Security Baseline
Security Baseline 23H2 issue with Hardened UNC Paths
I am testing the 23H2 Security Baseline and ran the CIS Benchmark assessment. A setting that previously passed with the November 2021 baseline is now failing. It is the Hardened UNC Paths setting under Administrative Templates - Network - Network Provider. The attached screenshot named Hardened UNC Paths...png shows the setting configured in the baseline. The screenshot named Registry.png shows the registry after the baseline is applied. The entry for \\*\SYSVOL does not show up and the entry for \\*\NETLOGON is wrong. When adding the entry to the registry for this setting, Microsoft swapped the Name and Data values. The screenshot Registry from Nov 2021 baseline.png is what it should look like, and this passes the CIS Benchmark assessment. Can anyone else confirm this? I plan to open a ticket for this issue.

CIS Benchmark Assessment fails on Defender settings on Security Baseline 23H2
With the November 2021 Security Baseline, my device passed all but one setting on the CIS Benchmark Assessment. After applying Security Baseline 23H2, I am failing all of them. See CIS Benchmark Assessment.png for the comparison. I found that something in the 23H2 Security Baseline is blocking access to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Defender\Policy Manager folder in the registry. See the attached screenshot. Since the CIS Assessment cannot access the settings to verify them, it gives us a fail on all of the Defender settings. When I go back to the November 2021 baseline, I can see all the settings in the folder. I've reviewed every setting in the 23H2 baseline to see what would cause this and cannot find anything. Any suggestions would be greatly appreciated. Right now, it seems safer to stay on the November 2021 baseline.

After Removing GPO, Intune Policies Not Applying
Part of our fleet remains Entra Hybrid Joined (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO-based security baselines for Entra Hybrid Joined devices and let Intune push the baseline security settings instead.

Here's the expected behavior: Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied. When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by group policy are applied. The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.

However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.

Here's what I've done to try to fix this:
- Make a copy of the existing baseline with a new name, assign it to the computers, and unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.
- Change a single setting in the baseline, hoping the change triggers the whole configuration to reapply. The endpoint only applies the changed setting; other settings in the baseline do not get applied.
- Unassign the baseline entirely, wait for the computer to sync, and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they're not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can't negotiate the timing on this for our whole fleet of computers.
- Apply the policy that makes MDM policies take precedence over GPOs. This did not work.

Here's what we're not willing to try (I'm preempting some of Microsoft's usual boilerplate responses):
- We will not reset the computers; there are too many for this to be a scalable solution.
- We will not unjoin and rejoin the computers from MDM; there are too many for this to be a scalable solution.

While I'm tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.

Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don't think this is something that will be resolved with time. Any advice would be greatly appreciated!

Security Baselines
Hi, I'm having an issue after enabling the security baselines. When we connect our laptop to the docking station via the Thunderbolt port, the peripherals (mouse, keyboard, and network connection) get blocked. We suspected the policy "Disable new DMA devices when this computer is locked," but disabling it didn't help. Does anybody have any idea which policy might be blocking the peripherals? This is a headache to find.

Security Baselines for Microsoft 365 Apps
I wanted to get a little clarification on some best practices for using Security Baselines in Intune, primarily in relation to Microsoft Edge and Microsoft 365. There are multiple areas where policies are managed for these apps:
- Intune
- Microsoft 365 Apps Admin Center
- Microsoft Edge (located in the Microsoft 365 Admin Center)

This is made more confusing in that baselines are made available for Microsoft 365 apps in both Intune and the Apps Admin Center. Not only that, but access to the policy area of the Apps Admin Center is also available in the Intune Apps tab. Microsoft does not really provide clear intent on what each section is intended for, but I'm intuiting they are intending the following:
- Security Baselines for M365 and Edge apps are managed in Intune.
- For devices not being managed by Intune, these baselines can also be configured for work or school accounts logged in from an Azure registered device, allowing for a separation of work and personal data.
- Configurations outside of the Security Baselines are intended to be configured in the associated admin center for the app.

With all that being said, does anyone know if Microsoft intends to continue support for the M365 Apps Admin Center Policy Configurations or Security Baselines in Intune? What is Microsoft's intention behind the variety of Admin Centers that can apply policies for the M365 and Edge applications? Are there any best practices for where I should be applying configurations from for these apps?

JM

Security baseline for Windows 10 - OneDrive together with Teams
Hello! I have activated the Security Baseline for Windows 10 on some test clients. All settings are default. When it is activated on the clients, PowerPoint presentations do not work in Teams. Live presentation, which you can select when you are in a meeting (you can see all your PowerPoints), does not display any files at all. Selecting files from OneDrive does not work; the screen only displays gray rows. When I remove the clients from the baseline, everything works fine. Where do I start troubleshooting amongst all the settings?

Security Baselines instead of standalone configs?
Hi everyone, I'm asking myself why security baselines are useful. At this moment I use device configurations for ATP, Hello, Device restrictions, etc. Why should I use security baselines instead? What are the advantages for me? Thank you in advance. 🙂

Patrick