As part of our ongoing investment in improving the Microsoft Intune admin experience, we're excited to announce a Microsoft 365 Apps for enterprise security baseline as well as a new version of the Microsoft Edge security baseline available in the May release of Intune! Security baselines are configuration options available in Intune for configuring profiles to help you secure and protect your devices and users. These new baselines feature an improved user interface and reporting experience, consistency and accuracy improvements, and the new ability to support assignment filters for profiles.
The Microsoft 365 Apps for enterprise security baseline provides a starting point for IT admins to evaluate and balance the security benefits with the productivity needs of their users. This baseline aligns with the security recommendations for Microsoft 365 Apps for enterprise group policy security baseline v2206 and is now available in the Intune admin center.
We updated the security baseline for Microsoft Edge to the latest available group policy version (Edge v112). For more information, see Security baseline for Microsoft Edge version 112. The security baseline for Microsoft Edge contains recommended settings for security-conscious customers based on the latest group policy security baseline. To learn more about what has changed between versions, please see List of the settings in the Microsoft Edge security baseline in Intune.
The May 2023 version of Microsoft Edge baseline (v112) will become the default version when creating new profiles. Existing profiles on the latest versions across all security baselines will still be editable and manageable when the new versions are released. However, you’ll see changes when upgrading from the September 2020 version to the May 2023 version, as it will be a manual process.
To upgrade profiles on the September 2020 version, go to Endpoint Security > Security baselines. Baselines with a blue arrow can be updated to the latest version. Create a new profile and follow the instructions to download a .csv file that contains the existing profile’s settings, default values, and customizations. Use this file as a guide to create a new profile and manually reapply any custom settings and device assignments.
What does “manually upgrading” mean and which profile versions does it apply to?
If you're on the September 2020 version of the Edge baseline, you’ll have to create a new profile to use the May 2023 version. You won’t be able to copy over any setting customizations or device assignments to this new profile and will have to apply any setting customizations or device assignments manually.
If you're on any version prior to September 2020, you’ll use the previous upgrade flow. Refer to Create security baseline profiles in Microsoft Intune for information about how to upgrade from earlier baseline versions.
Will manual upgrading be required every time a new Edge baseline version is released?
No. This is a one-time process to upgrade from the September 2020 version to the May 2023 version of the Security baseline for Microsoft Edge. For subsequent upgrades in the Edge baseline, we’ll use a guided upgrade flow.
Will my settings and device assignments be copied over to the new profile after manually upgrading?
No. This will be a brand-new profile with default baseline settings (unless customized) and no device assignments. To see which settings your previous profile had, select the Export profile settings button in the Change Version window and use the generated .csv to compare and customize accordingly.
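One way to turn the exported .csv into a list of settings to reapply by hand, as an added example that is not part of the original post or Microsoft's tooling. The column names (SettingPath, SettingName, DefaultValue, ConfiguredValue) and the function name are assumptions, since the post does not show the file's header row; the output keeps the setting path next to the name so that same-named settings for different apps stay distinguishable.

```powershell
# Added example. The column names are assumptions: match them to the header row of your export.
function Get-BaselineCustomization {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $PathColumn    = 'SettingPath',
        [string] $NameColumn    = 'SettingName',
        [string] $DefaultColumn = 'DefaultValue',
        [string] $ValueColumn   = 'ConfiguredValue'
    )
    # Stop early if the export uses different headers than assumed.
    $header = $Rows[0].PSObject.Properties.Name
    foreach ($col in $PathColumn, $NameColumn, $DefaultColumn, $ValueColumn) {
        if ($col -notin $header) {
            throw "Column '$col' not in export. Header: $($header -join ', ')"
        }
    }
    foreach ($row in $Rows) {
        $default = [string]$row.$DefaultColumn
        $value   = [string]$row.$ValueColumn
        # Case-sensitive, untrimmed compare: some settings need exact values and formats.
        if ($value -cne $default) {
            [pscustomobject]@{
                Path       = $row.$PathColumn   # keeps same-named settings apart per app
                Setting    = $row.$NameColumn
                Default    = $default
                Configured = $value
            }
        }
    }
}

# Constructed sample rows (not real export data); with a real file use:
#   $rows = Import-Csv -Path .\exported-profile.csv
$rows = @'
SettingPath,SettingName,DefaultValue,ConfiguredValue
Microsoft Word 2016,Allow Trusted Location on the network,Disabled,Disabled
Microsoft Excel 2016,Allow Trusted Location on the network,Disabled,Enabled
Microsoft Edge,Sample setting A (constructed),Enabled,enabled
Microsoft Edge,Sample setting B (constructed),Enabled,Enabled
'@ | ConvertFrom-Csv

# Rows whose configured value differs from the baseline default: reapply these in the new profile.
Get-BaselineCustomization -Rows $rows | Sort-Object Path, Setting | Format-Table -AutoSize
```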
Will my previous profiles be deleted once I manually upgrade to the new version?
Existing profiles won’t be deleted. Admins are given the choice to keep previous profiles even after creating a new one on the latest version. However, Microsoft always recommends keeping only the latest baseline version on your devices to keep your environment secure with the latest Microsoft-recommended security settings.
There are a few issues you should be aware of related to this initial release of the security baselines, including configuring exact values for certain settings and seeing duplicate settings in the reporting view.
Certain settings require exact values and formats to operate correctly. These are known issues admins need to be aware of when editing these setting values. The actual values are documented in Microsoft Security Compliance Toolkit 1.0.
Baselines reporting only reports the actual setting name. However, the backend for the Microsoft 365 Apps for enterprise baseline uses the same setting name and a path for context. As a result, customers will see seemingly duplicate entries in reporting that are actually separate settings.
For example, the Allow Trusted Location on the network (User) setting is configured for the Microsoft Access 2016, Excel 2016, PowerPoint 2016, Project 2016, Visio 2016, and Word 2016 apps but only appears as one setting.
Stay tuned to What's new in Intune as we continue to improve the security baseline experience and release new versions.
Provide feedback below on what you want to see and let us know if you have any additional questions on this by replying to this post or tagging @IntuneSuppTeam out on Twitter.