New Microsoft 365 apps security baseline profile and updates to the Microsoft Edge baseline
Published May 30 2023 08:00 AM

As part of our ongoing investment in improving the Microsoft Intune admin experience, we're excited to announce a Microsoft 365 Apps for enterprise security baseline as well as a new version of the Microsoft Edge security baseline available in the May release of Intune! Security baselines are configuration options available in Intune for configuring profiles to help you secure and protect your devices and users. These new baselines feature an improved user interface and reporting experience, consistency and accuracy improvements, and the new ability to support assignment filters for profiles.

 

How it works

The Microsoft 365 Apps for Enterprise security baseline provides a starting point for IT admins to evaluate and balance the security benefits with the productivity needs of their users. This baseline aligns with the security recommendations for Microsoft 365 Apps for enterprise group policy security baseline v2206 and is now available in the Intune admin center.

 

A screenshot of the Microsoft 365 Apps for Enterprise Security Baseline in Intune.

 

Updated Edge baseline content

We updated the security baseline for Microsoft Edge to the latest available group policy version (Edge v112). For more information, see Security baseline for Microsoft Edge version 112. The security baseline for Microsoft Edge contains recommended settings for security-conscious customers based on the latest group policy security baseline. To learn more about what has changed between versions, please see List of the settings in the Microsoft Edge security baseline in Intune.

 

Changes to upgrade process for baselines

The May 2023 version of Microsoft Edge baseline (v112) will become the default version when creating new profiles. Existing profiles on the latest versions across all security baselines will still be editable and manageable when the new versions are released. However, you’ll see changes when trying to upgrade from the September 2020 version to the May 2023 version, as it will be a manual process.

 

To upgrade profiles on the September 2020 version, go to Endpoint Security > Security baselines. Baselines with a blue arrow can be updated to the latest version. Create a new profile and follow the instructions to download a .csv file that contains the existing profile’s settings, default values, and customizations. Use this file as a guide to create a new profile and manually reapply any custom settings and device assignments.

 

A screenshot of the Security Baseline for Microsoft Edge Profiles page with the blue arrow icons and Change Version selection highlighted.

 

A screenshot of the Change Version window with the steps for upgrading to the latest baseline version.

 

Common questions

What does “manually upgrading” mean and which profile versions does it apply to?

If you're on the September 2020 version of the Edge baseline, you’ll have to create a new profile to use the May 2023 version. You won’t be able to copy over any setting customizations or device assignments to this new profile and will have to apply any setting customizations or device assignments manually.

 

If you're on any version prior to September 2020, you’ll use the previous upgrade flow. Refer to Create security baseline profiles in Microsoft Intune for information about how to upgrade from earlier baseline versions.

 

Will manual upgrading be required every time a new Edge baseline version is released?

No. This is a one-time process to upgrade from the September 2020 version to the May 2023 version of the Security baseline for Microsoft Edge. For subsequent upgrades in the Edge baseline, we’ll use a guided upgrade flow.

 

Will my settings and device assignments be copied over to the new profile after manually upgrading?

No. This will be a brand-new profile with default baseline settings (unless customized) and no device assignments. To see which settings your previous profile had, use the .csv generated by selecting the Export profile settings button in the Change Version window, to compare and customize accordingly.

 

Will my previous profiles be deleted once I manually upgrade to the new version?

Existing profiles won’t be deleted. Admins are given the choice to keep previous profiles even after creating a new one on the latest version. However, Microsoft always recommends keeping only the latest baseline version on your devices to keep your environment secure with the latest Microsoft-recommended security settings.

 

Known issues

There are a few issues you should be aware of related to this initial release of the security baselines, including configuring exact values for certain settings and seeing duplicate settings in the reporting view.

 

Baseline settings

Certain settings require exact values and formats to operate correctly. These are known issues admins need to be aware of when editing these setting values. The actual values are documented in Microsoft Security Compliance Toolkit 1.0.

 

Microsoft 365 Apps for enterprise security baseline

  • Encryption type for password protected Office 97-2003 files (User)
    • Value: Enabled
    • Encryption type: (User)
      • Value: Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256
      • Note, this is a plain text field. For this and all plain text fields, entered values need to be case sensitive, separated by commas, and have no spaces in between. Refer to the example image below.
  • Encryption type for password protected Office Open XML files (User)
    • Value: Enabled
    • Encryption type: (User)
      • Value: Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256
      • Note, this is a plain text field.

        A screenshot of the valid settings input in the template for the applications.
  • Restrict legacy JScript execution for Office
    • Value: Enabled
    • For all applications, use the value 69632, as illustrated in the image below.

      A screenshot of the valid settings input into the template for HTTP authentication.

Security Baseline for Microsoft Edge

  • Supported authentication schemes
    • Value: Enabled
    • Supported authentication schemes (Device)
      • Value: ntlm,negotiate
      • Note, this is a plain text field.

        A screenshot of the valid settings input into the template for HTTP authentication.
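
The plain-text rules above (case sensitive, comma separated, no spaces around the commas) can be checked before a value is entered in a profile. The following Python check is an added example, not part of the original post or of Intune; the function names and the sample inputs are constructed for illustration, and the expected strings are the Edge and JScript values listed above.

```python
import re

# Expected values copied from the Known issues list above.
EDGE_AUTH_SCHEMES = "ntlm,negotiate"
JSCRIPT_RESTRICTION = "69632"


def check_plain_text_value(entered, expected):
    """Return a list of problems; an empty list means the value matches exactly."""
    problems = []
    if entered == expected:
        return problems
    if entered != entered.strip():
        problems.append("leading or trailing whitespace")
    # The rule on this page: no spaces between the comma-separated items.
    if re.search(r"\s+,|,\s+", entered):
        problems.append("whitespace next to a comma")
    got = [item.strip() for item in entered.split(",")]
    want = expected.split(",")
    if len(got) != len(want):
        problems.append(
            f"expected {len(want)} comma-separated items, got {len(got)}"
        )
        return problems
    for g, w in zip(got, want):
        if g == w:
            continue
        if g.lower() == w.lower():
            # Plain-text fields are case sensitive.
            problems.append(f"case mismatch: {g!r} should be {w!r}")
        else:
            problems.append(f"differs from baseline: {g!r} (expected {w!r})")
    return problems


def audit(candidates, expected):
    """Check several candidate strings against one expected value."""
    return {c: check_plain_text_value(c, expected) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, as an admin might type them.
    samples = ["ntlm,negotiate", "ntlm, negotiate", "NTLM,negotiate", "ntlm;negotiate"]
    for value, issues in audit(samples, EDGE_AUTH_SCHEMES).items():
        print(repr(value), "->", issues or "OK")
    print(repr(" 69632"), "->", check_plain_text_value(" 69632", JSCRIPT_RESTRICTION))
```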


Setting duplicates in reporting view

Baselines reporting only reports the actual setting name. However, the backend for the Microsoft 365 apps for enterprise baseline uses the same setting name and a path for context. So, customers will see seemingly duplicate entries in reporting when they’re actually separate.

 

For example, the Allow Trusted Location on the network (User) setting is configured for the Microsoft Access 2016, Excel 2016, PowerPoint 2016, Project 2016, Visio 2016, and Word 2016 apps but only appears as one setting.

 

A screenshot of the reporting view for Microsoft 365 Apps for Enterprise Security Baseline in Intune.

 

Stay in the know

Stay tuned to What's new in Intune as we continue to improve the security baseline experience and release new versions.

 

Provide feedback below on what you want to see and let us know if you have any additional questions on this by replying to this post or tagging @IntuneSuppTeam out on Twitter.

Last update: May 26 2023 03:48 PM