Deploy Intune MDM Security Baseline

Microsoft now provides a security baseline for the modern workplace through Intune Mobile Device Management (MDM). The concept is well known from the GPO world, where it is delivered through the Security and Compliance Toolkit (SCT).

This is a good entry point for security on modern workplaces. It is a collection of configuration settings recommended by Microsoft, and because it shows what you can set through MDM, it can help you define your company's security strategy.

It is also a good way to ensure the best protection across devices without having to know every MDM possibility in depth.

Baselines

As a starting point for Microsoft's security baselines (Windows 10 October 2018 release), here are the setting categories Microsoft will configure to ensure the best protection. It is up to you to modify these settings and enable your own. This list and its settings will grow, following customer needs and best practices.

Above Lock
App Runtime
Application Management
Auto Play
BitLocker
Browser
Connectivity
Credentials Delegation
Credentials UI
Data Protection
Device Guard
Device Installation
Device Lock
Event Log Service
Experience
Exploit Guard
File Explorer
Internet Explorer
Local Policies Security Options
MS Security Guide
MSS Legacy
Power
Remote Desktop Services
Remote Management
Remote Procedure Call
Search
Smart Screen
System
Wi-Fi
Windows Connection Manager
Windows Defender
Windows Ink Workspace
Windows PowerShell

You can find the full description here: https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows

This is what the security baseline offers Modern Workplace admins:

  • In-depth reporting on the state of each setting in the baseline on every device in your organization
  • A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM
  • A versioning experience to stay up-to-date when Microsoft updates security baseline recommendations

Deployment

1. Add security baselines to your Azure tenant and select Preview: MDM Security Baseline for October 2018

Add Security Baselines in your Azure view

2. Create your first profile by clicking on Create profile

Create your first profile

3. Review profile settings and click Create

Set your first security baseline profile

4. You still need to assign the profile to your test users.

Assign to selected groups

And you are all set!

You can now get metrics on profile assignment and see all devices that do not match the baseline or are not configured correctly.

More information

Initial blog announcement from Microsoft
https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-introduces-MDM-Security-Baselines-to-secure-the/ba-p/313442

All security baseline settings in detail
https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows

Deploy security baseline
https://docs.microsoft.com/en-us/intune/security-baselines
