In July, Microsoft announced that the Windows 10 security baseline feature in Intune was now generally available. The company first revealed it back at Microsoft Ignite 2018.
With it now widely available, it’s a good time to get an overview of the security baselines and what they mean for organizations considering Intune.
Windows 10 Security Baselines for Intune
While any organization with Intune can use Windows 10 Security Baselines, Microsoft is targeting companies either currently moving to Microsoft’s EMM offering or considering it.
Microsoft says that the Group Policy security teams helped create these baselines, which are meant to offer best practice security recommendations. The Windows 10 security baselines provide organizations the ability to implement security configurations on employee devices without having to develop the baselines from scratch or through the use of templates. Admins can tweak the baselines once they’re in place.
The Windows 10 security baselines cover a wide variety of settings admins would normally set themselves, from device encryption, preventing data exfiltration, application management to smaller aspects like allowing notifications to appear on lock screens. The amount of settings that are included is pretty large—you can read the whole list here. Once set up, admins can use Intune to automatically determine if devices remain in compliance.
Microsoft will release new updates to the security baselines over time, with the latest one being for Windows 10 version 1809. Intune includes the ability to compare the current and new baselines to determine the latest changes. Additionally, Microsoft offers two instances designed to complement the other: MDM Security Baseline and Defender ATP baseline, with the latter being in tech preview. The second instance does require organizations to already have Defender ATP and isn’t recommended for VMs or VDI endpoints due to certain baseline settings.
Windows 10 RSS MDM Security Baseline is the first to see an official release and is currently just for Windows, but iOS and Android will eventually get it, too.
Not Microsoft’s first foray into security baselines
Microsoft has slowly worked their way toward this product, offering other options for admins over the years. There was the Security Compliance Manager that the company laid to rest in 2017, which offered GPO-based security configuration recommendations. Microsoft did struggle to keep it updated, though.
The company collaborated with the Center for Internet Security (CIS) to develop some security baselines for Windows 7 and Internet Explorer 8. Microsoft also developed the Security Compliance Toolkit (SCT), which helped admins to manage GPO and implement settings through Active Directory or local policy. SCT included a Policy Analyzer tool that provided info on redundant GPO settings or inconsistencies, letting you know the differences between versions of GP and comparing against local policy and registry settings.
Do other vendors offer similar security baseline tools?
Not every organization uses Intune, so do other vendors offer similar products? Not really that I could find; though, some vendors offer solutions for different OSes and other applications.
This year, VMware announced the technical preview of a baseline feature coming to Workspace ONE UEM for Windows. Right now, admins can create Windows 10 baselines, CIS Windows 10 Benchmarks, and upload custom baselines. The CIS benchmarks are pretty in depth (and cover a variety of OSes), providing recommendations that cover password rules, network configuration, public/private profiles, and more.
For macOS and iOS deployments, Jamf created scripts in Jamf Pro to help organizations implement CIS benchmarks. The vendor created three scripts to define baselines, schedule continuous checks for compliance, and automate the remediation process.
Lastly, CIS also provides some assistance for admins looking to implement the security benchmarks the non-profit provides. There’s the CIS-CAT Pro Assessor tool that scans an organization’s current configuration and compares it to the CIS benchmarks. And then there’s CIS Build Kits, which takes the benchmarks and allows admin to implement through GPO or via a shell in *nix environments.
Implementing security baseline settings seems like such a mammoth task, so it’s nice that Microsoft is offering a way to make it less cumbersome. I’d be curious whether admins find it useful once they spend some time with it versus creating a security policy template; seems less painful, even if it means using Intune. (Though, Microsoft hopes everyone will use Intune anyway with SCCM co-management.)
I’d never given much thought to the initial setup of security configurations. However, during my research for this article, it became clear to me that with the classes offered and articles out there, that admins used to be largely on their own, relying on security templates to help them develop the best security settings.
The MDM Security Baseline feature shows a continuing trend from Microsoft toward providing built-in features. It’s not hard to see why though; it makes it easier for Intune to work with all the solutions on an endpoint, like Windows ATP and Windows Info Protection.
The Windows 10 security baselines could be one selling point that pushes organizations into adopting Intune over AirWatch or another solution. It could make admins’ lives easier when configuring security settings. What do you think? If you’re planning on rolling this out and think it will make your life easier, let us know!