With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021), Microsoft shipped a lot of new features (more on those in other blog posts). One of the important changes in this service release is that the security baselines for Windows 10 and for Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) have been updated. The security baseline for Microsoft Edge has not been updated.

I consider the baselines the foundation on which you build your modern workplace. They contain a set of settings recommended by Microsoft for configuring your Windows 10 devices, Microsoft Defender for Endpoint settings or Microsoft Edge settings.

With the release of the MDM Security Baseline for December 2020, the August 2020 version has been deprecated. This means that if you have implemented the August 2020 version, your profile is now read-only and you can no longer edit its settings. To edit the settings in the security baseline you must first upgrade it, after which the baseline can be modified again. The same principle applies to the baselines for Microsoft Defender for Endpoint and Microsoft Edge.

[Screenshot: Intune warning that a baseline version is deprecated and recommends upgrading all associated profiles to a supported version]

For more information about what is in the baselines, see:

MDM Security Baseline for December 2020

Microsoft Defender for Endpoint baseline for December 2020 – version 6

Microsoft doesn’t detail what has changed in their documentation, but you can easily find out for yourself.

You can compare the available security baselines with each other. From the profiles section, select two baselines and click “Compare baselines”.

When you click Compare baselines, you will be prompted to download a .CSV file. The CSV shows for each setting whether it was added or removed, and whether its value is equal or not equal between the two versions. So, if you want to know what changed, simply filter on added, notEqual and removed and you have your list of changes.

| Display Name | Definition Id | August 2020 | December 2020 | Comparison |
|---|---|---|---|---|
| Block consumer specific features | deviceConfiguration-windows10GeneralConfiguration_windowsSpotlightBlockConsumerSpecificFeatures | true | false | notEqual |
| Block third-party suggestions in Windows Spotlight | deviceConfiguration-windows10GeneralConfiguration_windowsSpotlightBlockThirdPartyNotifications | true | false | notEqual |
| Scheduled scan start time | deviceConfiguration-windows10GeneralConfiguration_defenderScheduledScanTime | NotApplicable | "notconfigured" | added |
| Block hardware device installation by device identifiers | deviceConfiguration-windows10GeneralConfiguration_hardwareDeviceInstallationByDeviceIdentifiers | {…"hardwareDeviceInsta… Blocked", "removeMatchingHardwar… OCOA"]} (truncated in the screenshot) | NotApplicable | removed |
| upload XML | windows10EndpointProtectionConfiguration_defenderExploitProtectionXml | (not legible in the screenshot) | NotApplicable | removed |

Comparison example
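The filter described above (drop everything that is "equal", keep added, removed and notEqual) is easy to automate once you have the CSV. The script below is an added example, not code from the original post or from Microsoft; it assumes the export has the column layout shown in the comparison table (Display Name, Definition Id, a column per baseline version, Comparison) and uses a constructed sample CSV whose rows mirror that table plus one invented unchanged setting. The relaxed_booleans check is an extra heuristic of my own: it flags settings that flipped from true to false, which for "Block …" style settings usually means the new baseline is less restrictive than the one you customised.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an Intune "Compare baselines" CSV export.
# The first four rows mirror the comparison table on the page (the hardware
# device installation value is simplified to "Blocked"); the last row is an
# invented unchanged setting so that the "equal" filter has something to drop.
SAMPLE_CSV = """\
Display Name,Definition Id,August 2020,December 2020,Comparison
Block consumer specific features,deviceConfiguration-windows10GeneralConfiguration_windowsSpotlightBlockConsumerSpecificFeatures,true,false,notEqual
Block third-party suggestions in Windows Spotlight,deviceConfiguration-windows10GeneralConfiguration_windowsSpotlightBlockThirdPartyNotifications,true,false,notEqual
Scheduled scan start time,deviceConfiguration-windows10GeneralConfiguration_defenderScheduledScanTime,NotApplicable,notconfigured,added
Block hardware device installation by device identifiers,deviceConfiguration-windows10GeneralConfiguration_hardwareDeviceInstallationByDeviceIdentifiers,Blocked,NotApplicable,removed
Example unchanged setting (constructed),deviceConfiguration-windows10GeneralConfiguration_exampleSetting,true,true,equal
"""

# Column names of the two baseline versions being compared (assumed layout).
OLD_COL = "August 2020"
NEW_COL = "December 2020"


def parse_comparison(csv_text):
    """Parse the export into a list of dicts with short, stable keys."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for raw in reader:
        rows.append({
            "display_name": raw["Display Name"].strip(),
            "definition_id": raw["Definition Id"].strip(),
            "old": raw[OLD_COL].strip(),
            "new": raw[NEW_COL].strip(),
            "comparison": raw["Comparison"].strip(),
        })
    return rows


def changed_settings(rows):
    """Group every row whose Comparison is not 'equal' by change type.

    This is the filter the post describes: keep added, removed and notEqual,
    drop everything that is identical in both versions.
    """
    changes = defaultdict(list)
    for row in rows:
        kind = row["comparison"]
        if kind.lower() == "equal":
            continue
        changes[kind].append(row)
    return dict(changes)


def relaxed_booleans(rows):
    """Heuristic (my assumption, not from the page): boolean settings that went
    from true to false between versions. For most 'Block ...' settings true is
    the stricter value, so these deserve a look before you upgrade a profile.
    Settings where false is the stricter value will show up as false positives.
    """
    return [
        row for row in rows
        if row["comparison"].lower() == "notequal"
        and row["old"].lower() == "true"
        and row["new"].lower() == "false"
    ]


def summarize(rows):
    """Row counts per Comparison value, a quick sanity check of an export."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["comparison"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_comparison(SAMPLE_CSV)
    print(summarize(parsed))
    for kind, items in changed_settings(parsed).items():
        print(f"\n{kind}:")
        for item in items:
            print(f"  {item['display_name']}: {item['old']} -> {item['new']}")
    print("\nPossibly relaxed (true -> false):")
    for item in relaxed_booleans(parsed):
        print(f"  {item['display_name']}")
```

To use it on a real export, read the downloaded file into a string and pass it to parse_comparison, adjusting OLD_COL and NEW_COL to the version names in the header row.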

You can update your profiles by selecting the profile and clicking “Change Version”. You can then select the security baseline version you want to update to, and whether or not you want to keep the custom settings from the baseline you are upgrading. Once upgraded, the exclamation mark disappears and you can see that the version has been updated to December 2020.

The security baselines really add value to your modern workplace. Using the Microsoft-provided best practices is very helpful if you want to give a modern workplace a solid basis. The functionality to compare baselines is handy, and it is easy to upgrade your version of the baseline while keeping the customizations you created.

The security baselines have some disadvantages though. Personally, I would rather have seen Microsoft provide a set of Configuration Profiles combined in a policy set (see my article: What are Intune Policy Sets?). Looking at what the current policy sets can do and which scenarios are not supported, however, I don’t think policy sets are usable for this yet. One challenge you will face when implementing security baselines is that they may contain settings you have already configured with a Configuration Profile. In that case a conflict may be reported, and since the security baseline sometimes uses a different name for a setting, finding the conflicting settings can be a challenge.

I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technology on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects, besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center Related Classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).
