IMPORTANT: This has been developed as a starting point or foundation and is not necessarily considered "complete". It is being made available to allow learning, development, and knowledge-sharing amongst communities.
No liability is assumed for the usage or application of the settings within this project in production tenants.
The original purpose of this baseline was to develop a single-import "policy set" covering all the configuration necessary to provide a secure Windows device with minimal engineering effort. Additional settings to improve the overall end-user experience were added, such as OneDrive KFM and automatic Outlook configuration.
After seeing many people across varying communities struggle with the initial "barrier to entry" to Intune, especially coming from a knowledge set around on-prem GPO, I wanted to make the pack publicly available to enable easier access to learning the functionality available.
To create the initial secure device configuration, analysis was carried out across the following well-known security guidance frameworks:
- NCSC Device Security Guidance [https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows]
- CIS Windows Benchmarks [https://www.tenable.com/audits/search?q=CIS+Windows+Intune&sort=&page=1]
- Intune Security Baselines for Windows, Edge & Defender for Endpoint [https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/securityBaselines]
- Microsoft Best Practice
Additional configurations were then layered using information from various MVP blogs and community resources, as well as significant personal experience across multiple customer environments.
Policies are configured and named to be as understandable to their purpose as possible. More information will be available soon.
The baseline was exported using the IntuneManagement tool developed by Mikael Karlsson (see his GitHub and Twitter), and can be imported in the same way. Download or clone this repo, run the IntuneManagement tool and, in the tool settings, change the "Root folder" under Import/Export to the folder containing the baseline. Authenticate to a tenant with appropriate credentials, and use the Bulk > Import menu to import the whole baseline. Individual policies can be imported using the "Import" option in the bottom right of the tool.
- Windows Update for Business Reports: with an appropriate Azure subscription, a Log Analytics Workspace can be created to monitor the update compliance of devices.
- M365 Apps Updates: creating a Servicing Profile through config.office.com can ensure Office Apps for Business/Enterprise remain up to date on the Monthly Enterprise Channel. The settings in the "Office - Update Settings" policy can remain in place, as Servicing Profiles take priority over any other Office update management. Ensure the Inventory is enabled.
Due to the wildly differing nature of environments, it is not possible to create a "baseline" for AppLocker or Windows Defender Application Control. While the baseline ensures standard users cannot elevate to install applications, apps that do not require elevation or install to a user's AppData folder may not be blocked.
There are some settings that fall outside of this baseline but should be considered to ensure underlying tenant security:
| Setting | Link |
|---|---|
| Combined user registration (now set to "All" by default but may be set to "None" or scoped to groups for older tenants) | User Features |
| Restrict access to Azure AD administration portal | User Settings |
| Enable SSPR for All Users | Password Reset |
| Disable user admin consent requests | Enterprise Apps |
| Do not allow users to consent to apps | Consent and Permissions |
| AAD Company Branding (can cause Autopilot to fail) | Company Branding |
| Disable Security Defaults (if utilising Conditional Access) | Properties |
| Ensure legacy "per-user" MFA is disabled | Multi-factor Authentication |
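The rows in the table that are readable through Microsoft Graph can be checked from a script rather than by clicking through the portal. The following PowerShell is an added example and is not part of the baseline project or the IntuneManagement tool. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account can consent to the `Policy.Read.All` scope; the mapping of table rows to Graph properties is my own, and rows with no Graph exposure (portal restriction, company branding, legacy per-user MFA) are not covered.

```powershell
# Added example: audit tenant-level settings from the table above via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed; Policy.Read.All can be consented.
Connect-MgGraph -Scopes 'Policy.Read.All'

$base        = 'https://graph.microsoft.com/v1.0'
$authz       = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/authorizationPolicy"
$consentReq  = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/adminConsentRequestPolicy"
$secDefaults = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/identitySecurityDefaultsEnforcementPolicy"

# permissionGrantPoliciesAssigned decides whether users may consent to apps:
# an empty list corresponds to "Do not allow user consent" in the portal.
$userConsent = @($authz.defaultUserRolePermissions.permissionGrantPoliciesAssigned)

$findings = @(
    [pscustomobject]@{
        Setting  = 'Enable SSPR for All Users'
        Current  = [bool]$authz.allowedToUseSSPR
        Expected = $true
    }
    [pscustomobject]@{
        Setting  = 'Do not allow users to consent to apps'
        Current  = ($userConsent.Count -eq 0)
        Expected = $true
    }
    [pscustomobject]@{
        Setting  = 'Disable user admin consent requests'
        Current  = [bool]$consentReq.isEnabled
        Expected = $false
    }
    [pscustomobject]@{
        # Only expected to be disabled where Conditional Access is in use (as the table notes).
        Setting  = 'Disable Security Defaults (if utilising Conditional Access)'
        Current  = [bool]$secDefaults.isEnabled
        Expected = $false
    }
)

$findings |
    Select-Object Setting, Current, Expected,
        @{ Name = 'Compliant'; Expression = { $_.Current -eq $_.Expected } } |
    Format-Table -AutoSize
```

The script reads the policies as raw Graph hashtables via `Invoke-MgGraphRequest` so that the JSON property names match the documented REST schema; the `Compliant` column is simply whether the live value matches the recommendation in the table, and any row showing `False` is one to review in the portal.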
See CHANGELOG.MD for latest baseline changes.