Community-driven baseline to accelerate Intune adoption and learning.
sribaabu/OpenIntuneBaseline
OpenIntuneBaseline

IMPORTANT: This has been developed as a starting point or foundation and is not necessarily considered "complete". It is being made available to allow learning, development, and knowledge-sharing amongst communities.
No liability is assumed for the usage or application of the settings within this project in production tenants.


Rationale

The original purpose of this baseline was to develop a single-import "policy set" which covered all necessary configuration to provide a secure Windows device with minimal engineering effort. Additional settings to improve overall end-user experience were added, such as OneDrive KFM and automatic Outlook configuration.

After seeing many people across varying communities struggle with the initial "barrier to entry" to Intune, especially coming from a knowledge set around on-prem GPO, I wanted to make the pack publicly available to enable easier access to learning the functionality available.

Development

To create the initial secure device configuration, data analysis was carried out across well-known security guidance frameworks, such as:

Additional configurations were then layered using information from various MVP blogs and community resources, as well as significant personal experience across multiple customer environments.

Available Baseline Settings

Policies are configured and named to be as understandable to their purpose as possible. More information will be available soon.

Baseline Import

The baseline was exported using the tool developed by Mikael Karlsson (GitHub and Twitter), and can be imported in the same way. Download or clone this repo, run the IntuneManagement tool and, in the tool settings, change the "Root folder" under Import/Export to the folder containing the baseline. Authenticate to a tenant with appropriate credentials, and use the Bulk > Import menu to import the whole baseline. Individual policy imports can be achieved using the "Import" option in the bottom right of the tool.

Supporting Configuration:

  • Windows Update for Business Reports - With an appropriate Azure subscription, a Log Analytics Workspace can be created to monitor update compliance of devices. - Additional information
  • M365 Apps Updates - Creation of a Servicing Profile through config.office.com can ensure Office Apps for Business/Enterprise remain up-to-date on the Monthly Enterprise Channel. Settings in the "Office - Update Settings" policy can remain in place, as Servicing Profiles take priority over any other Office update management. Ensure the Inventory is enabled.

Settings not covered by the baseline:

Due to the wildly differing nature of environments, it is not possible to create a "baseline" for AppLocker or Windows Defender Application Control. While the baseline ensures standard users cannot elevate to install applications, apps that do not require elevation or install to a user's AppData folder may not be blocked.

Additional Notes:

There are some settings that fall outside of this baseline but should be considered to ensure underlying tenant security:

Setting | Link
Combined user registration (now set to "All" by default but may be set to "None" or scoped to groups for older tenants) | User Features
Restrict access to Azure AD administration portal | User Settings
Enable SSPR for All Users | Password Reset
Disable user admin consent requests | Enterprise Apps
Do not allow users to consent to apps | Consent and Permissions
AAD Company Branding (can cause Autopilot to fail) | Company Branding
Disable Security Defaults (if utilising Conditional Access) | Properties
Ensure legacy "per-user" MFA is disabled | Multi-factor Authentication
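Three of the tenant settings in the table above (user consent to apps, admin consent requests, and Security Defaults) can be audited read-only through Microsoft Graph PowerShell. The script below is an added example, not part of the OpenIntuneBaseline project or the IntuneManagement tool; it assumes the Microsoft.Graph modules are installed and that an account with Policy.Read.All consent is available, and the "expected" values are taken from the table rather than from anything the project defines.

```powershell
# Added example (not project code): audit three Entra ID tenant settings from
# the table above via Microsoft Graph PowerShell. Read-only; Policy.Read.All
# is the assumed minimum scope for all three cmdlets used.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = @()

# "Do not allow users to consent to apps": user consent is disabled when no
# permission-grant policy is assigned to the default user role.
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole.Count -gt 0) {
    $findings += [pscustomobject]@{
        Setting  = 'Do not allow users to consent to apps'
        Current  = ($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ', ')
        Expected = 'No grant policy assigned to default user role'
    }
}

# "Disable user admin consent requests": the admin consent request workflow
# should be turned off.
$consentRequests = Get-MgPolicyAdminConsentRequestPolicy
if ($consentRequests.IsEnabled) {
    $findings += [pscustomobject]@{
        Setting  = 'Disable user admin consent requests'
        Current  = 'Enabled'
        Expected = 'Disabled'
    }
}

# "Disable Security Defaults (if utilising Conditional Access)": only a
# finding once Conditional Access policies are in place to replace them.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($secDefaults.IsEnabled) {
    $findings += [pscustomobject]@{
        Setting  = 'Disable Security Defaults (if utilising Conditional Access)'
        Current  = 'Enabled'
        Expected = 'Disabled after Conditional Access policies are deployed'
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'All checked tenant settings match the recommended values.'
} else {
    $findings | Format-Table -AutoSize
}
```

The remaining table rows (combined registration, portal restriction, SSPR, company branding, per-user MFA) are not covered here because they are verified in the portal pages the table links to rather than through these Graph policy objects.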

Changelog

See CHANGELOG.MD for latest baseline changes.
