Windows 10 Security Baseline in Intune

Now that Microsoft Intune 1901 has been released, the MDM security baseline has appeared!

This was a huge topic during Ignite 2018, and I’m pretty sure that you have been waiting for this like everybody else 🙂
Now it’s time to compare the security baseline in Intune with the one from NCSC.

What are security baselines?

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.

A security baseline is a group of Microsoft-recommended configuration settings, together with an explanation of their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Now let’s configure a security baseline within Intune

Head to the Azure Portal, log in as a global admin and follow these steps:

  • Go to Intune -> Security Baseline (Preview)
  • Click MDM Security Baseline for October 2018 (This security baseline is for Windows 10 1809)
  • Click Create profile
  • Enter a name, e.g. Windows Security Baseline – October 2018
  • Click to expand settings

From here you can expand all the categories and view or set the settings as you want them.

Prevent users from enrolling personal Windows devices into Intune

To restrict enrollment so that only corporate Windows devices are allowed, follow these steps:

  • Start the Microsoft 365 device management portal
  • Go to Device enrollment -> Device restriction
  • Click on Default -> Properties
  • Click Select platforms
  • Ensure that you are allowing Windows (MDM) enrollment. Set it to allow, or all Windows enrollment will be blocked
  • Click on Properties -> Configure
  • Select “Block” for ‘Windows personally owned’
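As an added example (not part of the original post, and not Microsoft’s own tooling), here is a small Python audit that reads the enrollment restriction back and flags the two mistakes the steps above guard against: Windows (MDM) enrollment blocked outright, and personally owned Windows devices still allowed. It assumes the JSON shape returned by the Microsoft Graph beta `deviceManagement/deviceEnrollmentConfigurations` endpoint, where the “Device restriction” platform rules appear as a `deviceEnrollmentPlatformRestrictionsConfiguration` object whose `windowsRestriction` block carries `platformBlocked` and `personalDeviceEnrollmentBlocked`. The embedded sample response and its ids are constructed, and the token-based fetch helper is included for completeness but not called.

```python
"""Audit Intune enrollment restrictions for the Windows (MDM) platform.

Added example: checks that Windows enrollment stays allowed while
personally owned Windows devices are blocked, as the post recommends.
"""
import json
import urllib.request

# Graph beta endpoint that returns the enrollment restriction objects
# (assumption about the API shape; not taken from the post).
GRAPH_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"

# @odata.type of the "Device restriction" platform rule set.
PLATFORM_RESTRICTIONS_TYPE = (
    "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
)

# Constructed sample response: one enrollment limit rule and one platform
# restriction rule whose Windows settings still allow personal devices.
# The ids are placeholders, not real tenant values.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
            "id": "PLACEHOLDER_Limit",
            "displayName": "All users and all devices",
            "limit": 5,
        },
        {
            "@odata.type": PLATFORM_RESTRICTIONS_TYPE,
            "id": "PLACEHOLDER_PlatformRestrictions",
            "displayName": "All users and all devices",
            "priority": 0,
            "windowsRestriction": {
                "platformBlocked": False,
                "personalDeviceEnrollmentBlocked": False,
                "osMinimumVersion": None,
                "osMaximumVersion": None,
            },
            "iosRestriction": {
                "platformBlocked": True,
                "personalDeviceEnrollmentBlocked": False,
            },
        },
    ]
})


def fetch_enrollment_configurations(access_token: str) -> str:
    """Fetch the live configuration with a bearer token (not exercised here)."""
    req = urllib.request.Request(
        GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def find_platform_restrictions(configs: list) -> list:
    """Keep only the platform-restriction rule sets; other config types are ignored."""
    return [c for c in configs if c.get("@odata.type") == PLATFORM_RESTRICTIONS_TYPE]


def check_windows_restriction(restriction: dict) -> list:
    """Return human-readable findings for one windowsRestriction block.

    An empty list means the block matches the post's recommendation.
    """
    findings = []
    if restriction.get("platformBlocked", False):
        findings.append(
            "Windows (MDM) platform is blocked: all Windows enrollment will fail"
        )
    if not restriction.get("personalDeviceEnrollmentBlocked", False):
        findings.append(
            "Windows personally owned devices are allowed: set 'Windows personally owned' to Block"
        )
    return findings


def audit_enrollment_restrictions(response_json: str) -> dict:
    """Map each platform-restriction rule id to its list of Windows findings."""
    data = json.loads(response_json)
    results = {}
    for cfg in find_platform_restrictions(data.get("value", [])):
        # A missing windowsRestriction block is treated as 'nothing configured'.
        windows = cfg.get("windowsRestriction") or {}
        results[cfg["id"]] = check_windows_restriction(windows)
    return results


if __name__ == "__main__":
    for rule_id, findings in audit_enrollment_restrictions(SAMPLE_RESPONSE).items():
        status = "OK" if not findings else "NEEDS ATTENTION"
        print(f"{rule_id}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run against a live tenant by replacing `SAMPLE_RESPONSE` with the string returned by `fetch_enrollment_configurations(token)`, where the token must carry a DeviceManagementServiceConfig read permission; the audit logic itself never touches the network, so it can also be pointed at an exported JSON file.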