When I looked at a specific device that was affected, as shown above, I could see two errors on the device. One was from a user designated as System account, which was also somewhat puzzling.
You can update your profiles by selecting the profile and clicking “Change Version”. You can then select the security baseline version you want to update to, and whether or not you want to keep your custom settings from the baseline you want to upgrade. Once upgraded, the exclamation mark will be removed, and you can see that the version is updated to December 2020. Implement MDM compliance policies for additional settings not covered by baselines or individual Endpoint security policies. If you already have individual Endpoint security and Intune policies deployed, you will need to be careful if you then start to deploy baseline policies.
As a starting point for a security baseline, we can use Microsoft’s best practices. I always use these baselines when starting a new project or implementation, unless the customer or I have a good reason to go in a different direction. This is all set up at the start of the workshop or while the Pilot is running.
As an administrator, I prefer both these services to stay on on all corporate devices. So let’s see how we can do this using an Intune security baseline policy. Microsoft-recommended settings come with the “Baseline versions”. At the moment there is only one baseline version available. But as new Windows versions come, there will be new baseline versions.
Compliance Policies are used to evaluate a device’s compliance against a pre-defined baseline, such as the requirement for a device to be encrypted or to be within a defined minimum OS version. The other new enforced setting is “Specifies whether the display-capture permissions-policy is checked or skipped.” The Security Baseline is now updated to the latest version. If you made a duplication of the Security Baseline you can now assign it to a test group, otherwise it will be deployed in your environment. Avoid backing yourself into a corner by going with the defaults because it’s easy and convenient.
If you check the Official Microsoft Doc, you can see the current Baseline version in use and previous baselines. Implement individual Endpoint security policies for additional settings not covered by the baselines. The canary ring is basically test devices and users to determine the effects of applying policies.
On the Assignments tab, select groups to include and assign the baseline to one or more groups. You will have to enter the name and description of the Security Baseline for Windows 10 or 11. The platform and Baseline version are automatically selected.
When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don’t revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. A security baseline includes the best practices and recommendations on settings that impact security. Intune partners with the same Windows security team that creates group policy security baselines. These recommendations are based on guidance and extensive experience.
Once all the settings are in place click on Next to proceed. Then go to Windows Defender Firewall settings and make sure firewall settings are set to Yes.
If there are differences in the settings between the baseline policies and those configured in Intune MDM, MAM and Endpoint security, you’ll end up with a conflict. Thus, you will either need to make sure that the settings are identical between all the policies that you use or stop using some of the conflicting policies. Generally, I would suggest that just using the baseline policy for the setting is a best practice approach. When you look at the settings available in these baselines, as shown above for Edge, you’ll notice that they basically contain many of the same settings available to you in individual Endpoint security policies.
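
The conflict rule described above can be checked before a baseline is assigned. The following is an added example, not code from the original post or from Microsoft: the policy names, groups and setting names are constructed sample data, and it assumes policies overlap when they target the same group and that "Not configured" values never conflict.

```python
from collections import defaultdict

NOT_CONFIGURED = "Not configured"

# Constructed sample data (hypothetical names), not a real Intune export.
POLICIES = [
    {"name": "Win10 Security Baseline", "type": "Security baseline",
     "groups": {"Pilot ring"},
     "settings": {"Firewall enabled": "Yes",
                  "Block removable storage": "Yes",
                  "SmartScreen": "Yes"}},
    {"name": "Firewall policy", "type": "Endpoint security",
     "groups": {"Pilot ring", "Broad ring"},
     "settings": {"Firewall enabled": "Yes"}},          # identical value: no conflict
    {"name": "Device restrictions", "type": "MDM configuration",
     "groups": {"Pilot ring"},
     "settings": {"Block removable storage": "No",      # differs from the baseline
                  "SmartScreen": NOT_CONFIGURED}},      # ignored
    {"name": "Kiosk restrictions", "type": "MDM configuration",
     "groups": {"Kiosk"},                               # no overlap with the baseline
     "settings": {"Block removable storage": "No"}},
]


def find_conflicts(policies):
    """Return {(group, setting): {value: [policy names]}} for every setting
    that one group receives with two or more different values."""
    seen = defaultdict(lambda: defaultdict(list))
    for policy in policies:
        for setting, value in policy["settings"].items():
            if value == NOT_CONFIGURED:
                continue
            for group in sorted(policy["groups"]):
                seen[(group, setting)][value].append(policy["name"])
    return {key: dict(values) for key, values in seen.items() if len(values) > 1}


if __name__ == "__main__":
    for (group, setting), values in find_conflicts(POLICIES).items():
        print(f"Conflict in group '{group}' on setting '{setting}':")
        for value, names in values.items():
            print(f"  {value!r} set by {', '.join(names)}")
```

Each reported entry is a setting to either make identical across the listed policies or remove from all but one of them.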