Security Baseline (Endpoint Manager) - Configure and apply the Security Baseline

This step by step tutorial will show you how to configure and apply the Intune / Endpoint Manager security baseline

This is Part 1 of a 5 part series

=======================================================================

Welcome to part 1 of my five part series of tutorials taking you step by step on how to configure Microsoft Endpoint Manager / Intune focusing on the essential security configurations.

Security Essentials - Five part series

1. Configure and apply the Security Baseline - Link - This Tutorial

2. Configure Windows Hello for Business - Link

3. Configure Windows 10 Compliance Policy - Link

4. Enabling and Configuring BitLocker - Link
5. Utilize dedicated Intune admin accounts rather than Global Admin accounts - Link

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 

How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=======================================================================

1. Configure and apply the Security Baseline

The Intune / Endpoint Manager security baseline is the preferred solution for applying a default configuration to your endpoints. The default configurations are a great start for securing your environment, and it is a pretty easy process to edit settings as needed in the future.

Like all things security related, it is highly recommended to test to a small pilot group first to ensure you aren't affecting all users with a restriction that affects corporate productivity. 

Resources - 
Security Baselines - Link

In this tutorial, I will be configuring the Security Baseline to apply my pre-determined settings to meet my Password requirements. All other configurations will be kept to default at this point.


To configure and apply the Security Baseline -
Endpoint Manager - Endpoint Security - Security Baselines


Select the baseline - Windows 10 Security Baseline


Create Profile


Name - Windows 10 Security Baseline for Corporate Devices and Staff
Description - This security baseline applies to all Corporate devices and staff


Configuration settings -
Note that you can search for settings - like UAC if you need to edit the UAC functionality.

Review your business needs and update the Security Baseline as needed.

Scroll down and expand the section - Device Lock
Below shows the defaults in the version for December 2020.
Hover mouse over the info symbol to view more details on each of the options.


The hover mouse function shows more info for each of the options.
Note that setting the number of sign-in failures before wiping device to zero to disable the auto-wipe function will be important when creating a Security Baseline for Windows 10 BYOD devices for example.


For this tutorial, I have configured as below as I want to enforce a six digit PIN on Windows devices.

Configure as per business needs - Next


Scope tags - Not configured

Assignments -
For this tutorial, I have added my groups to cover all users protected by MFA and all Windows 10 autopilot devices, and Corporate devices.


Assignments will now display the groups targeted
Next


Review and Create
Create



========================================================================

Check out all my tutorials - Link 

Highlights include - 
13 part series on how to perform the initial Tenant and Intune Configuration - Link 

1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions
10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online

===============================================================

 

About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry