Alignment to Microsoft baselines in Intune

[Wazza22]

How do these policies align with the Microsoft baseline policies in Intune? Would you use these policies in addition to using the Microsoft security baselines or is it one or the other? I noticed some differences in your policies from the MS baseline ones, example:

Policy: Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI - v3.1
Credential Guard = (Enabled without lock) Turns on Credential Guard without UEFI lock.

MS Policy: Microsoft Defender for Endpoint Baseline
Credential Guard = (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.

[incedIT]

Unofficial answer, but I use this baseline instead of the Microsoft baselines. One of the biggest issues is that some of the Microsoft baselines tattoo their configuration to the endpoint, so settings will not change even when I edit the policy. It's also great to have policies split out into categories as it is easier to find what you are looking for.

If you enable that setting with UEFI lock, it requires physical prescence to turn it off, so it is more secure but can be a pain for admins. With UEFI lock off, it can be disabled using the registry. Our users are standard users with Applocker blocking regedit so although there is some risk compared to locked, the ability to be able to support remotely outweighs for us at least.

Ref: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/
"The default enablement is without UEFI Lock, thus allowing administrators to disable Credential Guard remotely if needed."
"UEFI lock... prevents attackers from disabling Credential Guard with a registry key change"

[Wazza22]

Great explanation - thanks for the detailed answer.

[xenadmin]

@SkipToTheEndpoint As mentioned in #44 I had a few questions. As it turns out, there is already a very similar discussion. I'm asking myself the same question: How does this align with the Intune | Endpoint security | Security baselines from Microsoft?

In my understanding, it replaces them. But somehow not completely, and that confuses me. Maybe this needs a paragraph in the Wiki or readme?

So far, it looks to me like this:

Microsoft Security Baseline for Windows 10 and later
gets replaced by:
Win - OIB - Device Security - *

Microsoft Defender for Endpoint Security Baseline
gets replaced by:
Win - OIB - Defender Antivirus *
Win - OIB - Windows Firewall - *

Microsoft Security Baseline for Microsoft Edge
gets replaced by:
Win - OIB - Microsoft Edge - *

Microsoft Windows 365 Security Baseline
gets replaced by:
Win365 - OIB - Device Security - *

Microsoft 365 Apps for Enterprise Security Baseline
gets replaced by:
Win - OIB - Microsoft Office - *
Win - OIB - Microsoft OneDrive - *

But, I see a proper replacement for everything, but the Microsoft 365 Apps for Enterprise Security Baseline. Those don't replace each other. And there is a reason, I bet.

Could you elaborate a bit, about how this replaces the MS Baseline, and how it's meant to be aligned?

[SkipToTheEndpoint]

Hey @xenadmin.
So my intention has never specifically been to 1:1 duplicate any framework, be it CIS or MS, but there's obviously a significant amount of overlap across them.
What those other frameworks don't take into account is:
a) Subsequent Admin manageability.
b) User experience.

So to answer your question:
If someone needs to deploy CIS, or is told to stick to the MS baseline - Sure, go do that, and deal with the inevitable frustrations of trying to do so.
If someone wants to start from a "known good" configuration that's laid out with manageability in mind, that also deeply cares about the end-user experience - Start here!

The other important thing to note is that whether it's MS, CIS or the OIB, if you don't like the way a setting is configured or it causes problem for your org - Change it! Think it's missing something - Add it!

On to the M365 Apps Baseline - I've had great success deploying it alongside the OIB, but it does cause some noticeable pop-ups and potential issues that could very much break an environment that uses legacy systems and processes. Go ahead and very carefully test it in your environment.

[xenadmin]

Hi @SkipToTheEndpoint, sorry for the late reply and thanks for your reply.

my intention has never specifically been to 1:1 duplicate any framework, be it CIS or MS, but there's obviously a significant amount of overlap across them.

I 100% understand this, and the overlap just obviously leads to such questions.

What those other frameworks don't take into account is:
a) Subsequent Admin manageability.
b) User experience.

That's what I love this project for. It aims a good middle spot for SMB.

So to answer your question:
If someone needs to deploy CIS, or is told to stick to the MS baseline - Sure, go do that, and deal with the inevitable frustrations of trying to do so.

Not my goal at all =)

If someone wants to start from a "known good" configuration that's laid out with manageability in mind, that also deeply cares about the end-user experience - Start here!

That's why I'm here!

The other important thing to note is that whether it's MS, CIS or the OIB, if you don't like the way a setting is configured or it causes problem for your org - Change it! Think it's missing something - Add it!

Of course, already altered minor settings, like allowed extensions ;-)

On to the M365 Apps Baseline - I've had great success deploying it alongside the OIB.

That's the core of my question, isn't it? You would import (nearly) everything from OIB, but additionally you would deploy the MS365 Apps Baseline. But not any of the other baselines, as there would be obvious conflicts, right?

Is that what it would boil down to: OIB + MS365 and I could ignore the others?

Oh and what I forgot: Would you like to explain, why you especially did not re-create the MS365 Apps Baseline, like you did with, Windows, Defender and Edge? You altered all three to be good at "Subsequent Admin manageability" & "User experience" but left that one out, there must be a reason?