One question I’m often asked is around security policies within Intune, where to set them and why can they be set in so many different places?
Before I start on what I prefer, there is no right or wrong answer for this one, ultimately they are all changing the same files/registry keys so it is personal preference. I would also suggest watching the excellent AMA from Microsoft on the subject here
So, what are the options:
- Standard policies within Device Configuration (device restrictions, settings catalog etc.)
- Security Baselines
- Setting policies within their individual security blades
The one thing to note is DO NOT set the same setting in two different policies or they’ll conflict on both policies, even if the setting value is the same.
Let’s look at the Pros and Cons of each one:
Standard Policies
The traditional way of managing settings within Intune, simply hop into Devices – Device Configuration and create a policy. For security settings this will be a mix of a Settings Catalog, Device Restrictions and possibly some Administrative Template based settings if you’re still working with Internet Explorer (for example)
These are what we are all used to and with the recent updates we even get the nice Settings Catalog style view on all of the policies with an overview of how they are working:
It looks nice and works nicely, but does have a couple of drawbacks:
Firstly, if you want to delegate access to your Security team, you’re going to need to start playing with Scope tags (have a read here if you’re not familiar), or give them read-only to everything.
Secondly, they aren’t centrally updated like the Baselines (more to follow)
Thirdly, you don’t have buttons to fix any issues with AV signatures etc. (again, more to follow)
If these don’t bother you and you want to stick to one page for all policies, setting them here is perfectly acceptable.
Security Baselines
Introduced back in 2020, Security Baselines are:
Security baselines are groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles.Accessible via the Endpoint Security Menu, Windows Security Baselines gives a long list of settings which you can simply switch on or off (and it is a long list)
The one key advantage of these is that Microsoft update them centrally with new settings and to apply the new settings it is as simple as changing the version:
It’s worth noting that when a new version is released, any current policies will switch into Read-Only mode until the version has been updated. They will continue to apply to devices, but you can’t change them.
If you are starting out on your Intune journey, these are an excellent starting point and even now I use a custom baseline to catch some settings not picked up elsewhere.
The drawbacks to a baseline:
- It hasn’t received the updated overview yet
- There are a LOT of settings, if you get conflicts or errors, make use of the Arrange by buttons on the columns
- You can’t remediate issues within the Baseline policies
- If a setting has options of Configured or Not Configured, changing a setting which was previously Configured to Not Configured will NOT revert on the devices. It simply stops sending any commands for that setting. If you apply a setting and it causes issues, the only way to revert is to start digging in the registry (or rebuild)
Security Blade Policies
A relatively new feature within Intune are the specific security policies within the Endpoint Security blade which contains the usual suspects as well as a few newer options:
One of the key advantages here is that you can delegate permissions to this section only via either the Endpoint Security Manager role, or a custom role with access to Security Baselines and Security Tasks which will please a security team, but without having to give them full access to everything.
Some of these newer options include:
Setting local admins on devices by Group:
And blocking devices/device services:
What I like about these is the overview screen where you can quickly spot any issues and remediation actions
You then have options to remediate the issue:
These policies don’t cover all settings though, they are my preferred method of deploying, but I tend to mix and match with Security Baselines as well.
If you do go down this route, these are the policy settings to miss on a baseline to avoid a conflict
- Bitlocker
- Browser (I use the Edge baseline)
- Firewall
- Microsoft Defender
If you want a copy of my baseline, it is on Github
As mentioned at the start, there is no right or wrong way to apply these policies, but hopefully this will help in the decision making.
Thank YOU!
Wish I found this earlier, thanks for laying it all out
Glad you have found it useful, these policies can be a minefield to work out what’s best!
Amazing explanations, incredibly practical. Thank you for your expertise and time on this.
Would there be a section for comparisons between Security Baselines EG. Intune vs M365 Defender for Endpoint?
Yes, I will get that added on ASAP. My personal opinion is the Defender for Endpoint baselines within Intune Baselines are a quick deployment, but don’t have the same control as setting them individually via each security blade. The main Security Baseline has settings which would otherwise be in Admin Templates around IE and RDP so these have some use, where as the Defender for Endpoint settings are all the same as can be set via individual policies, just without the same level of control and granuality.
Andrew thank you for this great post and I’m loving all content in general.
I have quick question, hoping you can point us in the right direction. Near the end you mentioned that the blade policies don’t cover all the settings. So I’m curious if you have a resource that shows what is missing from the blade policies that’s covered else where?
Hi, it’s mostly around the more legacy parts, IE11, RDP, TLS etc. I usually create those in a Security Baseline, but use the security blade where possible. Happy to send a JSON extract of the baseline if it would help
That would amazing, thank you so much!
Here you go, json and a Microsoft PowerShell script to import it if needed:Github
What should we use at the assignments -> all users or all devices? if i need to apply it to all
It depends on what the policy is doing and what settings it is applying. If you can provide a bit more info I should be able to advise better
Great stuff, but what kind of permissions are needed for the script to run ?
I already have Intune administrator
You will need to grant MS Graph for the permissions it needs when connecting. You’ll need Global Admin or Roles admin for that part