Microsoft publishes security baselines for on-premises, Active Directory joined devices in the form of group policies, and organizations around the globe have used them for decades. With these security settings, administrators can control the configuration state of corporate devices and keep them at a known standard. When device management moves to the cloud, group policy is no longer an option, because group policies do not work the same way with Azure AD. Now, by using a Microsoft Intune security baseline, we can apply Microsoft's recommended, pre-defined Windows security settings to Intune-managed, Azure AD joined Windows 10 devices.
- This is only applicable to devices running Windows 10 version 1809 or later.
- Your devices need to be enrolled in Intune with the relevant licenses to use this feature. You can find more information about device enrollment in my previous blog post: http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/
- Microsoft's recommended settings are delivered as "baseline versions". At the moment only one baseline version is available (MDM Security Baseline for May 2019), but as new Windows versions are released, new baseline versions will follow.
- When a new baseline version becomes available, existing security profiles can be migrated to it.
In this blog post, I am going to demonstrate how we can use security baseline policies to enforce security settings.
In my demo setup, I have an Azure AD joined Windows 10 device called W5001.
When I logged in to this device, I noticed that the user had turned off Windows Defender Antivirus protection.
Windows Defender Firewall was turned off as well.
As an administrator, I want both of these services to stay on across all corporate devices, so let's see how we can achieve that with an Intune security baseline policy.
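Before applying the baseline it is worth recording the device's current state so the result can be verified afterwards. The following script is an added example and not part of the original post; it uses the built-in Defender (Get-MpComputerStatus) and NetSecurity (Get-NetFirewallProfile) modules to report whether the two settings found disabled on W5001, Defender Antivirus real-time protection and the Defender Firewall profiles, match what the baseline will enforce. The function name Get-BaselineDriftReport is my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a Windows 10 device; the Defender and NetSecurity modules ship
# with the OS, so nothing needs to be installed.
function Get-BaselineDriftReport {
    $status   = Get-MpComputerStatus
    $profiles = Get-NetFirewallProfile
    $findings = @()

    # Windows Defender Antivirus: the antimalware engine and real-time
    # protection should both be on. A user toggling "Real-time protection"
    # off in the Windows Security app shows up here as RealTimeProtectionEnabled = False.
    if (-not $status.AntivirusEnabled) {
        $findings += [pscustomobject]@{
            Setting = 'Defender Antivirus'; Expected = 'Enabled'; Actual = 'Disabled'
        }
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{
            Setting = 'Defender real-time protection'; Expected = 'Enabled'; Actual = 'Disabled'
        }
    }

    # Windows Defender Firewall: all three profiles (Domain, Private, Public)
    # should be enabled. Enabled is a GpoBoolean, so compare against 'True'.
    foreach ($p in $profiles) {
        if ($p.Enabled -ne 'True') {
            $findings += [pscustomobject]@{
                Setting = "Firewall profile: $($p.Name)"; Expected = 'True'; Actual = "$($p.Enabled)"
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Capture the report once before assigning the baseline and once after the
# device has synced with Intune; Compliant should flip from False to True.
$report = Get-BaselineDriftReport
$report | Select-Object ComputerName, Compliant | Format-List
$report.Findings | Format-Table -AutoSize
```

Because the Intune baseline is evaluated on the device by the MDM client rather than by this script, keep the output only as a local confirmation; the authoritative compliance view remains the device status report in the Intune portal.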