Device Hardening with Endpoint Manager Security Baseline for Windows Policy

The word on the street is not “If I get hacked” but “when I will get hacked” and securing your infrastructure starts from your end users and devices and hardening those devices that the users use every day have never been so important. Security Baseline policy for Windows 10 and later. This is one of the recommended policies that just needs to be created at a minimum level and the latest settings template will be assigned to the devices. I would say the effort to configure this policy is just less than 5% of what needs to be enabled to give your device that “acceptable” security configuration. This is somewhat similar to other famous security frameworks as the recommendations have been created by the Microsoft Security teams as a way to close the gaps as well as to enhance the end-user device’s security posture.

The good thing about the baseline is, it covers pretty much all the critical areas of the device when it comes to security, and you can build your advanced policies on top of this. This article includes my experience and texts from Microsoft docs which I found useful.

At a glance, Security Baseline will,
Stop SMBv1, Enable Windows Defender Firewall, Enable Defender AV settings, Control LM Compatibility settings (LM, NTLM, NTLMv2), Disables Autoplay, Manages Smart Screen and the list goes on

MEM enrolled and MDE onboarded requirement

The device needs to be enrolled into Endpoint Manager and have onboarded into Defender for Endpoint in order to use the features of this as this has both MEM and MDE setting enforcements. Device assignment will be done via Azure AD groups.

Windows version requirement
  • Windows 10 version 1809 and later
  • Windows 11
Licensing requirement

Microsoft Defender for Endpoint P1 or P2 – to cover the Defender related settings
An Intune license for Device Management settings

Where to find the baselines

Endpoint Manager > Endpoint Security > Security baselines > Security Baseline for Windows 10 and later

Policy Sync times
  • 24 hours to fully apply the policy to the workstation
  • Any changes to the policy will take 6 hours to appear
Group Policy over MEM

Worth noting and a reminder to check your GPOs. Chances are some policy settings may have already been implemented via GPO(s). If that’s the case, this is a good time to move that function to Endpoint Manager. Also, you may need to consider the MEM Wins Over GPO configuration policy

Piloting before rolling out

It is highly advisable to pilot the Baseline Policy in few computers as the user experience can be tough if they start getting disruptions. Plan your comms so the users know there is a change coming that protects their workstations better.

User noise and fine tuning

This comes to the User noise and fine tuning. It is important the security team evaluate and review the settings and identify user impact if there are any. I’ll give you an example.

Attack Surface Reduction (ASR) Rules under the Microsoft Defender section. When enabling ASR Rule policies, Microsoft advises to enable them in Audit mode first at least for 30 days and review the reports to see each rule’s impact on user computers. The rules can be quite stringent to set to Block mode at once. However, enabling the Security Baseline Policy will set the ASR rules to Block mode as that is the template Microsoft has created. This is contradicting but be mindful when enabling the baseline as it can make user noise. No finance user would like their Excel Macros to get blocked suddenly. It’s a process.

Likewise, there are few settings that helpdesk might get complaints on. So again, review the policy settings, fine tune if required.

Duplicating policies

You can easily duplicate a policy and create a new one. The duplicated policy will not get assigned to any device group until you add a group to it.

This method can be handy when you need to change a subset of settings and apply to a pilot set of devices and if all good, then discard it and change the original policy’s settings.

Changing baseline versions

To keep up with the current Security trends Microsoft keep on updating the Baselines and introducing new settings to it. As a result, the versions of the Baseline get changed. If and when there are version changes, you will see an exclamation mark in front of the policy – meaning its outdated. In that case you need to update it. If you check the Official Microsoft Doc, you can see the current Baseline version in use and previous baselines.

from MS Docs

Before applying the new policy, you can review and compare the policies.

Test the new version to a pilot group before converting the current policy to the new version which can get applied to the whole fleet.

Compare Policies

Select both the policies and select Compare Baselines option and a CSV file will get downloaded

from MS Docs

The CSV File will clearly show the rules that’s Added and what’s being Removed.

Change Baseline Version

When you are ready to change the versions,

Select the outdated policy, Change Version option will get activated

from MS Docs

You can select the version as below and confirm the selection. The assigned device group will get the updated policy version and if there are any new settings, they will be applied.

from MS Docs
Conflicting settings with other policies

This very important because simply you don’t need to have the same setting setup in two different policies with different options.

Imagine you have setup this ASR Rule setup in the Security Baseline policy

Block Office applications from injecting code into other processesBlock

And in the Endpoint Security > Attack Surface Reduction Rules the same rule has set to Audit

This will conflict this setting as it has 2 values in 2 policies and will end up seeing a conflict in the reports and this will not get applied to the devices.

However, if you setup Not Configured in one policy for the same setting if that option is available, the other customization will take priority over that.

Advanced settings available in other security polices

This has a connection to the previous section. Security Baseline will activate some of the important settings of each aspect of the Windows OS. In some sections, it will only touch base a subset of settings and more advanced settings are available in the relevant specific policy. And you will see the same setting is available in that specific policy which you configured in the Security Baseline. This will end up in a conflict. Make sure you cross check the policies and set the settings to Not Configured in one policy to avoid those conflicts.

Example: Microsoft Defender Firewall Policy and the Firewall section in the Security Baseline

Default Inbound Action for Domain Profile setting Vs. Inbound Connections Blocked setting

Microsoft Defender Firewall Policy

Firewall section in the Security Baseline

Removing baseline and settings tattooing issue

This is something that Microsoft has fixed, but I have seen it’s not 100%. The settings in the Security Baseline policy are a bunch of CSPs (Configuration Service Provider) that has its own setting parameters and values. The idea of removing a device group from an assignment makes those CSPs to revert back to their default value is not possible sometimes. Same as how a GPO would work. Unassuming the GPO from that user or the computer won’t remove the change that’s done most of the time.

Microsoft recommends creating a new Security Baseline and set that specific setting to Not Configured and let the device sync. But that might not work all the time if that specific setting in the Windows OS doesn’t have the Not Configured option.

This is what Microsoft has to say about it.

from MS Docs

This is equally important as you need to know which devices has been synced with the policy and which settings has been ended up in error and conflict state.

Device Status

Per Setting Status

Devic Configuration reports (Select Devices > All devices > select a device > Device configuration) of device will further tell you more about the policies if they have successfully applied or will show if there are conflicting policies.

Monitor assignment failures and dig into the settings and devices with the issue

Endpoint Manager Monitor section offers some good diagnostics and with a little bit of digging around you can pinpoint what’s the conflict or the error setting so you can go and change it accordingly.

Filer for Status == Conflict

Click on the Setting name and then you’ll find other profiles with the same setting

Error handling

Event Viewer Logs are in Event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin location for further policy troubleshooting.

Final thoughts

Do you need a Security Baseline? Yes. Will this be enough to protect your devices? No. Why? Microsoft have heaps of other Security policies specific to different areas of the device (BitLocker, Device Control, Firewall, ASR etc.) and they must be rolled out properly after evaluating the impact and with proper change management processes. But yes, surely the Baseline Security policies will harden your end user Windows devices as the step one of the device protection journey where you then apply the specific polices on top of it.


One thought on “Device Hardening with Endpoint Manager Security Baseline for Windows Policy

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.