Microsoft Intune Baseline Configuration and Customization

Protect your organization with compliance, device profile, and app protection policies

Key Takeaways:

How does Intune's security baseline policy enhance Windows device security configurations?
What role does the Policy and Profile Manager play in managing security baselines in Intune?
How can organizations monitor device compliance status with Intune's compliance policies?
What are the key steps to creating device configuration profiles in Intune for Windows devices?

In the mobility management space, cloud-based Microsoft Intune is a valuable productivity tool that keeps corporate data secure. It does this by managing user access to resources while simplifying application and device management across virtual endpoints, mobile devices, and desktop computers. 

Device and network security is paramount in today’s cybersecurity landscape. In this article, we’ll cover Intune security baseline and compliance policies, device configuration profiles, and app protection policies. 

Security baseline policies

Security baseline policies offer a set of recommended security configurations for devices operating on Windows 10 version 1809 and later, as well as Windows 11 (be sure to verify the compatibility with the latest Windows versions). Although Windows is designed to be secure right out of the box, setting your own baseline policies gives you granular control over security configuration. 

Every security baseline consists of a group of preconfigured Windows settings that can be customized. Creating a security baseline profile in Intune means you’ve built a template of multiple device configuration profiles.

The default configuration already enables BitLocker for removable drives, requires a password to unlock a device, disables basic authentication, and more. Default values that don’t work for your organization can be customized for your needs.

The most current version of the security baseline – November 2021 – offers more than 30 customizable settings. Each setting is set to the recommended configuration. Settings are provided for credentials, data protection, Device Guard, Internet Explorer, and Microsoft Defender.

Managing baselines

Managing baselines in Intune requires the Policy and Profile Manager built-in role. With that role, sign in to the Microsoft Endpoint Manager admin center, open the Endpoint security node, and select Security baselines. Then choose the Security Baseline for Windows 10 and later.

  • Click + Create Profile to create your security baseline by selecting the latest version. Each new version of the baseline replaces the previous version. You’ll enter a name and description of the security baseline.
  • You can add Scope Tags to ensure the right I.T. admins have access to and visibility for the required Intune object. Next, on the Assignments tab, select included groups and assign the baseline.

Profiles can be edited through Endpoint Security > security baselines, selecting the baseline type, and then selecting profiles. Find the profile you want to edit, select Properties, make your changes on all tabs, and select Review + Save.

Before you deploy the baseline, navigate to the Review + Create tab and examine the baseline details. Selecting Create saves and deploys the profile.

Once deployed, security baselines and profiles must be monitored: which devices match or don’t match the baseline values, which profile applies to which users and devices, and how a given profile’s settings are actually set on individual devices.

Of course, the security state must be monitored as well. 

  • Go to Intune and select Endpoint security > Security baselines, and choose a security baseline type > Properties.
  • Expand Settings to home in on all the settings categories as well as the individual settings in the baseline, including how each is configured for this instance.
  • The monitor options allow you to view the deployment status of the profile on individual devices and user status, plus the status of the settings from the baseline instance.

Click on the Per setting status policy report, which shows the security baseline status of each setting for the policy across all devices and users.
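
The per-setting status report above is easiest to triage when the settings are ranked by how many devices miss them. The script below is an added example, not code from the article or from Microsoft: its summarize() function runs on constructed sample data, and fetch_setting_summaries() assumes that a deployed baseline profile is exposed as an "intent" in the beta Graph API and that its deviceSettingStateSummaries collection uses the field names shown, both of which should be verified against a live tenant before use.

```python
"""Rank the per-setting status of a deployed Intune security baseline.

Added example; it is not code from the article or from Microsoft. The
summarize() logic runs on constructed sample data. fetch_setting_summaries()
assumes that the baseline profile is exposed as an "intent" in the beta
Graph API and that /deviceSettingStateSummaries returns the field names used
below; treat both as assumptions to verify against a live tenant.
"""
import json
from urllib.request import Request, urlopen

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample shaped like a deviceSettingStateSummaries collection
SAMPLE_SUMMARIES = [
    {"settingName": "BitLocker removable drive policy",
     "compliantDeviceCount": 180, "nonCompliantDeviceCount": 12,
     "errorDeviceCount": 0, "conflictDeviceCount": 0,
     "notApplicableDeviceCount": 8},
    {"settingName": "Require password to unlock",
     "compliantDeviceCount": 200, "nonCompliantDeviceCount": 0,
     "errorDeviceCount": 0, "conflictDeviceCount": 0,
     "notApplicableDeviceCount": 0},
    {"settingName": "Basic authentication",
     "compliantDeviceCount": 150, "nonCompliantDeviceCount": 30,
     "errorDeviceCount": 5, "conflictDeviceCount": 15,
     "notApplicableDeviceCount": 0},
]


def fetch_setting_summaries(token, intent_id):
    """Pull the live summaries; needs a Graph token with
    DeviceManagementConfiguration.Read.All (endpoint shape is an assumption)."""
    url = f"{GRAPH_BETA}/deviceManagement/intents/{intent_id}/deviceSettingStateSummaries"
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)["value"]


def summarize(summaries):
    """Return one row per setting, worst mismatch rate first.

    Devices that report 'not applicable' are left out of the denominator.
    Conflicts are flagged separately: a conflict means another profile sets
    the same value differently, so the fix is in that profile, not the device.
    """
    rows = []
    for s in summaries:
        mismatched = (s["nonCompliantDeviceCount"] + s["errorDeviceCount"]
                      + s["conflictDeviceCount"])
        evaluated = s["compliantDeviceCount"] + mismatched
        pct = round(100.0 * mismatched / evaluated, 1) if evaluated else 0.0
        rows.append({
            "setting": s["settingName"],
            "evaluated": evaluated,
            "mismatched": mismatched,
            "mismatch_pct": pct,
            "has_conflict": s["conflictDeviceCount"] > 0,
        })
    rows.sort(key=lambda r: (-r["mismatch_pct"], r["setting"]))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_SUMMARIES):
        flag = "  <-- conflicting profile" if row["has_conflict"] else ""
        print(f"{row['setting']:<35} {row['mismatched']:>4}/{row['evaluated']:<4}"
              f" {row['mismatch_pct']:>5}%{flag}")
```

Running it as a script prints the ranked table; in a scheduled job you would replace SAMPLE_SUMMARIES with the result of fetch_setting_summaries() and alert on any row whose has_conflict flag is set, since a conflicting profile silently undoes the baseline value on every affected device.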

Compliance policies

Compliance policies help ensure all devices meet your organization’s security and compliance requirements. You can set policies that enforce password requirements, encryption policies, and more. Compliance policies in Intune include:

  • Definitions of rules and settings that must be met by users and devices.
  • Actions that apply to non-compliant devices, including user alerts.
  • The ability to block non-compliant users and devices when combined with conditional access.
  • Overriding of conflicting settings that you manage via device configuration policies.

Compliance policies have two parts in Intune. Compliance policy settings that every device receives set a baseline for how compliance policy works in your organization. Device compliance policy is composed of platform-specific rules you custom configure and deploy to user and/or device groups. 

Included with Intune is a device compliance dashboard to monitor device compliance status and get more information about policies and devices.
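
To make the two parts concrete (rules a device must meet, and the action taken when it does not), the following is an added example that is not code from the article or from Microsoft. It builds the request body for a Windows compliance policy using the v1.0 windows10CompliancePolicy resource and then pre-checks a constructed device inventory against the same rules, including the grace period before the "block" action marks a device noncompliant. The rule name and the local evaluate_device() logic are simplifications of Intune's own evaluation and are assumptions.

```python
"""Build a Windows compliance policy for the Graph API and pre-check a device
inventory against the same rules.

Added example, not code from the article or from Microsoft. The body follows
the v1.0 windows10CompliancePolicy resource; the rule name and the local
evaluate_device() logic are simplifications of Intune's own evaluation and
are assumptions. The device inventory is constructed.
"""
import json
from datetime import datetime, timedelta

POLICY_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"


def build_policy_body(min_os="10.0.19045.0", grace_hours=72):
    """Rules (what must be true) plus the action taken when they are not.

    actionType "block" marks the device noncompliant; Conditional Access then
    blocks it. gracePeriodHours delays that so users can remediate first.
    """
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Windows baseline compliance",
        "description": "Password, BitLocker, Secure Boot and minimum OS build",
        "passwordRequired": True,
        "passwordMinimumLength": 8,
        "bitLockerEnabled": True,
        "secureBootEnabled": True,
        "osMinimumVersion": min_os,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",      # assumed rule name
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def evaluate_device(device, policy, now):
    """Return (state, failed_rules, block_after) for one inventory record."""
    failed = []
    if policy["passwordRequired"] and not device["passwordSet"]:
        failed.append("passwordRequired")
    if policy["bitLockerEnabled"] and not device["bitLockerOn"]:
        failed.append("bitLockerEnabled")
    if policy["secureBootEnabled"] and not device["secureBoot"]:
        failed.append("secureBootEnabled")
    if version_tuple(device["osVersion"]) < version_tuple(policy["osMinimumVersion"]):
        failed.append("osMinimumVersion")
    if not failed:
        return "compliant", [], None
    action = policy["scheduledActionsForRule"][0]["scheduledActionConfigurations"][0]
    since = datetime.fromisoformat(device["noncompliantSince"])
    block_after = since + timedelta(hours=action["gracePeriodHours"])
    state = "inGracePeriod" if now < block_after else "noncompliant"
    return state, failed, block_after


# Constructed inventory: a managedDevices export joined with local checks
INVENTORY = [
    {"deviceName": "LAPTOP-01", "osVersion": "10.0.22631.2861", "passwordSet": True,
     "bitLockerOn": True, "secureBoot": True, "noncompliantSince": None},
    {"deviceName": "LAPTOP-02", "osVersion": "10.0.22621.2715", "passwordSet": True,
     "bitLockerOn": False, "secureBoot": True,
     "noncompliantSince": "2024-05-01T09:00:00+00:00"},
    {"deviceName": "LAPTOP-03", "osVersion": "10.0.18363.1500", "passwordSet": True,
     "bitLockerOn": True, "secureBoot": False,
     "noncompliantSince": "2024-04-20T09:00:00+00:00"},
]

# Fixed "now" so the constructed sample evaluates the same way every run
SAMPLE_NOW = datetime.fromisoformat("2024-05-02T09:00:00+00:00")


def evaluate_inventory(inventory, policy, now=SAMPLE_NOW):
    return {d["deviceName"]: evaluate_device(d, policy, now) for d in inventory}


if __name__ == "__main__":
    policy = build_policy_body()
    print(json.dumps(policy, indent=2))   # body to POST to POLICY_ENDPOINT
    for name, (state, failed, block_after) in evaluate_inventory(INVENTORY, policy).items():
        print(f"{name}: {state} {failed} block_after={block_after}")
```

The pre-check is useful before you switch a compliance policy from report-only to a Conditional Access block: it shows which devices would be blocked immediately, which are inside the grace period, and which rule each one fails, so the rollout can be communicated before users lose access.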

Device configuration profiles

Device configuration profiles allow you to configure settings on devices, including Wi-Fi, VPN, and email settings, as well as set device restrictions such as camera disabling and app access restrictions. These profiles are created in the admin center. You will:

  • Select Devices (the node offers Overview, Monitor, By platform, and Manage devices views).
  • Choose Configuration > Create, and choose your platform.
  • The platform you choose determines the settings you can configure.
  • Add your settings.

You can also add scope tags here to filter profiles to specific I.T. groups in distributed I.T. 

Next, for Windows 11 and Windows 10, you’ll add applicability rules that target grouped devices that meet specific criteria. 

  • In the policy, select Applicability Rules and choose if you want to include or exclude particular users or groups.
  • In Property, choose a filter – either O.S. edition or O.S. version.
  • Then, choose Add to save your changes.
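
The following is an added example, not code from the article or from Microsoft, showing what the profile and its applicability rules look like as a Graph API request body, together with a local check of which devices the rules would place in scope. It uses the beta windows10GeneralConfiguration resource; the applicability-rule property names, the osEditionTypes value and the assumption that every rule must be satisfied (include rules must match, exclude rules must not) should be verified against the Graph reference. The device list is constructed.

```python
"""Device configuration profile with applicability rules, plus a local check
of which devices the rules would put in scope.

Added example, not the article's or Microsoft's code. The body uses the beta
Graph windows10GeneralConfiguration resource; the applicability-rule
property names, the osEditionTypes value and the AND-of-all-rules semantics
in in_scope() are assumptions to verify. Devices are constructed.
"""
import json

PROFILE_ENDPOINT = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"


def build_profile_body():
    """One task per profile: block the camera, only on Windows 11 Enterprise."""
    return {
        "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
        "displayName": "DEV-Win11-Ent-BlockCamera",
        "description": "Task: block built-in camera. Scope: Windows 11 Enterprise.",
        "cameraBlocked": True,
        # Applicability rule on O.S. version: Windows 11 builds start at 10.0.22000
        "deviceManagementApplicabilityRuleOsVersion": {
            "name": "Windows 11 only",
            "minOSVersion": "10.0.22000",
            "ruleType": "include",
        },
        # Applicability rule on O.S. edition
        "deviceManagementApplicabilityRuleOsEdition": {
            "name": "Enterprise only",
            "osEditionTypes": ["windows10Enterprise"],
            "ruleType": "include",
        },
    }


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def _version_matches(rule, os_version):
    v = version_tuple(os_version)
    lo, hi = rule.get("minOSVersion"), rule.get("maxOSVersion")
    return (lo is None or v >= version_tuple(lo)) and (hi is None or v <= version_tuple(hi))


def _edition_matches(rule, edition):
    return edition in rule["osEditionTypes"]


def in_scope(device, body):
    """Apply every rule: an include rule must match, an exclude rule must not."""
    checks = [
        (body.get("deviceManagementApplicabilityRuleOsVersion"), _version_matches, device["osVersion"]),
        (body.get("deviceManagementApplicabilityRuleOsEdition"), _edition_matches, device["edition"]),
    ]
    for rule, matcher, value in checks:
        if rule is None:
            continue
        matched = matcher(rule, value)
        if rule["ruleType"] == "include" and not matched:
            return False
        if rule["ruleType"] == "exclude" and matched:
            return False
    return True


# Constructed devices: one Windows 11 Enterprise, one Windows 10, one Pro edition
DEVICES = [
    {"deviceName": "DESK-01", "osVersion": "10.0.22621.2715", "edition": "windows10Enterprise"},
    {"deviceName": "DESK-02", "osVersion": "10.0.19045.3803", "edition": "windows10Enterprise"},
    {"deviceName": "DESK-03", "osVersion": "10.0.22631.2861", "edition": "windows10Professional"},
]


def scoped_devices(devices, body):
    return [d["deviceName"] for d in devices if in_scope(d, body)]


if __name__ == "__main__":
    body = build_profile_body()
    print(json.dumps(body, indent=2))        # body to POST to PROFILE_ENDPOINT
    print("in scope:", scoped_devices(DEVICES, body))
```

Running this against an export of your device inventory before assigning the profile tells you exactly which machines a new restriction will reach, which is also the list of users who need to hear about the change in advance.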

Consider doing the following when creating profiles:

  • Name your policies and use the Description field so anyone can tell what each policy is and what it does.
  • Create each profile around a single task.
  • Create profiles that apply to specific groups within your organization.
  • Separate user and device policies.

And most importantly, any time you create a new restrictive policy, be sure to communicate the change to all users.

App protection policies

Protect your organization’s data – control how apps interact with it. These policies help prevent data leakage, restrict access to sensitive data, and more. Your app protection policies can apply to apps that are or are not managed by Intune and can be customized to meet specific needs. This framework can be used for iOS and Android app management as well. There are three configuration levels:

  • Enterprise basic data protection. Level 1 requires a PIN and encryption and performs selective wipe operations. This entry-level configuration provides data protection controls similar to those in Exchange Online mailbox policies and introduces I.T. and the user population to APP (app protection policies).
  • Enterprise-enhanced data protection. Building on Level 1, this second level introduces APP data leakage prevention mechanisms and minimum O.S. requirements. This configuration applies to most mobile users accessing work or school data.
  • Enterprise high data protection. Level 3 includes advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This is the configuration for users with access to high-risk data.

You’ll create Android and iOS app protection policies through the Microsoft Intune admin center by selecting Apps > App protection policies. Select Create Policy and then the operating system.

  • Add the name and description on the Basics page.
  • Then click Next to get to the Apps page, where you will choose the apps for this policy.
  • Clicking Next brings you to the Data Protection page with settings for loss prevention controls, and you’ll choose the operating system, either iOS/iPadOS or Android.
  • Click Next to reach the Access Requirements page to configure PIN and credential requirements. 
  • Click Next to display the Conditional launch page. Set the sign-in security requirements for your app protection policy. Select a Setting and enter the Value. Select the Action you want to take if users don’t meet your requirements. In some cases, multiple actions can be configured for a single setting. Select the proper conditional launch setting for the operating system, iOS/iPadOS or Android.

Next, you’ll reach the Assignments page, where you’ll choose groups of users to assign the protection policy. Then select Next: Review + Create, where you can ensure correct values and settings. Then, click Create.
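
To show what separates Level 1 from Level 2 in the settings themselves, the following is an added example, not code from the article or from Microsoft. It builds an iOS/iPadOS app protection policy body at each level using the v1.0 iosManagedAppProtection property names, diffs the two, and flags the Level 1 settings that still let data leave managed apps. The values chosen for each level are illustrative rather than Microsoft's published framework values; targeting the policy at apps (the Apps page) is a separate targetApps call and is not shown.

```python
"""Level 1 versus Level 2 app protection policy bodies for iOS/iPadOS, with a
check for settings that still let data leave managed apps.

Added example, not code from the article or from Microsoft. Property names
follow the v1.0 iosManagedAppProtection resource; the values chosen for each
level are illustrative, not Microsoft's published framework values. Apps are
targeted afterwards with the targetApps action (not shown).
"""
import json

APP_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"


def level1_basic():
    """Level 1: PIN, encryption and selective wipe, but no data-leakage controls."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": "APP-iOS-L1-Basic",
        "pinRequired": True,
        "minimumPinLength": 4,
        "pinCharacterSet": "numeric",
        "periodOfflineBeforeWipeIsEnforced": "P90D",   # selective wipe after 90 days offline
        "periodOnlineBeforeAccessCheck": "PT30M",
        "periodOfflineBeforeAccessCheck": "PT12H",
        "allowedOutboundDataTransferDestinations": "allApps",
        "allowedInboundDataTransferSources": "allApps",
        "allowedOutboundClipboardSharingLevel": "allApps",
        "saveAsBlocked": False,
        "printBlocked": False,
    }


def level2_enhanced():
    """Level 2 builds on Level 1: DLP controls plus minimum OS requirements."""
    body = level1_basic()
    body.update({
        "displayName": "APP-iOS-L2-Enhanced",
        "minimumPinLength": 6,
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "printBlocked": True,
        "minimumRequiredOsVersion": "16.0",   # illustrative; conditional launch blocks below this
        "minimumWarningOsVersion": "17.0",    # illustrative; conditional launch warns below this
    })
    return body


# Setting -> the value that leaves a data-leakage path open
LEAK_PATHS = {
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "printBlocked": False,
}


def leakage_findings(policy):
    """Settings in the policy that still permit data to flow to unmanaged apps."""
    return sorted(k for k, weak in LEAK_PATHS.items() if policy.get(k, weak) == weak)


def diff_policies(a, b):
    """Keys whose value differs between two policy bodies, as {key: (a, b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    l1, l2 = level1_basic(), level2_enhanced()
    print("Level 1 leakage paths:", leakage_findings(l1))
    print("Level 2 leakage paths:", leakage_findings(l2))
    for key, (old, new) in diff_policies(l1, l2).items():
        print(f"{key}: {old!r} -> {new!r}")
    print(json.dumps(l2, indent=2))   # body to POST to APP_ENDPOINT
```

leakage_findings() is the check worth running against every exported APP policy in the tenant: a policy that still returns findings is at Level 1 regardless of what its name says, and the diff shows exactly which settings moving to Level 2 changes.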

Microsoft Intune offers a powerful tool to control end-user devices, apply configuration profiles, and set policies, as well as security measures and controls. It offers cross-platform endpoint management with built-in security, mobile application management, and endpoint analytics.

Manage endpoint security with a value-driven I.T. managed services provider

Attentus delivers exceptional results. We hold M.S. Expert certification, have a 97.5% customer satisfaction rating, and for more than 20 years, we’ve been helping customers with their I.T. issues.

Book a free consultation to learn more about how we can help you keep your I.T. environment secure.