Security should always be at the forefront of our thinking these days and I can tell you that I’m up to my elbows in it on a regular basis. Today, it was announced that Microsoft has finally developed a security baseline for Intune that should help many us of dealing with custom security policies and help standardize our methods for hardening devices.
With the traditional desktop, I usually walk through a fairly well-defined process when configuring the Group Policy security baselines:
- Go to Microsoft and download a baseline
- Modify it accordingly
- Test and remediate issues
- Deploy to production
Unfortunately, there has been a noticeable lack of guidance for Mobile Device Management (MDM) and modern desktops. Microsoft’s position has been to refer organizations to the out of box configuration of Windows 10 and call it a day.
Trying to sell that to IT security has fallen flat because they need hardened baselines such as the ones published by the Center for Internet Security.
I’m not saying that the Microsoft Windows 10 baselines are unusable, in fact, there is quite a bit of similarity amongst baselines. That being said, the security stance is often more aggressive with the non-Microsoft baselines and they provide the customizations that some customers require.
There is a tradeoff in that the non-Microsoft alternatives do provide greater security but they also begin to cause issues with the applications and the expected functionality needed by IT support.
I’ve worked with customers trying to make sense of how their security baselines can be carried forward to the modern desktop and, without exception, they have had to deal with a lot of complexity and little documentation.
The traditional security baseline has over 450 settings in it and that is only a subset of what is available in the over 3000 Group Policy settings that could be deployed. To make matters worse, only about 150 of those settings can be deployed via MDM, which makes the migration effort a real challenge.
Microsoft offers a free tool called MMAT to help with the migration process, but I find it does little more than identify what you can and can’t migrate from Group Policy to MDM. That translates into more work for us because we have to figure out whether the setting is accessed through the Intune console or if it has to be implemented as a custom MDM policy.
If you ask me, custom policies deserve a special place in hell because the learning curve is steep and, once you learn how to do it, there is still more effort required to migrate each setting across.
Even if you are dead set on migrating your settings there is more to think about. For example, if a device is joined to Azure AD and not Active Directory do all the settings still apply? In the case of the Windows Firewall, you don’t need custom rules for the domain profile because it isn’t used.
So where do we turn?
After hearing about much customer pain, Microsoft has taken to heart that there is a need to provide Intune specific baselines that make sense for modern device configuration.
So, in October, Microsoft will begin releasing a modern baseline that you can use as a template inside of Intune to give you that initial security baseline for a modern desktop. The settings will have a proper GUI, which should significantly improve the process of building custom policies.
The issue some people may have with the initial release is that the baseline is composed entirely of settings that Microsoft has determined as being needed for a modern desktop. I foresee that there will be some disagreement in the industry whether the set of configuration items are deemed complete, as well as whether they are configured correctly.
What about security settings that aren’t managed using MDM?
Keep in mind that the modern desktop is moving towards simplicity so some settings will not make it to MDM.
For those that do, you can use Local Group Policy Objects or Group Policy to deliver the missing settings to devices that are hybrid joined to Active Directory and Azure AD.
I’ve even toyed with Azure Automation and PowerShell Desired State Configuration, but that involves more effort to build the MOF files needed to configure the registry of the device which has its own learning curve.
As with all first-generation solutions, not every policy or feature is available so don’t expect everything to be there, nevertheless, this should unblock some use cases so you can more easily implement security baselines through Intune.
I believe that Microsoft is on the right path but we have to keep in mind that this is the first attempt by Microsoft to directly address this issue. The new user interface gives us something that can be more easily consumed by customers which is a huge win.
I recommend trying to stay within the confines of what Intune can do out of the box and take a very critical look at each setting you wish to migrate. Too often what I see is a lack of effort to understand what the modern desktop is and planning appropriately.
I’ll keep repeating it over and over that the modern desktop isn’t about taking what you have and simply migrating it across to a new platform. Do your homework and you’ll reap the lower complexity and cost of ownership associated with going modern.