Previous parts in this series are:
Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1
Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4
One of the biggest challenges with the availability of all these policies via Intune MDM and MAM as well as Endpoint security is getting to a ‘best practices’ state.
One of the benefits that Endpoint security provides is the ability to implement Security baselines as shown above. There is a baseline for Windows 10 security, Microsoft Defender ATP and Microsoft Edge already. Microsoft recently announced that an Office baseline will soon be available.
The idea is that Microsoft will publish a ‘best practices’ baseline, as shown above for Edge, and that you can create a policy or ‘profile’ as it is called here, from this to use across your environment just like any other policy we have already spoken about.
The idea is that, rather than you having to work out and apply a range of best practice settings across all the individual policies, you can simply implement these baseline policies from Microsoft as a starting point.
Another benefit is, as updated baselines are released by Microsoft, you can simply update any existing ‘profile’ you have created with these baselines to incorporate these updated settings.
When you look at the settings available in these baselines, as shown above for Edge, you’ll notice that they basically contain many of the same settings available to you in individual Endpoint security policies. Thus, setting once via a baseline ‘profile’ is a much faster method of implement these settings. Otherwise, you’d probably have to create multiple individual policies to achieve the same level of protection.
You can, of course, adjust any baseline ‘profile’ that you create and when a new baseline is available it can be applied to existing ‘profile’ you have created while maintaining any custom settings you have made in that ‘profile’. You can also create a range of different ‘profiles’ from baselines and target them to different audiences in your environment just as you can with other individual policies from Intune MDM, MAM and Endpoint security.
If you already have individual Endpoint security and Intune policies deployed you will need to be careful if you then start to deploy baseline policies. If there are differences in the settings between the baseline policies and those configured in Intune MDM, MAM and Endpoint security you’ll end up with a conflict. Thus, you will either need to make sure that the settings are identical between all the policies that you use or stop using some of the conflicting policies. Generally, I would suggest that just using the baseline policy for the setting is a best practice approach.
Why do I believe this? If you look at the volume of policy settings that can be made across all options like Intune MDM, MAM and Endpoint security, it makes more sense to me to start with what Microsoft believes is best practice first and adjust from there. Doing so is going to:
1. Reduce the amount of individual settings in individual policies that you need to make.
2. Reduce setting conflicts across all your policies.
3. Allow you to more easily to update to new best practices when they become available.
With this in mind and looking back across what we have talked about so far with MDM and MAM, Intune and Endpoint security, I would suggest this as a new best practice approach to configuring device security is, in order:
1. Implement all Microsoft baseline security policies.
2. Make any required customisations to the deployed baseline ‘profiles’ in your environment.
3. Implement individual Endpoint security policies for additional settings not covered by the baselines.
4. Implement MDM compliance policies for additional settings not covered by baselines or individual Endpoint security policies.
5. Implement MDM configuration policies for additional settings not covered by baselines, individual Endpoint security and MDM compliance policies.
6. Implement MAM application protection polices for additional settings not covered by baselines, individual Endpoint security, MDM compliance and MDM configuration policies.
7. Implement MAM configuration policies for additional settings not covered by baselines, individual Endpoint security, MDM compliance, MDM configuration policies and MAM application protection policies.
in short, start with baselines, then implement individual Endpoint security policies, then Intune MDM policies, then Intune MAM policies.
At this stage, no single policy is going to provide all the protection required. Thus, you need to use a mix of policies across baseline, Endpoint security and Intune to suit your needs. However, in the long run, I see baselines and Endpoint security policies as being the future and suggest you start there rather than the traditional approach that was to start with Intune. If you already have Intune in place, for example, then you’ll need to think about migrating to baselines and Endpoint security policies as I am currently doing. It will be frustrating at times tracking down the duplicates at times, but I suggest doing so will position you better for future improvements in the device management space.
Success with device management is not merely about select the right setting in a policy, it is also about deploying it effectively into your organisation. That’s what I’ll take a look at in the next article.
As something else to consider, I’d suggest you have a read of my article:
In light of the recommendation to apply Microsoft baselines. The questions to think about are – in the future why can’t Microsoft simply apply these baseline policies automatically and use AI to fill the gaps with additional settings? Where does that then leave those who are setting device polices today?