Home » Blogs » Top 5 Questions during Modern Workplace Part 5 – Security Settings

Top 5 Questions during Modern Workplace Part 5 – Security Settings

During my engagements I have the chance to see many different environments and learn how customers transform to a modern workplace. In this series I will share the top 5 questions which arise. In this blog I will answer:

How can I migrate my existing settings, because they were good?

My fist question is always if it really make sense or when the policies were created from scratch the last time? Often they were used since Windows XP/7. If they were recreated for example in a Windows 10 project my next question is if the settings follow a specific Security Baseline like the Microsoft, CIS or NIST to just name a few. In most cases the settings were chosen based on experience by a single engineer which is in most cases not optimal…

As soon we decide to rebuilt the policies and have defined which framework to use, we also have to decide how we deploy them. Especially when choosing the Microsoft security Baseline we have the built-in Security Baseline feature within MEM. It is important to mention that these settings are not the same as in the official Microsoft security Baseline. But why?

The standard Microsoft Security Baseline contains various settings which are not important within a cloud only environment and the MEM/Intune Security Baselines were built for a fast start in a Cloud only environment. Therefore when you are using Azure AD Join and are no longer using servers with NTLM Kerberos authentication in your on-premises network then you can use the built-in policy which allows you a fast start without big efforts. But keep in mind, some settings within the MEM based Baseline are bundled and therefore you cannot disable or set all settings to not configured. but in normal cases this should not be a problem.

If you are using on-premises services or Azure AD Hybrid join I follow the standard Microsoft Security Baseline and do the tedious task to work through the whole Excel sheet and set each setting in a Intune Policy. Thanks to the settings catalog this is now much simpler.

Tip When working though the Excel sheet, add a column for the profile name and the Intune setting name. This helps in the future to find the setting again.

Summary

In most cases it’s recommend and the best thing if you start from scratch based on an official security baseline and then deploy just the most important settings like Office Templates, OneDrive Configuration and others.

About
Latest Posts

Follow me

Thomas Kurth

Principal Security Consultant | MVP at baseVISION AG

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past ten years. I love to push and design the modern workplace based on Microsoft 365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

Follow me

2 Comments

Nick · March 2, 2022 at 21:05

Hi Thomas,

Can you explain me where we can find the excel sheet with the various policy settings?

Thanks!

Thomas Kurth · March 26, 2022 at 22:56

The excel file is part of the Microsoft Security Compliance Toolkit: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Top 5 Questions during Modern Workplace Part 5 – Security Settings