During my engagements I get to see many different environments and learn how customers transform to a modern workplace. In this series I will share the top 5 questions that come up. In this blog post I will answer:
How can I migrate my existing settings, because they were good?
My first question is always whether it really makes sense, or rather: when were the policies last created from scratch? Often they have been in use since Windows XP/7. If they were recreated, for example in a Windows 10 project, my next question is whether the settings follow a specific security baseline such as the Microsoft, CIS or NIST ones, to name just a few. In most cases the settings were chosen based on the experience of a single engineer, which is in most cases not optimal…
As soon as we decide to rebuild the policies and have defined which framework to use, we also have to decide how we deploy them. Especially when choosing the Microsoft Security Baseline, we have the built-in Security Baseline feature within MEM. It is important to mention that these settings are not the same as in the official Microsoft Security Baseline. But why?
The standard Microsoft Security Baseline contains various settings that are not relevant in a cloud-only environment, while the MEM/Intune Security Baselines were built for a fast start in a cloud-only environment. Therefore, when you are using Azure AD Join and no longer use servers with NTLM/Kerberos authentication in your on-premises network, you can use the built-in policy, which gives you a fast start without much effort. But keep in mind that some settings within the MEM-based baseline are bundled, so you cannot disable every setting or set every setting to Not configured individually. In normal cases this should not be a problem.
If you are using on-premises services or Azure AD Hybrid Join, I follow the standard Microsoft Security Baseline and do the tedious work of going through the whole Excel sheet and configuring each setting in an Intune policy. Thanks to the Settings Catalog this is now much simpler.
In most cases it is recommended, and the best approach, to start from scratch based on an official security baseline and then deploy just the most important of your existing settings, like Office templates, OneDrive configuration and others.