Security Baselines in Microsoft Intune are templates that contain policy configurations which, by default, follow the best practices from the Microsoft security teams. That makes a Security Baseline the perfect starting point when creating a new policy set for the modern workplace. When you create a Security Baseline, all settings are pre-configured with Microsoft's security best practices. However, you can change any setting to a value that fits your needs.
There are Security Baselines available for Windows 10 and later, Microsoft Defender for Endpoint, Microsoft Edge and Windows 365 (for virtual machines).
Every once in a while, new versions of a Security Baseline are released by Microsoft. When a new version is released, you can easily update your current Security Baselines as I will show you in this blog post.
When a new version of a Security Baseline is released by Microsoft, a yellow bar is displayed with the message “At least one profile or policy is using a deprecated version. Microsoft recommends that you update all policies and profiles to the latest version”. Also keep in mind that older versions of a security baseline will be read-only until you upgrade them.
Before you upgrade the deprecated version of the Security Baseline, it is good to check which changes were made before deploying it in your production environment. For the following steps, log in to the Microsoft Endpoint Manager Admin Center and navigate to Endpoint Security > Security baselines.
Select the Security Baseline you want to update and open the Versions tab. Select both your current version and the new one and click Compare baselines.
Click Yes to download a comma-separated values (.csv) file.
Open the file, select column A, open the Data tab and click Text to Columns.
Select Delimited and click Next.
Make sure that Comma is selected and click Finish.
Select row 1, open the Home tab and click Sort & Filter. Click Filter.
Click the drop-down menu in the Comparison column and make sure to deselect equal. Click OK.
This will display a list with all the changes. From this point you have the following options:
- Duplicate the current Security Baseline and upgrade the duplicate to the new version, so you can test it with a selected group of users first
- Upgrade the existing Security Baseline directly in your production environment
The choice depends of course on the changes in the Security Baseline.
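The same filter as the Excel steps above can be scripted so the list of changed settings is repeatable and can be attached to a change record. This PowerShell snippet is an added example, not part of the original post: only the Comparison column and its equal value come from the steps above, while the other column names, the other Comparison values, the sample rows and the file name are constructed assumptions.

```powershell
# Added example. Only the "Comparison" column and its "equal" value come from
# the steps above; other column names and Comparison values are constructed.
function Get-BaselineChange {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]] $Rows,

        [string] $ComparisonColumn = 'Comparison'
    )

    if ($Rows.Count -eq 0) { return }

    # Stop if the column is missing, so a changed export layout is not
    # mistaken for "no changes".
    if ($Rows[0].PSObject.Properties.Name -notcontains $ComparisonColumn) {
        throw "Column '$ComparisonColumn' not found in the export."
    }

    # Keep every row that is not marked equal (comparison is case-insensitive,
    # and stray whitespace around the value is ignored).
    $Rows | Where-Object { "$($_.$ComparisonColumn)".Trim() -ne 'equal' }
}

# Constructed sample standing in for the downloaded comparison file.
$sample = @'
"Setting name","Comparison","Old value","New value"
"Constructed setting A","equal","Enabled","Enabled"
"Constructed setting B","modified","Disabled","Enabled"
"Constructed setting C","added","","Block"
"Constructed setting D","removed","Audit",""
"Constructed setting E","Equal ","1","1"
'@ | ConvertFrom-Csv

# For a real export: $rows = Import-Csv -Path .\baseline-compare.csv  (hypothetical file name)
$changes = Get-BaselineChange -Rows $sample

# Summary per change type, then the changed settings themselves.
$changes | Group-Object -Property Comparison | Select-Object Name, Count | Format-Table -AutoSize
$changes | Format-Table -AutoSize
```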
To duplicate a Security Baseline, go to the Profiles tab and click the ellipsis button (3 dots) and click Duplicate.
Fill in a New name and optionally a New description. Click Save.
Refresh the page so the new Security Baseline will be visible. Select the duplicated Security Baseline and click Change Version.
Select the Security Baseline version you want to upgrade to. Then select one of the following options.
- Accept baseline changes but keep my existing setting customizations (this will keep all the customizations you made in the previous version)
- Accept baseline changes and discard existing setting customizations (this will remove your customizations and every policy setting will be the default one from the Security Baseline)
The Security Baseline is now updated to the latest version. If you duplicated the Security Baseline, you can now assign it to a test group; otherwise it will be deployed in your environment.