Deploying latest Microsoft Edge Security baseline using Intune


Microsoft generally keeps its security baselines up to date as new versions are released, be it Windows 10/11, Windows Server 2022, Microsoft 365 Apps or Edge. The Edge security baseline for v112 was recently released and I wanted to roll it out in my tenant using Intune. This blog post covers the details of the setup.

If you are still using GPOs, you can easily import the security baseline templates and assign them. In Intune, Microsoft introduced security baseline profiles to allow rolling out the security baselines out of the box. However, despite being a cloud-managed feature, those baselines have not been updated in a long time. As of 31st March 2023, in a blog post comment, Microsoft has indicated that the security baselines in Intune may now finally be getting updated. More details can be found in this link.


This is fantastic news and long awaited in my opinion. However, if you don't want to wait until the security baselines are updated in Intune, you can import them into Intune and start rolling them out right away.

A security baseline is Microsoft's set of recommended settings and best practices that improve the overall security posture, so implementing it is a no-brainer. However, the baselines can be restrictive, so the general rule of thumb is to test the settings before rolling them out to production.

Unlike the other security baselines, the Edge baseline doesn't come with its own templates. Instead, it ships with a backed-up GPO report (gpreport.html), which we are going to import, and then migrate its settings using Group Policy analytics in Intune.

Note: There are many ways to import these settings into Intune, but for all intents and purposes I am going with the option that needs the least administrative effort to get the settings imported and set up in Intune.

A quick word on Group Policy analytics

Before Microsoft added the ability to import GPO templates directly into Intune, Group Policy analytics, found in the Reports section of Intune, already allowed organizations to generate a report, assess the readiness of each setting and evaluate the options for implementing it in Intune. Although the tool is still in preview, it is a powerful feature, especially for handling GPO-like settings, and extremely handy in the absence of actual template files.

Let's see how to import the GPO and then migrate the available or supported settings into the settings catalog in Intune.

1. Download the security baseline from here if you haven't already.

2. Unpack the contents and sign in to the Microsoft Intune admin center.
3. Browse to Devices > Group Policy analytics (preview) > Import.
4. Click Import and select the XML for the GPO that you want to import. In the case of Edge, the downloaded baseline already includes the GPO report, which can be imported directly.



5. Next to the GPO that you want in your Settings Catalog profile, select the Migrate checkbox.

6. Select the settings that you want to migrate and hit next.

Note: It is recommended to review the Group Policy settings before migrating them all; some settings may not apply to cloud-based policy management or to cloud-native endpoints.

7. Confirm the configuration settings and hit next.
8. Give a name and hit next.
9. Depending on the category of the settings, assign the profile to either a user-based or a device-based group. In this case, since the Edge security baseline targets devices, I chose to assign it to a device-based group.



There is also the option of configuring the security baseline settings individually. Here is the full list of settings available in v112 of the Edge baseline.


End result

Once the device syncs, the policies will be applied, and this can be verified both locally on the device and in the Intune admin center.
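For the local verification, here is an added PowerShell check (example code, not from the original post) that reads the ADMX-backed Edge policy values under HKLM:\SOFTWARE\Policies\Microsoft\Edge on a synced device and compares them with an expected set. The policy names and values in $Expected are an assumed subset chosen for illustration; replace them with the full list from the baseline's gpreport.

```powershell
# Added example (not from the original post): check which of the expected
# Edge baseline settings have actually landed on a device after the Intune sync.
# ADMX-backed Edge policies are written under the key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Assumed subset for illustration: registry value name => expected data.
# Take the real, complete list from the gpreport shipped with the baseline.
$Expected = [ordered]@{
    'SSLErrorOverrideAllowed'          = 0        # no click-through on TLS errors
    'SitePerProcess'                   = 1        # site isolation for every site
    'SmartScreenEnabled'               = 1        # Defender SmartScreen on
    'PreventSmartScreenPromptOverride' = 1        # no bypass of SmartScreen warnings
    'SSLVersionMin'                    = 'tls1.2' # minimum TLS version
}

function Test-EdgeBaseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary]$Expected,
        [string]$Key = $PolicyKey
    )
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "No Edge policy key at $Key; the profile has not applied yet (trigger a device sync)"
        return
    }
    foreach ($name in $Expected.Keys) {
        # -ErrorAction SilentlyContinue: a value name that is not present simply yields $null
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        $status = 'Mismatch'
        if ($null -eq $actual) { $status = 'Missing' }
        elseif ("$actual" -eq "$($Expected[$name])") { $status = 'OK' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

# HKLM policy values are readable by standard users, so no elevation is needed to audit them.
$results = Test-EdgeBaseline -Expected $Expected
$results | Format-Table -AutoSize
if ($results.Status -contains 'Missing' -or $results.Status -contains 'Mismatch') {
    Write-Warning 'Device does not match the expected baseline subset; compare with the Intune per-setting status'
}
```

A setting reported as Missing on a device that shows Succeeded in Intune usually means the GPO setting had no Settings Catalog equivalent and was dropped during migration, so cross-check the migration report for that name.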




Compliance status of each setting can be viewed in the Intune admin console as well.


Conclusion

The migrate feature works on a best-effort basis: it takes the parsed data from the imported Group Policy object (GPO) and translates it to the corresponding setting in the Settings Catalog, if such a setting exists. With Microsoft's recent mention of updating the security baselines in Intune in the coming months of 2023, assigning the security settings should become seamless, but until then we may just have to work with what we have.
