Deploying latest Microsoft Edge Security baseline using Intune

-

Microsoft keeps the security baselines up to date in general with each new versions coming out. Be it Windows OS 10\11, Windows Server OS 2022, Microsoft 365 Apps or Edge. Edge security baseline for v112 was recently released and I wanted to roll this out in my tenant using Intune. This blog covers the details on the setup.

If you are using still using GPOs, then you can easily import the security baseline templates and assign them. In Intune, Microsoft had introduced Security baseline profiles to allow rolling out the security baselines out of the box. However, despite being a cloud managed feature, the baselines have not been updated in a long time. However, as of 31st March 2023, in a blog post comment, Microsoft have indicated that the security baselines may now finally be getting updated in Intune. More details can be found in this link.


This is fantastic news and long awaited in my opinion. However, if you don't want to wait until the security baselines are updated in Intune, you can import them in Intune and start rolling them out right away. 

A security baseline includes the best practices and recommendations on settings by Microsoft that improves the security posture overall so it is a no brainer to implement it. However, the baselines can be restrictive, so general rule of thumb is to test the settings before rolling them out in production.

Unlike other security baselines, Edge doesn't come with its own templates. Instead it comes with a GPO backed up gpreport.html file which we are going to import and then migrate the settings using Group Policy analytics in Intune. 

Note: There are many ways to import these settings in Intune, but for all intend and purposes, I am going with the least administrative option to get the settings imported and setup in Intune

A quick word on Group Policy analytics..

Before Microsoft added the functionality of allowing importing the GPO templates directly in Intune, Group policy analytics within the reporting section in Intune allowed organizations to generate a report, assess the readiness of each setting and evaluate the options to implement them using Intune. While the tool is in preview, it is still a powerful feature, especially when it comes to tackling with GPO 'like' settings and extremely handy in absence of actual template files.

Let's see how to import the GPO and then migrate the available or supported settings over to settings catalog in Intune

1. Download the security baseline from here if not already done.

2. Unpack the contents and get ready to sign-in to the Microsoft Intune Admin Center
3. Browse to Devices > Group Policy analytics (preview) > Import
4. Click on Import and select the xml for the GPO that you want to import. In case of Edge, the downloaded baseline already comes with the GPO report which can be directly imported.



5. Next to the GPO that you want in your Settings Catalog profile, select the Migrate checkbox.

6. Select the settings that you want to migrate and hit next.

Note: It is recommended to review the Group Policy settings before migrating them all. It's possible some settings may not apply to cloud-based policy management or don't apply to cloud native endpoints.

7. Confirm the configuration settings and hit next.
8. Give a name and hit next.
9. Depending on the category of the settings, either assign to user based group or devices. In this case, Edge security baseline being for devices, I chose to assign to a device based group.



There is also an option of configuring the security baseline settings individually. Here is a full list of settings available in v112 of Edge.


End result

Once the device syncs, the policies will be applied and the same can be verified both locally on the device and in the Intune admin console.




Compliance status of each setting can be viewed in the Intune admin console as well.


Conclusion

The migrate feature work on best effort basis. It takes the parsed data from the imported Group Policy object (GPO) and translates it to a relevant setting in the Settings Catalog, if the setting exists. With the latest mention by Microsoft relating to updating the security baselines in Intune in the coming months in 2023, the assignment of the security settings should become seamless, but until then, we may just have to work with what we got.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more