Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.
Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.
So lets take a quick peek at the process I went through, in order to update my Security Baseline.
The first thing I did, was to create a brand new security baseline, based on the new version.
This is simply done, by using + Create profile and following the creation process.
- NOTE: Per usual this is taking place in the Microsoft Endpoint Manager admin center in the Endpoint security area: https://endpoint.microsoft.com
I’ve blogged about this before, right here: Comparing Security Baselines in Endpoint Manager using Powershell and Microsoft Graph API – imab.dk
To really confirm what has changed in the Security Baseline, I’m comparing the two. That be comparing the brand new version with the security baseline I have assigned today.
As shown in the illustration below, I have:
- An original: Security Baseline – Windows 10 – December 2020 – IT Department
- A modified: Security Baseline – Windows 10 – November 2021 – Original
And sure enough, the output which comes as a notepad.exe session, tells me that the new version has 1 additional setting, and that 1 setting is defenderAllowScanScriptsLoadedInInternetExplorer. Just as promised by Microsoft.
Next, I’m duplicating my current Security Baseline in order to update the duplicate to the new version.
- I do this, in order to make sure, that settings in a Security Baseline, which is already assigned to my devices, doesn’t have their settings changed unintentionally.
Update/change the version with the Change Version button:
Select the new version from November 2021 and keep your existing setting customizations:
Then I ran another compare between the Security Baseline used today, and the new Duplicate one:
I do this to make sure, that there are no other differences than the newly introduced setting: defenderAllowScanScriptsLoadedInInternetExplorer
This is confirmed from the notepad output as illustrated below:
The setting in question, translates into the highlighted in the illustration below:
At this stage, I renamed the newly duplicated and updated Security Baseline, and assigned it to my devices in place of the previous one.