MDM administrators that utilize Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines. A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices. For instance, MEM offers security baselines for Windows 10, Microsoft Defender ATP and Edge. Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that will address fundamental security and compliance issues. Some admins may be surprised that security baselines are available for Group Policy as well.
The Benefits of Using Security Baselines
While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state. There are a number of benefits of using security baselines offered by Microsoft.
- They are already configured by Microsoft security experts
- They enforce settings that mitigates contemporary security threats.
- Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
- They ensure that users and device configuration settings are compliant with the baseline
Security Baselines are not just for MDM
Microsoft has been releasing Security baselines since the Windows XP days. Because Group Policy offers far more settings than MDM, the simplification that they offer for AD environments is even more of a benefit. For instance, there are more than 200 Microsoft Edge Group Policy settings for Windows, but only some of these are security related. By implementing Microsoft Edge baselines, you can rest assure that you are deploying the most up-to-date security settings for Microsoft Edge using your GPO environment.
Security Baseline for Microsoft Edge v83
Microsoft just recently announced the release of the Microsoft v83 of Microsoft Edge. Microsoft continues to release new versions and settings for the new Chromium Edge browser. Version 83 includes 19 new computer and user based settings. The accumulated total of Edge settings currently stands at 311 Computer policy settings and 286 User configuration policy settings. The current baseline involves 12 of these settings which are identical to the v80 security baseline.
To obtain the security baseline for Microsoft Edge, you need to download the Security Compliance Kit. The compliance kit the following:
- Importable GPOs
- A script to apply the GPOs to local policy
- A script to import the GPOs into Active Directory Group Policy
- A spreadsheet documenting all recommended settings in spreadsheet form
- Policy Analyzer rules
- GP Reports
Implementing the Baseline into your AD Environment
Keep in mind that you must have the Edge v83 ADMX files contained within your Central Store as a prerequisite. Once you download the toolkit, open the Scripts folder and run either the local policy script or the AD import script as shown below.
In this example we using the Baseline-ADimport script. The script will then import a GPO called MSFT Edge version 80 – Computer that involves the following Administrative Templates.
Some of the configured settings include the following:
The toolkit includes a GP Reports Folder that contains an HTML report of GPO templates available in the baseline.
It is recommended that you stay current with the latest security baselines of Edge and Windows 10. You can keep abreast of future baselines as they become available through the Microsoft website.
You can learn about the newest policy settings available with Edge v83 on the Microsoft website.