Important Update! I published a new export to solve the import issues, but that export missed the following, so if you downloaded it, update it with these changes to match the Security Baseline:
- Administrative Templates > MS Security Guide
  Configure SMB v1 client driver: changed from Disabled to Enabled (driver: Disabled)
- Local Policies Security Options
  Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers: changed from Enable to Disable
- Search
  Allow Indexing Encrypted Stores Or Items: changed from Allow to Block
- Smart Screen (was missing, added)
  Enable Smart Screen In Shell: Enabled
  Prevent Override For Files In Shell: Enabled
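To check that a downloaded export actually carries the values listed above before importing it, here is an added PowerShell audit (not part of the original post or the GitHub repository). It assumes the Settings Catalog export format (a `settings` array of `settingInstance` objects with `settingDefinitionId` and `choiceSettingValue.value`) and that the definition IDs follow the `device_vendor_msft_policy_config_<area>_<setting>` pattern with `_0`/`_1` choice suffixes; the sample JSON is constructed.

```powershell
# Added example: audit a Settings Catalog JSON export against the baseline values
# from the update above. Definition IDs and the _0/_1 value suffixes are assumptions
# about the export format; the ADMX child "Disable driver" value is not checked here.
$Expected = @{
    'device_vendor_msft_policy_config_mssecurityguide_configuresmbv1clientdriver' = '_1'  # Enabled
    'device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers' = '_0'  # Disabled
    'device_vendor_msft_policy_config_search_allowindexingencryptedstoresoritems' = '_0'  # Block
    'device_vendor_msft_policy_config_smartscreen_enablesmartscreeninshell' = '_1'  # Enabled
    'device_vendor_msft_policy_config_smartscreen_preventoverrideforfilesinshell' = '_1'  # Enabled
}

function Test-BaselineExport {
    # Returns one object per drifting or missing setting; nothing means the export matches.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Expected)
    $policy = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $found = @{}
    foreach ($s in $policy.settings) {
        $inst = $s.settingInstance
        if ($inst.choiceSettingValue) { $found[$inst.settingDefinitionId] = $inst.choiceSettingValue.value }
    }
    $drift = @(foreach ($id in $Expected.Keys) {
        if (-not $found.ContainsKey($id)) {
            [pscustomobject]@{ Setting = $id; Expected = $Expected[$id]; Actual = 'MISSING' }
        } elseif (-not $found[$id].EndsWith($Expected[$id])) {
            [pscustomobject]@{ Setting = $id; Expected = $Expected[$id]; Actual = $found[$id] }
        }
    })
    return $drift
}

# Constructed sample: an export that still has the old Search value and lacks Smart Screen.
$sample = @'
{ "name": "Windows MDM Security Baseline (constructed sample)", "settings": [
  { "settingInstance": { "settingDefinitionId": "device_vendor_msft_policy_config_search_allowindexingencryptedstoresoritems",
      "choiceSettingValue": { "value": "device_vendor_msft_policy_config_search_allowindexingencryptedstoresoritems_1" } } },
  { "settingInstance": { "settingDefinitionId": "device_vendor_msft_policy_config_mssecurityguide_configuresmbv1clientdriver",
      "choiceSettingValue": { "value": "device_vendor_msft_policy_config_mssecurityguide_configuresmbv1clientdriver_1" } } },
  { "settingInstance": { "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers",
      "choiceSettingValue": { "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers_0" } } }
] }
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'baseline-sample.json'
Set-Content -Path $tmp -Value $sample
# Expected result on the sample: Search reported with Actual ending in _1, both Smart Screen settings MISSING
Test-BaselineExport -Path $tmp -Expected $Expected | Format-Table -AutoSize
```

Point `-Path` at the downloaded JSON instead of the sample to audit a real export; an empty result means all five values match the update.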
I wrote a post a couple of weeks ago with the Microsoft Edge Security Baseline policy re-created in the Settings Catalog. I got a lot of questions asking whether I had done the same for the Windows MDM Security Baseline, and here it is.
This was not a fun exercise; it took a while. I am looking forward to the end of Internet Explorer 11 once and for all: recreating this brought back memories of configuring IE 11 with Group Policies, and not all of them positive.
I prefer the Settings Catalog over the security baseline because it is easier to modify, easier to manage and easier to follow up.
When I recreated the Edge Security Baseline I had to use a PowerShell script to set two settings; that was not needed this time, as all settings were available in the Settings Catalog.
The policy can be downloaded in .json format here:
https://github.com/Ccmexec/Intune-MEM/tree/master/Windows%20MDM%20Security%20Baseline%20Settings%20Catalog
I hope you find it useful
Awesome to see that you created the baseline based on Catalog settings. Only when I try to import it, I get an error message. I normally use “SettingsCatalog_Import_FromJSON.ps1” for the import, but it doesn’t seem to work with the JSON file. How should it be imported? Would be nice if you would mention that on your blog.
Good Idea! I will do that!
Regards,
Jörgen
Hi – I’d popped over to GitHub to take a look at your baseline but can’t seem to find the JSON to download. I can only see a readme file. Any ideas where it might be so I can download it?
Hi Jörgen
Thanks for your great effort giving us this one…
I have just tested your new export, and it is still failing when I’m using SettingsCatalog_Import_FromJSON.ps1:
Add-SettingsCatalogPolicy : Request to https://graph.microsoft.com/Beta/deviceManagement/configurationPolicies failed with HTTP Status BadRequest Bad Request
Any advice on what to do? Is it the right way to import this with SettingsCatalog_Import_FromJSON.ps1?
best regards
Per
Hi, I have imported it using the Intune Management tool mentioned in the post, it solves some issue automatically when importing it.
Regards,
Jörgen
The Intune Management Tool is great; it has solved a lot of PowerShell warnings / errors for me when importing configuration JSONs.
The Intune Management tool can be found here:
https://github.com/Micke-K/IntuneManagement
Hi Jörgen, I did the same exercise as you did and rebuilt my own security baseline, taking the MS baseline as an example.
After this I compared my baseline with yours and found some settings that in my opinion need to be changed. (Maybe I’m wrong.)
These settings are :
>> Administrative Templates > MS Security Guide
The setting in your template is : Configure SMB v1 client driver : Disabled.
I think this one needs to be set to enabled because to disable client-side processing of the SMBv1 protocol, select the “Enabled” radio button, then select “Disable driver”

>> Local Policies Security Options
Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers : Enable.
I think this one needs to be set to Disabled.
Microsoft network client: Send unencrypted password to connect to third-party SMB servers. If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled.
>> Search
Allow Indexing Encrypted Stores Or Items = Allow.
I think this one needs to be set to Block.
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. Most restricted value is 0.
>> Smart Screen
I think this option is missing from your Baseline and is available in the MS baseline.
Enable Smart Screen In Shell : Enabled
Prevent Override For Files In Shell : Enabled
Hi, thank you for the great detective work! I will update the export!
Regards,
Jörgen
You’re welcome. It’s a pretty time-consuming job to rebuild the baselines into your own configuration profile. It was good to compare our two profiles to be sure that most of the settings were correct.
How does this work with MDE managed computers?
Would you please provide instructions on how to import this?
Hello Jörgen,
I was looking for the JSON file and I only see the readme file. Will you be updating it shortly?
Saw your session at MMS Miami today where you mentioned importing security baselines. Would you be able to provide a new export? As others mentioned, it’s not in the GitHub currently. Thanks! Awesome session btw