CCMEXEC.COM – Enterprise Mobility

Windows MDM Security Baseline – Settings Catalog

Posted on February 10, 2023 (updated April 27, 2023) by Jörgen Nilsson

Important update! I published a new export to solve the import issues, but that export missed the following. If you downloaded it, apply these changes so that it matches the Security Baseline:

  • Administrative Templates > MS Security Guide
    Configure SMB v1 client driver
    Changed from Disabled to Enabled (with the driver set to Disable driver)
  • Local Policies Security Options
    Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers
    Changed from Enable to Disable
  • Search
    Allow Indexing Encrypted Stores Or Items
    Changed from Allow to Block
  • Smart Screen (was missing, now added)
    Enable Smart Screen In Shell: Enabled
    Prevent Override For Files In Shell: Enabled


I wrote a post a couple of weeks ago with the Microsoft Edge Security Baseline policy re-created in the Settings Catalog. I got a lot of questions asking whether I had done the same for the Windows MDM Security Baseline, so here it is.
This was not a fun exercise and it took a while. I am looking forward to the end of Internet Explorer 11 once and for all; recreating this brought back memories of configuring IE 11 with Group Policies, and not all of them were positive.
I prefer using the Settings Catalog over the built-in security baseline because it is easier to modify, easier to manage and easier to follow up on.
When I recreated the Edge Security Baseline I had to use a PowerShell script to set two settings; that was not needed this time, since all the settings were available in the Settings Catalog.

The policy can be downloaded in .json format here:
https://github.com/Ccmexec/Intune-MEM/tree/master/Windows%20MDM%20Security%20Baseline%20Settings%20Catalog

I imported the export with the IntuneManagement tool (https://github.com/Micke-K/IntuneManagement), which fixes some issues with the exported JSON automatically on import. As reported in the comments, a plain import with SettingsCatalog_Import_FromJSON.ps1 fails with an HTTP BadRequest from the Graph configurationPolicies endpoint.

I hope you find it useful.
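The comments below show two things a practitioner hits with this kind of export: a wrong value (SMB v1 client driver, unencrypted SMB passwords, indexing of encrypted items) that was only caught by comparing two independently rebuilt baselines setting by setting, and a raw POST of the exported JSON to the Graph configurationPolicies endpoint answering with a BadRequest. The following Python script is an added example, not code from this post, from the GitHub export or from the IntuneManagement tool. It flattens the settingInstance tree of a Settings Catalog export into a settingDefinitionId-to-value map, diffs two exports, and strips the server-generated properties an export carries before it would be re-imported. The two embedded exports are constructed, their settingDefinitionIds are hypothetical placeholders (real exports carry the vendor IDs), and the list of properties to strip is my assumption about what an import tool fixes up, not something the post states.

```python
"""Flatten and diff two Intune Settings Catalog policy exports (JSON)."""
import json

# Server-generated properties present in an exported policy but not part of a
# create request. ASSUMPTION (not from the post): dropping them before POSTing
# to deviceManagement/configurationPolicies is one fix-up an import tool does.
READ_ONLY_KEYS = {"id", "createdDateTime", "lastModifiedDateTime", "settingCount",
                  "creationSource", "isAssigned", "priorityMetaData", "@odata.context"}

# Hypothetical settingDefinitionIds for this example only; real exports carry
# vendor IDs (device_vendor_msft_policy_config_...) and those should be used.
SMB1_ID = "example_mssecurityguide_configuresmbv1clientdriver"
SMB1_CHILD_ID = SMB1_ID + "_driverstate"
UNENC_ID = "example_localpoliciessecurityoptions_sendunencryptedpassword"
SMARTSCREEN_ID = "example_smartscreen_enablesmartscreeninshell"


def choice(setting_id, suffix, children=()):
    """Build a choice settingInstance in the shape the Settings Catalog exports."""
    return {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": setting_id,
        "choiceSettingValue": {"value": setting_id + suffix, "children": list(children)},
    }


def wrap(*instances):
    """Wrap settingInstances in the settings[] envelope of a policy export."""
    return [{"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
             "settingInstance": inst} for inst in instances]


# Constructed sample exports (not the author's real export). The first carries two
# of the wrong values from the update note and lacks SmartScreen; the second is fixed.
OLD_EXPORT = {
    "id": "00000000-0000-0000-0000-000000000001",
    "createdDateTime": "2023-02-10T00:00:00Z",
    "name": "Windows MDM Security Baseline (first export)",
    "platforms": "windows10", "technologies": "mdm", "settingCount": 2,
    "settings": wrap(choice(SMB1_ID, "_0"),     # SMB v1 client driver: Disabled
                     choice(UNENC_ID, "_1")),   # unencrypted password: Enable
}
NEW_EXPORT = {
    "id": "00000000-0000-0000-0000-000000000002",
    "createdDateTime": "2023-04-27T00:00:00Z",
    "name": "Windows MDM Security Baseline (corrected export)",
    "platforms": "windows10", "technologies": "mdm", "settingCount": 3,
    "settings": wrap(
        choice(SMB1_ID, "_1", [choice(SMB1_CHILD_ID, "_disable")]),  # Enabled, Disable driver
        choice(UNENC_ID, "_0"),                  # unencrypted password: Disable
        choice(SMARTSCREEN_ID, "_1")),           # Enable SmartScreen in shell: Enabled
}


def flatten_instance(inst, prefix=""):
    """Yield (path, value) for one settingInstance and, recursively, its children."""
    path = prefix + inst.get("settingDefinitionId", "<no id>")
    kind = inst.get("@odata.type", "")
    if kind.endswith("ChoiceSettingInstance"):
        chosen = inst["choiceSettingValue"]
        yield path, chosen.get("value")
        for child in chosen.get("children", []):          # child settings of the choice
            yield from flatten_instance(child, path + "/")
    elif kind.endswith("SimpleSettingInstance"):
        yield path, inst["simpleSettingValue"].get("value")
    elif kind.endswith(("ChoiceSettingCollectionInstance", "SimpleSettingCollectionInstance")):
        key = "choiceSettingCollectionValue" if "Choice" in kind else "simpleSettingCollectionValue"
        yield path, tuple(v.get("value") for v in inst.get(key, []))
    elif kind.endswith("GroupSettingCollectionInstance"):
        for i, group in enumerate(inst.get("groupSettingCollectionValue", [])):
            for child in group.get("children", []):
                yield from flatten_instance(child, f"{path}[{i}]/")
    else:
        yield path, f"<unhandled {kind}>"


def flatten_policy(policy):
    """Map every settingDefinitionId path in an export to its configured value."""
    flat = {}
    for setting in policy.get("settings", []):
        for path, value in flatten_instance(setting["settingInstance"]):
            flat[path] = value
    return flat


def diff_policies(old, new):
    """Report settings present in only one export and settings whose value differs."""
    a, b = flatten_policy(old), flatten_policy(new)
    return {
        "only_in_old": sorted(set(a) - set(b)),
        "only_in_new": sorted(set(b) - set(a)),
        "changed": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]},
    }


def strip_read_only(policy):
    """Return a copy of an export with server-generated properties removed."""
    return {k: v for k, v in policy.items() if k not in READ_ONLY_KEYS}


if __name__ == "__main__":
    print(json.dumps(diff_policies(OLD_EXPORT, NEW_EXPORT), indent=2))
    print(sorted(strip_read_only(NEW_EXPORT)))
```

To use it on real files, load each export with json.load and pass the two dicts to diff_policies. The `changed` entries line up with the list in the update note (the SMB v1 client driver moving from its `_0` to its `_1` choice, and so on), `only_in_new` shows what the older export lacked, and strip_read_only gives you a body to compare against what an import tool actually sends if you are chasing the BadRequest from the comments.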

  • Settings Catalog
  • Windows Security Baseline
11 thoughts on “Windows MDM Security Baseline – Settings Catalog”

    1. Leon says:
      February 11, 2023 at 11:34 am

      Awesome to see that you created the baseline based on Settings Catalog settings. However, when I try to import it I get an error message. I normally use “SettingsCatalog_Import_FromJSON.ps1” for the import, but it doesn’t seem to work with the JSON file. How should it be imported? It would be nice if you would mention that on your blog.
      1. admin says:
        February 14, 2023 at 12:13 pm

        Good Idea! I will do that!

        Regards,
        Jörgen

    2. Pingback: Intune Newsletter - 17th February 2023 - Andrew Taylor
    3. Jonathan Conway says:
      February 25, 2023 at 3:27 pm

      Hi – I’d popped over to GitHub to take a look at your baseline but can’t seem to find the JSON to download. I can only see a readme file. Any ideas where it might be so I can download it?

    4. Per says:
      March 14, 2023 at 10:31 pm

      Hi Jörgen

      Thanks for your great effort giving us this one…

      I have just tested your new export, and it is still failing when I'm using SettingsCatalog_Import_FromJSON.ps1:

      Add-SettingsCatalogPolicy : Request to https://graph.microsoft.com/Beta/deviceManagement/configurationPolicies failed with HTTP Status BadRequest Bad Request

      Any advice on what to do? Is SettingsCatalog_Import_FromJSON.ps1 the right way to import this?

      best regards
      Per
      1. admin says:
        March 15, 2023 at 8:43 am

        Hi, I have imported it using the Intune Management tool mentioned in the post; it solves some issues automatically when importing it.
        Regards,
        Jörgen
    5. Yves says:
      April 11, 2023 at 9:47 pm

      The Intune Management Tool is great; it has solved PowerShell warnings/errors when importing configuration JSONs for me many times.

      The Intune Management tool can be found here:
      https://github.com/Micke-K/IntuneManagement
    6. Yves says:
      April 26, 2023 at 1:57 pm

      Hi Jörgen, I did the same exercise as you did and rebuilt my own security baseline, taking the MS baseline as an example.

      After this I compared my baseline with yours and found some settings that in my opinion need to be changed. (Maybe I’m wrong.)

      These settings are :

      >> Administrative Templates > MS Security Guide
      The setting in your template is : Configure SMB v1 client driver : Disabled.

      I think this one needs to be set to Enabled, because to disable client-side processing of the SMBv1 protocol you select the “Enabled” radio button and then select “Disable driver”.

      
      >> Local Policies Security Options
      Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers : Enable.

      I think this one needs to be set to Disabled.

      Microsoft network client: Send unencrypted password to connect to third-party SMB servers
      If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled.

      >> Search
      Allow Indexing Encrypted Stores Or Items = Allow.
      I think this one needs to be set to Block.

      Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. Most restricted value is 0.

      >> Smart Screen
      I think this option is missing from your Baseline and is available in the MS baseline.

      Enable Smart Screen In Shell : Enabled
      Prevent Override For Files In Shell : Enabled

      1. Jörgen Nilsson says:
        April 27, 2023 at 4:57 pm

        Hi, Thank you for the great detective work! will update the export!

        Regards,
        Jörgen

        1. Yves says:
          April 27, 2023 at 10:35 pm

          You’re welcome. It’s a pretty time-consuming job rebuilding the baselines into your own configuration profile. It was good to compare the profiles of the two of us to be sure that most of the settings were correct.
    7. Tomas says:
      May 8, 2023 at 1:57 pm

      How does this work with MDE-managed computers?


    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.
