In service release 2504 of Intune new settings is added to the Windows 11 24H2 Security Baseline. However, they are not released as a new version of the baseline but added when you either create a new policy or edit an existing policy. In this post we will look at the experience upgrading and adding the newly added settings to the baseline.
The following policies are added in 2504:
Lanman Server
Audit Client Does Not Support Encryption – Baseline default: Enabled
Audit Client Does Not Support Signing – Baseline default: Enabled
Audit Insecure Guest Logon – Baseline default: Enabled
Auth Rate Limiter Delay In Ms – Baseline default: 2000
Enable Auth Rate Limiter – Baseline default: Enabled
Max SMB 2 Dialect – Baseline default: SMB 3.1.1
Min SMB 2 Dialect – Baseline default: SMB 3.0.0
Enable Mailslots – Baseline default: Disabled
Lanman Workstation
Audit Insecure Guest Logon – Baseline default: Enabled
Audit Server Does Not Support Encryption – Baseline default: Enabled
Audit Server Does Not Support Signing – Baseline default: Enabled
Max SMB 2 Dialect – Baseline default: SMB 3.1.1
Min SMB 2 Dialect – Baseline default: SMB 3.0.0
Require Encryption – Baseline default: Disabled
Enable Mailslots – Baseline default: Disabled
Experience: New policy
When creating a new policy, we get the newly added settings enabled per default as shown below, no surprise here really. The Lanman Workstation section showed below.
Experience: editing existing policy
Before editing an existing policy if we look at the settings there are now room for the new settings under Lanman Workstation section, but they are not yet listed
When editing an existing Security Baseline the settings are added to the baseline but we must configure the values ourself. This is how it looks.
Upgrading our Security baseline:
- We start with creating a backup of our existing security baseline (which is a great feature by the way) by selecting to duplicate it and give it a new name.
- Deploy the copy of our security baseline to an Entra group with test clients.
- Exclude the newly created group from the deployment of our original Security Baseline as well so we can test the new Security Baseline.
- Edit our new copy of the Security Baseline, this is the view that will we see, all the new settings are added as “Not Configured” both under Lanman Workstation and Lanman Server sections. We have to configure them ourself with the correct value from the documentation.
Then we test, test and test it before deploying it to all our production clients.
Conclusion, the new settings are added to existing Windows 11 24H2 Security baseline but we must still configure the values for the settings to match the documentation.