ASD's Blueprint for Secure Cloud

Device Security

This section describes the design decisions associated with Device Security for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 6 minutes

Settings associated with Device Security can be implemented through:

When using endpoint security policies along side other policy types, like security baselines or endpoint protection templates from device configuration policies, it is important to develop a plan for using multiple policy types to minimise the risk of conflicting settings. Security baselines, device configuration policies, and endpoint security policies are all treated as equal sources of device configuration settings by Microsoft Intune. A settings conflict occurs when a device receives two different configurations for a setting from multiple sources. Multiple sources can include separate policy types and multiple instances of the same policy. When Microsoft Intune evaluates policies for a device and identifies conflicting configurations for a setting, the affected setting can be flagged for an error or conflict and fail to apply.

All Enterprise mobile device management settings for devices, regardless of where they are set (Security Baselines, Endpoint Security Profiles, or Configuration Profiles), are exposed via various Configuration Service Providers (CSP). A Configuration Service Provider is an interface to read, set, modify or delete configuration settings on the device. These settings map to registry keys or files.

The Policy Configuration Service Provider enables the enterprise to configure policies on Windows 10 and Windows 11. This configuration service provider is used to configure any company policies. Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect regardless of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.

Within Microsoft Intune, a Settings Catalogue configuration profile, provides a user interface for all the Policy CSP’s that can configured in one location. This feature simplifies how policies are created by displaying all the available settings. More settings are continually being added. This is the preferred method for configuring settings at a granular level. This method enables improved troubleshooting of setting conflicts. These profiles also allow device filtering (unlike Security Baselines) which enables the testing and incremental deployment of policies.

Endpoint security profiles

Device configuration profiles and baselines include a large body of diverse settings outside of the scope of securing endpoints. In contrast, each endpoint security profile focuses on a specific subset of device settings intended to configure one aspect of device security.

Following are brief descriptions of each endpoint security policy type:

  • Antivirus - Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices.
  • Disk encryption - Endpoint security disk encryption profiles focus on the settings that are relevant for a device’s built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings.
  • Firewall - The endpoint security Firewall policy in Intune is used to configure a device’s built-in firewall for devices that run macOS and Windows 10/11.
  • Endpoint detection and response - Microsoft Defender for Endpoint Intune Integration uses the endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint.
  • Attack surface reduction - When Defender antivirus is in use on Windows 10/11 devices, Intune endpoint security policies for attack surface reduction is used to manage those device settings.
  • Account protection - Account protection policies help protect the identity and accounts of users. The account protection policy is focused on settings for Windows Hello and Credential Guard, which is part of Windows identity and access management.

The settings made here are implemented through Policy CSP’s, which can also be set in a Settings Catalogue configuration profile.

Security Baselines

Security Baselines are pre-configured groups of Windows settings that are recommended by Microsoft. The security baselines are templates and are used to create a profile that is specific to the environment for deployment and applied to enrolled devices.

Within Microsoft Intune, pre-configured security baseline profiles can be associated to devices to align them with Microsoft security best practices. They are designed to make it easier and faster for customers to secure devices by accepting the Microsoft best practice for settings rather than the customer needing to assess and implement each setting one by one. These profiles contain multiple device specific configuration profiles and control several security related settings such as, but not limited to:

  • App Runtime
  • Autoplay
  • BitLocker

These baselines provide robust security guidelines and are generated by Microsoft

The settings made here are implemented through Policy CSP’s, which can also be set in a Settings Catalogue configuration profile.

Hardening guide setting deviations

The following Settings are deviations from ASD’s recommendations:

SettingValueJustification
TelemetryRequired (Basic)Requirement for Windows Update

Powershell Scripts and Remediations

In some cases Microsoft Intune policies may not exist for a particular endpoint setting. In these cases Powershell Scripts can be deployed using Intune to run on the endpoints to update configuration and security settings. Powershell Scripted configuration is deployed through the Intune management extension agent either as Configuration Scripts or Remediations.

Configuration Scripts execute on the endpoint by default using administrator privileges. The Intune agent checks after every reboot for new scripts or changes to scripts specified in Intune and executes them locally on the endpoint. The success or failure of the script is reported back to Intune.

Remediations use separate detect and remediation scripts to identify the condition where the script should run if the conditions are met will run the remediation. Success or failure of the script is also reported back to Intune.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra