ASD's Blueprint for Secure Cloud

Device Security

This section describes the design decisions associated with Device Security for system(s) built using ASD's Blueprint for Secure Cloud.


Settings associated with Device Security can be implemented through:

When using endpoint security policies alongside other policy types, like security baselines or endpoint protection templates from device configuration policies, it is important to develop a plan for using multiple policy types to minimise the risk of conflicting settings. Security baselines, device configuration policies, and endpoint security policies are all treated as equal sources of device configuration settings by Microsoft Intune. A settings conflict occurs when a device receives two different configurations for a setting from multiple sources. Multiple sources can include separate policy types and multiple instances of the same policy type. When Microsoft Intune evaluates policies for a device and identifies conflicting configurations for a setting, the affected setting can be flagged as an error or conflict and fail to apply.

All Enterprise mobile device management settings for devices, regardless of where they are set (Security Baselines, Endpoint Security Profiles, or Configuration Profiles), are exposed via various Configuration Service Providers (CSPs). A Configuration Service Provider is an interface to read, set, modify or delete configuration settings on the device. These settings map to registry keys or files.

The Policy Configuration Service Provider enables the enterprise to configure policies on Windows 10 and Windows 11. This configuration service provider is used to configure any company policies. Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect regardless of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.

Within Microsoft Intune, a Settings Catalogue configuration profile provides a user interface for all the Policy CSPs that can be configured, in one location. This feature simplifies how policies are created by displaying all the available settings. More settings are continually being added. This is the preferred method for configuring settings at a granular level, and it enables improved troubleshooting of setting conflicts. These profiles also allow device filtering (unlike Security Baselines), which enables the testing and incremental deployment of policies.

Endpoint security profiles

Device configuration profiles and baselines include a large body of diverse settings outside of the scope of securing endpoints. In contrast, each endpoint security profile focuses on a specific subset of device settings intended to configure one aspect of device security.

Following are brief descriptions of each endpoint security policy type:

  • Antivirus - Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices.
  • Disk encryption - Endpoint security disk encryption profiles focus on the settings that are relevant for a device’s built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings.
  • Firewall - The endpoint security Firewall policy in Intune is used to configure a device’s built-in firewall for devices that run macOS and Windows 10/11.
  • Endpoint detection and response - Microsoft Defender for Endpoint Intune Integration uses the endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint.
  • Attack surface reduction - When Defender antivirus is in use on Windows 10/11 devices, Intune endpoint security policies for attack surface reduction are used to manage those device settings.
  • Account protection - Account protection policies help protect the identity and accounts of users. The account protection policy is focused on settings for Windows Hello and Credential Guard, which is part of Windows identity and access management.

The settings made here are implemented through Policy CSPs, which can also be set in a Settings Catalogue configuration profile.

Security Baselines

Security Baselines are pre-configured groups of Windows settings that are recommended by Microsoft. The security baselines are templates and are used to create a profile that is specific to the environment for deployment and applied to enrolled devices.

Within Microsoft Intune, pre-configured security baseline profiles can be associated to devices to align them with Microsoft security best practices. They are designed to make it easier and faster for customers to secure devices by accepting the Microsoft best practice for settings rather than the customer needing to assess and implement each setting one by one. These profiles contain multiple device specific configuration profiles and control several security related settings such as, but not limited to:

  • App Runtime
  • Autoplay
  • BitLocker

These baselines provide robust security guidelines and are generated by Microsoft.

The settings made here are implemented through Policy CSPs, which can also be set in a Settings Catalogue configuration profile.

Hardening guide setting deviations

The following Settings are deviations from ASD’s recommendations:

Setting   | Value            | Justification
Telemetry | Required (Basic) | Requirement for Windows Update

PowerShell Scripts and Remediations

In some cases Microsoft Intune policies may not exist for a particular endpoint setting. In these cases PowerShell scripts can be deployed using Intune to run on the endpoints to update configuration and security settings. PowerShell scripted configuration is deployed through the Intune management extension agent either as Configuration Scripts or Remediations.

Configuration Scripts execute on the endpoint by default using administrator privileges. The Intune agent checks after every reboot for new scripts or changes to scripts specified in Intune and executes them locally on the endpoint. The success or failure of the script is reported back to Intune.

Remediations use separate detection and remediation scripts: the detection script identifies whether the condition that needs correcting is present, and only if it is does the remediation script run. Success or failure of the script is also reported back to Intune.
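As an added example, not part of the Blueprint's own content, the following Remediations pair keeps the Telemetry deviation listed above (Required (Basic)) in place on an endpoint. It assumes that setting is backed by the System/AllowTelemetry policy registry value under HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection (1 = Basic), and that the two halves are uploaded to Intune as two separate .ps1 files.

```powershell
# Added example (not the Blueprint's code). Assumes the Telemetry setting maps to the
# System/AllowTelemetry policy registry value, with 1 meaning Required (Basic).
# Intune runs the detection script first; exit 0 = compliant (remediation skipped),
# exit 1 = non-compliant (remediation script runs). Stdout is shown in the Intune report.

# ---------- Detect-Telemetry.ps1 ----------
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Name = 'AllowTelemetry'
$Want = 1   # 1 = Required (Basic)

try {
    # -ErrorAction Stop makes a missing key or value land in the catch block
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
} catch {
    Write-Output "$Name not set at $Path"
    exit 1
}

if ($current -eq $Want) {
    Write-Output "$Name=$current (compliant)"
    exit 0
}
Write-Output "$Name=$current, expected $Want"
exit 1

# ---------- Remediate-Telemetry.ps1 ----------
# Runs only after the detection script exited 1. The value is read back after the write so
# a failed change is reported to Intune as a remediation failure rather than a silent success.
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Name = 'AllowTelemetry'
$Want = 1

try {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Want -Type DWord -ErrorAction Stop
    $after = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($after -ne $Want) { throw "value is $after after write" }
    Write-Output "Set $Name=$Want"
    exit 0
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The detection script is what Intune re-runs on its schedule, so its exit code, not the remediation's, is what shows the device as compliant over time.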

