Jump to content

New Microsoft 365 apps security baseline profile and updates to the Microsoft Edge baseline


Recommended Posts

Guest Intune_Support_Team
Posted

As part of our ongoing investment in improving the Microsoft Intune admin experience, we're excited to announce a Microsoft 365 Apps for enterprise security baseline as well as a new version of the Microsoft Edge security baseline available in the May release of Intune! Security baselines are configuration options available in Intune for configuring profiles to help you secure and protect your devices and users. These new baselines feature an improved user interface and reporting experience, consistency and accuracy improvements, and the new ability to support assignment filters for profiles.

 

 

 

How it works

 

 

The Microsoft 365 Apps for Enterprise security baseline provides a starting point for IT admins to evaluate and balance the security benefits with the productivity needs of their users. This baseline aligns with the security recommendations for Microsoft 365 Apps for enterprise group policy security baseline v2206 and is now available in the Intune admin center.

 

 

 

largevv2px999.png.aa7dd5126d5cb91468014c3706701bbb.pngA screenshot of the Microsoft 365 Apps for Enterprise Security Baseline in Intune.

 

 

 

Updated Edge baseline content

 

 

We updated the security baseline for Microsoft Edge to the latest available group policy version (Edge v112). For more information, see Security baseline for Microsoft Edge version 112. The security baseline for Microsoft Edge contains recommended settings for security conscious customers based on the latest group policy security baseline. To learn more about what has changed between versions, please see List of the settings in the Microsoft Edge security baseline in Intune.

 

 

 

Changes to upgrade process for baselines

 

 

The May 2023 version of Microsoft Edge baseline (v112) will become the default version when creating new profiles. Existing profiles on the latest versions across all security baselines will still be editable and manageable when the new versions are released. However, you’ll see changes when trying to upgrade from the September 2020 version to May 2023 version, as it will be a manual process.

 

 

 

To upgrade profiles on the September 2020 version, go to Endpoint Security > Security baselines. Baselines with a blue arrow can be updated to the latest version. Create a new profile and follow the instructions to download a .csv file that contains the existing profile’s settings, default values, and customizations. Use this file as a guide to create a new profile and manually reapply any custom settings and device assignments.

 

 

 

largevv2px999.png.405c48349d6c68b2c80c7588118d814a.pngA screenshot of the Security Baseline for Microsoft Edge Profiles page with the blue arrow icons and Change Version selection highlighted.

 

 

 

largevv2px999.png.878fde7fcb388aef7960b7df318d156b.pngA screenshot of the Change Version window with the steps for upgrading to the latest baseline version.

 

 

 

Common questions

 

 

What does “manually upgrading” mean and which profile versions does it apply to?

 

If you're on the September 2020 version of the Edge baseline, you’ll have to create a new profile to use the May 2023 version. You won’t be able to copy over any setting customizations or device assignments to this new profile and will have to apply any setting customizations or device assignments manually.

 

 

 

If you're on any version prior to September 2020, you’ll use the previous upgrade flow. Refer to Create security baseline profiles in Microsoft Intune for information about how to upgrade from earlier baseline versions.

 

 

 

Will manual upgrading be required every time a new Edge baseline version is released?

 

No. This is a one-time process to upgrade from the September 2020 version to the May 2023 version of the Security baseline for Microsoft Edge. For subsequent upgrades in the Edge baseline, we’ll use a guided upgrade flow.

 

 

 

Will my settings and device assignments be copied over to the new profile after manually upgrading?

 

No. This will be a brand-new profile with default baseline settings (unless customized) and no device assignments. To see which settings your previous profile had, use the .csv generated by selecting the Export profile settings button in the Change Version window, to compare and customize accordingly.

 

 

 

Will my previous profiles be deleted once I manually upgrade to the new version?

 

Existing profiles won’t be deleted. Admins are given the choice to keep previous profiles even after creating a new one on the latest version. However, Microsoft always recommends keeping only the latest baseline version on your devices to keep your environment secure with the latest Microsoft-recommended security settings.

 

 

 

Known issues

 

 

There are a few issues you should be aware of related to this initial release of the security baselines, including configuring exact values for certain settings and seeing duplicate settings in the reporting view.

 

 

 

Baseline settings

 

 

Certain settings require exact values and formats to operate correctly. These are known issues admins need to be aware of when editing these setting values. The actual values are documented in Microsoft Security Compliance Toolkit 1.0.

 

 

 

Microsoft 365 Apps for enterprise security baseline

 

  • Encryption type for password protected Office 97-2003 files (User)
    • Value: Enabled
    • Encryption type: (User)
      • Value: Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256
      • Note, this is a plain text field. For this and all plain text fields, entered values need to be case sensitive, separated by commas, and have no spaces in between. Refer to the example image below.

      [*]Encryption type for password protected Office Open XML files (User)

      • Value: Enabled
      • Encryption type: (User)
        • Value: Microsoft Enhanced RSA and AES Cryptographic Provider, AES 256,256
        • Note, this is a plain text field.
           
          largevv2px999.png.a9a3b1f637e332c8f457eda1ead62b8b.pngA screenshot of the valid settings input in the template for the applications.

      [*]Restrict legacy JScript execution for Office

      • Value: Enabled
      • For all applications, use the value 69632, as illustrated in the image below.
         
        largevv2px999.png.f6979270cc5413bff0307fdb72001d3c.pngA screenshot of the valid settings input into the template for HTTP authentication.

    [*]Security Baseline for Microsoft Edge

     

    • Supported authentication schemes
      • Value: Enabled
      • Supported authentication schemes (Device)
        • Value: ntlm,negotiate
        • Note, this is a plain text field.
           
          largevv2px999.png.5aee95f0c7239552cd305d4b1c3af4bd.pngA screenshot of the valid settings input into the template for HTTP authentication.

Setting duplicates in reporting view

 

 

Baselines reporting only reports the actual setting name. However, the backend for the Microsoft 365 apps for enterprise baseline uses the same setting name and a path for context. So, customers will see seemingly duplicate entries in reporting when they’re actually separate.

 

 

 

For example, the Allow Trusted Location on the network (User) setting is configured for the Microsoft Access 2016, Excel 2016, PowerPoint 2016, Project 2016, Visio 2016, and Word 2016 apps but only appears as one setting.

 

 

 

largevv2px999.png.7f677959665f5fda507b4e5e760644a6.pngA screenshot of the reporting view for Microsoft 365 Apps for Enterprise Security Baseline in Intune.

 

 

Stay in the know

 

 

Stay tuned to What's new in Intune as we continue to improve the security baseline experience and release new versions.

 

 

 

Provide feedback below on what you want to see and let us know if you have any additional questions on this by replying to this post or tagging @IntuneSuppTeam out on Twitter.

 

Continue reading...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...