Microsoft Security Compliance Toolkit and Baselines 31.10.2023

Microsoft does not update the security baselines available in the Microsoft Intune portal very often. The Security Compliance Toolkit and Baselines (HERE), updated as recently as 11 October 2023, provides the following baselines:

  • Windows 10 version 22H2 Security Baseline
  • Windows 11 version 22H2 Security Baseline
  • Microsoft 365 Apps for Enterprise 2306
  • Microsoft Edge v117 Security Baseline
  • Windows Server 2022 Security Baseline

Windows Server 2022 Baseline

Dean Ellerby has an excellent post on how to enrol Windows Servers for MDE protection and management: HERE

1. Download the latest Security Compliance Toolkit and Baselines: HERE
2. Browse to Intune \ Devices \ Group Policy analytics

3. Click on: Import Group Policy Object Files

The extracted files will look like the image below; browse to ‘GP Reports’ and then select each ‘gpreport.xml’.

4. Select the MSFT Windows Server 2022 – Defender Antivirus policy

5. Select: Migrate

6. Select all settings on this page and click Next


7. Give the policy a name

8. Assign the policy to a Microsoft Entra ID dynamic device group containing Microsoft Windows servers or a manually configured security group.

MSFT Windows Server 2022 – Member Server Base Line

These settings cannot be managed directly by Microsoft Intune; however, they can be exported to a CSV and then applied with a tool such as Azure Logic Apps or Azure Automation.

1. Select MSFT Windows Server 2022 – Member Server

2. Then select Export

3. The export process exports all of the settings, which can then be re-used in Azure Automation
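As an added example (not code from the post or from Microsoft's toolkit), the script below parses a baseline gpreport.xml, lists its Security Options as objects ready for Export-Csv, and checks each registry-backed setting against the local machine so drift from the baseline is visible before automation pushes it. The element names (SecurityOptions, KeyName, SettingNumber/SettingString, Display/Name) are assumed from the GPO XML report layout, and the embedded sample report is constructed.

```powershell
# Added example: parse a Security Compliance Toolkit gpreport.xml and compare its
# Security Options with the local registry. Element names are assumed from the GPO
# XML report layout; $ReportPath is the caller's own path to a real gpreport.xml.
param([string]$ReportPath)

function Get-BaselineSecurityOptions {
    param([xml]$Report)
    # local-name() makes the XPath independent of the q1/q2 prefixes in the report
    foreach ($n in $Report.SelectNodes("//*[local-name()='SecurityOptions']")) {
        $key = $n.SelectSingleNode("*[local-name()='KeyName']").InnerText
        if (-not $key) { continue }   # options without a registry key are skipped here
        $num = $n.SelectSingleNode("*[local-name()='SettingNumber']")
        $str = $n.SelectSingleNode("*[local-name()='SettingString']")
        $expected = if ($num) { $num.InnerText } else { $str.InnerText }
        [pscustomobject]@{
            Name     = $n.SelectSingleNode("*[local-name()='Display']/*[local-name()='Name']").InnerText
            # MACHINE\System\...\Lsa\NoLMHash -> HKLM:\System\...\Lsa plus value name NoLMHash
            Path     = 'HKLM:\' + ($key -replace '^MACHINE\\', '' -replace '\\[^\\]+$', '')
            Value    = $key.Split('\')[-1]
            Expected = $expected
        }
    }
}

function Compare-BaselineToLocal {
    param($Options)
    foreach ($o in $Options) {
        $actual = (Get-ItemProperty -Path $o.Path -Name $o.Value -ErrorAction SilentlyContinue).$($o.Value)
        [pscustomobject]@{
            Name      = $o.Name; Path = $o.Path; Value = $o.Value; Expected = $o.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { "$actual" }
            Compliant = ("$actual" -eq $o.Expected)
        }
    }
}

# Constructed sample report, shaped like the real XML, used when no file is supplied
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"><Name>Sample Member Server baseline</Name>
<Computer><ExtensionData><Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Security">
<q2:SecurityOptions><q2:KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash</q2:KeyName>
<q2:SettingNumber>1</q2:SettingNumber><q2:Display><q2:Name>Network security: Do not store LAN Manager hash value on next password change</q2:Name></q2:Display></q2:SecurityOptions>
</Extension></ExtensionData></Computer></GPO>
'@
[xml]$report = if ($ReportPath) { Get-Content -Raw $ReportPath } else { $sample }
$options = Get-BaselineSecurityOptions -Report $report
Compare-BaselineToLocal -Options $options | Format-Table -AutoSize
# For the automation step: $options | Export-Csv -NoTypeInformation baseline-options.csv
```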

Windows 11, Microsoft Edge and Microsoft 365 Apps for Enterprise Baselines

The built-in ‘Windows 10 and later’ and ‘Microsoft Edge’ compliance policies have configuration settings that conflict with Microsoft Defender for Endpoint configurations, specifically ASR (Attack Surface Reduction) policies, and some of these settings cannot be excluded from the default ‘Windows 10 and later’ and ‘Microsoft Edge’ compliance policies.

Import all of the gpreport.xml files for Windows 11, Microsoft Edge and Microsoft 365 Apps for Enterprise as described in the Windows Server 2022 baseline section. The image below highlights which policies can be exported to create endpoint security policies or Windows device configuration policies.

Summary

In this blog post, I am mainly focusing on Windows 11 22H2 and the latest build of Windows Server 2022.

Some of the main benefits of using the ‘Microsoft Security Compliance Toolkit and Baselines’ are:

  • Typically, when devices are onboarded to Microsoft Defender for Endpoint, there can be a lot of notifications in terms of vulnerabilities and recommendations. Many of these can be resolved by ensuring end-user Windows 11 and Windows Server 2022 devices have up-to-date security baselines.
  • Microsoft provides a delta spreadsheet with all changes when a new ‘Microsoft Security Compliance Toolkit and Baseline’ is released.
  • The new policies for Windows 10 and later use the ‘Settings Catalog’ template in Intune, which makes it very easy to remove configurations that conflict with ‘Microsoft Endpoint Security Policies’.
  • I love Google Chrome and have used it for years, but my preference is to block Google Chrome on all managed devices and use one browser, Microsoft Edge, on all platforms.
  • Windows Server 2022 Security Baseline policies can be exported and applied via automation in Azure, and then updated with the delta information from new releases of ‘Microsoft Security Compliance Toolkit and Baselines’.

If anyone, or any organisation, would like some further assistance with this, please get in touch with me via LinkedIn: https://www.linkedin.com/in/seanofarrelll/

Reference: Simon Hartmann Eriksen https://www.simsenblog.dk/2023/05/08/security-baseline-latest-as-settings-catalog/
