You need to secure your Windows devices with Microsoft Intune? Here's how

Introduction

As the title says, you may be asked to secure your Windows devices, and those devices are already enrolled in Intune (Endpoint Manager). In that case you have a very low-hanging fruit available, and it is called Security Baseline for Windows.

A Security Baseline is a group of roughly 200 granular security settings that Microsoft has vetted, pre-approved and recommends as the sum of its best practices. The concept isn't new: baselines have existed for a long time in the on-premises world, where they were deployed via GPOs. Now Intune makes your life easy 😀

Review

Next, I recommend you review these security settings, because not all of them will suit your organization. It is also worth noting that new releases of the security baselines come out from time to time. As things progress, baseline versions progress too, so you need to periodically review them and replace the old version with the newer one.

https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-november-2021

This is the November 2021 version, which is still the latest one at the time of writing, but newer versions may exist by the time you read this. Either way, the article above lists every setting the baseline configures, so you can review them one by one. I distinctly recall that one of the previous versions configured the PowerShell execution policy to Restricted, which caused all admins to pull their hair out when trying to execute any PowerShell cmdlet or script.
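To make that periodic review less manual, here is an added PowerShell example (not from the original post) that lists the security baseline templates Intune currently offers and flags any deployed baseline profile whose template Microsoft has marked deprecated. It assumes the Microsoft.Graph PowerShell SDK is installed and that baselines of this generation appear on the Graph beta endpoint as `intents` created from `templates` whose `templateType` is `securityBaseline`; the property names used (`versionInfo`, `isDeprecated`, `publishedDateTime`, `templateId`) follow that beta schema and are assumptions you should verify against your tenant.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph SDK and the
# Graph beta endpoints /deviceManagement/templates and /deviceManagement/intents.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-GraphCollection {
    # Follow @odata.nextLink so large tenants are not truncated to the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    } while ($Uri)
    $items
}

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Templates Microsoft publishes; keep only the security baselines (filtered client-side).
$baselines = Get-GraphCollection "$base/templates" |
    Where-Object templateType -eq 'securityBaseline'

# Profiles you have deployed from a template; each one references the templateId it came from.
$deployed = Get-GraphCollection "$base/intents"

Write-Host 'Baseline templates currently available in this tenant:'
$baselines |
    Sort-Object displayName, publishedDateTime |
    Select-Object displayName, versionInfo, publishedDateTime, isDeprecated |
    Format-Table -AutoSize

Write-Host 'Deployed baseline profiles and the template version they were built from:'
$report = foreach ($intent in $deployed) {
    $tpl = $baselines | Where-Object id -eq $intent.templateId
    if (-not $tpl) { continue }   # built from a template that is not a security baseline
    [pscustomobject]@{
        Profile    = $intent.displayName
        Baseline   = $tpl.displayName
        Version    = $tpl.versionInfo
        Deprecated = [bool]$tpl.isDeprecated
        Action     = $(if ($tpl.isDeprecated) { 'Create a profile from the current version, move assignments, retire this one' } else { 'OK' })
    }
}
$report | Format-Table -AutoSize
```

Run it as part of the same calendar reminder you use for reviewing the baseline settings. A profile flagged as Deprecated still applies to devices, but it will not receive the settings added in the newer version, which is exactly the drift the review is meant to catch.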

Implement

After you're done with the review, deploy it in stages: first to a handful of test users, then to a pilot group, and only then broadly. Go to Intune -> Endpoint Security -> Security Baselines -> Security Baseline for Windows 10 and later, then Create profile.

[Screenshot, 2023-09-01]
Here you can still turn individual settings on or off, or change their values, for anything you identified as not fit for your org. Make sure you don't end up with conflicting settings from other Configuration Profiles applied to the same users or devices: when two profiles set the same setting to different values, Intune reports the setting as in conflict and the result on the device is not guaranteed.

Next, assign it to a device group or a user group (for device-level hardening like this, a device group containing the pilot machines is the natural choice), then Review + Create.
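Once the pilot devices have checked in, here is an added PowerShell example (again, not from the original post) that reads Intune's per-setting and per-device status for the deployed baseline profile and lists the settings in conflict or error, which is where a clash with another Configuration Profile shows up. It assumes the Microsoft.Graph SDK, the Graph beta `intents/{id}/deviceSettingStateSummaries` and `intents/{id}/deviceStates` endpoints with the property names from that schema (`settingName`, `compliantCount`, `conflictCount`, `errorCount`, `nonCompliantCount`, `state`, `deviceDisplayName`, `lastReportedDateTime`), and a profile named `Windows Baseline - Pilot`, which is a placeholder for your own profile name.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph SDK and the
# Graph beta intents endpoints; the profile name below is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$base        = 'https://graph.microsoft.com/beta/deviceManagement'
$profileName = 'Windows Baseline - Pilot'   # assumed name of the baseline profile you deployed

# Locate the deployed baseline profile (an "intent") by its display name.
$intent = (Invoke-MgGraphRequest -Method GET -Uri "$base/intents" -OutputType PSObject).value |
    Where-Object displayName -eq $profileName
if (-not $intent) { throw "No security baseline profile named '$profileName' was found." }

# Per-setting roll-up: how many devices are compliant, in conflict or in error for each setting.
$settings = (Invoke-MgGraphRequest -Method GET `
    -Uri "$base/intents/$($intent.id)/deviceSettingStateSummaries" -OutputType PSObject).value

$problems = $settings | Where-Object { $_.conflictCount -gt 0 -or $_.errorCount -gt 0 }
if ($problems) {
    Write-Host "Settings with conflicts or errors in '$profileName':"
    $problems |
        Select-Object settingName, compliantCount, conflictCount, errorCount, nonCompliantCount |
        Sort-Object conflictCount, errorCount -Descending |
        Format-Table -AutoSize
} else {
    Write-Host "No setting in '$profileName' reports a conflict or error."
}

# Per-device view: which pilot devices are in a conflict or error state and when they last reported.
$devices = (Invoke-MgGraphRequest -Method GET `
    -Uri "$base/intents/$($intent.id)/deviceStates" -OutputType PSObject).value
$devices |
    Where-Object { $_.state -in @('conflict', 'error') } |
    Select-Object deviceDisplayName, userPrincipalName, state, lastReportedDateTime |
    Format-Table -AutoSize
```

A setting in conflict means another profile assigned to the same device configures it too. Resolve it by removing the duplicate from one side (usually the other Configuration Profile, since the baseline is the vetted value), rather than leaving both in place and hoping the right one wins.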

Another option is Devices -> Configuration Profiles -> Create -> Windows 10 and later -> Settings Catalog, where you search for individual settings or clusters of settings and configure them yourself. This is the more manual (but also more customizable) way of achieving the same hardening, and it is the place to put a setting you removed from the baseline but still want applied with your own value.

Conclusion

Security Baselines are groups of predefined security settings for Windows 10/11 devices that can be deployed via Intune in a few clicks and bring Microsoft's best practices and recommendations to your devices. Review them before deploying, pilot first, watch for conflicts with your other profiles, and revisit them whenever a new baseline version ships.