Rolling Out Intune Security Baselines Without Causing Office Chaos
Big news: Microsoft just dropped the latest version of Intune Security Baselines! These handy settings help lock down Windows devices, Microsoft Edge, and other Microsoft apps with best-practice security configurations. Think of them as a security cheat sheet, covering everything from BitLocker encryption to Windows Defender policies and password rules: basically, all the stuff that keeps IT folks up at night.
Now, I live and breathe CIS and NIST standards, so I get it: security is crucial. But let’s be real: sometimes, even the best policies can cause unexpected chaos. Let me tell you about the time a security rollout literally locked people out of a building.
That One Time Security Policies Became Physical Security Policies
I was working with a massive customer, 87,000+ Windows devices, and things were rolling out smoothly. Our pilot groups were around 7,000 devices at a time, no big deal. But then, there was this one PC. Just one. Sitting under someone’s desk overseas, minding its own business… except it also happened to run the entire building’s badge system.
When the new security policies hit, that PC went down, and suddenly nobody could get into the building. Oops. Imagine a crowd of employees stuck outside, wondering why IT hates them. Luckily, because of how I roll out these policies, we quickly reversed the changes and saved the day (and probably a few friendships).
A Smarter Way to Roll Out Security Baselines
This is exactly why I don’t believe in dumping an entire baseline onto devices all at once. Sure, it sounds efficient, but when something breaks, good luck figuring out which setting caused the mess. Instead, here’s my method for a smooth, drama-free rollout:
1. Break It Down by Category: Instead of pushing everything at once, I split settings into smaller groups and roll them out gradually. Less risk, easier troubleshooting. I’ve even packaged them up into individual .json files for quick importing (link below!).
Security-Baselines/Windows Baseline 24H2 at master · dgulle/Security-Baselines
There are many methods to import .json files, but for this demo I’m just going to use the Intune Portal:
- Devices > Configuration > Create > Import Policy
- Browse to the .json file > assign a name for the policy > click Save
- After creating the new policy, assign it as you normally would.
2. Use a UAT Form for Rollouts: The pace depends on how fast my customers want to move, but since some settings only change 1-2 things, the impact is usually low. I’ve provided a link to an example that I use below.
Security-Baselines/Windows Baseline 24H2/UAT Form.xlsx at master · dgulle/Security-Baselines
With this UAT form, I roll out settings to pilot groups. If users experience an issue, we identify that specific group and troubleshoot from there. This makes life so much easier: rather than debugging hundreds of settings at once, we’re only dealing with a handful at a time.
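The portal steps above work fine for one file, but once the baseline is split into a dozen category .json files, a script is the practical way to stage each one against a pilot group. The following is an added example, not code from the post or from the linked Security-Baselines repo: it imports a settings catalog policy export through Microsoft Graph with the Microsoft.Graph.Authentication module and assigns it to one group. It assumes the .json is an Intune "Export JSON" of a settings catalog policy (the repo's files are assumed, not verified, to use that layout), that you run PowerShell 7 (for `ConvertFrom-Json -AsHashtable`), and that `$JsonPath`, `$PilotGroupId` and the `Pilot - ` name prefix are placeholders you replace.

```powershell
# Added example (not from the original post): import one category .json as a
# settings catalog policy and assign it to a single pilot group via Graph.
# Assumptions: PowerShell 7, Microsoft.Graph.Authentication installed, and the
# file is an Intune "Export JSON" of a settings catalog policy. Path, group ID
# and name prefix are placeholders.
#Requires -Modules Microsoft.Graph.Authentication

param(
    [Parameter(Mandatory)] [string] $JsonPath,      # e.g. '.\BitLocker.json' (placeholder)
    [Parameter(Mandatory)] [string] $PilotGroupId,  # Entra ID object ID of the pilot group (placeholder)
    [string] $NamePrefix = 'Pilot - '               # makes pilot copies easy to spot and remove
)

# Least privilege: only the configuration scope, not Directory.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$policy = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json -AsHashtable

# An export carries instance-specific fields from the source tenant; Graph
# rejects (or ignores) them on create, so strip them. Remove() is a no-op if
# a key is absent, so this is safe across export versions.
foreach ($key in @('id', 'createdDateTime', 'lastModifiedDateTime', 'settingCount',
                   'creationSource', 'priorityMetaData', 'isAssigned', '@odata.context')) {
    $policy.Remove($key)
}
foreach ($setting in $policy['settings']) { $setting.Remove('id') }  # per-setting ids are also export-only

$policy['name'] = $NamePrefix + $policy['name']

# Create the policy. Invoke-MgGraphRequest returns a hashtable, so $created.id works.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' `
    -Body ($policy | ConvertTo-Json -Depth 50) -ContentType 'application/json'

# Assign it to the pilot group only. Posting an empty "assignments" array to the
# same endpoint later removes every assignment, which is the quick rollback.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created policy '$($created.name)' ($($created.id)) and assigned it to group $PilotGroupId"
```

Run it once per category file (`.\Import-PilotPolicy.ps1 -JsonPath .\BitLocker.json -PilotGroupId <group-id>`), one pilot ring at a time, so the UAT form maps one policy to one group. Keeping the assignment separate from the create call is what makes the badge-system kind of incident recoverable in minutes: clearing the assignment backs the change out without deleting the policy or touching the other categories.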

By taking this step-by-step approach, I keep security tight without accidentally locking people out of their offices (again).