Welcome back! Last time, we dove into my go-to method for rolling out Windows Security Baselines. Since then, a few folks have reached out with some CIS Benchmark questions specifically about using Intune. So, let’s clear things up with a simple truth: CIS compliance is a great goal, but it’s not the finish line.
I’ve deployed CIS Benchmarks more times than I can count, and I can tell you I’ve never hit 100% of the settings. Why? Because every environment is unique. Think of security baselines as the foundation, not the fully furnished house. You’ll need to tweak and add extra layers outside of Intune’s default baselines to get things just right.
Step 1: Activate the Defender Vulnerability Management Add-on
If you don’t already have it, go ahead and start a trial of the Defender Vulnerability Management Add-on. It’s got a few additional features that aren’t included in Defender for Endpoint Plan 2. For this blog, we’re going to focus on one feature in particular: Security Baseline Assessment.
Once you’ve assigned the add-on license, grab a cup of coffee (or maybe even a whole lunch), because it can take up to six hours for everything to show up in the Defender Portal. While we wait, let’s hop over to Intune and get some work done.
Step 2: Tagging Devices in Defender
Remember that UAT Form I shared in Part 1? Well, we’re using it again.

First, we’re going to tag the devices in these groups in the Defender portal. Now, I know you’re wondering, “Why am I doing this?” Just trust me for now; it’ll all make sense soon.
Creating a Custom Profile in Intune
Head over to Intune and create a custom profile.

Add a setting with the following values:
- Name: Something recognizable (so future you isn’t confused).
- Description: Be descriptive (trust me, it helps).
- OMA-URI:
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
- Data Type: String
- Value: <Name of the Tag to be displayed in Defender> (e.g., Pilot Group 1)
Assign this to your Pilot Group 1 and give it some time to apply. This is a great moment to grab a sandwich.

Once it’s had time to work its magic, head back to the Defender Portal. You should now see the tag applied to your devices.
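If you would rather script the tagging profile than click through it, and want a way to confirm the tag actually landed on a pilot device before waiting for the portal to catch up, here is an added PowerShell example. It is not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell module on your admin workstation, an account with DeviceManagementConfiguration.ReadWrite.All, and that you supply the Entra ID object ID of your Pilot Group 1 security group. The function names are this example’s own. The local check reads the registry value the WindowsAdvancedThreatProtection CSP writes (HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\Group) and confirms the Defender sensor service (Sense) is running, since a tag on a device that is not reporting to Defender will never show up.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph module,
# DeviceManagementConfiguration.ReadWrite.All, and a real group object ID.

# The OMA-URI from the post. The CSP stores this string at
# HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\Group
$TagOmaUri = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group'

function New-DefenderTagProfile {
    # Creates the Intune custom profile for one tag and assigns it to one group.
    # Run on an admin workstation after Connect-MgGraph.
    param(
        [Parameter(Mandatory)] [string] $TagName,      # e.g. 'Pilot Group 1'
        [Parameter(Mandatory)] [string] $PilotGroupId  # Entra ID group object ID (assumed)
    )

    $profileBody = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = "MDE Device Tag - $TagName"
        description   = "Sets the Defender device tag '$TagName' via the WindowsAdvancedThreatProtection CSP."
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = 'Defender device tag'
                description   = 'DeviceTagging/Group'
                omaUri        = $TagOmaUri
                value         = $TagName
            }
        )
    }

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign the new profile to the pilot group (include, not exclude).
    $assignBody = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

    return $created.id
}

function Test-DefenderDeviceTag {
    # Run locally, elevated, on a pilot device: confirms the CSP wrote the tag
    # and that the MDE sensor is running, before you go looking in the portal.
    param([Parameter(Mandatory)] [string] $ExpectedTag)

    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
    $actual  = (Get-ItemProperty -Path $regPath -Name Group -ErrorAction SilentlyContinue).Group
    $sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $verdict = if (-not $actual) {
        'Policy not applied yet: check the device status on the profile in Intune or force a sync'
    } elseif ($actual -ne $ExpectedTag) {
        'A different tag is present: another profile, GPO or registry setting is winning'
    } elseif (-not $sense -or $sense.Status -ne 'Running') {
        'Tag is set but the Sense service is not running: device will not report to Defender'
    } else {
        'OK: tag should appear in Defender after the next sensor report'
    }

    [pscustomobject]@{
        ExpectedTag  = $ExpectedTag
        ActualTag    = $actual
        TagMatches   = ($actual -eq $ExpectedTag)
        SenseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        Verdict      = $verdict
    }
}

# Usage, admin workstation:
#   Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
#   New-DefenderTagProfile -TagName 'Pilot Group 1' -PilotGroupId '<group object id>'
# Usage, on a pilot device in an elevated PowerShell:
#   Test-DefenderDeviceTag -ExpectedTag 'Pilot Group 1'
```

When you move on to Pilot Group 2, call New-DefenderTagProfile again with the new tag name and group ID rather than editing the first profile; one profile per tag keeps the Intune assignment and the Defender tag filter lined up one to one. Remember that a tag set this way is owned by the policy, so removing it means changing or unassigning the profile, not deleting it in the portal.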

Step 3: Setting Up the Security Baseline Assessment
Now that the add-on license is fully active, it’s time to get down to business.
Go to Vulnerability Management > Baseline Assessment.

Create a Profile (pay no attention to my embarrassingly low pass percentage 🤫).

Give your profile a name, description, and activate it.

Set your profile scope based on what your environment needs. A good place to start? CIS Level 1 (L1) settings.

Next, select your configurations. I recommend selecting all of them, and we’ll deal with exceptions later.

Here’s where things start coming together! Since we tagged Pilot Group 1 in Defender earlier, that tag now appears in the “Filter by device tags” section. This means that as devices are added to Pilot Group 1, they’ll automatically get pulled into the Baseline Assessment.

Why is this so awesome? Because now we can track which devices have received the configurations from Intune and which haven’t. If something isn’t compliant, you can check the details and see what’s going on before it becomes a problem.


When you’re ready to move to Pilot Group 2, just click Edit Profile and add the new tag. Rinse and repeat!

Step 4: Handling Exceptions (Because Nothing is Ever Perfect)
There will be times when a setting just will not work in your environment. That’s okay! Here’s how to handle it:
Navigate to Exceptions and click Create.

Fill in the details (the max duration is one year).

Set your scope.

Find the setting that needs an exception.

Apply the exception to the necessary devices.

And just like that, your exception is in place! You can now see these exceptions in Device Details within Defender and filter the columns as needed.

Bonus Tip: Watch Out for Known Issues
Some policies have quirks when scanned, so always check Microsoft’s documentation for known issues. It’ll save you a headache!
Wrapping Up
By using Defender tags and Pilot Groups, you can methodically roll out your Security Baselines, monitor compliance, and handle exceptions like a pro. The best part? You don’t have to guess whether a setting applied; you’ll know exactly what’s happening.
One important thing to remember: everything in this blog takes time before you start seeing results. Between Intune policies applying, Defender tags syncing, and baseline assessments populating, expect to wait a few hours before things show up. So, don’t panic if changes don’t appear immediately. Grab a snack, take a walk, and check back later.