Security Baselines in Intune

Okay, if you are a strong believer in cybersecurity, raise your hands. Okay, you can put them all down now. While I know there are people out there who believe that everything should be open to everyone, I doubt they are reading my blog.

Next: If you bought/acquired/were gifted/found/inherited your current computer and, before doing anything else, took all of the necessary precautions to harden that computer to ensure that you took every possible step to prevent intrusion or compromise, raise your hand.

…I see most of you who believe in the concept of cybersecurity did not raise your hand to confirm that you had done so. Why not? Because most of us do not know how to do this.

I might at some point write an article on how to do this for individual systems, but for the time being I am talking to the IT Pros who use Microsoft Intune to manage and maintain their endpoint devices.

There is a feature in Intune called Security Baselines and from what I can tell not nearly enough of you are using them… but you should. It is a great way to apply a set of policies that will protect your end users and allow you to spend less time chasing down the mundane issues that should be easily prevented.

From the main menu in Intune click on Endpoint Security. You know, that’s the button that you almost never click on because you decided that you use a third-party anti-malware solution so you don’t have to worry about Microsoft protecting your devices. Go ahead, click it!

In the Endpoint Security menu there is an option right near the top that says Security Baselines. You will now see a list of standard baselines that are available out of the box, including for Microsoft 365 Apps for Enterprise, Microsoft Defender for Endpoint, and several more. We are going to click on the one called Security Baseline for Windows 10 and later. Note that in the Version column it lists the most recent release of Windows 11… as of this writing Version 24H2. These baselines do evolve as the threat landscape does and new security options are introduced into the operating system. Anyhow, click it now.

We are now on the Profiles page, where we will create a policy: click +Create Policy. In the Create a policy sidebar there are no options to configure, so just click Create.

On the Create profile screen you should name your profile. While it is easy to think that this will be your only profile, you might realize that we are on to something with these baselines and customize a few of them for different uses or different devices, so make sure you give it a name (and possibly a description) that will make sense to you. Click Next.

Under the Configuration settings tab there are a lot of options that we can configure. You can expand each grouping and you will see that they are all pre-configured to close off any number of potential vulnerabilities… many of which are caused by the end user. As an example, under the Browser options there is one to Prevent Cert Error Overrides. This option stops users from clicking through to sites that present invalid certificates. Letting users override those warnings is generally a bad idea, because an attacker sitting in the middle of a connection presents exactly that kind of certificate. There are, of course, reasons why we might need to allow it… such as connecting to an internal appliance by IP address, where the certificate name cannot match, but that is something that mostly admins would have to do, and not the end users. In any event, you can scroll through these options to make sure there is nothing that would be counterproductive for your environment. The pre-set configuration is a set of recommendations, and not law.

There are hundreds of settings that you can configure; many or most of them should be familiar to you if you have dabbled in Group Policy, but remember that applying restrictive security policies can break things. If you do not know what a policy setting is, either set it to Not configured (which tells Intune to leave the device's current state alone; Disabled is itself an enforced setting) or take this opportunity to research what it is.

There is a good chance that when you apply these often-restrictive policies things will break, so a) be careful; b) test on your own devices first, then apply the policy to a canary group, and then widen the scope… before applying it to the entire company.
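The staged rollout above can also be driven from the command line, which makes it repeatable and leaves a record of who assigned what. The script below is an added example and is not from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) against the Graph beta endpoint. It assumes the baseline you created in the portal is stored as a settings-catalog configuration policy (the format the current Windows baselines use), and the policy name and the group names ('Baseline-Test-Admins', 'Baseline-Canary', 'Baseline-Known-Broken') are placeholders you would replace with your own.

```powershell
# Added example, not part of the original post. Staged rollout of an Intune security
# baseline with the Microsoft Graph PowerShell SDK. Policy and group names are placeholders.
#Requires -Modules Microsoft.Graph.Authentication
$ErrorActionPreference = 'Stop'
$Graph = 'https://graph.microsoft.com/beta'

# Sign in with only the permissions this script needs (least privilege).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All' -NoWelcome

function Get-AllPages {
    # Follow @odata.nextLink so large tenants are not silently truncated.
    param([Parameter(Mandatory)] [string] $Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-BaselinePolicy {
    # Assumption: the portal-created baseline shows up as a settings-catalog policy.
    param([Parameter(Mandatory)] [string] $Name)
    $match = @(Get-AllPages "$Graph/deviceManagement/configurationPolicies" | Where-Object { $_.name -eq $Name })
    if ($match.Count -ne 1) { throw "Expected exactly one policy named '$Name', found $($match.Count)." }
    return $match[0]
}

function Show-BaselineSettings {
    # Every setting the baseline will enforce. Anything you have not researched belongs on
    # "Not configured" in the portal (which removes it from this list), not on Disabled.
    param([Parameter(Mandatory)] [string] $PolicyId)
    Get-AllPages "$Graph/deviceManagement/configurationPolicies/$PolicyId/settings" | ForEach-Object {
        $inst = $_.settingInstance
        # Choice settings carry the chosen option id; simple settings carry a raw value.
        $value = if ($inst.choiceSettingValue)      { $inst.choiceSettingValue.value }
                 elseif ($inst.simpleSettingValue)  { $inst.simpleSettingValue.value }
                 else                               { '(group/collection setting)' }
        [pscustomobject]@{ Setting = $inst.settingDefinitionId; Value = $value }
    }
}

function Get-GroupId {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $filter = [uri]::EscapeDataString("displayName eq '$($DisplayName -replace "'", "''")'")
    $r = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=$filter&`$select=id"
    if ($r.value.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($r.value.Count)." }
    return $r.value[0].id
}

function Set-BaselineAssignment {
    # The assign action replaces the whole assignment list, so every stage passes the
    # full set of include/exclude groups it wants to end up with.
    param(
        [Parameter(Mandatory)] [string]   $PolicyId,
        [Parameter(Mandatory)] [string[]] $IncludeGroup,
        [string[]] $ExcludeGroup = @()
    )
    $targets = @()
    foreach ($g in $IncludeGroup) {
        $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = (Get-GroupId $g) } }
    }
    foreach ($g in $ExcludeGroup) {
        $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = (Get-GroupId $g) } }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/configurationPolicies/$PolicyId/assign" `
        -Body @{ assignments = $targets } | Out-Null
    Write-Host "Assigned policy $PolicyId to: $($IncludeGroup -join ', ') (excluding: $($ExcludeGroup -join ', '))"
}

# --- Rollout, one stage at a time; let each stage soak before running the next ---
$policy = Get-BaselinePolicy -Name 'Security Baseline for Windows 10 and later - Corp'
Show-BaselineSettings -PolicyId $policy.id | Format-Table -AutoSize      # review before assigning anything

# Stage 1: your own test devices.
Set-BaselineAssignment -PolicyId $policy.id -IncludeGroup 'Baseline-Test-Admins'
# Stage 2: add the canary group once stage 1 is clean.
# Set-BaselineAssignment -PolicyId $policy.id -IncludeGroup 'Baseline-Test-Admins','Baseline-Canary'
# Stage 3: everyone, minus devices you found the baseline breaks during the canary phase.
# Set-BaselineAssignment -PolicyId $policy.id -IncludeGroup 'All-Corporate-Windows' -ExcludeGroup 'Baseline-Known-Broken'
```

The later stages are left commented out on purpose: run the script once per stage, uncommenting the next call only after the previous group has reported in and nothing has broken. Keeping the settings review in the same script means the list of enforced settings is printed every time, so a setting that was quietly changed in the portal between stages does not go unnoticed.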

There is a great quote that I came across recently that sums up my feelings on cybersecurity. Cybersecurity should cause healthy friction. It should never be a barrier to productivity, but it can help to remind us that we cannot simply romp freely without a care through cyberspace. It requires caution and guardrails and rules to follow… and we the IT Pros are tasked with the role of applying and enforcing them.
