Introducing and implementing the Windows 365 security baseline

What’s up, everyone!

Did you hear that Microsoft has updated their security baselines? In this post I will explain what security baselines there are and how to implement them. The previous version of the Windows 365 security baseline broke the ability to upload files to the Cloud PC using the webclient (link). Let’s find out if that is still the case! 

Introducing security baselines

Think of security baselines as a group of settings that apply to a specific solution, designed to improve security. These baselines are updated by Microsoft (see the current versions in the list below), but you as admins have the ability to change settings as needed. And yes, they are free to use!

But keep in mind that these security baselines can actually break things. So make sure to review the settings and change settings where needed. And make sure to test them on a small group of test devices. 

Currently Microsoft provides the following baselines:

  • Microsoft 365 Apps for Enterprise security baseline: v2306
  • Microsoft Defender for Endpoint security baseline: v24H1
  • Security baseline for Microsoft Edge: v117
  • Security baseline for Windows 10 and later: v23H2
  • Windows 365 security baseline: v24H1

Using these baselines is a great way to enhance security for these products.

Implementing the Windows 365 security baseline

You can implement these baselines in the Microsoft Intune admin center: go to Endpoint security, Security baselines and select the baseline you want to deploy. In this demo I will be implementing the Windows 365 security baseline.

You’ll see a nice overview of the existing profiles created using the selected baseline (if there are any). This is also the location where you can create a new profile. Just click the + Create profile button in the ribbon:

A new blade will fold out on the right-hand side of your screen. The platform and profile type are already filled in. Click the Create button to continue:

Provide a name for the profile and enter a description. Click Next to continue.

The Configuration settings tab gives you an overview of all the settings that are configured in the security baseline. If you want, you can already make changes to your liking and click the Next button once you are ready. In this demo I will leave all of the settings the way they are since I want to check if the uploads are still broken if you use the webclient.

Add scope tags if you want and click Next to continue:

Assign the profile to the desired Cloud PCs. In real-world scenarios I would advise using a test group first, so the impact is small if something breaks. Once you have verified that everything works like it should, you can reassign the profile to a dynamic security group that contains all Cloud PCs. That way you know that these settings will also apply to newly created Cloud PCs. Since this is a demo tenant I will assign the profile to all of my Cloud PCs.

Once selected, you get a nice overview of the group and how many devices are impacted by this selection:

All that is left to do is to zoom out, admire your awesome work, drink a coffee and select the Create button if you are happy with the configuration.

Creating the profile will only take a couple of seconds. It will appear in the overview (Endpoint security, Security baselines, Windows 365 security baseline).

Changing settings in existing profiles

In case you would like to edit settings in this profile, just navigate back to the profile and select the name. Just like other profiles in Microsoft Intune, you can get the same overview of the basics, assignments, scope tags and configuration settings. Click the Edit button next to Configuration settings to change the settings. 

Making sure that the security profile has been applied

It takes a bit of time before the profile is applied to the Cloud PC. You can track the status on the security profile itself:

At this point we have 11 Cloud PCs that have checked in and applied the security baseline for Windows 365. Every Cloud PC reports a conflict in the settings so most likely I have a setting in this profile that is configured somewhere else. Let’s find out!

All I need to do is to click on a Cloud PC which brings me to an overview of all the settings that are a part of the profile and their status. To make things easy, filter on the status:

Phew, only one setting is conflicting. This should be an easy fix then. We can simply click on the conflicting setting to get more information. In this case I get the following information:

Alright, so apparently I’ve configured the PUA protection in two profiles. To solve the issue I need to remove the setting in one of these places. In this case I’ve decided I want to keep my MDE settings in one place so I will edit the security baseline and remove this setting:

Now we just have to wait until the Cloud PCs check in again for the setting to be applied.
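To confirm on a Cloud PC that PUA protection is still enforced after removing the duplicate setting, you can compare the value Defender reports with the policy locations that may have delivered it. This is an added example, not part of the original post; the two registry paths are assumptions about where Group Policy and MDM store the value, so adjust them if your build differs.

```powershell
# Added example: run in an elevated PowerShell session on the Cloud PC.
# Meaning of the numeric PUAProtection value reported by Defender.
$puaStates = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }

# Effective value as Microsoft Defender Antivirus itself reports it.
$effective = [int](Get-MpPreference).PUAProtection

# Assumed locations where a policy-delivered value can be stored.
$policyPaths = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    'MDM (Intune)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
}

$sources = foreach ($entry in $policyPaths.GetEnumerator()) {
    # A missing key or value is not an error here, it just means "not set".
    $raw = (Get-ItemProperty -Path $entry.Value -Name 'PUAProtection' `
                -ErrorAction SilentlyContinue).PUAProtection
    [pscustomobject]@{
        Source = $entry.Key
        Path   = $entry.Value
        Raw    = $raw
        State  = if ($null -ne $raw) { $puaStates[[int]$raw] } else { 'not set' }
    }
}

Write-Output "Effective PUA protection on $($env:COMPUTERNAME): $($puaStates[$effective])"
$sources | Format-Table Source, State, Path -AutoSize

# Two policy sources with different values is the on-device picture of the
# conflict Intune reported; after the fix only one source should remain set.
$configured = @($sources | Where-Object { $null -ne $_.Raw })
$distinct   = @($configured.Raw | ForEach-Object { [int]$_ } | Sort-Object -Unique)

if ($configured.Count -eq 0) {
    Write-Warning 'No policy source sets PUAProtection; the effective value is a local or default setting.'
} elseif ($distinct.Count -gt 1) {
    Write-Warning 'Policy sources disagree on PUAProtection; the conflict is not resolved yet.'
} elseif ($distinct[0] -ne $effective) {
    Write-Warning 'The policy value differs from the effective value; wait for the next check-in.'
} else {
    Write-Output 'Policy value and effective value agree.'
}
```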

Did we break the file upload using the webclient? (again)

The previous baseline contained a setting that blocked file uploads from the webclient. Let’s find out if this baseline causes the same issue. 

Sign in to the webclient (https://windows365.microsoft.com) and click the arrow pointing upwards to upload a file:

You get the following notification once the upload completes:

And it seems that the functionality is broken again as there is no virtual drive in Windows Explorer:

The question you could ask yourself is whether this is really a problem. Do your users use apps like the Windows app to connect to their Cloud PC? Then there is no issue.

If they do use the webclient, you could ask if they should be able to upload and download files using the webclient. You only need to change the setting if they should be able to. 

But let’s change the setting just for the fun of it. Let’s head back to the security baseline profile in Microsoft Intune. Locate the following setting and change it to not configured:

Save the change and wait until the Cloud PCs have picked up the changed baseline settings.

We now have the ability to upload and download files using the webclient:

That’s all there is to it! 

I just want to mention that I’ve recently seen a video by my friend Neil McLoughlin about the security baseline for Windows 365. You can check out this awesome video here and make sure to give him a follow on YouTube!

Resources

I used the following resources for this post:

https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-windows-365

Unable To Upload Files To The Cloud PC Using The Webclient – dominiekverham.com
