MikePalmer-1666 asked JarvisSun-MSFT answered

Microsoft Endpoint Manager Endpoint Security - Security Baselines - Assigning new profile

We are using Microsoft Endpoint Manager to manage over 4000 Windows 10 machines. We have an issue with the Endpoint Security Baseline profiles where our production profile has sleep S1-S3 disabled but we need to enable it again, so we have a Pre-Production policy for testing the change.

The problem is I cannot get the Pre-Production policy to work due to the conflict of the sleep setting change I'm trying to implement against the clients. I read somewhere that if you change the baseline profile, you must reset the security baseline on the Windows 10 device first. The problem is I cannot work out how to achieve this.

Can anyone help me please?

Regards

Mike

JarvisSun-MSFT answered

@MikePalmer-1666 Thanks for posting in our Q&A.
When you use multiple security baselines, review the settings in each one to identify when different baselines introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved. Also be aware of your device configuration profiles, which can configure many of the same settings as security baselines.
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines-monitor#resolve-conflicts-for-security-baselines
Hope it can help



yannara answered yannara commented

I can change the settings on the fly without a problem, but I have heard that if you get stuck in production with old baseline settings published by MS, you cannot edit that anymore. So only the last, valid baseline is editable. Maybe that is the case with you? If not, can you drop some screenshots of what is happening and what is possibly grayed out?


Hi Yannara,

Both profiles are running the December 2020 baseline. When you go into the pre-production profile device status, it reports a conflict for my device. More confusing, when you drill through the data I get the policy name "Windows 10 MDM Security Baseline for May 2019", which does not exist as a policy within our environment anymore.

Mike


I stand corrected, the baseline for May 2019 does exist and it is no longer assigned but is using an old baseline. It appears to be conflicting with this policy on the screen timeout.

Mike


@MikePalmer-1666 I can edit the baseline on the fly with no problem. If you have a conflict, you should decide yourself which you keep: normal config profile settings or the baseline. Set each one of them to not configured and you should get rid of the conflict.
