Monitor security baselines and profiles in Microsoft Intune
Intune provides several options to monitor your security baselines. You can:
- Monitor a security baseline, and any devices that match (or don't match) the recommended values.
- Monitor the security baselines profile that applies to your users and devices.
- View how the settings from a selected profile are set on a selected device.
You can also view the Endpoint security configurations that apply to individual devices, which include security baselines.
This article walks you through these monitoring options.
Security baselines in Intune provides more details on the security baselines feature in Microsoft Intune.
Monitor the baseline and your devices
When you monitor a baseline, you get insight into the security state of your devices based on Microsoft's recommendations. To view these insights, sign in to the Microsoft Endpoint Manager admin center, go to Endpoint security > Security baselines and select a security baseline type like the MDM Security Baseline. Then, from the Profile pane, select the profile instance for which you want to view details. This opens the profile's Properties pane, where you can select any of the profile reports from the Monitor section.
It takes up to 24 hours for data to appear after you first assign a baseline. Later changes take up to six hours to appear.
As you drill into reports and devices, various details are available.
Monitor the profile
Monitoring the profile gives insight into the deployment state of your devices, but not the security state based on the baseline recommendations.
1. In Intune, select Security Baselines > select a baseline to open its Profiles pane.
2. Under Manage > Properties, a list of all the settings in the baseline is shown. You can also change any of these settings.
3. In Monitor, you can see the deployment status of the profile on individual devices, the status for each user, and the status for each setting in the baseline.
View settings from profiles that apply to a device
You can select a profile for a Security Baseline and drill in to view a list of settings from that profile as they apply to an individual device. To view that list, go to Endpoint security > Security baselines > select the security baseline type > select the Profile you want to view > Device status. You can also view the list by going to Endpoint Security > All devices > select a device > Endpoint security configuration > select a baseline version.
After selecting a device, Microsoft Endpoint Manager admin center displays a list of the settings from that profile, including the category the setting is from, and the configuration state on the device. Configuration states include the following values:
- Success – The setting on the device matches the value as configured in the profile. This is either the baseline's default and recommended value, or a custom value specified by an administrator when the profile was configured.
- Conflict – The setting is in conflict with another policy, has an error, or is pending an update.
- Not applicable – The setting is not applied by the profile.
The status values for settings will update in a future release to provide more granular details.
View Endpoint security configurations per device
View details about the security configurations that apply to an individual device, which can help you isolate settings that are misconfigured.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Go to Devices > All devices and select the device you want to view.
3. In the Monitor category, select Endpoint security configuration to view the list of security configurations that apply to that device.
4. Select an Endpoint security configuration to drill in and view additional details about the evaluation of that security configuration on the device.
Troubleshoot using per-setting status
You deployed a security baseline, but the deployment status shows an error. The following steps give you some guidance on troubleshooting the error.
1. In Intune, select Security Baselines > select a baseline > Profiles.
2. Select a profile > Under Monitor > Per-setting status.
3. The table shows all the settings and the status of each setting. Select the Error column or the Conflict column to see the setting causing the error.
MDM diagnostic information
Now you know the problematic setting. The next step is to find out why this setting is causing an error or conflict.
On Windows 10 devices, there's a built-in MDM diagnostic information report. This report includes default values, current values, lists the policy, shows if it's deployed to the device or the user, and more. Use this report to help determine why the setting is causing a conflict or error.
1. On the device, go to Settings > Accounts > Access work or school.
2. Select the account > Info > Advanced Diagnostic Report > Create report.
3. Choose Export, and open the generated file.
4. In the report, look for the error or conflict setting in the different sections of the report. For example, look in the Enrolled configuration sources and target resources section or the Unmanaged policies section. You may get an idea of why it's causing an error or conflict.
Diagnose MDM failures in Windows 10 provides more information on this built-in report.
- Some settings also list the GUID. You can search for this GUID in the local registry (regedit) for any set values.
- The Event Viewer logs may also include some error information on the problematic setting (Event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin).
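The two checks above (registry search for the setting's GUID and the DeviceManagement-Enterprise-Diagnostics-Provider Admin log) can be scripted on the affected device. The following is an added example, not part of the Intune documentation or the product; it assumes a Windows 10 device enrolled in Intune, an elevated PowerShell session, that MdmDiagnosticsTool.exe produces the same report as the Advanced Diagnostic Report button, and that MDM policy state lives under HKLM\SOFTWARE\Microsoft\PolicyManager. The GUID value is a placeholder you replace with the one from the per-setting report.

```powershell
# Added example (not from the Intune docs): gather local MDM evidence for one
# problematic setting. Run elevated on the enrolled Windows 10 device.
param(
    # Placeholder: paste the GUID listed for the setting in the per-setting report.
    [Parameter(Mandatory)][string]$SettingGuid,
    [string]$OutDir = "$env:TEMP\MdmDiag"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pattern = [regex]::Escape($SettingGuid.Trim('{}'))   # match with or without braces

# 1. Generate the built-in MDM diagnostic report (assumed equivalent to the
#    Advanced Diagnostic Report button). Output lands in $OutDir\MDMDiagReport.html.
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $OutDir | Out-Null

# 2. Read the Admin channel named in the article for errors (Level 2) and
#    warnings (Level 3) from the last 24 hours, keeping only events that
#    mention the setting's GUID.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
$eventHits = @($events | Where-Object { $_.Message -match $pattern })
$eventHits | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $OutDir 'mdm-events.csv') -NoTypeInformation

# 3. Scriptable version of regedit's Find: walk the PolicyManager hive (assumed
#    location of MDM policy state) and report any key name, value name or value
#    data containing the GUID.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
$regHits = @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    if ($key.PSChildName -match $pattern) {
        [pscustomobject]@{ Key = $key.Name; ValueName = '(key name)'; Data = '' }
    }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -match $pattern -or $data -match $pattern) {
            [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
        }
    }
})
$regHits | Export-Csv -Path (Join-Path $OutDir 'mdm-registry.csv') -NoTypeInformation

"Report: $OutDir\MDMDiagReport.html; $($eventHits.Count) event(s) and $($regHits.Count) registry hit(s) mention $SettingGuid"
```

Open mdm-events.csv and mdm-registry.csv alongside the HTML report to compare the value Intune expects with what is actually set on the device.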