Around a year ago I posted the Windows Intune 23H2 Baseline as individual catalog files: I put all the configurations from each section into the Device Configuration Settings Catalog format and exported them as JSON so that they can be easily imported. I’ve now updated this and posted the new Intune 24H2 security baseline.
Microsoft have slightly reduced the need to do this now, as creating a new baseline under Security Baselines also places one giant baseline in the Settings Catalog. However, read on: while this is more convenient than before, it still makes the baseline hard to implement, especially in large environments.
Why should I use grouped individual profiles instead of just using the Microsoft Baseline?
The Microsoft Security Baseline now gets published in the Settings Catalog, i.e. if you create a new baseline today in the Endpoint Security node it will create a new 24H2 version, both in Security Baselines…

and in Configurations. Microsoft have taken a step forward: whereas the baseline used to be published only in the Security Baselines blade, they now publish it in your Settings Catalog too. However…

HOWEVER
The default settings are still all in one giant profile, which can make testing more difficult, especially when trying to narrow down which setting might be too restrictive in your environment.

Using individual profiles instead
I’ve split the baseline into each of the individual components that make it up. The files correspond to each section of the baseline, i.e.

Each file corresponds to that section of the baseline

This makes it much easier to apply sections of the policy one at a time.
Download
You can download the zip here: Intune 24H2 Baseline as Settings Catalog
FAQ:
Why do I want them as individual Settings Catalog profiles rather than one profile?
Having the settings grouped in the catalog gives greater flexibility in testing and in adding or removing settings. You do not need to apply a whole set of settings and then plough through hundreds of them to find out why something is not working, or is too restrictive in your environment. Having them grouped also helps in rolling out, especially in large environments.
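As an added example (not part of the post or the zip), here is a Python script that bulk-imports the per-section JSON files through the Graph beta configurationPolicies endpoint and assigns each new profile to a pilot group, so sections can be rolled out one at a time as described above. It assumes an access token with DeviceManagementConfiguration.ReadWrite.All in the ACCESS_TOKEN environment variable, the zip unpacked to ./baseline, and PILOT_GROUP_ID_PLACEHOLDER standing in for your pilot group's object id.

```python
import glob
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
# Properties present in an Intune export that the create call does not accept
# (assumed from the Graph deviceManagementConfigurationPolicy schema).
READ_ONLY = {"id", "createdDateTime", "lastModifiedDateTime", "settingCount",
             "isAssigned", "priorityMetaData", "creationSource"}


def prepare_import_body(exported: dict, name_prefix: str = "Pilot - ") -> dict:
    """Turn an exported profile into a create body: drop read-only fields,
    keep only settingInstance for each setting, and prefix the display name."""
    body = {k: v for k, v in exported.items() if k not in READ_ONLY}
    body["name"] = name_prefix + exported["name"]
    body["settings"] = [{"settingInstance": s["settingInstance"]}
                        for s in exported.get("settings", [])]
    return body


def graph_post(token: str, url: str, body: dict) -> dict:
    """POST JSON to Graph with a bearer token; returns the parsed response ({} for 204)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read() or b"{}")


def import_and_assign(token: str, body: dict, group_id: str) -> str:
    """Create the profile, then assign it to the pilot group; returns the new policy id."""
    policy_id = graph_post(token, GRAPH, body)["id"]
    assignment = {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id}}]}
    graph_post(token, f"{GRAPH}/{policy_id}/assign", assignment)
    return policy_id


if __name__ == "__main__":
    token = os.environ["ACCESS_TOKEN"]          # assumption: token obtained elsewhere
    pilot_group = "PILOT_GROUP_ID_PLACEHOLDER"  # placeholder: your pilot group's object id
    # One JSON file per baseline section, unpacked from the zip into ./baseline
    for path in sorted(glob.glob("baseline/*.json")):
        with open(path, encoding="utf-8") as fh:
            body = prepare_import_body(json.load(fh))
        print(f"{path} -> {import_and_assign(token, body, pilot_group)}")
```

Run it once per section you want to trial; the "Pilot - " prefix keeps the imported copies distinguishable from the Microsoft-published baseline in the Configurations list.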
Are all settings copied?
All settings are exactly as Microsoft has them set in the 24H2 Baseline out of the box, with one exception: LAPS, as this is set up separately. For your information, LAPS has only one default setting in the baseline anyway, which is …

Apart from this, absolutely all settings are in the files like for like.
Are there many changes from 23H2 baseline?
No, not very many at all, so few I can list them. The 24H2 Baseline is identical to 23H2 except that Microsoft have now added the following as defaults:
Defender
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Block Office communication application from creating child processes
- Block all Office applications from creating child processes
- Block Adobe Reader from creating child processes
- Block credential stealing from the Windows local security authority subsystem
- Block JavaScript or VBScript from launching downloaded executable content
- Block untrusted and unsigned processes that run from USB
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block executable content from email client and webmail
- Enable Convert Warn To Block: Warn verdicts are converted to block.
- Hide Exclusions From Local Users: local users will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
- Oobe Enable Rtp And Sig Update
- Passive Remediation PASSIVEREMEDIATIONFLAGSENSEAUTOREMEDIATION: Passive Remediation Sense AutoRemediation.
- Quick Scan Include Exclusions: all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.
Device Guard
Machine Identity Isolation
(Disabled) Machine password is only LSASS-bound and stored in the $MACHINE.ACC registry key.
Kerberos
- PK Init Hash Algorithm Configuration
- Enabled & Supported
- PK Init Hash Algorithm SHA256
- PK Init Hash Algorithm SHA384
- PK Init Hash Algorithm SHA512
Not Supported
- PK Init Hash Algorithm SHA1
Sudo
Setting enabled but Sudo is disabled.
Where can I download the files?
You can download the zip here: Intune 24H2 Baseline as Settings Catalog
Good info Tim!
Some admins might also like to know which settings [inexplicably] conflict with the MS defender baseline and what you recommend to do about it.
cheers,
Hi, hopefully this will go at least some way to answering that. TBH, as they are quite restrictive, tread with caution.
https://timbeer.com/defender-for-endpoint-baseline-vs-windows-baseline-conflict-and-considerations/
Very handy Tim. Thanks