Let’s learn how you can download and configure security baselines. Baselines are an essential benefit for organizations: in addition to the security assurance of its products, Microsoft gives you fine control over your environments by providing various configuration capabilities through security baselines.
A security baseline is a group of Microsoft-recommended configuration settings, together with an explanation of their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from those that concern another. The one thing that all organizations have in common is a need to keep their apps and devices secure.
These devices must be compliant with the security standards (or security baselines) defined by the organization. The security baselines are included in the Security Compliance Toolkit (SCT), which can be downloaded from the Microsoft Download Center.
Download Microsoft Security Baselines
The first step is to download the baseline from the Microsoft Download Center.
This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.
Download Microsoft Security Compliance Toolkit https://www.microsoft.com/en-us/download/details.aspx?id=55319
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
- Windows 10 security baselines
  - Windows 10 Version 21H2
  - Windows 10 Version 21H1
  - Windows 10 Version 20H2
  - Windows 10 Version 1809
  - Windows 10 Version 1607
  - Windows 10 Version 1507
- Windows Server security baselines
  - Windows Server 2022
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2
- Microsoft Office security baseline
  - Office 2016
  - Microsoft 365 Apps for Enterprise Version 2206
- Microsoft Edge security baseline
  - Edge version 98
- Tools to help admins manage the security baselines:
  - Policy Analyzer
  - Local Group Policy Object (LGPO)
  - Set Object Security
  - GPO to Policy Rule
Select the file you want to download. For example, select Windows 11 Security Baseline and click Next.
Based on the selection, the zipped file will start downloading automatically. Once you have the downloaded file, proceed to the next step for extraction.
The next step is to extract the contents of Windows 11 Security Baseline.zip to a folder. Open the extracted folder “Windows 11 Security Baseline.”
The Security Baseline archive for each Windows version contains several folders:
- Documentation – Contains XLSX and PDF files with a detailed description of the settings applied in the Security Baseline.
- GP Reports – HTML reports with the GPO settings to be applied.
- GPOs – Contains GPO objects for different scenarios. You can import the policies to your Group Policy Management (GPMC) console.
- Scripts – PowerShell scripts to easily import GPO settings to the domain or local policies.
- Templates – ADMX/ADML GPO templates.
The Templates folder contains the templates you need to deploy the baseline.
Import Security Baselines – Automation Scripts
In the extracted folder, open \Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\Scripts and run the PowerShell script.
Note – Don’t execute the script directly in a production environment. Ensure you have backups of your existing policies. It’s always best to analyze the results in a test environment first.
- Baseline-LocalInstall.ps1 -> Applies a Windows security configuration baseline to local group policy.
- Baseline-ADImport.ps1 -> Imports all GPOs in this baseline into Active Directory Group Policy.
Import GPO Security Baselines to Central Store | Active Directory Domain
To take advantage of the benefits of the security baseline, you must create a Central Store in the sysvol folder on a Windows domain controller. The Central Store is a file location checked by the Group Policy tools by default.
The Group Policy tools use all .admx files in the Central Store. The files in the Central Store are replicated to all domain controllers.
You can now copy the Microsoft Security Baseline ADMX and ADML files to the central policy store location on your domain controller. The following is the central store path for the HTMD lab environment – \\Admemcm\sysvol\memcm.com\Policies.
NOTE! – Always take a backup of the PolicyDefinitions folder before adding new or replacing existing ADMX and ADML files.
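The backup-then-copy step above can be scripted so that nothing in the Central Store is overwritten unseen. The following is an added example, not part of the baseline package or the original article; the Central Store path follows the article's lab, and `$BackupRoot` and `$DryRun` are assumed names.

```powershell
# Added example, not from the baseline package. Paths follow the article's lab.
$Templates    = '.\Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\Templates'
$CentralStore = '\\Admemcm\sysvol\memcm.com\Policies\PolicyDefinitions'
$BackupRoot   = 'C:\GPO-Backups'   # assumption: any folder outside SYSVOL
$DryRun       = $true              # set to $false to actually copy
$ErrorActionPreference = 'Stop'

function Get-Sha256([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

# 1. Snapshot the current Central Store before touching it.
if (Test-Path -LiteralPath $CentralStore) {
    $backup = Join-Path $BackupRoot ('PolicyDefinitions-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Copy-Item -LiteralPath $CentralStore -Destination $backup -Recurse
    Write-Host "Backed up Central Store to $backup"
}

# 2. Classify each baseline template against the Central Store by SHA-256,
#    so replacements of existing ADMX/ADML files are visible before copying.
$root = (Resolve-Path -LiteralPath $Templates).Path
$plan = Get-ChildItem -Path $root -Recurse -File -Include *.admx, *.adml |
    ForEach-Object {
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        $target   = Join-Path $CentralStore $relative
        $state = if (-not (Test-Path -LiteralPath $target)) { 'New' }
                 elseif ((Get-Sha256 $_.FullName) -eq (Get-Sha256 $target)) { 'Identical' }
                 else { 'Replace' }
        [pscustomobject]@{
            File = $relative; State = $state
            Source = $_.FullName; Target = $target
        }
    }
$plan | Sort-Object State, File | Format-Table File, State -AutoSize

# 3. Copy only new or changed files; language subfolders (e.g. en-US) are kept.
foreach ($item in $plan | Where-Object State -ne 'Identical') {
    $dir = Split-Path -Path $item.Target -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -WhatIf:$DryRun | Out-Null
    }
    Copy-Item -LiteralPath $item.Source -Destination $item.Target -Force -WhatIf:$DryRun
}
```

Review the `Replace` rows before setting `$DryRun` to `$false`; those are templates already in the Central Store whose contents differ from the baseline's copy.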
You can now explore the latest added features in the baseline. Create a Group Policy Object on the domain controller.
Open the Group Policy Management console. In the navigation pane, expand Forest:YourForestName, expand Domains, expand YourDomainName, click Group Policy Objects, and then click New.
Name the object for the product you’re configuring, for example, Windows 11 Security Baseline. Right-click the new object and select Import Settings.
On the Backup location page, click Browse, find the baseline folder you extracted, and click Next.
Select the GPOs from which you want to import settings, then click Next and complete the process.
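The same import can be done with the GroupPolicy PowerShell module, with a full GPO backup taken first as the earlier note advises. This is an added example, not the baseline's own Baseline-ADImport.ps1; `$BackupPath` is an assumed folder and `$SourceName` is a placeholder you fill in from the list the script prints.

```powershell
# Added example; requires the GroupPolicy module (GPMC / RSAT) and a domain account
# with rights to create GPOs.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

$GpoFolder  = '.\Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\GPOs'
$BackupPath = 'C:\GPO-Backups\Pre-Baseline'        # assumption: existing-GPO backup folder
$TargetName = 'Windows 11 Security Baseline'       # GPO name used in the article
$SourceName = '<display name from the list below>' # placeholder: pick one baseline GPO

# 1. Back up every existing GPO in the domain before importing anything.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Path $BackupPath -Comment 'Before Windows 11 baseline import' |
    Select-Object DisplayName, Id

# 2. List the GPO backups shipped in the baseline. Each backup folder holds a
#    hidden bkupInfo.xml with the backup ID and the GPO display name.
$available = Get-ChildItem -Path $GpoFolder -Recurse -Filter bkupInfo.xml -Force |
    ForEach-Object {
        $doc = [xml](Get-Content -LiteralPath $_.FullName -Raw)
        $get = { param($n) $doc.DocumentElement.SelectSingleNode("*[local-name()='$n']").InnerText }
        [pscustomobject]@{
            DisplayName = & $get 'GPODisplayName'
            BackupId    = [guid](& $get 'ID')
        }
    }
$available | Sort-Object DisplayName | Format-Table -AutoSize

# 3. Import exactly one selected backup into the target GPO.
$pick = @($available | Where-Object DisplayName -eq $SourceName)
if ($pick.Count -ne 1) {
    throw "Set `$SourceName to exactly one display name from the list above."
}
Import-GPO -BackupId $pick[0].BackupId `
           -Path (Resolve-Path -LiteralPath $GpoFolder).Path `
           -TargetName $TargetName -CreateIfNeeded
```

A GPO created by `-CreateIfNeeded` is not linked to any site, domain, or OU, so the imported settings apply to nothing until you link it, which leaves room to review it in a test OU first.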
The GPO settings are now imported into Windows 11 Security Baseline. Next, you can proceed to create a policy; it is a best practice to use WMI filters.
Group Policy WMI filtering is very useful when we would like to filter a GPO based on certain conditions, such as a specific hardware type, OS type, or Server Role.
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.