Security Baselines Download Configuration Guide

Let’s learn how you can download and configure security baselines. Baselines are an essential benefit for organizations. In addition to the security assurance of its products, Microsoft enables you to have fine control over your environments by providing various configuration capabilities using security baselines.

A security baseline is a group of Microsoft-recommended configuration settings, together with an explanation of their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

You can use security baselines to:

  • Ensure that user and device configuration settings are compliant with the baseline.
  • Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from those of another organization. The one thing that all organizations have in common is a need to keep their apps and devices secure.

These devices must be compliant with the security standards (or security baselines) defined by the organization. The security baselines are included in the Security Compliance Toolkit (SCT), which can be downloaded from the Microsoft Download Center. 

Download Microsoft Security Baselines

The first step is to download the baseline from the Microsoft Download Center –

This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.

Download Microsoft Security Compliance Toolkit https://www.microsoft.com/en-us/download/details.aspx?id=55319

Click on Download – Security Baselines Download Configuration Guide

The Security Compliance Toolkit consists of:

  • Windows 11 security baseline
  • Windows 10 security baselines
    • Windows 10 Version 21H2
    • Windows 10 Version 21H1
    • Windows 10 Version 20H2
    • Windows 10 Version 1809
    • Windows 10 Version 1607
    • Windows 10 Version 1507
  • Windows Server security baselines
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
  • Microsoft Office security baseline
    • Office 2016
    • Microsoft 365 Apps for Enterprise Version 2206
  • Microsoft Edge security baseline
    • Edge version 98
  • Tools to help admins manage the security baselines:
    • Policy Analyzer
    • Local Group Policy Object (LGPO)
    • Set Object Security
    • GPO to Policy Rule

Select the file you want to download. For example, select Windows 11 Security Baseline and click Next.

Select the file – Security Baseline Download Configuration Guide 2

Based on the selection, the zipped file will start downloading automatically. Once you have the downloaded file, proceed to the next step for extraction.

The next step is to extract the contents of Windows 11 Security Baseline.zip to a folder. Open the extracted folder “Windows 11 Security Baseline.”

Extract Security Baseline – Security Baseline Download Configuration Guide 3

The Security Baseline archive for each Windows version contains several folders:

  • Documentation – Contains XLSX and PDF files with a detailed description of the settings applied in the Security Baseline.
  • GP Reports – HTML reports with the GPO settings to be applied.
  • GPOs – Contains GPO objects for different scenarios. You can import the policies to your Group Policy Management (GPMC) console.
  • Scripts – PowerShell scripts to easily import GPO settings to the domain or local policies.
  • Templates – ADMX/ADML GPO templates.

The Templates folder contains the templates you need to deploy the baseline. These files are shown below –

Security Baseline Download Configuration Guide 4

Import Security Baselines – Automation Scripts

In the extracted folder, open \Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\Scripts and run the PowerShell script you need.

Note – Don’t execute the script directly in a production environment. Ensure you have backups of your existing policies. It’s always best to analyze it in a test environment first.

  • Baseline-LocalInstall.ps1 -> Applies a Windows security configuration baseline to local group policy.
  • Baseline-ADImport.ps1 -> Imports all GPOs in this baseline into Active Directory Group Policy.
Import Security Baselines – Automation Scripts
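
One way to follow the note above in a test domain, as an added example (not part of the baseline package or the original article): back up every existing GPO with the GroupPolicy module, run Baseline-ADImport.ps1, then list what the import created or changed. The folder paths are assumptions, as is running the script from its own folder without parameters.

```powershell
#Requires -Modules GroupPolicy
$ErrorActionPreference = 'Stop'

# Assumed locations: adjust to where you extracted the baseline and keep backups.
$scriptsDir = 'C:\Temp\Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\Scripts'
$backupDir  = 'C:\GPOBackups\PreBaseline-{0:yyyyMMdd-HHmmss}' -f (Get-Date)

# 1. Back up every GPO in the current (test) domain before importing anything.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$existing = @(Get-GPO -All)
$backups  = @(Backup-GPO -All -Path $backupDir -Comment 'Before Windows 11 baseline import')

# 2. Stop if any existing GPO is missing from the backup set.
$missing = @($existing | Where-Object { $_.Id -notin $backups.GpoId })
if ($missing.Count -gt 0) {
    throw "Backup incomplete, not importing. Missing: $($missing.DisplayName -join ', ')"
}

# Remember each GPO's last modification time so changes can be detected afterwards.
$before = @{}
foreach ($gpo in $existing) { $before[$gpo.Id] = $gpo.ModificationTime }

# 3. Run the import from the Scripts folder (assumed: no parameters needed).
Push-Location -LiteralPath $scriptsDir
try     { & .\Baseline-ADImport.ps1 }
finally { Pop-Location }

# 4. Report GPOs that are new or modified, for review before any of them is linked.
Get-GPO -All | ForEach-Object {
    $state = if (-not $before.ContainsKey($_.Id)) { 'New' } elseif ($before[$_.Id] -ne $_.ModificationTime) { 'Changed' }
    if ($state) {
        [pscustomobject]@{ State = $state; DisplayName = $_.DisplayName; Id = $_.Id }
    }
} | Sort-Object State, DisplayName
```

A GPO reported as Changed can be restored from the backup folder with Restore-GPO if the import overwrote settings you need.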

Import GPO Security Baselines to Central Store | Active Directory Domain

To take advantage of the benefits of the security baseline, you must create a Central Store in the sysvol folder on a Windows domain controller. The Central Store is a file location checked by the Group Policy tools by default.

The Group Policy tools use all .admx files in the Central Store. The files in the Central Store are replicated to all domain controllers.

You can now copy the Microsoft Security Baseline ADMX and ADML files to the central policy store location on your domain controller. The following is the central store path for the HTMD lab environment – \\Admemcm\sysvol\memcm.com\Policies.

NOTE! – Always take a backup of the PolicyDefinitions folder before adding new or replacing ADMX and ADML files.

You can now explore the latest added features in the baseline. Create a Group Policy Object on the domain controller.
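
The backup and copy described above can be scripted, shown here as an added example that is not part of the baseline package or the original article. It uses the lab Central Store path from this page; the extraction folder, the backup folder, and the layout of ADML files in language subfolders are assumptions.

```powershell
$ErrorActionPreference = 'Stop'

# Assumed extraction and backup locations; the Central Store is the article's lab domain.
$templates    = 'C:\Temp\Windows 11 Security Baseline\Windows11-Security-Baseline-FINAL\Templates'
$centralStore = '\\Admemcm\sysvol\memcm.com\Policies\PolicyDefinitions'
$backupRoot   = 'C:\GPOBackups'

if (-not (Test-Path -LiteralPath $centralStore -PathType Container)) {
    throw "Central Store not found: $centralStore"
}

# 1. Copy the whole PolicyDefinitions folder aside before touching it.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
$backup = Join-Path $backupRoot ('PolicyDefinitions-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
Copy-Item -LiteralPath $centralStore -Destination $backup -Recurse

# 2. Copy each ADMX/ADML file, keeping language subfolders (for example en-US),
#    and record whether it was new, identical, or replaced an existing file.
$root   = (Get-Item -LiteralPath $templates).FullName.TrimEnd('\')
$report = Get-ChildItem -LiteralPath $root -Recurse -File |
    Where-Object { $_.Extension -in '.admx', '.adml' } |
    ForEach-Object {
        $relative = $_.FullName.Substring($root.Length + 1)
        $target   = Join-Path $centralStore $relative
        $action   = 'New'
        if (Test-Path -LiteralPath $target) {
            $same   = (Get-FileHash -LiteralPath $_.FullName).Hash -eq (Get-FileHash -LiteralPath $target).Hash
            $action = if ($same) { 'Identical' } else { 'Replaced' }
        }
        if ($action -ne 'Identical') {
            New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        }
        [pscustomobject]@{ Action = $action; File = $relative }
    }

$report | Sort-Object Action, File | Format-Table -AutoSize
"Backup of the previous Central Store: $backup"
```

Review every row marked Replaced: the baseline's copy of a template may be older than the one already in the Central Store, in which case restore that file from the backup folder.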

Open the Group Policy Management console. In the navigation pane, expand Forest:YourForestName, expand Domains, expand YourDomainName, click Group Policy Objects, and then click New.

Import GPO Security Baselines to Central Store 1

Name the object for the product you’re configuring, for example, Windows 11 Security Baseline. Right-click on the new object and select Import Settings.

Import GPO Security Baselines to Central Store | Active Directory Domain 2

On the Backup location page, click Browse, find the baseline folder you extracted, and click Next.

Import GPO Security Baselines to Central Store | Active Directory Domain 3

Select the GPOs from which you want to import settings, then click Next and complete the process.

Import GPO Security Baselines to Central Store | Active Directory Domain 4

The imported settings are now added to the Windows 11 Security Baseline GPO. Next, you can proceed to create a policy; it is a best practice to use WMI filters.

Group Policy WMI filtering is very useful when we would like to filter a GPO based on certain conditions, such as a specific hardware type, OS type, or Server Role.

Import GPO Security Baselines to Central Store | Active Directory Domain 5

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
