How to Change Intune Security Baseline Policy to Version 23H2?

I’m excited to see that the new Security Baseline version, 23H2 for Windows 10/11, is finally available in Intune. This is a quick look at the policy, along with useful details on migrating to the new policy.

  1. What you will see in the Security Baselines now
  2. What’s Available in Version 23H2
  3. Some Notable Settings
  4. Migrating from an older Baseline
    1. If You Were Using An Older Profile Released Before May 2023
    2. If You Are Using A Profile Released After May 2023
  5. Test Before Applying!
  6. What’s Gone?
  7. Useful Links

What you will see in the Security Baselines now

When you go into Security Baselines, you will see the baselines previously created for your organization. Any new baseline you create will be created in the new version, as shown below.

What’s Available in Version 23H2

Since there are plenty of settings, please refer to this URL to see all the settings and their default behavior.

🔗https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-23h2

Some Notable Settings

No more Internet Explorer settings. This is self-explanatory as 23H2 doesn’t ship with IE anymore.

Microsoft Edge

System Services

LAPS

WHfB

User Rights

And so on.

Migrating from an older Baseline

I believe this is the most important part of all. At the moment you may have an older version of the Baseline, which is November 2021. The move from this to the new 23H2 version must be planned, tested, and then rolled out to the fleet.

According to Microsoft:

If You Were Using An Older Profile Released Before May 2023

  • Existing profiles don’t upgrade to new versions automatically.
  • Settings in baseline profiles that don’t use the latest version become read-only. You can continue using those older profiles, including editing their name, description, and assignments, but you can’t edit settings for them or create new profiles based on those older versions.

When you change the profile version:

  • You select the latest instance of the same baseline. You can’t change between two different baseline types, such as changing a profile from using a baseline for Defender for Endpoint to using the MDM security baseline.
  • You can export and download a CSV file that lists the changes between the two baseline versions involved.
  • You choose how to update the profile:
    • You can keep all your customizations from the original baseline version.
    • You can choose to use the default values for all settings in the new baseline version.
    You don’t have the option to change only some settings in a profile during the update.

Read-Only Settings as below

When you select change policy, it will provide you the option to change straight away and the new policy will be activated.

If You Are Using A Profile Released After May 2023

After the policy change made in Intune, for policies created after May 2023 (for example, a November 2021 Security Baseline policy), you will see the message below when trying to change to the new version.

Ideally, the new profile creation is a manual process as you need to customize the settings as per the old policy.

The CSV file will look like below

Once all custom settings have been created, you can activate the new profile and target the devices.
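One way to turn the exported CSV into a worklist for the manual rebuild, as an added example that is not from the original post or from Microsoft. The column names (`SettingName`, `ChangeType`, `OldDefault`, `NewDefault`), the hand-maintained customizations list, the function name `Get-BaselineMigrationPlan` and all sample rows are assumptions; match them to the headers in the file you actually download.

```powershell
# Constructed sample data. Column names and setting names are assumptions, not the
# real export schema: rename them to match the headers in your downloaded CSV.
$changesCsv = @'
SettingName,ChangeType,OldDefault,NewDefault
Sample IE setting,Removed,Enabled,
Sample LAPS setting,Added,,Enabled
Sample WHfB PIN length,Modified,6,8
'@
# Constructed, hand-maintained list of settings customised in the old profile.
$customCsv = @'
SettingName,CustomValue
Sample WHfB PIN length,10
Sample IE setting,Disabled
Sample Edge setting,Disabled
'@

function Get-BaselineMigrationPlan {
    param([object[]] $Changes, [object[]] $Customizations)
    $changeByName = @{}   # version diff indexed by setting name
    foreach ($c in $Changes) { $changeByName[$c.SettingName] = $c }
    $customNames = @{}
    foreach ($s in $Customizations) {
        $customNames[$s.SettingName] = $true
        $change = $changeByName[$s.SettingName]
        $action = if (-not $change) {
            'Unchanged between versions: re-apply custom value'
        } elseif ($change.ChangeType -eq 'Removed') {
            'Removed in new version: nothing to recreate'
        } else {
            'Default changed: review, then re-apply custom value'
        }
        [pscustomobject]@{
            SettingName = $s.SettingName
            CustomValue = $s.CustomValue
            NewDefault  = if ($change) { $change.NewDefault } else { $null }
            Action      = $action
        }
    }
    # Settings added in the new version that were never customised.
    $added = $Changes | Where-Object { $_.ChangeType -eq 'Added' -and -not $customNames.ContainsKey($_.SettingName) }
    foreach ($c in $added) {
        [pscustomobject]@{
            SettingName = $c.SettingName; CustomValue = $null
            NewDefault  = $c.NewDefault; Action = 'New in target version: check on pilot group'
        }
    }
}

Get-BaselineMigrationPlan ($changesCsv | ConvertFrom-Csv) ($customCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```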

Test Before Applying!

This is important because the policy settings may have changed, and you need to understand the device behaviour before rolling the policy out to a wider range of devices.

Tip: Duplicate the current November 2021 policy, change the duplicate to the latest 23H2 version, and apply it to a pilot group to see the behavior. If all is good, change the main production policy to the latest version.

What’s Gone?

In my previous blog post about the Security Baselines, I mentioned the Compare Baselines option that appears when you select the older and current policies. Well, I tried to do the same today and could not find it. It’s a bit disappointing, as now you have to download the CSV file and use it as a guide when creating the new profile. However, I wish Microsoft would look at this because the change is significant and seeing everything in one CSV file can be a good thing.

Useful Links

🔗What certifications do Microsoft’s security baselines have?
🔗Manage security baseline profiles in Microsoft Intune

