
Deployment Project

Shared Baseline Subscriptions

Baselines can now be subscribed to. Essential 8 Maturity Levels 1, 2 and 3 are available for subscription.

These baselines build upon each other, so when moving from M1 to M2 and so on, it's simply a case of aligning the new policies for that maturity level. This makes them much easier to maintain and standardise.

This is outlined in the video below.

How to get started with Essential 8 M1 + Inforcer Best Practices M1

The Essential 8 M1 + Inforcer Best Practices M1 has been built as a "Turn Key" set of policies that can be deployed to your baseline tenant easily and effectively.

The policies within this baseline have been devised alongside the input of several customers, to make sure they are the lowest impact while still offering security coverage and compliance with the Essential 8 Framework for Maturity Level 1.

The policies are tagged to make identification during deployment easier. The tags are broken up into the below areas and colours.

You can create these tags in your own baseline once deployed to make tenant alignment easier.

An outlined matrix of these and the policies they are assigned to can be found here.

Baseline Creation

The below video goes through the deployment of the E8M1 + Best practice baseline.

This baseline is fully configured out of the box ready to align to your tenants.

Defender for Office 365 Policies and Conditional Access Policies will need to be enabled as part of deployment.

You are, of course, more than welcome to modify it to suit your own requirements.

Policy Considerations

When building your baseline there are some policy types that might be worth excluding.

These are outlined below:

  • macOS policies - If you don't manage any Mac devices, it is not worth including their policies in your baseline, and you can leave the macOS category in Intune unselected.

  • Defender for Office 365 - If you use other 3rd party tools for mail management that don't use Defender for Office 365, you'll need to unselect these policies.

  • Patching - If you currently use your RMM for patching, it may be best to unselect these patching policies.

There are also some default values that need to be changed.

These are:

  • Organisational Contact

  • Tenant ID in the "Restrict File Sync to Tenant ID" policy

Custom Baselines

This feature allows you to make available only certain categories of policy, or policies that have been tagged with a particular tag. This means you only need to chase alignment around the policies that you have chosen to be in your baseline comparison.

The below video demonstrates how to create a baseline from the source tenant based on policy tags that have been assigned to the tenant.

Tenant Alignment

In the below videos, we run through the process of aligning a customer to our baseline tenant.

We look at Suggested Policies, the workflow of renaming similar policies, and aligning policies that don't exist in our customer tenant but exist in the baseline tenant.

We also look at the alignment required section, working through Unaccepted Deviations and Existing customer policies, explaining the difference and the different alignment steps we can take.

Renaming Similar Policies

Inforcer, as part of tenant alignment, looks at policies that are in your customer's tenant and compares them to the baseline policy, looking for similar policies that can be renamed for parity.

Suggested Policy Alignment

When aligning policies that are suggested but don't exist in the baseline, the most important things to remember are:

  • Enable any policies that you want to have on in your customer's tenant, as Inforcer defaults to a disabled state.

  • Tick the Overwrite option. Microsoft allows policies to be created with the same names, so this option must be ticked to avoid duplicates.

  • Not all policies have an 'off' or 'on' state; it is mainly Conditional Access policies and Defender for Office 365 policies that do.

Unaccepted Deviations

This is where renamed policies, or policies that already existed, are dealt with. Either configuration differences are aligned, or deviations are accepted because a customer has a specific need for a policy to differ from the baseline.

Existing Customer Policies

These are policies that exist in the customer's tenant but have no corresponding policy in the baseline. Here the policy is either accepted, because there is a need for it to still exist in the customer tenant, or, as you can see in the example below, deleted.