![]() If we look for “Store passwords using reversible encryption” we’ll also notice that it’s missing and add that to our tally. But since we’re trying to be as accurate as possible, I’ll have a list of the differences between the STIG and our MDM settings at the end of this article. I would consider the alphanumeric option as meeting the second half of the complexity requirements. The beginning of the GPO talks about validating Account and Display names against the password – which are not options in our Security Baseline. Since I wasn’t 100% sure about “Password must meet complexity requirements”, take a quick look at the GPO and see if it can be met with the available settings. The only one we need to change is password length, set to 14 instead of 8. We can easily find the “Enforce password history”, “Maximum password age”, “Minimum password length”, and “Minimum password age” settings. We have a ton of settings here so let’s get to it! Starting with the Password Policy, let’s head back to the Security Baseline: Security Baseline and STIG GPResult side by side Just like before, open up the GPResult from the Reports folder, and expand the settings: Computer STIG Settings You can either create new profiles for the Computer settings or reuse the same profiles (I’ll be reusing them for simplicity). So now we have two profiles for our 2 User STIG settings. Enabling the prevent personal OneDrive setting ![]() Select the setting and click Enabled (like the GPResult User STIG shows) to add the setting to our Administrative Template. Once you create the profile, select click Settings, select Office from the drop down, and type “ prevent users from s”… Prevent users from syncing personal OneDrive accountsĪnd viola! There’s the setting we needed. Let’s save the Security Baseline and create an Administrative Template Device Configuration profile.Īdministrative templates have to be created before you can edit them. So we’ll have to fall back to Administrative Templates. If we try to hunt down the “Prevent users from synchronizing personal OneDrive accounts” setting we’ll notice it doesn’t exist. If we search for Toast, we’ll find the setting we’re looking for: Block display of toast notifications set to Yes On the Configuration settings pane, we can search for each of our settings. I’ll name mine DoD Windows 10 STIG v1r18 (matching the STIG itself). ![]() MDM Security Baselines MDM Security Baseline Profiles In Intune, create a new Security Baseline by clicking Device Security > Security Baselines > MDM Security Baseline > Profiles > + Create Profile. The User STIG has only 2 settings, so we’ll start here. We have a few options here, but the easiest (for me at least) would be to look at the Reports folder and inspect the GPO exports. I’m using the same DoD Windows 10 v1r18 copy as before: DISA STIG directory Our first step is just like before: open up the DISA STIG and review the settings. If the Security Baselines fall short, we’ll see if we can supplement them with other Intune profiles. Today we will implement the DISA STIG into modern Intune profiles by using Security Baselines. All of that work has led up to this point, where we’ll be doing something completely new. When I first set out to do those tasks years ago I had to learn how to do them via trial and error, which is why I turned them into blog posts. In reality they were mostly mimicking work I’ve done before – leveraging LGPO and MMAT to apply GPOs. ![]() My last two posts have covered the DISA STIG in-depth.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |