In this post, I’m going to demonstrate how to use the preview version of the Intune Settings Catalog to create an Internet Explorer 11 baseline. For those of you who manage legacy web apps that require IE 11 on a modern desktop, the Settings Catalog experience is a real improvement over the old workflow to configure the browser using Intune. So, let’s dive in.
In early 2021, Microsoft launched a new framework for configuring Windows, called the Intune Settings Catalog. The framework was built from the ground up with the goal of simplifying the process of configuring Windows on Intune along with the hope of bringing the experience more in line with other configuration workflows that already existed on Intune.
Under the hood, the Intune Settings Catalog makes use of MDM settings, but the ride is much more comfortable.
For those of you who haven’t had an opportunity to configure Windows on Intune with the pre-existing tools, let me just say, it is time-consuming, and depending on the requirements it can be a very unfamiliar process that’s difficult to optimize.
Before the release of the Settings Catalog, configuring Intune’s settings was managed with a set of different technologies that Microsoft had built over the years to configure Windows devices. First, there were configuration templates and custom settings (see figure 1).
Then Microsoft introduced ADMX backed settings – a new hope for a better experience and more settings coverage. As it turned out, rather than improve the situation, these technologies created a cumbersome mess to manage.
After working through the IE11 baseline use case, I can say that the Settings Catalog appears to have achieved what its predecessors couldn’t.
Everything from the underlying Graph APIs in the Intune backend to the administrator user interface is separate and built new from scratch. But at the end of the day, these settings in the Intune console are still programming the same MDM settings on the client device but the experience is much more digestible for the administrator.
With some background out of the way, it’s time for the rubber to hit the road. I wanted to put the Settings Catalog through its paces on a real-world example and create an Internet Explorer 11 security baseline and see what I could (and could not) configure via the Settings Catalog.
The reason I felt this was important is that the current workflow for configuring Intune is horrid. Even if you have countless hours to construct an MDM policy by hand as a custom policy or JSON payload, it isn’t an easy win.
And you’re not done there, custom, hand-coded policies are cumbersome to maintain for the average administrator. So, my hope was that the Settings Catalog truly made this process less painful and more manageable.
Before we can start, we need the documented IE11 baseline from Microsoft, which is available from the Microsoft Security Compliance Toolkit downloads: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
Once the page loads, you’ll be presented with several options to download (see Figure 2). For this demonstration, I’m only interested in downloading the Windows 10 Version 20H2 and Windows Server Version 20H2 Security Baseline.zip (1), so I’ll select that and click the Next button (2) to download it.
Figure 2. Download options for IE 11 security baseline.
Once the archive is downloaded, open the archive and navigate to the root of the Windows-10-Windows Server-v20H2-Security-Baseline-FINAL folder. Next, open the GP Reports folder where you will find two GPO Reports for the Internet Explorer 11 Settings in the Baseline. The two GPO Reports are:
- MSFT Internet Explorer 11 – Computer.htm
- MSFT Internet Explorer 11 – User.htm
Figure 3. The GPO Reports (highlighted) necessary for the IE 11 security baseline.
Open the first file to view the majority of the security baseline settings for IE11. To find the settings, click the Administrative Templates (1) heading then Windows Components/Internet Explorer (2). See figure 4.
Figure 4. Location of IE11 security baselines in MSFT Internet Explorer 11 – Computer.htm
Pretty much everything for IE 11 as a best practice should be configured per-machine settings wise though the settings catalog will support per-user settings in some cases which may help fit your requirements.
Pro-tip: I prefer a two-monitor experience for this task. On one display, I have the MEM console open, and on the other display, I have the security baselines. It is a manual process, but dual monitors make it much easier.
In the MEM portal (see Figure 5), navigate to Devices > Windows > Configuration policies (1) and click Create a profile (2) for your Windows 10 devices. The properties dialog will open where you choose the Platform (3) and the Platform type (4).
Figure 5. Create new configuration policy in the MEM portal.
You will notice that the drop-down list for Profile type now includes the new Settings catalog (preview) option. To create the baseline, select Settings catalog and click the Create button.
Figure 6. Configuration profile properties dialog.
Enter in a name (1) for the Settings Catalog profile and then click the Next button (2).
Figure 7. Basic properties for the Settings Catalog security baseline.
On the next screen that opens, click the + Add settings link.
Figure 8. Customize the settings for the new security baseline.
On the Settings picker screen, we’re presented with the available settings we can configure for the security baseline.
This screen is a considerable improvement for finding settings in Intune over previous tools. I love how I can find categories using the search function. I’d love it even more if the search function extended to specific settings so I could find them regardless of category. Alas, it’s still a big improvement.
The tree view of the settings surprised me with how helpful a simple UX feature can be – especially for configuring Internet Explorer. When I expand the Administrative Templates node, the settings line up with those typically configured using Group Policy.
Figure 9. New and improved settings selection interface provided by Settings Catalog Profile type.
Here’s where having dualies really shines. In order to transpose the settings from the GPO Reports over to MEM requires manually configuring the settings one by one. I know it isn’t glorious, but the end result is.
For example, my first configuration setting is Prevent bypassing SmartScreen Filter warnings in the root of the Internet Explorer settings.
Figure 10. The Prevent bypassing SmartScreen Filter warnings setting is enabled for this demonstration.
To configure the setting on the MEM side, you have to locate the setting (in the list of the available settings) and then select it to open another dialog where you enable it (see Figure 11).
Figure 11. Enable the Prevent bypassing SmartScreen Filter warnings setting.
Once the second screen opens, then you can enable the setting (see Figure 12).
Figure 12. Enable a single setting within the list of available settings.
I may be overly cautious because I save the policy after adding a batch of settings by going through and saving it without deploying it anywhere.
In the end, you should have a nice spiffy baseline that looks something like Figure 13.
Figure 13. Settings Catalog IE11 Security Baseline.
For the most part, this was a success, I was able to find every setting except one. Not sure what will be the status but I am assuming it is in the works. When you get to the category Windows Components/Internet Explorer/Security Features/Consistent Mime Handling there is no setting to configure to match the baseline. If this setting but is something you need you can compensate with a custom policy for the meantime.
I was hoping to share this policy as a JSON file, but the community tools are not quite there yet. The Settings Catalog uses a different set of Graph APIs that offer some unique capabilities, unfortunately, there are no features for backing up and restoring these policies.
I am hopeful that something will be released, but this is still a preview feature with a long road ahead.
I highly recommend both using and testing this baseline, hopefully, you’ll eventually be able to rid your modern desktop of IE11 but until then this might help to keep it secured.
Is the baseline you created here from the versions available for download different to the ones that are available directly in Endpoint Manager https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines-configure ?
Hi, the preferred way is probably to keep with the Microsoft baseline until you need to change things that are not in the baseline.