{"id":13597850,"url":"https://github.com/SkipToTheEndpoint/OpenIntuneBaseline","last_synced_at":"2025-04-10T05:33:41.899Z","repository":{"id":132587830,"uuid":"493403016","full_name":"SkipToTheEndpoint/OpenIntuneBaseline","owner":"SkipToTheEndpoint","description":"Community-driven baseline to accelerate Intune adoption and learning.","archived":false,"fork":false,"pushed_at":"2025-03-07T12:54:07.000Z","size":893,"stargazers_count":630,"open_issues_count":10,"forks_count":141,"subscribers_count":69,"default_branch":"main","last_synced_at":"2025-03-07T13:41:46.413Z","etag":null,"topics":["device-config","intune","microsoft","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SkipToTheEndpoint.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/funding.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"buy_me_a_coffee":"skiptotheendpoint"}},"created_at":"2022-05-17T20:24:55.000Z","updated_at":"2025-03-07T12:54:11.000Z","dependencies_parsed_at":"2023-06-07T05:45:23.808Z","dependency_job_id":"af895189-36cd-4a81-8b19-e3b72dc6cf1a","html_url":"https://github.com/SkipToTheEndpoint/OpenIntuneBaseline","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkipToTheEndpoint%2FOpenIntuneBaseline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkipToTheEndpoint%2FOpenIntuneBaseline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkipToTheEndpoint%2FOpenIntuneBaseline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SkipToTheEndpoint%2FOpenIntuneBaseline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SkipToTheEndpoint","download_url":"https://codeload.github.com/SkipToTheEndpoint/OpenIntuneBaseline/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248163430,"owners_count":21057939,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["device-config","intune","microsoft","security"],"created_at":"2024-08-01T17:00:42.300Z","updated_at":"2025-04-10T05:33:36.887Z","avatar_url":"https://github.com/SkipToTheEndpoint.png","language":null,"readme":"# OpenIntuneBaseline\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://twitter.com/SkipToEndpoint\"\u003e\n    \u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/twitter/follow/SkipToEndpoint?label=Follow%20%40SkipToEndpoint\u0026logo=Twitter\u0026style=flat-square\" target=\"_blank\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://skiptotheendpoint.co.uk\"\u003e\n    \u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/badge/Read%20my%20blog-grey?style=flat-square\u0026logo=ghost\" target=\"_blank\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://discord.gg/msems\"\u003e\n    \u003cimg alt=\"Discord\" src=\"https://img.shields.io/discord/1008077287813550090?label=Join%20the%20MS%20EMS%20Community\u0026logo=discord\u0026style=flat-square\" target=\"_blank\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://discord.gg/winadmins\"\u003e\n    \u003cimg alt=\"Discord\" src=\"https://img.shields.io/discord/618712310185197588?label=Join%20WinAdmins\u0026logo=discord\u0026style=flat-square\" target=\"_blank\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e [!IMPORTANT]\n\u003e This has been developed as a starting point or foundation and is not necessarily considered \"complete\". It is being made available to allow learning, development, and knowledge-sharing amongst communities.\n\u003e\n\u003e No liability is assumed for the usage or application of the settings within this project in production tenants.\n\n---\n\n## Project History\nThe OpenIntuneBaseline (OIB) project was started as a way to provide a \"known good\" baseline security posture for Windows devices managed by Microsoft Intune.\n\n### Security Framework Adherence\nWhen creating the initial Windows baseline, substantial data analysis was carried out over well-known security frameworks, such as:\n\n* NCSC Device Security Guidance\n* CIS Windows Benchmarks\n* ACSC Essential Eight\n* Intune Security Baselines for Windows, Edge \u0026 Defender for Endpoint\n* Microsoft Best Practice\n\nThe OIB was not created by simply applying the recommendations from these frameworks. While there is obviously significant overlap, I was driven to create something that included a number of user-experience additions not seen in the above frameworks, as well as my own significant experience implementing these across multiple customer environments, and how admin managability can be impacted by doing so.\n\nSecurity frameworks tend to be seen as unmovable hard requirements rather than what they are, which is a set of **recommendations**. In fact, the CIS themselves preface their benchmarks with the following:\n\n\u003e It is acceptable if _**100% of the benchmark is not applied**_, as it is the responsibility and decision of each organization to determine which settings are applicable to their unique needs.\n\nIt is **impossible** to create a true \"one-size-fits-all\" set of policies due to the massively differing nature of enterprise requirements. There is also a significant amount of \"noise\" in the security community, with many recommending settings that are not necessarily required or beneficial, such as enforcing default behaviour that a standard user cannot change, or settings that have been included in GPO baselines since the days of Windows 7. \n\nThis baseline is designed to be a starting point or guide, and all configurations applied to an environment regardless of source should be reviewed and adjusted to suit your own business requirements.\n\nThat being said, if there's something you feel is missing or should be included, please feel free to raise an issue or submit a PR.\n\n---\n\n## Importing the Baseline\nYou have two options when importing the baseline:\n\n### **IntuneManagement**\nThis is the recommended method, as it allows for an import of the entire baseline. \n\nThese files have been exported using the [IntuneManagement](https://github.com/Micke-K/IntuneManagement) tool developed by [Mikael Karlsson](https://twitter.com/Micke_K_72), and can be imported in the same way.\nPlease consult the IntuneManagement documentation for further information on how to import the baseline or for issues.\n\nYou can choose to import as much or as little of the baseline as you wish, though you will need to change the \"Root folder\" to the appropriate folder for the platform (e.g. WINDOWS), or policy types (e.g. Settings Catalog) you wish to import.\n\n### **Native Import**\n\nI understand not everyone has the ability or permissions to use the IntuneManagement tool, and have been asked to support using the [native import/export functionality in Intune](https://learn.microsoft.com/en-us/mem/intune/configuration/settings-catalog?tabs=sc-search-filter%2Csc-reporting#import-and-export-a-profile).\n\nNOTE: The Native Import is limited to only importing Settings Catalog policies in the Device Configuration blade. This means settings outside of that (e.g. Compliance, Endpoint Security) are not available. I would recommend submitting feedback within Intune to expand the ability to import/export all policy types.\n\n---\n\n## Versioning \u0026 Repo Structure\nThis project started as Windows only and the naming convention has been somewhat... fluid. Now that additional OS's have been added, some form of standardisation is necessary.\nVersion numbers will primarily follow the format of `Major.Minor`, occasionally using `Major.Minor.Patch` if something fits in the \"bug fix\" category.\n\nEach OS will have its own folder, with OS-specific files (readme, changelog, baseline JSON's, supporting information etc.) contained within.\n\nThe current OIB versions are:\n| OS | Current Release | Change Log | Wiki Page |\n|:---:|:---:|:---:|:---:|\n| [Windows](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/WINDOWS) | [v3.3](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.3) | [Link](/WINDOWS/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/win-readme) |\n| [Windows 365](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/WINDOWS365) | [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/win365-v1.0) | [Link](/WINDOWS365/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/win365-readme) |\n| [MacOS](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/MACOS) | [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/macos-v1.0) | [Link](/MACOS/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/macos-readme) |\n\nPlease consult the wiki pages and README.md in each OS folder for more information.\n\n---\n\n## Policy Naming Convention\nAcross the OIB, the following naming convention is used, seen below with some examples:\n| OS | | Identifier | | Category | | Device/User Assignment | | Sub-Category | | Version |\n|:---:|:-:|:---:|:-:|:---:|:-:|:---:|:-:|:---:|:-:|:---:|\n| Win | - | OIB | - | Device Security | - | D | - | Login and Lock Screen | - | v3.0 |\n| Win365 | - | OIB | - | Device Security | - | D | - | Resource Redirection | - | v1.0 |\n| MacOS | - | OIB | - | Microsoft Edge | - | D | - | Security | - | v1.0 |\n\nFurther information on the naming convention can be found in the [FAQ](/FAQ.md#why-do-policies-have-d-and-u-in-their-name).","funding_links":["https://buymeacoffee.com/skiptotheendpoint"],"categories":["PowerShell","Others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSkipToTheEndpoint%2FOpenIntuneBaseline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSkipToTheEndpoint%2FOpenIntuneBaseline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSkipToTheEndpoint%2FOpenIntuneBaseline/lists"}