Intune Scripts and a Security Profile for the SMB

Nur Rochman

Welcome to Mororene — a blog dedicated to helping businesses navigate the complexities of IT infrastructure, cloud solutions, and cybersecurity.


A few years back, Microsoft published a GitHub repository showcasing how to use PowerShell to interact with the Microsoft Graph, enabling users to create and manage objects in Intune. Later, they released three “Security Profiles” as illustrated below:

Image credit: Microsoft

This repository contained most configurations necessary for deploying these profiles, serving as a valuable resource globally for those looking to standardize device management configurations in Intune.

About a year ago, Microsoft announced that this original Intune Graph samples repository would be archived, as most functionality was moving to the newer Microsoft Graph PowerShell SDK. While a new repository is now available, the previously mentioned security profiles have not been maintained. But where there’s a gap, there’s also an opportunity.

Previously, I created my own security profile tailored to the needs of small and mid-sized businesses (SMBs). It has evolved over time, initially taking cues from the “Enterprise” baseline and then adapting it for SMB environments. Today, I’ll share the latest version.

Understanding the Format

This profile is intended as an example, designed to be easy for others to adapt as needed. You’re not required to use the exact policies here; they can serve as a reference, much like the original samples. I made a few improvements over the “Enterprise” profile, such as:

  • Removing settings irrelevant to SMBs (e.g., Device Guard/Credential Guard isn’t supported with M365 Business Premium).
  • Reducing the number of components required, so you no longer need to download and maintain multiple scripts, folders, and JSON files.

To ensure flexibility, I kept the configuration modular, allowing users to adopt individual components as needed. Here’s how I addressed these improvements:

  1. Adjusted the “Enterprise” policies to filter out obsolete or irrelevant settings, making them SMB-appropriate.
  2. Embedded the JSON configurations within each script, so each can run independently.
  3. Created separate scripts for different policy types—enabling you to work with Compliance, App Protection, or Device Configuration policies separately.

Each script follows a simple format:

  • Connect to Microsoft Graph
  • Define functions
  • Define policies in JSON
  • Execute functions to deploy policies

You can access these updated scripts in my GitHub repository: Microsoft-365/mggraph-samples.

More Updates Coming

I plan to expand these scripts over the coming months. Some features are still in progress and may eventually form part of a separate, stricter “SMB-Strict” profile, akin to Microsoft’s “Specialized” security in Enterprise.

What’s Included in the SMB Profile

For now, the profile includes:

  1. Compliance Policies: Based on Microsoft’s “Enterprise” model, this includes an immediate policy and one with a 24-hour delay, as some compliance settings can cause issues if applied immediately. It also includes a policy related to Defender for Business. Run Install-SmbCompliancePolicies.ps1.
  2. App Protection Policies: These protect corporate data on iOS and Android devices, whether personal or company-owned, allowing selective wiping of corporate data. Run Install-SmbAppProtectionPolicies.ps1.
  3. Device Configuration & ADMX Profiles: This includes settings like BitLocker, Antivirus, ASR rules, and Edge browser configurations. Some settings, such as blocking extensions in Edge or requiring USB encryption, have been removed for broad SMB compatibility. Run Install-SmbDeviceConfigs.ps1 and Install-SmbAdmxConfigs.ps1.
  4. Settings Catalog Baselines: These profiles break down the extensive Intune Security Baselines, removing overlapping or conflicting settings for simplified SMB deployment. Run Install-SmbSettingsCatalogBaselines.ps1.
  5. Conditional Access Policies: These can now be managed alongside Intune policies using the Microsoft Graph PowerShell SDK. Run Install-SmbCondtionalAccessPolicies.ps1.

To install everything at once, run Install-SmbSecurityProfile.ps1. Note that none of these policies are assigned or enabled by default, so you will need to set up assignments and exclusions (e.g., Emergency access accounts) yourself. It’s recommended to start with a pilot group before a full rollout.
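As an added example (my own illustration, not a script from the author's mggraph-samples repository), the four-step layout described under Understanding the Format, applied to the compliance policy pair above: one policy that blocks immediately and one with a 24-hour grace period. The function names, policy names and the handful of compliance settings chosen are assumptions for illustration; the policies are created unassigned, as the post recommends.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# 1. Connect to Microsoft Graph with only the permission this script needs.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# 2. Define functions.
$PoliciesUri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
function Test-CompliancePolicyExists {
    param([Parameter(Mandatory)][string]$DisplayName)
    $existing = (Invoke-MgGraphRequest -Method GET -Uri $PoliciesUri).value
    [bool]($existing | Where-Object { $_.displayName -eq $DisplayName })
}

function New-CompliancePolicyFromJson {
    param([Parameter(Mandatory)][string]$Json)
    $name = ($Json | ConvertFrom-Json).displayName
    # Idempotent: re-running the script must not create duplicate policies.
    if (Test-CompliancePolicyExists -DisplayName $name) {
        Write-Warning "Policy '$name' already exists; skipping."
        return
    }
    # Created without assignments; target a pilot group afterwards.
    Invoke-MgGraphRequest -Method POST -Uri $PoliciesUri -Body $Json -ContentType 'application/json'
}

# 3. Define policies in JSON, embedded so the script runs stand-alone. The only
# difference between the two policies is the grace period before a
# non-compliant device is blocked (0 = immediate, 24 = one-day delay).
function Get-SmbWindowsCompliancePolicyJson {
    param([Parameter(Mandatory)][string]$DisplayName, [int]$GracePeriodHours = 0)
    @"
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "$DisplayName",
  "bitLockerEnabled": true,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "activeFirewallRequired": true,
  "antivirusRequired": true,
  "rtpEnabled": true,
  "scheduledActionsForRule": [{
    "ruleName": "PasswordRequired",
    "scheduledActionConfigurations": [{ "actionType": "block", "gracePeriodHours": $GracePeriodHours }]
  }]
}
"@
}

# 4. Execute functions to deploy both policies.
New-CompliancePolicyFromJson -Json (Get-SmbWindowsCompliancePolicyJson -DisplayName 'SMB - Windows (immediate)')
New-CompliancePolicyFromJson -Json (Get-SmbWindowsCompliancePolicyJson -DisplayName 'SMB - Windows (24h delay)' -GracePeriodHours 24)
```

Run it with an account that can consent to the requested scope; the existence check only inspects the first page of results, so a tenant with very many compliance policies would need paging added.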

Considering Intune Security Baselines or Endpoint Security Profiles?

While the SMB profiles are based on Enterprise templates, deploying them alongside Intune Security Baselines or Endpoint Security profiles may require modifying some settings to avoid conflicts (and checking licensing requirements). I prefer to use Security Baselines as reference points, building more tailored Settings Catalog policies that allow for more granular management than the comprehensive Security Baselines.

Additional Notes

Here’s why I selected this policy set for the SMB profile:

  1. BYOD for Mobile Devices: Most SMBs don’t purchase mobile devices for users, often sticking to BYOD policies, while providing laptops or desktops. The profile thus includes only app protection policies (MAM) for mobile and device compliance (full MDM) for laptops. This ensures control over corporate data across devices.
  2. Focus on Defender for Business: This profile centers on Defender for Business rather than third-party Antivirus/EDR, as Microsoft’s solution offers an integrated, cost-effective approach.
  3. Balanced Security: Designed to cover essential security points without excessive restrictions, this profile balances security with usability, ideal for SMBs.

As a Managed Services Provider, I find it crucial to ensure both ease of use and security for clients. Over time, I recommend adding stricter policy controls as appropriate.

Implementation Practice

Typically, I start engagements by reviewing core services (Entra ID, Intune, Exchange, SharePoint) using best-practice checklists, followed by setting up Defender for Business and deploying policies. I start with a pilot group, expanding as needed. Conditional Access for devices is activated last, once all devices show compliance.

I hope this provides a clear overview of the process. Good luck!
