This is John Barbare and I am a Sr. Customer Engineer at Microsoft focusing on all things in the Cybersecurity space. With my large customer base in the Microsoft Federal space having to comply with internal security baselines while moving to a cloud-centric platform to manage devices, it is important to know whether those baselines and settings will carry over.

In this article, I will explain and show how to import on-premises baseline Group Policy Objects (GPOs) into Microsoft Endpoint Manager (MEM), see which settings directly carry over, and create a policy for the ones that are not MDM compliant. With that said, let's import several baselines, see how the on-premises settings map to MEM, and see how that makes the move to the cloud that much easier.

What are Microsoft Security Baselines and STIGs?

Security baselines are a group of Microsoft-recommended configuration settings, each with an explanation of its security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. Certain Federal agencies and other Department of Defense (DoD) entities have created their own baselines, some internal and some publicly available, better known as Security Technical Implementation Guides (STIGs). At the end of this article, I will reference several publicly available Federal baselines/STIGs to download and implement in your organization if you are not already using a stringent baseline today. If you are a State/Federal/DoD agency and use MEM, feel free to follow along in your own tenant; this demo was performed in IL5 before being written up below in my private Microsoft tenant.

Importing STIGs in Microsoft Endpoint Manager

This article assumes you have enrolled, or are going to enroll, devices in MEM. Before continuing, check that your tenant status is green on the home page. Navigate to Microsoft Endpoint Manager and log in with your credentials. Once logged in, you will arrive at the home page. Select "Devices" and then "Group Policy analytics" to land on the page where we will import the STIGs we are going to analyze. This feature allows you or your enterprise to analyze your on-premises GPOs and determine the level of MEM support.

I have already downloaded the most current STIGs (Apr 2021), as seen below, from the public page of the Department of Defense (DoD) Cyber Exchange hosted by the Defense Information Systems Agency (DISA). Next, I will go into the DoD Windows 10 V2R2 folder and locate and confirm the gpreport.xml file is present, as we will be using this file for the import. Two GPOs exist in this folder, and we will be importing both (User and Computer). I will also go into the DoD Microsoft Edge V1R1 folder and confirm its gpreport.xml file is present, as I will use this file for the import in addition to the other STIGs. If your enterprise has its own internal STIGs, you would open GPMC.msc, right-click the STIGed GPO, choose "Save Report", name the file "gpreport", and select "XML" (not HTML) as the output format. DISA is nice enough to provide the STIGed gpreport.xml file in each folder for what we want to accomplish, which makes it that much easier.

Next, we will import the three STIGs in the following steps. (Step 1) I will go back to the Group Policy analytics page in MEM and (Step 2) select the Import icon at the top. (Step 3) This brings out the flyout card, and I will select the folder icon to import each gpreport.xml. (Step 4) I will locate and select each gpreport.xml in the three folders and (Step 5) select Open each time.

Note: Check the sizes of any GPO XML files that you import (STIGs or any baseline XML file). A single GPO cannot be larger than 750 kB; if the GPO is larger than 750 kB, the import process will fail. Any XML file without the appropriate Unicode ending will also fail the process.

When all three STIGs from the respective GPO folders I targeted are successfully imported, the page will list the following information:
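As an added example (not code from the article or from Microsoft), here is a PowerShell pre-flight script that applies the two import checks the article calls out, the 750 kB per-GPO limit and the Unicode requirement, to every gpreport.xml under an extracted STIG package folder, and reports each GPO's name and whether its Computer and User sides are enabled, so you know what to expect before the MEM import. The path C:\STIGs and the function names are my own; I read the article's "Unicode ending" requirement as the Unicode byte-order mark that GPMC's Save Report and Get-GPOReport write at the start of an XML report, which is an assumption on my part; the GPO, Name, Computer/Enabled and User/Enabled elements are those of the GPMC XML report format.

```powershell
# Added example, not from the article: pre-flight check for gpreport.xml files
# before importing them into MEM Group Policy analytics.
# Assumptions: $StigRoot is the folder where the DISA GPO packages were extracted
# (C:\STIGs is a placeholder); the 750 kB limit and the Unicode requirement are
# the ones stated in the article, and "Unicode ending" is taken to mean a BOM.
param(
    [string]$StigRoot = "C:\STIGs"
)

$MaxBytes = 750KB   # per-GPO limit from the article (750 * 1024 bytes)

function Test-GpReportEncoding {
    # $true when the file starts with a Unicode byte-order mark (UTF-16 LE/BE or UTF-8),
    # which is what GPMC "Save Report" and Get-GPOReport write for XML reports.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 3) { return $false }
    $utf16le = ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE)
    $utf16be = ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF)
    $utf8bom = ($bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
    return ($utf16le -or $utf16be -or $utf8bom)
}

function Test-GpReport {
    # Evaluates one gpreport.xml and returns an object summarising it and any blockers.
    param([System.IO.FileInfo]$File)
    $problems = @()

    if ($File.Length -gt $MaxBytes) {
        $problems += ("size {0:N0} bytes exceeds 750 KB" -f $File.Length)
    }
    if (-not (Test-GpReportEncoding -Path $File.FullName)) {
        $problems += "no Unicode byte-order mark (re-export as XML from GPMC)"
    }

    # Read the GPO name and which sides (Computer/User) are enabled from the report.
    $gpoName = "(unreadable)"; $hasComputer = $false; $hasUser = $false
    try {
        [xml]$report = Get-Content -Path $File.FullName -Raw
        $gpoName     = $report.GPO.Name
        $hasComputer = ($report.GPO.Computer.Enabled -eq "true")
        $hasUser     = ($report.GPO.User.Enabled -eq "true")
    } catch {
        $problems += "XML does not parse: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Folder   = $File.Directory.Name
        GpoName  = $gpoName
        SizeKB   = [math]::Round($File.Length / 1KB, 1)
        Computer = $hasComputer
        User     = $hasUser
        Ready    = ($problems.Count -eq 0)
        Problems = ($problems -join "; ")
    }
}

# Scripted equivalent of the GPMC "Save Report" step for an internal GPO
# (requires the GroupPolicy RSAT module); GPO name and path are placeholders:
# Get-GPOReport -Name "Internal STIG GPO" -ReportType Xml -Path "$StigRoot\Internal\gpreport.xml"

Get-ChildItem -Path $StigRoot -Filter gpreport.xml -Recurse -File |
    ForEach-Object { Test-GpReport -File $_ } |
    Format-Table -AutoSize
```

Run it as .\Test-GpReport.ps1 -StigRoot "D:\DISA" (or whatever folder holds the extracted packages) before opening the MEM import flyout; any row with Ready = False needs re-exporting or trimming before it will import, and the Computer/User columns tell you in advance how many GPOs to expect from folders like the Windows 10 package that carry both sides.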