Security Baselines are great: simple to set up and deploy, and a very quick way of ensuring your Windows 10 devices are secure. They are also a very quick way of crippling your estate if you are not careful with your testing beforehand, so I cannot stress this enough: test thoroughly before attempting to deploy to any quantity of devices.
So, just to recap, deploying a security baseline is as simple as the following:
Log into the Microsoft Endpoint Manager admin center and navigate to Endpoint security > Security baselines.
Under the Windows 10 Security Baselines heading, select the MDM Security Baseline option.
Select Create profile.
Give your profile a suitable name and select Next.
Now you will be able to see all of the settings available within the profile. We are just going to accept the defaults for demo purposes; however, I stress again, test these settings thoroughly before attempting to deploy into production.
Select the groups you wish to deploy the baseline to, then click Next.
Select Create to complete the deployment of the baseline.
After a short test phase with my secure configuration, which includes MDM profiles, custom configuration and a security baseline, it was soon established that both the Windows + P (Select a display mode) and Windows + K (Quick connect) options were no longer available on devices. Not ideal for usability.
It turned out this was related to the Windows 10 Device Restriction MDM profile setting General > Device discovery being set to Block.
I had set this originally, following the NCSC guidelines for Windows 10 MDM.
Great, I thought, now connecting to wireless monitors shouldn't be a problem. But I soon found out that the connection was just timing out. I figured out that this time it was indeed the security baseline causing the issue, but which setting was it? My initial hunch was that it seemed firewall related, but when I viewed the local firewall settings on the device experiencing the issue, I could see the appropriate firewall rule was indeed configured.
On further investigation I soon realised that the May 2019 MDM baseline contains a setting that by default prevents locally defined firewall rules from being merged with the policy-delivered rules, and hence the rule contained in local group policy was present on the device but not applied. It is documented here and affects the public profile.
I therefore needed to create a firewall rule exception, and configured a new profile as follows:
Navigate to Devices > Windows.
Select Configuration Profiles and then Create Profile.
Enter a suitable name, select Windows 10 and later for the platform and then Endpoint protection for the profile type.
Navigate to Microsoft Defender Firewall and, under the Firewall rules heading, select Add.
Populate the settings based on the local Wireless Display (TCP-In) firewall rule.
Once the profile has been deployed to your devices, you should be able to connect to Wi-Fi displays once more.
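The diagnosis above (a rule that is visibly configured yet has no effect because the baseline stops local rules being merged on the public profile) and the rule-building step (copying the settings of the local Wireless Display (TCP-In) rule into the Intune profile) can both be checked from an elevated PowerShell session on an affected device. The script below is an added example written for this post, not part of the original article or any Microsoft tooling; it uses only the built-in NetSecurity cmdlets, and the rule display name is the one quoted in the post.

```powershell
# Added example (not from the original post): show why a local firewall rule is
# being ignored, and dump the settings needed to recreate it in Intune.
# Assumes Windows 10/11 with the NetSecurity module, run from an elevated prompt.

$RuleName = 'Wireless Display (TCP-In)'   # rule display name quoted in the post

# 1. Which effective profiles refuse to merge locally defined rules?
#    AllowLocalFirewallRules = False is the state the post attributes to the
#    MDM baseline on the Public profile; local rules are ignored while it applies.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules
$profiles | Format-Table -AutoSize

foreach ($p in ($profiles | Where-Object { $_.AllowLocalFirewallRules -eq 'False' })) {
    Write-Warning "Profile '$($p.Name)' does not merge local rules; local rule '$RuleName' is inert while this profile is active."
}

# 2. Does the local (persistent store) rule exist, and is it enabled?
$localRule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $localRule) {
    Write-Warning "Rule '$RuleName' not found in the local policy store."
    return
}

# 3. Dump the filters a practitioner needs to replicate the rule in
#    Endpoint protection > Microsoft Defender Firewall > Firewall rules.
$port = $localRule | Get-NetFirewallPortFilter
$app  = $localRule | Get-NetFirewallApplicationFilter
$svc  = $localRule | Get-NetFirewallServiceFilter

[pscustomobject]@{
    DisplayName = $localRule.DisplayName
    Enabled     = $localRule.Enabled
    Direction   = $localRule.Direction
    Action      = $localRule.Action
    Profile     = $localRule.Profile
    Protocol    = $port.Protocol
    LocalPort   = ($port.LocalPort -join ',')
    RemotePort  = ($port.RemotePort -join ',')
    Program     = $app.Program
    Service     = $svc.Service
} | Format-List

# 4. After deploying the Intune rule, confirm a copy of the rule is in the
#    effective (ActiveStore) policy. PolicyStoreSource tells you whether it came
#    from the local store or from a delivered policy; only the latter survives
#    a profile that blocks local rule merge.
$effective = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($effective) {
    "Effective rule(s) named '$RuleName':"
    $effective | Select-Object DisplayName, Enabled, Profile, PolicyStoreSource | Format-Table -AutoSize
} else {
    Write-Warning "No effective rule named '$RuleName' in ActiveStore; wireless display connections will time out."
}
```

Run it before and after deploying the Endpoint protection profile: before, step 1 should flag the Public profile and step 4 should show either nothing or only a local-store copy; after, step 4 should list a rule whose PolicyStoreSource is the delivered policy rather than the persistent store.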
Thanks for reading this post!
Thanks Leon! This solved everything! Cheers!
No problem at all!
Life saver. Thank you.
EPIC find, thank you Leon! This helped tremendously for our enterprise environment where we want to apply the security baselines. It was taking forever to figure out which setting was preventing Windows + K and Windows + P.
No problem, glad it has helped!
Thanks, you made a lot of my colleagues happy :)
Thank you, Leon. This also worked for me.
This also works in the classic AD group policy. Glad I found this, thank you.
For the aliens that find this in 2 million years and need to do this for some reason:
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=….
Create a new inbound rule, make it custom, and just add the configurations from the screenshots in this article.
Just wanted to say that this is still applicable on Windows 11 22H2 when using the Security Baseline. Thanks!