Security Baseline / Configuration Policies - NCSC

Hello,

Some of our Government customers require the Configuration Policies / Baselines created by NCSC (Windows - NCSC.GOV.UK). 

I tried to import these Configuration Policies into Nerdio Manager for MSP but they failed because some of the policies are OMA-URI type with 'String' values. Nerdio support advised that Configuration Policies of OMA-URI type with 'String' values are, sadly, not supported.

Has anyone else tried to import the NCSC baselines into Nerdio Manager for MSP and had success, or can anyone give some advice how I may be able to achieve this?

Thanks!

Comments (7)

Dave Stephenson

Welcome to the community, Matt Page 🙂!

Great call out!
We have the ability to deploy CIS policy baselines, and import Intune profiles/policies/settings, but can't currently do it with OMA-URI types.

Outside of the NCSC policies, are there other profiles/policies/settings that you're implementing that require OMA-URI and aren't available from the Settings Catalog, Properties catalog or Templates?

Or, if we add the NCSC policies as deployable options in NMM, would that meet your needs?

Matt Page

Hi Dave,

Thanks for coming back to my post.

In answer to your question, I would say that both are requirements. Typically, UK Government agencies adhere to CIS or NCSC baselines, and which one is required depends on what part of Government they operate under. As an example, Defence/MOD Government agencies adhere to NCSC in my experience. The NCSC Baselines/Configuration Policies are fairly old, which is why they lean towards OMA-URI types. Being able to import and deploy these to customers would be a huge benefit.

In addition, there are still some settings that aren't in the Settings Catalog or Templates and require OMA-URI type settings. So the ability to import and deploy OMA-URI policy types with 'String' values would be beneficial.

Thanks again for replying, happy to provide any further detail. 

Dave Stephenson

You're very welcome, Matt. I appreciate you taking the time to include your use-case on this.
It not only helps our Product Team (who will likely be reaching out to you), but it also helps get the wheels turning for our other partners to see "Oh, yes! I need that too because of x,y,z."

Keep it up!

Jeff Turgeon

Hi Dave, I have another example use case for a custom OMA-URI config profile in Intune that uses a String value. Adding certificates to the Trusted Publishers certificate store on managed endpoints: https://techcommunity.microsoft.com/blog/intunecustomersuccess/adding-a-certificate-to-trusted-publishers-using-microsoft-intune/1974488

I’d really love it if NMM supported this config profile, so I don’t have to manually create it directly in Intune in each of my customer tenants.

Dave Stephenson

Thanks, Jeff Turgeon!
I love having multiple partners give their take on how a feature could help them.
Especially when they provide links like you and Matt have! 🤩

I believe we may already have what you're asking for though. (see Overview of Certificate Management – Nerdio Help Center)

Do you think that'll work for what you're needing to do?

Jeff Turgeon

Hi Dave. What I’m after is slightly different from that feature. The custom OMA-URI profile I have in Intune deploys third-party certificates into the Trusted Publishers store (in my specific example, they’re Microsoft certs that were used to sign some of the default Office add-ins - ironically, when deploying Microsoft’s own recommended security baseline for Microsoft 365 Apps, you end up getting trust bar notifications every time you open an Office app, unless you trust these certs).

My take on the NMM feature you just linked is that it’s for first-party (i.e. my own) code signing certs so I could sign the PowerShell scripts I use in Intune and NMM, and subsequently enforce a strict execution policy on PowerShell. But the implication there is that I need to have access to the private key (in a .pfx file), which I don’t have for third-party certs (just a .cer with the public key).
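As an added example that is not code from this thread, from Nerdio, or from the linked Microsoft blog: the PowerShell below shows what the custom OMA-URI profile Jeff describes actually contains, and covers Matt's broader point as well, since it creates an OMA-URI 'String' profile directly in a tenant through Microsoft Graph rather than by hand in the Intune portal. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest), an account with the DeviceManagementConfiguration.ReadWrite.All permission, the RootCATrustedCertificates CSP's TrustedPublisher node, and the Graph types windows10CustomConfiguration and omaSettingString; $CerPath and $ProfileName are illustrative parameters chosen here.

```powershell
# Added example (not from the thread or the linked blog). Builds a custom Windows
# configuration profile whose single OMA-URI String setting adds a third-party .cer
# to the device Trusted Publishers store, then creates it in the tenant via Graph.
# Assumptions: Microsoft.Graph.Authentication module is installed, the signed-in
# account holds DeviceManagementConfiguration.ReadWrite.All, and $CerPath points at
# a DER or Base64 .cer file (public key only; no .pfx / private key is needed).
param(
    [Parameter(Mandatory)] [string] $CerPath,
    [string] $ProfileName = 'Trusted Publishers - third-party signing certificate'
)

# Load the public certificate. Anything placed in Trusted Publishers is trusted for
# Authenticode-signed code, macros and add-ins on every targeted device, so confirm
# the thumbprint against the vendor's published value before deploying it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($cert.HasPrivateKey) {
    throw "Refusing to deploy: $CerPath carries a private key; only a public .cer is expected."
}
$thumbprint = $cert.Thumbprint
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $thumbprint (verify this out-of-band)"

# The RootCATrustedCertificates CSP keys each certificate by its SHA-1 thumbprint and
# takes the DER bytes as a Base64 string in the EncodedCertificate leaf. That Base64
# string is the 'String' value that Nerdio Manager cannot currently import.
$encoded = [Convert]::ToBase64String($cert.Export('Cert'))
$omaUri  = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$thumbprint/EncodedCertificate"

# Graph representation of a "Custom" Windows 10 and later profile with one OMA-URI
# setting of type String; the same shape carries any other String-valued OMA-URI.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = "Adds $($cert.Subject) (thumbprint $thumbprint) to Trusted Publishers"
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = "TrustedPublisher $thumbprint"
            description   = 'Base64 DER certificate for the Trusted Publishers store'
            omaUri        = $omaUri
            value         = $encoded
        }
    )
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The profile exists but applies to nothing until it is assigned to a device group.
Write-Host "Created profile $($created.id) ('$ProfileName'); assign it to a group in Intune."
```

Run it once per customer tenant (Connect-MgGraph prompts for the tenant each time, or pass -TenantId), then assign the created profile. Because the value is just Base64 DER, the same script works for any public certificate you want in that store; the HasPrivateKey guard and the printed thumbprint are there so a .pfx or an unverified certificate is not pushed by accident.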

Dave Stephenson

Ahh. Thanks for clarifying, Jeff.
That completely makes sense. 

That's definitely a very valid use-case/real-world scenario. 😎
