I've released a new PowerShell function called Compare-IntuneSecurityBaseline in my IntuneStuff module.

This function allows you to easily identify the differences in settings between two Intune Security baselines. For instance, when Microsoft introduces a new Security Baseline for Windows 10, you can quickly see how it varies from your currently deployed baseline.

---

How to use

Install-Module IntuneStuff

Connect-MgGraph -Scope DeviceManagementConfiguration.Read.All

Compare-IntuneSecurityBaseline

When you invoke Compare-IntuneSecurityBaseline, you will be interactively asked to select the baseline type.

And then select two baselines of such type to compare.

Function exports both baselines as JSON objects and makes the comparison.

The result will be objects that look like this 👇

What do the object columns contain

• Result - type of change (whether the setting differs or is missing completely)

• Setting - name of the setting as is in the exported JSON file

  • JSON name doesn’t match the setting names in the Intune GUI. Use just one of the keywords when searching the GUI (for example when searching for device_vendor_msft_policy_config_defender_submitsamplesconsent search the GUI for ‘samples’ or ‘consent’).

• OldBslnValue - JSON value of the first baseline setting

• NewBslnValue - JSON value of the second baseline setting

---

Summary

With the function Compare-IntuneSecurityBaseline in place, we can now easily compare our current baselines with their newly released versions. Such information can help to decide which settings need to be modified to avoid breaking our environment etc 🙂