Enforcing Security Baselines in Intune
What to Use and What to Watch
Microsoft Intune offers powerful capabilities for securing Windows endpoints through pre-configured Security Baselines. These baselines are curated collections of Microsoft-recommended settings to help enforce security and compliance across your device fleet.
What Are Intune Security Baselines?
Security baselines in Intune are policy templates that apply recommended security configurations to Windows devices, leveraging settings across:
- Windows Security
- Microsoft Defender
- Microsoft Edge
- Device Lock, BitLocker, SmartScreen and more
Each baseline is versioned and updated periodically to reflect the latest threat intelligence and best practices.
Note from Microsoft: In May 2023, Intune began rollout of a new security baseline format for each new baseline release or version update. The new format updates the baseline settings to directly take their name and configuration options from the configuration service provider (CSP) that the baseline setting manages. Intune also introduced a new process to help you migrate an existing security baseline profile to the newer baseline version. This new behavior is a one-time process that replaces the normal update behavior when you move from the most recent version of an older profile to a newer version that became available in May 2023 or later. The Microsoft Defender for Endpoint security baseline is optimised for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualised environments.
Prerequisites
Before applying a security baseline:
- Devices must be Entra ID joined or hybrid joined
- Intune must be set up with device compliance policies
- Devices should be running Windows 10/11 Pro, Enterprise or Education
Step-by-Step: Deploying a Security Baseline
Step 1: Sign in to the Intune Admin Centre
- URL: https://intune.microsoft.com
- Navigate to Endpoint Security > Security baselines
Step 2: Choose a Baseline
Select from the available baselines, e.g.:
- Microsoft Defender for Endpoint baseline
- Microsoft Edge baseline
- Windows 10 and later Security Baseline
We’ll proceed with Windows 10 and later Security Baseline.
Click Create profile.
Step 3: Configure the Baseline
- Name your profile (e.g. Win11_Security_Baseline_Pilot)
- Choose the platform version (match it to the OS versions you have deployed)
Click Next.
Now review and configure settings in sections like:
- Windows Defender Antivirus
- BitLocker
- Account Lockout Policy
- SmartScreen
- Credential Guard
Tip: Review the defaults; not every setting suits every organisation. For example, enabling Credential Guard may break older legacy apps.
Step 4: Assign the Baseline
- Choose the groups to assign the policy to (e.g. Pilot-Windows11-Laptops)
- Optionally, exclude specific test or legacy devices
Click Next, review, and Create.
Step 5: Monitor Deployment
After assignment, monitor the rollout via Profile Assignment Status.
What Not to Blindly Accept
Some baseline defaults are too aggressive for all environments. Pay special attention to:
| Setting | Why to Review |
|---|---|
| Block removable storage | May break USB productivity devices |
| Enable Credential Guard | May block legacy credential use |
| BitLocker enforcement | Ensure a TPM is available, or deployment will fail |
| Exploit protection (CFG) | Known to cause app crashes in some cases |

Always test on a pilot group before rolling out organisation-wide.
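Two of the table entries above (BitLocker needs a working TPM, Credential Guard can break legacy apps) can be checked on a pilot device before the baseline is assigned. The script below is an added example, not part of the original post; it uses the built-in `Get-Tpm`, `Get-BitLockerVolume` and the `Win32_DeviceGuard` CIM class, and assumes an elevated PowerShell session on the Windows 10/11 device being checked.

```powershell
# Added example: pre-flight readiness check for a pilot device before a
# Windows security baseline enforces BitLocker and Credential Guard.
# Run elevated on the device itself (Get-Tpm and Get-BitLockerVolume require admin).

function Test-BaselineReadiness {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # BitLocker enforcement in the baseline expects a present, initialised TPM.
    $tpm = Get-Tpm
    $result['TpmPresent'] = $tpm.TpmPresent
    $result['TpmReady']   = $tpm.TpmReady

    # Current BitLocker state of the OS drive, so you know whether the policy
    # will merely confirm an existing configuration or start encrypting.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result['OsDriveProtection'] = [string]$osVol.ProtectionStatus   # Off / On
    $result['OsDriveVolumeStatus'] = [string]$osVol.VolumeStatus     # FullyDecrypted / FullyEncrypted / ...

    # Credential Guard: Win32_DeviceGuard lists running security services;
    # 1 = Credential Guard, 2 = HVCI. VirtualizationBasedSecurityStatus:
    # 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result['VbsStatus'] = $dg.VirtualizationBasedSecurityStatus
    $result['CredentialGuardRunning'] = [bool]($dg.SecurityServicesRunning -contains 1)

    # A device is ready for BitLocker enforcement only when the TPM is present and
    # initialised; Credential Guard already running means the pilot will not
    # introduce a new behaviour change from that setting.
    $result['ReadyForBitLockerPolicy'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]$result
}

# Run the check and surface devices that would fail BitLocker enforcement.
$report = Test-BaselineReadiness
$report | Format-List
if (-not $report.ReadyForBitLockerPolicy) {
    Write-Warning "No usable TPM on $($report.ComputerName): exclude it from the pilot or fix the TPM first."
}
```

Collect the output from each pilot device (for example via a remediation script or a remoting session) before you assign the profile, and exclude devices that report no usable TPM.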
Updating or Retiring Baselines
Microsoft occasionally releases new baseline versions. When it does:
- Check the “Baseline versions” page to see what has changed
- Use “Compare baseline versions” to migrate settings carefully
- Retire old baselines that are no longer in use
Summary
Security baselines in Intune allow you to deploy secure-by-default configurations across your Windows estate quickly and consistently.
Just remember:
- Start small with pilot groups
- Review settings that may impact usability
- Monitor and iterate as your environment evolves
Useful Links:
#MicrosoftIntune #EndpointSecurity #SecurityBaseline #ModernWorkplace #IntuneTips #Windows11 #CloudManagement #EntraID