How to Use Security Baselines to Configure Windows Devices in Intune

Intune makes it easy to deploy Windows security baselines to help you secure and protect your users and devices.

Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations often seek guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.

Security baselines are groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you’re creating a template that consists of multiple device configuration profiles.

To learn more about why and when you might want to deploy security baselines, see Windows security baselines in the Windows security documentation.

This feature applies to:

  • Windows 10 version 1809 and later
  • Windows 11

You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10/11. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn’t work for your environment, customize the baseline to apply the settings you need.

Separate baseline types can include the same settings but use different default values for those settings. It’s important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs.

Note

Microsoft doesn’t recommend using preview versions of security baselines in a production environment. The settings in a preview baseline might change over the course of the preview.

Security baselines can help you to have an end-to-end secure workflow when working with Microsoft 365. Some of the benefits include:

  • A security baseline includes the best practices and recommendations on settings that impact security. Intune partners with the same Windows security team that creates group policy security baselines. These recommendations are based on guidance and extensive experience.
  • If you’re new to Intune, and not sure where to start, then security baselines gives you an advantage. You can quickly create and deploy a secure profile, knowing that you’re helping protect your organization’s resources and data.
  • If you currently use group policy, migrating to Intune for management is much easier with these baselines. These baselines are natively built into Intune, and include a modern management experience.

Available security baselines

The following security baseline instances are available for use with Intune. Use the links to view the settings for recent instances of each baseline.

After a new version for a profile releases, settings in profiles based on the older versions become read-only. You can continue using those older profiles, including editing their name, description, and assignments, but you won’t be able to edit settings for them or create new profiles based on the older versions.

When you’re ready to use the more recent version of a baseline, you can create new profiles or update your existing profiles to the new version. See Change the baseline version for a profile in the Manage security baseline profiles article.

About baseline versions and instances

Each new version instance of a baseline can add or remove settings or introduce other changes. For example, as new Windows settings become available with new versions of Windows 10/11, the MDM Security Baseline might receive a new version instance that includes the newest settings.

In the Microsoft Endpoint Manager admin center, under Endpoint security > Security baselines you’ll see a list of the available baselines. The list includes:

  • The baseline template name.
  • How many profiles you have that use that type of baseline.
  • How many separate instances (versions) of the baseline type are available.
  • Last Published date that identifies when the latest version of the baseline template became available.

To view more information about the baseline versions you use, select a baseline type, like MDM Security Baseline, to open its Profiles pane, and then select Versions. Intune displays details about the versions of that baseline that are in use by your profiles. The details include the most recent and current baseline version. You can select a single version to view deeper details about the profiles that use that version.

You can choose to change the version of a baseline that’s in use with a given profile. When you change the version, you don’t have to create a new baseline profile to take advantage of updated versions. Instead, you can select a baseline profile and use the built-in option to change the instance version for that profile to a new one.

Compare baseline versions

On the Versions pane for a security baseline is a list of each version of this baseline that you’ve deployed. This list also includes the most recent and active version of the baseline. When you create a new security baseline profile, the profile uses that most recent version of the security baseline. You can continue using profiles based on older versions, including editing their name, description, and assignments, but you won’t be able to edit settings for those older profile versions.

To understand what’s changed between versions, select the checkboxes for two different versions, and then select Compare baselines. You’re then prompted to download a CSV file that details those differences.

The download identifies each setting in the two baseline versions, and notes if this setting has changed (notEqual) or has remained the same (equal). Details also include the default value for the setting by version, and if the setting was added to the more recent version, or removed from the more recent version.


Avoid conflicts

You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations.

When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved.

In addition, security baselines often manage the same settings you might set with device configuration profiles or other types of policy. Therefore, remain aware of and consider your additional policies and profiles for settings when seeking to avoid or resolve conflicts.
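As an added example (not from the Intune documentation), the following script reviews settings exported from several baseline profiles and device configuration profiles and flags any setting that receives different enforced values. The CSV rows, profile names, setting names and column names are constructed sample data; real exports use other column names, so map them to Profile, Setting and Value before running this.

```powershell
# Constructed sample export: three profiles that may target the same devices.
$sampleCsv = @'
Profile,Setting,Value
MDM Security Baseline (custom A),BitLocker for removable drives,Require
MDM Security Baseline (custom A),Require password to unlock device,Yes
MDM Security Baseline (custom A),Basic authentication,Block
Defender for Endpoint baseline,Basic authentication,Not configured
Device restrictions profile,BitLocker for removable drives,Not configured
Device restrictions profile,Require password to unlock device,No
'@

function Find-SettingConflicts {
    param([Parameter(Mandatory)][object[]]$Rows)
    # 'Not configured' enforces nothing, so it cannot conflict with a value.
    # Assumption: this matches how the profiles in your tenant treat that value.
    $enforced = $Rows | Where-Object { $_.Value -ne 'Not configured' }
    foreach ($group in ($enforced | Group-Object -Property Setting)) {
        $distinct = @($group.Group.Value | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            # More than one enforced value for the same setting: must be resolved.
            [pscustomobject]@{
                Setting = $group.Name
                Sources = ($group.Group | ForEach-Object { "$($_.Profile) -> $($_.Value)" }) -join '; '
            }
        }
    }
}

$rows      = $sampleCsv | ConvertFrom-Csv
$conflicts = @(Find-SettingConflicts -Rows $rows)
if ($conflicts.Count -eq 0) { 'No conflicting enforced values found.' }
else { $conflicts | Format-Table -AutoSize -Wrap }
```

With the sample data, only "Require password to unlock device" is reported (Yes versus No); the settings where one profile leaves the value Not configured are not conflicts.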

Use the information at the following links to help identify and resolve conflicts:

Ref: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines