
CyberSystem

Intune Security Baselines: Complete Configuration Guide

Learn how to configure and deploy Intune Security Baselines to secure Windows devices with Microsoft's recommended security settings for Windows, Microsoft Edge, and Microsoft Defender for Endpoint.

By Ali Alame
Tags: intune, security-baselines, windows-security, device-management, microsoft-365, defender, best-practices

Security baselines in Microsoft Intune are preconfigured groups of Windows device settings that help you apply and enforce granular security configurations recommended by Microsoft's security teams. These baselines provide a quick way to deploy security best practices across your organization without manually configuring hundreds of individual settings.

What Are Intune Security Baselines?

Security baselines in Intune are groups of preconfigured Windows settings that represent Microsoft's recommended security posture. Each baseline is a template consisting of multiple device configuration profiles that work together to secure your devices.

Key Benefits

  • Quick Deployment: Preconfigured settings based on Microsoft security recommendations
  • Best Practices: Settings aligned with security industry standards
  • Versioned Updates: Microsoft publishes new baseline versions as Windows features evolve; you decide when to move your profiles to a new version
  • Easy Migration: Simplifies transition from Group Policy to modern management
  • Comprehensive Coverage: Includes settings for Windows, Edge, and Defender

Available Security Baselines

Intune supports several security baseline types:

  1. Security Baseline for Windows 10 and later - Core Windows security settings
  2. Microsoft Defender for Endpoint baseline - Defender-specific security configurations
  3. Microsoft Edge baseline - Browser security and privacy settings
  4. Windows 365 Security Baseline - Optimized for Cloud PC environments

For a complete list, see Use security baselines to configure Windows devices in Intune.

Prerequisites

Before deploying security baselines, ensure:

  • Licensing: Microsoft Intune Plan 1 subscription is required
  • Permissions: Your account needs RBAC permissions for security baselines:
    • Assign
    • Create
    • Delete
    • Read
    • Update
  • Device Requirements: Devices must be enrolled in Intune and running supported Windows editions

For detailed prerequisites, see Manage security baseline profiles in Microsoft Intune.

Creating a Security Baseline Profile

Step 1: Access Security Baselines

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Endpoint security > Security baselines
  3. Select the baseline you want to configure (e.g., Security baseline for Windows 10 and later)
  4. Click Create policy

Step 2: Configure Basics

  1. Name: Enter a descriptive name (e.g., "Standard profile for Windows Security Baseline")
  2. Description: Optional but recommended description of the baseline's purpose
  3. Select Next

Step 3: Review Configuration Settings

The Configuration settings tab displays groups of settings available in the baseline:

  • Expand groups to view individual settings
  • Review default values - Each setting has a default configuration preset
  • Use search to find specific settings quickly
  • Check settings insights - Light bulb icons provide confidence indicators

Important: Default values reflect Microsoft's recommendations and are generally the most restrictive secure configuration. Before assigning the profile, review each setting to ensure it doesn't conflict with:

  • Other Intune policies
  • Business requirements
  • Application compatibility
  • Network configurations

For detailed guidance, see Manage security baseline profiles in Microsoft Intune.

Step 4: Assign Scope Tags (Optional)

Scope tags help organize and filter baselines:

  1. Select + Select scope tags
  2. Choose one or more tags
  3. Click Select
  4. Select Next

Step 5: Assign to Groups

  1. Under Assignments, select + Select groups to include
  2. Choose device or user groups
  3. Use + Select groups to exclude to fine-tune assignments
  4. Select Next

Best Practice: Deploy baselines to device groups for more predictable behavior.

Step 6: Review and Create

  1. Review all settings and assignments
  2. Select Create to save the baseline

Understanding Baseline Settings

Default Settings Behavior

Each baseline includes default configurations that represent Microsoft's security recommendations. However:

  • Different baselines may have different defaults for the same setting
  • Review settings carefully to understand their intent
  • Customize as needed for your organization's requirements

Common Setting Categories

Security baselines typically include settings for:

  • Browser: Password manager, pop-up blocking
  • Remote Assistance: Remote connection controls
  • Firewall: Network security rules
  • BitLocker: Disk encryption settings
  • Windows Defender: Antivirus and threat protection
  • User Account Control: Elevation prompts
  • Local Policies: Security and audit settings

Settings Insights

Some settings include insights (light bulb icon) that show:

  • How similar organizations configured the setting
  • Confidence indicators based on successful deployments
  • Recommendations for configuration

For more information, see Settings insight.

Recommended Baseline Configuration

Windows Security Baseline

For a standard Windows security baseline, Microsoft recommends:

  1. Deploy the Windows MDM security baseline as a starting point
  2. Review and customize settings based on your needs
  3. Test on a pilot group before broad deployment
  4. Monitor compliance after deployment

Defender for Endpoint Baseline

After setting up Microsoft Defender for Endpoint:

  1. Deploy the Defender for Endpoint baseline
  2. Configure settings specific to Defender capabilities
  3. Integrate with Intune for unified management

For guidance, see Step 6. Monitor device risk and compliance for security baselines.

Managing Security Baselines

Monitoring Compliance

Monitor baseline compliance through:

  1. Endpoint security > Security baselines > Select your baseline
  2. View Device and user check-in status
  3. Review Device assignment status
  4. Check Per setting status for detailed compliance
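The reports above tell you the state of each device, but a device that reports Compliant and then stops checking in still shows Compliant until it checks in again. The following is an added example for this article, not Microsoft's code or an Intune feature: it rolls up a per-device status export into counts, the devices that need attention, the settings that fail most often, and any device whose last check-in is older than a chosen threshold. The records, their field names and the seven-day threshold are constructed assumptions, not a captured admin-center or Graph response.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: a device silent for this long is showing a stale status, whatever it says.
STALE_AFTER = timedelta(days=7)

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)

# Constructed sample records. Field names are assumptions, not an Intune/Graph schema.
DEVICE_STATES = [
    {"device": "LT-001", "state": "compliant", "lastCheckIn": "2025-03-09T22:10:00Z",
     "failedSettings": []},
    {"device": "LT-002", "state": "nonCompliant", "lastCheckIn": "2025-03-10T07:30:00Z",
     "failedSettings": ["BitLocker/RequireDeviceEncryption"]},
    {"device": "LT-003", "state": "conflict", "lastCheckIn": "2025-03-10T08:05:00Z",
     "failedSettings": ["Firewall/PrivateProfile/EnableFirewall"]},
    # Reports compliant, but has not checked in for 18 days.
    {"device": "LT-004", "state": "compliant", "lastCheckIn": "2025-02-20T11:00:00Z",
     "failedSettings": []},
    {"device": "LT-005", "state": "error", "lastCheckIn": "2025-03-10T06:45:00Z",
     "failedSettings": ["Defender/AllowRealtimeMonitoring", "BitLocker/RequireDeviceEncryption"]},
]

ACTION_STATES = {"nonCompliant", "error", "conflict"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(states, now=NOW):
    """Roll up per-device states into counts, stale devices, devices needing
    action, and the settings that fail most often across the fleet."""
    counts = Counter(d["state"] for d in states)
    stale = sorted(d["device"] for d in states
                   if now - parse_ts(d["lastCheckIn"]) > STALE_AFTER)
    needs_action = sorted(d["device"] for d in states if d["state"] in ACTION_STATES)
    failing = Counter(setting for d in states for setting in d["failedSettings"])
    return {
        "counts": dict(counts),
        "stale": stale,
        "needs_action": needs_action,
        "top_failing_settings": failing.most_common(),
    }


def main():
    summary = summarize(DEVICE_STATES)
    print("State counts:", summary["counts"])
    print("Needs action:", ", ".join(summary["needs_action"]))
    print("Stale check-in (status not trustworthy):", ", ".join(summary["stale"]))
    for setting, n in summary["top_failing_settings"]:
        print(f"  {n} device(s) failing {setting}")


if __name__ == "__main__":
    main()
```

The stale list is the part worth keeping: LT-004 counts as compliant in the state counts, yet its last check-in is old enough that the report says nothing about its current configuration, so treat it as an unknown rather than a success.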

Updating Baselines

When Microsoft releases new baseline versions:

  1. Review changes in the new version
  2. Test the new baseline on a pilot group
  3. Move existing profiles to the new version (select the profile, then Change version); when prompted, decide whether to keep or discard your existing setting customizations, and review the listed setting changes before you submit
  4. Monitor for issues after migration

Important: Microsoft doesn't recommend using preview baseline versions in production. Preview settings may change during the preview period.
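The part of a version update that most often goes wrong is the customizations: a setting you deliberately relaxed in the old version can be silently reset, and a setting whose default changed can be carried forward unnoticed. Below is an added example for this article, not Microsoft's migration logic: given the old version's defaults, the values you actually deployed, and the new version's defaults, it produces the migrated profile and a review list of what changed. The setting names and values are constructed to look like baseline settings; they are not copied from a real baseline export.

```python
# Constructed: defaults shipped with the version currently deployed.
OLD_DEFAULTS = {
    "BitLocker/RequireDeviceEncryption": "Enabled",
    "Firewall/DomainProfile/EnableFirewall": "True",
    "LocalPoliciesSecurityOptions/UAC_PromptForAdmin": "Prompt for credentials on the secure desktop",
    "SmartScreen/EnableSmartScreenInShell": "Enabled",
    "LegacySetting/Example": "Enabled",
}

# Constructed: what our profile actually deploys. Three settings were customized.
OLD_PROFILE = dict(OLD_DEFAULTS, **{
    "Firewall/DomainProfile/EnableFirewall": "False",    # customized: domain firewall managed elsewhere
    "SmartScreen/EnableSmartScreenInShell": "Disabled",  # customized: app-compat exception
    "LegacySetting/Example": "Disabled",                 # customized: and the setting is gone in the new version
})

# Constructed: defaults shipped with the new version.
NEW_DEFAULTS = {
    "BitLocker/RequireDeviceEncryption": "Enabled",
    "Firewall/DomainProfile/EnableFirewall": "True",
    "LocalPoliciesSecurityOptions/UAC_PromptForAdmin": "Prompt for consent on the secure desktop",  # default changed
    "SmartScreen/EnableSmartScreenInShell": "Enabled",
    "Defender/AllowRealtimeMonitoring": "Allowed",  # new in this version
}


def find_customizations(profile, defaults):
    """Settings where the deployed profile differs from the shipped default."""
    return {k: v for k, v in profile.items() if defaults.get(k) != v}


def compare_versions(old_defaults, new_defaults):
    """Settings added, removed, or whose default changed between two versions."""
    added = sorted(set(new_defaults) - set(old_defaults))
    removed = sorted(set(old_defaults) - set(new_defaults))
    changed = {
        k: (old_defaults[k], new_defaults[k])
        for k in set(old_defaults) & set(new_defaults)
        if old_defaults[k] != new_defaults[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def plan_migration(old_profile, old_defaults, new_defaults):
    """Build the migrated profile (new defaults plus surviving customizations)
    and a sorted list of (setting, reason) items an admin should review."""
    custom = find_customizations(old_profile, old_defaults)
    diff = compare_versions(old_defaults, new_defaults)
    migrated = dict(new_defaults)
    review = []
    for name, value in custom.items():
        if name not in new_defaults:
            review.append((name, "customization dropped: setting removed in new version"))
            continue
        migrated[name] = value  # carry the customization over the new default
        if name in diff["changed"]:
            review.append((name, f"default changed {diff['changed'][name]}; customization {value!r} kept"))
    for name in diff["added"]:
        review.append((name, f"new setting, default {new_defaults[name]!r}; confirm before broad rollout"))
    for name, (old, new) in diff["changed"].items():
        if name not in custom:
            review.append((name, f"default changed {old!r} -> {new!r}; no customization, new default applies"))
    return migrated, sorted(review)


if __name__ == "__main__":
    migrated, review = plan_migration(OLD_PROFILE, OLD_DEFAULTS, NEW_DEFAULTS)
    for name, reason in review:
        print(f"REVIEW {name}: {reason}")
    for name, value in sorted(migrated.items()):
        print(f"  {name} = {value}")
```

Run it against your own exports by replacing the three dictionaries. The review list is what to walk through on the pilot group before you submit the version change: the dropped customization needs a replacement control, the changed UAC default changes user experience, and the new Defender setting should be confirmed against your Defender for Endpoint baseline so the two profiles do not disagree.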

Best Practices

1. Start with Defaults, Customize Carefully

  • Begin with Microsoft's recommended defaults
  • Customize only when business needs require it
  • Document any customizations and their rationale

2. Test Before Broad Deployment

  • Deploy to a small pilot group first
  • Monitor for application compatibility issues
  • Verify network connectivity isn't affected
  • Test user workflows

3. Avoid Conflicts

Security baselines can conflict with:

  • Other device configuration profiles
  • Compliance policies
  • Group Policy settings (if using hybrid)

Resolution: Compliance policies take precedence over configuration policies, including baselines. Between two configuration profiles there is no precedence: Intune reports the setting as Conflict in the per-setting status report and doesn't guarantee which value wins, so remove the overlap rather than relying on ordering. Review Compliance and device configuration policies that conflict.
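To find overlaps before a device reports Conflict, compare the settings of every policy assigned to it. The following is an added example for this article, not Intune's own evaluation logic: it applies the one precedence rule stated above (compliance policy over configuration policy) and treats any disagreement between configuration policies or baselines as a conflict to resolve. The policy contents and setting names are constructed for illustration, not copied from real baselines.

```python
# Constructed sample: (policy name, kind, settings). kind is "compliance" or "configuration";
# security baselines are configuration policies for this purpose.
ASSIGNED_POLICIES = [
    ("Windows Security Baseline", "configuration", {
        "BitLocker/RequireDeviceEncryption": "Enabled",
        "Firewall/PrivateProfile/EnableFirewall": "True",
        "Defender/AllowRealtimeMonitoring": "Allowed",
        "LocalPoliciesSecurityOptions/LimitBlankPasswordUse": "Enabled",
    }),
    ("Defender for Endpoint Baseline", "configuration", {
        "Defender/AllowRealtimeMonitoring": "Allowed",   # same value as above: overlap, not a conflict
        "Defender/AllowCloudProtection": "Allowed",
    }),
    ("Engineering Lab Firewall Profile", "configuration", {
        "Firewall/PrivateProfile/EnableFirewall": "False",  # disagrees with the baseline: conflict
    }),
    ("Corporate Compliance", "compliance", {
        "BitLocker/RequireDeviceEncryption": "Required",  # compliance wins over configuration
    }),
]


def evaluate(policies):
    """Return (effective, conflicts).

    effective maps setting -> (value, policy that supplied it).
    conflicts lists settings where the winning group of policies disagrees;
    those settings are left out of effective because Intune reports a Conflict
    state for them rather than guaranteeing which value is applied.
    """
    by_setting = {}
    for name, kind, settings in policies:
        for setting, value in settings.items():
            by_setting.setdefault(setting, []).append((kind, name, value))

    effective, conflicts = {}, []
    for setting, sources in sorted(by_setting.items()):
        # Compliance policies take precedence; otherwise all configuration policies compete.
        group = [s for s in sources if s[0] == "compliance"] or sources
        values = {value for _, _, value in group}
        if len(values) > 1:
            conflicts.append((setting, sorted((name, value) for _, name, value in group)))
        else:
            _, name, value = group[0]
            effective[setting] = (value, name)
    return effective, conflicts


def report(policies):
    """Print effective settings and a resolution list; returns the conflict count."""
    effective, conflicts = evaluate(policies)
    for setting, (value, source) in effective.items():
        print(f"{setting} = {value}   (from {source})")
    for setting, sources in conflicts:
        print(f"CONFLICT {setting}: " + "; ".join(f"{n}={v}" for n, v in sources))
    return len(conflicts)


if __name__ == "__main__":
    report(ASSIGNED_POLICIES)
```

In the sample the two baselines overlap on the real-time monitoring setting with the same value, which is harmless, while the lab firewall profile disagrees with the Windows baseline, which is the case the troubleshooting section describes: fix it by excluding the lab devices from the baseline assignment or by aligning the value, not by hoping one profile applies last.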

4. Use Scope Tags

Organize baselines by:

  • Department or business unit
  • Geographic location
  • Device type
  • Security tier

5. Monitor Regularly

  • Review compliance reports weekly
  • Address noncompliant devices promptly
  • Update baselines when new versions are available
  • Document any issues and resolutions

Common Configuration Scenarios

Scenario 1: Standard Enterprise Deployment

Configuration:

  • Deploy Windows Security Baseline with default settings
  • Deploy Defender for Endpoint baseline (if licensed)
  • Assign to all Windows devices once the pilot group shows no compatibility or connectivity issues
  • Monitor compliance weekly

Scenario 2: High-Security Environment

Configuration:

  • Deploy Windows Security Baseline
  • Customize firewall settings for specific network requirements
  • Deploy Defender for Endpoint baseline with enhanced settings
  • Use scope tags to organize by security tier
  • Implement stricter compliance policies

Scenario 3: Education Environment

Configuration:

  • Deploy Windows Security Baseline
  • Adjust settings for shared device scenarios
  • Consider Windows 365 Security Baseline for Cloud PCs
  • Test thoroughly with educational applications

Troubleshooting

Issue: Settings Not Applying

Solutions:

  • Verify device is enrolled and checking in
  • Check for policy conflicts
  • Review device assignment status
  • Ensure device meets baseline requirements

Issue: Application Compatibility Problems

Solutions:

  • Review baseline settings that might affect applications
  • Test applications in pilot group first
  • Adjust specific settings as needed
  • Document required exceptions

Issue: Baseline Conflicts

Solutions:

  • Review all assigned policies
  • Check for overlapping settings
  • Understand conflict resolution rules
  • Use scope tags to organize policies

Conclusion

Intune Security Baselines provide a powerful, efficient way to deploy Microsoft's recommended security configurations across your Windows devices. By following these best practices:

✅ Start with defaults and customize carefully
✅ Test thoroughly before broad deployment
✅ Monitor compliance regularly
✅ Avoid policy conflicts
✅ Keep baselines updated

You can establish a strong security foundation for your organization while maintaining operational efficiency and user productivity.

Remember: Security baselines are a starting point. Regularly review and adjust them based on your organization's evolving security needs, threat landscape, and business requirements.