Most security baseline deployments I walk into were finished in about four minutes.
Someone opened Intune, found Security baselines, picked the Windows one, clicked through the wizard accepting every default, hit Create, and moved on. Box ticked. Tenant “hardened”.
That’s not security configuration. That’s a screenshot for the onboarding report.
Here’s the thing nobody tells you. A baseline you’ve never read isn’t a baseline. It’s a pile of Microsoft’s opinions you’ve agreed to without looking. And one of those opinions might break BitLocker enrolment on every machine without a TPM.
So let’s actually do this properly. It’s already in the licence your client pays for.
What is a security baseline, really?
A security baseline is Microsoft’s own recommended configuration for a product, bundled into one policy you deploy from Intune.
Not a list of suggestions. Not a report. Actual settings that get pushed to the device — BitLocker, firewall, Defender, password rules, SmartScreen — preset to the values Microsoft’s security team uses internally.
The point is speed. Instead of hand-building forty configuration profiles, you deploy one baseline and you’re 80% of the way to a hardened endpoint. Microsoft maintains the recommended settings and ships new versions as Windows evolves.
You get a few flavours: Windows, Microsoft Defender for Endpoint, Microsoft Edge, and Windows 365. There’s no separate SKU to buy. If your client is on Business Premium, this is already sitting in their tenant waiting.
Step-by-Step: deploying your first baseline
Portal only. No PowerShell.
Open the baselines
Sign in to the Microsoft Intune admin center and go to Endpoint security > Security baselines. You’ll see each baseline type with its current version on the right.
Pick one and create the profile
Start with Security Baseline for Windows 10 and later. Click it, then Create profile. Always take the newest version — older ones go read-only the moment a new one ships.
Name it like you’ll see it again
Give it a name your future self can read at a glance, like WIN-Baseline-Pilot. When a tenant has thirty policies, naming is the documentation.
Read the settings. Actually read them.
This is the step everyone skips. Walk the Configuration settings tabs. The defaults are deliberately restrictive — that’s the point — but restrictive settings break things. BitLocker enforcement on hardware without TPM 2.0 will tank an enrolment. Firewall rules will fight on-prem Group Policy on hybrid devices.
Assign to a pilot, not the fleet
Assign to a device group of ten to twenty machines with mixed hardware. Not your IT team’s identical laptops — include the weird old Dell from accounting. That’s where the breakage hides.
Watch the overview
Give it 24 hours, then check the profile’s Overview. You’ll see four buckets:
Succeeded – applied cleanly
Error – failed to apply
Conflict – this setting is fighting another policy
Not applicable – device can’t support it
Notice what’s missing? There’s no “Secure” status. The portal tells you settings applied — never that you’re protected. Those are different claims, and the gap between them is your job.
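The same four buckets can be pulled for the pilot group without the portal, which is handy when you want the Conflict list in writing before widening the assignment. This is an added example, not code from the original post: a Python triage of the per-device states as the beta Graph endpoint `deviceManagement/intents/{id}/deviceStates` returns them (the endpoint, the field names, the permission name and the sample response are all assumptions; the sample is constructed). It maps the states onto the Overview buckets, names the conflicting and erroring machines, and only reports "ready to widen" when neither bucket has anything in it.

```python
import json
import urllib.request
from collections import defaultdict

# Constructed sample of a /beta/deviceManagement/intents/{id}/deviceStates
# response (assumption: field names and state values follow Graph's
# complianceStatus enum; these devices are invented, not from the post).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"deviceDisplayName": "LT-IT-01",  "state": "compliant"},
    {"deviceDisplayName": "LT-IT-02",  "state": "remediated"},
    {"deviceDisplayName": "DT-ACC-07", "state": "notApplicable"},  # no TPM 2.0
    {"deviceDisplayName": "LT-HYB-03", "state": "conflict"},       # fights on-prem GPO
    {"deviceDisplayName": "LT-SAL-11", "state": "error"},
    {"deviceDisplayName": "LT-NEW-20", "state": "notAssigned"},    # not checked in yet
]})

# Graph state value -> the four buckets the profile Overview shows.
BUCKETS = {
    "compliant": "Succeeded", "remediated": "Succeeded",
    "error": "Error", "conflict": "Conflict", "notApplicable": "Not applicable",
}

def fetch_device_states(intent_id: str, token: str) -> str:
    """Live call (assumed beta endpoint; token is assumed to carry
    DeviceManagementConfiguration.Read.All). Not used by the offline demo."""
    url = f"https://graph.microsoft.com/beta/deviceManagement/intents/{intent_id}/deviceStates"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def triage(response_json: str) -> dict:
    """Sort pilot devices into the Overview buckets and decide whether the
    pilot is clean enough to widen. Only Error and Conflict block; Not
    applicable is listed so the TPM-less machines get noticed, not hidden."""
    by_bucket = defaultdict(list)
    for dev in json.loads(response_json)["value"]:
        bucket = BUCKETS.get(dev.get("state"), "Pending/other")
        by_bucket[bucket].append(dev["deviceDisplayName"])
    blockers = by_bucket.get("Error", []) + by_bucket.get("Conflict", [])
    return {
        "counts": {b: len(names) for b, names in by_bucket.items()},
        "blockers": blockers,
        "not_applicable": by_bucket.get("Not applicable", []),
        "ready_to_widen": not blockers,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSE)
    for bucket, n in result["counts"].items():
        print(f"{bucket:<16}{n}")
    print("blockers:", result["blockers"] or "none")
    print("ready to widen pilot:", result["ready_to_widen"])
```

Swap `SAMPLE_RESPONSE` for `fetch_device_states(intent_id, token)` against a real tenant and the same triage runs on the live pilot.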
Why this actually changes behaviour
Two reasons this matters more than the four-minute version.
First, conflicts are real and they’re silent. If the same setting lives in a baseline and a configuration profile, the device gets neither. It sits in Conflict and quietly does nothing. Run a pilot and you catch it. Deploy to everyone on a Friday and you find out Monday.
Second — and this is the one that catches people — baseline settings tattoo. Remove the assignment and the settings don’t roll back. They stay frozen at the last value applied. There’s no undo button.
“So if I unassign it, doesn’t the device go back to normal?”
No. It stays exactly where the baseline left it. You’d have to push the opposite setting to reverse it. Treat every baseline deployment as a one-way door, because it mostly is.
A baseline is a starting line, not a finish line. Microsoft’s Windows baseline covers maybe 150 of the 450-odd settings a CIS benchmark wants. That’s fine. Start here, layer the rest later.
The four-minute deployment and the real one look identical in a screenshot. They behave nothing alike on the device.
Read the settings once. Pilot once. Then you can tell a client their fleet is hardened and actually mean it.
A baseline isn’t there to make you look secure. It’s there to make you secure — but only if you read it first.