Intune Security Baselines - What are they and how to use them?
Here's the thing Microsoft won't tell you about Intune security baselines: the policies don't unapply.
I'll say that again because it matters. You deploy a baseline, it pushes settings to your devices, and those settings get tattooed to the machine. If something breaks (and something will break), you can't just untick a box and have it roll back. Sometimes you can overwrite the value with a different policy. Sometimes you need to push a new setting that contradicts the old one. And sometimes you're wiping the device.
I learned this the hard way on a client engagement. We'd deployed the Windows 10 MDM baseline to a pilot group, realized one of the firewall rules was killing a legacy app they needed, and spent two days figuring out that "Not configured" doesn't mean "undo what I just did." It means "stop managing this setting going forward," which is a very different thing when the registry key is already written.
So before you read another word of this post: test baselines on a pilot group first. Always.
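One way to make the "tattooing" visible on a pilot device, as an added example that is not code from the original post: snapshot the registry hives that MDM policy writes into before the baseline goes on, then diff against a second snapshot taken after the baseline was set to "Not configured". Whatever shows up as Added or Changed in the diff is a value the baseline wrote and nobody took back, which is exactly the list you need when you go to write the contradicting policy. The two root paths are my assumption about where the interesting settings land (the Policy CSP bookkeeping key and the Policies hive); extend the list as you find other locations.

```powershell
# Added example, not from the original post. Snapshots registry hives that MDM
# policy writes into and diffs two snapshots so values left behind after a
# baseline is set to "Not configured" are listed explicitly.
# Assumption (mine): these two roots cover the settings you care about. Run elevated.

$SnapshotRoots = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device',  # Policy CSP bookkeeping
    'HKLM:\SOFTWARE\Policies\Microsoft'                       # Policies hive many CSPs write to
)

function Get-PolicySnapshot {
    # Walks each root recursively; returns a hashtable "KeyPath\ValueName" -> value (as string)
    param([string[]]$Roots = $SnapshotRoots)
    $snapshot = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                $snapshot["$($key.Name)\$label"] = [string]$key.GetValue($name)
            }
        }
    }
    return $snapshot
}

function Compare-PolicySnapshot {
    # Added   = value exists only in the later snapshot (written by the baseline and still there: tattooed)
    # Changed = value differs between the two snapshots
    # Removed = value existed before and is now gone
    param([hashtable]$Before, [hashtable]$After)
    $allKeys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $allKeys) {
        $status = $null
        if (-not $Before.ContainsKey($k))   { $status = 'Added' }
        elseif (-not $After.ContainsKey($k)) { $status = 'Removed' }
        elseif ($Before[$k] -ne $After[$k])  { $status = 'Changed' }
        if ($status) {
            [pscustomobject]@{ Status = $status; Setting = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
}

# Usage: take the first snapshot BEFORE assigning the baseline to the pilot device
Get-PolicySnapshot | Export-Clixml -Path "$env:TEMP\policy-before.xml"

# ... deploy the baseline, find the breakage, set the setting to "Not configured",
# force a sync, then take the second snapshot and diff. Anything Added or Changed is tattooed.
$before = Import-Clixml -Path "$env:TEMP\policy-before.xml"
Compare-PolicySnapshot -Before $before -After (Get-PolicySnapshot) |
    Where-Object Status -ne 'Removed' |
    Format-Table -AutoSize
```

Export-Clixml is used rather than JSON so the hashtable round-trips unchanged on Windows PowerShell 5.1 as well as PowerShell 7. Keep the "before" file with the screenshot of your settings; together they are the record you will want a week later.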
What Baselines Actually Are (Quick Version)
Security baselines are pre-built bundles of security settings that Microsoft thinks you should enable on Windows and Edge. They're available as Group Policy packages or through Intune's MDM interface.
They're aimed at organizations that don't have deep security expertise in-house. If you've never touched Attack Surface Reduction rules and don't know where to start, baselines give you a decent starting point. Small shops with no dedicated IT team, greenfield deployments with zero policies in place, that sort of thing.
Check your licensing first.
I'm serious. Microsoft treats baselines like must-set settings, but some of them require specific licenses to actually do anything. The Defender for Endpoint baseline is the main offender. You'll deploy it, everything will look fine in the portal, and then you'll wonder why half the settings aren't applying. The answer is almost always "you don't have the right license."
The Four Baselines (and Why They Overlap So Much)
As of writing there are four baseline profiles: Windows 10 MDM, Defender for Endpoint, Microsoft Edge, and Windows 365.
Lots of overlap between them. I won't go through every category (that'd be its own series), but here's the short version of each:
Windows 10 MDM is the big one. Covers BitLocker, firewall, Defender AV, local policies, the works. One thing to know: the "Browser" category in this baseline refers to Edge Legacy, not Chromium Edge. If you want Chromium settings, you need the Edge baseline separately.
Defender for Endpoint is smaller but focused. Firewall rules, ASR, Defender SmartScreen. Needs the DfE license to actually do anything useful.
Microsoft Edge covers Chromium Edge only. If you need Legacy Edge or Internet Explorer settings, those are in the Windows 10 MDM baseline.
Windows 365 is basically a Frankenstein of the other three. Microsoft pulled in the Edge baseline wholesale, grabbed Defender and ASR rules from the DfE baseline, and dropped Power and Wi-Fi settings (makes sense for a cloud PC). They also added Defender AV Exclusions from Simplified Security Policies*. No Data Protection, no Device Lock.
The full diff:
- Power and Wi-Fi dropped. Makes sense, it's a cloud PC.
- The entire Edge baseline got copy-pasted in wholesale
- Defender and ASR rules from DfE
- Defender AV Exclusions via Simplified Security Policies* (this one surprised me, it's the only thing that doesn't come from an existing baseline)
- No Data Protection, no Device Lock
*Simplified Security Policies is its own topic. Microsoft's docs cover the basics.
How Much Overlap?
I put together a comparison table for an internal doc at work. It's simplified but gives you the picture. The numbers are total policy counts per category across the three main baselines.
Quick example: Firewall has 41 policies under Defender for Endpoint but only 18 under Windows 10 MDM. Internet Explorer has 117 policies under Win10 and zero everywhere else. The overlap is real and it's the main source of conflicts (more on that in a second).
You'll notice some blank rows: App & Browser Isolation, Defender AV Exclusions, Endpoint Detection & Response, Exploit Protection. Those aren't part of baselines at all. They live under Simplified Security Profiles. I was too lazy to make a separate table when I adapted this from our internal docs, so think of those rows as a reminder that baselines don't cover everything.
The Conflict Problem (Read This Part)
This is where it gets painful. Deploy both the Windows 10 MDM and Defender for Endpoint baselines to the same device and you will get conflicts. Both baselines configure firewall settings. Both touch Defender. And Intune doesn't merge them intelligently. It just flags a conflict and the device sits there with the setting in an undefined state.
I'm probably not supposed to show this, but here's a real example from a mature tenant (not mine) just so you can see what this looks like in practice:
Look at the error and conflict counts. The errors are inflated here because this tenant has a bunch of test configurations fighting each other. Ignore those. The conflicts are what matter, because those mean two policies are trying to set the same registry key to different values and neither one wins cleanly.
If you click into the Profile assignment status pie chart, you get the device breakdown:
This device has both the Windows 10 MDM and Defender for Endpoint baselines applied. Selecting the conflict and sorting by status shows what Intune's unhappy about. Notice how it's almost entirely firewall rules. That tracks with the overlap table from earlier: both baselines want to own the firewall, and neither backs down.
On the right side, Intune shows which other profile is causing the conflict. That profile name is what you need. Go find it, figure out which policy should win, and set the loser to "Not configured" so there's only one source of truth for that setting.
Fair warning: Intune won't always show you where the conflict lives, especially if the conflicting setting came from a device configuration profile instead of another baseline. That's when troubleshooting gets really tedious.
Setting One Up (The Short Version)
Navigate to Endpoint Security > Security Baselines, pick your baseline, and hit + Create profile.
You'll see all available versions. Pick the latest one unless you have a reason not to.
Standard wizard. Name, scope tags, group assignments. I'm not going to walk through every click because you can read a wizard. The part that actually matters is the configuration settings page.
Each setting has three states: the recommended value, an alternative, and "Not configured." Pay attention to the ones marked as recommended but not enabled by default. Those are the ones Microsoft thinks you should turn on but didn't want to force.
Don't just accept the defaults blindly. Same rule as importing GPOs: test first, because some of these settings will break older applications and you won't find out until someone calls you about it.
Review + Create. Take a screenshot of these settings before you deploy. Seriously. When something breaks in a week and you're trying to remember what you changed, you'll thank yourself.
Once it's deployed, you can edit it later from Endpoint Security > [Your Baseline] > Properties > Edit.
Same wizard, same categories. Changes get pushed to devices on next sync.
Updating to New Baseline Versions
Microsoft periodically updates baselines. When they do, your existing baseline profile goes read-only. You can't edit it anymore, only compare and migrate.
The comparison tool is actually decent, which I wasn't expecting. First time I saw a version update I assumed I'd have to diff the settings manually. You can export a CSV showing exactly what changed between versions:
Pick both versions and hit Compare. The output is a side-by-side diff:
Hit the export button to get a CSV. Way easier to work with in Excel than squinting at this in the browser.
The raw CSV needs some formatting, but once you sort on the change column, you can see exactly what Microsoft added, removed, or modified. In the example I looked at, the only change between versions was the addition of "Scan scripts that are used in Microsoft browsers." Everything else stayed the same.
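Since the export needs a pass in Excel anyway, here is the same sort-by-change step done in PowerShell, as an added example that is not part of the original post. The column headers (Category, Setting, Change, OldValue, NewValue) and the "No change" marker are my assumptions about the export format; set the three variables at the top to match the headers in your own CSV. The sample rows are constructed and mirror the single-change case described above.

```powershell
# Added example, not from the original post. Reads the CSV exported from the
# baseline Compare view, drops unchanged rows, and returns the changes sorted
# with additions first plus a count per change type.
# Assumption (mine): header names below; adjust to match your export.

$ChangeColumn   = 'Change'
$SettingColumn  = 'Setting'
$CategoryColumn = 'Category'

function Get-BaselineChangeReport {
    # Accepts rows from Import-Csv / ConvertFrom-Csv on the pipeline
    param([Parameter(ValueFromPipeline)][object[]]$Rows)
    begin   { $all = @() }
    process { $all += $Rows }
    end {
        $all |
            Where-Object { $_.$ChangeColumn -and $_.$ChangeColumn -ne 'No change' } |
            Sort-Object @{ Expression = {
                    switch ($_.$ChangeColumn) { 'Added' { 0 } 'Removed' { 1 } 'Modified' { 2 } default { 3 } }
                } }, $SettingColumn |
            ForEach-Object {
                [pscustomobject]@{
                    Change   = $_.$ChangeColumn
                    Category = $_.$CategoryColumn
                    Setting  = $_.$SettingColumn
                    OldValue = $_.OldValue
                    NewValue = $_.NewValue
                }
            }
    }
}

# Constructed sample standing in for a real export (the one real change from the text above)
$sampleCsv = @'
Category,Setting,Change,OldValue,NewValue
Microsoft Defender,Scan scripts that are used in Microsoft browsers,Added,,Yes
Microsoft Defender,Turn on real-time protection,No change,Yes,Yes
Firewall,Domain profile: Enable firewall,No change,Yes,Yes
'@

$report = $sampleCsv | ConvertFrom-Csv | Get-BaselineChangeReport
$report | Format-Table -AutoSize
$report | Group-Object -Property Change | Select-Object Name, Count

# For a real export:
# Import-Csv -Path .\baseline-compare.csv | Get-BaselineChangeReport |
#     Export-Csv -Path .\baseline-changes.csv -NoTypeInformation
```

Keep the sorted output with the version number it came from; when the next baseline version lands you will have a per-version change log without going back through the portal.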
What Baselines Don't Cover
Baselines aren't CIS or NIST compliant out of the box. They're close, maybe 99% aligned, but there are a few disagreements. The Administrator elevation prompt behavior under Local Policies Security Options is one I've run into where Microsoft and CIS differ. Don't assume you'll pass a CIS audit just because you flipped on baselines.
There's also a ton of security configuration that baselines simply don't touch. You'll still need ADMX template imports, Simplified Security Profiles, device configuration profiles, custom OMA-URIs, the settings catalog... the list goes on. Baselines are a starting point, not the finish line.
If you're new to all this, Microsoft's own documentation is required reading. Getting comfortable with Microsoft docs is honestly a skill in itself. You'll spend a lot of time in there.
If you want a deeper look at individual settings, I've been pulling them apart in separate posts. The Credential Guard writeup is probably the most useful one so far, since that's the setting I see people misconfigure the most.