Intune’s security baselines allow the deployment of recommended security settings to your Windows devices managed in Intune. It can help your organization secure and protect your users and devices with granular control over their security configurations. This post will guide you through Intune Security baseline creation and configuration.

When you create a security baseline profile in Intune a template that consists of multiple device configuration profiles is created. The settings in each baseline are device configuration settings like those found in Intune policies. This can help to save time creating these multiple policies. You can see the list of available Windows security baselines.

Version and available Intune Security baseline

Microsoft’s security baselines are updated frequently. Intune allows to see and update the version of a baseline. To see the behaviour of updating and conflicting security baseline see the Microsoft documentation.

At the time of this writing, the latest security baselines available in Intune are:

• Windows
• Defender
• Edge
• Windows 365
• Microsoft 365 Apps

Requirements

Before starting, you need to know that Security baseline is available only on Windows 10 1809 or later. You’ll also need the Intune Policy and profile manager or Intune administrator security role

Configure Intune Security baseline profile

For our example, we’ll create a Windows Security baseline

• Open the Intune Console and browse to Endpoint Security / Security Baseline / Security Baseline for Windows 10 and later. (You can see the security baseline version on the right column)

• Click on Create Profile

• Give your Intune Security baseline a significative name and click Next

• The Configuration Settings tab provides all of the configurable items with the recommended settings from Microsoft

From there, it’s up to your security team to give you which setting you need to configure. We have a couple of examples in one of our previous posts about GPO security baseline.

For our example, we will stop all available Xbox services at device startup

• Configure Scopes if desired

• The Intune Security baseline can be assigned to a group directly from the creation wizard. Be careful with who you assign a security baseline. Testing and pilot is recommended to avoid user impact.

• Summary review and click Create at the Bottom

Change security baseline version

To see the behaviour of updating and conflicting security baseline see the Microsoft documentation.

Additional notes

Is there a Differences between GPO and Intune security baseline?

No, Microsoft states that it’s the same.

Can I use the preview security baseline?

Just like new builds of Windows 10, a new security baseline requires testing before deploying to production. Add this to your test plan!

Can I Rollback Security baseline?

Removing the Security baseline assignment will not work as GPO does! Configurations are tattoed on the computer. Removing the Security baseline assignment will leave configurations as the last configuration applied to the computer.

While most configurations aren’t likely to break stuff, if you wish to remove it, it will be required to configure as the opposite to be successful.

Co-Management consideration

Security baseline requires the Co-management workload for Device Configuration to be set to Intune

If you need more details about Co-Management, see our previous post.

Monitor and troubleshoot

Microsoft provides lots of details to help monitor and troubleshoot baseline compliance. See the following post for more details

For more details about security baseline, see Microsoft docs