Forum Discussion

drivesafely
Brass Contributor
Jan 13, 2025

Guidance on Applying Security Baselines

Hello everyone,  

We plan to apply the security baseline for Windows 10 and 11 devices. There’s already a predefined baseline available at Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later, where we can create and assign profiles to devices.  

If we later want to remove these Security Baseline settings from specific devices, is it sufficient to simply remove those devices from the assignment, or will additional steps be required?  

Alternatively, similar settings can be applied via Devices > Configuration Profiles by creating a custom policy from scratch.  

Which method is recommended: Security Baseline Policy or Device Configuration Policy?  

Your guidance will be appreciated.  

Thanks,

  • Ankido
    Iron Contributor

    Hi drivesafely,


    1- Security baselines are pre-configured settings provided by Microsoft to quickly secure your tenant. They cover Windows, Edge, Windows 365, and Microsoft Defender for Endpoint. While not as detailed as custom policies, they offer an easy and efficient way to get started. If you switch to more specific policies, remember to set the related baseline setting to "Not configured" to avoid conflicts. Baseline policies are regularly updated, and when a new version is released, the current policy switches to read-only mode in Intune. You’ll need to update them to make changes. This process is the same for all baselines, and for this example, we'll configure the Microsoft Edge baseline, as it’s least likely to conflict with other settings.

    It is recommended to use Security Baseline Policy if you want to quickly apply a basic security configuration that Microsoft recommends to secure your device. It's a simple and fast solution that provides good protection without needing to customize detailed settings.

    If you need more precise control and want specific policy settings that are not covered by baselines, Device Configuration Policy is the better option. It offers more granularity and flexibility to tailor security exactly to your needs.

    So, the choice depends on how much control and customization you need. If you're looking for a quick and easy solution, the baseline is preferable, but for more detailed control, you should use Device Configuration Policy.

    When you apply a security baseline to a device, it will receive certain settings defined in the baseline. If you then remove the device from the baseline assignment, the settings will not automatically be removed. The device will retain these settings until something else occurs.

    To remove the settings from the device, you need to do one of the following:

    1. Assign another policy: If you have another security policy that doesn’t have the same settings, you can assign it to the device instead. The new policy will replace the old settings.
    2. Reset the settings: If you don’t want to assign a new policy, you’ll need to manually change the settings on the device or set the old settings to "Not configured" to restore them to their default state.

    In summary: simply removing the device from the baseline assignment will not remove the settings; you must either assign a new policy or manually reset the settings.


    Feel free to reach out if you have any more questions!
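The reply above says that unassigning a baseline leaves its settings on the client until another policy overwrites them. The following script is an added example, not code from the thread or from Microsoft: it snapshots the Policy CSP state an MDM-enrolled Windows client currently holds and diffs two snapshots, so you can see which values actually reverted after you removed the device from the baseline assignment and which are still in effect. It assumes the device is Intune/MDM-enrolled (Policy CSP values are written under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device`) and that it runs in an elevated PowerShell session; the file names and the `Get-`/`Compare-` function names are the example's own.

```powershell
# Added example: snapshot and diff the MDM (Policy CSP) state on a Windows client.
# Assumption: Intune-enrolled device; effective policy values live under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
# Run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-MdmPolicySnapshot {
    [CmdletBinding()]
    param([string]$Root = $PolicyRoot)

    $snapshot = @{}
    Get-ChildItem -Path $Root -ErrorAction Stop | ForEach-Object {
        $area  = $_.PSChildName                     # e.g. an ADMX area or CSP node name
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... properties; they are not policy values
            if ($p.Name -like 'PS*') { continue }
            # Companion values such as <Setting>_ProviderSet / <Setting>_WinningProvider
            # are kept on purpose: they record which enrollment supplied the winning value.
            $snapshot["$area\$($p.Name)"] = $p.Value
        }
    }
    return $snapshot
}

function Compare-MdmPolicySnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Before,
        [Parameter(Mandatory)][hashtable]$After
    )
    $keys = (@($Before.Keys) + @($After.Keys)) | Sort-Object -Unique
    foreach ($k in $keys) {
        $b = $Before[$k]; $a = $After[$k]
        if     ($null -eq $b -and $null -ne $a) { [pscustomobject]@{ Setting = $k; Change = 'Added';   Before = $null; After = $a } }
        elseif ($null -ne $b -and $null -eq $a) { [pscustomobject]@{ Setting = $k; Change = 'Removed'; Before = $b;    After = $null } }
        elseif ("$b" -ne "$a")                  { [pscustomobject]@{ Setting = $k; Change = 'Changed'; Before = $b;    After = $a } }
    }
}

# Usage (file names are the example's own):
# 1. While the device is still in the baseline assignment:
#    Get-MdmPolicySnapshot | Export-Clixml .\mdm-before.xml
# 2. After removing the assignment and syncing the device
#    (Settings > Accounts > Access work or school > Info > Sync):
#    $before = Import-Clixml .\mdm-before.xml
#    $after  = Get-MdmPolicySnapshot
#    Compare-MdmPolicySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Rows marked `Removed` are values the client dropped when the assignment went away; every baseline setting that does not appear in the diff is still enforced exactly as before, which is what the reply warns about. Run the same comparison again after assigning a replacement profile or setting the old values to "Not configured" to confirm the reset took effect.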

  • fbatuns
    Brass Contributor

    Hey there,

    We implemented the Security Baselines on all our devices last year.

    You are totally right: to remove the baseline from a client, it's enough to remove the assignment. Keep in mind that in some cases, if you remove the assignment, the policy is no longer enforced but the settings on the client are left as is. In order to change the setting on the client, you have to implement a new Configuration Profile and assign it to the client.


    Our approach was to keep the Baseline the same for all our clients, no exceptions. (Since it's called a baseline :-))

    For exceptions we left some settings in the Baseline "Unconfigured" and deployed a dedicated Configuration Profile with these settings, and controlled our exceptions in that one.

    I guess technically, Configuration Profiles and Security Baselines are the same (since both of them are also listed under Configuration Profiles). A Baseline is just a preset of Microsoft-recommended settings to harden your devices. (I think this one is especially handy if you start from scratch in a new environment.)


    Hope this helps.

    Kind regards

    Fabian
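Fabian's approach relies on knowing exactly which groups still receive the baseline and where a dedicated exception profile overlaps it. The script below is an added example, not from the thread or from Microsoft, that pulls that picture from Microsoft Graph: it lists every Security Baseline (modelled as an "intent" on the beta endpoint), every classic device configuration profile and every Settings Catalog policy, together with their assignments, and then flags groups that are targeted by both a baseline and a configuration profile. It assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds `DeviceManagementConfiguration.Read.All`, and the reader accepts the beta endpoint; the function names are the example's own.

```powershell
# Added example: report baseline and configuration-profile assignments from Intune via Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; permission DeviceManagementConfiguration.Read.All;
# baselines (intents) and Settings Catalog policies are only exposed on the beta endpoint.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    # Follows @odata.nextLink paging so large tenants are not truncated.
    $items = @()
    do {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-PolicyAssignmentReport {
    $base = 'https://graph.microsoft.com/beta/deviceManagement'
    # Each source: a kind label, its collection URL and the property that carries the display name.
    $sources = @(
        @{ Kind = 'SecurityBaseline';   Path = 'intents';              NameProp = 'displayName' },
        @{ Kind = 'DeviceConfiguration';Path = 'deviceConfigurations'; NameProp = 'displayName' },
        @{ Kind = 'SettingsCatalog';    Path = 'configurationPolicies';NameProp = 'name' }
    )
    foreach ($s in $sources) {
        foreach ($policy in Get-GraphCollection "$base/$($s.Path)") {
            $assignments = Get-GraphCollection "$base/$($s.Path)/$($policy.id)/assignments"
            foreach ($a in $assignments) {
                # Target types are e.g. groupAssignmentTarget, exclusionGroupAssignmentTarget,
                # allDevicesAssignmentTarget, allLicensedUsersAssignmentTarget.
                [pscustomobject]@{
                    Kind       = $s.Kind
                    Policy     = $policy.($s.NameProp)
                    TargetType = ($a.target.'@odata.type' -replace '^#microsoft\.graph\.', '')
                    GroupId    = $a.target.groupId
                }
            }
        }
    }
}

function Find-BaselineOverlap {
    # Groups that receive a baseline AND at least one configuration profile/settings-catalog policy.
    param([Parameter(Mandatory)][object[]]$Report)
    $Report |
        Where-Object { $_.GroupId -and $_.TargetType -eq 'groupAssignmentTarget' } |
        Group-Object GroupId |
        Where-Object { ($_.Group.Kind | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                GroupId  = $_.Name
                Policies = ($_.Group | ForEach-Object { "$($_.Kind): $($_.Policy)" }) -join '; '
            }
        }
}

$report = Get-PolicyAssignmentReport
$report | Sort-Object Kind, Policy | Format-Table -AutoSize
Find-BaselineOverlap -Report $report | Format-Table -AutoSize -Wrap
```

An overlap row is not an error in itself: it is exactly the pattern Fabian describes, a baseline plus an exception profile on the same group. What you want to confirm for each such row is that the setting the exception profile configures is left "Not configured" in the baseline, since Intune reports a conflict rather than picking a winner when two policies set the same value differently.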
