Forum Discussion

drivesafely's avatar
drivesafely
Iron Contributor
Jan 13, 2025

Guidance on Applying Security Baselines

Hello everyone,   We plan to apply the security baseline for Windows 10 and 11 devices. There’s already a predefined baseline available at Endpoint Security > Security Baselines > Security Baseline ...
Intune
fbatuns's avatar
fbatuns
Iron Contributor
Feb 07, 2025

Hey there,

we have implemented the Security-Baselines to all our Devices last year.

You are totally right, to remove the baseline from a client, it's enough to remove the assignment. Keep in mind, that in some cases, if you remove the assignment the policy is no longer enforced but settings on the client are left "as is". In order to change the setting on the client, you have to implement a new Configuration Profile and assign it to the client.

 

Our approach was to keep the Baseline to all our clients the same, no exceptions. (Since it's called baseline :-))

For exceptions we left some Settings in the Baseline "Unconfigured" and deployed a dedicated Configuration Profile with these settings and controlled our exception in that one.

I guess technically, Configuration Profiles and Security-Baseline are the same (since both of them are also listed under Configurations Profiles. Baseline ist just a Preset of Microsoft-Recommended Settings do harden your devices. (I think this one is especially handy if you start from scratch in a new environment)

 

Hope this helps.

Kind regards

Fabian

Resources