Guidance on Applying Security Baselines
Hi drivesafely,
1- Security baselines are pre-configured settings provided by Microsoft to quickly secure your tenant. They cover Windows, Edge, Windows 365, and Microsoft Defender for Endpoint. While not as detailed as custom policies, they offer an easy and efficient way to get started. If you switch to more specific policies, remember to set the related baseline setting to "Not configured" to avoid conflicts. Baseline policies are regularly updated, and when a new version is released, the current policy switches to read-only mode in Intune. You’ll need to update them to make changes. This process is the same for all baselines, and for this example, we'll configure the Microsoft Edge baseline, as it’s least likely to conflict with other settings.
It is recommended to use a Security Baseline Policy if you want to quickly apply a basic security configuration that Microsoft recommends to secure your device. It's a simple and fast solution that provides good protection without needing to customize detailed settings.
If you need more precise control and want specific policy settings that are not covered by baselines, a Device Configuration Policy is the better option. It offers more granularity and flexibility to tailor security exactly to your needs.
So, the choice depends on how much control and customization you need. If you're looking for a quick and easy solution, the baseline is preferable, but for more detailed control, you should use a Device Configuration Policy.
When you apply a security baseline to a device, it will receive certain settings defined in the baseline. If you then remove the device from the baseline assignment, the settings will not automatically be removed. The device will retain these settings until something else occurs.
To remove the settings from the device, you need to do one of the following:
- Assign another policy: If you have another security policy that doesn’t have the same settings, you can assign it to the device instead. The new policy will replace the old settings.
- Reset the settings: If you don’t want to assign a new policy, you’ll need to manually change the settings on the device or set the old settings to "Not configured" to restore them to their default state.
In summary: simply removing the device from the baseline assignment will not remove the settings; you must either assign a new policy or manually reset the settings.
Feel free to reach out if you have any more questions!