Security Baselines instead of standalone configs?

Regular Contributor

Hi everyone,


I'm asking myself why security baselines are useful. At the moment I use device configurations for ATP, Hello, Device restrictions, etc.

Why should I use security baselines instead? What are the advantages for me?


Thank you in advance. :)


3 Replies
best response confirmed by PatrickF11 (Regular Contributor)

@PatrickF11 The benefits would be that you get recommended settings just as we do with the GPO version of the baseline. Each time a new Windows 10 version is released, a new version of the baseline for that version will be available. That will save you time and make it easier to be more secure.


@Jörgen Nilsson 


The only problem is that the Intune Security Baseline for Windows is not keeping up with the Windows Security Baseline.


In Aug 2020, on a new tenant with release 2007, the Intune Windows 10 Security Baseline version is May 2019.


Since May 2019 the Windows Security Baseline went final in Nov 2019, but over half a year later the Intune Security Baseline for Windows 10 hasn't been touched.


It wouldn't be such a problem if Security baseline deployed settings which another policy could tweak, but that causes setting conflicts.


And if you have Windows Security Baseline + Windows Defender ATP Baseline ... you have to be very careful in your policy changes because both baselines have some overlapping settings (for example, BitLocker).


These are some reasons why I don't use the baselines. :\
By the way: I've opened a ticket with MS asking what the best practice is. (So where to configure some settings. Some of them are in the old-fashioned device configuration profiles, some of them are in the baselines, too, and some of them are in the device security blade, too.)
Support's answer was: Device configuration profiles. :D