Intune Security Baselines Policies for Windows 10 or Windows 11 Deployment Guide

This guide helps you to use Intune security baselines to configure Windows devices from Intune MEM Portal. Intune makes it easy to deploy Windows security baselines to help you secure and protect your users and devices.

Security baselines are groups of pre-configured Windows settings that help you apply and enforce granular security settings recommended by the relevant security teams. You can also customize each baseline you deploy to implement only the required settings and values. 

You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10/11. Security baselines can help you to have a secure end-to-end workflow when working with Microsoft 365.

Microsoft Endpoint Manager updates the versions of built-in Security Baselines depending on the changing needs of a typical organization. Each setting in a baseline has a default configuration for that baseline version.

Patch My PC

If you’re new to Intune and not sure where to start, Intune Admin Portal is one of the first things you have to learn, and predefined security baselines give you an advantage. You can quickly create and deploy a secure profile, knowing that you’re helping protect your organization’s resources and data.

Intune Security Baselines Policies for Windows 10 or Windows 11

To manage baselines in Intune, your account must have the Policy and Profile Manager built-in role. Let’s see how to create security baseline policies for Windows 10 or 11.

Adaptiva
  • Navigate to the Endpoint Security node. Click on the Security Baselines node.
Endpoint Security - Intune Security Baselines Policies for Windows 10 or Windows 11
Endpoint Security – Intune Security Baselines Policies for Windows 10 or Windows 11

Here You can see several other baseline policies in this node, Select the Security Baseline for Windows 10 and later set.

Intune Security Baselines Policies for Windows 10 or Windows 11
Intune Security Baselines Policies for Windows 10 or Windows 11

You can now click on + Create Profile to create a Security Baseline for Windows 10 or 11. You can also check the versions of the baseline available. The Supported baseline is November 2021.

When a new baseline version becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version.

You may notice the banner showing the message that At least one profile or policy is using a deprecated version. Microsoft recommends that you update all policies and profiles to the latest version. 

Create Profile - Intune Security Baselines Policies for Windows 10 or Windows 11
Create Profile – Intune Security Baselines Policies for Windows 10 or Windows 11

You will have to enter the name and description of the Security Baseline for Windows 10 or 11. The platform and Baseline version are automatically selected. You can click on the Next button to continue.

  • Name -> Security Baseline for Windows 10 or Windows 11
  • Platform -> Windows 10 and Later
  • Baseline Version -> November 2021
Provide Name - Intune Security Baselines Policies for Windows 10 or Windows 11
Provide Name – Intune Security Baselines Policies for Windows 10 or Windows 11

You can get a quick overview of the Windows 10 or Windows 11 security baseline categories with the default values of these tables.

  • Select a group to expand and review the available settings.
  • Use the search bar and specify keywords that filter the view to display only those groups that contain your search criteria.

Each setting in a baseline has a default configuration for that baseline version. This will help you understand the configurations quickly and adjust them as per your requirements. However, We would recommend using the default security baseline.

Setting Name Baseline Default
RPC unauthenticated client optionsAuthenticated
Account Logon Audit Credential Validation (Device)Success and Failure
Block user control over installationsYes
Scan incoming email messagesYes
Apply UAC restrictions to local accounts on network logonEnabled
Auto play default auto run behaviorDo not execute
List of Intune Security Baselines Settings for Windows 10 or 11
Configuration Settings - Intune Security Baselines Policies for Windows 10 or Windows 11
Configuration Settings – Intune Security Baselines Policies for Windows 10 or Windows 11

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

On the Assignments tab, select groups to include and assign the baseline to one or more groups. Use Select groups to exclude to fine-tune the assignment. Select Next to continue.

Assignments - Intune Security Baselines Policies for Windows 10 or Windows 11
Assignments – Intune Security Baselines Policies for Windows 10 or Windows 11

When you’re ready to deploy the baseline, advance to the Review + create tab and review the details for the baseline. Select Create to save and deploy the profile.

Review Settings - Intune Security Baselines Policies for Windows 10 or Windows 11
Review Settings – Intune Security Baselines Policies for Windows 10 or Windows 11

A notification will appear automatically in the top right-hand corner with a message. You can see the message “Profile created successfully”. Once you create the profile, it’s pushed to the assigned group and might apply immediately.

Profile Created - Intune Security Baselines Policies for Windows 10 or Windows 11
Profile Created – Intune Security Baselines Policies for Windows 10 or Windows 11

Monitor Intune Security Baselines and Profiles

Intune provides several options to monitor security baselines. You can:

  • Monitor a security baseline, and any devices that match (or don’t match) the recommended values.
  • Monitor the security baseline profile that applies to your users and devices.
  • View how the settings from a selected profile are set on a selected device.
Intune Security Baselines Policies for Windows 10 or Windows 11 Deployment Guide 1
Monitor Security Baselines and Profiles

You can also view the Device configuration report to see which device configuration based policies apply to individual devices, which include security baselines.

Monitoring the profile gives insight into the deployment state of your devices, but not the security state based on the baseline recommendations.

  • In Intune, select Endpoint security > Security baselines, and select a security baseline type like the MDM Security Baseline > MDM Security Baseline for Windows 10 and later for November 2021 > Properties.
  • In the Properties of the baseline, expand Settings to drill in and view all the settings categories and individual settings in the baseline, including their configuration for this instance of the baseline.
Security Baselines Properties - Monitor Security Baselines and Profiles
Security Baselines Properties – Monitor Security Baselines and Profiles

Use the options for Monitor to view the deployment status of the profile on individual devices, the status for each user, and the status of the settings from the instance of the baseline.

Assignment Status - Monitor Security Baselines and Profiles
Assignment Status – Monitor Security Baselines and Profiles

Click on the Per setting status policy report, and This report shows the security baseline status of each setting for the policy across all devices and users.

Per Settings Status - Monitor Security Baselines and Profiles
Per Settings Status – Monitor Security Baselines and Profiles
Setting NameBaseline Default
Block display of toast notificationsYes
Turn on Windows SmartScreenYes
Block Automatically connecting to Wi-Fi hotspotsYes
PowerShell script block loggingEnabled
Scan removable drives during a full scanYes
Block app installations with elevated privilegesYes
List of Intune Security Baselines Settings for Windows 10 or 11

Author

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.