How to Implement Security Baselines in Microsoft Intune for Device Management

Start by navigating to the Microsoft Intune admin center where all security baseline management takes place. This is your central hub for deploying and monitoring security configurations.

Open your web browser and navigate to the Microsoft Intune admin center. Sign in with your administrative credentials that have permissions to manage endpoint security policies.

Once logged in, navigate to Endpoint security in the left navigation pane, then select Security baselines. This section displays all available baseline types that Microsoft maintains and updates automatically.

You'll see several baseline options including:

• Security Baseline for Windows 10 and later
• MDM Security Baseline for Windows
• Microsoft Defender security baseline
• Microsoft 365 Apps security baseline

Choose the primary security baseline that will form the foundation of your device security strategy. The "Security Baseline for Windows 10 and later" is the most comprehensive option for general Windows device management.

Click on Security Baseline for Windows 10 and later from the available baselines list. This baseline contains Microsoft's recommended security settings for Windows devices and is regularly updated by the same Windows security team that creates Group Policy baselines.

Review the baseline overview page which shows:

• Current version information
• Number of settings included
• Last update timestamp
• Deployment statistics if you have existing profiles

Click Create profile to begin configuring your baseline deployment. This opens the profile creation wizard where you'll customize settings for your organization.

Set up the fundamental profile information that will help you identify and manage this baseline deployment across your organization.

On the Basics tab, configure the following required fields:

• Name: Enter a descriptive name like "Corporate Windows Security Baseline - 2026"
• Description: Add details about the purpose and scope, such as "Standard security configuration for all corporate Windows devices with BitLocker and authentication requirements"

The name should be specific enough to distinguish this profile from others you might create. Include the date or version information to track updates over time.

Click Next to proceed to the Configuration settings tab where you'll review and customize the actual security settings.

Examine the default security configurations and modify them to match your organization's specific requirements. The baseline comes preconfigured with Microsoft's recommended settings, but you can adjust them as needed.

On the Configuration settings tab, you'll see categories of security settings. Key default configurations include:

• BitLocker: Automatically enabled for removable drives
• Authentication: Requires passwords to unlock devices
• Network Security: Disables basic authentication protocols
• Windows Defender: Enhanced threat protection settings

To modify a setting:

1. Expand the relevant category (e.g., "BitLocker")
2. Click on the setting you want to change
3. Select your preferred configuration from the dropdown
4. Review the setting description to understand its impact

Common customizations include:

• Adjusting password complexity requirements
• Modifying BitLocker encryption methods
• Configuring Windows Defender exclusions
• Setting firewall rules for specific applications

Set up scope tags to control which administrators can manage this baseline profile and which devices it can be applied to. This is crucial for organizations with multiple IT teams or geographic regions.

On the Scope tags tab, you can assign scope tags that limit administrative access to this profile. If your organization uses role-based access control, this step ensures only authorized administrators can modify the baseline.

To add scope tags:

1. Click Select scope tags
2. Choose from existing scope tags like "IT-Corporate", "Regional-EMEA", or "Security-Team"
3. Select the tags that match your administrative structure
4. Click Select to apply the tags

If you don't use scope tags or want all administrators to access this profile, you can leave this section empty. The profile will inherit the default scope.

Configure which users or devices will receive this security baseline. Proper assignment ensures the baseline applies to the right devices while avoiding conflicts with existing policies.

On the Assignments tab, you'll configure deployment targets. Security baselines can be assigned to either user groups or device groups, depending on the scope of settings being configured.

To assign the baseline:

1. Click Select groups to include
2. Choose your target groups from the list (e.g., "All Corporate Devices" or "Finance Department Users")
3. Click Select to add the groups

For exclusions, if needed:

1. Click Select groups to exclude
2. Choose groups that should not receive this baseline (e.g., "Test Devices" or "Executive Laptops")
3. Click Select to add exclusions

Best practices for assignments:

• Start with a pilot group of 10-20 devices for testing
• Use device groups for settings that affect the entire device
• Use user groups for settings that follow the user across devices
• Avoid overlapping assignments that might create conflicts

Complete the baseline deployment and set up monitoring to track compliance across your device fleet. This final step activates the security settings and provides ongoing visibility into their effectiveness.

On the Review + create tab, review all your configuration choices:

• Profile name and description
• Number of configured settings
• Scope tag assignments
• Target group assignments

Click Create to deploy the baseline. Intune immediately begins applying the settings to assigned devices during their next policy refresh cycle (typically within 8 hours for new policies).

To monitor deployment progress:

1. Return to Endpoint security > Security baselines
2. Select your baseline type
3. Click on Profiles to see your deployed profile
4. Click on your profile name to view the overview dashboard

The monitoring dashboard shows:

• Device compliance status: Compliant, non-compliant, and error counts
• Setting details: Which specific settings are causing compliance issues
• Device list: Individual device status and last check-in times

Manage ongoing baseline maintenance as Microsoft releases new versions and security updates. The cloud-managed system automatically provides new baseline versions, but you control when to migrate your deployments.

When Microsoft releases a new baseline version (using the current CSP-based format introduced in May 2023), you'll see a notification in the Intune admin center. To migrate to a newer version:

1. Navigate to Endpoint security > Security baselines
2. Select your baseline type
3. Click on Profiles
4. Select the checkbox next to the profile you want to migrate
5. Click Change Version from the toolbar

The migration wizard will:

• Show differences between your current version and the new version
• Highlight new settings added to the baseline
• Identify any settings that have changed default values
• Allow you to review and approve the migration

During migration, you can:

• Accept all new default settings
• Customize new settings before applying
• Review the impact on currently assigned devices