Security: How to use Security Baselines and which policies can cause impact for your environment

This blog article covers the implementation options of the different Microsoft Intune security baselines and gives an overview of policies that can impact your users.

  1. For what purpose are the security baselines?
  2. What security baselines are available?
  3. How should the security baselines be used? How do I start?
  4. Which policies should be considered and checked in particular, as they could affect the user experience in your company?

For what purpose are the security baselines?

The Microsoft Intune security baselines are a collection of security policies compiled by the Microsoft security team, Windows developers and the security community. With Microsoft Intune, a security baseline can be activated with a few mouse clicks. However, while the baseline profile itself is created quickly, analyzing, reviewing and testing all of its settings takes considerably longer. The most important thing to know about security baselines is that you cannot simply activate all of them and distribute them to all productive clients. The security baselines increase security, but various settings will have a major impact on your users. A rollout must be carefully planned and users must be informed of changes in advance. Below you will find a list of settings that you should particularly consider and adapt to your organizational requirements.

What security baselines are available?

The following security baselines are available for use with Microsoft Intune (name, current baseline version and description):

Security Baseline for Windows 10 and later (current baseline: November 2021)
  • Provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, and settings for some security features like Microsoft Defender Antivirus.

Microsoft Defender for Endpoint Baseline (current baseline: Version 6)
  • Provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR).
  • The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
  • To use this baseline your environment must have a Microsoft Defender for Endpoint subscription.

Microsoft Edge Baseline (current baseline: September 2020, Edge version 85 and later)
  • Provides a comprehensive set of recommended security settings for the Microsoft Edge web browser.

Windows 365 Security Baseline (Preview) (current baseline: November 2021)
  • Provides a comprehensive set of recommended security settings for Windows 365 (Microsoft Cloud PC).
  • Microsoft doesn’t recommend using preview versions of security baselines in a production environment. The settings in a preview baseline might change over the course of the preview.

(Figure: Security Baselines)

How should the security baselines be used? How do I start?

The easiest way to start is with the “Security Baseline for Windows 10 and later” baseline. To do this, all default settings can first be applied to a test client. If you have a Microsoft Defender for Endpoint subscription, Microsoft recommends that you also use the “Microsoft Defender for Endpoint Baseline”:

Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-worldwide#compare-the-microsoft-defender-for-endpoint-and-the-windows-intune-security-baselines

In a third step, the Microsoft Edge baseline can be applied. The Microsoft Defender for Endpoint and Microsoft Edge baselines should first be applied to a test client with the default settings. The Windows 365 Security Baseline was only developed for Microsoft Cloud PCs and should currently only be used for test purposes.

If you are already distributing BitLocker, Windows Defender Antivirus or Windows Defender Firewall settings via Microsoft Intune (e.g. via Endpoint Security or Configuration Profiles), you should remove the assignments first, otherwise conflicts may occur. The following best practices approach can be followed when it comes to policy assignments via Microsoft Intune.

(Figure: How to deploy policies with MEM)

Which policies should be considered and checked in particular, as they could affect the user experience in your company?

(Each entry lists: Settings | Baseline | Impact Description | User Experience / Comments)

Category: Attack Surface Reduction Rules (Microsoft Defender for Endpoint Baseline); Microsoft Defender (Security Baseline for Windows 10 and later)

Settings:
  • Block Office communication application from creating child processes: Enable
  • Block Office applications from creating executable content: Block

Baseline: Microsoft Defender for Endpoint Baseline and Security Baseline for Windows 10 and later

Impact Description: This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

User Experience / Comments: If you use third-party Office add-ins, there is a very good chance that they will be blocked by Attack Surface Reduction rules. Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity. To find the audited entries on a client, open Event Viewer, go to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and filter the current log for “Warning”.

Or you can review it even more easily with Microsoft Defender for Endpoint. There are already predefined “Attack surface reduction” reports available, where “Blocked” and “Audited” events are reported:
https://security.microsoft.com – Reports – Attack surface reduction rules
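The Event Viewer check above can be scripted, which makes it easier to see which rule and which process would hit your line-of-business applications before switching from audit to block. This is an added example, not code from the original post; it assumes the documented ASR event IDs in the Defender Operational log (1121 = blocked, 1122 = audited), the message layout “ID: <guid>” / “Process Name: <path>”, and the rule GUIDs for the two rules above as published by Microsoft.

```powershell
# Added example: summarize ASR audit/block events on a client.
# Assumes event IDs 1121 (blocked) and 1122 (audited) in the Defender Operational log.
# Run in an elevated PowerShell session.

# Friendly names for the two rules discussed above (GUIDs as documented by
# Microsoft; verify against the current ASR rule reference before relying on them)
$RuleNames = @{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the rule GUID and the offending process out of the event message text
    $ruleId = if ($e.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { 'unknown' }
    $proc   = if ($e.Message -match 'Process Name:\s*(\S.*)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        Rule    = if ($RuleNames.ContainsKey($ruleId)) { $RuleNames[$ruleId] } else { $ruleId }
        Process = $proc
        Time    = $e.TimeCreated
    }
}

# Most frequent (mode, rule, process) combinations first: these are the
# candidates for exclusions before a rule is moved from Audit to Block
$rows | Group-Object Mode, Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Mode, Rule, Process'; e = { $_.Name } } |
    Format-Table -AutoSize

# Current per-rule mode on this client (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $name = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { $id }
    '{0,-75} action={1}' -f $name, $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The second part shows the mode the baseline actually applied on the device, so you can confirm a rule is still in audit mode (2) while you collect data.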
Category: BitLocker

Settings: BitLocker system drive policy – Startup authentication required: Yes

Baseline: Microsoft Defender for Endpoint Baseline

Impact Description: This setting allows you to configure whether BitLocker requires more authentication each time the computer starts. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

User Experience / Comments: Most users will likely be annoyed at having to remember an additional PIN and will use the same PIN as for Windows Hello for Business or, even worse, write the PIN on a piece of paper and keep it with the device. In most cases, this will not improve security unless you have the users on your side and they understand that the extra PIN brings a security benefit.

Also important to note:
For silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required. It is recommended that the PIN is disabled where silent enablement of BitLocker is required.

To disable BitLocker startup authentication, the following setting must be adjusted:

BitLocker – BitLocker system drive policy:
Startup authentication required: Not Configured
Category: BitLocker

Settings: BitLocker removable drive policy – Block write access to removable data-drives not protected by BitLocker: Yes

Baseline: Microsoft Defender for Endpoint Baseline and Security Baseline for Windows 10 and later

Impact Description: When set to Yes, Windows will not allow any data to be written to removable drives that are not BitLocker protected. If an inserted removable drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not Configured will allow data to be written to non-encrypted removable drives.

User Experience / Comments: The policy is included in the baselines “Microsoft Defender for Endpoint Baseline” as well as in “Security Baseline for Windows 10 and later”.

Here the question arises as to how a company has defined the handling of external storage media (USB sticks, external hard drives). Certainly, activation must be planned and communicated in advance.

To remove the blocking, the following must be adjusted:

BitLocker removable drive policy: Not Configured
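For both BitLocker entries above (startup authentication and the removable-drive write block), it helps to see what a test client actually ended up with after the baseline was applied. This is an added example, not code from the original post; it assumes the built-in BitLocker module (Get-BitLockerVolume) and Storage module (Get-Volume) on a Windows client and an elevated session.

```powershell
# Added example: report BitLocker key protectors and the effect of the two
# baseline settings on each volume of this client.

# Drive letters of removable data drives (USB sticks, external disks)
$removable = [string[]](Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { [string]$_.DriveLetter })

$report = Get-BitLockerVolume | ForEach-Object {
    $types   = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $letter  = $_.MountPoint.TrimEnd(':', '\')
    $isRemov = $letter -in $removable
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType            # OperatingSystem or Data
        ProtectionStatus = $_.ProtectionStatus      # On / Off
        KeyProtectors    = ($types -join ', ')
        # "Startup authentication required: Yes" shows up as a TPM+PIN protector
        # on the OS volume; TPM-only silent enablement shows just "Tpm"
        StartupPin       = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        # With "Block write access to removable data-drives not protected by
        # BitLocker: Yes", an unprotected removable drive becomes read-only
        WriteBlocked     = ($isRemov -and $_.ProtectionStatus -ne 'On')
    }
}
$report | Format-Table -AutoSize
```

A client enrolled via Autopilot that shows only a “Tpm” protector and StartupPin = False is the silent-enablement case the note above refers to.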
Category: Browser

Settings: Prevent user from overriding certificate errors: Yes

Baseline: Security Baseline for Windows 10 and later

Impact Description: Microsoft Edge, by default, allows overriding of the security warnings for sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.

User Experience / Comments: If you use internal websites that do not have an SSL certificate, you will no longer be able to access these websites. Before this policy can be activated, it must be ensured that all company-relevant web services have an SSL certificate. Sometimes WLAN access points still have login websites that do not have an SSL certificate (e.g. in hotels). This means that access to the WLAN would then also no longer work.

In order to continue using websites without an SSL certificate, the setting Prevent user from overriding certificate errors: “Yes” must be set to “Not Configured”.
Category: Local Policies Security Options

Settings: Standard user elevation prompt behavior: Automatically deny elevation requests

Baseline: Security Baseline for Windows 10 and later

Impact Description: This policy setting controls the behavior of the elevation prompt for standard users.
Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed.

User Experience / Comments: If you use the “Run as administrator” feature with your standard users to perform administrative tasks, this will no longer work after activating this setting.

If you want to continue using the “Run as administrator” feature, just change the setting from “Automatically deny elevation requests” to “Prompt for credentials on the secure desktop”.
Category: Microsoft Edge

Settings: Control which extensions cannot be installed: Enabled
  • Extension IDs the user should be prevented from installing (or * for all): * is selected by default

Baseline: Microsoft Edge Baseline

Impact Description: List the specific extensions that users can’t install in Microsoft Edge. Use * to block all extensions that aren’t explicitly listed in the allow list. When you deploy this policy, any extensions on this list that were previously installed by users are disabled, and the user won’t be able to enable them. If you remove an item from the list of blocked extensions, that extension is automatically re-enabled anywhere it was previously installed. Note that * is selected by default, so all extensions will be blocked.

User Experience / Comments: One exception should be noted. If the extensions were distributed via the configuration setting “Control which extensions are installed silently”, they are not deactivated. The block only affects extensions that have been installed by the user.

Extensions that are already installed can be checked via Microsoft Defender Vulnerability Management:
https://security.microsoft.com/vulnerability-management-inventories/extensions

It is to be determined whether extensions in your environment are to be blocked in general. Specific extensions can be distributed to all users via the policy “Control which extensions are installed silently”.
If you want to leave it up to your users or only block specific extensions, then the policy can be adjusted as follows:

Control which extensions cannot be installed: Disabled or Enabled

If Enabled, remove * (all) from “Extension IDs the user should be prevented from installing” and add just your specific extensions.
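To confirm on a test client what the Edge baseline actually wrote, and which silently installed extensions will survive the “*” blocklist, the policy values can be read from the registry. This is an added example, not code from the original post; it assumes the Edge ADMX-backed policies land under HKLM:\SOFTWARE\Policies\Microsoft\Edge as the lists ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionInstallForcelist.

```powershell
# Added example: inspect the effective Edge extension policy lists on a client.
# Assumes the policy registry location HKLM:\SOFTWARE\Policies\Microsoft\Edge.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList([string]$Name) {
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) { return @() }
    # Each list entry is a numbered value ("1", "2", ...) under the list's subkey
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string]$_.Value }
}

$blocked = @(Get-EdgePolicyList 'ExtensionInstallBlocklist')
$allowed = @(Get-EdgePolicyList 'ExtensionInstallAllowlist')
# Force-list entries are "extension_id;update_url"; keep only the id
$forced  = @(Get-EdgePolicyList 'ExtensionInstallForcelist' | ForEach-Object { ($_ -split ';')[0] })

if ($blocked -contains '*') {
    Write-Output 'Blocklist contains "*": every user-installed extension not on the allow list is disabled.'
} else {
    Write-Output ('Blocked extension IDs: ' + (($blocked | Sort-Object) -join ', '))
}
Write-Output ('Allow-listed extension IDs: ' + ($allowed -join ', '))
# Silently installed (force-listed) extensions are not affected by the blocklist
Write-Output ('Force-installed extension IDs (stay active): ' + ($forced -join ', '))
```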
Category: Microsoft Edge

Settings: Allow users to proceed from the SSL warning page: Disabled

Baseline: Microsoft Edge Baseline

Impact Description: Microsoft Edge, by default, allows overriding of the security warnings for sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.

User Experience / Comments: This is the same policy that is used in the “Security Baseline for Windows 10 and later” baseline, only here it is named a bit differently: “Allow users to proceed from the SSL warning page”. Therefore, the same considerations apply:

If you use internal websites that do not have an SSL certificate, you will no longer be able to access these websites. Before this policy can be activated, it must be ensured that all company-relevant web services have an SSL certificate. Sometimes WLAN access points still have login websites that do not have an SSL certificate (e.g. in hotels). This means that access to the WLAN would then also no longer work.

In order to continue using websites without an SSL certificate, the setting Allow users to proceed from the SSL warning page: “Disabled” must be set to “Not Configured”.

(Figure: Security Baseline Policies that need to be checked with care)

Under no circumstances should this list be considered complete. Depending on how work is done and which applications are used, various other policies may also have an impact. I would therefore be interested to know which security baseline default policies you had to rethink and adapt. Let me know in the comments. The aim is to update the list continuously and provide an optimal rollout guideline for security baselines.
