(67) Security Baselines
- Mr B SOE way
- May 30, 2023
Within Microsoft Intune there are a number of security baselines. To read more about what security baselines are and why to use them, refer to https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
The baselines listed below are recommended for your pilot devices and production environments.

Navigate to https://endpoint.microsoft.com/, select Endpoint Security, then select Security Baselines. Click on each security baseline and select Create profile.
Recommendations:
For Security Baseline for Windows 10 and later, create the profile and set the values listed in the table to "Not Configured".
To exclude the removable drive policy from being picked up by the security baseline, set the BitLocker removable drive policy to "Not configured".
For Microsoft Defender for Endpoint Baseline, create the profile and set the values listed in the table to "Not Configured".
For Security Baseline for Microsoft Edge, create the profile and deploy to your groups. There is a new release for Microsoft Edge, which can be found here: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-112/ba-p/3789975. No exceptions are needed in this case.
For Windows 365 Security Baseline, create the profile and deploy to your W365 devices. More detail can be found here: https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-windows-365
For Microsoft 365 Apps for Enterprise Security Baseline, create the profile and deploy to your devices. No exceptions are needed in this case unless your environment is not using the Microsoft 365 Apps suite. More information can be found here: https://learn.microsoft.com/en-us/deployoffice/security/security-baseline


