Deploy security baselines
Windows 365 Security Baselines are a set of policy templates built on security best practices and experience from real world implementations. You can use security baselines to get security recommendations that can help lower risks. The Windows 365 baselines enable security configurations for Windows 10, Microsoft Edge, and Microsoft Defender for Endpoint. They include versioning features and help customers choose when to update user policies to the latest release.
Windows 365-branded security baselines are a group of tested and validated recommended settings available in Microsoft Intune that apply to the following areas:
- Windows 10 settings: 1809
- MDATP settings: version 4
- Microsoft Edge settings: April 2020 (Microsoft Edge version 80 and later)
You can optionally apply Windows 365 security baselines to the Microsoft Entra groups containing Cloud PC devices in your tenant.
Tip
Like any configuration change, it is always a good idea to test the security baseline on a pilot group of Cloud PCs. For information on how to build a rollout plan in Microsoft Intune, see the Microsoft Intune planning guide. For information on Microsoft Defender for Endpoint features can be tested, see Test how Microsoft Defender for Endpoint features work in audit mode.
Sign in to the Microsoft Intune admin center select Endpoint Security > View Security Baselines.
Select Windows 365 Security Baseline (Preview).
Select Create Profile and provide a name for your profile.
On the Basics page, provide a Name > Next.
On the Configuration settings tab, view the groups of settings that are available in the baseline you selected. You can expand a group to view the settings in that group, and the default values for those settings in the baseline. To find specific settings:
- Select a group to expand and review the available settings.
- Use the Search bar and specify keywords that filter the view to display only those groups that contain your search criteria.
Each setting in a baseline has a default configuration for that baseline version. Reconfigure the default settings to meet your business needs. Different baselines might contain the same setting, and use different default values for the setting, depending on the intent of the baseline.
Select Next.
On the Scopes page, optionally select scope tags > Next.
On the Assignments tab, select a device group with the Cloud PCs to include and then assign the baseline to one or more groups with your Cloud PCs. Use Add groups under Excluded groups to fine-tune the assignment. Select Next.
When you're ready to deploy the baseline, advance to the Review + create tab and review the details for the baseline. Select Create to save and deploy the profile.
As soon as you create the profile, it's pushed to the assigned group and will apply immediately.
For more information, see Use security baselines to configure Windows devices in Intune.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for