Security Baselines
Deploy Microsoft-recommended security configurations to Windows devices using security baselines. These pre-configured policy sets implement security best practices for Windows, Edge, Defender, and Microsoft 365 Apps.
Note: Security baselines are curated by Microsoft security teams based on real-world attack data and industry standards. Regular updates address new threats.
Available Baselines
Windows Security Baseline
Core Windows security settings: credential protection, BitLocker, Windows Defender Firewall, audit policies, and user rights.
Platform: Windows 11. Version: November 2024
Microsoft Defender for Endpoint
Defender antivirus, attack surface reduction, exploit protection, network protection, and controlled folder access settings.
Platform: MDE. Version: December 2024
Microsoft Edge Security
Browser security settings: SmartScreen, password manager, InPrivate mode, extension controls, and SSL/TLS configuration.
Platform: Edge. Version: October 2024
Microsoft 365 Apps
Office application security: macro settings, ActiveX controls, protected view, and document trust settings.
Platform: Office. Version: September 2024
Baseline Settings Overview
Credential Protection
- Credential Guard enabled
- Remote Credential Guard
- Block mimikatz-style attacks
- NTLM restrictions
BitLocker Encryption
- Require encryption on OS drive
- Encryption method: XTS-AES 256
- TPM + PIN or TPM + startup key
- Recovery key backup to Azure AD
Firewall Configuration
- Firewall enabled for all profiles
- Block inbound connections by default
- Stealth mode enabled
- Logging for dropped packets
Account Protection
- Disable local administrator
- Block Microsoft accounts
- Account lockout policies
- Password requirements
Deploying Baselines
- Create Profile — Select baseline type and version to use.
- Review Settings — Examine default settings. Customize if needed.
- Assign to Groups — Target pilot group first, then expand to production.
- Monitor Compliance — Track which devices meet baseline requirements.
Customizing Baselines
You can modify baseline settings while keeping the baseline structure:
Override Individual Settings
Change specific settings while keeping others at recommended values. Useful for business exceptions.
Set to “Not Configured”
Mark settings as not configured to avoid conflicts with existing policies. Setting becomes unmanaged.
Document Changes
Use description field to document why you deviated from Microsoft recommendations for audit purposes.
Warning: Use Microsoft’s defaults when possible. Deviations may reduce security posture.
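The three customization steps above (override a setting, set a setting to Not Configured, document the deviation) can be modelled as one small data structure. The following is an added example, not code from the product or from Microsoft: the template, the setting names and the ticket reference are constructed placeholders, and the real catalogue of setting identifiers comes from the baseline template itself. The point it shows is that a deviation is only accepted together with a reason, and that a Not Configured setting drops out of the managed set while the audit trail keeps the recommended value it replaced.

```python
"""Customize a security baseline profile while keeping its structure.

Added example, not the product's own code. TEMPLATE and every setting
name below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict

NOT_CONFIGURED = "Not Configured"

# Constructed stand-in for a baseline template (setting -> recommended value).
TEMPLATE: Dict[str, str] = {
    "CredentialGuard": "Enabled",
    "BitLockerMethod": "XTS-AES 256",
    "FirewallAllProfiles": "Enabled",
    "FirewallLogDroppedPackets": "Enabled",
    "LocalAdminAccount": "Disabled",
    "BlockMicrosoftAccounts": "Enabled",
}


@dataclass
class BaselineProfile:
    name: str
    version: str
    settings: Dict[str, str]                                   # setting -> managed value
    overrides: Dict[str, dict] = field(default_factory=dict)   # audit trail of deviations

    def override(self, setting: str, value: str, reason: str) -> None:
        """Change one setting; every other setting keeps its recommended value.

        A non-empty reason is mandatory so the deviation is documented for audit.
        """
        if setting not in self.settings:
            raise KeyError(f"{setting!r} is not part of the baseline")
        if not reason.strip():
            raise ValueError("a documented reason is required for every deviation")
        # Keep the original recommendation even if a setting is overridden twice.
        recommended = self.overrides.get(setting, {}).get("recommended", self.settings[setting])
        self.settings[setting] = value
        self.overrides[setting] = {"recommended": recommended, "actual": value, "reason": reason}

    def set_not_configured(self, setting: str, reason: str) -> None:
        """Mark a setting unmanaged so it cannot conflict with an existing policy."""
        self.override(setting, NOT_CONFIGURED, reason)

    def managed_settings(self) -> Dict[str, str]:
        """Settings the profile will actually enforce (Not Configured ones are excluded)."""
        return {k: v for k, v in self.settings.items() if v != NOT_CONFIGURED}

    def description(self) -> str:
        """Text for the profile's description field: one line per deviation."""
        if not self.overrides:
            return f"{self.name} {self.version}: Microsoft defaults, no deviations"
        lines = [f"{self.name} {self.version}: {len(self.overrides)} deviation(s) from Microsoft defaults"]
        for setting, entry in sorted(self.overrides.items()):
            lines.append(f"- {setting}: {entry['recommended']} -> {entry['actual']} ({entry['reason']})")
        return "\n".join(lines)


def build_example_profile() -> BaselineProfile:
    """Build a profile from the constructed template and apply two documented deviations."""
    profile = BaselineProfile("Windows Security Baseline", "November 2024", dict(TEMPLATE))
    profile.override("LocalAdminAccount", "Enabled",
                     "break-glass account required by site operations, change ticket CHG-0000 (placeholder)")
    profile.set_not_configured("FirewallLogDroppedPackets",
                               "already managed by an existing firewall policy; avoid conflict")
    return profile


if __name__ == "__main__":
    print(build_example_profile().description())
```

The description text is what belongs in the profile's description field: it lists the recommended value, the value actually deployed and the reason, which is exactly what an auditor asks for when a device later shows up as differing from Microsoft's defaults.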
Baseline Versions
Version Updates
Microsoft releases new baseline versions with Windows updates. New versions may add settings or change recommendations.
Upgrading Baselines
Create new profile with latest version. Compare settings between old and new. Migrate assignments when ready.
Version Comparison
Use compare feature to see what changed between baseline versions. Helps assess impact of upgrade.
Compliance Monitoring
- Compliant — All settings match baseline
- Not Compliant — One or more settings differ
- Error — Could not evaluate
Click on non-compliant devices to see which settings are out of compliance and the expected vs. actual values.
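The two evaluations described above, comparing what changed between two baseline versions and classifying each device as Compliant, Not Compliant or Error with the expected versus actual values, are shown below as an added example. This is not the product's own compare or compliance code, and the two baseline versions and the device reports are constructed sample data; real setting identifiers come from the baseline templates and real device state comes from the compliance report.

```python
"""Compare two baseline versions and evaluate devices against a baseline.

Added example, not the product's own code. BASELINE_V1, BASELINE_V2 and
DEVICE_REPORTS are constructed sample data.
"""
from typing import Any, Dict, Optional

NOT_CONFIGURED = "Not Configured"

# Constructed: an older and a newer version of the same baseline.
BASELINE_V1: Dict[str, str] = {
    "CredentialGuard": "Enabled",
    "BitLockerMethod": "XTS-AES 256",
    "FirewallAllProfiles": "Enabled",
    "FirewallLogDroppedPackets": "Disabled",
    "LocalAdminAccount": "Disabled",
}
BASELINE_V2: Dict[str, str] = {
    **BASELINE_V1,
    "FirewallLogDroppedPackets": "Enabled",   # recommendation changed
    "NtlmAuditing": "Enabled",                # setting added in the new version
}

# Constructed: what three devices reported back (None = value could not be read).
DEVICE_REPORTS: Dict[str, Dict[str, Optional[str]]] = {
    "PC-01": {**BASELINE_V2},
    "PC-02": {**BASELINE_V2, "LocalAdminAccount": "Enabled"},
    "PC-03": {**BASELINE_V2, "CredentialGuard": None},
}


def compare_versions(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Any]:
    """Return settings added, removed and changed between two baseline versions."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return {"added": added, "removed": removed, "changed": changed}


def evaluate_compliance(baseline: Dict[str, str], report: Dict[str, Optional[str]]) -> Dict[str, Any]:
    """Classify one device report as Compliant, Not Compliant or Error.

    Settings the baseline leaves Not Configured are not evaluated. A setting
    missing from the report, or reported as None, could not be evaluated.
    A device with any known difference is Not Compliant; Error is reported only
    when nothing is known to differ but some setting could not be evaluated.
    """
    managed = {k: v for k, v in baseline.items() if v != NOT_CONFIGURED}
    differences: Dict[str, Dict[str, str]] = {}
    unevaluated = []
    for setting, expected in managed.items():
        actual = report.get(setting)
        if actual is None:
            unevaluated.append(setting)
        elif actual != expected:
            differences[setting] = {"expected": expected, "actual": actual}
    if differences:
        state = "Not Compliant"
    elif unevaluated:
        state = "Error"
    else:
        state = "Compliant"
    return {"state": state, "differences": differences, "unevaluated": unevaluated}


def evaluate_fleet(baseline: Dict[str, str],
                   reports: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Map each device name to its compliance state."""
    return {device: evaluate_compliance(baseline, report)["state"]
            for device, report in reports.items()}


if __name__ == "__main__":
    print("version diff:", compare_versions(BASELINE_V1, BASELINE_V2))
    for device, report in DEVICE_REPORTS.items():
        print(device, evaluate_compliance(BASELINE_V2, report))
```

Running the version comparison before migrating assignments is what turns an upgrade into a reviewable change: the "changed" entries are the settings whose new recommendation may need a documented override, and the "added" entries are the ones a pilot group has never been evaluated against.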
Best Practices
- Start with pilot group — Test baselines on a small group before broad deployment.
- Keep baselines current — Update to latest versions as they’re released to stay protected.
- Minimize customization — Use Microsoft defaults when possible. Document all deviations.
- Watch for conflicts — Avoid deploying overlapping policies. Baselines should be primary source.
API Reference
- GET /api/devices/security-baselines — List deployed security baselines
- GET /api/devices/security-baselines/templates — List available baseline templates
- GET /api/devices/security-baselines/:id/compliance — Get compliance status for baseline
- POST /api/devices/security-baselines — Create baseline profile
- GET /api/devices/security-baselines/compare — Compare baseline versions