Security Baselines

Deploy Microsoft-recommended security configurations to Windows devices using security baselines. Pre-configured policy sets implement best practices for Windows, Edge, Defender, and Microsoft 365 Apps.

Available Baselines

Windows Security Baseline

Core Windows security: credential protection, BitLocker, Defender Firewall, audit policies, user rights. Targets Windows 10/11.

Microsoft Defender for Endpoint

Defender antivirus, attack surface reduction (ASR), exploit protection, network protection, and controlled folder access.

Microsoft Edge Security

Browser security: SmartScreen, password manager, InPrivate mode, extension controls, SSL/TLS.

Microsoft 365 Apps

Office security: macro settings, ActiveX controls, protected view, document trust.

Key Settings

Credential Protection

  • Credential Guard enabled
  • Remote Credential Guard
  • Block Mimikatz-style attacks
  • NTLM restrictions

BitLocker Encryption

  • Require encryption on OS drive
  • XTS-AES 256 encryption method
  • Recovery key backup to Azure AD

Firewall Configuration

  • Firewall enabled for all profiles
  • Block inbound by default
  • Stealth mode enabled
  • Logging for dropped packets

Deploying Baselines

  1. Create a security baseline profile
  2. Select baseline type and version
  3. Review default settings and customize if needed
  4. Assign to a pilot group first
  5. Monitor compliance and expand

Customizing Baselines

  • Override individual settings while keeping others at recommended values
  • Set a setting to Not Configured to avoid conflicts
  • Document changes for audit purposes

Compliance Monitoring

  • Compliant — All settings match baseline
  • Not Compliant — One or more settings differ
  • Error — Could not evaluate
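
A local spot-check for several of the Key Settings listed earlier (Credential Guard, BitLocker on the OS drive, Defender Firewall profiles), reported with the three states above. This is an added example, not part of the product or its API; the helper name Test-Setting is hypothetical, and it assumes an elevated Windows PowerShell session on a Windows 10/11 device.

```powershell
# Added example (not the product's own code). Run in an elevated session.
# Test-Setting is a hypothetical helper: it maps a check to the three
# compliance states used on this page.
function Test-Setting {
    param([string]$Name, [scriptblock]$Check)
    try {
        $ok = & $Check
        $state = if ($ok) { 'Compliant' } else { 'Not Compliant' }
    } catch {
        # Cmdlet missing, access denied, WMI class unavailable, etc.
        $state = 'Error'
    }
    [pscustomobject]@{ Setting = $Name; State = $state }
}

$results = @(
    Test-Setting 'Credential Guard running' {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        # SecurityServicesRunning: 1 = Credential Guard
        $dg.SecurityServicesRunning -contains 1
    }

    Test-Setting 'OS drive protected with XTS-AES 256' {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $vol.ProtectionStatus -eq 'On' -and $vol.EncryptionMethod -eq 'XtsAes256'
    }

    foreach ($p in 'Domain', 'Private', 'Public') {
        Test-Setting "Firewall ($p): enabled, inbound blocked, drops logged" {
            # ActiveStore is the effective policy after MDM/GPO is merged,
            # not just the locally configured values.
            $fw = Get-NetFirewallProfile -Name $p -PolicyStore ActiveStore -ErrorAction Stop
            $fw.Enabled -eq 'True' -and
                $fw.DefaultInboundAction -eq 'Block' -and
                $fw.LogBlocked -eq 'True'
        }
    }
)

$results | Format-Table -AutoSize
```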

Best Practices

  • Start with a pilot group before broad deployment
  • Keep baselines current with latest versions
  • Minimize customization from defaults
  • Watch for policy conflicts

API Reference

  • GET /api/devices/security/baselines — List baselines
  • GET /api/devices/security/baselines/templates — List templates
  • GET /api/devices/security/baselines/:id/compliance — Get compliance
  • POST /api/devices/security/baselines — Create profile