Deploy Intune MDM Security Baseline

Microsoft is now providing a security baseline for the modern workplace through Intune Mobile Device Management (MDM). The concept is well known from the GPO world, with the Security and Compliance Toolkit (SCT).

This is a good entry point for security on modern workplaces. It can help you define your company security strategy by showing what you can set through MDM. It’s a collection of configuration settings recommended by Microsoft.

It’s a good way to ensure the best protection across devices without having to learn every MDM possibility in depth.


As a starting point for Microsoft's security baselines (Windows 10 October 2018 release), here are the settings Microsoft will configure to ensure the best protection. It is up to you to modify these settings and enable your own. The list of settings will grow, following consumer needs and best practices.

Above Lock
App Runtime
Application Management
Auto Play
Credentials Delegation
Credentials UI
Data Protection
Device Guard
Device Installation
Device Lock
Event Log Service
Exploit Guard
File Explorer
Internet Explorer
Local Policies Security Options
MS Security Guide
MSS Legacy
Remote Desktop Services
Remote Management
Remote Procedure Call
Smart Screen
Windows Connection Manager
Windows Defender
Windows Ink Workspace
Windows PowerShell

You can find the full description here:

This is what the security baseline offers to Modern Workplace admins:

  • In-depth reporting on the state of each setting in the baseline on every device in your organization
  • A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM
  • A versioning experience to stay up-to-date when Microsoft updates security baseline recommendations


1. Add security baselines to your Azure Tenant and select Preview: MDM Security Baseline for October 2018

Add Security Baselines in your Azure view

2. Create your first profile by clicking on Create profile

Create your first profile

3. Review profile settings and click Create

Set your first security baseline profile

4. You still need to assign the profile to your test users.

Assign to selected groups

And you are all set!

You can now get metrics on profile assignment and list all devices that do not match the baseline or are not configured correctly.

More information

First blog information from Microsoft

All security baselines in details

Deploy security baseline
