6.0 Defender for Endpoint(MDE): Apply Security Baseline Policy

6.0 Defender for Endpoint(MDE): Apply Security Baseline Policy

In this post, we discuss how to deploy a security baseline policy from MDM for MDE to enforce security policy to manage devices to protect against known security threats.

Assume the situation where we have onboarded devices to MDE and get lots of recommendations to fix. We have multiple options to fix those but not sure which way is better. The recommendation is to use the baseline security policy and see how many recommendations got fixed. After that, fix the remaining recommendation by creating other profiles like ASR, AV, etc. There are multiple security baselines and is created and maintained by Microsoft as below.

Microsoft Defender for Endpoint Baseline: it is a set of recommended security configurations that includes attack surface reduction, BitLocker, device guard, antivirus, firewall protection, device control, exploit protection, and smart screen designed to enforce security for endpoints.

In the below image, we have filtered the recommendation by configuration change and we can see there are 61 items that need to fix. This screenshot is before applying the security baseline policy. We will apply the security baseline policy and will see how many got fixed after that.

Go to Microsoft Intune admin center (endpoint.microsoft.com) and navigate to Endpoint security->Security baselines->Microsoft Defender for Endpoint Baseline->Create profile.

Supply a meaningful name and click on next.

Below are the settings that will be deployed to the endpoints. You can have a quick look at each setting and keep the default. You can change it if you want to make any.

You can define the scope of this policy based on the device tag but we are targetting this policy for all the devices so leave it default.

Assign the policy to the target group. We are targeting it for all the devices in group MDE_VM. Review all the settings and create the policy.

The below image is showing that the policy has been deployed to the device successfully.

If we click on device status then we can see the device name with the status.

We can also see the what are the settings pushed to the devices with status.

Now let's see if there are any changes happening on the MDE portal. Go to the security.microsoft.com->endpoints->Vulnerability management->Recommendations. Filter by remediation type->Configuration change.

Now we can see the recommendation has decreased from 61 to 39.

Even without that filter, there are only 40 recommendations, which means the baseline security has fixed lots of things in one go.


If we use a baseline security policy then we don't need to create so many separate policies and the best part of this is it's maintained by Microsoft so if there are any changes required that will be done by Microsoft.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.