This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 25%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Hi all,
As the Defender for endpoint license is included with my M365 Business Premium i'm looking into this as a possible AV solution.
We use intune autopilot and the Configuration profiles and Compliance policies to secure and limit the devices.
This is combined with Conditional Access to push certain security baselines to the device and also the user.
Now we use a device restriction configuration profile in intune that blocks certain items. Now the "endpoint security" tab (via the intune admin center) allows you to create 4 Security Baselines.
Can anyone tell me what will happen to my existing policies if i configure the "Security Baseline for Windows 10 and later" and "Microsoft Defender for Endpoint Baseline" ?
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 62%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Tom Meeus , Thanks for posting in Q&A.
For your questions, here are my answers for your reference:
Q1: What will happen to my existing policies if I configure the "Security Baseline for Windows 10 and later" and "Microsoft Defender for Endpoint Baseline"?
A1: In General, many of the settings you can configure for devices can be managed by different features in Intune. When you use multiple methods or instances of the same method to configure the same setting, ensure your different methods either agree or aren't deployed to the same devices, otherwise they will conflict. Say in other words, if you use device configuration, please don't use endpoint security.
Here is a link with some details for your reference:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security#avoid-policy-conflicts
Q2: From a management perspective, should I prefer Intune to determine this baseline or the Endpoint security?
A2: In fact, Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints, and endpoint security is just one feature available in Intune. Endpoint security policies are intended to assist you in focusing on the security of your devices while also reducing risk. If you want to deploy such policies in a batch, Intune is a good option.
Q3: If at a certain point the Cxo’s want to move to another AV/protection suite, should I leave the baselines at Intune?
A3: Based as I know, currently, the integrated AV is Microsoft Defender. If you want to move to another AV. You can let it there as not configured.
Q4: Do I need to see Endpoint security as a standalone defender version, or does it link up with the other Defender programs?
A4: In fact, the Endpoint security node in Intune is used to configure device security and to manage security tasks for devices when those devices are at risk, it is not a defender version. You can use endpoint security to do the following:
• Review the status of all your managed devices.
• Deploy security baselines that establish best practice security configurations for devices.
• Manage security configurations on devices through tightly focused policies.
• Establish device and user requirements through compliance policy.
• Integrate Intune with your Microsoft Defender for Endpoint team.
For more information about Endpoint Security, you can refer to this link:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security
Hope the above information can help you.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks you for this elaborate explanation!
So the solution is quite clear, you need to combine the two like this:
Q: On the license side, if you want to use the Endpoint Security blade in Intune, what license(s) are required?
@Tom Meeus , Thanks for your reply. In fact, the conflict of policies depends on whether these policies use the same Windows CSP.
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
Another question about license, as far as I know, most features in Endpoint security do not require additional licenses except Intune license. It should be noticed that if you want to use the conditional access feature, you need an additional AAD premium license, https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access, and the Microsoft Defender for Endpoint feature also requires an additional license. For more details about Microsoft 365 Defender licensing requirements, you can refer to this link:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/prerequisites?view=o365-worldwide#licensing-requirements
Hope the above information can help.
@Caleb-MSFT I've done some more digging and going further on the screenshot i posted above, it gets more complicated if you use the "Security baselines".
Security Baseline for Windows 10 and later AND Windows 365 Security Baseline (Preview) are the same and will conflict.
So can i assume that the Windows 365 Security Baseline (Preview) is the all-in-one version of the three above as it contains all settings of the other three?
So to clarify, you have your Compliance policies and your Configuration profiles in Intune.
On top of that you have the Endpoint Security's "Security baselines" that contains four baselines but one baseline (Windows 365 Security Baseline (Preview)) will make the other three (Microsoft Edge Baseline, Microsoft Defender for Endpoint Baseline, Security Baseline for Windows 10 and later) obsolete as it contains all settings the others have.
Then you got the "Manage" tab in the Endpoint Security blade that allows you to configure Antivirus, Disk encryption (bitlocker), Firewall, etc.
Bottom-line: I want to use one baseline (Windows 365 Security Baseline (Preview)) that covers it all in one go, can i do that with this rule?
I will only use the Configuration profiles in Intune to deploy VPN, Wi-Fi, network drive mapping stuff.
@Tom Meeus , Thanks for your reply.
For your questions, here are my answers for your reference:
Q1: Can I assume that the Windows 365 Security Baseline (Preview) is the all-in-one version of the three above as it contains all settings of the other three?
A1: In fact, Windows 365 and Windows 10 are different. Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users.
https://learn.microsoft.com/en-us/windows-365/overview
Windows 365 Security Baseline policies apply to Windows 365 Cloud PCs, If the enrolled device is Windows 365, we can deploy this policy. For more details about Windows 365 baseline settings, you can refer to this link:
https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-windows-365
If our device is Windows 10 and later, we can choose “security Baseline for Windows 10 and later”.
Q2: I want to use one baseline (Windows 365 Security Baseline (Preview)) that covers it all in one go, can I do that with this rule? I will only use the Configuration profiles in Intune to deploy VPN, Wi-Fi, network drive mapping stuff.
A2: Before going on, please ensure the devices is Windows 365 cloud PC instead of Windows 10 or Windows 11. If yes, that will be OK.
Hope the above information can help.
Hi Caleb,
Thanks for the explanation. The devices here are Windows 10/11 so it will be "security Baseline for Windows 10 and later"
As for using those, i've tested them out in a Dev environment and the chaos was gigantic.
The template idea is fine for a newly founded company but not for an existing as the impact is massive when the policies starts locking down.
Also you need to know what every option in that template is doing before enabling them, this is not something i got the time and resources for.
For now i will keep to the "device restriction policies" and leave the template to the side as the unpredictability and impact is massive.
I would need a 5-10 support IT team just to cope with every possible error if I would deploy these options.
@Tom Meeus , Thanks for your reply. I notice you will keep the device restriction policies. If you have any question with Intune in the future, feel free to post in our Q&A to discuss together.
Thanks for your time and have a nice day!
Short answer - they will not merge and you need to review settings and solve conflicts yourself. I also seen, that Windows Sec Baseline and Edge sec baseline have overlaping settings as well and they will conflict each other.
From Ignite / technical takeoff sessions by Microsoft, I learned that these security baselines will also flow into Settings Catalog model later on....maybe next year.