Are Microsoft Security Baselines allowed to deploy via MS Intune with MS Business Premium licensing to better secure Windows Pro devices?

Anonymous
2024-08-05T17:34:11+00:00

Dear all,

I am not a native English speaker, so please excuse any incorrect spelling.
We are hoping to reach a wider range of professionals who could answer this question by using English, plus it probably helps a wider range of people this way.

I will jump directly to the core questions that are relevant to answer the question regarding license requirement for the use of security baselines for our use case.

Afterwards I will explain our research effort so far and the origin of confusion about licensing requirements for MS Security Baselines deployment via Intune with Microsoft Business Premium subscription. I will also link all relevant MS Learn or Documentation resources for official references and better understanding.

Lastly I will give a short description on what our current situation, ideas and struggles are, so people looking for help in similar situations can relate and adapt.

  • Our questions: Maybe you can help or find answers here
    Which MS Security Baselines are allowed and useful to deploy with MS Business Premium License on licensed Windows Pro Devices (11) via MS Intune. MS Intune for deployment license is covered in MS Business Premium and Windows Pro license needs to be covered by the Device it is applied to.
    The more unclear license requirement is, which Product License is needed for the MS Edge and Defender security baselines to be allowed to apply on device.
    • Security Baseline for Windows 10 and later (Version 23H2)
      In our Understanding useful and allowed to deploy since it only requires Windows 11 Pro Device Edition and license - is this correct?
    • Microsoft Defender for Endpoint baseline (Version 24H1)
      Could be useful on top of the default policies for antivirus and firewall created in ms defender and synced to ms intune
      License requirements are unclear since it always refers to license for Microsoft Defender for Endpoint but BP includes Defender for Business.
    • Microsoft 365 Apps for Enterprise (Version 2306)
      Neither useful nor licensed since it applies to Office Apps for Enterprise which is not included in Business Premium and available as standalone
    • Microsoft Edge Baseline (Version 117)
      Probably useful in our opinion and should also be included in BP since there is no standalone product license for edge available or is there?
    • Windows 365 Security Baseline (Version 24H1)
      Neither useful nor licensed since it applies to MS 365 virtual cloud devices which are not included in Business Premium and available as standalone
  • Our efforts & research: Maybe it comes in handy or you find something we are missing
  • Our current situation: Maybe you can relate
    Since we are a small company and small business support by Microsoft is not available in our region and we do not operate with a partner but desire to achieve the best Protection possible, we are trying to understand and implement the best security features on our own.
    We have completed the Basic Microsoft Learn Documentation for Business Premium, Defender for Business, Defender for Office 365 and some others, but basically only few security policies or settings are explained there and e.g. Bitlocker enablement is referenced but not explained in depth.
    By further investigating how to utilize a standard tool set of best practice security features we literally stumbled over MS Security Baselines.
    We happily found out that the Baseline for Windows would automatically include Bitlocker Enablement, but we also discovered that there are complex license requirements for some use cases, e.g. for MS BP: Bitlocker Enablement is licensed, Bitlocker Management not. Here is where the confusion began.
    We are now at a stage where we either accept the minimum security standard that is covered in the above mentioned guidelines or additionally implement useful and covered well proven Microsoft security baselines on top and enroll via MS Intune or need to dive into every possible configuration manually.
    Last one is probably not manageable in terms of costs and efforts because there are really too many and it is way too hard to understand as a non-professional.

To sum this all up: We would be very thankful for advice on licensing requirements and evaluation / recommendations for the use of MS baselines from an expert!

*** Moved from Windows / Windows 11 / Security and privacy ***


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2024-08-06T09:06:19+00:00

    Hello jw___.,

    thank you for posting on the Microsoft Community Forums.

    Based on the description, I understand that your issue is related to Microsoft Intune.

    Since there are no engineers dedicated to Microsoft Intune in this forum, and in order to be able to deal with your questions quickly and efficiently, I recommend that you repost your questions in the Q&A forum, where there will be a dedicated engineer to provide you with a professional and effective response.

    Here is a link to the Q&A forum: https://learn.microsoft.com/en-us/answers/questions/

    Have a nice day.

    Best regards,

    Lei
