List configurations in active baseline profiles

Applies to:

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

1.API description

This API retrieves a list of the configurations being assessed in active baseline profiles.

1.1 Parameters

  • Supports OData V4 queries
  • OData supported operators:
    • $filter on: id, category, name, CCE
    • $top with max value of 10,000
    • $skip

1.2 HTTP request

GET /api/baselineConfigurations 

1.3 Request headers

Name Type Description
Authorization String Bearer {token}. Required.

1.4 Response

If successful, this method returns 200 OK with the list of baseline configurations in the body.

1.5 Properties

Property Type Description
uniqueId String Identifier for the specific configuration across baseline benchmarks.
Id String Identifier of the specific configuration in the baseline benchmark.
benchmarkName String The name of the benchmark.
benchmarkVersion String The version of the benchmark. May contain operating system details.
name String The configuration name at it appears in the benchmark.
description String The configuration description as it appears in the benchmark.
category String The configuration category as it appears in the benchmark.
complianceLevels String The compliance level of the benchmark where this configuration appears.
cce Int The CCE for this configuration as it appears in the benchmark.
rationale String The rationale for this configuration as it appears in the benchmark. For STIG benchmark this isn't supplied for this configuration.
source Array [String] Array of the registry paths or other locations used to determine the current device setting.
recommendedValue Array [String] Array of the recommended value for each source returned in the 'source' property array (values returned in the same order as the source property array).
remediation String The recommended steps to remediate.
isCustom Boolean True if the configuration is customized, false if not.

1.6 Example

1.5.1 Request example


1.6.2 Response example

    "@odata.context": "$metadata#BaselineConfigurations ", 
    "value": [
            "id": "9.3.9",
            "uniqueId": "CIS_1.4.0-windows_server_2016_9.3.9",
            "benchmarkName": "CIS",
            "benchmarkVersion": "1.4.0-windows_server_2016",
            "name": "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'",
            "description": "<p xmlns:xhtml=\"\">  Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word             <span class=\"inline_block\">DROP</span>   in the action column of the log.          </p>",
            "category": "Public Profile",
            "complianceLevels": [
                "Level 1 - Domain Controller",
                "Level 1 - Member Server",
                "Level 2 - Domain Controller",
                "Level 2 - Member Server"
            "cce": "CCE-35116-3",
            "rationale": "<p xmlns:xhtml=\"\">If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.</p>",
            "remediation": "<div xmlns:xhtml=\"\">    <p>      <p>  To establish the recommended configuration via GP, set the following UI path to                 <span class=\"inline_block\">Yes</span>  :              </p>      <code class=\"code_block\">Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets  </code>      <p class=\"bold\">Impact:</p>      <p>        <p>Information about dropped packets will be recorded in the firewall log file.</p>      </p>    </p>  </div>",
            "recommendedValue": [
                "Equals '1'"
            "source": [
            "isCustom": false

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.