Increase compliance to the Microsoft Defender for Endpoint security baseline
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.
Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection.
To understand security baselines and how they're assigned on Intune using configuration profiles, read this FAQ.
Before you can deploy and track compliance to security baselines:
Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, and settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) and settings also found in the Windows Intune security baseline. For more information about each baseline, see:
- Windows security baseline settings for Intune
- Microsoft Defender for Endpoint baseline settings for Intune
Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they're released.
Note
The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
Monitor compliance to the Defender for Endpoint security baseline
The Security baseline card on device configuration management provides an overview of compliance across Windows 10 and Windows 11 devices that have been assigned the Defender for Endpoint security baseline.
Card showing compliance to the Defender for Endpoint security baseline
Each device is given one of the following status types:
- Matches baseline: Device settings match all the settings in the baseline.
- Does not match baseline: At least one device setting doesn't match the baseline.
- Misconfigured: At least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state.
- Not applicable: At least one baseline setting isn't applicable on the device.
To review specific devices, select Configure security baseline on the card. This takes you to Intune device management. From there, select Device status for the names and statuses of the devices.
Note
You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
Review and assign the Microsoft Defender for Endpoint security baseline
Device configuration management monitors baseline compliance only of Windows 10 and Windows 11 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
Select Configure security baseline on the Security baseline card to go to Intune device management. A similar overview of baseline compliance is displayed.
Tip
Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline.
Create a new profile.
Microsoft Defender for Endpoint security baseline overview on IntuneDuring profile creation, you can review and adjust specific settings on the baseline.
Assign the profile to the appropriate device group.
Create the profile to save it and deploy it to the assigned device group.
Tip
Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. Learn more about security baselines on Intune.
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Related articles
- Ensure your devices are configured properly
- Get devices onboarded to Microsoft Defender for Endpoint
- Optimize ASR rule deployment and detections
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.