List of the settings in the Microsoft Defender for Endpoint security baseline in Intune

Article
02/23/2023

This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use.

For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the MDM security and the Defender for Endpoint baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, you’ll find that here as well. Use that link to view the settings policy configuration service provider (CSP) or relevant content that explains the settings operation.

When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:

Change the baseline version for a profile to update a profile to use the latest version of that baseline.

Microsoft Defender for Endpoint baseline for December 2020 - version 6

Microsoft Defender for Endpoint baseline for September 2020 - version 5

Microsoft Defender for Endpoint baseline for April 2020 - version 4

Microsoft Defender for Endpoint baseline for March 2020 - version 3

The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using Microsoft Defender for Endpoint.

This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see Increase compliance to the Microsoft Defender for Endpoint security baseline in the Windows documentation.

Attack Surface Reduction Rules

Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
- Endpoint security > Attack surface reduction policy > Attack surface reduction rules
- Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.
Settings that don't have conflicts are added to a superset of policy for the device.
When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
Only the configurations for conflicting settings are held back.

To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.

Block Office communication apps from creating child processes
Baseline default: Enable
Learn more
Block Adobe Reader from creating child processes
Baseline default: Enable
Learn more
Block Office applications from injecting code into other processes
Baseline default: Block
Learn more
Block Office applications from creating executable content
Baseline default: Block
Learn more
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Learn more
Enable network protection
Baseline default: Enable
Learn more
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Learn more
Block executable content download from email and webmail clients
Baseline default: Block
Learn more
Block all Office applications from creating child processes
Baseline default: Block
Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Learn more
Block Win32 API calls from Office macro
Baseline default: Block
Learn more

Application Guard

For more information, see WindowsDefenderApplicationGuard CSP in the Windows documentation.

When you use Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary.

Turn on Application Guard for Edge (Options)
Baseline default: Enabled for Edge
Learn more
- Block external content from non-enterprise approved sites
  Baseline default: Yes
  Learn more
- Clipboard behavior
  Baseline default: Block copy and paste between PC and browser
  Learn more
Windows network isolation policy
Baseline default: Configure
Learn more
- Network domains
  Baseline default: securitycenter.windows.com

BitLocker

Require storage cards to be encrypted (mobile only)
Baseline default: Yes
Learn more

Note

Support for Windows 10 Mobile and Windows Phone 8.1 ended in August of 2020.
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker system drive policy
Baseline default: Configure
Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more
  This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

Standby states when sleeping while on battery Baseline default: Disabled
Learn more
Standby states when sleeping while plugged in
Baseline default: Disabled
Learn more
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker system drive policy
Baseline default: Configure
Learn more
- Startup authentication required
  Baseline default: Yes
  Learn more
- Compatible TPM startup PIN
  Baseline default: Allowed
  Learn more
- Compatible TPM startup key
  Baseline default: Required
  Learn more
- Disable BitLocker on devices where TPM is incompatible
  Baseline default: Yes
  Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more
  This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

BitLocker system drive policy
Baseline default: Configure
Learn more
- Startup authentication required
  Baseline default: Yes
  Learn more
- Compatible TPM startup PIN
  Baseline default: Allowed
  Learn more
- Compatible TPM startup key
  Baseline default: Required
  Learn more
- Disable BitLocker on devices where TPM is incompatible
  Baseline default: Yes
  Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
Standby states when sleeping while on battery Baseline default: Disabled
Learn more
Standby states when sleeping while plugged in
Baseline default: Disabled
Learn more
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more
  This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

Browser

Require SmartScreen for Microsoft Edge
Baseline default: Yes
Learn more
Block malicious site access
Baseline default: Yes
Learn more
Block unverified file download
Baseline default: Yes
Learn more

Data Protection

Block direct memory access
Baseline default: Yes
Learn more

Device Guard

Turn on credential guard
Baseline default: Enable with UEFI lock
Learn more

Device Installation

Hardware device installation by device identifiers
Baseline default: Block hardware device installation
Learn more
- Remove matching hardware devices Baseline default: Yes
- Hardware device identifiers that are blocked
  Baseline default: Not configured by default. Manually add one or more device identifiers.

Hardware device installation by setup classes
Baseline default: Block hardware device installation
Learn more
- Remove matching hardware devices Baseline default: Not configured
- Hardware device identifiers that are blocked Baseline default: Not configured by default. Manually add one or more device identifiers.

Block hardware device installation by setup classes:
Baseline default: Yes
Learn more
- Remove matching hardware devices:
  Baseline default: Yes
- Block list
  Baseline default: Not configured by default. Manually add one or more setup class globally unique identifiers.

DMA Guard

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Block all
Learn more

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Not configured
Learn more

Endpoint Detection and Response

Sample sharing for all files
Baseline default: Yes
Learn more
Expedite telemetry reporting frequency
Baseline default: Yes
Learn more

Firewall

Stateful File Transfer Protocol (FTP)
Baseline default: Disabled
Learn more
Number of seconds a security association can be idle before it's deleted
Baseline default: 300
Learn more
Preshared key encoding
Baseline default: UTF8
Learn more
Certificate revocation list (CRL) verification
Baseline default: Not configured
Learn more
Packet queuing
Baseline default: Not configured
Learn more
Firewall profile private
Baseline default: Configure
Learn more
- Inbound connections blocked
  Baseline default: Yes
  Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Outbound connections required
  Baseline default: Yes
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Incoming traffic required
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more

Stealth mode blocked
Baseline default: Yes
Learn more

Firewall profile public
Baseline default: Configure
Learn more
- Inbound connections blocked
  Baseline default: Yes
  Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Outbound connections required
  Baseline default: Yes
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes**
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Incoming traffic required
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more

Stealth mode blocked
Baseline default: Yes
Learn more

Firewall profile domain
Baseline default: Configure
Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more

Stealth mode blocked
Baseline default: Yes
Learn more

Microsoft Defender

Turn on real-time protection
Baseline default: Yes
Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 0
Learn more
Scan all downloaded files and attachments
Baseline default: Yes
Learn more
Scan type
Baseline default: Quick scan
Learn more
Defender schedule scan day:
Baseline default: Everyday
Defender scan start time:
Baseline default: Not configured
Defender sample submission consent
Baseline default: Send safe samples automatically
Learn more
Cloud-delivered protection level
Baseline default: High
Learn more
Scan removable drives during full scan
Baseline default: Yes
Learn more
Defender potentially unwanted app action
Baseline default: Block
Learn more
Turn on cloud-delivered protection
Baseline default: Yes
Learn more

Turn on real-time protection
Baseline default: Yes
Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 0
Learn more
Scan all downloaded files and attachments
Baseline default: Yes
Learn more
Scan type
Baseline default: Quick scan
Learn more
Defender sample submission consent
Baseline default: Send safe samples automatically
Learn more
Cloud-delivered protection level
Baseline default: High
Learn more
Scan removable drives during full scan
Baseline default: Yes
Learn more
Defender potentially unwanted app action
Baseline default: Block
Learn more
Turn on cloud-delivered protection
Baseline default: Yes
Learn more

Run daily quick scan at
Baseline default: 2 AM
Learn more
Scheduled scan start time
Baseline default: 2 AM
Configure low CPU priority for scheduled scans
Baseline default: Yes
Learn more
Block Office communication apps from creating child processes
Baseline default: Enable
Learn more
Block Adobe Reader from creating child processes
Baseline default: Enable
Learn more
Scan incoming email messages
Baseline default: Yes
Learn more
Turn on real-time protection
Baseline default: Yes
Learn more
Number of days (0-90) to keep quarantined malware
Baseline default: 0
Learn more
Defender system scan schedule
Baseline default: User defined
Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 0
Learn more
Scan mapped network drives during a full scan
Baseline default: Yes
Learn more
Turn on network protection
Baseline default: Yes
Learn more
Scan all downloaded files and attachments
Baseline default: Yes
Learn more
Block on access protection
Baseline default: Not configured
Learn more
Scan browser scripts
Baseline default: Yes
Learn more
Block user access to Microsoft Defender app
Baseline default: Yes
Learn more
Maximum allowed CPU usage (0-100 percent) per scan
Baseline default: 50
Learn more
Scan type
Baseline default: Quick scan
Learn more
Enter how often (0-24 hours) to check for security intelligence updates
Baseline default: 8
Learn more
Defender sample submission consent
Baseline default: Send safe samples automatically
Learn more
Cloud-delivered protection level
Baseline default: *Not configured
Learn more
Scan archive files
Baseline default: Yes
Learn more
Turn on behavior monitoring
Baseline default: Yes
Learn more
Scan removable drives during full scan
Baseline default: Yes
Learn more
Scan network files
Baseline default: Yes
Learn more
Defender potentially unwanted app action
Baseline default: Block
Learn more
Turn on cloud-delivered protection
Baseline default: Yes
Learn more
Block Office applications from injecting code into other processes
Baseline default: Block
Learn more
Block Office applications from creating executable content
Baseline default: Block
Learn more
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Learn more
Enable network protection
Baseline default: Audit mode
Learn more
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Learn more
Block executable content download from email and webmail clients
Baseline default: Block
Learn more
Block all Office applications from creating child processes
Baseline default: Block
Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Learn more
Block Win32 API calls from Office macro
Baseline default: Block
Learn more

Run daily quick scan at
Baseline default: 2 AM
Learn more
Scheduled scan start time
Baseline default: 2 AM
Configure low CPU priority for scheduled scans
Baseline default: Yes
Learn more
Block Office communication apps from creating child processes
Baseline default: Enable
Learn more
Block Adobe Reader from creating child processes
Baseline default: Enable
Learn more
Scan incoming email messages
Baseline default: Yes
Learn more
Turn on real-time protection
Baseline default: Yes
Learn more
Number of days (0-90) to keep quarantined malware
Baseline default: 0
Learn more
Defender system scan schedule
Baseline default: User defined
Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 0
Learn more
Scan mapped network drives during a full scan
Baseline default: Yes
Learn more
Turn on network protection
Baseline default: Yes
Learn more
Scan all downloaded files and attachments
Baseline default: Yes
Learn more
Block on access protection
Baseline default: Not configured
Learn more
Scan browser scripts
Baseline default: Yes
Learn more
Block user access to Microsoft Defender app
Baseline default: Yes
Learn more
Maximum allowed CPU usage (0-100 percent) per scan
Baseline default: 50
Learn more
Scan type
Baseline default: Quick scan
Learn more
Enter how often (0-24 hours) to check for security intelligence updates
Baseline default: 8
Learn more
Defender sample submission consent
Baseline default: Send safe samples automatically
Learn more
Cloud-delivered protection level
Baseline default: *Not configured
Learn more
Scan archive files
Baseline default: Yes
Learn more
Turn on behavior monitoring
Baseline default: Yes
Learn more
Scan removable drives during full scan
Baseline default: Yes
Learn more
Scan network files
Baseline default: Yes
Learn more
Defender potentially unwanted app action
Baseline default: Block
Learn more
Turn on cloud-delivered protection
Baseline default: Yes
Learn more
Block Office applications from injecting code into other processes
Baseline default: Block
Learn more
Block Office applications from creating executable content
Baseline default: Block
Learn more
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Learn more
Enable network protection
Baseline default: Audit mode
Learn more
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Learn more
Block executable content download from email and webmail clients
Baseline default: Block
Learn more
Block all Office applications from creating child processes
Baseline default: Block
Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Learn more
Block Win32 API calls from Office macro
Baseline default: Block
Learn more

Microsoft Defender Security Center

Block users from editing the Exploit Guard protection interface
Baseline default: Yes
Learn more

Smart Screen

Block users from ignoring SmartScreen warnings
Baseline default: Yes
Learn more
Turn on Windows SmartScreen
Baseline default: Yes
Learn more
Require SmartScreen for Microsoft Edge
Baseline default: Yes
Learn more
Block malicious site access
Baseline default: Yes
Learn more
Block unverified file download
Baseline default: Yes
Learn more
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled

Require apps from store only
Baseline default: Yes
Turn on Windows SmartScreen
Baseline default: Yes
Learn more

Windows Hello for Business

For more information, see PassportForWork CSP in the Windows documentation.

Block Windows Hello for Business
Baseline default: Disabled
- Lowercase letters in PIN Baseline default: Allowed
- Special characters in PIN Baseline default: Allowed
- Uppercase letters in PIN Baseline default: Allowed