Security baselines assessment

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.

Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization's security baselines compliance and identify changes in real time.

A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.

Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.

Get started with security baselines assessment

  1. Go to Vulnerability management > Baselines assessment in the Microsoft 365 Defender portal.

  2. Select the Profiles tab at the top, then select the Create profile button.

  3. Enter a name and description for your security baselines profile and select Next.

  4. On the Baseline profile scope page, set the profile settings, such as software, base benchmark (CIS or STIG), and the compliance level, then select Next.

  5. Select the configurations you want to include in the profile.

    Screenshot of the add configuration settings page

    Select Customize if you want to change the threshold configuration value for your organization.

    Screenshot of the customize configuration settings page

  6. Select Next to choose the device groups and device tags you want to include in the baseline profile. The profile will be automatically applied to devices added to these groups in the future.

  7. Select Next to review the profile.

  8. Select Submit to create your profile.

  9. On the final page, select View profile page to see the assessment results.

Note

You can create multiple profiles for the same operating system with various customizations.

When you customize a configuration, an icon appears beside it to indicate that it has been customized and is no longer using the recommended value. Select the reset button to revert to the recommended value.

Useful icons to be aware of:

Previously customized configuration - This configuration has been customized before. When creating a new profile, if you select Customize, you'll see the available variations you can choose from.

Not using the default value - This configuration has been customized and is not using the default value.

Security baselines assessment overview

On the security baselines assessment overview page, you can view device compliance, profile compliance, top failing devices, and top misconfigured devices.

Review security baseline profile assessment results

  1. In the Profiles page, select any of your profiles to open a flyout with additional information.

    Screenshot of the baseline profile page

  2. Select Open profile page. The profile page contains two tabs: Configurations and Devices.

View by configuration

In the Configurations tab, you can review the list of configurations and assess their reported compliance state.

Configuration tab in the profile page

By selecting a configuration in the list, you'll see a flyout with details for the policy setting, including the recommended value (the expected value range for a device to be considered compliant) and the source used to determine the current device settings.

Configuration flyout details in the profile page

The Devices tab shows a list of all applicable devices and their compliance state against this specific configuration. For each device, you can use the current value detected to see why it's compliant or non-compliant.

Screenshot of the baseline compliance page

View by device

In the main Devices tab, you can review the list of devices and assess their reported compliance state.

By selecting a device in the list, you'll see a flyout with additional details.

Devices tab in the profile page

Select the Configuration tab to view the compliance of this specific device against all the profile configurations.

At the top of the device side panel, select Open device page to go to the device page in the device inventory. The device page displays the Baseline compliance tab that provides granular visibility into the compliance of the device.

By selecting a configuration in the list, you'll see a flyout with compliance details for the policy setting on this device.

Use advanced hunting

You can run advanced hunting queries on the following tables to gain visibility on security baselines in your organization:

  • DeviceBaselineComplianceProfiles: provides details on created profiles.
  • DeviceBaselineComplianceAssessment: provides device compliance-related information.
  • DeviceBaselineComplianceAssessmentKB: general settings for CIS and STIG benchmarks (not related to any device).
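
The following query is an added example, not part of the original documentation. It joins the three tables to rank failing configurations by the number of affected devices. The column names (`DeviceId`, `ProfileId`, `ProfileName`, `ConfigurationId`, `ConfigurationName`, `ConfigurationCategory`, `IsApplicable`, `IsCompliant`, `CurrentValue`, `RecommendedValue`) and the boolean type of the two flags are assumptions; confirm them in the advanced hunting schema pane before running it.

```kusto
// Added example. Column names below are assumptions; verify them in the
// advanced hunting schema pane for your tenant.

// Profile display names, one row per profile.
let Profiles = DeviceBaselineComplianceProfiles
    | distinct ProfileId, ProfileName;

// Benchmark metadata (not tied to any device), one row per configuration.
let SettingsKB = DeviceBaselineComplianceAssessmentKB
    | distinct ConfigurationId, ConfigurationName, ConfigurationCategory;

DeviceBaselineComplianceAssessment
// Keep only settings that apply to the device and are failing.
| where IsApplicable == true and IsCompliant == false
| join kind=leftouter Profiles on ProfileId
| join kind=leftouter SettingsKB on ConfigurationId
// Rank each failing configuration by how many distinct devices fail it,
// and keep a few observed values to show how devices drift from the baseline.
| summarize
    FailingDevices = dcount(DeviceId),
    ObservedValues = make_set(CurrentValue, 5)
    by ProfileName, ConfigurationId, ConfigurationName,
       ConfigurationCategory, RecommendedValue
| sort by FailingDevices desc
| take 50
```

Comparing `ObservedValues` with `RecommendedValue` shows whether a failure is one common misconfiguration across devices or several different deviations that need separate remediation.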