Security baselines assessment
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft 365 Defender
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Note
Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the Microsoft Defender Vulnerability Management public preview trial.
Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization's security baselines compliance and identify changes in real time.
A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.
Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
Get started with security baselines assessment
Go to Vulnerability management > Baselines assessment in the Microsoft 365 Defender portal.
Select the Profiles tab at the top, then select the Create profile button.
Enter a name and description for your security baselines profile and select Next.
On the Baseline profile scope page, set the profile settings such as software, base benchmark (CIS or STIG), and the compliance level, then select Next.
Select the configurations you want to include in the profile.
Select Customize if you want to change the threshold configuration value for your organization.
Select Next to choose the device groups and device tags you want to include in the baseline profile. The profile will be automatically applied to devices added to these groups in the future.
Select Next to review the profile.
Select Submit to create your profile.
On the final page, select View profile page to see the assessment results.
Note
You can create multiple profiles for the same operating system with various customizations.
When you customize a configuration, an icon will appear beside it to indicate that it has been customized and is no longer using the recommended value. Select the reset button to revert to the recommended value.
Useful icons to be aware of:
- This configuration has been customized before. When creating a new profile, if you select Customize, you'll see the available variations you can choose from.
- This configuration has been customized and is not using the default value.
Security baselines assessment overview
On the security baselines assessment overview page you can view device compliance, profile compliance, top failing devices and top misconfigured devices.
Review security baseline profile assessment results
In the Profiles page, select any of your profiles to open a flyout with additional information.
Select Open profile page. The profile page contains two tabs: Configurations and Devices.
View by configuration
In the Configurations tab, you can review the list of configurations and assess their reported compliance state.
By selecting a configuration in the list, you'll see a flyout with details for the policy setting, including the recommended value (the expected value range for a device to be considered compliant) and the source used to determine the current device settings.
The Devices tab shows a list of all applicable devices and their compliance state against this specific configuration. For each device, you can use the current value detected to see why it's compliant or noncompliant.
View by device
In the main Devices tab, you can review the list of devices and assess their reported compliance state.
By selecting a device in the list, you'll see a flyout with additional details.
Select the Configuration tab to view the compliance of this specific device against all the profile configurations.
At the top of the device side panel, select Open device page to go to the device page in the device inventory. The device page displays the Baseline compliance tab that provides granular visibility into the compliance of the device.
By selecting a configuration in the list, you'll see a flyout with compliance details for the policy setting on this device.
Use advanced hunting
You can run advanced hunting queries on the following tables to gain visibility on security baselines in your organization:
- DeviceBaselineComplianceProfiles: provides details on created profiles.
- DeviceBaselineComplianceAssessment: device compliance related information.
- DeviceBaselineComplianceAssessmentKB: general settings for CIS and STIG benchmarks (not related to any device).
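The following query is an added example, not part of the original article. It ranks devices by the number of failing baseline configurations per profile, using only the latest assessment for each device and configuration. The column names (Timestamp, DeviceId, DeviceName, ProfileId, ProfileName, ConfigurationId, IsApplicable, IsCompliant) are assumptions about the table schemas; confirm them in the advanced hunting schema pane before running.

```kusto
// Added example: top devices by failing baseline configurations.
// Column names are assumed; verify them against the schema pane.
let lookback = 7d;
// Keep only the most recent assessment per device, profile, and configuration
// so that repeated evaluations of the same setting are not double counted.
let latest =
    DeviceBaselineComplianceAssessment
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, *) by DeviceId, ProfileId, ConfigurationId
    | where IsApplicable == true;   // ignore settings that do not apply to the device
// Profile names come from the profiles table (ProfileName is an assumed column).
let profiles =
    DeviceBaselineComplianceProfiles
    | distinct ProfileId, ProfileName;
latest
| summarize
    Assessed = count(),
    Failing = countif(IsCompliant == false),
    // Cap the set so a badly drifted device does not produce an oversized cell.
    FailingConfigurations = make_set_if(ConfigurationId, IsCompliant == false, 25)
    by DeviceId, DeviceName, ProfileId
| where Failing > 0
| extend CompliancePct = round(100.0 * (Assessed - Failing) / Assessed, 1)
| join kind=leftouter profiles on ProfileId
| project DeviceName, ProfileName, Assessed, Failing, CompliancePct, FailingConfigurations
| top 20 by Failing desc
```

To explain a specific failure, look up the listed configuration IDs in DeviceBaselineComplianceAssessmentKB, which holds the benchmark setting details.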