๐ฏ Objective of Day-11
By the end of Day-11, you will be able to:
- Explain what Intune Security Baselines are
- Deploy baselines safely
- Understand Defender for Endpoint integration
- See how device risk affects access decisions
1. What Are Security Baselines?
Security Baselines are Microsoft-recommended security configurations that:
- Apply industry best practices
- Reduce attack surface
- Standardize device security
👉 Think of baselines as secure starting points, not final tuning.
2. Security Baseline vs Compliance vs Configuration
| Feature | Purpose | Enforces settings | Evaluates trust |
|---|---|---|---|
| Security Baseline | Microsoft's recommended settings, versioned and updated by Microsoft | ✅ Yes | ❌ No (it only reports per-setting apply status) |
| Configuration Profile | Custom settings you choose | ✅ Yes | ❌ No |
| Compliance Policy | Trust decision consumed by Conditional Access | ❌ No (it marks the device non-compliant and can notify, block or retire through non-compliance actions, but does not push settings) | ✅ Yes |
👉 Baselines and profiles enforce settings; compliance policies decide whether a device is trusted, and Conditional Access acts on that decision.
3. Available Security Baselines in Intune
Common baselines (each one is versioned, so a profile can be updated when Microsoft publishes a newer version):
- Windows Security Baseline (for Windows 10 and later)
- Microsoft Defender for Endpoint Baseline
- Microsoft Edge Baseline
- Microsoft 365 Apps for Enterprise Baseline
- Windows 365 Baseline
Each baseline targets a specific security layer: the OS, the EDR sensor, the browser, the Office apps, or Cloud PCs.
4. Where to Configure Security Baselines
Steps:
- Intune Admin Center
- Endpoint security
- Security baselines
- Select baseline (e.g., Windows)
- Create profile
5. Deploying a Security Baseline (Safely)
Best practice steps:
- Create the baseline profile and review every setting before saving; set anything you already know will break a line-of-business app to Not configured now rather than editing after rollout
- Assign to a pilot group first (a handful of devices that cover your hardware and application mix)
- Review conflicts: a baseline and a configuration or settings catalog profile that set the same setting to different values show as Conflict in the profile's device status, and neither value is guaranteed to win
- Monitor impact in Endpoint security → Security baselines → your profile (device status and per-setting status), together with help-desk tickets from the pilot users
- Expand gradually, widening the assignment one ring at a time
👉 Never assign baselines to All devices on Day-1.
6. Common Settings Applied by Baselines
- Credential Guard
- Defender Antivirus
- Firewall enforcement
- Attack Surface Reduction (ASR) rules
- SmartScreen protection
👉 These settings actively change device behavior.
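Because these settings change device behavior, a pilot admin should read them back on a device rather than trust the portal's "Succeeded" status alone. The following PowerShell check is an added example written for this page (not code from the course or from Microsoft): run it in an elevated session on a pilot Windows device and it prints each setting next to the value the Windows baseline is expected to produce. Assumptions: the cmdlets and the SmartScreen registry path are the standard Windows ones, and the Expected column reflects baseline defaults, which will differ once you tune the profile.

```powershell
# Added example: read back the settings a Windows security baseline changes.
# Run elevated on a pilot device. "Expected" reflects baseline defaults (assumption:
# you have not tuned the profile); ASR rules are often left in Audit during a pilot.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Setting, $Value, [string]$Expected) {
    $results.Add([pscustomobject]@{ Setting = $Setting; Value = $Value; Expected = $Expected })
}

# Credential Guard: SecurityServicesRunning contains 1 when Credential Guard is active
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Result 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) 'True'

# Defender Antivirus engine state
$mp = Get-MpComputerStatus
Add-Result 'Defender real-time protection' $mp.RealTimeProtectionEnabled 'True'
Add-Result 'Defender tamper protection'    $mp.IsTamperProtected 'True'

# Firewall: the baseline enables all three profiles
foreach ($fw in Get-NetFirewallProfile) {
    Add-Result "Firewall ($($fw.Name))" $fw.Enabled 'True'
}

# ASR rules: Get-MpPreference exposes parallel arrays of rule GUIDs and actions
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
        $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        Add-Result "ASR rule $id" $actionNames[$action] 'Block (Audit while piloting)'
    }
} else {
    Add-Result 'ASR rules' 'none configured' 'rules present'
}

# SmartScreen: MDM/Group Policy writes the policy value under HKLM\...\Policies
$ssPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ss = (Get-ItemProperty -Path $ssPath -Name EnableSmartScreen -ErrorAction SilentlyContinue).EnableSmartScreen
Add-Result 'SmartScreen (EnableSmartScreen)' $ss '1'

$results | Format-Table -AutoSize
```

A row whose Value column is empty or differs from Expected is the first thing to investigate in the profile's per-setting status; a row that differs because another configuration profile sets the same setting is exactly the conflict the pilot is meant to surface.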
7. What Is Microsoft Defender for Endpoint (MDE)?
Defender for Endpoint is an Endpoint Detection & Response (EDR) platform that:
- Detects and alerts on threats, with automated investigation and response
- Assigns each onboarded device a machine risk level derived from its active alerts
- Reports vulnerabilities and misconfigurations (Defender Vulnerability Management)
- Shares the device's risk level with Intune, where compliance policies and, through them, Conditional Access act on it
8. How Intune & Defender for Endpoint Work Together
Flow:
Device → Defender detects a threat and raises an alert
→ Machine risk level updated in Defender
→ Risk level shared with Intune through the Defender for Endpoint connector
→ Compliance policy (Device Health: require the device to be at or under a machine risk score) marks the device non-compliant
→ Conditional Access policy that requires a compliant device blocks or limits access
👉 Defender does not block access. The compliance policy changes the device's compliance state, and Conditional Access enforces it.
9. Enable Defender for Endpoint Integration
Steps:
- Intune admin center → Tenant administration
- Connectors and tokens
- Microsoft Defender for Endpoint
- Turn on the toggle that connects Windows devices to Microsoft Defender for Endpoint (and the toggles for any other platforms you manage), then save
- In the Defender portal, Settings → Endpoints → Advanced features, confirm the Microsoft Intune connection is also turned on; the connector needs both sides
- Onboard devices with an Endpoint detection and response (EDR) policy under Endpoint security; the connector alone does not onboard any device
10. Device Risk Levels (Important)
Defender assigns each onboarded device a machine risk level based on its active alerts:
- Clear (no active alerts)
- Low
- Medium
- High
These levels are not selected directly in a Conditional Access policy. They are consumed by a compliance policy setting under Device Health, "Require the device to be at or under the machine risk score": a device above the chosen level becomes non-compliant, and a Conditional Access policy that requires a compliant device then blocks it.
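The compliance policy is the piece that turns a Defender risk level into a trust decision, so it is worth seeing what it actually contains. The following PowerShell is an added example written for this page (not the course's or Microsoft's own code): it uses the Microsoft Graph PowerShell SDK to create a Windows compliance policy that marks a device non-compliant when its machine risk score is above Medium, and assigns it to a pilot group. Assumptions: the Microsoft.Graph.Authentication module is installed, the connector from section 9 is enabled, and `$PilotGroupId` is a placeholder to be replaced with the object ID of your pilot group in Entra ID.

```powershell
# Added example: compliance policy that ties Defender for Endpoint risk to compliance.
# Requires: Install-Module Microsoft.Graph.Authentication
# Assumption: $PilotGroupId is a placeholder; replace with your pilot group's object ID.

$PilotGroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# deviceThreatProtectionRequiredSecurityLevel is the Graph name for the portal setting
# "Require the device to be at or under the machine risk score":
#   secured = Clear, low, medium, high
$policy = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'Pilot - MDE risk at or under Medium'
    description                                 = 'Non-compliant when Defender for Endpoint risk is High'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Intune requires at least one non-compliance action; mark non-compliant immediately (0h grace)
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign to the pilot group only, never to All devices on day one
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created compliance policy $($created.id) assigned to group $PilotGroupId"
```

On its own this policy changes nothing for users: it only flips the device's compliance state. The block happens when a Conditional Access policy with the grant control "Require device to be marked as compliant" covers the apps the user reaches for, which is why the two must be aligned.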
11. Real-World Scenario
Situation:
A user's device is compliant, but Defender detects malware on it.
What happens:
- Defender raises an alert and the device's machine risk level becomes High
- Intune re-evaluates the compliance policy; the device is now non-compliant
- The Conditional Access policy that requires a compliant device blocks access to protected resources
- Admin investigates and remediates in the Defender portal and resolves the alert
- The risk level drops, the device returns to compliant on its next check-in, and access is restored with no manual change to Conditional Access
👉 This is risk-based security in action.
12. Common Admin Mistakes
❌ Enabling baselines without pilot testing
❌ Conflicting baseline + configuration profiles
❌ Ignoring Defender alerts
❌ No compliance policy or CA policy tied to device risk
13. Best Practices Checklist
✅ Pilot first
✅ Monitor conflicts
✅ Align Defender + compliance + CA
✅ Document changes
✅ Review monthly
✅ End of Day-11 Outcome
You can now:
✅ Explain security baselines confidently
✅ Deploy them safely
✅ Understand Defender integration
✅ Design a stronger security posture
🔜 Day-12 Preview
Day-12: Risk-Based Conditional Access
- Device risk vs sign-in risk
- Defender-driven access blocking
- Real incident response flow
- Admin troubleshooting scenarios
