Security Baseline: how to efficiently protect your devices

Modern technology is destined to become an integral part of our life to allow us to save time, improve our efficiency and reduce costs related to our business; more company evolves in the technological field, the greater the exposure to threats of cyber attacks.

For this reason, Microsoft has tried to focus its efforts on providing increasingly secure operating systems; in this article, we will analyze some aspects related to security and how to efficiently protect your endpoints.

In addition to ensuring the security of its products and operating systems, Microsoft provides various configuration solutions in order to have control over its environments also based on business needs.

Before deep dive into these solutions, however, it is necessary to start from one aspect – essential – to better understand the context in which you are operating and define the priorities for advanced endpoint protection.

Security Configuration Framework

Security Configuration Framework (SecCon) aims to outline the necessary settings that IT Admins should adopt to protect their systems based on certain levels of security.

The reason behind the development of this framework is to make the adoption of security configurations simpler and more streamlined; on Windows systems, various criteria are available and this makes it difficult to choose the best setting to adopt without generating disruption to the end user’s operation.

SecCon organizes and divides the devices into one of the following 5 security configurations:

Figure 1 – Security Configuration Framework Level
  • Level 1 enterprise basic security: this configuration is recommended as a minimum security configuration for a corporate device.
  • Level 2 enterprise enhanced security: this configuration is recommended for devices where users access sensitive or confidential information; some of these configurations may have an impact on user operations and on the compatibility of apps, so it is advisable to test and validate these settings.
  • Level 3 enterprise high security: this configuration is recommended for devices managed by a structured organization or for specific users or groups of users who are at high risk (example: users who manage particularly sensitive data whose theft would have a major impact at company level in terms of costs and know-how) .This level should be considered as a target for most companies.
  • Level 4 DevOps workstation: this configuration is recommended for developers who are increasingly becoming a means of accessing servers and systems containing sensitive data or where critical workloads could be compromised.
  • Level 5 administrator workstation: IT admins represent the highest risk for organizations from a security perspective; for this reason, the most restricted level is recommended for the workstations used by these users.

At this point, the question to ask is the following: what is the most suitable level to be adopted within my organization and what settings should I set to reach this level?

To help companies adopt these levels and consequently secure endpoints, Microsoft cyclically releases security baselines that help guide IT administrators in choosing the various criteria.

Windows Security Baseline

As previously reported, each organization is different from another, especially in terms of IT security; the lowest common denominator is the security of the endpoints so that they are compliant with the defined corporate security standards.

Windows Security Baselines are a set of configurations recommended by the Microsoft Security team aimed at device protection; these settings are based on collecting feedback from product groups, partners and customers.

Windows Security Baselines are useful for:

  • ensure that the configurations applied on the user side and the computer side are compliant with the guidelines;
  • define configurations through the use of Group Policy, Microsoft Endpoint Configuration Manager or Microsoft Intune;

Le Windows Security Baseline sono incluse all’interno del Security and Compliance Toolkit (disponibile al seguente link); questo set di strumenti permette agli amministratori IT una gestione efficiente di tutte le baseline fornite da Microsoft.

Simplicity in importing configurationsDedicated only to systems connected to an Active Directory infrastructure
Ability to make changes easily based on your organizational needsNo reporting
Table 1 – Pros & Cons Windows Security Baseline

Intune Security Baseline

Intune Security Baselines (or MDM Security Baselines) offer the same benefits and functionality available in the Security and Compliance Toolkit.

As for the Windows Security Baselines, the Intune Security Baselines are a set of preconfigured settings recommended by the Microsoft Security team in order to make your devices more secure; these baselines are available by accessing the Endpoint Security section of the Microsoft Endpoint Manager Admin Center portal and can be applied to groups of users/devices on Azure AD. Now, the following baselines are available:

  • Windows 10 Security Baseline: dedicated to securing your Windows 10 systems;
  • Microsoft Defender for Endpoint Baseline: dedicated to protecting your devices from latest generation malicious attacks;
  • Microsoft Edge Baseline: dedicated to securing the new Microsoft browser;

This type of baseline is dedicated only to cloud-based systems, therefore where authentication is based exclusively on Azure Active Directory.

Simplicity in the application of configurationsDedicated to cloud systems only
Reporting availableLimited deviation
Poor documentation
Table 2 – Pros & Cons Intune Security Baseline

Configuration Profiles

Another method that can be used to increase security on your endpoints is the application of the Configuration Profile; through the adoption of these profiles, IT admins are able to control and limit the actions available on the devices. Obviously, the adoption of this method is particularly expensive in terms of time-consuming and management as it involves the creation of various types of profiles.

To speed up this process, you can take advantage of the Settings Catalog functionality (currently in preview) which allows you to simplify the search for specific settings by channeling them into a single interface and grouping by categories. Through this feature, you can then view the catalog of all available settings and proceed to create new policies from scratch based on your needs.

Reporting available Dedicated to cloud systems only
Ability to make changes easily based on your organizational needsHigh effort required for the application of all configurations
Various types of profiles required
Table 3 – Pros & Cons Configuration Profiles


Here are some useful references to the official Microsoft documentation:


Through the release of Security Baseline, Microsoft supports IT administrators in fighting the increasingly frequent escalation of malicious attacks; it is important to underline that Microsoft makes these baselines available free of charge and cyclically carries out revisions by updating the configurations also based on the feedback received.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: