Online Tools Directory

How to Deploy the Windows 11 Security Baseline with Microsoft Intune

Learn how to deploy the Windows 11 Security Baseline using Microsoft Intune, including setup steps, best practices, and compliance monitoring.

When organizations move toward modern cloud-based management, one of the biggest challenges is ensuring device security stays consistent across all endpoints. With hundreds of available Windows settings — covering authentication, encryption, firewall rules, app protection, and system hardening — manually configuring everything is time-consuming and prone to mistakes.

That’s why Microsoft provides Security Baselines: preconfigured, Microsoft-recommended policy templates that help you deploy a secure configuration for Windows devices with minimal effort. In a recent Tech Community discussion, Microsoft highlighted how straightforward it is to deploy the Windows 11 Security Baseline using Intune — and why it should be part of every modern management strategy.

In this blog post, you’ll learn what the Windows 11 Security Baseline is, why it matters, and how to deploy it step-by-step using Intune.

What is the Windows 11 Security Baseline?

A Security Baseline is a curated set of Windows configuration policies developed by Microsoft security engineers. These settings align with industry standards and reflect Microsoft’s recommended hardening practices for enterprise environments.

A baseline typically covers:

  • BitLocker encryption & drive protection
  • Password, authentication & credential hardening
  • Microsoft Defender & threat protection
  • Application control & SmartScreen
  • Firewall & network restrictions
  • OS hardening (Secure Boot, legacy protocol restrictions, etc.)

Because baselines bundle hundreds of settings into a single profile, they dramatically simplify secure configuration. Instead of individually managing these settings, Intune lets you deploy everything at once — with consistent enforcement across devices.

Why Deploy Security Baselines Through Intune?

Using Intune for baseline deployment offers several advantages:

✔ Centralized cloud-based management

All devices receive security settings directly from Intune — no more on-prem GPO complexity.

✔ Faster rollouts

Deploy Microsoft’s recommended settings instantly across groups or pilot rings.

✔ Automatic updates

New baseline versions (e.g., 24H2) contain updated recommendations that track new threats and OS changes.

✔ Reduced configuration drift

Devices automatically reapply policies, keeping them compliant.

✔ Easier troubleshooting

Intune’s reporting tools allow you to analyze conflicts, failures, and device-level setting statuses.

Security baselines allow you to standardize Windows 11 security without manual overhead — making them ideal for hybrid, remote, and BYOD environments.

How to Deploy the Windows 11 Security Baseline in Intune

Based on Microsoft’s guidance and the discussion from the Intune Tech Community, here’s the exact process to deploy the Windows 11 baseline.

1. Open the Intune Admin Center

Go to:
https://intune.microsoft.com

Make sure you have a role such as Endpoint Security Manager, Policy and Profile Manager, or Global Administrator.

2. Navigate to Endpoint Security → Security Baselines

In the left navigation panel:
Endpoint security → Security baselines

You’ll see different baseline types:

  • Windows 10 and later Security Baseline
  • Microsoft Edge baseline
  • Microsoft Defender baseline
  • Windows 365 baseline

Choose Security Baseline for Windows 10 and later — this baseline also applies to Windows 11.

3. Create a New Baseline Profile

Click + Create profile, then select:

  • Platform: Windows 10 and later
  • Profile Type: Windows 11 Security Baseline (latest version)

Select the newest version available, such as 24H2, to ensure the most up-to-date protection settings.

4. Review & (Optionally) Customize the Settings

Each baseline includes multiple configuration categories. The default values are Microsoft’s recommended secure configuration.

You may want to tweak settings if:

  • Legacy apps require less-strict firewall rules
  • Your company uses different BitLocker recovery key storage
  • Your users rely on older protocols or authentication methods (not recommended)

Most organizations apply the default baseline first, then adjust based on testing.

5. Assign the Baseline to Device Groups

Under Assignments, choose:

  • Azure AD device groups
  • Pilot groups
  • All devices (after testing)

Best practice:
Deploy to a small pilot group first to avoid production disruption.

6. Review and Deploy

Click Create.
Intune will now push the baseline policies to assigned devices. Settings apply automatically when devices sync.

7. Monitor Baseline Status & Conflicts

After deployment, go to:
Endpoint security → Security baselines → (your baseline) → Reports

You can check:

  • Per-setting enforcement
  • Device compliance
  • Conflicts (e.g., settings overridden by another policy)
  • Errors or ignored settings

Conflicts are common in hybrid environments where GPO and Intune overlap — Intune’s reporting helps identify and resolve these issues.
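
To complement the Intune reports, you can spot-check a pilot device locally after it syncs. The PowerShell below is an added example, not code from this post or from Microsoft; the helper names `New-CheckResult` and `Test-BaselineSpotCheck` are hypothetical, and the "Expected" values are assumptions you should align with the settings in your own baseline profile.

```powershell
# Added example: local spot-check on a pilot device (run in an elevated session).
# The Expected values are assumptions for illustration; match them to the
# settings you kept or customized in your baseline profile.

function New-CheckResult($Check, $Expected, $Actual) {
    [pscustomobject]@{
        Check    = $Check
        Expected = "$Expected"
        Actual   = "$Actual"
        Pass     = ("$Actual" -eq "$Expected")
    }
}

function Test-BaselineSpotCheck {
    # BitLocker: is protection on for the OS volume?
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    New-CheckResult 'BitLocker protection (OS drive)' 'On' $bl.ProtectionStatus

    # Secure Boot: the cmdlet throws on non-UEFI firmware, so report that explicitly.
    try   { $sb = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $sb = 'Unsupported' }
    New-CheckResult 'Secure Boot' 'True' $sb

    # Firewall: effective (merged) state of each profile.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        New-CheckResult "Firewall ($($p.Name) profile)" 'True' $p.Enabled
    }

    # Legacy protocol restriction: SMBv1 server.
    $smb = Get-SmbServerConfiguration
    New-CheckResult 'SMBv1 server protocol' 'False' $smb.EnableSMB1Protocol
}

Test-BaselineSpotCheck | Format-Table -AutoSize
```

A row with `Pass` set to `False` on a device that Intune reports as compliant is a good candidate for the conflict review described above.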

Best Practices Before Deploying

🔍 Test on a pilot group

Security Baselines can be strict — test before broad rollout.

🔄 Update to the newest baseline version

Security changes over time. Older baselines may miss protections included in newer Windows builds.

Avoid duplicate or conflicting policies

Using both configuration profiles and baselines for the same setting can cause conflicts. Keep things clean and minimal.
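
One way to catch such overlaps before assigning a baseline is to compare setting inventories across policy sources. The PowerShell below is an added example, not code from this post or from Microsoft; the function name `Find-SettingOverlap` is hypothetical, and every source name, setting label and value is constructed sample data that you would replace with an inventory built from your own policy exports.

```powershell
# Added example: flag settings that more than one policy source configures.
# Every source name, setting label and value here is constructed sample data.

function Find-SettingOverlap {
    [CmdletBinding()]
    param(
        # Flat inventory: one object per (Source, Setting, Value).
        [Parameter(Mandatory)]
        [object[]]$Inventory
    )

    $Inventory | Group-Object -Property Setting | ForEach-Object {
        # Skip settings that only one source touches.
        $sources = @($_.Group.Source | Sort-Object -Unique)
        if ($sources.Count -lt 2) { return }

        # Same value from several sources is redundant; different values conflict.
        $values = @($_.Group.Value | Sort-Object -Unique)
        $status = if ($values.Count -gt 1) { 'Conflict' } else { 'Duplicate' }

        [pscustomobject]@{
            Setting = $_.Name
            Status  = $status
            Detail  = ($_.Group | ForEach-Object { "$($_.Source)=$($_.Value)" }) -join '; '
        }
    }
}

# Constructed inventory: a baseline profile, a configuration profile and a GPO.
$inventory = @(
    [pscustomobject]@{ Source = 'Baseline';   Setting = 'Firewall domain profile'; Value = 'Enabled' }
    [pscustomobject]@{ Source = 'GPO';        Setting = 'Firewall domain profile'; Value = 'Disabled' }
    [pscustomobject]@{ Source = 'Baseline';   Setting = 'SmartScreen';             Value = 'Enabled' }
    [pscustomobject]@{ Source = 'ConfigProf'; Setting = 'SmartScreen';             Value = 'Enabled' }
    [pscustomobject]@{ Source = 'Baseline';   Setting = 'BitLocker OS drive';      Value = 'Required' }
)

Find-SettingOverlap -Inventory $inventory | Format-Table -AutoSize
```

With this sample data the firewall setting is reported as a conflict and SmartScreen as a duplicate, while the BitLocker setting, configured by a single source, is not listed.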

📝 Document your custom changes

If you deviate from Microsoft defaults, ensure your changes are well-documented for audits and troubleshooting.

Conclusion

Deploying the Windows 11 Security Baseline with Intune is one of the fastest, most reliable ways to harden your environment according to Microsoft best practices. With just a few clicks, you can roll out a secure configuration to thousands of devices — without manually setting every policy.

Whether you’re managing a remote workforce, hybrid environment, or brand-new fleet of Windows 11 endpoints, baselines give you a powerful and consistent security foundation.

About the author
Decoge

Decoge is a tech enthusiast with a keen eye for the latest in technology and digital tools, writing reviews and tutorials that are not only informative but also accessible to a broad audience.
