October 12, 2025
Blog
Rolling Out Intune Security Baselines: What We See in the Field
When working with Microsoft Intune across organizations of all sizes, security baselines come up almost daily. Our teams manage security settings for over half a million endpoints across all our customers. Security baselines let us apply Microsoft's recommended security configuration in bulk and keep it current as Windows, Defender, and the other Microsoft products evolve.
What Are Intune Security Baselines?
Security baselines in Intune are more than templates: they are collections of pre-configured device settings that enforce a strong security posture without us having to work out every setting ourselves. Microsoft publishes separate baselines for specific products:
• Windows baseline: Covers core OS settings.
• Defender for Endpoint baseline: Adds advanced threat protection policies.
• Microsoft Edge baseline: Manages browser-related security.
• Microsoft 365 Apps baseline: Locks down Office apps.
• Windows 365 baseline: For securing cloud PCs.
For each customer we choose and tweak the baseline as needed, depending on their compliance requirements and workforce. Baselines are created as profiles in the Intune admin center, assigned to the right groups, and applied by managed devices at their next policy check-in.
TL;DR:
- What Are Intune Security Baselines?
Quick overview of the baseline types and why we use them for mass device management.
- How Security Baseline Management Works
How we deploy, update, and track baselines across more than 500K devices.
- Latest Windows Security Baseline 25H2
What changed in the baseline (Print Spooler user right, NTLM auditing, removal of PowerShell 2.0 and WMIC) and which 25H2 OS features (policy-based Store app removal, Wi-Fi 7, backup and Quick Machine Recovery, energy saver) support it.
- Our Usual Workflow
How we test, roll out, and monitor baselines for customers.
- To Sum It Up
Why moving to the latest security baseline matters for security, compliance, and efficiency.
How Security Baseline Management Works (From Experience)
Once we create a baseline profile, it is assigned to the relevant device or user groups. Updates are part of the routine: when Microsoft releases a new version of a baseline, profiles on the previous version become read-only. We move to the new version either by changing the existing profile's baseline version (Intune offers to keep or discard our setting customizations) or by creating a fresh profile from the new version, then assign it and remove the old profile from the active groups so the two versions never target the same devices. This keeps the fleet consistent and avoids configuration drift.
For big deployments we test updates on a pilot subgroup first, then roll out to production devices in waves. The per-setting and per-device reports in the admin center show which devices are compliant with the baseline or still on the old version, so we can remediate quickly.
Why We Use Baselines—Practical Gains
• Enforce recommended settings at scale without one-off scripts
• One place to manage settings for Windows, Defender, Office, and Edge
• Easy tracking and remediation of compliance gaps
• Simpler audits and reporting
Our Focus: Latest Windows Security Baseline 25H2
Microsoft recently released the Windows 11 security baseline for version 25H2. We’re rolling this update out to many of our customers now. Here’s what’s new and why it matters for daily management:
Key Security Updates in the Windows 11 25H2 Baseline Include:
• Print Spooler user right: The user right Impersonate a client after authentication (SeImpersonatePrivilege) now also grants RESTRICTED SERVICES\PrintSpoolerService, the restricted service identity the Print Spooler runs under, so the spooler can impersonate print clients without broader privileges. Check any custom user-rights policy you layer on top: user-rights settings replace the list rather than merge with it, and a policy that omits this entry can break printing on 25H2.
• NTLM auditing: The baseline turns on NTLM audit settings (audit only; nothing is blocked yet). NTLM authentications are written to the Microsoft-Windows-NTLM/Operational log (event ID 8001 for outgoing and 8002 for incoming NTLM on the client, 8003 on domain controllers), which gives you the inventory you need before moving to Restrict NTLM enforcement and closing off a lateral-movement path.
• Policy-controlled removal of built-in Store apps: A new 25H2 MDM policy lets admins remove selected preinstalled Store apps (Xbox gaming apps, Paint, consumer Outlook and others) on Enterprise and Education editions, which trims provisioning and removes software the device does not need.
• Removal of deprecated components: Windows PowerShell 2.0 and the WMI command-line tool (WMIC) are removed from Windows 11 25H2, the OS this baseline targets. That closes off two legacy tools, but any script or package that still calls wmic or requests the 2.0 engine (powershell -Version 2) will fail, so inventory those callers before the rollout.
• Updated settings for 25H2: The remaining changes track the new Windows 11 25H2 policies, so the baseline keeps covering the OS's current security-related settings.
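The two baseline changes that can bite during a rollout are the removed components and the new NTLM auditing. The script below is an added example for this post (not Microsoft's code and not a script from the original article): a pre-flight check we would run on a pilot device before assigning the 25H2 baseline. It reports whether WMIC and PowerShell 2.0 are still present, scans a script folder for callers that will break on 25H2, and summarises the NTLM audit events so the new visibility actually gets looked at. The script folder, the event cap and the EventData field names are assumptions; verify the field names against a captured event in your tenant.

```powershell
# Added example (not from the original post, not Microsoft's code).
# Pre-flight for the Windows 11 25H2 baseline: removed components, legacy callers, NTLM audit summary.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$ScriptRoot = 'C:\Scripts',   # assumed folder of customer login/maintenance scripts
    [int]$MaxEvents = 5000                # assumed cap on NTLM audit events to read
)

function Test-LegacyComponent {
    # WMIC is a Feature on Demand and PowerShell 2.0 an optional feature on Windows 11;
    # 25H2 removes both, so "NotPresent" is the expected state after the upgrade.
    $wmic = @(Get-WindowsCapability -Online | Where-Object Name -like 'WMIC*')
    $ps2  = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    $wmicState = if ($wmic.Count -gt 0) { $wmic[0].State } else { 'NotPresent' }
    $ps2State  = if ($ps2) { $ps2.State } else { 'NotPresent' }
    [pscustomobject]@{
        WmicCapability = $wmicState
        WmicExeOnDisk  = Test-Path "$env:SystemRoot\System32\wbem\WMIC.exe"
        PowerShell2    = $ps2State
    }
}

function Find-LegacyScriptUsage {
    param([string]$Path)
    # Callers that stop working on 25H2: wmic.exe invocations and explicit requests for the
    # 2.0 engine (powershell -Version 2 / -v 2), which is also a known logging-bypass trick.
    $patterns = @(
        '(?i)\bwmic(\.exe)?\b',
        '(?i)powershell(\.exe)?\s+.*-v(ersion)?\s+2(\.0)?\b'
    )
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.ps1, *.psm1, *.bat, *.cmd, *.vbs |
        Select-String -Pattern $patterns |
        Select-Object Path, LineNumber, Pattern, @{ n = 'Text'; e = { $_.Line.Trim() } }
}

function Get-NtlmAuditSummary {
    param([int]$Max)
    # Once the baseline's NTLM audit settings apply, each NTLM authentication is logged here:
    # 8001 = this device used NTLM toward a remote server (outgoing),
    # 8002 = something authenticated to this device with NTLM (incoming). Audit only.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002
    } -MaxEvents $Max -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Collect EventData by field name; 8001 and 8002 use different field sets, so fall
        # back through candidate names (assumed from the event schema) instead of one layout.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        $proc = @($data['ProcessName'], $data['CallerName']) | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Id      = $e.Id
            Process = $proc
            Target  = $data['TargetName']   # populated for 8001 (outgoing)
            Raw     = $data                 # everything else, for ad-hoc inspection
        }
    }
    $rows | Group-Object Id, Process, Target | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Id_Process_Target'; e = { $_.Name } }
}

$components = Test-LegacyComponent
$scriptHits = @(Find-LegacyScriptUsage -Path $ScriptRoot)
$ntlmTop    = @(Get-NtlmAuditSummary -Max $MaxEvents | Select-Object -First 20)

'== Components removed in 25H2 =='
$components | Format-List
"== Scripts still calling WMIC / PowerShell 2.0: $($scriptHits.Count) =="
$scriptHits | Format-Table Path, LineNumber, Text -AutoSize
'== Top NTLM audit sources (Id, Process, Target) =='
$ntlmTop | Format-Table -AutoSize
```

Run it elevated on a pilot device a few days after the new baseline applies so the NTLM log has data. Scripts the scan flags need to move from wmic to Get-CimInstance and drop the -Version 2 switch before the production waves; the NTLM summary is the list of servers and processes to clean up before anyone flips the Restrict NTLM settings from audit to block.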
Windows 11 25H2 OS Features Supporting Baseline Security Enhancements
• Wi-Fi 7 enterprise support: Managed devices can use the newest wireless generation (higher throughput, better reliability, current wireless security standards) on enterprise networks.
• Windows Backup and Quick Machine Recovery: Quick Machine Recovery lets a device that fails to boot fetch a remediation from the Windows Recovery Environment, and Windows Backup covers settings and files, which cuts downtime and hands-on recovery work.
• Energy Saver and taskbar management: New MDM policies for Energy Saver and taskbar behavior give us control over resource use and the user experience without extra scripts.
• AI-assisted features and privacy updates: The new AI features ship with corresponding privacy controls, which makes them easier for users to accept on devices that also take the baseline.
Our usual workflow looks like this:
• Review new baseline changes when Microsoft publishes them.
• Create a new profile in Intune for the baseline, evaluate Microsoft’s defaults, tweak for business needs.
• Test with a pilot group, check compliance results and device behavior.
• Roll out to production in phases, monitoring for issues.
• Track compliance and remediate any drift.
With every baseline update, we communicate changes to customer IT teams, especially when new features (or removed ones) might affect user experience or compliance reporting.
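The version-and-assignment steps described above (create the profile on the new version, assign it to a pilot group, find and unassign profiles still on the old version) can be scripted against the Graph API. The following is an added example for this post, not Microsoft's code and not our production tooling: it inventories every security-baseline profile in the tenant with its template version and assigned groups, flags profiles on an older version of the same baseline that still carry assignments, and assigns the new profile to a pilot group. It assumes the Microsoft.Graph PowerShell module, the beta endpoint, and placeholder names for the profile and the pilot group.

```powershell
# Added example (not from the original post, not Microsoft's code).
# Inventory security-baseline profiles, flag stale versions, assign the new profile to a pilot group.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$NewProfileName = 'Win11 25H2 Baseline - Prod',            # assumed name of the profile built from the 25H2 baseline
    [string]$PilotGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder Entra group object ID
)
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

function Get-BaselineProfiles {
    # Security baselines are settings-catalog policies whose templateFamily is 'baseline'.
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' +
           "?`$filter=templateReference/templateFamily eq 'baseline'&`$expand=assignments"
    $policies = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $policies += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    foreach ($p in $policies) {
        $groups = @($p.assignments | ForEach-Object {
            # Group targets carry a groupId; all-devices/all-users targets only carry a type.
            if ($_.target.groupId) { $_.target.groupId }
            else { $_.target.'@odata.type' -replace '^#microsoft\.graph\.', '' }
        })
        [pscustomobject]@{
            Id       = $p.id
            Name     = $p.name
            Template = $p.templateReference.templateDisplayName
            Version  = $p.templateReference.templateDisplayVersion
            Groups   = $groups -join ', '
            Modified = $p.lastModifiedDateTime
        }
    }
}

function Set-BaselineAssignment {
    param([string]$PolicyId, [string[]]$IncludeGroupIds, [string[]]$ExcludeGroupIds = @())
    # The assign action replaces the profile's whole assignment list, so every group that
    # should stay assigned must be passed again, not only the group being added.
    $targets = @()
    $targets += $IncludeGroupIds | ForEach-Object {
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $_ } } }
    $targets += $ExcludeGroupIds | ForEach-Object {
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $_ } } }
    $body = @{ assignments = $targets } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$PolicyId/assign"
}

$profiles = Get-BaselineProfiles
'== Baseline profiles in tenant =='
$profiles | Sort-Object Template, Version | Format-Table Name, Template, Version, Groups -AutoSize

$new = $profiles | Where-Object Name -eq $NewProfileName
if (-not $new) { throw "Profile '$NewProfileName' not found; create it from the latest baseline version first." }

# Profiles of the same baseline on another version that still have assignments are the
# ones to unassign once the new profile has reached their groups; two versions on one device = drift.
$stale = $profiles | Where-Object { $_.Template -eq $new.Template -and $_.Version -ne $new.Version -and $_.Groups }
"== Older '$($new.Template)' profiles still assigned =="
$stale | Format-Table Name, Version, Groups -AutoSize

# Wave 1: pilot group only. Later waves call this again with the pilot plus the next groups.
Set-BaselineAssignment -PolicyId $new.Id -IncludeGroupIds @($PilotGroupId)
"Assigned '$($new.Name)' (version $($new.Version)) to pilot group $PilotGroupId"
```

Because the assign action overwrites the assignment list, each wave re-sends the full set of groups rather than appending. Remove the pilot group from the old-version profile in the same change window so no device receives both versions.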
To sum it up:
Deploying Intune security baselines is one of the most efficient ways we keep our customers' endpoints secure and compliant, especially in environments with tens or hundreds of thousands of devices. Staying current with the latest baseline, Windows 11 25H2 today, keeps us compliant and brings productivity and IT-efficiency gains as well.