Intune Security Policies – Which to apply where?

One question I’m often asked is around security policies within Intune, where to set them and why can they be set in so many different places?

Before I start on what I prefer, there is no right or wrong answer for this one, ultimately they are all changing the same files/registry keys so it is personal preference. I would also suggest watching the excellent AMA from Microsoft on the subject here

So, what are the options:

  1. Standard policies within Device Configuration (device restrictions, settings catalog etc.)
  2. Security Baselines
  3. Setting policies within their individual security blades

The one thing to note is DO NOT set the same setting in two different policies or they’ll conflict on both policies, even if the setting value is the same.

Let’s look at the Pros and Cons of each one:

Standard Policies

The traditional way of managing settings within Intune, simply hop into Devices – Device Configuration and create a policy. For security settings this will be a mix of a Settings Catalog, Device Restrictions and possibly some Administrative Template based settings if you’re still working with Internet Explorer (for example)

These are what we are all used to and with the recent updates we even get the nice Settings Catalog style view on all of the policies with an overview of how they are working:

It looks nice and works nicely, but does have a couple of drawbacks:

Firstly, if you want to delegate access to your Security team, you’re going to need to start playing with Scope tags (have a read here if you’re not familiar), or give them read-only to everything.

Secondly, they aren’t centrally updated like the Baselines (more to follow)

Thirdly, you don’t have buttons to fix any issues with AV signatures etc. (again, more to follow)

If these don’t bother you and you want to stick to one page for all policies, setting them here is perfectly acceptable.

Security Baselines

Introduced back in 2020, Security Baselines are:

Security baselines are groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles.

Accessible via the Endpoint Security Menu, Windows Security Baselines gives a long list of settings which you can simply switch on or off (and it is a long list)

The one key advantage of these is that Microsoft update them centrally with new settings and to apply the new settings it is as simple as changing the version:

It’s worth noting that when a new version is released, any current policies will switch into Read-Only mode until the version has been updated. They will continue to apply to devices, but you can’t change them.

If you are starting out on your Intune journey, these are an excellent starting point and even now I use a custom baseline to catch some settings not picked up elsewhere.

The drawbacks to a baseline:

  1. It hasn’t received the updated overview yet
  2. There are a LOT of settings, if you get conflicts or errors, make use of the Arrange by buttons on the columns
  3. You can’t remediate issues within the Baseline policies
  4. If a setting has options of Configured or Not Configured, changing a setting which was previously Configured to Not Configured will NOT revert on the devices. It simply stops sending any commands for that setting. If you apply a setting and it causes issues, the only way to revert is to start digging in the registry (or rebuild)

Security Blade Policies

A relatively new feature within Intune are the specific security policies within the Endpoint Security blade which contains the usual suspects as well as a few newer options:

One of the key advantages here is that you can delegate permissions to this section only via either the Endpoint Security Manager role, or a custom role with access to Security Baselines and Security Tasks which will please a security team, but without having to give them full access to everything.

Some of these newer options include:

Setting local admins on devices by Group:

And blocking devices/device services:

What I like about these is the overview screen where you can quickly spot any issues and remediation actions

You then have options to remediate the issue:

These policies don’t cover all settings though, they are my preferred method of deploying, but I tend to mix and match with Security Baselines as well.

If you do go down this route, these are the policy settings to miss on a baseline to avoid a conflict

  • Bitlocker
  • Browser (I use the Edge baseline)
  • Firewall
  • Microsoft Defender

If you want a copy of my baseline, it is on Github


As mentioned at the start, there is no right or wrong way to apply these policies, but hopefully this will help in the decision making.

Posted in Intune