What Does Endpoint security baseline Mean?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
An endpoint security baseline is a list of essential security settings that every device on a network must follow. Think of it as a checklist that ensures each computer, tablet, or phone has basic protections like firewalls, antivirus, and encryption turned on. It helps organizations reduce risk by making sure no device is left vulnerable.
Common Commands & Configuration
New-IntuneSecurityBaseline -Name "Windows 11 Security Baseline v1.0" -Description "Baseline for all managed endpoints" -TemplateId "9348e6a7-1234-5678-9abc-def012345678" -AssignmentGroupId "group-id-123"Creates a new security baseline policy in Microsoft Intune for Windows 11 using a specific template ID, assigning it to a device group. This is used when rolling out a baseline to endpoints managed by Intune.
MD-102 and MS-102: Tests understanding of creating baseline policies programmatically via PowerShell. The template ID must match a known baseline version. Know how to retrieve template IDs using Get-IntuneSecurityBaselineTemplate.
aws configservice put-config-rule --config-rule file://ec2-baseline-rule.jsonDeploys a custom AWS Config rule defined in a JSON file to enforce a specific baseline configuration, such as requiring all EC2 instances to have termination protection enabled or a specific AMI ID.
AWS SAA: Tests ability to automate baseline compliance using AWS Config. The JSON file should include the rule name, scope (e.g., EC2 instances), and source identifier for the Lambda function.
Set-MpPreference -DisableRealtimeMonitoring $falseEnables real-time monitoring for Microsoft Defender Antivirus. This command ensures the endpoint security baseline's requirement for active antimalware protection is met.
MD-102 and Security+: Tests knowledge of PowerShell cmdlets for managing Defender settings. This cmdlet is often used in remediation scripts when a baseline detects that real-time protection is off.
auditpol /set /subcategory:"Logon" /success:enable /failure:enableConfigures advanced audit policy to log both successful and failed logon attempts. This is part of a security baseline to ensure visibility into authentication events.
Security+ and CySA+: Tests understanding of auditing configuration. Know that this policy is applied via 'auditpol' or GPO. The exam may ask which command enables logon auditing.
aws inspector create-assessment-template --assessment-template-name CIS-Baseline-Check --duration-in-seconds 3600 --rules-package-arns arn:aws:inspector:us-east-1:123456789012:rulespackage/0-SomeCISIdCreates an AWS Inspector assessment template that runs a CIS baseline check on endpoints for a duration of 3600 seconds (1 hour). Used to scan for baseline compliance.
AWS SAA: Tests understanding of Inspector's role in baseline compliance. Know the concept of rules packages (e.g., CIS, Common Vulnerabilities and Exposures).
Get-GPResultantSetOfPolicy -User "domain\username" -Computer "computer-name" -ReportType HTML -Path "C:\reports\baseline-report.html"Generates a RSoP (Resultant Set of Policy) report for a specific user and computer, showing which Group Policy settings (including baseline policies) are applied.
MD-102 and Security+: Tests the ability to verify baseline application. The exam may ask which tool or command to use when a device is not adhering to the baseline and you need to see effective policies.
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "AUOptions" -Value 4 -PropertyType DWordForces automatic update configuration to 'Auto install and restart' via registry. This ensures the endpoint baseline for patch management is enforced.
MD-102 and Security+: Tests registry-based configuration of Windows Update. This is a common way to set baseline patch policy when Group Policy is not available.
Must Know for Exams
Endpoint security baselines appear across many IT certification exams because they are a foundational concept in both security and device management.
For CompTIA Security+ (SY0-601), the concept is directly covered under Domain 3 (Implementation), Objective 3.2: Given a scenario, implement security configuration baselines. The exam expects you to know the types of hardening techniques that go into a baseline, such as disabling unnecessary ports, enabling encryption, and applying patches. Questions often present a scenario where you must choose the best baseline configuration for a specific device type.
For CompTIA CySA+ (CS0-002), baselines are important for monitoring and detection. The exam covers how to establish performance and security baselines for network traffic, system logs, and user behavior. You may be asked to identify which baseline violation indicates a compromise, such as a spike in outbound traffic from a workstation that normally has very low traffic.
For AWS Solutions Architect Associate (SAA-C02, SAA-C03), the concept appears in the context of AWS Config and AWS Security Hub. You need to understand how to use AWS managed rules to enforce a security baseline on EC2 instances, S3 buckets, and IAM roles. Questions may ask what rule to enable to ensure that all EBS volumes are encrypted (a baseline requirement) or that security groups do not allow unrestricted inbound access.
For Microsoft MD-102 (Modern Desktop Administrator), the baseline is a core topic. You are required to know how to configure and manage security baselines using Microsoft Intune, specifically the built-in security baselines for Windows 10/11, Microsoft Edge, and Microsoft Defender for Endpoint. Exam questions ask about selecting the right baseline settings for different device roles, deploying baselines to groups, and troubleshooting compliance.
For Microsoft SC-900 (Security, Compliance, and Identity Fundamentals), the baseline is introduced as part of the security management capabilities in Microsoft 365. Questions might ask which Microsoft 365 tool is used to apply security baselines (Microsoft 365 Defender or Intune).
For Microsoft AZ-104 (Azure Administrator), baselines are part of governance and compliance using Azure Policy. You need to know how to create policy definitions that enforce baseline settings, like requiring VM extensions for antimalware or encrypting storage accounts.
For Microsoft MS-102 (Microsoft 365 Administrator), the role includes managing security baselines across the entire Microsoft 365 tenant, including Exchange Online, SharePoint, and Teams. The exam tests your ability to assess compliance with baselines using the Microsoft Secure Score feature.
For ISC2 CISSP, baselines fall under the Asset Security domain (Domain 2) and Security Operations (Domain 7). You must understand that baselines are a key part of asset management and secure provisioning. Questions may ask what document defines the minimum security configurations for an organization's endpoints.
In all these exams, you must be careful not to confuse a baseline with a full security policy. The baseline is the specific technical settings, while the policy is the higher-level document that states the requirements. Another common trap is thinking that once a baseline is set, it never changes; baselines must be updated regularly.
Simple Meaning
Imagine you are a landlord renting out apartments in a big building. To keep everyone safe, you decide that every apartment must have a working smoke detector, a deadbolt lock on the front door, and a fire extinguisher in the kitchen. These are the minimum safety requirements. An endpoint security baseline works exactly the same way, but for computers and other devices on a company network.
Each device, whether it is a laptop used by an employee working from home or a server in a data center, needs a set of basic security measures. These measures might include turning on a firewall to block unwanted internet traffic, installing antivirus software to catch malicious programs, requiring passwords or fingerprints to log in, and encrypting data so that if the device is lost or stolen, the information cannot be read.
Without a baseline, devices can have very different levels of protection. One employee might have strong antivirus and automatic updates, while another might have turned off the firewall to make a game run faster. That second device becomes a weak spot that attackers can use to break into the whole network. The baseline ensures that every device meets at least the same minimum standard.
In practice, IT teams create a baseline by choosing a list of settings and then using tools to apply those settings automatically to all devices. They might also check regularly to make sure no one has changed the settings. If a device does not meet the baseline, it might be blocked from accessing company resources until it is fixed.
So, an endpoint security baseline is like a rulebook for safety that every device must follow. It stops small problems from becoming big disasters by making sure no device is left unguarded.
Full Technical Definition
An endpoint security baseline is a documented, repeatable set of mandatory security configurations and controls applied to endpoint devices such as workstations, laptops, mobile devices, and servers. The baseline establishes a minimum security posture that all endpoints must meet to be compliant with organizational policy and, often, regulatory requirements. Baselines are derived from industry standards and frameworks, including the Center for Internet Security (CIS) Benchmarks, National Institute of Standards and Technology (NIST) Special Publication 800-53, and vendor-specific hardening guides from Microsoft, Apple, Linux distributions, and cloud providers like AWS and Azure.
From a technical perspective, an endpoint security baseline typically includes configurations in several categories:
Access Control: This includes requirements for strong password policies, multi-factor authentication (MFA), account lockout thresholds, and disabling local administrator accounts unless absolutely necessary. For example, a baseline might require that all user accounts have passwords at least 12 characters long and that MFA is enabled for any account with administrative privileges.
Operating System Hardening: This involves disabling unnecessary services, ports, and protocols. For example, the baseline might disable legacy protocols like SMBv1, Telnet, and FTP, and ensure that only required network ports are open. It also includes enabling security features such as Windows Defender Firewall, Microsoft Defender for Endpoint, or Linux iptables/UFW.
Application and Software Controls: The baseline specifies which software is allowed to run, often using application whitelisting or software restriction policies. It also requires that all software is kept up to date with security patches. For example, a baseline might state that only approved browsers (like the latest version of Chrome or Edge) can be used and that all third-party software must be from a trusted source.
Data Protection: Encryption is a key component. The baseline mandates full-disk encryption (like BitLocker on Windows or FileVault on macOS) for all devices. It also includes requirements for data loss prevention (DLP) policies, such as blocking the copying of sensitive files to USB drives.
Network Security: This includes configuration of host-based firewalls, VPN requirements, and network segmentation. For instance, a baseline might require that devices connect to the corporate network only through a VPN with strong encryption (IPsec or TLS) and that the host firewall blocks inbound connections by default.
Monitoring and Logging: The baseline defines what security events must be logged (e.g., failed logins, user account changes, application crashes) and how logs must be transmitted to a central security information and event management (SIEM) system. It also specifies that endpoint detection and response (EDR) agents must be installed and running.
Patch Management: Devices must automatically install critical and important security updates within a defined timeframe, often 48 hours for critical patches. This includes operating system updates, firmware updates, and updates for third-party applications like Java, Adobe Reader, and web browsers.
Implementation is typically automated using group policy objects (GPO) in Active Directory, Microsoft Intune or Microsoft Endpoint Configuration Manager for Windows devices, JAMF for macOS, and configuration management tools like Ansible, Puppet, or Chef for Linux and cloud workloads. Cloud platforms like AWS and Azure also offer baseline compliance features, such as AWS Config rules and Azure Policy, which can automatically enforce baseline settings on virtual machines and other services.
Compliance is verified through regular scanning and reporting. Tools like Microsoft Defender for Cloud, Qualys, Tenable Nessus, and open-source scanners like OpenSCAP evaluate each endpoint against the baseline and report non-compliant settings. Devices that fall out of compliance may be automatically quarantined or have their network access restricted until remediation occurs.
The baseline is not static. It must be reviewed and updated as new threats emerge, new patches are released, and as the organization's infrastructure evolves. A change management process should govern updates to the baseline to ensure that changes do not break critical applications but still address current threats.
Real-Life Example
Think of an endpoint security baseline like the safety checklist that a pilot goes through before every flight. Before an airplane takes off, the pilot and co-pilot follow a printed checklist that includes dozens of items: check the fuel level, test the controls, ensure the landing gear is down, verify the altimeter, confirm the radio is working, and so on. They do not skip any step, even if they have flown the same plane hundreds of times. That checklist is the baseline.
Now imagine an airline that has many planes. If one pilot decides that checking the landing gear is optional because the plane has never had a problem, that plane could land with the gear up, causing a disaster. The checklist makes sure every plane is safe before it leaves the ground.
In the IT world, an endpoint security baseline is that same pre-flight checklist for every device. The checklist includes items like: is the firewall turned on? Is the antivirus software installed and running? Are all security patches up to date? Is encryption enabled? Is the device password-protected?
Just like the pilot cannot take off without completing the checklist, in many organizations a device cannot connect to the network until it proves it meets the baseline. This is called Network Access Control (NAC). The device is scanned, and if it fails any items, it is sent to a quarantine network where it can get updated or fixed before it is allowed full access.
The pilot analogy also highlights that the checklist must be followed every time. A device that was compliant at the start of the day might become non-compliant if a user disables the firewall or installs a risky application. Continuous monitoring is needed, just like the pilot continues to check systems throughout the flight.
Finally, the checklist must be updated as new risks appear. If the aviation authority discovers a new issue with a plane component, they update the checklist. Similarly, when a new zero-day vulnerability emerges, the baseline is updated to require the latest patch or configuration change. This keeps the organization prepared for evolving threats.
Why This Term Matters
In modern IT environments, endpoints are the primary target for cyberattacks. Ransomware, phishing, and malware often start by compromising a single laptop or phone. Without a security baseline, each device is protected only as well as the user or local administrator decides. This inconsistency creates gaps that attackers can exploit.
A baseline gives organizations a consistent, defendable minimum security posture. It reduces the attack surface by ensuring that every device has basic protections in place. This is especially important for remote work, where devices are outside the corporate network and may connect to public Wi-Fi or untrusted environments.
Baselines also simplify compliance. Regulations like GDPR, HIPAA, and PCI-DSS require companies to implement security controls. A well-documented baseline provides evidence that the organization has taken reasonable steps to protect data. Auditors ask for these documents, and without them, companies risk fines and reputational damage.
From a practical standpoint, baselines make IT management easier. Instead of configuring each device manually, administrators apply a standard configuration to hundreds or thousands of machines using automated tools. This saves time and reduces human error. When a security incident occurs, responding is faster because the administrators know exactly what the baseline settings are, so they can quickly identify anomalies.
Finally, a baseline is essential for threat detection. Most security tools, like EDR and SIEM, compare endpoint behavior against a known good state. If the baseline is defined, deviations from it can be flagged as suspicious. Without a baseline, it is very hard to distinguish normal activity from malicious activity.
How It Appears in Exam Questions
Exam questions about endpoint security baselines typically fall into four categories: scenario selection, configuration steps, compliance evaluation, and troubleshooting.
Scenario-based questions: These present a business requirement or security incident and ask you to recommend the best baseline setting. For example, a company wants to ensure that all laptops used by traveling salespeople have full-disk encryption and a host firewall. The answer would involve configuring BitLocker and Windows Defender Firewall as part of the endpoint security baseline. Another scenario might describe a breach that occurred because a user disabled automatic updates, and the question asks which baseline setting would have prevented it.
Configuration questions: In exams like MD-102 or AZ-104, you might be given a list of steps and asked to arrange them in the correct order to deploy a security baseline via Intune or Group Policy. For instance, first create the baseline profile, then assign it to a group of devices, then monitor compliance using the compliance dashboard. These questions test your familiarity with the specific tool's interface and workflow.
Compliance evaluation questions: These present a report showing that some devices are non-compliant with the baseline. You are asked to determine the likely cause. For example, a device might show that antivirus is not running because the user tampered with the service. The correct answer is to enforce the baseline with a remediation script that automatically restarts the service on non-compliant devices.
Troubleshooting questions: A common question in security exams is: 'An administrator deploys a security baseline to all workstations, but users report that a critical business application no longer works. What is the most likely issue?' The answer is typically that the baseline disabled a service or port that the application requires. The solution is to create a warning or exception in the baseline for that specific application.
Another pattern in CySA+ and CISSP is to ask: 'What is the primary purpose of establishing a security baseline for endpoints?' The correct answer is to establish a consistent security posture across all systems. Distractors might include increasing system performance or reducing maintenance costs, which are secondary benefits at best.
Practise Endpoint security baseline Questions
Test your understanding with exam-style practice questions.
Example Scenario
Scenario: GreenLeaf Corp is a mid-sized company with 500 employees. Most employees use Windows 10 laptops provided by the company. Recently, a malware infection spread through the network because one employee's laptop did not have the latest antivirus definitions. The IT manager decides to implement a security baseline.
The baseline includes: - All laptops must have Windows Defender Antivirus running with real-time protection enabled. - Automatic updates for Windows and Microsoft Office must be turned on. - BitLocker full-disk encryption must be enabled. - The built-in Windows Firewall must be active, blocking all inbound connections except those required for file sharing. - Unnecessary services like Remote Registry and Telnet must be disabled. - Users must not have local administrator privileges.
The IT team uses Microsoft Intune to create a security baseline policy. They assign the policy to all devices in the 'Windows Laptops' group. Within a few hours, the baseline is applied. The compliance dashboard shows that 10 devices are non-compliant because they have BitLocker disabled. The IT team investigates and finds that those laptops are older models that do not have a Trusted Platform Module (TPM) chip. The team updates the baseline to require BitLocker only on devices with TPM 2.0 and to use a password-based encryption method on older devices. After this change, all devices are compliant. The company now has a consistent security posture, and the risk of another malware outbreak is significantly reduced.
Common Mistakes
Believing that a baseline is a one-time setup that never needs updating.
Threats evolve, software updates change default settings, and new vulnerabilities are discovered regularly. A baseline that is not updated becomes outdated and leaves endpoints exposed.
Schedule regular reviews of the baseline, at least quarterly, and whenever a major vulnerability is disclosed that requires a new configuration change.
Thinking that a baseline should include every possible security setting to be effective.
Overly restrictive baselines can break needed applications and frustrate users. Users may then find ways to bypass the controls, creating a false sense of security.
Focus on the most critical settings that address the most common threats. Involve application owners in the baseline creation to ensure compatibility.
Assuming all endpoints must have the same baseline regardless of their role.
A server in a data center has different security requirements than a mobile salesperson's laptop. A single baseline may be too restrictive for some endpoints and too permissive for others.
Create multiple baseline profiles based on device type and role, such as 'User Workstation,' 'Server,' 'Mobile Device,' and 'Kiosk.' Apply the appropriate profile to each group.
Confusing a security baseline with a security policy or standard.
A policy is a high-level document that states what must be protected and why. A baseline is the specific technical configuration that implements that policy. They are different artifacts.
Use a layered approach: write a security policy, then create a standard that specifies the baseline configurations, and finally implement the baseline using technical controls.
Relying only on manual configuration to enforce the baseline.
Manual configuration is error-prone and time-consuming. It also does not scale to large environments and cannot easily enforce continuous compliance.
Use automated tools like Group Policy, Microsoft Intune, Azure Policy, or configuration management software (Ansible, Puppet, Chef) to deploy and monitor the baseline.
Exam Trap — Don't Get Fooled
{"trap":"Selecting a baseline setting that only increases performance or user convenience rather than security.","why_learners_choose_it":"Exam questions sometimes include a distractor that sounds like a good idea, such as disabling unnecessary services to speed up the computer. While disabling unneeded services can be part of a baseline, the primary goal is security, not performance.
Learners may pick this option because they see 'disable unnecessary services' as a security hardening step, but the question might present it as a performance improvement, which is not the main purpose.","how_to_avoid_it":"Always read the question carefully to determine what is being asked. If the question is about improving security, choose the option that directly closes a vulnerability or reduces the attack surface.
If the question explicitly asks for a performance benefit, then the performance-related answer might be correct. Understand that while some baseline settings may have side benefits, their primary intent is security."
Commonly Confused With
A security policy is a high-level document that outlines an organization's security goals, responsibilities, and rules. An endpoint security baseline is a specific set of technical configurations that implement the requirements of a security policy. The policy says 'we require encryption,' while the baseline says 'use BitLocker with AES-256 encryption.'
Think of the security policy as the law that says 'all buildings must have fire safety measures.' The baseline is the detailed code that specifies 'every floor must have a sprinkler system with a specific water pressure.'
A security standard is a set of criteria that an organization uses to measure compliance, often derived from industry frameworks like ISO 27001 or NIST. A baseline is a specific configuration that meets the standard. The standard might require 'multifactor authentication for all privileged accounts,' and the baseline would specify using a specific authenticator app and requiring a PIN.
The standard is the recipe: 'you must bake a cake that rises at least 3 inches.' The baseline is the exact list of ingredients and oven temperature that consistently gives you that result.
A system hardening guide is a document that lists recommended security settings for a specific operating system or application, often published by the vendor or a security organization like CIS. An endpoint security baseline is an organization's custom selection and enforcement of certain settings from such guides. The guide is a resource; the baseline is the mandatory policy.
A woodworking guide shows many ways to build a chair, but the baseline is the specific design and materials you require for all chairs in your restaurant to ensure they are safe and consistent.
A compliance baseline is a broader concept that can include security, regulatory, and operational requirements, such as ensuring data retention policies are followed. An endpoint security baseline focuses specifically on the technical security posture of individual devices. Compliance baselines often encompass multiple endpoint baselines.
A compliance baseline for a bank might include, 'all teller computers must log transactions and encrypt data.' That is one endpoint security baseline inside a larger compliance framework that also includes physical security and employee training.
Step-by-Step Breakdown
Identify requirements
Start by understanding the organization's security policy, regulatory obligations (like GDPR or HIPAA), and the specific threats the endpoints face. This step defines what needs to be protected and to what level.
Select a baseline framework
Choose an established baseline framework such as CIS Benchmarks, Microsoft Security Baselines, or NIST guidelines. These provide tested, best-practice configurations that can be adapted to your environment.
Adapt the baseline to your environment
Adjust the selected framework to fit your organization's specific needs. For example, you might allow a certain port for a legacy application or exclude a specific device type that cannot support encryption. Document all deviations.
Create the baseline document
Write a clear document that lists every configuration setting, the expected value, and the rationale. This serves as the reference for implementation and future audits. Include version number and date.
Define groups and scope
Divide endpoints into groups based on role (e.g., workstations, servers, mobile devices). Each group may have a slightly different baseline. Define which devices need which baseline profile.
Implement the baseline using automation
Use tools like Group Policy, Intune, Azure Policy, or configuration management software to apply the baseline settings to all devices in the defined groups. Automate deployment to ensure consistency and speed.
Monitor compliance
Set up regular scanning or continuous monitoring to check that devices remain compliant with the baseline. Use tools that generate reports and alert you when a device falls out of compliance.
Remediate non-compliance
When a device is found to be non-compliant, take action. This could be automatic (e.g., reapply the baseline settings) or manual (e.g., quarantine the device). Ensure a clear escalation process.
Review and update the baseline
Schedule periodic reviews of the baseline to incorporate new security patches, address emerging threats, and remove obsolete settings. Update the baseline document and reapply to all devices.
Practical Mini-Lesson
In a practical IT environment, an endpoint security baseline is not just a theoretical construct; it is an operational necessity. As a professional, your job is to balance security with usability. If the baseline is too strict, users will find ways around it, like running their own unmanaged devices or disabling protections. If it is too lax, attackers will exploit the gaps.
Start by evaluating your organization's risk posture. A financial institution handling sensitive customer data needs a stricter baseline than a small marketing agency. Consider the sensitivity of the data that endpoints access. Use industry frameworks like the CIS controls as a starting point, but always test the configurations in a lab before rolling them out broadly. Some settings, like disabling macros in Office documents, can block legitimate workflows and cause help desk calls.
Deployment is where many baselines fail. Manual installation on hundreds of devices is impossible to maintain. You must use automation. In Microsoft environments, Group Policy is the traditional tool, but Intune is increasingly used for modern management, especially for remote devices that are not domain-joined. For macOS, JAMF Pro is common. For Linux servers, tools like Ansible or Puppet allow you to define the desired state and enforce it.
Once deployed, you need visibility. Use a tool like Microsoft 365 Defender or Azure Security Center to see a compliance score and identify which devices are falling out of compliance. Pay attention to the 'drift', devices that were compliant but have changed over time due to user actions or software updates. You can use Azure Policy with 'DeployIfNotExists' effect to automatically correct drift without manual intervention.
What can go wrong? A badly configured baseline can break critical applications. For example, if the baseline disables PowerShell execution, a security tool that depends on PowerShell will stop working. Always have a rollback plan and a change management process. Another common issue is that the baseline may conflict with other policies, such as a security baseline that disables SMBv1 while a legacy application requires it. In such cases, you must either update the application or create an exception with compensating controls, such as network segmentation.
Finally, remember that a baseline is a living document. When a new zero-day vulnerability is announced, your baseline may need to be updated within hours. For example, if a vulnerability in a common software component is discovered, the baseline should require the immediate installation of the patch. Having an agile process for updating baselines is essential for effective security.
Defining Endpoint Security Baseline and Its Critical Role in Governance
An endpoint security baseline is a formally documented set of minimum security configurations and controls that must be applied to all endpoints-such as workstations, servers, laptops, and mobile devices-within an organization's IT environment. This baseline serves as the foundational security posture from which all deviations are measured and managed. It is not a one-time checklist but a living document that evolves as threats, compliance requirements, and technology change.
From an exam perspective, particularly for certifications like CompTIA Security+, ISC2 CISSP, and AWS SAA, the endpoint security baseline is a core concept in risk management and security governance. It answers the question: 'What is the minimum acceptable level of security for every device that accesses corporate resources?'
The importance of a security baseline cannot be overstated. Without it, organizations experience configuration drift, where endpoints slowly deviate from secure settings due to user changes, software updates, or administrative oversight. This drift often leads to exploitable vulnerabilities. For example, a single endpoint that lacks a critical patch or has an outdated antivirus definition can become the entry point for ransomware or data exfiltration.
In cloud and hybrid environments, such as those tested in AZ-104 and MS-102, baselines extend to virtual machines, Azure Arc-connected servers, and Intune-managed devices. The baseline ensures that even ephemeral or auto-scaled resources meet security standards from the moment they are provisioned. This is directly tied to concepts like Azure Policy, AWS Config rules, and Microsoft Defender for Cloud's secure score.
A well-designed baseline typically covers: account policies (password length, lockout thresholds), patch management requirements, antivirus/antimalware configurations, firewall rules, disk encryption (e.g., BitLocker), application whitelisting or blacklisting, and user privilege controls. It also includes logging and monitoring requirements, such as ensuring that security events are forwarded to a SIEM.
For exam takers, understanding that a security baseline is a control standard, not a tool, is crucial. Questions often ask where baselines should be applied-for example, 'Should a security baseline be applied to legacy systems?' The answer is yes, but with exceptions formally documented and approved through a risk acceptance process. This aligns with the CISSP domain of security and risk management and the CySA+ domain of compliance and assessment.
baselines are integral to continuous monitoring. Tools like Microsoft Defender for Endpoint, AWS Inspector, and security configuration management (SCM) tools compare current configurations against the baseline and generate compliance reports. Automated remediation can enforce the baseline, reverting unauthorized changes. This concept is tested heavily in MS-102 and MD-102, especially when configuring compliance policies in Intune.
the endpoint security baseline is the bedrock of endpoint security. It reduces the attack surface, enables consistent management, supports compliance with regulations like HIPAA and PCI DSS, and provides a measurable standard for audits. Every administration and security candidate must be able to define, justify, and apply a baseline in both on-premises and cloud contexts.
Creating and Managing Endpoint Security Baselines with Microsoft Intune (MD-102, MS-102)
Microsoft Intune is the primary tool for endpoint management in modern Microsoft-centric environments. Its endpoint security baselines are pre-configured groups of security settings derived from industry best practices, including Microsoft's own security teams and guidance from the Center for Internet Security (CIS). These baselines are directly relevant to the MD-102 (Microsoft Endpoint Administrator) and MS-102 (Microsoft 365 Administrator) exams, where candidates must understand how to deploy, customize, and monitor baseline policies.
When you navigate to the Microsoft Intune admin center, under 'Endpoint security' > 'Security baselines', you will see available baselines such as 'Microsoft Defender for Endpoint Protection', 'Microsoft Edge Baseline', and 'Windows 10 and later Security Baseline'. Each baseline contains hundreds of settings categorized into groups like 'Application Control', 'BitLocker', 'Firewall', 'Windows Defender Antivirus', and 'Attack Surface Reduction Rules'.
To create a baseline policy, an administrator selects the desired baseline version, assigns it to device groups (dynamic or static), and configures settings to either 'Allowed', 'Required', or 'Not configured'. Crucially, Intune allows the use of 'Not configured' to avoid overwriting user customizations that are acceptable to the organization. This granularity is a common exam point. For example, a question may ask: 'What setting in a security baseline will ensure that BitLocker is enabled on all managed devices?' The answer is to set the 'Require Device Encryption' option to 'Yes'.
Versioning is a key concept. Baselines are updated periodically as new threats emerge and new security features are added. Intune provides a version history, and administrators must often migrate from older baseline versions to new ones. If a device is assigned to multiple baselines with conflicting settings, the most restrictive setting wins by default-but this can be overridden using custom policies. This is a frequently tested nuance in MD-102.
Monitoring baseline compliance is done through the 'Device Compliance' section in Intune. Devices that fail baseline checks are flagged, and administrators can configure automated actions, such as sending a notification, blocking access to corporate resources, or triggering a remediation script. Conditional access policies (tested in SC-900 and AZ-104) can then be configured to enforce compliance. For instance, a Conditional Access policy might require a device to be compliant with the security baseline before granting access to Exchange Online.
Another important aspect is the difference between 'Baselines' and 'Policies for Endpoint Security'. Baselines are broader and more stringent, while policies can be fine-tuned. The exam often asks when to use one over the other. Use baselines when you need a comprehensive, standardized security posture across many devices. Use custom endpoint security policies for specific workloads or when you need to test a new configuration on a small subset of devices.
Finally, the integration with Microsoft Defender for Cloud is vital. Baselines exported to Defender for Cloud provide a unified view of compliance across on-premises, AWS, and Azure workloads. This is explicitly covered in MS-102 and AZ-104 as part of multicloud security management. If you are studying for these exams, practice creating a baseline policy in a lab environment-the hands-on experience of assigning groups, configuring settings, and verifying compliance reports is invaluable.
Implementing Endpoint Security Baselines Using AWS Config and AWS Inspector (AWS SAA)
In the AWS ecosystem, endpoint security baselines are implemented primarily through AWS Config rules and AWS Inspector, both of which are integral to the AWS Solutions Architect Associate (SAA-C03) exam. Unlike Intune's direct device management, AWS treats endpoints as EC2 instances, on-premises servers via AWS Systems Manager, or containers. The baseline is not a single policy document but a collection of rules and assessments that continuously evaluate the configuration of these resources against best practices.
AWS Config is a service that records resource configurations and evaluates them against desired baseline configurations. You can create custom Config rules (using AWS Lambda) or use managed rules like 'ec2-instance-detailed-monitoring-enabled', 'iam-user-unused-credentials-check', or 's3-bucket-public-read-prohibited'. For an endpoint security baseline, you would create a Config rule that checks whether all EC2 instances have the 'instance-metadata-service' set to 'v1' or 'v2' with a required token, or whether attached security groups block public SSH access.
A common exam scenario asks how to enforce a baseline that requires all EC2 instances to have a specific AMI from a limited set of approved AMIs. The answer: use an AWS Config rule with a Lambda function that checks the 'image-id' attribute and triggers a noncompliance notification. This is a direct test of understanding how baselines can be automated and enforced.
AWS Inspector, on the other hand, focuses on vulnerability assessments and software compliance. It can scan endpoints for missing patches, common vulnerabilities and exposures (CVEs), and deviations from a CIS baseline. Inspector's assessment templates allow you to specify a baseline rule package, such as 'CIS Benchmark for Amazon Linux 2'. When a scan is run, it generates a findings report. The exam often asks: 'Which service provides ongoing vulnerability scanning that includes CIS baseline checks?' The answer is Inspector, and it is important to know that Inspector supports both network and host assessments.
Another key point: AWS Systems Manager Patch Manager and State Manager can be used to enforce baselines. State Manager defines a policy that ensures every EC2 instance has a specific patching state, and Patch Manager can automate the application of patches to meet the baseline. This ties into the concept of 'desired state configuration' which is analogous to Intune's baseline compliance.
For the exam, you must also understand the difference between AWS Config (configuration drift detection) and AWS Inspector (vulnerability scanning). They are complementary. A baseline should include both. For example, a Config rule might enforce that every instance has a specific tag (e.g., 'SecurityBaseline: v1.2'), while Inspector ensures the actual software is patched.
Finally, remember that AWS Organizations and multi-account governance often require a centralized baseline. AWS Config aggregators can consolidate compliance status across accounts, and AWS Security Hub provides a single pane of glass for baseline compliance findings. This architecture is frequently tested in SAA and is a real-world pattern for large enterprises. When setting up a baseline in AWS, always consider how it scales across multiple VPCs, regions, and accounts.
A practical command used in this context is 'aws configservice put-config-rule --config-rule file://my-baseline-rule.json', where the JSON file defines the rule parameters. This command is used to deploy custom baseline rules programmatically, which is a best practice for infrastructure as code (IaC). Understanding this command's syntax and its integration with CloudFormation helps solidify the concept for the exam.
Common Endpoint Security Baseline Misconfigurations and How to Remediate Them (CompTIA Security+, CySA+)
Even with a well-defined endpoint security baseline, misconfigurations occur due to human error, ambiguous policies, or lack of training. These misconfigurations are a central topic in CompTIA Security+ (SY0-601) and CySA+ (CS0-002) exams, where candidates must identify the most likely root cause of a security gap and then choose the correct remediation.
The most common misconfiguration is a password policy that is too weak or not enforced. A baseline should require a minimum password length of 14 characters, complexity, and expiration every 90 days. However, administrators often set the baseline but forget to apply it to service accounts or legacy systems. In an exam scenario, you might see a question where a domain admin account has a 10-character password and no expiration. The correct response is to apply the baseline to all accounts, including service accounts, unless an exception is explicitly approved.
Another frequent issue is the improper configuration of Windows Firewall. The baseline might require that inbound connections be blocked by default, with exceptions only for essential services. But administrators may accidentally leave Remote Desktop enabled on public-facing servers. This is tested in Security+ and CySA+ through network scanning questions-if a port scan shows RDP open on an endpoint, the baseline is not being enforced. Remediation involves checking the Windows Firewall rules via Group Policy or Intune and verifying that RDP is restricted to authorized IP ranges.
Antivirus exclusions are another area of misconfiguration. Baseline policies often define that antivirus real-time protection must be on and exclusions must be minimized. However, support teams sometimes add broad exclusions (like entire C: drive) to troubleshoot performance issues. This creates a blind spot. Exam questions might present a scenario where a malware outbreak occurs on a system that has antivirus enabled, but the infection vector was a file in an excluded directory. The correct answer is to audit antivirus exclusion lists against the baseline and remove unauthorized ones.
Logging and auditing configuration is also commonly missed. The baseline should enable advanced audit policies, such as Logon/Logoff, Object Access, and Process Creation events. If a security breach goes undetected because logs are not being generated, the baseline is failing. In CySA+, you may be asked to identify the most likely root cause of missing security events-the answer often points to an audit policy not being configured in the baseline. Remediation with Group Policy is: 'Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration'. The command-line tool 'auditpol' can also be used to set and verify audit configuration.
User privilege management is a cornerstone of a baseline. The principle of least privilege must be enforced. A misconfiguration occurs when standard users are granted local administrator rights, either through a direct group membership or a GPO that adds users to the local Administrators group. Attackers exploit this to elevate privileges. Exam questions frequently describe a network where many users can install software, leading to malware infections. The solution is to apply a baseline that removes all users except IT administrators from the local Administrators group and uses AppLocker or Windows Defender Application Control (WDAC) to enforce application whitelisting.
Finally, patch management baseline violations are the most cited cause of breaches. Endpoints that miss a critical patch (especially for VPNs or browsers) are vulnerable. A common misconfiguration is allowing users to defer updates or setting patch windows too infrequently. Remediation involves using a patch management tool like WSUS or Microsoft Intune to enforce a maximum lag time for critical patches (e.g., 7 days). In AWS, this corresponds to using Systems Manager Patch Manager with a baseline that requires patching within a specific maintenance window.
Understanding these misconfigurations prepares you for both the multiple-choice questions and the performance-based questions (PBQs) on Security+ and CySA+. Real-world troubleshooting of baseline failures often starts with a compliance report that shows a 'Noncompliant' status. The skill is to then dive into the specific setting that is out of compliance and correct it using the appropriate tool-whether that's a GPO, Intune policy, or AWS Config rule. Memorize common remediation steps and associated command-line tools, as these directly map to exam objectives.
Troubleshooting Clues
Endpoint not receiving baseline policy from Intune
Symptom: Device status shows 'Not evaluated' or 'Unknown' in Intune endpoint security baselines, even after several days. User can install any software without restriction.
The device may not be properly enrolled in Intune, or the user is not a member of the assigned group. Alternatively, the baseline policy might have been deleted or the device has a heterogeneous OS version that does not support the baseline. Also, if the baseline requires a specific Windows edition (e.g., Pro or Enterprise) and the device runs Home, it won't apply.
Exam clue: MD-102: Questions present a device that is listed as 'Pending' or 'Not applicable'. The cause is often that the device's OS version is not supported. Another clue: the device was enrolled but never checked in with the Intune service due to network isolation.
Antivirus exclusions causing baseline noncompliance
Symptom: Security baseline compliance report shows failure for 'Defender real-time protection enabled'. However, the endpoint has Defender running, but a custom exclusion exists.
The baseline may require zero or strictly limited exclusions. If an exclusion is present (e.g., an entire drive or a critical folder), it can interfere with real-time monitoring. The baseline setting 'Disable Realtime Monitoring' might be misconfigured or the baseline's antivirus policy might have 'Allow user exclusions' set to 'Allowed' instead of 'Blocked'.
Exam clue: Security+ and CySA+: Exam scenario where a company suffers a ransomware infection despite having real-time protection. The clue is that administrative tools were used to create exclusions, which is a common misconfiguration. The correct answer is to remove unauthorized exclusions.
Password policy not enforced on service accounts
Symptom: Overall password policy compliance is high across user accounts, but a penetration test reveals that a service account 'svc_backup' has a password 'Password123' that never expires.
Security baselines often apply only to user accounts in specific OUs. Service accounts in Active Directory may be placed in a different OU that is excluded from the baseline GPO. The baseline may not include the 'Fine-Grained Password Policies' feature for service accounts.
Exam clue: Security+ or CISSP: Presents a scenario where a baseline appears effective but a specific account type is weak. The resolution is to extend the baseline to all accounts or use special password policies for service accounts. Know that service accounts should have long, complex passwords that are rotated regularly.
AWS Config rule for baseline compliance triggering false positives
Symptom: AWS Config rule 'ec2-instance-ssh-key-check' shows noncompliance for instances that use Session Manager instead of SSH keys.
The baseline rule was written assuming all instances require SSH key pairs, but the organization uses AWS Systems Manager Session Manager for administrative access, which does not require SSH keys. The rule does not have an exclusion for instances with the SSM agent installed and proper IAM roles.
Exam clue: AWS SAA: Tests understanding that custom Config rules must account for alternative access methods. The exam may ask how to update the rule to exclude instances that use Session Manager, which would involve modifying the Lambda function logic.
Baseline compliance check fails due to network connectivity issues
Symptom: Devices in the remote branch office are flagged as noncompliant for 'Firewall enabled' even though they have the firewall enabled locally. Reports are from Intune.
The device may be unable to communicate with Intune to transmit health attestation data. The firewall might be blocking the Intune management endpoints (e.g., manage.microsoft.com, login.microsoftonline.com). The device's firewall is actually enabled, but the compliance status cannot be reported properly.
Exam clue: MD-102: How to troubleshoot a device that shows noncompliant despite local settings being correct. Answer: Check network connectivity to required endpoints. Also, use the 'Test-DeviceConnectivity' tool or check the MDM diagnostic logs.
AWS Inspector assessment completes with zero findings
Symptom: A scheduled AWS Inspector baseline assessment runs but returns no findings for a critical server. The server is running an outdated OS version with known CVEs.
The assessment template may not be properly associated with the target resource group. Alternatively, the inspector agent might not be installed or running on the instance. Also, the rules package selected might be for network assessments only (not host), and the instance may not have network access to Inspector's service endpoints.
Exam clue: AWS SAA: Questions where an admin runs Inspector but gets no results. The clue is often missing agent or wrong assessment type (network vs. host). The correct answer is to install the AWS Inspector agent and retry.
Group Policy baseline not applying to nested OUs
Symptom: Windows 10 security baseline GPO is linked to the parent OU 'Workstations'. Devices in a child OU 'Sales' do not apply the baseline settings, and users are able to disable Windows Defender.
By default, Group Policy inheritance is enabled. However, the 'Sales' OU may have 'Block Inheritance' enabled, preventing the baseline GPO from applying. Alternatively, the baseline GPO's security filtering might not include the 'Sales' computers group.
Exam clue: MD-102 and Security+: Tests GPO inheritance and filtering. The exam might show a GPO applied to a higher level but not affecting a sub-OU. The solution is to check inheritance blocking and security filters.
Memory Tip
Think BASELINE: Block unwanted ports, Authenticate users, Secure data with encryption, Enable logging, Limit privileges, Install updates, Never skip reviews, Enforce automatically.
Learn This Topic Fully
This glossary page explains what Endpoint security baseline means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →CISSPCISSP →SAA-C03SAA-C03 →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Quick Knowledge Check
1.A company uses Microsoft Intune to enforce a security baseline for Windows 10 devices. After applying the baseline, several devices report as 'Noncompliant' for the setting 'Require Device Encryption'. Which is the MOST likely cause?
2.An organization has an AWS Config rule that checks whether EC2 instances have 'termination protection' enabled. A security engineer notices that several instances are noncompliant. The engineer wants to automate remediation. Which AWS service should be used to automatically re-enable termination protection when noncompliance is detected?
3.A workstation is not reflecting the security baseline password policy (minimum 14 characters, complexity required). The GPO is linked to the parent OU, and the workstation is in a child OU named 'IT' that has inheritance enabled. The password policy still shows old settings. What is the MOST likely cause?
4.A CySA+ analyst is reviewing a compliance report for an endpoint with a security baseline. The report states that 'Windows Defender Antivirus real-time protection is disabled'. The analyst checks the service and finds it running. What is the BEST next step?
5.An MD-102 administrator configures a Windows 10 security baseline in Intune that includes 'AppLocker' rules. A user reports that an approved application does not launch. The application is in a signed directory. What should the administrator check FIRST?
Frequently Asked Questions
What is the difference between a security baseline and a security configuration?
A security baseline is the complete set of minimum security settings for an endpoint. A security configuration is one specific setting within that baseline, such as the 'password length' setting.
How often should an endpoint security baseline be updated?
At least quarterly, and additionally whenever a new critical vulnerability emerges that requires a configuration change. Major operating system updates may also require baseline updates.
Can a security baseline be applied to mobile devices like iOS or Android?
Yes, mobile device management (MDM) solutions like Microsoft Intune, JAMF, or VMware Workspace ONE allow you to define and enforce security baselines on mobile devices, including passcode requirements, encryption, and VPN settings.
What happens if a device is not compliant with the baseline?
It depends on the organization's policy. Common actions include logging the non-compliance, sending an alert to the IT team, blocking the device from accessing the network, or automatically attempting to remediate the settings.
Is an endpoint security baseline the same as a system image?
No. A system image is a complete snapshot of an operating system and installed applications. A baseline is a list of security configuration settings. You can apply a baseline to a system image, but they are different concepts.
Do cloud-based endpoints, like virtual machines in AWS, need a security baseline?
Absolutely. Cloud VMs are still endpoints and need the same protections. AWS provides baseline enforcement through AWS Config rules and EC2 Security Groups, but you still need to harden the operating system itself.
What is the most common mistake when creating a security baseline?
The most common mistake is making the baseline too restrictive, which breaks needed applications and leads users to bypass security controls. A baseline must balance security with operational practicality.
Summary
An endpoint security baseline is the foundational layer of defense for any organization's endpoints. It defines the minimum security configurations that every device must meet, ensuring consistency, reducing vulnerabilities, and simplifying compliance with regulations and standards. Without a baseline, security becomes fragmented, and attackers can exploit weak links.
For IT professionals, understanding how to create, implement, and maintain baselines is essential. It involves selecting appropriate controls from frameworks like CIS and NIST, adapting them to the organization's needs, deploying them through automation, and monitoring compliance continuously. Mistakes such as treating the baseline as a static document or applying a one-size-fits-all approach can undermine its effectiveness.
In certification exams, endpoint security baselines appear across a wide range of tests, from Security+ and CySA+ to AWS, Azure, and Microsoft 365 exams. Candidates must be able to apply baselines to specific scenarios, troubleshoot common issues, and understand the role of baselines within larger security architectures like Zero Trust.
The key takeaway is that a baseline is not a one-time project but an ongoing process. It must evolve with threats, technology, and business requirements. When implemented properly, it is one of the most effective controls for protecting endpoints and, by extension, the entire organization.