SC-200 | Chapter 92 of 101 | Objective 1.1

Defender for Endpoint Security Baselines

This chapter covers Microsoft Defender for Endpoint security baselines, a critical component of the Defender XDR stack. Security baselines provide a set of pre-configured security settings that help organizations harden their endpoints against common threats. On the SC-200 exam, approximately 5-8% of questions touch on security baselines, focusing on their deployment, management, and compliance monitoring. Understanding how to configure, assess, and remediate baseline deviations is essential for the Security Operations Analyst role, as baselines directly impact the organization’s security posture and are frequently tested in case studies and scenario-based questions.

25 min read
Intermediate
Updated May 31, 2026

Security Baseline as Prescriptive Building Code

Consider a city’s building code that specifies minimum requirements for fire safety, electrical wiring, and structural integrity. The code does not dictate every detail of a building’s design, but it mandates that all buildings must have fire alarms, sprinklers in certain areas, and electrical outlets with ground-fault circuit interrupters near water. An inspector periodically checks that each building complies. If a building fails, the owner must remediate before receiving a certificate of occupancy. In this analogy, Microsoft Defender for Endpoint’s security baselines are the building code. They define a set of mandatory security configurations—like enabling real-time protection, blocking certain attack surfaces, and setting tamper protection—that every device must meet. The Microsoft 365 Defender portal acts as the inspector, continuously checking each device against the baseline and reporting compliance status. If a device drifts from the baseline (e.g., a user disables real-time protection), the portal flags it as non-compliant and can trigger remediation actions, just as a building owner must fix violations. The baseline is not a one-size-fits-all prescription; organizations can customize it by selecting which controls to enforce, analogous to a city allowing stricter local ordinances. Importantly, the baseline is enforced at the device level via configuration profiles pushed through Microsoft Intune or Group Policy, ensuring every endpoint adheres to the security standards set by the organization.

How It Actually Works

What Are Microsoft Defender for Endpoint Security Baselines?

Microsoft Defender for Endpoint (MDE) security baselines are curated sets of security configuration settings that are recommended by Microsoft security experts to harden endpoints. These baselines are derived from industry best practices, including the Microsoft Security Compliance Toolkit and the Center for Internet Security (CIS) benchmarks. They are designed to reduce the attack surface by enforcing security controls such as antivirus configuration, firewall rules, attack surface reduction (ASR) rules, and device control policies.

Security baselines in MDE are not standalone products but are integrated into the Microsoft 365 Defender portal as part of endpoint security policies. They are applied to devices via Microsoft Intune (for cloud-managed devices) or Group Policy (for on-premises devices). The baselines are versioned (e.g., baseline version 10.0.22000.1 for Windows 10) and are periodically updated to reflect new threats and mitigations.

Why Security Baselines Exist

Organizations often struggle with inconsistent security configurations across their endpoint fleet. Users may disable security features inadvertently or maliciously, and IT teams may apply different settings across departments. Security baselines solve this by providing a standardized, enforceable set of configurations that align with Microsoft’s security recommendations. They serve as a starting point for organizations to build their own custom policies, ensuring a minimum security floor.

From an exam perspective, security baselines are often the correct answer when a question asks for a method to enforce consistent security settings across thousands of endpoints with minimal administrative overhead. They are also a key component of the “Security Configuration Management” workload in Microsoft 365 Defender.

How Security Baselines Work Internally

Security baselines operate through a mechanism of policy evaluation and enforcement. Here is a step-by-step breakdown:

1. Baseline Definition: Each baseline is a JSON file that contains a list of configuration settings, each with a specific value and a rule type (e.g., registry key, WMI filter, PowerShell script). The baseline is stored in the Microsoft Intune service (for cloud-managed devices) or in Active Directory (for Group Policy).

2. Policy Assignment: An administrator selects which devices or groups receive the baseline. This is done through a security baseline profile in the Microsoft 365 Defender portal or Intune. The profile includes the baseline version and any customizations (e.g., excluding certain settings).

3. Policy Delivery: For cloud-managed devices, the baseline is delivered via the Intune Management Extension (IME) or the Microsoft Defender for Endpoint agent. For on-premises devices, Group Policy updates via the Windows Update service.

4. Local Application: The device’s local security agent (e.g., the Microsoft Defender Antivirus service) applies the settings. Some settings take effect immediately (e.g., disabling a service), while others require a reboot (e.g., changes to the Windows Firewall).

5. Compliance Assessment: Periodically (by default every 8 hours), the device reports its current configuration to the Microsoft 365 Defender portal. The portal compares the reported state against the baseline and generates a compliance status: Compliant, Non-compliant, or Error.

6. Remediation: If a device is non-compliant, the administrator can configure automatic remediation (e.g., reapply the baseline settings) or manually trigger a remediation action. The device will attempt to self-remediate by reapplying the baseline settings during the next policy refresh cycle.

Key Components, Values, Defaults, and Timers

Baseline Versions: Each baseline has a version number (e.g., 10.0.22000.1). The version is important because updates to the baseline may add or remove settings. The exam may test that you know to use the latest baseline version.

Compliance Check Interval: Default is 8 hours, but this can be changed via the “Device configuration refresh cycle” setting in Intune (range: 30 minutes to 365 days).

Remediation Timeout: By default, the device has 30 minutes to apply remediation before the action is marked as failed.

Attack Surface Reduction Rules: These are a subset of baseline settings. The exam often tests specific ASR rules, such as “Block executable content from email client and webmail” (GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550).

Tamper Protection: When enabled, it prevents changes to Microsoft Defender Antivirus settings. It is part of the security baseline. The exam may ask what happens if tamper protection is enabled and an administrator tries to disable real-time protection – the answer is that the change is blocked.

Configuration and Verification Commands

To check the baseline compliance status on a device, you can use the following PowerShell command (requires administrative privileges):

Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, TamperProtectionSource

This command returns the current state of key Defender settings. For a more comprehensive compliance check, use the Microsoft 365 Defender portal:

1. Navigate to Endpoints > Configuration management > Endpoint security policies.

2. Select the security baseline profile.

3. View the Device compliance tab to see a list of devices and their status.

For Group Policy managed devices, you can use the Resultant Set of Policy (RSOP) tool to verify applied settings:

rsop.msc
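The single Get-MpComputerStatus line above shows only the runtime state. The following script is an added example, not code from the original chapter or from Microsoft, that extends the same two Defender cmdlets (Get-MpComputerStatus and Get-MpPreference) into a read-only local drift check: it compares a handful of settings against an expected baseline, checks the ASR rule GUID quoted above, and applies the chapter's tamper-protection reasoning to a disabled real-time protection. The values in $ExpectedBaseline and the ASR action codes are assumptions for illustration; take the real expected values from your assigned baseline profile.

```powershell
<#
  Added example (not from the original chapter): read-only local drift check that
  compares Defender settings on this device with an assumed baseline and explains
  the result. Run in an elevated PowerShell session on a Windows device that has
  Microsoft Defender Antivirus installed. Nothing here changes any setting.
#>

# ASR rule GUID quoted in the chapter: "Block executable content from email client and webmail".
$AsrBlockEmailExecutable = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'

# Expected baseline state (assumed values, modelled on the settings named in the chapter).
$ExpectedBaseline = [ordered]@{
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $true
    IsTamperProtected         = $true
    MAPSReporting             = 2       # 2 = Advanced cloud-delivered protection
    DisableBlockAtFirstSeen   = $false  # "Block at first sight" stays enabled
    SubmitSamplesConsent      = 1       # 1 = send safe samples automatically
}

function Get-LocalDefenderState {
    # Get-MpComputerStatus reports runtime status; Get-MpPreference reports configured preferences.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Map configured ASR rule GUIDs to their action (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
    $asr     = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $asr[([string]$ids[$i]).ToLower()] = [int]$actions[$i]
    }

    [ordered]@{
        AntivirusEnabled          = [bool]$status.AntivirusEnabled
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        IsTamperProtected         = [bool]$status.IsTamperProtected
        MAPSReporting             = [int]$pref.MAPSReporting
        DisableBlockAtFirstSeen   = [bool]$pref.DisableBlockAtFirstSeen
        SubmitSamplesConsent      = [int]$pref.SubmitSamplesConsent
        AsrRules                  = $asr
    }
}

function Test-BaselineDrift {
    param($Expected, $Actual)

    # One row per setting, mirroring the portal's per-setting "expected vs. actual" report.
    $rows = @(foreach ($name in $Expected.Keys) {
        $statusText = if ($Actual[$name] -eq $Expected[$name]) { 'Compliant' } else { 'Non-compliant' }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $Actual[$name]; Status = $statusText }
    })

    # The chapter's ASR rule is expected in Block mode (action 1); missing counts as non-compliant.
    $asrAction  = $Actual.AsrRules[$AsrBlockEmailExecutable]
    $asrStatus  = if ($asrAction -eq 1) { 'Compliant' } else { 'Non-compliant' }
    $rows += [pscustomobject]@{ Setting = "ASR $AsrBlockEmailExecutable"; Expected = 1; Actual = $asrAction; Status = $asrStatus }
    $rows
}

function Get-RemediationAdvice {
    param($Actual)
    # The chapter's scenario: real-time protection off while tamper protection is on should not
    # be possible through normal channels, so it is an investigation, not a simple re-enable.
    if (-not $Actual.RealTimeProtectionEnabled) {
        if ($Actual.IsTamperProtected) {
            return 'Investigate possible tampering: real-time protection is off despite tamper protection.'
        }
        return 'Re-enable real-time protection or configure automatic remediation in the baseline profile.'
    }
    'Real-time protection matches the baseline; no remediation needed for that setting.'
}

$state   = Get-LocalDefenderState
$results = Test-BaselineDrift -Expected $ExpectedBaseline -Actual $state
$results | Format-Table -AutoSize
$overall = if ($results.Status -contains 'Non-compliant') { 'Non-compliant' } else { 'Compliant' }
"Overall device status: $overall"
Get-RemediationAdvice -Actual $state
```

A non-compliant row here on a device the portal reports as compliant usually means the assumed expected value differs from your profile, or a conflicting policy is in effect; compare against the profile's settings before treating it as drift.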

Interaction with Related Technologies

Security baselines interact closely with:

Microsoft Intune: Baselines are created and assigned through Intune security policies. Intune handles the delivery and compliance reporting.

Microsoft Defender for Endpoint: The MDE agent on the device enforces the baseline settings and reports compliance.

Azure Active Directory (Azure AD): Device identities are used to target baselines to specific groups.

Microsoft 365 Defender Portal: The portal provides a unified view of baseline compliance across all devices.

Windows Update for Business: Some baseline settings may require specific Windows updates to be installed (e.g., to support ASR rules).

Common Exam Scenarios

- Scenario: An organization wants to ensure that all Windows 10 devices have real-time protection enabled and tamper protection turned on. The baseline should be applied to all devices in the “Sales” group.
  - Exam answer: Create a security baseline profile in Intune, select the Windows 10 security baseline, enable the relevant settings, and assign the profile to the “Sales” group.
- Scenario: A device reports as non-compliant because a user disabled real-time protection. What should the analyst do?
  - Exam answer: First, check whether tamper protection is enabled. If it is, the user should not have been able to disable real-time protection – investigate possible tampering. If tamper protection is off, the analyst can either manually re-enable real-time protection or configure automatic remediation in the baseline profile.

Trap Patterns on the Exam

Trap: The exam might present a scenario where a baseline is applied but a specific setting is not effective. The candidate might think the baseline is broken, but the actual issue could be that a conflicting policy (e.g., a custom Intune policy) is overriding the baseline. The correct answer is to check the policy conflict resolution order.

Trap: The exam might ask about the default compliance check interval. Many candidates guess “24 hours” but the correct answer is “8 hours.”

Trap: A question might state that tamper protection is enabled, and the candidate is asked if they can disable real-time protection via Group Policy. The answer is no – tamper protection blocks any change, including those from Group Policy, unless the change is made through a trusted path (e.g., Microsoft 365 Defender portal with appropriate permissions).

Walk-Through

1. Access the Security Baselines

Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com). Under the **Endpoints** section, select **Configuration management** > **Endpoint security policies**. Here, you will see a list of existing policies, including security baseline profiles. This is the central location for managing all endpoint security configurations. The portal provides a unified interface, so you do not need to switch to Intune separately, although the underlying policies are stored in Intune. For the exam, remember that the Microsoft 365 Defender portal is the primary console for security operations analysts.

2. Create a New Baseline Profile

Click **Create new policy** and select the platform (e.g., Windows 10, Windows 11, macOS). Then choose **Security baseline** as the profile type. Give the profile a name and description. The baseline version is automatically selected based on the latest available version for the chosen platform. You can optionally customize the baseline by toggling specific settings on or off. For example, you might disable a setting that conflicts with a line-of-business application. This step is critical because misconfigurations can lead to compliance failures or application incompatibility.

3. Configure Baseline Settings

The baseline includes multiple categories: **Microsoft Defender Antivirus**, **Attack Surface Reduction**, **Device Control**, **Firewall**, and **BitLocker**. Each category contains individual settings. For instance, under Microsoft Defender Antivirus, you can enable **Cloud-delivered protection**, **Real-time protection**, and **Tamper protection**. The exam often tests specific settings like **Block at first sight** (enabled by default in baselines) and **Sample submission** (set to send safe samples automatically). You can override any setting by selecting **Enabled**, **Disabled**, or **Not configured**. Note that some settings are mandatory and cannot be changed (e.g., tamper protection in certain baseline versions).

4. Assign the Baseline to Groups

After configuring the settings, assign the profile to Azure AD groups (e.g., “All Windows 10 Devices” or “Finance Department”). You can also exclude specific groups. The baseline is applied during the next device check-in (typically within 8 hours). The assignment is dynamic – if a device joins the group later, it automatically receives the baseline. For the exam, understand that baselines are assigned to groups, not individual devices, to simplify management at scale.

5. Monitor Compliance and Remediate

Once the baseline is deployed, monitor compliance from the **Endpoint security policies** page. Select the baseline profile and view the **Device compliance** tab. Devices are listed with a status of **Compliant**, **Non-compliant**, or **Error**. For non-compliant devices, you can see which specific settings failed. You can then either manually trigger remediation (e.g., **Remediate** button) or configure automatic remediation in the profile settings. The exam may ask about the default remediation action – it is **None** (manual remediation required). You can change it to **Remediate automatically** if desired.

What This Looks Like on the Job

In a large enterprise with 50,000 Windows 10 devices, security baselines are indispensable. One common deployment scenario is to use a phased approach: first, assign the baseline to a pilot group of IT staff to test for application compatibility. For example, a financial services firm might need to ensure that a legacy trading application works with ASR rules enabled. During the pilot, they discover that the “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” rule causes the trading app to crash. They then customize the baseline by excluding that specific rule for the pilot group while keeping the rest of the baseline. After validation, they roll out the baseline to the entire organization.

Performance considerations include network bandwidth for policy delivery – Intune uses a delta update mechanism, so only changes are sent. Compliance reporting scales well, with the portal handling millions of devices. A common misconfiguration is forgetting to set automatic remediation, leading to persistent non-compliance. For instance, if a user disables real-time protection, the device remains non-compliant until an admin manually fixes it. To address this, the security team configures automatic remediation with a grace period of 2 hours.

Another scenario involves managing macOS devices. The macOS security baseline includes settings like enabling FileVault disk encryption and configuring the firewall. However, macOS devices do not support all Windows-specific settings, so the baseline is smaller. An organization might deploy separate baselines for Windows and macOS.

A frequent issue is a device not receiving the baseline because it is not enrolled in Intune. The analyst must check the device’s enrollment status. In one case, a healthcare provider had 200 devices that were not compliant because they were joined to the local domain but not Azure AD registered. The solution was to register them with Azure AD and enroll them in Intune.

Finally, a common pitfall is policy conflicts. If a device receives both a security baseline and a custom Intune policy that sets the same setting to a different value, the baseline may be overridden. The resolution is to use the security baseline as the primary policy and avoid duplicate settings in other policies. The exam often tests this conflict resolution hierarchy: the most restrictive policy wins, but the order of precedence is: Intune security policies > Group Policy > local settings.

How SC-200 Actually Tests This

The SC-200 exam tests security baselines under objective 1.1: “Manage endpoints with Microsoft Defender for Endpoint.” Specifically, you should be able to:

Explain the purpose and benefits of security baselines.

Create, configure, and assign security baseline profiles.

Monitor compliance and remediate non-compliant devices.

Understand the interaction between baselines and other security policies.

Common wrong answers on the exam:

1. Confusing security baselines with security policies: Many candidates think that a security baseline is the same as a custom security policy. The key difference is that a baseline is a pre-defined set of recommended settings, while a policy can be any custom configuration. On the exam, if a question asks for a “set of recommended settings from Microsoft,” the answer is security baseline, not custom policy.

2. Assuming baselines are applied immediately: Candidates often choose “immediately” as the answer for when a baseline takes effect. The correct answer is “within 8 hours by default” or “at the next device check-in.”

3. Misunderstanding tamper protection: A trap question might say: “Tamper protection is enabled. Can you disable real-time protection via PowerShell?” The correct answer is “No, tamper protection blocks all local changes.” Some candidates think that because they are admins, they can override it, but tamper protection is designed to prevent even admins from making changes locally.

4. Overlooking the need for Intune enrollment: A scenario might describe devices that are not receiving the baseline. The candidate might suggest checking the baseline configuration, but the real issue could be that the devices are not enrolled in Intune. The exam expects you to verify device management status first.

Specific numbers and terms to memorize:

Default compliance check interval: 8 hours.

Baseline version format: e.g., 10.0.22000.1.

Tamper protection blocks local changes, including from Group Policy and PowerShell.

ASR rules are part of the security baseline.

The security baseline for Windows 10 includes over 150 settings.

Edge cases:

What if a device is non-compliant due to a setting that is not in the baseline? This is not possible – non-compliance is only measured against baseline settings.

What if a device is offline for more than 30 days? It will appear as “Unknown” in compliance reports.

What if a baseline is updated? Devices automatically receive the new version during the next check-in, but settings that were customized are preserved unless the new baseline removes the customization option.

How to eliminate wrong answers: Use the underlying mechanism. For example, if a question says “the user disabled real-time protection” and asks what to do, think about tamper protection first. If tamper protection is on, the user could not have disabled it – so the answer must involve investigating tampering. If tamper protection is off, then the answer is to re-enable it or configure automatic remediation. By reasoning through the mechanism, you can eliminate options that contradict known behavior.

Key Takeaways

Security baselines are pre-configured sets of security settings recommended by Microsoft for hardening endpoints.

Baselines are deployed via Microsoft Intune and monitored in the Microsoft 365 Defender portal.

Default compliance check interval is 8 hours.

Tamper protection, when enabled, blocks all local changes to Microsoft Defender Antivirus settings, including from administrators.

Attack Surface Reduction rules are part of the security baseline and have specific GUIDs that may appear on the exam.

Baselines can be customized by enabling, disabling, or not configuring individual settings.

Devices must be enrolled in Intune to receive cloud-based security baselines.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Security Baseline

Pre-defined set of recommended settings from Microsoft.

Based on industry best practices and security research.

Simplifies compliance with regulatory requirements.

Automatically updated by Microsoft with new settings.

Can be customized but starts with a secure default.

Custom Security Policy

Administrator-defined set of settings.

May not align with best practices if not carefully designed.

Requires manual research and testing.

Must be manually updated by the administrator.

Offers full flexibility but requires more effort to secure.

Watch Out for These

Mistake

Security baselines can only be applied to Windows devices.

Correct

Microsoft Defender for Endpoint security baselines are available for Windows 10, Windows 11, Windows Server, macOS, and Linux. Each platform has its own baseline with platform-specific settings. For example, the macOS baseline includes FileVault and firewall settings.

Mistake

Once a baseline is applied, it cannot be customized.

Correct

Baselines are fully customizable. Administrators can enable, disable, or set specific settings to “Not configured.” However, some settings may be mandatory in the baseline (e.g., tamper protection in certain versions) and cannot be changed. Customization is done when creating the profile.

Mistake

Security baselines are enforced by Group Policy only.

Correct

While Group Policy can be used for on-premises devices, security baselines are primarily delivered via Microsoft Intune for cloud-managed devices. The exam focuses on Intune-based deployment. Group Policy is considered legacy for this context.

Mistake

Compliance is checked in real-time.

Correct

Compliance is checked periodically, with a default interval of 8 hours. Real-time compliance checking is not supported. The exam tests this interval value.

Mistake

If a baseline setting is configured as ‘Not configured,’ the device will be non-compliant.

Correct

‘Not configured’ means the baseline does not enforce that setting, so it does not affect compliance. The device is only non-compliant if a setting that is explicitly set to ‘Enabled’ or ‘Disabled’ does not match the required state.


Frequently Asked Questions

What is the default compliance check interval for security baselines?

The default compliance check interval is 8 hours. This means that after a baseline is assigned or a change is made, it can take up to 8 hours for the device to report its compliance status. You can change this interval in the Intune device configuration refresh cycle settings, but the exam expects you to know the default value of 8 hours.

Can I apply a security baseline to a device that is not enrolled in Intune?

No. Security baselines require devices to be managed by Microsoft Intune (or co-managed with Configuration Manager). For on-premises devices, you can use Group Policy to apply similar settings, but the security baseline feature in the Microsoft 365 Defender portal specifically relies on Intune for policy delivery and compliance reporting.

What happens if a user disables real-time protection when tamper protection is enabled?

The change is blocked. Tamper protection prevents any modification to Microsoft Defender Antivirus settings, including disabling real-time protection, regardless of whether the change is made by a user, an administrator via PowerShell, or even through Group Policy. The only way to disable real-time protection in this case is to first disable tamper protection from the Microsoft 365 Defender portal (which requires appropriate permissions).

How do I check which specific settings are causing a device to be non-compliant?

In the Microsoft 365 Defender portal, navigate to the security baseline profile and select the **Device compliance** tab. Click on the non-compliant device to see a detailed report listing each setting and its expected vs. actual value. This helps you identify exactly which settings need remediation.

Are security baselines automatically updated by Microsoft?

Yes. Microsoft periodically releases new baseline versions that include new settings or updated recommended values. When a new version is released, you can choose to update your existing profiles to the new version. Devices will then receive the updated settings during their next check-in. However, any customizations you made to the previous version are preserved unless the new version removes that customization option.

What is the difference between a security baseline and an attack surface reduction rule?

A security baseline is a comprehensive set of security configurations that includes many categories, one of which is Attack Surface Reduction (ASR) rules. ASR rules are a subset of the baseline that specifically target common attack vectors, such as blocking macros from Office files or preventing executable content from email. The baseline also includes other categories like antivirus, firewall, and device control.

Can I exclude a specific device from a security baseline?

Yes. When assigning a baseline profile, you can specify groups to include and groups to exclude. For example, you can assign the baseline to “All Windows 10 Devices” but exclude “IT Pilot Group” if you want to test the baseline on a subset first. Exclusion groups take precedence over inclusion groups.

