This chapter covers Microsoft Security Baselines, a critical component of Microsoft's security solutions. You will learn what security baselines are, why they are essential for maintaining a secure posture, and how they are implemented across Microsoft 365, Azure, and Windows. On the SC-900 exam, approximately 10-15% of questions in the 'Security Solutions' domain relate to security baselines, including their purpose, application, and integration with compliance and management tools. Mastering this topic will help you answer questions about default security configurations, compliance assessment, and the role of baselines in Zero Trust architectures.
Think of Microsoft Security Baselines as the building code for a new house. Just as a building code specifies minimum requirements for electrical wiring, plumbing, and structural integrity to ensure safety and consistency across all constructions, a security baseline defines the minimum set of security configurations that must be applied to a device or service. A building code is not a one-size-fits-all blueprint—it provides a set of rules that every builder must follow, but you can customize finishes and layouts within those rules. Similarly, a security baseline from Microsoft provides a recommended set of security settings that administrators can apply, but they can adjust settings based on their organization's risk tolerance. The building inspector checks compliance against the code; in the digital world, tools like Microsoft Defender for Cloud and Intune assess devices against the baseline and report non-compliant settings. Just as ignoring building codes leads to unsafe structures, failing to apply security baselines leaves systems vulnerable to known attacks. The baselines are derived from industry best practices, like the Center for Internet Security (CIS) benchmarks, and are updated as new threats emerge, much like building codes are updated for earthquake or fire safety.
What Are Microsoft Security Baselines?
Microsoft Security Baselines are pre-configured groups of settings that represent the recommended security configuration for Microsoft products and services. They are essentially a set of security rules and best practices that Microsoft's security teams have developed based on real-world threat intelligence and industry standards such as CIS (Center for Internet Security) benchmarks and NIST (National Institute of Standards and Technology) guidelines. These baselines are designed to help organizations quickly achieve a secure state without having to research each individual security setting.
Why Do Security Baselines Exist?
The primary purpose of security baselines is to reduce the attack surface by enforcing a consistent, minimum security posture across all devices and services in an organization. Without baselines, administrators would need to manually configure hundreds of security settings, which is error-prone and time-consuming. Baselines also provide a benchmark for compliance monitoring—tools like Microsoft Defender for Cloud and Microsoft Intune can compare current configurations against the baseline and report deviations.
How Do Security Baselines Work Internally?
Security baselines are essentially a collection of Group Policy Objects (GPOs) or configuration profiles that contain specific security settings. For Windows, these settings include password policies, account lockout policies, audit policies, user rights assignments, security options, and Windows Defender Firewall rules. For Azure, baselines include settings for Azure Policy definitions that enforce compliance on Azure resources. For Microsoft 365, baselines include conditional access policies, identity protection settings, and device compliance policies.
When a baseline is applied, it modifies the underlying registry keys, security templates, or policy settings. For example, the 'Microsoft 365 Security Baseline' includes a conditional access policy that requires multi-factor authentication (MFA) for all users. When this baseline is deployed via Intune or Azure AD Conditional Access, it creates a policy that enforces MFA. Devices and users are then evaluated against this policy, and non-compliant entities are blocked or prompted for additional verification.
Key Components, Values, Defaults, and Timers
- Windows Security Baselines: These are provided as GPO backups that can be imported into Group Policy Management Console. They include settings like:
  - Account Policies: Minimum password length (default 14 characters), password history (24 remembered), maximum password age (90 days).
  - Lockout Policy: Account lockout threshold (5 invalid attempts), lockout duration (15 minutes), reset lockout counter after (15 minutes).
  - Audit Policy: Audit logon events (Success and Failure), audit account logon events (Success and Failure).
  - Windows Defender Firewall: Inbound connections blocked by default, outbound allowed.
- Azure Security Baselines: These are implemented via Azure Policy. For example, the 'Azure Security Benchmark' includes policies like:
  - Enable MFA for privileged accounts: Policy definition ID /providers/Microsoft.Authorization/policyDefinitions/e0e698fd-8b1a-4f5d-9e5d-9f9e9e9e9e9e.
  - Require encryption for storage accounts: Policy definition ID /providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9.
- Microsoft 365 Security Baselines: These are pre-built conditional access policies in Azure AD. For example:
  - Baseline policy: Require MFA for admins: This policy targets all users with admin roles and requires MFA.
  - Baseline policy: Block legacy authentication: This policy blocks authentication protocols that do not support MFA.
Default Values: Baselines are updated regularly. For example, the Windows 10 Security Baseline version 2004 includes over 200 settings. The default password policy in the baseline is more restrictive than the default Windows policy.
Timers: Some baselines include timed settings, such as session timeout for Azure AD (e.g., 8 hours for sign-in frequency).
Configuration and Verification Commands
For Windows, you can apply a security baseline using the LGPO.exe tool or via Group Policy:
# Apply the baseline's security template (.inf) to the local policy
LGPO.exe /s C:\Baselines\Windows10-2004-SecurityBaseline.inf
To verify that a baseline is applied, you can use the secedit command:
# Compare the local security database against the baseline template and log the differences
secedit /analyze /db C:\temp\secbaseline.sdb /cfg C:\Baselines\Windows10-2004-SecurityBaseline.inf /log C:\temp\seclog.txt
For Azure, you can assign a baseline policy via Azure Policy:
# Assign the Azure Security Benchmark initiative
az policy assignment create --name "AzureSecurityBenchmark" --policy-set-definition "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" --scope "/subscriptions/{subscriptionId}"
To verify compliance, use:
# List the policy compliance state of the resources in a resource group
az policy state list --subscription "{subscriptionId}" --resource-group "{resourceGroup}"
For Microsoft 365, you enable baseline policies through the Azure AD portal or PowerShell:
# Enable the 'Require MFA for admins' baseline policy (AzureAD PowerShell module)
$policy = Get-AzureADMSConditionalAccessPolicy | Where-Object {$_.DisplayName -eq "Baseline policy: Require MFA for admins"}
Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State "enabled"
How Baselines Interact with Related Technologies
Security baselines are closely tied to compliance and management tools:
Microsoft Intune: Uses baselines to create device configuration profiles. Intune's 'Security Baseline' feature allows you to select a baseline version (e.g., Windows 10 Security Baseline) and deploy it to devices. Intune then monitors compliance and reports non-compliant devices.
Microsoft Defender for Cloud: Uses Azure Security Benchmark as a baseline to assess Azure resources. It provides a secure score and recommendations based on how well resources adhere to the baseline.
Microsoft 365 Defender: Integrates with Microsoft 365 security baselines to enforce policies like MFA and device compliance.
Azure Policy: Enforces baselines at scale. When a resource is non-compliant, Azure Policy can automatically remediate or flag the resource.
Group Policy: On-premises Active Directory uses Group Policy to apply baselines to domain-joined computers.
Customization and Best Practices
While baselines provide a strong starting point, organizations should customize them to balance security and usability. For example, a baseline may require MFA for all users, but an organization with legacy systems may need to exempt service accounts. Baselines should be tested in a pilot group before broad deployment. Microsoft recommends using the 'Security Compliance Toolkit' to customize and test baselines.
Versioning and Updates
Baselines are versioned. For example, the Windows 10 Security Baseline has versions for each feature update (1809, 1903, 2004, etc.). Microsoft releases new baselines when major security threats emerge or when new features are added. Administrators should regularly review and update baselines to maintain security.
Summary of Key Exam Points
Baselines are pre-configured security settings that represent Microsoft's recommendations.
They are derived from industry standards like CIS and NIST.
They are applied via Group Policy, Intune, Azure Policy, or Azure AD Conditional Access.
Compliance assessment tools compare current state to baseline.
Baselines are customizable but should be tested.
The exam may ask about the purpose, tools used to apply baselines, and the relationship to secure score.
Select the Appropriate Baseline Version
The first step is to choose the correct baseline version for your environment. Microsoft provides baselines for different Windows versions (e.g., Windows 10 2004, Windows 11 21H2), Azure services, and Microsoft 365. Each baseline is tailored to the security capabilities of that version. For example, the Windows 10 baseline includes settings for Windows Defender Application Guard, which is not available in older versions. Selecting the wrong version may result in missing settings or errors. Administrators should download the latest baseline from the Microsoft Security Compliance Toolkit or use the built-in baselines in Intune.
Customize the Baseline for Your Organization
Out-of-the-box baselines are designed for maximum security, which may break legacy applications or workflows. Therefore, you must review each setting and adjust it based on your organization's risk tolerance and operational needs. For example, the baseline may require BitLocker encryption, but if your devices lack TPM, you may need to exempt them. Use the Security Compliance Toolkit's Policy Analyzer to compare the baseline against your current settings and identify conflicts. Customizations should be documented and approved by security teams.
Deploy the Baseline Using a Management Tool
Deploy the customized baseline via Group Policy (on-premises), Intune (cloud-managed devices), or Azure Policy (Azure resources). For Intune, you create a 'Security Baseline' profile, select the baseline version, and assign it to a group of devices. Intune then pushes the settings to devices during the next check-in (typically every 8 hours). For Group Policy, you import the baseline GPO and link it to an OU. For Azure Policy, you assign the 'Azure Security Benchmark' initiative to a subscription or resource group. Deployment should be phased: start with a test group, then pilot, then production.
Monitor Compliance and Remediate Non-Compliance
After deployment, continuously monitor compliance using tools like Intune's compliance reports, Defender for Cloud's secure score, or Group Policy's Resultant Set of Policy (RSoP). Non-compliant devices are flagged with the specific settings that deviate from the baseline. For example, if a device's minimum password length is set below the baseline's 14 characters, Intune marks it as non-compliant. Remediation can be automatic (e.g., Azure Policy's 'deployIfNotExists' effect) or manual (e.g., user notification). Regularly review compliance reports to identify trends and update baselines as needed.
Update Baselines Regularly
Security baselines are living documents. Microsoft releases updates in response to new vulnerabilities, changes in compliance requirements, or product updates. For example, the 'Azure Security Benchmark' is updated quarterly. Administrators should subscribe to Microsoft security advisories and review new baseline versions. When updating, repeat the customization, testing, and deployment process. Version control is critical: maintain a history of baseline versions and track changes. Use tools like the 'Security Compliance Toolkit' to compare baseline versions and understand what changed.
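The monitoring step above boils down to comparing a device's current settings with the baseline and reporting every setting that deviates. As an added example (not code from this chapter or from Microsoft's toolkit), the script below reimplements that comparison for the [System Access] and [Event Audit] sections of a security template (.inf), the same file format the LGPO.exe and secedit commands consume. Both templates are constructed sample data; the baseline values mirror the figures listed in this chapter, and the device export shows a machine where a local administrator weakened the settings.

```python
"""Compare a security template (.inf) baseline with a device's exported
settings and list deviations, much as secedit /analyze does. Added example;
both templates below are constructed data, not real exports."""
import configparser

# Constructed baseline: values match this chapter's Windows baseline figures.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 14
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 5
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed device export (shape of `secedit /export /cfg device.inf`) from a
# device where password length, lockout threshold and logon auditing were relaxed.
DEVICE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 0
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
AuditLogonEvents = 1
"""

# Tolerance rule chosen for this example (secedit itself reports any mismatch):
# a device may be stricter than the baseline, never weaker.
AT_LEAST = {"MinimumPasswordLength", "PasswordHistorySize",
            "LockoutDuration", "ResetLockoutCount"}        # larger is stricter
AT_MOST_POSITIVE = {"MaximumPasswordAge", "LockoutBadCount"}  # smaller is stricter; 0/-1 = never

def parse_template(text: str) -> dict:
    """Parse .inf sections into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # do not lower-case MinimumPasswordLength etc.
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def setting_compliant(key: str, baseline: str, actual: str) -> bool:
    """True when the device value is at least as strict as the baseline value."""
    try:
        b, a = int(baseline), int(actual)
    except ValueError:            # non-numeric settings must match exactly
        return baseline.strip() == actual.strip()
    if key in AT_LEAST:
        return a >= b
    if key in AT_MOST_POSITIVE:
        return 0 < a <= b
    return a == b                 # audit flags (3 = Success and Failure): exact match

def analyze(baseline_text: str, device_text: str) -> list:
    """Return (section, key, baseline, device) per non-compliant or missing setting."""
    base, dev = parse_template(baseline_text), parse_template(device_text)
    findings = []
    for section in ("System Access", "Event Audit"):
        for key, expected in base.get(section, {}).items():
            actual = dev.get(section, {}).get(key, "missing")
            if actual == "missing" or not setting_compliant(key, expected, actual):
                findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    for section, key, expected, actual in analyze(BASELINE_INF, DEVICE_INF):
        print(f"NON-COMPLIANT [{section}] {key}: baseline={expected} device={actual}")
```

Run against the constructed device export it reports three deviations (password length 8, lockout threshold 0, logon auditing reduced to success only), which is the kind of finding the compliance reports described above surface per device.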
Scenario 1: Enterprise Windows 10 Deployment
A large enterprise with 10,000 Windows 10 devices needs to enforce a consistent security posture. Without baselines, each device may have different password policies, firewall rules, and audit settings. The IT team downloads the Windows 10 Security Baseline from the Microsoft Security Compliance Toolkit. They customize it to allow a longer password history (30) and exempt a legacy application that requires port 3389 (RDP) inbound. They deploy the baseline via Group Policy to a pilot OU of 100 devices. After two weeks, they review compliance using the Security Compliance Toolkit's Policy Analyzer and find that 10 devices have non-compliant settings due to local administrators overriding policies. They use Group Policy to enforce settings with 'No Override' and redeploy. After the pilot, they roll out to all devices. The secure score in Microsoft Defender for Cloud improves from 60% to 85%. Common issues include performance impact from enabled audit policies (log volume increases) and user complaints about stricter password requirements. The team mitigates by increasing log storage and communicating changes.
Scenario 2: Azure Subscription Compliance
A financial services company must comply with PCI DSS. They enable the 'Azure Security Benchmark' baseline in Defender for Cloud. This baseline includes policies like 'Enable MFA for privileged accounts' and 'Require encryption for storage accounts'. Initially, the secure score is 40% because many resources lack encryption and MFA is not enforced. The team assigns the built-in policy initiative to their subscription. Within 24 hours, non-compliant resources are flagged. For storage accounts without encryption, Azure Policy automatically enables encryption via the 'deployIfNotExists' effect. For MFA, they create a conditional access policy. After remediation, the secure score rises to 90%. However, a developer complains that a test storage account cannot be accessed because encryption was forced. The team creates an exemption for that resource. This scenario shows the need for careful testing and exceptions.
Scenario 3: Microsoft 365 MFA Baseline
A mid-sized organization wants to enforce MFA for all administrators. They enable the 'Baseline policy: Require MFA for admins' in Azure AD Conditional Access. This policy applies to all users with admin roles (Global Admin, Exchange Admin, etc.). The policy works by blocking sign-ins that do not satisfy MFA. After enabling, some admins report that they cannot access the admin portal from non-compliant devices. The team realizes that the baseline policy does not allow exceptions for trusted IPs. They decide to create a custom conditional access policy instead of using the baseline, which allows them to exclude the corporate network. This highlights that baselines are a starting point and may need customization.
The SC-900 exam tests your understanding of Microsoft Security Baselines primarily under objective 'Describe security solutions for Microsoft 365' and 'Describe security management capabilities in Azure'. Specifically, you should know:
What a security baseline is: A set of recommended security configurations for Microsoft products.
Purpose: To provide a consistent, secure starting point and reduce attack surface.
Sources: Derived from industry standards (CIS, NIST) and Microsoft's threat intelligence.
Tools for deployment: Group Policy, Intune, Azure Policy, Azure AD Conditional Access.
Compliance assessment: Tools like Defender for Cloud secure score and Intune compliance reports.
Customization: Baselines are customizable but should be tested.
Common wrong answers and traps:
'Security baselines are the same as compliance policies.' This is false. Compliance policies are broader and can include non-security settings (e.g., device jailbreak detection). Security baselines are specifically for security settings. The exam may ask to identify which is a security baseline vs. compliance policy.
'Baselines cannot be modified.' Many candidates think baselines are fixed. Actually, they are templates that can be customized. The exam may present a scenario where a baseline causes compatibility issues, and the correct answer is to customize it.
'Baselines are only for Windows.' This is a trap. Baselines exist for Azure, Microsoft 365, and other services. The exam may ask about baselines for Azure resources.
'Baselines are enforced automatically.' They are not enforced unless deployed via a management tool. Simply having a baseline available does not enforce it.
Specific numbers and terms:
The default password length in Windows Security Baseline is 14 characters (not the default Windows 10 of 0).
The default account lockout threshold is 5 attempts.
The baseline for Azure is called the Azure Security Benchmark.
The tool to customize baselines is the Security Compliance Toolkit.
Edge cases:
Baselines may conflict with existing Group Policy settings. The exam may ask about resolving conflicts using 'No Override' or precedence.
Baselines for Windows 10 are version-specific; applying a baseline for version 2004 to version 1809 may cause errors.
In Microsoft 365, baseline policies are 'pre-built' but not enabled by default. You must manually enable them.
How to eliminate wrong answers:
If a question asks about 'recommended security settings', the answer is 'security baseline'.
If a question mentions 'secure score', think about compliance with baselines.
If a question involves 'Group Policy' or 'Intune', it likely relates to deploying baselines.
Microsoft Security Baselines are pre-configured security settings recommended by Microsoft.
They are based on industry standards like CIS and NIST.
Baselines exist for Windows, Azure, and Microsoft 365.
Deployment tools include Group Policy, Intune, Azure Policy, and Azure AD Conditional Access.
Compliance is measured using secure score and compliance reports.
Baselines are customizable but should be tested before broad deployment.
Default password length in Windows baseline is 14 characters.
Account lockout threshold is 5 attempts by default.
The Azure Security Benchmark is the baseline for Azure resources.
Baselines are updated regularly; administrators should stay current.
These come up on the exam all the time. Here's how to tell them apart.
Security Baselines
Focus on security configurations (e.g., password length, encryption).
Derived from industry benchmarks (CIS, NIST).
Applied via Group Policy, Intune, Azure Policy.
Provide a secure starting point.
Example: Windows 10 Security Baseline.
Compliance Policies
Broader: include security and non-security settings (e.g., device jailbreak detection).
Can be custom-defined by organization.
Applied via Intune compliance policies, Conditional Access.
Focus on meeting specific regulatory or business requirements.
Example: 'Require device to be non-jailbroken'.
Mistake
Security baselines are the same as security policies.
Correct
Security policies are broader statements of management intent (e.g., 'All devices must be encrypted'). Baselines are specific technical configurations (e.g., 'BitLocker encryption must be enabled with 256-bit key'). Baselines implement policies.
Mistake
Baselines cannot be customized after deployment.
Correct
Baselines are templates that can be customized before deployment. You can modify settings to fit your environment. However, once deployed, you can update the baseline by deploying a new version.
Mistake
Baselines are only applicable to on-premises Windows devices.
Correct
Microsoft provides baselines for Windows, Azure, Microsoft 365, and even third-party applications. For example, there are baselines for Azure SQL Database and Office 365.
Mistake
Enabling a baseline automatically makes all devices compliant.
Correct
Enabling a baseline is the first step. Devices must be evaluated against the baseline, and non-compliant settings must be remediated. Tools like Defender for Cloud provide a secure score that reflects compliance level.
Mistake
Baselines are static and never change.
Correct
Microsoft updates baselines regularly to address new threats and changes in products. For example, the Azure Security Benchmark is updated quarterly. Administrators should stay current.
A security baseline is a specific set of technical configurations (e.g., 'minimum password length 14'), while a security policy is a high-level statement of intent (e.g., 'passwords must be strong'). Baselines implement policies. On the exam, you may need to identify which is a baseline vs. policy.
You can apply it using Group Policy (import the GPO backup), Intune (create a Security Baseline profile), or via the Security Compliance Toolkit's LGPO.exe tool. For example, use 'LGPO.exe /s baseline.inf' to import settings. The exam may ask about tools like Group Policy and Intune for deployment.
Yes, you can create a customized version of the baseline and deploy it as an update. However, you should test changes in a pilot group first. The exam may present a scenario where a baseline causes issues, and the correct answer is to customize it.
It is the security baseline for Azure services, consisting of a set of Azure Policy definitions that enforce security best practices. It is used by Defender for Cloud to assess resource compliance. The exam may ask about the name of the Azure baseline.
Secure score is a metric that indicates how well your environment complies with security baselines. In Defender for Cloud, the secure score increases as you remediate non-compliant resources. The exam may ask about the relationship between baselines and secure score.
No, they must be deployed via a management tool. Simply having a baseline available does not enforce it. The exam may test that you need to actively assign policies.
It is a set of tools from Microsoft that includes baselines, scripts, and tools like Policy Analyzer to help you customize and test baselines. The exam may ask about this toolkit.