AD3.6 Security Baselines vs Custom Profiles

The practical recommendation

For NE's environment — and for most organizations where an IT administrator is adding security to an existing Intune-managed environment — custom configuration profiles are the better choice. Here's why.

NE already has Intune deployed for device management. There are existing configuration profiles for WiFi, VPN, application deployment, and Windows Update rings. A security baseline applies hundreds of settings, many of which may conflict with these existing profiles. Conflicts between baseline settings and custom profile settings produce unpredictable results — the device may get the baseline setting, the custom setting, or neither.

The specific settings that matter for security — BitLocker encryption, firewall configuration, Defender Antivirus settings, Windows Update compliance — are better deployed as individual custom profiles where you control exactly what's configured. This avoids the conflict problem entirely and makes troubleshooting straightforward: if a setting isn't applied, you check one profile, not a matrix of overlapping baselines.

If you're building a new environment from scratch with no existing Intune profiles and no GPO inheritance, security baselines are a reasonable starting point — they provide a solid default configuration quickly. But review every setting in the baseline before deploying. Microsoft's recommended settings are a good starting point but not universally appropriate — some settings break specific applications, and others are more restrictive than necessary for your environment.

Creating the security configuration profiles

Instead of applying a full security baseline, create targeted configuration profiles for the settings that matter most. Navigate to intune.microsoft.com → Devices → Configuration → Create profile.

Profile 1 — BitLocker encryption. Platform: Windows 10 and later → Profile type: Endpoint protection → Windows Encryption. Configure: require device encryption, encrypt all drives, compatible TPM startup (allow TPM). Deploy to all Windows devices. This profile enables BitLocker silently on all enrolled devices and stores recovery keys in Entra ID.

Profile 2 — Windows Firewall. Platform: Windows 10 and later → Profile type: Endpoint protection → Microsoft Defender Firewall. Configure: enable firewall for domain, private, and public profiles, block all inbound connections by default, allow outbound. Deploy to all Windows devices.

Profile 3 — Defender Antivirus. Platform: Windows 10 and later → Profile type: Endpoint protection → Microsoft Defender Antivirus. Configure: enable real-time protection, enable cloud-delivered protection (high), enable automatic sample submission, schedule quick scan daily. Deploy to all Windows devices.

Profile 4 — Windows Update. Platform: Windows 10 and later → Profile type: Update rings for Windows 10 and later. Configure: quality update deferral 7 days, feature update deferral 30 days, deadline for quality updates 5 days, deadline for feature updates 14 days. Deploy to all Windows devices.

Each profile targets one security domain. No overlaps. No conflicts. Clear troubleshooting path. If a device has an issue with BitLocker, you check Profile 1. If antivirus isn't configured correctly, you check Profile 3. This is far simpler than debugging a security baseline that touches hundreds of settings.

Attack Surface Reduction rules — the highest-value custom settings

Beyond the four core profiles above, Attack Surface Reduction (ASR) rules provide significant protection against common attack techniques. These are Intune configuration settings that block specific malware delivery mechanisms without requiring Defender for Endpoint licensing.

Navigate to intune.microsoft.com → Endpoint security → Attack surface reduction → Create policy → Windows 10 and later → Attack Surface Reduction Rules.

The highest-impact ASR rules to enable first:

• Block executable content from email client and webmail: Prevents users from running executables delivered via email — a primary malware delivery vector.
• Block all Office applications from creating child processes: Prevents Office macros from launching PowerShell, cmd, or other processes — blocks the most common macro malware technique.
• Block JavaScript or VBScript from launching downloaded executable content: Prevents script-based payload downloaders.
• Block Office applications from injecting code into other processes: Prevents Office-based process injection attacks.

Set each rule to Audit mode first (not Block). Audit mode logs what would have been blocked without affecting users. Run in audit mode for 2 weeks and review the audit log (Defender → Reports → Attack surface reduction or Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational). If legitimate processes appear in the audit log, create exclusions before switching to Block mode.

# Verify ASR rules are applied
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

ASR rules are available on E3 — they don't require E5 or Defender for Endpoint. They're one of the most effective security controls included in your existing license that most administrators never enable. Deploying them as a custom profile (not via a security baseline) gives you control over which rules are active and which are in audit mode.

When you DO have Defender for Endpoint (E5)

If your organization upgrades to E5 or adds Defender for Endpoint as an add-on, the device compliance landscape changes significantly. MDE provides a device risk score that you can integrate with Intune compliance: a device with "High" risk (active malware detected, vulnerable configuration) is marked non-compliant regardless of other compliance checks.

This integration is configured in intune.microsoft.com → Endpoint security → Microsoft Defender for Endpoint → Connection settings. Enable the connection, then add a "Device threat level" check to your compliance policy: set it to "Medium" or "Low and above" to require devices to have an acceptable risk score.

This is future-proofing: you don't need it now on E3, but knowing the integration exists means you can plan for it if E5 becomes available.

Troubleshooting configuration profile conflicts

When a device setting isn't applying correctly, the cause is usually a profile conflict. Intune shows conflicts in two places:

Device page → Device configuration. Navigate to intune.microsoft.com → Devices → select the device → Device configuration. This shows every profile assigned to the device with its deployment status. "Succeeded" means the profile applied. "Conflict" means a setting in this profile conflicts with a setting in another profile. Click the conflicting profile to see which specific settings are in conflict.

Reports → Device assignment status. Navigate to intune.microsoft.com → Reports → Device configuration → Assignment status. This shows across all devices which profiles are succeeding, failing, or conflicting. A profile with a high conflict rate needs investigation — it's probably overlapping with another profile or a GPO.

The most common conflict pattern: an Intune security baseline and a custom configuration profile both configure the same Windows Firewall setting. The baseline sets "Block all inbound" and the custom profile sets "Allow RDP inbound." Both are valid settings but they can't coexist. Resolution: remove the firewall settings from one source. Since the custom profile was built deliberately for your environment and the baseline is generic, remove the firewall settings from the baseline (or don't use the baseline at all — which is the recommendation from this subsection).

For environments migrating from GPO to Intune, GPO settings may conflict with Intune profiles. Check whether the device is receiving both GPO and Intune settings for the same configuration. The general precedence is: Intune configuration profile > GPO for Intune-managed settings, but this varies by setting type. The cleanest approach is to remove GPO settings for any configuration managed through Intune — don't manage the same setting from two sources.

Verifying that configuration profiles are applying correctly

After deploying your four custom security profiles, verify each one is applying to the target devices:

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# List all configuration profiles and their assignment status
Get-MgDeviceManagementDeviceConfiguration -All |
    Select-Object DisplayName, @{N="Platform";E={$_.AdditionalProperties.'@odata.type'}},
        LastModifiedDateTime |
    Format-Table -AutoSize

For a specific profile, check the per-device deployment status in the portal. Navigate to intune.microsoft.com → Devices → Configuration → select the profile → Device status. This shows every device the profile targets with the deployment result: Succeeded, Pending, Error, or Conflict.

Succeeded: The profile settings are applied on the device. No action needed.

Pending: The device hasn't checked in since the profile was assigned. Trigger a sync from the device page or wait for the next scheduled check-in (every 8 hours).

Error: The profile failed to apply. Click the device entry to see the error detail. Common errors: "Not applicable" (the device OS doesn't match the profile platform), "Remediation failed" (a setting can't be applied — e.g., BitLocker on a device without TPM), or "Access denied" (insufficient permissions for the Intune management extension).

Conflict: Another profile or GPO configures the same setting with a different value. Click the device entry to see which profiles are conflicting. Resolve by removing the duplicate from one source.

Run this verification for each of your four profiles (BitLocker, Firewall, Defender AV, Windows Update) within 48 hours of deployment. Any device showing Error or Conflict needs investigation before you rely on the profile for compliance enforcement.