Security Baseline (User)

Overview

Purpose / Short Summary:

The Devicie Security Baseline (User) provides a starting point for organisations to begin their Endpoint security improvement journey, while remaining productive. It covers a wide range of items that encourage standardisation, improve administrators overview and improve device security with minimal impact to typical user activity.

Intune Description:

Inspired by CIS 3.0, while allowing for a secure, but productive experience. Configuration impacting Device Lock and Device Guard.

Scope:

This baseline should be applied to users, in conjunction with the “DEVICIE-PROD-Security Baseline (Device)” baseline.

Policy Impact Areas

When deployed, this policy will impact:

Enforcing Device Lock, with minimum requirements
Configuring Device Guard

Deployment Notes

Pre-Deployment Considerations:
- Windows Hello for Business suitability
Post-Deployment Validation:
- Verify Windows Defender configuration
- Verify Windows Hello for Business being enabled, with 6+ number length required

Configuration Settings:

Name	Value
Administrative Templates
MSS (Legacy)
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)	Disabled
Device Guard
Configure System Guard Launch	Unmanaged Enables Secure Launch if supported by hardware
Enable Virtualization Based Security	enable virtualization based security.
Credential Guard	(Enabled without lock) Turns on Credential Guard without UEFI lock.
Require Platform Security Features	Turns on VBS with Secure Boot.
Device Lock
Device Password Enabled	Enabled
Alphanumeric Device Password Required	Password, Numeric PIN, or Alphanumeric PIN required.
Device Password Expiration	365
Device Password History	24
Min Device Password Length	14
Minimum Password Age	1

Devicie Template Name	Security Baseline (User)
Default Intune Deployed Name	DEVICIE-PROD-Security Baseline (User)
Version	1.0
Template Last Updated	Nov 18, 2024
Document Status:	DRAFT
Document Last Updated:	Apr 10, 2025