6.1 Endpoint Security Policies and Security Baselines
Key Takeaways
- Endpoint security policies are purpose-built Intune policy types for security workloads such as antivirus, disk encryption, firewall, attack surface reduction, and endpoint detection and response.
- Security baselines are Microsoft-recommended collections of settings; targeted endpoint security policies are better when the requirement names one specific control such as BitLocker, Defender Antivirus, or firewall rules.
- MD-102 scenarios often test policy selection: use antivirus for Defender AV behavior, disk encryption for BitLocker or FileVault, firewall for network profile rules, and attack surface reduction for exploit and risky-behavior blocking.
- Configuration conflicts can occur when baselines, endpoint security policies, and device configuration profiles set the same setting differently on the same device.
- A secure design must include monitoring and remediation, not just assignment; verify deployment status, conflicts, device compliance, and security posture after policy rollout.
Why this matters for MD-102
The current Microsoft MD-102 study guide weights the "Protect devices" domain at 15-20% of the exam and specifically calls out antivirus policies, disk encryption policies, firewall policies, attack surface reduction policies, security baselines, Defender for Endpoint integration, onboarding, and update management. Expect scenario questions that ask which Intune control solves a precise protection requirement.
Endpoint protection in Intune is not one generic profile. The exam wants you to recognize the management surface, the platform, and the downstream effect. A requirement to configure Microsoft Defender Antivirus exclusions is different from a requirement to rotate a BitLocker recovery key, enforce firewall behavior across domain/private/public profiles, or deploy a Microsoft-recommended hardening package.
Policy families you must distinguish
| Requirement cue | Best Intune area | What it controls | Common distractor |
|---|---|---|---|
| Real-time protection, scan behavior, Defender AV exclusions, security intelligence | Endpoint security > Antivirus | Microsoft Defender Antivirus and related AV settings | Feature updates or app configuration |
| BitLocker on Windows, FileVault on macOS, recovery behavior, encryption settings | Endpoint security > Disk encryption | Data-at-rest protection | Compliance policy alone |
| Domain/private/public firewall profiles or firewall rules | Endpoint security > Firewall | Built-in firewall behavior and network access controls | Delivery Optimization |
| Block risky behaviors such as malicious Office child processes, script abuse, credential theft paths, or device control rules | Endpoint security > Attack surface reduction | Hardening and exploit-path reduction | Antivirus only |
| Broad Microsoft-recommended hardening starting point | Endpoint security > Security baselines | Curated sets of security settings for products such as Windows, Microsoft Defender for Endpoint, Microsoft Edge, Microsoft 365 Apps, and Windows 365 | Hand-built settings catalog profile for every setting |
| Onboard devices to Defender for Endpoint and configure EDR settings | Endpoint security > Endpoint detection and response | Security telemetry, onboarding, and EDR settings | Compliance policy only |
Baseline vs. targeted setting
A security baseline is the fastest way to deploy a broad, opinionated set of recommended settings. Use it when the scenario says the organization wants Microsoft-recommended hardening quickly, wants a starting posture, or is migrating security configuration from older group policy thinking into Intune.
A targeted endpoint security policy is the better answer when the scenario names a specific workload. If the stem says BitLocker, choose disk encryption. If it says Microsoft Defender Firewall, choose firewall. If it says ASR rules, choose attack surface reduction. If it says real-time protection, Defender AV scan settings, or exclusions, choose antivirus.
Conflict and rollout discipline
Intune treats different policy types as configuration sources. If a baseline sets a firewall option and a firewall profile sets a different value for the same device, the result can be a conflict. The exam will not always say "conflict" directly; it may describe settings that fail to apply, inconsistent device state, or admins deploying duplicate controls.
Use this rollout sequence for real-world and exam thinking:
- Start with a pilot device group and one policy intent.
- Deploy a baseline only after reviewing its defaults and exceptions.
- Use targeted endpoint security policies for settings that need ownership, tuning, or separate lifecycle control.
- Avoid setting the same value in a baseline, settings catalog profile, and endpoint security policy at the same time.
- Monitor assignment, device status, per-setting errors, and conflicts before broad deployment.
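The conflict mechanism described above (a baseline and a targeted policy disagreeing on the same setting for the same device) and the "avoid duplicate controls" rollout rule, as an added example that is not from the study guide or from Intune itself: it models policy sources, group assignments, and devices as plain data and separates true conflicts (different values) from merely redundant assignments (same value set twice). All policy names, setting keys, group names, and device names are constructed.

```python
"""Simulate how settings from several Intune policy sources land on one device.
Policies, setting keys, groups, and devices are constructed sample data."""
from collections import defaultdict

# Constructed policies: each has a source type, assigned groups, and settings.
POLICIES = [
    {"name": "Windows Security Baseline", "source": "Security baseline",
     "groups": {"All Windows"},
     "settings": {"Firewall/PublicProfile/Enabled": True,
                  "Firewall/PublicProfile/DefaultInbound": "Block",
                  "Defender/RealTimeProtection": True}},
    {"name": "Firewall - Public profile", "source": "Endpoint security > Firewall",
     "groups": {"Pilot"},
     "settings": {"Firewall/PublicProfile/DefaultInbound": "Allow"}},  # disagrees
    {"name": "Defender AV - Workstations", "source": "Endpoint security > Antivirus",
     "groups": {"Pilot"},
     "settings": {"Defender/RealTimeProtection": True}},  # same value, redundant
]

# Constructed device-to-group membership.
DEVICE_GROUPS = {
    "LAPTOP-01": {"All Windows", "Pilot"},
    "LAPTOP-02": {"All Windows"},
}


def effective_settings(device, policies=POLICIES, device_groups=DEVICE_GROUPS):
    """Return {setting_key: [(policy, source, value), ...]} for every policy
    whose assignment groups overlap the device's group membership."""
    applied = defaultdict(list)
    for policy in policies:
        if policy["groups"] & device_groups[device]:
            for key, value in policy["settings"].items():
                applied[key].append((policy["name"], policy["source"], value))
    return dict(applied)


def find_conflicts(device, policies=POLICIES, device_groups=DEVICE_GROUPS):
    """Split multiply-set settings into conflicts (values differ across sources)
    and redundant assignments (same value from more than one source)."""
    conflicts, redundant = {}, {}
    for key, sources in effective_settings(device, policies, device_groups).items():
        if len(sources) < 2:
            continue  # a single source cannot conflict
        if len({value for _, _, value in sources}) > 1:
            conflicts[key] = sources
        else:
            redundant[key] = sources
    return conflicts, redundant
```

Run `find_conflicts("LAPTOP-01")` to see the firewall inbound rule flagged as a conflict while real-time protection is only redundant; the non-pilot device gets neither.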
Exam decision pattern
When a question asks for a policy, identify the noun in the requirement first. "Encrypt" points to disk encryption, "network profiles" points to firewall, "malicious macros and exploit techniques" points to attack surface reduction, and "recommended set of settings" points to a security baseline. Compliance policies can evaluate whether a device meets requirements, but they do not replace the policy that configures the security control.
A company wants to centrally configure Microsoft Defender Antivirus real-time protection, scan options, and exclusions on Windows devices. Which Intune policy family is the best fit?
Security leadership wants a quick Microsoft-recommended hardening starting point for Windows devices, with later tuning for exceptions. What should the administrator deploy first?
Which statements correctly describe endpoint security policies and baselines in Intune? Select all that apply.