The Microsoft 365 Blog

Intune Baselines Explained: Why Every MSP Needs One

Aug 27, 2025

Mike, an MSP I know, recently called me in something close to despair.

“Six laptops at a client site aren’t encrypted,” he said. “Gary’s got local admin rights on his desktop. And when I look across all our clients in Intune, they’re set up completely differently. I can’t get a handle on it. I’m losing it.”

Mike’s problem isn’t unusual. If you manage dozens—or thousands—of devices across multiple organisations, you’ll know that Intune can be a blessing and a curse. Yes, it’s powerful. Yes, it’s the best way to manage devices in the Microsoft 365 ecosystem. But without a standardised security approach, it’s like asking five chefs to cook the same dish without a recipe. You’ll get five very different meals—and probably some questionable ingredients along the way.

This is where baselines come in.


What Exactly Is a Baseline?

A baseline is, in simple terms, a blueprint for security. It’s a template of recommended configurations and policies you can apply to devices across your organisation. Instead of crafting everything by hand—writing policies for encryption, compliance, device configuration—you start with a set of proven, pre-built standards.

Think of it as the foundation of a house. Once it’s in place, you can customise as much as you like. But without it, the whole structure is wobbly.


The Baseline Options

1. Microsoft Security Baselines

Straight out of the box, Microsoft gives you a set of security baselines in Intune. For example, there’s one for Windows 10 and later. It’s built into the portal, easy to deploy, and—crucially—kept updated (although Microsoft has been known to let them sit untouched for years at a time).

Click “Create Policy,” select your baseline, and assign it to your devices. Simple. But you’re locked into what Microsoft deems secure.

2. CIS Benchmarks

The Center for Internet Security (CIS) publishes its own benchmarks: standards that align with its well-regarded cybersecurity framework. These are detailed, prescriptive, and respected worldwide.

The catch? They’re not easily plug-and-play. You’ll likely need to pay for CIS’s SecureSuite membership to get “build kits” you can import directly into Intune. Without that, you’re left with documentation and a lot of manual configuration.

3. NCSC Guidance (UK)

Here in the UK, the National Cyber Security Centre has also produced Windows configuration guidance. You can even grab JSON files from their GitHub repository.

Sounds promising—until you notice the last update was four years ago. In IT security, four years might as well be four decades.


The Open Intune Baseline

Then there’s the option I recommend—the Open Intune Baseline.

Created by James Robinson, a Microsoft MVP, this community-driven baseline takes the best of Microsoft’s, CIS’s, and expert recommendations, and rolls them into a free, regularly updated package.

You can download it from GitHub. Inside, you’ll find policies covering:

  • Windows device security

  • Microsoft Office hardening

  • Microsoft Edge configurations

  • Windows Hello for Business

  • iOS and Android app protection policies

  • macOS security profiles

In short: everything you need for a modern, cross-platform security baseline.


Making It Easy: The Intune Management Tool

Of course, downloading policies is one thing. Importing them into Intune is another. That’s where Michael Carson’s Intune Management Tool comes in.

Also free, also community-driven, this tool lets you import and export policies into Intune with a few clicks. You point it at your downloaded baseline folder, select the policies you want, and import. Minutes later, your tenancy is populated with a full suite of security and compliance policies, ready to assign to groups.


Why It Matters

Standardisation isn’t glamorous. You won’t get a pat on the back for saying, “All our devices use the same encryption settings.” But you will avoid the kind of headaches Mike had—unprotected laptops, rogue admin rights, and a patchwork of inconsistent configurations across clients.

And when something goes wrong (as it always does), having a baseline means you’ve got a known good state to fall back on.
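
To make "known good state" concrete, here is an added example (not code from the Open Intune Baseline or the Intune Management Tool) that compares a client's exported policies against the baseline and lists every deviation. It assumes both sides have been loaded as a mapping of policy name to policy JSON; the policy names, setting names and the list of ignored fields are constructed for illustration.

```python
# Fields assumed to vary per tenant or per export without changing what the
# policy enforces (constructed list; adjust to the real export format).
VOLATILE = {"id", "createdDateTime", "lastModifiedDateTime", "version"}
ABSENT = "<absent>"

def flatten(node, prefix=""):
    """Yield (path, value) for every leaf of a nested JSON document."""
    if isinstance(node, dict):
        for key in sorted(node):
            if key not in VOLATILE:
                yield from flatten(node[key], f"{prefix}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from flatten(item, f"{prefix}/{index}")
    else:
        yield prefix, node

def drift(baseline, tenant):
    """Return (policy, path, expected, actual) for every deviation."""
    findings = []
    for name in sorted(baseline):
        if name not in tenant:
            findings.append((name, "(policy)", "present", ABSENT))
            continue
        want, have = dict(flatten(baseline[name])), dict(flatten(tenant[name]))
        for path in sorted(want.keys() | have.keys()):
            expected, actual = want.get(path, ABSENT), have.get(path, ABSENT)
            if expected != actual:
                findings.append((name, path, expected, actual))
    # Policies that exist only in the tenant are reported too.
    for name in sorted(tenant.keys() - baseline.keys()):
        findings.append((name, "(policy)", ABSENT, "present"))
    return findings

# Constructed sample data: policy and setting names are illustrative only.
BASELINE = {
    "Disk Encryption": {"id": "b-1", "requireEncryption": True, "cipher": "xtsAes256"},
    "Local Admins": {"id": "b-2", "members": ["IT-Admins"]},
}
CLIENT = {
    "Disk Encryption": {"id": "c-9", "requireEncryption": False, "cipher": "xtsAes256"},
    "Old Test Policy": {"id": "c-3", "allowUsb": True},
}

if __name__ == "__main__":
    for finding in drift(BASELINE, CLIENT):
        print(*finding, sep=" | ")
```

Run per client, an empty result means the tenant matches the baseline; anything else is a weakened setting, a missing policy, or a leftover policy to review.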


Final Word

Security baselines in Intune aren’t just another Microsoft buzzword. They’re the difference between managing devices confidently and lurching from crisis to crisis.

You could pay for CIS. You could roll the dice on outdated NCSC templates. Or you could use the Open Intune Baseline—a free, community-driven, regularly updated standard that will save you hours and keep your clients safe.

In the end, Intune without a baseline is like building a house on sand. It’ll stand up for a while, but don’t expect it to survive the storm.