“Custom security baselines aren’t failing because they’re flawed — they’re failing because your infrastructure is stuck in 2012.”

In my previous blog, we discussed how to build a custom security baseline using Microsoft Defender for Endpoint (MDE). But creating the baseline is just half the battle. The real test lies in its implementation.

In enterprise environments with diverse operating systems, legacy infrastructure, and shifting patch cycles, pushing a custom security baseline is like trying to install a Formula 1 engine into a 90s minivan.

In this post, we’ll explore the real-world hurdles teams face when deploying custom baselines at scale. You'll learn:

• How compatibility issues break your baseline dreams

• What happens when baselines collide with Windows or app updates

• How to strike a balance between security and usability

• Lessons from the field, including a real case from a hybrid enterprise setup

Let’s dive in.

---

🧱 What Makes Baseline Deployment Challenging?

A custom security baseline is a collection of configuration settings that represent your org’s security posture. Think of it as a “security blueprint” for endpoints.

However, real-world implementation faces challenges like:

Table: Analysis of challenges and their real-world impact

---

🧟‍♂️ Compatibility Issues with Legacy Systems

Let’s face it — not every organization can afford to ditch legacy systems overnight.

Legacy systems often run outdated operating systems or applications that rely on older protocols and configurations. While modern security baselines enforce strict rules (such as the deprecation of SMBv1 or older versions of TLS), these rules may inadvertently disable vital functionalities for legacy applications. For example, some internal business applications might still depend on protocols that are considered insecure by today’s standards.
Disabling insecure protocols like SMBv1 can prevent the spread of ransomware, yet certain legacy file-sharing applications require SMBv1 for functionality. Similarly, legacy endpoints might depend on outdated TLS protocols for secure communications. Effective baseline customization means striking a balance between enhanced security and uninterrupted business operations.

🔥 Example: SMB Signing & Legacy Scanners

A large healthcare organization implemented a custom Defender baseline that enforced SMB signing across all endpoints. This broke connectivity with older medical imaging software still reliant on unsigned SMBv1 traffic. The result? Delays in patient reports.

💡 Mitigation Strategy:

• Use group targeting in Intune or GPO to exempt legacy devices from strict policies.

• Create a “Legacy Systems” profile with relaxed settings.

• Use baseline versioning: tag older systems with a separate v1.0 baseline.

• Before deploying into production, deploy to a test lab environment that mirrors the legacy systems. This will allow you to validate both security and functionality changes.

• Maintain detailed records of every exception or modification made for troubleshooting and future updates.

📑Comparative Analysis Table

The following table provides a comparative overview of key aspects affected by legacy compatibility versus modern security requirements:

Table: Comparative Analysis of Legacy vs. Modern System Security Requirements

---

🔁 Maintaining Baseline Integrity During Updates

🤔The Update Dilemma

Microsoft periodically releases updates to the default security baselines of MDE. These updates incorporate new threat intelligence, security enhancements, and sometimes deprecate older settings. While these updates improve overall security for modern systems, they can also conflict with custom adaptations made for legacy compatibility. Organizations face the risk of having their finely tuned custom baselines inadvertently overwritten or disrupted by default updates.

🧨 Case Study: Credential Guard Reset

An enterprise client noticed that Credential Guard, which was enabled via MDE baseline, silently disabled after a Windows 11 feature update. The update reset Group Policy-linked settings and reintroduced default values.

🧭 Recommended Flow:

flowchart TD
    A[Define Baseline in MDE] --> B[Deploy via Intune or GPO]
    B --> C[OS or App Update Occurs]
    C --> D{Configuration Persisted?}
    D -- Yes --> E[Baseline Integrity OK]
    D -- No --> F[Baseline Drift Detected]
    F --> G[Trigger Remediation via Intune Scripts / GPO]
    G --> H[Audit & Reapply Settings]

Mermaid Flowchart: Shows the step-by-step decision logic for updating Defender baselines in a mixed environment

👌Best Practices for Integrating Updates

To maintain baseline integrity during updates, consider the following steps:

1. Version Control for Baseline Files:
   Use a version control system like Git to manage your XML configuration files. This practice allows you to track every change, compare different versions, and quickly revert to a previous configuration if needed.

2. Baseline Change Tracking:
   Monitor the Microsoft baseline repository (such as the official GitHub page) to identify new changes. Compare these changes against your custom baseline and evaluate which changes could be beneficial or disruptive.

3. Modular Baseline Design:
   Instead of hardcoding every setting, adopt a modular design whereby specific sections of the baseline can be updated independently. Use parameters or placeholders to manage exceptions for legacy systems.

4. Incremental Testing and Staged Rollout:
   Before a wide-scale deployment, test the updated baseline in your lab environment. Validate that legacy devices remain operational and that the new security rules do not impede critical business operations. Use phased rollouts to gradually update production environments.

5. Automated Validation with KQL:
   Enhance your monitoring framework using Kusto Query Language (KQL) queries to track compliance. Regularly run queries that check for deviations from expected settings or unexpected behaviors following an update.

🧭Process Flow for Baseline Update

The update process for custom baselines can be visualized as a flowchart. This diagram outlines the necessary steps to ensure a seamless integration of new security updates while preserving the custom adjustments for legacy systems.

Figure 1: Update Process for Custom MDE Baselines

    flowchart TD
    A[Monitor Microsofts Baseline Updates] --> B[Download Latest Default Baseline]
    B --> C[Compare with Custom Baseline]
    C --> D[Identify Changes and Potential Conflicts]
    D --> E[Isolate Legacy-Specific Configurations]
    E --> F[Merge Beneficial Updates and Retain Custom Exceptions]
    F --> G[Conduct Lab Testing on Both Modern and Legacy Systems]
    G --> H[Deploy Incrementally to Production Environment]
    H --> I[Run KQL Queries for Post-Deployment Validation]

Mermaid Flowchart: Shows the step-by-step decision logic for updating Defender baselines in a mixed environment

🕵️Validation and Monitoring

🌬️Continuous Validation with KQL

After deployment, it is essential to continuously monitor the environment to ensure that both modern and legacy systems remain compliant with the custom baseline. KQL (Kusto Query Language) serves as a powerful tool for real-time data analysis and alerting. Regularly executing pre-defined KQL queries can help identify deviations from prescribed security settings promptly.

Example KQL Query for Legacy System Monitoring:

kqlDeviceConfigurationEvents  
| where EventTime > ago(1d)  
| where SettingName contains "Legacy"  
| summarize Count = count() by DeviceName, SettingName, ActionType  
| order by Count desc

Sample KQL query for monitoring legacy system settings and identifying anomalies.

🌀Monitoring Dashboard for Baseline Health

Building or leveraging a comprehensive dashboard that aggregates the results from your KQL queries is vital. A dashboard provides visual insights into compliance trends and helps security teams quickly pinpoint areas requiring remediation. Below is a sample table showing the key metrics that should be tracked.

Table: Key metrics for monitoring the health and compliance of custom security baselines.

---

🤖 Automating Baseline Validation and Drift Remediation

Manually managing security baselines across thousands of endpoints isn’t scalable — and worse, it’s error-prone. Automation ensures consistency, speeds up drift detection, and improves incident response. Below are essential tools and practices to integrate into your MDE baseline management pipeline.

---

⚙️ Key Automation Tools for Baseline Management

---

🧠 Use Case: Self-Healing Baseline with Intune + Graph API

Let’s say BitLocker enforcement is part of your baseline. After a patch update, a subset of machines silently disables encryption. Here’s how automation can detect and fix it:

1. KQL query detects non-compliant devices (e.g., BitLocker = off)

2. Alert is raised in Microsoft Sentinel

3. Logic App or Power Automate triggers Graph API script

4. Script remotely re-enables BitLocker via Intune remediation task

🛠️ Automation Script Example (Proactive Remediation – BitLocker)

powershellCopyEdit$BitLockerStatus = Get-BitLockerVolume | Select-Object -ExpandProperty ProtectionStatus
if ($BitLockerStatus -eq 0) {
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly
}

Schedule this via Intune > Devices > Scripts > Proactive Remediation

---

Below are two key Graph API scripts — one for querying Defender for Endpoint baseline compliance, and another for remediating a drifted setting (e.g., re-enabling Real-time Protection). These scripts are designed for secure automation using Microsoft Graph + Intune and integrate well into CI/CD or Azure Automation.

📜 Graph API Script — Query Defender Compliance

This script checks whether devices are compliant with a custom Defender baseline (e.g., Real-time Protection = On):

powershellCopyEdit# Prerequisites:
# - Azure AD App Registration with Intune/DeviceManagement RBAC
# - App permissions: DeviceManagementConfiguration.Read.All
# - Token retrieved via MSAL or ADAL

# Set variables
$TenantId = "<your-tenant-id>"
$ClientId = "<your-app-client-id>"
$ClientSecret = "<your-client-secret>"
$Scope = "https://graph.microsoft.com/.default"
$GraphUrl = "https://graph.microsoft.com/v1.0"

# Get Auth Token
$Body = @{
    client_id     = $ClientId
    scope         = $Scope
    client_secret = $ClientSecret
    grant_type    = "client_credentials"
}
$TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Method POST -Body $Body
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }

# Query device configurations for Defender Real-time Protection status
$uri = "$GraphUrl/deviceManagement/managedDevices?`$filter=deviceName eq 'DEVICE01'"
$response = Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET

$response.value | Select-Object deviceName, complianceState, lastSyncDateTime

🔍 Output:

• Lists device compliance state

• Useful for dashboarding or triggering auto-remediation logic

---

🔧 Graph API Script — Remediate Defender Setting

This script sends a remediation configuration profile to affected devices (e.g., enabling Defender Real-time Protection if disabled).

powershellCopyEdit# Define the remediation JSON profile
$Profile = @{
    "@odata.type" = "#microsoft.graph.deviceConfiguration"
    displayName   = "Remediate Defender RealTime Protection"
    description   = "Enable Real-time Protection if disabled"
    platform      = "windows10AndLater"
    configurationSettings = @(
        @{
            "@odata.type" = "#microsoft.graph.windows10EndpointProtectionConfiguration"
            defenderMonitorFileActivity = "audit"
            defenderRealTimeMonitoringEnabled = $true
        }
    )
}

# Send remediation profile via Graph API
$uri = "$GraphUrl/deviceManagement/deviceConfigurations"
$body = $Profile | ConvertTo-Json -Depth 10
Invoke-RestMethod -Headers $Headers -Uri $uri -Method POST -Body $body -ContentType "application/json"

💡

Tip: Tag the devices first using dynamic groups or deviceCategory for targeted remediation.

---

🔄 Integrate with GitOps for Baseline Lifecycle

Treat your security baseline as code. Store all JSON, XML, and PowerShell configurations in a Git repo:

• Use GitHub Actions or Azure Pipelines to:

  • Link and test baseline syntax

  • Compare against latest Microsoft Baseline updates (diff check)

  • Deploy to staging/test groups upon PR merge

• Define approval gates for production deployment

This gives you version control, rollback capability, and audit trails — a must-have for enterprises with compliance requirements (ISO, HIPAA, etc.)

---

🧭Flowchart for automating lifecycle for Baseline Drift Detection and Remediation

flowchart TD
    A[Daily/Trigger Event] --> B[Run KQL Query for Baseline Drift]
    B --> C{Drift Detected?}
    C -- No --> Z[No Action Needed]
    C -- Yes --> D[Log Alert in Sentinel]
    D --> E[Trigger Logic App / Azure Automation]
    E --> F[Call Graph API: Identify Non-Compliant Devices]
    F --> G[Call Graph API: Push Remediation Config Profile]
    G --> H[Wait for Device Sync: Intune]
    H --> I[Run Compliance Check via Graph API]
    I --> J{Compliance Restored?}
    J -- No --> K[Escalate to SecOps/Manual Review]
    J -- Yes --> L[Log Success and Close]
    L --> Z

---

✅ Best Practices for Automation

• Modularize scripts: Break complex baselines into reusable policy blocks.

• Tag exceptions: Auto-detect and skip legacy or exempted devices using device tags.

• Schedule validation: Run KQL drift checks daily or post-patch via Sentinel.

• Secure automation: Store secrets (tokens, keys) in Azure Key Vault or GitHub secrets.

• Document workflows: Use diagrams and runbooks for handover and audit readiness.

---

🧪 Testing Isn’t Optional — It’s Survival

You need to simulate worst-case scenarios before pushing baselines to production.

🧰 Tools You Should Be Using:

• Microsoft Security Configuration Toolkit: test settings locally before deployment

• MDE Security Recommendations blade: validate risky configurations

• Windows Sandbox or Lab VMs: simulate updates and baseline reapplication

---

💼 Enterprise Case Study: Mixed-OS Retail Deployment

🎯 Background:

A multinational retail chain wanted to roll out a custom Defender for Endpoint baseline across 3,000+ devices, including:

• Windows 10/11 laptops

• Windows Server 2016 POS systems

• Android-based handheld scanners (via Defender for Endpoint on Android)

🚧 Problem:

The baseline included BitLocker enforcement and Exploit Protection. While newer Windows 11 machines handled it well, older Windows 10 and Server 2016 POS systems crashed due to incompatible settings.

🛠️ Solution:

• Created device groups in Intune:

  • Modern Clients (Win11) → Full baseline

  • Legacy POS (Win10/2016) → Light baseline

• Added baseline version labels (v1.0, v1.5) with tailored policies

• Scheduled monthly integrity reports and drift remediation scripts

📈 Result:

Reduced endpoint incidents by 42% in 3 months without impacting legacy uptime.

---

🔐 Striking the Balance: Security vs. Usability

Security should protect, not paralyze.

• Enabling ASR rules without exclusions can block Office macros used in finance workflows.

• Disabling PowerShell v2 can break older automation scripts.

• Hardened settings like LSA Protection require BIOS/UEFI support, which not all devices have.

💡

Always test policies under real workloads. Survey internal teams before enforcing hardening.

---

✅ Final Recommendations

Here’s a checklist to help you successfully implement a custom MDE security baseline:

---

📣 Wrapping Up

Custom security baselines are crucial, but not “set and forget.” Real-world implementation is messy — especially when you factor in legacy systems, updates, and cross-platform endpoints.

By learning from real-world cases and proactively planning for exceptions, you can harden your enterprise without breaking it.

Want a downloadable version of this checklist or the flowchart? Drop a comment or message on LinkedIn. Let’s secure smarter, not harder.

---

🔔 Follow @cybershiv for real-world cybersecurity tutorials, red teaming insights, and cloud security tips from the trenches.

---

💛 Enjoyed this guide? Support my work here → BuyMeACoffee.com/cybershiv