
Appendix B: Intune Baseline Configurations

The following sections contain policy exports taken from the Open Intune Baseline (OIB) project and adapted for GCC High deployments. Each policy is exported in Intune's native settings catalog format. These configurations satisfy the device hardening requirements mapped in Chapter 10 and the CMMC control matrix in Appendix A.

Why this curation exists

Readers often arrive at this appendix expecting a single Microsoft-published "canonical Intune baseline for GCC High" they can download and deploy. No such baseline exists. What exists is a tiered ecosystem of partial sources, each useful but none turnkey for a GCC High CMMC Level 2 deployment. This appendix curates one deployment-ready set out of those sources so the book ships with something importable rather than a pointer to five incompatible ones.

Source: Microsoft Security Baselines (built into Intune at Endpoint security → Security baselines)
Covers: Windows, Microsoft Defender for Endpoint, M365 Apps for Enterprise, Microsoft Edge
Why it isn't the answer on its own: Available in GCC High but commercial-flavored. Endpoint references inside the baselines do not auto-rewrite to sovereign equivalents (*.us domains, USGov Azure suffixes, security.microsoft.us). Useful starting point, not turnkey.

Source: Microsoft STIG-audit baseline for GCC High
Covers: Audits Windows device configuration against DISA STIG recommendations
Why it isn't the answer on its own: Listed on Microsoft's "In development for Microsoft Intune" page. Audit-only, not configuration: it reports compliance, it does not enforce it.

Source: Open Intune Baseline (OIB) at openintunebaseline.com
Covers: Comprehensive, MECE-organized (mutually exclusive, collectively exhaustive) policy set spanning Endpoint Security, Configuration, Compliance, Apps, and Platform Scripts
Why it isn't the answer on its own: Community-maintained and commercial-targeted by default. GCC High deployment requires manual substitution of sovereign endpoints throughout. The OIB maintainer publishes GCC High compatibility commentary but does not maintain a separate sovereign branch.

Source: CISA SCuBA (Secure Cloud Business Applications) baselines
Covers: Service-side M365 configuration for Entra, Exchange, SharePoint, Teams, Power Platform, and Defender. Maps to FedRAMP and CMMC.
Why it isn't the answer on its own: Mostly M365 service configuration, not Intune device policy. Limited overlap with what this appendix covers.

Source: DISA STIGs at public.cyber.mil/stigs
Covers: DoD hardening baselines, published as JSON/XCCDF
Why it isn't the answer on its own: DoD-flavored, calibrated for DoD information systems rather than the commercial defense supply chain. A different baseline philosophy from OIB: designed for DoD system hardening rather than CMMC L2 compliance. Some sections are Intune-importable.

The de facto canonical baseline for a GCC High CMMC Level 2 deployment is OIB + sovereign endpoint substitutions + CMMC control mappings + MDE Security Settings Management considerations + server-specific tuning. That is what this appendix produces, exported in Intune-native format and organized to import directly. If Microsoft publishes a sovereign-cloud configuration baseline (versus the audit-only STIG baseline currently in development), this appendix will adopt it as the upstream and document the deltas rather than curating from scratch.
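The sovereign endpoint substitution step above is mechanical but easy to get wrong by hand across dozens of exported policies. As an added example (not code from this book, from OIB, or from Microsoft), the following Python script walks an exported settings catalog policy, rewrites every string value that contains a known commercial endpoint, records what it changed, and then flags any commercial Microsoft hostnames it did not recognize so a human can extend the map or confirm the value is intentional. The endpoint mapping, the sample policy and its setting definition IDs are assumptions constructed for illustration; verify each mapped pair against Microsoft's current GCC High endpoint documentation before applying it to a real export.

```python
"""Audit and rewrite commercial-cloud endpoints in an exported Intune
settings catalog policy so that it targets GCC High.

Added example for this appendix: not OIB code and not a Microsoft tool.
SOVEREIGN_MAP is an assumed mapping for illustration; verify every pair
against current Microsoft GCC High endpoint documentation before use.
"""
import copy
import json
import re

# Commercial -> GCC High substitutions (assumed; verify before use).
# More specific hosts come first so a shorter rule never half-rewrites them.
SOVEREIGN_MAP = [
    ("login.microsoftonline.com", "login.microsoftonline.us"),
    ("graph.microsoft.com", "graph.microsoft.us"),
    ("security.microsoft.com", "security.microsoft.us"),
    ("portal.azure.com", "portal.azure.us"),
    ("outlook.office365.com", "outlook.office365.us"),
    (".sharepoint.com", ".sharepoint.us"),
    (".onmicrosoft.com", ".onmicrosoft.us"),
    ("core.windows.net", "core.usgovcloudapi.net"),
]

# Any Microsoft commercial hostname left after rewriting needs a human decision.
COMMERCIAL_HOST = re.compile(
    r"\b[a-z0-9.-]*(?:microsoft|microsoftonline|office|office365|azure|sharepoint|onmicrosoft)\.com\b"
    r"|\b[a-z0-9.-]*\.windows\.net\b",
    re.IGNORECASE,
)

# Constructed sample in the shape of a settings catalog export. The setting
# definition IDs are illustrative placeholders, not verified Intune IDs.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.deviceManagementConfigurationPolicy",
    "name": "OIB - Edge - Startup (constructed sample)",
    "platforms": "windows10",
    "technologies": "mdm",
    "settings": [
        {"settingInstance": {
            "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~homepage",
            "simpleSettingValue": {"value": "https://security.microsoft.com"}}},
        {"settingInstance": {
            "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~startupurls",
            "simpleSettingCollectionValue": [
                {"value": "https://contoso.sharepoint.com/sites/cui"},
                {"value": "https://intune.microsoft.com"}]}},
    ],
}


def rewrite_value(text: str) -> str:
    """Apply every SOVEREIGN_MAP substitution to one string value."""
    for commercial, sovereign in SOVEREIGN_MAP:
        text = text.replace(commercial, sovereign)
    return text


def rewrite_policy(policy):
    """Return (rewritten_copy, changes). changes lists (json_path, old, new)
    for every string value touched. Only values are rewritten; keys such as
    settingDefinitionId are never modified. The input is left untouched."""
    changes = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                node[key] = walk(val, f"{path}.{key}")
            return node
        if isinstance(node, list):
            for i, val in enumerate(node):
                node[i] = walk(val, f"{path}[{i}]")
            return node
        if isinstance(node, str):
            new = rewrite_value(node)
            if new != node:
                changes.append((path, node, new))
            return new
        return node

    return walk(copy.deepcopy(policy), "$"), changes


def unresolved_endpoints(policy):
    """Sorted list of commercial hostnames still present anywhere in the policy."""
    found = {m.group(0).lower() for m in COMMERCIAL_HOST.finditer(json.dumps(policy))}
    return sorted(found)


def main():
    rewritten, changes = rewrite_policy(SAMPLE_POLICY)
    for path, old, new in changes:
        print(f"rewrote {path}: {old} -> {new}")
    leftover = unresolved_endpoints(rewritten)
    if leftover:
        print("review manually (not in SOVEREIGN_MAP):", ", ".join(leftover))
    print(json.dumps(rewritten, indent=2))  # sovereign copy ready for import


if __name__ == "__main__":
    main()
```

Run over a real OIB export, the change list doubles as the audit trail for the CMMC assessor, and a non-empty "review manually" list is the signal that the map is incomplete for that policy rather than that the policy is clean. In the constructed sample, intune.microsoft.com is deliberately absent from the map so the script shows that second outcome.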
