Appendix B — Intune Baseline Configurations
Open Intune Baseline policy exports for CMMC Level 2 compliance
Defender for Endpoint
Removable Media
Removable Media — USB device control via Intune Endpoint Security with Reusable Settings, plus SOC alerting via Defender for Endpoint
Exploit Protection
Exploit Protection — system-wide DEP, ASLR, SEHOP, and CFG enforcement plus user-override lockdown via the Intune Settings Catalog
Attack Surface Reduction
Defender Antivirus — AV Configuration
Defender Antivirus — AV Configuration settings catalog policy export
Windows Security Experience
BitLocker
Least Privilege (LAPS)
Windows LAPS Configuration — Layer 1 default (v3.1) manages the built-in Administrator account; (24H2+) v3.6 advanced variant uses Automatic Account Management with a custom managed admin
Windows Firewall — Firewall Configuration
Windows Firewall — Firewall Configuration settings catalog policy export
Windows Hello for Business
Audit and Event Logging
Audit and Event Logging settings catalog policy export
Local Security Policies
Local Security Policies — Layer 1 default (v3.0) keeps built-in Administrator enabled; (24H2+) v3.6 advanced variant disables it (must be paired with (24H2+) LAPS)
Login and Lock Screen
Login and Lock Screen + Power and Device Lock — session lock timeouts and lock screen behavior
Telemetry and Reporting
Compliance — Defender for Endpoint
Compliance — Defender for Endpoint compliance policy export
Compliance — Device Health
Compliance — Device Health compliance policy export
Compliance — Device Security
Compliance — Device Security compliance policy export
Compliance — Password
Compliance — Password compliance policy export