New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So let's take a quick peek at the process I went through in order to update my Security Baseline.

Security Baselines

The first thing I did was to create a brand new security baseline, based on the new version.

This is simply done by using + Create profile and following the creation process.

Comparing baselines

I’ve blogged about this before, right here: Comparing Security Baselines in Endpoint Manager using Powershell and Microsoft Graph API – imab.dk

To really confirm what has changed in the Security Baseline, I’m comparing the two. That is, comparing the brand new version with the security baseline I have assigned today.

As shown in the illustration below, I have:

  • An original: Security Baseline – Windows 10 – December 2020 – IT Department
  • A modified: Security Baseline – Windows 10 – November 2021 – Original

And sure enough, the output, which comes as a notepad.exe session, tells me that the new version has 1 additional setting, and that 1 setting is defenderAllowScanScriptsLoadedInInternetExplorer. Just as promised by Microsoft.

Next, I’m duplicating my current Security Baseline in order to update the duplicate to the new version.

  • I do this in order to make sure that a Security Baseline which is already assigned to my devices doesn’t have its settings changed unintentionally.

Update/change the version with the Change Version button:

Select the new version from November 2021 and keep your existing setting customizations:

Finally

Then I ran another compare between the Security Baseline used today and the new Duplicate one:

I do this to make sure that there are no other differences than the newly introduced setting: defenderAllowScanScriptsLoadedInInternetExplorer

This is confirmed from the notepad output as illustrated below:

The setting in question translates into the highlighted setting in the illustration below:
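
The second comparison described above, as an added example (not the author's script or its output): a PowerShell diff of two exported setting lists that flags anything other than the one expected new setting. The sample data is constructed, and the `definitionId`/`valueJson` property names and the `sampleSetting*` names are assumptions.

```powershell
# Constructed sample data: each entry stands in for one exported baseline setting.
# Property names (definitionId, valueJson) and the sampleSetting* names are assumptions.
$assigned = @(
    [pscustomobject]@{ definitionId = 'sampleSettingA'; valueJson = 'true' }
    [pscustomobject]@{ definitionId = 'sampleSettingB'; valueJson = '"customized"' }
)
$updated = @(
    [pscustomobject]@{ definitionId = 'sampleSettingA'; valueJson = 'true' }
    [pscustomobject]@{ definitionId = 'sampleSettingB'; valueJson = '"customized"' }
    [pscustomobject]@{ definitionId = 'defenderAllowScanScriptsLoadedInInternetExplorer'; valueJson = 'true' }
)

function Compare-BaselineSettings {
    param([object[]] $Reference, [object[]] $Difference)

    # Index both baselines by setting identifier.
    $ref = @{}; foreach ($s in $Reference)  { $ref[$s.definitionId] = $s.valueJson }
    $dif = @{}; foreach ($s in $Difference) { $dif[$s.definitionId] = $s.valueJson }

    # Walk the union of identifiers and classify each difference.
    foreach ($id in (@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        if     (-not $ref.ContainsKey($id)) { $state = 'Added' }
        elseif (-not $dif.ContainsKey($id)) { $state = 'Removed' }
        elseif ($ref[$id] -cne $dif[$id])   { $state = 'Changed' }
        else                                { continue }   # identical on both sides
        [pscustomobject]@{ Setting = $id; State = $state; Old = $ref[$id]; New = $dif[$id] }
    }
}

$expectedNew = 'defenderAllowScanScriptsLoadedInInternetExplorer'
$diff = @(Compare-BaselineSettings -Reference $assigned -Difference $updated)
$diff | Format-Table -AutoSize

# Anything besides the single expected addition means a customization was
# lost or altered during the version change and should be reviewed before assignment.
$unexpected = @($diff | Where-Object { $_.Setting -ne $expectedNew -or $_.State -ne 'Added' })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected differences: $($unexpected.Setting -join ', ')"
} else {
    Write-Output 'Only the expected new setting differs; customizations were preserved.'
}
```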

Assignments

At this stage, I renamed the newly duplicated and updated Security Baseline, and assigned it to my devices in place of the previous one.

ENJOY 🙂
