Get started with Intune policy baselines in Nerdio Manager

When transitioning to Intune endpoint management, defining a standardized and scalable device configuration strategy can be challenging. The extensive range of policy options can lead to inconsistent deployments, security gaps, and increased administrative overhead. Without a structured approach, enforcing security baselines, restricting end-user access, and ensuring uniform configurations across multiple customers becomes complex.

Nerdio Manager addresses these challenges with a curated library of pre-built Intune policies that you can import into Nerdio Manager and apply across your managed customer accounts. These resources enable you to implement standardized configurations efficiently, enforce security best practices, and streamline policy management across accounts.

With a global policy strategy, you can accelerate deployments, reduce management overhead, and ensure a consistent, secure device experience.

Workflow overview

This guide provides a framework for standardizing and optimizing Intune policy management with Nerdio Manager. Specifically, it outlines the following key phases:

Phase 1: Determine the policy set

The first step in defining a standardized and scalable device configuration strategy is to determine the initial set of policies to implement.

Intune policies are broken down into categories. The most common categories are:

  • Conditional Access: These policies control access to Office cloud services, endpoints, and apps managed by Microsoft Entra. They form the foundation of Microsoft’s Zero Trust model. For details, see Common ways to use Conditional Access with Intune.

  • Security baselines: These are predefined sets of policies specific to device types that configure fundamental security settings. For details, see Use security baselines to help secure Windows devices you manage with Microsoft Intune.

  • Compliance policies: These policies define the criteria for a device to be considered as compliant. Compliance status can also determine whether a user is allowed access to Office services (OneDrive, SharePoint), applications (Salesforce, HubSpot), or other resources managed by Microsoft Entra, such as Azure VPN or Global Secure Access. For details, see Use compliance policies to set rules for devices you manage with Intune.

  • Configuration profiles: These policies define device configurations, including UI/UX settings, feature restrictions, and system preferences. They are conceptually similar to legacy Group Policy Objects (GPOs) in traditional domain environments. For details, see Apply features and settings on your devices using device profiles in Microsoft Intune.

  • Update rings: These policies control the deployment schedule, frequency, and types of Windows updates applied to enrolled devices. For details, see Update rings for Windows 10 and later policy in Intune.

  • Mobile Application Management policies: These policies manage how applications behave on Windows, macOS, and mobile devices. While not all applications are supported, the list is continuously expanding. An example use case is preventing users from adding personal email accounts in Outlook. For details, see What is Microsoft Intune app management?.

  • Autopilot profiles: Intune automates new device onboarding and device refresh processes through Autopilot. These profiles define how a device is reset, reconfigured, and provisioned with required applications and policies before the first sign-in. Nerdio Manager supports both Autopilot v1 and v2. For details, see Configure Autopilot profiles.

  • Enrollment Status Page policies: During Autopilot deployment or device enrollment, these policies control what information is displayed to the end user while setup completes. This can include app installations, security policies, network connections, and other provisioning details. For details, see Set up the Enrollment Status Page.

  • Microsoft Defender for Endpoint policies: Microsoft Defender for Endpoint (EDR) is managed via Intune policies. These policies configure Defender’s behavior, including security settings, threat detection rules, and allow or deny lists. For details, see Protect data and devices with Microsoft Intune.

  • Microsoft Defender for Office 365 policies: Previously known as Office ATP, these policies manage built-in email security settings, including spam filtering and threat protection for Microsoft 365 services. For details, see Preset security policies in EOP and Microsoft Defender for Office 365.

For details about Intune policy management in Nerdio Manager, see Intune Policy: MSP-level General Management.

Phase 2: Implement policy baselines for standardization across accounts

Once you have defined an initial set of policies, the next step is to create variations tailored to specific compliance or operational requirements. For example, you may need policy sets that adhere to HIPAA, financial regulations, or CMMC while still maintaining your core standards.

Note: If needed, policies can be applied individually. However, using Policy Baselines in Nerdio Manager ensures consistency and efficiency across accounts.

Step 1: Configure a policy baseline in Nerdio Manager

To simplify deployment and ensure consistency across multiple accounts, policy baselines allow you to group related policies into predefined sets. This approach simplifies onboarding and lets you apply proven configurations, reducing manual setup time and minimizing errors.

Create a baseline in Nerdio Manager to include a collection of policies reflecting the desired configuration state. This baseline serves as a template for streamlined deployment across multiple customers.

Once the policy baseline is created, add the relevant Intune policies to that baseline, ensuring that all necessary security, compliance, and configuration settings are included.

To configure a policy baseline:

  1. In Nerdio Manager, at the MSP level, navigate to Policy management > Policy baselines.

  2. Create a policy baseline:

    1. Select Add Baseline.

    2. In the Create policy baseline dialog box, enter the following information:

      • Name: Enter the name of the policy baseline.

      • Description: Enter the description.

      • Tags: Enter or select the desired tag(s).

    3. Select Save.

  3. Assign policies to your baseline:

    1. On the Policy baselines page, locate the policy baseline you wish to work with.

    2. From the Assign action menu, select Edit policies.

    3. On the new page, select Add policies.

    4. In the Select Intune policies dialog box, select the desired policies, and then select Add.

    5. Review all the policies and select Apply and Close.

    6. When prompted, select Confirm.

Step 2: Assign accounts to your policy baseline

Once the policy baseline is created, and it includes a collection of policies reflecting your desired configuration state, you can assign accounts to it. This ensures that all customer accounts linked to the baseline inherit the same policy configuration automatically. Any modifications made to the policy baseline are applied to all assigned customer accounts, ensuring ongoing consistency without the need for manual updates across multiple accounts.

Note: In Nerdio Manager, you can clone an existing policy baseline to set up a different baseline for each of your customer verticals.

To assign accounts to a policy baseline:

  1. In Nerdio Manager, at the MSP level, navigate to Policy management > Policy baselines.

  2. Locate the policy baseline you wish to work with.

  3. From the action menu next to it, select Assign.

  4. Select Add assignments.

  5. In the Baseline assignments dialog box, enter the following information:

    • Select assignments: From the drop-down list, select the account(s).

    • Report-only: Select to evaluate policies in this baseline without immediately enforcing them on accounts.

      Note: Report-only assignment mode allows you to assess which policies are already applied, identify any missing configurations, and detect potential conflicts where policies share the same name but have different settings.

    • Add: Select to add the selected accounts to the existing assignment.

  6. Select Confirm.

  7. Review the accounts list and select Apply and Close.

  8. When prompted, select Confirm.

Step 3: Enforce your policy baseline

Once validated, enforce your policy baseline by setting its assignment mode to Enforced.

To enforce a policy baseline:

  1. In Nerdio Manager, at the MSP level, navigate to Policy management > Policy baselines.

  2. Next to the policy baseline whose mode you wish to set, select Assign > Add assignments.

  3. In the Baseline assignments dialog box:

    1. From the drop-down list, select the account to assign the baseline to.

    2. Select Enforced to enforce the policy baseline.

    3. Select Overwrite to replace the existing assignments with the new selection.

  4. Select Confirm.

  5. Select Apply and Close.

  6. When prompted, select Confirm.

For more details, see Intune: Policy Baselines.

Phase 3: Monitor and manage configuration drift in policy baselines

After deploying policy baselines, configuration settings may need adjustments due to operational changes or customer requirements.

Configuration drift can occur when a policy is modified directly in the Intune portal, either by an administrator, an MSP technician, or an end customer in a co-managed environment.

In Nerdio Manager, you can track and manage configuration drift.

Step 1: Analyze the policy baseline status

The Policy baseline status page in Nerdio Manager provides the following insights:

  • Real-time tracking of configuration drift, identifying discrepancies and providing remediation options. This allows you to monitor when an Intune policy within a baseline deviates from its intended settings and take corrective action.

  • Verification of policy application, ensuring that a policy has not only changed but is also still applied to the intended group of users or devices. This helps maintain accurate policy enforcement and prevents misconfigurations that could lead to security or operational issues.
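The two checks described above can be reproduced offline. The following Python script is an added example, not Nerdio Manager's own code: it compares the baseline copy of a policy (in the settings-catalog JSON shape shown later in this article) against the copy currently in a customer's tenant, keyed by settingDefinitionId, and verifies that the policy is still assigned to the intended group. The policy values, the group ID and the `constructed_extra_setting` ID are constructed sample data.

```python
import json

# Constructed sample data: the policy as stored in the baseline, and the same policy as it now
# exists in one customer's Intune tenant after someone edited it in the portal. Assignments use
# the Graph groupAssignmentTarget shape; the group ID is a placeholder.
BASELINE_POLICY = {
    "name": "Desktop wallpaper",
    "settings": [
        {"id": "0", "settingInstance": {
            "settingDefinitionId": "vendor_msft_personalization_desktopimageurl",
            "simpleSettingValue": {"value": "https://contoso.example/wallpaper.jpg"}}},
        {"id": "1", "settingInstance": {
            "settingDefinitionId": "vendor_msft_personalization_lockscreenimageurl",
            "simpleSettingValue": {"value": "https://contoso.example/lock.jpg"}}},
    ],
    "assignments": [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                                "groupId": "00000000-0000-0000-0000-00000000aaaa"}}],
}
TENANT_POLICY = {
    "name": "Desktop wallpaper",
    "settings": [
        {"id": "0", "settingInstance": {  # value changed directly in the portal
            "settingDefinitionId": "vendor_msft_personalization_desktopimageurl",
            "simpleSettingValue": {"value": "https://example.invalid/edited-in-portal.jpg"}}},
        {"id": "1", "settingInstance": {  # setting added that the baseline does not define
            "settingDefinitionId": "constructed_extra_setting",
            "simpleSettingValue": {"value": "1"}}},
    ],
    "assignments": [],  # policy was unassigned in the portal
}


def setting_values(policy):
    """Flatten a settings-catalog policy to {settingDefinitionId: value}."""
    values = {}
    for item in policy.get("settings", []):
        inst = item["settingInstance"]
        values[inst["settingDefinitionId"]] = inst["simpleSettingValue"]["value"]
    return values


def detect_drift(baseline, tenant):
    """Compare the baseline copy against the live tenant copy, setting by setting."""
    base, live = setting_values(baseline), setting_values(tenant)
    return {
        "changed": {k: (base[k], live[k]) for k in base if k in live and live[k] != base[k]},
        "missing": {k: base[k] for k in base if k not in live},
        "extra": {k: live[k] for k in live if k not in base},
    }


def assigned_groups(policy):
    return {a["target"]["groupId"] for a in policy.get("assignments", [])
            if a["target"].get("@odata.type") == "#microsoft.graph.groupAssignmentTarget"}


def lost_assignments(baseline, tenant):
    """Groups the baseline expects the policy to target but the tenant copy no longer does."""
    return sorted(assigned_groups(baseline) - assigned_groups(tenant))


def baseline_status(baseline, tenant):
    """One status record per policy: drift by category plus any lost group assignments."""
    drift = detect_drift(baseline, tenant)
    lost = lost_assignments(baseline, tenant)
    in_sync = not any(drift.values()) and not lost
    return {"policy": baseline["name"], "in_sync": in_sync,
            "drift": drift, "lost_assignments": lost}


if __name__ == "__main__":
    print(json.dumps(baseline_status(BASELINE_POLICY, TENANT_POLICY), indent=2))
```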

To view the policy baseline status:

  1. In Nerdio Manager, at the MSP level, navigate to Policy management > Policy baselines.

  2. Locate the policy baseline whose status you wish to view.

  3. From the action menu next to it, select Status.

  4. On the Status page, view the policy baseline status.

To verify policy deployment details:

  • On the Status page, select the arrow next to the customer name to expand it, and analyze the policy deployment details for that customer.

Step 2: Handle configuration drift

Configuration drift can be intentional or unintentional. When drift is detected, consider the following options depending on its nature:

  • If intentional: Accept the drift for 30, 60, 90 days, or indefinitely, and add notes for tracking purposes.

  • If unintentional: Reapply the original policy to restore compliance with the enforced policy baseline.

For details about how to manage configuration drift, see Intune Policy: MSP-level Advanced Management.

Phase 4: Optimize your policy baseline strategy

A well-structured policy baseline strategy ensures efficient policy management, consistency across customer environments, and simplified updates. By centralizing policy maintenance and leveraging variables for customization, you can enhance control while reducing manual effort.

Optimizing your policy baseline strategy includes the following steps:

Step 1: Centralize policy management and updates

IT policies are not static. Industry best practices, security requirements, and compliance standards evolve over time. Additionally, Microsoft regularly introduces new Intune capabilities, requiring you to reassess and refine your policy configurations.

Maintaining a centralized repository for policy management is critical to ensuring consistency, version control, and streamlined updates. Import policies from Intune to Nerdio Manager to ensure centralized policy maintenance and updates.

Specifically, Nerdio Manager provides the following key capabilities:

  • Robust version control: Every time a policy is updated or modified, Nerdio Manager tracks changes, retains previous versions, and enables rollbacks if needed.

  • Automated backups: Policies are backed up daily to ensure historical records are preserved.

  • Drift detection: If an imported policy differs from the latest version in Intune, Nerdio Manager alerts you and provides the option to update or re-import the policy JSON. This minimizes risks associated with policy drift or misconfigurations.

    Every previous version and its change log are retained, so you can roll back to an earlier version or restore it if a mistake is made.

  • Independent policy storage: Unlike other solutions that rely on a single staging tenant, Nerdio Manager stores policies independently, ensuring continuity and reliability across multiple customer environments.

A centralized approach prevents policy fragmentation across multiple accounts, ensuring that policies are not created or modified inconsistently between your MSP instance and customer accounts.

For details about importing policies to Nerdio Manager, see Intune Policy: MSP-level Advanced Management.

Step 2: Enhance policy configuration with variables

Each Intune policy is essentially defined by a JSON structure, which describes the settings to be applied to the endpoint. While the Intune portal offers an interface for creating and managing these policies, the underlying framework is built on JSON, which is delivered to endpoints where the device interprets and applies the changes locally.

Nerdio Manager provides an enhancement to Intune policy management through the use of variables in the JSON definition. This enables more dynamic and scalable policy deployment, particularly when policies need to be applied across multiple customers with slight variations.

By defining variables, you can dynamically adjust settings for different customers while maintaining a single, standardized policy. Specifically, variables can be used in various Intune and conditional access policies to enhance flexibility, including:

  • Named location definitions in conditional access policies

  • Tenant IDs in configuration profiles

  • SharePoint library IDs for access policies

  • Wi-Fi SSIDs for network configurations

By incorporating variables into policies, you can reduce redundancy, streamline policy deployment, and enhance manageability. While implementing variables requires some initial setup, this approach significantly improves scalability as an organization’s Modern Work strategy evolves.

For details, see:

Example: Dynamic wallpaper URL using variables:

Consider a scenario where you create a policy to set a Windows Desktop or Lock Screen wallpaper with a company logo. If this policy is imported into Nerdio Manager and assigned to multiple customers, each customer would receive the same URL for the wallpaper, leading to issues where the URL is not customer-specific. To resolve this, Nerdio Manager allows you to replace hard-coded values with variables that can be dynamically inherited based on the target customer.

Here’s an example of how the wallpaper URL is defined in JSON.

  "settings": [
    {
      "id": "0",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
        "settingDefinitionId": "vendor_msft_personalization_desktopimageurl",
        "settingInstanceTemplateReference": null,
        "simpleSettingValue": {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
          "settingValueTemplateReference": null,
          "value": "https://msdesign.blob.core.windows.net/wallpapers/Microsoft_Nostalic_Clippy_4k.jpg"
        }
      }
    }
  ]

In the above example, the wallpaper URL is hardcoded. However, when using variables in Nerdio Manager, this URL can be replaced with a dynamic variable, allowing the policy to be customized for each customer. Below is the modified example where the wallpaper URL is dynamically set using Nerdio Manager's Inherited Variable:

  "settings": [
    {
      "id": "0",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
        "settingDefinitionId": "vendor_msft_personalization_desktopimageurl",
        "settingInstanceTemplateReference": null,
        "simpleSettingValue": {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
          "settingValueTemplateReference": null,
          "value": "{$InheritedVars.wallpaperurl}"
        }
      }
    }
  ]

In this version, the {$InheritedVars.wallpaperurl} variable dynamically resolves to a unique value for each customer, ensuring that each customer receives a personalized wallpaper URL while using the same policy. This approach significantly improves scalability and efficiency when managing policies across multiple customers.
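As an added example (not Nerdio Manager's own substitution engine), the following Python script resolves {$InheritedVars.<name>} placeholders in the policy JSON above for each customer, lists the variables a customer still needs to define before the baseline is assigned, and fails closed when a referenced variable has no value. The customer names and URLs are constructed.

```python
import re

# Placeholder syntax from the article: {$InheritedVars.<name>}
VAR_PATTERN = re.compile(r"\{\$InheritedVars\.([A-Za-z0-9_]+)\}")

# The article's wallpaper setting with the hard-coded URL replaced by a variable.
POLICY_TEMPLATE = {
    "settings": [{
        "id": "0",
        "settingInstance": {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
            "settingDefinitionId": "vendor_msft_personalization_desktopimageurl",
            "settingInstanceTemplateReference": None,
            "simpleSettingValue": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
                "settingValueTemplateReference": None,
                "value": "{$InheritedVars.wallpaperurl}",
            },
        },
    }]
}

# Constructed per-customer variable sets (hypothetical customers and URLs).
CUSTOMER_VARS = {
    "contoso": {"wallpaperurl": "https://contoso.example/branding/wallpaper.jpg"},
    "fabrikam": {"wallpaperurl": "https://fabrikam.example/branding/wallpaper.jpg"},
    "northwind": {},  # this customer never defined the variable
}


class UnresolvedVariable(ValueError):
    """Raised instead of shipping a literal '{$InheritedVars...}' string to an endpoint."""


def find_variables(obj):
    """Return the set of variable names referenced anywhere in a policy JSON document."""
    if isinstance(obj, str):
        return set(VAR_PATTERN.findall(obj))
    if isinstance(obj, dict):
        return set().union(*(find_variables(v) for v in obj.values()))
    if isinstance(obj, list):
        return set().union(*(find_variables(v) for v in obj))
    return set()


def resolve(obj, variables):
    """Recursively substitute placeholders, raising if a referenced variable is undefined."""
    if isinstance(obj, str):
        def substitute(match):
            name = match.group(1)
            if name not in variables:
                raise UnresolvedVariable(name)
            return variables[name]
        return VAR_PATTERN.sub(substitute, obj)
    if isinstance(obj, dict):
        return {k: resolve(v, variables) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, variables) for v in obj]
    return obj


def missing_variables(template, customer):
    """Pre-flight check before assigning a baseline: variables the customer has not defined."""
    return sorted(find_variables(template) - CUSTOMER_VARS[customer].keys())


def render_for_customer(template, customer):
    """Produce the customer-specific policy JSON from the single shared template."""
    return resolve(template, CUSTOMER_VARS[customer])


def wallpaper_url(policy):
    return policy["settings"][0]["settingInstance"]["simpleSettingValue"]["value"]
```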

Step 3: Apply policies using group templates

Once policies are defined, you can streamline their deployment across multiple customers through Nerdio Manager’s policy assignment capabilities.

In Nerdio Manager, you can assign policies individually to customers or deploy them as part of a policy baseline, as discussed in Phase 2: Implement policy baselines for standardization across accounts, with an option for Nerdio Manager to validate whether the policy applies to a user group or device group.

With the Group Templates feature in Nerdio Manager, you can also define a default set of Microsoft 365 security groups that can be consistently applied across all managed customers. Administrators have full control over group names and can leverage variables for dynamic naming conventions.

Nerdio Manager supports three types of group templates:

  • Standard groups: These groups maintain a consistent structure across all customers for various use cases. Each customer inherits the same predefined groups, with variable-based naming support.

    Example: A security group named Lloyd Accountants PIM Group can be dynamically generated per customer.

  • Dynamic / assigned user groups: These groups automatically add users based on static assignments or dynamic rules that evaluate user attributes in Entra ID.

    Example: The Los Angeles user group automatically includes users whose city attribute is set to Los Angeles.

  • Dynamic / assigned device groups: These groups function similarly to user groups but apply to devices. Devices can be assigned statically or dynamically based on attributes.

    Example: The AVD devices group automatically includes devices with a display name attribute of AVD.

When assigning a policy, Nerdio Manager can automatically create a dynamic group based on a group template within the customer's tenant. The dynamic group then auto-populates members based on defined rules and immediately assigns the policy or an entire policy baseline to the group.

You can use variables to dynamically name these groups based on policy assignments. This enhances organization, simplifies policy deployment, and provides greater control over policy management.

For details, see Overview of Group Templates.

Step 4: Implement account-level policy backups

IT environments are prone to accidental changes and misconfigurations. While Microsoft does not provide built-in backup and restore capabilities for Intune policies, Nerdio Manager offers automated policy backup and restoration at the customer account level.

Consider the following backup features Nerdio Manager provides:

  • Daily automated backups: Nerdio Manager automatically backs up all policies once per day, retaining them for 30 days.

  • Manual point-in-time backups: You can trigger a manual backup at any time.

  • Comprehensive policy coverage: Nerdio Manager backs up policies even if they are not actively managed through Nerdio Manager, ensuring all customer-level policies and assignments are protected.

  • Variable support: If policies include Nerdio Manager variables, these are also backed up and retained.

For details, see Overview of Intune Policies Recovery Services.

Step 5: Enhance security with Nerdio Manager and the Center for Internet Security (CIS)

Nerdio Manager has established an exclusive agreement with the Center for Internet Security (CIS), a globally recognized non-profit organization dedicated to improving cybersecurity. CIS is best known for:

  • CIS controls: A set of best practices for strengthening cybersecurity defenses.

  • CIS benchmarks: Industry-standard security configurations for over 25 product categories, including Windows 10, Windows 11, and Windows Server.

By using Nerdio Manager’s CIS-certified security baselines, you can efficiently deploy Intune security policies across multiple customers while ensuring alignment with industry best practices. This approach significantly reduces the complexity of security management and provides a scalable, compliant solution for modern IT environments.

Consider the following recommendations:

  • Align Intune security policies with CIS benchmarks: A default Windows 11 installation is only 24% compliant with CIS Benchmarks. Many regulatory frameworks, such as NIST, ISO, HIPAA, and PCI, align with CIS standards. To simplify implementation, CIS provides the CIS Critical Security Controls Navigator, an interactive tool that maps CIS controls to various compliance requirements.

    Nerdio is the only MSP solution provider authorized to distribute CIS Security Baselines for Windows 11 endpoints at no cost. This allows MSPs to implement industry-leading security policies with minimal effort.

    CIS-certified Intune security baselines cover 13 key categories:

    • CIS (L1) Admin Templates - System (Windows 10/11)

    • CIS (L1) Admin Templates - Windows Components (Windows 10/11)

    • CIS (L1) Auditing (Windows 10/11)

    • CIS (L1) Defender (Windows 10/11)

    • CIS (L1) Device and Lock & Windows Hello for Business (Windows 10/11)

    • CIS (L1) Firewall (Windows 10/11)

    • CIS (L1) Local Policies Security Options (Windows 10/11)

    • CIS (L1) Section 1 – 3.9.1.1 (Windows 10/11)

    • CIS (L1) Section 22 – 80 (Windows 10/11)

    • CIS (L1) System Services (Windows 10/11)

    • CIS (L1) User Rights (Windows 10/11)

    • CIS (L1) Windows Update (Windows 10/11)

    • CIS (L1) Virtualization-Based Technology (Windows 10/11)

  • Simplify security policy implementation: Manually implementing CIS Benchmarks requires referencing a 1,300+ page PDF guide that details each setting and its rationale. Nerdio Manager eliminates this complexity by providing pre-built CIS Level 1 policy baselines that can be applied to customer environments in just a few clicks.

  • Use CIS-CAT compliance reporting: To verify compliance, Nerdio provides CIS-CAT reports upon request. This tool scans endpoints after CIS policies have been applied, generating a detailed compliance report that:

    • Identifies aligned settings and non-compliant configurations.

    • Confirms that hardened endpoints achieve ~97% compliance with CIS Benchmarks.

    • Provides documented evidence of compliance with regulatory requirements.

    For details, see Enable CIS Hardened Images.

Summary

Nerdio Manager streamlines Intune policy management by enabling you to create scalable, automated, and adaptable policy frameworks and apply them across multiple customer accounts. Specifically:

  • By leveraging variables, a single policy baseline can dynamically adjust per account, reducing manual effort while maintaining consistency.

  • Group templates automate the creation of standardized Microsoft 365 security groups, ensuring policies are assigned efficiently and dynamically updated based on user or device attributes.

  • Automated policy backups provide a safety net, allowing for quick restoration in case of accidental changes.

  • Additionally, CIS-certified security baselines offer a one-click solution to align endpoints with industry best practices, ensuring compliance without the need for manual configuration.

Your optimized policy baseline strategy significantly reduces administrative overhead, enhances security, and improves policy enforcement at scale.
