What Microsoft 365 solution baseline settings are recommended?

This article outlines the recommended settings for Microsoft 365 solution baselines, helping you align with best practices while optimizing user experience, performance, and security. Adjust these settings as needed to meet your organization's requirements and compliance needs.

Important!

  • These recommendations follow Microsoft's best practices and Nerdio’s expertise from years of experience. Before implementing these changes, consult with your Security and Operations teams.

  • Before configuring your solution baseline, we recommend cloning it to ensure a fresh starting point. For details, see Solution Baselines: MSP-level Management.

Defender for Endpoint: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

Prerequisites

Name and Description

  • Solution Baseline for Defender for Endpoint: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

License validation

  • Set to Report only.

    Justification: This setting is report-only because there is no enforcement action.

Permissions

  • Set to Report only.

    Justification: This setting is report-only because there is no enforcement action. It verifies if the correct API permissions are applied.

Nerdio Manager for MSP

  • Enable Defender for Endpoint: Select and set to Report only.

    Justification: When enabled, this setting automatically enables Defender for Endpoint at the customer-account level.

Integrations

Intune

  • Allow Defender to manage endpoint security configurations: Select and set to Enforce.

    Justification: Without this setting, Defender can't enforce security policies directly.

  • Enable device diagnostics: Select and set to Enforce.

    Justification: Prevents troubleshooting limitations, enhances threat visibility, and supports effective remote assistance.

Entra – Conditional Access

  • Let Defender evaluate device risk:

    • Select all options - Windows, iOS, and Android.

    • Set to Enforce.

    Justification: Enabling Defender for Endpoint to evaluate device risk enhances security by integrating real-time risk assessments into Entra Conditional Access policies. This ensures that access to corporate resources is dynamically controlled based on a device's security posture.

Device Onboarding

Device Onboarding

  • Device onboarding profile for Intune managed devices: Coming soon. Follow the Release Notes page for updates.

Baseline Endpoint Security Policies

  • Policy Baseline: Select either Nerdio’s default Policy baseline for Defender for Endpoint or Custom.

    Justification: The default option is ideal for partners without existing Defender for Endpoint policies. However, as you expand your Modern Work offerings, you might want to create a custom policy baseline instead. For details, see Intune: Policy Baselines.

  • Assignment: Select All devices, or select Custom (manually assign the configuration profile) if you want to choose which devices the policies are assigned to for individual customers.

    Justification: Typically, you want your endpoint security policies to apply to all devices. However, select Custom if you need to make exceptions.

Notifications

Notifications

  • Service notifications: Coming soon. Follow the Release Notes page for updates.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude mode details for each configuration tab.

Options

  • Process the recommended Solution Baselines for Defender for Endpoint after saving: If selected, this option immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this option removes from the solution baseline any policies that were previously assigned.

Entra ID: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

General

Name and Description

  • Solution Baseline for Entra ID: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

M365 Org Settings

  • Let group owners add people outside the organization to Microsoft 365 Groups as guests: Deselect and set to Exclude.

    Justification: Allowing external guests can introduce security and compliance risks, such as potential data leaks and unauthorized access. It's advisable to exclude this setting, unless there is a clear business need.

  • Let guest group members access group content: Deselect and set to Exclude.

    Justification: It is generally advisable to restrict guest access by default and enable it only when necessary, applying security controls to minimize data exposure.

Identity

Users

  • Users can register applications: Deselect and set to Exclude.

    Justification: Preventing all users from registering applications helps mitigate security risks, such as unauthorized third-party app integrations that could access organizational data.

  • Restrict non-admin users from creating tenants: Select and set to Enforce.

    Justification: This prevents users from unintentionally or maliciously creating separate tenants, which could lead to data fragmentation, compliance issues, or shadow IT risks.

  • Users can create security groups: Deselect and set to Exclude.

    Justification: This ensures IT control over group management.

Groups

  • Users can create Microsoft 365 groups in Azure portals, API, or PowerShell: Deselect and set to Exclude.

    Justification: This prevents uncontrolled group sprawl, reducing administrative overhead.

External Identities

  • Guest invite restrictions: Select Member users and users assigned to specific admin roles can invite guest users including guests with member permissions.

    Justification: This prevents uncontrolled external access and security risks.

Enterprise Apps

  • User consent for applications: Select Do not allow user consent. An administrator will be required for all apps.

    Justification: Prevents unauthorized app access and data leaks.

  • Users can request admin consent to apps they are unable to consent to: Select this option.

  • Set to Report-only.

    Justification: This allows controlled access to apps while preventing users from granting excessive permissions.

Auth & Passwords

Registration Campaign

  • Registration Campaign State:

    • Select Enabled.

    • Set to Enforce.

    Justification: This encourages users to register for security features like MFA and Self-Service Password Reset (SSPR).

  • Days allowed to snooze:

    • Set to 3.

    • Set to Enforce.

    Justification: This balances security and user convenience by giving users a short grace period.

  • Limited number of snoozes: Select and set to Enforce.

    Justification: This prevents indefinite postponement of security registration and forces compliance within a reasonable timeframe.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude mode details for each configuration tab.

Options

  • Process the recommended Solution Baseline for Entra ID after saving: If selected, this option immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this option removes from the solution baseline any policies that were previously assigned.

Exchange Online: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

Prerequisites

Name and Description

  • Solution Baseline for Exchange Online: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

Licenses

  • Check for license: Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action.

Permissions

  • Application context: Set to Report-only.

    Justification: This setting verifies if the correct API permissions are applied. It is report-only because there is no enforcement action.

Organization

Default domain

  • SPF: Select and set to Report-only.

  • DKIM: Select and set to Report-only.

  • DMARC: Select and set to Report-only.

    Justification: Enabling these options prevents spoofing, phishing, and email forgery.

  • This accepted domain is: Select Authoritative.

    Justification: This ensures that Exchange Online is the primary mail host for your domain.

  • Allow mail to be sent from this domain: Select and set to Enforce.

    Justification: This ensures outgoing emails are properly routed.

Authentication

  • Modern Authentication: Select and set to Enforce.

    Justification: This disables legacy authentication to reduce the attack surface.

Add-ins

  • Ensure users installing Outlook add-ins is not allowed: Select and set to Enforce.

    Justification: This prevents installation of malicious add-ins.

Mail flow settings

General

  • Turn off plus addressing for the organization: Select and set to Enforce.

    Justification: This prevents users from creating unlimited email variations (for example, user+randomtext@domain.com), reducing security risks and mail filtering issues.

  • Turn on sending from alias: Deselect and set to Exclude.

    Justification: Prevents users from sending email from alternate or secondary email addresses.

Security

  • Turn off SMTP AUTH protocol for the organization: Select and set to Enforce.

    Justification: SMTP AUTH is insecure and often exploited by attackers for phishing and credential stuffing.

  • Turn on use of legacy TLS clients: Deselect and set to Exclude.

    Justification: Legacy TLS is insecure and frequently targeted by attackers. Enable legacy TLS only if absolutely necessary, and implement a phased approach to migrate older clients to more secure protocols.

Reply-all storm protection

  • Enable reply-all storm protection: Select this option.

    • Minimum number of recipients: Set to 1000.

    • Minimum number of reply-alls: Set to 8.

    • Block duration: Set to 10 (hours).

    • Set to Enforce.

    Justification: These settings prevent excessive reply-all responses that can create email storms or loops.

Message Recall

  • Enable cloud-based message recall: Deselect and set to Exclude.

    Justification: This prevents reliance on an ineffective recall feature, potential security risks, and auditing challenges.

  • Allow users to recall messages read by the recipient: Deselect and set to Exclude.

    Justification: This prevents compromise of audit trails and violations of compliance policies (for example, legal holds, eDiscovery) by recalling read messages.

  • Enable recall alerts for recipients:

    • Select Disabled.

    • Set to Exclude.

    Justification: This prevents drawing attention to potentially sensitive information by notifying recipients when a recall attempt fails.

Mailbox settings

Security

  • External warning in Outlook: Select and set to Enforce.

    Justification: This warns users about external emails to help prevent phishing attacks.

  • Ensure MailTips are enabled for end users: Select and set to Enforce.

    Justification: This provides real-time email guidance.

  • Enable mailbox auditing: Select and set to Enforce.

    Justification: This tracks email access and actions for compliance.

  • Additional storage providers in OWA: Deselect and set to Exclude.

    Justification: Prevents users from storing emails in untrusted locations.

Retention

  • Default retention for deleted items:

    • Set to 30 (days).

    • Set to Enforce.

    Justification: This ensures emails are retained for a specified period for compliance.

  • Auto-expanding archives: Select and set to Enforce.

    Justification: This provides additional mailbox storage for compliance users.

Sharing

  • Calendar sharing level: Select Calendar free/busy information with time only.

    Justification: This controls who can view or edit calendars.

  • External calendar sharing: Select Sharing with a specific domain.

    Justification: Unless your organization requires open collaboration with external domains, it is best to take a more restrictive approach.

  • Set to Enforce.

User preferences

  • Focused Inbox: Select and set to Enforce.

    Justification: This improves email organization.

Exchange Online Protection (EOP)

Anti-malware

  • Common attachments filter (only for the default policy): Select and set to Report-only.

    Justification: This blocks dangerous file types, such as .exe or .vbs.

  • Notifications for internal users sending malware (only for the default policy): Select and set to Report-only.

    Justification: This alerts internal senders if their email contains malware.

Anti-spam

  • Notifications have been set for Exchange Online Spam Policies: Select and set to Report-only.

    Justification: This ensures users are informed about quarantined messages.

Anti-phishing

  • Anti-phishing policy has been created: Select and set to Report-only.

    Justification: This protects against impersonation attacks and spoofing.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude mode details for each configuration tab.

Options

  • Process the recommended Solution Baseline for Exchange Online after saving: If selected, this option immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this option removes from the solution baseline any policies that were previously assigned.
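
To confirm independently that the Exchange Online mail flow and mailbox settings recommended above hold in a tenant, the following added example (not part of the original article and not Nerdio code) compares organization properties with this page's values. The function name Test-ExoBaseline and the mapping from setting labels to Exchange Online property names are assumptions of the example, and the sample objects are constructed so it runs without a tenant.

```powershell
# Added example, not Nerdio code. Compares Exchange Online organization settings
# with the values recommended in the Exchange Online section of this page.
# Assumption: the label-to-property mapping below is this example's own; confirm it
# against your tenant's Get-OrganizationConfig / Get-TransportConfig output.

function Test-ExoBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $OrgConfig,        # output of Get-OrganizationConfig
        [Parameter(Mandatory)] $TransportConfig   # output of Get-TransportConfig
    )

    # Source: which object holds the property. Want: value implied by the page.
    $expected = @(
        @{ Source = 'Transport'; Property = 'SmtpClientAuthenticationDisabled';        Want = $true;  Setting = 'Turn off SMTP AUTH protocol for the organization' }
        @{ Source = 'Transport'; Property = 'AllowLegacyTLSClients';                   Want = $false; Setting = 'Turn on use of legacy TLS clients' }
        @{ Source = 'Org';       Property = 'OAuth2ClientProfileEnabled';              Want = $true;  Setting = 'Modern Authentication' }
        @{ Source = 'Org';       Property = 'DisablePlusAddressInRecipients';          Want = $true;  Setting = 'Turn off plus addressing for the organization' }
        @{ Source = 'Org';       Property = 'SendFromAliasEnabled';                    Want = $false; Setting = 'Turn on sending from alias' }
        @{ Source = 'Org';       Property = 'ReplyAllStormProtectionEnabled';          Want = $true;  Setting = 'Enable reply-all storm protection' }
        @{ Source = 'Org';       Property = 'ReplyAllStormDetectionMinimumRecipients'; Want = 1000;   Setting = 'Minimum number of recipients' }
        @{ Source = 'Org';       Property = 'ReplyAllStormDetectionMinimumReplies';    Want = 8;      Setting = 'Minimum number of reply-alls' }
        @{ Source = 'Org';       Property = 'ReplyAllStormBlockDurationHours';         Want = 10;     Setting = 'Block duration' }
        @{ Source = 'Org';       Property = 'MessageRecallEnabled';                    Want = $false; Setting = 'Enable cloud-based message recall' }
        @{ Source = 'Org';       Property = 'RecallReadMessagesEnabled';               Want = $false; Setting = 'Allow users to recall messages read by the recipient' }
        @{ Source = 'Org';       Property = 'MailTipsAllTipsEnabled';                  Want = $true;  Setting = 'Ensure MailTips are enabled for end users' }
        @{ Source = 'Org';       Property = 'AuditDisabled';                           Want = $false; Setting = 'Enable mailbox auditing' }
    )

    foreach ($rule in $expected) {
        $obj  = if ($rule.Source -eq 'Transport') { $TransportConfig } else { $OrgConfig }
        $prop = $obj.PSObject.Properties[$rule.Property]

        # A missing property is reported as Unknown rather than treated as a pass,
        # so a renamed or unavailable property never hides drift.
        if ($null -eq $prop) {
            $status = 'Unknown'; $actual = $null
        } elseif ($prop.Value -eq $rule.Want) {
            $status = 'Match';   $actual = $prop.Value
        } else {
            $status = 'Drift';   $actual = $prop.Value
        }

        [pscustomobject]@{
            Setting  = $rule.Setting
            Property = $rule.Property
            Expected = $rule.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

# Constructed sample data standing in for a tenant (not real output).
$sampleOrg = [pscustomobject]@{
    OAuth2ClientProfileEnabled              = $true
    DisablePlusAddressInRecipients          = $true
    SendFromAliasEnabled                    = $true    # differs from the baseline
    ReplyAllStormProtectionEnabled          = $true
    ReplyAllStormDetectionMinimumRecipients = 1000
    ReplyAllStormDetectionMinimumReplies    = 10       # differs from the baseline
    ReplyAllStormBlockDurationHours         = 10
    MessageRecallEnabled                    = $false
    RecallReadMessagesEnabled               = $false
    MailTipsAllTipsEnabled                  = $true
    AuditDisabled                           = $false
}
$sampleTransport = [pscustomobject]@{
    SmtpClientAuthenticationDisabled = $false          # differs from the baseline
    # AllowLegacyTLSClients is omitted on purpose to show the Unknown status
}

Test-ExoBaseline -OrgConfig $sampleOrg -TransportConfig $sampleTransport |
    Where-Object Status -ne 'Match' |
    Format-Table -AutoSize

# Against a live tenant (requires the ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Test-ExoBaseline -OrgConfig (Get-OrganizationConfig) -TransportConfig (Get-TransportConfig)
```

Rows with the Unknown status mean the property was not present on the object, which calls for checking the mapping rather than assuming compliance.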

Intune: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

Intune

Name and Description

  • Solution Baseline for Intune: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

Nerdio Manager for MSP

  • Set to Report-only.

    Justification: Set to Report-only mode unless you want to automatically enable Modern Work management for all your customers.

    The Enforce option automatically enables Modern Work management for all accounts that are assigned this solution baseline.

General Enrollment

Entra

  • Specify which users and groups can join devices to Microsoft Entra:

    • Select All.

    • Set to Enforce.

    Justification: All users can join their devices to Entra ID in an Autopilot environment.

  • Require MFA to join devices to Entra: Select and set to Enforce.

    Justification: Enforcing this setting requires MFA when joining devices to Entra ID. Without MFA, there’s a risk that unauthorized users could join devices without verifying their identity, potentially exposing your environment to security threats.

Intune device limit

  • Specify the number of devices a user can enroll: Select this option.

    • Device limit: Set to 5.

    • Set to Enforce.

    Justification: Prevents a user from joining too many devices to an Entra domain without approval.

  • Remove additional custom restrictions: Select and set to Enforce.

    Justification: Prevents other customizations from causing conflicts.

Device clean-up rules

  • Delete devices based on last check-in date: Select this option.

    • Set to 90 days.

    • Set to Enforce.

    Justification: Automatically cleans up devices that haven’t checked in for 90 days.

    Note: If an exception is needed, adjust the number of days to align with the customer’s policy.

Device compliancy

  • Mark devices non-compliant if no compliance policy is assigned: Select this option.

    • Set to 7 days.

    • Set to Enforce.

    Justification: Automatically marks a device as non-compliant and subjects it to additional security restrictions until it is up to date.

Enrollment restrictions

Android Enterprise (work profile)

  • Platform: Select Allow.

  • Allow min/max versions: Leave blank.

  • Personally owned: Select Allow.

  • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

iOS / iPadOS

  • Platform: Select Allow.

  • Allow min/max versions: Leave blank.

  • Personally owned: Select Allow.

  • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

macOS

  • Platform: Select Allow.

  • Personally owned: Select Allow.

  • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

Windows (MDM)

  • Platform: Select Allow.

  • Allow min/max versions: Leave blank.

  • Personally owned: Select Allow.

  • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

Remove existing enrollment restrictions

  • Select and set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

Windows

Automatic Enrollment

  • Select All.

  • Set to Enforce.

    Justification: Eliminates the need to manually configure devices for Intune management.

Autopilot Enrollment

  • Assignment: Select Custom.

  • Set to Report-only.

    Justification: Until you configure your Autopilot profiles, keeping this setting in Report-only mode prevents users from encountering unexpected screens during the out-of-box experience with a new computer. The Custom option allows targeting devices more selectively. For example, you can specify a testing group during deployment instead of applying it to all devices.

Enrollment Status Page

  • Select and set to Report-only.

    Justification: Similar to Autopilot profiles, if your Enrollment Status Page (ESP) isn't configured yet, keeping this setting in Report-only mode prevents users from encountering unexpected screens during the out-of-box experience with a new computer.

Local Administrator Password Solution (LAPS)

  • Enable LAPS for Entra ID joined devices: Select and set to Enforce.

    Justification: LAPS is a way to securely rotate the local admin password on your Entra ID-joined devices. For details, see What is Windows LAPS?.

  • Deploy a Configuration Profile for enabling Intune-managed endpoints to store the built-in local admin password in Entra ID:

    • Select All Devices.

    • Set to Enforce.

    Justification: Unless you have another method for enabling LAPS on customer devices, this is a reliable way to securely store the local admin password in Entra ID.

Windows Update for Business Reports

  • Enable WUfB Reports: Select and set to Enforce.

    Justification: If the customer has an Azure subscription, Windows Update for Business (WUfB) Reporting is a reliable way to gain analytics on Windows updates.

    Note: This requires an Azure subscription to create or use an Azure Log Analytics workspace for reporting.

  • Deploy a configuration profile for enabling managed endpoints to report diagnostics needed for WUfB reports to function:

    • Select All Devices.

    • Set to Enforce.

    Justification: If you don’t already have another method for enabling WUfB on your customer devices, this is an effective way to ensure the devices report into WUfB Reports.

Policy Baseline deployment

  • Set to Exclude.

    Justification: Exclude this setting until you’ve built out your policy baselines.

Apple

Enrollment types

  • State (all settings): Set to Ignore.

  • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

Diagnostics

Windows

  • Windows data: Select and set to Enforce.

    Justification: Allows Intune to use additional OS diagnostic information.

  • Device Diagnostics: Select and set to Enforce.

    Justification: Allows Intune to use additional device diagnostic information.

  • Autopilot: Select and set to Enforce.

    Justification: Allows Intune to use additional Autopilot diagnostic information.

    Note: Even if you're not currently using Autopilot, enabling this setting is still recommended.

General

  • App Protection: Select and set to Enforce.

    Justification: Allows Intune to use additional App Protection diagnostic information.

    Note: Even if you're not currently using App Protection policies, enabling this setting is still recommended.

Prerequisites

License

  • Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action.

Permissions

  • Nerdio Manager for MSP needs read/write permissions for accessing the Graph API and other APIs in the customer's context: Set to Enforce.

    Justification: Provides Nerdio Manager with the correct permissions in the customer’s tenant.

  • Provide Admin Consent for permissions: Set to Enforce.

    Justification: While some settings require explicit admin user consent, enforcing this setting allows permissions that support API-based consent to be granted automatically.

Windows

  • CNAME Validation: Deselect and set to Exclude.

    Justification: Since automatic enrollment into Intune is already configured, this setting is not needed.

  • Intune Provisioning Client: Set to Enforce.

    Justification: Required to use Intune and Autopilot.

    Note: Even if you're not currently using Autopilot, enabling this setting is still recommended.

Apple

  • Validate Apple Business Manager:

    • Select Report invalid if the certificate expires in the next 30 days.

    • Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

Google

  • Validate Managed Google Play Connection: Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

  • Validate Managed Google Play App Sync: Set to Report-only.

    Justification: Set this option to Report-only mode until you have a firm understanding of Mobile Device Management (MDM).

SharePoint and OneDrive: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

Sharing

Name and Description

  • Solution Baseline for SharePoint & OneDrive: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

External Sharing

  • SharePoint:

    • Select New and existing guests.

    • Set to Enforce.

    Justification: This allows adding new external users but requires them to sign in.

  • Limit external sharing by domain:

    • Select No.

    • Set to Enforce.

    Justification: For security, it is best to control sharing using either an allowlist or a blocklist. However, adjust this setting based on your organization's requirements.

  • Allow guests to share items they don’t own: Deselect and set to Exclude.

    Justification: Prevents guests from resharing confidential files they don’t own.

Access Control

Modern authentication

  • Apps that don’t use modern authentication:

    • Select Block access.

    • Set to Enforce.

    Justification: Preventing the use of legacy authentication methods helps mitigate security risks, as they lack MFA support and are vulnerable to password attacks.

SharePoint

Notifications

  • Allow notifications: Select and set to Enforce.

    Justification: Security notifications help users detect unauthorized access or file changes.

Pages

  • Allow users to create modern pages: Select and set to Enforce.

    Justification: This allows users to create internal pages for collaboration.

  • Allow commenting on modern pages: Select and set to Enforce.

    Justification: This facilitates internal collaboration.

OneDrive

Retention

  • Days to retain a deleted user’s OneDrive:

    • Set to 60 (adjust per your requirement).

    • Set to Enforce.

    Justification: Retains files for a specified period in case of accidental deletion or compliance investigations.

Sync

  • Show the Sync button on the OneDrive website: Select and set to Enforce.

    Justification: Allows users to sync files to their local device securely.

  • Block upload of specific file types: Set per your requirement and set to Enforce.

    Justification: This blocks the upload of undesired file types, such as .exe, .msi, and .ps1.

Prerequisites

Licenses

  • Check for license: Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action.

Permissions

  • Application context: Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action. It verifies if the correct API permissions are applied.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude mode details for each configuration tab.

Options

  • Process the recommended Solution Baseline for SharePoint & OneDrive after saving: If selected, this option immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this option removes from the solution baseline any policies that were previously assigned.

Teams: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group | Settings | Recommendations and additional details

Teams & Channels

Name and Description

  • Solution Baseline for Teams: Select the pencil icon to provide a unique name and description for each baseline.

    Justification: This makes it easier to determine the baseline applicability for a customer.

Teams Settings

  • Create private channels: Deselect and set to Exclude.

    Justification: This prevents increased IT overhead, limited features, and the risk of orphaned data.

  • Create shared channels: Select and set to Report-only.

    Justification: This simplifies external collaboration, improves security, and reduces team sprawl.

  • Invite external users to shared channels: Deselect and set to Exclude.

    Justification: This ensures that all additions go through IT administration, allowing for better security control.

  • Join external shared channels: Deselect and set to Report-only.

    Justification: This allows trusted partner organizations to join through cross-tenant access settings for enhanced security control.

External Collaborators

Guest Access Settings

  • Guest Access:

    • From the drop-down list, select Off.

    • Set to Enforce.

    Justification: This enhances security. You can handle external collaboration via shared channels, which don’t require guests in your account.

Calling

  • Make private calls: Deselect and set to Exclude.

    Justification: This prevents unmonitored communication and potential misuse.

Meeting

  • Screen Sharing:

    • From the drop-down list, select Single Application.

    • Set to Enforce.

    Justification: This allows collaboration without sharing files but prohibits sharing the entire desktop.

  • Meet Now in Channels: Deselect and set to Exclude.

    Justification: This prevents security risks, compliance issues, and loss of control.

Messaging

  • Edit sent messages: Deselect and set to Exclude.

    Justification: This prevents information tampering.

  • Delete sent messages: Deselect and set to Exclude.

    Justification: This prevents unauthorized communication from being hidden, ensuring compliance and auditability.

  • Chat: Deselect and set to Exclude.

    Justification: Reduces risk of unmonitored communication. Guests can still chat inside meetings.

External access

  • People in the organization can communicate with unmanaged Teams accounts: Deselect and set to Exclude.

    Justification: This prevents unmanaged accounts from being vulnerable to phishing attacks or malware that could compromise sensitive information.

  • External users with Teams accounts not managed by an organization can contact users in the organization: Deselect and set to Exclude.

    Justification: This prevents unverified external users from contacting internal employees for malicious purposes.

  • People in the organization can communicate with accounts in trial Teams tenants: Deselect and set to Exclude.

    Justification: This prevents increased risk to communication due to inadequate enterprise-level security measures in trial accounts.

  • People in the organization can communicate with Skype users: Deselect and set to Exclude.

    Justification: This prevents security risks from Skype users, especially those on consumer accounts, who are not subject to the same enterprise security standards as Teams users.

Meetings & Events

Meeting scheduling

  • Private meeting scheduling: Select and set to Enforce.

    Justification: This enables private meeting scheduling only for authorized users and allows controlling who can create private meetings.

  • Meet now in private meetings: Select and set to Enforce.

    Justification: This ensures that only authorized users can initiate Meet now sessions in private meetings.

  • Channel meeting scheduling: Select and set to Enforce.

    Justification: This sets permissions to allow only Team Owners and Admins to schedule channel meetings.

  • Meet now in channel meetings: Select and set to Enforce.

    Justification: This enables Meet now in channels only for Team Owners or authorized users.

  • Outlook add-in: Select and set to Enforce.

    Justification: This enables Outlook add-in only for internal users who are trusted and require it for their daily operations.

  • Attendance and engagement report:

    • From the drop-down list, select On, but organizers can turn it off.

    • Set to Enforce.

    Justification: This restricts report sharing and implements strong data retention policies to avoid unnecessary exposure.

  • Include attendees in the report:

    • From the drop-down list, select Yes, but attendees can opt out.

    • Set to Enforce.

    Justification: This includes attendee information only when necessary for reporting and compliance.

  • Attendee information:

    • From the drop-down list, select Only show who attended.

    • Set to Enforce.

    Justification: This minimizes data exposure, enhances privacy, and reduces the risk of data misuse.

Meeting Join & Lobby

  • Anonymous users can join a meeting: Deselect and set to Exclude.

    Justification: This reduces the risk of uninvited participants.

  • Anonymous users and dial-in callers can start a meeting: Deselect and set to Exclude.

    Justification: This prevents unauthorized meeting initiation.

  • Who can bypass the lobby:

    • From the drop-down list, select Only organizers and co-organizers.

    • Set to Enforce.

    Justification: This ensures meetings are properly moderated.

  • People dialing in can bypass the lobby: Deselect and set to Exclude.

    Justification: This allows controlling access for phone participants.

  • People can join external meetings hosted by:

    • From the drop-down list, select Only people in trusted orgs.

    • Set to Enforce.

    Justification: This protects users from external threats.

Meeting Engagement

  • Meeting chat:

    • From the drop-down list, select On for everyone but anonymous users.

    • Set to Enforce.

    Justification: This prevents spam, phishing attempts, and inappropriate messages by restricting chat access for anonymous users.

  • External meeting chat: Deselect and set to Exclude.

    Justification: This prevents uncontrolled information sharing, security gaps with external domains, and a lack of oversight.

Content Sharing

  • Who can present:

    • From the drop-down list, select Only organizers and co-organizers.

    • Set to Enforce.

    Justification: This prevents external users from sharing unwanted or malicious content.

  • Screen sharing:

    • From the drop-down list, select Single application.

    • Set to Enforce.

    Justification: This prevents participants from sharing an entire screen that could expose sensitive information, notifications, or background applications.

  • Participants can give or request control: Deselect and set to Exclude.

    Justification: This prevents any participant from taking control of a shared screen, potentially accessing confidential files.

  • External participants can give or request control: Deselect and set to Exclude.

    Justification: This prevents external users from taking control of shared content, accessing internal systems, or executing unauthorized actions.

Recording & Transcription

  • Require participant agreement for recording and transcription: Select and set to Enforce.

    Justification: This prevents legal and compliance issues, privacy concerns, and ethical considerations.

  • Transcription: Deselect and set to Exclude.

    Justification: This prevents data retention risks, confidentiality issues, and compliance violations.

Participants

  • Anonymous users can join a meeting: Deselect and set to Exclude.

    Justification: This prevents unverified attendees from disrupting meetings, sharing sensitive information with unintended participants, and bypassing tracking or verification.

Voice & Messaging

  • Messaging

  • Calling

  • Call Park

  • Caller ID

  • Mobility

  • Voicemail

Coming soon. Follow the Release Notes page for updates.

Prerequisites

License Validation

  • License Validation: Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action.

Permissions

  • Permissions: Set to Report-only.

    Justification: This setting is report-only because there is no enforcement action.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude mode details for each configuration tab.

Options

  • Process the recommended Solution Baseline for Teams after saving: If selected, this option immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this option removes from the solution baseline any policies that were previously assigned.
