Overview
Microsoft Intune security baselines enable organizations to create turnkey policy configurations with Microsoft's recommended settings. Intune supports two upgrade paths for your customizations: automatic migration and manual migration. The upgrade process states explicitly when a manual customization upgrade is required, as documented in Configure security baseline policies in Microsoft Intune | Microsoft Learn.
Issue Identified in Security Baseline Updates
We’ve recently identified an issue in the security baseline update process where, during upgrades from specific versions, customizations are not automatically retained. Instead, these values are replaced with the default recommended values contained in the latest release.
The impacted baseline upgrades are as follows:
- Security Baseline for Microsoft Edge: Version 112 to Version 128
- Security Baseline for Windows 10 and later: Version 23H2 to Version 24H2
- Windows 365 Security Baseline: November 2021 to Version 24H1
- Microsoft Defender for Endpoint Security Baseline: Version 6 to Version 24H1
- Microsoft 365 Apps for Enterprise Security Baseline: Version 2206 to Version 2306
When updating these security baselines, Intune creates a duplicate policy (without assignments) and automatically populates Microsoft’s recommended settings for the new version. These default configurations can be edited to apply customizations. However, customizations are not automatically carried over from the previous version when updating, and admins will need to manually reapply the customizations when creating the new profile.
If your organization deploys the new policy alongside the existing one and the two contain conflicting settings, Intune’s conflict resolution logic determines which setting is applied (for example, the most secure value wins, or values are merged), or leaves the existing value in place until the conflict is resolved. In the event of a conflict, Intune never removes policies from the device, so devices always have a security policy applied.
The Intune team will be delivering an update to automate migration of the impacted security baselines (and all future versions) in an upcoming release.
Interim Steps to Enable Custom Configurations in your Baseline Updates
When updating a policy to a newer baseline, your customizations must be recreated in the policy creation wizard. Customizations to the version 23H2 baseline are not carried over to the new policy, and the new policy will revert to Microsoft’s default recommended values for version 24H2.
Note: As mentioned above, this update does not remove the previous policy.
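Because the duplicated policy reverts to the new version's defaults, the practical interim task is to diff the old policy's settings against the new one and reapply whatever is missing. The following is an added example, not code from the Intune team: it compares two setting lists shaped like the `value` array returned by the Graph beta endpoint `/deviceManagement/configurationPolicies/{id}/settings` (an assumed response shape), using constructed sample data with placeholder setting definition ids, and reports every setting whose old value is not preserved.

```python
import json

# CONSTRUCTED sample data shaped like a settings catalog policy's settings list.
# Setting definition ids are PLACEHOLDERS, not real Intune ids.
OLD_23H2 = json.loads("""[
 {"settingInstance": {"settingDefinitionId": "placeholder_devicelock_minpinlength",
   "simpleSettingValue": {"value": 8}}},
 {"settingInstance": {"settingDefinitionId": "placeholder_devicelock_maxinactivity",
   "simpleSettingValue": {"value": 15}}},
 {"settingInstance": {"settingDefinitionId": "placeholder_firewall_domainprofile",
   "choiceSettingValue": {"value": "placeholder_firewall_domainprofile_1"}}}
]""")
NEW_24H2 = json.loads("""[
 {"settingInstance": {"settingDefinitionId": "placeholder_devicelock_minpinlength",
   "simpleSettingValue": {"value": 6}}},
 {"settingInstance": {"settingDefinitionId": "placeholder_firewall_domainprofile",
   "choiceSettingValue": {"value": "placeholder_firewall_domainprofile_1"}}}
]""")


def flatten(settings):
    """Map settingDefinitionId -> configured value for simple and choice settings."""
    out = {}
    for item in settings:
        inst = item["settingInstance"]
        sid = inst["settingDefinitionId"]
        if "choiceSettingValue" in inst:
            out[sid] = inst["choiceSettingValue"]["value"]
        elif "simpleSettingValue" in inst:
            out[sid] = inst["simpleSettingValue"]["value"]
    return out


def customizations_to_reapply(old_settings, new_settings):
    """Return {settingId: (old_value, new_value)} for each setting whose value in the
    old policy is absent from or different in the duplicated new policy. Each entry is
    either a dropped customization or a recommendation Microsoft changed between
    versions; the admin decides which to re-enter in the creation wizard."""
    old, new = flatten(old_settings), flatten(new_settings)
    return {sid: (val, new.get(sid)) for sid, val in old.items() if new.get(sid) != val}


if __name__ == "__main__":
    for sid, (before, after) in customizations_to_reapply(OLD_23H2, NEW_24H2).items():
        print(f"{sid}: old={before!r} new={after!r}")
```

A `None` new value means the setting no longer exists under the same id in the new version and has to be located under its new name before it can be re-entered.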
Figure 1: The Microsoft Intune admin center showing the Endpoint Security > Security baselines blade.
Organizations can upgrade an existing baseline (mentioned above), which duplicates the profile:
Figure 2: The Microsoft Intune admin center showing where to update the Security baseline.
Organizations can customize baselines, including modifying and editing the baseline in accordance with their organization’s policies:
Figure 3: The Microsoft Intune admin center displaying the editing of a Security Baseline for Windows 10 and later, with 'Device Lock' settings expanded.
To identify devices with conflicts between baseline updates, refer to the steps below:
- Navigate to the Devices > Manage devices > Configuration > Policies tab and select an existing policy.
- On the summary page, click View report.
Figure 4: The Microsoft Intune admin center displaying the View report option for detailed insights.
The View report provides detailed insights into the devices targeted by the selected configuration policy, including:
- Devices that have received the policy
- Usernames associated with those devices
- The check-in status and the most recent time each device/user checked in with the policy
You can also select a specific device to view more detailed information. Use the filter column to apply assignment filters. For example, the Check-in status filter helps you identify devices in different states such as Success, Error, and others, indicating how the policy was applied.
For more information on policies and reporting, refer to: See device configuration policies with Microsoft Intune | Microsoft Learn.
For further guidance, refer to Update a profile to the latest version in the Microsoft Learn documentation, or see the section above for more details on the baseline update process.
If you have any questions, leave a comment on this post or reach out to us on X @IntuneSuppTeam.
Post Updates:
7/7/25: Post updated with additional details and screen captures for clarity.