title

Settings list for the Microsoft Intune security baseline for Microsoft Defender for Endpoint

description

View the settings in the Microsoft Intune security baseline for Microsoft Defender for Endpoint and each settings default value.

ms.date

09/10/2024

ms.topic

reference

ms.reviewer

aanavath

ms.collection

M365-identity-device-management

sub-secure-endpoints

zone_pivot_groups

atp-baseline-versions

Microsoft Defender for Endpoint security baseline settings reference for Microsoft Intune

This article is a reference for the settings that are available in the Microsoft Defender for Endpoint security baseline for Microsoft Intune.

About this reference article

Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.

The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays:

A list of each setting with its configuration as found in the default instance of that baseline version.
When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use.

When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:

Become read-only. While you can continue to use those profiles and edit their name, description, and assignments, you can’t modify the configuration of any settings in them.
Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see:

::: zone pivot="mde-v24h1"

Microsoft Defender for Endpoint baseline version 24H1

::: zone-end ::: zone pivot="atp-december-2020"

Microsoft Defender for Endpoint baseline for December 2020 - version 6

::: zone-end ::: zone pivot="atp-sept-2020"

Microsoft Defender for Endpoint baseline for September 2020 - version 5

::: zone-end ::: zone pivot="atp-april-2020"

Microsoft Defender for Endpoint baseline for April 2020 - version 4

::: zone-end ::: zone pivot="atp-march-2020"

Microsoft Defender for Endpoint baseline for March 2020 - version 3

::: zone-end

The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using Microsoft Defender for Endpoint.

This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see Increase compliance to the Microsoft Defender for Endpoint security baseline in the Windows documentation.

::: zone pivot="mde-v24h1"

Administrative Templates

System > Device Installation > Device Installation Restrictions

Prevent installation of devices using drivers that match these device setup classes
Baseline default: Enabled
Learn more
- Prevented Classes
  Baseline default: d48179be-ec20-11d1-b6b8-00c04fa372a7
- Also apply to matching devices that are already installed.
  Baseline default: False

Windows Components > BitLocker Drive Encryption

Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Baseline default: Enabled
Learn more

[!IMPORTANT] [!INCLUDE windows-10-support]
- Select the encryption method for removable data drives:
  Baseline default: AES-CBC 128-bit (default)
- Select the encryption method for operating system drives:
  Baseline default: XTS-AES 128-bit (default)
- Select the encryption method for fixed data drives:
  Baseline default: XTS-AES 128-bit (default)

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Choose how BitLocker-protected fixed drives can be recovered
Baseline default: Enabled
Learn more
- Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives
  Baseline default: True
- Allow data recovery agent
  Baseline default: True
- Configure storage of BitLocker recovery information to AD DS
  Baseline default: Backup recovery passwords and key packages
  
  Value: Allow 256-bit recovery key
- Save BitLocker recovery information to AD DS for fixed data drives
  Baseline default: True
- Omit recovery options from the BitLocker setup wizard
  Baseline default: True
- Configure user storage of BitLocker recovery information:
  Baseline default: Allow 48-digit recovery password
Deny write access to fixed drives not protected by BitLocker
Baseline default: Enabled
Learn more
Enforce drive encryption type on fixed data drives
Baseline default: Enabled
Learn more
- Select the encryption type: (Device)
  Baseline default: Used Space Only encryption

Windows Components > BitLocker Drive Encryption > Operating System Drives

Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Baseline default: Disabled
Learn more
Allow enhanced PINs for startup
Baseline default: Disabled
Learn more
Choose how BitLocker-protected operating system drives can be recovered
Baseline default: Enabled
Learn more
- Omit recovery options from the BitLocker setup wizard
  Baseline default: True
- Allow data recovery agent
  Baseline default: True
  
  Value: Allow 256-bit recovery key
- Configure storage of BitLocker recovery information to AD DS:
  Baseline default: Store recovery passwords and key packages
- Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
  Baseline default: True
- Save BitLocker recovery information to AD DS for operating system drives
  Baseline default: True
- Configure user storage of BitLocker recovery information:
  Baseline default: Allow 48-digit recovery password
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Baseline default: Enabled
Learn more
Enforce drive encryption type on operating system drive
Baseline default: Enabled
Learn more
- Select the encryption type: (Device)
  Baseline default: Used Space Only encryption
Require additional authentication at startup
Baseline default: Enabled
Learn more
- Configure TPM startup key and PIN:
  Baseline default: Do not allow startup key and PIN with TPM
- Configure TPM startup:
  Baseline default: Allow TPM
- Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
  Baseline default: False
- Configure TPM startup PIN:
  Baseline default: Allow startup PIN with TPM
- Configure TPM startup key:
  Baseline default: Do not allow startup key with TPM

Windows Components > BitLocker Drive Encryption > Removable Data Drives

Control use of BitLocker on removable drives
Baseline default: Enabled
Learn more
- Allow users to apply BitLocker protection on removable data drives (Device)
  Baseline default: True
  - Enforce drive encryption type on removable data drives
    Baseline default: Enabled
    Learn more
    - Select the encryption type: (Device)
      Baseline default: Used Space Only encryption
- Allow users to suspend and decrypt BitLocker protection on removable data drives (Device)
  Baseline default: False
Deny write access to removable drives not protected by BitLocker
Baseline default: Enabled
Learn more
- Do not allow write access to devices configured in another organization
  Baseline default: False

Windows Components > File Explorer

Configure Windows Defender SmartScreen
Baseline default: Enabled
Learn more
- Pick one of the following settings: (Device)
  Baseline default: Warn and prevent bypass

Windows Components > Internet Explorer

Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Baseline default: Enabled
Learn more
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User)
Baseline default: Enabled
Learn more
Prevent managing SmartScreen Filter
Baseline default: Enabled
Learn more
- Select SmartScreen Filter mode
  Baseline default: On

BitLocker

Allow Warning For Other Disk Encryption
Baseline default: Enabled
Learn more
Configure Recovery Password Rotation
Baseline default: Refresh on for both Azure AD-joined and hybrid-joined devices
Learn more
Require Device Encryption
Baseline default: Enabled
Learn more

Defender

Allow Archive Scanning
Baseline default: Allowed. Scans the archive files.
Learn more
Allow Behavior Monitoring
Baseline default: Allowed. Turns on real-time behavior monitoring.
Learn more
Allow Cloud Protection
Baseline default: Allowed. Turns on Cloud Protection.
Learn more
Allow Email Scanning
Baseline default: Allowed. Turns on email scanning.
Learn more
Allow Full Scan Removable Drive Scanning
Baseline default: Allowed. Scans removable drives.
Learn more
Allow On Access Protection
Baseline default: Allowed.
Learn more
Allow Realtime Monitoring
Baseline default: Allowed. Turns on and runs the real-time monitoring service.
Learn more
Allow Scanning Network Files
Baseline default: Allowed. Scans network files.
Learn more
Allow scanning of all downloaded files and attachments
Baseline default: Allowed.
Learn more
Allow Script Scanning
Baseline default: Allowed.
Learn more
Allow User UI Access
Baseline default: Allowed. Lets users access UI.
Learn more
- Block execution of potentially obfuscated scripts
  Baseline default: Block
  Learn more
- Block Win32 API calls from Office macros
  Baseline default: Block
  Learn more
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  Baseline default: Block
  Learn more
- Block Office communication application from creating child processes
  Baseline default: Block
  Learn more
- Block all Office applications from creating child processes
  Baseline default: Block
  Learn more
- Block Adobe Reader from creating child processes
  Baseline default: Block
  Learn more
- Block credential stealing from the Windows local security authority subsystem
  Baseline default: Block
  Learn more
- Block JavaScript or VBScript from launching downloaded executable content
  Baseline default: Block
  Learn more
- Block Webshell creation for Servers
  Baseline default: Block
  Learn more
- Block untrusted and unsigned processes that run from USB
  Baseline default: Block
  Learn more
- Block persistence through WMI event subscription
  Baseline default: Audit
  Learn more
- [PREVIEW] Block use of copied or impersonated system tools
  Baseline default: Block
  Learn more
- Block abuse of exploited vulnerable signed drivers (Device)
  Baseline default: Block
  Learn more
- Block process creations originating from PSExec and WMI commands
  Baseline default: Audit
  Learn more
- Block Office applications from creating executable content
  Baseline default: Block
  Learn more
- Block Office applications from injecting code into other processes
  Baseline default: Block
  Learn more
- [PREVIEW] Block rebooting machine in Safe Mode
  Baseline default: Block
  Learn more
- Use advanced protection against ransomware
  Baseline default: Block
  Learn more
- Block executable content from email client and webmail
  Baseline default: Block
  Learn more
Check For Signatures Before Running Scan
Baseline default: Enabled
Learn more
Cloud Block Level
Baseline default: High
Learn more
Cloud Extended Timeout
Baseline default: Configured
Value: 50
Learn more
Disable Local Admin Merge
Baseline default: Enable Local Admin Merge
Learn more
Enable Network Protection
Baseline default: Enabled (block mode)
Learn more
Hide Exclusions From Local Admins
Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
Learn more
Hide Exclusions From Local Users
Baseline default: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
Learn more
Oobe Enable Rtp And Sig Update
Baseline default: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
Learn more
PUA Protection
Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Learn more
Real Time Scan Direction
Baseline default: Monitor all files (bi-directional).
Learn more
Scan Parameter
Baseline default: Quick scan
Learn more
Schedule Quick Scan Time
Baseline default: Configured
Value: 120
Learn more
Schedule Scan Day
Baseline default: Every day
Learn more
Schedule Scan Time
Baseline default: Configured
Value: 120
Learn more
Signature Update Interval
Baseline default: Configured
Value: 4
Learn more
Submit Samples Consent
Baseline default: Send all samples automatically.
Learn more

Device Guard

Credential Guard
Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
Learn more

Dma Guard

Device Enumeration Policy
Baseline default: Block all (Most restrictive)
Learn more

Firewall

Certificate revocation list verification
Baseline default: None
Learn more
Disable Stateful Ftp
Baseline default: True
Learn more
Enable Domain Network Firewall
Baseline default: True
Learn more
- Allow Local Ipsec Policy Merge
  Baseline default: True
  Learn more
- Disable Stealth Mode
  Baseline default: False
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
- Disable Unicast Responses To Multicast Broadcast
  Baseline default: False
  Learn more
- Global Ports Allow User Pref Merge
  Baseline default: True
  Learn more
- Disable Stealth Mode Ipsec Secured Packet Exemption
  Baseline default: True
  Learn more
- Allow Local Policy Merge
  Baseline default: True
  Learn more
Enable Packet Queue
Baseline default: Configured
Value: Disabled
Learn more
Enable Private Network Firewall
Baseline default: True
Learn more
- Default Inbound Action for Private Profile
  Baseline default: Block
  Learn more
- Disable Unicast Responses To Multicast Broadcast
  Baseline default: False
  Learn more
- Disable Stealth Mode
  Baseline default: False
  Learn more
- Global Ports Allow User Pref Merge
  Baseline default: True
  Learn more
- Allow Local Ipsec Policy Merge
  Baseline default: True
  Learn more
- Disable Stealth Mode Ipsec Secured Packet Exemption
  Baseline default: True
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
- Allow Local Policy Merge
  Baseline default: True
  Learn more
- Default Outbound Action
  Baseline default: Allow
  Learn more
- Auth Apps Allow User Pref Merge
  Baseline default: True
  Learn more
Enable Public Network Firewall
Baseline default: True
Learn more
- Disable Stealth Mode
  Baseline default: False
  Learn more
- Default Outbound Action
  Baseline default: Allow
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
- Disable Stealth Mode Ipsec Secured Packet Exemption
  Baseline default: True
  Learn more
- Allow Local Policy Merge
  Baseline default: True
  Learn more
- Auth Apps Allow User Pref Merge
  Baseline default: True
  Learn more
- Default Inbound Action for Public Profile
  Baseline default: Block
  Learn more
- Disable Unicast Responses To Multicast Broadcast
  Baseline default: False
  Learn more
- Global Ports Allow User Pref Merge
  Baseline default: True
  Learn more
- Allow Local Ipsec Policy Merge
  Baseline default: True
  Learn more
Preshared Key Encoding
Baseline default: UTF8
Learn more
Security association idle time
Baseline default: Configured
Value: 300
Learn more

Microsoft Edge

Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
Enable Microsoft Defender SmartScreen DNS requests
Baseline default: Enabled
Enable new SmartScreen library
Baseline default: Enabled
Force Microsoft Defender SmartScreen checks on downloads from trusted sources
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled

::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020"

Attack Surface Reduction Rules

Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
- Endpoint security > Attack surface reduction policy > Attack surface reduction rules
- Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.
Settings that don't have conflicts are added to a superset of policy for the device.
When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
Only the configurations for conflicting settings are held back.

To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.

Block Office communication apps from creating child processes
Baseline default: Enable
Learn more
Block Adobe Reader from creating child processes
Baseline default: Enable
Learn more
Block Office applications from injecting code into other processes
Baseline default: Block
Learn more
Block Office applications from creating executable content
Baseline default: Block
Learn more
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Learn more
Enable network protection
Baseline default: Enable
Learn more
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Learn more
Block executable content download from email and webmail clients
Baseline default: Block
Learn more
Block all Office applications from creating child processes
Baseline default: Block
Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Learn more
Block Win32 API calls from Office macro
Baseline default: Block
Learn more

::: zone-end

::: zone pivot="atp-march-2020,atp-april-2020"

Application Guard

For more information, see WindowsDefenderApplicationGuard CSP in the Windows documentation.

When you use Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary.

Turn on Application Guard for Edge (Options)
Baseline default: Enabled for Edge
Learn more
- Block external content from non-enterprise approved sites
  Baseline default: Yes
  Learn more
- Clipboard behavior
  Baseline default: Block copy and paste between PC and browser
  Learn more
Windows network isolation policy
Baseline default: Configure
Learn more
- Network domains
  Baseline default: securitycenter.windows.com

::: zone-end ::: zone pivot="atp-december-2020,atp-sept-2020,atp-march-2020,atp-april-2020"

BitLocker

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"

Require storage cards to be encrypted (mobile only)
Baseline default: Yes
Learn more

[!NOTE] Support for Windows 10 Mobile and Windows Phone 8.1 ended in August of 2020.
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker system drive policy
Baseline default: Configure
Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

::: zone-end ::: zone pivot="atp-sept-2020"

Standby states when sleeping while on battery
Baseline default: Disabled
Learn more
Standby states when sleeping while plugged in
Baseline default: Disabled
Learn more
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker system drive policy
Baseline default: Configure
Learn more
- Startup authentication required
  Baseline default: Yes
  Learn more
- Compatible TPM startup PIN
  Baseline default: Allowed
  Learn more
- Compatible TPM startup key
  Baseline default: Required
  Learn more
- Disable BitLocker on devices where TPM is incompatible
  Baseline default: Yes
  Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

::: zone-end ::: zone pivot="atp-december-2020"

BitLocker system drive policy
Baseline default: Configure
Learn more
- Startup authentication required
  Baseline default: Yes
  Learn more
- Compatible TPM startup PIN
  Baseline default: Allowed
  Learn more
- Compatible TPM startup key
  Baseline default: Required
  Learn more
- Disable BitLocker on devices where TPM is incompatible
  Baseline default: Yes
  Learn more
- Configure encryption method for Operating System drives
  Baseline default: Not configured
  Learn more
Standby states when sleeping while on battery
Baseline default: Disabled
Learn more
Standby states when sleeping while plugged in
Baseline default: Disabled
Learn more
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
Learn more
BitLocker fixed drive policy
Baseline default: Configure
Learn more
- Block write access to fixed data-drives not protected by BitLocker
  Baseline default: Yes
  Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
- Configure encryption method for fixed data-drives
  Baseline default: AES 128bit XTS
  Learn more
BitLocker removable drive policy
Baseline default: Configure
Learn more
- Configure encryption method for removable data-drives
  Baseline default: AES 128bit CBC
  Learn more
- Block write access to removable data-drives not protected by BitLocker
  Baseline default: Not configured
  Learn more

::: zone-end

::: zone pivot="atp-march-2020,atp-april-2020"

Browser

Require SmartScreen for Microsoft Edge
Baseline default: Yes
Learn more
Block malicious site access
Baseline default: Yes
Learn more
Block unverified file download
Baseline default: Yes
Learn more

Data Protection

Block direct memory access
Baseline default: Yes
Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"

Device Guard

Turn on credential guard
Baseline default: Enable with UEFI lock
Learn more

Device Installation

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"

Hardware device installation by device identifiers
Baseline default: Block hardware device installation
Learn more
- Remove matching hardware devices
  Baseline default: Yes
- Hardware device identifiers that are blocked
  Baseline default: Not configured by default. Manually add one or more device identifiers.

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020"

Hardware device installation by setup classes
Baseline default: Block hardware device installation
Learn more
- Remove matching hardware devices
  Baseline default: Not configured
- Hardware device identifiers that are blocked
  Baseline default: Not configured by default. Manually add one or more device identifiers.

::: zone-end ::: zone pivot="atp-december-2020"

Block hardware device installation by setup classes: Baseline default: Yes
Learn more
- Remove matching hardware devices: Baseline default: Yes
- Block list
  Baseline default: Not configured by default. Manually add one or more setup class globally unique identifiers.

::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020"

DMA Guard

::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020"

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Block all
Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Not configured
Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"

Endpoint Detection and Response

Sample sharing for all files
Baseline default: Yes
Learn more
Expedite telemetry reporting frequency
Baseline default: Yes
Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"

Firewall

Stateful File Transfer Protocol (FTP)
Baseline default: Disabled
Learn more
Number of seconds a security association can be idle before it's deleted
Baseline default: 300
Learn more
Preshared key encoding
Baseline default: UTF8
Learn more
Certificate revocation list (CRL) verification
Baseline default: Not configured
Learn more
Packet queuing
Baseline default: Not configured
Learn more
Firewall profile private
Baseline default: Configure
Learn more
- Inbound connections blocked
  Baseline default: Yes
  Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Outbound connections required
  Baseline default: Yes
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Incoming traffic required
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"
- Stealth mode blocked
  Baseline default: Yes
  Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"

Firewall profile public
Baseline default: Configure
Learn more
- Inbound connections blocked
  Baseline default: Yes
  Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Outbound connections required
  Baseline default: Yes
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes**
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Incoming traffic required
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"
- Stealth mode blocked
  Baseline default: Yes
  Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"

Firewall profile domain
Baseline default: Configure
Learn more
- Unicast responses to multicast broadcasts required
  Baseline default: Yes
  Learn more
- Authorized application rules from group policy not merged
  Baseline default: Yes
  Learn more
- Inbound notifications blocked
  Baseline default: Yes
  Learn more
- Global port rules from group policy merged
  Baseline default: Yes
  Learn more
- Firewall enabled
  Baseline default: Allowed
  Learn more
- Connection security rules from group policy not merged
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged
  Baseline default: Yes
  Learn more ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020"
- Stealth mode blocked
  Baseline default: Yes
  Learn more

::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"