
The Windows 11 25H2 Security Baseline Is in Intune — Here Is What Changed and How to Migrate

Imran Awan
26 June 2026

Microsoft has published the Windows 11 version 25H2 security baseline for Intune, and there is one thing every admin needs to know before anything else: your existing baseline profiles will not update automatically. The new version is available in the console, but nothing changes on your devices until you take deliberate action. If you have been running the 24H2 or 23H2 baseline, those profiles continue to apply their original settings. The 25H2 settings, including new controls and updated defaults, do not land until you migrate.

This post covers what changed in the 25H2 baseline, a specific known issue you need to be aware of, how to find your current profiles, and a step-by-step path to migrating — including when to rebuild from scratch versus migrating in-place.

Action required: Existing security baseline profiles do not auto-update to new baseline versions. You must manually create a new profile or migrate your existing profiles to Windows 11 25H2. Until you do, the new settings are not applied.

What changed in the 25H2 baseline

Every new baseline version contains three categories of change. Understanding which category a setting falls into determines what you need to do during migration.

New settings
  What it means: controls that did not exist in earlier baselines.
  Migration action: review each one and decide whether to keep Microsoft's recommended value or customise it.

Updated defaults
  What it means: settings that existed before, but Microsoft changed the recommended value.
  Migration action: do not assume your old value carries over; the new default applies unless you explicitly override it.

Retired settings
  What it means: settings removed from the baseline (deprecated OS feature, superseded control).
  Migration action: identify whether you relied on these and replace or remove them from your configuration.

The full list of settings for the Windows 11 25H2 baseline is in the Windows MDM security baseline settings reference on Microsoft Docs. Use it to do a side-by-side comparison with your current profile configuration before migrating.

Available baseline versions in Intune (as of June 2026): Windows 11 25H2, Windows 11 24H2, Windows 11 23H2, November 2021, December 2020, August 2020. New profiles should target 25H2. Older versions remain available for backward compatibility.

Known issue: IE11 COM automation setting was missing at launch

There is a specific issue with the 25H2 baseline that you need to check if you created a profile before the June 2026 Intune service update.

At initial release of the Windows 11 25H2 baseline, the setting "Disable Internet Explorer 11 launch via COM automation" was missing from the profile. Microsoft confirmed this and added the setting in the June 2026 Intune service update.

Who is affected: If you created a Windows 11 25H2 security baseline profile before the June 2026 Intune service update, that profile does not include the IE11 COM automation setting — even after the service update was applied. Profiles created after the update include it automatically.

What the setting does

This setting prevents applications from silently launching Internet Explorer 11 through COM automation interfaces. IE11 is end-of-life and its COM hosting surface is a known attack vector — scripts or legacy applications can invoke it to bypass modern browser security controls. Disabling COM-based IE11 launch is a standard hardening control in enterprise environments.

How to fix it

If your profile was created before the June 2026 service update, the fix is straightforward: open the profile in Intune, step through the Edit wizard (no changes are needed), and save it. Saving triggers Intune to re-evaluate the profile definition and pull in the now-present IE11 COM setting with its recommended value.

  1. Go to Intune admin centre > Endpoint security > Security baselines > Windows 11 Security Baseline
  2. Open the affected profile
  3. Click Edit
  4. Navigate through the steps (no changes needed) and click Save
  5. Intune will re-process the profile with the IE11 COM setting now included

Tip: After saving, check the profile's settings list and confirm the IE11 COM automation setting is now present. If you customised any settings during migration, verify they were not altered by the save operation.

How to find your current baseline profiles

Security baseline profiles in Intune are under Endpoint security, not the Devices blade. Here is where to look:

Intune admin centre
  └─ Endpoint security
       └─ Security baselines
            ├─ Windows 11 Security Baseline      ← your profiles are here
            ├─ Windows 365 Security Baseline
            └─ Microsoft Defender for Endpoint Baseline

Under Windows 11 Security Baseline, select the tile and you will see all profiles currently assigned in your tenant. Each profile shows:

Any profile showing a version earlier than Windows 11 25H2 is a candidate for migration.
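To make the console check above repeatable across a tenant, here is an added PowerShell example (not from the post, and not Microsoft's own tooling) that lists every Windows security baseline profile through the Microsoft Graph beta API and flags those not on 25H2. It assumes the Microsoft.Graph.Authentication module is installed, that the beta endpoints used expose the properties shown, and that the 25H2 template's display name or version string contains '25H2'.

```powershell
# Added example (not from the post). Assumes Microsoft.Graph.Authentication is installed, that the
# beta endpoints return the properties used here, and that the 25H2 template name contains '25H2'.
function Get-GraphPages {
    # Follow @odata.nextLink until every page of a collection has been read.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-BaselineProfileReport {
    $base = 'https://graph.microsoft.com/beta/deviceManagement'
    # Settings-catalog profiles: the format used by the 23H2 and later baseline versions.
    # templateFamily is filtered client-side so nothing depends on server-side $filter support.
    $catalog = Get-GraphPages "$base/configurationPolicies?`$expand=assignments" |
        Where-Object { $_.templateReference.templateFamily -eq 'baseline' }
    $rows = @(foreach ($p in $catalog) {
        $ref = $p.templateReference
        [pscustomobject]@{
            Name     = $p.name
            Format   = 'SettingsCatalog'
            Version  = "$($ref.templateDisplayName) $($ref.templateDisplayVersion)".Trim()
            Assigned = [bool]$p.assignments
            Modified = $p.lastModifiedDateTime
        }
    })
    # Legacy intent-based profiles: the August 2020 to November 2021 baseline versions.
    $templates = @{}
    foreach ($t in Get-GraphPages "$base/templates") { $templates[$t.id] = $t }
    $rows += @(foreach ($i in Get-GraphPages "$base/intents") {
        $t = $templates[[string]$i.templateId]
        if ($t.templateType -ne 'securityBaseline') { continue }
        [pscustomobject]@{
            Name     = $i.displayName
            Format   = 'Legacy'
            Version  = "$($t.displayName) $($t.versionInfo)".Trim()
            Assigned = [bool]$i.isAssigned
            Modified = $i.lastModifiedDateTime
        }
    })
    # Any profile whose version string does not mention 25H2 is a migration candidate.
    $rows | Select-Object *, @{ n = 'NeedsMigration'; e = { $_.Version -notmatch '25H2' } } |
        Sort-Object NeedsMigration -Descending
}
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
Get-BaselineProfileReport | Format-Table -AutoSize
```

If the Version column does not read as expected for a profile, compare it by eye with the version shown on the profile's tile in the console rather than trusting the '25H2' match alone.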

Migration options: new profile vs in-place migration

There are two approaches to moving your devices onto the 25H2 baseline. The right choice depends on whether you need to preserve your existing customisations.

Option A — New profile
  When to use: you want a clean start, or your existing profile has accumulated drift or unclear customisations.
  Trade-off: cleanest result, because you review every setting intentionally; more time upfront.

Option B — In-place migration
  When to use: you have a well-documented existing profile with specific customisations you want to carry forward.
  Trade-off: faster, because Intune carries your customisations forward, but you must still review changed defaults and new settings.

Conflict resolution reminder: When a baseline setting conflicts with a setting applied by another Intune policy (e.g., a device configuration profile or endpoint security policy), the most restrictive value typically wins. Review for conflicts before deploying, especially on settings with updated defaults in 25H2.

Whichever option you choose, test with a pilot group before deploying to your full device estate. See the testing section below.

Step-by-step migration guide

▶ Option A — Create a new profile from scratch (recommended for clean environments)
  1. Go to Intune admin centre > Endpoint security > Security baselines > Windows 11 Security Baseline
  2. Click + Create profile
  3. Give the profile a clear name — e.g., Win11 25H2 Security Baseline — Pilot
  4. Under Baseline version, select Windows 11 25H2
  5. Work through each settings category. For each setting, decide:
    • Accept Microsoft's recommended default (most settings — leave as-is)
    • Customise away from the default where your environment requires it
  6. On the Assignments page, assign to a pilot device group — not your full estate
  7. Review and create the profile
  8. Monitor device status under the profile for 24–48 hours before expanding scope
  9. Once validated, reassign to your full Windows 11 device group and retire the old baseline profile

Do not delete your old profile immediately. Keep it assigned to a separate group or unassigned until the new profile is confirmed healthy across your pilot. You can then retire the old one.

▶ Option B — Migrate an existing profile in-place
  1. Go to Intune admin centre > Endpoint security > Security baselines > Windows 11 Security Baseline
  2. Open your existing baseline profile
  3. Click Edit
  4. On the Basics page, locate the Baseline version selector and change it to Windows 11 25H2
  5. Intune will show you a comparison of settings between your current version and 25H2 — review this carefully:
    • New settings: shown as additions — review and confirm the recommended value is appropriate
    • Changed defaults: shown with old and new values — decide whether to accept the new default or retain your previous value
    • Retired settings: shown as removals — note if you were relying on these and plan replacements
  6. Continue through all settings categories
  7. On Assignments, confirm the profile is scoped to a pilot group only before saving
  8. Save the profile
  9. Monitor device status for 24–48 hours, then expand scope to your full device group

Note on IE11 COM setting: If your profile was created before the June 2026 service update, the in-place migration process will surface the IE11 COM automation setting during this edit. Confirm it is set to the recommended value (Disabled) when you see it.

New: STIG audit baseline

Alongside the 25H2 security baseline, Microsoft also released a STIG audit baseline for Windows 11 in Intune. This is a separate, distinct baseline — it is audit-only, not enforcement.

Benchmark: DISA STIG SCAP Benchmark Version 2, Release 7
Benchmark date: January 5, 2026
Mode: Audit only — assesses compliance, does not enforce or change settings
Who should use it: Organisations subject to DISA STIG compliance requirements (US government, defence contractors, regulated industries that align to STIG)

The STIG audit baseline does not replace the Windows 11 25H2 security baseline — they serve different purposes. The 25H2 baseline is your enforcement layer. The STIG audit baseline runs alongside it to report on DISA STIG compliance posture without making changes to device configuration.

Tip: If your organisation does not have DISA STIG compliance requirements, you do not need the STIG audit baseline. It is an optional addition for organisations that need to assess their posture against that specific framework.

Test before you roll out

Security baselines can have unexpected interactions with line-of-business applications, legacy configurations, or other Intune policies already deployed in your environment. Do not deploy directly to your full device estate.

A practical pilot approach:

  1. Pilot group — IT team or a test ring (20–50 devices). Deploy the new 25H2 profile here first. Run for 24–48 hours minimum.
  2. Check device status in Intune. Look for Error or Conflict states under the profile's device status view.
  3. Validate key applications — anything that might be sensitive to security policy changes: browsers, VPN clients, legacy LOB applications.
  4. Check for conflicts — go to Endpoint security > Security baselines > your profile > Per-setting status. Any setting showing Conflict is being overridden by another policy. Decide which policy should win.
  5. Expand scope once the pilot is clean. Move to a broader ring before full deployment.

Conflict resolution in practice: When a baseline setting and a device configuration profile target the same setting with different values, Intune applies the most restrictive value. If you see unexpected application behaviour after deploying the baseline, check the per-setting status for conflicts before assuming the baseline is the sole cause.
