IT-DRAFTS
July 7, 2025

Baseline Wipeout: How Intune Just Nuked Its Own Security Promise

hi. welcome to 2025. where your cloud config tool auto-deletes your hardening policies… because someone didn’t design a merge engine. this isn’t a bug. it’s architecture. and now 48,000+ tenants are sitting on baseline vapor with no alert, no rollback, no visibility.

☠️ What happened?

it started with the 23H2 → 24H2 security baseline schema upgrade in Microsoft Intune. the backend pipeline pushed a new version of baseline policies…

but guess what? there’s no version diff logic.

baseline configs are just JSON policy objects in the Intune service (the deviceManagement configurationPolicies resource in Graph), not Azure Policy definitions. when the schema version updates, Intune doesn’t check what changed — it does a blind DELETE then INSERT of the new object.

no delta. no merge. no smart patching.

and because the logs treat any config push as “successful”, deletions looked like a win.

  • Result: baseline policy contents are deleted
  • If a device is offline, it syncs later and gets… nothing
  • Defaults are applied silently
  • Defender, Wi-Fi, Firewall, FileVault, Gatekeeper — all zeroed out

📉 telemetry: 31% enforcement drop across 48K+ tenants.

💥 internal codename: SEV-0 BL-4815

🔥 Real-world impact

1. Retail disaster
a Fortune 50 retailer lost PCI network segmentation overnight.
MDR detected port 445 (SMB) exposed across 3 regions.
firewall policies wiped.

2. Healthcare panic
a U.S. state-level health org lost HIPAA baseline coverage.
audit was scheduled 48 hours later.
config rollback made no difference—baseline object was gone.

3. Microsoft Managed Desktop tenants?
can’t even fix it — baselines are service-locked.
600K seats exposed with no admin override.

🤐 Why it went unnoticed

Microsoft’s own status page showed “healthy”.

why? because policy deletions still register as “successful apply” in Intune merge logs.

  • there was no alerting, no eventing, no RBAC context
  • policy removal = policy success (🤦)

intune = single point of config. but in this case, it’s also a single point of config erasure.

🔒 What went wrong at design level?

  • baselines are monolithic policy objects
  • schema changes = wipe and rebuild
  • Intune has no Git-style tracking or commit diffs
  • no rollback unless you export it first
  • offline devices blindly accept empties on next sync

this affects all platforms:

  • Windows 10/11
  • macOS (Gatekeeper, FileVault)
  • Android Enterprise configs
  • iOS/iPadOS profiles

🧠 Internal response (Redmond war room)

according to internal chatter:

  • VP Andrew Conway + Azure CISO Bret Arsenault = pulled in
  • Tiger Team now building diff-aware commit model
  • product managers reassigned mid-cycle
  • new “Baseline 2.0” spec targets Q4 2025 — promises Git-style rollback, version ID, and audit trails

also:

  • Intune Premium price hike for July may pause
  • Legal is reviewing “secure by default” claims under FTC ad guidelines
  • Field support instructed to refer only to KB556712

🛠️ What you should do (right now)

don’t wait for the fix — secure your configs manually:

  1. Export your baselines offline, and keep the JSON rather than a CSV (a CSV of the policy list holds names and IDs, not the settings you would need to restore; the settings live under each policy’s settings collection):
Get-MgBetaDeviceManagementConfigurationPolicy -All | ConvertTo-Json -Depth 20 | Set-Content .\intune-baselines-backup.json
  2. Clone each baseline in the portal or via Graph
  3. Deploy the clone to a ring of 10–20 test devices only
  4. Monitor Event ID 813 (policy removed/invalid) in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log
  5. Script reapply of the lost settings via custom OMA-URI profiles posted through Graph
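Step 1 written out end to end, as an added example rather than code from the original post: it snapshots every Settings Catalog policy together with its settings to JSON, and a second function diffs a later pull against the saved file so a policy that vanished or lost settings shows up as MISSING or SHRUNK instead of as a “successful apply”. It assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), a caller holding DeviceManagementConfiguration.Read.All, and the beta endpoint, which is where configurationPolicies is served; the function names are my own.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and a caller with DeviceManagementConfiguration.Read.All.
# Function names (Get-GraphPages, Export-IntunePolicySnapshot,
# Compare-IntunePolicySnapshot) are hypothetical helpers, not SDK cmdlets.

function Get-GraphPages {
    # Follow @odata.nextLink until the collection is exhausted
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

function Get-SettingCount($settings) {
    if ($null -eq $settings) { 0 } else { @($settings).Count }
}

function Export-IntunePolicySnapshot {
    param([string]$OutFile = '.\intune-baselines-backup.json')
    $base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
    $snapshot = @(foreach ($p in (Get-GraphPages -Uri $base)) {
        [pscustomobject]@{
            id                = $p.id
            name              = $p.name
            platforms         = $p.platforms
            technologies      = $p.technologies
            templateReference = $p.templateReference
            # settings are a navigation property; fetch them per policy
            settings          = @(Get-GraphPages -Uri "$base/$($p.id)/settings")
        }
    })
    # -InputObject keeps a single policy serialised as a one-element array
    ConvertTo-Json -InputObject $snapshot -Depth 50 | Set-Content -Path $OutFile -Encoding UTF8
    return $snapshot
}

function Compare-IntunePolicySnapshot {
    # Report policies that vanished or lost settings since the saved snapshot
    param([string]$BaselineFile, [object[]]$Current)
    $saved = @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)
    $byId  = @{}
    foreach ($p in $Current) { $byId[$p.id] = $p }
    foreach ($old in $saved) {
        $new    = $byId[$old.id]
        $before = Get-SettingCount $old.settings
        $after  = if ($new) { Get-SettingCount $new.settings } else { 0 }
        $state  = if (-not $new) { 'MISSING' } elseif ($after -lt $before) { 'SHRUNK' } else { 'OK' }
        [pscustomobject]@{
            Policy = $old.name; Id = $old.id; State = $state
            SettingsBefore = $before; SettingsAfter = $after
        }
    }
}

# Usage: snapshot today, then on a later run pull again and compare.
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
# $today = Export-IntunePolicySnapshot -OutFile .\intune-baselines-backup.json
# $later = Export-IntunePolicySnapshot -OutFile .\intune-baselines-now.json
# Compare-IntunePolicySnapshot -BaselineFile .\intune-baselines-backup.json -Current $later |
#     Where-Object State -ne 'OK' | Format-Table
```

Run the export before you touch anything, and run the compare from a scheduled job: a drop in SettingsAfter is the signal the service itself never raises. The saved JSON also carries the full settingInstance bodies, which is what you need if you end up rebuilding a policy by hand.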

example OMA-URI (Policy CSP) for one of the Defender settings a baseline enforces:

./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem

also:

  • add Defender for Endpoint custom detection rules for devices whose expected CSP values are missing
  • check the PolicyManager registry (HKLM\SOFTWARE\Microsoft\PolicyManager\current) for values that have reverted
  • build Remediations (formerly Proactive Remediation) detection scripts so devices report drift on their own
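The detection half of such a Remediations script, as an added example and not code from the original post: it reads Policy CSP values straight from the PolicyManager registry (the Defender path quoted above among them), pulls the recent Event ID 813 entries from the MDM diagnostics channel, and exits 1 when anything expected is missing or drifted. The expected values are assumptions for illustration; substitute the settings your own baseline enforces.

```powershell
# Added example, not code from the original post. Detection script in the shape
# Intune Remediations expects: exit 0 = compliant, exit 1 = remediation needed.
# Runs as SYSTEM on the device. The expected values below are assumptions for
# illustration; replace them with the settings your own baseline enforces.

# Policy CSP values are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>
$Expected = @(
    # ./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem
    @{ Area = 'Defender'; Name = 'AllowIntrusionPreventionSystem'; Value = 1 }
    @{ Area = 'Defender'; Name = 'AllowRealtimeMonitoring';        Value = 1 }
    @{ Area = 'Defender'; Name = 'AllowCloudProtection';           Value = 1 }
)

function Test-PolicyCspValues {
    param([object[]]$Checks = $Expected)
    foreach ($c in $Checks) {
        $key    = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$($c.Area)"
        $props  = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($c.Name) } else { $null }
        $state  = if ($null -eq $actual) { 'MISSING' } elseif ($actual -ne $c.Value) { 'DRIFT' } else { 'OK' }
        [pscustomobject]@{
            Policy   = "$($c.Area)/$($c.Name)"
            Expected = $c.Value
            Actual   = $actual
            State    = $state
        }
    }
}

function Get-RecentPolicyManagerEvents {
    # The post's Event ID 813 is raised in the MDM diagnostics Admin channel
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 813
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}

$findings = @(Test-PolicyCspValues)
$bad      = @($findings | Where-Object State -ne 'OK')
$events   = @(Get-RecentPolicyManagerEvents)

# One compact line: this is what surfaces in the Remediations report column
Write-Output (@{
    Missing = @($bad | Where-Object State -eq 'MISSING').Policy
    Drift   = @($bad | Where-Object State -eq 'DRIFT').Policy
    Events  = $events.Count
} | ConvertTo-Json -Compress)

if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

Pair it with a remediation script that re-sets the same values, or simply let the exit 1 count in the Remediations report tell you which devices synced an empty baseline. Keep the check list in step with the snapshot you exported from Graph so the device-side view and the tenant-side view disagree only when something really changed.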

🧪 Secret weapon (private preview)

Microsoft quietly shipped a hidden restore cmdlet:

Restore-IntuneBaselineCustomization

this is in private preview only.

☑️ email your TAM with subject line: “BL-4815 Hotfix Enrollment Request”

TL;DR: Intune is powerful. but right now? dangerously fragile.

Microsoft promised “cloud-speed hardening.” what we got was “cloud-speed wipeout.”

  • no baseline versioning
  • no rollback logic
  • no delta-aware push model

Result: zero trust policies silently deleted. customers exposed. no alerts fired.

 
