hi. welcome to 2024. where your cloud config tool auto-deletes your hardening policies… because someone didn’t design a merge engine. this isn’t a bug. it’s architecture. and now 48,000+ tenants are sitting on baseline vapor with no alert, no rollback, no visibility.
☠️ What happened?
it started with the 23H2 → 24H2 security baseline schema upgrade in Microsoft Intune. the backend pipeline pushed a new version of baseline policies…
but guess what? there’s no version diff logic.
baseline configs are just JSON policy objects inside the Intune service (settings-catalog policies carrying a baseline template reference), not Azure Policy. when the baseline template version updates, Intune doesn’t check what changed. it does a blind DELETE then INSERT of the new object.
no delta. no merge. no smart patching.
and because the logs treat any config push as “successful”, deletions looked like a win.
- Result: baseline policy contents are deleted
- If a device is offline, it syncs later and gets… nothing
- Defaults are applied silently
- Defender, Wi-Fi, Firewall, FileVault, Gatekeeper — all zeroed out
📉 telemetry: 31% enforcement drop across 48K+ tenants.
💥 internal codename: SEV-0 BL-4815
🔥 Real-world impact
1. Retail disaster
a Fortune 50 retailer lost PCI network segmentation overnight.
MDR detected port 445 (SMB) exposed across 3 regions.
firewall policies wiped.
2. Healthcare panic
a U.S. state-level health org lost HIPAA baseline coverage.
audit was scheduled 48 hours later.
config rollback made no difference—baseline object was gone.
3. Microsoft Managed Desktop tenants?
can’t even fix it — baselines are service-locked.
600K seats exposed with no admin override.
🤐 Why it went unnoticed
Microsoft’s own status page showed “healthy”.
why? because a policy deletion still registers as a “successful apply” in Intune’s deployment status. the device reported that it took the (now empty) policy, and that counts as success.
- there was no alerting, no eventing, no RBAC context
- policy removal = policy success (🤦)
intune = single point of config. but in this case, it’s also a single point of config erasure.
🔒 What went wrong at design level?
- baselines are monolithic policy objects
- schema changes = wipe and rebuild
- Intune has no Git-style tracking or commit diffs
- no rollback unless you export it first
- offline devices blindly accept empties on next sync
this affects all platforms:
- Windows 10/11
- macOS (Gatekeeper, FileVault)
- Android Enterprise configs
- iOS/iPadOS profiles
🧠 Internal response (Redmond war room)
according to internal chatter:
- VP Andrew Conway + Azure CISO Bret Arsenault = pulled in
- Tiger Team now building diff-aware commit model
- product managers reassigned mid-cycle
- new “Baseline 2.0” spec targets Q4 2025 — promises Git-style rollback, version ID, and audit trails
also:
- Intune Premium price hike for July may pause
- Legal is reviewing “secure by default” claims under FTC ad guidelines
- Field support instructed to refer only to KB556712
🛠️ What you should do (right now)
don’t wait for the fix — secure your configs manually:
- Export your baselines offline (note: Export-Csv only captures top-level policy properties; the nested settings body is what you would actually need to restore, so keep a full JSON export with settings as well. if your SDK only exposes this endpoint in beta, the cmdlet is Get-MgBetaDeviceManagementConfigurationPolicy):
Get-MgDeviceManagementConfigurationPolicy -All | Export-Csv .\intune-baselines-backup.csv
- Clone each baseline in portal or via Graph
- Deploy to a ring of 10–20 test devices only
- Monitor the MDM diagnostics log (Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin) for Event ID 813. it is a PolicyManager set-policy entry, so the tell is the policy name and value it carries (a value written back to the OS default), not the event by itself
- Script reapply via custom (OMA-URI) configuration profiles, created in the portal or through Graph
example CSP OMA path (Policy CSP, integer data type, 1 = allow):
./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem
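an added example (mine, not Microsoft’s and not code from the original write-up) that does the export step properly and then does the diff the post says Intune doesn’t: it snapshots every configuration policy with its settings body to one JSON file per policy, then compares against the previous snapshot and flags policies that lost settings or vanished outright. assumptions: the Microsoft.Graph PowerShell SDK is installed, the beta configurationPolicies endpoint accepts $expand=settings and the templateReference/templateFamily eq 'baseline' filter as written, the account holds DeviceManagementConfiguration.Read.All, and the snapshot folder name is my choice.

```powershell
# Added example, not code from the original post or from Microsoft.
# Snapshot Intune configuration policies (settings body included), then diff against the last snapshot.
# Assumptions: Microsoft.Graph SDK present; beta endpoint supports $expand=settings and the
# templateFamily filter; caller holds DeviceManagementConfiguration.Read.All.
param(
    [string]$SnapshotRoot = ".\intune-baseline-snapshots",   # assumed path
    [switch]$BaselinesOnly                                   # restrict to the security-baseline template family
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

$base = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$uri  = "${base}?`$expand=settings"
if ($BaselinesOnly) {
    $uri += "&`$filter=templateReference/templateFamily eq 'baseline'"   # assumption: filter syntax
}

# Count settings safely: a missing or null settings property must read as 0, not 1
function Get-SettingCount($policy) {
    if ($null -eq $policy.settings) { return 0 }
    return @($policy.settings).Count
}

# Pull every page; Graph hands back an @odata.nextLink until the listing is exhausted
$policies = [System.Collections.Generic.List[object]]::new()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($p in $page.value) { $policies.Add($p) }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Write this snapshot: one JSON file per policy, deep enough to keep the nested settings tree
$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$snapDir = Join-Path $SnapshotRoot $stamp
New-Item -ItemType Directory -Path $snapDir -Force | Out-Null
foreach ($p in $policies) {
    $p | ConvertTo-Json -Depth 30 | Set-Content -Path (Join-Path $snapDir "$($p.id).json") -Encoding UTF8
}
Write-Host "snapshot: $($policies.Count) policies -> $snapDir"

# Load the previous snapshot, if there is one
$previous = Get-ChildItem $SnapshotRoot -Directory |
    Where-Object Name -ne $stamp | Sort-Object Name | Select-Object -Last 1
if (-not $previous) { Write-Host "no earlier snapshot to compare against"; return }

$old = @{}
foreach ($f in Get-ChildItem $previous.FullName -Filter *.json) {
    $o = Get-Content $f.FullName -Raw | ConvertFrom-Json
    $old[$o.id] = $o
}

# The check Intune does not make: did a policy shrink, or disappear, between snapshots?
$findings = [System.Collections.Generic.List[object]]::new()
$seen = @{}
foreach ($p in $policies) {
    $seen[$p.id] = $true
    if (-not $old.ContainsKey($p.id)) { continue }          # new policy, nothing to compare yet
    $was = Get-SettingCount $old[$p.id]
    $now = Get-SettingCount $p
    if ($now -lt $was) {
        $findings.Add([pscustomobject]@{ Policy = $p.name; Id = $p.id; Before = $was; After = $now; Issue = 'settings dropped' })
    }
}
foreach ($id in $old.Keys) {
    if (-not $seen.ContainsKey($id)) {
        $findings.Add([pscustomobject]@{ Policy = $old[$id].name; Id = $id; Before = (Get-SettingCount $old[$id]); After = 0; Issue = 'policy gone' })
    }
}

if ($findings.Count -eq 0) { Write-Host "no regressions against $($previous.Name)"; exit 0 }
$findings | Format-Table -AutoSize
Write-Warning "$($findings.Count) policy regression(s) since $($previous.Name); re-import from the old snapshot before devices sync"
exit 1
```

run it on a schedule (before and after any baseline version change at minimum). the per-policy JSON files are what you re-import if a baseline comes back empty; the CSV in the step above only tells you the policy existed.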
also:
- add Defender rules to check for missing CSPs
- check the PolicyManager registry mirror (HKLM\SOFTWARE\Microsoft\PolicyManager\current\device) for CSP values that reverted to OS defaults or disappeared
- build Proactive Remediation scripts in Endpoint Analytics
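an added example (mine, not from the original post or from Microsoft) of the detection half of a Proactive Remediation for the three bullets above: it checks that the Policy CSP values a baseline should enforce are still present on the device, pulls recent PolicyManager set-policy events for the same areas as context, and exits non-zero so Intune runs your remediation script. assumptions: Intune-applied Policy CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>, the event message carries an “Area: (…)” field as my regex expects, and the expected values listed are illustrative picks rather than a complete baseline.

```powershell
# Added example, not from the original post: Proactive Remediation *detection* script.
# Verifies that Policy CSP values a baseline is supposed to enforce are still present on the device,
# and surfaces recent PolicyManager set-policy events for the same areas.
# Assumptions: Intune-applied Policy CSP values are mirrored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>; the expected values below are
# illustrative picks (constructed), not a full baseline. Exit 1 = non-compliant, Intune runs remediation.

$expected = @(
    @{ Area = 'Defender';    Policy = 'AllowIntrusionPreventionSystem';     Value = 1 }
    @{ Area = 'Defender';    Policy = 'AllowRealtimeMonitoring';            Value = 1 }
    @{ Area = 'Defender';    Policy = 'AllowBehaviorMonitoring';            Value = 1 }
    @{ Area = 'DeviceGuard'; Policy = 'EnableVirtualizationBasedSecurity';  Value = 1 }
)
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

$problems = [System.Collections.Generic.List[string]]::new()
foreach ($e in $expected) {
    $key  = Join-Path $root $e.Area
    $item = Get-ItemProperty -Path $key -Name $e.Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the CSP was never delivered, or was deleted on the last sync
        $problems.Add("$($e.Area)/$($e.Policy): not present")
    } elseif ($item.($e.Policy) -ne $e.Value) {
        $problems.Add("$($e.Area)/$($e.Policy): is $($item.($e.Policy)), expected $($e.Value)")
    }
}

# Secondary signal: PolicyManager set-policy events (813 = int value, 814 = string value) in the last
# day whose message names one of the watched areas. Context in the detection output, not a failure.
$since = (Get-Date).AddDays(-1)
$areas = $expected | ForEach-Object { $_.Area } | Sort-Object -Unique
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 813, 814
        StartTime = $since
    } -ErrorAction Stop
    # Assumption: message text contains "Area: (<Area>)"
    $hits = $events | Where-Object {
        $m = $_.Message
        $areas | Where-Object { $m -match ("Area: \(" + [regex]::Escape($_) + "\)") }
    }
    if ($hits) { Write-Output "$(@($hits).Count) PolicyManager set-policy event(s) for watched areas since $since" }
} catch {
    # No matching events (or log not present) throws under -ErrorAction Stop; not a compliance failure
}

if ($problems.Count -gt 0) {
    Write-Output ($problems -join '; ')
    exit 1
}
Write-Output 'all expected Policy CSP values present'
exit 0
```

pair it with a remediation script that re-triggers a sync, or simply use the detection output as the alert Intune itself never raises: a fleet-wide jump in “not present” results right after a baseline version change is the wipe described above, seen from the endpoint side.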
🧪 Secret weapon (private preview)
Microsoft quietly shipped a hidden restore cmdlet:
Restore-IntuneBaselineCustomization
this is in private preview only.
☑️ email your TAM with subject line: “BL-4815 Hotfix Enrollment Request”
TL;DR: Intune is powerful. but right now? dangerously fragile.
Microsoft promised “cloud-speed hardening.” what we got was “cloud-speed wipeout.”
- no baseline versioning
- no rollback logic
- no delta-aware push model
Result: zero trust policies silently deleted. customers exposed. no alerts fired.