Microsoft Intune
Core concepts
security baseline profile: Microsoft-recommended policy template per OS
settings catalog: fine-grained endpoint hardening and compliance settings
assignment: target baseline to device groups or users
filters: include/exclude by platform, model, or enrollment state
scope tags: delegate administration by business unit
compliance report: track passed/failed baseline settings per device
Baseline rollout flow
1. Create baseline policy (Endpoint security)
2. Import custom settings (from SCT backup)
3. Assign to pilot group (ring 0)
4. Review device check-in results
5. Expand to production rings
6. Monitor drift and remediate
Admin actions
1. Endpoint security > Security baselines: create policy
2. Assign baseline to Azure AD group: target devices
3. Use assignment filters where needed: scope control
4. Check Device status / Per-setting status: validate rollout
5. Export report for exceptions: governance
Common policy areas
Microsoft Defender settings
BitLocker and encryption
Firewall profiles
Credential Guard / LSA
UAC and local policies
Attack surface reduction rules
Windows Update for Business
Device compliance policy linkage
Enforcement lifecycle
Define -> Pilot -> Enforce -> Audit

Define: translate SCT recommendations to Intune profile
Pilot: assign to test group and monitor stability
Enforce: expand in phased rings
Audit: review exceptions, update baseline versions
Microsoft Security Compliance Toolkit
Core concepts
baseline package: versioned recommendations for Windows security
GPO backups: starter policy set for Group Policy import
policy analyzer: compare effective settings across baselines
documentation workbook: explains setting rationale and tradeoffs
version alignment: match toolkit release to your OS build
custom delta: track org-specific deviations from default baseline
Engineering workflow
Acquire: download latest SCT package for target OS
Review: inspect spreadsheet and implementation notes
Compare: use Policy Analyzer to diff against current baseline
Adapt: apply approved org exceptions and hardening deltas
Publish: produce import-ready package for Intune and lab tests
Baseline manifest (example)
{
  "baselineName": "Windows 11 Security Baseline",
  "source": "Microsoft SCT 24H2",
  "settings": [
    { "path": "Defender/ASR",
      "value": "Block Office child process" },
    { "path": "BitLocker/SystemDrive",
      "value": "Require TPM + PIN" }
  ],
  "exceptions": ["VDI kiosk OU"],
  "owner": "Security Engineering"
}
Toolkit components
Security baselines package
GPO backup templates
Policy Analyzer
LGPO tooling
Workbook spreadsheets
Release notes and FAQs
Governance checklist
Map baseline to asset tiers
Document each deviation
Track owner and approver
Version in source control
Run regression tests in VM lab
Publish rollback package
Virtual Machine Testing Environment
Core concepts
golden image: clean OS snapshot for repeatable test runs
test rings: pilot, business apps, high-risk workloads
snapshot checkpoint: rollback quickly after failed policy test
validation script: automated checks for expected baseline state
app compatibility: confirm line-of-business apps remain functional
evidence capture: collect logs/screenshots for change approval
Hyper-V lab quick start
1. Create isolated virtual switch
2. Provision baseline candidate VM
3. Join test tenant / enroll into Intune
4. Apply pilot baseline assignment
5. Run validation and app smoke tests
6. Snapshot pass/fail artifacts
Validation dimensions
security: settings applied as expected with no drift
usability: no unacceptable end-user friction
performance: startup/login overhead within thresholds
operations: helpdesk workflows still workable
rollback: proven recovery path from checkpoint
Artifacts to store
Test case matrix
Intune device status exports
Event log bundles
Compatibility notes
Exception requests
Rollback instructions
End-to-end baseline path
Use SCT to define settings, validate in VM lab, then enforce through Intune rings.
SCT Define -> VM Validate -> Intune Enforce -> Compliance