
With Intune service release 2603, the security baseline for Windows 11 25H2 is now available. Nine settings have changed; existing 24H2 profiles are not updated automatically and become read-only. This article explains which two settings need the most attention and how to complete the migration in four steps.
Microsoft regularly releases updated security baselines for Windows devices managed via Intune. With Intune service release 2603, published in April 2026, the security baseline for Windows 11 version 25H2 became available. The baseline contains nine changes compared to its 24H2 predecessor — four new settings, three updated settings, and two removed settings. The critical point: existing profiles do not automatically update. Anyone unaware of this and taking no action quietly falls behind the recommended security configuration.
This article covers what changes concretely, why two specific settings deserve particular attention, and the four steps IT teams should take over the coming weeks to bring their Windows 11 devices onto the current baseline.
A security baseline in Intune is a collection of pre-configured settings representing Microsoft's recommended security configuration for Windows devices. The settings span a wide range of components: BitLocker disk encryption, Windows Defender configuration, firewall rules, account policies, audit logging, and protocols such as NetBIOS and SMB. The baseline provides a solid starting point for organisations that want to strengthen their endpoint security without having to assemble every setting manually.
Baselines are version-specific: each Windows version has its own baseline. When Microsoft releases an updated version, IT teams are well-advised to adopt it — but the system does not enforce this. Existing profiles remain active but are not automatically updated to the new version.
That is precisely the issue IT teams are now encountering. With the arrival of the 25H2 baseline, the 24H2 profiles in Intune have been set to read-only. You can still view them, and they continue to apply to already assigned devices, but editing is no longer possible. New devices cannot be added to a read-only profile. Anyone who wants to provision new Windows 11 devices with a security baseline must do so via a new 25H2 profile.
The risk is not that your existing configuration immediately stops working. The risk is that you quietly fall behind: outdated settings, no access to new recommendations, and no ability to adjust the profile when circumstances change. For organisations actively using Intune for security management, this is a moment to act.
Of the nine changed settings, two deserve extra attention due to their potential impact on day-to-day operations. Both are deliberate and recommended security steps, but they require preparation.
The first is disabling NetBIOS on all network adapters, including those connected to private and domain networks. NetBIOS is a legacy name-resolution protocol that should no longer have an active role in modern environments where DNS is fully deployed. The protocol is also a well-known attack vector: attackers exploit NetBIOS and the related LLMNR protocol for poisoning attacks in which network credentials can be intercepted. Disabling NetBIOS is the right security decision. The caveat: if your environment still contains applications or devices that are reached exclusively via NetBIOS — older file servers, legacy printers, or certain ERP systems — disabling it can cause connectivity issues. Always test this setting in a pilot group before rolling it out broadly.
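A pilot-group check for this setting, written as an added example and not part of the original article: it reports the NetBIOS-over-TCP/IP state of every IP-enabled adapter and then tests a list of hostnames to see which ones resolve only through LLMNR/NetBIOS rather than DNS. The hostnames in `$HostsToCheck` are constructed placeholders; replace them with the server, printer and application names your environment actually uses.

```powershell
# Added example: find hostnames that will stop resolving once NetBIOS is disabled.
# $HostsToCheck is a constructed placeholder list, not taken from the article.
$HostsToCheck = @('legacy-fileserver', 'print-01', 'erp-app')

# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#   0 = use DHCP setting, 1 = enabled, 2 = disabled (the baseline target state)
$nbState = @{ 0 = 'DHCP default'; 1 = 'Enabled'; 2 = 'Disabled' }
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ n = 'NetBIOS'; e = { $nbState[[int]$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

# For each name, resolve via DNS only and then via LLMNR/NetBIOS only.
# A name that fails the first lookup but succeeds the second depends on NetBIOS
# and needs a DNS record (or a fix in the application) before the rollout.
foreach ($name in $HostsToCheck) {
    $dns = Resolve-DnsName -Name $name -DnsOnly -ErrorAction SilentlyContinue
    $nb  = Resolve-DnsName -Name $name -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host          = $name
        ResolvesByDns = [bool]$dns
        NetBiosOnly   = (-not $dns) -and [bool]$nb   # true = will break after the change
    }
}
```

Run it on a pilot device while the 24H2 profile is still applied, so the LLMNR/NetBIOS lookup path is still available for comparison.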
The second high-risk setting is the inclusion of command-line arguments in process creation events under Windows Security auditing. When Windows event 4688 — the creation of a new process — is logged, the log entry now also contains the full command line used to start that process. This is valuable detection information: attackers abusing PowerShell, running obfuscated scripts, or invoking credential-theft tools leave a recognisable trail in the process creation logs. The trade-off is that log volume increases. For organisations with a SIEM environment, this is generally manageable and strongly recommended. Those without central log monitoring will see the Windows Security event log grow and will need to adjust their retention configuration.
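An added example, not code from the article, that a pilot device can run after the profile applies: it confirms the command-line audit setting has landed (the registry value named below is where Windows stores it, an assumption stated here rather than taken from the page), parses the last 24 hours of 4688 events by field name, flags command lines worth a second look, and reports the Security log size so retention can be planned. The `$watch` pattern list is a constructed starting point, not a complete detection rule.

```powershell
# Added example: verify 4688 command-line logging and sample its output on a pilot device.
# Requires an elevated session, since the Security log is admin-only.

# Windows stores the baseline setting here (1 = include command line in 4688).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
"Command line in 4688: $(if ($cmdLine -eq 1) { 'enabled' } else { 'NOT enabled' })"

# Pull the last 24h of process creation events and parse EventData by field name,
# because the order of <Data> elements is positional in the raw XML.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['SubjectUserName']
        Parent      = $d['ParentProcessName']
        Process     = $d['NewProcessName']
        CommandLine = $d['CommandLine']   # empty until the audit setting is active
    }
}

# Constructed watch list: PowerShell encoding/hiding and in-memory download patterns.
$watch = 'EncodedCommand|-enc |WindowStyle Hidden|DownloadString|IEX'
$rows | Where-Object { $_.CommandLine -match $watch } |
    Format-Table Time, User, Parent, Process, CommandLine -Wrap

# Volume figures for the retention discussion: events per day and current log size.
$log = Get-WinEvent -ListLog Security
"4688 events in 24h: $($rows.Count); Security log: {0:N0} MB of {1:N0} MB max" -f `
    ($log.FileSize / 1MB), ($log.MaximumSizeInBytes / 1MB)
```

Compare the 24-hour event count before and after the profile applies; the difference in bytes per day is the number to size SIEM ingestion or the local log maximum against.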
Microsoft recommends against a direct in-place update of an existing profile, instead favouring a controlled migration via a new profile. The following four steps give a safe transition.
Step one: create a new profile in Intune based on the Windows 11 25H2 baseline via Endpoint Security > Security Baselines. Give the profile a name that includes the version, so you can distinguish it later. Do not yet assign the profile to production devices.
Step two: review all nine changed settings and assess whether the new value applies to your specific environment. Focus on the two high-risk settings: NetBIOS disabling and process creation logging. Only adjust settings if you have a demonstrable reason that deviates from the Microsoft recommendation.
Step three: assign the new profile to a pilot group of ten to fifteen devices, ideally spread across different roles and application types. Monitor for one to two weeks whether applications and network connections continue to work without disruption, particularly in environments that may still depend on NetBIOS.
Step four: after a successful pilot, expand the 25H2 profile to production groups and simultaneously remove the 24H2 profile from migrated devices. Never run both profiles simultaneously on the same device — conflicting settings can cause unexpected behaviour that is difficult to diagnose.
In addition to the Windows 11 baseline, Microsoft released an updated Edge security baseline in June 2026 with new settings and revised defaults. The same migration logic applies: existing Edge baseline profiles are not automatically updated. If you have an Edge security baseline deployed in Intune, run the same four migration steps for your Edge profiles. Review which settings have been added or changed before rolling out broadly.
Three focused checks for the next two weeks. First check: open the Intune portal and navigate to Endpoint Security > Security Baselines. Verify which version of the Windows security baseline is active on your devices. If you see the 24H2 version or older, migration to 25H2 is the priority. Second check: inventory whether your environment contains applications or network devices that depend on NetBIOS for name resolution — this is the most critical variable for a smooth migration. Third check: verify the log capacity of your SIEM or Windows Event Log storage if you activate process creation logging, and adjust the retention period as needed.
The Windows 11 25H2 security baseline requires no sweeping changes, but it does demand active attention and a structured approach. Waiting until a new device can no longer receive a baseline profile, or until a setting is no longer editable, means solving a problem that could have been prevented. Want support migrating your Intune security baselines, or setting up process audit logging in your security environment? Contact Zarioh for a technical conversation.