Hi Swift,
Applying the Windows security baseline “as-is” almost always causes friction because it’s designed for maximum security, not usability. The best practice is to treat the baseline as a reference point, not a drop-in configuration. Start by importing the baseline into Group Policy or Intune, then layer in exceptions for business-critical workflows such as Office macros, line-of-business apps, or legacy authentication. Microsoft explicitly recommends customizing baselines to align with organizational risk tolerance, and maintaining a separate test OU or pilot group before broad deployment. In practice, most enterprises keep 80–90% of the baseline intact but relax settings around application control, scripting, and user experience blockers. The key is to document every deviation so you can justify it during audits and revisit it when workflows evolve.
If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Harry.
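One way to check that every deviation from the baseline is documented and reviewed, as the answer above advises. This is an added example, not part of the original answer and not a Microsoft tool. The setting names, values and the register layout are constructed assumptions, not real baseline entries.

```python
from datetime import date

# Constructed sample data: names and values are illustrative, not real baseline settings.
BASELINE = {
    "MacroExecution": "Blocked",
    "ScriptHostEnabled": "0",
    "LegacyAuthAllowed": "0",
    "ScreenLockTimeoutSec": "900",
    "SmartScreenEnabled": "1",
}
DEPLOYED = {
    "MacroExecution": "SignedOnly",
    "ScriptHostEnabled": "1",
    "LegacyAuthAllowed": "0",
    "ScreenLockTimeoutSec": "900",
    "SmartScreenEnabled": "1",
}
# Hypothetical deviation register: one entry per approved exception.
REGISTER = {
    "MacroExecution": {"owner": "finance-it", "reason": "signed LOB macros",
                       "review_by": date(2024, 1, 31)},
    "LegacyAuthAllowed": {"owner": "infra", "reason": "legacy scanner",
                          "review_by": date(2030, 1, 1)},
}

def audit(baseline, deployed, register, today):
    """Classify each baseline setting against the deployed value and the register."""
    report = {"undocumented": [], "overdue": [], "stale": [], "missing": []}
    deviating = 0
    for name, expected in baseline.items():
        if name not in deployed:
            report["missing"].append(name)      # baseline setting not applied at all
            deviating += 1
            continue
        if deployed[name] == expected:
            if name in register:
                report["stale"].append(name)    # exception recorded but no longer in effect
            continue
        deviating += 1
        entry = register.get(name)
        if entry is None or not entry.get("reason") or not entry.get("owner"):
            report["undocumented"].append(name)  # cannot be justified in an audit
        elif entry["review_by"] < today:
            report["overdue"].append(name)       # justified once, review date has passed
    report["intact_pct"] = round(100 * (len(baseline) - deviating) / len(baseline))
    return report

if __name__ == "__main__":
    print(audit(BASELINE, DEPLOYED, REGISTER, date(2025, 1, 1)))
```

In practice the two dictionaries would be filled from an export of the baseline and of the policy actually deployed to the pilot group.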