Modules
Golden Master Policies
Define customer security baselines, assign them and detect configuration drift.
Purpose
A Golden Master Policy represents an expected security baseline: Intune, Defender, Entra, Windows compliance, encryption, MFA or a custom control.
Practical workflow
Create a policy, set platform and severity, assign it to customers, monitor drift, route critical events and document remediation.
Controls and validation
Validate assignments, drift counts, severity, owner, alert route and remediation notes. Start in monitor mode before enforcing anything.
Security and compliance
Automatic enforcement must be introduced carefully with customer validation, minimal permissions, rollback and complete audit.
Common mistakes
A policy without owner or remediation path becomes shelfware. A policy enforced too early can break a customer environment.
Current views and usage
Golden Master is split into Overview, Library and Builder. Overview tracks assignments, results, warnings and recommendations. Library lists created policies, metadata, severity and usage. Builder creates or edits a policy, including default system policies when an administrator wants to adapt them to the MSP standard.
A good GMP must be assignable, unassignable, removable when no longer relevant, documented and tested in monitor mode before enforcement. Recommended examples cover admin MFA, BitLocker, Defender Tamper Protection, Intune compliance, unsigned macro blocking, Edge baseline and legacy method disablement.