
Free Excel template · Endpoint Management

Compliance Baseline Configuration Profile

A working spreadsheet for defining and scoring your endpoint security baseline against a recognized standard (CIS Benchmarks / Microsoft & Apple security baselines). The Baseline tab lists hardening controls — disk encryption, password policy, firewall, screen lock, OS patch level, EDR, account lockout, and more — each with a target value and your current status. A live compliance score and pass/fail summary tell you exactly where the fleet drifts from policy. Start on the Instructions tab.

  • Instructions
  • Settings
  • Baseline
  • Scorecard

What it is

A Compliance Baseline Configuration Profile is a working spreadsheet for defining your endpoint security baseline against a recognized standard, then scoring how far your fleet has drifted from it. The Baseline tab lists hardening controls (disk encryption, OS patch level, password policy, firewall, screen lock, EDR, account lockout, and more), each with a target value, a weight, and a status you mark 1 if the control is enforced fleet-wide and verified, or 0 if it is not. A weighted score, a running total, and a live Scorecard update as you fill it in, turning an abstract notion of 'are we hardened' into a single compliance percentage with a clear pass or fail verdict.

The profile is explicitly mapped to the settings you would push through a UEM or MDM configuration profile (Intune, Jamf, Workspace ONE) and audited against a standard like the CIS Benchmarks or the Microsoft and Apple security baselines. The Settings tab lets you record which standard you are measuring against (for example CIS Benchmark Level 1), the platform (Windows 11 and macOS), and the pass threshold, defaulted to 90 percent, that drives the verdict. The Scorecard tab then computes total possible weight, achieved weighted score, the compliance percentage, your headroom versus the threshold, and a plain YES or NO on whether the fleet meets your bar.

What makes this more than a static document is the weighting and live scoring. Not every control matters equally: disk encryption with an escrowed recovery key carries more weight than a minor setting, so the score reflects real risk rather than a flat checkbox count. Because the spreadsheet recalculates as you change a status from 0 to 1, it doubles as both a planning tool, showing which gaps would most improve your score, and an ongoing measurement of baseline drift you can revisit each quarter as your hardening matures and you tighten the threshold.

What it's used for

Teams use a baseline configuration profile to make endpoint hardening measurable, turning a long list of security settings into a single, defensible compliance score. It supports a focused set of jobs:

  • Defining what 'compliant' means for the fleet by listing the hardening controls (encryption, patch level, password policy, firewall, screen lock, EDR, account lockout), each with an explicit target value drawn from a standard like CIS.
  • Scoring current reality against the baseline by marking each control 1 (enforced and verified fleet-wide) or 0 (not), so the gap between policy and practice becomes a concrete number rather than a vague worry.
  • Weighting controls by risk so the score reflects what actually matters (disk encryption with escrowed keys counts more than a minor setting) instead of treating every control as equal.
  • Recording the standard and platform you are measuring against (CIS Benchmark Level 1, Windows 11 and macOS) so the baseline is anchored to a recognized reference rather than internal opinion.
  • Setting a pass threshold (defaulted to 90 percent) that drives a clear YES or NO verdict on whether the fleet meets your bar, and showing your headroom or shortfall against it.
  • Identifying the highest-impact remediation: because the score is weighted and live, you can see which 0-status controls would most improve compliance if you closed them next.
  • Tracking baseline drift over time by re-scoring each quarter and tightening the threshold as hardening matures, turning the profile into an ongoing measurement rather than a one-off audit.

Who uses it

A scored baseline profile is the shared language between the people who set security policy, the people who enforce it, and the people who audit it. Each role uses the spreadsheet differently:

  • Security Engineers / SecOps: They define the control list and target values against CIS or vendor baselines, set the weights to reflect real risk, and own the score as the measure of fleet hardening.
  • Endpoint / MDM Administrators: They map each control to a UEM configuration profile in Intune, Jamf, or Workspace ONE, and update the status as they enforce and verify controls fleet-wide.
  • Compliance / GRC teams: They use the scored profile as audit evidence, demonstrating the baseline is defined, measured against a standard, and tracked against a threshold over time.
  • CISO / IT Director: They read the single compliance percentage and YES/NO verdict to understand posture at a glance and to set the pass threshold the fleet is judged against.
  • IT Project / Hardening Leads: They use the weighted, live score to prioritize remediation, targeting the 0-status controls that would most improve compliance per unit of effort.
  • Auditors / Assessors: They read the Settings and Scorecard tabs to confirm the baseline is anchored to a recognized standard and that drift is being measured rather than assumed away.

Context & good to know

The hard part of endpoint hardening is not knowing the controls (those are well documented in the CIS Benchmarks and vendor baselines) but knowing how completely they are actually enforced across a real, messy fleet. Organizations routinely have a hardening policy on paper while the live configuration tells a different story: encryption enforced on most devices but not all, EDR deployed but unhealthy on a subset, a firewall rule that drifted off. A scored baseline profile exists to close that gap between the policy and the practice, replacing 'we're mostly hardened' with a number you can defend and improve.

Weighting is what makes the score meaningful rather than cosmetic. A flat checklist treats disabling an obscure setting as equal to enforcing disk encryption with an escrowed recovery key, which badly misrepresents risk. By assigning weights, the profile lets a small number of high-value controls dominate the score the way they dominate real exposure, so a fleet that nails encryption, EDR, and patching scores well even with minor gaps, while one that misses a critical control cannot hide behind a long tail of trivial passes. The pass threshold then converts the weighted score into the binary leadership and auditors actually want: does the fleet meet the bar or not.

This profile is the measurement half of a hardening program whose action half is the hardening checklist, and it draws its live data from the same place an asset inventory does. The checklist tells you which controls to enforce; the baseline profile tells you how far you have gotten and where to push next; the asset inventory proves the coverage device by device. Because the spreadsheet is tool-agnostic, it sits cleanly above Intune, Jamf, Kandji, or any UEM, and because it recalculates live, it turns the quarterly question 'are we still hardened' from a guess into a re-scored, evidenced answer that you can watch improve as you tighten the threshold over time.

✓ Independent · vendors can't pay to rank

Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 13 endpoint management software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is a compliance baseline configuration profile?

It is a structured way to define your endpoint security baseline (the set of hardening controls each device should meet) and score your fleet against it. Each control has a target value, a weight reflecting its importance, and a status (enforced or not). The spreadsheet computes a weighted compliance percentage and a pass or fail verdict against your threshold, turning hardening from a vague aspiration into a measurable number anchored to a standard like CIS.

What is a security baseline in endpoint management?

A security baseline is the agreed minimum secure configuration every managed device must meet, covering controls like disk encryption, OS patch level, password policy, firewall, screen lock, EDR, and account lockout. It is typically derived from a recognized standard such as the CIS Benchmarks or Microsoft and Apple security baselines and pushed through a UEM configuration profile. The baseline defines 'compliant'; the scored profile measures how close reality is.

What are CIS Benchmarks?

CIS Benchmarks are consensus-developed, widely recognized configuration standards for securely hardening operating systems and software, published by the Center for Internet Security. They specify concrete settings, for example password length or firewall posture, at defined rigor levels (such as Level 1 for a practical baseline). This profile lets you record which CIS level you are measuring against and score your fleet's controls toward it.

Why are controls weighted in the baseline?

Because not all controls carry equal risk. Disk encryption with an escrowed recovery key matters far more than a minor cosmetic setting, so the profile assigns each control a weight. The compliance score is then weighted, reflecting real exposure rather than a flat checkbox count. This prevents a fleet from looking compliant by passing many trivial controls while missing a critical one, which a simple checklist would obscure.

How is the compliance score calculated?

Each control's weighted score is its weight multiplied by its status (1 if enforced and verified, 0 if not). The Scorecard sums achieved weighted score against total possible weight and computes a compliance percentage. It then compares that percentage to your pass threshold, showing your headroom or shortfall and a plain YES or NO verdict. Everything recalculates live as you change a control's status.
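The calculation described above, as an added Python example rather than the template's own formulas. It also derives each control's 0/1 status from per-device verification results and ranks the open gaps by the percentage points each would add; the control names, weights and device records are constructed assumptions.

```python
"""Weighted baseline scorecard (added example; control names, weights and
device data are constructed, not taken from the template)."""

# Constructed per-device verification results: control -> {device: passed?}
FLEET = {
    "disk_encryption_escrowed": {"win-01": True, "win-02": True, "mac-01": True},
    "edr_healthy":              {"win-01": True, "win-02": False, "mac-01": True},
    "os_patch_level":           {"win-01": True, "win-02": True, "mac-01": True},
    "firewall_on":              {"win-01": True, "win-02": True, "mac-01": True},
    "screen_lock":              {"win-01": True, "win-02": True, "mac-01": False},
}
# Constructed weights: high-value controls dominate the score.
WEIGHTS = {"disk_encryption_escrowed": 10, "edr_healthy": 8,
           "os_patch_level": 8, "firewall_on": 5, "screen_lock": 3}


def control_status(results):
    """1 only if the control is verified on every device, else 0."""
    return 1 if results and all(results.values()) else 0


def scorecard(fleet, weights, threshold_pct=90.0):
    if set(fleet) != set(weights):
        raise ValueError("every control needs both a weight and device results")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    status = {c: control_status(r) for c, r in fleet.items()}
    total = sum(weights.values())
    achieved = sum(weights[c] * status[c] for c in weights)
    pct = 100.0 * achieved / total
    # Gaps ranked by the percentage points each would add if closed.
    gaps = sorted(((c, round(100.0 * weights[c] / total, 1),
                    sorted(d for d, ok in fleet[c].items() if not ok))
                   for c in weights if status[c] == 0),
                  key=lambda g: -g[1])
    return {"total_weight": total, "achieved": achieved,
            "compliance_pct": round(pct, 1),
            "headroom_pct": round(pct - threshold_pct, 1),
            "meets_bar": "YES" if pct >= threshold_pct else "NO",
            "gaps": gaps}


if __name__ == "__main__":
    for key, value in scorecard(FLEET, WEIGHTS).items():
        print(f"{key}: {value}")
```

With this sample data a flat checkbox count would read 3 of 5 controls passing, while the weighted score shows that the single unhealthy EDR agent is the gap that decides the verdict.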

What pass threshold should I set?

The template defaults to 90 percent, a common bar for a managed fleet, and recommends tightening it as your hardening matures. The threshold drives the verdict on the Scorecard: at or above it, the fleet passes; below it, it fails. There is no universal number; set it to a level that is honest about your risk tolerance and current capability, then raise it over time as you close gaps.

How does this relate to a UEM or MDM configuration profile?

The baseline maps directly to the settings you push through a UEM or MDM configuration profile in Intune, Jamf, or Workspace ONE. The spreadsheet is the policy-and-measurement layer: it defines the target values and scores enforcement, while the MDM profile is the mechanism that actually applies those settings to devices. You use the profile to decide what to enforce, then verify in the MDM that each control is live before marking its status 1.

How often should I re-score the baseline?

Re-score regularly (quarterly is a common cadence) because baselines drift as devices change, software updates settings, and new machines enroll. Because the spreadsheet recalculates live, re-scoring is quick and shows whether your compliance percentage is improving or slipping. Many teams also tighten the pass threshold at each review as their hardening matures, so the bar rises alongside their capability.

What is the difference between this profile and a hardening checklist?

The hardening checklist is the action list: the controls you push through your MDM to secure each device. The baseline configuration profile is the measurement counterpart, scoring how completely those controls are enforced across the fleet and against a standard. The checklist tells you what to do; the scored profile tells you how far you have gotten and which gaps to close next for the biggest improvement.

Can I use this profile across Windows and macOS?

Yes. The Settings tab lets you record the platform, for example Windows 11 and macOS, and the controls (encryption via BitLocker or FileVault, patch level, EDR, firewall, screen lock) apply across both with platform-appropriate target values. CIS publishes benchmarks for multiple operating systems, so you can anchor a mixed-fleet baseline to the relevant standard for each platform while scoring overall compliance in one place.
