
How to Customize Endpoint Security Settings in Microsoft Intune

In this article, I’m going to show you how to customize endpoint security settings in Microsoft Intune. This includes how to change security baseline settings, how to make sure devices are running a specific operating system version (or later), and how to configure Windows and iOS disk encryption settings.

Microsoft provides a series of recommended security baseline settings. But depending on your organization’s needs, it may be necessary to review and change the settings to ensure that devices and data are properly secured.

Additionally, you should configure Intune to automatically update Windows and make sure that devices aren’t running an outdated version of an operating system. Finally, configure disk encryption and Mobile Application Management settings to make sure data is protected on mobile devices.

What you need to know:


  • The default recommended security baseline settings can be changed under Endpoint Security in the Endpoint Manager portal.
  • And you can ensure that Windows is updated automatically by going to Devices > Windows > Windows 10 update rings in the Endpoint Manager portal.
  • Ensuring Windows is running a specific version or later can be achieved by changing the settings under Devices > Home.
  • Windows disk encryption configuration can be set by creating a new profile and then changing the settings under Windows Encryption.
  • Mobile Application Management settings can further help protect data on mobile devices.

Recommended security settings

Similar to Conditional Access policies, Microsoft provides you with some baseline Endpoint security policies, as seen here. These are the recommended security settings; however, you may customize them to your organization’s requirements.

Customize a security baseline in Microsoft Endpoint Manager (Intune)

To use the settings, you must select one of the policies and then create a profile. The profile should then be assigned to users or groups as needed. You can create multiple profiles and assign them to different groups or to all users.

Customize a security baseline in Microsoft Endpoint Manager (Intune)

Now you can assign users or groups.

Assign users or groups in Microsoft Endpoint Manager (Intune)

Ensure updates are deployed automatically to endpoints

All devices should be updated automatically. This helps you keep devices compliant. This can be defined as follows:

  • In the Endpoint Manager portal go to Devices > Windows > Windows 10 update rings. Here you must create a new profile.
  • On the next page, name the profile.
  • Finally you get to configure the Windows update settings for the devices.

Configure Windows update settings in Microsoft Endpoint Manager (Intune)

Update all Windows 10 machines to a specific version

Apart from having the right OS, it’s also important to standardize the OS version on each machine. You can achieve uniformity in the Windows 10 OS version installed on all devices.

Follow the path shown in the screenshot here. The Feature update to deploy field is the OS version that will be installed on all the selected machines.

Configure Windows update settings in Microsoft Endpoint Manager (Intune)

iOS version policy

It’s important to have a policy in place to handle iOS devices too. The screenshot here showcases a new policy, where a specific version of iOS is defined for all iOS-based devices. The location for this is Devices > Update policies for iPadOS/iOS.

Configure iOS version policy settings in Microsoft Endpoint Manager (Intune)

On the next page you must select the users or groups that this policy will apply to.

Devices must be encrypted

BitLocker should be used to encrypt all your Windows 10 machines. In the Endpoint Manager portal, go to Devices > Configuration profiles > Create Profile. In the new profile, define your settings under Windows Encryption.

Configure Windows BitLocker disk encryption settings in Microsoft Endpoint Manager (Intune)

You can also configure a similar policy to control iPad and iOS devices.
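Once the update ring and the Windows Encryption profile above have been assigned, you will want to confirm that enrolled devices actually meet them. The following PowerShell is an added example, not from the article or from Microsoft: it evaluates Windows devices against a minimum OS build (or later) and a BitLocker requirement. The objects are shaped like Microsoft Graph managedDevice records (deviceName, operatingSystem, osVersion, isEncrypted are properties of that resource); the device list below is constructed so the script runs offline, and the function name Test-EndpointBaseline is my own.

```powershell
# Added example: audit Intune-managed Windows devices for the two requirements
# described above (minimum OS version or later, disk encrypted with BitLocker).
function Test-EndpointBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [version]  $MinimumWindowsVersion
    )
    foreach ($d in $Devices) {
        # iOS/iPadOS devices are governed by their own update policy; skip them here.
        if ($d.operatingSystem -ne 'Windows') { continue }

        $findings = @()
        $parsed = $null
        if (-not [version]::TryParse([string]$d.osVersion, [ref]$parsed)) {
            $findings += "unparseable osVersion '$($d.osVersion)'"
        } elseif ($parsed -lt $MinimumWindowsVersion) {
            $findings += "OS build $parsed is below required $MinimumWindowsVersion"
        }
        # isEncrypted is what the device reported at last check-in, not a live probe.
        if (-not $d.isEncrypted) { $findings += 'disk not encrypted (BitLocker)' }

        [pscustomobject]@{
            DeviceName = $d.deviceName
            OsVersion  = $d.osVersion
            Encrypted  = [bool]$d.isEncrypted
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed sample data. In a tenant you would instead pull real records with:
#   Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All
#   $devices = Get-MgDeviceManagementManagedDevice -All
$devices = @(
    [pscustomobject]@{ deviceName='LAPTOP-01'; operatingSystem='Windows'; osVersion='10.0.19045.3693'; isEncrypted=$true  }
    [pscustomobject]@{ deviceName='LAPTOP-02'; operatingSystem='Windows'; osVersion='10.0.18363.1977'; isEncrypted=$true  }
    [pscustomobject]@{ deviceName='LAPTOP-03'; operatingSystem='Windows'; osVersion='10.0.19045.3693'; isEncrypted=$false }
    [pscustomobject]@{ deviceName='IPAD-01';   operatingSystem='iOS';     osVersion='16.6';            isEncrypted=$true  }
)

# Windows 10 22H2 is build 19045; LAPTOP-02 (build 18363, version 1909) and
# the unencrypted LAPTOP-03 are the two devices reported as non-compliant.
Test-EndpointBaseline -Devices $devices -MinimumWindowsVersion '10.0.19045.0' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Devices that show up here after the policies have had time to apply are the ones to investigate, since the Intune policy was assigned but the device has not reported the expected state.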

Protect your corporate data using application protection policies

End users access corporate data on organization-owned mobiles or on their personal devices. It’s critical to ensure that corporate data doesn’t leak. Because Mobile Application Management (MAM) policies are tied to the user’s identity rather than to device enrollment, you can safeguard data on both managed and unmanaged mobile devices.

Application protection policies (APP) can be applied to all apps running on mobile platforms. You should configure APP for both iOS and Android devices.

APP for Android mobile devices
APP for iOS mobile devices

The settings in these policies can be used to enforce disk encryption; disable saving copies of data; restrict cut, copy, and paste operations between apps; block screen capture; and require a PIN to access specific apps.

Once you have configured all the settings above to suit your organization’s needs, you can be sure that you have a more secure mobile workforce, that devices are less likely to be compromised, and data is better protected.

Vignesh hails from the city of Pune in India. He has been working in the IT industry for the past 10 years. His main areas of focus are Microsoft 365, Exchange Online, PowerShell, Teams, SharePoint, and Microsoft 365 Security. Follow him on Twitter for the latest on Microsoft 365 @vignesh_mudliar and www.linkedin.com/in/vignesh-mudliar-86570915b
