How to Customize Endpoint Security Settings in Microsoft Intune

In this article, I’m going to show you how to customize endpoint security settings in Microsoft Intune, including how to change security baseline settings, how to make sure devices are running a specific operating system version (or later), and how to configure Windows and iOS disk encryption settings.

Microsoft provides a series of recommended security baseline settings. But depending on your organization’s needs, it may be necessary to review and change the settings to ensure that devices and data are properly secured.

Additionally, you should configure Intune to update Windows automatically so that devices aren’t left running an outdated operating system version. Finally, configure disk encryption and Mobile Application Management (MAM) settings to protect data on mobile devices.

What you need to know:

  • The default recommended security baseline settings can be changed under Endpoint security in the Endpoint Manager portal.
  • You can ensure that Windows is updated automatically by going to Devices > Windows > Windows 10 update rings in the Endpoint Manager portal.
  • Ensuring Windows is running a specific version or later takes two pieces: a feature update profile (Devices > Windows > Feature updates for Windows 10 and later) moves devices to that version, and a compliance policy with a minimum OS version flags any device that is still below it.
  • Windows disk encryption can be configured by creating a new configuration profile and changing the settings under Windows Encryption.
  • Mobile Application Management settings can further help protect data on mobile devices.

Recommended security settings

Similar to Conditional Access policies, Microsoft provides a set of baseline Endpoint security policies, as seen here. These are the recommended security settings; however, you may customize them to your organization’s requirements.

Customize a security baseline in Microsoft Endpoint Manager (Intune)

To use the settings, select one of the baselines and create a profile from it. The profile is then assigned to users or groups as needed. You can create multiple profiles from the same baseline and assign them to different groups or to all users. Because a baseline profile and a separate configuration profile can set the same setting to different values, check the per-setting status after assignment so that conflicts show up before you roll out more widely.

Customize a security baseline in Microsoft Endpoint Manager (Intune)

Now you can assign users or groups.

Assign users or groups in Microsoft Endpoint Manager (Intune)

Ensure updates are deployed automatically to endpoints

All devices should be updated automatically, which also helps keep them compliant. This is defined as follows:

  • In the Endpoint Manager portal go to Devices > Windows > Windows 10 update rings. Here you must create a new profile.
  • On the next page, name the profile.
  • Finally you get to configure the Windows update settings for the devices.

Configure Windows update settings in Microsoft Endpoint Manager (Intune)
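
The same update ring can be created without the portal. The following is an added example, not code from the original article: it creates a Windows Update for Business ring through Microsoft Graph with the Microsoft.Graph PowerShell module, assigns it to a pilot device group, and then reads the profile and its device status back. Property names follow the Graph windowsUpdateForBusinessConfiguration resource; the group ID, ring name and deferral values are placeholders you would replace for your own tenant.

```powershell
# Added example, not from the original article: create a Windows Update ring
# through Microsoft Graph and assign it to a device group. Requires the
# Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).
# Property names follow the Graph windowsUpdateForBusinessConfiguration resource;
# the group ID, ring name and deferral values are placeholders for your tenant.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph   = "https://graph.microsoft.com/v1.0"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD group of pilot devices

# A pilot ring: quality (security) updates are offered 3 days after release,
# feature updates after 14 days, installs and restarts happen outside the
# 08:00-18:00 active hours, and a deadline plus a short grace period stops
# users from postponing the restart indefinitely.
$ring = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "Update ring - Pilot"
    description                        = "Fast ring for IT and early adopters"
    automaticUpdateMode                = "autoInstallAndRebootAtMaintenanceTime"
    microsoftUpdateServiceAllowed      = $true    # also receive updates for other Microsoft products
    driversExcluded                    = $false
    businessReadyUpdatesOnly           = "businessReadyOnly"   # no Insider builds
    qualityUpdatesDeferralPeriodInDays = 3
    featureUpdatesDeferralPeriodInDays = 14
    deadlineForQualityUpdatesInDays    = 7
    deadlineForFeatureUpdatesInDays    = 14
    deadlineGracePeriodInDays          = 2
    postponeRebootUntilAfterDeadline   = $false
    installationSchedule               = @{
        "@odata.type"    = "#microsoft.graph.windowsUpdateActiveHoursInstall"
        activeHoursStart = "08:00:00"
        activeHoursEnd   = "18:00:00"
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($ring | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created update ring $($created.id)"

# Assign the ring to the pilot group. Nothing is enforced until the profile
# has at least one assignment.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the profile back to confirm what Intune actually stored.
$stored = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)"
"{0}: quality deferral {1}d, feature deferral {2}d, mode {3}" -f $stored.displayName,
    $stored.qualityUpdatesDeferralPeriodInDays, $stored.featureUpdatesDeferralPeriodInDays, $stored.automaticUpdateMode

# Per-device status for the profile. The counters only fill in after the
# targeted devices have checked in with Intune.
$overview = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/deviceStatusOverview"
"Devices: {0} succeeded, {1} error, {2} conflict, {3} pending" -f `
    $overview.successCount, $overview.errorCount, $overview.conflictCount, $overview.pendingCount
```

Creating rings this way makes the deferral and deadline values reviewable in source control, and running the final GET after every change is the quickest way to catch a value the portal or API silently ignored.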

Update all Windows 10 machines to a specific version

Apart from keeping devices updated, it is also important to standardize the Windows 10 version installed across your machines, so every device is on the same feature release rather than a mix of builds with different patch states.

Follow the path shown in the screenshot here. The Feature update to deploy field is the Windows 10 version that will be installed on all the selected machines; devices that are already on a newer version stay where they are and are not rolled back.

Configure Windows update settings in Microsoft Endpoint Manager (Intune)

iOS version policy

It’s important to have a policy in place for iOS devices too. The screenshot here shows a new policy that defines a specific iOS version for all targeted iOS/iPadOS devices. The location for this is Devices > Update policies for iPadOS/iOS. Note that iOS update policies only apply to supervised devices; unsupervised devices (typical for BYOD) ignore them, so pair the update policy with a compliance policy that sets a minimum OS version to catch those.

Configure iOS version policy settings in Microsoft Endpoint Manager (Intune)

On the next page, assign the policy to the users or groups it should apply to.

Devices must be encrypted

BitLocker should be used to encrypt all your Windows 10 machines. In the Endpoint Manager portal, go to Devices > Configuration profiles > Create profile, choose the Endpoint protection profile type, and define your settings under Windows Encryption. A configuration profile turns encryption on, but it does not by itself tell you which devices are still unencrypted; pair it with a compliance policy that requires BitLocker so that Conditional Access can act on devices that have not encrypted yet.

Configure Windows BitLocker disk encryption settings in Microsoft Endpoint Manager (Intune)
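
The following is an added example, not code from the original article, covering both the "specific version or later" requirement and the encryption requirement above. It uses Microsoft Graph through the Microsoft.Graph PowerShell module to create an Endpoint protection profile whose Windows Encryption settings enable BitLocker, then a compliance policy that requires BitLocker and a minimum Windows build, assigns both to a group, and finally lists the Windows devices that are still unencrypted or below the build. Property names follow the Graph windows10EndpointProtectionConfiguration and windows10CompliancePolicy resources; the group ID, the build number and the profile names are placeholders.

```powershell
# Added example, not from the original article: enable BitLocker with an
# endpoint protection profile, add a compliance policy that checks that the
# disk really is encrypted and that Windows is at a minimum build or later,
# and report devices that fail either check. Requires the Microsoft.Graph
# PowerShell module. Group ID, build number and names are placeholders.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All"

$graph        = "https://graph.microsoft.com/v1.0"
$groupId      = "00000000-0000-0000-0000-000000000000"   # placeholder: target group
$minimumBuild = "10.0.19044.0"                            # placeholder: oldest build still accepted
$assignBody   = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
) } | ConvertTo-Json -Depth 10

# 1. Windows Encryption settings of an Endpoint protection profile: encrypt the
#    OS drive with XTS-AES 256, require a TPM, and escrow the recovery key in
#    Azure AD so a locked device can still be recovered.
$encryption = @{
    "@odata.type"                                 = "#microsoft.graph.windows10EndpointProtectionConfiguration"
    displayName                                   = "Windows Encryption - BitLocker required"
    bitLockerEncryptDevice                        = $true
    bitLockerDisableWarningForOtherDiskEncryption = $true   # needed so enablement can run without a user prompt
    bitLockerSystemDrivePolicy                    = @{
        encryptionMethod                         = "xtsAes256"
        startupAuthenticationRequired            = $true
        startupAuthenticationBlockWithoutTpmChip = $true
        startupAuthenticationTpmUsage            = "required"
        recoveryOptions                          = @{
            recoveryKeyUsage                               = "allowed"
            recoveryPasswordUsage                          = "allowed"
            hideRecoveryOptions                            = $true
            enableRecoveryInformationSaveToStore           = $true
            recoveryInformationToStore                     = "passwordAndKey"
            enableBitLockerAfterRecoveryInformationToStore = $true   # no key escrowed, no encryption
        }
    }
}
$profile = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($encryption | ConvertTo-Json -Depth 10) -ContentType "application/json"
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$($profile.id)/assign" `
    -Body $assignBody -ContentType "application/json"

# 2. Compliance policy: the check that Conditional Access actually evaluates.
$compliance = @{
    "@odata.type"        = "#microsoft.graph.windows10CompliancePolicy"
    displayName          = "Windows - encrypted and at minimum build"
    osMinimumVersion     = $minimumBuild
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Graph rejects a compliance policy without a scheduled action; a block
    # action with a 0-hour grace period marks failing devices non-compliant at once.
    scheduledActionsForRule = @(
        @{ ruleName = "PasswordRequired"; scheduledActionConfigurations = @(
            @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
        ) }
    )
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 10) -ContentType "application/json"
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body $assignBody -ContentType "application/json"

# 3. Inventory check: walk every page of managed devices and print the Windows
#    ones that are unencrypted, below the build, or report no parsable build at all.
$uri = "$graph/deviceManagement/managedDevices?`$select=deviceName,operatingSystem,osVersion,isEncrypted,complianceState"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

foreach ($d in $devices | Where-Object { $_.operatingSystem -eq "Windows" }) {
    $build = $null
    $belowBuild = -not [version]::TryParse($d.osVersion, [ref]$build) -or $build -lt [version]$minimumBuild
    if (-not $d.isEncrypted -or $belowBuild) {
        "{0}: build {1}, encrypted={2}, compliance={3}" -f $d.deviceName, $d.osVersion, $d.isEncrypted, $d.complianceState
    }
}
```

The inventory step is worth keeping as a scheduled check: `isEncrypted` comes from the device itself, so a device that received the profile but never finished encrypting (for example, because it has no TPM and startup authentication was required) shows up here long before a user reports being blocked by Conditional Access.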

You can also configure a similar policy for iPad and iOS devices. iOS/iPadOS encrypts device storage whenever a device passcode is set, so the equivalent control there is a policy that requires a passcode.

Protect your corporate data using application protection policies

End users access corporate data on organization-owned mobiles or on their personal devices. It’s critical to ensure that corporate data doesn’t leak. Because Mobile Application Management (MAM) policies are tied to the user identity signed into the app rather than to the device, they protect data on both managed (enrolled) and unmanaged (BYOD) mobile devices.

Application protection policies (APP) apply to apps that support them: the Microsoft 365 mobile apps and third-party apps that integrate the Intune App SDK or have been wrapped with the Intune App Wrapping Tool. Apps outside that set are not covered, which is why data transfer to them should be blocked in the policy. You should configure APP for both iOS and Android devices.

APP for Android mobile devices
APP for iOS mobile devices

The settings in these policies can be used to enforce encryption of app data; disable saving copies of data to unmanaged locations; restrict cut, copy, and paste operations between apps; block screen capture (Android only); and require a PIN to access the protected apps.
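
The following is an added example, not code from the original article: it creates the iOS and Android application protection policies described above through Microsoft Graph with the Microsoft.Graph PowerShell module, targets them at Outlook as a representative managed app, and assigns them to a user group. Property names follow the Graph iosManagedAppProtection and androidManagedAppProtection resources; the group ID and policy names are placeholders, and the screen capture and app data encryption settings exist only on the Android policy.

```powershell
# Added example, not from the original article: create iOS and Android app
# protection policies through Microsoft Graph, target them at Outlook and
# assign them to a user group. Requires the Microsoft.Graph PowerShell module.
# The group ID is a placeholder; property names follow the Graph resource types
# iosManagedAppProtection and androidManagedAppProtection.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph   = "https://graph.microsoft.com/v1.0"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD group of users

# Settings shared by both platforms: no Save As to unmanaged locations, no cloud
# backup of app data, data transfer and clipboard only between managed apps
# (paste-in from anywhere is allowed so users can still paste into Outlook),
# a 6-digit non-trivial PIN, and an access check after 12 hours offline.
$common = @{
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    printBlocked                            = $true
    contactSyncBlocked                      = $false
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true
    periodOfflineBeforeAccessCheck          = "PT12H"   # ISO 8601 duration
    periodOfflineBeforeWipeIsEnforced       = "P90D"    # wipe app data after 90 days offline
}

# Per-platform copies. Clone() is used because adding two hashtables with the
# same key throws in PowerShell.
$ios = $common.Clone()
$ios["@odata.type"] = "#microsoft.graph.iosManagedAppProtection"
$ios.displayName    = "APP - iOS"
$iosApps = @( @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } } )

$android = $common.Clone()
$android["@odata.type"]     = "#microsoft.graph.androidManagedAppProtection"
$android.displayName        = "APP - Android"
$android.screenCaptureBlocked = $true   # Android-only setting
$android.encryptAppData       = $true   # Android-only setting
$androidApps = @( @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.office.outlook" } } )

$platforms = @(
    @{ collection = "iosManagedAppProtections";     body = $ios;     apps = $iosApps },
    @{ collection = "androidManagedAppProtections"; body = $android; apps = $androidApps }
)

$assignBody = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
) } | ConvertTo-Json -Depth 10

foreach ($p in $platforms) {
    $base = "$graph/deviceAppManagement/$($p.collection)"

    # Create the policy.
    $policy = Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($p.body | ConvertTo-Json -Depth 10) -ContentType "application/json"

    # A policy with no targeted apps protects nothing; target Outlook.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/targetApps" `
        -Body (@{ apps = $p.apps } | ConvertTo-Json -Depth 10) -ContentType "application/json"

    # Assign to the user group; APP assignments are user-based, not device-based.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
        -Body $assignBody -ContentType "application/json"

    "Created {0} ({1}), PIN required: {2}, clipboard: {3}" -f $policy.displayName, $policy.id,
        $policy.pinRequired, $policy.allowedOutboundClipboardSharingLevel
}
```

The `targetApps` step is the one most often forgotten when policies are scripted: Intune accepts a policy with an empty app list and reports it as assigned, yet no data is protected until at least one app is targeted.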

Once you have configured the settings above to suit your organization’s needs, your mobile workforce is better protected: devices are kept updated and encrypted, and corporate data inside managed apps is harder to leak.