How to Customize Endpoint Security Settings in Microsoft Intune
In this article, I’m going to show you how to customize endpoint security settings in Microsoft Intune. Including how to change security baseline settings, how to make sure devices are running a specific operating system version (or later), and how to configure Windows and iOS disk encryption settings.
Microsoft provides a series of recommended security baseline settings. But depending on your organization’s needs, it may be necessary to review and change the settings to ensure that devices and data are properly secured.
Additionally, you should configure Intune to automatically update Windows and make sure that devices aren’t running an outdated version of an operating system. Finally, configure disk encryption and Mobile Application Management settings to make sure data is protected on mobile devices.
What you need to know:
- The default recommended security baseline settings can be changed under Endpoint Security in the Endpoint Manager portal.
- And you can ensure that Windows is updated automatically by going to Devices > Windows > Windows 10 update rings in the Endpoint Manager portal.
- Ensuring Windows is running a specific version or later can be achieved by changing the settings under Devices > Home.
- Windows disk encryption configuration can be set by creating a new profile and then changing the settings under Windows Encryption.
- Mobile Application Management settings can further help protect data on mobile devices.
Recommended security settings
Similar to Conditional Access policies, Microsoft provides you with some baseline Endpoint security policies as seen here. These are the recommended security settings; however you may customize them to your organization’s requirements.
To use the settings, you must select one of the policies and then create a profile. The profile should then be assigned to user or groups as needed. You can create multiple profiles and assign them to different groups or all users.
Now you can assign users or groups.
Ensure updates are deployed automatically to endpoints
All devices should be updated automatically. This helps you to keep devices compliant. This can be defined as follows:
- In the Endpoint Manager portal go to Devices > Windows >Windows 10 update rings. Here you must create a new profile.
- On the next page, name the profile.
- Finally you get to configure the Windows update settings for the devices.
Update all Windows 10 machines to a specific version
Apart from having the right OS, it’s also important to streamline the OS version on each machine. You can achieve uniformity in the Windows 10 OS version installed on all devices.
Follow the path shown in the screenshot here. The Feature update to deploy field is the OS version that will be installed on all the selected machines.
iOS version policy
It’s important to have a policy in place to handle iOS devices too. The screenshot here showcases a new policy, where a specific version of iOS is defined for all iOS-based devices. The location for this is Devices > Update policies for iPadOS/iOS.
On the next page you must select the users on whom this will be effective.
Devices must be encrypted
BitLocker should be used to encrypt all your Windows 10 machines. In the Endpoint manager portal, go to Devices > Configuration profiles > Create Profile. In the new profile, define your settings under Windows Encryption.
