Step 4 – Configure device features and settings to secure devices and access resources

• Article
• 08/14/2024

So far, you set up your Intune subscription, created app protection policies, and created device compliance policies.

In this step, you’re ready to configure a minimum or baseline set of security and device features that all devices must have.

This article applies to:

• Android
• iOS / iPadOS
• macOS
• Windows

When you create device configuration profiles, there are different levels and types of policies available. These levels are the minimum Microsoft recommended policies. Know that your environment and business needs can be different.

• Level 1 – Minimum device configuration: In this level, Microsoft recommends you create policies that:

  • Focus on device security, including installing antivirus, creating a strong password policy, and regularly installing software updates.
  • users access organization email controlled secure access network , .

• Level 2 – Enhanced device configuration: In this level, Microsoft recommends you create policies that:

  • Expand device security, including configuring disk encryption, enabling secure boot, and adding more password rules.
  • Use the built-in features and templates to configure more settings that are important for your organization, including analyzing on-premises Group Policy Objects (GPOs).

• Level 3 – High device configuration: In this level, Microsoft recommends you create policies that:

  • Move to password-less authentication, including using certificates, configuring single sign-on (SSO) to apps, enabling multifactor authentication (MFA), and configuring Microsoft Tunnel.
  • Add extra layers of security using Android common criteria mode or creating DFCI policies for Windows devices.
  • Use the built-in features to configure kiosk devices, dedicated devices, shared devices, and other specialized devices.
  • Deploy existing shell scripts.

This article lists the different levels of device configuration policies that organizations should use. Most of these policies in this article focus on access to organization resources and security.

These features are configured in device configuration profiles in the Microsoft Intune admin center. When the Intune profiles are ready, they can be assigned to your users and devices.

Level 1 – Create your security baseline

To help keep your organization data and devices secure, you create different policies that focus on security. You should create a list of security features that all users and/or all devices must have. This list is your security baseline.

baseline , minimum , Microsoft is recommends recommends following security policies :

• Install antivirus (AV) and regularly scan for malware
• Use detection and response
• Turn on the firewall
• Install software updates regularly
• Create a strong PIN/password policy

This section lists the Intune and Microsoft services you can use to create these security policies.

granular list Windows settings recommended values , Windows security baselines .

Antivirus and scanning

✅Install antivirus software and regularly scan for malware

All devices should have antivirus software installed and be regularly scanned for malware. Intune integrates with third party partner mobile threat defense (MTD) services that provide AV and threat scanning. For macOS and Windows, antivirus and scanning are built in to Intune with Microsoft Defender for Endpoint.

Your policy options:

information features , :

Detection and response

✅Detect attacks and act on these threats

detect threats quickly , you is help help minimize impact threat . combine policies Conditional Access , you is block block users devices accessing organization resources threat detected .

Your policy options:

information features , :

• Android Enterprise:
• iOS / iPadOS:
• Windows:

Firewall

✅Enable firewall devices

Some platforms come with a built-in firewall and on others, you might have to install a firewall separately. Intune integrates with third party partner mobile threat defense (MTD) services that can manage a firewall for Android and iOS / iPadOS devices. For macOS and Windows, firewall security is built in to Intune with Microsoft Defender for Endpoint.

Your policy options:

information features , :

Password policy

✅Create strong password / PIN policy block simple passcodes

PINs unlock devices. On devices that access organization data, including personally owned devices, you should require strong PINs/passcodes and support biometrics to unlock devices. Using biometrics is part of a password-less approach, which is recommended.

Intune uses device restrictions profiles to create and configure password requirements.

Your policy options:

For a list of the settings you can configure, go to:

Software updates

✅Regularly install software updates

All devices should be updated regularly and policies should be created to make sure these updates are successfully installed. For most platforms, Intune has policy settings that focus on managing and installing updates.

Your policy options:

information features and/or settings configure , :

Level 1 – Access organization email, connect to VPN or Wi-Fi

This section focuses on accessing resources in your organization. These resources include:

• Email for work or school accounts
• VPN connection for remote connectivity
• Wi-Fi connection for on-premises connectivity

Email

Many organizations deploy email profiles with preconfigured settings to user devices.

✅Automatically connect to user email accounts

The profile includes the email configuration settings that connect to your email server.

Depending on the settings you configure, the email profile can also automatically connect the users to their individual email account settings.

✅Use enterprise level email apps

Email profiles in Intune use common and popular email apps, like Outlook. The email app is deployed to user devices. After the app is deployed, you deploy the email device configuration profile with the settings that configure the email app.

email device configuration profile is includes includes settings connect Exchange .

✅Access work or school email

Creating an email profile is a common minimum baseline policy for organizations with users that use email on their devices.

Intune has built-in email settings for Android, iOS / iPadOS, and Windows client devices. When users open their email app, they can automatically connect, authenticate, and synchronize their organizational email accounts on their devices.

✅Deploy anytime

new devices , we is recommended recommended deploy email app enrollment process . enrollment completes , deploy email device configuration policy .

If you have existing devices, then deploy the email app at any time, and deploy the email device configuration policy.

started email profiles

started :

1. Deploy an email app to your devices. For some guidance, go to Add email settings to devices using Intune.

2. Create an email device configuration profile in Intune. Depending on the email app your organization uses, the email device configuration profile might not be needed.

   For some guidance, go to Add email settings to devices using Intune.

3. In the email device configuration profile, configure the settings for your platform:

4. Assign the email device configuration profile to your users or user groups.

VPN

Many organizations deploy VPN profiles with preconfigured settings to user devices. The VPN connects your devices to your internal organization network.

If your organization uses cloud services with modern authentication and secure identities, then you probably don’t need a VPN profile. Cloud-native services don’t require a VPN connection.

If your apps or services aren’t cloud-based or aren’t cloud-native, then deploy a VPN profile to connect to your internal organization network.

✅Work from anywhere

Creating a VPN profile is a common minimum baseline policy for organizations with remote workers and hybrid workers.

As users work from anywhere, they can use the VPN profile to securely connect to your organization’s network to access resources.

Intune has built-in VPN settings for Android, iOS / iPadOS, macOS, and Windows client devices. On user devices, your VPN connection is shown as an available connection. Users select it. And, depending on the settings in your VPN profile, users can automatically authenticate and connect to the VPN on their devices.

✅Use enterprise level VPN apps

VPN profiles is use Intune use common enterprise VPN apps , like Check Point , Cisco , Microsoft Tunnel , . VPN app deployed user devices . app deployed , you is deploy deploy VPN connection profile settings configure VPN app .

The VPN device configuration profile includes settings that connect to your VPN server.

✅Deploy anytime

On new devices, we recommended you deploy the VPN app during the enrollment process. When enrollment completes, then deploy the VPN device configuration policy.

If you have existing devices, deploy the VPN app at any time, and then deploy the VPN device configuration policy.

Get started with VPN profiles

started :

1. Deploy a VPN app to your devices.

2. Create a VPN configuration profile in Intune.

3. In the VPN device configuration profile, configure the settings for your platform:

4. Assign the VPN device configuration profile to your users or user groups.

Wi-Fi

Many organizations deploy Wi-Fi profiles with preconfigured settings to user devices. If your organization has a remote-only workforce, then you don’t need to deploy Wi-Fi connection profiles. Wi-Fi profiles are optional and are used for on-premises connectivity.

✅Connect wirelessly

As users work from different mobile devices, they can use the Wi-Fi profile to wirelessly and securely connect to your organization’s network.

The profile includes the Wi-Fi configuration settings that automatically connect to your network and/or SSID (service set identifier). Users don’t have to manually configure their Wi-Fi settings.

✅Support mobile devices on-premises

Creating a Wi-Fi profile is a common minimum baseline policy for organizations with mobile devices that work on-premises.

Intune has built-in Wi-Fi settings for Android, iOS / iPadOS, macOS, and Windows client devices. On user devices, your Wi-Fi connection is shown as an available connection. Users select it. And, depending on the settings in your Wi-Fi profile, users can automatically authenticate and connect to the Wi-Fi on their devices.

✅Deploy anytime

On new devices, we recommended you deploy the Wi-Fi device configuration policy when devices enroll in Intune.

If you have existing devices, you can deploy the Wi-Fi device configuration policy at any time.

Get started with Wi-Fi profiles

started :

1. Create a Wi-Fi device configuration profile in Intune.

2. Configure the settings for your platform:

3. Assign the Wi-Fi device configuration profile to your users or user groups.

Level 2 – Enhanced protection and configuration

This level expands on what you configured in level 1 and adds more security for your devices. In this section, you create a level 2 set of policies that configure more security settings for your devices.

Microsoft recommends the following level 2 security policies:

• Expire passwords regulate reusing old passwords. In Level 1, you created a strong PIN or password policy. If you haven’t already, be sure you configure your PINs & passwords to expire and set some password-reuse rules.

  You can use Intune to create a device restrictions policy or a settings catalog policy that configures these settings. For more information on the password settings you can configure, go to the following articles:

  Android devices , you is use use device restrictions policies set password rules :

  On iOS / iPadOS devices, you can use device restrictions policies and/or the settings catalog to set password rules:

  macOS devices , you is use use device restrictions policies and/or settings catalog set password rules :

  On Windows devices, you can use device restrictions policies and/or the settings catalog to set password rules:

• Intune includes hundreds of settings that can manage devices features and settings, like disabling the built-in camera, controlling notifications, allowing bluetooth, blocking games, and more.

  You can use the built-in templates or the settings catalog to see and configure the settings.

  • Device restrictions templates have many built-in settings that can control different parts of the devices, including security, hardware, data sharing, and more.

    You can use these templates on the following platforms:

    • Android
    • iOS / iPadOS
    • macOS
    • Windows

  • Use Settings catalog to see and configure all the available settings. You can use the settings catalog on the following platforms:

  • Use the built-in administrative templates, similar to configuring ADMX templates on-premises. You can use the ADMX templates on the following platform:

• If you use on-premises GPOs and want to know if these same settings are available in Intune, then use Group Policy analytics. This feature analyzes your GPOs and depending on the analysis, can import them into an Intune settings catalog policy.

  For more information, go to Analyze your on-premises GPOs and import them in Intune.

Level 3 – High protection and configuration

This level expands on what you configured in levels 1 and 2. It adds extra security features used in enterprise level organizations.

• Expand password-less authentication to other services used by your workforce. In level 1, you enabled biometrics so users can sign in to their devices with a fingerprint or facial recognition. In this level, expand password-less to other parts of the organization.

  • Use certificates to authenticate email, VPN, and Wi-Fi connections. Certificates are deployed to users and devices, and are then used by users to get access to resources in your organization through the email, VPN, and Wi-Fi connections.

    To learn more about using certificates in Intune, go to:

  • Configure single sign-on (SSO) for a more seamless experience when users open business apps, like Microsoft 365 apps. Users sign-in once and then are automatically signed-in to all the apps that support your SSO configuration.

    learn SSO Intune Microsoft Entra ID , :

  • Use multifactor authentication (MFA). When you move to password-less, MFA adds an extra layer of security, and can help protect your organization from phishing attacks. You can use MFA with authenticator apps, like Microsoft Authenticator, or with a phone call or text message. You can also use MFA when users enroll their devices in Intune.

    Multifactor authentication is a feature of Microsoft Entra ID and can be used with Microsoft Entra accounts. For more information, go to:

  • Set up Microsoft Tunnel for your Android and iOS / iPadOS devices. Microsoft Tunnel uses Linux to allow these devices access to on-premises resources using modern authentication and Conditional Access.

    Microsoft Tunnel uses Intune, Microsoft Entra ID, and Active Directory Federation Services (AD FS). For more information, go to Microsoft Tunnel for Microsoft Intune.

  • In addition to Microsoft Tunnel for devices enrolled with Intune, you can use Microsoft Tunnel for Mobile Application Management (Tunnel for MAM) to extend tunnel capabilities to Android and iOS/iPad devices that are enrolled with Intune. Tunnel for MAM is available as an Intune add-on that requires an extra license.

    For more information, go to Use Intune Suite add-on capabilities.

• Use Windows Local Administrator Password Solution (LAPS) policy to manage and back up the built-in local administrator account on your Windows devices. Because the local admin account can’t be deleted and has full permissions to the device, management of the built-in Windows administrator account is an important step in securing your organization. Intune policy for Windows LAPS uses the capabilities that are available for Windows devices that run version 21h2 or later.

  information , Intune support Windows LAPS .

• Use Microsoft Intune Endpoint Privilege Management ( EPM ) reduce attack surface Windows devices . EPM is empowers empowers users run standard users ( administrator rights ) remain productive determining users run apps elevated context .

  EPM elevation rules based file hashes , certificate rules , . rules configure help ensure expected trusted applications allow run elevated . Rules is can :

  • Manage the child processes that an app creates.
  • Support requests by users to elevate a managed process.
  • Allow for automatic elevations of files that just need to run without any user interruption.

  Endpoint Privilege Management is available as an Intune add-on that requires an extra license. For more information, go to Use Intune Suite add-on capabilities.

• Use Android Common Criteria mode Android devices highly sensitive organizations , like government establishments .

  For more information on this feature, go to Android Common Criteria mode.

• Create policies that apply to the Windows firmware layer. These policies can help prevent malware from communicating with the Windows OS processes.

  information feature , Use Device Firmware Configuration Interface ( DFCI ) profiles Windows devices .

• Configure kiosks, shared devices, and other specialized devices:

Follow the minimum recommended baseline policies

1. Set up Microsoft Intune
2. Add, configure, and protect apps
3. Plan for compliance policies
4. 🡺Configure device features (You are here)
5. Enroll devices