# Device Configuration Profiles
Configuration profiles push settings, restrictions, and security controls to managed devices.
Intune admin center → Devices → Configuration
## Windows — Security Baseline
The fastest way to harden Windows devices is to deploy the Microsoft security baseline — a pre-configured set of ~300 settings recommended by Microsoft.
Intune admin center → Endpoint security → Security baselines → Windows security baseline → Create profile
> **Tip:** Review the baseline settings before deploying to production. Some settings (e.g., locking down removable storage, blocking legacy authentication for local accounts) may need adjustment for your environment. Deploy to a pilot group first.
Key settings enforced by the baseline include:
| Area | Examples |
|---|---|
| BitLocker | Require encryption, TPM + PIN |
| Credential Guard | Enabled |
| Windows Defender Firewall | All profiles on |
| Exploit protection | CFG, SEHOP, DEP enabled |
| User Account Control | Prompt for admin consent |
| SMBv1 | Disabled |
| WDigest authentication | Disabled |
| AppLocker / WDAC | Optional — needs testing |
## Windows — BitLocker
If you are not using the Security Baseline, create a dedicated BitLocker policy:
Intune admin center → Endpoint security → Disk encryption → Create policy → Windows → BitLocker
| Setting | Value |
|---|---|
| BitLocker — base settings: Enable full disk encryption for OS and fixed data drives | Yes |
| Require storage cards to be encrypted (mobile only) | Yes |
| OS drive: additional authentication at startup | Require |
| OS drive: TPM startup | Require TPM |
| OS drive: TPM startup PIN | Require startup PIN with TPM |
| OS drive: encryption method | XTS-AES 256-bit |
| Fixed drive: encryption method | XTS-AES 256-bit |
| Recovery key backup to Azure AD | Require (escrow to Entra ID) |
| Removable drive: configure encryption | Require |
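The two tables above describe what the baseline and the BitLocker policy are supposed to enforce; the script below is an added verification example (not from this page, and not Microsoft or Intune code) that reads the resulting local state on a pilot device and reports PASS/FAIL per item, so a device can be checked before the policy goes to production. It uses standard Windows cmdlets and registry paths; the registry values, the `Win32_DeviceGuard` class and the BitLocker event ID 845 are assumptions stated in the comments, and the UAC check accepts either secure-desktop prompt value.

```powershell
# Added example (not from this page or Microsoft): report local state against the
# baseline and BitLocker tables above. Run elevated on a pilot device after policy sync.
# Assumes Windows 10/11 with the BitLocker, NetSecurity, DISM and Defender modules present.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Name
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# ---- Security baseline items ----

# Credential Guard: SecurityServicesRunning contains 1 when it is actually running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Check 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) `
    ('SecurityServicesRunning=' + ($dg.SecurityServicesRunning -join ','))

# Firewall: Domain, Private and Public profiles all enabled
$fw = Get-NetFirewallProfile
Add-Check 'Firewall on for all profiles' (@($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0) `
    (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# Exploit protection: system defaults for CFG, SEHOP and DEP should be ON
$mit = Get-ProcessMitigation -System
foreach ($m in 'CFG', 'SEHOP', 'DEP') {
    Add-Check "Exploit protection $m" ($mit.$m.Enable -eq 'ON') "Enable=$($mit.$m.Enable)"
}

# UAC: ConsentPromptBehaviorAdmin 2 = prompt for consent on the secure desktop (baseline value);
# 1 = prompt for credentials on the secure desktop is accepted as equally strict
$uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorAdmin
Add-Check 'UAC prompts admins on secure desktop' ($uac -in 1, 2) "ConsentPromptBehaviorAdmin=$uac"

# SMBv1: optional feature removed or disabled
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Check 'SMBv1 disabled' ($null -eq $smb1 -or $smb1.State -ne 'Enabled') "State=$($smb1.State)"

# WDigest: UseLogonCredential=0 stops LSASS keeping plaintext credentials;
# a missing value is the secure default on Windows 8.1 / 2012 R2 and later
$wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
Add-Check 'WDigest disabled' ($null -eq $wd.UseLogonCredential -or $wd.UseLogonCredential -eq 0) `
    "UseLogonCredential=$($wd.UseLogonCredential)"

# ---- BitLocker items ----

$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector.KeyProtectorType)
Add-Check 'OS drive encrypted and protection on' ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On') `
    "VolumeStatus=$($os.VolumeStatus) ProtectionStatus=$($os.ProtectionStatus)"
Add-Check 'OS drive XTS-AES 256' ($os.EncryptionMethod -eq 'XtsAes256') "EncryptionMethod=$($os.EncryptionMethod)"
Add-Check 'TPM + startup PIN protector' ($types -contains 'TpmPin') ('Protectors=' + ($types -join ','))
Add-Check 'Recovery password protector present' ($types -contains 'RecoveryPassword') ''

# Every other data volume should use the same method
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' }) {
    Add-Check "Data drive $($vol.MountPoint) XTS-AES 256" `
        ($vol.EncryptionMethod -eq 'XtsAes256' -and $vol.VolumeStatus -eq 'FullyEncrypted') `
        "EncryptionMethod=$($vol.EncryptionMethod) VolumeStatus=$($vol.VolumeStatus)"
}

# Escrow evidence: BitLocker-API event 845 is logged when recovery info is backed up to Entra ID
$escrow = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
Add-Check 'Recovery key escrowed to Entra ID (event 845 seen)' ($null -ne $escrow) `
    $(if ($escrow) { "Last=$($escrow.TimeCreated)" } else { 'no event 845 found' })

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }
```

The exit code makes the script usable as an Intune remediation detection script or a scheduled compliance check; the event 845 check is only evidence that escrow succeeded at some point, so confirm the key is actually visible in the admin center before relying on it.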
### Retrieve BitLocker recovery key from Intune
Intune admin center → Devices → All devices → [Device] → Recovery keys
Or via PowerShell:

```powershell
# Microsoft Graph PowerShell SDK; BitlockerKey.Read.All allows reading escrowed keys
Connect-MgGraph -Scopes "BitlockerKey.Read.All"
# Replace device-guid with the Entra device ID of the machine
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq 'device-guid'"
```
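The two-line version above lists key metadata for a known device GUID. As an added example (not the page's own code and not from Microsoft), the script below goes one step further: it resolves a device by display name, refuses ambiguous matches, and then requests the key value itself, which Graph only returns when asked for explicitly per key ID. It assumes the `Microsoft.Graph.Authentication`, `Microsoft.Graph.Identity.DirectoryManagement` and `Microsoft.Graph.Identity.SignIns` modules are installed and that the caller holds a role permitted to read keys; each key read is recorded in the Entra ID audit log, which is what makes this retrieval path preferable to keys copied into tickets or chat.

```powershell
# Added example, not from the page: fetch the escrowed BitLocker recovery key for a device
# by display name through Microsoft Graph PowerShell.
# Assumptions: Graph SDK modules listed in the lead-in are installed; caller can read keys.
param([Parameter(Mandatory)][string]$DeviceName)

# Device.Read.All is needed for the name lookup, BitlockerKey.Read.All for the key itself
Connect-MgGraph -Scopes "BitlockerKey.Read.All", "Device.Read.All"

$device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'")
if ($device.Count -eq 0) { throw "No Entra ID device named '$DeviceName'" }
if ($device.Count -gt 1) { throw "Multiple devices named '$DeviceName'; query by device GUID instead" }

# The list call returns metadata only (id, createdDateTime, volumeType);
# the key string must be requested per key ID with -Property key
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device[0].DeviceId)'"
foreach ($k in $keys | Sort-Object CreatedDateTime -Descending) {
    $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property "key"
    [pscustomobject]@{
        Device      = $DeviceName
        KeyId       = $k.Id
        VolumeType  = $k.VolumeType
        Created     = $k.CreatedDateTime
        RecoveryKey = $full.Key
    }
}
```

Newest key first matters when a device has been re-encrypted or had its recovery password rotated: the older entries are still listed but no longer unlock the drive.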
## Windows — Windows Update Rings
Control when Windows updates are installed:
Intune admin center → Devices → Update rings for Windows 10 and later → Create
### Pilot ring
| Setting | Value |
|---|---|
| Name | Update Ring — Pilot |
| Feature updates deferral | 0 days |
| Quality updates deferral | 0 days |
| Automatic update behaviour | Auto install and restart |
| Deadline for feature updates | 5 days |
| Deadline for quality updates | 3 days |
### Production ring
| Setting | Value |
|---|---|
| Name | Update Ring — Production |
| Feature updates deferral | 14 days |
| Quality updates deferral | 7 days |
| Automatic update behaviour | Auto install at maintenance time |
| Deadline for feature updates | 7 days |
| Deadline for quality updates | 5 days |
| Grace period | 2 days |
| Pause updates allowed | Yes |
## Windows — Endpoint Protection
Beyond the security baseline, key Defender settings to configure:
Intune admin center → Endpoint security → Antivirus → Create policy → Windows → Microsoft Defender Antivirus
| Setting | Value |
|---|---|
| Cloud protection | Enabled |
| Cloud-delivered protection level | High |
| Submit samples automatically | Send all samples |
| Real-time protection | Enabled |
| Behaviour monitoring | Enabled |
| Network protection | Enable |
| PUA protection | Enable |
| Tamper protection | Enable |
| Scan type | Quick scan |
| Scan frequency | Daily |
| Check for signature updates before running scan | Enable |
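To confirm that the antivirus policy above actually landed on a device, the following added example (not from this page, and not Microsoft code) reads the effective Defender configuration with `Get-MpPreference` and `Get-MpComputerStatus` and compares each setting with the table. The numeric codes are the documented values those cmdlets report (for instance `CloudBlockLevel` 2 = High, `SubmitSamplesConsent` 3 = send all samples); the check names and the pass/fail layout are this example's own.

```powershell
# Added example, not from the page: compare local Defender Antivirus state with the policy
# table above. Assumption: run elevated on Windows 10/11 with the Defender PowerShell module.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Expected values expressed in the terms the Defender cmdlets report
$expected = [ordered]@{
    'Cloud protection (MAPSReporting=2 Advanced)'     = { $pref.MAPSReporting -eq 2 }
    'Cloud block level High (CloudBlockLevel=2)'       = { $pref.CloudBlockLevel -eq 2 }
    'Submit all samples (SubmitSamplesConsent=3)'      = { $pref.SubmitSamplesConsent -eq 3 }
    'Real-time protection enabled'                     = { $status.RealTimeProtectionEnabled }
    'Behaviour monitoring enabled'                     = { $status.BehaviorMonitorEnabled }
    'Network protection (EnableNetworkProtection=1)'   = { $pref.EnableNetworkProtection -eq 1 }
    'PUA protection block (PUAProtection=1)'           = { $pref.PUAProtection -eq 1 }
    'Tamper protection enabled'                        = { $status.IsTamperProtected }
    'Scheduled scan type Quick (ScanParameters=1)'     = { $pref.ScanParameters -eq 1 }
    'Scan runs daily (ScanScheduleDay=0 Everyday)'     = { $pref.ScanScheduleDay -eq 0 }
    'Signature update before scheduled scan'           = { $pref.CheckForSignaturesBeforeRunningScan }
}

$report = foreach ($entry in $expected.GetEnumerator()) {
    $ok = [bool](& $entry.Value)
    [pscustomobject]@{
        Check  = $entry.Key
        Result = $(if ($ok) { 'PASS' } else { 'FAIL' })
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets Intune remediation or a monitoring job treat drift as a failure
if ($report.Result -contains 'FAIL') { exit 1 }
```

Tamper protection is read from `Get-MpComputerStatus` rather than `Get-MpPreference` because it is not a preference a local administrator can set; if it reports false while the policy says enabled, the device usually has not synced yet or is not enrolled in Defender for Endpoint.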
## iOS — Device Restrictions
Intune admin center → Devices → Configuration → Create → iOS/iPadOS → Device restrictions
### Recommended restrictions
| Setting | Value |
|---|---|
| App Store, Doc Viewing, Gaming: Require iTunes Store password for all purchases | Yes |
| Built-in apps: Siri while device is locked | Block |
| Cloud and Storage: Backup to iCloud | Block (if corporate data control required) |
| Cloud and Storage: iCloud document and data sync | Block |
| Connected Devices: Force Apple Watch wrist detection | Yes |
| Lock Screen Experience: Notification Centre in lock screen | Block |
| Password: Block simple passwords | Yes |
| Shared device: Block Account Modification | Yes (supervised only) |
## Android Enterprise — Device Restrictions
Intune admin center → Devices → Configuration → Create → Android Enterprise (Work Profile or Fully Managed)
| Setting | Value |
|---|---|
| Work profile settings: Copy and paste between work and personal profiles | Block |
| Work profile settings: Data sharing between work and personal profiles | Block |
| General: Factory reset | Block (fully managed) |
| General: USB file transfer | Block (fully managed) |
| System security: Threat scan on apps | Require |
| Connectivity: Bluetooth | Configure as needed |
## macOS — FileVault
Intune admin center → Endpoint security → Disk encryption → Create → macOS → FileVault
| Setting | Value |
|---|---|
| Enable FileVault | Yes |
| Recovery key rotation in months | 12 |
| Escrow location description | Intune escrow |
| Hide recovery key | No (allow user to view) |
| Number of times allowed to bypass | 0 (require at next login) |