Tag: Device

Analysis of Intune Windows 10/11 Compliance Policy Settings for Strong Security

This report examines each setting in the provided Intune Windows 10/11 compliance policy JSON and evaluates whether it represents best practice for strong security on a Windows device. For each setting, we explain its purpose, configuration options, and why the chosen value helps ensure maximum security.

Device Health Requirements (Boot Security & Encryption)

Require BitLockerBitLocker Drive Encryption is mandated on the OS drive (Require BitLocker: Yes). BitLocker uses the system’s TPM to encrypt all data on disk and locks encryption keys unless the system’s integrity is verified at boot[1]. The policy setting “Require BitLocker” ensures that data at rest is protected – if a laptop is lost or stolen, an unauthorized person cannot read the disk contents without proper authorization[1]. Options: Not configured (default, don’t check encryption) or Require (device must be encrypted with BitLocker)[1]. Setting this to “Require” is considered best practice for strong security, as unencrypted devices pose a high data breach risk[1]. In our policy JSON, BitLocker is indeed required[2], aligning with industry recommendations to encrypt all sensitive devices.

Require Secure Boot – This ensures the PC is using UEFI Secure Boot (Require Secure Boot: Yes). Secure Boot forces the system to boot only trusted, signed bootloaders. During startup, the UEFI firmware will verify that bootloader and critical kernel files are signed by a trusted authority and have not been modified[1]. If any boot file is tampered with (e.g. by a bootkit or rootkit malware), Secure Boot will prevent the OS from booting[1]. Options: Not configured (don’t enforce) or Require (must boot in secure mode)[1]. The policy requires Secure Boot[2], which is a best-practice security measure to maintain boot-time integrity. This setting helps ensure the device boots to a trusted state and is not running malicious firmware or bootloaders[1]. Requiring Secure Boot is recommended in frameworks like Microsoft’s security baselines and the CIS benchmarks for Windows, provided the hardware supports it (most modern PCs do)[1].

Require Code Integrity – Code integrity (a Device Health Attestation setting) validates the integrity of Windows system binaries and drivers each time they are loaded into memory. Enforcing this (Require code integrity: Yes) means that if any system file or driver is unsigned or has been altered by malware, the device will be reported as non-compliant[1]. Essentially, it helps detect kernel-level rootkits or unauthorized modifications to critical system components. Options: Not configured or Require (must enforce code integrity)[1]. The policy requires code integrity to be enabled[2], which is a strong security practice. This setting complements Secure Boot by continuously verifying system integrity at runtime, not just at boot. Together, Secure Boot and Code Integrity reduce the risk of persistent malware or unauthorized OS tweaks going undetected[1].

By enabling BitLocker, Secure Boot, and Code Integrity, the compliance policy ensures devices have a trusted startup environment and encrypted storage – foundational elements of a secure endpoint. These Device Health requirements align with best practices like Microsoft’s recommended security baselines (which also require BitLocker and Secure Boot) and are critical to protect against firmware malware, bootkits, and data theft[1][1]. Note: Devices that lack a TPM or do not support Secure Boot will be marked noncompliant, meaning this policy effectively excludes older, less secure hardware from the compliant device pool – which is intentional for a high-security stance.

Device OS Version Requirements

Minimum OS version – This policy defines the oldest Windows OS build allowed on a device. In the JSON, the Minimum OS version is set to 10.0.19043.10000 (which corresponds roughly to Windows 10 21H1 with a certain patch level)[2]. Any Windows device reporting an OS version lower than this (e.g. 20H2 or an unpatched 21H1) will be marked non-compliant. The purpose is to block outdated Windows versions that lack recent security fixes. End users on older builds will be prompted to upgrade to regain compliance[1]. Options: admin can specify any version string; leaving it blank means no minimum enforcement[1]. Requiring a minimum OS version is a best practice to ensure devices have received important security patches and are not running end-of-life releases[1]. The chosen minimum (10.0.19043) suggests that Windows 10 versions older than 21H1 are not allowed, which is reasonable for strong security since Microsoft no longer supports very old builds. This helps reduce vulnerabilities – for example, a device stuck on an early 2019 build would miss years of defenses (like improved ransomware protection in later releases). The policy’s min OS requirement aligns with guidance to keep devices updated to at least the N-1 Windows version or newer.

Maximum OS version – In this policy, no maximum OS version is configured (set to “Not configured”)[2]. That means devices running newer OS versions than the admin initially tested are not automatically flagged noncompliant. This is usually best, because setting a max OS version is typically used only to temporarily block very new OS upgrades that might be unapproved. Leaving it not configured (no upper limit) is often a best practice unless there’s a known issue with a future Windows release[1]. In terms of strong security, not restricting the maximum OS allows devices to update to the latest Windows 10/11 feature releases, which usually improves security. (If an organization wanted to pause Windows 11 adoption, they might set a max version to 10.x temporarily, but that’s a business decision, not a security improvement.) So the policy’s approach – no max version limit – is fine and does align with security best practice in most cases, as it encourages up-to-date systems rather than preventing them.

Why enforce OS versions? Keeping OS versions current ensures known vulnerabilities are patched. For example, requiring at least build 19043 means any device on 19042 or earlier (which have known exposures fixed in 19043+) will be blocked until updated[1]. This reduces the attack surface. The compliance policy will show a noncompliant device “OS version too low” with guidance to upgrade[1], helping users self-remediate. Overall, the OS version rules in this policy push endpoints to stay on supported, secure Windows builds, which is a cornerstone of strong device security.

*(The policy also lists “Minimum/Maximum OS version for *mobile devices” with the same values (10.0.19043.10000 / Not configured)[2]. This likely refers to Windows 10 Mobile or Holographic devices. It’s largely moot since Windows 10 Mobile is deprecated, but having the same minimum for “mobile” ensures something like a HoloLens or Surface Hub also requires an up-to-date OS. In our case, both fields mirror the desktop OS requirement, which is fine.)

Configuration Manager Compliance (Co-Management)

Require device compliance from Configuration Manager – This setting is Not configured in the JSON (i.e. it’s left at default)[2]. It applies only if the Windows device is co-managed with Microsoft Endpoint Configuration Manager (ConfigMgr/SCCM) in addition to Intune. Options: Not configured (Intune ignores ConfigMgr’s compliance state) or Require (device must also meet all ConfigMgr compliance policies)[1].

In our policy, leaving it not configured means Intune will not check ConfigMgr status – effectively the device only has to satisfy the Intune rules to be marked compliant. Is this best practice? For purely Intune-managed environments, yes – if you aren’t using SCCM baselines, there’s no need to require this. If an organization is co-managed and has on-premises compliance settings in SCCM (like additional security baselines or antivirus status monitored by SCCM), a strong security stance might enable this to ensure those are met too[1]. However, enabling it without having ConfigMgr compliance policies could needlessly mark devices noncompliant as “not reporting” (Intune would wait for a ConfigMgr compliance signal that might not exist).

So, the best practice depends on context: In a cloud-only or lightly co-managed setup, leaving this off (Not Configured) is correct[1]. If the organization heavily uses Configuration Manager to enforce other critical security settings, then best practice would be to turn this on so Intune treats any SCCM failure as noncompliance. Since this policy likely assumes modern management primarily through Intune, Not configured is appropriate and not a security gap. (Admins should ensure that either Intune covers all needed checks, or if not, integrate ConfigMgr compliance by requiring it. Here Intune’s own checks are quite comprehensive.)

System Security: Password Requirements

A very important part of device security is controlling access with strong credentials. This policy enforces a strict device password/PIN policy under the “System Security” category:

  • Require a password to unlockYes (Required). This means the device cannot be unlocked without a password or PIN. Users must authenticate on wake or login[1]. Options: Not configured (no compliance check on whether a device has a lock PIN/password set) or Require (device must have a lock screen password/PIN)[1]. Requiring a password is absolutely a baseline security requirement – a device with no lock screen PIN is extremely vulnerable (anyone with physical access could get in). The policy correctly sets this to Require[2]. Intune will flag any device without a password as noncompliant, likely forcing the user to set a Windows Hello PIN or password. This is undeniably best practice; all enterprise devices should be password/PIN protected.
  • Block simple passwordsYes (Block). “Simple passwords” refers to very easy PINs like 0000 or 1234 or repeating characters. The setting is Simple passwords: Block[1]. When enabled, Intune will require that the user’s PIN/passcode is not one of those trivial patterns. Options: Not configured (allow any PIN) or Block (disallow common simple PINs)[1]. Best practice is to block simple PINs because those are easily guessable if someone steals the device. This policy does so[2], meaning a PIN like “1111” or “12345” would not be considered compliant. Instead, users must choose less predictable codes. This is a straightforward security best practice (also recommended by Microsoft’s baseline and many standards) to defeat casual guessing attacks.
  • Password typeAlphanumeric. This setting specifies what kinds of credentials are acceptable. “Alphanumeric” in Intune means the user must set a password or PIN that includes a mix of letters and numbers (not just digits)[1]. The other options are “Device default” (which on Windows typically allows a PIN of just numbers) or explicitly Numeric (only numbers allowed)[1]. Requiring Alphanumeric effectively forces a stronger Windows Hello PIN – it must include at least one letter or symbol in addition to digits. The policy sets this to Alphanumeric[2], which is a stronger stance than a simple numeric PIN. It expands the space of possible combinations, making it much harder for an attacker to brute-force or guess a PIN. This is aligned with best practice especially if using shorter PIN lengths – requiring letters and numbers significantly increases PIN entropy. (If a device only allows numeric PINs, a 6-digit PIN has a million possibilities; an alphanumeric 6-character PIN has far more.) By choosing Alphanumeric, the admin is opting for maximum complexity in credentials.
    • Note: When Alphanumeric is required, Intune enables additional complexity rules (next setting) like requiring symbols, etc. If instead it was set to “Numeric”, those complexity sub-settings would not apply. So this choice unlocks the strongest password policy options[1].
  • Password complexity requirementsRequire digits, lowercase, uppercase, and special characters. This policy is using the most stringent complexity rule available. Under Intune, for alphanumeric passwords/PINs you can require various combinations: the default is “digits & lowercase letters”; but here it’s set to “require digits, lowercase, uppercase, and special characters”[1]. That means the user’s password (or PIN, if using Windows Hello PIN as an alphanumeric PIN) must include at least one lowercase letter, one uppercase letter, one number, and one symbol. This is essentially a classic complex password policy. Options: a range from requiring just some character types up to all four categories[1]. Requiring all four types is generally seen as a strict best practice for high security (it aligns with many compliance standards that mandate a mix of character types in passwords). The idea is to prevent users from choosing, say, all letters or all numbers; a mix of character types increases password strength. Our policy indeed sets the highest complexity level[2]. This ensures credentials are harder to crack via brute force or dictionary attacks, albeit at the cost of memorability. It’s worth noting modern NIST guidance allows passphrases (which might not have all char types) as an alternative, but in many organizations, this “at least one of each” rule remains a common security practice for device passwords.
  • Minimum password length14 characters. This defines the shortest password or PIN allowed. The compliance policy requires the device’s unlock PIN/password to be 14 or more characters long[1]. Fourteen is a relatively high minimum; by comparison, many enterprise policies set min length 8 or 10. By enforcing 14, this policy is going for very strong password length, which is consistent with guidance for high-security environments (some standards suggest 12+ or 14+ characters for administrative or highly sensitive accounts). Options: 1–16 characters can be set (the admin chooses a number)[1]. Longer is stronger – increasing length exponentially strengthens resistance to brute-force cracking. At 14 characters with the complexity rules above, the space of possible passwords is enormous, making targeted cracking virtually infeasible. This is absolutely a best practice for strong security, though 14 might be considered slightly beyond typical user-friendly lengths. It aligns with guidance like using passphrases or very long PINs for device unlock. Our policy’s 14-char minimum[2] indicates a high level of security assurance (for context, the U.S. DoD STIGs often require 15 character passwords on Windows – 14 is on par with such strict standards).
  • Maximum minutes of inactivity before password is required15 minutes. This controls the device’s idle timeout, i.e. how long a device can sit idle before it auto-locks and requires re-authentication. The policy sets 15 minutes[2]. Options: The admin can define a number of minutes; when not set, Intune doesn’t enforce an inactivity lock (though Windows may have its own default)[1]. Requiring a password after 15 minutes of inactivity is a common security practice to balance security with usability. It means if a user steps away, at most 15 minutes can pass before the device locks itself and demands a password again. Shorter timers (5 or 10 min) are more secure (less window for an attacker to sit at a logged-in machine), whereas longer (30+ min) are more convenient but risk someone opportunistically using an unlocked machine. 15 minutes is a reasonable best-practice value for enterprises – it’s short enough to limit unauthorized access, yet not so short that it frustrates users excessively. Many security frameworks recommend 15 minutes or less for session locks. This policy’s 15-minute setting is in line with those recommendations and thus supports a strong security posture. It ensures a lost or unattended laptop will lock itself in a timely manner, reducing the chance for misuse.
  • Password expiration (days)365 days. This setting forces users to change their device password after a set period. Here it is one year[2]. Options: 1–730 days or not configured[1]. Requiring password change every 365 days is a moderate approach to password aging. Traditional policies often used 90 days, but that can lead to “password fatigue.” Modern NIST guidelines actually discourage frequent forced changes (unless there’s evidence of compromise) because overly frequent changes can cause users to choose weaker passwords or cycle old ones. However, annual expiration (365 days) is relatively relaxed and can be seen as a best practice in some environments to ensure stale credentials eventually get refreshed[1]. It’s basically saying “change your password once a year.” Many organizations still enforce yearly or biannual password changes as a precaution. In terms of strong security, this setting provides some safety net (in case a password was compromised without the user knowing, it won’t work indefinitely). It’s not as critical as the other settings; one could argue that with a 14-char complex password, forced expiration isn’t strictly necessary. But since it’s set, it reflects a security mindset of not letting any password live forever. Overall, 365 days is a reasonable compromise – it’s long enough that users can memorize a strong password, and short enough to ensure a refresh if by chance a password leaked over time. This is largely aligned with best practice, though some newer advice would allow no expiration if other controls (like multifactor auth) are in place. In a high-security context, annual changes remain common policy.
  • Number of previous passwords to prevent reuse5. This means when a password is changed (due to expiration or manual change), the user cannot reuse any of their last 5 passwords[1]. Options: Typically can set a value like 1–50 previous passwords to disallow. The policy chose 5[2]. This is a standard part of password policy – preventing reuse of recent passwords helps ensure that when users do change their password, they don’t just alternate between a couple of favorites. A history of 5 is pretty typical in best practices (common ranges are 5–10) to enforce genuine password updates. This setting is definitely a best practice in any environment with password expiration – otherwise users might just swap back and forth between two passwords. By disallowing the last 5, it will take at least 6 cycles (in this case 6 years, given 365-day expiry) before one could reuse an old password, by which time it’s hoped that password would have lost any exposure or the user comes up with a new one entirely. The policy’s value of 5 is fine and commonly recommended.
  • Require password when device returns from idle stateYes (Required). This particularly applies to mobile or Holographic devices, but effectively it means a password is required upon device wake from an idle or sleep state[1]. On Windows PCs, this corresponds to the “require sign-in on wake” setting. Since our idle timeout is 15 minutes, this ensures that when the device is resumed (after sleeping or being idle past that threshold), the user must sign in again. Options: Not configured or Require[1]. The policy sets it to Require[2], which is certainly what we want – it’d be nonsensical to have all the above password rules but then not actually lock on wake! In short, this enforces that the password/PIN prompt appears after the idle period or sleep, which is absolutely a best practice. (Without this, a device could potentially wake up without a login prompt, which would undermine the idle timeout.) Windows desktop devices are indeed impacted by this on next sign-in after an idle, as noted in docs[1]. So this setting ties the loop on the secure password policy: not only must devices have strong credentials, but those credentials must be re-entered after a period of inactivity, ensuring continuous protection.

Summary of Password Policy: The compliance policy highly prioritizes strong access control. It mandates a login on every device (no password = noncompliant), and that login must be complex (not guessable, not short, contains diverse characters). The combination of Alphanumeric, 14+ chars, all character types, no simple PINs is about as strict as Windows Intune allows for user sign-in credentials[1][2]. This definitely meets the definition of best practice for strong security – it aligns with standards like CIS benchmarks which also suggest enforcing password complexity and length. Users might need to use passphrases or a mix of PIN with letters to meet this, but that is intended. The idle lock at 15 minutes and requirement to re-authenticate on wake ensure that even an authorized session can’t be casually accessed if left alone for long. The annual expiration and password history add an extra layer to prevent long-term use of any single password or recycling of old credentials, which is a common corporate security requirement.

One could consider slight adjustments: e.g., some security frameworks (like NIST SP 800-63) would possibly allow no expiration if the password is sufficiently long and unique (to avoid users writing it down or making minor changes). However, given this is a “strong security” profile, the chosen settings err on the side of caution, which is acceptable. Another improvement for extreme security could be shorter idle time (like 5 minutes) to lock down faster, but 15 minutes is generally acceptable and strikes a balance. Overall, these password settings significantly harden the device against unauthorized access and are consistent with best practices.

Encryption of Data Storage on Device

Require encryption of data storage on deviceYes (Required). Separate from the BitLocker requirement in Device Health, Intune also has a general encryption compliance rule. Enabling this means the device’s drives must be encrypted (with BitLocker, in the case of Windows) or else it’s noncompliant[1]. In our policy, “Encryption: Require” is set[2]. Options: Not configured or Require[1]. This is effectively a redundant safety net given BitLocker is also specifically required. According to Microsoft, the “Encryption of data storage” check looks for any encryption present (on the OS drive), and specifically on Windows it checks BitLocker status via a device report[1]. It’s slightly less robust than the Device Health attestation for BitLocker (which needs a reboot to register, etc.), but it covers the scenario generally[1].

From a security perspective, requiring device encryption is unquestionably best practice. It ensures that if a device’s drive isn’t encrypted (for example, BitLocker not enabled or turned off), the device will be flagged. This duplicates the BitLocker rule; having both doesn’t hurt – in fact, Microsoft documentation suggests the simpler encryption compliance might catch the state even if attestation hasn’t updated (though the BitLocker attestation is more reliable for TPM verification of encryption)[1].

In practice, an admin could use one or the other. This policy enables both, which indicates a belt-and-suspenders approach: either way, an unencrypted device will not slip through. This is absolutely aligned with strong security – all endpoints must have storage encryption, mitigating the risk of data exposure from lost or stolen hardware. Modern best practices (e.g. CIS, regulatory requirements like GDPR for laptops with personal data) often mandate full-disk encryption; here it’s enforced twice. The documentation even notes that relying on the BitLocker-specific attestation is more robust (it checks at the TPM level and knows the device booted with BitLocker enabled)[1][1]. The generic encryption check is a bit more broad but for Windows equates to BitLocker anyway. The key point is the policy requires encryption, which we already confirmed is a must-have security control. If BitLocker was somehow not supported on a device (very rare on Windows 10/11, since even Home edition has device encryption now), that device would simply fail compliance – again, meaning only devices capable of encryption and actually encrypted are allowed, which is appropriate for a secure environment.

(Note: Since both “Require BitLocker” and “Require encryption” are turned on, an Intune admin should be aware that a device might show two noncompliance messages for essentially the same issue if BitLocker is off. Users would see that they need to turn on encryption to comply. Once BitLocker is enabled and the device rebooted, both checks will pass[1][1]. The rationale for using both might be to ensure that even if the more advanced attestation didn’t report, the simpler check would catch it.)

Device Security Settings (Firewall, TPM, AV, Anti-spyware)

This section of the policy ensures that essential security features of Windows are active:

  • FirewallRequire. The policy mandates that the Windows Defender Firewall is enabled on the device (Firewall: Require)[1]. This means Intune will mark the device noncompliant if the firewall is turned off or if a user/app tries to disable it. Options: Not configured (do not check firewall status) or Require (firewall must be on)[1]. Requiring the firewall is definitely best practice – a host-based firewall is a critical first line of defense against network-based attacks. The Windows Firewall helps block unwanted inbound connections and can enforce outbound rules as well. By ensuring it’s always on (and preventing users from turning it off), the policy guards against scenarios where an employee might disable the firewall and expose the machine to threats[1]. This setting aligns with Microsoft recommendations and CIS Benchmarks, which also advise that Windows Firewall be enabled on all profiles. Our policy sets it to Require[2], which is correct for strong security. (One thing to note: if there were any conflicting GPO or config that turns the firewall off or allows all traffic, Intune would consider that noncompliant even if Intune’s own config profile tries to enable it[1] – essentially, Intune checks the effective state. Best practice is to avoid conflicts and keep the firewall defaults to block inbound unless necessary[1].)
  • Trusted Platform Module (TPM)Require. This check ensures the device has a TPM chip present and enabled (TPM: Require)[1]. Intune will look for a TPM security chip and mark the device noncompliant if none is found or it’s not active. Options: Not configured (don’t verify TPM) or Require (TPM must exist)[1]. TPM is a hardware security module used for storing cryptographic keys (like BitLocker keys) and for platform integrity (measured boot). Requiring a TPM is a strong security stance because it effectively disallows devices that lack modern hardware security support. Most Windows 10/11 PCs do have TPM 2.0 (Windows 11 even requires it), so this is feasible and aligns with best practices. It ensures features like BitLocker are using TPM protection and that the device can do hardware attestation. The policy sets TPM to required[2], which is a best practice consistent with Microsoft’s own baseline (they recommend excluding non-TPM machines, as those are typically older or less secure). By enforcing this, you guarantee that keys and sensitive operations can be hardware-isolated. A device without TPM could potentially store BitLocker keys in software (less secure) or not support advanced security like Windows Hello with hardware-backed credentials. So from a security viewpoint, this is the right call. Any device without a TPM (or with it disabled) will need remediation or replacement, which is acceptable in a high-security environment. This reflects a zero-trust hardware approach: only modern, TPM-equipped devices can be trusted fully[1].
  • AntivirusRequire. The compliance policy requires that antivirus protection is active and up-to-date on the device (Antivirus: Require)[1]. Intune checks the Windows Security Center status for antivirus. If no antivirus is registered, or if the AV is present but disabled/out-of-date, the device is noncompliant[1]. Options: Not configured (don’t check AV) or Require (must have AV on and updated)[1]. It’s hard to overstate the importance of this: running a reputable, active antivirus/antimalware is absolutely best practice on Windows. The policy’s requirement means every device must have an antivirus engine running and not report any “at risk” state. Windows Defender Antivirus or a third-party AV that registers with Security Center will satisfy this. If a user has accidentally turned off real-time protection or if the AV signatures are old, Intune will flag it[1]. Enforcing AV is a no-brainer for strong security. This matches all industry guidance (e.g., CIS Controls highlight the need for anti-malware on all endpoints). Our policy does enforce it[2].
  • AntispywareRequire. Similar to antivirus, this ensures anti-spyware (malware protection) is on and healthy (Antispyware: Require)[1]. In modern Windows terms, “antispyware” is essentially covered by Microsoft Defender Antivirus as well (Defender handles viruses, spyware, all malware). But Intune treats it as a separate compliance item to check in Security Center. This setting being required means the anti-malware software’s spyware detection component (like Defender’s real-time protection for spyware/PUPs) must also be enabled and not outdated[1]. Options: Not configured or Require, analogous to antivirus[1]. The policy sets it to Require[2]. This is again best practice – it ensures comprehensive malware protection is in place. In effect, having both AV and antispyware required just double-checks that the endpoint’s security suite is fully active. If using Defender, it covers both; if using a third-party suite, as long as it reports to Windows Security Center for both AV and antispyware status, it will count. This redundancy helps catch any scenario where maybe virus scanning is on but spyware definitions are off (though that’s rare with unified products). For our purposes, requiring antispyware is simply reinforcing the “must have anti-malware” rule – clearly aligned with strong security standards.

Collectively, these Device Security settings (Firewall, TPM, AV, antispyware) ensure that critical protective technologies are in place on every device:

  • The firewall requirement guards against network attacks and unauthorized connections[1].
  • The TPM requirement ensures hardware-based security for encryption and identity[1].
  • The AV/antispyware requirements ensure continuous malware defense and that no device is left unprotected against viruses or spyware[1].

All are definitely considered best practices. In fact, running without any of these (no firewall, no AV, etc.) would be considered a serious security misconfiguration. This policy wisely enforces all of them. Any device not meeting these (e.g., someone attempts to disable Defender Firewall or uninstall AV) will get swiftly flagged, which is exactly what we want in a secure environment.

*(Side note: The policy’s reliance on Windows Security Center means it’s vendor-agnostic; e.g., if an organization uses Symantec or another AV, as long as that product reports a good status to Security Center, Intune will see the device as compliant for AV/antispyware. If a third-party AV is used that *disables* Windows Defender, that’s fine because Security Center will show another AV is active. The compliance rule will still require that one of them is active. So this is a flexible but strict enforcement of “you must have one”.)*

Microsoft Defender Anti-malware Requirements

The policy further specifies settings under Defender (Microsoft Defender Antivirus) to tighten control of the built-in anti-malware solution:

  • Microsoft Defender AntimalwareRequire. This means the Microsoft Defender Antivirus service must be running and cannot be turned off by the user[1]. If the device’s primary AV is Defender (as is default on Windows 10/11 when no other AV is installed), this ensures it stays on. Options: Not configured (Intune doesn’t ensure Defender is on) or Require (Defender AV must be enabled)[1]. Our policy sets it to Require[2], which is a strong choice. If a third-party AV is present, how does this behave? Typically, when a third-party AV is active, Defender goes into a passive mode but is still not “disabled” in Security Center terms – or it might hand over status. This setting primarily aims to prevent someone from turning off Defender without another AV in place. Requiring Defender antivirus to be on is a best practice if your organization relies on Defender as the standard AV. It ensures no one (intentionally or accidentally) shuts off Windows’ built-in protection[1]. It essentially overlaps with the “Antivirus: Require” setting, but is more specific. The fact that both are set implies this environment expects to use Microsoft Defender on all machines (which is common for many businesses). In a scenario where a user installed a 3rd party AV that doesn’t properly report to Security Center, having this required might actually conflict (because Defender might register as off due to third-party takeover, thus Intune might mark noncompliant). But assuming standard behavior, if third-party AV is present and reporting, Security Center usually shows “Another AV is active” – Intune might consider the AV check passed but the “Defender Antimalware” specifically could possibly see Defender as not the active engine and flag it. In any case, for strong security, the ideal is to have a consistent AV (Defender) across all devices. So requiring Defender is a fine security best practice, and our policy reflects that intention. It aligns with Microsoft’s own baseline for Intune when organizations standardize on Defender. If you weren’t standardized on Defender, you might leave this not configured and just rely on the generic AV requirement. Here it’s set, indicating a Defender-first strategy for antimalware.
  • Microsoft Defender Antimalware minimum version4.18.0.0. This setting specifies the lowest acceptable version of the Defender Anti-Malware client. The policy has defined 4.18.0.0 as the minimum[2]. Effect: If a device has an older Defender engine below that version, it’s noncompliant. Version 4.18.x is basically the Defender client that ships with Windows 10 and above (Defender’s engine is updated through Windows Update periodically, but the major/minor version has been 4.18 for a long time). By setting 4.18.0.0, essentially any Windows 10/11 with Defender should meet it (since 4.18 was introduced years ago). This catches only truly outdated Defender installations (perhaps if a machine had not updated its Defender platform in a very long time, or is running Windows 8.1/7, which had older Defender versions – though those OS wouldn’t be in a Win10 policy anyway). Options: Admin can input a specific version string, or leave blank (no version enforcement)[1]. The policy chose 4.18.0.0, presumably because that covers all modern Windows builds (for example, Windows 10 21H2 uses Defender engine 4.18.x). Requiring a minimum Defender version is a good practice to ensure the anti-malware engine itself isn’t outdated. Microsoft occasionally releases new engine versions with improved capabilities; if a machine somehow fell way behind (e.g., an offline machine that missed engine updates), it could have known issues or be missing detection techniques. By enforcing a minimum, you compel those devices to update their Defender platform. Version 4.18.0.0 is effectively the baseline for Windows 10, so this is a reasonable choice. It’s likely every device will already have a later version (like 4.18.210 or similar). As a best practice, some organizations might set this to an even more recent build number if they want to ensure a certain monthly platform update is installed. In any case, including this setting in the policy shows thoroughness – it’s making sure Defender isn’t an old build. This contributes to security by catching devices that might have the Defender service but not the latest engine improvements. Since the policy’s value is low (4.18.0.0), practically all supported Windows 10/11 devices comply, but it sets a floor that excludes any unsupported OS or really old install. This aligns with best practice: keep security software up-to-date, both signatures and the engine. (The admin should update this minimum version over time if needed – e.g., if Microsoft releases Defender 4.19 or 5.x in the future, they might raise the bar.)
  • Microsoft Defender security intelligence up-to-dateRequire. This is basically ensuring Defender’s virus definitions (security intelligence) are current (Security intelligence up-to-date: Yes)[1]. If Defender’s definitions are out of date, Intune will mark noncompliant. “Up-to-date” typically means the signature is not older than a certain threshold (usually a few days, defined by Windows Security Center’s criteria). Options: Not configured (don’t check definitions currency) or Require (must have latest definitions)[1]. It’s set to Require in our policy[2]. This is clearly a best practice – an antivirus is only as good as its latest definitions. Ensuring that the AV has the latest threat intelligence is critical. This setting will catch devices that, for instance, haven’t gone online in a while or are failing to update Defender signatures. Those devices would be at risk from newer malware until they update. By marking them noncompliant, it forces an admin/user to take action (e.g. connect to the internet to get updates)[1]. This contributes directly to security, keeping anti-malware defenses sharp. It aligns with common security guidelines that AV should be kept current. Since Windows usually updates Defender signatures daily (or more), this compliance rule likely treats a device as noncompliant if signatures are older than ~3 days (Security Center flag). This policy absolutely should have this on, and it does – another check in the box for strong security practice.
  • Real-time protectionRequire. This ensures that Defender’s real-time protection is enabled (Realtime protection: Require)[1]. Real-time protection means the antivirus actively scans files and processes as they are accessed, rather than only running periodic scans. If a user had manually turned off real-time protection (which Windows allows for troubleshooting, or sometimes malware tries to disable it), this compliance rule would flag the device. Options: Not configured or Require[1]. Our policy requires it[2]. This is a crucial setting: real-time protection is a must for proactive malware defense. Without it, viruses or spyware could execute without immediate detection, and you’d only catch them on the next scan (if at all). Best practice is to never leave real-time protection off except perhaps briefly to install certain software, and even then, compliance would catch that and mark the device not compliant with policy. So turning this on is definitely part of a strong security posture. The policy correctly enforces it. It matches Microsoft’s baseline and any sane security policy – you want continuous scanning for threats in real time. The Intune CSP for this ensures that the toggle in Windows Security (“Real-time protection”) stays on[1]. Even if a user is local admin, turning it off will flip the device to noncompliant (and possibly trigger Conditional Access to cut off corporate resource access), strongly incentivizing them not to do that. Good move.

In summary, the Defender-specific settings in this policy double-down on malware protection:

  • The Defender AV engine must be active (and presumably they expect to use Defender on all devices)[1].
  • Defender must stay updated – both engine version and malware definitions[1][1].
  • Real-time scanning must be on at all times[1].

These are all clearly best practices for endpoint security. They ensure the built-in Windows security is fully utilized. The overlap with the general “Antivirus/Antenna” checks means there’s comprehensive coverage. Essentially, if a device doesn’t have Defender, the general AV required check would catch it; if it does have Defender, these specific settings enforce its quality and operation. No device should be running with outdated or disabled Defender in a secure environment, and this compliance policy guarantees that.

(If an organization did use a third-party AV instead of Defender, they might not use these Defender-specific settings. The presence of these in the JSON indicates alignment with using Microsoft Defender as the standard. That is indeed a good practice nowadays, as Defender has top-tier ratings and seamless integration. Many “best practice” guides, including government blueprints, now assume Defender is the AV to use, due to its strong performance and integration with Defender for Endpoint.)

Microsoft Defender for Endpoint (MDE) – Device Threat Risk Level

Finally, the policy integrates with Microsoft Defender for Endpoint (MDE) by using the setting:

  • Require the device to be at or under the machine risk scoreMedium. This ties into MDE’s threat intelligence, which assesses each managed device’s risk level (based on detected threats on that endpoint). The compliance policy is requiring that a device’s risk level be Medium or lower to be considered compliant[1]. If MDE flags a device as High risk, Intune will mark it noncompliant and can trigger protections (like Conditional Access blocking that device). Options: Not configured (don’t use MDE risk in compliance) or one of Clear, Low, Medium, High as the maximum allowed threat level[1]. The chosen value “Medium” means: any device with a threat rated High is noncompliant, while devices with Low or Medium threats are still compliant[1]. (Clear would be the most strict – requiring absolutely no threats; High would be least strict – tolerating even high threats)[1].

Setting this to Medium is a somewhat balanced security stance. Let’s interpret it: MDE categorizes threats on devices (malware, suspicious activity) into risk levels. By allowing up to Medium, the policy is saying if a device has only low or medium-level threats, we still consider it compliant; but if it has any high-level threat, that’s unacceptable. High usually indicates serious malware outbreaks or multiple alerts, whereas low may indicate minimal or contained threats. From a security best-practice perspective, using MDE’s risk as a compliance criterion is definitely recommended – it adds an active threat-aware dimension to compliance. The choice of Medium as the cutoff is probably to avoid overly frequent lockouts for minor issues, while still reacting to major incidents.

Many security experts would advocate for even stricter: e.g. require Low or Clear (meaning even medium threats would cause noncompliance), especially in highly secure environments where any malware is concerning. In fact, Microsoft’s documentation notes “Clear is the most secure, as the device can’t have any threats”[1]. Medium is a reasonable compromise – it will catch machines with serious infections but not penalize ones that had a low-severity event that might have already been remediated. For example, if a single low-level adware was detected and quarantined, risk might be low and the device remains compliant; but if ransomware or multiple high-severity alerts are active, risk goes high and the device is blocked until cleaned[1].

In our policy JSON, it’s set to Medium[2], which is in line with many best practice guides (some Microsoft baseline recommendations also use Medium as the default, to balance security and usability). This is still considered a strong security practice because any device under an active high threat will immediately be barred. It leverages real-time threat intelligence from Defender for Endpoint to enhance compliance beyond just configuration. That means even if a device meets all the config settings above, it could still be blocked if it’s actively compromised – which is exactly what we want. It’s an important part of a Zero Trust approach: continuously monitor device health and risk, not just initial compliance.

One could tighten this to Low for maximum security (meaning even medium threats cause noncompliance). If an organization has low tolerance for any malware, they might do that. However, Medium is often chosen to avoid too many disruptions. For our evaluation: The inclusion of this setting at all is a best practice (many might forget to use it). The threshold of Medium is acceptable for strong security, catching big problems while allowing IT some leeway to investigate mediums without immediate lockout. And importantly, if set to Medium, only devices with severe threats (like active malware not neutralized) will be cut off, which likely correlates with devices that indeed should be isolated until fixed.

To summarize, the Defender for Endpoint integration means this compliance policy isn’t just checking the device’s configuration, but also its security posture in real-time. This is a modern best practice: compliance isn’t static. The policy ensures that if a device is under attack or compromised (per MDE signals), it will lose its compliant status and thus can be auto-remediated or blocked from sensitive resources[1]. This greatly strengthens the security model. Medium risk tolerance is a balanced choice – it’s not the absolute strictest, but it is still a solid security stance and likely appropriate to avoid false positives blocking users unnecessarily.

(Note: Organizations must have Microsoft Defender for Endpoint properly set up and the devices onboarded for this to work. Given it’s in the policy, we assume that’s the case, which is itself a security best practice – having EDR (Endpoint Detection & Response) on all endpoints.)

Actions for Noncompliance and Additional Considerations

The JSON policy likely includes Actions for noncompliance (the blueprint shows an action “Mark device noncompliant (1)” meaning immediate)[2]. By default, Intune always marks a device as noncompliant if it fails a setting – which is what triggers Conditional Access or other responses. The policy can also be configured to send email notifications, or after X days perform device retire/wipe, etc. The snippet indicates the default action to mark noncompliant is at day 1 (immediately)[2]. This is standard and aligns with security best practice – you want noncompliant devices to be marked as such right away. Additional actions (like notifying user, or disabling the device) could be considered but are not listed.

It’s worth noting a few maintenance and dependency points:

  • Updating the Policy: As new Windows versions release, the admin should review the Minimum OS version field and advance it when appropriate (for example, when Windows 10 21H1 becomes too old, they might raise the minimum to 21H2 or Windows 11). Similarly, the Defender minimum version can be updated over time. Best practice is to review compliance policies at least annually (or along with major new OS updates)[1][1] to keep them effective.
  • Device Support: Some settings have hardware prerequisites (TPM, Secure Boot, etc.). In a strong security posture, devices that don’t meet these (older hardware) should ideally be phased out. This policy enforces that by design. If an organization still has a few legacy devices without TPM, they might temporarily drop the TPM requirement or grant an exception group – but from a pure security standpoint, it’s better to upgrade those devices.
  • User Impact and Change Management: Enforcing these settings can pose adoption challenges. For example, requiring a 14-character complex password might generate more IT support queries or user friction initially. It is best practice to accompany such policy with user education and perhaps rollout in stages. The policy as given is quite strict, so ensuring leadership backing and possibly implementing self-service password reset (to handle expiry) would be wise. These aren’t policy settings per se, but operational best practices.
  • Complementary Policies: A compliance policy like this ensures baseline security configuration, but it doesn’t directly configure the settings on the device (except for password requirement which the user is prompted to set). It checks and reports compliance. To actually turn on things like BitLocker or firewall if they’re off, one uses Configuration Profiles or Endpoint Security policies in Intune. Best practice is to pair compliance policies with configuration profiles that enable the desired settings. For instance, enabling BitLocker via an Endpoint Security policy and then compliance verifies it’s on. The question focuses on compliance policy, so our scope is those checks, but it’s assumed the organization will also deploy policies to turn on BitLocker, firewall, Defender, etc., making it easy for devices to become compliant.
  • Protected Characteristics: Every setting here targets technical security and does not discriminate or involve user personal data, so no concerns there. From a privacy perspective, the compliance data is standard device security posture info.

Conclusion

Overall, each setting in this Windows compliance policy aligns with best practices for securing Windows 10/11 devices. The policy requires strong encryption, up-to-date and secure OS versions, robust password/PIN policies, active firewall and anti-malware, and even ties into advanced threat detection (Defender for Endpoint)[2][2]. These controls collectively harden the devices against unauthorized access, data loss, malware infections, and unpatched vulnerabilities.

Almost all configurations are set to their most secure option (e.g., requiring vs not, or maximum complexity) as one would expect in a high-security baseline:

  • Data protection is ensured by BitLocker encryption on disk[1].
  • Boot integrity is assured via Secure Boot and Code Integrity[1].
  • Only modern, supported OS builds are allowed[1].
  • Users must adhere to a strict password policy (complex, long, regularly changed)[1].
  • Critical security features (firewall, AV, antispyware, TPM) must be in place[1][1].
  • Endpoint Defender is kept running in real-time and up-to-date[1].
  • Devices under serious threat are quarantined via noncompliance[1].

All these are considered best practices by standards such as the CIS Benchmark for Windows and government cybersecurity guidelines (for example, the ASD Essential Eight in Australia, which this policy closely mirrors, calls for application control, patching, and admin privilege restriction – many of which this policy supports by ensuring fundamental security hygiene on devices).

Are there any settings that might not align with best practice? Perhaps the only debatable one is the 365-day password expiration – modern NIST guidelines suggest you don’t force changes on a schedule unless needed. However, many organizations still view an annual password change as reasonable policy in a defense-in-depth approach. It’s a mild requirement and not draconian, so it doesn’t significantly detract from security; if anything, it adds a periodic refresh which can be seen as positive (with the understanding that user education is needed to avoid predictable changes). Thus, we wouldn’t call it a wrong practice – it’s an accepted practice in many “strong security” environments, even if some experts might opt not to expire passwords arbitrarily. Everything else is straightforwardly as per best practice or even exceeding typical baseline requirements (e.g., 14 char min is quite strong).

Improvements or additions: The policy as given is already thorough. An organization could consider tightening the Defender for Endpoint risk level to Low (meaning only absolutely clean devices are compliant) if they wanted to be extra careful – but that could increase operational noise if minor issues trigger noncompliance too often[1]. They could also reduce the idle timeout to, say, 5 or 10 minutes for devices in very sensitive environments (15 minutes is standard, though stricter is always an option). Another possible addition: enabling Jailbreak detection – not applicable for Windows (it’s more for mobile OS), Windows doesn’t have a jailbreak setting beyond what we covered (DHA covers some integrity). Everything major in Windows compliance is covered here.

One more setting outside of this device policy that’s a tenant-wide setting is “Mark devices with no compliance policy as noncompliant”, which we would assume is enabled at the Intune tenant level for strong security (so that any device that somehow doesn’t get this policy is still not trusted)[3]. The question didn’t include that, but it’s a part of best practices – likely the organization would have set it to Not compliant at the tenant setting to avoid unmanaged devices slipping through[3].

In conclusion, each listed setting is configured in line with strong security best practices for Windows devices. The policy reflects an aggressive security posture: it imposes strict requirements that greatly reduce the risk of compromise. Devices that meet all these conditions will be quite well-hardened against common threats. Conversely, any device failing these checks is rightfully flagged for remediation, which helps the IT team maintain a secure fleet. This compliance policy, especially when combined with Conditional Access (to prevent noncompliant devices from accessing corporate data) and proper configuration policies (to push these settings onto devices), provides an effective enforcement of security standards across the Windows estate[3][3]. It aligns with industry guidelines and should substantially mitigate risks such as data breaches, malware incidents, and unauthorized access. Each setting plays a role: from protecting data encryption and boot process to enforcing user credentials and system health – together forming a comprehensive security baseline that is indeed consistent with best practices.

[1][2]

References

[1] Windows compliance settings in Microsoft Intune

[2] Windows 10/11 Compliance Policy | ASD’s Blueprint for Secure Cloud

[3] Device compliance policies in Microsoft Intune

Onboarding Checklist for BYOD Windows Devices (Microsoft 365 Business Premium)

bp1

Introduction

Bring Your Own Device (BYOD) programs allow employees to use personal Windows laptops for work, but this flexibility demands strict security measures to protect company data. Microsoft 365 Business Premium provides integrated tools like Azure AD (for identity), Intune (Microsoft Endpoint Manager for device management), and Microsoft Defender for Business to secure both managed and unmanaged devices[1]. A comprehensive onboarding checklist helps IT departments ensure that every personal Windows device meets the organization’s security requirements and compliance standards before accessing corporate resources. This report outlines key steps and best practices for onboarding BYOD Windows 10/11 devices under M365 Business Premium, including installing security software, configuring security policies, and protecting company information at all stages.

Key Objectives: By following this checklist, organizations can: (1) Standardize the BYOD setup process to cover all critical security configurations, (2) Enforce best practices like encryption, up-to-date antivirus, and multi-factor authentication, and (3) Ensure ongoing compliance and support, including handling lost devices and user training. Adopting these measures helps maintain data integrity and regulatory compliance while enabling employees to work productively on their own devices[2][2].

Step-by-Step BYOD Onboarding Checklist

Below is an ordered checklist of steps to onboard a personal Windows device under M365 Business Premium. Each step is crucial to safeguard corporate information on that device from the start:

  1. Verify Device Requirements and Update OS: Ensure the personal PC meets minimum security requirements before enrollment. Check that the device is running a supported version of Windows 10 or 11, and install the latest system updates and patches. If the PC is on Windows Home edition, upgrade it to Windows 10/11 Pro because advanced security features like BitLocker encryption require Pro or Enterprise editions[1]. (M365 Business Premium includes upgrade rights from Windows 7/8/8.1 Pro to 10/11 Pro at no extra cost[1].) Confirm that Windows Update is enabled so the device continues to receive security patches regularly.

  2. Enable Multi-Factor Authentication (MFA) for User Accounts: Secure user identity before granting access to company data. Require all BYOD users to set up MFA on their Microsoft 365 accounts before or during device enrollment. Microsoft 365 Business Premium supports strong authentication policies – for example, using the Microsoft Authenticator mobile app for OTP codes or push notifications[1]. Helping every user enable MFA is one of the first and most important steps[3], as it significantly reduces the risk of account breaches by adding a verification step beyond just passwords. Administrators can enforce MFA through Azure AD Conditional Access or Security Defaults. Ensure users have registered at least two MFA methods (such as authenticator app and phone) and have tested that they can log in with MFA. This guarantees that even if a password is compromised, attackers cannot easily access corporate apps.

  3. Install Microsoft 365 Apps and Company Portal: Set up work applications and tools needed for a managed, secure experience. Instruct the user to install the latest Microsoft 365 Apps (Office suite including Outlook, Word, Excel, Teams, OneDrive, etc.) on the personal device[3]. These official apps are designed to work with M365 security controls. Additionally, have the user install the Intune Company Portal app (for Windows, it’s available from the Microsoft Store or as part of Windows settings) – this app will facilitate device enrollment in Microsoft Intune (Endpoint Manager) and allow the device to receive security policies. Using the Company Portal, the employee should sign in with their work account and register/enroll the device in Intune. This enrollment marks the device as known to the organization and allows IT to apply required configurations (while respecting privacy on personal data). If full enrollment is not desired for BYOD, consider using Windows device registration (Azure AD register instead of join) along with app protection policies; however, full Intune enrollment is recommended for comprehensive policy enforcement.

  4. Enroll the Device in Azure AD and Intune: Connect the device to the company’s Azure AD for identity and enable mobile device management. During or after Company Portal installation, guide the user to join or register the device to Azure AD (work account) and complete Intune enrollment. This process may involve navigating to Settings > Accounts > Access work or school on Windows and clicking “Connect” to add the work/school account. The user will authenticate (using MFA as set up earlier) and the device will become Azure AD joined or registered, and automatically enroll in Intune MDM if configured. Once enrolled, Intune will push down the organization’s security configurations and compliance policies to the BYOD device[1][1]. Tip: Have clear instructions or an enrollment wizard for users – possibly leverage Microsoft Autopilot for a smoother experience if the device is being set up from scratch[1]. Successful enrollment allows the device to be monitored and managed remotely by IT.

  5. Apply Security Configuration and Compliance Policies: Configure the device with all required security settings via Intune or guided manual steps. After enrollment, the device should receive Intune policies that enforce the organization’s security standards. Key security policies to configure include:

    • Device Encryption: Require full-disk encryption (BitLocker) on the BYOD Windows device. Intune compliance policy can mark a device non-compliant if BitLocker is not enabled. For devices that support device encryption (a lighter form available on some Windows Home/modern devices), ensure it’s turned on[4]. BitLocker (or Device Encryption) ensures that if the laptop is lost or stolen, data on the drive cannot be accessed without proper credentials. (Note: BitLocker requires Windows Pro or higher; this is why upgrading Home editions is necessary.)
    • Antivirus and Anti-malware: Ensure that Microsoft Defender Antivirus (Windows Security) is active and up-to-date on the device[4]. Intune’s Endpoint Security policies or Microsoft Defender for Business can enforce real-time protection and signature updates. Users should be prevented from disabling antivirus. If the organization opts for a third-party security suite, that should be installed at this stage. M365 Business Premium includes Microsoft Defender for Business, an endpoint protection platform with advanced threat detection; devices can be onboarded to this service for enhanced protection against malware, ransomware, and phishing[1].

    • Firewall: Verify that the Windows Defender Firewall is enabled on all network profiles[4]. Intune can configure firewall settings or a baseline security policy. A firewall helps block unauthorized network access, and it should remain on even if an alternative firewall is in use[4].

    • Device Access Requirements: Enforce a secure lock screen and sign-in policy. Intune configuration can require a strong PIN/password or Windows Hello for Business (biometric or PIN) for device login. This ensures the device is inaccessible to others if left unattended. Also configure idle timeouts (auto lock after a period of inactivity).

    • OS and App Updates: Use Intune policies or Windows Update for Business settings to force automatic updates for Windows OS and Microsoft 365 Apps. Keeping the system updated patches vulnerabilities regularly[1]. Enable Microsoft Store auto-updates as well, so other apps (like Company Portal) stay updated.

    • Application Protection: Optionally deploy App Protection Policies (MAM-WE) for sensitive apps. For example, require that company Outlook and OneDrive apps have additional PIN or only allow saving files to company-approved locations. This can contain corporate data within managed apps even on a personal device, adding a layer of data loss prevention.

    • Conditional Access Policies: Configure Azure AD Conditional Access to complement device policies. For BYOD scenarios, set policies that allow access to company cloud resources only if the device is marked compliant with Intune or if accessing via approved client apps. Also require MFA on unmanaged or new devices. Conditional Access ensures that devices not meeting security criteria (or unknown devices) are blocked from company email, SharePoint, Teams, etc., thereby protecting data.

    By applying these policies, the BYOD PC is transformed into a trusted device: it has encryption enabled, a firewall up, active malware protection, and adherence to password/MFA rules. Intune’s compliance reports will show if any device falls out of line (e.g., encryption turned off or OS outdated), enabling IT to take action[1].

  6. Install and Verify Security Software: Deploy and confirm all necessary security software is running correctly on the device. This includes:

    • Microsoft Defender Antivirus & Firewall: As noted, ensure the built-in Windows Security suite (Defender AV and Firewall) is enabled. No separate installation is needed on Windows 10/11 because these come pre-installed, but verify real-time protection is on and virus definitions are current[4]. In the Windows Security settings, check for any alerts or needed actions (update definitions, run an initial scan, etc.).

    • Microsoft Defender for Business (Endpoint): Since M365 Business Premium includes this advanced security, onboard the device to Defender for Business if not done via Intune. This can be achieved through Intune onboarding policies or via the Microsoft 365 Defender portal by downloading an onboarding script. Onboarding allows the device to report threats and be monitored for sophisticated attacks in the Defender portal[1]. Once onboarded, verify in the Microsoft 365 Defender Security Center that the device status is healthy (showing as onboarded/active) and that no threats are detected[1][1].

    • Additional Security Tools: If your organization uses additional security software (such as a VPN client for secure remote access, endpoint DLP agents, or device management agents), install those as part of onboarding. For example, install a corporate VPN and test that it connects successfully. Ensure any browser security extensions or configurations (like enabling SmartScreen filter in Edge or Chrome) are in place as required.

    • Verify Security Settings: After installation, run a security health check on the device. This could include verifying BitLocker status (e.g., using manage-bde -status command or via Windows settings), running a test malware scan with Defender, and confirming that firewall rules/policies have applied. Many of these can be reviewed in the Intune device record (which will list compliance with each setting) or directly on the PC.

    Document that security software is in place (via screenshots or compliance reports) for auditing. This step ensures the device is not only configured to be secure but actively running protections against threats on an ongoing basis.

  7. Test Access to Company Resources Securely: Before declaring the onboarding complete, verify that the user can access work resources under the new security constraints. For example, sign into Office 365 (Outlook, Teams, SharePoint) from the device. The login should prompt MFA if not already remembered (testing that MFA is working). Access email and ensure that any email security features (like Outlook’s phishing protection or Safe Links, if configured under Defender for Office 365) are active. Try opening a company document from OneDrive/SharePoint and ensure it opens in the managed Office app. If you have set up conditional access such that only compliant devices can download certain content, confirm that this device is allowed. Conversely, attempt an action that should be blocked (for instance, downloading a sensitive file to an unapproved location or using a non-managed app to access a secure file) to verify policies are effective. This practical test ensures that all configuration from previous steps is correctly enforced and the device is ready for productive use without exposing data.

  8. Communicate Usage Guidelines to the Employee: As the final onboarding step, educate the device owner on their responsibilities and how to stay within compliance. Review the BYOD policy and security best practices with the user as part of the hand-off. Key points to cover include: keeping the device password private, not disabling security settings (e.g., not turning off the firewall or antivirus), recognizing company data vs personal data on the device, and how to report issues or lost devices. Provide the employee with support resources (like IT helpdesk contact, or a quick-start guide) for using corporate apps on their Windows PC. Emphasize that while IT has enrolled and secured their laptop, the user plays a crucial role in maintaining security—through safe browsing habits, avoiding suspicious email links, and complying with all policies. Regular training and awareness are essential, since even the best technical measures can be undermined by user actions[2]. The user should feel confident about what is expected and what steps to take in various scenarios (e.g., if they see an unfamiliar device warning or if they need to install updates). This wraps up the onboarding, ensuring the employee is ready to work securely on their BYOD laptop.

Post-Onboarding Security Practices and Policies

Onboarding is just the beginning; maintaining security for BYOD devices is an ongoing process. After the initial setup, IT departments should enforce additional measures and be prepared for the full device lifecycle. Below are key practices and policy considerations to ensure company information remains protected on BYOD Windows devices:

  • Continuous Compliance Monitoring: Once devices are enrolled and in use, IT must continuously monitor their compliance and health status. Leverage the Microsoft 365 Defender portal and Intune for visibility[1][1]. Set up alerts or periodic reports for non-compliance (e.g., a device that falls out of encryption or misses updates). Microsoft Intune provides compliance dashboards showing which devices comply with policies and which don’t. Only compliant devices should retain access to sensitive resources – use Conditional Access rules so that if a device becomes non-compliant (say antivirus turns off or OS updates lapse), the device’s access is restricted until issues are resolved. Regularly review devices’ threat status in Defender for Business; if malware was detected on a BYOD machine, ensure it was successfully remediated and investigate if any data was compromised. Monitoring tools allow administrators to run remote antivirus scans or even isolate a device if a serious threat is detected[1].

  • Security Policy Updates and Patching: Threats evolve, and so should your policies. Periodically re-evaluate security policies in Intune/Endpoint Manager to incorporate new best practices or address any gaps. For instance, if a new Windows 11 security feature becomes available (such as improved ransomware protection or driver block rules), update your configuration profiles or baselines to enable it on BYOD devices. Ensure that patch management remains enforced – devices should be getting Windows security updates at least monthly. Intune can be configured to force updates outside active hours and even auto-reboot if needed (with user warnings). The organization should also push updates for Microsoft 365 Apps and any other managed applications. Keep all software (including third-party apps) up to date to reduce vulnerabilities[1]. This may involve user education for apps not managed by Intune, reminding them to update browsers, PDF readers, etc., which could pose risks if outdated.

  • Handling Lost or Stolen Devices: Despite precaution, a BYOD laptop might be lost or stolen – swift action is vital to protect data. Prepare a clear procedure for such incidents as part of the BYOD policy. Usually, the employee must report the loss to IT immediately. IT can then remotely wipe corporate data from the lost device using Intune’s “Retire” or “Selective Wipe” function, which removes company apps, email, and data without erasing personal files. In more severe cases or if the device is fully managed, a full remote wipe/reset might be executed to factory settings. Also, revoke the device’s access in Azure AD (mark it as lost, disable it, or remove it from the list of trusted devices). Because BitLocker encryption was enforced, data on the device’s drive remains inaccessible to unauthorized parties[4]. Nonetheless, monitor the Azure AD sign-in logs or Defender alerts for any unusual attempts from that device. Document the incident, and if appropriate, have the user file a police report. The key is to ensure that a lost BYOD machine cannot be a gateway to company information, thanks to the layered protections in place.

  • Secure Data Removal and Offboarding: When an employee leaves the company or a personal device is no longer used for work, securely remove all corporate information from that BYOD device. Intune provides a Retirement option which will scrub organization data: it removes managed email profiles, de-registers the device from Azure AD, and deletes any locally cached corporate files (for instance, it can wipe the work OneDrive folder if it was marked for enterprise wipe). In addition, ensure that any company licenses or access tokens are invalidated on that device: sign the user out of Office 365 apps (you can expire user sessions from the Microsoft 365 admin center or Azure AD). If BitLocker was used and the recovery key was escrowed to Azure AD, verify that key is revoked from user’s account. Have a checklist for employee exit that includes confirming all their BYOD devices are either wiped or returned to personal-only use. Instruct the user on how to uninstall Company Portal and any work apps if necessary. The goal is to prevent any residual corporate data from remaining on a personal device once it’s out of the BYOD program. This protects company information and also respects the employee’s device ownership going forward.

  • User Education and Training: A strong BYOD security posture combines technology with informed users. Regular security awareness training is crucial, because users who understand the importance of policies are less likely to violate them inadvertently[2]. Conduct periodic training sessions or send out tips covering topics like: how to spot phishing emails, safe internet habits on a work device, proper use of VPNs, and what to do if they suspect a security issue. Also, educate users on acceptable use policies – for instance, discourage storing work files on unapproved personal cloud services or sharing work data via personal email. Make sure employees know the boundaries of IT’s access to their BYOD device (for transparency and trust, clarify that IT manages only corporate data/configuration, and personal files/apps remain private). Provide a BYOD handbook or quick-reference guide that summarizes do’s and don’ts, security steps, and contact information for support. When users understand the “why” behind each security measure, they are more likely to cooperate and less likely to attempt workarounds[2][2].

  • Clear BYOD Policies and Compliance Requirements: Develop a formal BYOD policy document that employees must read and sign. This should outline security requirements (like those in this checklist), acceptable use guidelines, and consequences for non-compliance. From a compliance standpoint, the policy helps ensure the company meets legal and regulatory obligations by extending them to personal devices. Consider data protection laws relevant to your industry – for example, if subject to GDPR or other privacy regulations, the policy should mandate encryption and access controls on any device processing personal data, even if owned by employees. Many regulations (HIPAA for healthcare, PCI-DSS for payment data, etc.) require demonstrable protection of sensitive information; extending those controls to BYOD is essential to stay compliant. Make sure the BYOD program is vetted by the compliance and legal teams so that it aligns with any certifications or standards the company adheres to. In practice, this means personal devices must meet the same security bars as corporate devices – e.g., encryption, audit logging (where feasible), secure user authentication – to protect confidential information[2][2]. Regular audits or reviews of BYOD devices can be done to ensure compliance (with the user’s knowledge and consent as per the policy). Non-compliant devices should be compelled to comply or be blocked from access. This proactive stance and clear documentation help mitigate legal risks and demonstrate due diligence in protecting data.

  • Staying Updated on Threats and Best Practices: Technology and cyber threats evolve rapidly. IT departments should stay informed about the latest security advisories, updates, and best practices, especially related to Windows and Microsoft 365. Subscribe to official Microsoft security blogs or newsletters for updates on new features in Intune, Defender, Windows, etc. Leverage the Microsoft 365 Secure Score tool – it provides suggestions to improve security posture which can highlight areas to tighten in your BYOD policy. Attend webinars or training offered by Microsoft (or reputable security organizations) to continuously improve your BYOD management strategy. It’s also wise to periodically revisit this checklist and policy: at least annually, update it to include new controls or to address any incidents that occurred. For example, if there’s news of a particular type of attack targeting BYOD scenarios, ensure your defenses cover it (perhaps by adding a new rule or user training point). By keeping both IT staff and employees up-to-date on security knowledge, the organization creates a culture of security that extends to all devices. In summary, continuous improvement and vigilance are part of the BYOD security lifecycle – the checklist is a living document that should adapt to emerging risks and technological advancements.

Conclusion

Implementing a robust onboarding checklist for BYOD Windows devices ensures that personal devices meet corporate security standards from day one. Through Microsoft 365 Business Premium’s capabilities like Intune device management, Defender for Business, and Azure AD Conditional Access, organizations can achieve a balance where employees enjoy the convenience of using their own laptops while the company’s information remains well-protected. By following the steps outlined – from enforcing MFA and installing security software to enabling encryption and configuring policies – IT administrators can significantly reduce the risk of data breaches on personal machines. Equally important are the post-onboarding practices: continuous monitoring, user training, and clear policies will maintain security over time and address challenges such as lost devices or evolving compliance requirements.

In essence, securing BYOD is a shared responsibility[2]: IT provides the tools and guidance, and employees uphold the required practices. When done right, a BYOD program with a thorough security checklist can enhance productivity without compromising on security. This report and checklist serve as a comprehensive guide for IT departments to onboard and manage personal Windows devices confidently, ensuring that sensitive company data stays safe on any device, anywhere.。[2][4]

References

[1] Secure managed and unmanaged devices – Microsoft 365 Business Premium

[2] Securing BYOD with Microsoft Intune – A Practical Approach

[3] Set up unmanaged devices with Microsoft 365 Business Premium …

[4] Protect unmanaged devices with Microsoft 365 Business Premium

How to enrol a device in Intune that has previously been joined to Entra id

Screenshot 2025-05-09 091912

When a device is Entra ID joined *before* the user has an Intune license or before automatic MDM enrollment is configured for that user/group, it won’t automatically enroll in Intune.

Here’s how to get it enrolled without needing to unjoin and rejoin Entra ID (which is the more disruptive option):

Method 1: Trigger Enrollment via Settings (Easiest & Preferred)

This is often the simplest way if automatic enrollment is now correctly configured for the user.

  1. Ensure Prerequisites:

    • Intune License: Confirm the user logging into the Windows device has an active Intune license assigned (e.g., part of Microsoft 365 E3/E5/F3, EMS E3/E5, or a standalone Intune license).

    • MDM User Scope: In the Microsoft Entra admin center (entra.microsoft.com):

      • Navigate to Devices > Enrollment > Windows enrollment.

      • Click on Automatic Enrollment.

      • Ensure the MDM user scope is set to All or a group that the licensed user is a member of. (The MAM user scope is for a different purpose, usually BYOD).
    • CNAME Records: While Entra ID join worked, it’s good to ensure your DNS CNAME records for EnterpriseRegistration and EnterpriseEnrollment are correctly pointing to Microsoft’s services. This is usually fine if Entra join worked, but it’s a foundational piece for MDM enrollment.

  2. On the Windows Device:

    • Log in as the user who has the Intune license.

    • Go to Settings > Accounts > Access work or school.

    • You should see “Connected to ‘s Microsoft Entra ID”.

    • Click on this connection, then click the Info button.

    • Look for a Sync button. Click it.

      • This action forces the device to re-evaluate its MDM enrollment status with Entra ID. If the user is now in scope and licensed, it should trigger the Intune enrollment process.
    • Wait: Enrollment can take a few minutes. You might see a notification, or you can check the Intune portal (Microsoft Intune admin center) under Devices > Windows to see if the device appears and its compliance status.

    • Reboot: Sometimes a reboot helps kickstart the process after clicking “Sync.”

Method 2: Enroll via Company Portal App

  1. Ensure Prerequisites: Same as Method 1 (License and MDM User Scope).

  2. On the Windows Device:
    • Install the Company Portal app from the Microsoft Store.

    • Open the Company Portal app.

    • Sign in with the Entra ID credentials of the licensed user.

    • The Company Portal app will typically detect that the device isn’t yet managed by Intune and will guide the user through the enrollment process. Follow the on-screen prompts.

Method 3: Enroll Only in Device Management (Less Common for this scenario but an option)

This method is typically for devices that are not Entra ID joined but you want to enroll them into Intune. However, it can sometimes nudge an already Entra ID joined device.

  1. Ensure Prerequisites: Same as Method 1.

  2. On the Windows Device:
    • Go to Settings > Accounts > Access work or school.

    • Click Connect.

    • Crucially, on the “Set up a work or school account” screen, look for a link that says something like “Enroll only in device management” or similar phrasing. Do not just type the email address in the main box, as that will try to Entra ID join it (which it already is).

    • Enter the user’s Entra ID email address and follow the prompts.

Troubleshooting & Verification:

  • Check Intune Portal: After attempting enrollment, go to the Microsoft Intune admin center (intune.microsoft.com) > Devices > Windows. Search for the device. It might take 5-30 minutes (sometimes longer) to appear or update its status.

  • Event Viewer on the Device:
    • Open Event Viewer.

    • Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

    • Look for events related to MDM enrollment (Event ID 75 or 76 often indicate successful enrollment). Errors here can give clues.
  • Check MDM URLs in Registry (Advanced):
    • Open Registry Editor (regedit).

    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments.

    • Look for a subkey with a GUID. Inside, you should find values like DiscoveryServiceFullUrl, EnrollmentServiceFullUrl, PolicyServiceFullUrl pointing to Intune services (e.g., https://enrollment.manage.microsoft.com/...). If these are present, enrollment likely succeeded or is in progress.
  • Patience: Sometimes it just takes a little while for all the syncs to happen.

Last Resort (If the above fails and you’re sure licensing/scoping is correct):

  1. Disconnect from Entra ID and Rejoin:
    • Backup important local data if any.
    • Go to Settings > Accounts > Access work or school.

    • Click the “Connected to ‘s Microsoft Entra ID” account and click Disconnect. Confirm the disconnection.

    • Reboot the device.

    • After rebooting, go back to Settings > Accounts > Access work or school.

    • Click Connect.

    • Choose to Join this device to Microsoft Entra ID and sign in with the licensed user’s credentials.

    • This fresh join process should trigger the Intune enrollment immediately, assuming automatic enrollment is configured.

Start with Method 1 (Sync button) as it’s the least invasive. Method 2 (Company Portal) is also very reliable.

Office desktop apps include Windows Explorer

A major stumbling block for many during the transformation process from on premises to Microsoft 365 is the desire for Windows Explorer. It is understandable that people want to maintain the status quo and their current work processes, however want many don’t appreciate is that Windows Explorer like capability is built right into Microsoft Office desktop applications.

image

If we take a look a Word as an example, and then select Open from the menu on the left, we find an array of documents displayed that were recently opened as shown above. You’ll also notice that you can view recently accessed Folders from this same interface as well. There is even a Search option at the top of the page to help you locate items in this list.

image

You’ll see there is also the ability to ‘pin’ an item (file or folder) so that it will always appear as shown above.

image

A little further down you will find the cloud storage locations you are connected to as shown above, which are typically associated with your Microsoft 365 environment. If I select SharePoint here, I will then see a list of my SharePoint sites on the right.

image

If I then drill into a site, I will see all the Document Libraries it contains. If then drill into a Document Library I will see all the files and folders within, just like you do when using Windows Explorer.

image

If I right click on something like a folder, you see from the above, that I again have the ability to Pin to Recent list. This makes it easy to navigate back to that location later. It is always a good idea to do this for those locations you need to get to regularly. 

I can move up and down the list of items as I could using Windows Explorer. This therefore, should be the familiarity that many are looking for when navigating file structures.

The file displays inside this application navigation are limited to files that can be opened or view by that application. For Word this would be things like DOC, DOCX, PDF, Text files and so on.

It would be nice if Microsoft (or anyone else) took this built-in Office desktop navigation and created a stand alone desktop application that could navigate all files at once. This would then be a direct replacement for the traditional version of Windows Explorer but for locations in Microsoft 365. How handy would that be?

As yet, I have not found an application that does this but hopefully some smart developer will look ate creating something as I reckon it would be a real winner. So, for the time being, remember that you do have a simplified version of the old familiar Windows Explorer built into Office desktop application that you can use to enhance your daily workflow with the common file types you work with in Microsoft 365.

My Apps 2021

pexels-mohi-syed-50614

I am still not a big app user. I am very careful and selective about what I install on my device. Less is definitely more for me.

To see what I was using at the beginning of last year check out the article:

My Apps – 2020

My daily driver when it comes to a phone is an iPhone currently but I also have a Google Pixel as a backup. The other device that I use apps on is my iPad mini.

My most used apps on mobile devices over the last year were:

Castro on iOS to listen to all my podcasts on iOS.

Lastpass password manager and authenticator. for general password management.

Microsoft Authenticator – I use this for a number of select web sites as well as Microsoft 365.

Car Play – Connects to my daily drive to provide the ability to listen to podcasts as well as use Waze for navigation. Gotta say that it isn’t nearly as good as Android auto in my experience. However, since I’m spending an extended time in the Apple ecosystem I’ll be stick with this.

OneNote – is a must on every device I own. Syncs all my notes to every device. Allows me to not only truly have my information everywhere I am but also capture information quickly and easily.

OneDrive – This mobile app now not only allows me to manage my Microsoft 365 files but it also incorporates the more advanced Office Lens technology that scans and uploads, documents, whiteboards, etc.

Tripview – One of the few apps that I have happily paid for. I use this to let me know the Sydney train schedule to help me get around when I need to negotiate the ‘real world’. Although not much travel is happening at the moment, this app is super handy for negotiating local public transport.

Audible – If I can’t read my Kindle then I can normally always listen. This app allows me to listen to my audio books where ever I am. This and Castro on iOS are probably the most used applications on my devices.

Amazon Kindle – If I don’t have access to my Kindle then I can still read my books. In my case that will most likely be on my iPad. I also use the Kindle app on the iPad when the ebook has a lot of images that sometime don’t display well or are too small for the Kindle device.

The following as currently only iOS:

Oak – For mindfulness, breathing and meditation.

Zero – For fasting.

Rode Reporter – which I use for recording many of my presentations when I am out on the road, which ain’t so much these days but still a handy app to have.

Of course I have all the social media apps, such as Twitter, Linkedin and Facebook on my devices.

I also have all the Microsoft/Office 365 apps. The ones I use the most are probably To-Do, Outlook, SharePoint, OneDrive, Teams and Yammer, although Word and Excel also get used regularly. Just about every Microsoft Office 365 service has an app that you should have on your mobile device. On my Android I am also using Edge as the primary browser along with the new Edge Insider. I also have the Brave browser on my devices as do not use Chrome at all.

I’ve also added the Intune app to all my devices so they can be better managed.

I use the Microsoft Next Lock Screen on my Android device.

Some occasional ones I use include:

Get Pocket

Duolingo

– Uber

– Amazon music

I use the normal personal apps for things like Internet banking and so on. I also use Blockfolio for monitoring cryptocurrency. For casual entertainment and general interest I also have Minecraft Earth installed but really don’t use it much.

One my iPad, which also serves as a personal entertainment device, I have the streaming services Netflix and Amazon Prime Video.

The above are my used apps across my various mobile devices. My aim to try and keep the app standard across all the devices and as few as possible. I try and standardise as much as possible to use the Microsoft apps on all platforms. I certainly use a wide variety of apps on my devices by prefer the desktop versions if available simply because my finger are too fat and my patience too short to be productive for long stints on mobile devices. My kingdom, my kingdom for a full keyboard and screen I cry.