Creating security policies in Intune to protect Windows devices
01/08/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in creating and implementing robust security policies in Microsoft Intune to protect Windows devices. Microsoft Intune (the cloud service formerly marketed under the Microsoft Endpoint Manager umbrella) provides a comprehensive solution for unified endpoint management, enabling organizations to manage devices, protect data, and ensure compliance with security policies regardless of where devices are located [1].
Introduction
In a modern workplace, where devices can be company-owned or personal (BYOD) and access corporate resources from anywhere, endpoint security is more critical than ever. Microsoft Intune simplifies the management and enforcement of security policies on Windows devices, ensuring they meet corporate standards before accessing sensitive data [2].
This practical guide will cover creating different types of security policies in Intune, such as compliance policies and device configuration profiles, focusing on real-world scenarios and providing step-by-step instructions, example configurations, and validation methods. The goal is to enable the reader to implement these policies effectively and improve their organization's security posture.
Why use Intune for security policies?
Intune provides several benefits for managing Windows device security:
- Unified Management: Manage Windows, macOS, iOS/iPadOS and Android devices from a single console.
- Continuous Compliance: Ensures devices meet security requirements before accessing corporate resources.
- Automation: Automates the deployment of security settings, updates, and applications.
- Integration: Integrates with other Microsoft solutions, such as Azure AD (Microsoft Entra ID) for Conditional Access and Microsoft Defender for Endpoint for advanced threat protection.
- Flexibility: Supports diverse scenarios, from fully managed corporate devices to BYOD.
Prerequisites
To follow this tutorial, you will need the following items:
- Licensing: A valid license for Microsoft Intune. Often included in packages such as Microsoft 365 E3, E5, F1, F3, or Enterprise Mobility + Security (EMS) standalone licenses [3].
- Administrative Access: An account holding the Intune Administrator role in the Microsoft Intune admin center (https://intune.microsoft.com; the older https://endpoint.microsoft.com address redirects there). Global Administrator also works, but it is far more privilege than this task needs, so prefer the scoped role.
- Enrolled Windows Devices: Windows 10/11 devices already enrolled in Microsoft Intune. Enrollment can be done via Microsoft Entra join (Azure AD Join), hybrid join, or manual enrollment through Settings > Accounts > Access work or school for BYOD.
- User and Device Groups: Security groups in Azure AD to assign policies in an organized way.
Step by Step: Creating Security Policies in Intune
We'll create different types of policies to demonstrate the comprehensiveness of Intune.
1. Creating a Device Compliance Policy
Compliance policies define the requirements that a device must meet to be considered "compliant." Non-compliant devices can be blocked from accessing corporate resources through Conditional Access policies; note that the compliance state on its own blocks nothing, so a Conditional Access policy that requires a compliant device is what gives the policy teeth. Also check the tenant-wide setting Compliance policy settings > Mark devices with no compliance policy assigned as: a device with no policy assigned takes whatever value is set there, so set it to Not compliant.
Steps:
- Go to the Microsoft Intune admin center (called the Microsoft Endpoint Manager admin center in older documentation).
- Navigate to Devices > Compliance Policies.
- Click Create Policy.
- Select the Platform Windows 10 and later and click Create.
- Basics: Give the policy a name (ex: Windows - Default Compliance Policy) and a description. Click Next.
- Compliance Settings: Here you define the rules. Examples of important settings:
  - Device Health:
    - Require BitLocker: Require. Ensures that the system drive is encrypted. This check is reported through Device Health Attestation, so it needs a TPM and a recent attestation; a freshly enrolled device can show it as not applicable until the first attestation completes.
    - Require Secure Boot to be enabled on the device: Require. Protects against bootkits and rootkits that load before the operating system.
  - Device Properties:
    - Minimum OS version: Set the minimum Windows build (for example a 10.0.x build number) to ensure that only supported and up-to-date operating systems are used.
  - System Security:
    - Require a password to unlock mobile devices: Require.
    - Firewall: Require. Ensures Microsoft Defender Firewall is active on all network profiles.
    - Antivirus: Require. Ensures that an antivirus solution registered with Windows Security Center is active (Microsoft Defender Antivirus or a registered third-party product).
- Actions for non-compliance: Define what happens if a device is not compliant. The default action is Mark device noncompliant, applied immediately (a grace period of 0 days). You can add other actions, such as sending an email to the user, or add a grace period so users have time to remediate before Conditional Access blocks them.
- Assignments: Assign the policy to a group of Azure AD devices or users.
- Review + create: Review the settings and click Create.
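The same policy can be created from code, which is useful when you manage several tenants or want the policy under version control. The script below is an added example written for this article, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK and the Graph resource microsoft.graph.windows10CompliancePolicy, whose property names map one-to-one onto the console settings listed above. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the Intune Administrator role, and that you replace the placeholder $targetGroupId with the object ID of your own Entra ID security group. The minimum OS build used is also an assumed value.

```powershell
# Added example (not from the original article or from Microsoft): create the
# "Windows - Default Compliance Policy" described above through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the account holds the
# Intune Administrator role, and $targetGroupId is replaced with your group's object ID.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your Entra ID group

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Windows - Default Compliance Policy"
    description            = "Baseline requirements before a device may reach corporate data"
    # Device Health (reported through Device Health Attestation)
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    # Device Properties: assumed support floor (Windows 11 22H2 = build 22621); adjust to yours
    osMinimumVersion       = "10.0.22621"
    # System Security
    passwordRequired       = $true
    activeFirewallRequired = $true
    antivirusRequired      = $true
    # Actions for non-compliance. Graph rejects a policy with no scheduled action;
    # gracePeriodHours = 0 is the console's "Mark device noncompliant: immediately".
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assignments step: target the policy at the group
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created compliance policy '$($created.displayName)' with id $($created.id)"
```

The scheduledActionsForRule block is the part people miss when scripting this: the console always writes one, and the API refuses a policy without it. Changing gracePeriodHours to, say, 72 reproduces a three-day grace period before Conditional Access starts blocking the device.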
2. Creating a Device Configuration Profile
Configuration profiles are used to apply more detailed security settings to devices.
Steps:
- In the Microsoft Intune admin center, go to Devices > Configuration Profiles.
- Click Create profile.
- Select the Platform Windows 10 and later and the Profile Type Settings Catalog. Click Create.
- Basics: Give the profile a name (ex: Windows - Defender Security Settings) and a description.
- Configuration Settings: Click Add Settings. Use the settings picker to find and set the policies you want. For example, to configure Microsoft Defender:
  - Search for "Defender".
  - Select the Defender category (the Settings Catalog maps to the Defender configuration service provider, so the names are those of its policies).
  - Enable settings like:
    - Allow Realtime Monitoring (real-time protection): Allowed.
    - Allow Cloud Protection (cloud-delivered protection): Allowed.
    - Cloud Block Level (protection level provided by the cloud): High.
- Assignments: Assign the profile to a group of devices.
- Review + create: Review and create the profile.
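Settings Catalog profiles are also exposed through Graph, as deviceManagement/configurationPolicies on the beta endpoint. The script below is an added example for this article, not code from the original page or from Microsoft. Each setting is a choice-setting instance whose selected value is the setting definition ID with a numeric suffix; the three definition IDs used here follow the Defender CSP policy names (AllowRealtimeMonitoring, AllowCloudProtection, CloudBlockLevel) as the catalog exposes them, and you should confirm them with a GET of a profile you created in the console before relying on the script. It assumes the Microsoft.Graph.Authentication module, the Intune Administrator role, and a replaced $targetGroupId.

```powershell
# Added example (not from the original article or from Microsoft): build the
# "Windows - Defender Security Settings" Settings Catalog profile through Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the account holds the
# Intune Administrator role, $targetGroupId is replaced, and the settingDefinitionId
# strings below have been checked against a console-created profile in your tenant.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your Entra ID group

# One choice setting: the chosen value is "<definition id>_<choice>"
function New-ChoiceSetting([string]$DefinitionId, [string]$Choice) {
    @{
        "@odata.type"   = "#microsoft.graph.deviceManagementConfigurationSetting"
        settingInstance = @{
            "@odata.type"       = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
            settingDefinitionId = $DefinitionId
            choiceSettingValue  = @{
                "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue"
                value         = "${DefinitionId}_$Choice"
                children      = @()
            }
        }
    }
}

$defenderProfile = @{
    name         = "Windows - Defender Security Settings"
    description  = "Real-time protection, cloud-delivered protection, high cloud block level"
    platforms    = "windows10"
    technologies = "mdm"
    settings     = @(
        # Defender/AllowRealtimeMonitoring: 1 = allowed (real-time protection on)
        (New-ChoiceSetting "device_vendor_msft_policy_config_defender_allowrealtimemonitoring" "1"),
        # Defender/AllowCloudProtection: 1 = allowed (cloud-delivered protection on)
        (New-ChoiceSetting "device_vendor_msft_policy_config_defender_allowcloudprotection" "1"),
        # Defender/CloudBlockLevel: 0 default, 2 high, 4 high+, 6 zero tolerance
        (New-ChoiceSetting "device_vendor_msft_policy_config_defender_cloudblocklevel" "2")
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" `
    -Body ($defenderProfile | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assignments step: target the profile at the group
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created Settings Catalog profile '$($created.name)' with id $($created.id)"
```

Because every setting is addressed by its definition ID, the same helper extends to any other catalog setting: read the ID from an existing profile, pick the choice suffix, and add one more New-ChoiceSetting call. Keep the profile scoped to Defender settings only; a profile that mixes unrelated areas is harder to review for conflicts with the security baseline.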
3. Applying a Security Baseline
Baselines are sets of preconfigured security settings recommended by Microsoft. They are the fastest way to enforce a robust security posture. Two caveats: baselines overlap with settings you may also manage in configuration profiles, and when two assignments set the same value differently the setting reports a conflict rather than one of them silently winning, so check the conflict report after assigning; and baselines are versioned, so plan to review and move to new versions as Microsoft publishes them.
Steps:
- Go to Endpoint Security > Security Baselines.
- Select the baseline you want to use, for example, Security Baseline for Windows 10 and later.
- Click Create profile.
- Give a name and description.
- Configuration Settings: Review the default settings. You can customize them as needed, but ideally you want to stick to Microsoft's recommendations and document every deviation, since each one weakens a setting Microsoft considered worth enforcing.
- Assignments: Assign the baseline to a group of devices.
- Review + create: Create the profile.
Validation and Monitoring
After policies are created and assigned, it is crucial to monitor their enforcement and device compliance.
- For Compliance Policies: Go to Devices > Compliance Policies, select the policy, and check Device status and Per-setting status to see which devices are compliant or not and which setting failed. Compliance is evaluated when the device checks in, so a device that has not synced recently can show a stale state; trigger a sync from the device record (or from the device via Settings > Accounts > Access work or school > Info > Sync) before treating a result as current.
- For Configuration Profiles: Go to Devices > Configuration Profiles, select the profile, and check Device and user check-in status and the per-setting status to see if the settings were applied successfully, and whether any setting is in conflict with another profile or baseline.
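The console tells you that a device failed a setting; the next question is why, and that is answered on the device. The script below is an added example for this article, not code from the original page or from Microsoft. It evaluates, locally, the same conditions the compliance policy and the Defender profile above require, using only the BitLocker, NetSecurity and Defender cmdlets that ship with Windows, plus dsregcmd for the join and enrollment state, and reports each check as pass or fail. Run it from an elevated PowerShell on the Windows 10/11 device. $MinimumOsVersion is an assumed value; set it to the build your policy requires. The "Require a password" rule has no reliable local equivalent and is deliberately not checked.

```powershell
# Added example (not from the original article or from Microsoft): device-side
# check of the conditions the compliance policy and Defender profile enforce, so a
# noncompliant device can be diagnosed locally before its next Intune sync.
# Run from an elevated PowerShell on Windows 10/11. $MinimumOsVersion is assumed.

$MinimumOsVersion = [version]"10.0.22621"   # assumed support floor; match your policy

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-EndpointPosture {
    $results = @()

    # Device Properties: minimum OS version (CIM reports the real build under PS 5.1 and 7)
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $results += New-CheckResult "Minimum OS version" ($osVersion -ge $MinimumOsVersion) `
        "Running $osVersion, required $MinimumOsVersion"

    # Device Health: BitLocker on the system drive. ProtectionStatus must be On;
    # a FullyEncrypted volume with protectors suspended still fails the Intune check.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results += New-CheckResult "BitLocker on $env:SystemDrive" ($vol.ProtectionStatus -eq 'On') `
        "ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)"

    # Device Health: Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
    try   { $secureBoot = Confirm-SecureBootUEFI; $sbDetail = "UEFI reports SecureBoot=$secureBoot" }
    catch { $secureBoot = $false; $sbDetail = "Not available: $($_.Exception.Message)" }
    $results += New-CheckResult "Secure Boot" $secureBoot $sbDetail

    # System Security: Defender Firewall must be on for every profile, not just the active one
    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name)
    $fwDetail = if ($disabledProfiles.Count -gt 0) { "Disabled: $($disabledProfiles -join ', ')" } else { "All profiles enabled" }
    $results += New-CheckResult "Firewall (all profiles)" ($disabledProfiles.Count -eq 0) $fwDetail

    # System Security / Defender profile: antivirus registered and real-time protection running
    $mp = Get-MpComputerStatus
    $results += New-CheckResult "Antivirus enabled" $mp.AntivirusEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
    $results += New-CheckResult "Real-time protection" $mp.RealTimeProtectionEnabled `
        "Signatures updated $($mp.AntivirusSignatureLastUpdated)"

    # Defender profile: cloud-delivered protection on and cloud block level High (2) or stricter
    $pref = Get-MpPreference
    $results += New-CheckResult "Cloud-delivered protection" ($pref.MAPSReporting -ne 0) `
        "MAPSReporting=$($pref.MAPSReporting) (0=off, 1=basic, 2=advanced)"
    $results += New-CheckResult "Cloud block level >= High" ($pref.CloudBlockLevel -ge 2) `
        "CloudBlockLevel=$($pref.CloudBlockLevel) (0=default, 2=high, 4=high+, 6=zero tolerance)"

    # Enrollment: without Entra join and MDM enrollment Intune never evaluates the device
    $dsreg = dsregcmd /status
    $joined      = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $mdmEnrolled = [bool]($dsreg | Select-String -Pattern '^\s*MdmUrl\s*:\s*https')
    $results += New-CheckResult "Entra ID joined" $joined "dsregcmd AzureAdJoined"
    $results += New-CheckResult "MDM enrolled"     $mdmEnrolled "dsregcmd MdmUrl present"

    return $results
}

$posture = Test-EndpointPosture
$posture | Format-Table -AutoSize
$failed = @($posture | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; expect Intune to mark this device noncompliant."
}
```

A pass here does not by itself make the device compliant in Intune: the Device Health checks come from the attestation service, and every result is only reported at the next check-in. What the script gives you is the ordered list of what to fix (resume BitLocker protection, enable a firewall profile, re-enable cloud protection that a local admin or a Group Policy switched off) before you trigger that sync.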
Conclusion
Microsoft Intune is a powerful tool for strengthening the security of Windows devices in corporate environments. By combining compliance policies, configuration profiles, and security baselines, administrators can ensure that devices meet a high standard of security, protecting the organization's data from threats. Correctly implementing these policies is a fundamental step on the journey to a Zero Trust security architecture.
References
[1] Microsoft. (2023). What is Microsoft Intune?
[2] Microsoft. (2023). Secure data and devices with Microsoft Intune.
[3] Microsoft. (2023). Licenses available for Microsoft Intune.