Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Get started
Veri-Tech
← Veri-Tune

Intune Baseline Assessment (86 controls)

Registry v2.1.0windows, macos, ios, androidcorporate ownership

Job ID: demo-tune-0422

Policy Insights

We found 7 settings that exist in multiple Intune policies. Including 3 value conflicts where policies disagree on the correct setting. 3 redundant settings could be consolidated. 1 unassigned duplicates are inactive and can be cleaned up.

View Policy Insights
3 Conflicts3 Redundant1 Unassigned DuplicatesUnique settings in 2+ policies
View:

Remediation Planner

AI analyzes your assessment results and generates a remediation plan — classifying each control for auto-deployment, runbook generation, or risk exception.

  • Auto-deploy fixes for non-compliant Intune policies
  • Generate runbooks for manual remediation steps
  • Set risk exceptions and document justifications

Assessment Results

Assessment Score

Scanned: 4/22/2026, 3:06:12 PM132s

68%

Protection

Actively enforced

/

76%

Readiness

Configured correctly

60

Passing

5

Not Assigned

3

Report-Only

14

Misconfigured

4

Missing

68%protected

Score Breakdown

Protection68.0%
Readiness76.0%
86controls

Control Status

Passing60 (70%)
Not Assigned5 (6%)
Report-Only3 (3%)
Misconfigured14 (16%)
Missing4 (5%)
Platforms:🪟 windows🍎 macos📱 ios🤖 android
86 controls checked

8% gap from policies not enforced

5 controls correctly configured but not assigned to any device group. Assign these policies to close the gap.

Assign Existing Policies

JIT Active

5 controls across 5 policies are correctly configured but not assigned to any device or user group. Assigning them is a one-click fix that lifts your adjusted score immediately.

iOS2
Windows1
Android1
macOS1
⚠️

Enrollment Restriction Mismatches (1)

📱iOS

iOS personal enrollment is not blocked. Corporate devices ownership model is set but personal enrollments are accepted.

See how your protection score improves with each remediation step:

Current ScoreWhere you are now
68%
Enforce UnenforcedAssign 5 unenforced policies
76%

+8.2% gain

+ Auto-Fix Critical/HighDeploy 8 automatable fixes
90%

+13.7% gain

+ All Automatable FixesDeploy all 18 automatable fixes
98%

Control Results

86 of 86 controls

Platforms:
Showing 86 of 86 controls
SeverityControlActions
🔴 Misconfigured14
critical
ASR — Block credential stealing from LSASSVT-INTUNE-ES-001

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

critical
Windows Firewall — block inbound RDP from publicVT-INTUNE-ES-010

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

high
Windows minimum OS version (22H2)VT-INTUNE-DC-005

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

high
iOS App Protection — Core Microsoft Apps L2VT-INTUNE-APP-001

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

high
Android App Protection — Core Microsoft Apps L2VT-INTUNE-APP-002

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

high
ASR — Block Office child processesVT-INTUNE-ES-002

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

high
Password complexity — alphanumeric + special (Windows)VT-INTUNE-DCF-008

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
Block jailbroken iOS devicesVT-INTUNE-DC-003

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
iOS APP — block managed data saved to personal cloudVT-INTUNE-APP-013

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
Windows Firewall — enabled for all profilesVT-INTUNE-ES-009

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
Tamper Protection — enabled on DefenderVT-INTUNE-ES-011

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
Screen lock timeout — 5 minutes (Windows)VT-INTUNE-DCF-004

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

medium
Expedited Quality Update policy (critical CVE)VT-INTUNE-UR-006

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

low
Disable SMBv1 clientVT-INTUNE-DCF-011

Policy value does not match the required baseline. Current value diverges from expected; update in place or create override.

🟡 Not Enforced5
critical
macOS Gatekeeper — enforcedVT-INTUNE-ES-012

Policy is configured correctly but not assigned to any group. Assign to target devices/users.

high
Mobile Threat Defense integrationVT-INTUNE-DC-017

Policy is configured correctly but not assigned to any group. Assign to target devices/users.

high
iOS APP — block screenshots of managed dataVT-INTUNE-APP-007

Policy is configured correctly but not assigned to any group. Assign to target devices/users.

high
Android APP — block screen captureVT-INTUNE-APP-008

Policy is configured correctly but not assigned to any group. Assign to target devices/users.

medium
iOS — block camera for managed profilesVT-INTUNE-DCF-013

Policy is configured correctly but not assigned to any group. Assign to target devices/users.

Missing4
high
Block personal Android enrollmentVT-INTUNE-ENR-004

No matching Intune policy found. Create a new policy from the curated Veri-Tune baseline.

medium
Outlook mobile — require Modern AuthenticationVT-INTUNE-APC-004

No matching Intune policy found. Create a new policy from the curated Veri-Tune baseline.

medium
Teams mobile — restrict screen sharingVT-INTUNE-APC-006

No matching Intune policy found. Create a new policy from the curated Veri-Tune baseline.

medium
iOS — block AirDrop on supervisedVT-INTUNE-DCF-014

No matching Intune policy found. Create a new policy from the curated Veri-Tune baseline.

Passing60
critical
Require FileVault on macOSVT-INTUNE-DC-002

Configured and assigned correctly via 'Device Compliance — Require FileVault on macOS'.

critical
Block rooted Android devicesVT-INTUNE-DC-004

Configured and assigned correctly via 'Device Compliance — Block rooted Android devices'.

critical
iOS minimum OS version (17)VT-INTUNE-DC-007

Configured and assigned correctly via 'Device Compliance — iOS minimum OS version'.

critical
ASR — Block Win32 API from Office macrosVT-INTUNE-ES-004

Configured and assigned correctly via 'Endpoint Security — ASR — Block Win32'.

critical
macOS System Integrity Protection — enabledVT-INTUNE-ES-014

Configured and assigned correctly via 'Endpoint Security — macOS System Integrity Protection'.

critical
Disk encryption — recovery key escrow to AADVT-INTUNE-ES-016

Configured and assigned correctly via 'Endpoint Security — Disk encryption — recovery'.

high
Require BitLocker on Windows 10/11VT-INTUNE-DC-001

Configured and assigned correctly via 'Device Compliance — Require BitLocker on Windows'.

high
Android minimum OS version (13)VT-INTUNE-DC-008

Configured and assigned correctly via 'Device Compliance — Android minimum OS version'.

high
Device password required (Android)VT-INTUNE-DC-012

Configured and assigned correctly via 'Device Compliance — Device password required (Android)'.

high
Valid operating system (Windows)VT-INTUNE-DC-013

Configured and assigned correctly via 'Device Compliance — Valid operating system (Windows)'.

high
Valid operating system (macOS)VT-INTUNE-DC-014

Configured and assigned correctly via 'Device Compliance — Valid operating system (macOS)'.

high
Require compliant device for sign-inVT-INTUNE-DC-018

Configured and assigned correctly via 'Device Compliance — Require compliant device for'.

high
Android App Protection — require app PINVT-INTUNE-APP-004

Configured and assigned correctly via 'App Protection — Android App Protection —'.

high
iOS APP — block copy/paste to unmanaged appsVT-INTUNE-APP-005

Configured and assigned correctly via 'App Protection — iOS APP — block'.

high
Android APP — block copy/paste to unmanaged appsVT-INTUNE-APP-006

Configured and assigned correctly via 'App Protection — Android APP — block'.

high
Android APP — offline grace period 12hVT-INTUNE-APP-012

Configured and assigned correctly via 'App Protection — Android APP — offline'.

high
Android APP — block managed data saved to personal cloudVT-INTUNE-APP-014

Configured and assigned correctly via 'App Protection — Android APP — block'.

high
Windows Defender — real-time protection onVT-INTUNE-ES-006

Configured and assigned correctly via 'Endpoint Security — Windows Defender — real-time'.

high
Windows Defender — cloud-delivered protection onVT-INTUNE-ES-007

Configured and assigned correctly via 'Endpoint Security — Windows Defender — cloud-delivered'.

high
macOS XProtect — latest signaturesVT-INTUNE-ES-013

Configured and assigned correctly via 'Endpoint Security — macOS XProtect — latest'.

high
Disk encryption — BitLocker XTS-AES 256VT-INTUNE-ES-015

Configured and assigned correctly via 'Endpoint Security — Disk encryption — BitLocker'.

high
Disable AutoPlay on all drivesVT-INTUNE-DCF-010

Configured and assigned correctly via 'Device Configuration — Disable AutoPlay on all'.

high
Android — block debugging from work profileVT-INTUNE-DCF-016

Configured and assigned correctly via 'Device Configuration — Android — block debugging'.

high
Autopilot deployment profile — user-drivenVT-INTUNE-ENR-001

Configured and assigned correctly via 'Enrollment — Autopilot deployment profile —'.

high
Enrollment restrictions — require hardware attestationVT-INTUNE-ENR-005

Configured and assigned correctly via 'Enrollment — Enrollment restrictions — require'.

medium
macOS minimum OS version (14)VT-INTUNE-DC-006

Configured and assigned correctly via 'Device Compliance — macOS minimum OS version'.

medium
Device password required (Windows)VT-INTUNE-DC-009

Configured and assigned correctly via 'Device Compliance — Device password required (Windows)'.

medium
Device password required (macOS)VT-INTUNE-DC-010

Configured and assigned correctly via 'Device Compliance — Device password required (macOS)'.

medium
Device password required (iOS)VT-INTUNE-DC-011

Configured and assigned correctly via 'Device Compliance — Device password required (iOS)'.

medium
Defender ATP risk score — cleanVT-INTUNE-DC-015

Configured and assigned correctly via 'Device Compliance — Defender ATP risk score'.

medium
Android Google Play Protect healthyVT-INTUNE-DC-016

Configured and assigned correctly via 'Device Compliance — Android Google Play Protect'.

medium
iOS App Protection — require app PINVT-INTUNE-APP-003

Configured and assigned correctly via 'App Protection — iOS App Protection —'.

medium
iOS APP — require biometric re-authenticationVT-INTUNE-APP-009

Configured and assigned correctly via 'App Protection — iOS APP — require'.

medium
Android APP — require biometric re-authenticationVT-INTUNE-APP-010

Configured and assigned correctly via 'App Protection — Android APP — require'.

medium
iOS APP — offline grace period 12hVT-INTUNE-APP-011

Configured and assigned correctly via 'App Protection — iOS APP — offline'.

medium
Edge — block personal syncVT-INTUNE-APC-002

Configured and assigned correctly via 'App Configuration — Edge — block personal'.

medium
Outlook mobile — block external mail forwardingVT-INTUNE-APC-003

Configured and assigned correctly via 'App Configuration — Outlook mobile — block'.

medium
Microsoft Authenticator — require password-less sign-inVT-INTUNE-APC-005

Configured and assigned correctly via 'App Configuration — Microsoft Authenticator — require'.

medium
ASR — Block obfuscated scriptsVT-INTUNE-ES-003

Configured and assigned correctly via 'Endpoint Security — ASR — Block obfuscated'.

medium
ASR — Block persistence via WMI event subscriptionVT-INTUNE-ES-005

Configured and assigned correctly via 'Endpoint Security — ASR — Block persistence'.

medium
Windows Defender — PUA blockingVT-INTUNE-ES-008

Configured and assigned correctly via 'Endpoint Security — Windows Defender — PUA'.

medium
Block USB mass storage (Windows)VT-INTUNE-DCF-001

Configured and assigned correctly via 'Device Configuration — Block USB mass storage'.

medium
Require TPM 2.0 presentVT-INTUNE-DCF-002

Configured and assigned correctly via 'Device Configuration — Require TPM 2.0 present'.

medium
Secure Boot enabledVT-INTUNE-DCF-003

Configured and assigned correctly via 'Device Configuration — Secure Boot enabled'.

medium
Screen lock timeout — 5 minutes (macOS)VT-INTUNE-DCF-005

Configured and assigned correctly via 'Device Configuration — Screen lock timeout —'.

medium
Screen lock timeout — 2 minutes (Android)VT-INTUNE-DCF-007

Configured and assigned correctly via 'Device Configuration — Screen lock timeout —'.

medium
Block guest account accessVT-INTUNE-DCF-012

Configured and assigned correctly via 'Device Configuration — Block guest account access'.

medium
Android — require Work ProfileVT-INTUNE-DCF-015

Configured and assigned correctly via 'Device Configuration — Android — require Work'.

medium
Windows 10/11 Update Ring — PilotVT-INTUNE-UR-001

Configured and assigned correctly via 'Update Rings — Windows 10/11 Update Ring'.

medium
Windows 10/11 Update Ring — BroadVT-INTUNE-UR-002

Configured and assigned correctly via 'Update Rings — Windows 10/11 Update Ring'.

report-only3
medium
iOS APP — minimum app version (Outlook)VT-INTUNE-APP-015

Policy is deployed in report-only mode. Flip to enforced when ready.

medium
Android APP — minimum app version (Outlook)VT-INTUNE-APP-016

Policy is deployed in report-only mode. Flip to enforced when ready.

medium
Feature Update — defer 30 daysVT-INTUNE-UR-003

Policy is deployed in report-only mode. Flip to enforced when ready.

Registry v2.1.0 | Tenant: demo-ver... | Powered by Veri-Tune