Intune CIS Benchmark for Windows, Mac, and mobile.

A Microsoft-curated baseline of hundreds of Windows hardening settings (UAC, SmartScreen, attack surface reduction, credential protection) deployed as an Intune policy and pinned to a recent version.

Reinventing a Windows hardening baseline is two weeks of engineering time you do not need to spend. Microsoft publishes one and updates it. Skipping it is the difference between secure-by-default and the registry equivalent of "factory settings."

In Microsoft Intune admin center > Endpoint security > Security baselines > Windows Security Baseline, click Create profile. Accept the recommended settings, scope to All Devices excluding Personal, and watch the deployment metrics.

The Microsoft Defender for Endpoint baseline applied through Intune. Configures EDR, automated investigation and response, Defender SmartScreen, and tamper protection to recommended values.

A Defender license without the baseline is like a smoke detector without batteries. The baseline is what turns the EDR sensor on, points it at the cloud, and stops users from disabling it.

In Microsoft Intune admin center > Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline, create the policy and assign to your managed Windows group. Verify Tamper Protection shows On in the Microsoft Defender portal device inventory.

A Defender ASR rule policy that blocks the most-abused malware behaviors: Office macros launching child processes, credential dumping from LSASS, executable content from email, abuse of WMI and PsExec, JavaScript download patterns.

ASR rules are the single highest-leverage control on a Windows endpoint. Properly tuned, they stop most commodity ransomware in a way no antivirus signature can. They are also the control most often left in audit mode forever.

In Microsoft Intune admin center > Endpoint security > Attack surface reduction > Create policy > ASR rules, set the Microsoft-recommended block rules to Block (not Audit). Pilot on a 50-device ring for one week, address exclusions, then roll out org-wide.

Windows Local Administrator Password Solution rotates the local admin account password on every managed device on a schedule and stores the rotated password in Entra ID for audited retrieval.

A static local admin password shared across the fleet is the lateral-movement gift that keeps on giving. LAPS turns one compromised endpoint into one compromised endpoint, not a ransomware blast radius.

In Microsoft Intune admin center > Endpoint security > Account protection > Local admin password solution (Windows LAPS), create a policy with Backup directory = Azure AD only, Password complexity = Large letters + small letters + numbers + special characters, Password age = 7 days.

A BitLocker policy that silently encrypts the OS volume on every managed Windows device, with recovery keys escrowed to Entra ID.

A laptop in a TSA tray, a stolen kit from a hotel, a returned device on eBay. Encryption is the single thing that turns a hardware loss into an inconvenience instead of a HIPAA notification.

In Microsoft Intune admin center > Endpoint security > Disk encryption > Create policy > BitLocker, set Encryption method = AES-256, Configure Encryption Methods = Yes, Compatible TPM startup = Required, Recovery Key escrow to Entra ID.

A compliance policy that defines what "compliant" means: BitLocker on, firewall on, antivirus reporting, OS minimum version, secure boot enabled.

Conditional Access can require a compliant device. Without a compliance policy, "compliant" defaults to "any enrolled device," which means non-compliant. The policy is the floor under your CA rule.

In Microsoft Intune admin center > Devices > Manage devices > Compliance, create a Windows 10/11 compliance policy with device health checks (BitLocker, Secure Boot, Code Integrity), platform configuration (firewall, antivirus), minimum OS version, and a 24-hour grace period for new devices.

An Intune EDR policy that onboards every managed Windows device to Microsoft Defender for Endpoint and configures sample submission, telemetry level, and sensor health.

An EDR license without onboarded devices is shelfware. The policy is the wire that connects the sensor to the cloud and lights up the device in the Defender portal.

In Microsoft Intune admin center > Endpoint security > Endpoint detection and response > Create policy > Microsoft Defender for Endpoint, use the auto-generated onboarding blob (from Microsoft Defender portal > Settings > Endpoints > Onboarding). Sample sharing = All, Telemetry = Expedite.

A macOS FileVault policy that enforces full-disk encryption on every managed Mac, escrows the personal recovery key to Intune, and rotates it after retrieval.

macOS without FileVault is a clear-text laptop. Same threat model as a Windows device without BitLocker. The recovery-key escrow is the operational difference between a managed fleet and a hope.

In Microsoft Intune admin center > Devices > macOS > Configuration profiles > Create profile > Endpoint protection > FileVault, enable FileVault, Personal recovery key = Yes, Escrow to Intune. Assign to all macOS devices.

The macOS equivalent of the Windows compliance policy: minimum OS version, FileVault required, system integrity protection on, gatekeeper enabled, password requirements.

Same logic as Windows. Conditional Access cannot enforce "compliant Mac" if no policy defines what compliant means. Macs without compliance walls drift fast and quietly.

In Microsoft Intune admin center > Devices > macOS > Compliance policies, create a policy with Device Health (System Integrity Protection on, FileVault on), Device Properties (minimum OS version), and Password (require, length, complexity, max minutes after lock).

An App Protection Policy (APP) that wraps the managed apps on personally owned iPhones and iPads (Outlook, Teams, OneDrive, Word) without enrolling the device itself in MDM.

The right answer for personal iOS is MAM, not MDM. APP isolates the work container, requires PIN, blocks copy-paste to non-managed apps, and lets you wipe just the corporate data if the phone goes missing. Forcing a personal device into Intune enrollment is the wrong threat model.

In Microsoft Intune admin center > Apps > App protection policies > Create policy > iOS/iPadOS, set Targeted apps = Microsoft 365 set. Under Data protection: Backup org data to iCloud = Block, Send org data to other apps = Policy managed apps. Under Access requirements: PIN for access = Require.

The Android twin of the iOS APP. Wraps managed apps on personal Android devices with the same data-protection and access controls.

Personal Android is the largest unmanaged endpoint surface in most tenants. APP turns it into a managed application surface without requiring full enrollment, which Android users (correctly) refuse to accept.

In Microsoft Intune admin center > Apps > App protection policies > Create policy > Android, set the same Microsoft 365 app set. Data protection settings same as iOS. Access requirements: PIN for access = Require, Block screen capture = Yes.

Update rings that stage Windows quality and feature updates across pilot, broad, and broad-late groups with appropriate deferrals and restart schedules.

Patching every Patch Tuesday is the most common cause of "every laptop reboots at 2pm Tuesday and the help desk gets buried." Rings give you a controlled cadence: pilot tomorrow, broad next week, late deployment two weeks out. Same patches, fewer fires.

In Microsoft Intune admin center > Devices > Manage updates > Windows updates > Update rings for Windows 10 and later, create three rings with quality update deferral (0, 7, 14 days) and feature update deferral (30, 60, 90 days). Restart settings: pause Active hours, deadline 7 days post-install.