Step 4 - Configure device features and settings to secure devices and access resources

So far, you set up your Intune subscription, created app protection policies, and created device compliance policies.

In this step, you're ready to configure a minimum or baseline set of security and device features that all devices must have.

Diagram that shows getting started with Microsoft Intune with step 4, which is configuring devices features and security settings.

This article applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

When you create device configuration profiles, there are different levels and types of policies available. These levels are the minimum Microsoft recommended policies. Know that your environment and business needs can be different.

  • Level 1 - Minimum device configuration: In this level, Microsoft recommends you create policies that:

    • Focus on device security, including installing antivirus, creating a strong password policy, and regularly installing software updates.
    • Give users access to their organization email and controlled secure access to your network, wherever they are.
  • Level 2 - Enhanced device configuration: In this level, Microsoft recommends you create policies that:

    • Expand device security, including configuring disk encryption, enabling secure boot, and adding more password rules.
    • Use the built-in features and templates to configure more settings that are important for your organization, including analyzing on-premises Group Policy Objects (GPOs).
  • Level 3 - High device configuration: In this level, Microsoft recommends you create policies that:

    • Move to password-less authentication, including using certificates, configuring single sign-on (SSO) to apps, enabling multifactor authentication (MFA), and configuring Microsoft Tunnel.
    • Add extra layers of security using Android common criteria mode or creating DFCI policies for Windows devices.
    • Use the built-in features to configure kiosk devices, dedicated devices, shared devices, and other specialized devices.
    • Deploy existing shell scripts.

This article lists the different levels of device configuration policies that organizations should use. Most of these policies in this article focus on access to organization resources and security.

These features are configured in device configuration profiles in the Microsoft Intune admin center. When the Intune profiles are ready, they can be assigned to your users and devices.

Level 1 - Create your security baseline

To help keep your organization data and devices secure, you create different policies that focus on security. You should create a list of security features that all users and/or all devices must have. This list is your security baseline.

In your baseline, at a minimum, Microsoft recommends the following security policies:

  • Install antivirus (AV) and regularly scan for malware
  • Use detection and response
  • Turn on the firewall
  • Install software updates regularly
  • Create a strong PIN/password policy

This section lists the Intune and Microsoft services you can use to create these security policies.

For a more granular list of Windows settings and their recommended values, go to Windows security baselines.

Antivirus and scanning

Install antivirus software and regularly scan for malware

All devices should have antivirus software installed and be regularly scanned for malware. Intune integrates with third party partner mobile threat defense (MTD) services that provide AV and threat scanning. For macOS and Windows, antivirus and scanning are built in to Intune with Microsoft Defender for Endpoint.

Your policy options:

Platform Policy type
Android Enterprise - Mobile threat defense partner
- Microsoft Defender for Endpoint for Android can scan for malware
iOS/iPadOS Mobile threat defense partner
macOS Intune Endpoint Security antivirus profile (Microsoft Defender for Endpoint)
Windows client - Intune security baselines (recommended)
- Intune Endpoint Security antivirus profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Detection and response

Detect attacks and act on these threats

When you detect threats quickly, you can help minimize the impact of the threat. When you combine these policies with Conditional Access, you can block users and devices from accessing organization resources if a threat is detected.

Your policy options:

Platform Policy type
Android Enterprise - Mobile threat defense partner
- Microsoft Defender for Endpoint on Android
iOS/iPadOS - Mobile threat defense partner
- Microsoft Defender for Endpoint on iOS/iPadOS
macOS Not available
Windows client - Intune security baselines (recommended)
- Intune endpoint detection and response profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Firewall

Enable the firewall on all devices

Some platforms come with a built-in firewall and on others, you might have to install a firewall separately. Intune integrates with third party partner mobile threat defense (MTD) services that can manage a firewall for Android and iOS/iPadOS devices. For macOS and Windows, firewall security is built in to Intune with Microsoft Defender for Endpoint.

Your policy options:

Platform Policy type
Android Enterprise Mobile threat defense partner
iOS/iPadOS Mobile threat defense partner
macOS Intune Endpoint Security firewall profile (Microsoft Defender for Endpoint)
Windows client - Intune security baselines (recommended)
- Intune Endpoint Security firewall profile (Microsoft Defender for Endpoint)
- Mobile threat defense partner

For more information on these features, go to:

Password policy

Create a strong password/PIN policy and block simple passcodes

PINs unlock devices. On devices that access organization data, including personally owned devices, you should require strong PINs/passcodes and support biometrics to unlock devices. Using biometrics is part of a password-less approach, which is recommended.

Intune uses device restrictions profiles to create and configure password requirements.

Your policy options:

Platform Policy type
Android Enterprise Intune device restrictions profile to manage the:
- Device password
- Work profile password
Android Open-Source Project (AOSP) Intune device restrictions profile
iOS/iPadOS Intune device restrictions profile
macOS Intune device restrictions profile
Windows client - Intune security baselines (recommended)
- Intune device restrictions profile

For a list of the settings you can configure, go to:

Software updates

Regularly install software updates

All devices should be updated regularly and policies should be created to make sure these updates are successfully installed. For most platforms, Intune has policy settings that focus on managing and installing updates.

Your policy options:

Platform Policy type
Android Enterprise organization owned devices System update settings using Intune device restrictions profile
Android Enterprise personally owned devices Not available

Can use compliance policies to set a minimum patch level, min/max OS version, and more.
iOS/iPadOS Intune update policy
macOS Intune update policy
Windows client - Intune feature updates policy
- Intune expedited updates policy

For more information on these features and/or the settings you can configure, go to:

Level 1 - Access organization email, connect to VPN or Wi-Fi

This section focuses on accessing resources in your organization. These resources include:

  • Email for work or school accounts
  • VPN connection for remote connectivity
  • Wi-Fi connection for on-premises connectivity

Diagram that shows an email, VPN, and Wi-Fi profiles deployed from Microsoft Intune to end user devices.

Email

Many organizations deploy email profiles with preconfigured settings to user devices.

Automatically connect to user email accounts

The profile includes the email configuration settings that connect to your email server.

Depending on the settings you configure, the email profile can also automatically connect the users to their individual email account settings.

Use enterprise level email apps

Email profiles in Intune use common and popular email apps, like Outlook. The email app is deployed to user devices. After the app is deployed, you deploy the email device configuration profile with the settings that configure the email app.

The email device configuration profile includes settings that connect to your Exchange.

Access work or school email

Creating an email profile is a common minimum baseline policy for organizations with users that use email on their devices.

Intune has built-in email settings for Android, iOS/iPadOS, and Windows client devices. When users open their email app, they can automatically connect, authenticate, and synchronize their organizational email accounts on their devices.

Deploy anytime

On new devices, we recommended you deploy the email app during the enrollment process. When enrollment completes, then deploy the email device configuration policy.

If you have existing devices, then deploy the email app at any time, and deploy the email device configuration policy.

Get started with email profiles

To get started:

  1. Deploy an email app to your devices. For some guidance, go to Add email settings to devices using Intune.

  2. Create an email device configuration profile in Intune. Depending on the email app your organization uses, the email device configuration profile might not be needed.

    For some guidance, go to Add email settings to devices using Intune.

  3. In the email device configuration profile, configure the settings for your platform:

  4. Assign the email device configuration profile to your users or user groups.

VPN

Many organizations deploy VPN profiles with preconfigured settings to user devices. The VPN connects your devices to your internal organization network.

If your organization uses cloud services with modern authentication and secure identities, then you probably don't need a VPN profile. Cloud-native services don't require a VPN connection.

If your apps or services aren't cloud-based or aren't cloud-native, then deploy a VPN profile to connect to your internal organization network.

Work from anywhere

Creating a VPN profile is a common minimum baseline policy for organizations with remote workers and hybrid workers.

As users work from anywhere, they can use the VPN profile to securely connect to your organization's network to access resources.

Intune has built-in VPN settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your VPN connection is shown as an available connection. Users select it. And, depending on the settings in your VPN profile, users can automatically authenticate and connect to the VPN on their devices.

Use enterprise level VPN apps

VPN profiles in Intune use common enterprise VPN apps, like Check Point, Cisco, Microsoft Tunnel, and more. The VPN app is deployed to user devices. After the app is deployed, then you deploy the VPN connection profile with settings that configure the VPN app.

The VPN device configuration profile includes settings that connect to your VPN server.

Deploy anytime

On new devices, we recommended you deploy the VPN app during the enrollment process. When enrollment completes, then deploy the VPN device configuration policy.

If you have existing devices, deploy the VPN app at any time, and then deploy the VPN device configuration policy.

Get started with VPN profiles

To get started:

  1. Deploy a VPN app to your devices.

  2. Create a VPN configuration profile in Intune.

  3. In the VPN device configuration profile, configure the settings for your platform:

  4. Assign the VPN device configuration profile to your users or user groups.

Wi-Fi

Many organizations deploy Wi-Fi profiles with preconfigured settings to user devices. If your organization has a remote-only workforce, then you don't need to deploy Wi-Fi connection profiles. Wi-Fi profiles are optional and are used for on-premises connectivity.

Connect wirelessly

As users work from different mobile devices, they can use the Wi-Fi profile to wirelessly and securely connect to your organization's network.

The profile includes the Wi-Fi configuration settings that automatically connect to your network and/or SSID (service set identifier). Users don't have to manually configure their Wi-Fi settings.

Support mobile devices on-premises

Creating a Wi-Fi profile is a common minimum baseline policy for organizations with mobile devices that work on-premises.

Intune has built-in Wi-Fi settings for Android, iOS/iPadOS, macOS, and Windows client devices. On user devices, your Wi-Fi connection is shown as an available connection. Users select it. And, depending on the settings in your Wi-Fi profile, users can automatically authenticate and connect to the Wi-Fi on their devices.

Deploy anytime

On new devices, we recommended you deploy the Wi-Fi device configuration policy when devices enroll in Intune.

If you have existing devices, you can deploy the Wi-Fi device configuration policy at any time.

Get started with Wi-Fi profiles

To get started:

  1. Create a Wi-Fi device configuration profile in Intune.

  2. Configure the settings for your platform:

  3. Assign the Wi-Fi device configuration profile to your users or user groups.

Level 2 - Enhanced protection and configuration

This level expands on what you configured in level 1 and adds more security for your devices. In this section, you create a level 2 set of policies that configure more security settings for your devices.

Microsoft recommends the following level 2 security policies:



  • Intune includes hundreds of settings that can manage devices features and settings, like disabling the built-in camera, controlling notifications, allowing bluetooth, blocking games, and more.

    You can use the built-in templates or the settings catalog to see and configure the settings.

    • Device restrictions templates have many built-in settings that can control different parts of the devices, including security, hardware, data sharing, and more.

      You can use these templates on the following platforms:

      • Android
      • iOS/iPadOS
      • macOS
      • Windows
    • Use the Settings catalog to see and configure all the available settings. You can use the settings catalog on the following platforms:

      • iOS/iPadOS
      • macOS
      • Windows
    • Use the built-in administrative templates, similar to configuring ADMX templates on-premises. You can use the ADMX templates on the following platform:

      • Windows
  • If you use on-premises GPOs and want to know if these same settings are available in Intune, then use Group Policy analytics. This feature analyzes your GPOs and depending on the analysis, can import them into an Intune settings catalog policy.

    For more information, go to Analyze your on-premises GPOs and import them in Intune.

Level 3 - High protection and configuration

This level expands on what you configured in levels 1 and 2. It adds extra security features used in enterprise level organizations.


  1. Set up Microsoft Intune
  2. Add, configure, and protect apps
  3. Plan for compliance policies
  4. 🡺 Configure device features (You are here)
  5. Enroll devices