Start with cloud security


Organizations increasingly rely on cloud-based services to let users get their work done and to support hybrid collaboration. As documents and data are synced to the cloud, and applications and virtual devices run entirely in the cloud, managing your environment’s security becomes more complex. This introduces new types of vulnerabilities and threats, such as credential theft over remote connections. You can, however, configure your organization’s Windows devices to work with Microsoft cloud services, such as Microsoft Intune, to protect your endpoints, infrastructure, and networks. This module illustrates a Zero Trust approach to safeguarding data while controlling access and mitigating threats.

Let’s see how you can implement modern device management with Microsoft Intune and apply it to the selection of chip-to-cloud features. In this module, we’ll advance much of your security posture using either security baselines or the settings catalog in Intune.

Get started with security baselines in Intune

A security baseline is a recommended collection of configuration settings, with an explanation of each setting’s security impact. You can use the Microsoft MDM security baseline to configure policies such as the following:

  • Restricting the use of legacy technology
  • Restricting remote access to devices
  • Setting credential requirements for passwords and PINs

Use Intune to deploy security baselines that configure Windows devices in compliance with your organization’s security standard or the desired Zero Trust level. To begin, deploy and manage the following security baselines to configure Windows devices:

To manage security baseline profiles in Intune, your account must have the Policy and Profile Manager built-in role, which allows you to manage compliance policies, configuration profiles, and security baselines, among other things. With this role, you can create a profile from a baseline, then change, duplicate, or remove it, and handle older baseline versions and co-managed devices. Use Group Policy baselines for on-premises domain controllers.

Get started with settings catalog in Intune

The settings catalog in Intune lists all the settings you can configure in one place. Use this mobile device management (MDM) capability to simplify how you create a policy and configure settings at a granular level, similar to on-premises Group Policy Objects (GPOs).

To create a policy in the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile. In the properties, select your operating system for Platform and “Settings catalog” for Profile.

After you confirm creation of the policy and enter the basics for it, use Configuration settings to add settings from a settings picker.

See Create a policy using settings catalog in Microsoft Intune to prepare for applying this method in the following units. At this point, it’s helpful to know the various ways in which you can browse the thousands of settings available to you:

  • Use Add settings > Search
  • Search by category (for example, browser)
  • Search by a keyword (for example, Office)
  • Search for specific settings
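The same browsing and inventory work can be scripted over Microsoft Graph rather than clicked through in the admin center. The script below is an added example, not code from this module or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the beta settings catalog endpoints (configurationSettings, configurationCategories, configurationPolicies) have the shape used here, and only read permission on device configuration.

```powershell
# Added example (not part of the Microsoft Learn module): browse the Intune
# settings catalog and inventory settings catalog profiles via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and the beta endpoint shape shown.
# Read-only: requires the DeviceManagementConfiguration.Read.All scope.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" | Out-Null

function Get-GraphCollection {
    # Follows @odata.nextLink so large collections (thousands of settings) are complete.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$base = "https://graph.microsoft.com/beta/deviceManagement"

# Keyword search, the scripted equivalent of Add settings > Search > "Office".
$keyword = "Office"
$defs = Get-GraphCollection "$base/configurationSettings"
$hits = $defs | Where-Object {
    $_.displayName -like "*$keyword*" -or (($_.keywords) -join " ") -like "*$keyword*"
}
"{0} settings match '{1}'" -f $hits.Count, $keyword
$hits | Select-Object -First 10 -Property displayName, id | Format-Table -AutoSize

# Category browse, the scripted equivalent of searching the picker by category.
$cats = Get-GraphCollection "$base/configurationCategories"
$cats | Where-Object { $_.displayName -like "*Browser*" } | Select-Object displayName, id

# Inventory existing settings catalog profiles and flag any with no assignment:
# an unassigned profile or baseline enforces nothing on any device.
$policies = Get-GraphCollection "$base/configurationPolicies?`$expand=assignments"
foreach ($p in $policies) {
    $state = if (-not $p.assignments -or $p.assignments.Count -eq 0) { "UNASSIGNED" } else { "assigned" }
    "{0,-11} {1,4} settings  {2}" -f $state, $p.settingCount, $p.name
}
```

The final loop is the check worth running regularly: a profile that exists in the tenant but is assigned to no group shows up in the admin center yet changes nothing on endpoints.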

Additional cloud-based protections

Here are some helpful cloud-based modern device management services and capabilities that you can use to protect your environment and improve your security posture:

  • Remote wipe

    Configure remote wipe through modern device management via Microsoft Intune to remotely wipe data on devices in case they’re lost or stolen.

  • Config Lock

    Config Lock is a feature you can enable on Secured-core PCs to protect the operating system by blocking users from changing configurations, which would otherwise create configuration drift over time.

  • Microsoft Azure Attestation Service

    Another good practice is to use the Microsoft Azure Attestation Service to review your organization’s device health and monitor the trustworthiness of your devices. We’ll learn more about its applications in the unit on operating system security.

Workflow diagram showing our progress thus far: the Cloud stage of the workflow is complete.