Applying security policies to the computers in your organization is a foundational security practice. It’s especially important now that more employees are using these devices away from the office. To make it easier for you to protect your organization’s devices, we’ve added a new setup experience to the Microsoft 365 admin center that allows you to establish a security baseline for all of the Windows 10 PCs in your organization in just a few clicks.
This new experience is available to customers with Microsoft 365 Business Premium. It has begun rolling out and will reach all eligible customers within the next few months. Let’s take a closer look at what’s new.
To access these new capabilities, in the Microsoft 365 Admin Center, open Setup on the left menu.
In the Sign-up and Security section, find Secure your Windows 10 computers, and click the View button.
On the Secure your Windows 10 computers page, you can read about the streamlined process for securing Windows 10 devices and access relevant documentation. As the page notes, this experience is built with small and medium-sized businesses in mind. It simplifies the process of setting up Intune-powered device policies. Larger enterprises and advanced users can go to the Endpoint Manager admin center instead. Click the Get Started button to continue.
The pane that appears on the right side shows the five policies recommended for applying a security baseline. The policies that you can enable here are a lightweight set designed to raise your protection while minimizing user impact and limiting management complexity. They were selected based on input from IT partners who serve small and medium-sized businesses, telemetry on the most commonly applied Intune policies, and feedback from customers.
The recommended security settings are:
Help protect PCs from viruses and other threats using Windows Defender Antivirus: Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet.
Help protect PCs from web-based threats: Turns on settings that help protect users from malicious sites and downloads. It also prevents Microsoft Office from launching other applications.
Prevent network access to potentially malicious content on the Internet: Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet.
Help protect files and folders on PCs from unauthorized access with BitLocker: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Turn off device screen when idle for this amount of time: Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off.
When you click Apply Settings, the system will create these policies in Intune. For these policies to actually take effect, the conditions noted in the gray box must be true.
The most important of these is that the user’s computer must be enrolled in Intune. That is how the computer knows to check the cloud to see which settings should be applied. For information about Intune enrollment in an environment where PCs are joined to an on-premises Active Directory domain, see Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium, an article that we recently improved based on customer feedback.
Note: You typically will not need to change the Azure Active Directory settings noted in the gray box unless you have previously customized them.
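Because the policies created here only take effect once a PC is enrolled and has checked in, it is worth confirming on a device that the baseline actually landed rather than trusting the admin center alone. The script below is an added example written for this page, not code from Microsoft or from the setup experience itself. It reads the local state that each of the five policies is expected to change and prints a pass/fail report. The registry paths, the attack surface reduction rule GUID and the assumption that the idle-screen setting surfaces as DeviceLock/MaxInactivityTimeDeviceLock are the editor's assumptions about where the settings show up locally; adjust them if your tenant maps the policies differently. Run it in an elevated PowerShell session on the enrolled Windows 10 PC.

```powershell
# Added example (not from the original post): verify on an enrolled Windows 10 PC
# that the five baseline policies described above have actually taken effect.
# Registry paths, the ASR rule GUID and the DeviceLock mapping below are assumptions.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null if the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-IntuneEnrollment {
    # dsregcmd /status prints an "MdmUrl : https://..." line only when the device is MDM-enrolled.
    $lines = @((dsregcmd /status) -match '^\s*MdmUrl\s*:\s*\S+')
    return ($lines.Count -gt 0)
}

function Test-DefenderAntivirus {
    # Policy 1: Defender Antivirus on, with real-time protection running.
    $s = Get-MpComputerStatus
    return ([bool]$s.AntivirusEnabled -and [bool]$s.RealTimeProtectionEnabled)
}

function Test-SmartScreen {
    # Policy 2a: SmartScreen for apps and files (assumed policy path); 1 = enabled.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    return ($v -eq 1)
}

# Assumed mapping of "prevents Office from launching other applications":
# the ASR rule "Block all Office applications from creating child processes".
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-AsrOfficeChildProcessBlocked {
    # Policy 2b: the rule must be present and set to Block (1), not Audit (2) or Warn (6).
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $act = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $OfficeChildProcessRule) { return ($act[$i] -eq 1) }   # -eq is case-insensitive
    }
    return $false
}

function Test-NetworkProtection {
    # Policy 3: EnableNetworkProtection 0 = off, 1 = block, 2 = audit only. Audit does not block.
    return ((Get-MpPreference).EnableNetworkProtection -eq 1)
}

function Test-BitLockerOsDrive {
    # Policy 4: the OS volume must be fully encrypted with protectors active.
    # A volume still encrypting, or with protection suspended, is reported as FAIL.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')
}

function Test-ScreenLockTimeout([int]$MaxMinutes = 15) {
    # Policy 5: assumed to surface as the DeviceLock CSP value, in minutes. 0 means no limit.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock' 'MaxInactivityTimeDeviceLock'
    return ($null -ne $v -and [int]$v -gt 0 -and [int]$v -le $MaxMinutes)
}

function Get-BaselineReport {
    # Runs every check and emits one object per check; a check that throws counts as FAIL.
    $checks = [ordered]@{
        'Intune enrollment (prerequisite)' = { Test-IntuneEnrollment }
        'Defender Antivirus real-time'     = { Test-DefenderAntivirus }
        'SmartScreen (web-based threats)'  = { Test-SmartScreen }
        'Office child-process ASR rule'    = { Test-AsrOfficeChildProcessBlocked }
        'Network protection (block mode)'  = { Test-NetworkProtection }
        'BitLocker on OS drive'            = { Test-BitLockerOsDrive }
        'Screen lock timeout <= 15 min'    = { Test-ScreenLockTimeout }
    }
    foreach ($name in $checks.Keys) {
        $ok = $false
        try { $ok = [bool](& $checks[$name]) } catch { $ok = $false }
        $result = 'FAIL'
        if ($ok) { $result = 'PASS' }
        [pscustomobject]@{ Check = $name; Result = $result }
    }
}

Get-BaselineReport | Format-Table -AutoSize
```

If the enrollment row fails, expect every other row to fail too: the device has never checked in, so nothing below it has been applied. A FAIL for network protection with a value of 2 means the policy arrived but in audit mode, which logs but does not block; the same distinction applies to the ASR rule in Audit or Warn.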
After the policy setup is complete, you can access and modify the policies at any time by clicking Devices and then Policies.
The policy called “Device Policy for Windows 10” is the one created in the setup experience. You can modify that policy or create additional ones.
When you edit the settings, you’ll notice the original settings plus additional ones you can activate, related to keeping devices up to date, allowing users to download apps from the Microsoft Store, and so on.
Advanced users who are familiar with Intune can also edit these policies and create others in the Endpoint Manager admin center, which is accessible in the left navigation.
We’re rolling these capabilities out right now, and are eager for you to put them to work to secure the devices in your organization. If you have questions about the new setup experience, or feedback for the team, let us know here in the Tech Community.