Applying security policies to the computers in your organization is a foundational security practice. It’s especially important now that more employees are using these devices away from the office. To make it easier for you to protect your organization’s devices, we’ve added a new setup experience to the Microsoft 365 admin center that allows you to establish a security baseline for all of the Windows 10 PCs in your organization in just a few clicks.
This new experience is available to customers with Microsoft 365 Business Premium. It has begun rolling out and will reach all eligible customers within the next few months. Let’s take a closer look at what’s new.
To access these new capabilities, in the Microsoft 365 admin center, open Setup on the left menu.
In the Sign-up and Security section, find Secure your Windows 10 computers, and click the View button.
On the Secure your Windows 10 computers page, you can read about the streamlined process for securing Windows 10 devices and access relevant documentation. As the page notes, this experience is built with small and medium-sized businesses in mind. It simplifies the process of setting up Intune-powered device policies. Larger enterprises and advanced users can go to the Endpoint Manager admin center instead. Click the Get Started button to continue.
The pane that appears on the right side shows the five policies recommended for applying a security baseline. The policies that you can enable here are a lightweight set designed to elevate your protection while minimizing user impact and limiting management complexity. They were selected based on input from IT partners who serve small and medium-sized businesses, telemetry on the most commonly applied Intune policies, and feedback from customers.
The recommended security settings are:
When you click Apply Settings, the system will create these policies in Intune. For these policies to actually take effect, the conditions noted in the gray box must be true.
The most important of these is that the user’s computer must be enrolled in Intune. That is how the computer knows to check the cloud to see which settings should be applied. For information about Intune enrollment in an environment where PCs are joined to an on-premises Active Directory domain, see Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium, an article that we recently improved based on customer feedback.
Note: You typically will not need to change the Azure Active Directory settings noted in the gray box unless you have previously customized them.
After the policy setup is complete, you can access and modify the policies at any time by clicking Devices and then Policies.
The policy called “Device Policy for Windows 10” is the one created in the setup experience. You can modify that policy or create additional ones.
When you edit the settings, you’ll notice the original settings plus additional ones you can activate, related to keeping devices up to date, allowing users to download apps from the Microsoft Store, and so on.
Advanced users who are familiar with Intune can also edit these policies and create others in the Endpoint Manager admin center, which is accessible in the left navigation.
We’re rolling these capabilities out right now, and are eager for you to put them to work to secure the devices in your organization. If you have questions about the new setup experience, or feedback for the team, let us know here in the Tech Community.