Intune

Section Purpose: The security section shows recommend security controls for Teams based on the CIS Controls. Each control contains the following subsections:

  • Description

  • Policy Definition

  • Licensing Considerations

  • Set Up Instructions

  • End-User Impact

  • PowerShell Scripts

  • Video Tutorials

Policy
End-User Impact
License

Personal Devices should be restricted from enrolling into the MDM solution

Medium

Standard

Devices shall be deleted that haven’t checked in for over 30 days

Low

Standard

Devices compliance policies shall be configured for every supported device platform

Medium

Standard

Noncompliant devices shall be blocked from accessing corporate resources

High

Azure AD P1

MFA Shall be required for Intune Enrollment

Medium

Azure AD P1

Security Baselines should be configured for Windows Devices

Medium

Standard

Windows Update Rings shall be configured for Windows Devices

Medium

Standard

Update Policies shall be configured for Apple Devices

Medium

Standard

App Protection policies should be created for mobile devices

Medium

Standard

Mobile devices shall only be able to access corporate data through approved client apps

Medium

Azure AD P1

Lockout screen and password settings shall be configured for each device

Medium

Standard

Encryption shall be required on all devices

Low

Standard

Windows Hello for Business should be configured where applicable

Low

Standard

Authorized Applications shall be configured for Single Sign-On

Low

Standard

Device Use Shall be restricted until required applications are installed

Medium

Standard

Devices and Applications shall be wiped when a user leaves the organization or reports a lost/stolen

None

Standard

PreviousLegacy Authentication SHALL Be BlockedNextPersonal Devices should be restricted from enrolling into the MDM solution

Last updated