Cyber Essentials for Microsoft Intune: configuration guide

How to configure Microsoft Intune to satisfy Cyber Essentials v3.3 on Windows, macOS, iOS, and Android devices - baselines, compliance policies, app protection, and update rings.

Author: Jay Hopkins
Editor: Jack Wickham
Read time: 7 min

Microsoft Intune is one of the cleanest ways to evidence Cyber Essentials v3.3 across Windows, macOS, iOS, and Android. The scheme requires enforced secure configuration, password policy, firewall on, auto-updates on, and user-access control - Intune delivers each via compliance policies and security baselines. The common failure is partial enrolment (a tail of BYOD devices unmanaged) or skipping the Security Baseline in favour of a hand-rolled profile that misses specific v3.3 clauses.

1. Enrolment scope first

Every device that touches organisational data must be in scope. That includes:

  • Corporate laptops and desktops (Windows, macOS)
  • Corporate-issued mobiles (iOS / iPadOS, Android Enterprise)
  • BYOD used for work email or Teams - covered through App Protection Policies (MAM) without needing full MDM enrolment

Missing devices are the #1 failure cause. Before applying policies, reconcile Intune's All devices list against HR's active users, Entra ID joined devices, and M365 active-sign-in telemetry.
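The reconciliation step can be scripted against Microsoft Graph using read-only scopes. The script below is an added example, not Fig's readiness scan and not code from the original guide. It assumes the Microsoft.Graph PowerShell SDK is installed, treats enabled member accounts in Entra ID as the user population, and uses a constructed 30-day sync threshold to separate live devices from stale records; the threshold is a reporting choice, not a v3.3 rule.

```powershell
# Added example (not Fig Group's tooling): reconcile Intune-managed devices against
# enabled Entra ID member users so unenrolled users surface before assessment.
# Read-only Graph scopes only. Assumptions: one recently synced managed device per
# user is the minimum; guests and disabled accounts are out of scope; 30 days is a
# constructed staleness threshold.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "User.Read.All" -NoWelcome

$staleAfter = (Get-Date).AddDays(-30)

# The user population: enabled, non-guest accounts
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property UserPrincipalName, DisplayName

# Every MDM-enrolled device Intune knows about
$devices = Get-MgDeviceManagementManagedDevice -All `
    -Property UserPrincipalName, DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime

# Index devices by owner UPN (case-insensitive)
$byUser = @{}
foreach ($d in $devices) {
    if ([string]::IsNullOrEmpty($d.UserPrincipalName)) { continue }   # shared/userless devices
    $key = $d.UserPrincipalName.ToLowerInvariant()
    if (-not $byUser.ContainsKey($key)) { $byUser[$key] = @() }
    $byUser[$key] += $d
}

$noDevice     = @()   # user has no managed device at all
$staleOnly    = @()   # user's devices have not checked in within the threshold
$nonCompliant = @()   # user has a live device that is currently non-compliant
foreach ($u in $users) {
    $key = $u.UserPrincipalName.ToLowerInvariant()
    if (-not $byUser.ContainsKey($key)) { $noDevice += $u.UserPrincipalName; continue }
    $recent = @($byUser[$key] | Where-Object { $_.LastSyncDateTime -gt $staleAfter })
    if ($recent.Count -eq 0) { $staleOnly += $u.UserPrincipalName; continue }
    if (@($recent | Where-Object { $_.ComplianceState -ne 'compliant' }).Count -gt 0) {
        $nonCompliant += $u.UserPrincipalName
    }
}

$total   = @($users).Count
$covered = $total - $noDevice.Count - $staleOnly.Count
"Users: $total  With a recently synced device: $covered ({0:P1})" -f ($covered / [math]::Max($total, 1))
"No managed device:         $($noDevice.Count)"
"Only stale devices (>30d): $($staleOnly.Count)"
"Non-compliant live device: $($nonCompliant.Count)"

# Lists to work through with HR / the service desk before the assessor samples users
$noDevice  | Sort-Object | Out-File .\unenrolled-users.txt
$staleOnly | Sort-Object | Out-File .\stale-users.txt
```

Users who only use BYOD phones under App Protection Policies will appear in the "no managed device" list because MAM-only devices are not managed devices; reconcile that list against the MAM registration report separately rather than treating every entry as a gap.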

2. Windows - baseline + compliance

Apply the built-in Windows Security Baseline (Settings > Endpoint security > Security baselines > Windows 10/11 security baseline). The baseline already enforces:

  • Microsoft Defender Antivirus active, real-time protection on, cloud-delivered protection on
  • Windows Firewall on for all profiles
  • BitLocker required on system and fixed drives
  • Credential Guard enabled
  • SmartScreen enabled

Add a Compliance Policy for Windows requiring:

  • Minimum OS version (Windows 11 22H2 or later, or Windows 10 22H2 with ESU)
  • BitLocker encryption confirmed present
  • Firewall active
  • Defender signatures less than 3 days old
  • Password: minimum 12 characters

Update Rings: create a Quality Update deferral of 0–7 days and a Feature Update deferral that keeps devices on a supported build. Cyber Essentials v3.3 requires high/critical patches within 14 days - Quality Update deferrals above 7 days are risky.

3. macOS

macOS Security Baseline (preview) or a manual configuration profile covering:

  • FileVault required and the recovery key escrowed to Intune
  • Firewall on with stealth mode
  • Gatekeeper enabled, automatic updates on
  • Screen lock after 10 minutes, password on wake
  • Minimum OS: macOS 14 (Sonoma) or later for the supported-OS clause

4. iOS / iPadOS

Device Compliance Policy:

  • Minimum OS: iOS 17 or later (Apple's N-1 security-update window)
  • Passcode: minimum 6 characters, non-simple, auto-lock 2 minutes, grace period 0
  • Block jailbroken devices
  • Require data protection at class B or higher (default on supported OS)

Automatic updates: push Automatic Software Updates via a Device Restrictions profile so OS patches install within the 14-day window.

5. Android Enterprise

Use Fully Managed for corporate devices and Work Profile for personal devices.

  • Minimum OS: Android 13 or later (older OEMs drop below the supported-OS window)
  • Require device encryption
  • Password: minimum 6 characters, complexity high, auto-lock 2 minutes
  • Google Play Protect required, verified boot required
  • App install only from Managed Google Play

6. App Protection Policies (MAM)

For BYOD laptops and phones that you cannot fully manage:

  • PIN required to access Outlook / Teams / OneDrive / SharePoint
  • Copy/paste between managed and unmanaged apps blocked
  • Encrypt app data at rest
  • Wipe app data on un-enrolment or jailbreak detection

App Protection Policies let BYOD devices satisfy Cyber Essentials' user-access-control and secure-configuration requirements for email and collaboration without full MDM.

7. Common failure points

1. A tail of 5–15% of staff devices not enrolled. Close this before assessment - assessors randomly sample the user list and ask for device records.

2. Compliance Policy set but not attached to an Entra ID group that covers all users. Check coverage explicitly.

3. Quality Update deferral set to 14+ days - this leaves no margin against the v3.3 14-day clock, so a patch that lands a couple of days late misses the window.

4. BYOD phones accessing email via IMAP (Exchange Online still permits this unless blocked). Block legacy auth and require Outlook mobile.
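Failure points 2 and 3 above, together with the Update Ring advice in section 2, can be checked with read-only Graph calls. The following is an added example, not Fig's scan and not code from the original guide. It assumes the Microsoft.Graph PowerShell SDK, uses the 7-day quality-deferral ceiling the guide recommends, and takes a placeholder group name ($everyoneGroups) for the group(s) you use to reach all staff; the assignment target type names and update-ring property names are the documented Graph ones.

```powershell
# Added example (not Fig Group's tooling): two read-only checks.
#   (a) every compliance policy targets "All users" or a group that covers everyone
#   (b) no Update Ring defers quality updates by more than 7 days
# $everyoneGroups is a placeholder, not a real tenant value; replace it with your own.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Group.Read.All" -NoWelcome

$everyoneGroups         = @("All Staff")   # placeholder display name(s)
$maxQualityDeferralDays = 7                # the guide's recommended ceiling
$graph                  = "https://graph.microsoft.com/v1.0"

# Follow @odata.nextLink so large tenants are fully enumerated
function Get-GraphPages([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Resolve group ids to names once each
$groupNameCache = @{}
function Get-GroupName([string]$Id) {
    if (-not $groupNameCache.ContainsKey($Id)) {
        $g = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($Id)?`$select=displayName" -OutputType PSObject
        $groupNameCache[$Id] = $g.displayName
    }
    return $groupNameCache[$Id]
}

# (a) Compliance policy assignment coverage (failure point 2)
foreach ($policy in Get-GraphPages "$graph/deviceManagement/deviceCompliancePolicies") {
    $targets = @(Get-GraphPages "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assignments" |
        ForEach-Object { $_.target })
    $allUsers = @($targets | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' })
    # Exclusion targets also carry a groupId, so match the include type explicitly
    $included = @($targets | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } |
        ForEach-Object { Get-GroupName $_.groupId })
    $excluded = @($targets | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' } |
        ForEach-Object { Get-GroupName $_.groupId })

    $coversEveryone = ($allUsers.Count -gt 0) -or
        (@($included | Where-Object { $everyoneGroups -contains $_ }).Count -gt 0)
    $status = 'PARTIAL'
    if ($targets.Count -eq 0) { $status = 'UNASSIGNED' } elseif ($coversEveryone) { $status = 'ok' }

    $desc = @()
    if ($allUsers.Count -gt 0) { $desc += 'All users' }
    $desc += $included
    if ($excluded.Count -gt 0) { $desc += "(excluding: $($excluded -join ', '))" }
    "[{0,-10}] {1} ({2}) -> {3}" -f $status, $policy.displayName, $policy.'@odata.type', ($desc -join ', ')
}

# (b) Update Ring deferrals (failure point 3 / section 2)
$rings = Get-GraphPages "$graph/deviceManagement/deviceConfigurations" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }
foreach ($ring in $rings) {
    $q = [int]$ring.qualityUpdatesDeferralPeriodInDays
    $flag = if ($q -gt $maxQualityDeferralDays) { 'RISK' } else { 'ok' }
    "[{0,-4}] {1}: quality deferral {2}d, feature deferral {3}d" -f `
        $flag, $ring.displayName, $q, $ring.featureUpdatesDeferralPeriodInDays
}
```

A policy reported as PARTIAL is not necessarily wrong (a macOS policy assigned only to a Mac-users group is correct), but every platform's policy should resolve to either "All users" or your all-staff group for that platform; anything UNASSIGNED is doing nothing at all.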

Evidence assessors expect

  • Compliance report export for each platform
  • Security Baseline configuration summary
  • Intune device enrolment count matched against Entra ID user count
  • Update Ring configurations
  • App Protection Policy export

What Fig checks

Our CE readiness scan reads Intune compliance state via read-only Graph API scopes and flags the specific clauses above before you pay a penny. Intune-managed estates pass first-attempt at >96%.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
