UPDATED 27/4-2024
The Disk encryption section is updated. The setting has moved from a template to the Disk encryption setting under Endpoint security. Some settings are only available in the Endpoint security section and are not available in the template.
In this part we will apply settings to the endpoints. These settings will differ from company to company, but I believe the settings below are a good starting point. I also recommend that you have a dialog with the security department about the security settings that should be applied in your environment.
Timezone during Autopilot
By default, the time zone on a PC enrolled through Autopilot is "PST (Pacific Standard Time)". Setting the correct time zone can be automated by looking up the location of the PC when it is enrolled. Nickolaj Andersen from MSEndpointMgr has an article that describes how to do it. This is just a rewrite of that article; all credit of course goes to him! This is the link to the original article:
Setup Azure Maps

1. Log in to Azure: portal.azure.com
2. Search for azure maps -> Click Azure Maps Accounts
3. Click Create
4. Enter data -> Click Next
5. Click Next
6. Click Next
7. Click Next
8. Click Create
9. Wait for the deployment to finish -> Click Go to resource
10. Click Authentication
11. Copy the Primary Key to somewhere temporary, as it is going to be used in a PowerShell script.
12. Download Set-WindowsTimeZone_v2.ps1 from https://github.com/chamtl/rolig-dk
13. Edit the script, enter the Primary Key from Azure Maps and save it.

Create script in Intune

1. Log in to Intune: intune.microsoft.com
2. Click Devices
3. Click Scripts and remediations
4. Click Platform scripts
5. Click Add -> Windows 10 and later
6. Enter a name -> Click Next
7. Choose Set-WindowsTimeZone_v2.ps1 and change the settings as shown in the screenshot. Click Next
8. Add the Autopilot groups (we created them in an earlier post) and click Next
9. Click Add
10. You can see the script in the overview. It will automatically run during Autopilot.
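To show what a script like this does end to end, here is an added example written for this post; it is not the Set-WindowsTimeZone_v2.ps1 script linked above. It assumes Windows PowerShell 5.1, an Azure Maps account whose Primary Key you paste into the placeholder, the Azure Maps "timezone by coordinates" and "enumWindows" endpoints, and the Allow Location policy from later in this post being applied.

```powershell
# Added example, not the Set-WindowsTimeZone_v2.ps1 script the post links to.
# Flow: Windows Geolocation API -> Azure Maps "timezone by coordinates" (IANA id)
#       -> Azure Maps "enumWindows" (IANA id -> Windows id) -> Set-TimeZone.
# The Primary Key is pasted into a script that Intune delivers to every device, so it is
# readable on each of them: keep it on a dedicated Azure Maps account that holds nothing
# else, and regenerate it from the Authentication blade if it ever leaks.
$AzureMapsKey = '<AZURE-MAPS-PRIMARY-KEY>'   # placeholder, replace with the copied key
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Helper to wait on a WinRT IAsyncOperation from Windows PowerShell 5.1.
Add-Type -AssemblyName System.Runtime.WindowsRuntime
$asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object {
    $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
    $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]
function Wait-WinRT($Operation, $ResultType) {
    $task = $asTaskGeneric.MakeGenericMethod($ResultType).Invoke($null, @($Operation))
    $task.Wait(-1) | Out-Null
    return $task.Result
}

# 1. Device position (requires the "Allow Location" policy from this post).
[Windows.Devices.Geolocation.Geolocator, Windows.Devices.Geolocation, ContentType = WindowsRuntime] | Out-Null
$geolocator = New-Object Windows.Devices.Geolocation.Geolocator
$position   = Wait-WinRT ($geolocator.GetGeopositionAsync()) ([Windows.Devices.Geolocation.Geoposition])
$lat = $position.Coordinate.Point.Position.Latitude
$lon = $position.Coordinate.Point.Position.Longitude

# 2. IANA time zone id for those coordinates.
$tzUri  = "https://atlas.microsoft.com/timezone/byCoordinates/json?api-version=1.0&query=$lat,$lon&subscription-key=$AzureMapsKey"
$ianaId = (Invoke-RestMethod -Uri $tzUri -Method Get).TimeZones[0].Id

# 3. Map the IANA id to the Windows id that Set-TimeZone accepts.
$mapUri    = "https://atlas.microsoft.com/timezone/enumWindows/json?api-version=1.0&subscription-key=$AzureMapsKey"
$windowsId = (Invoke-RestMethod -Uri $mapUri -Method Get |
    Where-Object { $_.IanaIds -contains $ianaId } | Select-Object -First 1).WindowsId

# 4. Apply it; the output lands in the Intune script result so failures are visible.
if ($windowsId) {
    Set-TimeZone -Id $windowsId
    Write-Output "Time zone set to '$windowsId' (IANA $ianaId) for $lat,$lon"
} else {
    Write-Output "No Windows time zone mapping found for IANA id '$ianaId'"
    exit 1
}
```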
Security Baselines
Security Baseline for Windows 10 and later is a set of settings that Microsoft provides. It is a good starting point, but your company might want to secure the endpoints even more with, for example, CIS 18.
1. Go to Endpoint security
2. Click Security baselines
3. Click Security Baseline for Windows 10 and later
4. Click Create profile
5. Enter a Name -> Click Next
6. Choose the settings that you want to apply. In my case, I just want to apply what Microsoft recommends. Click Next
7. Click Next
8. Add the groups that you want this security profile to be applied to. Click Next
9. Review the settings -> Click Create
10. In the overview you can see the newly created security baseline, and that it is assigned.
Security Baseline for Microsoft Edge is, like the Windows security baseline, a set of settings that Microsoft provides. It is a good starting point, but be sure to involve your security team to make sure you apply the right settings for your company.
1. Go to Endpoint security
2. Click Security baselines
3. Click Security Baseline for Microsoft Edge
4. Click Create profile
5. Click Create
6. Enter a Name -> Click Next
7. Choose the settings that you want to apply. In my case, I just want to apply what Microsoft recommends. Click Next
8. Click Next
9. Add the groups that you want this security profile to be applied to. Click Next
10. Review the settings -> Click Create
11. In the overview you can see the newly created security baseline, and that it is assigned.
Configuration profiles
The Disk encryption setting makes sure that the device's files are encrypted with BitLocker.
1. Go to Endpoint security > Disk encryption -> Create Policy
2. Choose Windows 10 and later -> BitLocker -> Click Create
3. Enter a Name -> Click Next
4. Apply the settings that fit your company security policy -> Click Next
5. Click Next
6. Add the groups that you want this security profile to be applied to. Click Next
7. Click Create
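Once the policy has reached a device, it is worth confirming that BitLocker actually ended up in the state the policy asked for. The check below is an added example, not part of the post; it assumes the BitLocker PowerShell module that ships with Windows 10/11, an elevated session, and that event ID 845 in the BitLocker Management log marks a successful recovery password backup to Entra ID.

```powershell
# Added example (not from the post): confirm on a device that the Disk encryption policy
# did what it should: the OS drive is encrypted, protected by TPM + recovery password,
# and the recovery password has been escrowed to Entra ID (needed for helpdesk recovery).
# Assumes the built-in BitLocker module; run in an elevated session.
function Test-BitLockerPolicyApplied {
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = $vol.KeyProtector.KeyProtectorType
    $recovery   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Event 845 in the BitLocker Management log is written when a recovery password is
    # backed up to Entra ID (Azure AD); 846 is the failure counterpart.
    $escrowed = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Encrypted        = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod = $vol.EncryptionMethod
        HasTpmProtector  = ($protectors -contains 'Tpm')
        HasRecoveryPwd   = [bool]$recovery
        EscrowedToEntra  = [bool]$escrowed
        # If HasRecoveryPwd is true but EscrowedToEntra is false, the manual fix is:
        # BackupToAAD-BitLockerKeyProtector -MountPoint <drive> -KeyProtectorId <recovery id>
        RecoveryPwdId    = if ($recovery) { $recovery[0].KeyProtectorId } else { $null }
    }
}

Test-BitLockerPolicyApplied | Format-List
```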
Allow location lets Windows detect where in the world the device is located; it is used by the time zone detection above. I suggest that you talk to your legal department about this setting because of GDPR.
1. Navigate to Devices -> Windows -> Configuration profiles. Click Create -> New Policy
2. Choose Windows 10 and later and Settings catalog. Click Create
3. Enter a name -> Click Next
4. Click Add settings
5. Search for privacy -> Click Privacy -> Mark Let Apps Access Location
6. Search for allow location -> Click System -> Mark Allow Location
7. Choose these settings -> Click Next
8. Click Next
9. Add the groups that you want to apply the settings to -> Click Next
10. Click Create
Microsoft Edge can be configured with a lot of settings. The settings below are just a small set that I think could make sense in some scenarios.
1. Navigate to Devices -> Windows -> Configuration profiles. Click Create -> New Policy
2. Choose Windows 10 and later and Settings catalog. Click Create
3. Enter a name -> Click Next
4. Click Add settings
5. Search for Edge -> Click Microsoft Edge. Enable the following settings:
   - Force synchronization of browser data and do not show the sync consent prompt: Enabled
   - Hide the First-run experience and splash screen: Enabled
   - Manage Search Engines (the value is entered as one line; shown here with straight quotes, which the setting requires):

     ```json
     [
       {"suggest_url": "https://www.google.com/complete/search?output=chrome&q={searchTerms}", "image_search_url": "", "name": "Google", "keyword": "google", "is_default": true, "search_url": "https://www.google.com/search?q={searchTerms}"},
       {"image_search_url": "", "suggest_url": "https://www.bing.com/qbox?query={searchTerms}", "search_url": "https://www.bing.com/search?q={searchTerms}", "name": "Bing", "keyword": "bing"},
       {"image_search_url": "", "suggest_url": "", "search_url": "https://www.startpage.com/do/dsearch?query={searchTerms}", "name": "Startpage", "keyword": "startpage"},
       {"image_search_url": "https://www.duckduckgo.com/images/detail/search?iss=sbiupload", "suggest_url": "", "search_url": "https://duckduckgo.com/?q={searchTerms}", "name": "DuckDuckGo", "keyword": "duckduckgo.com"}
     ]
     ```

   - Notify a user that a browser restart is recommended or required for pending updates: Required
   - Show………….
   - Set the time period for update notifications: Enabled: 3600000
6. Search for extension -> Click Microsoft Edge\Extensions. Enable the following setting:
   - Allow specific extensions to be installed: Disabled
7. Search for edge update -> Click Microsoft Edge Update\Applications. Enable the following setting:
   - Update policy override default: Enabled: Automatic silent updates only
8. Search for applications -> Click Microsoft Edge Update\Applications\Microsoft Edge. Enable the following setting:
   - Update policy override: Enabled: Automatic silent updates only
9. Search for applications -> Click Microsoft Edge Update\Applications\Microsoft Edge. Enable the following setting:
   - Auto-update check period override: Enabled: 1400
10. Click Next
11. Click Next
12. Add the groups that you want to apply the settings to -> Click Next
13. Click Create
If you want reporting for Windows updates and Endpoint analytics, you need to configure the Intune data collection policy.
1. Navigate to Devices -> Windows -> Configuration profiles. Click Create -> New Policy
2. Choose Windows 10 and later -> Templates -> Search for Health monitoring -> Select Windows health monitoring -> Click Create
3. Select Enable -> Select Windows updates + Endpoint analytics -> Click Review + save
4. Click Save
5. Locate the Intune data collection policy -> Click on it to open it
6. Click Assignments
7. Add the groups that you want to apply the settings to -> Click Review + save
8. Click Save
Windows Update for Business (WUfB) settings control how the devices should behave when Microsoft updates are installed.
1. Navigate to Devices -> Windows -> Configuration profiles. Click Create -> New Policy
2. Choose Windows 10 and later and Settings catalog. Click Create
3. Enter a name -> Click Next
4. Click Add settings
5. Search for delivery -> Click Delivery Optimization. Enable the following setting:
   - DO Download Mode: HTTP blended with peering behind the same NAT.
6. Search for system -> Click System. Enable the following settings:
   - Allow Commercial Data Pipeline: Enabled
   - Allow device name to be sent in Windows diagnostic data: Allowed
   - Allow Telemetry: Full
   - Allow Update Compliance Processing: Enabled
   - Allow WUfB Cloud Processing: Enabled
   - Configure Telemetry Opt In Change Notification: Disable telemetry change notifications.
   - Configure Telemetry Opt In Settings Ux: Disable Telemetry opt-in Settings.
   - Limit Diagnostic Log Collection: Enabled
   - Limit Dump Collection: Enabled

   Click Next
7. Click Next
8. Add the groups that you want to apply the settings to -> Click Next
9. Click Create
Before you create the OneDrive setting, you need to find the Tenant ID: (Device) and the Tenant Association Key: (Device), as these GUIDs are used in the config profile.
To get the Tenant Association Key: (Device), you need Global admin or Office apps admin rights!
Tenant ID: (Device)

1. Log in to Azure: portal.azure.com
2. Search for microsoft entra id -> Click Microsoft Entra ID
3. Copy the Tenant ID and paste it in Notepad or similar for later use.

Tenant Association Key: (Device)

1. Log in to config.office.com
2. Click Setup
3. Copy the Tenant Association Key and paste it in Notepad or similar for later use.

Create the OneDrive configuration profile

1. Navigate to Devices -> Windows -> Configuration profiles. Click Create -> New Policy
2. Choose Windows 10 and later and Settings catalog. Click Create
3. Enter a name -> Click Next
4. Click Add settings
5. Search for onedrive -> Click OneDrive. Enable the following settings:
   - Set the sync app update ring: Enabled
   - Silently move Windows known folders to OneDrive: Enabled; Show notification….. = No
   - Tenant ID: (Device): Paste the tenant ID you copied earlier
   - Silently sign in users to the OneDrive sync app with their Windows credentials: Enabled
   - Sync Admin Reports: Enabled
   - Tenant Association Key: (Device): Paste the tenant association key you copied earlier
   - Use OneDrive Files On-Demand: Enabled

   Click Next
6. Click Next
7. Add the groups that you want to apply the settings to -> Click Next
8. Click Create
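Because two of these settings carry tenant-specific GUIDs, a typo only shows up as silent sign-in or known folder move quietly not happening. The check below is an added example, not part of the post; it reads the registry values that the OneDrive ADMX-backed policies write under HKLM\SOFTWARE\Policies\Microsoft\OneDrive (value names as documented for those policies) and compares them against the two GUIDs you copied, which are placeholders here.

```powershell
# Added example (not from the post): check on a device that the OneDrive settings catalog
# profile arrived with the right tenant values. The value names are the documented OneDrive
# ADMX policy registry values; the two GUIDs are placeholders for what you copied from
# Microsoft Entra ID and config.office.com.
$ExpectedTenantId       = '<TENANT-ID-GUID>'              # Tenant ID: (Device)
$ExpectedAssociationKey = '<TENANT-ASSOCIATION-KEY-GUID>' # Tenant Association Key: (Device)

function Test-OneDrivePolicy {
    param([string]$TenantId, [string]$AssociationKey)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return [pscustomobject]@{ PolicyKeyPresent = $false } }

    [pscustomobject]@{
        PolicyKeyPresent     = $true
        # "Silently move Windows known folders to OneDrive" stores the tenant GUID itself,
        # so a wrong GUID here means KFM never triggers (-eq is case-insensitive).
        KfmSilentOptIn       = ($p.KFMSilentOptIn -eq $TenantId)
        # "Show notification" = No maps to 0
        KfmNotificationOff   = ($p.KFMSilentOptInWithNotification -eq 0)
        # "Silently sign in users ... with their Windows credentials"
        SilentAccountConfig  = ($p.SilentAccountConfig -eq 1)
        # "Use OneDrive Files On-Demand"
        FilesOnDemand        = ($p.FilesOnDemandEnabled -eq 1)
        # "Sync Admin Reports" stores the Tenant Association Key
        SyncAdminReports     = ($p.EnableSyncAdminReports -eq $AssociationKey)
        # "Set the sync app update ring" writes a ring number; only presence is checked
        UpdateRingConfigured = ($null -ne $p.GPOSetUpdateRing)
    }
}

Test-OneDrivePolicy -TenantId $ExpectedTenantId -AssociationKey $ExpectedAssociationKey | Format-List
```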
I will create a blog post later where I will go through setting up "OneDrive Sync reports", as that was one of the settings in the OneDrive config profile. Stay tuned….
Continue to part 5 (Basic compliance settings)