UPDATED 27/4-2024

The Disk encryption section has been updated. The BitLocker settings have moved from a configuration profile template to the Disk encryption policy under Endpoint security. Some settings are only available in the Endpoint security policy and not in the template.


In this part we will apply settings for the endpoints. These settings will differ from company to company, but I believe that the settings below are a good starting point. I also recommend that you have a dialog with the security department about which security settings should be applied in your environment.

Timezone during Autopilot

By default, a PC enrolled through Autopilot ends up in the Pacific Standard Time (PST) zone. This can be fixed automatically by looking up the location of the PC when it is enrolled. Nickolaj Andersen from MSEndpointMgr has an article that describes how to do it. This is just a rewrite of that article, and all credit of course goes to him! This is the link to the original article:

Setup Azure Maps
Login to Azure: portal.azure.com
Search for azure maps -> Click Azure Maps Accounts
Click Create
Enter data -> Click Next
Click Next
Click Next
Click Next
Click Create
Wait for the deployment to finish -> Click Go to resource
Click Authentication
Copy the Primary Key to somewhere temporary, as it is going to be pasted into a PowerShell script. Keep in mind that the key then lives in clear text in a script that Intune delivers to every targeted device, so treat it as exposed: do not reuse it for anything else, and regenerate it from the Authentication blade if it leaks.
Download Set-WindowsTimeZone_v2.ps1 from https://github.com/chamtl/rolig-dk
Edit the script and enter the Primary Key from Azure Maps and save it.
Create script in Intune
Login to Azure: intune.microsoft.com
Click Devices
Click Scripts and remediations
Click Platform scripts
Click Add -> Windows 10 and later
Enter a name -> Click Next
Choose Set-WindowsTimeZone_v2.ps1 and change the settings as shown in the screenshot.

Click Next
Add the Autopilot groups (we created them in an earlier post) and click Next
Click Add
You can see the script in the overview.

It will automatically run during Autopilot.
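To show what the script actually does during Autopilot, here is an added example of my own; it is not the rolig-dk Set-WindowsTimeZone_v2.ps1 script or Nickolaj's code. It assumes it runs as SYSTEM in 64-bit Windows PowerShell 5.1 (an Intune platform script), that location access is turned on for the device (the "Allow location" profile further down in this post), that the Azure Maps key is pasted into the $AzureMapsKey placeholder before upload, and that Azure Maps accepts the key in the subscription-key header as well as in the query string. It uses the Azure Maps timezone/byCoordinates and timezone/enumWindows REST calls.

```powershell
# Added example, not the rolig-dk Set-WindowsTimeZone_v2.ps1 script referenced above.
# Looks up the device's time zone in Azure Maps from its current coordinates and applies it.
# Assumptions: runs as SYSTEM in 64-bit Windows PowerShell 5.1 (Intune platform script),
# location access is allowed on the device, and the Azure Maps primary key is pasted into
# $AzureMapsKey before upload. Whatever is pasted here is readable on every device the
# script reaches, so treat the key as exposed and rotate it if it leaks.
$AzureMapsKey  = '<Azure Maps primary key>'        # placeholder
$AtlasTimeZone = 'https://atlas.microsoft.com/timezone'

# Windows PowerShell 5.1 may still default to an older TLS version; Azure requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-DeviceCoordinates {
    # .NET Framework GeoCoordinateWatcher; it honours the Windows location consent switch
    # that the "Allow Location" policy later in this post turns on.
    param([int]$TimeoutSeconds = 30)
    Add-Type -AssemblyName System.Device
    $watcher = New-Object System.Device.Location.GeoCoordinateWatcher
    try {
        $gotFix = $watcher.TryStart($false, [TimeSpan]::FromSeconds($TimeoutSeconds))
        if ($watcher.Permission -eq 'Denied') { throw 'Location access is denied on this device.' }
        if (-not $gotFix -or $watcher.Position.Location.IsUnknown) {
            throw "No position fix within $TimeoutSeconds seconds."
        }
        return [pscustomobject]@{
            Latitude  = $watcher.Position.Location.Latitude
            Longitude = $watcher.Position.Location.Longitude
        }
    }
    finally {
        $watcher.Stop()
        $watcher.Dispose()
    }
}

function Invoke-AtlasRequest {
    param([Parameter(Mandatory)] [string]$Uri)
    # The key travels in a header rather than the query string so it is not written to URL logs.
    Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ 'subscription-key' = $AzureMapsKey } -ErrorAction Stop
}

function Get-IanaTimeZoneId {
    param([Parameter(Mandatory)] [double]$Latitude, [Parameter(Mandatory)] [double]$Longitude)
    # Invariant culture: on a da-DK machine "55,67" would otherwise be sent instead of "55.67".
    $inv   = [Globalization.CultureInfo]::InvariantCulture
    $query = '{0},{1}' -f $Latitude.ToString($inv), $Longitude.ToString($inv)
    $resp  = Invoke-AtlasRequest -Uri "$AtlasTimeZone/byCoordinates/json?api-version=1.0&query=$query"
    if (-not $resp.TimeZones) { throw "Azure Maps returned no time zone for $query." }
    return $resp.TimeZones[0].Id                     # IANA id, e.g. Europe/Copenhagen
}

function ConvertTo-WindowsTimeZoneId {
    param([Parameter(Mandatory)] [string]$IanaId)
    # Azure Maps has no IANA-to-Windows call, but its Windows enumeration lists the IANA ids
    # each Windows zone covers, so the mapping is a reverse lookup over that list.
    $zones = Invoke-AtlasRequest -Uri "$AtlasTimeZone/enumWindows/json?api-version=1.0"
    $match = $zones | Where-Object { $_.IanaIds -contains $IanaId } | Select-Object -First 1
    if (-not $match) { throw "No Windows time zone maps to $IanaId." }
    return $match.WindowsId                          # e.g. "Romance Standard Time"
}

try {
    $coords  = Get-DeviceCoordinates
    $iana    = Get-IanaTimeZoneId -Latitude $coords.Latitude -Longitude $coords.Longitude
    $windows = ConvertTo-WindowsTimeZoneId -IanaId $iana
    if ((Get-TimeZone).Id -ne $windows) {
        Set-TimeZone -Id $windows
        Write-Output "Time zone set to '$windows' ($iana)."
    }
    else {
        Write-Output "Time zone already '$windows'; nothing to do."
    }
    exit 0
}
catch {
    # A non-zero exit code shows the run as failed in the Intune script report.
    Write-Output "Time zone detection failed: $($_.Exception.Message)"
    exit 1
}
```

Upload it the same way as the script above (platform script, run as SYSTEM in a 64-bit host). If the location policy has not reached the device yet when the script runs, GeoCoordinateWatcher reports Denied and the run shows up as failed in Intune, which is the signal to check profile ordering rather than the script.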

Security Baselines

Security Baseline for Windows 10 and later is a set of settings that Microsoft provides. It is a good starting point, but your company might want to harden the endpoints further, e.g. with CIS 18 (the CIS Critical Security Controls).

Go to Endpoint security
Click Security baselines
Click Security Baseline for Windows 10 and later
Click Create profile
Enter a Name -> Click Next
Choose the settings that you want to apply. In my case, I just want to apply what Microsoft recommends.

Click Next
Click Next
Add the Groups that you want this security profile to be applied on.

Click Next
Review the setting -> Click Create
In the overview you can see the newly created security baseline and it is assigned.

Security Baseline for Microsoft Edge is, like the Windows security baseline, a set of settings that Microsoft provides. It is a good starting point, but be sure to involve your security team to make sure you apply the right settings for your company.

Go to Endpoint security
Click Security baselines
Click Security Baseline for Microsoft Edge
Click Create profile
Click Create
Enter a Name -> Click Next
Choose the settings that you want to apply. In my case, I just want to apply what Microsoft recommends.

Click Next
Click Next
Add the Groups that you want this security profile to be applied on.

Click Next
Review the setting -> Click Create
In the overview you can see the newly created security baseline and it is assigned.

Configuration profiles

The Disk encryption policy makes sure that the drives are encrypted with BitLocker.

Go to Endpoint security > Disk encryption -> Create Policy
Choose Windows 10 and later -> BitLocker -> Click Create
Enter a Name -> Click Next
Apply the settings that fit your company security policy (at a minimum make sure that BitLocker recovery information is saved to Entra ID, so a device that ends up in recovery can be unlocked from the portal) -> Click Next
Click Next
Add the Groups that you want this security profile to be applied on.

Click Next
Click Create
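Once the policy has been assigned, you want to know that it actually landed on the device. The script below is an added example of my own, not something from the original post or from Microsoft: it reads the BitLocker state of the OS volume with the in-box BitLocker module, checks the things the policy is supposed to produce (fully encrypted, protection on, a TPM protector and a recovery password), and escrows the recovery password to Entra ID. It assumes an elevated Windows PowerShell 5.1 session on a Windows 10/11 Pro or Enterprise device.

```powershell
# Added example, not part of the original post: checks that the BitLocker policy above has
# taken effect on the OS volume and escrows the recovery password to Entra ID.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 Pro or Enterprise with
# the in-box BitLocker and TrustedPlatformModule modules.
function Get-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpm   = Get-Tpm
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus.ToString()       # expect FullyEncrypted
        ProtectionStatus    = $vol.ProtectionStatus.ToString()   # expect On
        EncryptionMethod    = $vol.EncryptionMethod.ToString()   # compare with the method chosen in the policy
        TpmReady            = [bool]$tpm.TpmReady
        HasTpmProtector     = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
        ProtectorTypes      = ($types -join ', ')
    }
}

function Backup-RecoveryPasswordToEntra {
    # Repeats the escrow the policy does automatically; harmless if the key is already there.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rps.Count -eq 0) { throw "No recovery password protector on $MountPoint; nothing to escrow." }
    foreach ($rp in $rps) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    }
    # Event 845 in the BitLocker Management log confirms a successful upload, 846 a failure.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
        -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$posture = Get-BitLockerPosture
$posture | Format-List

$healthy = $posture.VolumeStatus -eq 'FullyEncrypted' -and
           $posture.ProtectionStatus -eq 'On' -and
           $posture.HasTpmProtector -and
           $posture.HasRecoveryPassword
if (-not $healthy) {
    Write-Output 'BitLocker posture does not match the policy; check the device configuration report in Intune.'
    exit 1
}
Backup-RecoveryPasswordToEntra
exit 0
```

A device that is encrypted but has no RecoveryPassword protector is the case to watch for: the data is protected, but nobody can unlock it from the portal if the TPM measurements change.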

Allow location lets Windows detect where in the world the device is located; the time zone detection above depends on it. I suggest that you talk to your legal department about this setting because of GDPR.

Navigate to Devices -> Windows -> Configuration profiles.

Click Create -> New Policy
Choose Windows 10 and later and Settings catalog

Click Create
Enter a name -> Click Next
Click Add setting
search for privacy

Click Privacy

Mark Let Apps Access Location
Search for allow location

Click System

Mark Allow Location
Choose these settings (as in the screenshot) -> Click Next
Click Next
Add the groups that you want to apply the settings on -> Click Next
Click Create

Microsoft Edge can be configured with a lot of settings. The settings below are just a small set that I think make sense in most scenarios.

Navigate to Devices -> Windows -> Configuration profiles.

Click Create -> New Policy
Choose Windows 10 and later and Settings catalog

Click Create
Enter a name -> Click Next
Click Add settings
Search for Edge -> Click Microsoft Edge

Enable with the following settings:
– Force synchronization of browser data and do not show the sync consent prompt:
— Enabled

– Hide the First-run experience and splash screen
— Enabled

– Manage Search Engines
— [{"suggest_url": "https://www.google.com/complete/search?output=chrome&q={searchTerms}","image_search_url": "","name": "Google","keyword": "google","is_default": true,"search_url": "https://www.google.com/search?q={searchTerms}"},{"image_search_url": "","suggest_url": "https://www.bing.com/qbox?query={searchTerms}","search_url": "https://www.bing.com/search?q={searchTerms}","name": "Bing","keyword": "bing"},{"image_search_url": "","suggest_url": "","search_url": "https://www.startpage.com/do/dsearch?query={searchTerms}","name": "Startpage","keyword": "startpage"},{"image_search_url": "https://www.duckduckgo.com/images/detail/search?iss=sbiupload","suggest_url": "","search_url": "https://duckduckgo.com/?q={searchTerms}","name": "DuckDuckGo","keyword": "duckduckgo.com"}]

– Notify a user that a browser restart is recommended or required for pending updates
— Required – Show…

– Set the time period for update notifications
— Enabled: 3600000
Search for extension -> Click Microsoft Edge\Extensions

Enable with the following settings:
– Allow specific extensions to be installed
— Disabled
Search for edge update -> Click Microsoft Edge Update\Applications

Enable with the following settings:
– Update policy override default
— Enabled: Automatic silent updates only
Search for applications -> Click Microsoft Edge Update\Applications\Microsoft Edge

Enable with the following settings:
– Update policy override
— Enabled: Automatic silent updates only
Search for auto-update -> Click Microsoft Edge Update\Preferences

Enable with the following settings:
– Auto-update check period override
— Enabled: 1400
Click Next


Click Next
Add the groups that you want to apply the setting on -> Click Next
Click Create

If you want reporting for Windows updates and Endpoint analytics, you need to configure the Intune data collection policy (Windows health monitoring).

Navigate to Devices -> Windows -> Configuration profiles.

Click Create -> New Policy
Choose Windows 10 and later -> Templates -> Search for Health monitoring -> Select Windows health monitoring -> Click Create
Select Enable -> Select Windows updates + Endpoint analytics -> Click Review + save
Click Save
Locate the Intune data collection policy -> Click on it to open it
Click Assignments
Add the groups that you want to apply the setting on -> Click Review + save
Click Save

Windows Update for Business (WUfB) settings control how the devices behave when Microsoft updates are installed. The profile below does not configure the update rings themselves; it sets Delivery Optimization and the Windows diagnostic data settings that Windows Update for Business reports depend on. Note that "Full" diagnostic data is more than those reports need ("Required" is the documented minimum), so agree the level with your security and privacy teams before choosing Full.

Navigate to Devices -> Windows -> Configuration profiles.

Click Create -> New Policy
Choose Windows 10 and later and Settings catalog

Click Create
Enter a name -> Click Next
Click Add settings
Search for delivery -> Click Delivery Optimization

Enable with the following settings:
– DO Download Mode
— HTTP blended with peering behind the same NAT.


Search for system -> Click System

Enable with the following settings:

– Allow Commercial Data Pipeline
— Enabled

– Allow device name to be sent in Windows diagnostic data
— Allowed

– Allow Telemetry
— Full

– Allow Update Compliance Processing
— Enabled

– Allow WUfB Cloud Processing
— Enabled

– Configure Telemetry Opt In Change Notification
— Disable telemetry change notifications.

– Configure Telemetry Opt In Settings Ux
— Disable Telemetry opt-in Settings.

– Limit Diagnostic Log Collection
— Enabled

– Limit Dump Collection
— Enabled


Click Next

Click Next
Add the groups that you want to apply the setting on -> Click Next
Click Create

Before you create the OneDrive settings, you need to find the Tenant ID: (Device) and the Tenant Association Key: (Device), as these GUIDs are used in the config profile.

To get the Tenant Association Key: (Device), you need Global admin or Office apps admin rights! Office apps admin is enough, so prefer that over Global admin.

Tenant ID: (Device)
Login to Azure: portal.azure.com
Search for microsoft entra id -> Click Microsoft Entra ID
Copy the Tenant ID and paste it in Notepad or similar for later use.
Tenant Association Key: (Device)
Login to Azure: config.office.com
Click Setup

Copy the Tenant Association Key and paste it in Notepad or similar for later use.

Navigate to Devices -> Windows -> Configuration profiles.

Click Create -> New Policy
Choose Windows 10 and later and Settings catalog

Click Create
Enter a name -> Click Next
Click Add settings
Search for onedrive -> Click OneDrive

Enable with the following settings:

– Set the sync app update ring
— Enabled

– Silently move Windows known folders to OneDrive
— Enabled: Show notification… = No

– Tenant ID: (Device)
— Paste the tenant id you copied earlier

– Silently sign in users to the OneDrive sync app with their Windows credentials
— Enabled

– Sync Admin Reports
— Enabled

– Tenant Association Key: (Device)
— Paste the tenant association key you copied earlier

– Use OneDrive Files On-Demand
— Enabled


Click Next


Click Next
Add the groups that you want to apply the setting on -> Click Next
Click Create
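Both the Delivery Optimization / diagnostic data profile and this OneDrive profile are Settings catalog profiles, and the quickest way to see whether they reached a device is to look at where Windows writes them. The script below is an added example of my own, not part of the original post: Policy CSP settings land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, and the ADMX-backed OneDrive settings land under HKLM\SOFTWARE\Policies\Microsoft\OneDrive. The expected values are the Policy CSP integer encodings of the choices made above; the two GUIDs are placeholders that you replace with the Tenant ID and Tenant Association Key you copied earlier.

```powershell
# Added example, not part of the original post: confirms on an enrolled device that the
# Delivery Optimization / diagnostic data profile and the OneDrive profile above arrived.
# Policy CSP settings: HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>
# ADMX-backed OneDrive settings: HKLM\SOFTWARE\Policies\Microsoft\OneDrive
# The two GUIDs are placeholders (assumed); replace them with the values copied earlier.
$TenantId             = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantAssociationKey = '00000000-0000-0000-0000-000000000000'   # placeholder

$PolicyManager = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$OneDrive      = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Expected values use the Policy CSP integer encodings of the choices made in this post.
# Value = $null means "only check that the setting exists" (the post does not fix a ring).
$Expected = @(
    @{ Path = "$PolicyManager\DeliveryOptimization"; Name = 'DODownloadMode';              Value = 1 }  # 1 = HTTP blended with peering behind the same NAT
    @{ Path = "$PolicyManager\System"; Name = 'AllowCommercialDataPipeline';               Value = 1 }
    @{ Path = "$PolicyManager\System"; Name = 'AllowDeviceNameInDiagnosticData';           Value = 1 }
    @{ Path = "$PolicyManager\System"; Name = 'AllowTelemetry';                            Value = 3 }  # 3 = Full; 1 = Required is the minimum WUfB reports need
    @{ Path = "$PolicyManager\System"; Name = 'AllowUpdateComplianceProcessing';           Value = 16 }
    @{ Path = "$PolicyManager\System"; Name = 'AllowWUfBCloudProcessing';                  Value = 8 }
    @{ Path = "$PolicyManager\System"; Name = 'ConfigureTelemetryOptInChangeNotification'; Value = 1 }  # 1 = change notifications disabled
    @{ Path = "$PolicyManager\System"; Name = 'ConfigureTelemetryOptInSettingsUx';         Value = 1 }  # 1 = opt-in settings UI disabled
    @{ Path = "$PolicyManager\System"; Name = 'LimitDiagnosticLogCollection';              Value = 1 }
    @{ Path = "$PolicyManager\System"; Name = 'LimitDumpCollection';                       Value = 1 }
    @{ Path = $OneDrive; Name = 'GPOSetUpdateRing';     Value = $null }                    # the ring chosen in the profile
    @{ Path = $OneDrive; Name = 'KFMSilentOptIn';       Value = $TenantId }                # silent known folder move
    @{ Path = $OneDrive; Name = 'SilentAccountConfig';  Value = 1 }                        # silent sign-in
    @{ Path = $OneDrive; Name = 'SyncAdminReports';     Value = $TenantAssociationKey }
    @{ Path = $OneDrive; Name = 'FilesOnDemandEnabled'; Value = 1 }
)

function Test-AppliedPolicy {
    param([Parameter(Mandatory)] [hashtable[]]$Expected)
    foreach ($e in $Expected) {
        $item    = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual  = if ($item) { $item.$($e.Name) } else { $null }
        $applied = if ($null -eq $actual) { $false }
                   elseif ($null -eq $e.Value) { $true }
                   else { "$actual" -ieq "$($e.Value)" }     # string compare handles GUID case
        [pscustomobject]@{
            Setting  = $e.Name
            Expected = if ($null -eq $e.Value) { '<any>' } else { $e.Value }
            Actual   = $actual
            Applied  = $applied
        }
    }
}

$results = Test-AppliedPolicy -Expected $Expected
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Output "$($missing.Count) setting(s) not applied as expected."
    exit 1      # as a remediations detection script this flags the device
}
exit 0
```

Run it in an elevated prompt on a test device, or drop it into Scripts and remediations as a detection script: the exit code tells Intune whether the device matches, and the table tells you which setting did not arrive and with what value.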

I will create a blog post later where I will go through setting up “OneDrive Sync reports”, as that was one of the settings in the OneDrive config profile. Stay tuned….

Continue to part 5 (Basic compliance settings)


By Claus