Using Microsoft Intune to help with Cyber Essentials compliance
This blog post will help you work towards those requirements of Cyber Essentials as well as working towards the End-user Device Strategy Framework by the NCSC through primarily using Microsoft Intune. However, it is noted that some work through Group Policy will also be expected to fully automate all the requirements. Before deploying into production, you should ensure that you have the appropriate policies and procedures in place for your staff and to ensure that people are aware of what they should and should not be doing.
The Cyber Essentials scheme is a standard that has been designed by the UK government and is ran by the NCSC and IASME. To achieve Cyber Essentials as well as the audited Cyber Essentials Plus certification, you need to ensure that you meet certain requirements when it comes to the security of your devices and your users.
Microsoft Intune, if you did not already know, is a way to configure and manage your Windows devices as well as your mobile devices centrally ensuring that they meet your compliance configuration settings. You can read more about Microsoft Intune here: https://docs.microsoft.com/en-us/mem/intune/
Disclaimer: InfoSec Governance are not responsible for any issues that are caused by following these guidelines, these are for information purposes only and it is recommended that you test this in a controlled environment before starting.
Microsoft Intune
Note: Before doing this across your entire estate, test and configure a small subset of machines to ensure that there are no unfortunate side effects and that these settings work with your business without any compatibility issues. What works for one business may not work for another, a lot can depend upon what version of Windows / Office 365 you are using.
This guide was tested against Windows 10 Professional and Windows 10 Enterprise versions against build 2004.
These MDM settings will help your business comply with the requirements for Cyber Essentials as well as cyber security best practice in line with NCSC recommendations, such as:
- Password Policies
- Antivirus
- Disk Encryption
- Security updates
- Application blocking
To start configuring your Microsoft Intune settings you will need to navigate to the Microsoft Intune website which can be found at https://endpoint.microsoft.com. Please note that Microsoft occasional change the layout of their Intune website, and what is listed here may not be in the same place after this blog article is released.
Compliance Policy
Click on the ‘Devices’ option, then select ‘Compliance Policies’, then select ‘Create new policy’, for the platform, select ‘Windows 10 and later. Set a name for your policy, such as ‘Cyber Essentials Computer Security compliance’.
Device Health
- Require Bitlocker: Require
System Security
- Require a password to unlock mobile devices.: Require
- Password type: Device default
- Minimum password length: 8
Device Security
- Firewall: Required
- Trusted Platform Module (TPM): Required (Only to be selected if your machines have TPM modules)
- Antivirus: Required
- Antimalware: Required
Defender
- Microsoft Defender Antimalware: Required
- Microsoft Defender Antimalware security intelligence up-to-date: Required
- Real-time protection: Required
Then click on the Create button to create the policy
Configuration Policy – Endpoint Security
Click on the ‘Devices’ option, then select ‘Configuration Policies’, then select ‘Create new policy’, for the platform, select ‘Windows 10 and later’’, select Profile and select ’Endpoint Protection. Set a name for your policy, such as ‘Cyber Essentials Computer Security Configuration.
Microsoft Defender Smart Screen
- SmartScreen for apps and files: Enable
Interactive Logon
- Minutes of lock screen inactivity until screen saver initiates: 10
- Require CTRL + ALT + DEL to log on: Enable
Local device security options
Accounts
- Guest account: Block
Network access and security
- Anonymous access to Names Pipes ad Shares: Block
- Anonymous enumeration of SAM accounts: Block
- Anonymous enumeration of SAM accounts and shares: Block
- LAN Manager hash value stored on password change: Block
- Insecure guest logons: Block
User Account Control
- Elevated prompt for app installations: Enabled
Windows 10 Update rings
Click on the ‘Devices’ option, then select ‘Windows 10 update rings’, then select ‘Create profile’, set a name for your policy, such as ‘Cyber Essentials Update Configuration.
- Servicing channel: Semi-annual
- Microsoft product updates: Allow
- Windows drivers: Allow
- Quality update deferral period (days) : 3
- Feature update deferral period (days): 7
- Automatic update behaviour: Auto install at maintenance time
- Active hours start: 9 am
- Active hours end: 5 pm
- Restart checks: Allow
- Option to pause Windows updates: Enable
Other items
Although the following isn’t configured with Intune, you should look at performing the following:
- Disabling auto-run – This can be performed via Group Policy
- Blocking the execution of applications from %userprofile%\download folder
- Setup OneDrive to help backup files
- Ensuring antivirus is enabled and configured for scanning
- Enable account lockout, to lock after 5 incorrect attempts – This can be performed via Group Policy