
Endpoint Security Overview

Configure comprehensive endpoint protection policies in Microsoft Intune. Endpoint security provides a focused view of security settings for antivirus, disk encryption, firewall, endpoint detection, and attack surface reduction.

Security Policy Types

Antivirus

Microsoft Defender Antivirus settings: real-time protection, cloud protection, exclusions, and scan schedules.

Platforms: Windows, macOS

Disk Encryption

BitLocker (Windows) and FileVault (macOS) configuration. Recovery key management and encryption requirements.

Platforms: Windows, macOS

Firewall

Windows Defender Firewall profile settings and custom rules. Domain, Private, and Public network profiles.

Platforms: Windows

Endpoint Detection and Response

Microsoft Defender for Endpoint onboarding, sample submission, and telemetry configuration.

Platforms: Windows, macOS, Linux

Attack Surface Reduction

ASR rules, exploit protection, web protection, and controlled folder access to prevent common attack techniques.

Platforms: Windows

Account Protection

Windows Hello for Business, Credential Guard, and local administrator password management (LAPS).

Platforms: Windows

Antivirus Configuration

Real-Time Protection

  • Monitor file and program activity
  • Scan all downloaded files and attachments
  • Monitor behavior for suspicious activity
  • Enable on-access scanning

Cloud Protection

  • Cloud-delivered protection level: High
  • Extended cloud check timeout
  • Block at first sight
  • Submit samples consent: Send safe samples automatically

Exclusions

  • File extensions to exclude
  • Files and folders to exclude
  • Processes to exclude

Warning: Minimize exclusions — each one reduces protection coverage.

Disk Encryption

BitLocker (Windows)

  • Require device encryption
  • Encryption method: XTS-AES 256-bit
  • Startup authentication: TPM + PIN
  • Recovery key escrow to Azure AD
  • Encrypt used space only or full disk

FileVault (macOS)

  • Enable FileVault encryption
  • Number of times to defer enabling
  • Recovery key escrow to Intune
  • Personal recovery key rotation

Firewall Settings

Firewall Profiles

Configure settings per network type: Domain, Private, Public. The Public profile typically carries the strictest settings, since those networks are untrusted.

Default Actions

Block inbound connections by default. Allow outbound by default. Log blocked connections for troubleshooting.

Custom Rules

Define specific inbound/outbound rules by application, port, protocol, and remote address.

Attack Surface Reduction

ASR Rules

Block common attack behaviors:

  • Block credential stealing from LSASS
  • Block executable content from email
  • Block Office from creating child processes
  • Block untrusted USB processes
  • Use advanced ransomware protection

Controlled Folder Access

Protect important folders from ransomware and unauthorized apps. Only trusted applications can modify protected folders.

Exploit Protection

Apply exploit mitigation settings to the operating system and to individual applications. Includes DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and SEHOP (Structured Exception Handler Overwrite Protection).

Policy Deployment

  1. Create Policy — Select policy type and platform.
  2. Configure Settings — Set security options for the policy type.
  3. Assign to Groups — Target device or user groups.
  4. Monitor Deployment — Track policy application status on devices.

Security Reports

Antivirus Agent Status

View which devices have antivirus enabled, up-to-date definitions, and real-time protection active.

Detected Malware

List of malware detections with threat name, severity, and remediation status.

Encryption Status

Devices with BitLocker or FileVault enabled, encryption progress, and recovery key availability.

Firewall Status

Firewall enabled/disabled status per device and any policy conflicts.

Best Practices

  • Enable all protection features — Turn on real-time protection, cloud protection, and tamper protection.
  • Require disk encryption — BitLocker on Windows, FileVault on Mac. Escrow recovery keys.
  • Deploy ASR rules — Start in audit mode, then enable blocking for vetted rules.
  • Monitor policy conflicts — Avoid overlapping policies that could cause unexpected behavior.
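The audit-then-block rollout recommended above, applied to the five rules listed under ASR Rules, as an added PowerShell example that is not from this page or its API. It assumes local administrator rights on a Windows device running Microsoft Defender Antivirus; the rule GUIDs are Microsoft's published rule identifiers, and the parsing of the audit event message text is an assumption.

```powershell
# Added example (not from this page): stage the five ASR rules in AuditMode,
# review what they would have blocked, then promote only vetted rules to Block.
# Assumes local admin on a Windows device with Microsoft Defender Antivirus.
# When Intune manages ASR, the Intune policy overrides these local values;
# use this on a pilot device, or just the final loop to read effective state.

# Microsoft's published GUIDs for the rules named on this page.
$AsrRules = @{
    'Block credential stealing from LSASS'       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email'        = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Office from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block untrusted USB processes'              = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Use advanced ransomware protection'         = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

# Step 1: enable every rule in AuditMode so nothing is blocked during the pilot.
foreach ($Id in $AsrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: after the pilot period, pull audit events (ID 1122 = "would have
# blocked") and group them by rule so each rule can be vetted before enforcing.
# Assumption: the event message contains the rule GUID and a "Path: <file>" field.
$Audit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
} -ErrorAction SilentlyContinue
$Audit | ForEach-Object {
    [pscustomobject]@{
        RuleId = [regex]::Match($_.Message, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}').Value
        Path   = [regex]::Match($_.Message, 'Path:\s*(\S+)').Groups[1].Value
    }
} | Group-Object RuleId, Path | Sort-Object Count -Descending | Format-Table Count, Name

# Step 3: promote only vetted rules (no unexplained audit hits) to Block.
$Vetted = @($AsrRules['Block credential stealing from LSASS'])   # example subset
foreach ($Id in $Vetted) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions Block
}

# Verify the effective state; Intune-delivered values appear here as well,
# which is how a local/Intune policy conflict shows up on the device.
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $Pref.AttackSurfaceReductionRules_Ids[$i],
                    $Pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Run the first step on a pilot group only, and compare the audit output against known business workflows before moving a rule to Block.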

API Reference

  • GET /api/devices/endpoint-security/policies — List all endpoint security policies
  • GET /api/devices/endpoint-security/antivirus — Get antivirus status summary
  • GET /api/devices/endpoint-security/encryption — Get encryption status for devices
  • POST /api/devices/endpoint-security/policies — Create endpoint security policy
  • GET /api/devices/endpoint-security/detections — Get malware detection events