title

Configure Microsoft Intune for increased device security

description

Secure devices with Microsoft Intune to support your Zero Trust journey.

ms.topic

reference

ms.date

10/20/2025

ms.author

brenduns

author

brenduns

ms.reviewer

ramical

ms.collection

tier 1

M365-identity-device-management

Configure Microsoft Intune for Zero Trust: Secure devices (Preview)

Securing endpoints is a critical part of a Zero Trust strategy. These Intune recommendations help protect your network perimeter and devices through policy-driven controls that enforce encryption, restrict unauthorized access, and reduce vulnerability exposure. By applying configuration and security policies across platforms, these checks align with Microsoft’s Secure Future Initiative and strengthen your organization’s overall security posture.

Zero Trust security recommendations

Local administrator credentials on Windows are protected by Windows LAPS

[!INCLUDE 24560]

Local administrator credentials on macOS are protected during enrollment by macOS LAPS

[!INCLUDE 24561]

Local account usage on Windows is restricted to reduce unauthorized access

[!INCLUDE 24564]

Data on Windows is protected by BitLocker encryption

[!INCLUDE 24550]

FileVault encryption protects data on macOS devices

[!INCLUDE 24569]

Authentication on Windows uses Windows Hello for Business

[!INCLUDE 24551]

Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components

[!INCLUDE 24574]

Defender Antivirus policies protect Windows devices from malware

[!INCLUDE 24575]

Defender Antivirus policies protect macOS devices from malware

[!INCLUDE 24784]

Windows Firewall policies protect against unauthorized network access

[!INCLUDE 24540]

macOS Firewall policies protect against unauthorized network access

[!INCLUDE 24552]

Windows Update policies are enforced to reduce risk from unpatched vulnerabilities

[!INCLUDE 24553]

Security baselines are applied to Windows devices to strengthen security posture

[!INCLUDE 24573]

Update policies for macOS are enforced to reduce risk from unpatched vulnerabilities

[!INCLUDE 24690]

Update policies for iOS/iPadOS are enforced to reduce risk from unpatched vulnerabilities

[!INCLUDE 24554]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configure Microsoft Intune for Zero Trust: Secure devices (Preview)

Zero Trust security recommendations

Local administrator credentials on Windows are protected by Windows LAPS

Local administrator credentials on macOS are protected during enrollment by macOS LAPS

Local account usage on Windows is restricted to reduce unauthorized access

Data on Windows is protected by BitLocker encryption

FileVault encryption protects data on macOS devices

Authentication on Windows uses Windows Hello for Business

Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components

Defender Antivirus policies protect Windows devices from malware

Defender Antivirus policies protect macOS devices from malware

Windows Firewall policies protect against unauthorized network access

macOS Firewall policies protect against unauthorized network access

Windows Update policies are enforced to reduce risk from unpatched vulnerabilities

Security baselines are applied to Windows devices to strengthen security posture

Update policies for macOS are enforced to reduce risk from unpatched vulnerabilities

Update policies for iOS/iPadOS are enforced to reduce risk from unpatched vulnerabilities

Related content

FilesExpand file tree

ref-zero-trust-devices.md

Latest commit

History

ref-zero-trust-devices.md

File metadata and controls

Configure Microsoft Intune for Zero Trust: Secure devices (Preview)

Zero Trust security recommendations

Local administrator credentials on Windows are protected by Windows LAPS

Local administrator credentials on macOS are protected during enrollment by macOS LAPS

Local account usage on Windows is restricted to reduce unauthorized access

Data on Windows is protected by BitLocker encryption

FileVault encryption protects data on macOS devices

Authentication on Windows uses Windows Hello for Business

Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components

Defender Antivirus policies protect Windows devices from malware

Defender Antivirus policies protect macOS devices from malware

Windows Firewall policies protect against unauthorized network access

macOS Firewall policies protect against unauthorized network access

Windows Update policies are enforced to reduce risk from unpatched vulnerabilities

Security baselines are applied to Windows devices to strengthen security posture

Update policies for macOS are enforced to reduce risk from unpatched vulnerabilities

Update policies for iOS/iPadOS are enforced to reduce risk from unpatched vulnerabilities

Related content