Most environments I walk into already have Microsoft Intune deployed—but very few are actually secure.
Devices are enrolled, policies exist, but critical controls like BitLocker, firewall enforcement, and local admin restrictions are either inconsistently applied or missing entirely. Even worse, IT teams often assume compliance policies alone equal security—they don’t.
The real issue is this: baseline security controls are either misconfigured, unenforced, or bypassed entirely.
Without:
- Disk encryption (BitLocker)
- Host-based firewall enforcement
- Removal of persistent local admin access
…your endpoints are wide open to data theft, lateral movement, and ransomware.
In this article, I’ll walk through:
- How to build a real Intune compliance baseline (not just tick-box policies)
- How to enforce BitLocker and firewall properly
- How to remove persistent local admin access without breaking support
- Practical lessons from real-world deployments
Quick Fix Summary
If you need a fast security uplift:
- ✅ Enforce BitLocker encryption with recovery keys backed up to Entra ID
- ✅ Enable and lock down Windows Defender Firewall across all profiles
- ✅ Remove persistent local admin rights using Intune policies
- ✅ Use compliance policies to block non-compliant devices from access
- ✅ Validate everything with reporting and device checks
Why Intune Baselines Often Fail
The Reality (From Experience)
Common issues I see:
- BitLocker enabled manually, not enforced
- Firewall disabled for “troubleshooting” and never re-enabled
- IT staff granted permanent local admin access
- Compliance policies configured but not tied to Conditional Access
Result:
- Devices appear compliant—but aren’t secure
Core Components of an Intune Security Baseline
| Control | Why It Matters |
|---|---|
| BitLocker | Protects data at rest |
| Firewall | Prevents unauthorized network access |
| Local Admin Control | Stops privilege escalation |
| Compliance Policies | Enforces minimum security standards |
| Conditional Access | Blocks risky devices |
Step-by-Step: Enforce BitLocker with Intune
Step 1: Create BitLocker Policy
Go to:
Intune Admin Center → Endpoint Security → Disk Encryption
Create policy:
- Platform: Windows 10/11
- Profile: BitLocker
Step 2: Configure Key Settings
| Setting | Recommended |
|---|---|
| Require Encryption | Yes |
| Encryption Method | XTS-AES 256 |
| Recovery Key Backup | Entra ID |
| TPM | Required |
Step 3: Assign Policy
- Target: All corporate devices (or a pilot group first)
Step 4: Verify Encryption
On endpoint:
manage-bde -status
Or:
Get-BitLockerVolume
Real-World Tip
I’ve seen devices report “encrypted” but only partially. Always verify:
- Protection status = On
- Percentage encrypted = 100%
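The checks in this tip, written out as an added PowerShell detection script (not from the original article) that can be used as an Intune remediation "detection" script: it exits 0 only when the OS drive is fully encrypted, protected, using the XTS-AES 256 method from Step 2, and carries both a TPM and a recovery-password protector.

```powershell
# Added example: verify the BitLocker state of the OS drive the way the tip above
# describes, instead of trusting a bare "encrypted" report.
$osDrive = $env:SystemDrive
$vol     = Get-BitLockerVolume -MountPoint $osDrive

$problems = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted') { $problems += "VolumeStatus is $($vol.VolumeStatus)" }
if ($vol.EncryptionPercentage -ne 100)      { $problems += "only $($vol.EncryptionPercentage)% encrypted" }
# ProtectionStatus 'Off' with a fully encrypted volume means the protectors are
# suspended: the data is encrypted but the key is exposed at boot.
if ($vol.ProtectionStatus -ne 'On')         { $problems += "ProtectionStatus is $($vol.ProtectionStatus) (protectors suspended)" }
if ($vol.EncryptionMethod -ne 'XtsAes256')  { $problems += "EncryptionMethod is $($vol.EncryptionMethod), policy expects XtsAes256" }

# Key protectors: TPM unlocks the drive at boot; the recovery password is what
# gets escrowed to Entra ID. Without it there is nothing to back up.
$types = @($vol.KeyProtector.KeyProtectorType)
if ($types -notcontains 'Tpm')              { $problems += 'no TPM key protector' }
if ($types -notcontains 'RecoveryPassword') { $problems += 'no recovery password protector (nothing to escrow to Entra ID)' }

if ($problems.Count -eq 0) {
    Write-Output "$osDrive compliant: $($vol.EncryptionMethod), $($vol.EncryptionPercentage)%, protection $($vol.ProtectionStatus)"
    exit 0
}
Write-Output "$osDrive NOT compliant: $($problems -join '; ')"
exit 1
```

A matching remediation script can add the missing protector with Add-BitLockerKeyProtector and escrow it with BackupToAAD-BitLockerKeyProtector, which is the same operation the Intune policy performs when recovery key backup is set to Entra ID.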
Step-by-Step: Enforce Windows Defender Firewall
Step 1: Create Firewall Policy
Navigate:
Endpoint Security → Firewall → Create Policy
Step 2: Configure Profiles
Enable:
- Domain Profile: On
- Private Profile: On
- Public Profile: On
Step 3: Lock Down Settings
- Block inbound connections by default
- Allow outbound connections
- Disable user ability to turn off firewall
Step 4: Validate
On device:
Get-NetFirewallProfile
Expected (for all three profiles):
Enabled : True
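An added validation script (not from the original article) that checks every profile against the Step 3 lock-down rather than eyeballing the output, and also confirms the firewall service is running. It doubles as the check for the "Firewall Disabled After Policy" troubleshooting case later in the article, since it reads the effective (ActiveStore) settings that a local override or script would have changed.

```powershell
# Added example: compare each Windows Defender Firewall profile with the
# expected baseline from the policy above and report any drift.
$expected = @{
    Enabled               = 'True'    # profile on
    DefaultInboundAction  = 'Block'   # block inbound by default
    DefaultOutboundAction = 'Allow'   # allow outbound
}

$failures = @()

# The Windows Defender Firewall service (mpssvc) must be running for any
# profile setting to matter at all.
$svc = Get-Service -Name mpssvc
if ($svc.Status -ne 'Running') {
    $failures += "Service mpssvc is $($svc.Status)"
}

# ActiveStore is the effective configuration after policy and local changes
# are merged, which is what an attacker or a stray script would have altered.
foreach ($profile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    foreach ($setting in $expected.Keys) {
        $actual = "$($profile.$setting)"
        if ($actual -ne $expected[$setting]) {
            $failures += "$($profile.Name) profile: $setting is '$actual', expected '$($expected[$setting])'"
        }
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output $_ }
    exit 1
}
Write-Output 'Domain, Private and Public profiles all enforced; mpssvc running'
exit 0
```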
Step-by-Step: Remove Persistent Local Admin Access
Step 1: Audit Current State
Get-LocalGroupMember -Group "Administrators"
Step 2: Create Local Group Membership Policy
Go to:
Endpoint Security → Account Protection
Configure:
- Administrators group = approved accounts only
Step 3: Remove All Non-Essential Accounts
Keep:
- Built-in Administrator (managed via LAPS)
- Emergency break-glass account
Step 4: Enforce with Intune
- Assign policy to all devices
- Monitor conflicts with GPO if hybrid
Step 5: Validate
net localgroup administrators
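An added audit script (not from the original article) for Steps 1 and 5: it lists every member of the local Administrators group, marks which ones match the approved set described in Step 3, and flags the rest. The built-in Administrator is matched by its well-known RID 500 rather than by name, so a renamed account is still recognised; the break-glass account name is a placeholder for this environment's own.

```powershell
# Added example: audit local Administrators against the approved list
# (LAPS-managed built-in admin plus one break-glass account).
$breakGlassName = "$env:COMPUTERNAME\BreakGlass"   # placeholder, use your own account name

function Test-ApprovedAdmin {
    param($Member)
    # Built-in Administrator always has RID 500 in the machine's local domain,
    # regardless of what it has been renamed to.
    if ($Member.SID.Value -like 'S-1-5-21-*-500') { return $true }
    if ($Member.Name -eq $breakGlassName)           { return $true }
    return $false
}

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass        # User or Group
        PrincipalSource = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        SID             = $m.SID.Value
        Approved        = Test-ApprovedAdmin -Member $m
    }
}

$report | Format-Table -AutoSize | Out-String | Write-Output

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Output "$($unexpected.Count) unapproved member(s) of Administrators: $($unexpected.Name -join ', ')"
    exit 1
}
Write-Output 'Administrators group contains only approved accounts'
exit 0
```

On Entra-joined devices, members added through the join or through the account protection policy appear with an AzureAD principal source, which is what you would expect to see for any approved cloud identity; a SID with no resolvable name usually points to a stale or conflicting membership policy.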
Step-by-Step: Configure Compliance Policies
Step 1: Create Compliance Policy
Devices → Compliance Policies → Create Policy
Step 2: Configure Requirements
- BitLocker: Required
- Firewall: Required
- Secure Boot: Recommended
- Minimum OS version
Step 3: Integrate with Conditional Access
Block:
- Non-compliant devices from accessing:
  - Exchange Online
  - SharePoint
  - Teams
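The Step 2 requirements expressed as a compliance policy created through Microsoft Graph instead of the portal, as an added example (not from the original article) that makes the baseline reproducible across tenants. It assumes the Microsoft.Graph PowerShell SDK is installed, sets Secure Boot to required (remove that line if you keep it as recommended only), and uses a placeholder minimum OS build; the property names are those of the Graph windows10CompliancePolicy resource.

```powershell
# Added example: create the Windows compliance policy from Step 2 via Graph.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'Baseline - Windows 11 Endpoint'
    description            = 'BitLocker, firewall, Secure Boot and minimum OS build'
    bitLockerEnabled       = $true             # Device Health: require BitLocker
    activeFirewallRequired = $true             # System Security: require active firewall
    secureBootEnabled      = $true             # Device Health: require Secure Boot
    osMinimumVersion       = '10.0.22631.0'    # placeholder: lowest build you still support
    # Actions for noncompliance: mark the device non-compliant immediately
    # (grace period 0) so Conditional Access in Step 3 can block it.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType 'application/json'

Write-Output "Created compliance policy '$($created.displayName)' with id $($created.id)"
```

The policy still needs an assignment to the pilot or all-devices group before it takes effect; a zero-hour grace period is deliberate here so that a device failing any check is blocked by Conditional Access on its next sign-in rather than after a delay.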
Real-World Deployment Strategy
Phase 1 – Audit
- Identify devices without BitLocker
- Find users with admin rights
Phase 2 – Pilot
- Deploy policies to IT group first
- Validate impact
Phase 3 – Rollout
- Gradually expand to all users
- Monitor compliance reports
Phase 4 – Enforcement
- Enable Conditional Access restrictions
- Remove exceptions
Additional Tips / Pro Tips
✅ Pro Tip: Use Windows LAPS with Intune
- Rotate local admin passwords automatically
- Store securely in Entra ID
⚠️ Warning: Hybrid Environments Can Conflict
- GPO vs Intune policies can override each other
- Use policy precedence carefully
✅ Pro Tip: Monitor Compliance Drift
- Devices fall out of compliance over time
- Set alerts and reporting
⚠️ Warning: Don’t Ignore User Experience
- Firewall misconfig = app failures
- Test business-critical apps
✅ Pro Tip: Combine with Endpoint Detection & Response
- Defender for Endpoint enhances visibility
Troubleshooting Common Issues
BitLocker Not Enabling
Check:
Get-BitLockerVolume
Common causes:
- TPM not ready
- Policy conflict
- Device not Entra ID (formerly Azure AD) joined
Firewall Disabled After Policy
Check:
Get-NetFirewallProfile
Possible issue:
- Local override or script disabling firewall
Users Still Have Admin Rights
Check:
- Conflicting GPO
- Incorrect group membership policy
Device Showing Non-Compliant
Check:
- Sync status:
dsregcmd /status
FAQ Section
1. Does Intune enforce BitLocker automatically?
Only if configured via policy. Manual encryption is not sufficient for compliance.
2. Can users disable the firewall?
Not if policies are properly configured to prevent user changes.
3. How do I remove local admin rights safely?
Use phased rollout and provide elevation tools to avoid breaking workflows.
4. What happens if a device is non-compliant?
Conditional Access can block access to corporate resources.
5. Is BitLocker enough to protect data?
No. It protects data at rest, but not against credential theft or active attacks.
Conclusion / Actionable Takeaways
A proper Intune baseline isn’t about ticking boxes—it’s about enforcing real controls that reduce risk.
Next Steps
- Deploy BitLocker enforcement across all devices
- Enable and lock down firewall policies
- Remove persistent local admin access
- Implement compliance policies tied to Conditional Access
- Continuously monitor and refine
From experience, the biggest gains come from consistency. Even basic controls, when properly enforced, dramatically reduce your attack surface.
Last Updated
April 2026 – Reflects latest Microsoft Intune, Windows 11, and Microsoft 365 security baseline capabilities.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
