Microsoft Intune for Cyber Essentials Plus, the Per-Control Policy Mapping
Net Sec Group is an IASME and NCSC certification body. Across our 800-plus engagement history, Microsoft Intune (now Microsoft Endpoint Manager / Intune) is the dominant device-management platform UK SMEs deploy on Microsoft 365 estates, which makes Intune Cyber Essentials Plus configuration the engineering question we field at the highest volume. This article is the per-control mapping: each Cyber Essentials Plus control mapped onto the Intune policy set the assessor accepts as evidence, the export format for that policy, and the three Intune-specific evidence rejects we see at audit.
For the Windows endpoint hardening reference this article draws on throughout, see Windows 11 hardening for CE Plus. For the macOS equivalent, see macOS Cyber Essentials Plus checklist (Intune for Mac is supported and follows the same evidence pattern). For the broader CE Plus reference, see the CE Plus Assessment Guide on netsecgroup.io.
The 5-row CE-control-to-Intune-policy table
Each row names the CE Plus control, the Intune policy type that evidences it, the specific settings the assessor expects, and the policy export format.
| Control | Intune policy type | Settings the assessor expects | Policy export format |
|---|---|---|---|
| Boundary Firewalls and Internet Gateways | Endpoint Security > Firewall policy (Windows) and Configuration profile > Network firewall (macOS) | Default-deny on inbound for Domain, Private, Public profiles (Windows); Application Firewall on with documented exception list (macOS); policy assigned to "All devices" or to the specific in-scope device collection | Intune Admin Centre > Endpoint Security > Firewall > Policy > "Per-setting status" report; CSV export of policy assignment |
| Secure Configuration | Configuration profile (Settings catalog or Templates), Microsoft Security Baseline | Microsoft Security Baseline for Windows (current version, e.g. 24H2 or 23H2) applied; macOS Security Configuration profile applied; Smart App Control on (Windows 11 24H2 fresh installs) or AppLocker policy delivered via Settings catalog | Configuration profile JSON or XML export; Security Baseline assignment report; per-device compliance status report |
| User Access Control | Compliance policy + Conditional Access | Compliance policy requires BitLocker on, FileVault on (macOS), passcode/password requirements meeting IASME minimum, OS version compliant; Conditional Access policy gates access to in-scope cloud apps on device-compliance status; MFA enforcement on every admin sign-in | Compliance policy export; Conditional Access policy export; per-device compliance report; FileVault / BitLocker recovery key escrow report |
| Malware Protection | Endpoint Security > Antivirus + Endpoint Security > Attack Surface Reduction | Microsoft Defender Antivirus on with cloud-delivered protection on, automatic sample submission on, Tamper Protection enabled (Windows); ASR rules in block mode (Microsoft Security Baseline default set); Defender for Endpoint console reporting healthy per device | Antivirus policy export; ASR policy export; Defender for Endpoint device-health report; per-device Defender state via Get-MpComputerStatus |
| Security Update Management | Windows Update for Business policy (Update rings, Feature Update profile, Quality Update profile) | Quality Update deferral within IASME 14-day window for critical and high severity; Feature Update channel on supported version; macOS Software Update policy delivering security updates within 14 days | Update ring policy export; Feature Update policy export; Intune compliance report showing "Update compliant" per device; Windows Update for Business reports workspace export |
Per-control engineering detail and assessor accept/reject
Boundary Firewalls
Accept: Intune Endpoint Security Firewall policy with all three Windows profiles (Domain, Private, Public) configured to default-deny inbound, default-allow outbound (with exception list), and the policy assigned to a device group containing every in-scope device. The Intune compliance report shows 100% policy applied. macOS application firewall on via Configuration profile, with documented exception list and assignment.
Reject: a Firewall policy created in Intune but not assigned to any group; a policy assigned to a "Pilot" group that contains 5 devices when the in-scope estate is 50; a policy applied to Windows but with macOS devices in scope unassigned; an exception list with overly broad inbound rules ("RDP from any source") that the firm cannot justify.
Secure Configuration
Accept: Microsoft Security Baseline (current version, e.g. Windows 11 24H2 baseline) deployed via Intune with the standard exceptions documented; configuration profiles for additional hardening (BitLocker, password policies, browser hardening) layered on top; macOS Configuration profile referencing the documented standard build. The Intune Admin Centre shows policy assignment and compliance per device.
Reject: a "draft" Security Baseline that has been imported into Intune but not assigned; a Security Baseline assigned to one user group while the in-scope device population is identified by device group (no overlap); Configuration profile conflicts with the Security Baseline (overlapping settings with different values, producing unpredictable per-device behaviour); macOS Configuration profile created but not deployed because the macOS devices are out of MDM enrolment.
User Access Control
Accept: Compliance policy enforcing BitLocker on, OS version current, passcode requirements; Conditional Access policy "Require compliant device for all cloud apps in scope"; Conditional Access "Require MFA for all administrators" with admin role assignments evaluated. BitLocker recovery keys escrowed to Entra ID via Intune compliance.
Reject: a Compliance policy created but not assigned to a device group; Conditional Access in "Report-only" state instead of "On"; admin Conditional Access scoping omitting break-glass accounts (the assessor reads break-glass without MFA as a control gap); BitLocker enforced via Compliance but recovery key escrow is to a third-party vault that Intune cannot read on demand.
For the local-admin-restriction detail, see the Remediation Guide: Local Admin Restrictions on netsecgroup.io.
Malware Protection
Accept: Endpoint Security Antivirus policy enforcing Defender on, Tamper Protection on, cloud-delivered protection on, automatic sample submission on; Endpoint Security ASR policy with rules in block mode (Microsoft Security Baseline default set or custom set with documented justification). Defender for Endpoint console shows every in-scope device reporting healthy with current definitions.
Reject: ASR rules in audit mode without a documented plan to move to block mode; Tamper Protection off because "the firm's third-party AV needs to manage Defender" without the third-party AV configured properly; Defender for Endpoint console shows orphan devices (enrolled in Intune but not reporting to Defender) and the assessor flags the gap.
Security Update Management
Accept: Windows Update for Business Update Ring policy with quality update deferral inside the IASME 14-day window (typically 0 to 7 days for the production ring); Feature Update profile on a supported channel (24H2 General Availability or 23H2 LTS where applicable); macOS Software Update policy delivering security updates within 14 days. Intune compliance report shows >95% of in-scope devices "Update compliant".
Reject: an Update Ring policy with quality update deferral set to 30 days "for stability"; Feature Update profile pointed at a Feature Update version Microsoft has stopped supporting; Windows 10 still in scope without a documented Feature Update plan to Windows 11; macOS devices on macOS 12 Monterey (no longer receiving security updates).
For the patching window mechanics, see the Cyber Essentials 14-day Patching Guide on netsecgroup.io.
The three Intune-specific evidence rejects at audit
Across our engagement history, three patterns recur as Intune-specific failures.
Reject 1, deployment scope set to a pilot group
The applicant has built a complete Intune policy set covering every CE Plus control, but the assignment is to a "Pilot" device group containing 5 to 10 devices when the in-scope estate is 50 to 200. The assessor reads the policy as well-designed but un-deployed at scale. Fix: change the assignment from the Pilot group to the production device group covering every in-scope device, validate via the per-device compliance report, then re-evidence.
Reject 2, compliance policy created but not assigned
The applicant has a Compliance policy with the right settings (BitLocker on, OS version current, passcode requirements) but the assignment field is empty or assigned to a group that does not include in-scope devices. The assessor reads the policy and the missing assignment together as a partial deployment. Fix: assign the policy to the in-scope device group, wait for the next compliance evaluation cycle (typically 8 hours), then regenerate the compliance report.
Reject 3, configuration profile in conflict with security baseline
The applicant deploys both the Microsoft Security Baseline and additional Configuration profiles, but the two have overlapping settings with different values. Intune resolves the conflict unpredictably per device; the per-device compliance report shows mixed states. The assessor flags the inconsistency and queries which policy is authoritative. Fix: identify the conflicting settings via the Per-setting compliance report, decide per setting which policy should own it (typically the Security Baseline owns OS-level hardening and the additional Configuration profiles own firm-specific settings layered on top), then remove the conflict.
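Rejects 1 and 2 above (pilot-scoped and unassigned Compliance policies), together with the Report-only Conditional Access pattern described later in this article, can be caught before the assessor does with a read-only Microsoft Graph query. The script below is an added example, not Net Sec Group's own tooling or a Microsoft script; it assumes the Microsoft.Graph PowerShell SDK is installed, that the in-scope estate size is passed as `$InScopeDeviceCount`, and that the 90% coverage threshold is a reasonable proxy for "assigned to the production group".

```powershell
# Added example: audit Intune Compliance policy assignments and Conditional Access state
# for the pilot-scope, unassigned and report-only patterns. Read-only Graph scopes only.
# $InScopeDeviceCount and the 0.9 coverage threshold are this script's assumptions.
param([int]$InScopeDeviceCount = 50)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'Group.Read.All', 'Policy.Read.All' -NoWelcome
$findings = @()

foreach ($policy in Get-MgDeviceManagementDeviceCompliancePolicy -All) {
    $assignments = Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $policy.Id -All
    if (-not $assignments) {
        # Reject 2: the policy exists but reaches no device at all
        $findings += "UNASSIGNED: '$($policy.DisplayName)'"
        continue
    }
    foreach ($a in $assignments) {
        $type = $a.Target.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.allDevicesAssignmentTarget'       { $findings += "OK: '$($policy.DisplayName)' -> All devices" }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { $findings += "OK: '$($policy.DisplayName)' -> All users" }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { }   # exclusions do not add coverage
            '#microsoft.graph.groupAssignmentTarget' {
                $groupId = $a.Target.AdditionalProperties['groupId']
                $group   = Get-MgGroup -GroupId $groupId
                # Transitive membership so nested device groups are not under-counted.
                # Members of any object type are counted; compare against device count for device groups only.
                $members = @(Get-MgGroupTransitiveMember -GroupId $groupId -All).Count
                if ($members -lt ($InScopeDeviceCount * 0.9)) {
                    # Reject 1: the assignment reaches a pilot-sized group, not the estate
                    $findings += "PILOT-SCOPE: '$($policy.DisplayName)' -> '$($group.DisplayName)' ($members of $InScopeDeviceCount)"
                } else {
                    $findings += "OK: '$($policy.DisplayName)' -> '$($group.DisplayName)' ($members members)"
                }
            }
            default { $findings += "REVIEW: '$($policy.DisplayName)' -> $type" }
        }
    }
}

# A Conditional Access policy whose state is not 'enabled' (e.g. 'enabledForReportingButNotEnforced') is not enforcement
foreach ($ca in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($ca.State -ne 'enabled') {
        $findings += "CA-NOT-ENFORCING: '$($ca.DisplayName)' state=$($ca.State)"
    }
}

$findings | Sort-Object | ForEach-Object { Write-Output $_ }
```

Any UNASSIGNED, PILOT-SCOPE or CA-NOT-ENFORCING line is a finding to fix and re-evidence before the assessment day; the OK lines still need the per-device compliance report alongside them as proof the policy took effect.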
Practitioner observations from 800-plus engagements
Three observations decide Intune CE Plus pass rate in practice.
1. The Per-setting compliance report is the assessor's preferred Intune evidence, because it shows per device whether each setting in the policy applied successfully. Engineers who only export the policy-definition JSON without the Per-setting compliance report leave the assessor reading a policy without proof it took effect on the fleet. Pull both: the policy export plus the compliance report.
2. Conditional Access in Report-only mode is not enforcement. Several Intune-managed estates we have assessed had a perfectly designed Conditional Access policy in Report-only mode that the engineering team intended to switch on "after testing". The assessor reads the policy as not enforcing; CE Plus User Access Control fails. Switch to "On" before the assessment day, validate via sign-in logs.
3. Defender for Endpoint and Intune have to talk to each other. The Microsoft Defender for Endpoint console reads device health from Intune-managed devices, but only when the Intune-Defender connector is configured and the devices are onboarded to Defender for Endpoint. We see estates where Intune deploys Defender Antivirus settings but the devices are not onboarded to Defender for Endpoint, so the central console shows zero devices and the assessor sees no malware-protection evidence. Configure the connector before the engagement.
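The per-device side of the Boundary Firewalls and Malware Protection accept criteria above, plus the Defender for Endpoint onboarding gap in observation 3, can be read directly from the endpoint. The script below is an added example, not Net Sec Group's evidence tooling or a Microsoft script; it assumes an elevated PowerShell session on a Windows 10/11 device and treats 14 days as the signature-age limit.

```powershell
# Added example: per-device state that an assessor cross-checks against the Intune policy export.
# Run elevated on the endpoint. The 14-day signature threshold is this script's assumption.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
$fw   = Get-NetFirewallProfile

# Defender for Endpoint onboarding: the Sense service runs and the documented status value is set
$senseRunning  = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -eq 'Running'
$onboardingKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded     = (Get-ItemProperty -Path $onboardingKey -ErrorAction SilentlyContinue).OnboardingState -eq 1

$checks = [ordered]@{
    # Boundary Firewalls: every profile on, inbound default action explicitly Block
    # (an Intune Firewall policy sets Block explicitly; NotConfigured is reported as a fail here)
    'Firewall enabled on Domain/Private/Public'        = @($fw | Where-Object { -not $_.Enabled }).Count -eq 0
    'Inbound default action is Block on every profile' = @($fw | Where-Object { $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
    # Malware Protection: Defender running with the accept-criteria settings
    'Defender antivirus enabled'                       = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    'Tamper Protection on'                             = [bool]$mp.IsTamperProtected
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced cloud-delivered protection
    'Cloud-delivered protection on'                    = $pref.MAPSReporting -ge 1
    # SubmitSamplesConsent: 1 = send safe samples automatically, 3 = send all samples automatically
    'Automatic sample submission on'                   = $pref.SubmitSamplesConsent -in @(1, 3)
    'Signatures updated within 14 days'                = $mp.AntivirusSignatureAge -le 14
    # Observation 3: the device appears in the Defender for Endpoint console only when onboarded
    'Defender for Endpoint onboarded'                  = [bool]($senseRunning -and $onboarded)
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize
```

A Pass = False row on a device the Intune compliance report marks as compliant is exactly the policy-without-effect gap the Per-setting report is meant to expose, so run it on a sample of in-scope devices rather than relying on the console alone.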
Common questions
Does Intune for Education or Intune Plan 1 vs Plan 2 affect CE Plus evidence?
Intune Plan 1 (the default Microsoft 365 Business Premium / E3 inclusion) covers the policy types in the table above. Intune Plan 2 adds Endpoint Privilege Management and Advanced Endpoint Analytics; these are nice-to-have for CE Plus but not required. Intune for Education is functionally the same as Plan 1 for CE Plus purposes.
Can I use Intune to manage non-Microsoft devices for CE Plus?
Yes for macOS (full feature parity for CE Plus controls), iOS / iPadOS (limited; treat as BYOD), Android (limited; treat as BYOD), and Linux (limited; supplementary management typically required). For non-laptop platforms, see the BYOD Device Classification reference.
What about Group Policy estates that are migrating to Intune?
Hybrid Entra-AD-joined estates with co-management between GPO and Intune are acceptable for CE Plus. The evidence pack has to show which policy authority owns each control on each device; a setting managed by GPO on some devices and Intune on others is fine if documented. Estates fully on AD with no Intune are also acceptable; the evidence is GPO export plus per-device verification, which is more work than Intune.
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the Intune topology and connector state; the assessor confirms the engagement timeline.
Reference material
- Cyber Essentials Plus Assessment Guide
- Remediation Guide: Local Admin Restrictions
- Cyber Essentials Windows 365 Contractor Scope
- Cyber Essentials BYOD Device Classification
Where this fits on this site
This article is the Intune spoke under the platform-specific pillar. The other platform-specific spokes are Windows 11 hardening for CE Plus, macOS Cyber Essentials Plus checklist, and Google Workspace for CE Plus. For per-control foundation references, see Secure Configuration, User Access Control, and Patching and Updates on this site.