
Intune Tune-Up: 12 Quick Fixes for Stronger Security

Get your Intune setup in top shape with these high-impact adjustments and audit recommendations.
Written by Anne Maguire. Published on February 11, 2025.

Cleaning up your Intune environment doesn’t have to be a massive project - small tweaks can go a long way in improving security, compliance, and device management. Whether you’re dealing with lost BitLocker keys, outdated Windows devices, or devices that just aren’t checking in, these 12 best-practice settings will help you tighten up your setup.

For a disaster scenario, make sure BitLocker keys are escrowed

BitLocker recovery keys are the backup key used to unlock an encrypted hard drive when a failure scenario prevents it from unlocking automatically. Unmanaged devices may back up their key to a personal Microsoft account, or nowhere at all. For AD registered devices, BitLocker keys are not backed up automatically; confirm that this is the desired behavior, or evaluate rejoining those devices so they get the benefit of escrowed BitLocker keys.

Zip automatically escrows BitLocker keys, and they can be accessed directly in the platform. Upon revealing a BitLocker key, Zip generates a new one to ensure you maintain positive control over access to your data.

For users not working with Zip, BitLocker keys can be managed through the disk encryption policy in Intune. See this help article for more information.
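The escrow check itself, as an added example that is not from the article or from Zip: a PowerShell script in the style of an Intune remediation script that confirms the OS volume has a recovery-password protector and backs it up to Entra ID. It assumes the built-in BitLocker module, an Entra-joined device, and elevation; the event-log name and ID used for the final confirmation are assumed from the BitLocker management log.

```powershell
# Added example (not from the article): audit BitLocker recovery-key escrow on a
# Windows device and back any missing recovery passwords up to Entra ID.
# Assumes the BitLocker module that ships with Windows and an Entra-joined device.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

if ($osVolume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $($osVolume.MountPoint); nothing to escrow."
    exit 1   # non-zero = non-compliant when run as an Intune detection/remediation script
}

# The recovery password protector is the 48-digit key that gets escrowed; without
# one there is nothing for Intune/Entra to store for a disaster scenario.
$recoveryProtectors = $osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    Write-Output 'No recovery password protector found; adding one.'
    Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = (Get-BitLockerVolume -MountPoint $osVolume.MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Escrow every recovery password protector to Entra ID. Safe to re-run: an
# already-escrowed key is simply uploaded again.
foreach ($protector in $recoveryProtectors) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint `
            -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop
        Write-Output "Escrowed protector $($protector.KeyProtectorId) to Entra ID."
    } catch {
        Write-Error "Escrow failed for $($protector.KeyProtectorId): $_"
        exit 1
    }
}

# Assumption: event 845 in the BitLocker management log records a successful upload.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
exit 0
```

Deployed as a remediation script, the exit code lets Intune report which devices still have no escrowed key.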

For day-to-day ease of use, make sure devices are checking in with Intune

Some devices fail to register or stop checking in with Intune, and it is important to re-register any devices that have fallen off. By auditing enrollment regularly, you ensure that you maintain control of all your devices and can off-board or reuse devices as needed.

Zip’s real-time reporting dashboard shows you which devices are enrolled and checking in, as well as which are missing. These are tied directly to employee names through our integration with our clients’ identity providers, making it seamless to identify who is using each device in the fleet. For any devices not currently under management or checking in, Zip allows you to send enrollment instructions directly from within the Zip platform, helping you get to and stay at 100% enrollment.

Device details can be viewed directly in the Microsoft Intune admin center. We recommend creating and maintaining a device inventory map to ensure you can tie devices to employees, verify devices are checking in as expected, and make changes as needed.

Zip's 'Devices' Page shows the current status of devices in your fleet.
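A scripted version of the enrollment audit described above, as an added example that is not part of the article or of Zip's product: it uses the Microsoft Graph PowerShell SDK to list Windows devices that have not synced with Intune for a chosen number of days, and also flags personally owned and unencrypted devices (which the next section warns about), then writes the result to a CSV that can serve as the device inventory map. Assumes the Microsoft.Graph SDK is installed and an admin who can consent to the read-only scope.

```powershell
# Added example (not from the article): report Intune-managed Windows devices that
# are stale, personally owned, or unencrypted, so they can be re-enrolled or retired.
# Assumes the Microsoft.Graph PowerShell SDK and the read-only scope below.
param([int]$StaleDays = 30)

Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)

# -All pages through the whole tenant; the filter is evaluated server-side.
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'"

$report = foreach ($d in $devices) {
    $issues = @()
    if ($d.LastSyncDateTime -lt $cutoff) {
        $daysSince = [int]($now - $d.LastSyncDateTime).TotalDays
        $issues += "no check-in for $daysSince days"
    }
    if ($d.ManagedDeviceOwnerType -eq 'personal') { $issues += 'personally owned' }
    if (-not $d.IsEncrypted)                      { $issues += 'not encrypted' }

    if ($issues) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            User       = $d.UserPrincipalName
            OSVersion  = $d.OSVersion
            LastSync   = $d.LastSyncDateTime
            Compliance = $d.ComplianceState
            Issues     = $issues -join '; '
        }
    }
}

$report | Sort-Object LastSync | Format-Table -AutoSize

# Keep a dated copy as the device inventory map the section recommends maintaining.
$report | Export-Csv -Path ".\intune-device-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Disconnect-MgGraph | Out-Null
```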

For ensuring the security of your fleet…

Double check for Windows Home and personally registered devices

We often see during onboarding that there are a number of devices using Windows Home and personal Microsoft accounts in a fleet. This often happens unintentionally - it’s really easy to mistakenly purchase a computer with Windows Home rather than Windows Professional - but it is important to migrate them to Windows Professional to ensure Intune management functionality.

Zip users can see a list of device types in their fleet on the devices page, and can send emails with Home to Professional migration instructions directly in the platform (you can also view those instructions here). For employees using personal devices who should be on corporate devices, we recommend drafting and sharing device policies with employees to ensure proper compliance.

Non-Zip admins should also have their employees with Home devices migrate to Professional using the instructions above, and then enroll them in Intune to get full management functionality.

Ensure all accounts require passwords

It is important to ensure that all corporate devices require passwords to prevent unauthorized access.

Complex passwords can be enforced via the ‘Password Protection’ control in the Zip platform. For users working directly out of Intune, configure local settings to apply a password policy.

Enable firewalls and apply port management policies

Firewalls act as a first line of defense, blocking malicious inbound and outbound traffic. Restricting unnecessary ports shuts down an infiltration vector from malicious outsiders. Together, they reduce the attack surface and improve endpoint protection.

Zip auto-enforces firewall activation and a sensible port-access policy, ensuring that managed devices are appropriately shielded from public access. Other configurations that admins might consider are:

  • Block high-risk ports like 445 (SMB), 23 (Telnet), 21 (FTP), and 22 (SSH) if your business can manage it (FTP and SSH are often necessary for business purposes, so restricting that traffic may be difficult)
  • Add restrictions to inbound/outbound traffic (e.g. blocking insecure connections)
  • Use conditional access and network segmentation to control device access
  • Monitor firewall logs for anomalies using your EDR

See this Intune help article for more information about how to enable firewalls and apply port management policies.
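A local audit for the settings listed above, as an added example that is not from the article or from Zip: it checks that every Windows Firewall profile is enabled with a default-block inbound action, then reports any enabled inbound Allow rule that opens one of the four ports the list names. Assumes the built-in NetSecurity module; it reads the active policy store so rules delivered by Intune or Group Policy are included, and is read-only.

```powershell
# Added example (not from the article): report firewall profiles that are off or
# allow inbound by default, and inbound Allow rules covering the listed risky ports.
# Assumes the built-in NetSecurity module; run elevated for a complete view.
$riskyPorts = @{ 445 = 'SMB'; 23 = 'Telnet'; 21 = 'FTP'; 22 = 'SSH' }

# A rule's LocalPort can be 'Any', a single port, a range such as '1000-2000', or an array.
function Test-PortCovered {
    param([object]$Spec, [int]$Port)
    foreach ($entry in @($Spec)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
    }
    return $false
}

# 1. Domain, Private and Public profiles should all be on and block inbound by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
    }
}

# 2. ActiveStore is the effective rule set, including rules pushed by Intune/GPO.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow

$findings = foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -notin @('TCP', 'Any')) { continue }
    foreach ($port in $riskyPorts.Keys) {
        if (Test-PortCovered -Spec $filter.LocalPort -Port $port) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Port    = $port
                Service = $riskyPorts[$port]
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Port | Format-Table -AutoSize }
else           { Write-Output 'No enabled inbound Allow rules cover ports 21, 22, 23 or 445.' }
```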

Restrict personal OneDrive accounts

We’ve seen employees accidentally link personal OneDrive accounts, leading to automated syncing of sensitive corporate data. This is risky for a variety of reasons:

  • Data leakage: data exfiltration risks increase when private cloud storage is involved, especially if employees leave the company.
  • Compliance: many regulations like HIPAA, SOC 2, and ISO 27001 require businesses to control where sensitive data is stored. Personal OneDrive accounts lack enterprise-grade security policies, making compliance harder to enforce.

There are a few ways to restrict personal OneDrive accounts in Intune:

  • Use App protection policies to block access to personal OneDrive accounts in Microsoft apps
  • Configure conditional access to allow OneDrive login only with company-managed identities
  • Use Windows Information Protection (WIP) to prevent copying corporate files to unmanaged locations (note that Microsoft has deprecated WIP, so check current guidance before building new policy on it)
  • Block third-party cloud storage apps to limit exfiltration risks
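The Windows-side policy that backs the first two bullets, as an added example that is not from the article or from Zip: a detection/remediation-style script that enforces the two documented OneDrive sync client policies, "Prevent users from syncing personal OneDrive accounts" (DisablePersonalSync) and "Allow syncing OneDrive accounts for only specific organizations" (AllowTenantList), which Intune can also deliver through the settings catalog. The tenant ID is a placeholder to replace with your own; run elevated.

```powershell
# Added example (not from the article): enforce the OneDrive policies that block
# personal-account sync and restrict sync to your own tenant. Without -Remediate
# it only reports drift (exit 1) so it can double as an Intune detection script.
param([switch]$Remediate)

$tenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$allowKey  = Join-Path $policyKey 'AllowTenantList'

$drift   = @()
$current = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($current.DisablePersonalSync -ne 1) { $drift += 'DisablePersonalSync is not 1' }

# The allow-list policy stores one value per tenant: name and data are both the tenant GUID.
if (-not (Get-ItemProperty -Path $allowKey -Name $tenantId -ErrorAction SilentlyContinue)) {
    $drift += "AllowTenantList does not contain $tenantId"
}

if (-not $drift) {
    Write-Output 'Compliant: personal OneDrive sync is blocked and sync is limited to the tenant.'
    exit 0
}
if (-not $Remediate) {
    Write-Output "Non-compliant: $($drift -join '; ')"
    exit 1
}

# Remediation: write the keys and values exactly as the OneDrive ADMX policies do.
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'DisablePersonalSync' -PropertyType DWord -Value 1 -Force | Out-Null
New-Item -Path $allowKey -Force | Out-Null
New-ItemProperty -Path $allowKey -Name $tenantId -PropertyType String -Value $tenantId -Force | Out-Null
Write-Output 'Remediated: DisablePersonalSync=1 and tenant allow-list applied.'
exit 0
```

The policies take effect the next time the OneDrive sync client starts; a signed-in personal account is blocked from syncing rather than silently removed.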

Set up secure access to machines for IT administrators

Local admin accounts are often set up with a shared, non-complex password, making them a prime target for attackers. These accounts provide backdoor access for software installation, OS troubleshooting, and emergency logins, and if compromised, allow attackers to move laterally across the organization using Pass-the-Hash (PtH) techniques.

We recommend utilizing Microsoft’s Local Administrator Password Solution (LAPS) to fix this issue:

“Microsoft Local Administrator Password Solution (LAPS)… [sets] a complex password for the local administrator account that is unique for each domain-joined device. This local administrator account password set by Microsoft LAPS will automatically rotate according to password policy. The new passwords will be saved in Entra/Active Directory and authorized engineers can retrieve passwords from Entra/the Active Directory server when needed.”

This is a free tool from Microsoft, and instructions on how to set this up can be found here.

Restrict removable storage

Removable storage devices such as USB drives pose a significant security threat by enabling unauthorized data transfers and introducing an attack vector for malware.

Zip users can configure USB policies through CrowdStrike, configuring device access by category based on company policy.

For instructions on how to set these restrictions directly in Intune, see this help article.

For saving money, audit user licenses

Microsoft bills on a per-license basis, so it is important to regularly audit licenses and re-assign or delete them as necessary (e.g. when an employee leaves your organization).

Zip users can see what devices are currently registered with Intune in the “Device Enrollment” control in the Zip platform. Licenses can be managed directly in the Microsoft admin portal (note this link is gated - only a user with Microsoft admin rights for your organization can view).

It’s also important to ensure that your organization is purchasing the right licenses for your business’s needs. There are two main licenses and use cases we recommend:

  • Microsoft Business Premium: this includes licenses to download Microsoft Office apps (Excel, PowerPoint, Word) AND Intune.
  • Enterprise Security & Mobility: this is an Intune-only license that we recommend for employees that don’t need Microsoft Office apps. You do not need this license if you have Microsoft Business Premium licenses.

One license we often see our users confused by is the Microsoft Business Standard license. This includes access to web-based Microsoft Office apps (they can’t be downloaded) but does not include an Intune license. We recommend upgrading to Microsoft Business Premium in this case rather than purchasing the Enterprise Security & Mobility license plus the Microsoft Business Standard license.

Monitor license usage within 'Organization Settings' in the Zip Platform.
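The license audit described above, scripted with Microsoft Graph, as an added example that is not from the article or from Zip: it lists purchased versus assigned seats per SKU and then finds disabled (offboarded) accounts that still hold licenses, which is the usual place seats leak after an employee leaves. Assumes the Microsoft.Graph SDK and the two read-only scopes shown.

```powershell
# Added example (not from the article): show seat usage per SKU and list disabled
# accounts that still consume licenses. Assumes the Microsoft.Graph SDK; read-only.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome

# Map SKU IDs to their part numbers (e.g. SPB is Business Premium, EMS is
# Enterprise Mobility + Security) so the report is readable.
$skus    = Get-MgSubscribedSku
$skuName = @{}
foreach ($s in $skus) { $skuName[$s.SkuId] = $s.SkuPartNumber }

Write-Output 'Seat usage per SKU:'
$skus | Select-Object SkuPartNumber,
    @{ n = 'Purchased'; e = { $_.PrepaidUnits.Enabled } },
    @{ n = 'Assigned';  e = { $_.ConsumedUnits } },
    @{ n = 'Spare';     e = { $_.PrepaidUnits.Enabled - $_.ConsumedUnits } } |
    Format-Table -AutoSize

# AssignedLicenses is not returned by default, so it must be requested explicitly.
$reclaim = Get-MgUser -All -Filter 'accountEnabled eq false' `
        -Property Id, UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.UserPrincipalName
            Licenses = ($_.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] }) -join ', '
        }
    }

Write-Output "Disabled accounts still holding licenses: $(@($reclaim).Count)"
$reclaim | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```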

For using the latest tech, auto-enforce Windows updates

Operating system updates often contain security patches that protect against critical vulnerabilities, and it is important that your fleet stay up to date. By auto-enforcing Windows updates, you don’t have to actively monitor or chase after employees to stay up to date.

Zip allows you to auto-enforce updates in the “OS Version” control. Simply toggle “Auto Enforcement” to on in the Configuration tab, and set major and minor soak periods as well as reboot deadlines for post-installation (we recommend 14 days for major and minor, and 7 days for reboot).

Operating system updates can be managed through Intune policies using Update rings. See this help article for an overview.

For real-time threat protection, verify EDR is installed and functioning

Endpoint Detection and Response (EDR) continuously monitors and collects data from endpoints to detect, investigate, and respond to security threats in real time, and is a vital part of every business’s security arsenal. Intune can remotely deploy and enforce EDR installation on enrolled devices, making it a great partner for zero-touch deployment and management. It is important to regularly audit EDR agents to ensure they’re checking in and functioning, so that endpoints stay protected.

In the Zip console, “Endpoint Detection and Response” controls show you the status of CrowdStrike EDR across your fleet. You can respond directly to threats within the platform, and auto-enforce sensor updates, detection policies, and prevention policies.

Microsoft’s Intune help site offers many articles and how-to guides on threat defense. Access the articles here.
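A per-device health check for the EDR audit recommended above, as an added example that is not from the article, from Zip, or from CrowdStrike: an Intune detection-style script that confirms the Falcon sensor's service and kernel driver are present and running. The service name CSFalconService and driver name CSAgent are assumptions to verify against your sensor version.

```powershell
# Added example (not from the article): detection-style check that the CrowdStrike
# Falcon sensor is installed and running. Assumption: the Windows sensor's service
# is CSFalconService and its driver is CSAgent. Exit 1 lets Intune flag the device.
$problems = @()

$svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'CSFalconService is not installed'
} elseif ($svc.Status -ne 'Running') {
    $problems += "CSFalconService status is $($svc.Status)"
} elseif ($svc.StartType -ne 'Automatic') {
    $problems += "CSFalconService start type is $($svc.StartType)"
}

# Get-Service does not list kernel drivers, so query the driver through CIM.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CSAgent'"
if (-not $drv) {
    $problems += 'CSAgent driver is not present'
} elseif ($drv.State -ne 'Running') {
    $problems += "CSAgent driver state is $($drv.State)"
}

if ($problems) {
    Write-Output ('EDR unhealthy: ' + ($problems -join '; '))
    exit 1
}
Write-Output 'EDR healthy: Falcon sensor service and driver are running.'
exit 0
```

Pair this with the console-side view (sensors that have stopped reporting) since a running local service does not by itself prove the sensor is reaching the cloud.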

For help, reach out to Zip Security

Managing and securing your Intune environment can be complex, but you don’t have to do it alone. Zip Security streamlines device management, enforces best practices, and helps you close security gaps—without the manual work. Whether you need help with BitLocker key escrow, device compliance, or enforcing security policies at scale, our platform simplifies and automates the process.

If you're ready to take the guesswork out of Intune management, reach out to Zip Security today. Our team can help you assess your current setup, identify gaps, and implement best-in-class security controls to keep your organization safe and compliant.

Access real-time reporting across your fleet in the Zip platform.