Using Microsoft 365 security features, small businesses can consistently apply and manage the security policies of all their Windows 10 PCs from a single location.
In a world where your entire business could be shut down and your data held for ransom from a single absent-minded click of a malicious link in an email, the security of every personal computer in your organization is of paramount importance. Large enterprises can employ an army of administrators and engineers to ensure the security of their networks and PCs, but small businesses often must fend for themselves.
To make life easier and safer for small businesses using Microsoft 365, there are several security features built into the administrative applications of that productivity suite. Unfortunately, many small businesses fail to take proper advantage of these security tools, either because they don’t know the tools exist or because they don’t understand how they work.
This how-to tutorial shows you how to activate the built-in security features of Microsoft 365 and apply those features to all Windows 10 PCs in your organization.
How to secure Windows 10 PCs with Microsoft 365
The first step in securing Windows 10 computers in your small business organization with Microsoft 365 is to log in to the admin portal with the proper credentials. We are going to assume that you have established your domain and set up your email server.
In the left-hand navigation bar, select Setup and scroll down the list in the right-hand windowpane until you find the Device section, as shown in Figure A.
Click the “Secure your Windows 10 computers” link to reach the configuration screen shown in Figure B. As you can see, completing this configuration will enroll all Windows 10 computers in Microsoft Intune, which is the company’s consolidated administrative tool for businesses using Microsoft 365 or Azure.
We are going to create a baseline security policy for all Windows 10 computers operating in our organization. Just like a large enterprise, small businesses can apply these policies consistently across all Windows 10 devices, saving them the time it would take to configure each PC individually.
It is important to scroll down the page and take note of how the policy will be applied.
Policies only apply when the following are true:
- “Users may join devices to Azure AD” is set to All or Some in Azure Active Directory
- “MDM user scope” is set to All or Some in Azure Active Directory
- Computers are running Windows 10 Pro, version 1703 or later
- Computers are not running any other virus protection or device management programs
- Computers are enrolled in Microsoft Intune (see User impact)
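The device-side conditions in this list can be checked on a PC from an elevated PowerShell prompt. The script below is an added example, not part of the original article or of Microsoft's tooling: the function name Get-BaselineReadiness is hypothetical, and the EditionID match and the "MS DM Server" ProviderID lookup are assumptions about how Pro editions and Intune enrollments appear in the registry. The two Azure Active Directory settings still have to be confirmed in the tenant.

```powershell
# Added example: report whether this PC meets the device-side conditions listed above.
$MinBuild = 15063   # Windows 10 version 1703 shipped as build 15063

function Get-BaselineReadiness {
    $os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Assumption: Pro variants report an EditionID that starts with "Professional".
    $isPro   = $os.EditionID -like 'Professional*'
    $buildOk = [int]$os.CurrentBuild -ge $MinBuild

    # dsregcmd prints "AzureAdJoined : YES" when the device is joined to Azure AD.
    $joined = (dsregcmd.exe /status | Out-String) -match 'AzureAdJoined\s*:\s*YES'

    # Security Center lists registered antivirus products. Anything that is not
    # Defender counts as "other virus protection"; entries can be stale after an uninstall.
    $otherAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.displayName -notmatch 'Defender' } |
                 Select-Object -ExpandProperty displayName)

    # Heuristic: each MDM enrollment leaves a key under Enrollments with a ProviderID;
    # Intune is assumed to appear as "MS DM Server". Other values are listed for review.
    $providers = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
                   Get-ItemProperty -ErrorAction SilentlyContinue |
                   Where-Object { $_.ProviderID } |
                   Select-Object -ExpandProperty ProviderID -Unique)
    $intune = $providers -contains 'MS DM Server'

    [pscustomobject]@{
        Edition               = $os.EditionID
        Build                 = $os.CurrentBuild
        IsWindows10Pro        = $isPro
        Is1703OrLater         = $buildOk
        AzureAdJoined         = $joined
        OtherAntivirus        = $otherAv -join ', '
        IntuneEnrolled        = $intune
        OtherMdmProviders     = ($providers | Where-Object { $_ -ne 'MS DM Server' }) -join ', '
        MeetsDeviceConditions = $isPro -and $buildOk -and ($otherAv.Count -eq 0) -and $intune
    }
}

Get-BaselineReadiness | Format-List
```

A PC that has not been enrolled yet will show IntuneEnrolled as False; the remaining fields show whether anything else would keep the baseline policy from applying once it is enrolled.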
Assuming we are going to meet all those stipulations, click the Get Started button to start the process.
The system will take a few seconds to work up the baseline policy and then ask you to click the Apply Settings button to confirm, as shown in Figure C. The default value for turning off an idle screen is too low for my tastes, but I left everything else at its default value.
Click Apply Settings when your choices are complete. You should get a message that the baseline policies have been applied. Click the X to close out the window.
To enroll a Windows 10 PC already in use in your organization, open the Settings on that PC and navigate to the Accounts section. Click on the “Access Work or School” item in the left-hand navigation bar to add the device, as shown in Figure D.