Set device protection settings for Windows 10 PCs

Secure Windows 10 devices


  1. Go to the admin center at

  2. On the left nav, choose Devices > Policies > Add.

  3. On the Add policy pane, enter a unique name for this policy.

  4. Under Policy type, choose Windows 10 Device Configuration.

  5. Expand Secure Windows 10 Devices, and then configure the settings the way you want. See Available settings for more information.

    You can always use the Reset default settings link to return to the default settings.


  6. Next, decide Who will get these settings? If you don't want to use the default All users security group, choose Change, search for the security group that will get these settings, and then choose Select.

  7. Finally, choose Done to save the policy, and assign it to devices.

Available settings

By default all settings are On. The following settings are available.

See How do protection features in Microsoft 365 Business map to Intune settings for more information.

Help protect PCs from viruses and other threats using Windows Defender Antivirus
Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet.
Help protect PCs from web-based threats in Microsoft Edge
Turns on settings in Edge that help protect users from malicious sites and downloads.
Use rules that reduce the attack surface of devices
When turned On, attack surface reduction helps block actions and apps typically used by malware to infect devices. This setting is only available if Windows Defender Antivirus is set to On. See Reduce attack surfaces to learn more.
Protect folders from threats such as ransomware
This setting uses controlled folder access to protect company data from modification by suspicious or malicious apps, such as ransomware. These types of apps are blocked from making changes in protected folders. This setting is only available if Windows Defender Antivirus is set to On. See Protect folders with Controlled folder access to learn more.
Prevent network access to potentially malicious content on the Internet
Use this setting to block outbound user connections to low-reputation Internet locations that may host phishing scams, exploits or other malicious content. This setting is only available if Windows Defender Antivirus is set to On. See Protect your network for more information.
Help protect files and folders on PCs from unauthorized access with BitLocker
BitLocker protects data by encrypting the computer's hard drives and protects against data exposure if a computer is lost or stolen. See BitLocker FAQ for more information.
Allow users to download apps from Microsoft Store
Lets users download and install apps from the Microsoft Store. Apps include everything from games to productivity tools, so we leave this setting On, but you can turn it off for extra security.
Allow users to access Cortana
Cortana can be very helpful! She can turn settings on or off for you, give directions, and make sure you're on time for appointments, so we keep this On by default.
Allow users to receive Windows tips and advertisements from Microsoft
Windows tips can be handy and help orient users when new features are released.
Keep Windows 10 devices up to date automatically
Makes sure that Windows 10 devices automatically receive the latest updates.
Turn off device screen when idle for this amount of time
Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off.
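
To confirm on a device that the Windows Defender and BitLocker settings described above have taken effect, you can read the local state with built-in PowerShell cmdlets. The following script is an added example, not part of the original page. It assumes an elevated PowerShell session on the Windows 10 PC and that the policy settings surface through Get-MpComputerStatus, Get-MpPreference and Get-BitLockerVolume.

```powershell
#Requires -RunAsAdministrator
# Added example: reads the local Windows Defender and BitLocker state so it can be
# compared with the policy settings listed above. It only reads; it changes nothing.
# Assumption: the policy settings surface through these built-in cmdlets.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Meaning of the numeric mode values returned by Get-MpPreference.
$modes = @{ 0 = 'Off'; 1 = 'On (block)'; 2 = 'Audit only' }
function Get-ModeName([int]$Value) {
    if ($modes.ContainsKey($Value)) { $modes[$Value] } else { "Other ($Value)" }
}

$avOn = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

# Count configured attack surface reduction rules, and those whose action is 1 (block).
# Where-Object drops the single $null that an unconfigured device returns.
$asrTotal    = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ }).Count
$asrBlocking = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

$report = [ordered]@{
    'Windows Defender Antivirus' = if ($avOn) { 'On' } else { 'Off' }
    'Attack surface reduction'   = "$asrBlocking of $asrTotal configured rules in block mode"
    'Controlled folder access'   = Get-ModeName $pref.EnableControlledFolderAccess
    'Network protection'         = Get-ModeName $pref.EnableNetworkProtection
    'BitLocker on system drive'  = "$($osVolume.ProtectionStatus), $($osVolume.EncryptionPercentage)% encrypted"
}
$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }

# The three Defender settings above are only available when Defender Antivirus is On,
# so flag a device where they are configured but the antivirus is not running.
$dependentConfigured = ($asrTotal -gt 0) -or
                       $pref.EnableControlledFolderAccess -or
                       $pref.EnableNetworkProtection
if (-not $avOn -and $dependentConfigured) {
    Write-Warning 'Defender Antivirus is Off, but settings that depend on it are configured.'
}
```

A value of "Audit only" means the feature logs events without blocking, so a device in that state does not match a policy setting of On.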