HomeBuild items › Endpoint protection encryption
Build items · Secure

Endpoint protection & encryption

Intune's Endpoint Security node is where half-finished tenants hurt most: protection that exists on paper but does not hold under pressure. This section is how Decolla builds antivirus, encryption and local-admin control as one coherent, plan-approved set.

Why this matters

The Endpoint Security node is where most Intune tenants quietly decay. A Defender antivirus policy exists, but Tamper Protection was never enabled — so anything running with admin rights can simply switch the protection off. BitLocker shows as enabled, but nobody verified that recovery keys actually escrowed to Entra, which is discovered the day a laptop demands a key that was never stored. Local admin rights were granted "temporarily" during a rollout and never revoked.

Assessors are also less forgiving than they used to be: Cyber Essentials, CIS benchmarks and NCSC guidance now expect a broader set of hardening controls than many tenants have ever formally configured. Each control is individually simple. The failure mode is a half-built set: controls that exist in isolation, do not back each other up, and leave the admin unable to say with confidence what is actually enforced.

What a good build does

Decolla's secure phase mirrors the Endpoint Security node itself, so what you approve maps directly onto what you will later manage in Intune — and it pairs controls that only work together. The antivirus baseline is delivered alongside Tamper Protection, because a Defender baseline without it is bypassable by design. Silent BitLocker encryption is paired with Entra key escrow, including a stricter variant that blocks encryption until the recovery key has demonstrably escrowed.

Anything capable of breaking line-of-business software ships in a staged posture: attack surface reduction rules carry an explicit Audit/Warn/Block parameter, and the other behaviour-restricting controls follow the same audit-before-enforce pattern. Local admin is treated as one problem rather than three settings — Windows LAPS paired with restricted Administrators membership, with the privilege-management route clearly flagged as requiring its add-on licence rather than presented as free.

Every item appears in the written plan before anything runs: delivery method, reversibility class, irreversible steps flagged. Afterwards, each change Decolla made can be rolled back per item — Decolla's own changes, honestly scoped, not a promise to unwind your whole tenant.

Where it bites people

Block mode on day one. ASR rules enforced without an audit period are the classic self-inflicted outage: CAD packages, macro-heavy finance workbooks and legacy installers start failing, and the panicked response — disable everything — leaves the tenant less protected than before the project began. Audit, read the reported events, then enforce.

Encryption before escrow. Silent BitLocker can start encrypting before the recovery key lands in Entra; a firmware quirk or a join hiccup means the key never arrives, and you find out at a recovery screen holding a director's laptop. That is precisely why the block-until-escrowed pairing exists — and why "BitLocker: enabled" on its own proves very little.

What's in this section (21 items)

ItemTierDeliveryReversibility
BitLocker - silent + Entra key escrowRecommendedendpointSecurityreverse
BitLocker block-until-key-escrowed-to-EntraRecommendedendpointSecurityauto
Windows LAPS (local admin)RecommendedendpointSecurityauto
Restricted local Administrators membership (pairs with LAPS)RecommendedendpointSecurityauto
Endpoint Privilege Management (remove local admin safely)OptionalendpointSecurityauto
Device-side account lockout (Account Protection)RecommendedendpointSecurityauto
Machine inactivity auto-lock (DeviceLock InactivityLimit)RecommendedsettingsCatalogauto
Defender for Business (only if no 3rd-party AV)OptionalendpointSecurityauto
Defender AV baseline (RTP + cloud + PUA + tamper)StandardendpointSecurityauto
Defender AV exclusions (curated, minimal - over-exclusion guarded)OptionalendpointSecurityauto
3rd-party AV exclusions (deep-link to vendor cloud console)Optionalmanualauto
ASR rules (Defender; can break CAD)OptionalendpointSecurityreverse
Controlled Folder Access (audit-first)OptionalendpointSecurityreverse
Exploit Protection (DEP/ASLR/CFG/SEHOP)RecommendedendpointSecurityreverse
App Control for Business / WDAC (audit-first)OptionalendpointSecurityreverse
SmartScreen (Explorer + Edge + network)StandardsettingsCatalogauto
Defender Tamper ProtectionStandardnativereverse
Defender Network ProtectionRecommendednativereverse
Defender Web Content FilteringRecommended · Defender for Business/MDE P1manualreverse
Removable media / USB device control (Defender)Recommended · Defender for Business/MDE P1nativereverse
Windows Firewall (all profiles on, default inbound block)Standardnativeauto

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access