Cyber Essentials with Intune: A Complete Setup Guide for UK Small Businesses
If your business is going for Cyber Essentials certification - or you need it for a contract - this guide covers exactly how to meet all five technical controls using Microsoft Intune and Microsoft 365. No fluff, just the settings that matter and where to find them.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme run by the NCSC (National Cyber Security Centre). It covers five core technical controls that protect against the most common cyber threats.
It comes in two levels:
- Cyber Essentials - a self-assessed questionnaire, verified by a certifying body. Valid for 12 months.
- Cyber Essentials Plus - includes everything above, plus a hands-on technical audit carried out by a qualified assessor.
A growing number of central government contracts, NHS frameworks, and MOD supply chain agreements now require at least Cyber Essentials as a minimum. Some insurers also offer reduced premiums for certified businesses.
Which Microsoft 365 licence do you need?
Microsoft 365 Business Premium is the recommended licence for Cyber Essentials compliance. It includes everything you need:
| Feature | Business Basic | Business Standard | Business Premium |
|---|---|---|---|
| Microsoft Intune | - | - | ✓ |
| Defender for Business | - | - | ✓ |
| Entra ID P1 (Conditional Access) | - | - | ✓ |
| BitLocker Management | - | - | ✓ |
| Azure Information Protection P1 | - | - | ✓ |
If you already have Business Basic or Standard and don't want to upgrade the full estate, you can add Microsoft Defender for Business and Microsoft Intune Plan 1 as add-ons, though upgrading to Premium is usually cheaper per user once you factor in both.
Control 1 - Firewalls
Cyber Essentials requires a firewall (or equivalent boundary device) on all internet-facing connections, and a software firewall on every device.
For Windows devices managed by Intune, the Windows Defender Firewall is your software firewall. You need to confirm it's enabled on all three profiles - Domain, Private, and Public.
Set the following for each network profile (Domain, Private, Public):
- Firewall enabled - Allowed (default on)
- Block all incoming connections - Not required for CE, but recommended for the Public profile
- Display notifications - Yes
For Cyber Essentials, there is no requirement to manage specific inbound/outbound rules via Intune - the assessors are checking that a firewall exists and is active, not auditing every rule. The compliance policy setting Firewall: Required counts as evidence.
Control 2 - Secure Configuration
This control is about removing unnecessary software and functionality, changing default passwords, and ensuring devices are configured securely out of the box. Intune handles this through configuration profiles and the compliance policy.
Password requirements
Cyber Essentials requires a minimum password length of 8 characters (or 6 if the account locks after 10 attempts). Set this in your compliance policy:
- Password required - Yes
- Minimum password length - 8 characters
- Password expiry - Leave disabled (NCSC guidance recommends against forced rotation)
- Maximum sign-in failures before wipe - 10
Secure Boot and TPM
Cyber Essentials Plus assessors will check that Secure Boot is enabled. Set this in your compliance policy:
- Require Secure Boot to be enabled on the device - Required
- TPM - Require TPM (version 1.2 minimum, 2.0 recommended)
Disable unnecessary features via Configuration Profiles
Create a Settings Catalog profile in Intune to lock down common attack surfaces. Key settings to configure:
- Disable autorun for removable media - prevents USB-based malware execution
- Disable Remote Desktop (RDP) unless your business actively uses it
- Disable macro execution in Office - or restrict to signed macros only
- Disable Windows Script Host if PowerShell and scripts aren't needed by users
Control 3 - User Access Control
This control requires that user accounts have only the access they need, admin accounts are separate from standard user accounts, and MFA is used for all accounts (required since Cyber Essentials v3.1 in April 2023).
MFA for all users via Conditional Access
This is the most important change since the 2023 update to the scheme. Every user account that can access your M365 data must have MFA enforced.
Create a Conditional Access policy with these settings:
- Users - All users (exclude break-glass accounts)
- Cloud apps - All cloud apps
- Grant - Require multi-factor authentication
Use the Intune Compliance Builder to download ready-to-import CA policy JSON files for MFA, compliant device, and legacy auth blocking.
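A check of an exported policy against the three settings above, as an added example (not part of the original guide or the Intune Compliance Builder). It assumes the policy JSON follows the Microsoft Graph conditionalAccessPolicy shape; the function name, sample policy and break-glass ID are constructed for illustration.

```python
# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape.
# The excluded ID is a placeholder standing in for a break-glass account.
BREAK_GLASS = {"00000000-0000-0000-0000-000000000001"}
SAMPLE_POLICY = {
    "displayName": "CE - Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_mfa_policy(policy, break_glass_ids):
    """Return findings; an empty list means the policy matches the three settings."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    # Report-only or disabled policies enforce nothing at sign-in.
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("Users does not include 'All'")
    excluded = set(users.get("excludeUsers") or [])
    if excluded - break_glass_ids:
        findings.append("users excluded besides break-glass accounts")
    if break_glass_ids - excluded:
        findings.append("break-glass account not excluded (lockout risk)")
    if users.get("excludeGroups") or users.get("excludeRoles"):
        findings.append("groups or roles are excluded from MFA")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("Cloud apps does not include 'All'")
    if apps.get("excludeApplications"):
        findings.append("cloud apps are excluded from MFA")
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        findings.append("Grant does not require MFA")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, any other listed control satisfies the policy without MFA.
        findings.append("MFA is optional: another control satisfies 'OR'")
    return findings


if __name__ == "__main__":
    for finding in audit_mfa_policy(SAMPLE_POLICY, BREAK_GLASS) or ["OK"]:
        print(finding)
```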
Local administrator accounts
Cyber Essentials requires that local admin accounts on devices are not used for day-to-day work. Use Windows LAPS (Local Administrator Password Solution) via Intune to manage local admin accounts with unique, rotating passwords stored in Entra ID.
Privileged accounts
Admin accounts (Global Admin, Intune Admin, etc.) should be cloud-only accounts not used for email or day-to-day browsing. Require MFA on every sign-in for these roles - create a separate Conditional Access policy targeting admin directory roles with no trusted location exclusions.
Control 4 - Malware Protection
Cyber Essentials requires that all devices run up-to-date malware protection with real-time scanning enabled. Microsoft Defender Antivirus, included with Windows 10/11, meets this requirement when properly configured.
Key settings to configure in your Defender Antivirus policy:
- Turn on real-time protection - Enabled
- Turn on behaviour monitoring - Enabled
- Enable network protection - Enabled (Block mode)
- Cloud-delivered protection level - High
- Check for signature updates before running a scheduled scan - Enabled
- Signature update interval - 4 hours (or less)
Set the following in your compliance policy to enforce the requirement:
- Microsoft Defender Antivirus: Required
- Real-time protection: Required
- Antivirus signatures up to date: Required
Control 5 - Patch Management
Cyber Essentials requires that all software on in-scope devices is licensed, supported, and kept up to date. Specifically, high and critical patches must be applied within 14 days of release.
Windows Update for Business via Intune
Create an Update Ring policy in Intune to manage when Windows updates are deployed to devices.
Recommended settings for Cyber Essentials compliance:
- Quality update deferral - 0 days (apply immediately, or maximum 14 to stay within CE requirement)
- Feature update deferral - 30-180 days depending on your testing tolerance
- Automatic update behaviour - Auto install and restart at maintenance time
- Deadline for quality updates - 7 days (forces install even if user keeps postponing)
- Deadline for feature updates - 14 days
- Grace period - 2 days
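The deferral, deadline and grace period all add delay, so it is worth checking their combined effect against the 14-day requirement. This is an added example, not from the original guide: it uses Microsoft Graph windowsUpdateForBusinessConfiguration property names, the ring names and values are constructed, and it assumes as a conservative upper bound that the three periods run back to back.

```python
CE_LIMIT_DAYS = 14  # high and critical patches within 14 days of release

# Constructed sample rings (names and values are for illustration only).
RINGS = [
    {"displayName": "CE ring (guide values)",
     "qualityUpdatesDeferralPeriodInDays": 0,
     "deadlineForQualityUpdatesInDays": 7,
     "deadlineGracePeriodInDays": 2},
    {"displayName": "CE ring (14-day deferral)",
     "qualityUpdatesDeferralPeriodInDays": 14,
     "deadlineForQualityUpdatesInDays": 7,
     "deadlineGracePeriodInDays": 2},
    {"displayName": "Ring with no deadline",
     "qualityUpdatesDeferralPeriodInDays": 7,
     "deadlineForQualityUpdatesInDays": None,
     "deadlineGracePeriodInDays": None},
]


def worst_case_days(ring):
    """Upper bound on days from release to enforced install, or None if unbounded."""
    deadline = ring.get("deadlineForQualityUpdatesInDays")
    if deadline is None:
        return None  # no deadline configured, so no upper bound can be computed
    # Assumption: deferral, deadline and grace period are counted back to back.
    deferral = ring.get("qualityUpdatesDeferralPeriodInDays") or 0
    grace = ring.get("deadlineGracePeriodInDays") or 0
    return deferral + deadline + grace


def audit_rings(rings, limit=CE_LIMIT_DAYS):
    """Map each ring name to an 'ok', 'exceeds limit' or 'no deadline' verdict."""
    results = {}
    for ring in rings:
        days = worst_case_days(ring)
        if days is None:
            verdict = "no deadline"
        elif days > limit:
            verdict = f"exceeds limit ({days} > {limit} days)"
        else:
            verdict = f"ok ({days} days)"
        results[ring["displayName"]] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in audit_rings(RINGS).items():
        print(f"{name}: {verdict}")
```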
Microsoft 365 Apps updates
Don't forget that the Cyber Essentials patching requirement covers all software, not just Windows. For Microsoft 365 Apps (Word, Excel, Teams, etc.), configure the update channel in Intune.
Set the update channel to Monthly Enterprise Channel - this receives security updates once per month on the second Tuesday, which keeps you within the 14-day window for critical patches.
Pre-submission checklist
Before you submit your Cyber Essentials self-assessment, run through this list to confirm you have all five controls covered in Intune:
I audit your Microsoft 365 tenant against the Cyber Essentials controls and produce a written report showing exactly what needs fixing, in priority order. Fixed price, no surprises.