Introduction #
This policy checks for the following requirements of Windows 10 and later devices to ensure the Device is healthy and has the following baseline protections enabled:
Policy Settings #
Device Health
| Require BitLocker | Require |
| Require Secure Boot to be enabled on the device | Require |
| Require code integrity | Require |
System Security
| Firewall | Require |
| Trusted Platform Module (TPM) | Require |
| Antivirus | Require |
| Antispyware | Require |
Actions for Non-Compliance #
We recommend allowing 1 day as a grace period before the device is marked as noncompliant. This is due Windows telemetry errors caused by due to Device Health Attestation
| Mark device noncompliant | 1 day |
Assignments #
Users, Groups and Devices
| Includes | – All Users |
