
Cyber Essentials Plus: Replacing the Annual Scramble with Continuous Assurance

Most organisations treat CE+ as a periodic scramble that consumes days of IT resource and carries genuine pass/fail risk. This analysis maps all five control themes to Intune compliance policies, converting certification from a point-in-time exercise into a continuous assurance model that boards can rely upon year-round.

INSIGHTS OF 2026
Practitioner Insight

Cyber Essentials Plus: Automating the Technical Verification via Intune

Cyber Essentials Plus (CE+) remains the UK government's preferred baseline security certification, and for good reason. Unlike its self-assessment sibling, CE+ adds an independent technical verification in which an assessor tests a sample of in-scope devices, on site or over a remote session, rather than taking the questionnaire answers on trust. The five control themes - firewalls, secure configuration, user access control, malware protection, and security update management - must be demonstrably enforced, not merely documented.

Most organisations treat CE+ as a periodic scramble: IT teams spend days manually checking devices, exporting screenshots, and praying that the sample set happens to be compliant. This approach is fragile, unscalable, and fundamentally incompatible with hybrid work. Microsoft Intune transforms this into a continuous, programmatic assurance model.

Control Theme 1: Firewalls

CE+ requires that every device connecting to the internet has a correctly configured firewall. For Windows endpoints managed by Intune, this translates to an Endpoint Security firewall profile. Navigate to Microsoft Intune admin centre > Endpoint security > Firewall and create a profile targeting Windows 10/11. The critical settings are:

  • Domain, Private, and Public profiles: all enabled
  • Default inbound action: Block for all three profiles (outbound can remain Allow)
  • Stealth mode: enabled, so closed ports do not answer port scans with TCP resets or ICMP unreachable messages (it does not by itself block ICMP echo; add an explicit inbound rule if you also want ping silenced)
  • Allow local policy merge and allow local IPsec policy merge: disabled, so rules created locally by installers or by anyone holding admin rights are ignored and only centrally managed exceptions apply

For macOS endpoints, use the macOS firewall profile under Endpoint security > Firewall (Intune delivers it through Apple's com.apple.security.firewall MDM payload, so a hand-built custom profile is no longer needed) to enable the application firewall and block all incoming connections except those required for essential services. The compliance policy should then check that the firewall reports as active - Device Security > Firewall: Require for Windows, System Security > Firewall: Enabled for macOS - so that any device failing the check is marked non-compliant and blocked from corporate resources via Conditional Access.

Control Theme 2: Secure Configuration

The assessor will verify that default passwords have been changed, unnecessary services are disabled, and auto-run is off. In Intune, create a Settings Catalogue profile under Devices > Configuration > Create > Settings catalogue. Key settings to enforce:

  • AutoPlay: "Turn off AutoPlay" enabled for all drives, and "Set the default behaviour for AutoRun" set to "Do not execute any autorun commands"
  • Remote Desktop Services: disabled unless explicitly required (where it is required, keep Network Level Authentication on and restrict the inbound firewall rule to management addresses)
  • SMBv1: disabled via Administrative Templates > MS Security Guide > "Configure SMB v1 server" and "Configure SMB v1 client driver"; the Windows Features toggle itself is not exposed in the Settings catalogue, although clean Windows 10/11 builds no longer install SMB1 at all
  • Guest account: disabled (Local Policies Security Options > Accounts: Guest account status)
  • Built-in local Administrator account: disabled, or enabled only under Windows LAPS (Endpoint security > Account protection) so the password is unique per device and rotated; renaming on its own is not a control, because the account keeps its well-known RID 500

For browsers, configure Microsoft Edge from the Settings catalogue's Microsoft Edge category: SmartScreen enabled and not overridable by the user, pop-ups blocked, and the built-in password manager disabled where your organisation issues a managed password manager instead. The assessor will test these directly, so ensure the profile is assigned to all in-scope device groups without exclusions, and remember that any other browser left installed is equally in scope for both configuration and patching.

Control Theme 3: User Access Control

CE+ mandates that users operate with least-privilege accounts and that administrative access is tightly controlled. Intune works in concert with Entra ID here. First, ensure no standard user holds local administrator rights: an Endpoint security > Account protection "Local user group membership" policy can strip everyone but the intended admin groups out of the local Administrators group. Deploy Endpoint Privilege Management (EPM) policies - an Intune Suite add-on - to handle the rare cases where elevation is needed, so that the justification is an EPM rule rather than a standing admin account.

Configure Entra ID Conditional Access to require MFA for all users, using an authentication strength to mandate phishing-resistant methods (FIDO2, Windows Hello for Business, certificate-based authentication) for administrators. Then create an Intune compliance policy that checks:

  • Minimum password length: 12 characters (CE's own threshold is 12, or 8 where common passwords are automatically blocked; 12 avoids having to argue the exception)
  • Password complexity: do not require it. NCSC guidance advises against forced complexity rules because they push users towards predictable patterns; rely on length, MFA and Entra Password Protection's banned-password list instead
  • Maximum minutes of inactivity before a password is required: 5 minutes
  • Brute-force protection: CE requires throttling or lockout after no more than 10 failed attempts. On Windows this is a device restrictions / Settings catalogue setting (Device Lock > Max device password failed attempts), not a compliance-policy option, and on desktop Windows exceeding it forces BitLocker recovery rather than a wipe; the "wipe the device after n failed sign-ins" behaviour applies to iOS/iPadOS and Android

The compliance state feeds Conditional Access only if your access policies use the "Require device to be marked as compliant" grant control; with that in place a non-compliant device cannot obtain a token for the protected applications, so the control is enforced at the authentication layer, not merely at the device layer. Two timing caveats: compliance is evaluated when the device checks in, not the instant a setting drifts, and any "mark device non-compliant after N days" schedule in the policy's actions for non-compliance delays the block by that long.

Control Theme 4: Malware Protection

The assessor will verify that anti-malware software is installed, active, and up to date on every sampled device. Microsoft Defender Antivirus, managed through Intune, satisfies this requirement comprehensively. Under Endpoint security > Antivirus, create a Microsoft Defender Antivirus profile with:

  • Real-time protection: enabled, with tamper protection switched on in the accompanying Windows Security experience profile so a local admin cannot turn it off
  • Cloud-delivered protection: enabled, with cloud block level set to High
  • Automatic sample submission: "Send safe samples automatically" is the usual choice; "Send all samples" also uploads documents that may contain personal data, so agree that with your data protection owner before selecting it
  • Potentially unwanted application (PUA) detection: Block
  • Security intelligence (signature) update interval: every 4 hours, with "check for signatures before running a scan" enabled

Critically, also switch on the Defender checks in the Windows compliance policy - Microsoft Defender Antimalware: Require, Real-time protection: Require, and Antimalware security intelligence up-to-date: Require - so that a device whose Defender is inactive, or whose signatures Defender itself reports as stale, is marked non-compliant. The built-in check does not take a configurable age; if you want a hard threshold such as 48 hours, implement it as a custom compliance setting (a PowerShell discovery script returning JSON plus a rules file). Either way the assessor sees continuous enforcement rather than a policy that could have been applied moments before the audit.

Control Theme 5: Security Update Management

This is where most CE+ failures occur. The assessor will check that every update fixing a critical or high-risk vulnerability (CVSS v3 base score of 7.0 or above in the CE definition) has been applied within 14 days of release, and that all software in scope is still supported by its vendor. Intune's Windows Update for Business policies handle the Windows side:

  • Quality update deferral: 0 days (no deferral for security updates)
  • Feature update deferral: set per organisational risk appetite, but not irrelevant to CE+: the OS must be a supported version, so a device still on a build that has left servicing fails regardless of how quickly it takes monthly updates. Keep the deferral short enough to stay inside the servicing window
  • Deadline for quality updates: 7 days
  • Grace period: 2 days (deadline plus grace is 9 days from release, inside the 14-day CE+ window with room for a failed first attempt)
  • Auto reboot before deadline: enabled, so a device that is never restarted cannot quietly miss the window

For third-party applications, remember that CE has always covered all software in scope, browsers and productivity suites included. Microsoft Edge and Microsoft 365 Apps update themselves through Edge Update and the Office CDN; use Intune to pin the update channel and stop users pausing updates, rather than to push the binaries. For third-party applications like Adobe Reader or Zoom, either use Enterprise App Management (an Intune Suite add-on with a vendor-maintained catalogue) or package each release as a Win32 app whose detection rule checks that the installed version is at or above the patched build, so that an out-of-date device is detected as "not installed" and upgraded.
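As an added example (not code from the original article or from any vendor), here is the version-gated Win32 detection script the paragraph describes. The product name pattern and the minimum version are assumed placeholders; the script reads both uninstall hives so 32-bit and 64-bit installers are found, and normalises vendor-formatted version strings before comparing them.

```powershell
# Added example, not from the original article. Intune Win32 app custom detection
# contract: exit 0 *with* STDOUT output = detected (installed at or above the required
# build); exit 0 with no output = not detected, so Intune installs/upgrades the package.
$DisplayNamePattern = 'Adobe Acrobat*'       # assumed product; match the uninstall key's DisplayName
$MinimumVersion     = [version]'24.2.20857'  # assumed placeholder: the first patched build you require

function ConvertTo-CleanVersion {
    # DisplayVersion is vendor-formatted ("24.002.20857", "5.17.11 (12345)"); keep the
    # leading dotted-numeric part so [version] can parse and compare it.
    param([string]$Raw)
    if ($Raw -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-InstalledVersion {
    param([string]$NamePattern)
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $versions = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion } |
        ForEach-Object { ConvertTo-CleanVersion $_.DisplayVersion } |
        Where-Object { $null -ne $_ }
    # Side-by-side installs: the highest version is the one that matters for patch state.
    return ($versions | Sort-Object -Descending | Select-Object -First 1)
}

$installed = Get-InstalledVersion -NamePattern $DisplayNamePattern
if ($installed -and $installed -ge $MinimumVersion) {
    Write-Output "Detected $DisplayNamePattern $installed (minimum $MinimumVersion)"
    exit 0
}
# Not installed, or below the baseline: no STDOUT, so Intune treats the app as missing
# and the assigned package installs or upgrades it.
exit 0
```

Upload it as the app's custom detection script with "Run script as 32-bit process on 64-bit clients" set to No, otherwise registry redirection hides the 64-bit hive from the script. Per-user installs under HKCU are not covered; replace those with per-machine packages, since the assessor samples the device rather than the user.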

Create a compliance policy that marks devices non-compliant when the OS build is below the required baseline: the Windows compliance template's "Minimum OS version" takes a full 10.0.build.UBR string, and the value must be raised each month once the new cumulative update has had its deadline plus grace period to land. This is the single most impactful control for CE+ pass rates, and the one most often found still pointing at a months-old build.

Preparing for the Assessor Visit

When the assessor from your IASME-accredited certification body arrives for technical verification (or connects to the sampled devices remotely), they will select a representative sample of devices and test each control theme. With Intune, your preparation becomes:

  1. Export compliance reports: Navigate to Intune > Reports > Device compliance > Compliance status and export the full dataset showing all devices in a compliant state.
  2. Run a pre-audit sweep: Use the Remediations feature (formerly Proactive Remediations) to run a PowerShell detection script across all devices verifying firewall state, Defender status, and patch level. Per-device output is visible in the admin centre; export it via Microsoft Graph if you want a retained record in a Log Analytics workspace.
  3. Demonstrate real-time enforcement: Show the assessor that connecting a non-compliant device triggers an immediate block via Conditional Access. This is more compelling than any PDF evidence pack.
  4. Prepare the scope boundary: Ensure your Intune device groups exactly match the CE+ scope. Devices outside scope must be documented as excluded with justification.
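The pre-audit sweep in step 2 and the custom compliance threshold mentioned under Control Theme 4 need the same discovery logic, so the following added example (not code from the original article) serves both: one function gathers the state the assessor will test, and the tail of the script emits either the single-line JSON that Intune's custom compliance expects or the exit code a Remediations detection script needs. The $Mode switch, the threshold values and the JSON key names are assumptions to adapt to your tenant.

```powershell
# Added example, not from the original article. Upload the same file twice: as a custom
# compliance discovery script with $Mode = 'Compliance' (Intune parses one compressed JSON
# object from STDOUT, keys matching the SettingName values in the rules JSON you attach to
# the compliance policy), and as a Remediations detection script with $Mode = 'Detection'
# (exit 0 = healthy, exit 1 = run the remediation). Thresholds are assumptions taken from
# the 48-hour and 14-day figures in the article.
$Mode                 = 'Detection'
$MaxSignatureAgeHours = 48
$MaxPatchAgeDays      = 14

function Get-CePlusState {
    $now = Get-Date

    # Control theme 1: all three profiles enabled, default inbound action Block.
    $profiles = Get-NetFirewallProfile -Name Domain, Private, Public
    $badProfiles = @($profiles | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    })

    # Control theme 2: SMB1 server must be off (cmdlet is absent on very old builds, hence try).
    $smb1 = $false
    try { $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol } catch { }

    # Control theme 4: Defender engine on, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus
    $sigAgeHours = [math]::Round(($now - $mp.AntivirusSignatureLastUpdated).TotalHours, 1)

    # Control theme 5: last successful install date from the Windows Update Agent COM object.
    $patchAgeDays = $null
    try {
        $last = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Results.LastInstallationSuccessDate
        if ($last) { $patchAgeDays = [int]($now - [datetime]$last).TotalDays }
    } catch { }

    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $build = '{0}.{1}' -f [System.Environment]::OSVersion.Version.Build, $ubr

    # Key names are assumptions; they must match the rules file of the compliance policy.
    [ordered]@{
        FirewallCompliant  = ($badProfiles.Count -eq 0)
        Smb1Enabled        = $smb1
        DefenderEnabled    = [bool]$mp.AntivirusEnabled
        RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
        SignatureAgeHours  = $sigAgeHours
        PatchAgeDays       = $patchAgeDays
        OsBuild            = $build
    }
}

function Test-CePlusState {
    # Returns the list of failed checks; empty means the device passes every theme tested here.
    param([System.Collections.IDictionary]$State)
    $failures = @()
    if (-not $State.FirewallCompliant) { $failures += 'firewall profile disabled or inbound not blocked' }
    if ($State.Smb1Enabled)            { $failures += 'SMB1 server enabled' }
    if (-not $State.DefenderEnabled -or -not $State.RealTimeProtection) { $failures += 'Defender inactive' }
    if ($State.SignatureAgeHours -gt $MaxSignatureAgeHours) { $failures += "signatures $($State.SignatureAgeHours)h old" }
    if ($null -eq $State.PatchAgeDays -or $State.PatchAgeDays -gt $MaxPatchAgeDays) {
        $failures += "last successful update $($State.PatchAgeDays) days ago"
    }
    return $failures
}

$state = Get-CePlusState
if ($Mode -eq 'Compliance') {
    return $state | ConvertTo-Json -Compress
}

$failures = Test-CePlusState -State $state
if ($failures.Count -gt 0) {
    Write-Output ('NON-COMPLIANT: ' + ($failures -join '; ') + " [build $($state.OsBuild)]")
    exit 1
}
Write-Output "COMPLIANT [build $($state.OsBuild)]"
exit 0
```

For the compliance variant, the rules file declares one rule per key: a Boolean rule with Operator IsEquals and Operand true for FirewallCompliant, DefenderEnabled and RealTimeProtection, a Boolean IsEquals false for Smb1Enabled, and Double or Int64 rules with Operator LessThan for SignatureAgeHours and PatchAgeDays. Both script types run as SYSTEM by default, which the Defender, SMB and Windows Update queries need; the Remediations output line is what you show the assessor for step 2.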

The fundamental shift is from periodic compliance to continuous assurance. Every device, every day, is assessed against the CE+ control themes. The assessor visit becomes a formality rather than a crisis - you are simply showing them a system that has been enforcing compliance since the day it was deployed.