A sane Intune compliance baseline for small teams

Most Intune guidance is written for enterprises with a dedicated endpoint team. Here is a right-sized baseline for a small or mid-sized team that protects company data without a six-month project.

18 April 2026

Microsoft Intune can do an enormous amount, which is exactly why small teams stall on it. The official baselines assume a dedicated endpoint team and a long programme. Most organisations do not have that, and do not need it. Here is a sane starting point.

Start with compliance, not lockdown

The instinct is to lock everything down. Resist it. Start by defining what “compliant” means and reporting on it, before you start blocking. A compliance policy that simply requires encryption, a PIN or password, and a minimum OS version already tells you which devices are a risk, without breaking anyone’s day.

A right-sized baseline

For a small or mid-sized team, this covers most of the real risk:

  • Enrolment. Get company devices enrolled, and decide your stance on personal (BYOD) devices early.
  • Compliance policy. Encryption on, a screen-lock requirement, minimum OS version, and a check that the device is not jailbroken or rooted.
  • Disk encryption. BitLocker on Windows, FileVault on macOS, enforced and reporting back.
  • Update policy. A reasonable update ring so devices are not running last year’s OS.
  • Conditional access. The piece that makes the rest matter: require a compliant device to reach company data.

That last point is the hinge. Compliance policies only describe a device. Conditional access is what actually uses that description to allow or block access.

What to leave out, for now

You do not need app protection policies on every app, kiosk configurations, or elaborate device-configuration profiles on day one. Add those when a real need appears. Starting narrow and widening is far healthier than deploying a huge configuration you do not understand and cannot support.

Roll it out in stages

Never apply a new baseline to everyone at once. Pilot it on a small group, including a few non-technical users, watch what breaks, then widen. A baseline that locks people out of their work will be switched off within a week, which is worse than no baseline at all.
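The baseline and staged rollout described above, as an added example rather than the article's own code: a Windows compliance policy plus a conditional access policy in report-only mode, both scoped to a pilot group, created through Microsoft Graph. The display names, the all-zero group id and the OS build are placeholders, and the live path assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example, not the article's own code. Save as a .ps1 and run in PowerShell.
$Apply = $false   # $false: only print the request bodies; $true: create the policies
$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot group object id
$MinimumOsVersion = '10.0.19045.0'   # sample value: set the oldest build you support
$Graph = 'https://graph.microsoft.com/v1.0'

# Compliance policy: only describes what "compliant" means for a Windows device.
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Baseline - Windows compliance'
    passwordRequired         = $true
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    osMinimumVersion         = $MinimumOsVersion
    # Graph requires one scheduled action; 'block' here means "mark as non-compliant".
    scheduledActionsForRule  = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}

# Conditional access: consumes the compliance state. Report-only, pilot group only.
$conditionalAccess = @{
    displayName   = 'Baseline - require compliant device (pilot, report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

if (-not $Apply) {
    # Dry run: show exactly what would be sent, without touching the tenant.
    $compliance, $conditionalAccess | ForEach-Object { ConvertTo-Json -InputObject $_ -Depth 6 }
} else {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
    $created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies" -Body (ConvertTo-Json -InputObject $compliance -Depth 6)
    # A compliance policy evaluates nothing until it is assigned; target the same pilot group.
    $assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" -Body (ConvertTo-Json -InputObject $assign -Depth 6)
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/identity/conditionalAccess/policies" -Body (ConvertTo-Json -InputObject $conditionalAccess -Depth 6)
}
```

In report-only state the sign-in logs show which pilot sign-ins would have been blocked, so the policy can be switched to `enabled` once that list is empty or understood. Report-only policies that require a compliant device can still prompt users on macOS, iOS and Android to select a device certificate.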

If you would rather not build this from scratch, Intune setup is one of the things we do, and a free health-check will tell you where your current device posture actually stands.
