Company Portal device setting requirements for Windows

This article describes the Windows device setting requirements in Intune Company Portal. Company Portal enforces these requirements on behalf of your workplace or school to ensure your device is secure while accessing their network. Requirements are specific to each organization. You only need to update the device settings that Company Portal flags.

Update operating system

To get the latest updates for Windows, see Microsoft Support: Get the latest Windows update.

We recommend keeping the operating system (OS) on work and school devices up-to-date. Before updating a device, back up all of the information on it. Keep a backup so that you can recover your data if something interrupts the update, or transfer your information to a replacement device.

Operating system isn't supported

The operating system (OS) version running on your device isn't supported. The current version of Windows might not work with your organization's apps, tools, or other internal infrastructure. To resolve this issue, either upgrade or downgrade to an OS version supported by your organization. OS requirements vary by organization. Contact your IT support person to find out what requirements you need to meet.

For information about how to upgrade to Windows 11, see:

• Upgrade to Windows 11: FAQ
• Getting ready for the Windows 11 upgrade

Enable anti-malware protection

Anti-malware is an important factor in making sure your device is protected. To meet this compliance requirement, enable the anti-malware software and features required by your organization. On devices running Windows 10 and later, the built-in anti-malware software is Microsoft Defender Antivirus.

Remember to only download apps from verified sources, such as the Company Portal app and the Microsoft Store. For more information about anti-malware for Windows, see Microsoft Support: Getting started with anti-malware in Microsoft Defender.

Enable Window Code Integrity

Contact your IT support person to enable code integrity on your work or school device. Code integrity is a threat protection feature that checks the drivers and system files on your device for signs of corruption or malicious software. For it to work on your device, another security feature called Secure Boot must be enabled. Your IT support person can also help you enable Secure Boot, which will in turn trigger code integrity the next time you start up your device.

Turn on Windows Defender Firewall

Windows Defender Firewall helps prevent hackers and malicious software from gaining access to your work or school device through the internet or a network. Your organization might require you to turn it on before you can access their network resources.

For more information and how-to instructions, see Microsoft Support: Turn Microsoft Defender Firewall on or off on Microsoft Support.

Access point restrictions not set up

Your company applied access point restrictions on your device. This setting requires the Company Portal app to verify a few network settings on your device. Tap Resolve and wait while the Company Portal app checks for an approved network connection.

Not connected to an approved network

Your device is connected to a network that isn't approved for work access. While connected to this network, you can't access work email, apps, and other protected resources. To meet this compliance requirement, connect to a company-approved network. Then tap Resolve in Company Portal to retry.

Restrictions couldn't be enforced

Company Portal can't determine if your device is connected to an approved network. This error could be a result of poor network connectivity, low battery, battery saver mode, or a Company Portal error. To resolve, verify that you have a strong network reception. Turn off battery saver mode and make sure your battery life has at least 30% remaining. Then tap Resolve in Company Portal to retry.

Enable Secure Boot

Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that's trusted by the original equipment manufacturer (OEM). Your organization might require you to enable it. We recommend reaching out to your IT support person for help with enabling Secure Boot on a work or school device.

Secure Boot settings are available in Windows Security and UEFI BIOS settings. For information about accessing the UEFI menu on a Surface device, see Manage Surface UEFI settings. For information about how to boot other devices into UEFI BIOS mode, see the manufacturer's documentation.

Turn on virus and threat protection

Microsoft Defender Antivirus is an antivirus software included in Windows that protects against viruses, malware, and other threats. Your organization might require you to turn on specific antivirus features on your device before you can access their network.

• Turn on real-time protection: Real-time protection enables Microsoft Defender Antivirus to scan for threats on your device. To turn on real-time protection, go to Start > Windows Security > Virus & threat protection.

• Turn on cloud-delivered protection: On your device, go to Start > Windows Security > Virus & threat protection. Turn on cloud-delivered protection.

• Update antivirus definitions: On your device, go to Start > Windows Security > Virus & threat protection. Then check for new protection updates. If you don't see the option to check for updates, turn on real-time protection and cloud-delivered protection, and then try again.

For more information, see Microsoft Support: Virus & threat protection in Windows Security.

Change User Access Control setting

The User Access Control settings prevent potentially harmful programs and software from making changes to your device. To meet this compliance requirement, adjust User Access Control so that your device has more protection. User Access Control settings are in Control Panel under System and Security. For more information, see Microsoft Support: User Account Control settings.

Next steps

If you're having trouble resolving a compliance requirement, contact your IT support person or IT administrator for help. They can help you quickly identify the problem and solution so that you can use your device for work or school again. To find your organization's contact information, sign in to the Company Portal app or Company Portal website.