
Cyber Essentials Plus: Which Tools Tick Which Boxes?

Cyber Essentials is a UK government-backed certification scheme. This guide maps each of the five technical controls to the tools you likely already have — and highlights gaps you need to address.

What is Cyber Essentials?

Cyber Essentials is a government-backed scheme that helps UK businesses guard against the most common cyber threats. There are two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified).

CE+ requires an assessor to verify that controls are actually implemented — not just documented. Many UK public sector contracts and supply chain requirements mandate CE or CE+ certification.

Control 1: Firewalls

All devices must be protected by a properly configured firewall. This applies to your network perimeter AND individual devices.

  • Network firewall: Cisco Meraki MX or Fortinet FortiGate both meet requirements if configured with deny-all inbound by default.
  • Host-based firewall: Windows Firewall (managed via Intune) satisfies the endpoint requirement.
  • Check that remote workers have their firewall on — enforce this via Intune compliance policy.

Control 2: Secure Configuration

Devices must be configured securely: no unnecessary software, no default passwords, unnecessary ports and services disabled.

  • Intune security baselines (Windows Security Baseline) provide a CE-compatible starting point.
  • Use CIS Benchmark Level 1 as your configuration target — Nessus and Qualys both have CIS audit templates.
  • Disable AutoRun, guest accounts, and remote registry via Intune configuration profiles.

Control 3: User Access Control

Only authorised users should have access, with privilege limited to what they need. Admin accounts must not be used for everyday tasks.

  • Entra ID: separate admin accounts for all IT staff — no using your daily account for admin tasks.
  • Intune: restrict local administrator rights on endpoints.
  • Use Privileged Identity Management (Entra ID P2) for just-in-time admin elevation.

Control 4: Malware Protection

All devices must have malware protection enabled and up to date.

  • Microsoft Defender (included in Windows and M365 Business Premium) meets CE requirements for most organisations.
  • CrowdStrike Falcon also satisfies this control and provides significantly stronger protection.
  • Verify Defender is not disabled by any other security product — check via Intune compliance policy.

Control 5: Patch Management

All software must be patched within 14 days of a high/critical patch being released. This is the control most organisations struggle with.

  1. Configure Windows Update for Business (via Intune) with a 7-day deferral for quality updates
  2. Set a deadline of 14 days — devices must install patches by then regardless of user action
  3. Use Intune compliance policies to flag devices that haven't patched in 14 days as non-compliant
  4. Use Nessus or Defender Vulnerability Management to verify patch status across all devices
  5. Don't forget third-party apps — browsers, PDF readers, and Java are common CE failure points

The 14-day patch window catches many organisations out at CE+ assessment. Set your Intune Update Rings to enforce deadlines, not just offer updates.
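
The verification in steps 4 and 5 can be scripted against a missing-patch export. The following is an added example, not part of the original guide or any vendor tooling: it flags high/critical patches outstanding for more than 14 days, third-party apps included. The CSV column names and sample rows are constructed assumptions, not a real Nessus or Defender export schema.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14            # patch window stated in this guide
IN_SCOPE = {"high", "critical"}   # severities the 14-day rule covers

# Constructed sample: one row per device/software pair with a missing patch.
# Column names are assumptions for illustration only.
SAMPLE_EXPORT = """device,software,severity,patch_released
LAPTOP-01,Windows 11,Critical,2024-05-14
LAPTOP-01,Chrome,High,2024-05-21
LAPTOP-02,Adobe Reader,High,2024-05-01
LAPTOP-03,Java Runtime,Medium,2024-03-01
LAPTOP-04,Firefox,critical,not-a-date
"""

def overdue_patches(export_text, today):
    """Return (overdue, unparsed): rows past the window, and devices needing manual review."""
    overdue, unparsed = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["severity"].strip().lower() not in IN_SCOPE:
            continue  # the 14-day rule applies to high/critical only
        try:
            released = date.fromisoformat(row["patch_released"].strip())
        except ValueError:
            unparsed.append(row["device"])  # never silently pass a malformed row
            continue
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:  # day 14 itself is still inside the window
            overdue.append((row["device"], row["software"], age))
    return sorted(overdue, key=lambda r: -r[2]), unparsed

def non_compliant_devices(export_text, today):
    """Devices with an overdue patch or a row that could not be evaluated."""
    overdue, unparsed = overdue_patches(export_text, today)
    return sorted({device for device, _, _ in overdue} | set(unparsed))

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the sample output is reproducible
    overdue, unparsed = overdue_patches(SAMPLE_EXPORT, today)
    for device, software, age in overdue:
        print(f"{device}: {software} patch outstanding for {age} days")
    print("needs manual review:", unparsed)
```

Age is measured from the patch release date rather than from when the device was offered the update, so time spent in a deferral period counts against the 14 days.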