Click devices on the right, then further down click compliance policies
Now, click create policy
Select Windows 10 and later, then click create
Name the policy then click next
Now choose the settings you would like to enforce; I have attached a screenshot of my configuration below.
This configuration requires every Windows computer to have at least the October 2021 update, have BitLocker enabled, require a password to unlock the device, require encryption of data on the device, have the Windows Firewall enabled, have Windows Defender enabled and up to date, and have Windows Defender real-time protection turned on.
Once you have your settings picked click next then next again
Choose all users at the top for assignments
Click next then create
Checking compliance and making devices compliant
The status of a device's compliance can be found under all devices
If a device is not compliant the user will be notified on the machine
Below is a screenshot of the user's computer after the policy was applied and they did not have encryption enabled.
If a device is not compliant, there will be an alert on the dashboard and it will show the following when viewing devices.
Once a device is compliant, it will show as compliant under All devices.
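Added example, not from the original guide: a PowerShell script you can run on a Windows device to check the same items the compliance policy above enforces (minimum OS build, BitLocker, Windows Firewall, Windows Defender, signature age and real-time protection), so you can see which item is failing instead of waiting for the portal to tell you. It assumes an elevated session on the device; $MinimumBuild is a placeholder build number that you should set to the version your policy requires, and the "password required" rule is left out of this local check.

```powershell
# Added example (not from the original guide): local check of the settings the
# compliance policy enforces. Run in an elevated PowerShell session on the device.
param(
    # Assumption/placeholder: the OS build your policy's minimum version requires.
    [int]$MinimumBuild = 19044,
    # Assumption: how many days old Defender signatures may be before you treat them as stale.
    [int]$MaxSignatureAgeDays = 1
)

$results = New-Object System.Collections.Generic.List[object]

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Minimum OS version (the policy's "at least the October 2021 update" rule)
$build = [System.Environment]::OSVersion.Version.Build
Add-Check 'Minimum OS build' ($build -ge $MinimumBuild) "build $build, required >= $MinimumBuild"

# 2. BitLocker / encryption of data on the device: protection must be On for the OS drive
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$blStatus = if ($bl) { "$($bl.ProtectionStatus)" } else { 'unknown' }
Add-Check 'BitLocker enabled' ($blStatus -eq 'On') "$($env:SystemDrive) ProtectionStatus=$blStatus"

# 3. Windows Firewall: every profile (Domain, Private, Public) must be enabled
$disabled = Get-NetFirewallProfile |
    Where-Object { "$($_.Enabled)" -ne 'True' } |
    Select-Object -ExpandProperty Name
$fwDetail = if ($disabled) { "disabled profiles: $($disabled -join ', ')" } else { 'all profiles on' }
Add-Check 'Firewall enabled' (-not $disabled) $fwDetail

# 4. Windows Defender: antivirus on, real-time protection on, signatures current
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Check 'Defender enabled' ([bool]$mp.AntivirusEnabled) "AntivirusEnabled=$($mp.AntivirusEnabled)"
    Add-Check 'Real-time protection' ([bool]$mp.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Check 'Signatures up to date' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "signature age $($mp.AntivirusSignatureAge) day(s), last updated $($mp.AntivirusSignatureLastUpdated)"
} else {
    Add-Check 'Defender status' $false 'Get-MpComputerStatus returned nothing (Defender not running or not installed)'
}

$results | Format-Table -AutoSize

# Non-zero exit so the script can be used from a remediation or monitoring job
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed; these are the items most likely to be flagged by the policy." -f $failed.Count)
    exit 1
}
```

Run it on the device that shows as non-compliant; the table lists each check with the detail behind it, which is usually quicker than reading the device's compliance report in the portal.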
Setting up automatic updates for enrolled computers
From the endpoint admin center go to Devices, then scroll down to "Update rings for Windows 10 and later"
Click create profile, name the profile then click next
For servicing channel choose Semi-Annual; this will push updates as soon as they are released to the public
Leave the rest of this section as default and continue onto user experience settings
Set automatic update behavior to "auto-install and restart at maintenance time"
Set the active hours for users then configure as needed. Below is a screenshot of my configuration as an example
After this, click next, then choose "Add all devices" at the top and click next again
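Added example, not from the original guide: once the update ring is assigned, confirm from a device that the settings actually arrived rather than waiting for the portal. Intune delivers update ring settings through the Policy CSP Update area; this script assumes the delivered values appear under the registry key named below (that path and the value names are my assumption, not something the guide states) and reports which of them are present.

```powershell
# Added example (not from the original guide): list the Update policy values an enrolled
# device has received, so you can confirm the ring applied. Run elevated on the device.
# Assumption: MDM-delivered Policy CSP "Update" settings land under this registry key.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Value names are an assumption drawn from the Policy CSP Update area; each maps to a
# ring setting chosen above, and the meaning of each value is documented there.
$expected = @(
    'BranchReadinessLevel',             # servicing channel
    'AllowAutoUpdate',                  # automatic update behaviour
    'ActiveHoursStart',                 # active hours start
    'ActiveHoursEnd',                   # active hours end
    'DeferFeatureUpdatesPeriodInDays',  # feature update deferral
    'DeferQualityUpdatesPeriodInDays'   # quality update deferral
)

if (-not (Test-Path $policyPath)) {
    Write-Warning "No Update policy values at $policyPath; the device may not have synced the ring yet."
    exit 1
}

$props = Get-ItemProperty -Path $policyPath
$report = foreach ($name in $expected) {
    $prop = $props.PSObject.Properties[$name]
    [pscustomobject]@{
        Setting = $name
        Present = ($null -ne $prop)
        Value   = $(if ($prop) { $prop.Value } else { $null })
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} expected setting(s) not present yet; sync the device (Settings > Accounts > Access work or school > Sync, or from the portal) and re-run." -f $missing.Count)
    exit 1
}
```

If the key exists but some values are missing, the ring has usually not finished applying; if the key is absent entirely, check that the device is actually enrolled and in the assigned group before troubleshooting the ring itself.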