8 characters or more, some special, throw some numbers in there, and rotate often.
Pretty much the standard advice for creating passwords for as long as computer systems have existed. I want to talk about why this logic isn’t important anymore, provided you’ve got other controls and training in place.
In Active Directory, the Default Domain Policy GPO ships with a password policy with the following settings:
Enforce password history: 24
Maximum password age: 42 Days
Minimum password age: 1 day
Minimum password length: 7
Complexity requirements: Enabled
How many of you look at that now and wince a bit?
In Entra ID (formerly Azure Active Directory) the defaults are:
Enforce password history: 1
Maximum password age: 90 Days
Minimum password age: 0 days
Minimum password length: 8
Complexity requirements: Enabled
Slightly better, but still not what good looks like.
While this has been “best practice” for many years, too much of the focus today is still on how the password itself is composed, rather than on adopting multi-factor authentication and Self-Service Password Reset.
Many organisations today have highly specific requirements: some want a 12-character minimum, others encourage passphrases, and if you’re really unlucky, ridiculously short expiry times.
Passwords aren’t the important bit anymore
As Gabe Newell demonstrated by publishing his own Steam password when Steam Guard launched over 10 years ago, it’s the MFA element that protects him, not the password.
Our industry has not yet caught up with this idea, hence the slew of external regulators and insurers demanding standards that they haven’t questioned or revised in years.
What you should be doing
If Entra ID is your identity provider:
Leave the default password creation policy as it is – if you want to go further, configure a custom banned password list
Create a Conditional Access policy to enforce MFA for All Cloud Apps for All Users*
Disable password expiry from the M365 Admin Portal
Configure Self-Service Password Reset and target to ALL USERS
*There are legitimate exceptions to make in Conditional Access (an emergency access account, for instance), but they are not to be made for end-users (your C-levels are just like everybody else).
…There are other CA policies I’d recommend, but that isn’t for this post.
Expanding on those suggestions
Conditional Access Policy
Pretty straightforward, although if you’ve never implemented this before, it might be best to run the policy in “report-only” mode for a week or two and review the sign-in logs before switching it on.
Disabling password expiry
This option is over at https://admin.microsoft.com –> Org Settings –> Security & Privacy
Self-Service Password Reset
Assuming you’ve migrated to the Entra ID Authentication Methods policy, you’ll have a few options for users to reset their own passwords without calling the helpdesk:
Third-party software OATH tokens
(Eventually security questions will be available there too, although some of those are pretty weak. I recently saw a custom one added which was: “What is your favourite colour?”)
I always recommend requiring two of the above methods for a password reset.
Once configured, users will be able to add methods for SSPR over at https://aka.ms/mfasetup
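Here is what the Entra ID steps above look like when done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the break-glass account ID is a placeholder you would replace, and the policy is created in report-only mode on purpose so the sign-in log review described above can happen before anyone is blocked.

```powershell
# Added example (not the post's own code): disable password expiry and create the
# "MFA for all users, all cloud apps" Conditional Access policy via Microsoft Graph.
# Assumed value: the object ID of the emergency access (break-glass) account.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All',
                         'Policy.ReadWrite.ConditionalAccess',
                         'AuditLog.Read.All', 'Directory.Read.All'

# 1. Disable password expiry. There is no "never" switch; Microsoft's documented
#    method is a validity period of 2147483647 days, set on each verified domain.
foreach ($domain in Get-MgDomain | Where-Object IsVerified) {
    Update-MgDomain -DomainId $domain.Id `
        -PasswordValidityPeriodInDays 2147483647 `
        -PasswordNotificationWindowInDays 30
}

# 2. Conditional Access: MFA for all users on all cloud apps. Created in
#    report-only mode first so nobody is locked out while you check the logs.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # assumed: emergency access account
$policy = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 3. After a week or two: which sign-ins would the policy have blocked?
#    Report-only outcomes live under appliedConditionalAccessPolicies, not in the
#    top-level conditionalAccessStatus, so the filter has to be done client-side.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object { $_.AppliedConditionalAccessPolicies |
                   Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' } } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress
```

Excluding the break-glass account is the one exception worth making: with a single “all users” MFA policy and no exclusion, a broken MFA provider or a mistyped condition locks every Global Administrator out at once. Everything else, including the C-levels, stays in scope.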
It’s all well and good being the snarky sysadmin creating these strong policies, but you also need to tell people about them. Number-matching MFA has done a lot to stop people approving prompts without thinking, but users still need to be informed about the new login experience.
For example, tell them:
Don’t approve or proceed with anything you aren’t expecting
As technology progresses, the idea is that our time as administrators is freed up so we can focus on other aspects of IT, such as cyber security.
I’ve mentioned in my other posts that the days of imaging machines are pretty much over, so now that endpoint setup is handled over the internet, how do we keep the builds as lean as possible?
We utilise self-service tools like Company Portal.
What is Company Portal?
Company Portal is a desktop app that you can push to your endpoints via Intune. The focus in this post is to demonstrate the application deployment features so you can be better informed before configuring for your organisation.
Company Portal is very similar to Software Center, which you may have deployed using Configuration Manager (SCCM).
The big idea
User machines should broadly have a baseline set of applications that everyone needs. Your current new machine deployment process might be totally manual, totally zero-touch, or somewhere in between.
With a Microsoft 365 Business Premium licence, features once considered Enterprise-only come to the SMB and Windows Pro market via Company Portal.
The applications that everyone might need include:
Microsoft Office 365 suite
Adobe Reader (although arguably Edge does an adequate “read only” job now)
Deploying Company Portal
As of some fairly recent Intune changes, this bit is really easy.
Add a new app, choosing the Microsoft Store app (new) type
Search for Company Portal and make it a ‘required’ app for all devices.
How do you deliver the additional apps people need to do their jobs?
The short answer is by wrapping everything with the Microsoft Win32 Content Prep Tool and making it available via Intune as a .intunewin application.
I specify the folder I just created along with the full name of the MSI file. I also want the output to appear in the same folder. My options are shown below.
What is the .intunewin extension?
Think of it as a packaged container with all the bits you need to install your software; you can call upon items inside that container using the Install Command field in the deployment options section on the Intune portal, and if your .intunewin contains PowerShell, you can run that too.
I then upload the resulting .intunewin file to Intune
For a more detailed guide on this process, check out Dean’s video
I am also quite fussy about having high-quality logos for the Store image
I go back to the KeePass XC website and grab the SVG which I later convert into a PNG
Because the source file was an MSI, all of the details are pre-populated
You can set the minimum OS details as shown
And again, the MSI detection rules auto-populate if you select MSI as the rule format
The crucial step for Company Portal freedom is to make the app ‘available’ to your users or groups instead of ‘required’
When you complete the wizard and create the app, it will begin to upload. Within 30 minutes or so it will be available for your users to install for themselves.
What if my app doesn’t install with an MSI file?
You will still end up with a .intunewin file, but you have to do some work before you get there.
If you only have an exe file, you’ll need to search for or figure out the silent installation commands/switches. I do this using PowerShell on a VM.
For example, Notepad++ comes as a .exe, but I managed to get it to install (and uninstall) using the following commands:
Using the content prep tool, I wrap only the .exe file and upload it as a .intunewin app.
How about multi-part installers that have dependencies?
The short rule is: if you can figure it out with PowerShell, it can be deployed as a .intunewin package.
When you’re done experimenting and have success locally, wrap it up in a single folder and call your PowerShell in the install command box like this:
Of course, you’ll also need to figure out a detection rule too. You can rely on registry locations if you know where the installer writes its uninstall entry, or for more complex installers, write a PowerShell detection script (Intune treats exit code 0 plus any output on stdout as “detected”; anything else means “not installed”).
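The following script is an added example, not code from the original post, showing the pieces described above for an installer that ships as an .exe with a prerequisite MSI: a silent install with dependency handling, the matching uninstall, and a detection routine in the same file. The installer names, the registry key the app writes, its version, and the log path are all assumed placeholders.

```powershell
# ExampleApp.ps1 - added example, not the original post's code.
# One script, three jobs. Intune runs it with -Mode Install or -Mode Uninstall from
# the .intunewin content; the same file uploaded as the custom detection script runs
# with no arguments, so it falls into Detect mode.
#
# Package:   IntuneWinAppUtil.exe -c C:\Packages\ExampleApp -s setup.exe -o C:\Packages\ExampleApp -q
# Install:   powershell.exe -ExecutionPolicy Bypass -NoProfile -File ExampleApp.ps1 -Mode Install
# Uninstall: powershell.exe -ExecutionPolicy Bypass -NoProfile -File ExampleApp.ps1 -Mode Uninstall
# Detection: "Use a custom detection script" -> upload this file. Install behaviour: System.
#
# Assumed (hypothetical): setup.exe is an NSIS installer, prereq.msi sits beside it,
# the app registers the uninstall key and version below.
param(
    [ValidateSet('Install', 'Uninstall', 'Detect')]
    [string]$Mode = 'Detect'
)
$ErrorActionPreference = 'Stop'
$app     = 'ExampleApp'
$regKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$app"   # assumed
$wantVer = [version]'8.6.2'                                                    # assumed
$uninst  = Join-Path $env:ProgramFiles "$app\uninstall.exe"                    # assumed
$logDir  = Join-Path $env:ProgramData 'IntuneApps'

function Invoke-Installer {
    # -Wait -PassThru gives the installer's real exit code instead of the launcher's.
    param([string]$File, [string]$Arguments)
    (Start-Process -FilePath $File -ArgumentList $Arguments -Wait -PassThru -NoNewWindow).ExitCode
}

function Test-Installed {
    $p = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and [version]$p.DisplayVersion -ge $wantVer)
}

switch ($Mode) {
    'Detect' {
        # Intune's rule: exit 0 AND something on stdout = detected; otherwise not installed.
        if (Test-Installed) { Write-Output "$app $wantVer or newer present"; exit 0 }
        exit 1
    }
    'Install' {
        New-Item -ItemType Directory -Force -Path $logDir | Out-Null
        Start-Transcript -Path (Join-Path $logDir "$app-install.log") -Append
        # Dependency first. msiexec 3010 = installed but reboot pending; Intune maps
        # 3010 to "soft reboot" by default, so it is a success here, not a failure.
        $rc = Invoke-Installer 'msiexec.exe' "/i `"$PSScriptRoot\prereq.msi`" /qn /norestart"
        if ($rc -notin @(0, 3010)) { Stop-Transcript; exit $rc }
        # /S is the standard silent switch for NSIS-built installers.
        $rc = Invoke-Installer (Join-Path $PSScriptRoot 'setup.exe') '/S'
        Stop-Transcript
        exit $rc
    }
    'Uninstall' {
        if (-not (Test-Path $uninst)) { exit 0 }   # already gone, report success
        exit (Invoke-Installer $uninst '/S')
    }
}
```

Two habits this layout gives you for free: the install log lands in a fixed place under ProgramData, so a failed Company Portal install can be diagnosed without reproducing it, and detection checks the version rather than just the key, so bumping `$wantVer` in a new package version makes Intune re-offer the upgrade instead of reporting “installed”.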
Intune is my tool of choice over RMM products. If I have a problem I’m trying to solve, I think about how it can be achieved using what I have at my disposal. There are some fantastic community articles out there that are solving repetitive tasks using .intunewin packages.
For our smaller customers, I’ve started pushing out printers by following this guide on MSEndpointMgr.
You can also use them to uninstall bloatware, I’m looking at you McAfee Antivirus…
Think of this as a more capable scripting method than the PowerShell scripts blade in Intune: Win32 apps give you detection rules, dependencies, requirement rules and retry behaviour that a plain script deployment does not.
Making the transition to Intune is a big challenge, especially if the way you’ve always provisioned computers has been to image them with MDT or Config Manager.
With the end-of-life date for Windows 10 approaching, now is the time to become familiar with what the new process looks like – not just us as administrators, but our end-users too.
If you’re wondering what Autopilot is and what role it plays, there are dozens of community resources that explain it. It’ll also be one of the first episodes of any Intune YouTube tutorial, but the TL;DR answer is:
Autopilot governs the Out-of-Box Experience (OOBE) for a Windows device. The device joins Entra ID and enrols in Intune during OOBE, so as soon as the user signs in, the configuration is coming from Intune.
Autopilot is a user-driven process
I see many discussions within my role and throughout online tech communities about how businesses have transitioned to Autopilot to begin the configuration of devices with the user-driven method applied.
I have to say, most of them are getting it wrong.
They are still having IT run through Autopilot with the user, or worse, running through the whole experience (even doing something wacky with MDT first) without the end-user present. The menus and UI are designed for the end-user to run through. The steps the end-user takes are very similar to the ones they take every year or so when they get the latest smartphone. Are you telling me they are incapable of selecting their language and passing the MFA challenge?
(you don’t have to answer that…)
What is the role of IT with tools like Autopilot and Intune?
IT are there to configure Intune and to ensure that the device they are about to hand over to the user is Autopilot registered. If your company puts physical asset tags on devices, do that too.
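What “make sure the device is Autopilot registered” looks like at the bench, as an added example rather than the post’s own procedure. The group tag and serial number are assumed values; the commands are the Microsoft-published Get-WindowsAutopilotInfo script and the Graph PowerShell SDK.

```powershell
# Added example, not the original post's code. Assumed values: the group tag
# 'Finance' and the serial number being checked.

# --- On the new device, from the OOBE language screen (Shift+F10 opens a prompt,
#     then 'powershell'). This is the only thing IT does on the device itself.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Upload the hardware hash straight to the tenant. The group tag is what a dynamic
# device group matches on, e.g. (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance")),
# and that group is what the Autopilot deployment profile is assigned to.
# -Assign waits until a profile has actually been assigned before returning.
Get-WindowsAutopilotInfo -Online -GroupTag 'Finance' -Assign

# No internet at the bench? Capture to CSV instead and import it from
# Devices > Windows > Windows enrollment > Devices > Import.
# Get-WindowsAutopilotInfo -OutputFile C:\Temp\hash.csv -GroupTag 'Finance'

# --- Later, from an admin workstation: confirm the device is registered and has a
#     profile before it ships. A device with no profile assigned will just walk the
#     user through a plain, unmanaged OOBE.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object SerialNumber -eq 'PF3ABCDE' |            # assumed serial
    Select-Object SerialNumber, GroupTag, DeploymentProfileAssignmentStatus, EnrollmentState
```

Once `DeploymentProfileAssignmentStatus` shows an assigned state, power the device off and hand it over; the user-driven OOBE does the rest when they sign in.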
I used to obsess over having a perfect “Golden Image” using MDT. I would tweak the task sequence for hours at a time, making the process as slick as possible. If that sounds a bit like you, time to start obsessing over Intune. It can be used to achieve the same goal, but you don’t have to configure multicasting or deployment share paths.
Intune is actually easier to configure than Microsoft Deployment Toolkit and Group Policy Objects. As soon as my employer finds this out, my perceived value will go through the floor!
It is unrealistic to expect people to suddenly switch what they’re used to doing without a proper communication strategy. Communication is the thing that can make or break a company. It’s both the best and worst thing about human interaction.
It’s often a nice feeling to have your presence requested with the preface that something new is coming. That can be quickly dampened if a tremendous amount of work or laborious process follows.
Luckily, Autopilot is not that.
Getting users involved
Not everyone enjoys internal IT news, but the least you can do is notify them of your intentions. There are also some (often self-labelled) power users who ask us all sorts of questions about what we do.
If you’re an M365 house, think about establishing a channel to communicate updates. That could be by implementing an org-wide MS Team, or by having news posts delivered on a SharePoint Intranet. Stay away from email, because that’s the inbox of boring stuff no one reads.
Create internal content with screenshots and emojis, people love it. Explain the process, summarise the benefits, and where end-users should go for help. You won’t get everyone, but action is better than inaction.
“We do not break user-space”
This is a direct quote from Linus Torvalds (creator of Linux), and while it has quite a deep technical meaning about the depths of software creation itself, I like to give another meaning to this in my approach to how I configure the end-user experience for Windows via Intune.
It is our job to prevent end-user actions that could harm the business or cause inadvertent mistakes. It is not our job to dictate exactly how the end-user experience should look and feel.
For example, in an earlier role I would lock down the Control Panel, set taskbar pins, create start menu layouts and desktop shortcuts etc. When we configure our Autopilot profile so that users are not Local Administrators, there is little harm they can do to their system. I no longer lock stuff down unless it serves some form of business requirement. Why? Because what I realised was that by disabling the Cortana and Search button on the taskbar, I was preventing people using Windows in a way that might be better for them.
Likewise in Windows 11, I’ve had requests from customers to realign the taskbar to the left. I ask why. “Because that’s what they’re used to” – We need to break away from mollycoddling end-users, and allow them to run their own experience.
Don’t be afraid to set the scene
If you are the person in charge of the endpoint build process internally or for your customers, you have earned a certain level of trust to be in that position. You are therefore able to give consultative advice on how to best move forward using the tools at your disposal.
Question everything about why you build laptops the way you do, you’ll get responses like:
I don’t know
It was like that when X was in charge
That’s the way we’ve always done it
Because that’s what our security team says we should do
That’s what framework X recommends
Something might break if we change that
Not a single one of the responses above is an actual answer you can work with.
One approach you could take is working out what your end-users need for their job, and build a totally new process and pitch it as “this is what good looks like”.
If you’re stuck on how to start doing this via Intune, check out the Open Intune Baseline created by SkipToTheEndpoint
The baseline is largely a collection of Settings Catalog configurations that will give you a good starting point from the endpoint security stance. From there you can tweak and work out your custom business requirements.
Condensing the thoughts
Configure Intune to meet the end-user requirement, with all the apps and settings they need
Communicate that things change, and you’re there to help
Get the end-user to follow the Autopilot user-driven enrolment process
Don’t break the user-space unless it meets a real business requirement
Like smartphones and desktop operating systems, one’s chosen web browser is always a topic of fierce emotional debate. It is very hard to convince someone to make the switch when they’ve been using something that’s pretty good for the best part of a decade. It took a while for Microsoft to add enough of the end-user expectations in Edge to make it a worthy alternative as people have gotten so used to extensions, profile syncing, themes, and the compatibility that Chromium offered them.
Today, I feel that Microsoft Edge is the best browser for business, not only because it wins in performance and security tests, but also because it simplifies life for both users and admins.
Compatibility & Performance
Since 2020, Edge has been built on Chromium, the same engine used by Google Chrome and many other browsers.
Given this fact, it mostly* nulls the argument around how Edge is comparatively worse than Chrome, since the fundamental functions are shared.
*There are a small number of sites that require Google Chrome by developer choice.
Since Microsoft has a large enterprise customer base to cater for, Edge also has Internet Explorer mode built in which IT admins can configure to allow users to retain access to legacy sites that aren’t compatible with modern standards.
Microsoft Edge puts tabs to “sleep” when you’re not using them. This boosts your browser’s performance by releasing system resources like memory and CPU, to help ensure that the tabs you’re using have the resources they need.
I’ve seen people using Chrome or Firefox extensions to achieve the same thing. It’s native in Edge, and fully customisable by the admin or end-user. For example, you may wish to add your Dynamics 365 URL to the list of sites that shouldn’t sleep.
We’ve all seen the memes…
Microsoft has done a lot to address this issue and Toms Guide tested this back in 2021.
For the IT admins
You only need to manage one browser!
While Intune has the settings available for both Chrome and Edge, you still need to manually upload ADMX files to handle Firefox. The more browsers you allow, the more attack surface you carry within your org. Firefox does not offer the same granularity of security controls as Chrome or Edge, and it’s missing SmartScreen, your end-user’s first line of defence if they find themselves on the wrong side of the internet.
For the end-users
You only need to use one browser!
In addition to ensuring legacy compatibility, we’re able to configure Edge to force synchronisation of the browser profile, meaning the experience is the same wherever you sign in with the work account (more on this later). We can push a managed favourites folder right on the bookmarks bar to give users a consistent experience when they need to navigate to work resources.
What about Add-ons and extensions?
For the big ones, there’s likely an Edge equivalent in the Edge Add-ons store – if it’s not there, extensions from the Chrome Web Store can be permitted to run in Edge.
If you decide to enforce web content filtering included with many of the Microsoft SKUs, like Business Premium for example, Edge will give the end-users the clearest indication of why something has been blocked.
If the end-user has strict notification settings, they may not even see it on Firefox or Chrome.
If nothing else, this is the bit of this article that should get your attention.
Using Microsoft Edge exclusively is a method of data loss prevention.
Picture this: a user installs Chrome, Firefox, or another unknown browser on their work device, and they sign into it using their personal Google account (in the case of Chrome), then they sync their personal stuff onto the work device.
Firstly, we don’t want personal stuff on work devices. If you haven’t locked Chrome down, all those unknown extensions are about to get installed, what data is that looking at?
The user begins working with various company tools, where are all those passwords synced…? To their Google account, and eventually their home computer.
We have no visibility of where those credentials might be used, and we don’t know if the user’s home computer is already compromised. Why should we care? We’re not responsible for it.
We are responsible for the company data.
“We can lock down Chrome/Firefox to prevent this”
Yes you can.
In my view, to make it secure you’d disable sync, block saving of passwords, prevent extensions being installed, and disable all the other convenience features that create a slick end-user experience across multiple devices, while creating additional work whenever that user changes their PC.
By the time you’ve done this, third-party browsers will operate in a de facto guest mode, adding resistance to the user’s day.
Edge allows the company browsing experience to remain inside a corporate owned account.
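The two configurations this section contrasts, side by side, as an added example that is not from the original post: Edge set up so the corporate experience (sync, favourites, passwords) stays inside the work profile, and Chrome reduced to the “de facto guest mode” described above. It writes the policy registry keys directly, which is fine for a lab or pilot machine; in production you would push the same values through Intune (Settings Catalog for Edge and Chrome, ADMX ingestion for Firefox), but those policies end up as exactly these keys, so this is a quick way to see the resulting experience. The favourites URLs and the extension ID are assumed placeholders.

```powershell
# Added example, not the original post's code. Run elevated on a test machine.
# Assumed values: the two intranet URLs and the 32-character extension ID.
#Requires -RunAsAdministrator
$edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-Policy([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord') {
    # Policy keys do not exist on a clean machine; -Force creates or reuses them.
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# --- Edge: the corporate browsing experience stays in the work account --------
Set-Policy $edge 'BrowserSignin'              1   # work sign-in allowed
Set-Policy $edge 'NonRemovableProfileEnabled' 1   # the work profile cannot be removed
Set-Policy $edge 'ForceSync'                  1   # sync on, no consent prompt
Set-Policy $edge 'PasswordManagerEnabled'     1   # passwords saved into the work profile
Set-Policy $edge 'SmartScreenEnabled'         1
# Managed favourites: a JSON array whose first element names the folder on the bar.
$favourites = ConvertTo-Json -Compress -InputObject @(
    [ordered]@{ toplevel_name = 'Work' },
    [ordered]@{ name = 'Intranet'; url = 'https://intranet.contoso.example' },   # assumed
    [ordered]@{ name = 'Helpdesk'; url = 'https://helpdesk.contoso.example' }    # assumed
)
Set-Policy $edge 'ManagedFavorites' $favourites 'String'
# Let one Chrome Web Store extension run in Edge, by ID (assumed placeholder ID).
Set-Policy "$edge\ExtensionInstallAllowlist" '1' 'abcdefghijklmnopabcdefghijklmnop' 'String'

# --- Chrome: the lockdown that turns it into a guest browser --------------------
Set-Policy $chrome 'BrowserSignin'          0   # no Google account sign-in at all
Set-Policy $chrome 'SyncDisabled'           1   # nothing leaves the device via sync
Set-Policy $chrome 'PasswordManagerEnabled' 0   # no corporate passwords saved here
Set-Policy "$chrome\ExtensionInstallBlocklist" '1' '*' 'String'   # block every extension

# Show what was written; edge://policy and chrome://policy show the same values.
Get-ItemProperty -Path $edge, $chrome | Format-List
```

Note what the Chrome half costs the user: no sync, no saved passwords, no extensions. That is the point the section makes; the lockdown is possible, but by the time it is “secure” there is little reason left to use Chrome over the managed Edge profile.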
Limit egress with Conditional Access
We create a policy that says: a work account can only be signed into Edge on a compliant, company-owned device.
The user cannot go home and sync data to their personal device, and when they leave the company the account and all associated data is cleared. In addition, we should tweak our internal IT policy so that it states corporate-owned devices shouldn’t be used for personal affairs.
The end result is both your end-users and IT teams have an easier job when it comes to browsing the web.
For next level security, we can use Edge Application Guard windows… but that’s for a future post.
This isn’t supposed to be a sales pitch, but an insight to how the single pane of glass approach can both fortify your company’s security posture while also being a win for the financial chart enjoyers.
It’s become a bit of an internal meme/joke that I’m always pushing for Business Premium so I thought it was time to explain myself in writing.
My journey to modern endpoint management
Our focus today will be for Windows + BYOD iOS/Android.
The days of imaging workstations are pretty much over. The Microsoft Deployment Toolkit was released in 2003 and served us well all the way up until Windows 10.
In my first job we had on-premises Active Directory and a Windows Deployment Server working with Microsoft Deployment Toolkit. One of my jobs as an IT apprentice was to image laptops for new starters or refresh existing hardware to resolve performance issues.
Our MDT server worked, but the golden image hadn’t been updated in a while and it added about two hours onto every build while I waited for Windows 7 to finish updating (yes Windows 7 was where my professional life began, apologies if that makes you feel old). This bothered me because it meant I had to babysit each machine until it was ready to go. This is where my journey into endpoint management started.
I took it upon myself to figure out how MDT worked since the guy who set it up had left, and I relied on blog resources like 4Sysops and Deployment Bunny as well as various YouTube videos to get the job done. Initially I broke it, no one could image anything, we were back to USB installation and everything beyond that was manual for a while. I panicked a bit, and the fear of being sacked drove me to properly work this stuff out.
A few months pass and I’m at a point where we have a new MDT instance using the Total Control method of driver installation, deploying all the apps and task sequences we needed, joining to our domain, and applying the correct Volume License key. Win!
So this is great, I no longer have to manually build machines. Now what? Those machines are joining a domain where we have a whole list of Group Policy Objects being applied to them, Windows Server Update Services governing updates, and a centrally managed AV product (which I will not name) hosted on-prem which they need to contact for definition updates. What happens when users take those laptops home and don’t connect to the VPN?
Nothing. They are AWOL. We didn’t have any RMM software, and some of those users wouldn’t connect in for weeks/months depending on their role.
This bothered me. I remember thinking to myself “I can’t be the only one who has these concerns.” I didn’t have the industry experience to know of anything better. Of course now you could enforce always-on VPN, paired with GPOs that tell clients to get Windows updates via Microsoft’s CDN and pick an AV product that isn’t stuck in 2001, but you get the idea.
Fast forward a few years later where I was now working for an MSP. We have lots of different environments and endpoints to look after. The customers were at various levels of modernisation. But something was changing. I wasn’t looking after 400+ computers anymore; smaller user bases and budgets meant that not everyone could justify having enterprise equipment. It made them more agile.
My role adapted from purely tech to having to think about which Microsoft licenses to provision. I read the spec sheets comparing the three main M365 Business SKUs, trying to work out what exactly the customers would be getting for their £X per month…
Intune? What’s this?
A cloud MDM that allows you to manage updates, policies, and custom application deployments from a web portal without the expense of enterprise servers! It’s like cloud GPOs! (future blog will clarify what I mean on the GPO bit) I always did enjoy making those on AD – I did not enjoy waiting weeks with no easy way to tell if people got my new settings.
Using our MS Partner Action Pack benefits, I got myself a CDX tenant which is pre-hydrated with M365 Business Premium and demo users, and spun up a Hyper-V VM with Windows 10 and spent a few weeks playing around with Autopilot and Intune.
We configure Intune to be our “Golden Configuration”, we register our devices into Autopilot, and hand it over to the end-user to complete the OOBE.
This is what I’ve been looking for. This is the future.
The catalyst for remote working
So, there was this big thing that happened in 2019 or something, it led to scenes where people were taking their entire office setup home: chairs, computers, staplers, biscuits, and teabags etc.
Wait, they were taking their computers into their home network? The same computers that are behind our uber next-gen firewalls here in the office?
Yeah, just login as normal and carry on, we'll send you VPN instructions via email. - Flustered IT Professionals | Location: Global
The trouble is, this changed things forever. We won’t delve into what a cyber security catastrophe this caused, but we’ll focus on what it meant for workplace modernisation.
Microsoft had record numbers of Teams users, which expedited the development of that product significantly; I’d say it also greatly contributed to their decision to include Defender for Business within Business Premium, since SMBs represent 90% of businesses worldwide. IT departments had to pivot their device lifecycle strategies to assume the endpoints are always operating on unknown networks.
Consolidating your product stack
IT Managers and financial decision makers, this bit is for you!
A very common scenario I see is where prospective customers have Microsoft licensing entitlements to use Defender for Endpoint but aren’t using it. Sometimes they also have every device in their environment Intune enrolled too.
When I’m on these sorts of discovery calls, this is where the educational bit comes in. I ask how and why they picked a particular third-party vendor, and often it’s because that’s what they’ve always used. They haven’t had any major security incidents, it’s a set and forget exercise, and it ticks a box for their internal assessments.
Then I ask what other vendors they have.
We have web content filtering with X
We have spam filtering with Y
We have vulnerable app detection with Z
How much is that costing you? Not just raw $$$s, but time too. Those are three products, with potentially three login portals (although hopefully they allow Azure AD SSO) and three additional things to teach your helpdesk to use – none of which talk to each other.
Some of the Business Premium flavours of those features are the starting point in the Microsoft stack, for example the web content filtering won’t let you have different blocking groups by devices etc. But the main point here is that BP is the baseline suite of products for a good security posture. We haven’t even got onto identity protection yet.
Peas and Carrots
Intune and Defender for Endpoint work really well together. They’re designed to!
Once you’ve enabled the Microsoft Defender for Endpoint connector under Tenant administration in Intune, your onboarding blob under the Endpoint detection and response blade in the Intune portal will know where to send your devices once they get the config profile applied.
Is that it?
A common phrase I use when talking to people about these products is that Microsoft provide the best tools, but they rely on teams of dedicated and engaged people to be able to deploy them properly. Defender for Endpoint is not a one-click installation.
How should Defender be managed?
If you refer to this document over on Microsoft Learn, you’ll see that most of the management boxes for DfE are ticked on the Intune column. That’s my preferred route of configuration, maintenance, and troubleshooting.
Bringing the focus back to Business Premium, you have an enterprise-grade AV/EDR solution right at your fingertips, and each user can have multiple protected devices.
This article isn’t designed to duplicate information you can find easily available from Microsoft resources but aims to help you challenge your internal processes and vendors.
Watch the Microsoft Mechanics overview to learn more –
Cloud MDM and AV, what else?
We’ve got secure devices, how do we ensure that end-users have the security they need?
A hot take is that if you have nothing else enforced, and if you only did CA policies well, you’ll prevent the vast majority of cyber-attacks within your business.
Business Premium gives you the product: Azure AD Premium P1 (now Entra ID P1). This lets you enforce Multi-Factor Authentication with customised and automated policy control.
“But security defaults are switched on with my Exchange Online Plan 1 license”
They aren’t the same thing. While Security Defaults will block legacy authentication and require MFA, there’s no customisation around locations, apps, users or device types. It probably also means you’re on Azure AD Free, which only retains 7 days of sign-in log data.
I’ve seen all sorts of scenarios where companies have tried to PowerShell their way around the limitations of Security Defaults. The end result is usually user error, and it could cause a breach if not dealt with promptly.
I’m going to talk about Intune again.
Within Intune you can create a device compliance policy. For example, do Windows enrolled devices meet the following criteria:
Defender for Endpoint machine risk score – be careful with this one
BitLocker drive encryption
If a device doesn’t meet those requirements, we can use Conditional Access to block it from accessing anything that relies on the Microsoft 365 account login. The other benefit of this policy is that it blocks access from non-company-owned devices, since a device that isn’t enrolled can never be marked compliant.
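The compliance policy just described, created with the Microsoft Graph PowerShell SDK, followed by a quick “who is non-compliant right now” report. This is an added example, not the post’s own configuration; the policy name and the risk-score threshold are choices of mine, and the threshold is where the “be careful with this one” caveat lands.

```powershell
# Added example, not the original post's code: a Windows compliance policy requiring
# BitLocker, Secure Boot and a Defender for Endpoint risk score no worse than Medium,
# assigned to all devices. Assumed: the policy name and the 'medium' threshold.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                         'DeviceManagementManagedDevices.Read.All'

$body = @{
    '@odata.type'        = '#microsoft.graph.windows10CompliancePolicy'
    displayName          = 'Windows - Corporate baseline'
    description          = 'BitLocker, Secure Boot, Defender machine risk at or below Medium'
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Defender for Endpoint machine risk score. 'medium' only fails devices Defender
    # rates High. Starting at 'low' means one noisy alert locks a user out of everything
    # until someone in the SOC clears it, which is the caveat above.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Graph rejects a compliance policy with no action block. gracePeriodHours = 0
    # marks the device non-compliant immediately, which is what Conditional Access
    # keys off; a grace period of a few days is kinder for an initial rollout.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
"Created compliance policy $($policy.Id)"

# Assign to all devices. Personal devices are not enrolled, so they can never
# satisfy the 'compliant device' grant control in Conditional Access.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $assign `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"

# Report: devices that would be blocked by a "require compliant device" CA policy today.
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, LastSyncDateTime
```

Run the report before the Conditional Access policy that requires a compliant device goes live (with the grant control set to “Require device to be marked as compliant”): every device in that list is a helpdesk ticket the moment the policy is enforced, so fix the BitLocker and Secure Boot stragglers first.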
A monumental red flag that I hardly see any businesses protecting from is access to work resources from personal machines. Even IT providers don’t have this stuff enabled most of the time.
I made a post on LinkedIn recently to get people thinking about this.
Bring your own device
On the subject of being all modern with BYOD, how do we manage this aspect? People want the flexibility of viewing emails and Teams chats away from the PC, but again, how are we preventing that data leaking out via their personal phones?
App Protection Policies backed by Conditional Access
In my opinion, personally owned Windows and macOS devices are simply out of the question when it comes to directly accessing work data from them. My CA policy would require a compliant Intune managed corporate owned device.
For mobile devices, there are secure controls for it. Using Intune App Protection Policies, we can define a secure, containerised environment for our corp data to be accessed from the personal Android/iOS device. One of the default policy types is a profile to protect all data that is accessed via M365 apps.
We can enforce encryption, and require secondary access requirements like prompting for biometric input or PIN before the work app is launched.
These policies prevent data from being copy/pasted into apps like WhatsApp or Facebook messenger. If the user leaves or loses their phone, we’re able to remove the corporate data right from the Intune portal.
Without these policies in place, if an employee is suddenly made to leave the company, they can quickly egress data to other mediums that could include company secrets and intellectual property.
Manage this with Business Premium!
We haven’t even talked about productivity
You already know about Microsoft Office and Exchange Online, that was the big project for you five years ago.
The big project for you now is managing a remote workforce and the new security challenges that come with it, which is why smart IT companies have pivoted to offering cyber security services as a priority. The main product isn’t actually cyber security, though; it’s business availability assurance.
The days for companies only selling email and access to Office 365 desktop applications are numbered. Providers who engage proactively with the latest trends and recommendations are not only the best choice for their customers, but also securing their own future and growth.
If you are part of an organisation who still implements on-premises Active Directory servers for every single client no matter scope or size, then it’s only a matter of time before the directors at your client companies hear something more exciting from their friends and begin the hunt for a provider who can modernise them.
Microsoft 365 Business Premium, in my view, is the single best package out there to make a start on the modern workplace journey if you’ve got under 300 users (Microsoft caps Business Premium at 300 licences per tenant).