This isn’t supposed to be a sales pitch, but an insight into how the single pane of glass approach can fortify your company’s security posture while also being a win for the financial chart enjoyers.
It’s become a bit of an internal meme/joke that I’m always pushing for Business Premium so I thought it was time to explain myself in writing.
My journey to modern endpoint management
Our focus today will be for Windows + BYOD iOS/Android.
The days of imaging workstations are pretty much over. The Microsoft Deployment Toolkit was released in 2003 and served us well all the way up until Windows 10.
MDT doesn’t list Windows 11 in its list of supported client devices. Take that as the hint to modernise your approach.
What does Intune do and why is it exciting?
In my first job we had on-premises Active Directory and a Windows Deployment Server working with Microsoft Deployment Toolkit. One of my jobs as an IT apprentice was to image laptops for new starters or refresh existing hardware to resolve performance issues.
Our MDT server worked, but the golden image hadn’t been updated in a while and it added about two hours onto every build while I waited for Windows 7 to finish updating (yes Windows 7 was where my professional life began, apologies if that makes you feel old). This bothered me because it meant I had to babysit each machine until it was ready to go. This is where my journey into endpoint management started.
I took it upon myself to figure out how MDT worked since the guy who set it up had left, and I relied on blog resources like 4Sysops and Deployment Bunny as well as various YouTube videos to get the job done. Initially I broke it: no one could image anything, we were back to USB installation, and everything beyond that was manual for a while. I panicked a bit, and the fear of being sacked drove me to properly work this stuff out.
A few months pass and I’m at a point where we have a new MDT instance using the Total Control method of driver installation, deploying all the apps and task sequences we needed, joining to our domain, and applying the correct Volume License key. Win!
So this is great, I no longer have to manually build machines. Now what? Those machines are joining a domain where we have a whole list of Group Policy Objects being applied to them, Windows Server Update Services governing updates, and a centrally managed AV product (which I will not name) hosted on-prem which they need to contact for definition updates. What happens when users take those laptops home and don’t connect to the VPN?
Nothing. They are AWOL. We didn’t have any RMM software, and some of those users wouldn’t connect in for weeks/months depending on their role.
This bothered me. I remember thinking to myself “I can’t be the only one who has these concerns.” I didn’t have the industry experience to know of anything better. Of course now you could enforce always-on VPN, paired with GPOs that tell clients to get Windows updates via Microsoft’s CDN and pick an AV product that isn’t stuck in 2001, but you get the idea.
Fast forward a few years later where I was now working for an MSP. We have lots of different environments and endpoints to look after. The customers were at various levels of modernisation. But something was changing. I wasn’t looking after 400+ computers anymore; smaller user bases and budgets meant that not everyone could justify having enterprise equipment. It made them more agile.
My role adapted from purely tech to having to think about which Microsoft licenses to provision. I read the spec sheets comparing the three main M365 Business SKUs, trying to work out what exactly the customers would be getting for their £X per month…
Intune? What’s this?
A cloud MDM that allows you to manage updates, policies, and custom application deployments from a web portal without the expense of enterprise servers! It’s like cloud GPOs! (A future blog will clarify what I mean on the GPO bit.) I always did enjoy making those on AD – I did not enjoy waiting weeks with no easy way to tell if people got my new settings.
Using our MS Partner Action Pack benefits, I got myself a CDX tenant which is pre-hydrated with M365 Business Premium and demo users, and spun up a Hyper-V VM with Windows 10 and spent a few weeks playing around with Autopilot and Intune.
We configure Intune to be our “Golden Configuration”, we register our devices into Autopilot, and hand it over to the end-user to complete the OOBE.
This is what I’ve been looking for. This is the future.
The catalyst for remote working
So, there was this big thing that happened in 2019 or something, it led to scenes where people were taking their entire office setup home: chairs, computers, staplers, biscuits, teabags etc.
Wait, they were taking their computers into their home network? The same computers that are behind our uber next-gen firewalls here in the office?
Yeah, just login as normal and carry on, we'll send you VPN instructions via email. - Flustered IT Professionals | Location: Global
The trouble is, this changed things forever. We won’t delve into what a cyber security catastrophe this caused, but we’ll focus on what it meant for workplace modernisation.
Microsoft had record numbers of Teams users, which expedited the development of that product significantly. I’d say it also greatly contributed to their decision to include Defender for Business within Business Premium, since SMBs represent 90% of businesses worldwide. IT departments had to pivot their device lifecycle strategies to assume the endpoints are always operating in unknown territories and networks.
Consolidating your product stack
IT Managers and financial decision makers, this bit is for you!
A very common scenario I see is where prospective customers have Microsoft licensing entitlements to use Defender for Endpoint but aren’t using it. Sometimes they also have every device in their environment Intune enrolled too.
When I’m on these sorts of discovery calls, this is where the educational bit comes in. I ask how and why they picked a particular third-party vendor, and often it’s because that’s what they’ve always used. They haven’t had any major security incidents, it’s a set and forget exercise, and it ticks a box for their internal assessments.
Then I ask what other vendors they have.
- We have web content filtering with X
- We have spam filtering with Y
- We have vulnerable app detection with Z
How much is that costing you? Not just raw $$$s, but time too. Those are three products, with potentially three login portals (although hopefully they allow Azure AD SSO) and three additional things to teach your helpdesk to use – none of which talk to each other.
Some of the Business Premium flavours of those features are the starting point in the Microsoft stack; for example, the web content filtering won’t let you have different blocking groups by device. But the main point here is that BP is the baseline suite of products for a good security posture. We haven’t even got onto identity protection yet.
Peas and Carrots
Intune and Defender for Endpoint work really well together. They’re designed to!
You can start by enabling this relationship over at https://security.microsoft.com
Once you’ve done that, your onboarding blob under the Endpoint detection and response blade in the Intune portal will know where to send your devices once they get the config profile applied.
Is that it?
A common phrase I use when talking to people about these products is that Microsoft provide the best tools, but they rely on teams of dedicated and engaged people to be able to deploy them properly. Defender for Endpoint is not a one-click installation.
How should Defender be managed?
If you refer to this document over on Microsoft Learn, you’ll see that most of the management boxes for DfE are ticked on the Intune column. That’s my preferred route of configuration, maintenance, and troubleshooting.
Bringing the focus back to Business Premium, you have an enterprise-grade AV/EDR solution right at your fingertips, and each user can have multiple protected devices.
This article isn’t designed to duplicate information you can find easily available from Microsoft resources but aims to help you challenge your internal processes and vendors.
Watch the Microsoft Mechanics overview to learn more –
Cloud MDM and AV, what else?
We’ve got secure devices, how do we ensure that end-users have the security they need?
A hot take: if you enforce nothing else but do your Conditional Access policies well, you’ll prevent the vast majority of cyber-attacks within your business.
Business Premium gives you the product: Azure AD Premium P1. This lets you enforce Multi-Factor Authentication with customised and automated policy control.
“But security defaults are switched on with my Exchange Online Plan 1 license”
They aren’t the same thing. While Security Defaults will block legacy auth methods and enforce MFA, there’s no customisation around locations, apps, users or device types. It probably means you’re on Azure AD Free too, which only gives you 7 days of log data.
I’ve seen all sorts of scenarios where companies have tried to PowerShell their way around the limitations of the Security Defaults settings. The end result is usually user error, which could cause a breach if not dealt with promptly.
I’m going to talk about Intune again.
Within Intune you can create a device compliance policy. For example, do Windows-enrolled devices meet the following criteria:
- Firewall enabled
- AV enabled
- Defender risk score – be careful with this one
- BitLocker drive encryption
- Complex password
If a device doesn’t meet those requirements, we can prevent it from accessing anything that relies on the Microsoft 365 account login using Conditional Access. The other benefit of this policy is that it blocks non-company-owned devices too, since a device that isn’t enrolled in Intune can never be marked compliant.
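To make the compliance-plus-Conditional-Access pairing above concrete, here is an added example (not code from the original post) that creates the compliance policy and the CA policy that requires it using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and an admin with the listed scopes; the policy names, the 24-hour grace period and the break-glass group placeholder are my own choices.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Policy.ReadWrite.ConditionalAccess"

# Windows compliance policy: the five criteria from the list above.
$compliance = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win - Baseline compliance"        # name is my choice
    activeFirewallRequired = $true
    antivirusRequired      = $true
    bitLockerEnabled       = $true
    passwordRequired       = $true
    passwordMinimumLength  = 12
    passwordRequiredType   = "alphanumeric"
    # Defender for Endpoint risk score. "medium" tolerates low-severity findings;
    # "secured" (no findings at all) is the setting that locks users out on a false positive.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Graph requires a scheduled action; a 24h grace period lets the user fix the issue first.
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 24 })
    })
}
Invoke-MgGraphRequest -Method POST -Body $compliance `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

# Conditional Access: all users, all cloud apps, Windows platform -> compliant device required.
# A personal PC is never Intune-enrolled, so it can never be compliant and is blocked as well.
# Start in report-only so the sign-in logs show who would be blocked before you enforce it.
$ca = @{
    displayName   = "CA - Require compliant Windows device"      # name is my choice
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-object-id>") }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST -Body $ca `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
```

Switch the CA policy to state "enabled" only after the report-only results look right and the break-glass account exclusion is confirmed.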
A monumental red flag that I hardly see any businesses protecting against is access to work resources from personal machines. Even IT providers don’t have this stuff enabled most of the time.
I made a post on LinkedIn recently to get people thinking about this.
Bring your own device
On the subject of being all modern with BYOD, how do we manage this aspect? People want the flexibility of viewing emails and Teams chats away from the PC, but again, how are we preventing that data leaking out via their personal phones?
App Protection Policies backed by Conditional Access
In my opinion, personally owned Windows and macOS devices are simply out of the question when it comes to directly accessing work data from them. My CA policy would require a compliant Intune managed corporate owned device.
For mobile devices, there are secure controls for it. Using Intune App Protection Policies, we can define a secure, containerised environment for our corp data to be accessed from the personal Android/iOS device. One of the default policy types is a profile to protect all data that is accessed via M365 apps.
We can enforce encryption, and require secondary access requirements like prompting for biometric input or PIN before the work app is launched.
These policies prevent data from being copy/pasted into apps like WhatsApp or Facebook Messenger. If the user leaves or loses their phone, we’re able to remove the corporate data right from the Intune portal.
Without these policies in place, if an employee is suddenly made to leave the company, they can quickly egress data to other mediums that could include company secrets and intellectual property.
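The App Protection Policy controls described above, as an added example (not code from the original post): an iOS policy with PIN/biometric access requirements, container-only data transfer and jailbreak blocking, created with the Microsoft Graph PowerShell SDK and then targeted at Outlook and Teams. It assumes the Microsoft.Graph module is installed; the policy name and the timeout values are my own choices.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS - Corp data in M365 apps (BYOD)"   # name is my choice
    # Access requirements: PIN or biometric before the work app opens.
    pinRequired                       = $true
    minimumPinLength                  = 6
    pinCharacterSet                   = "numeric"
    fingerprintBlocked                = $false   # Touch ID / Face ID may stand in for the PIN
    faceIdBlocked                     = $false
    periodOnlineBeforeAccessCheck     = "PT30M"  # re-check access every 30 minutes while online
    periodOfflineBeforeAccessCheck    = "PT12H"  # PIN prompt after 12 hours offline
    periodOfflineBeforeWipeIsEnforced = "P90D"   # selective wipe of corp data after 90 days offline
    # Data protection: corp data stays inside the managed-app container.
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # no paste into WhatsApp etc.
    saveAsBlocked                     = $true
    printBlocked                      = $true
    dataBackupBlocked                 = $true    # keep corp data out of iCloud backups
    contactSyncBlocked                = $true
    organizationalCredentialsRequired = $true
    managedBrowserToOpenLinksRequired = $true
    # Conditional launch: block jailbroken devices, wipe corp data after too many wrong PINs.
    deviceComplianceRequired             = $true
    maximumPinRetries                    = 5
    appActionIfMaximumPinRetriesExceeded = "wipe"
}
$created = Invoke-MgGraphRequest -Method POST -Body $policy `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Scope the policy to the apps that hold corp data (iOS bundle IDs of the Microsoft apps).
$targets = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $targets `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps"
```

The policy still needs an assignment to a user group before it takes effect, and the "require compliant device" CA rule for Windows/macOS from the previous section is what keeps personal desktops out entirely.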
Manage this with Business Premium!
We haven’t even talked about productivity
You already know about Microsoft Office and Exchange Online, that was the big project for you five years ago.
The big project for you now is managing a remote workforce and the new security challenges that come with it. That is why smart IT companies have pivoted to offering cyber security services as a priority product, although the main product isn’t actually cyber security, it’s business availability assurance.
The days of companies only selling email and access to Office 365 desktop applications are numbered. Providers who engage proactively with the latest trends and recommendations are not only the best choice for their customers, but are also securing their own future and growth.
If you are part of an organisation that still implements on-premises Active Directory servers for every single client, no matter the scope or size, then it’s only a matter of time before the directors at your client companies hear something more exciting from their friends and begin the hunt for a provider who can modernise them.
Microsoft 365 Business Premium, in my view, is the single best package out there to make a start on the modern workplace journey if you’ve got under 300 users (tenant limit from MS).
Thanks for reading!