Last month, I released an article about why you should consider Microsoft for your IT Security. I talked about how Microsoft’s solution has matured and how it can help organisations do more with less. Now I would like to talk about what that solution could look like as an end-to-end suite of tools that can help protect your identities, endpoints, data, applications, and infrastructure.
To do this, I aim to release a series of articles that introduce each pillar of the Microsoft Security Suite, with an overview of its capabilities, features, and what role it performs in the solution.
The Microsoft Security suite of products contains the following:
- Microsoft Defender 365 – Defend across the Attack Chain to protect against external threats.
- Microsoft Sentinel – Collect, analyse, and respond to alerts and incidents picked up by your security tools, such as Defender, Entra and Purview.
- Microsoft Entra – Identity and Access Management platform that can protect your identities and access to your corporate resources.
- Microsoft Intune – Endpoint Management platform that manages and secures all endpoints in your estate.
- Microsoft Purview – Secure your sensitive data and protect against internal threats.
- Microsoft Priva – Manage the risks of handling sensitive information within Microsoft 365.
The fourth pillar is Microsoft Intune, which I will discuss in this article. Intune is Microsoft’s cloud-native endpoint management solution. It allows you to manage enrolled devices, install applications and configure endpoints to secure them and protect your users and data from threats. Intune can manage endpoints including Windows, iOS, iPadOS, Android, macOS, Chrome OS and Linux.
Your endpoints are your window into your corporate environment to access your resources. It is important that these resources are protected at the endpoint layer, as a compromised endpoint is a major risk. Intune has many features available to it, but I want to focus on those that are security focused and should be considered to integrate alongside the other components of the Microsoft Security solution.
Zero touch deployments
The deployment of managed endpoints may not seem like a security component, but I believe it plays a big part. Microsoft’s Digital Defence Report 2023 showed that “80-90% of all compromises originate from unmanaged devices”. And what’s the first thing that happens to a managed device? It is “built” in some way, whether that be through a gold image, such as Windows with Configuration Manager, or through zero-touch deployment methods such as the options below that integrate with Intune:
- Windows Autopilot
- Google Zero Touch
- Apple Automated Device Enrolment
The main security benefit of zero touch deployments is that once the endpoint completes its Out of the Box Experience (OOBE), it is enrolled into Intune and receives all assigned policies, whether security or configuration, as well as applications.
This ensures that endpoints will have the required configuration and be enrolled into Intune (and therefore managed) from the moment the user starts to use it.
The use of zero touch deployments does require good management of your endpoints. They must be onboarded into each program for them to be deployed properly.
Compliance Policies play a large part in securing access to your corporate resources and securing your endpoints. Within Intune, device compliance policies are applied to devices and act as a check against the endpoints to ensure that they meet your minimum security requirements. For example, your policy may state that Windows devices must have antivirus installed and the hard drive must be encrypted. Or, for mobile devices, a password must be configured and the device must meet the minimum operating system level.
Once a policy is assigned to an endpoint, the compliance of that endpoint is checked around every 8 hours. If a device does not meet the configuration set out in the policy, it is marked as noncompliant. When a device is marked as noncompliant, you can perform some actions automatically, such as notify the end user or even add it to the retire list.
This is the most basic use of device compliance, and you can generate reports showcasing which devices are noncompliant in your environment so that action can be taken. However, the real power of Compliance Policies comes when they are integrated with Microsoft Entra Conditional Access.
My previous article has more information on Conditional Access, but put simply, it allows you to control how your users can access your corporate resources when they authenticate through Microsoft Entra. One of the key access controls is endpoint compliance. For instance, you can have a policy that only allows your users to access applications integrated with Microsoft Entra (such as Microsoft 365) if their endpoint is listed as compliant. If their endpoint is not compliant, for instance, their Operating System does not meet the minimum set in the policy, then they will be prevented from accessing their applications.
Compliance policies and Conditional Access can also work well with Microsoft Defender for Endpoint (MDE). MDE allows for endpoints to be given a risk level. This risk level is based on any threats that may occur on the endpoint and can be used as a condition in your policies. For example, you may wish to require that endpoints have a risk level of low or below to be compliant.
All the above examples help prevent endpoints that do not meet your security standards from accessing your applications or data, and protect those resources from potentially risky devices.
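To make the compliance and Conditional Access integration described above concrete, here is an added example (not from the original article) that creates the Windows compliance policy from the text with Microsoft Graph PowerShell and then creates a report-only Conditional Access policy that requires a compliant device. It assumes the Microsoft.Graph module is installed, an account that can consent to the listed scopes, and that the Defender for Endpoint connector is already enabled in Intune; the OS build and the break-glass group id are constructed placeholder values to replace with your own.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# PowerShell module and consent to the scopes below.
Connect-MgGraph -NoWelcome -Scopes @(
    "DeviceManagementConfiguration.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All"
)

# Placeholder: object id of your emergency-access group, excluded so a broken
# compliance signal cannot lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$compliance = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - minimum security requirements"
    description   = "Antivirus running, disk encrypted, supported OS build, MDE risk low or below"

    # "Windows devices must have antivirus installed": Defender (or a registered AV) on,
    # with real-time protection enabled.
    antivirusRequired = $true
    defenderEnabled   = $true
    rtpEnabled        = $true

    # "the hard drive must be encrypted": BitLocker on the OS drive and storage encryption.
    bitLockerEnabled         = $true
    storageRequireEncryption = $true

    # Minimum OS level. Constructed example value (a Windows 11 23H2 build); set your own.
    osMinimumVersion = "10.0.22631.0"

    # MDE integration: the machine risk score from Defender for Endpoint must be
    # "low" or below, otherwise the device is marked noncompliant.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"

    # Actions for noncompliance, applied as each grace period expires. Graph rejects a
    # compliance policy with no scheduled action, so at least a block action is required.
    # A "notification" action can be added here too but needs the id of an existing
    # Intune notification message template.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";  gracePeriodHours = 24 }   # lose access after a day
                @{ actionType = "retire"; gracePeriodHours = 720 }  # retire after 30 days
            )
        }
    )
}

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $compliance

# Assign the compliance policy to all devices (scope to a pilot group first in production).
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
        )
    }

# Conditional Access: only compliant devices may reach cloud apps. Created in
# report-only mode so the sign-in logs show who would be blocked before enforcing.
$conditionalAccess = @{
    displayName = "Require compliant device for all cloud apps (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $conditionalAccess
```

The Conditional Access policy is deliberately left in report-only mode: switch `state` to `enabled` only after reviewing the report-only results in the Entra sign-in logs, because a misconfigured compliance rule (for example an `osMinimumVersion` ahead of what your estate runs) would otherwise block every user at once.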
Intune provides several ways to manage the security of your endpoints:
- Security Baselines
- Endpoint Security Policies
- Integrate with Microsoft Defender for Endpoint
Microsoft Intune comes with 5 security baselines that can be applied to Windows endpoints. These baselines provide Microsoft-recommended configuration for your endpoints and can be used as an initial baseline for you to configure and work with, or as something to compare your current configuration against. The 5 baselines provided are:
- Security baseline for Windows 10 and later – This baseline provides the minimum recommended security configuration for Windows 10 and 11 endpoints.
- Microsoft Defender for Endpoint Baseline – This baseline extends the recommended security configuration for Windows 10 and 11 endpoints and includes recommended configuration for Defender features such as Attack Surface Reduction and Microsoft Defender.
- Security Baseline for Microsoft Edge – The baseline for Edge provides the recommended configuration to keep users safe when browsing the Internet via Microsoft Edge.
- Windows 365 Security Baseline – Recommended configuration for Windows 365, Microsoft’s virtual Windows 11 endpoint solution.
- Microsoft 365 Apps for Enterprise Security Baseline – This baseline provides the recommended security configuration for Microsoft 365 Apps for Enterprise and includes settings for Word, Outlook, Excel, PowerPoint, Project, Visio, Access, and Publisher.
These policies provide an excellent baseline to work with. They deploy in the same way normal Intune policies deploy and you do not have to use all settings within the baseline. They can be tailored to your requirements and used alongside your own policies.
The baselines are updated by Microsoft, so you may find that a new baseline with different settings becomes available. This is generally fine when working with just the baselines, but if you have other policies deployed, you will need to do some testing to ensure there are no conflicts in deployment.
Endpoint Security Policies
If the security baselines do not work for you, then you can configure the security of your endpoints yourself through the Endpoint Security Policies. There are several policies available, briefly detailed below:
- Antivirus – Configures the local antivirus agents on Windows, macOS or Linux endpoints.
- Disk Encryption – Configures the encryption settings of the local disks in Windows and macOS endpoints.
- Firewall – Configures the local firewall settings on Windows and macOS endpoints.
- Endpoint Privilege Management – Configures the ability for users to complete tasks that require elevated privileges on the endpoint. This is an add-on feature for Intune that needs to be licensed separately. It applies to Windows endpoints only.
- Endpoint Detection and Response – Configures MDE settings on Windows and Linux endpoints.
- App Control for Business – Configures the apps that are allowed to run on Windows endpoints. This policy is currently in preview.
- Attack Surface Reduction – Configures the settings to reduce the attack surface of your Windows endpoints through Exploit Protection, App and Browser isolation and Device Control. Available for Windows endpoints only.
- Account Protection – Configure policies for Local user group membership, Windows Local Admin Password Solution (LAPS), Windows Hello for Business and Credential Guard. Available for Windows endpoints only.
These policies provide much more granular settings than the baselines and can be tailored to your requirements. They can be used alongside baselines, but it can be a challenge to find conflicts and resolve them.
Defender for Endpoint
I covered Microsoft Defender for Endpoint (MDE) in my first article in this series. But it should be mentioned again here as it integrates directly with Intune and helps to increase the protection of your endpoints.
There are several components of MDE that can protect different types of endpoints, with Windows (10 and 11), Windows Server, macOS, Linux, iOS and Android all being supported. With all managed endpoints onboarded into MDE, you gain increased visibility (especially if the full XDR platform is used) into any threats in your environment.
Keeping your endpoints’ software and applications up to date is a fundamental part of cyber hygiene. Microsoft’s Digital Defence Report 2023 showed that 57% of devices on legacy firmware are exploitable to a high number of Common Vulnerabilities and Exposures (CVEs).
Typically, for endpoints managed in Intune, Windows updates could be managed by Update Policies, iOS updates could be forced with an iOS update policy, and for Android Enterprise corporate endpoints you can manage the automatic update behaviour through an Intune Device Restriction policy.
The most modern method for managing updates on Windows endpoints is through Windows Autopatch. Autopatch is a step up from Update policies in Intune, and the very manual approach to updates with Configuration Manager. Autopatch automatically applies the following updates to your registered endpoints:
- Windows Quality Updates
- Windows Feature Updates
- Microsoft 365 Apps for Enterprise
- Microsoft Edge
- Microsoft Teams
- Windows Drivers and Firmware
Autopatch takes away the manual task of managing which updates are installed and when, or what devices are in what groups. This frees up your time from complex, time consuming monthly patch schedules. It also helps to ensure that your Windows endpoints remain up to date and secure, not just for Windows, but for drivers, firmware, M365 Apps for Enterprise, Teams, and Edge.
There have also been some recent improvements to how you can manage iOS, iPadOS and macOS updates through Declarative Device Management (DDM). This allows you to configure a specific update for endpoints to use and enforce deadlines. This is a new feature that has just been released and more information can be found here.
In the modern IT world, we don’t have to worry about just managed endpoints anymore. Since the pandemic, remote work using personal endpoints has become more common. Users prefer to have the flexibility to work from anywhere, and if personal endpoints are to be considered, there needs to be a level of management to secure your corporate resources.
There are two ways Intune can manage personal endpoints. The devices can be enrolled into Intune and managed just like a corporate endpoint. However, in this article I want to discuss how we can protect corporate data on personal endpoints without enrolling them. App Protection Policies allow for us to manage the data that is containerised in apps on personal devices, specifically iOS, Android, and (more recently) Windows.
As App Protection Policies work at the application layer, the endpoint does not need to be enrolled. This allows us to open access to services such as Email, Teams and SharePoint in our Microsoft 365 tenants and protect the data by enforcing certain behaviours in the apps. Actions such as preventing cut, copy and paste to unmanaged apps, requiring a PIN or biometric to open, preventing save to the local device, and more can be configured to protect the data hosted in the app.
It’s an ideal blend of allowing users to use their personal endpoint and securing your resources. However, this will not work for everyone. Maybe you have users that work with very sensitive data that should not be accessed outside of any managed endpoint. There are still ways to provide limited access from personal devices using a combination of Microsoft Intune App Protection, Microsoft Entra Conditional Access, and Microsoft Purview Information Protection. That may be an article for another day though.
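As an added example (not code from the original article), the following Microsoft Graph PowerShell request expresses the App Protection Policy behaviours described above as an iOS policy: clipboard and data transfer restricted to managed apps, a PIN or biometric required to open, and save-as limited to OneDrive and SharePoint rather than local storage. It assumes the Microsoft.Graph module, consent to DeviceManagementApps.ReadWrite.All, and uses a constructed placeholder for the target user group id.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# PowerShell module and consent to DeviceManagementApps.ReadWrite.All.
Connect-MgGraph -NoWelcome -Scopes "DeviceManagementApps.ReadWrite.All"

# Placeholder: object id of the Entra group holding the BYOD users to target.
$byodUsersGroupId = "00000000-0000-0000-0000-000000000000"

$appProtection = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "BYOD iOS - Microsoft 365 data protection"
    description   = "Containerised M365 data on unenrolled personal iPhones and iPads"

    # Data movement: corporate data may only flow between policy-managed apps.
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    # Cut/copy/paste: paste into managed apps from anywhere, but never out to unmanaged apps.
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    # "Preventing save to local device": only cloud locations are allowed for Save As.
    saveAsBlocked               = $true
    allowedDataStorageLocations = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked = $true   # keep corporate data out of iCloud backups
    printBlocked      = $true

    # Access: a PIN or biometric is needed to open the app.
    pinRequired        = $true
    pinCharacterSet    = "numeric"
    minimumPinLength   = 6
    simplePinBlocked   = $true
    fingerprintBlocked = $false  # allow Touch ID in place of the PIN
    faceIdBlocked      = $false  # allow Face ID in place of the PIN
    periodOnlineBeforeAccessCheck   = "PT30M"  # recheck policy every 30 minutes online
    periodOfflineBeforeAccessCheck  = "PT12H"  # require a check-in after 12 hours offline
    periodOfflineBeforeWipeIsEnforced = "P90D" # selectively wipe app data after 90 days offline

    # Keep app data encrypted while the device is locked and open links in a managed browser.
    appDataEncryptionType             = "whenDeviceLocked"
    managedBrowserToOpenLinksRequired = $true
    managedBrowser                    = "microsoftEdge"
}

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body $appProtection

# Target the apps the policy protects (Outlook and Teams here; add OneDrive,
# SharePoint and the Office apps in the same shape).
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body @{
        apps = @(
            @{
                "@odata.type"       = "#microsoft.graph.managedMobileApp"
                mobileAppIdentifier = @{
                    "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                    bundleId      = "com.microsoft.Office.Outlook"
                }
            }
            @{
                "@odata.type"       = "#microsoft.graph.managedMobileApp"
                mobileAppIdentifier = @{
                    "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                    bundleId      = "com.microsoft.skype.teams"
                }
            }
        )
    }

# Assign the policy to the BYOD user group.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" `
    -Body @{
        assignments = @(
            @{
                target = @{
                    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                    groupId       = $byodUsersGroupId
                }
            }
        )
    }
```

Because the policy applies at the app layer, nothing here requires device enrolment; the settings only take effect inside the targeted apps once the user signs in with a work account, so an unlisted app (or a personal account in the same app) is untouched.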
I’ve highlighted the areas that I believe are crucial to security when managing endpoints through Microsoft Intune. Intune has much more to offer as an endpoint management solution, but the areas I have discussed here fit into the end-to-end security stack offered by Microsoft.
The next post in this series will be focused on Microsoft Purview, which is the platform you can use to protect your data and adhere to legal and compliance regulations.