In the previous parts of this series I have covered:
Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1
We still have some additional device configuration options available to us thanks now to Microsoft Endpoint Manager.
As well as Intune MDM and MAM policies we now have extra Endpoint security policies.
You’ll find these under the Endpoint security menu item on the left and then under the Manage heading as shown above. In there you will find the following options that you can go and configured policies:
– Disk encryption
– Endpoint detection and response
– Attack surface reduction
– Account protection
When you do create an Attack surface reduction policy, for example, you’ll get the option to target device control, attack surface reduction rules, app and browser isolation and so on, as shown above.
If you configure the attack surface reduction rules, as shown above, you’ll see the now familiar configuration settings that you choose from and then save to the policy. You then finally target the policy that you create to a user and/or a device, again just like Intune.
In essence, you now have a number of additional policies, largely focused on Windows 10 device security for now, that can also be applied to your environment.
The challenge here becomes, some of these Endpoint Manager policy settings are unique and some overlap with existing Intune policies that you may have set. If there is a mismatch in the policy settings you have between Endpoint Manager and Intune, these will report as conflicts in the Endpoint Manager portal. So, the trick is to either use the duplicate Endpoint Manager policy settings BUT ensure they are the SAME as what is set in Intune or only have one set of policies (Endpoint Manager or Intune) for the desired option. My opinion would be that if the desired setting option is available in Endpoint Manager policies, set it there and don’t set it in any Intune policy. It is my understanding, that in the long run, Endpoint Manager policies are were Microsoft is investing the most in currently.
In summary then, it is possible to use three sets of policies for your devices:
1. Intune device policies
2. Intune application policies
3. Endpoint Manager policies
You can set any combination of the three, but be careful about creating conflicts as they can be challenging to track down as some settings overlap.
All of these policies can be implemented and accessed with PowerShell, however I would suggest not ‘basic’ PowerShell like you might be used to with Exchange Online for example. Think more of accessing the settings via the Microsoft Graph with PowerShell, which is a little more complex than ‘standard’ Microsoft 365 PowerShell with commands like get-msoluser for example.
There are still more considerations with device management that will be covered in the next article. Hopefully, by now you are beginning to appreciate the power and granularity that is possible with device management from Microsoft 365. However, as they say, “With great power comes great responsibility” (and I would add a lot more complexity).