Modern Device Management with Microsoft 365 Business Premium–Part 5

Previous parts in this series are:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business Premium – Part 3

Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4

One of the biggest challenges with having all of these policies available via Intune MDM, Intune MAM and Endpoint security is working out which settings to configure, and where, so that you end up in a ‘best practices’ state.

[image: Endpoint security – Security baselines]

One of the benefits that Endpoint security provides is the ability to implement Security baselines, as shown above. At the time of writing there is a baseline for Windows 10 security, one for Microsoft Defender ATP and one for Microsoft Edge. Microsoft recently announced that an Office baseline will soon be available.

[image: Microsoft Edge baseline – Create profile]

The idea is that Microsoft publishes a ‘best practices’ baseline, as shown above for Edge, and from it you create a policy, or ‘profile’ as it is called here, that you assign across your environment just like any other policy we have already spoken about.

[image: Security baseline profile]

Rather than you having to work out and apply a range of best practice settings across all the individual policies, you can simply implement these baseline profiles from Microsoft as a starting point.

Another benefit is that, as Microsoft releases updated versions of a baseline, you can move any existing ‘profile’ you have created to the new version and so pick up the updated settings. Note that this does not happen automatically: a profile stays on the baseline version it was created from until you change it.

[image: Microsoft Edge baseline – settings]

When you look at the settings available in these baselines, as shown above for Edge, you’ll notice that they contain many of the same settings available to you in individual Endpoint security policies. Thus, setting them once via a baseline ‘profile’ is a much faster method of implementing these settings. Otherwise, you’d probably have to create multiple individual policies to achieve the same level of protection.

You can, of course, adjust any baseline ‘profile’ that you create. When a new baseline version is available you can apply it to an existing ‘profile’, and at that point you choose whether to keep or discard any custom settings you have made in that ‘profile’, so customisations are not silently lost. You can also create a range of different ‘profiles’ from the same baseline and target them to different audiences in your environment, just as you can with other individual policies from Intune MDM, MAM and Endpoint security.

If you already have individual Endpoint security and Intune policies deployed you will need to be careful when you then start to deploy baseline profiles. If a setting in a baseline profile has a different value from the same setting in a policy you have configured in Intune MDM, MAM or Endpoint security, and both reach the same device, Intune reports a conflict for that setting. Thus, you will either need to make sure that the values are identical across all the policies that you use, or stop using the conflicting policies. Generally, I would suggest that using only the baseline profile for any setting it covers is the best practice approach.

Why do I believe this? If you look at the volume of policy settings that can be made across all options like Intune MDM, MAM and Endpoint security, it makes more sense to me to start with what Microsoft believes is best practice first and adjust from there. Doing so is going to:

1. Reduce the amount of individual settings in individual policies that you need to make.

2. Reduce setting conflicts across all your policies.

3. Allow you to more easily update to new best practices when they become available.

With this in mind, and looking back across what we have talked about so far with MDM and MAM, Intune and Endpoint security, I would suggest the following as a new best practice approach to configuring device security, in order:

1. Implement all Microsoft baseline security policies.

2. Make any required customisations to the deployed baseline ‘profiles’ in your environment.

3. Implement individual Endpoint security policies for additional settings not covered by the baselines.

4. Implement MDM compliance policies for additional settings not covered by baselines or individual Endpoint security policies.

5. Implement MDM configuration policies for additional settings not covered by baselines, individual Endpoint security and MDM compliance policies.

6. Implement MAM application protection policies for additional settings not covered by baselines, individual Endpoint security, MDM compliance and MDM configuration policies.

7. Implement MAM configuration policies for additional settings not covered by baselines, individual Endpoint security, MDM compliance, MDM configuration policies and MAM application protection policies.

In short: start with baselines, then implement individual Endpoint security policies, then Intune MDM policies, then Intune MAM policies.

At this stage, no single policy is going to provide all the protection required. Thus, you need to use a mix of policies across baselines, Endpoint security and Intune to suit your needs. However, in the long run, I see baselines and Endpoint security policies as being the future and suggest you start there rather than with the traditional approach, which was to start with Intune. If you already have Intune in place, for example, then you’ll need to think about migrating to baselines and Endpoint security policies, as I am currently doing. It will be frustrating at times tracking down the duplicates, but I suggest doing so will position you better for future improvements in the device management space.

Success with device management is not merely about selecting the right setting in a policy, it is also about deploying it effectively into your organisation. That’s what I’ll take a look at in the next article.

As something else to consider, in light of the recommendation to apply Microsoft baselines, I’d suggest you have a read of my article:

The changing security environment with Microsoft 365

The questions to think about are: in the future, why can’t Microsoft simply apply these baseline policies automatically and use AI to fill the gaps with additional settings? Where does that then leave those who are setting device policies today?

Modern Device Management with Microsoft 365 Business Premium – Part 6

Modern Device Management with Microsoft 365 Business Premium–Part 4

In the previous parts of this series I have covered:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business Premium – Part 3

We still have some additional device configuration options available to us, now thanks to Microsoft Endpoint Manager.

[image: Microsoft Endpoint Manager admin center]

As well as Intune MDM and MAM policies we now have extra Endpoint security policies.

[image: Endpoint security – Manage menu]

You’ll find these under the Endpoint security menu item on the left and then under the Manage heading, as shown above. In there you will find the following areas in which you can configure policies:

– Antivirus

– Disk encryption

– Firewall

– Endpoint detection and response

– Attack surface reduction

– Account protection

[image: Endpoint security – Attack surface reduction]

If you look inside any of these Endpoint security options, here Attack surface reduction, you’ll see that you can set policies just like the Intune device and application policies that have already been covered.

[image: Create Attack surface reduction policy – profile types]

When you do create an Attack surface reduction policy, for example, you’ll get the option to target device control, attack surface reduction rules, app and browser isolation and so on, as shown above.

[image: Attack surface reduction rules settings]

If you configure the attack surface reduction rules, as shown above, you’ll see the now familiar list of configuration settings that you choose from and then save to the policy. You then finally assign the policy that you create to a user and/or device group, again just like Intune.

In essence, you now have a number of additional policies, largely focused on Windows 10 device security for now, that can also be applied to your environment.

The challenge here is that some of these Endpoint security policy settings are unique and some overlap with existing Intune policies that you may have set. If the same setting has different values in an Endpoint security policy and an Intune policy that both reach a device, it will report as a conflict in the Endpoint Manager portal. So, the trick is to either use the duplicated Endpoint security policy settings BUT ensure they are the SAME as what is set in Intune, or only have one set of policies (Endpoint security or Intune) for the desired option. My opinion would be that if the desired setting is available in an Endpoint security policy, set it there and don’t set it in any Intune policy. It is my understanding that, in the long run, Endpoint security policies are where Microsoft is currently investing the most.

In summary then, it is possible to use three sets of policies for your devices:

1. Intune device policies

2. Intune application policies

3. Endpoint Manager policies

You can set any combination of the three, but be careful about creating conflicts, because some settings overlap and conflicts can be challenging to track down.

All of these policies can be created and read with PowerShell, but not the ‘basic’ PowerShell you might be used to with Exchange Online, for example. They are exposed through the Microsoft Graph API, which you drive from PowerShell with the Microsoft Graph PowerShell SDK (or direct REST calls). That is a little more involved than ‘standard’ Microsoft 365 PowerShell with commands like Get-MsolUser.
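As an added example of what that Graph-based PowerShell looks like (this is written for this page and is not code from the original article), the script below lists the published security baselines, then walks every baseline and Endpoint security ‘profile’ in the tenant and reports any setting that two or more profiles configure with different values. That is exactly the duplicate-tracking problem described above and in Part 5. Assumptions: the Microsoft.Graph.Authentication module is installed, the signed-in account has the DeviceManagementConfiguration.Read.All permission, and the baselines and Endpoint security profiles are stored as ‘intents’ under the Graph beta endpoint, which is where the portal keeps them. The list of template types treated as baselines is my own choice, and settings left as ‘not configured’ are skipped. Overlaps with classic Intune device configuration profiles, and with Endpoint security policies that newer tenants store under configurationPolicies (the settings catalog), are not checked by this script.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

# Added example: report baseline / Endpoint security profiles that set the same
# setting to different values. Assumes DeviceManagementConfiguration.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-GraphCollection {
    # Fetch a Graph collection and follow @odata.nextLink so paged results
    # are returned in full rather than only the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# Templates are what Microsoft publishes (baselines and Endpoint security policy
# types); intents are the 'profiles' an admin has created from those templates.
$templates = Get-GraphCollection "$base/templates"
$intents   = Get-GraphCollection "$base/intents"

# templateType values treated as security baselines (assumption; these match
# the Windows 10, Defender ATP and Edge baselines discussed in the article).
$baselineTypes = @('securityBaseline',
                   'advancedThreatProtectionSecurityBaseline',
                   'microsoftEdgeSecurityBaseline')

Write-Host 'Published security baselines:'
foreach ($t in ($templates | Where-Object { $_.templateType -in $baselineTypes })) {
    Write-Host ('  {0} ({1})' -f $t.displayName, $t.templateType)
}

function Get-ConflictingSettings {
    # Collect every configured setting from every profile, keyed by the
    # setting's definitionId, and return those configured with more than one
    # distinct value. Such a setting becomes a conflict on any device that is
    # assigned both profiles.
    param($Intents, $Templates)

    $templateById = @{}
    foreach ($t in $Templates) { $templateById[$t.id] = $t }

    $byDefinition = @{}
    foreach ($intent in $Intents) {
        $tmpl   = $templateById[$intent.templateId]
        $source = '{0} [{1}]' -f $intent.displayName,
                  $(if ($tmpl) { $tmpl.displayName } else { 'unknown template' })

        foreach ($s in (Get-GraphCollection "$base/intents/$($intent.id)/settings")) {
            # 'Not configured' settings carry a null value; they cannot conflict.
            if ($null -eq $s.valueJson -or $s.valueJson -eq 'null') { continue }
            if (-not $byDefinition.ContainsKey($s.definitionId)) {
                $byDefinition[$s.definitionId] = @()
            }
            $byDefinition[$s.definitionId] += [pscustomobject]@{
                Profile = $source
                Value   = $s.valueJson
            }
        }
    }

    foreach ($entry in $byDefinition.GetEnumerator()) {
        $distinct = @($entry.Value.Value | Sort-Object -Unique)
        if ($entry.Value.Count -gt 1 -and $distinct.Count -gt 1) {
            [pscustomobject]@{
                Setting  = $entry.Key
                Profiles = $entry.Value
            }
        }
    }
}

Write-Host "`nSettings configured with different values by more than one profile:"
foreach ($conflict in (Get-ConflictingSettings -Intents $intents -Templates $templates)) {
    Write-Host "  $($conflict.Setting)"
    foreach ($p in $conflict.Profiles) {
        Write-Host ('    {0,-55} = {1}' -f $p.Profile, $p.Value)
    }
}
```

Run it from an elevated-enough account after Connect-MgGraph prompts for consent; the report is read-only. Settings that every profile sets to the same value are deliberately not listed, since identical values do not produce a conflict, which is the ‘make them the SAME’ option described above. Where a setting does appear, the shortest fix is the one recommended in this series: keep it only in the baseline or Endpoint security profile and remove it from the other policies.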

There are still more considerations with device management that will be covered in the next article. Hopefully, by now you are beginning to appreciate the power and granularity that is possible with device management from Microsoft 365. However, as they say, “With great power comes great responsibility” (and I would add a lot more complexity).

Modern device Management with Microsoft 365 Business Premium – Part 5