Silversands provides modern management readiness review for waterway authority

This organisation manages UK waterways, controlling traffic, managing the environment and ensuring safety.

Technology used :

Microsoft Intune
Windows Autopilot
Microsoft Defender Suite
Microsoft Autopatch

What were the challenges?
  • This organisation was interested in taking advantage of Microsoft’s modern management capabilities.
  • Assistance was requested from Silversands to help the authority understand the options and considerations.
What were the findings?
  • A number of modern management solutions have been implemented already but perhaps only partially configured.
  • Intune was only being used for mobile device management.
  • Significant Active Directory Group policies have been deployed and only half of these are modern management compatible.
  • ManageEngine is being used to provide Windows updates and application deployment.
  • Windows OS builds are managed using Microsoft Deployment Toolkit (MDT).
  • Microsoft Defender has been only partially implemented and without full enablement.
What were the results?
  • In general, the organisation is well placed to move to modern management.
  • Solutions such as Intune and Autopatch could potentially replace ManageEngine.
  • Intune should be configured to provide additional management and security functions for mobile and Windows devices.
  • Windows Autopilot would be a significant improvement over MDT.
  • The full deployment of Microsoft Defender and other parts of the Defender Suite would provide security and protection an order of magnitude better than has been deployed up to now.

The background

Following an upgrade to Active Directory, this organisation was interested in moving to modern management solutions such as Microsoft’s endpoint security solutions, Intune management, and Windows Autopilot. However, it did not have a full understanding of the implications of this change, so we were asked to provide a review and recommendations.

As part of this review, we looked at:

  • Existing management functions such as Group Policies
  • Client access scenarios and enforcement rules
  • Endpoint client management and security
  • The existing Azure AD configuration
  • The current Microsoft Intune configuration
  • The existing Microsoft 365 Defender deployment
Background
  • This authority is interested in implementing modern management
  • Silversands' assistance was requested to understand the implications

“We have been working with Microsoft solutions for over 30 years so have significant experience in design, implementation and configuration. With the introduction of modern solutions like Microsoft 365 and Intune, we are now using that experience to help our customers transition to modern management.”

Colin Gray, Account Manager, Silversands

The findings

Several modern management solutions have already been deployed by this authority but it appears that they are either not fully enabled, not fully configured or only partially deployed.

In the first instance, all the Windows devices in this organisation are connected to Azure Active Directory through hybrid join, which is a key requirement for modern management.

To provide device management, Intune has been enabled but is predominantly used for Android and iOS device configuration and only a small number of mobile apps have been published. No Intune configuration profiles or security baselines have been deployed for Windows devices (baselines are Microsoft-provided profiles that enable typically beneficial security parameters). Some of these controls have been managed through traditional Group Policy, though.

Intune Conditional Access policies, which allow only suitably-configured and secured devices to connect to the authority’s environment, have been enabled but they were created several years ago and the general requirements, technology and usage have changed in the meantime. Consequently, this is an area that needs further review.

Microsoft Intune management

As we find with many legacy Active Directory deployments, there are several hundred Group Policies that have been configured, which are modifying over a thousand application, Windows and device settings. Of these, we found that half of them were ready for migration to Intune policies, with the other half not suitable (such as printer management policies).

Where policies cannot be migrated, there are generally opportunities to replace the policy with another technology solution (such as a script or, in the case of printers, Universal Printing). There is, of course, also the option to decide that a particular policy is no longer required. In some cases, though, there may be no option other than to retain a small number of Group Policies, at least until such time as there is a modern management replacement available.

Regardless of whether the organisation does move to Intune policies, there are many optimisations that could be performed on the existing Group Policies to reduce their number, to remove unnecessary settings and to apply them more appropriately.


Windows Updates are currently managed by ManageEngine, but the Microsoft Autopatch solution provides a simpler and zero-cost alternative, which is worth considering, particularly as it provides a more hands-off, reduced admin solution when compared to how ManageEngine operates.

Windows operating system builds are currently provided by Microsoft Deployment Toolkit (MDT), a decidedly legacy solution that is feature-poor compared to newer technologies. In this case, Windows Autopilot is a much more flexible and powerful deployment solution, offering over-the-internet builds, flexible driver management and other features to allow hands-free deployments. Autopilot requires the Microsoft Always-On VPN (AOVPN) to be deployed, another technology not currently used in this organisation. However, the implementation of AOVPN would also provide a significant user benefit because of its automatic and entirely transparent nature.

Centralised application deployments for Microsoft and third-party apps are presently provided by ManageEngine. As part of a consolidation of technologies, the application deployments could be managed by Intune, but Intune is not suitable for managing third-party app updates, so our recommendation is that ManageEngine should continue to be used for this function until such time as Microsoft hopefully provides this capability.

Finally, Microsoft Defender for Endpoint has been implemented by this organisation but only for a small pilot group with the remainder of devices running basic Defender Antivirus. However, critical elements of Defender’s capabilities have not been implemented or were not being monitored appropriately. For example, Attack Surface Reduction is not enabled, there are no application control policies, several devices are reporting insecure configurations, Defender Antivirus is not configured, and device threat status is not being used for compliance.
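As an added example (not part of the Silversands review or of any Microsoft tooling), the following read-only PowerShell audit checks a single Windows device for the Defender gaps listed above: whether any Attack Surface Reduction rules are configured and in Block mode, and the core antivirus posture. It uses only the built-in Defender cmdlets and must be run in an elevated session.

```powershell
# Added example: read-only local audit of Defender for Endpoint posture.
# Uses the Defender module that ships with Windows (Get-MpPreference / Get-MpComputerStatus).
# Run from an elevated PowerShell session; nothing here changes any setting.

# Documented ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair each configured ASR rule GUID with its action. An empty result means
    # no ASR rules are configured at all, which is the finding in the review.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($asrActionNames.ContainsKey($code)) { $asrActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Get-DefenderAvPosture {
    # Core antivirus settings the review describes as "not configured".
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled       = $status.AntivirusEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        AMRunningMode          = $status.AMRunningMode        # 'Normal' when Defender AV is the active engine
        TamperProtected        = $status.IsTamperProtected
        MapsReporting          = $pref.MAPSReporting          # 0 = cloud-delivered protection (MAPS) off
        SignatureAgeDays       = $status.AntivirusSignatureAge
        ConfiguredAsrRuleCount = @($pref.AttackSurfaceReductionRules_Ids).Count
        AsrRulesInBlockMode    = @(Get-AsrRuleState | Where-Object Action -eq 'Block').Count
    }
}

Get-DefenderAvPosture | Format-List
Get-AsrRuleState | Format-Table -AutoSize
```

Run across a fleet (for example via an Intune remediation script or a management tool), the two functions give a per-device view of exactly the items the review flagged before any policy is changed.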

Findings
  • Some modern management solutions have been implemented but not fully embraced
  • Intune is partially used for mobiles only
  • ManageEngine is used for Windows Updates and app deployment
  • Windows OS builds use very old technology
  • Microsoft Defender has only been partially implemented

The recommendations

This organisation has already implemented some elements of modern management, but it has been rather disjointed and, consequently, the full value is not being realised.

As an example, Intune has been implemented, but only a fraction of its full capabilities have been exploited and there are a number of key functions that would provide the organisation with improved device management, configuration and policy deployment, and improved security.

The replacement of the legacy MDT deployment solution with Windows Autopilot would provide an advanced and flexible device deployment option that would enable computers to be built anywhere an internet connection is available.

From a general management perspective, the ManageEngine solution that provides patch management, application deployment and other management functions could be replaced with Intune, Autopatch and other Microsoft management solutions although it needs to be retained for now to provide the third-party application updates, a function which is not within the current capability of any Microsoft tools.

Microsoft Defender for Endpoint is a highly capable endpoint security solution which is only partially deployed and, even then, only with a fraction of its available features enabled. A full deployment of this solution will provide the organisation with a level of security and protection from malware and malicious activity far in advance of any capabilities that have already been deployed. Indeed, if the organisation only took one recommendation from our review, the full enablement of Defender for Endpoint should be it.


In addition to Defender for Endpoint, Defender for Cloud Apps and Defender for Office 365 should also be deployed. On their own, each of the Defender solutions provides protections from specific cyber threats but, by working together they form an Extended Detection and Response (XDR) solution to provide an even higher level of security protection.

Even though there are some questions that need to be resolved, such as how to manage printers outside of Group Policies, the path to modern Microsoft management for this organisation is relatively straightforward, especially when considering that many of the recommended changes expand on existing solutions like Intune, or are enabled by the use of existing Microsoft 365 E3 and E5 licences.

In terms of next steps, the organisation is happy with the outcome of the review and is considering our recommendations and will be making decisions over the next few weeks.


“The capabilities of solutions like Intune, Autopatch, Autopilot, Defender and other new technologies enable a level of capability, flexibility and security that is simply not achievable using legacy solutions. Modern management is clearly the way forward and especially so for those organisations that have invested in E3 and E5 licences.”


Pete Holland, Lead Security Consultant, Silversands

Recommendations
  • The authority is well placed to move to modern management
  • Microsoft solutions like Intune and Autopatch could replace ManageEngine
  • Intune management and security functions should be more widely used
  • Windows Autopilot would be a significant improvement over the legacy technology in use
  • Full deployment of Microsoft Defender would be advantageous