Windows Updates are currently managed by ManageEngine. Windows Autopatch is a simpler alternative worth considering: it is included at no additional cost with eligible licences (Windows Enterprise E3/E5 and the Microsoft 365 E3/E5 plans that contain them), and it hands the design of update rings, deployment scheduling and rollback of problematic updates to Microsoft, so it needs far less day-to-day administration than ManageEngine. Note that Autopatch only manages devices enrolled in Intune, which ties it to the wider Intune consolidation discussed below.
Windows operating system builds are currently produced with the Microsoft Deployment Toolkit (MDT), a decidedly legacy, image-based solution that is feature-poor compared with newer technologies. Windows Autopilot is a much more flexible and powerful deployment approach: devices are provisioned over the internet from the OEM or standard Windows image, there is no driver store to maintain because drivers arrive with the OEM image and from Windows Update, and the build can complete without hands-on IT involvement. Autopilot itself needs only internet access to Intune and Microsoft Entra; the extra requirement arises if devices are to stay hybrid-joined to the on-premises domain, because a device deployed away from the office must reach a domain controller before the user's first sign-in. That connectivity is normally provided by Always On VPN (AOVPN) using a device tunnel, another technology not currently used in this organisation. Implementing AOVPN would also deliver a significant user benefit, since it connects automatically and is entirely transparent to the user.
Centralised application deployment for Microsoft and third-party applications is presently provided by ManageEngine. As part of a consolidation of technologies, application deployment could move to Intune, but Intune does not natively track and patch third-party applications, so our recommendation is that ManageEngine continues to be used for third-party patching until Microsoft provides that capability.
Finally, Microsoft Defender for Endpoint has been implemented by this organisation, but only for a small pilot group; the remainder of the estate runs the built-in Defender Antivirus with its default settings. Across the estate, critical elements of Defender's capabilities have not been implemented or are not being monitored. For example, Attack Surface Reduction rules are not enabled, there are no application control (WDAC or AppLocker) policies, several devices are reporting insecure configurations in Defender's security recommendations, Defender Antivirus settings are not enforced by policy, and device threat status is not used as an Intune compliance signal, so a device that Defender has flagged as at risk is still treated as compliant and keeps its access to corporate resources.
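The following script is an added example, not part of the original assessment or of any Microsoft tooling. It audits a single endpoint for the gaps listed above (MDE onboarding, ASR rules, core antivirus settings, application control) using only the built-in Defender, AppLocker and DeviceGuard interfaces, so it can be run on pilot and non-pilot devices alike to confirm the findings. The ASR rule set it expects is an illustrative selection of Microsoft's published rule GUIDs, chosen as an assumption because the organisation has not yet defined its own baseline; the pass thresholds (Block mode, advanced MAPS reporting, signatures under three days old) are likewise the author's assumptions.

```powershell
# Added example: audit one Windows endpoint for the Defender gaps found in the assessment.
# Run elevated on Windows 10/11. Uses only in-box cmdlets; no downloads or external modules.
#Requires -RunAsAdministrator

# Assumption: an illustrative baseline of Microsoft-published ASR rule GUIDs, not an organisational standard.
$ExpectedAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
# Action codes as reported by Get-MpPreference AttackSurfaceReductionRules_Actions
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$script:findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $result = if ($Pass) { 'PASS' } else { 'FAIL' }
    $script:findings.Add([pscustomobject]@{ Check = $Check; Result = $result; Detail = $Detail })
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. MDE onboarding: the onboarding package sets OnboardingState=1 and starts the Sense service.
$mdeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = (Test-Path $mdeKey) -and
             ((Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue).OnboardingState -eq 1)
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
Add-Finding 'MDE onboarded' ($onboarded -and ($sense.Status -eq 'Running')) `
    "OnboardingState=$onboarded, Sense service=$($sense.Status)"

# 2. Attack Surface Reduction: every expected rule must be present and set to Block (1),
#    not merely Audit (2) or Warn (6). Rule IDs are compared case-insensitively.
$configured = @{}
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $ExpectedAsrRules.Keys) {
    $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
    Add-Finding "ASR: $($ExpectedAsrRules[$id])" ($action -eq 1) "Action=$($AsrActionNames[$action])"
}

# 3. Core antivirus settings that should be enforced by policy rather than left at defaults.
Add-Finding 'Real-time protection'    ([bool]$status.RealTimeProtectionEnabled) "AMRunningMode=$($status.AMRunningMode)"
Add-Finding 'Tamper protection'       ([bool]$status.IsTamperProtected) ''
Add-Finding 'Cloud protection (MAPS)' ($pref.MAPSReporting -eq 2) "MAPSReporting=$($pref.MAPSReporting)"
Add-Finding 'Network protection'      ($pref.EnableNetworkProtection -eq 1) "EnableNetworkProtection=$($pref.EnableNetworkProtection)"
Add-Finding 'PUA protection'          ($pref.PUAProtection -eq 1) "PUAProtection=$($pref.PUAProtection)"
Add-Finding 'Signatures < 3 days old' ($status.AntivirusSignatureAge -lt 3) "Age=$($status.AntivirusSignatureAge) days"

# 4. Application control: pass if a WDAC user-mode policy is enforced (status 2) or the
#    effective AppLocker policy contains at least one rule.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$wdacEnforced   = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
$appLockerRules = 0
try {
    [xml]$alXml     = Get-AppLockerPolicy -Effective -Xml
    $appLockerRules = $alXml.SelectNodes('/AppLockerPolicy/RuleCollection/*').Count
} catch { }
Add-Finding 'Application control' ($wdacEnforced -or ($appLockerRules -gt 0)) `
    "WDAC user-mode status=$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus), AppLocker rules=$appLockerRules"

# 5. Report. Pipe $script:findings to Export-Csv to collect results across the estate.
$script:findings | Format-Table -AutoSize
$failed = @($script:findings | Where-Object Result -eq 'FAIL').Count
"{0} of {1} checks failed on {2}" -f $failed, $script:findings.Count, $env:COMPUTERNAME
```

The one finding the script cannot test is the last one in the list: whether device threat status feeds compliance is an Intune-side setting (the "Require the device to be at or under the machine risk score" option in the Windows compliance policy) and is not visible from the endpoint, so it has to be verified in the Intune admin centre. A device that passes every check here but whose tenant lacks that setting is still treated as compliant the moment Defender raises its risk level.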