Friday 21 June 2019

O365 and AAD using Intune

Overview:  Our company has moved away from traditional on-premises networking and we use Azure.  We use AAD, Azure AD Domain Services, Intune and O365, with all laptops and PCs running Windows 10 Pro.  It is so easy and removes so much administration.

Intune:  Intune is included in the Microsoft 365 E3/E5 bundles; with a plain Office 365 E3 licence you can add it on for £7.50 per user per month.  Intune lets me push the settings that historically would have been applied to each machine by GPO; in Intune these are "Configuration" profiles.  Compliance policies let me verify that every device meets my baseline, for example a minimum Windows 10 build and patch level.  Defender works brilliantly through Intune.  I've removed our old anti-virus/anti-malware from end-user devices because, with Intune, Defender is the better option.  I make sure all our PCs and laptops have BitLocker.  Checking every device my users are using is done through Intune's "Compliance" view.

  • I can wipe any PC or device remotely.
  • Per-user sign-in activity is visible, so it provides an end-to-end management solution.
  • I haven't used TeamViewer as we still use LogMeIn for remote support, but I'd personally lean towards TeamViewer as it's fully integrated with Intune.
  • BYOD devices can also be controlled through Intune.
Summary:  Intune is easy to use and roll out, and provides good control of end-user devices.
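As an added example (not part of the original post), the script below reproduces on the device itself the checks an Intune compliance policy evaluates for the items above (OS build, BitLocker, Secure Boot, Defender, firewall), so a machine that Intune reports as "Not compliant" can be triaged locally without waiting for the next sync. It assumes an elevated PowerShell session on a Windows 10 Pro device; the threshold values are the ones this post uses, and the one-day signature age is my own conservative proxy, since Intune does not publish its exact staleness threshold. Password rules are left out because Intune enforces them through the MDM DeviceLock policy rather than the local account database.

```powershell
# Added example, not from the original post: local audit of the device-side
# checks an Intune Windows 10 compliance policy evaluates. Run elevated.
$MinBuild        = 17763   # Windows 10 1809 is build 10.0.17763
$MaxSignatureAge = 1       # days; assumption, Intune's own threshold is not published

function Test-DeviceBaseline {
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $defender = Get-MpComputerStatus
    $profiles = Get-NetFirewallProfile
    $sysVol   = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; those cannot pass a
    # Secure Boot requirement either, so an exception counts as a failure.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $checks = [ordered]@{
        "OS build >= $MinBuild"                   = [int]$os.BuildNumber -ge $MinBuild
        'BitLocker protection on (system drive)'  = $sysVol.ProtectionStatus -eq 'On'
        'Secure Boot enabled'                     = $secureBoot
        'Defender antimalware service running'    = $defender.AMServiceEnabled
        'Defender antivirus enabled'              = $defender.AntivirusEnabled
        'Defender antispyware enabled'            = $defender.AntispywareEnabled
        'Defender real-time protection'           = $defender.RealTimeProtectionEnabled
        "Signatures <= $MaxSignatureAge day old"  = $defender.AntivirusSignatureAge -le $MaxSignatureAge
        # Enabled is a GpoBoolean (True/False/NotConfigured); anything but True fails.
        'Firewall on for all profiles'            = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
    }

    $results = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
    $results | Format-Table -AutoSize | Out-Host

    # Return the names of the failed checks; an empty list means the device
    # would pass the policy's device-side rules.
    return @($results | Where-Object { -not $_.Pass } | ForEach-Object Check)
}

$failed = Test-DeviceBaseline
if ($failed.Count -eq 0) { Write-Host 'Device meets the baseline' }
else { Write-Warning "Failing checks: $($failed -join ', ')" }
```

Intune additionally consults the Health Attestation Service and the Defender ATP risk score, which cannot be reproduced locally; if every check here passes and the device is still non-compliant, look at those two in the Intune compliance report.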

Example compliance policy for Windows 10 devices:

Device Health (Health Attestation Service)
  • Require BitLocker: Required
  • Require Secure Boot to be enabled on the device: Disabled

Device Properties
  • Minimum OS version: 1809 (build 10.0.17763)

System Security
  • Require a password to unlock mobile devices: Required
  • Simple passwords: Block
  • Password type: Alphanumeric
  • Minimum password length: 8
  • Maximum minutes of inactivity before a password is required: 10
  • Password expiration (days): 45
  • Number of previous passwords to prevent reuse: 12
  • Require password when device returns from idle state: Required
  • Encryption of data storage on device: Required
  • Device Security – Firewall: Required
  • Device Security – Antivirus: Required
  • Device Security – Antispyware: Required
  • Defender – Windows Defender Antimalware: Required
  • Defender – Minimum version: 1.295.933.0
  • Defender – Antimalware security intelligence up to date: Required
  • Defender – Real-time protection: Required

Windows Defender ATP
  • Require the device to be at or under the machine risk score: Medium
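The same policy expressed as code, as an added example that is not from the original post: it creates the compliance policy above through Microsoft Graph and assigns it to a device group, so the baseline is reviewable in source control and reproducible in another tenant. It assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph), an account that can consent to DeviceManagementConfiguration.ReadWrite.All, and a placeholder group ID you replace with your own. Property names are those of the Graph `windows10CompliancePolicy` resource. One caveat on the policy itself: with Secure Boot not required, the health attestation rule does not validate the boot chain, so the script exposes that setting as a variable you can flip to `$true` on UEFI hardware.

```powershell
# Added example, not from the original post: create and assign the Windows 10
# compliance policy above via Microsoft Graph.
$PolicyName        = 'Windows 10 baseline compliance'
$AssignToGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your AAD device group
$RequireSecureBoot = $false   # the post's policy leaves this disabled; $true is recommended on UEFI hardware

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = $PolicyName
    description   = 'BitLocker, Defender, firewall and password baseline for Windows 10 Pro'

    # Device Health (Health Attestation Service)
    bitLockerEnabled  = $true
    secureBootEnabled = $RequireSecureBoot

    # Device Properties: 1809 is build 10.0.17763
    osMinimumVersion = '10.0.17763'

    # System Security: password rules
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = 'alphanumeric'
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 10
    passwordExpirationDays                = 45
    passwordPreviousPasswordBlockCount    = 12
    passwordRequiredToUnlockFromIdle      = $true

    # System Security: encryption, firewall, AV/antispyware
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true

    # Defender
    defenderEnabled    = $true
    defenderVersion    = '1.295.933.0'
    signatureOutOfDate = $true    # require security intelligence to be up to date
    rtpEnabled         = $true

    # Defender ATP machine risk score: at or under Medium
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'

    # Graph rejects a compliance policy with no action for non-compliance;
    # mark the device non-compliant immediately (0 hours grace).
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created compliance policy $($created.id)"

# An unassigned policy evaluates nothing, so assign it to the device group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignToGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Assigned to group $AssignToGroupId"
```

Pair the compliance policy with a Conditional Access rule that requires a compliant device; on its own, a compliance policy only reports and marks, it does not block access to O365.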

Update: 2022-June-20

"BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud", a product by HCL.

Its Microsoft competitor is Microsoft Endpoint Manager (MEM).  MEM is useful for patching and monitoring Windows 10/11 devices: you can set up update policies that notify the end user to install a patch in different ways, and force the install if the end user does not.