Friday, 21 June 2019

O365 and AAD using InTune

Overview:  Our company has moved away from traditional on-premises networking and uses Azure.  We use AAD, Azure Domain Services, Intune and O365, with all laptops and PCs running Windows 10 Pro.  It is so easy and removes so much administration.

Intune: If your users have O365 or E365 licences, Intune is included; with E3 accounts you can add it on for £7.50 per month.  Intune allows me to deploy a setup that historically would have used GPO to manage the individual machines, referred to as "Configuration".  I can verify that all my users are compliant with my policies, such as running Windows 10, and ensure they are patched to a certain level.  Defender works brilliantly through Intune.  I've removed our old anti-virus/anti-malware product from end-user devices because with Intune it's better with Defender.  I ensure all our PCs and laptops have BitLocker.  Checking all the devices my users are using is done through Intune using "Compliance".

  • I can wipe any PC or device remotely.
  • With the user logins, I can see activity and it provides a great end to end management solution.
  • I haven't used TeamViewer as we still use LogMeIn for remote support, but I'd personally lean to TeamViewer as it's fully integrated with Intune.
  • BYOD devices are also controllable using Intune.

Summary:  Intune is easy to use and roll out and provides good control of end-user devices.

Example policy for Windows 10 devices:

Health Service settings
  1. Require BitLocker
  2. Require Secure Boot to be enabled on the device
Device Properties settings
  1. Min OS version
System Security settings
  1. Require a password to unlock mobile devices
  2. Simple passwords
  3. Password type
  4. Min password length
  5. Max time of inactivity before password is required
  6. Password expiration (days)
  7. Number of previous passwords to prevent reuse
  8. Require password when device returns from idle state
  9. Encryption of data storage on device
  10. Device Security – Firewall
  11. Device Security – Antivirus
  12. Device Security – Antispyware
  13. Defender – Windows Defender Antimalware
  14. Defender – Min version
  15. Defender – Antimalware intelligence up-to-date
  16. Defender – Real-time protection
Windows Defender ATP settings
  1. Require the device to be at or under the machine risk score
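The same policy, written out as the Microsoft Graph `windows10CompliancePolicy` body that Intune stores behind the portal form (an added example, not taken from the original post; the keys follow the four groups above in order, and the threshold values, the OS build, the Defender platform version and the risk level are assumed settings for illustration, not the values used by the author):

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "Windows 10 baseline (example)",
  "description": "Example compliance policy mirroring the settings listed above",

  "bitLockerEnabled": true,
  "secureBootEnabled": true,

  "osMinimumVersion": "10.0.18362",

  "passwordRequired": true,
  "passwordBlockSimple": true,
  "passwordRequiredType": "alphanumeric",
  "passwordMinimumLength": 8,
  "passwordMinutesOfInactivityBeforeLock": 15,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "passwordRequiredToUnlockFromIdle": true,
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "antivirusRequired": true,
  "antiSpywareRequired": true,
  "defenderEnabled": true,
  "defenderVersion": "4.18.1905.4",
  "signatureOutOfDate": true,
  "rtpEnabled": true,

  "deviceThreatProtectionEnabled": true,
  "deviceThreatProtectionRequiredSecurityLevel": "medium"
}
```

Note that `signatureOutOfDate` is the Graph name for the "antimalware intelligence up-to-date" requirement (true means the requirement is enforced); export a policy built in the portal and compare before relying on these key names in automation.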

Update: 2022-June-20

"BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud" - product by HCL.

Its competitor is Microsoft Endpoint Manager (MEM).  MEM is useful for patching and monitoring Windows 10/11 devices.  You can set up a policy to give the end user different notifications to install the patch, and can force installation if the end user does not install it.