A Journey to Modern Endpoint Management

Published: January 30, 2023
Updated: September 04, 2024
Expert: Lewis Barry
Role: Senior Cloud Engineer
Specialises in: Microsoft 365
What you will learn:
Our focus today will be for Windows + BYOD iOS/Android. Basically, why you NEED Business Premium for all the extra good stuff.
The Microsoft Deployment Toolkit was released in 2003 and served us well all the way up until Windows 10... We're now on Windows 11.

Microsoft 365 Business Premium is the baseline.

This isn’t supposed to be a sales pitch, but an insight into how the single pane of glass approach can both fortify your company’s security posture while also being a win for the financial chart enjoyers.

It’s become a bit of an internal meme/joke that I’m always pushing for Business Premium, so I thought it was time to explain myself in writing.

My journey to modern endpoint management

Our focus today will be for Windows + BYOD iOS/Android.

The days of imaging workstations are pretty much over. The Microsoft Deployment Toolkit was released in 2003 and served us well all the way up until Windows 10.

MDT doesnโ€™t list Windows 11 in its list of supported client devices. Take that as the hint to modernise your approach.

What does Intune do and why is it exciting?

In my first job we had on-premises Active Directory and a Windows Deployment Server working with Microsoft Deployment Toolkit. One of my jobs as an IT apprentice was to image laptops for new starters or refresh existing hardware to resolve performance issues.

Our MDT server worked, but the golden image hadn’t been updated in a while and it added about two hours onto every build while I waited for Windows 7 to finish updating (yes, Windows 7 was where my professional life began, apologies if that makes you feel old). This bothered me because it meant I had to babysit each machine until it was ready to go. This is where my journey into endpoint management started.

I took it upon myself to figure out how MDT worked since the guy who set it up had left, and I relied on blog resources like 4Sysops and Deployment Bunny as well as various YouTube videos to get the job done. Initially I broke it: no one could image anything, we were back to USB installation, and everything beyond that was manual for a while. I panicked a bit, and the fear of being sacked drove me to properly work this stuff out.

A few months pass and I’m at a point where we have a new MDT instance using the Total Control method of driver installation, deploying all the apps and task sequences we needed, joining our domain, and applying the correct Volume Licence key. Win!

So this is great, I no longer have to manually build machines. Now what? Those machines are joining a domain where we have a whole list of Group Policy Objects being applied to them, Windows Server Update Services governing updates, and a centrally managed AV product (which I will not name) hosted on-prem which they need to contact for definition updates. What happens when users take those laptops home and don’t connect to the VPN?

Nothing. They are AWOL. We didn’t have any RMM software, and some of those users wouldn’t connect in for weeks/months depending on their role.

This bothered me. I remember thinking to myself “I can’t be the only one who has these concerns.” I didn’t have the industry experience to know of anything better. Of course now you could enforce always-on VPN, paired with GPOs that tell clients to get Windows updates via Microsoft’s CDN, and pick an AV product that isn’t stuck in 2001, but you get the idea.

Fast forward a few years, and I was now working for an MSP. We had lots of different environments and endpoints to look after. The customers were at various levels of modernisation. But something was changing. I wasn’t looking after 400+ computers anymore; smaller user bases and budgets meant that not everyone could justify having enterprise equipment. It made them more agile.

My role adapted from purely tech to having to think about which Microsoft licences to provision. I read the spec sheets comparing the three main M365 Business SKUs, trying to work out what exactly the customers would be getting for their £X per month…

Intune? What’s this?

A cloud MDM that allows you to manage updates, policies, and custom application deployments from a web portal without the expense of enterprise servers! It’s like cloud GPOs! (A future blog will clarify what I mean on the GPO bit.) I always did enjoy making those on AD; I did not enjoy waiting weeks with no easy way to tell if people got my new settings.

Using our MS Partner Action Pack benefits, I got myself a CDX tenant which is pre-hydrated with M365 Business Premium and demo users, and spun up a Hyper-V VM with Windows 10 and spent a few weeks playing around with Autopilot and Intune.

We configure Intune to be our “Golden Configuration”, we register our devices into Autopilot, and hand it over to the end-user to complete the OOBE.

This is what I’ve been looking for. This is the future.

The catalyst for remote working

So, there was this big thing that happened in 2019 or something, it led to scenes where people were taking their entire office setup home: chairs, computers, staplers, biscuits, and teabags etc.

Wait, they were taking their computers into their home network? The same computers that are behind our uber next-gen firewalls here in the office?

Yeah, just login as normal and carry on, we’ll send you VPN instructions via email.

Flustered IT Professionals | Location: Global

The trouble is, this changed things forever. We won’t delve into what a cyber security catastrophe this caused, but we’ll focus on what it meant for workplace modernisation.

Microsoft had record numbers of Teams users, it expedited the development of that product significantly, and I’d say it also greatly contributed to their decision to include Defender for Business within Business Premium, since SMBs represent 90% of businesses worldwide. IT departments had to pivot their device lifecycle strategies to assume the endpoints are always operating in unknown territories and networks.

Consolidating your product stack

IT Managers and financial decision makers, this bit is for you!

A very common scenario I see is where prospective customers have Microsoft licensing entitlements to use Defender for Endpoint but aren’t using it. Sometimes they also have every device in their environment Intune enrolled too.

When I’m on these sorts of discovery calls, this is where the educational bit comes in. I ask how and why they picked a particular third-party vendor, and often it’s because that’s what they’ve always used. They haven’t had any major security incidents, it’s a set and forget exercise, and it ticks a box for their internal assessments.

Then I ask what other vendors they have.

  • We have web content filtering with X
  • We have spam filtering with Y
  • We have vulnerable app detection with Z

How much is that costing you? Not just raw $$$s, but time too. Those are three products, with potentially three login portals (although hopefully they allow Azure AD SSO) and three additional things to teach your helpdesk to use, none of which talk to each other.


Some of the Business Premium flavours of those features are the starting point in the Microsoft stack; for example, the web content filtering won’t let you have different blocking groups by device etc. But the main point here is that BP is the baseline suite of products for a good security posture. We haven’t even got onto identity protection yet.

peas & carrots

Intune and Defender for Endpoint work really well together. Theyโ€™re designed to!

You can start by enabling this relationship over at https://security.microsoft.com, under Settings > Endpoints > Advanced features > Microsoft Intune connection.


Once you’ve done that, the onboarding blob under the Endpoint detection and response blade in the Intune portal (an EDR policy with the client configuration package type set to come from the connector) will know where to send your devices once they get the config profile applied.
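As an added check that is not part of the original article: once the EDR profile has applied, this PowerShell, run in an elevated session on the Windows endpoint itself, confirms whether the device actually enrolled, onboarded to Defender for Endpoint, and has Defender AV as the active engine rather than a leftover third-party product. The registry key, the Sense service name, dsregcmd and the Get-MpComputerStatus properties are standard Windows/Defender ones; the three-day signature threshold and the wording of the findings are my own choices.

```powershell
# Added example (not the article's code). Run elevated on a Windows 10/11 device
# after the Intune EDR profile has applied. Reads Intune enrolment state, the
# Defender for Endpoint (MDE) onboarding state, the Sense service and Defender AV
# status, then lists anything that still needs fixing.

function Get-EndpointProtectionState {
    $mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $mde    = Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $av     = Get-MpComputerStatus

    # dsregcmd reports Azure AD join state and the MDM (Intune) enrolment URL
    $dsreg  = (dsregcmd /status) -join "`n"

    [pscustomobject]@{
        AzureAdJoined      = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
        MdmEnrolled        = [bool]($dsreg -match 'MdmUrl\s*:\s*https://')
        MdeOnboarded       = ($mde.OnboardingState -eq 1)        # 1 = onboarded; missing/0 = not onboarded
        MdeOrgId           = $mde.OrgId                          # tenant the sensor reports to
        SenseService       = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        AMRunningMode      = $av.AMRunningMode                   # 'Normal' = Defender is the primary AV
        RealTimeProtection = $av.RealTimeProtectionEnabled
        TamperProtection   = $av.IsTamperProtected
        SignatureUpdated   = $av.AntivirusSignatureLastUpdated
    }
}

function Test-EndpointProtectionState {
    param([Parameter(Mandatory)] $State, [int] $MaxSignatureAgeDays = 3)   # 3 days is an assumed threshold
    $findings = @()
    if (-not $State.AzureAdJoined) { $findings += 'Device is not Azure AD joined; Autopilot/Intune enrolment did not complete.' }
    if (-not $State.MdmEnrolled)   { $findings += 'No MDM URL; device is not enrolled in Intune, so no profiles will arrive.' }
    if (-not $State.MdeOnboarded)  { $findings += 'Not onboarded to Defender for Endpoint; check the EDR policy assignment and the Intune connection under Settings > Endpoints in security.microsoft.com.' }
    if ($State.SenseService -ne 'Running') { $findings += "Sense service is '$($State.SenseService)'; no telemetry is being sent." }
    if ($State.AMRunningMode -ne 'Normal') { $findings += "Defender AV is in '$($State.AMRunningMode)'; a third-party AV is still registered as primary, so the Intune AV policies are not in effect." }
    if (-not $State.RealTimeProtection) { $findings += 'Real-time protection is off.' }
    if (-not $State.TamperProtection)   { $findings += 'Tamper protection is off; enable it in the Intune antivirus policy.' }
    if ($State.SignatureUpdated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays)) {
        $findings += "Signatures last updated $($State.SignatureUpdated); the device is not reaching the Microsoft update CDN."
    }
    return $findings
}

$state    = Get-EndpointProtectionState
$findings = Test-EndpointProtectionState -State $state
$state | Format-List
if ($findings.Count -eq 0) { 'OK: device is enrolled, onboarded and protected.' }
else { $findings | ForEach-Object { "FIX: $_" } }
```

The AMRunningMode line is the one that catches the consolidation problem described earlier: if a legacy AV is still installed, Defender silently drops into passive mode and every Intune antivirus setting you push is ignored until the old product is removed.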

Is that it?

No.

A common phrase I use when talking to people about these products is that Microsoft provide the best tools, but they rely on teams of dedicated and engaged people to be able to deploy them properly. Defender for Endpoint is not a one-click installation.

How should Defender be managed?

If you refer to this document over on Microsoft Learn, youโ€™ll see that most of the management boxes for DfE are ticked on the Intune column. Thatโ€™s my preferred route of configuration, maintenance, and troubleshooting.

The product

Bringing the focus back to Business Premium, you have an enterprise-grade AV/EDR solution right at your fingertips, and each user can have multiple protected devices.

This article isnโ€™t designed to duplicate information you can find easily available from Microsoft resources but aims to help you challenge your internal processes and vendors.

Watch the Microsoft Mechanics overview to learn more.

Cloud MDM and AV, what else?

We’ve got secure devices, how do we ensure that end-users have the security they need?

The product

A hot take is that if you have nothing else enforced and you only did CA policies well, you’ll prevent the vast majority of cyber-attacks within your business.

Business Premium gives you the product: Azure AD Premium P1 (now called Microsoft Entra ID P1). This lets you enforce Multi-Factor Authentication with customised and automated policy control.

“But security defaults are switched on with my Exchange Online Plan 1 licence”

They aren’t the same thing. While Security Defaults will block legacy auth methods and enforce MFA for everyone, there’s no customisation around locations, apps, users or device types, and no exclusions. It probably means you’re on Azure AD Free too, which only gives you 7 days of sign-in log data.

I’ve seen all sorts of scenarios where companies have tried to PowerShell their way around the limitations of Security Defaults. The end result is usually user error, and it could cause a breach if not dealt with promptly.

Device Control

Iโ€™m going to talk about Intune again.

Within Intune you can create a device compliance policy. For example, do Windows enrolled devices meet the following criteria:

  • Firewall enabled
  • AV enabled
  • Defender for Endpoint machine risk score (be careful with this one: a device that crosses the threshold is marked non-compliant and loses access until the alert is resolved)
  • BitLocker drive encryption
  • Complex password
  • etc.

If a device doesn’t meet those requirements, we can use Conditional Access to prevent it from accessing anything that relies on the Microsoft 365 account login. The other benefit of requiring a compliant device is that a personal, unenrolled machine can never be marked compliant, so the same rule blocks access from non-company-owned devices.
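The compliance-plus-Conditional-Access pattern above, and the earlier point that Security Defaults cannot be scoped by user, app, platform or device, as an added example that is not from the article: this PowerShell uses the Microsoft Graph PowerShell SDK’s Invoke-MgGraphRequest against the documented Graph endpoints to create a Windows compliance policy with the checks listed, assign it to all devices, and create a Conditional Access policy that requires MFA and a compliant device on Windows and macOS. The policy names, the 12-character password length, the Medium risk cap and the break-glass group ID are my assumptions; the CA policy is deliberately created in report-only mode.

```powershell
# Added example (not the article's code). Requires the Microsoft.Graph PowerShell SDK
# and an account that can manage Intune and Conditional Access. Group ID is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: group holding emergency-access accounts

# 1. Windows compliance policy: firewall, AV, BitLocker, complex password, Defender risk cap.
$compliance = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'Windows - corporate baseline'
    activeFirewallRequired                      = $true
    antivirusRequired                           = $true
    antiSpywareRequired                         = $true
    defenderEnabled                             = $true
    rtpEnabled                                  = $true
    bitLockerEnabled                            = $true
    secureBootEnabled                           = $true
    passwordRequired                            = $true
    passwordRequiredType                        = 'alphanumeric'
    passwordMinimumLength                       = 12
    # The "be careful" setting: a device whose Defender for Endpoint risk rises above Medium
    # becomes non-compliant and is cut off by the CA policy below. 'high' cuts off fewer devices.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Required on create: the action when a rule fails. gracePeriodHours 0 = non-compliant immediately.
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($compliance | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 2. Assign the compliance policy to all devices.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 3. Conditional Access: all users, all cloud apps; Windows/macOS must pass MFA AND be compliant.
#    A personal laptop can never be marked compliant, so the same grant blocks it.
#    Unlike Security Defaults, this is scoped by platform and excludes the break-glass group.
$ca = @{
    displayName   = 'CA - Require MFA and compliant device (Windows, macOS)'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows', 'macOS') }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
$caPolicy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($ca | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Compliance policy $($policy.id) and CA policy $($caPolicy.id) created (CA in report-only mode)."
```

Two caveats when moving from Security Defaults to this: the policy above does not block legacy authentication (Security Defaults did that for free), so add a separate CA policy that blocks the exchangeActiveSync and other client app types; and always keep a break-glass exclusion and review the report-only results in the sign-in logs before enabling, because a compliance rule that nobody meets on day one locks the whole company out.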

A monumental red flag that I hardly see any businesses protecting from is access to work resources from personal machines. Even IT providers don’t have this stuff enabled most of the time.

I made a post on LinkedIn recently to get people thinking about this.

Bring your own device

On the subject of being all modern with BYOD, how do we manage this aspect? People want the flexibility of viewing emails and Teams chats away from the PC, but again, how are we preventing that data leaking out via their personal phones?

App Protection Policies backed by Conditional Access

In my opinion, personally owned Windows and macOS devices are simply out of the question when it comes to directly accessing work data from them. My CA policy would require a compliant Intune managed corporate owned device.

For mobile devices, there are secure controls for it. Using Intune App Protection Policies, we can define a secure, containerised environment for our corp data to be accessed from the personal Android/iOS device. One of the default policy types is a profile to protect all data that is accessed via M365 apps.

We can enforce encryption, and require secondary access requirements like prompting for biometric input or PIN before the work app is launched.

These policies prevent data from being copy/pasted into apps like WhatsApp or Facebook Messenger. If the user leaves or loses their phone, we’re able to remove the corporate data right from the Intune portal.

Without these policies in place, if an employee is suddenly made to leave the company, they can quickly egress data to other mediums that could include company secrets and intellectual property.
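The containerised BYOD setup described in this section, as an added example that is not from the article: this PowerShell uses the Microsoft Graph PowerShell SDK’s Invoke-MgGraphRequest against the documented Graph endpoints to create an iOS app protection policy with PIN/biometric on launch, encryption, clipboard and Save As restrictions, and a selective wipe after a long offline period; targets it at the Microsoft 365 apps; assigns it to all licensed users; and adds a Conditional Access policy so personal iOS/Android devices can only reach Office 365 data through an app that has the policy applied. The policy names, timers, PIN length, bundle IDs and the break-glass group ID are my assumptions (verify the bundle IDs against the app list in the Intune portal); the CA policy is created in report-only mode.

```powershell
# Added example (not the article's code). Requires the Microsoft.Graph PowerShell SDK.
# The Android equivalent posts to /androidManagedAppProtections with largely the same
# properties (Android uses encryptAppData instead of appDataEncryptionType/faceIdBlocked).
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: emergency-access group

# 1. The container: PIN/biometric on launch, encryption at rest, no cut/paste or Save As
#    to personal apps, no backup, and a selective wipe if the app cannot check in for 90 days.
$app = @{
    displayName                             = 'iOS - BYOD data protection'
    periodOnlineBeforeAccessCheck           = 'PT30M'   # re-check policy every 30 minutes while online
    periodOfflineBeforeAccessCheck          = 'PT12H'   # block access after 12 hours offline
    periodOfflineBeforeWipeIsEnforced       = 'P90D'    # selective wipe after 90 days without check-in
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = 'numeric'
    fingerprintBlocked                      = $false    # allow Touch ID / Face ID in place of the PIN
    faceIdBlocked                           = $false
    appDataEncryptionType                   = 'whenDeviceLocked'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'           # no share-to-WhatsApp etc.
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn' # copy stays inside work apps
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true     # links open in managed Edge, not Safari
    deviceComplianceRequired                = $false    # personal devices are not Intune-enrolled
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections' `
    -Body ($app | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 2. Target the apps that will hold work data (bundle IDs assumed; check them in the portal).
$bundleIds = 'com.microsoft.Office.Outlook', 'com.microsoft.skype.teams', 'com.microsoft.skydrive',
             'com.microsoft.Office.Word', 'com.microsoft.Office.Excel', 'com.microsoft.Office.Powerpoint'
$targets = @{ apps = @($bundleIds | ForEach-Object {
    @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = $_ } }
}) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 3. Assign the policy to every licensed user; an unassigned APP policy protects nobody.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 4. Conditional Access: on iOS/Android, Office 365 only via an app with an APP policy applied.
#    Including 'browser' closes the "just use webmail in Safari" route around the container.
$ca = @{
    displayName   = 'CA - Require app protection policy on iOS and Android'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantApplication') }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($ca | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null
```

The offboarding case in the paragraph above is covered by the periodOfflineBeforeWipeIsEnforced timer plus a selective wipe from the Intune portal; the wipe removes only the data inside the managed apps, so a leaver’s personal photos and messages are untouched, which is what makes this acceptable on a personal phone.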

Manage this with Business Premium!

We haven’t even talked about productivity

You already know about Microsoft Office and Exchange Online, that was the big project for you five years ago.

The big project for you now is managing a remote workforce and the new security challenges that come with it. This is why smart IT companies have made the pivot to offering cyber security services as a priority product, although the main product isn’t actually cyber security, it’s business availability assurance.

The days for companies only selling email and access to Office 365 desktop applications are numbered. Providers who engage proactively with the latest trends and recommendations are not only the best choice for their customers, but also securing their own future and growth.

If you are part of an organisation that still implements on-premises Active Directory servers for every single client no matter the scope or size, then it’s only a matter of time before the directors at your client companies hear something more exciting from their friends and begin the hunt for a provider who can modernise them.

Microsoft 365 Business Premium, in my view, is the single best package out there to make a start on the modern workplace journey (note that Microsoft caps each Business SKU at 300 licences; beyond that you are into the Enterprise SKUs, although the two can be mixed in one tenant).

Want to know more about how this powerful solution can support your business? Get in touch and speak with our experts.