Modern Endpoint Management in the Cloud

by Rhoddy McKown

by Rhoddy McKown

January 10 Blog

It is that time of year again when we get a peek at the future and all the goodies that Microsoft has in store for us! Microsoft Ignite 2023 was a doozy with all things AI, Azure, and Security. I specifically want to focus on Microsoft’s direction towards cloud-only endpoint management. Microsoft Intune has been under constant development (and many name changes) and has become a true one-stop-shop for all things endpoint management-related.  In the Ignite 2023 session titled, “Modern Management Innovation Shaping Endpoint Security”, the Microsoft team highlighted their suite of tools and upcoming features that represent an incredibly holistic approach to endpoint management.

The Things That Are

While this seemed like a thing of the future not that long ago, fully cloud-only managed devices are now the norm. Creating “gold” images and thick provisioning systems is now considered legacy and the time to modernize those processes is now. Desktop engineering gold images is time consuming (believe me, I know), and they are out-of-date the moment the image is sealed. With Windows Autopilot in Intune, you can achieve a “drop ship” scenario in that the brand-new laptop can be shipped directly to remote end-users and it will self-provision as soon as the user logs in – no need to wipe the device and install an old version of Windows. This frees up IT staff to spend time working on other critical business functionality instead of imaging laptops. I myself have designed various Autopilot scenarios to fit different organizational needs, and the process is quite seamless and flexible.

Combine Windows Autopilot with Entra ID identity management and the rest of the Intune Suite and you have a fully Azure cloud-based, end-to-end lifecycle, endpoint management solution. With Intune alone an organization can apply quite granular controls over Android, iOS, Mac, Linux, and Windows endpoints. In a world where remote work is here to stay and a globally distributed “chasing the sun” workforce may be required for business continuity, cloud-only managed endpoints will be a necessity sooner rather than later. A few of my favorite Intune features are:

• Conditional Access policies – These can either prevent access to or require additional steps in order to access resources if specified requirements are not met.
• Configuration Profiles – These are akin to traditional GPOs but only require an internet connection and not domain connectivity.
• Endpoint Protection – Critical security policies such as BitLocker encryption and Privileged Identity Management for “just-in-time” local admin escalation for approved end-user actions.
• Apps – Package and deploy applications to Android, iOS, Mac, and Windows.
• Update Management – Control when endpoints receive Windows Updates and how users interact with reboots.

Microsoft Intune also seamlessly integrates with Microsoft Defender for Endpoint which is a best-in-class cloud-based security monitoring, alerting, and response platform. Intune can onboard devices to Defender for Endpoint and security hardening baselines can be applied to instantly improve overall security.

The Things That Shall Be

As a longtime Endpoint Management SME with a background in Configuration Manager, it is exciting to see how Intune has finally come into its own. Microsoft has created a robust toolset for a defense in depth security posture, and it feels like the time has finally arrived when Intune meets (and, in many areas, surpasses) Configuration Manager in terms of features. A few of the teased upcoming features due in February 2024 are:

• Cloud PKI for complete PKI lifecycle management.
• Advanced analytics for real-time device query and pivot data using KQL.
• Enterprise Applications Management, which is a catalog of pre-packaged apps ready to deploy (hallelujah!) as well as control updates.
• Mac management, which I am sure Jamf is not too excited about.
• Security Copilot in Intune is also due “soon” which is a game changer in terms of assisting with information security processes. Security co-pilot in Intune can receive plain language input and create recommendations and take actions such as creating Intune policies to strengthen an organization’s security policy.
• And additional specialty device/frontline worker device management functionality.

How To Get There

Microsoft Intune offers a swath of endpoint management tools, but the reality is that it is just the tip of the iceberg in the depths of Microsoft’s offerings. Many organizations are already paying for these tools with their current licensing structure but are unable to fully leverage them. Cloudforce has guided many of our clients on their cloud adoption journey and endpoint management is a keystone requirement every organization wrestles with. With SMEs in Autopilot, Intune, Entra ID, Microsoft 365 Admin Center, Defender for Endpoint, Microsoft Sentinel, and the full gamut of other Microsoft tools, Cloudforce has the expertise to design and execute any size endpoint management scenario.

______

Microsoft Ignite 2023: Modern Management Innovation Shaping Endpoint Security
Ramya Chitrakar, Steve Dispensa, Jeff Pinkston