sbradley
Contributing Writer

Managing security in the cloud through Microsoft Intune

How-To
Mar 29, 2023, 6 mins
Cloud Security, Microsoft, Microsoft Azure

Microsoft’s cloud-based endpoint management service extends Active Directory features to Microsoft Azure cloud.

For many years, the Group Policy feature of Microsoft’s Windows has been the go-to solution for controlling workstations, deploying software and settings, and in general making a network manageable by information professionals. It does, however, require a traditional domain with an Active Directory deployment. Many organizations already have Active Directory (AD) and will keep an AD domain for many years into the future.

What if you didn’t have such a domain to deal with, or were starting over fresh with a totally distributed network linked together only by cloud connections? You would probably turn to Microsoft’s Intune, a cloud-based unified endpoint management service for both corporate and bring-your-own-device technology. Intune extends the functionality of some Active Directory features and that of the Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.

New Intune features

Intune has slowly but surely been chipping away at the gap between on-premises control tools and cloud-based tools, and Microsoft recently announced several new features. First up is an additional emphasis on least privilege. Microsoft is continuing to improve and advance its solutions to ensure that we stay one step ahead of attackers. For many years, Microsoft provided a toolkit so that network administrators could keep the local administrator accounts on workstations more secure. We would often use the same local administrative password to begin the deployment of workstations.

But attackers knew we were doing this and would use that common local password to move laterally through a network. The Local Administrator Password Solution (LAPS) was introduced to randomize these passwords, but it required a domain and an Active Directory. What if your network was all cloud-based and didn’t have a domain? In addition, there are already known tools designed to go after the LAPS solution on your network. While running without administrative rights is the goal, the reality is that we still need elevated privileges at times to perform certain tasks.
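The lateral-movement risk described above is easy to model. The following is an added example, not code from the article or from Microsoft: it audits a constructed workstation inventory for local administrator credentials that are shared across hosts, computes how many other hosts a single compromised host’s local credential would reach, and then shows how per-device random passwords (the approach LAPS takes) reduce that reach to zero. Hostnames, passwords and the fingerprint scheme are all constructed sample data; a real audit would compare whatever credential material your inventory tooling actually records.

```python
"""Audit a workstation inventory for shared local administrator credentials.

Added example, not part of the article. The inventory, hostnames and
passwords below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import secrets
import string
from collections import defaultdict


def fingerprint(password: str) -> str:
    """Non-reversible fingerprint used only to detect credential reuse."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed inventory: hostname -> fingerprint of the local Administrator
# password as set at imaging time. WS01-WS04 came from the same image with the
# same password; WS05 and WS06 were set up by hand with distinct passwords.
SAMPLE_INVENTORY: dict[str, str] = {
    "WS01": fingerprint("ImagingPass2023!"),
    "WS02": fingerprint("ImagingPass2023!"),
    "WS03": fingerprint("ImagingPass2023!"),
    "WS04": fingerprint("ImagingPass2023!"),
    "WS05": fingerprint("h7#Qz-unique-one"),
    "WS06": fingerprint("unique-two-Kp9$"),
}


def find_shared_credentials(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Return fingerprint -> sorted hostnames for every credential used on
    more than one host. An empty dict means no local admin password is shared."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host, fp in inventory.items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def blast_radius(inventory: dict[str, str], compromised_host: str) -> int:
    """Number of *other* hosts whose local admin credential is identical to the
    compromised host's, i.e. hosts reachable with that one recovered password."""
    fp = inventory[compromised_host]
    return sum(1 for host, other in inventory.items()
               if other == fp and host != compromised_host)


def rotate_per_device(hosts: list[str], length: int = 24) -> dict[str, str]:
    """Generate an independent random local admin password per host, the way a
    LAPS-style rotation does. The plaintext would normally be escrowed in the
    directory; here it is returned so the caller can re-fingerprint it."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return {host: "".join(secrets.choice(alphabet) for _ in range(length))
            for host in hosts}


def inventory_from_passwords(passwords: dict[str, str]) -> dict[str, str]:
    """Build a fingerprint inventory from per-host plaintext passwords."""
    return {host: fingerprint(pw) for host, pw in passwords.items()}


if __name__ == "__main__":
    shared = find_shared_credentials(SAMPLE_INVENTORY)
    for fp, hosts in shared.items():
        print(f"shared local admin credential on {len(hosts)} hosts: {hosts}")
    print("blast radius from WS01 before rotation:",
          blast_radius(SAMPLE_INVENTORY, "WS01"))

    rotated = inventory_from_passwords(rotate_per_device(list(SAMPLE_INVENTORY)))
    print("shared credentials after per-device rotation:",
          find_shared_credentials(rotated))
    print("blast radius from WS01 after rotation:",
          blast_radius(rotated, "WS01"))
```

Run as a script it reports the four imaging-time hosts as one shared-credential group with a blast radius of three from any of them, and an empty group list with a blast radius of zero once every host has its own random password. The fingerprint is only a reuse detector; keep the escrowed plaintext in the directory, never in the audit output.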

Enter the Intune suite of additional add-ons. First, the bad news for all of you who currently subscribe to various Microsoft 365 offerings: this is an additional license over and above what you already have. Currently, the price tag for this offering is $10 a month. However, it does appear that Microsoft may have some options if you are a larger company.

While many appreciate the new offering and see the need for a bundle of settings and new tools, the largest feedback item has been the fact that it is yet another additional subscription on top of the E5 subscription. Intune Plan 2 will offer a lightweight VPN solution for Android and iOS devices (out now) and Management of Specialty devices (out at a later date).

Intune endpoint privilege management

Microsoft recently announced Microsoft Intune Endpoint Privilege Management as part of the additional Intune suite; it is in public preview at this time and expected to be generally available in April 2023. Endpoint Privilege Management (EPM) allows you to set rules about who is allowed to run with elevated rights as needed, and when.

While I applaud Microsoft for recognizing and providing additional tools to ensure that attackers don’t continually use our lack of credential hygiene as a means to attack us, the fact that the Microsoft 365 E5 license is no longer the full security suite we once thought it was going to be is a concern. Vendors love subscription models. We, the buyers of software, do not. This is currently out in public preview with general release in April 2023.

Also included in the Intune suite add-on is Advanced Endpoint Analytics, which adds anomaly detection and an enhanced device timeline. Remote Help is getting integration with ServiceNow, which is expected in April.

Intune features in the development stage

When deploying and reviewing the features in Intune, you’ll also want to keep an eye on the features that are still in the development stage. Microsoft has a page you can bookmark that shows the release timeline for various new features. One advantage Intune has over traditional Active Directory is its investment in controlling platforms other than Windows: from Apple to Android, Intune is designing features specifically to manage and control such devices. Any of the Intune offerings can be used free for 30 days, and Microsoft offers 250 seats as a test site.

Windows Server Update Services (WSUS) is another venerable on-premises offering that hasn’t been updated in years. At first a separate download and now a role in Windows Server, WSUS made perfect sense when we were all in offices connecting to a centralized network. Now that we are distributed throughout the world, many of us are looking for alternatives. Even now, Microsoft has not put any additional effort into its code, and each year it needs third-party add-ons to be a usable product. Enter Windows Update for Business and the corresponding reporting. Do note that because it relies on telemetry, it does not align with US Government Community Compliance and is thus not available to Department of Defense customers.

Prerequisites for Intune

The prerequisites for Intune include:

  • An Azure subscription with Azure Active Directory
  • Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
  • Devices can be Azure AD joined or hybrid Azure AD joined.
  • Devices that are Azure AD registered only (Workplace joined) aren’t supported with Windows Update for Business reports.
  • The Log Analytics workspace must be in a supported region.
  • Data in the driver update tab of the workbook is only available for devices that receive driver and firmware updates from the Windows Update for Business deployment service.

For firms that are both consumers of Microsoft products and developers on the Microsoft platform, you’ll want to sign up for the Microsoft 365 Developer program. The offering supplies a 25-user Microsoft 365 E5 subscription so that developers in your organization can learn, create automation, and develop applications on the platform. You should use this for development and testing, not for business, so ensure that the users in your organization use this test setup under a specific Microsoft account reserved for development. It gives a firm the tools to test single sign-on with SAML/OIDC and to build appropriate documentation. Often the Microsoft 365 site will not provide the information you need unless you are running the appropriate license. The testbed is renewable every 90 days. You can then get an overview of your network patching and reporting.

The bottom line is that Microsoft knows that more and more of us need tools and techniques to control and manage devices that don’t check in with a traditional Active Directory domain. It’s up to you and your firm to decide whether Microsoft will be your cloud tool vendor going forward. Microsoft is clearly hoping that its history with your Active Directory deployments means you will consider them first.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
