Today, endpoint laptops are more important to security yet harder than ever to manage.  Users are still performing most of their corporate duties from a Windows computer.  Every installation of Windows from the lightest and thinnest laptop to the largest server is running a copy of the largest operating system in the world with all its yet-to-be-discovered vulnerabilities and sprawling attack surface.

Contributing Factors

Adding to the complexity of the issue is the fact that user endpoints are exposed to far more risk than your typical server.  This is because users are constantly downloading, opening, parsing, rendering, and otherwise processing untrusted content from the Internet in the form of web pages, documents, media, and other files. 

Moreover, most users aren’t cybersecurity professionals savvy to all the ways you can fall victim on the Internet – they are more-or-less non-technical users just trying to get their job done. 

These factors combine into a perfect storm: an environment in which it is easier for bad guys to infiltrate an organization and establish a foothold by achieving Execution (MITRE ATT&CK T???) on a single user’s PC.  That all-important foothold then lets them work on lateral movement to other systems and accounts. 

Current Landscape

This isn’t a new problem per se – securing hundreds or thousands of workstations on a typical corporate campus has always been a challenge.  That challenge, in turn, has created a niche for IT professionals who specialize in Group Policy, MS Systems Management, and alternative third-party products to protect their organization. 

The reality is, remote employees and working situations are here to stay. Unfortunately, I’m confident in my position that most organizations – even those with mature management in place – have regressed in terms of endpoint security, partly due to the pandemic as well as the subsequent rush to implement remote work solutions. 

Regardless of how confident someone is in the remote access work portal/gateway for their organization – the fact remains there are probably a ton of laptops out there not centrally managed and secured.  A highly secure remote access service provides little protection against a compromised endpoint where the attacker “becomes” the trusted, authenticated user. 

Taking Action for Your Organization

Active Directory domain membership with group policy management was a traditional method. However, its effectiveness over the Internet is reduced unless the endpoint is already joined to the domain and Windows DirectAccess or a robust VPN is implemented and always connected. 

Logically, one must explore other ways to manage those endpoints, with many options and technologies to consider.  Third-party mobile device management providers are attempting to fill the gap by extending their functionality to manage Windows endpoints – not just phones and tablets. 

Microsoft has responded with a confusing array of options with varying levels of integration and overlap with traditional on-prem technologies. As far as Active Directory is concerned, there are four different ways to connect a Windows endpoint to Active Directory whether on-prem or Azure AD:

Normal on-prem AD joined

This is the method we’ve known (and some of us loved) for several decades that supports group policy.  Remote endpoints are pretty much neglected unless you have a robust always-on VPN or DirectAccess.

Azure AD joined

This is for corporate-owned PCs.  You log in with an Azure AD account, which can originate in on-prem AD and be synchronized to Azure AD via Azure AD Connect.  No group policy is available.

Hybrid Azure AD joined

This pertains to corporate-owned PCs as well.  Azure AD Connect is a requirement here because your account must exist in both Azure AD and on-prem AD.  This provides SSO to the cloud and on-prem network.  It requires a “line of sight” to your domain controllers which means either a local network connection or some type of VPN. 

Recently, Microsoft has added the ability to allow remote users to hybrid join a laptop fresh from the factory, if the appropriate VPN is available and everything is set up correctly in Azure AD, the on-premises network, and Microsoft Intune.  When all these factors are properly aligned, group policy is an option.


Azure AD registered

This pertains to personally owned PCs that also need to be available for individual work purposes.  This makes it more convenient for users to access corporate resources with their Azure AD account and allows some management by Microsoft Device Management. 
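As an added example (not code from the article), here is a PowerShell function that maps the join flags reported by the built-in `dsregcmd /status` command onto the four categories above, so a laptop's state and whether it can receive group policy can be checked or inventoried; the flag names it looks for and the mapping are assumptions about that command's output.

```powershell
# Added example, not from the article: classify an endpoint's join type from the
# DomainJoined / AzureAdJoined / WorkplaceJoined flags that "dsregcmd /status" prints.
# Assumption: these field names match the dsregcmd output on your Windows build.
function Get-JoinState {
    param([string[]]$DsregOutput)   # lines from dsregcmd /status, live or saved

    $flags = @{}
    foreach ($line in $DsregOutput) {
        # Lines look like "   AzureAdJoined : YES"; keep only the three flags we need
        if ($line -match '^\s*(DomainJoined|AzureAdJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    $domain    = [bool]$flags['DomainJoined']
    $azure     = [bool]$flags['AzureAdJoined']
    $workplace = [bool]$flags['WorkplaceJoined']

    if     ($domain -and $azure) { $state = 'Hybrid Azure AD joined' }
    elseif ($domain)             { $state = 'On-prem AD joined' }
    elseif ($azure)              { $state = 'Azure AD joined' }
    elseif ($workplace)          { $state = 'Azure AD registered' }
    else                         { $state = 'Not joined or registered' }

    [pscustomobject]@{
        State              = $state
        GroupPolicyCapable = $domain   # only domain-joined (incl. hybrid) devices process GPOs
        Flags              = $flags
    }
}

# Live use on the endpoint being assessed:
#   Get-JoinState -DsregOutput (dsregcmd /status)

# Offline demonstration on a constructed sample shaped like dsregcmd output:
$sample = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
| User State |
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-JoinState -DsregOutput $sample
```

Run against the live command output on a fleet of remote laptops, the `State` and `GroupPolicyCapable` fields show which machines are outside the reach of group policy and need another management path.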

Remote Endpoint Management

Currently, Microsoft is attempting to unify classic Configuration Manager with Microsoft Intune, all under the umbrella of Microsoft Endpoint Manager.  Configuration Manager is the classic on-premises management solution to manage Windows systems.  Intune is Microsoft’s cloud-based mobile device management (MDM) for controlling applications, features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices.  You are likely familiar with the existence of both technologies since they’ve been around for years; the more recent development, however, is “co-management”. 

Co-management enables you to manage Windows 10 devices with both Configuration Manager and Microsoft Intune and is appropriate for organizations with an investment in Configuration Manager especially those utilizing features of Configuration Manager that Intune doesn’t support. 

One of the biggest such disparities is operating system deployment, but Configuration Manager is also important for advanced configuration scenarios, software metering, and server management.

Bottom Line

It’s evident there are many options for endpoint security, but at the end of the day, every endpoint must be secure whether it’s on the organization’s network or not, and whether it’s “owned” or not. 

I will be discussing this topic in more depth during my session at TEC: Questions Laptops Ask, and I’ll help make sense of the technologies out there to determine the best approach for your organization.

Windows Laptops, Remote Work and Today’s Threat Landscape

About the Author

Randy Franklin Smith

Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations. Randy has written over 300 articles on Windows security issues, which appear in publications like Information Security Magazine and Windows IT Pro, where he is a contributing editor and author of the popular Windows security log series. In 2003 Randy received the Apex Award of Excellence in the category of How-to Writing for his security feature “8 Tips for Avoiding the Next Big Worm.” He is also the publisher of UltimateWindowsSecurity.com and the Patch Observer newsletter, which provides same-day, independent analysis of Microsoft security bulletins.
