Today, endpoint laptops are more important to security yet harder than ever to manage. Users are still performing most of their corporate duties from a Windows computer. Every installation of Windows from the lightest and thinnest laptop to the largest server is running a copy of the largest operating system in the world with all its yet-to-be-discovered vulnerabilities and sprawling attack surface.
Adding to the complexity of the issue is the fact that user endpoints are exposed to far more risk than your typical server. This is because users are constantly downloading, opening, parsing, rendering, and otherwise processing untrusted content from the Internet in the form of web pages, documents, media, and other files.
Moreover, most users aren’t cybersecurity professionals savvy to all the ways you can fall victim on the Internet – they are more-or-less non-technical users just trying to get their job done.
These factors create a perfect storm: an environment that is easier for bad guys to infiltrate and establish a foothold in an organization by achieving Execution (MITRE ATT&CK T???) on one user’s PC. That all-important foothold then allows them to work on lateral movement to other systems and accounts.
This isn’t a new problem per se – securing hundreds or thousands of workstations on typical corporate campuses has always been a challenge. That challenge, in turn, has created a niche for IT professionals who specialize in Group Policy, MS Systems Management, and alternative third-party products to protect their organization.
The reality is, remote employees and working situations are here to stay. Unfortunately, I’m confident in my position that most organizations – even those with mature management in place – have regressed in terms of endpoint security, partly due to the pandemic as well as the subsequent rush to implement remote work solutions.
Regardless of how confident someone is in the remote access work portal/gateway for their organization, the fact remains that there are probably a ton of laptops out there that are not centrally managed and secured. A highly secure remote access service provides little protection against a compromised endpoint where the attacker “becomes” the trusted, authenticated user.
Taking Action for Your Organization
Active Directory domain membership with group policy management was the traditional method. However, its effectiveness over the internet is reduced unless the endpoint is already joined to the domain and Windows DirectAccess or a robust VPN has been implemented and is always connected.
Logically, one must explore other ways to manage those endpoints, with many options and technologies to consider. Third-party mobile device management providers are attempting to fill the gap by extending their functionality to manage Windows endpoints – not just phones and tablets.
Microsoft has responded with a confusing array of options with varying levels of integration and overlap with traditional on-prem technologies. As far as Active Directory is concerned, there are four different ways to connect a Windows endpoint to Active Directory whether on-prem or Azure AD:
Normal on-prem AD joined
This is the method we’ve known (and some of us loved) for several decades that supports group policy. Remote endpoints are pretty much neglected unless you have a robust always-on VPN or DirectAccess.
Azure AD joined
This is for corporate-owned PCs. You log in with an Azure AD account, which can originate in on-prem AD via Azure AD Connect. No group policy is available.
Hybrid Azure AD joined
This pertains to corporate-owned PCs as well. Azure AD Connect is a requirement here because your account must exist in both Azure AD and on-prem AD. This provides SSO to the cloud and on-prem network. It requires a “line of sight” to your domain controllers which means either a local network connection or some type of VPN.
Recently, Microsoft has added the ability to allow remote users to hybrid join a laptop fresh from the factory, if the appropriate VPN is available and everything is set up correctly in Azure AD, the on-premises network, and Microsoft Intune. When all these factors are properly aligned, group policy is an option.
Azure AD registered
This pertains to personally owned PCs that also need to be available for individual work purposes. This makes it more convenient for users to access corporate resources with their Azure AD account and allows some management by Microsoft Device Management.
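The four join states above can be read from a device with `dsregcmd /status`. The following PowerShell is an added example, not code from the original post: it parses that output and maps it to the four categories. The field names AzureAdJoined, DomainJoined and WorkplaceJoined are real dsregcmd fields; the sample output is constructed so the script runs offline, and the field-to-category mapping is this example's own assumption.

```powershell
# Added example: classify a Windows endpoint by parsing `dsregcmd /status` output.
# Field names are real dsregcmd fields; the sample block below is constructed, and
# the mapping of fields to the four join states is an assumption of this example.

function Get-DsregFields {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Name : Value" lines inside boxed sections
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            # a key can repeat across sections; keep the first value seen
            if (-not $fields.ContainsKey($Matches[1])) { $fields[$Matches[1]] = $Matches[2] }
        }
    }
    return $fields
}

function Get-JoinType {
    param([hashtable]$Fields)
    $aad    = $Fields['AzureAdJoined']   -eq 'YES'
    $domain = $Fields['DomainJoined']    -eq 'YES'
    $wpj    = $Fields['WorkplaceJoined'] -eq 'YES'
    if ($domain -and $aad) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain)           { return 'On-prem AD joined (no cloud identity)' }
    if ($wpj)              { return 'Azure AD registered (personally owned)' }
    return 'Not joined or registered (unmanaged endpoint)'
}

# On a real endpoint replace the sample with:  $lines = dsregcmd /status
# Constructed sample output in the same layout, so the script runs offline:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

$fields = Get-DsregFields -Lines $sample
Write-Output ("Join type: " + (Get-JoinType -Fields $fields))
```

Run across a fleet (for example through a remote management channel), the "Not joined or registered" result is the list of laptops the post warns about: endpoints outside any central management.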
Remote Endpoint Management
Currently, Microsoft is attempting to unify classic Configuration Manager with Microsoft Intune, all under the umbrella of Microsoft Endpoint Manager. Configuration Manager is the classic on-premises management solution for managing Windows systems. Intune is Microsoft’s cloud-based mobile device management (MDM) for controlling applications, features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices. You are likely familiar with both technologies since they’ve been around for years; the more recent development is “co-management”.
Co-management enables you to manage Windows 10 devices with both Configuration Manager and Microsoft Intune, and is appropriate for organizations with an investment in Configuration Manager, especially those utilizing features of Configuration Manager that Intune doesn’t support.
One of the biggest such disparities is operating system deployment, but Configuration Manager is also important for advanced configuration scenarios, software metering, and server management.
It’s evident there are many options for endpoint security, but at the end of the day, every endpoint must be secure whether it’s on the organization’s network or not, and whether it’s “owned” or not.
I will be discussing this topic in more depth during my session at TEC: Questions Laptops Ask, and I’ll help make sense of the technologies out there to determine the best approach for your organization.