Hey guys, it's Nick. Welcome to another episode of T-Minus 365. If you guys are curious about best practice around securing your devices within your organization, stay tuned, because in this episode I'm gonna be walking you through the best practices around the security settings and controls for Microsoft Intune in the Intune admin center. Additionally, I'll be giving you some resources, such as a matrix where I map these controls to the CIS controls, and I'll supplement a blog post as well too with more enablement material like video tutorials for all of these settings, and additionally the end user impact as well, because I think that's really important. As we're walking through this video, scroll down to the comment section and comment what you're doing today in Microsoft Intune to secure your environment. And as always, if this content is helpful, go ahead and like and subscribe to the channel. Otherwise let's go ahead and dive in … Just a quick note before we get into it here: I will link this below in the blog post, which is this matrix you can use as your checklist. These are all the controls that we're going to be covering today, and you can use this across your own tenant or the tenants that you manage. And you can simply say whether or not you've configured this particular setting and configure some justification reasons. Maybe you're using a third party tool, maybe you don't have the correct licensing in certain cases. So this is just really giving you the flexibility to use this in one to many tenants. And I have things here like the importance level, the end user impact level, the licensing considerations for what you need to do. And then we have all of our CIS controls here as well too, with the … two, three rankings as well too, or selections, for each one of these controls. So it's definitely a helpful resource. I am building this out across the entire suite offering, and I will have a form on my blog post where you can sign up for early access to that as well too.
If you guys want to get this across all of the suite offerings from Microsoft, as you can see here. Diving into Intune here though, I'm going to be going pretty quickly because we have a lot of controls to cover. Just note, like I mentioned, the blog post will have a lot more in-depth information for you to check out around how to set these policies up and how it impacts end users. But I will be going through each one of these briefly. So the first one I want to talk about here is personal devices being restricted from enrolling in the MDM solution. If you're an organization, you definitely want to make sure that you have all of your solution stack on these devices so that they're protected, and that includes things like your AV protection, your endpoint protection, maybe your RMM tool for troubleshooting, things like that. So you don't necessarily want to have personal devices enroll into the organization and access corporate data on a device that could be compromised. So within the Endpoint Manager admin center here, or the Intune admin center as it's now known, we can go under the Devices section, and we can go under Device enrollment, Enroll devices, click on the device platform restrictions, and you could technically modify the default policy or create a new policy here, but essentially within the platform settings section you would want to configure this to block for all. So it's just assuring that you only have corporate owned devices that are enrolling into Intune. And this is going to obviously impact end users who are trying to access corporate data, maybe if you're enforcing a device compliance policy, which we'll get into, but essentially I believe you would only want corporate devices enrolled in your organization. The next thing I want to talk about is removing devices that haven't checked in in over 30 days.
So basically just removing stale devices out of our main instance there. We only want authorized devices, and we don't want to have stale inventory that's kind of messing with all of our metrics here as far as reporting goes. So under the Devices section you can come in and you could scroll down here to Device clean-up rules, and you can set this to yes as far as the last check-in date/time, and you can specify this. 30 days is a good one to put in here, but you might also want to do 60 to 90 depending on if there's people who aren't accessing devices for that period of time potentially in the organization that you're configuring this for. And additionally, if you're using Intune as a source of truth for inventory management, there's some additional considerations with that as well too. So this is an important setting as well too, just to clean up stale devices to make sure we only have authorized devices in our inventory. The next recommended control for you here is to configure a device compliance setting for every device platform that you're going to be supporting. So within here you're going to go into the Devices section, and under there you have your compliance policies. And from here you have the ability to go ahead and create policies and define the OS or the platform that it's going to be supporting. So in most cases here you're always going to create ones for your Windows devices. You may also create ones for macOS if you're supporting them, but essentially here you're defining what makes a device compliant within your organization. And this includes all the system security settings, the encryption settings on the device. So it's extremely important that you configure that to understand what devices are meeting your compliance standards and which ones are falling outside of compliance.
Another more restrictive setting here for end users that we're gonna get into next is setting a device compliance policy which removes or restricts access to users whose devices fall out of compliance and are noncompliant. So essentially here you can go under the Endpoint security section and you can create a conditional access policy here. And we're going to create multiple as part of the controls that we'll be showing you today here, but you can name this something like device compliance, and you could add the users or groups. But the main thing here under the grant section is that you're going to require the device to be marked as compliant to grant access to corporate resources. And so most likely you'd want to scope this to all users or groups and all applications, but you'd want to have a break glass account in there just to make sure you don't get locked out of the account. So this is a really restrictive setting: if a user has a device that falls out of compliance, they won't be able to access any of the corporate data, they won't be able to log in. So that's the thing that you need to be aware of: they need to have a way to contact you, as far as the help desk or support desk goes, so that they can remediate that device issue, get it back into compliance, so they can then access corporate data again. The next setting is requiring MFA for device enrollment into Intune. When we're thinking about devices enrolling, we want authorized users and authorized devices coming on to our network and accessing corporate resources that potentially are pushing down from Intune. So we wanna enforce additional security there with two factor authentication. In the portal here you can go back into the Endpoint security section, back on your Conditional access.
And we can create a new policy here. I'll call this something like MFA for device enrollment … And you could scope that to all users or groups again, but the main thing here in the cloud apps section is under user actions: we're going to say register or join devices, and then under the grant controls we require multifactor authentication. So these are just some settings here that you can configure to help ensure that users are prompted for that second factor when they're enrolling a device. And additionally, if this is a new device out of the box and they're trying to enroll it here and it's not already through the Windows Autopilot program, you can look at something like a temporary access pass, which I'll link for information purposes in the blog post as well. Next we want to make sure our devices are configured securely, and there's a lot of ways to do that within the Microsoft Intune admin center. But one of the ways that Microsoft provided here, as more of an accelerated approach, is under Endpoint security here in Security baselines. This is at least for Windows 10 and greater devices here. So within here you can configure a security baseline, and I'm just going to call this test … or as close to test as I can get there. And then below you have all of your various security settings, which are pre-configured with Microsoft recommendations, recognizing that the landscape, as far as all the settings that you can configure, is constantly changing. There's a lot to keep up with there from just a knowledge perspective, so they're giving you these recommendations. And additionally you can configure these in multiple different ways through configuration profiles or things like that within the Intune portal. So I'll also link below some of the ways you want to basically avoid any type of conflicts with the policies you're creating, but at minimum you should be deploying a security baseline to all of your devices here.
And obviously with this type of scope, meaning that there's so many different settings that you're pre-configuring here, you obviously want to test this on a scaled approach out to the end users, much like a patch cycle, where you do it in a small deployment to your champions and then move slowly out from there, just to make sure that these settings aren't going to break anything like line of business applications or really disrupt user workflows. The next two controls we'll talk about are related to patching. So within the Endpoint Manager or the Intune admin center we have the ability to push out patch cycles. One of which, for Windows devices, is the Windows Update rings, or the Windows Update for Business rings, however you want to label that, but essentially in here we're able to create a profile in which we're establishing the rings, and we're establishing the deferral periods for both the quality and feature updates. And so there's a lot of configuration settings that you have here from a Windows perspective. You can also control how much the user can delay those as well too before they're automatically pushed out, and the times at which they're updated. This may be a setting that you're using or configuring today within your RMM tool, but again this is how you could do this within the Intune admin center. The next control is also related to patching, but for macOS or Apple devices. And so within here you can go back under the home section, go into Devices, and underneath the sections here by platform, you could go under this section here for macOS, and you can see the update policies for macOS which you can configure, and you can configure the configuration type as far as how that's being deployed, much like the Windows Update rings. And then back on the Devices section you also have the iOS/iPadOS update configuration settings you can use as well too for the updates to those devices.
Next we're going to get into the app protection policies that you can create for mobile devices, so that users don't have to enroll their personal cell phones, for instance, to get access to corporate data, but you can still protect and wipe that corporate data remotely off of that device without actually remotely wiping the entire device itself. So it provides a lot of protections there, and it allows you to implement additional security for the corporate data that people are accessing, such as requiring an additional PIN or biometrics for getting into the application, or actually restricting cut, copy, paste capabilities to unmanaged applications that you define. So think of copying a Word document and pasting it into a personal OneDrive, for instance, or saving it into a personal OneDrive, and being blocked from doing so with the settings that you're configuring. So within here you have the Apps section and you have app protection policies here, and you can scope them by platform again here. So you'd want to create one for both the iOS and Android side of the house here. So whenever you do so, again just quickly going through these, you can choose whether this is for managed or unmanaged devices depending on how you deploy that within your organization. And then underneath here I definitely recommend scoping this to all Microsoft apps or core Microsoft apps, or be selective with the apps that you're choosing here. Um, all Microsoft apps is a good recommendation because that's likely where you have all your data. You may have some other third party applications you want to add to this list, but that's a good one to start off with here. And then you can choose the backup protection or the data protection settings here, along with the access requirements as well too. So this can encrypt the data on that actual device; you can do other things here like requiring the PIN for accessing the data as well too. And then you could actually wipe that remotely, or when something happens,
like the device is jailbroken, for instance. So a lot of cool controls here, but a great way to manage data on devices that are fully under management. So in a similar vein we also want to dictate what applications the user is accessing our corporate data on from a mobile perspective. And a clear example of that is giving the user the ability to be redirected from the native mail client on their iPhone, for instance, into the Outlook application, that we can control, we can encrypt, we can remotely wipe as well from a data perspective, so that they don't have siloed data on their personal device, for instance. So to configure this setting we go under Endpoint security, we go under Conditional access here, and we're going to create a new policy. I'll just call this one approved client apps. You can scope this to the appropriate users, groups, appropriate cloud apps, things like that, but under the grant controls here, the main setting is that you're going to require an approved client app. And you can also, as you can see here, require the app protection policy as part of this as well too. It's a good combination to use, and you can see the list of approved client apps, which is basically the ones that I've touched on as the example, like your basic Microsoft suite like Outlook, Word, Excel, PowerPoint, for instance, versus using some type of third-party tool, a third party application I should say, to open that particular piece of information or portion of the client data. Next, another high level setting you always want to implement across your devices is controlling the lock screen and password requirements for each device platform that you're going to support. And in Microsoft Intune this can be configured a variety of different ways, through various configuration profiles, compliance policies, or security baselines.
And I've documented that in the blog post, so definitely check that out as far as where you can configure these settings and making sure that you don't create device conflicts whenever you're setting those up. But as an example here I could go into Devices and I can go into the compliance policies here. And underneath there I can create a policy, and let's just say I'm doing this for macOS this time. I'll go ahead and create this and I'll just call this test again. And then underneath you have your system security settings, in which you can define the password requirements and the minutes of inactivity before a password is required. So this is just one example, but you can do this across the … platforms that you may be supporting, like Android. Obviously Windows is probably most common, along with iOS as well too. Next, another basic one you should always be configuring in your environments is enforcing device encryption whenever you're looking at the devices you have under management. So this one's pretty straightforward. Under the Endpoint security section, you can go under Disk encryption and you can create a policy for both macOS and for Windows 10. And so I have one already here for BitLocker, but if you didn't, it'll walk you through the settings, and for macOS the FileVault settings. Just note again, consistent theme here: you are able to configure this in other locations, like a configuration profile for instance, and you don't want to have settings that conflict with each other, cause it'll create some problems most likely within your environment. For our iOS and Android devices you could set up the encryption settings via the compliance profiles or the configuration profiles that you have here. And additionally, if you're using app protection policies, you can configure encryption of that data without the device being fully managed, and we touched on that a little bit earlier.
I just want to touch on all the different ways that you can encrypt, from both a disk perspective and an application perspective. Next setting here for Windows devices: you want to configure Windows Hello for Business if it's available on that actual device, just as an additional second factor, another factor that isn't reliant on passwords, in the future. So it's a biometric that you can use here for some additional security on Windows devices. But if you want to configure that you can come under Devices, you can go under Windows, and you can go under Windows enrollment, and you'll have this Windows Hello for Business here, and this is where you can configure all of the settings. Again, consistent theme: this is also located in different places around the application, like configuration profiles that you can tap into, but I'll link some documentation as well too so you can see how to set this up. Next we're going to shift into another policy related to applications. So within Intune you can push out applications to all your devices here, and this includes things like Win32 apps, could include line of business applications as you have, it could be applications that you find from the Microsoft Store, or that are custom here that you want to deploy. And Intune can manage both the deployment and the updates of those applications as well too within your environment. And ideally we want to push down all of the applications with which we're securing our devices here, again like our AV or endpoint protection policies, maybe our RMM tool as well too, just to have that fully on the device and have those authorized applications in the inventory of them, going out to newly owned devices through Windows Autopilot or ones that are joined to our corporate network through the out-of-box experience as well. So within Intune here you go into the Apps section, and under All apps you can see a list of the applications that you've deployed, and you can go ahead and add them by device type.
And there's some newer functionality in here that Microsoft introduced, integrating directly into package managers like winget. So that instead of having kind of a clunky process through deployment, you can actually go through and search for applications as well that you may want to deploy, and Microsoft, using the native integration with winget, can actually keep that application up to date as well too over time. So this is definitely something that you want to configure for all the devices and the applications you want to support within the organization or the organizations that you manage today. In a similar vein, for new devices that come through the out-of-box experience, we do want to define the experience for that user, in that they are not able to start leveraging the device until our approved applications, our required applications, are actually installed on that device. So just thinking of a user accessing a device maybe even before our security protections are in play: it's not necessarily something that we want to do, cause it could be compromised in a short matter of time before the applications have finished installing. So within here you can go under the Devices section here, and you can go under Windows devices, and you can click on Windows enrollment, and you can click on the Enrollment Status Page here. And so within here you can go ahead and click on create, and I'll just say test again … And then when you click on yes here for show app and profile configuration progress, you have a lot more settings that you can use here. And there's a couple of settings you can see here that relate to applications, one of which is block device use until apps and profiles are installed. And then this other one here is a little bit more granular, specifically to applications, where you're requiring certain applications to be installed.
A good thing to note here is if you have a lot of applications in your environment, you may just want to say that you have these three blocking apps, which may be your security applications that are protecting that device, before the user actually gets up and running. So just another way to kind of help secure them immediately as far as whenever they're first accessing that device. The last setting here is more related to process, but it's heavily important, and it's related to remotely wiping both devices and applications whenever a user leaves an organization or they have the device lost or stolen. So within the Intune portal here you can go under a particular device, for instance, and you can click on that device in general, and you can click on Wipe, which will remotely wipe the device here as well, to get that data off of the device, and the configuration. Additionally, for Windows devices you could use the ability within Windows Autopilot to do a Windows Autopilot reset for devices, which I'm not going to get into here. But the last one I wanted to show here is just the app selective wipe. So if you have the app protection policy set up and you want to remotely wipe data off of a personal device, you could create a wipe request here, and that would remove the data, the corporate data, off of that device. And so when the user goes to re-access Outlook, for instance, they won't be able to see any of that information or do anything with it there as well too. So just additional protections there, especially around change management in that experience. Finally, just as a bonus here, the CIS Benchmarks have come out here with a new benchmark for Microsoft Intune, as it relates to both the Windows 10 and Windows 11 OS platforms. So you can see this here: you have your Windows 10 benchmark and Windows 11 benchmark.
These two are extremely verbose, including an incredible amount of detail on how to go ahead and manage, or the configuration settings you could have for, these particular devices. And it's a little outside the scope of the high level view that I wanted to provide in this video, but I would definitely recommend checking it out, or getting somebody in your organization to kind of review this over time to see if there's any of these security settings that you could implement within your organization for best practice. But I just wanted to touch on that as well too because it is important; it is related to the mappings that I've already created for the CIS controls, with everything that I've shown you today. Okay guys, that's everything I wanted to showcase in today's video. Definitely check out my blog post below with a lot more of this material in depth, as far as all the enablement content, the end user impact, PowerShell scripts, along with the checklist that you can use for your own environment to make sure you're checking off these controls, and that's all mapped to CIS as well. I recognize that there's a heavy asterisk next to these best practices depending on your environment. There's a lot of different use cases out there, but these are just ones that I recognize as well too for more of a cloud-first approach to securing devices, leveraging Microsoft Intune on the backend. If you have any questions or comments about anything I covered today, definitely leave those below. And like I mentioned at the beginning of the video, like and subscribe if you guys want to see more content around Microsoft and the MSP space. Thanks guys, have a great day …
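As an added example (not code from the video, its blog post, or Microsoft), here is how the three conditional access policies walked through above could be created reproducibly with the Microsoft Graph PowerShell SDK: each lands in report-only mode with the break-glass group excluded, and a final check flags any enabled policy that lacks that exclusion. The placeholder group id, the `New-ReportOnlyCaPolicy` helper name, and an installed Microsoft.Graph.Identity.SignIns module are assumptions.

```powershell
# Added example, not from the video or its blog post.
# Assumption: replace the placeholder with the object id of your break-glass group.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Applications,     # includeApplications or includeUserActions
        [Parameter(Mandatory)] [string[]]  $BuiltInControls,
        [string[]] $Platforms                                 # omitted = all platforms
    )
    $conditions = @{
        clientAppTypes = @("all")
        # Break-glass exclusion so a misconfigured policy cannot lock every admin out.
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = $Applications
    }
    if ($Platforms) { $conditions.platforms = @{ includePlatforms = $Platforms } }

    $body = @{
        displayName   = $DisplayName
        # Report-only first: review the impact in sign-in logs before switching to enabled.
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = $BuiltInControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Device compliance: only devices Intune marks compliant reach corporate resources.
New-ReportOnlyCaPolicy -DisplayName "Device compliance" `
    -Applications @{ includeApplications = @("All") } `
    -BuiltInControls @("compliantDevice")

# 2. MFA for device enrollment: the "Register or join devices" user action.
New-ReportOnlyCaPolicy -DisplayName "MFA for device enrollment" `
    -Applications @{ includeUserActions = @("urn:user:registerdevice") } `
    -BuiltInControls @("mfa")

# 3. Mobile: require an approved client app or an app protection policy, scoped to iOS and Android.
New-ReportOnlyCaPolicy -DisplayName "Approved client apps" `
    -Applications @{ includeApplications = @("All") } `
    -BuiltInControls @("approvedApplication", "compliantApplication") `
    -Platforms @("iOS", "android")

# Check: an enabled policy that does not exclude the break-glass group is a lockout risk.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" -and
                   $_.Conditions.Users.ExcludeGroups -notcontains $BreakGlassGroupId } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' does not exclude the break-glass group" }
```

Flip `state` to `enabled` only after the report-only results in the sign-in logs show the expected users and devices being affected.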