A Journey to Holistic Cloud Protection with the Microsoft 365 Security Stack Part 3 - Devices
Published Mar 30 2020 06:42 AM 2,794 Views

For our second stop on the journey to holistic cloud protection with the Microsoft 365 security stack we will be discussing Device security.  For anyone new joining us on this journey please ensure you check out Part I: Overview and Part II: Identity Security to get caught up prior to reading Part III: Device Security which will be discussed during this article.


When speaking about devices we use to only concentrate corporate issued Windows desktops or laptops, but times have changed.  Devices now could mean anything from corporate issued to personal owned devices running Windows, MacOS, iOS or Android.  The diversification of platforms and ownership of devices requires a two-pronged approach to device security.  During this stop we will be focusing on device management where devices are enrolled.


Microsoft Endpoint Manager:

  • What defines a secure device?
  • What configurations are required in order to connect to your corporate data?
  • If a device is lost or an employee goes rouge what can be done to mitigate the loss of data?

All of these questions are common among organizations.  With the Microsoft 365 security stack we leverage Microsoft Endpoint Manager (Intune + SCCM) as the device management solution.  Whether your devices are cloud only or split between SCCM using co-management, you can leverage the cloud to ensure devices are protected no matter where they go.  Below are some common scenarios where Microsoft Endpoint Manager increases your security posture for devices:


Issue #1: Only secure devices should access corporate data - The path to restricting access to corporate data revolves around the compliant status.  If a device is capable of enrolling into Microsoft Endpoint Manager, then it has the potential to become a compliant device which leads to the potential access of corporate data.


Solution: Enforce device restrictions, apply compliance policies and require compliant devices to access corporate data.

  1. Device enrollment restrictions need to be set to ensure only the device platforms, platform versions, and method of enrollment (personal/corporate) are allowed.
  2. Device compliance policies need to be assigned to create a security governance standard for all device platforms.  What defines a safe device?
    • Should devices that have no compliance policy assigned to them be noncompliant?
    • Should a Windows 10 laptop have BitLocker encryption?
    • Should an Android device require Google Play Protect to run?
    • Should an iOS device be jailbroken?
  3. Azure AD Conditional Access can be used to block access to corporate data from devices that are not compliant.


Issue #2: Group policy management is impossible with all these remote devices - The struggle to ensure devices receive group policies that rarely come back to the office or connect back inside the domain is real.  Creating solutions, workarounds or asking employees to come back into the office can be frustrating.


Solution: With Microsoft Endpoint manager there isn’t a need to come back into the office or connect back to the domain.  There are built-in capabilities to deploy configuration profile settings, over 1700 administrative templates, PowerShell scripts, and 100’s of custom CSP (configuration service provider) settings that can apply the same legacy group policies settings.  Common scenarios include:

  1. Using administrative templates to manage the OneDrive sync client by blocking personal account sync, enabling Known Folder Move and block sync from specific organizations.
  2. Using configuration profiles to require BitLocker encryption, Windows Hello for Business or blocking USB use.
  3. Branding the device with desktop background image, locked screen image and interactive login screen title with disclaimer message.  If options are not available in the UI use custom profiles with Windows CSP Policies.


Issue #3: Really wish I could do … remotely… - Ever needed to perform a remote action against a workstation or mobile device, but it was 100’s of miles away?  What about force a restart so an application could install?  How about wipe a device back to factory settings for someone or just remove all the corporate files to hand off the device to another user?


Solution: Multiple remote tasks are available in Microsoft Endpoint Manager which allows for quick resolution in times of security incidents or when an end user needs a helping hand.  A few scenarios are below:

  1. Factory wipe a device that was lost or stolen to reduce data loss.
  2. Enable “Lost Mode” for iOS that will lock the device, add a disclaimer message, enable “Locate Device” and even enabled “Sound Alert” during locate device mode to increase the chance of it being found.
  3. Rename a corporate owned Windows 10, iOS/iPadOS, or MacOS along with enforcing it to restart after rename.
  4. Reset Windows 10 PIN when using Windows Hello for Business .
  5. Rotate BitLocker keys for Windows 10


Microsoft Defender for Endpoints:

Malicious attackers threatening your endpoints are no longer strictly concerned with your Windows platform. The sophistication of attacks span across other platforms not only for the direct attack, but to compromise non-Windows platforms with the goal to compromise Windows devices.  There is a reason Windows Defender ATP was rebranded as Microsoft Defender ATP.

  • Defender for Endpoints for Windows 10 went GA in 2016
  • Defender Endpoints for MacOS went GA in June 2019
  • Defender Endpoints for Linux went GA in 2020
  • Defender for Endpoints for iOS and Android went GA in 2020

Microsoft Defender for Endpoints provides next generation protection on top of an already existing AV (Microsoft Defender AV for optimized integration), multi-dimension endpoint detection plus response, and automated investigation with remediation.


Issue #1: We don’t know what we don’t know!?!?! - Many organizations and teams don’t have the visibility to see what the organization’s current security posture is. How do you prepare for attacks and reduce your threat areas with little to no visibility?



  1. Leverage the Exposure Score and Configuration Score to understand the weaknesses discovered on devices, likelihood of a device to get breached, which devices have a higher value to the organization than others and understand how resilient your devices are to cybersecurity threat attacks.
  2. Discover software inventory being used across your endpoints, review each weakness found in the software along with specific versions and have direct access to remediation steps to resolve using security tasks through integration with Microsoft Endpoint Manager.
  3. Review security recommendations and see a prioritized list related to which changes will have the biggest security impact for roadmap creation.
  4. Using the Evaluation Labs you can simulate different forms of attacks using pre-built scripts and walkthroughs on virtual machines created within the Microsoft Defender Security Center.  This allows for organizations to create security game plans to initiate when real threats occur.


Issue #2: Need more options for response when a detection is triggered - Sometimes when a threat on an endpoint is detected you have a short amount of time to implement a remediation.  Some threats require more aggressive actions while others may be more passive until the bigger picture is realized.  Below is a subset of responses available in Microsoft Defender for Endpoints (may vary for each platform).



  1. Manually initiate an automated investigation when there isn’t an automated security playbook to trigger the investigation.  This will begin building out the incident graph and pull in additional evidence from the impacted endpoints, IP addresses, users and other integrated telemetry.  Additional integrated telemetry could be coming from Azure Information Protection, Microsoft Cloud App Security, Azure Sentinel or Microsoft Threat Protection.
  2. Isolate the machine from the network.  With full isolation this will disconnect the device from all network sources while maintaining connectivity to Microsoft Defender for Endpoints.  If isolation is selected, you can still allow connectivity to Outlook, Microsoft Teams and Skype for Business.
  3. Initiate a live response session using a remote shell connection.  Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
  4. Enforce code integrity using restrict app execution to prevent running of files that aren’t signed by a Microsoft issued certificate.  This can lock down a device and prevent subsequent attempts of potentially malicious programs from running.


Issue #3: We are not threat experts!?!?!? - Many organizations have a limited number of real threat experts.  Relying on third party ad-hoc assistance or lengthy research sessions can only get you so far.


Solution: Threat Analytics brings the knowledge of Microsoft’s security researchers straight to you with continuously updated threat reports related to emerging threats along with outbreaks as they are identified.  These reports allow for you to assess the impact of these threats to your environment, learn how to detect specific threats and create an action plan to contain them.  Most threat report contain the following:

  1. Executive Summary: Provides a history of the threat, platforms affected and how it is delivered.
  2. Analysis: See a visual representation of the attack and how Microsoft 365 security features are used through the entire kill chain, adding layers of security to prevent, detect and respond.
  3. Attack Techniques Observed: Documentation and videos related to the initial access, execution, persistence and impact of the threat.
  4. Mitigation: Detail what steps an organization can take to reduce the impact of the threat.
  5. Detection Details: How anti-virus detects based on implants and components along with how endpoint detection and response occurs.
  6. Advanced Hunting: Pre-created threat hunting queries for how to locate payloads or query additional details of the threat.
  7. References: Additional links to third party articles related to the threat.


As we prepare for our next adventure on our journey to holistic cloud protection with the Microsoft 365 security stack…, I want to reflect on the importance of device security.  Your devices should play a huge role in your overall security posture as it allows you to define what is a safe device along with ensuring only a specific security baseline is allowed to access your organization’s data.  By becoming knowledgeable in the ever-evolving threat landscape you take the power back from the malicious attackers and increase your overall security posture.


Thank you so much for joining me during this stop while we discussed device security.  Our next stop in this journey will be discussing Application security and how to increase our security posture when applications are accessing our corporate data using the Microsoft 365 security stack

Version history
Last update:
‎Feb 11 2021 10:58 AM
Updated by: