The most important tool in Microsoft 365 that you can adopt in 2021
Alex Fields
I get it. The universe is expanding so rapidly these days that it can be difficult to know where you should focus your efforts. If you are having trouble “catching up,” do not worry, you are not alone. The IT industry is working on this issue collectively as we move through some growing pains together.
On the one hand, you can rest a little, knowing that you do not have to “stick your neck out” into uncharted territory whenever new software drops. You don’t have to be the one to take on the risk of unknown challenges and adoption hurdles. For example, just announced is a new product called Microsoft Viva, which at first glance appears to be a re-imagined company intranet, with a set of intranet apps built on pieces of Microsoft 365 that have long been available. But who cares? In 6 months this will probably still feel pretty new, and it’s hard to say right now how much value this product will be able to deliver in the SMB space. So let someone else figure that out.
Consider another example: some people will never need to ponder whether they should move to a platform like Windows Virtual Desktop (WVD), because all of their apps already support a native cloud-first, mobile-first experience which allows similar capabilities on any device natively (desktop or mobile). WVD would only be required to support legacy “Windows Server and Desktop-bound” apps. On the other hand, if that does describe you, and you want an alternative to the cost and complexity of running VDI in your own datacenter, then maybe you would want to check it out.
Now those two examples aside, what is worth focusing on this year? For the small and mid-sized organizations of the world (who are most often under the care of a Managed Services Provider), I am going to recommend you prioritize exactly one tool, if you haven’t already: Microsoft Endpoint Manager (Intune for the SMB; not ConfigMgr, which is more on the Enterprise side). This is included in Enterprise Mobility + Security SKUs and Microsoft 365 Business Premium or Enterprise E3/E5 plans.
The answer is simple, though there are many reasons for it.
If you look at my teachable courses or any of my other materials on meeting the CIS Critical Security Controls, you will notice that no tool will accelerate you more quickly down the path of modern management with a solid security baseline. Most people want to jump right into the “advanced” security stuff like Microsoft 365 Defender and Azure Sentinel. But you gloss over the basics at your own risk.
Basics like ensuring that your hardware and software inventory is square, removing local admin privilege, and enforcing the installation of your security and monitoring tools. For the first time in history, you can guarantee that every device (personal and corporate) is included in your inventory and made compliant with your baseline before granting access to corporate data. This is known as Device-based Conditional Access. That is extremely powerful (especially in this work-from-home era). Most service providers today cannot look me straight in the face and guarantee that every device storing and processing corporate information is properly protected and accounted for in their management tool.
Once you have enrolled devices into the Intune cloud service, organizations can start to make decisions about just how much access they want to extend with regard to Office 365 and other cloud apps connected to Azure AD. Devices that are not recognized by Azure AD and Intune can be limited or barred from entering certain areas. Customers love that feature.
Intune is also the de facto replacement for Group Policy in the cloud. If you want to push configuration profiles, security policies and so on, then this is how you are going to accomplish it.
I still run into people who claim they cannot do the same “stuff” with Intune that they could with GPO. Really? Remember first of all that you should not attempt to map 1-1 GPO for Intune config. Very often you do not need to bring the relics of yesteryear into the technologies of today. Instead, start fresh by creating the policies you actually care about. Try to find something that cannot be accomplished in Intune. I dare you.
“But it is not as easy,” you might say.
To this I reply, “Even if that sentiment were true (and often I find it is not), so what?”
Nothing is ‘easy’ the first time you do it, but that doesn’t mean you shouldn’t move forward anyway. Like I said, this tool has more than earned its place at the table by this point: it is no longer a new thing, and I would suggest further that there is more risk in ignoring it. We are way past the early adopters. Yet in the SMB space, few have implemented it (and even fewer have done so correctly). Many organizations already have Intune as part of their subscription (either via Microsoft 365 Business Premium, or Enterprise Mobility + Security E3), and yet they are not taking advantage of it (or not taking full advantage anyway).
I have two live courses coming up here in February and again in March on Microsoft Endpoint Manager (Intune). The first session will focus on mobile devices and the second on Windows 10. Both will contain some basic tutorials and other materials to help you get familiar with the “basics” of the product. If you are joined up for the full year of learning and expanding your cloud practice with Microsoft 365, then these sessions are already included. If you want to join the practice development year, the registration will only remain open through the end of the month (February 28). All the content we covered in January (Migrating to Azure AD) is also already available in the teachable portal for replay.
If you do this right, then you will have a simple process for enrolling both corporate and personal devices so that you can have control over apps and data on each and every device that connects to your corporate resources in the cloud. If you do it really right, then when a user first unboxes and powers on a new corporate device, all they have to do is sign in with their credentials, and Autopilot will take over from there, delivering all the apps and data that they need directly to their machine. It also shrinks your deployment (and re-deployment) time dramatically. (Note: Autopilot is not ‘magic’; someone has to set it up and get it working properly, and maintain the device and application lifecycles over time; this is a real MRR opportunity.)
One more point on this topic: Intune is a critical consideration when expanding your consumption of management and security features in the Microsoft cloud further. So much more opens up once you have this piece in place. It really is the bedrock of your modern management strategy.
Does this replace my RMM?
The short answer is No. There has been some speculation out there to this effect, but it is just not true. Not at this stage in the game, anyway. It does not replace the RMM but it does enhance the RMM. Microsoft has already indicated they would rather work with the RMM vendors to integrate their tools, rather than attempt to re-invent the wheel and become a competitor.
We are looking forward to more development of the multi-tenant management tool, Microsoft 365 Lighthouse, which will allow service providers to work with devices and policies across all of their customers. Of course, this is still in very early stages (it was just announced this past year at Ignite). But that does not mean you cannot start getting instant benefit from implementing the tool as it stands right now, today. In fact, do you have a multi-tenant tool to manage your GPOs across all customers for on-prem AD? Probably not. This is no different, then, for the time being. In the future, this could all look different, but that’s all speculation today.
The first thing I would suggest you do is get a handle on the basic concepts of MDM, including Compliance policies, and Conditional Access. After that, learn how to deploy device configuration profiles, endpoint security profiles, and finally learn how to push applications and apply app protection policies (MAM). All of this is explained in my Microsoft 365 Best Practices guide, which includes material for Intune, Conditional Access, Azure AD and more. And the live courses I mentioned in February and March will likewise cover these items, with an opportunity for Q+A.
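The Device-based Conditional Access described above (enrolled, compliant devices get access; unknown devices are barred) and the compliance-then-Conditional-Access order suggested here can be expressed as one Azure AD policy. This is an added example using the Microsoft Graph PowerShell SDK, not the author's material or guide content; the emergency-access group id is a placeholder you must supply, and the policy is created in report-only mode so you can review sign-in impact before enforcing it.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin can consent to the Conditional Access policy scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require compliant device for Office 365"
    # Start in report-only so failing devices show up in sign-in logs without being blocked;
    # switch to "enabled" once the device inventory and compliance policies are in order.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object id of your break-glass / emergency-access group, so a
            # compliance outage cannot lock every admin out of the tenant.
            excludeGroups = @("<emergency-access-group-object-id>")
        }
        applications = @{
            # "Office365" is the Graph alias for the Office 365 application group.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # Only devices that Intune reports as compliant satisfy this control;
        # unenrolled or non-compliant devices receive no access token.
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After a few days in report-only mode, review the Conditional Access tab of the Azure AD sign-in logs for users who would have been blocked; those are the devices still missing from your Intune inventory or failing a compliance policy.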
Again, this is no longer a new tool; it has years of history now, and wide adoption (especially in the Enterprise). So do not be afraid of embracing modern management! It is the best and fastest way to establish your complete endpoint inventory, and gain a higher level of confidence in your devices (whether corporate owned or personal).
I leave you with a question: if you are not going to accomplish these outcomes with your Microsoft 365 subscription (such as Microsoft 365 Business Premium or Enterprise plans), then how will you accomplish it? You should have an answer to this. I argue that Intune is going to be the best situated, as it ties in natively with Azure AD, is available in many Microsoft 365 subscriptions (which are ubiquitous), and of course it boasts out-of-box Conditional Access, which is something many other solutions still cannot offer.
Alex. Slightly off topic.
We are trying to adopt Windows Defender Endpoint for our customers but we have come across a roadblock: you can’t install Windows Defender Endpoint on a server unless you purchase 50 Windows Defender user licences! This really messes up deployments when the customer has a legacy LOB and 30 users we can install AV on the server!
Any idea why Microsoft have this restriction?
I do not know why, no. But if you are sub-50 seats your target should be 100% SaaS apps anyway (no more servers). Yes, some are still tied down to legacy Windows Server apps, but more and more it is becoming optional to remain so. It just takes someone’s dedication and work to translate what used to be into what is and what will be moving forward.
Hi Alex! As always, great article. We’re doing our best to deploy Intune and believe strongly that it will continually get better with time. One issue we have had that I wanted to run past you was around the syncing of SharePoint Document Libraries. We were able to successfully map these with Intune and get them showing up in our users’ Windows Explorer (familiarity helps with user adoption), but then found that removing permissions isn’t as simple. Ultimately, we had to build a policy that removed all the sync relationships and redeploy the correct ones. You can imagine this challenge when some users have gotten comfortable syncing familiar libraries on their own that aren’t part of the policy.
Have you had any experience with Intune managing these libraries?
Thanks for all the work you’re doing and putting out here for us. Much appreciated.
Hey Will, good to hear from you! Yes, I can comment. In general the OneDrive client sync policies aren’t really up to snuff in my opinion. To use them correctly today means that you have to have all of the libraries you want to sync in a single policy for each user/group. If you try to have multiple policies targeted against the same user/group that are all asking the OneDrive client to map some SharePoint location(s), it sees this as a conflict and will not resolve it (you have to manually do this). This makes the management somewhat cumbersome as of today. I have also seen instances where people use PowerShell scripts to work with the OneDrive client; that may be somewhat better but again more cumbersome. For the time being, in the SMB at least, I do not recommend mapping any shared locations, and suggest that all such syncing should be done to each user’s own preference. Some may choose not to sync shared locations at all and just work within the apps such as Teams to access the file locations they need. I think this is where it is going anyway, as Windows desktop fades into the background and becomes less central.