Domain Controllers, SCCM, Active Directory, Group Policy, and ... err ... Pain, are all terms administrators will be familiar with, when supporting an on-premises Windows deployment. But, with a little bit of SaaS (Software as a Service) thrown into the mix, most of the above can become a distant memory...
You're thinking 'lies!' right? Too good to be true? Well, this is possible with a modern Windows 10 deployment. But don't just take my word for it, continue reading and decide for yourself.
One of the advantages of SaaS solutions is that functionality and capability should improve over time, and this remains true for device management. Around a year ago we released the ALPHA MDM guidance for Windows 10 devices. This guidance was the first of its kind for us and demonstrated how you could complete a Windows 10 deployment by utilising just a mobile device management (MDM) solution .
There are a few assumptions from that guidance which are still true today:
- The guidance is based on a cloud-only deployment. It may work in a co-management deployment but has not been tested. It will not work if you are deployed in a hybrid scenario.
- Identities are exclusively stored in the cloud. For testing we used Azure Active Directory (AAD).
- The guidance utilises the Configuration Service Providers (CSP) interface for all device configuration.
- This final one is pretty obvious. You will need an MDM that is capable of managing Windows 10 devices. We are using Microsoft Intune, but any MDM that can interface with the CSP programme will work for this guidance.
So, what’s new?
Well we've updated the ALPHA guidance to take advantage of the latest features and security controls available in the Windows 10 April Update (1803) which is available here - see below for a summary of these changes:
- You can now configure most of the Windows Defender suite. This includes Windows Defender Antivirus, SmartScreen, Exploit Guard, Application Control, and some of the Windows Defender Firewall.
- We have updated the System hardening configuration to better represent the current NCSC and MSFT enterprise baselines with settings that are relevant for MDM managed EUDs.
- We have added details on Zero-touch deployment and how this can be achieved when using Autopilot.
Differences in risk between MDM and Traditional Windows 10 management
It’s worth noting that there is still some difference in risk when managing Windows devices via an MDM over the traditional on-premise management. This has been clearly labelled in the guidance, but to recap:
- Outbound firewall rules are used to ensure all traffic from the EUD goes via the VPN. Traditionally, with Group Policy, this is achieved by blocking all connections when the VPN is not active. Currently, you can only partially manage the Windows Defender Firewall with the CSP interface (Firewall CSP). We will update this guidance once we believe the CSP can satisfy the configuration needs and can guarantee all traffic leaving the EUD will go via the VPN.
- BitLocker PIN controls are recommended for a variety of reasons which help mitigate certain types of risk. These could be lock screen bypasses, DMA attacks and potential bugs in wireless interfaces. Although it is possible to setup pre-boot authentication with the BitLocker CSP it requires some additional configuration and an administrator to be present on the device. Devices that support automatic encryption upon AAD join will need to have this disabled.
A helping hand
Administrators get a tough deal most of the time and trying to configure this guidance will take some time. So, to help, we've provided the entire guidance configuration in JSON, which can then be imported into your MDM with the following PowerShell script. Unfortunately, this is only available if you are using Microsoft Intune as your MDM.
Before you go
You may have seen recently we published a blog discussing our EUD guidance and version numbers. I recommend taking a read of that if you are ever debating whether or not you should hold off updating your EUDs based on available guidance from the NCSC. Just to be clear: you should always roll out feature updates and use the most up-to-date guidance to configure that platform.
Oh, and one last thing…
We are always looking to see and learn from organisations utilising our guidance. If you are in the early stages of a cloud-only roll out of Windows 10 and would be willing to share some details in the form of a case study in exchange for some NCSC technical advice to help get things moving, please get in touch.
And as always, feel free to add comments below or get in touch if you have any suggestions on how we could improve our guidance, or if you think we've missed anything.
EUD Security Research
P.S. – We are currently updating our traditional on-premise Windows 10 guidance to include all the new features in the Windows 10 April Update (1803). We will post a blog once this guidance has been published.