Improve security posture with Microsoft Intune


To understand how to improve your organization’s overall level of security, it's important to review the definition of security posture and the methods that can be used to measure and improve it. You can measure your evolving security posture from chip to cloud through the existing Zero Trust assessments and the Microsoft Secure Score. In this module, we’ll focus on how servicing and security work together to continually advance your Zero Trust security posture based on the Windows 11 chip-to-cloud layered security model. In particular, we’ll learn how to use Microsoft Intune to simplify this ongoing process and do more with less.

Review of Zero Trust

The Zero Trust security posture rests on three principles: verify explicitly, use least privilege access, and assume breach. These principles are meant to be applied across every part of an organization’s environment: identities, endpoints, networks, applications, data, infrastructure, policy optimization, policy enforcement, and threat protection. These components roughly correspond to the chip-to-cloud layered security model, which enables Zero Trust.

Review of chip-to-cloud layered security model

The chip-to-cloud model represents how hardware and software security work together for protection and productivity (see the Windows 11 Security Book). Keeping your organization protected and productive is the mission of Windows, which offers us tools like Microsoft Intune to enable Zero Trust from the moment you power on through to the cloud.

The Zero Trust architecture can be represented through layers as shown below:

A diagram shows the Windows 11 chip-to-cloud security layers (based on Windows 11 Security Book).

Besides the layered chip-to-cloud security model for Windows 11 that we’re using in this module, Windows as an operating system is underpinned by a secure foundation:

  • Offensive research

    Microsoft secures its development lifecycle using secure processes, so that Windows is protected from its inception. An important part of the secure development process is collaboration with researchers across the globe through the Microsoft Windows Insider Preview bounty program.

  • Certification

    Microsoft products are externally validated against global regulatory product security standards and certifications.

  • Secure supply chain

    Windows relies on an end-to-end supply chain that runs from developer check-ins through components such as chips, firmware, the OS, non-Microsoft apps, and factory manufacturing, all the way to security updates.

Implement modern device management

We recommend using modern device management to configure your organization’s devices with all the applications and settings your users need to do their work securely. Windows lets you use Microsoft and non-Microsoft modern device management solutions to manage your devices, and many of these solutions are compatible with Microsoft Intune. Microsoft Intune (previously known as Microsoft Endpoint Manager) brings together the capabilities of Intune, Configuration Manager, Endpoint Analytics, Autopilot, and more to help you secure access, protect data, and respond to risk across all of your organization’s devices. Let’s get you set up.

Microsoft Intune

Microsoft Intune is a Mobile Device Management (MDM) solution built on Zero Trust principles to help secure all endpoints and continually advance your security posture. It provides a unified endpoint management platform across the cloud, on-premises, and multiple OS versions. It is an essential strategy for business environments of all sizes that rely on hybrid business models spanning physical and virtual machines.

Windows servicing updates will always keep you moving in the optimal direction of the Zero Trust maturity model, and Microsoft Intune helps you deploy and monitor them across your hybrid estate.

To implement modern device management through Microsoft Intune, let’s join your devices to Microsoft Entra ID and set up or move to Microsoft Intune. Then we’ll introduce ways in which you can secure and manage your device population.

Join or register devices with Microsoft Entra ID

Microsoft Entra ID is a cloud-based identity service. You can use it to manage identities, directories, and to protect resources and apps your users need to access.

Windows has built-in settings that you can use to sync and add your organization’s user accounts to Microsoft Entra ID. Use the deployment guide to plan your Microsoft Entra device join journey. Then use its granular security controls, which we'll cover in the following units:

  • Single sign-on
  • Multifactor authentication
  • Conditional access policies
  • Identity protection
  • Identity governance
  • Privileged identity management

This way, you can provide secure access, single sign-on for apps and services, and identity management, no matter where your users are working from.

Set up or move to Microsoft Intune

Use the planning and deployment guide for Microsoft Intune. If your organization holds a Windows license for Enterprise Mobility + Security (EMS) or Microsoft 365, Intune is automatically part of your service. In all other cases, it can be added on separately. Ensure that your account has been delegated Intune Service Admin privileges.

There are several methods to enroll your devices in Intune, including the following:

  • Use Windows Autopilot to automate Microsoft Entra join and enroll new corporate-owned devices into Intune through a simplified out-of-box experience. Deploy company PCs to remote employees, preconfigured with corporate security policies. Rapidly set up and preconfigure new devices, repurpose devices, and recover devices.
  • Enable Auto Enrollment in Microsoft Entra join or automatically enroll devices with Microsoft Entra hybrid join.
  • Bulk enroll large numbers of new corporate-owned devices to Microsoft Entra ID and Intune.
  • Enroll your existing Configuration Manager managed devices into Configuration Manager Co-management.
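Whichever enrollment path you use, the practical check afterwards is the same: confirm on the device that it is joined the way you intended and that an MDM enrollment actually took place. The following PowerShell is an added example, not part of this module or of any Microsoft tool; it parses the output of the built-in dsregcmd /status command and reports the join type and MDM enrollment state. It relies on the field names dsregcmd prints (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl); the classification logic and the sample output are this example's own.

```powershell
# Added example (not from the Microsoft Learn module): parse `dsregcmd /status`
# to confirm a Windows device's Entra join type and whether it is MDM-enrolled.
# Field names are those dsregcmd prints; the classification logic is an assumption.
function Get-DeviceJoinState {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool live.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   AzureAdJoined : YES"; banner lines have no colon.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'
    $joinType = if ($aad -and $domain) { 'Hybrid Entra joined' }
                elseif ($aad)          { 'Entra joined' }
                elseif ($wpj)          { 'Entra registered' }
                else                   { 'Not joined' }
    # A populated MdmUrl means the device is MDM-enrolled; empty means joined but unmanaged.
    $mdmUrl = $fields['MdmUrl']
    [pscustomobject]@{
        JoinType    = $joinType
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($mdmUrl)
        MdmUrl      = $mdmUrl
    }
}

# Constructed sample output for an offline run: an Entra-joined device with no MDM URL.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl :
'@ -split "`r?`n"

$state = Get-DeviceJoinState -Lines $sample
if ($state.MdmEnrolled) { 'Device is joined and enrolled in Intune.' }
else { "Device is $($state.JoinType) but not MDM-enrolled: check auto-enrollment settings." }
```

Run Get-DeviceJoinState without -Lines on a managed Windows device to check its live state; a device that reports as joined but not MDM-enrolled is the usual sign that automatic enrollment was not configured for that join path.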

In this module, we’ll enable or configure a representative selection of features from the Windows 11 chip-to-cloud layered security model to advance your organization’s security posture. Microsoft Intune tools apply at each security layer to streamline your security policy management, so we’ll walk through advancing your security posture one feature at a time. Although we’re referring to the familiar chip-to-cloud structure established in the Windows 11 Security Book, in this module we’ll work through it in reverse order, because cloud services map across all Zero Trust pillars and that’s where our management solution comes from.

The workflow diagram shows our progress: we’ve joined Microsoft Entra ID and enrolled in Microsoft Intune.