Checklist: Secure Endpoints Using Microsoft Endpoint Manager

Does your company have a plan to secure endpoints across your organization for both normal day-to-day operations and emergencies? Microsoft Endpoint Manager (MEM) aims to maximize an organization's security footprint for exactly these unexpected circumstances.

Richard Hay, Senior Content Producer

January 15, 2021


Having secure endpoints is one of the biggest challenges for any organization, but there are tools available that can help secure those endpoints as well as the company/customer data on those physical devices. With the pandemic-assisted shift to a more mobile work environment, plus the prospect of a bad actor grabbing a laptop and using it to access proprietary information, it’s important to set up a standard process for endpoint security in an organization.

ITPro Today spoke to Ulf Lundh, a system deployment, security and related infrastructure IT specialist. He currently works for a local municipality in Sweden – which is equivalent to a typical county government here in the U.S. – and manages approximately 3,500 IT systems. His background and experience span identity and device management, using Microsoft tools such as Active Directory (AD), System Center Configuration Manager (SCCM), Microsoft Intune, and Microsoft Endpoint Manager (MEM). Currently, he directly supports all aspects of security, policy and usability for more than 3,500 endpoints, including Windows 10, Windows Server, Android and iOS mobile devices.

The focus of our discussion was to identify a handful of steps that organizations can use to ensure they have secure endpoints. While these steps focus on using Microsoft Endpoint Manager (MEM), any equivalent software or service for endpoint security will have similar options available.

Step One: Map Out Physical Security Measures

Depending on the level of risk associated with the theft of an endpoint device, physical security may rely on locked doors or code/card-based entry access points. Locking down desktops and laptops with a device such as a Kensington cable lock would also prevent the easy pilfering of a device in case those physical barriers are breached.

Step Two: Deploy Encryption

Most modern enterprise desktops and laptops now include security hardware as a standard feature. These chips, commonly referred to as Trusted Platform Modules (TPMs), help secure endpoints by protecting the device-specific keys used to encrypt the hard drive and by authenticating the hardware they are bound to. The TPM releases those keys only when the hashes it records of the device hardware match, and the user must still supply unique identity information such as a password. Without proper credentials, no access is granted to the device. Even if the encrypted hard drive is removed from the system, it is inaccessible without the keys held by that TPM. This encryption process helps ensure the security of all data on the system hard drive and has minimal impact on the day-to-day user experience.

Alternatively, Windows 10 devices without a TPM chip can be encrypted for similar data protection via BitLocker. BitLocker also offers options to automatically unlock the encrypted hard drive once valid user credentials are provided to the system, minimizing the extra steps in the user's startup workflow.

TPM- or BitLocker-based encryption can be mandated through Group Policy on managed devices from the MEM management portal.
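Mandating encryption is only half the job; an administrator also needs to confirm that it took effect on each device. The following PowerShell audit is an added example, not code from the article, from Lundh or from Microsoft. It uses only the Get-Tpm and Get-BitLockerVolume cmdlets that ship with Windows, must run in an elevated session, and applies a compliance rule of this example's own choosing: every volume must be fully encrypted with protection turned on, and on a TPM-equipped device the operating-system drive must be guarded by a TPM-bound key protector (devices without a TPM fall back to a password or startup-key protector, which the rule accepts). The function name is also this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's code: audit TPM readiness and BitLocker
# status on the local Windows 10 device. Get-Tpm and Get-BitLockerVolume are
# built-in cmdlets; the compliance rule below is this example's assumption.

function Get-EndpointEncryptionReport {
    [CmdletBinding()]
    param()

    # TpmReady means the TPM is present, enabled, activated and owned by Windows.
    $tpm = Get-Tpm

    $volumes = foreach ($vol in Get-BitLockerVolume) {
        # Key protector types include Tpm, TpmPin, TpmStartupKey, Password,
        # ExternalKey (startup key) and RecoveryPassword.
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound   = [bool]($protectors -match '^Tpm')

        # A volume is only protected when it is fully encrypted AND protection is On;
        # an encrypted volume with protection Off exposes its volume key.
        $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')

        # On a TPM-equipped device the OS drive must use a TPM-bound protector.
        $osRequirementMet = $true
        if ($vol.VolumeType -eq 'OperatingSystem' -and $tpm.TpmPresent) {
            $osRequirementMet = $tpmBound
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectors -join ',')
            HasRecoveryKey   = ($protectors -contains 'RecoveryPassword')
            Compliant        = ($encrypted -and $osRequirementMet)
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Volumes      = $volumes
        AllCompliant = (@($volumes | Where-Object { -not $_.Compliant }).Count -eq 0)
    }
}

# Summary first, then one row per volume.
$report = Get-EndpointEncryptionReport
$report | Select-Object ComputerName, TpmPresent, TpmReady, AllCompliant | Format-List
$report.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, Protectors, HasRecoveryKey, Compliant -AutoSize
```

A device that reports TpmPresent but not TpmReady, or a volume that is FullyEncrypted with ProtectionStatus Off, is the kind of gap a portal-level "policy assigned" view does not surface, which is why the check runs on the endpoint itself. The same function can be pushed as a remediation or detection script through MEM and its output collected centrally.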

Step Three: Be Sure There’s a Device Lock Policy

Another measure that helps secure endpoints is to mandate an idle timeout after which the device automatically locks and requires user credentials to log back in. This setting, which is managed through MEM, needs to balance security and user convenience, especially where complex passwords are in use.

Lundh also recommended user training and awareness for using keyboard shortcuts to lock devices as users step away from their desks. For example, users could type WINDOWS + L or CTRL + ALT + DELETE, then select to lock the device.

Another aspect of this approach is to allow and encourage the use of biometric logins to devices. Windows Hello on Windows 10 supports facial and fingerprint recognition for this purpose, and many modern devices include one or both options. Windows Hello authentication data is encrypted and kept only on the local device, and it is useless without the matching face or fingerprint.

Requiring a PIN – another Windows Hello option that is required if facial or fingerprint biometrics are used – is another method to restrict device access to authorized users. As Lundh pointed out, we have been using PINs on cash-dispensing ATMs for quite some time, and although anything can eventually be broken, there is enough complexity in 4-to-6-digit PINs to make this a viable option for users. The use of any of these Windows Hello options helps the user experience tremendously while enabling more secure endpoints.

The simplicity of logging in using facial or fingerprint recognition could encourage users to lock their devices when stepping away from their desk, because it will be easy to log back in. (Besides, they're already used to these measures from the security on their mobile phones.) Admins could then also institute shorter automatic lock timeouts, since it will be simpler for the user to log back in afterwards. This maintains a good balance of endpoint security and user convenience.
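Because a lock-timeout policy can be delivered by more than one mechanism (the machine-wide inactivity limit or a password-protected screen saver), it is worth reading back what is actually in effect on a device. The following PowerShell check is an added example, not code from the article, from Lundh or from Microsoft. It reads the "Interactive logon: Machine inactivity limit" value (InactivityTimeoutSecs) and the per-user screen saver policy values from the registry locations Windows uses for those policies, works out the shortest idle period that ends in a credential prompt, and compares it against a ceiling the organization picks. The function name and the 900-second default are this example's assumptions, not a recommendation from the article.

```powershell
# Added example, not the article's code: report the effective device-lock
# timeout on a Windows 10 endpoint. The 900-second ceiling is an assumed value.

function Get-DeviceLockReport {
    [CmdletBinding()]
    param(
        # Longest idle period (seconds) the organization tolerates before the lock screen.
        [int]$MaxIdleSeconds = 900
    )

    # "Interactive logon: Machine inactivity limit" lands here when set by policy (DWORD, seconds).
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $machinePolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user screen saver policy: enabled, password protected, timeout (stored as strings).
    $userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $userPolicy -ErrorAction SilentlyContinue
    $ssActive  = ($ss.ScreenSaveActive -eq '1')
    $ssSecure  = ($ss.ScreenSaverIsSecure -eq '1')
    $ssTimeout = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { $null }

    # Collect every configured path that ends in a credential prompt. A screen
    # saver that is not marked secure never locks, so it does not count.
    $lockAfter = @()
    if ($inactivity -gt 0) { $lockAfter += [int]$inactivity }
    if ($ssActive -and $ssSecure -and $ssTimeout -gt 0) { $lockAfter += $ssTimeout }

    $effective = if ($lockAfter.Count -gt 0) { ($lockAfter | Measure-Object -Minimum).Minimum } else { $null }

    [pscustomobject]@{
        InactivityLimitSeconds = $inactivity
        ScreenSaverLockSeconds = if ($ssActive -and $ssSecure) { $ssTimeout } else { $null }
        EffectiveLockSeconds   = $effective
        Compliant              = ($null -ne $effective -and $effective -le $MaxIdleSeconds)
    }
}

Get-DeviceLockReport -MaxIdleSeconds 900 | Format-List
```

A result with EffectiveLockSeconds empty means no policy-driven lock is in force at all, even if a user has set a screen saver manually; the check deliberately reads only the policy keys, because those are what MEM is expected to enforce.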

Step Four: Enable Two-Factor Authentication (2FA)

Enabling the use of two-factor authentication (2FA) to access Active Directory- or Azure Active Directory-based accounts is a simple step to add an extra layer of identity security in an organization. Lundh recommends beginning with text-based 2FA because it is easier for most users to understand and access.

For users with accounts that have access to more sensitive company/user data or users with privileged access to systems and services, implementing app-based 2FA or hardware-based security keys is the right approach for additional security protections.

Step Five: Sweat These Small Things

Other areas that can help secure endpoints in an organization of almost any size might be considered small in nature but add up quickly when looking at a company’s overall cybersecurity profile. These include, but are not limited to:

  • Prohibit local admin accounts on user devices, or at least do not create them. A local administrator has access to every account on that device.

  • Set user policies to the tightest options by default, but whenever possible give users options such as a Windows Hello PIN, facial recognition or fingerprint as log-in methods alongside their password.

  • Establish a policy for the maximum number of log-in attempts, using any method, to unlock the device. This can be set to a temporary or permanent lockout depending on the user and device.

  • Mobile devices are more secure in many ways because they are automatically encrypted, but managing them via a system like MEM adds oversight and the ability to wipe a stolen or lost device remotely.

  • Plan and get all devices registered in a remote management tool to begin increasing that endpoint security profile. Have a plan for when it’s necessary to shut down and wipe devices via remote management.
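Two of the items in this list, local admin accounts and a cap on log-in attempts, can be verified directly on a Windows 10 endpoint. The following PowerShell check is an added example, not code from the article, from Lundh or from Microsoft. It lists the members of the built-in Administrators group (resolved by its well-known SID so the check works regardless of the OS language) and flags any that are not on an allow-list the organization defines, then reads the effective account lockout threshold from the built-in "net accounts" command. The function name and the allow-list entries are placeholders this example assumes.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's code: check local admin membership and the
# account lockout threshold on a Windows 10 endpoint. The approved-admin names
# are placeholders; replace them with the identities your organization manages.

function Get-SmallThingsReport {
    [CmdletBinding()]
    param(
        # Principals allowed to hold local admin rights (placeholder values).
        [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')
    )

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    $members    = Get-LocalGroupMember -SID 'S-1-5-32-544'
    $unexpected = @($members | Where-Object { $ApprovedAdmins -notcontains $_.Name })

    # "net accounts" prints the lockout policy in effect; "Never" means it is disabled.
    $lines         = net accounts
    $thresholdText = ($lines | Where-Object { $_ -match 'Lockout threshold' }) -replace '^.*:\s*', ''
    $threshold     = if ($thresholdText -match '^\d+$') { [int]$thresholdText } else { 0 }

    [pscustomobject]@{
        LocalAdmins      = @($members | ForEach-Object { $_.Name })
        UnexpectedAdmins = @($unexpected | ForEach-Object { $_.Name })
        LockoutThreshold = $threshold
        LockoutEnabled   = ($threshold -gt 0)
        Compliant        = ($unexpected.Count -eq 0 -and $threshold -gt 0)
    }
}

Get-SmallThingsReport | Format-List
```

An UnexpectedAdmins entry is usually a user who was granted local admin "temporarily" and never removed; a LockoutThreshold of 0 means unlimited log-in attempts, which is exactly the condition the bullet above says to rule out.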


About the Author

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29-plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications-related, so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year. I am also a member of the inaugural group of Windows Insider MVPs, which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs
