This is an updated blog that was originally published on May 30, 2018
With the launch of Windows 10 almost five years ago, Microsoft touted modern management as an approach that drives improved security and nimble IT operations, resulting in happy users and lower cost for organizations. With Windows 7 hitting end of life earlier this year, the number of devices now running Windows 10 has surged to over 1 billion. Yet fully realizing the promised benefits of modern management still remains elusive for most organizations. Simply put, it requires more than Microsoft can deliver. Endpoint privilege management solutions pick up where Microsoft leaves off and help fulfill the modern management promise of improved security, nimble IT operations, and satisfied, productive users.
Windows 10 modern management: The evolution of IT
Modern management, according to Microsoft’s aspirational view, is enabled with a single platform that manages all kinds of Windows 10 devices. The legacy way of deploying the Microsoft Windows operating system was to leverage Active Directory (AD), Group Policy (GPO) and System Center Configuration Manager (SCCM) for desktops and an enterprise mobility management (EMM) solution for deploying across mobile devices.
EMM solutions allow for simpler deployment and better management of mobile devices that are not only on the network, but also those that no longer need to be connected to the traditional corporate network by workers to do their jobs—resulting in a better user experience compared to what traditionally had been done for desktops. Microsoft sought to bring this cloud-based EMM experience to the desktop world – allowing for desktops and mobile devices to be deployed and managed in a single, unified approach with Windows 10.
The modern way of deployment and management (aka “modern management”) is through the cloud. Specifically, it is done with what Microsoft calls Enterprise Mobility and Security (EMS), which comprises Azure Active Directory, Microsoft Intune, Azure Information Protection, and other tools. This allows the worker, wherever they are and as long as they have an internet connection, to turn on their computer the first time they get it and have Windows updates, additional software installs, and system configurations deploy automatically. Microsoft is executing on a vision of a minimal software world, where business applications like Office 365 are accessed through the cloud and through the Windows Store for Business.
What is driving Microsoft’s vision for modern management?
Worker expectations and the benefits of the cloud have been the two main drivers behind the Microsoft modern management approach. Workers continue to demand simpler and superior experiences when using enterprise software. Consequently, Microsoft customers are demanding solutions to meet these needs. This is particularly true with the proliferation of new device form factors, bring your own device (BYOD) and corporate-owned, personally-enabled (COPE) device trends. In recent times, the COVID-19 pandemic has also accelerated the need to support remote and mobile workforces at scale, which is easier to do securely with a modern management approach.
Almost every major software vendor is transitioning to the cloud (or creating a complementary cloud offering) to better meet the needs of consumers and to save IT resources (e.g. infrastructure costs, management costs, etc.), and customers need to keep up. Microsoft has clearly been at the forefront of the cloud movement. Many organizations may have moved to the cloud for business applications, but infrastructure solutions, such as OS deployments, have traditionally lagged in adoption.
While Windows 10 adoption is not itself a requirement for modern management, it has presented a great opportunity for organizations to improve management of IT infrastructure and increase their endpoint security. Many organizations, particularly larger enterprises, are likely to adopt a hybrid “co-management” approach, using both modern management and traditional tools like AD, GPO and SCCM in tandem, allowing for a more gradual transition from traditional to modern management tools and techniques.
Where Microsoft falls short in modern management
Back in 2015, Microsoft announced their Local Administrator Password Solution (LAPS), which provides basic rotation of the built-in local administrator password and can help stop credential reuse and lateral movement. However, we have covered why there are shortfalls in using LAPS alone. Similarly, while Microsoft has painted a vision and roadmap for enterprises to transition to a cloud-based modern management approach, they have fallen short in at least two key areas:
While Microsoft has improved security in Windows 10 and continues to make further enhancements with each update, it still lacks the ability to deliver security to diverse enterprise endpoints and to users with dynamic and evolving requirements. Consequently, Windows 10 alone is insufficient for the security needs of complex enterprises. And best-in-class security is absolutely essential for modern management.
Windows 10 does not achieve the balance between removing admin accounts from employees and usability, since many common tasks and applications require admin rights to work. Workers will either need to be completely locked down, sacrificing the user experience, or operate completely unconstrained, allowing them to install applications or perform privileged tasks as part of their jobs but sacrificing security and exposing the business to cyberthreats.
As the Microsoft Vulnerabilities Research Report has shown, removing admin rights would have mitigated more than 80% of all critical Microsoft vulnerabilities reported last year. So this is an essential piece to get right to reduce your organization’s attack surface. Privilege management, with its broad, far-reaching risk-reduction and productivity enhancement capabilities, should be the centrepiece of your endpoint security.
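Before you can claim the risk reduction described above, you need to know who actually holds admin rights on each endpoint. The script below is an added example written for this post, not code from the original article or from BeyondTrust; it audits the local Administrators group on a Windows 10 machine using the built-in Microsoft.PowerShell.LocalAccounts module and flags any member that is not on an approved list. The approved list is a hypothetical baseline (the built-in Administrator account, RID 500, and Domain Admins, RID 512); adjust it for your environment.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1+ (Windows 10),
# which ships Get-LocalGroupMember. Run it locally or fan it out with Invoke-Command.

function Get-LocalAdminAudit {
    param(
        # Hypothetical baseline: RID 500 = built-in Administrator, RID 512 = Domain Admins.
        # SIDs are matched on the trailing "-RID" so the check works for any domain or machine SID.
        [string[]]$ApprovedRidSuffixes = @('-500', '-512'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Enumerate current members of the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        $sid = $m.SID.Value
        $approved = $false
        foreach ($suffix in $ApprovedRidSuffixes) {
            if ($sid.EndsWith($suffix)) { $approved = $true; break }
        }

        [pscustomobject]@{
            Computer        = $ComputerName
            Member          = $m.Name            # e.g. HOST\alice or CORP\Domain Admins
            ObjectClass     = $m.ObjectClass     # User or Group
            PrincipalSource = $m.PrincipalSource # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $sid
            Approved        = $approved
        }
    }
}

$report = Get-LocalAdminAudit
$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or management tool treat unapproved admins as a failure.
$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of Administrators on {1}: {2}" -f `
        $unapproved.Count, $env:COMPUTERNAME, ($unapproved.Member -join ', '))
    exit 1
}
```

Two caveats worth knowing: nested domain groups are reported as a single group entry, so a group that looks approved may still carry ordinary users inside it; and Get-LocalGroupMember on some Windows 10 builds errors out when the group contains an orphaned SID (a deleted account), in which case `net localgroup Administrators` still lists the raw members.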
Microsoft’s modern management approach makes it easier to deploy and manage Windows 10 for remote, off-the-network employees, but it does not address the need for these remote workers to quickly and easily install needed applications in a way that balances the security needs of the company with the user-friendly experience they expect. Once admin rights are removed, IT staff cannot easily reach an off-network device to help a user install software, which degrades the user experience.
BeyondTrust PAM picks up where Microsoft leaves off
BeyondTrust picks up where Microsoft leaves off and helps complete the vision of Windows 10 modern management by enabling:
- Best-in-class security: BeyondTrust’s Privilege Management for Windows & Mac solution allows organizations to harness the security of standard user accounts on Windows 10 by removing the need for full admin accounts and applying a more granular layer of control. Simple policy rules grant workers the privileges they need, when they need them, so work continues seamlessly. The solution’s application control capabilities also make allow listing on Windows 10 simpler: with admin rights removed, organizations can put rules in place for trusted, approved applications and handle exceptions in a flexible, user-friendly way.
- Nimble management of IT operations: our endpoint privilege management solution enables least privilege management and application control across Windows and Mac, ensuring IT teams remain efficient and remote workers receive the best experience possible. BeyondTrust’s Privilege Management solution is available in both on-premises and SaaS deployments. The SaaS privilege management solution has the same robust features as the on-premises solution, plus it allows IT organizations to manage endpoint security for Windows 10 through the cloud and leverage subscription-based pricing.
With BeyondTrust, helpdesks can focus on what they do best: serving the IT needs of the workers in the organization.
Here are a few ways to learn more about BeyondTrust’s Privilege Management for Windows & Mac solution: