On Prem or Cloud Only for initial Setup

Sabarigirisan Shankar 21 Reputation points
2020-08-24T00:42:59.703+00:00

We are a small startup company with 50 plus users geographically distributed and a data center in the US with 50+ Servers. The users connect to the data center using the VPN. We have Office 365 Business standard license and currently would like to move to the next level in terms of securing, managing the entire infrastructure and making it more compliant.

There is currently no DC setup in the organization. The desktops and servers are a mixture of Windows and Linux. Since this is a new setup, we would like to get advice and suggestions from you, the experts.

I understand that security and compliance is a vast topic on its own and can be approached in multiple ways based on how compliant a company needs to become. We would like to do it in an iterative way, progressing towards the end goal.

In terms of the security and compliance policies, we would like to start initially with the following:

  1. Manage the infrastructures' patches, updates
  2. Harden the system configurations
  3. General user access restrictions, like removable drive restriction, not being able to move user data from the company user to the personal user space on the computer, no guest access, no admin access, etc.
  4. General audit information about when the user logged in and what resources were accessed, etc.
  5. Providing endpoint protection
  6. Easier manageability by the IT Team
  7. Can you suggest whether I can go with just a cloud-only solution, and whether Intune and O365 E3 will be able to help me achieve this? How do we manage the on-prem infrastructure? How do we handle the Linux desktops/servers?
  8. If this needs a DC to be configured, would you suggest an on-prem DC, or should we look at the Azure AD DS service? Again, we need to know how we could handle the Linux desktops/servers.
  9. We tried Azure WVD and thought of it as a solution at least for the desktops, but with the users running CPU-intensive applications, the monthly costs are on the higher side. We could not go with pooled desktops because of the nature of the work.
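Item 4 of the list above (who logged in, and what was accessed) can be answered from the Windows Security log on any domain-joined server or workstation, independently of whichever management product is chosen. The following is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a machine whose GPO enables the "Audit Logon" and "Audit File System" advanced audit subcategories and whose sensitive folders carry a SACL.

```powershell
# Added example (not from the thread): summarise logons (4624) and file/object
# access (4663) from the local Security log over the last N hours, giving the
# "who logged in and what was accessed" view asked for in item 4.
# Assumptions: run elevated on a domain-joined server or workstation whose audit
# policy (GPO > Advanced Audit Policy Configuration) enables "Audit Logon" and
# "Audit File System", and whose audited folders carry a SACL. Without the SACL
# and subcategory enabled, 4663 events are never written.
param([int]$Hours = 24)

# Filter server-side on log name, event IDs and time; far cheaper than piping
# the whole Security log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4663
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # no matching events is not an error here

# Read one named <Data> field from the event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    switch ($e.Id) {
        4624 {   # LogonType 2 = interactive, 3 = network, 10 = RDP
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = 'Logon'
                User   = "$(Get-EventField $e 'TargetDomainName')\$(Get-EventField $e 'TargetUserName')"
                Detail = "LogonType=$(Get-EventField $e 'LogonType') From=$(Get-EventField $e 'IpAddress')"
            }
        }
        4663 {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = 'ObjectAccess'
                User   = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
                Detail = "Object=$(Get-EventField $e 'ObjectName') AccessMask=$(Get-EventField $e 'AccessMask')"
            }
        }
    }
}

# Drop machine accounts (trailing $) and Windows service identities so the
# report reflects people, then print it oldest-first.
$rows |
    Where-Object { $_.User -notmatch '\$$|^NT AUTHORITY|^Window Manager|^Font Driver Host' } |
    Sort-Object Time | Format-Table -AutoSize
```

Run per machine (or via remoting) as a quick local audit; for fleet-wide retention the same event IDs are what a SIEM or Azure Monitor agent would collect.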

Accepted answer
  1. Crystal-MSFT 42,631 Reputation points Microsoft Vendor
    2020-08-25T07:53:23.443+00:00

    @Sabarigirisan Shankar Thanks for the reply. For the steps outlined previously, I would like to confirm which ones you mean: those in your first reply or in the second reply.

    If the steps are in the first reply, from the Intune side, as far as I know, steps 1, 2, 3, 4, 5 and 6 can be accomplished from Intune. For steps 7 and 8, as Nick mentioned, maybe Configuration Manager can accomplish this. If so, we can deploy co-management. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. For co-management, here is an article for reference:
    https://learn.microsoft.com/en-us/mem/configmgr/comanage/overview

    If the steps are in the second reply, based on my understanding, most of the steps involve AD, Azure AD and Configuration Manager. As I am Intune support, I am not familiar with these products. For such consulting involving many products, Premier consulting support may be better for you. Here is the link to find Premier support:
    http://originw2.cms.ms.akadns.net/en-us/microsoftservices/support.aspx

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.


4 additional answers

  1. Nick Hogarth 3,436 Reputation points
    2020-08-24T01:18:43.817+00:00

    Some points that may help:

    1. You can use ConfigMgr or Intune to deploy software updates (or co-management if you use both products and want to switch workloads)
    2. You can use Security Baselines in Intune for Windows 10
    3. You can look at using Windows Information Protection in Intune for Windows 10
    4. Either product should do this
    5. Yes you can do this with Intune or ConfigMgr (or look at Co-management)
    6. Intune is probably easier to manage if you do not have ConfigMgr experience
    7. You can't use Intune to manage Windows Server or Linux today. Also see point 8 below for network requirements if you go for ConfigMgr in the cloud. For Linux, you can look at Azure Update Management https://learn.microsoft.com/en-us/azure/automation/update-management/update-mgmt-overview
    8. For ConfigMgr you require Active Directory, and Azure AD DS isn't supported, but if you do deploy ConfigMgr in Azure as IaaS then you can have a VM that has AD DS installed. To view requirements for ConfigMgr in Azure (such as VMs, Active Directory, networking, etc.) see https://learn.microsoft.com/en-us/mem/configmgr/core/understand/configuration-manager-on-azure

  2. Sabarigirisan Shankar 21 Reputation points
    2020-08-24T02:30:29.74+00:00

    Hi @Nick Hogarth

    Thanks for your response. Since most of my infrastructure (physical servers and close to 40% of the desktop users) is on premises, if we go with Office 365 E3, can you please confirm whether the following tasks will enable us to accomplish our needs:

    1. Install a primary DC on premises
    2. Install a backup DC in Azure
    3. Install Configuration Manager on premises. This link says that the license for Config Manager is part of Microsoft E3. Can you please confirm?
    4. Use Azure AD Connect to sync on-premises AD and Azure AD with password hash synchronization (SSO enabled)
    5. Domain join the laptops/PCs and the servers
    6. Create OUs and GPOs in AD and make sure that the resources, including O365 apps, are available only to AD-joined devices
    7. Use Config Manager and Intune to manage the joined devices
    8. Use Config Manager / Azure Update Manager to manage the updates and patches

    I assume that users will be able to use their AAD Credentials to authenticate to domain as SSO is enabled.

    Kindly let me know if I am missing anything here.


  3. Crystal-MSFT 42,631 Reputation points Microsoft Vendor
    2020-08-24T05:20:17.343+00:00

    Your questions involve many products. For Intune, as far as I know, Intune can only manage the following Microsoft operating systems:

    • Surface Hub
    • Windows 10 (Home, S, Pro, Education, and Enterprise versions)
    • Windows 10 Enterprise 2019 LTSC
    • Windows 10 Mobile
    • Windows 10 IoT Enterprise (x86, x64)
    • Windows 10 IoT Mobile Enterprise
    • Windows Holographic for Business
    • Windows 10 Teams (Surface Hub)
    • Windows 10 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode)

    We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

    Intune can provide support like the below:

    • App protection policy, allows you to manage and protect your organization's data within an application
    • Deploy Windows 10 software updates policy
    • Manage apps and devices
    • Manage endpoint security in Microsoft Intune

    Here are some articles for reference:
    Microsoft Intune documentation
    https://learn.microsoft.com/en-us/mem/intune/

    Manage Windows 10 software updates in Intune
    https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure

    Control USB devices and other removable media
    https://learn.microsoft.com/en-us/windows/security/threat-protection/device-control/control-usb-devices-using-intune

    App protection policy
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy

    Manage endpoint security in Microsoft Intune
    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security

    For other servers, like Linux and Windows Server, we can consider migrating to Azure as well. Here are some articles for reference:

    Linux migration
    https://azure.microsoft.com/en-us/migration/linux/

    Windows Server migration
    https://azure.microsoft.com/en-us/migration/windows-server/

    If you have questions on other products on Azure, we can ask the questions here:
    https://learn.microsoft.com/en-us/answers/products/azure?product=all

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.


  4. Sabarigirisan Shankar 21 Reputation points
    2020-08-24T12:06:36.293+00:00

    @Crystal-MSFT Thanks for your response. So now it is clear that just having Intune alone may not suffice for our needs in the current scenario. Will the steps outlined previously by me help us accomplish our goals?
