Evaluating Intune Against Workspace ONE Windows Edition: Part Three Security

We have now arrived at the final part of our three-part series evaluating Intune against Workspace ONE, a battle between two of the shining stars of UEM. This final installment covers security, which is arguably the most important topic of the three. We will cover a few areas of huge importance: how Windows 10 provides security, Workspace ONE’s security capabilities on Windows, and Intune’s security capabilities on Windows.

Windows 10 Security

When we discuss Windows 10 Security, there are certain areas we can focus on. I am by no means an expert in Windows 10 Security, but as a technologist there are specific areas I will mention. I’m sure that I will miss something, but as I said I’m not “the expert.”


We will discuss a few areas of Windows 10 security that you should be aware of: CSPs, Windows Information Protection (WIP), EDR, and Conditional Access. I have no doubt that there are many more areas you could focus on, but I think these are of great importance.

Configuration Service Providers

In Windows 10, CSPs are how device settings and configurations are deployed to devices; the settings travel to the device as SyncML or WAP provisioning messages. One of the best resources on CSP capabilities is the Microsoft CSP reference documentation, which covers the available CSPs, their supported operations, and their characteristics. A nice example of the objects involved can be seen below:

(Image: ActiveSync CSP object tree)

It’s easiest to think of CSPs as a modernization of GPOs, built to travel well over the air. Most UEMs surface CSPs in two fashions: (1) MDM profiles and (2) baselines, as you read about in the first part of our series. Inevitably, the success or failure of CSPs in a UEM comes down to the vendor’s dedication to profiles or baselines.

Windows Information Protection

Windows Information Protection (WIP) is a widely undervalued feature that we don’t see used as often. It’s ironic that, with the major focus on data leakage in mobile, the Windows security conversation is more steadily about hacking, subterfuge, encryption, and the like.

WIP has a number of benefits that greatly enhance your DLP strategy in Windows 10:

  • Separates personal and corporate data in an obvious fashion.
  • Provides data protection without needing to update or modify apps.
  • Lets you wipe corporate data while leaving personal data alone (in Intune).
  • Audits for issues and supports remediation.
  • Ties directly into Intune or your UEM platform.

A few of the other benefits of WIP are:

  • WIP encrypts data from managed areas, e.g. SharePoint, network shares, and enterprise web locations.
  • Direct control over where data can be copied, e.g. only between WIP-protected apps.
  • Varying levels of data access, such as blocking, allowing overrides, or audit mode.
  • Blocks syncs and copies to services like Dropbox.
  • Ability to remove corporate data from personal apps instead of removing the apps altogether.

A nice video demo can be found below showing how WIP works in action:

With all of that said, WIP also has some gaps. One of the key issues I have found, thanks to some reader feedback, is that WIP has a few holes, e.g. you can paste protected content into bars such as the Windows Run dialog or search bar. I guess this isn’t so different from some of the iOS loopholes.

We can see the behavior in Word:

But when we try the same thing in the Windows search bar:

Endpoint Detection and Response

One of, if not the, hottest areas in EUC right now is EDR. You can simply define EDR as a system that records system events and activities on endpoints and gives security teams the enhanced visibility needed to identify incidents that would typically be invisible. If you read Gartner, they will tell you that EDR focuses on a few key areas:

  • Incident data search and investigation
  • Triaging of alerts and validation of suspicious activity
  • Suspicious activity detection
  • Threat hunting or data exploration
  • Stopping bad actors and their activity

I won’t go much deeper on EDR, but CrowdStrike also has a nice article that digs deep into it here. For simplicity’s sake, think of EDR as the next evolution of anti-virus technology. EDR is a major focal point for every enterprise today and must be included in your Windows endpoint management strategy.

Conditional Access

Conditional Access is an area that I have covered in the past, so I won’t beat a dead horse. Basically, the idea is an “if” statement built from what Azure calls a Signal (the condition), a Decision to be made, and Enforcement of where and how that decision applies. In layman’s terms: “If Jon accesses SharePoint from an external network on a PC that is not trusted, only give him read-only access.”

Conditional Access is hugely important in today’s Windows 10 security landscape, which continues to evolve every day. We will encounter situations where we want to grant untrusted devices access to specific applications only if they are using MFA, are compliant, or are enrolled into the Windows landscape in a specific way. We will continue to focus on Conditional Access heavily as Microsoft widens its net.
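The Signal / Decision / Enforcement split described above, written out as an added example policy (not from the article) that expresses the “Jon on an untrusted PC gets read-only SharePoint” rule through Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.SignIns module is installed; the user object id is a placeholder, and the SharePoint Online app id is the first-party one.

```powershell
# Added example (not the article's or Microsoft's code): the author's
# "if Jon accesses SharePoint from an untrusted network on a PC that is not
# trusted, give him read-only access" rule as a Conditional Access policy.
# Assumes Microsoft.Graph.Identity.SignIns and Policy.ReadWrite.ConditionalAccess.

$jonObjectId      = '00000000-0000-0000-0000-000000000000'  # placeholder user object id
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'  # first-party SharePoint Online app

$policy = @{
    displayName = 'SharePoint read-only from untrusted network on non-compliant Windows PC'
    # Start in report-only mode so the sign-in logs show who would be affected.
    state       = 'enabledForReportingButNotEnforced'

    # SIGNALS (the "if"): who, which app, from where, on what device.
    conditions  = @{
        users        = @{ includeUsers        = @($jonObjectId) }
        applications = @{ includeApplications = @($sharePointOnline) }
        locations    = @{
            includeLocations = @('All')         # any network ...
            excludeLocations = @('AllTrusted')  # ... except named trusted locations
        }
        platforms    = @{ includePlatforms = @('windows') }
        # Device filter: only PCs that are NOT marked compliant by Intune/WS1.
        devices      = @{ deviceFilter = @{ mode = 'include'; rule = 'device.isCompliant -ne True' } }
    }

    # DECISION: no grant control is set, so the sign-in itself is still allowed.
    # ENFORCEMENT (where/how): SharePoint applies app-enforced restrictions,
    # which it implements as limited, browser-only, read-only access.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

SharePoint only downgrades the session if the tenant’s unmanaged-device setting allows limited access, so that setting is a prerequisite; review the report-only results before switching the state to enabled.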

Workspace ONE’s Windows Security Capabilities

Microsoft is largely playing with a loaded deck when it comes to Windows security, but VMware tries to play with the crayons it has at its disposal. Workspace ONE’s capabilities cover a few key areas we can discuss: MDM profiles and baselines, Carbon Black, Workspace ONE Intelligence, and Azure AD Conditional Access.

Workspace ONE MDM Profiles and Baselines

I covered the core MDM capabilities at length in part one of our series, so I don’t want to waste a ton of time, but I will re-hash a single point. Microsoft gives you a collection of CSPs to play with, and you HAVE to use it strategically. You can either go deep into the baseline side of the house or go deep into MDM profiles. In theory you could do both, but in practice people don’t.

A major issue that I have with how VMware has approached this is their overall substandard approach to baselines. They went hard into baselines but fail to keep them up to date. I will give them some credit that they support custom baselines coupled with LGPO; however, their current baseline for Windows is for 1909, which was released 14 months ago. I completely respect not focusing as much on MDM profiles and trying to empower users with baselines, but you have to be committed. Windows 10 is not a “side piece.” You have to be all in, otherwise it will be a major failure. As of this writing, we have found that many aspects of their baselines work, but many do not. It’s an area of major disappointment for me so far.

Workspace ONE Profiles and Baselines Score: 7

Carbon Black

VMware made a splash in 2019 when they purchased Carbon Black, a highly-regarded platform in the EDR space. Primarily my focus is on their Cloud Native Endpoint Protection platform. The offering in itself is really nice. They have four aspects to Carbon Black:

  • Next-Generation Antivirus and behavioral EDR: analyzes bad-actor behavior patterns to build a baseline, then detects and stops new attacks, from malware to more rudimentary and simplistic attacks.
  • Managed Detection: provides 24-hour visibility from the Carbon Black team, who validate alerts, contextually analyze for root cause, and provide regular reporting.
  • Real-time Device Assessment and Remediation: provides the ability to easily audit current system health and state to track and harden your managed devices’ security posture.
  • Enterprise EDR Functionality: proactively hunts for outliers using threat intelligence and customizable detections.

Within vExperts, we are still waiting for access to Carbon Black, which I am very much looking forward to digging deep into. One of the smart things VMware did was bundle Workspace ONE Intelligence and Carbon Black into a new suite called VMware Workspace Security, but my concern is that they are missing a big opportunity here. The list price at this juncture for Enterprise EDR is about $10.50 per device or $17.50 per user. Microsoft’s offering is priced at a surprisingly much lower mark. That will create some issues more likely than not. Check out a neat demo of Carbon Black below.

Carbon Black Score: 8.5

Workspace ONE Intelligence

VMware Workspace ONE’s lifeblood is built around Workspace ONE Intelligence. One of the offerings that makes this so strong is Zero Trust User Risk Scoring.

VMware’s Risk Analytics scores user behavior and device posture to calculate a risk score for all devices and users in the system. The risk score is used by admins to enforce conditional access for application and data access e.g. requiring MFA based on the device posture.

The risk scoring itself is very interesting because devices are marked as riskier based on behaviors like postponing OS updates, security settings being turned off, how many apps are installed within a certain time period, or even the types of apps installed. It’s amazing because it’s similar to how EDRs and other security products assess risk, which builds nice synergy.

One other area that I wanted to highlight is Workspace ONE Windows patch remediation, which you can use to quickly handle zero-day vulnerabilities and monitor their status simply and easily. The flowchart below shows how it works while leveraging a number of great technologies like P2P delivery of patches, CVE feeds, and the IFTTT functionality inside of Intelligence.

Prevent 'Bad Neighbor' Vulnerability that Affects Windows 10 Systems Using Workspace ONE | VMware

One other area that I would be remiss in skipping is Workspace ONE Sensors, for which you can find some samples here. The idea is that you write a script to collect data and then store the result in an object to be used inside of Workspace ONE Intelligence. I cannot say enough about the power of these sensors. I wrote a sensor to capture which version of the Office 365 client users are on, and Intelligence would then trigger a script to force Office to check for and apply updates. It’s an amazing capability that I love.

Using Sensors with Intelligence – Part 1 Creating a Sensor – EUCSE Blog
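The sensor-plus-remediation pairing the article describes, written out as an added example (not the author’s script and not VMware sample code). It assumes a Windows sensor returns its value by writing it to the pipeline, that Office is a Click-to-Run install, and that the minimum build used for the threshold is a constructed value.

```powershell
# Added example (not from the article or VMware): a Workspace ONE style sensor
# that reports the installed Office 365 / Microsoft 365 Apps build, plus the
# remediation Intelligence would trigger when that build is out of date.
# Assumptions: sensor value is the last object written to the pipeline; Office
# is a Click-to-Run install using the standard registry key and client path.

function Get-OfficeC2RVersion {
    # Click-to-Run records the build it currently reports under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) {
        return 'NotInstalled'   # sensor value when no Click-to-Run Office exists
    }
    $cfg = Get-ItemProperty -Path $key
    # VersionToReport is the build shown on the Office account page, e.g. 16.0.13127.20408
    if ($cfg.VersionToReport) { return [string]$cfg.VersionToReport }
    return 'Unknown'
}

function Test-OfficeBuildBelow {
    param([string]$Installed, [string]$Minimum)
    # Anything that is not a dotted build number is treated as out of date,
    # so the remediation still runs on odd or missing values.
    if ($Installed -notmatch '^\d+(\.\d+){1,3}$') { return $true }
    return ([version]$Installed -lt [version]$Minimum)
}

function Invoke-OfficeUpdate {
    # Remediation: ask Click-to-Run to check for and apply updates without UI.
    $c2r = "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"
    if (-not (Test-Path $c2r)) { throw "OfficeC2RClient.exe not found at $c2r" }
    & $c2r /update user displaylevel=false forceappshutdown=false
}

# --- Sensor script body: the single value Intelligence stores per device ---
$version = Get-OfficeC2RVersion
Write-Output $version

# --- Remediation script body (a separate script in practice) ---
# '16.0.13127.0' is a constructed threshold; Intelligence's automation would
# run this on devices whose sensor value falls below it.
# if (Test-OfficeBuildBelow -Installed $version -Minimum '16.0.13127.0') { Invoke-OfficeUpdate }
```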

Workspace ONE Intelligence overall is a great offering that VMware continues to build on similar to Microsoft’s building of their Power platform. Cost is still a concern, but my hope is VMware will continue to improve in that arena.

Workspace ONE Intelligence Score: 9.50

Azure AD Conditional Access with Workspace ONE

As I wrote about some time back, VMware and Microsoft finally work together nicely to deliver Azure AD Conditional Access. I would suggest following the link to get the major details, but the gist is that we can now feed our WS1 compliance data to Intune to deliver a great experience.

You can build policies in Azure to enforce more frequent sign-ins, device compliance, MFA, and much more. Now we can make sure that only compliant devices can launch our Office apps, which is a game changer.

A short demo of the AAD-CA experience can be seen below, which I thought might be helpful:

Azure AD Conditional Access with Workspace ONE Score: 9.5

Intune’s Windows 10 Security Capabilities

Microsoft has done a nice job of building a solid security posture for Windows 10. We are going to focus on MDM profiles and baselines, Microsoft Defender for Endpoint, and WIP. Since there is little point in duplicating features that are available in both platforms, I thought it best to focus on the overall security posture each platform delivers.

Intune’s MDM Profiles and Baselines

As we have highlighted previously in part one and earlier in this article, Intune has done a masterful job with much better profiles than Workspace ONE, such as:

  • More settings for caching, with the ability to delay downloads, advanced caching settings, and limits on RAM, disk, battery, and content sizes.
  • Deeper BIOS/UEFI configuration to let you disable hardware components and boot capabilities.
  • Substantially deeper device restrictions (read more here, as there are too many to list).
  • Domain join.
  • Edition upgrade profiles.
  • Endpoint protection profiles.
  • Deeper Windows Hello settings, with PIN expiration, PIN recovery, anti-spoofing, and support for certificate trust.
  • Defender ATP onboarding.
  • Network boundaries.
  • Shared device profiles.
  • Deeper BitLocker settings, e.g. recovery key rotation and hiding prompts.

Additionally, Microsoft’s baseline is current as of August 2020, which is a huge improvement over Workspace ONE. They may not support custom baselines, but they easily fill that gap with a stronger posture on MDM profiles.

Intune’s MDM Profiles and Baselines Score: 9.75

Microsoft Defender for Endpoint

Microsoft’s foray into EDR has largely been a work in progress, but they have made some great advances in recent months. One of my favorite aspects of it is the ability to fully configure it via a baseline inside of Intune. VMware, take the hint! Build a baseline or something similar to set up your EDR.

Defender offers many great capabilities similar to other EDRs:

  • Embedded behavioral sensors in Windows 10 that collect and process behavioral signals from the OS and send them to the Microsoft Security Center for analysis.
  • Cloud security analytics that use device learning and Microsoft’s optics across the Windows ecosystem, cloud products, and online assets to translate those signals into insights, detections, and recommended actions against threats of all sizes.
  • Threat intelligence generated by Microsoft’s teams of experts to identify attacker tools, techniques, and procedures, and to raise alerts when they are observed in sensor data at the time of attack.

For a deeper dive into ATP, I suggest reading my article here where I dug deep into it because I think Defender ATP is a huge surprise and a great job by Microsoft to deliver an affordable EDR that provides value. Their new pricing structure exposing it outside of E5 licensing for just $5-ish is a great strategic move that shows Microsoft is starting to listen.

Microsoft Defender for Endpoint Score: 9

Windows Information Protection

I have to admit it’s hard to find security capabilities to discuss for Intune. Microsoft Defender is such a huge part of their strategy now that it covers a large majority of the attack surface. Another area, which I wrote about a few months back, is App Protection Policies, which I think are worth mentioning.

Windows works a bit differently than what I had covered previously. Windows 10 App Protection Policies implement WIP, which starts with specifying the apps you want to protect:

Then deciding what protection mode you want:

Additionally, you add some advanced settings, like which domains are considered protected:

WIP overall, as we discussed earlier, is a great feature that is supported inside of Intune; it creates a really strong perimeter and protects your organization against data leakage.

Windows Information Protection Score: 9.75

Final Thoughts

Overall, part three was a bit challenging to write. A major issue that I ran into is the large degree of overlap, which doesn’t leave much to discuss in Windows 10 security. Realistically, the real discussion is Carbon Black and Workspace ONE Intelligence vs. the Microsoft Defender suite. I would presume that eventually VMware will address their baselines, or so I hope.

When it comes to security, I have to side with Microsoft and their Intune platform. One of the things that Microsoft has done a great job of is making the management experience within Intune more organic. I absolutely love how they have their own “Endpoint Security” section inside of Intune:

The supportability and level of training needed to support Intune is far less and lets companies get up and running faster. This is a great thing for our small and medium businesses. Additionally, I think the onboarding process for EDR is much easier with Defender, which is certainly a boon.

On the other side, Workspace ONE Intelligence is becoming a disruptor very quickly. It started as this cute little project that has grown into an advanced AI platform leveraging sensors and other aspects of the operating system to remediate security risks far quicker than anything else on the market. They continue to build their integrations for aggregating risk scores and building a “risk profile” of a user or device that helps them be more effective. You “could” argue that Microsoft Power Automate sort of does this, but not really.

At the end of the day, cost really comes into play here. Intune is just a smarter play at this juncture when it comes to security, between cost and simplicity. Sadly, we know that cost matters in our COVID-filled world now. If I were to score it, I would say Intune wins 9-8. It’s a narrow victory, but a victory nevertheless.

Final Thoughts on the Series

Now that we have made it to the end of this series, I didn’t think I would say this, but Intune appears to be the better platform overall for Windows management at this juncture. It comes down to a few key areas where they are just edging out WS1:

  • Cost
  • Simplicity
  • App Deployment
  • Core Capabilities

The major area that bothers me the most is probably a tie between Baselines and App Deployment friction. We can hope that we keep pushing VMware to be better and do better to close that gap and unify their excellence from iOS and Android to Windows 10.

6 thoughts on “Evaluating Intune Against Workspace ONE Windows Edition: Part Three Security”

  1. One thing you could focus on, though, is comparing the compliance policies and remediation steps in WS1 vs Intune, since this is security.
    Or comparing VMware Tunnel vs MS Tunnel on Mobile and Win10.
    Or maybe spending more time on BitLocker and patching.

    And it beats me how Intune can win in App Deployment for Win10 if it still cannot deploy EXE based installers w/o SCCM or VM-based repackaging. Or did I miss some news?

    1. You use MSIX to deploy EXE based installers with Intune.

      We already covered compliance policies in part one.

      The Microsoft tunnel, outside of being a carbon copy of VMware’s, is still a very new product and isn’t even close to the VMware tunnel. You do bring up a good point and I’ll likely write something on the Microsoft tunnel in a few months once it matures. One of my main issues with it is that you need Azure ExpressRoute to use it on-premises, which is a big fail.

  2. Man, before calling WIP “security” you should check the MS own docs. The thing is “accidental leak protection”. It is full of holes (try circumventing copy-paste prevention via Start->Run dialog).

    I had a customer in Russia testing it, filing TONS of tickets with MS, most of which were closed with “won’t fix – works as intended”.

    Just forget about it. WIP is NOT security. Just some extra safety from accidental mishap.

    1. I appreciate the sentiment, but DLP is an aspect of security. I’m sure WIP is not perfect and has some areas to improve on but it does provide some mitigation.

      All DLP has ways to be circumvented regardless of platform, but it’s still better than punting on it. DLP is more of a deterrent than a true prevention mechanism.

      1. DLP is an aspect of security indeed. But then – your customers are your responsibility. Just trying to issue a friendly warning here…

        Maybe there is a fundamental difference of understanding, but I don’t see how
        >which creates a really strong perimeter and protects your organization against DLP
        combines with
        > All DLP has ways to circumvent regardless of platform

        So is DLP a strong perimeter? (btw, you may want to reword the “protection against DLP” – why would you protect against it?)

        WIP’s implementation of DLP is like a condom with a tiny hole. Looks solid, until you get hit by the consequences of the leak. Again, it won’t be my responsibility – you decide. I had a fair share of yelling from that customer already 🙂

    2. I wanted to circle back and say you’re right so I appreciate you bringing it up.

      I updated that section with some of my testing. I disagree that WIP is as useless as you feel it is. WIP may not be perfect but it does mitigate “some” security risk. Apple has similar issues where it considers all of the native iOS apps to be trusted.
