AttackSurfaceAnalyzer VS TheDSCBook

Solid comments here, on the client side you might like MS Attack Surface Monitor. https://github.com/microsoft/AttackSurfaceAnalyzer

Also take a look at MS attack surface anaylzer it has similar and additional capabilities. https://github.com/microsoft/attacksurfaceanalyzer

Maybe try Attack Surface Analyzer as well.

Basically, anything is better than giving local admin, even if you have to give Domain Users full control to the app folder(s) and reg keys. The tricky part is finding the required perms but home grown apps are usually pretty simple. An app like Attack Surface Analyzer may be able to help. Or just run the app as a standard user and use a tool like ProcMon to find the denied locations. I would probably first loosen up the ACL on the Program Files folder and that alone often fixes it.

For Mac, I recommend people be familiar with how Google manages Macs even if they decide to go a different direction, like Mosyle or Jamf. For Windows, be familiar with [DSC]() and know that the first-party Intune service is basically a DSC-Pull service.

Whether these instances should be under a CM system like DSC or Ansible, where parameters can be set centrally.

Our Linux and Mac users have long used RDP to log into Windows. That's largely obsolete, so the plan is for the remaining Windows to be Infrastructure-as-Code via DSC.

Intune is basically a DSC Pull service, and you can roll your own if you're so inclined.

Intune is a SaaS MDM that leverages DSC, which you can do yourself, if you want. In fact, DSC even supports Linux, to some degree. Nobody uses that, but it's there if someone wants to unify their client management with it.

Intune is a subscription service that uses the Desired State Configuration component built into Windows 10+, and DSC-Pull Service.

On Windows hosts, we use a DSC Pull-based Configuration Management system, which is the same thing that Microsoft's "Intune" subscription CM runs on. You could think of it as the open-source version of Intune -- more understanding to implement, but without the vendor baggage. I believe that DSC is present on "Home" versions of Windows, whereas "Home" versions cannot join an MSAD domain and are otherwise purposely feature-limited.

You can invoke DSC directly, if you'd like. Microsoft is quietly burying it now because they've been successful in pushing their userbase into subscription cloud services, but you can implement a DSC Pull Server and implement your own in-house version of Intune. An extremely good resource is The DSC Book, now free on Github.

DSC LCM and Intune claim to support Linux, for what it's worth. The document that says Intune supports Linux, Android, etc., conspicuously doesn't say that Intune supports 11 SE, interestingly. One wonders if the DSC client, the LCM, is present in 11 SE.