Ignite day 2 – Modern Management recap


Today was day 2 of Microsoft Ignite in Orlando. My focus today was on sessions about modern management. That means, for example, Microsoft Intune, but especially the newly announced “Microsoft Endpoint Manager”.

Slide: Microsoft Endpoint Manager – an integrated solution for IT admins to understand and take action across all endpoints in their estate, bringing together Microsoft Intune, Configuration Manager and other endpoint management tools with status and alerts.
Photo: Fabian Niesen – Ignite 2019: Endpoint Manager

Microsoft Endpoint Manager

With Microsoft Endpoint Manager, Microsoft wants to unite all of its endpoint management systems. For example, administering SCCM and Intune in co-management should become simpler. Through the cloud-based Endpoint Manager you can also administer devices that are managed purely by SCCM. This is made possible by some new functions in the co-management of SCCM and Intune.

Slide: Cloud Attach (DEP40, Thu 12:45 pm) – Supercharge PC and mobile device management: attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud. Cloud intelligence drives management; unified endpoint management; web-based admin for Config Manager through the Microsoft Endpoint Manager Admin Center.
Photo: Fabian Niesen – Ignite 2019: Cloud Attach

A benefit of the Endpoint Manager is that it supports role-based administration (RBAC). The helpdesk, given a suitable authorization role, can also use this interface and only sees the information made available to it. This makes permissions management much easier compared to setting the SCCM permissions, the Intune permissions, the Azure AD permissions and others separately. It also provides a consolidated, web-based console. This means no more admin software on the administrator's system, and therefore no administrative password hashes or tokens cached there. RBAC can also be used to hide certain security settings that may be managed by a dedicated security team.

Endpoint Manager and Licensing

Slide: Announcing new co-management licensing
What: Cloud attach Config Manager PCs without an Intune license (co-managed); Config Manager SA and AAD P1 required; Mobility Management (iOS, Android, macOS) not included
When: December 1, 2019
How: Set up your AAD tenant (already done if you use Office 365); use Config Manager to enable co-management; see your PCs in Microsoft Endpoint Manager
Photo: Fabian Niesen – Ignite 2019: Co-management licensing

As a further incentive for customers, Intune licensing for SCCM customers with Software Assurance will also be made easier. For these customers, Intune will soon be free of charge. Only an Azure AD P1 plan is needed in order to provide Intune as MDM for the systems and to extend Azure AD with the other necessary functions.

Security Admin

Slide: Trusted by IT and fully integrated – Microsoft 365 Admin Center (admin.microsoft.com) with the areas Teams, Identity and Access, Email, Security, Compliance and Endpoint Management.
Photo: Fabian Niesen – Ignite 2019: Admin Center

An extension for the Security Admin is also in the pipeline. Security baselines have been around since last year, but they are now being extended. Security policies for Edge and Office 365 ProPlus have also been announced.

Slide: Encryption Management (BRK3083, Wed 2:00 pm) – Unified endpoint security management with Microsoft Defender ATP and Microsoft Endpoint Manager: Windows, macOS, iOS, Android; cloud and on-premise; key recovery and rotation; rich configuration and reporting. Covers readiness, compliance and reporting, lifecycle, configuration and recovery key management.
Photo: Fabian Niesen – Ignite 2019: Encryption Management

Also new are policies for device encryption, at least for some operating systems. macOS is now supported as well, including management of the recovery key.

A lot has happened with Windows 10 too. MBAM has already been announced as discontinued. Now Intune finally gets the necessary controls to make this easy, including storing the recovery key and generating a new recovery key via Intune. This is handy once a recovery key has been handed out to the customer and should therefore be replaced.

Screenshot: Intune device overview blade with the device actions Reset passcode, Restart, Autopilot Reset, Fresh Start, Quick scan, Full scan, Update Windows Defender signatures, BitLocker key rotation, Rename device and New Remote Assistance Session.
Photo: Fabian Niesen – Ignite 2019: Recovery Key rotation

This function can be found in the Troubleshoot menu item in the Security Console.
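Before relying on key rotation from the console, a defender wants to know which volumes actually have a recovery password protector, because that is the protector Intune stores in Azure AD and replaces on rotation. The following read-only check is an added example for this article, not code from the original post or from Microsoft; the reporting shape (custom objects, exit codes) is my own choice, and it assumes the BitLocker PowerShell module that ships with Windows 10 and an elevated session.

```powershell
# Added example (not from the original article, not Microsoft's code): a read-only
# BitLocker posture check for every fixed data/OS volume. Run as an administrator.
# It reports volumes that are unprotected or that have no recovery-password
# protector, which is the protector Intune escrows to Azure AD and rotates.
# Assumption: the output shape and the exit-code convention are my own choice.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            # All recovery-password protectors on this volume (may be none or several)
            $recovery = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
            [pscustomobject]@{
                MountPoint        = $_.MountPoint
                VolumeType        = $_.VolumeType
                VolumeStatus      = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
                ProtectionOn      = ($_.ProtectionStatus -eq 'On')
                RecoveryProtector = [bool]$recovery
                RecoveryKeyId     = ($recovery | Select-Object -First 1).KeyProtectorId
            }
        }
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Findings a security team cares about: protection off, or nothing to escrow.
$findings = $posture | Where-Object { -not $_.ProtectionOn -or -not $_.RecoveryProtector }
if ($findings) {
    Write-Warning "Volumes needing attention: $($findings.MountPoint -join ', ')"
    exit 1
}
exit 0
```

On an Azure AD joined device, a volume that has a recovery password but was never escrowed can be backed up manually with the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet using the KeyProtectorId reported above; a volume with no recovery-password protector at all has nothing for Intune to store or rotate, which is the gap this check surfaces.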

Slide: Endpoint Security Admin (BRK3083, Wed 2:00 pm: Unified endpoint security management with Microsoft Defender ATP and Microsoft Endpoint Manager; BRK3156, Thu 10:15 am: Security in overdrive – best practices for configuring Microsoft Defender ATP) – dedicated Sec Admin workspace; cross-persona workflows; covers both cloud and on-prem endpoints; integrated with Microsoft Defender ATP.
Photo: Fabian Niesen – Ignite 2019: Endpoint Security Admin

Experience Score

Screenshot: Microsoft Endpoint Manager Admin Center > Reports (preview) > User experience analytics – Startup performance. Shows the startup score against the baseline (all organizations, median), a score breakdown (core boot score, core sign-in score), average startup phases in seconds (core boot time, Group Policy boot time), and insights and recommendations such as devices using HDDs that boot and sign in slower than SSD devices, devices with sign-in or boot times slowed by Group Policy processing, and devices with slow sign-in times, each with the expected score gain from fixing it.
Photo: Fabian Niesen – Ignite 2019: Experience Score

This new feature should help the IT department identify optimizations on the devices that improve usability. Telemetry data and other signals from the devices are analyzed. Possible recommendations are an SSD instead of an HDD or changes to the configuration. It is also interesting that this data can be filtered and sorted by many criteria. Model-based analyses can also be performed, such as which hardware model has the longest boot time.

There are also scripts that are executed automatically to improve performance. The preview currently contains 6 script packages:

  • Check network certificates
  • Clear stale certificates
  • Check VPN
  • Restart stopped Office activation
  • Restart stopped Office Click-to-Run services
  • Update stale Group Policy

Screenshot: Microsoft Endpoint Manager Admin Center > Reports (preview) > User experience analytics – Proactive remediations. “Run script packages on devices to proactively find and fix the top support issues in your organizations. You can create script packages by pasting your scripts directly, importing a JSON file or duplicating an existing script package.” The list shows the six active script packages (Check network certificates, Clear stale certificates, Check VPN, Restart stopped Office activation, Restart stopped Office C2R, Update stale Group Policies) with per-package counts for No issue, Issue found and Issue fixed.
Photo: Fabian Niesen – Ignite 2019: Proactive remediations
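A proactive remediation is a pair of scripts: a detection script whose exit code tells Intune whether the issue exists (0 = no issue, 1 = issue found), and a remediation script that only runs when detection reported an issue. The pair below is an added example for this article, not one of Microsoft's built-in packages and not code from the original post; it reimplements the “update stale Group Policy” idea. The registry location it reads for the last machine policy refresh and the 24-hour staleness threshold are assumptions I chose, and the scripts are uploaded as two separate files in the console.

```powershell
# Added example (not Microsoft's built-in package, not from the original article):
# detection / remediation pair in the shape Intune Proactive remediations expect.
# Both scripts run as SYSTEM by default, so keep them small and reviewable.

# ---------- Detection script (e.g. Detect-StaleGroupPolicy.ps1) ----------
# Exit 0 = no issue, exit 1 = issue found (Intune then runs the remediation).
$MaxAgeHours = 24   # assumption: a machine policy refresh older than this counts as stale

# Assumption: the Group Policy machine extension state key stores the start of the
# last refresh as a split FILETIME in StartTimeHi / StartTimeLo.
$stateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'

try {
    $state = Get-ItemProperty -Path $stateKey -ErrorAction Stop
    # Registry DWORDs arrive as signed Int32; mask the low part before recombining.
    $fileTime    = ([int64]$state.StartTimeHi -shl 32) -bor ([int64]$state.StartTimeLo -band 0xFFFFFFFF)
    $lastRefresh = [DateTime]::FromFileTime($fileTime)
}
catch {
    # Unknown state is treated as an issue so that remediation runs and re-establishes policy.
    Write-Output "Unable to read Group Policy state: $($_.Exception.Message)"
    exit 1
}

$age = (Get-Date) - $lastRefresh
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Output "Last machine GP refresh $lastRefresh ($([int]$age.TotalHours) h ago) - stale"
    exit 1
}
Write-Output "Last machine GP refresh $lastRefresh - within $MaxAgeHours h"
exit 0

# ---------- Remediation script (e.g. Remediate-StaleGroupPolicy.ps1) ----------
# Forces a refresh of computer policy only; user policy needs a user session.
$result = & gpupdate.exe /target:computer /force 2>&1
Write-Output ($result -join ' ')
if ($LASTEXITCODE -ne 0) { exit 1 }   # non-zero tells Intune the fix did not apply
exit 0
```

The output written with Write-Output is what appears in the per-device detail of the report, so the detection script should state the measured value, not just “stale”. Because these packages run with SYSTEM rights on every targeted device, treat the script content like any other privileged deployment: review it, pin it to a change record, and give the assignment the same scrutiny as a configuration profile.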

Non-Windows Management

There are separate break-out sessions for non-Windows 10 devices.

macOS Management

Slide: macOS Management (THR3028, Thu 9:35 am: macOS device management with Microsoft Intune) – app deployment, device configuration, certificates, VPN, WiFi; protection with device wipe, encryption, Defender ATP; limit access to compliant Macs; complex management support available with Jamf. Deployment scenarios: Intune managed, or Jamf managed and Intune compliant (Jamf + EMS).
Photo: Fabian Niesen – Ignite 2019: macOS Management

A special feature that I would like to mention here, and which was shown briefly, is native Intune management for macOS devices. Until now this was only possible through integration of the third-party solution Jamf. A beta of the native solution will be released at the beginning of next year. Microsoft also said that the native solution will contain only basic configuration and that Jamf will remain the right solution for more complex scenarios.

Another session on the subject of non-Windows devices is:

Android OS Management

Slide: Android Management (BRK3082, Wed 3:15 pm: Android device management with Microsoft Intune) – flexible deployment scenarios; zero-touch and Knox Mobile Enrollment; management of OEM-specific features beyond the Android platform; customizable end user experience with Microsoft Launcher. Scenarios shown: personally owned (Intune APP, Android Enterprise work profile) and company owned (Android Enterprise dedicated, Android Enterprise fully managed).
Photo: Fabian Niesen – Ignite 2019: Android Management

Mobile Application Management can now also be used to block the execution of corporate applications, or of applications in the corporate context, when a device is not secure. One example is the use of Lookout to detect unauthorized or dangerous applications on the device.

iPhone / iPad Management

Slide: iOS & iPadOS Management (BRK3219, Wed 12:45 pm: iOS and iPadOS management with Microsoft Intune) – multiple deployment options; best-in-class, configurable enrollment; comprehensive device configuration and management; current iOS management applies to iPadOS devices. Enrollment types shown: Intune APP, Device Enrollment, User Enrollment, Automated Device Enrollment (i.e. DEP).
Photo: Fabian Niesen – Ignite 2019: iOS & iPadOS Management

Mobile Application Management is now also supported on iPads and iPhones. A new feature is that the user is guided by an assistant during setup. This also establishes a federation between the Apple ID and Azure AD for this user, which enables some SSO functions.

Slide: iOS & iPadOS Data Protection (BRK3219, Wed 12:45 pm) – comprehensive security and data protection; best-in-class, configurable enrollment; better together: User Enrollment and Intune App Protection Policies; smart card “derived” credentials give passwordless resource access. Diagram: personal volume separated from corporate volume holding corporate data and LOB apps.
Photo: Fabian Niesen – Ignite 2019: iOS & iPadOS Data Protection

Office Pro Plus Management

Slide: Office Pro Plus Management (https://aka.ms/endpointmanager) – provide the best Office experience, driven by cloud intelligence; security and configuration management; cloud content optimization. Intune and Config Manager cover installation, configuration, reporting and content optimization, fed by Office 365 content intelligence.
Photo: Fabian Niesen – Ignite 2019: Office Pro Plus Management

In the software assignment for Office ProPlus, the individual programs can now also be selected for installation. The update rings can be defined here as well, along with other settings that were previously only possible via a config.xml.

Screenshot: Microsoft Endpoint Manager Admin Center > Apps – All apps > Add app (Windows 10 Office 365 ProPlus suite) > App Suite Settings: architecture (32-bit / 64-bit), update channel, specific version to install, remove other versions of Office (MSI) from end user devices, automatically accept the app end user license agreement, use shared computer activation; 10 apps selected in the suite.
Photo: Fabian Niesen – Ignite 2019: Office configuration

For an exact overview of the 2169 settings in the administrative templates for Office, I recommend a look at the article “Administrative templates in Intune – incl. list”.

Microsoft Edge

Slide: Secure Enterprise Browsing (BRK3253, Fri 10:15 am: Protected, productive mobile browsing with Microsoft Edge mobile and Microsoft Intune; BRK2230, Wed 10:15 am: One browser for modern and legacy web apps – deploying Microsoft Edge and Internet Explorer mode) – delightful mobile productivity experiences; enterprise-grade security and manageability; dual ID with easy transition between work and personal accounts. App Store and Google Play ratings shown as 4.6.
Photo: Fabian Niesen – Ignite 2019: Secure Enterprise Browsing

Microsoft Edge is now available for Windows 10, iOS, Android and macOS, on some of these systems still in beta. As described earlier in the article “News from Edge Chromium”, it is now based on the Chromium engine. It can now easily be distributed to the different device types via Intune. It is possible to select the channel of the Edge browser, for example Beta or Release. Depending on the OS, further settings can be made. For Windows 10, Edge can currently be controlled via 472 administrative templates. The list can again be found in the article “Administrative templates in Intune – incl. list”.

A new feature is the possibility for the IT department to define business URLs in Edge. These are opened in the work profile and are subject to the MAM rules; all other pages are opened in the personal profile.

New in Autopilot

In the first sessions, only functions that were already known were presented:

  • White Glove (GA 2020)
  • Azure AD Hybrid Join
  • Administrative Templates

This changed, as expected, in the session by Michael Niehaus, where some important and, in my opinion, long overdue announcements were made.

Also practical is the listing of the Autopilot costs at the various OEMs, even though I already knew them for Dell.

Slide: Windows Autopilot // Major OEM status (device registration, targeting later CY19)
Dell: Free registration. Additional $30/PC offering includes clean image or custom image loading, and choice of N, N-1, or N-2 Windows 10 releases.
Lenovo: $5/PC registration fee. Clean image by default. Additional $5/PC offering removes most apps from the OS; $8-35/PC offering allows choice of N, N-1, N-2 Windows 10 releases and offers preloading of up to five Win32 apps.
HP: Pilot program available today for device registration. Additional $0.01/PC fee for clean image.
Surface: Free registration. Clean image by default.
Photo: Fabian Niesen – Ignite 2019: Autopilot OEM status

Reseller support

Slide: Windows Autopilot // Coming soon – mock-up of an Autopilot Product Key label carrying a Microsoft Product Key ID, with label dimensions.
Photo: Fabian Niesen – Ignite 2019: Autopilot Product Key

One of the innovations that is interesting for many resellers is that Microsoft has created a way for manufacturers to print a product ID for Autopilot on the packaging. With this product ID, resellers can add the computer to the customer's Azure AD device directory. Exactly how this works, and when Microsoft will provide the interfaces for manufacturers to generate the ID and for resellers to add it to the customer's Azure AD, is not yet clear.

Network optimization

Another essential change is that in future the SCCM distribution point can also serve as a cache for Intune, Office, Windows Update for Business and the Microsoft Store. This is especially important for larger deployments, to keep the Internet connection from being saturated. Unfortunately, no specific timeline is known here.

SCCM-Integration in Autopilot

Slide: Windows Autopilot // Cross-scenario features
Enrollment status page (available in 1803+): track progress of policies, certificates, Win32/MSI/UWP apps and Office. New: disable for Nth users. Coming soon: integration with ConfigMgr (H1 CY20); options for skipping user ESP, targeting users and computers.
Device lifecycle management (available in Intune): register and de-register devices. Coming soon: improved performance; edit group tags (Q4 CY19); assign computer names (Q4 CY19).
Reporting and monitoring (available in Intune): see information about Windows Autopilot deployments. Coming soon: Windows Autopilot deployment report (Q4 CY19); Windows Autopilot log collection.
Windows and device config (ongoing): make it easier to set up Windows 10 defaults, features, firmware configuration, etc. New: DFCI firmware configuration. Planned: remove list of in-box apps; add language packs and features.
Delivery optimization (ongoing): cache content so it doesn't need to be downloaded repeatedly from the server. New: Office 365 ProPlus install support (preview). Planned: automatic Connected Cache discovery for white glove.
Windows Autopilot update (available in 1903+): automatically install the latest Windows Autopilot features and updates; requires Windows 10 1903 (September update or later) or later.
Photo: Fabian Niesen – Ignite 2019: Cross-scenario feature

Another change in Autopilot related to SCCM is that in future SCCM task sequences can also be executed on the client via Autopilot / Intune. This allows for some very interesting possibilities.

Updates for Autopilot

What already works is that Autopilot can now download updates for itself when it runs, and can thus be extended with new functions on the fly. This is especially helpful when the OEM only provides images of the respective RTM versions. The prerequisite is Windows 10 1909, or 1903 with the September update.

VPN support

With this feature, all I can say is, “FINALLY!!!!!”.

Slide: Windows Autopilot // Deployment scenarios
User-driven mode with Azure AD join (available in 1703): join device to Azure AD, enroll in Intune/MDM.
User-driven mode with hybrid Azure AD join (available in 1809): join device to AD, enroll in Intune/MDM. Coming soon: deploy over VPN (preview in Q1 CY20, 1903+).
Windows Autopilot white glove (preview, available in 1903): white glove partners or IT staff can pre-provision a Windows 10 PC to be fully configured and business-ready for an org or user; general availability targeting CY20.
Self-deploying mode (preview, available in 1903): no need to provide credentials, automatically joins Azure AD; general availability targeting CY20.
Windows Autopilot for existing devices (available in 1809): Windows 7/8.1 to Windows 10 via ConfigMgr task sequence, followed by Windows Autopilot user-driven mode. New: hybrid Azure AD join support.
Photo: Fabian Niesen – Ignite 2019: Deployment Scenarios

VPN support for Autopilot is announced for Q1 2020 and requires an Autopilot with the update function; the update function can then add this feature afterwards. This eliminates the need for a direct connection to a domain controller during the hybrid domain join, which means that users can finally perform the hybrid AD join at home. In combination with White Glove, Autopilot can finally be used even on narrow bandwidths. The important requirement is that the VPN client is packaged and distributed as Intune software, and that it is able to connect to the tunnel before the user logs in.

Have I said already? Finally!!!!

Modern Authentication in Autopilot

Soon, Autopilot will also support login via the Authenticator app on the mobile phone or via a FIDO2 token.

Names are not so important, are they?

In the future, the naming scheme for autopilot and hybrid domain join will be aligned. It will also be possible for IT to specify selected names directly for a device.

Overview slides by Michael Niehaus on the innovations

Slide: Windows Autopilot // Top 10 new features coming soon
1. User-driven hybrid Azure AD join over the internet – VPN support (Q1 CY20 preview)
2. Integration with Configuration Manager for running task sequences (H1 CY20)
3. Group tag editing (Q4 CY19)
4. Direct computer name assignment (Q4 CY19 for Azure AD)
5. Windows Autopilot deployment report (Q4 CY19)
6. Aligned naming options for Azure AD and hybrid Azure AD (CY20)
7. Guided scenarios to help with initial setup and configuration
8. ESP enhancements for targeting, disabling user ESP, Nth user
9. Full network documentation (URLs, IP addresses, etc.)
10. Windows 10 configuration for features, language packs, in-box apps
Photo: Fabian Niesen – Ignite 2019: Top 10 new features coming soon

Slide: Windows Autopilot // Top 6 future investment areas
1. Troubleshooting and logging improvements
2. Migration of apps and settings from an old computer
3. Provisioning performance – the need for speed
4. Configuration of Windows 10 preferences and defaults (vs. just policy/settings)
5. Device lifecycle management improvements
6. Better handling of OS languages
Photo: Fabian Niesen – Ignite 2019: Top 6 future investment areas

New in Intune

Slide: Policy Sets and Guided Scenarios (THR3026, Tue 11:30 am: Keep it simple – Microsoft 365 device and app management) – create standard configurations; get up and running quickly; assign and report in aggregate. A policy set bundles apps, app config, app protection policies, device config profiles and device compliance policies.
Photo: Fabian Niesen – Ignite 2019: Policy Sets

One of the new features in Intune is Policy Sets. These bundle applications, application configurations and application protection policies together. This is intended to simplify administration: only one policy set has to be assigned, instead of assigning everything individually.

Also new are the so-called “Guided Scenarios”. These are wizards that walk through the individual steps for certain scenarios and end in a finished policy set. The target group is new administrators or generalists who are looking for a simple start.

Note on transparency

At the time of writing, I was working for Dell Technologies. However, this article reflects my own personal opinion and was not sponsored, influenced or rewarded by my employer in any way. Only the trip to Ignite was paid for by Dell. #Iwork4Dell

This article first appeared on Infrastrukturhelden.de in German.

This article is a translation of the Infrastrukturhelden.de article “Ignite – Modern Management” (published 2019-11-06). Links may refer to other Infrastrukturhelden.de articles, which may also be available in English.

It may also be that I still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.


Author: Fabian Niesen

Fabian Niesen has been working as an IT consultant for years. Here he writes privately and independently of his employer. Among other things, he is certified as MCSA Windows Server 2008 / 2012, MCSA Office 365, MCSA Windows 10, MCSE Messaging, MCT and Novell Certified Linux Administrator. Since 2016 he has also been MCT Regional Lead for Germany. His hobbies are social media, blogging, medieval markets, historical songs and house building.
