WORKPLACE
Modernizing Windows Management with Configuration Manager and Intune
Kent Agerlund
Peter Daalmans
Kent Agerlund (@Agerlund)
Principal Consultant @ CTGlobal
Enterprise Mobility MVP & Microsoft Regional Director

Peter Daalmans (@pdaalmans)
Senior Consultant @ CTGlobal
Enterprise Mobility MVP
Session Objectives
• Understand the benefits of modernizing Windows management
• Immediate benefits of extending SCCM to the cloud
  • Conditional Access for SCCM managed PCs
  • Modern provisioning with Intune and AutoPilot
  • And more
• Learn about what’s coming
More than 115M enterprise Windows devices are managed by Configuration Manager Current Branch.
A commercial PC is upgraded to Win10 via ConfigMgr every 0.98s on average.
Businesses require powerful device management tools.
Changes in technology and the workplace introduce new management challenges
• Users working from anywhere
• Users want to choose the technology they work with
• Advanced security threats
• Cadence changes for Windows and Office
• Cloud infrastructure opportunities
Complement existing tools by lighting up cloud value
• Modern Provisioning
• Automated Update
• Simplified App Management
• Integrated Access Control, Security, and Compliance
• Lower Infrastructure costs
Cloud Enlightened Management Features
• Protect corporate data - Conditional Access for PCs
• Make any new PC enterprise-ready via a simple self-service experience
• Simplify update deployments with cloud insights
• Manage Store Applications and convert existing applications
• Manage clients over the internet
• Protect against advanced threats
• Lower TCO for single purpose devices
• Keep Windows up to date from the cloud
• Conditional Access for SCCM managed apps
• Azure hosted management and identity
• Control remote PCs with wipe, scan, and other commands
• Troubleshoot your employee’s PCs anywhere
Integrated Access Control, Security, and Compliance
Conditional access with EMS: signals used to control access to on-premise data
• App: mobile app is managed, mobile app reputation, SaaS app sensitivity
• Other: network location, breach detected
• Device: managed (Intune or CM), compliant, risky behavior
• User: group memberships, auth strength (MFA), risky behavior
Roadmap
Intelligent Security – Conditional Access based on Device Risk signals from Defender ATP
■ Currently in public preview
[Diagram: the WDATP console detects a threat (malware) and raises an alert; the device risk is passed to the Intune console, where Conditional Access stops O365 and email access; after SecOps or Hexadite remediation the threat is reported as remediated and Conditional Access is re-evaluated.]
Goal: Ensure only trusted and secure Win10 devices have access to corporate data.

How Microsoft Delivers Integrated Access Control, Security, and Compliance
• Protect corporate data - Conditional Access for PCs: Intune, AAD, O365
• Protect against advanced threats: Intune, ATP
Modern Provisioning with Intune and AutoPilot
Traditional PC provisioning
[Diagram: settings, policies, Office & apps, drivers; time + money]
Modern PC provisioning

Vision
Brad, your new Surface Laptop has arrived.
It’s time for unboxing…
OOBE Challenges
• Non-trivial decision making (Personal vs Org Owned disambiguation, Privacy Settings, OEM Registration) generates Helpdesk calls
• Time for configs and apps to install. Block access, show progress
• OOB account is always Admin – majority of enterprises want standard accounts on corp-owned devices
[Diagram: the OEM/Reseller ships off-the-shelf, shrink-wrapped devices directly to the employee, who unboxes the device and self-deploys]
Windows AutoPilot
[Diagram: the OEM/Reseller harvests device IDs and uploads them to Microsoft Intune with AutoPilot; the IT admin configures the AutoPilot profile; the device ships directly to the employee, who unboxes it and self-deploys. For existing enrolled devices, device IDs are harvested and synced from the Intune service to the AutoPilot service.]

OEM support for Windows Autopilot

1803 aka RS4 aka build 17134 aka latest Windows 10 experience
[Screenshots: the 1803 OOBE flow on an AutoPilot-registered device]
• Let’s start with region. Is this right? (United Arab Emirates / United Kingdom / United States)
• Is this the right keyboard layout? (US, United States-Dvorak for left hand, United States-Dvorak for right hand, United States-International, Albanian QWERTZ)
• Want to add a second keyboard layout? (Add layout / Skip)
• Let’s connect you to a network. That way you get updates, apps and cat videos as soon as possible. (Contoso Corp, ContosoMNGuestWiFi, Contoso Corp 2; Connect / Connect automatically / Skip for now)
• Welcome to our Guest Wi-Fi. By clicking on the connect button you agree to our Terms of Service and have reviewed the Contoso Privacy Policy. (Agree & Connect)
• Just a moment… Now we can go look for any updates
• Welcome to ContosoMN! Please sign in with your ContosoMN email address, then enter your ContosoMN password
• Setting up your device for work. This could take a while and your device may need to reboot. (Device setup: Device preparation; Account setup; Show details)
• We’re getting everything ready for you. This might take several minutes.
• Let’s Start!
Modern Provisioning – phases & components
• AutoPilot: Customize OOBE, Remove Admins, Pre-MDM Settings
• Azure Active Directory: Azure AD AuthN, Azure AD Join
• Intune/SCCM: Auto-enroll into Intune, Configure Policies and Settings, Install SCCM agent for Co-Mgmt
• Office, SfB, WUfB: Install Office 365, SfB Apps, Configure Updates
• Business Ready: Self-driven deployment, Windows Activation (step up from Windows Pro to Windows Enterprise)
What’s coming
• Autopilot Self-Deploying mode
• Autopilot Reset
• AutoPilot into Hybrid AADJ
• Win7 -> Win10 “rip and reuse”
• Forced enrollment
• Remove OEM bloatware
• Auto-register enrolled devices into AutoPilot
• Block personal devices
• Device renaming w/out reboot
• User personalization
Co-management

Co-management requirements & benefits
Requirements
• Devices joined to AD and Azure AD
• Enable automatic MDM enrollment for Windows 10
• Intune Standalone
Out of the box benefits
• Remote actions: factory reset, selective wipe, delete devices, restart device
Controlled workloads
• Compliance policies
• Resource access policies
• Windows Update policies
• Endpoint Protection
Cloud Management Gateway requirements & benefits
Requirements
• Azure subscription
• Certificate(s), depending on your choice: internal PKI, public provider, AAD auth
• Install Win10 clients
• AAD (and most likely AD) user discovery
• Azure service for ConfigMgr
• Client settings
Benefits
• Support for road warriors
• Support Windows Autopilot
Features supported
• Software updates and endpoint definitions
• Inventory
• Client activity
• Compliance settings
• Software distribution
• Windows 10 in-place upgrade task sequence
ConfigMgr client command line (CCMSETUPCMD=)
  /noCRLCheck
  /mp:https://VIA166CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927965
  CCMHTTPState=31
  CCMHOSTNAME=VIA166CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927965
  SMSSiteCode=PS1
  SMSMP=https://CM02.CORP.VIAMONSTRA.COM
  AADTENANTID=5172DCF5-EEC5-4E5A-A1A6-499A0EAA9759
  AADCLIENTAPPID=a0107f2f-99a6-47ef-ac36-65acb47214e7
  AADRESOURCEURI=https://ConfigMgrService
• https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-prepare#command-line-to-install-configuration-manager-client
• https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties
Useful SQL views
• vProxy_Roles (MutualAuthPath): ProxyServiceName, RoleServerName
• vSMS_AAD_Application_Ex: AppclientID, AADRESOURCEURI
Client registry keys
• Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Internet Facing
• Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
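As an added sanity check (not from the slides, and not part of ccmsetup or any Microsoft tooling), the following Python helper parses a ccmsetup command line of the shape shown above, reports any of the co-management properties from the slide that are missing, confirms that /mp and CCMHOSTNAME point at the same CMG mutual-auth path, and flags /noCRLCheck, which turns off certificate revocation checking for the client. The sample command is reconstructed from the slide; treating all listed properties as required is an assumption of this check.

```python
import re
import shlex

# Constructed sample: the command line from the slide, with the line breaks
# in the slide text joined back into single tokens.
SAMPLE_CMD = (
    "ccmsetup.exe /noCRLCheck "
    "/mp:https://VIA166CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927965 "
    "CCMHTTPState=31 "
    "CCMHOSTNAME=VIA166CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927965 "
    "SMSSiteCode=PS1 SMSMP=https://CM02.CORP.VIAMONSTRA.COM "
    "AADTENANTID=5172DCF5-EEC5-4E5A-A1A6-499A0EAA9759 "
    "AADCLIENTAPPID=a0107f2f-99a6-47ef-ac36-65acb47214e7 "
    "AADRESOURCEURI=https://ConfigMgrService"
)

# Properties the slide lists for a CMG / co-management install. Assumption:
# this check treats every one of them as required.
REQUIRED_PROPS = ("CCMHOSTNAME", "SMSSITECODE", "SMSMP", "AADTENANTID",
                  "AADCLIENTAPPID", "AADRESOURCEURI")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ccmsetup(cmd):
    """Split a ccmsetup command line into switches (/name or /name:value)
    and NAME=VALUE properties; names are treated as case-insensitive."""
    switches, props = {}, {}
    for tok in shlex.split(cmd)[1:]:          # skip the executable itself
        if tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
            switches[name.lower()] = value
        elif "=" in tok:
            name, _, value = tok.partition("=")
            props[name.upper()] = value
    return switches, props

def check_ccmsetup(cmd):
    """Return a list of findings; an empty list means the command line passed."""
    switches, props = parse_ccmsetup(cmd)
    findings = [f"missing property {n}" for n in REQUIRED_PROPS if n not in props]
    if "nocrlcheck" in switches:
        findings.append("/noCRLCheck disables certificate revocation checking")
    for name in ("AADTENANTID", "AADCLIENTAPPID"):
        if name in props and not GUID_RE.match(props[name]):
            findings.append(f"{name} is not a GUID")
    mp = switches.get("mp", "")
    if not mp.lower().startswith("https://"):
        findings.append("/mp is missing or not an https URL")
    elif props.get("CCMHOSTNAME", "").lower() != mp[len("https://"):].lower():
        findings.append("/mp and CCMHOSTNAME do not name the same CMG path")
    return findings
```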
Co-Management Roadmap
Enable all workloads:
• Device settings
• Modern Apps
• Office
• End User Portal
Settings baseline exceptions
Do you want to gain more knowledge about Microsoft technology?
The Future Ready Skills program offers online courseware, online labs, live Q&A’s and expert sessions, so you can acquire your official Microsoft Certificate in the most efficient way.
For more information: aka.ms/frsblog
FUTURE READY SKILLS