Unpacking endpoint management: ask Danny & Steve anything
Event details
Looking for tips and tricks to help you optimize and simplify the way you manage your endpoints? Come to this live Q&A session!
Danny Guillory and Steve Thomas are bringing their "Unpacking endpoint management" web series to Tech Community and answering your questions live about device configuration and management. Co-management, tenant attach, the cloud management gateway questions? Bring them! Blockers or struggles? Bring them!
Submit your questions during this live hour--or submit questions early (by posting a Comment below) and catch up when it's convenient for you.
82 Comments
- Dylan_Snodgrass
Silver Contributor
Thanks for joining us today for an AMA on Unpacking endpoint management. We appreciate your questions and feedback—and look forward to continuing the discussion on the Windows community!
- Glenntja
Brass Contributor
Will you be working on solving the issue of Autopilot hanging if you deploy both Win32 and LOB applications? This is a common issue that is easily replicable and makes using Autopilot stressful over just Intune enrollment during setup.
- Jason_Sandys
Microsoft
This was answered in another reply on this AMA. Basically, the root cause here is outside of Autopilot's control and there is a fairly easy workaround: only use Win32 apps. While this adds some overhead and time, it adds capabilities and prevents the possibility of any conflicts. This is our recommended path to address this.
- Christian Zenzano
Brass Contributor
Adoption of Cloud and Web app is problematic from a compliance perspective and validating that users are using corporate identity on SaaS services. What features does Windows 11 have to manage and monitor new cloud-based apps that are used?
- Jason_Sandys
Microsoft
With respect to Windows, stay tuned for future documentation and announcements. For monitoring and controlling web and SaaS apps, check out MCAS: https://www.microsoft.com/en-us/security/business/cloud-app-security
- Dennis_Ewald
Brass Contributor
I might have missed this information, but will Autopilot enable us out of the box to also install the latest Windows updates (including drivers) to the clients, especially in the whiteglove process?
- Jason_Sandys
Microsoft
This is a delicate balancing act between admin desire/security and end-user experience. For this reason, the path to achieving this is non-trivial and is still in the investigation phase. We do understand the ask and in general share the concern here, but we need to find the best path forward as well.
- Dennis_Ewald
Brass Contributor
I could imagine that a good middle way is that the normal user-driven mode continues as usual without Windows updates and only when you start Whiteglove as an IT admin or service provider the Windows update process is started. Because my expectation is that when a device is prepared with Whiteglove, I basically don't care if it takes 5, 15 or 60 minutes. Whiteglove is there to perform these time-consuming actions before the device is at the user, but it would probably be good to be able to enable/disable this feature via the Autopilot profile (similar to the keyboard configuration). This would still ensure that when a user needs to go through the Autopilot process on their own, it happens as quickly as possible but at the same time when the device is being prepared for them in the normal process, the admin / security requirements can be met.
- surbento
Copper Contributor
Is an Intune license required for MAM to be deployed on devices? And does enrollment into Intune require enabling MAM on devices? Is MAM user-based or device-based? How do we deploy applications to use MAM?
- Jason_Sandys
Microsoft
There are no additional licensing requirements for using MAM in Intune. MAM can be used with or without device enrollment. Deployment of apps to devices not enrolled requires the user to log in to the web-based company portal. See https://docs.microsoft.com/en-us/mem/intune/apps/mam-faq and https://docs.microsoft.com/en-us/mem/intune/apps/app-management for details on MAM aka APP.
- trebelow
Brass Contributor
We need to use co-management today because we need ConfigMgr for software metering. Are there plans to transfer the software metering capabilities to MEM?
- Danny_Guillory
Microsoft
What are you using metering for? This is an awesome question and something I would love to investigate. Feel free to ping me via DM. I don't know of anything exactly related to the metering capabilities we are working on so yes doing it through ConfigMgr might be the best option.
- Jason_Sandys
Microsoft
In addition to Danny's answer here, there are capabilities that simply don't lend themselves well to being delivered from a pure cloud service like Intune as they require a lot of costly overhead. For this reason, co-management is still a preferred solution and will be for the foreseeable future.
- David_Swenson
Steel Contributor
Endpoint Analytics question: First off - Love this feature. Thank you. Are there plans to include additional out-of-box remediation templates?
- Zach Dvorak
Microsoft
Hey David, thanks for your question! We're constantly working to improve EA, including Proactive Remediations! (For instance, we just enabled export for script results a few weeks back! https://docs.microsoft.com/mem/intune/fundamentals/whats-new#export-option-for-proactive-remediations-). Are there specific remediations you'd like to see natively in the tool? I'm happy to pass your feedback along to the team! And in the meantime, don't forget that you can create your own custom remediations as well (and there are countless examples you can use as templates available on IT Pro blogs 🙂).
- David_Swenson
Steel Contributor
Absolutely Zach! Thank you. There are three scripts we have developed and include in all deployments. They cover items like: 1. Duplicate Edge & Teams Desktop Shortcuts (context: all our clients are required to maintain OneDrive KFM - this can cause duplicates across their Windows devices), 2. Ensuring Flash is disabled in Adobe Products, 3. Fixing the auto-restart switch for Application Guard updates. These three have been very successful for us and we would love to see them built-in OOB.
- Jason_Sandys
Microsoft
Hi David_Swenson, the short answer here is yes, that's our intention. The currently provided remediations are based on internal Microsoft experience and there are others we are evaluating to add to this set as well. There are no public details on what these are or will be though.
- jjgrein
Copper Contributor
Windows firewall uses rules based on Domain, Private and Public networks. Is there a way to specify the "Domain" subnets for an Azure AD joined only PC? Or is it just one more thing requiring a device to be domain-joined?
- Jason_Sandys
Microsoft
Hi jjgrein, there is nothing built-in to automatically accomplish this, however, the standard path for most orgs is to deploy a script to configure the interface as Private and utilize that profile in your firewall rules as necessary.
- jjgrein
Copper Contributor
I considered such an approach but worried about the user switching or answering the Prompt to allow the machine to be discoverable wrong.
- Dennis_Ewald
Brass Contributor
Will we get LAPS for cloud devices?
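One way to write the kind of script the reply above describes, as an added example (not from the thread or from Microsoft): it marks a connection Private only when its IPv4 address falls inside a listed corporate subnet and Public otherwise, so rerunning it on a schedule also corrects a category a user changed. The subnet list and the two helper function names are assumptions.

```powershell
# Added example, not from the thread. Run elevated (for example as SYSTEM).
# Constructed placeholder ranges; replace with your organisation's real subnets.
$CorporateSubnets = @('10.20.0.0/16', '192.168.50.0/24')

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # Netmask as a number: 2^32 - 2^(32 - prefix)
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    $addrNet = (ConvertTo-IPv4Number $Address) -band $mask
    $cidrNet = (ConvertTo-IPv4Number $network) -band $mask
    return $addrNet -eq $cidrNet
}

foreach ($conn in Get-NetConnectionProfile) {
    # DomainAuthenticated is assigned by Windows itself and cannot be set manually.
    if ($conn.NetworkCategory -eq 'DomainAuthenticated') { continue }

    $addresses = Get-NetIPAddress -InterfaceIndex $conn.InterfaceIndex `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue

    $onCorporate = $false
    foreach ($addr in $addresses) {
        foreach ($subnet in $CorporateSubnets) {
            if (Test-IPv4InSubnet -Address $addr.IPAddress -Cidr $subnet) {
                $onCorporate = $true
            }
        }
    }

    # Default to the most restrictive profile unless the subnet matches.
    $wanted = if ($onCorporate) { 'Private' } else { 'Public' }
    if ($conn.NetworkCategory -ne $wanted) {
        Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex `
            -NetworkCategory $wanted
        Write-Output "$($conn.Name): $($conn.NetworkCategory) -> $wanted"
    }
}
```

A subnet match is a weak signal, because any untrusted network can hand out the same private range; firewall rules bound to the Private profile should stay scoped to specific remote addresses rather than trusting the profile alone.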
- Jason_Sandys
Microsoft
Hi Dennis_Ewald, there are ongoing investigations for a cloud-based LAPS solution and we, in general, understand the requirement and desire for this solution. There is nothing to share or announce at this time though.
- Dennis_Ewald
Brass Contributor
Will we have the ability to set a different Display Name (Company Portal) for an Intune App than what I as an Admin see from the Endpoint Portal?
- Jason_Sandys
Microsoft
Hi Dennis_Ewald,
I've not specifically heard of this as a request before but it can certainly add value. Please add this as feedback directly in the MEM admin console to ensure it has greater visibility.