endpoint management
Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.

Learn more

Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.

- OSHA COVID-19 guidance
- Configure and Deploy Security Baselines
- Setup/Configure Azure AD Connect
- Set up a Cloud Management Gateway
- Enable OneDrive for Business
- Switch to Split-Tunnel VPN Policies
- Enable ConfigMgr Co-Management
- Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN)
- Begin OneDrive for Business Known Folder Migration
- Configure and Enable Azure AD Conditional Access
- Set up Azure App Proxy
- Replace Perimeter trust with Zero Trust
- Enhance MFA by issuing FIDO2 Keys
- Consider Further Advanced Cloud Security Solutions
- Leverage the power of Analytics: User Experience & Productivity Score
- Shift line of business (LOB) application workloads
- Begin piloting and shifting Policy, Compliance, and EP to the cloud
- Enable asset protection through Office ATP and MCAS
- Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
- Azure Multi-Factor Authentication
- Conditional Access
- Data Leak Prevention
- Intune Migration Guide
- Zero Trust strategy—what good looks like
- How to implement Multi-Factor Authentication (MFA)
- Microsoft Cloud Security solutions provide comprehensive cross-cloud protection
- Blog: Brad Anderson
- Blog: Jared Spataro

While not mentioned specifically in this session, here are some additional resources you might find helpful:

- Microsoft COVID-19 response site
- Enabling Remote Work
- Microsoft Endpoint Manager remote work blog
- Work remotely, stay secure
- 2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)?
A: We are seeing customers move all Internet traffic away from the VPN, and that is what we do internally as well. There are a couple of resources on this for WSUS (see 2.1.1) and Windows Update.

Q: Are there instructions to shift Office updates from Configuration Manager to the cloud?
A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.

Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?
A: Here are some resources that are available on the topic:
- https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/
- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
- https://www.microsoft.com/en-us/security/business/identity/passwordless

Q: Do you have any formal statements endorsing Split-Tunnel VPN?
A: The statement below is from https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile:

"Split tunneling: Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default."

Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?
A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost

Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?
A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP, specifically the Endpoint Detection and Response (EDR) component.

Feedback

We hope you find this first session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Managing Windows 10 updates for a remote work world
During a global public health crisis in which working remotely has become the new normal, managing the Windows 10 operating system helps ensure remote users stay safe, secure, and productive. One of the most important issues is how best to configure a management approach for Windows 10 updates that will protect endpoints without adversely impacting device performance or user productivity. Here, we will focus on options for delivering feature and quality updates to remote worker endpoints, how to configure those endpoints to receive the updates you designate as important, and how to maintain a desired level of control, all while minimizing infrastructure impact.

Update types

To help ensure device compliance and user productivity, Microsoft sends different types of updates, including:

- Quality updates. These monthly updates include bug fixes and security enhancements. Because quality updates are cumulative and don’t require a complete reinstallation, the packages are smaller, and they download and install quickly.
- Feature updates. These twice-yearly updates include new features and significant enhancements to the Windows operating system. Feature updates are essentially a new version of Windows 10, and as such they require a complete reinstallation. While they are larger than quality updates, only the files necessary to complete the update are downloaded, so staying current with updates has advantages.
- Device driver updates. These small pieces of software are the updates made to device drivers by original equipment manufacturer (OEM) vendors. Microsoft Update is used as a channel for distributing these updates.
- Microsoft Defender definition updates. These updates include current threat information for Microsoft Defender.

To support remote worker scenarios, we recommend that remote endpoints obtain approved updates via the internet. In such cases, a split-tunnel VPN can help reduce the traffic that has to cross your VPN infrastructure.
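The split-tunnel recommendation above, as an added example that is not code from the original post or from Microsoft: a PowerShell script that creates a Windows built-in VPN connection in split-tunnel mode and then checks that the profile really routes only corporate prefixes through the tunnel, leaving Windows Update, Office 365 and OneDrive traffic to go straight to the Internet. The connection name, gateway address, tunnel type, authentication method and prefix list are placeholders (assumptions); replace them with the values your gateway actually requires.

```powershell
# Added example, not code from the original post or from Microsoft.
# Creates a Windows built-in VPN connection with split tunneling and verifies
# that only the listed corporate prefixes are routed through the tunnel.
# Assumptions (placeholders): connection name, gateway FQDN, tunnel type,
# authentication method, and the corporate prefix list.
# Requires the built-in VpnClient module on a Windows 10 client.

$ConnectionName = 'Corp-SplitTunnel'                                  # placeholder
$VpnServer      = 'vpn.example.com'                                   # placeholder gateway
$CorpPrefixes   = @('10.0.0.0/8', '172.16.0.0/12', '192.168.100.0/24') # placeholder ranges

function New-SplitTunnelVpn {
    param(
        [string]$Name,
        [string]$Server,
        [string[]]$Prefixes
    )

    # -SplitTunneling: the client does NOT install a default route via the tunnel.
    # Tunnel type and authentication method are assumptions; match your gateway.
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -SplitTunneling -Force

    # Explicit routes: these prefixes are the only destinations reached via the VPN.
    foreach ($prefix in $Prefixes) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix
    }
}

function Test-SplitTunnelVpn {
    param([string]$Name)

    $vpn = Get-VpnConnection -Name $Name -ErrorAction Stop
    $problems = @()

    if (-not $vpn.SplitTunneling) {
        $problems += 'SplitTunneling is disabled: all Internet traffic will traverse the VPN'
    }

    $routes = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
    if ($routes -contains '0.0.0.0/0' -or $routes -contains '::/0') {
        $problems += 'A default route is configured: this defeats split tunneling'
    }
    if ($routes.Count -eq 0) {
        $problems += 'No routes configured: nothing will be reachable over the tunnel'
    }

    [pscustomobject]@{
        Connection     = $vpn.Name
        SplitTunneling = $vpn.SplitTunneling
        TunnelRoutes   = $routes
        Problems       = $problems
    }
}

New-SplitTunnelVpn -Name $ConnectionName -Server $VpnServer -Prefixes $CorpPrefixes
Test-SplitTunnelVpn -Name $ConnectionName | Format-List
```

Run it in an elevated PowerShell session. The check flags a profile in which split tunneling is off or in which a default route (0.0.0.0/0 or ::/0) has been added, since either sends all Internet traffic, Windows Update included, back through the VPN. Keep in mind the trade-off the first session's FAQ calls out: once Internet traffic bypasses the VPN, URL filtering and compliance monitoring have to happen on the endpoint (for example through Microsoft Defender ATP) rather than at the VPN concentrator.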
Update mechanisms

For delivery of Windows 10 updates, there are three primary mechanisms to consider: Windows Update, Windows Update for Business, and Microsoft Endpoint Configuration Manager. Each mechanism has different benefits and limitations that you will need to assess to make the best selection for your specific scenarios. We will look at each of these mechanisms in more detail, but the basic comparison in the table below provides our starting point.

Update mechanism                            IT pro control   Update delivery
Windows Update                              Low              Internet
Windows Update for Business                 Medium           Internet
Microsoft Endpoint Configuration Manager    High             On premises/Internet

Windows Update

Windows Update is a Microsoft service for Windows operating systems that automates the download and installation of updates over the internet. Windows Update provides update files for the Windows operating system, device drivers, and other products such as Microsoft Defender. While Windows Update is primarily used for feature and quality updates for consumer devices, given its effectiveness and global scale, many enterprise customers use Windows Update as the update mechanism for their devices. For the remote worker scenario, it is the most cost effective. However, it provides the least management control for IT pros. To allow endpoints to update using Windows Update, the policy "Do not connect to any Windows Update Internet locations" (under Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update) must be either Not Configured (the default) or Disabled.

(Screenshot: policy configuration options for "Do not connect to any Windows Update Internet locations")

Quality updates

There are several control options in Windows Update for quality updates. Options on the Windows Update agent include checking for quality updates, pausing them, setting active hours, viewing update history, and advanced options.

After selecting Check for updates, the status of update downloads and installation is shown in the Windows Update agent. When you select Pause updates, update installation is paused for seven days by default. It is also possible to change the length of the pause by selecting Advanced options and entering the necessary information. To avoid possible disruption caused by updates, you can set active hours for devices; Windows can also determine active hours automatically based on activity. Under Advanced options, there are additional settings related to update delivery. Along with the pause timing mentioned above, advanced options include preferences for receiving updates for other Microsoft products, using metered connections such as 3G or LTE for downloading updates, and defining restart actions and notifications to complete updates.

Feature updates

Windows Update provides limited control over twice-yearly feature updates. Each endpoint should be configured to be in the Semi-Annual Channel by the end user. However, for Windows Update to be the active mechanism for updates, there should not be a policy or configuration in place for the deferral branch, deferral days, or pausing updates. If these policies are configured, devices are considered to be using Windows Update for Business, which we discuss in the next section. Update deferral can be configured from Advanced options by designating the number of days a feature update is deferred.

Windows Update for Business

Windows Update for Business is the same Windows Update service described above but with one key differentiator: devices are managed and configured through centralized policies. This gives the IT pro more granular management capabilities, including deferral of feature updates for up to 365 days.
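As an added example (not code from the original post or from Microsoft), the following PowerShell reads the policy registry values that the Group Policy and MDM Windows Update policies write, and applies the rule the text gives: if no deferral, pause or branch-readiness policy is set and no WSUS server is configured, the device is on plain Windows Update; if any of them is set, it is on Windows Update for Business. The registry paths and value names are the documented policy locations; the classification rules and the Set-WufbDeferral helper (which writes the same values the "Select when ... Updates are received" policies set) are this example's own.

```powershell
# Added example, not code from the original post or from Microsoft.
# Classifies a device's update mechanism from the Windows Update policy
# registry values, and (lab use) writes a Windows Update for Business
# deferral the way the corresponding Group Policy settings would.
# Assumption: the key and value names below are the documented policy
# locations; the classification logic is this example's, not an API.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = Join-Path $WuPolicyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UpdateMechanism {
    # Any of these values present means a Windows Update for Business policy applies.
    $wufbValues = 'BranchReadinessLevel',
                  'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
                  'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
                  'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime'

    $settings = [ordered]@{}
    foreach ($name in $wufbValues) { $settings[$name] = Get-PolicyValue $WuPolicyKey $name }
    $settings['DoNotConnectToWindowsUpdateInternetLocations'] = Get-PolicyValue $WuPolicyKey 'DoNotConnectToWindowsUpdateInternetLocations'
    $settings['WUServer']    = Get-PolicyValue $WuPolicyKey 'WUServer'
    $settings['UseWUServer'] = Get-PolicyValue $AuPolicyKey 'UseWUServer'

    $wufbConfigured = @($wufbValues | Where-Object { $null -ne $settings[$_] }).Count -gt 0

    $mechanism =
        if ($settings['UseWUServer'] -eq 1 -and $settings['WUServer']) {
            'WSUS / Configuration Manager (' + $settings['WUServer'] + ')'
        } elseif ($settings['DoNotConnectToWindowsUpdateInternetLocations'] -eq 1) {
            'Blocked: policy forbids contacting Windows Update Internet locations'
        } elseif ($wufbConfigured) {
            'Windows Update for Business (deferral/pause/branch policy present)'
        } else {
            'Windows Update (no update management policy)'
        }

    [pscustomobject]@{ Mechanism = $mechanism; Settings = $settings }
}

function Set-WufbDeferral {
    # Writes the values the "Select when ... Updates are received" policies set.
    # Lab use only: in production let Group Policy, Intune or ConfigMgr own these.
    param(
        [ValidateRange(0, 365)][int]$FeatureDays,   # 0-365 days, as the post states
        [ValidateRange(0, 30)][int]$QualityDays     # 0-30 days is the policy's allowed range
    )
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    $values = @{
        BranchReadinessLevel            = 16   # 16 = Semi-Annual Channel
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityDays
    }
    foreach ($kv in $values.GetEnumerator()) {
        New-ItemProperty -Path $WuPolicyKey -Name $kv.Key -Value $kv.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage: audit first; uncomment the second line in a lab to apply a
# 30-day feature update / 7-day quality update deferral.
(Get-UpdateMechanism).Mechanism
# Set-WufbDeferral -FeatureDays 30 -QualityDays 7
```

The audit is read-only and safe to run on any managed device; the setter is for a lab or a one-off check, because anything written locally to the policy key is overwritten at the next Group Policy or MDM refresh. The ranges enforced by Set-WufbDeferral (0 to 365 days for feature updates, 0 to 30 days for quality updates) are the limits Windows accepts for those deferral policies, so an out-of-range request fails on the parameter rather than producing a value the client silently ignores.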
Based on direct customer feedback, Microsoft continues to invest in new capabilities and features to make Windows Update for Business an enterprise-friendly solution from a granular management perspective. Windows Update for Business can be configured using several different options, among them Active Directory Group Policy Objects, Microsoft Intune, and Microsoft Endpoint Configuration Manager.

Group Policy Objects

IT pros can manage Windows Update for Business using Group Policy Objects in Active Directory. The Windows Update for Business policies are found under Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business. Different policies are used to defer quality updates and feature updates. The "Select when Preview Builds and Feature Updates are received" policy defines the update channel and deferral period for preview builds and feature updates. Similarly, the "Select when Quality Updates are received" policy determines when quality updates are received.

Windows Insider Program for Business

Companies can also manage joining the Windows Insider Program through the "Manage preview builds" policy.

Microsoft Endpoint Configuration Manager

Configuration Manager is another option for creating and deploying Windows Update for Business policies. Under Software Library\Overview, you'll find the Windows 10 Servicing node, where servicing plans and updates for Windows 10 can be managed. The Windows Update for Business Policies node is also located here. You can create new Windows Update for Business policies by using the task in the ribbon, or by locating Windows Update for Business Policies in the Software Library tree, right-clicking, and selecting "Create Windows Update for Business Policy Wizard". In the wizard, your first step is to specify a name and description for the policy. You can then set deferral policies for feature updates and quality updates, choose whether to install updates for other Microsoft products, and choose whether to include drivers with Windows Update.

After you create policies for Windows Update for Business, they can be deployed to collections within the Configuration Manager environment just like any other policy. When the policy is deployed, the endpoint is configured during maintenance windows unless you select "Allow remediation outside the maintenance window" in the Deploy Windows Update for Business Policy wizard. The deployed policy is listed in the Configurations tab of the Configuration Manager client agent, and the device is evaluated and remediated according to the deployment configuration for the policy.

Microsoft Intune

Windows Update for Business can also be managed through Microsoft Intune without any on-premises infrastructure components. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune integrates with Microsoft Azure Active Directory, and it can be used as a stand-alone cloud service or for co-management with Configuration Manager. You configure updates and create Windows 10 update deployment rings through the Software updates node in the Microsoft Intune dashboard.

In Intune, creating update rings is a four-step process:

1. Basics: name the ring and provide a description.
2. Update ring settings: configure the servicing channel, whether to include updates for other products and drivers, and, importantly, the deferral settings for quality and feature updates. You can also manage the user experience by defining active hours, restart checks, the ability to pause updates, and automatic update behavior settings.
3. Assignments: assign the ring to a group of devices.
4. Review: review and apply the update ring settings you have created.

When users review Windows Update settings on a managed device, they see a clear indication that some settings are managed by the organization. Users can also view the policies for optional and required updates: selecting View configured update policies from the Windows Update settings screen shows the details of the update policies applied to the device. Some of the many policies administrators can define for Windows Update for Business include "Branch readiness level", "Quality update deferral period", and "Feature update deferral period".

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager provides the greatest control and flexibility over servicing Windows. Administrators can approve which updates are distributed, which set of devices they should be distributed to, and when these updates should be deployed. It is possible to extend the Microsoft Endpoint Configuration Manager environment to support remote worker scenarios with granular controls through cloud services such as Cloud Attached Management and Co-Management. Let's dig deeper into the different options and components for Configuration Manager and cloud services management scenarios.

Cloud management gateway and cloud distribution points

The cloud management gateway (CMG) and cloud distribution points (CDPs) extend Configuration Manager capabilities to internet-based devices. To learn more, see Plan for the cloud management gateway in Configuration Manager. When managing remote machines, it is important to configure a split-tunnel VPN alongside Configuration Manager. For more information, see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager.

A CMG is managed through Administration\Overview\Cloud Services in the Configuration Manager console. You will find the list of content files for internet-based distribution points and endpoints in Properties, under the Content tab. A CMG is listed as a regular distribution point (DP) in the Configuration Manager hierarchy. IT pros can use a CMG and CDPs to deploy apps and other content to remote endpoints just as they would deploy content to on-premises clients using on-premises DPs. Although a CMG does not block copying of update content, deploying updates through a CMG is not recommended. Instead, internet-based clients should get their updates from the Microsoft Update cloud service, as documented here. A CMG and CDPs can also be used to run task sequences on remote endpoints: content is distributed to CDPs and task sequences are deployed to a collection of remote devices just as they are for on-premises managed clients.

Co-management

When co-management is enabled in Configuration Manager, you can manage workloads for an endpoint by configuring different authorities. Co-management is located under Administration\Overview\Cloud Services in Configuration Manager. You designate policies and configuration settings in the Workloads tab of the co-management properties. For example, when Windows Update policies are managed by Configuration Manager, IT needs to review, approve, and distribute the updates to the distribution points in the Endpoint Manager hierarchy; IT can shift management of these policies to Intune by using the slider.

Summary

During these extraordinary times, in which many organizations have embraced digital transformation in order to position themselves with modern and cloud management, Microsoft is dedicated to helping businesses of all sizes succeed. The global pandemic has forced many organizations to embrace new solutions and endpoint management approaches in order to keep remote workers safe, secure, and productive while maintaining compliance with company policies. Microsoft will continue to evolve endpoint management solutions to address the challenges IT pros experience, simplify processes, and ensure success.

Additional resources

- For more details on how Windows Update works with different types of updates, see Get started with Windows Update.
- For more information on split-tunnel VPN, see How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure. You can check your network configuration using the Office 365 Network Onboarding tool to validate your split-tunnel configuration.
- To learn more about Windows Update for Business, visit What is Windows Update for Business?
- For more about optimizing Windows Update, see Optimize Windows monthly update deployment for remote devices.
- For more information on deploying Windows 10 remotely, see Deploying a new version of Windows 10 in a remote world.
- For more on managing quality updates and Patch Tuesday, visit Managing Patch Tuesday with Configuration Manager in a remote work world.

Provision Windows devices from anywhere to support a mobile workforce
In this, our second chapter of the Enabling Remote Work for IT Pros web series, we focus on practical tips to help you effectively provision Windows devices from anywhere. We walk through a variety of strategies, from simple to complex, to help you better understand how to leverage Azure AD Join with Microsoft Intune, or Configuration Manager co-management and task sequences. We then present you with a clear list of the steps you can take now, start soon, or work on in the future.

Learn more

Here are links to the resources mentioned in this session:

- Automatic MDM enrollment
- Using Windows Hello for Business to Access On-Premises Resources
- Enable Kerberos
- Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Frequently asked questions

Q: For Hybrid Azure AD join, if we have line of sight to the domain controller, is the Intune connector required?
A: Yes, it's what gathers an offline domain join blob from your domain controller.

Q: Is there a way to define the complete computer name for devices provisioned via Windows Autopilot?
A: For Azure AD Join devices, yes, there is a Graph API. For Hybrid Azure AD devices, no, there is only the ability to prefix something onto the name.

Q: Is there a list of supported VPN clients?
A: We don't have a supported list because we don't support the configuration of third-party VPN clients. Customers will need to determine whether their VPN works in this scenario. The real question to ask is: does your VPN support pre-logon/start-before-logon authentication, or some form of Always On VPN (AOVPN)? If so, it will work. These are some of the VPN providers we expect to work:

- Cisco AnyConnect (Win32 client): "Start before Logon"
- Pulse Secure (Win32 client): "Credential Provider"
- GlobalProtect (Win32 client): "Pre-logon"
- Checkpoint (Win32 client): "Auto Connect/Always Connected"
- Citrix NetScaler (Win32 client): "Always on"
- SonicWall (Win32 client): "NetExtender on Startup"

Note: We do not document or support how you configure your VPN, as it is a third-party configuration.

Q: Is there a way to get a device enrolled in Windows Autopilot remotely?
A: The only way is if it's currently managed through Intune. You can assign a Windows Autopilot profile with the "Convert devices to Autopilot" option enabled, and the hardware hash will be automatically harvested at the next check-in.

Q: Are there any alternatives to enroll multiple devices, already deployed, besides Windows Autopilot and bulk enrollment using provisioning package files (PPKG)?
A: All of the possibilities are documented here: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

Q: Is there a way to use White Glove deployment with standard applications without pre-assigning the device to a particular user?
A: If you target your applications to devices, then you don't need to. If the apps are assigned to users, then you need to assign a user.

Q: Are we able to deploy provisioning package files through Intune?
A: No, this is not currently supported.

Cloud attach and Microsoft Endpoint Manager
Today we take an in-depth look at Cloud Attach and Microsoft Endpoint Manager, as modern management becomes increasingly crucial. After a quick overview of cloud attach, we dive into the phases of cloud attach and finally tenant attach. This session is packed with valuable information, including prerequisites, licensing information, dashboards and more.

Frequently asked questions

Q: Is co-managed the same as cloud attach?
A: Co-management means a device is fully managed by both Configuration Manager and Microsoft Intune, with explicit admin intent on which workload is managed by Configuration Manager and which by Intune. Cloud attach refers to Configuration Manager-only managed devices that show up in the cloud portal.

Q: When you enable co-management in the wizard, the Microsoft docs state that a Global Admin account is required to log in. Is that really the case, or can we use an Intune-licensed account that has the Intune Administrator role?
A: Yes, the Global Admin account is required. There are a couple of specific Azure AD objects (app registrations, to be specific) that are created and require this.

Q: What has changed or been added/improved with Microsoft Endpoint Manager since Ignite 2019?
A: Keep in mind that Intune and Configuration Manager, while becoming more integrated, are still two separate entities with different release schedules. Intune releases new functionality every month, while Configuration Manager releases new functionality approximately every four months. For Intune, see What's new in Microsoft Intune, and for Configuration Manager see What's new in Configuration Manager.

Q: Should I start cloud attach without a cloud management gateway first and then add it later if I need it?
A: You could go this route. Attaching to the cloud allows your devices to take advantage of cloud features; a CMG allows Configuration Manager to manage your devices directly over the internet.

Q: I have a CSP sandbox tenant where creating VMs in Azure is not allowed. This is a permanent testing environment. Can I still populate the CMG there, or will that also be forbidden?
A: Unfortunately, CSP-based subscriptions do not support CMG. You need a separate non-CSP subscription to support CMG. This is documented in the Azure Resource Manager section of the article "Plan for the cloud management gateway in Configuration Manager" (see the note).

Q: Should Azure AD sync be what onboards the co-management? Or the Configuration Manager client?
A: Azure AD Connect syncs identities, so that is required to enable your devices to be hybrid Azure AD joined. Once your devices have a cloud identity (they are hybrid Azure AD joined), Configuration Manager will coordinate the enrollment into Intune, based on your co-management settings in the Configuration Manager console.

Cloud management gateway deep dive
Following up on last week's episode, Cloud management gateway: what you need to know & what’s next, today we're taking an in-depth look at the cloud management gateway and offering general CMG enablement guidelines as well as tips on how to reduce reliance on VPN. We'll also provide some immediate next steps you can take to design a CMG plan for your Configuration Manager environment.

Learn more

Here are links to the resources mentioned in this session:

- Cloud management gateway: what you need to know & what’s next
- Cloud management gateway: addressing common challenges
- Client to cloud distribution point
- Configure Windows Update content to pull from Microsoft
- Configure boundary groups
- Deploy co-management
- Windows Servicing
- Deploy cloud management gateway & Cloud Distribution Point
- Managing remote machines with CMG
- CMG prerequisites
- Azure services
- Plan for the cloud management gateway in Configuration Manager
- Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
- Prefer cloud distribution points over distribution points
- Configure Azure services for use with Configuration Manager
- Security and privacy for the cloud management gateway
- Internet access requirements
- Certificates for the cloud management gateway
- Token based authentication for cloud management gateway (2002)

Frequently asked questions

Q: What is the minimum version of Configuration Manager that is required to utilize the cloud management gateway?
A: The CMG role is supported in all currently supported versions of Configuration Manager Current Branch (CB). Currently, that is version 1810 and later. If you're on a version of Configuration Manager older than 1810, you are running an unsupported version of Configuration Manager CB.

Q: What is the connectivity requirement between the CMG and the on-premises site server? We have a single primary server in South Africa and want to build CMGs in Europe and Latin America. Would that work over busy WAN links?
A: The CMG communicates with on-premises infrastructure through the CMG connection point that is installed at the site level. We use a level of filtering to make sure CMG traffic for a primary site goes to the connection point for that site. Those connection points make outbound connections to the CMG, so there is no inbound traffic requirement: connectivity requirements are outbound only. For more details, check out Ports and data flow.

Q: Our VPN only supports split tunneling via IP addresses, not fully qualified domain names (FQDNs). What is the suggestion around this, given that Microsoft doesn't publish IP addresses for software updates?
A: Windows Update relies on multiple CDN partners. If you have a hard requirement, we recommend leveraging the CMG to store the content in your Azure subscription and then pointing to the Azure IP ranges. Take a look at the recent blog post from Rob York for more information.

Q: Is there a good resource for configuring split tunneling with Windows Update for Business/Microsoft Update?
A: Yes: Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Does "Configure Windows Update content to pull from Microsoft" require Windows Update for Business and the Windows Update co-management workload slider to be set to Intune for co-managed clients?
A: No, it doesn't.

Q: Can we control what content (packages/apps) we want to sync to the cloud DP?
A: Yes, you distribute content to the CMG/cloud DP just as you would to any other distribution point in your infrastructure.

Q: What will be the cost of using a cloud DP per GB of data?
A: For insight into the costs related to CMG usage, see the Cost section of Plan for the cloud management gateway in Configuration Manager.

Q: Can Microsoft provide a list of IP address ranges (not URLs) to split out?
A: For guidance around this, see Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Do we have a way to report, on a per-client basis, who is downloading what from the CMG and Windows Update for billing purposes?
A: It doesn't show Windows Update, but it does show the CMG. See Monitor cloud management gateway for more details.

Q: Would Microsoft suggest altering or adjusting BITS client settings at all to control software updates across VPN?
A: If you need to reduce pressure on the VPN, then yes, that's one way to throttle the traffic. Low Extra Delay Background Transport (LEDBAT) is another option.

Q: What if internet-based client management (IBCM) is currently being used and a CMG is set up? Does that conflict; does IBCM need to be removed?
A: No, there is no conflict. Similar to having two management points (MPs) or two distribution points (DPs), clients will randomly choose between the two if both are configured for a single site. We would recommend moving to the CMG if possible. It requires no ports to be opened from the CMG to the site server (the CMG connection point reaches out). For IBCM, the MP needs to be able to reach into the environment.

Q: Do you need CMG connection points for secondary sites?
A: No, secondary sites have no part in a CMG.

Cloud management gateway: what you need to know & what’s next
Today, as part of our Remote Work for IT pros series, I'm bringing in two amazing experts from Microsoft’s Customer Acceleration Team: Danny Guillory and Jason Sandys. Danny and Jason work with customers daily and are passionate about sharing key learnings to empower IT pros during these uncertain times. Together, they'll walk you through some simple things you can do to sidestep potential issues as you enable the cloud management gateway to manage your Configuration Manager clients on the internet, along with some highlights on what to do next. Make sure to check out the timestamps at the beginning of the video to jump to the content most valuable for your scenario.

Managing quality updates via Windows Update for Business
Managing quality updates via Windows Update for Business
In this chapter of our Remote Work for IT pros series, we take a look at how to manage quality updates using Windows Update for Business. Customers are at different stages and use different services, whether Microsoft Intune, Configuration Manager or Group Policy, and we want to ensure our IT pro community is equipped with options and resources to keep updates on track and give end users the best experience possible. A brief overview of Windows Update for Business is covered, along with live demos of different environments to walk through how you can set them up and take action today or in the future.
Learn more
Here are links to the resources mentioned in this session:
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Windows Update for Business documentation
Manage Windows 10 software updates in Intune
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work
Frequently asked questions
Q: Can Windows Update for Business be used to manage server endpoints for patching? If so, is it only Server 2016 or higher? What about Server 2012 R2? Or is this only for Windows 10 endpoints?
A: Windows Update for Business settings can be used on Server 2016 and higher. For more information, see Configure Windows Update for Business.
Q: If we want to use a task sequence to install a feature update, is there a way to not offer (rather than pause) feature updates through Windows Update?
A: Yes. If you set the target release version in Intune to match the OS version the device is already on, the device will not be offered a newer feature update until you change that target.
To do this, enable co-management in Configuration Manager and move the Windows Update policies workload to Intune, then configure the feature update policy so the device stays on its current version; quality updates and drivers will continue to flow from Intune.
Q: How does Windows Update for Business compare to Unified Update Platform?
A: Windows Update for Business is a set of policies on top of the delivery channel. For Windows 10, Windows Update gets content from both the Microsoft Update and UUP channels. UUP aims to shrink the size of updates, while Windows Update for Business is intended to tailor the experience of Windows Update on devices you manage. For more information, see Introducing Unified Update Platform (UUP).
Q: Can we configure policy per quality update?
A: Deferral is possible at the feature update or quality update level. It is not specific to one particular quality update but rather applies to all quality updates at this time.
Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!
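To make the feature update pin in the answer above concrete, here is an added example (mine, not from the session) that reads the Windows Update for Business policy a device has actually received, from both the MDM (Intune) and Group Policy locations, and reports whether feature updates are pinned to the current release, deferred or paused. The two registry paths and the value names are the documented Windows Update policy keys and the Update CSP's PolicyManager location; the function names and the '20H2' example value are my assumptions. The optional pin-writing function is for a lab client only.

```powershell
# Added example (not from the original post): report the effective Windows
# Update for Business (WUfB) policy on a device and whether the feature
# update is pinned to the release the device is already on.
# Paths and value names are the documented WUfB policy keys (Group Policy)
# and the Update CSP's PolicyManager location (Intune/MDM). Function names
# are assumptions. Run elevated.

$PolicySources = [ordered]@{
    MDM         = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # Intune / Update CSP
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'         # GPO or local policy
}

function Get-CurrentRelease {
    $os = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion ("20H2") exists from 20H2 on; older builds only expose ReleaseId ("2004").
    # TargetReleaseVersionInfo uses the same naming, so prefer DisplayVersion when present.
    if ($os.DisplayVersion) { $os.DisplayVersion } else { $os.ReleaseId }
}

function Get-WufbState {
    # Emits one object per policy source that exists on the device.
    $current = Get-CurrentRelease
    foreach ($source in $PolicySources.Keys) {
        $path = $PolicySources[$source]
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        $target = if ($p.TargetReleaseVersion -eq 1) { $p.TargetReleaseVersionInfo } else { $null }
        [pscustomobject]@{
            Source                    = $source
            CurrentRelease            = $current
            TargetRelease             = $target
            # Pinned to the release it is on: no newer feature update is offered,
            # quality updates and drivers still flow.
            FeatureUpdatePinned       = ($null -ne $target -and $target -eq $current)
            FeatureDeferralDays       = $p.DeferFeatureUpdatesPeriodInDays
            QualityDeferralDays       = $p.DeferQualityUpdatesPeriodInDays
            FeatureUpdatesPausedSince = $p.PauseFeatureUpdatesStartTime
            QualityUpdatesPausedSince = $p.PauseQualityUpdatesStartTime
        }
    }
}

function Set-WufbTargetReleaseLocal {
    # Local-policy equivalent of the Intune feature update pin, for a lab client only.
    # On Intune-managed devices set the pin in the Windows 10 feature updates policy;
    # a local value here would conflict with what MDM delivers.
    param([Parameter(Mandatory)][string]$Version)   # e.g. '20H2' (assumed example value)
    $gp = $PolicySources['GroupPolicy']
    if (-not (Test-Path $gp)) { New-Item -Path $gp -Force | Out-Null }
    New-ItemProperty -Path $gp -Name TargetReleaseVersion     -Value 1        -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $gp -Name TargetReleaseVersionInfo -Value $Version -PropertyType String -Force | Out-Null
}

# Show what the device currently honours, per source.
Get-WufbState | Format-List
```

If Get-WufbState returns both an MDM and a GroupPolicy object with different targets or deferrals, that is the usual reason a co-managed device ignores its Intune update ring: a lingering GPO. Confirm that the Windows Update policies workload is assigned to Intune in co-management and, where needed, set the ControlPolicyConflict/MDMWinsOverGP policy so the MDM values win.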
Reimagining IT to support the hybrid workforce: five months later
As I sit here in my home office, eight months into this new normal…wait, check that, that's how I started the first in this series of blogs on Reimagining IT to support the hybrid workforce…five months ago. I have to admit that, as remote work scenarios have evolved, it would be a disservice if I didn't discuss how things have changed when it comes to supporting a hybrid workforce, or even my own remote work situation. Like many of you, I thought my remote work situation was temporary. I set up a makeshift office in my bonus room, which is now a permanent fixture. I thought I had a good work-life balance that included plans to get off the laptop periodically, but it just wasn't enough. After five months of working from home, it was also evident that I was getting a little too sedentary, which caused some back issues. Fast forward to today. I now have a standing desk, something which I recently discovered, thanks to a team all-hands meeting, is a hot topic of discussion and has become the norm for many. I'm forcing myself to get outside on a more regular basis. I've also turned my dining room into a recording studio for the various presentations and sessions I deliver on a regular basis.
In my first blog, I outlined Microsoft's internal business continuity framework, with its first two phases focused on "react" and "recover." Based on customer engagements and conversations over the last three months, I can see that many organizations are starting to enter the final phase of the framework, or what we call "re-imagining IT." I've received a lot of requests from customers to help address specific pain points, around patching and updating Windows, for example. From a timing perspective, I believe our first virtual Microsoft Ignite was a factor in organizations starting the process of moving into that final phase, given all the announcements and discussions around embracing the hybrid workforce of the future.
While Microsoft Ignite was a fantastic forum for new announcements, and there were many, each session was very solution-centric. I didn't see anything pulling together a holistic and strategic discussion on supporting the hybrid workforce. With that in mind, my focus here will be on pulling together that holistic vision alongside recent announcements and new resources. Below you will find a high-level architectural view of how I see IT re-imagined, and of progress on the move towards cloud and modern management to support the hybrid workforce, which is what we're doing today here at Microsoft.
As a recap, whether it is an on-premises or remote worker endpoint, the goal is to keep devices in your organization safe, secure, and productive with minimal user impact. To achieve that goal, IT organizations need:
Efficiency and a regular rhythm when applying drivers and firmware
Rhythm when deploying quality updates and OS feature updates
Management and protection controls for data at rest and in transit
Efficient access to Office, productivity tools, and updates
Hands-off provisioning of hardware for remote workers and even on-site users
Secure browser access with Microsoft Edge (https://blogs.windows.com/windowsexperience/2020/09/22/whats-new-in-web-experiences-ignite-2020-need-to-secure-your-remote-workers-choose-microsoft-edge-as-your-browser-for-business/?ocid=FY21_soc_omc_br_tw_Edge_security)
Prioritization of security and compliance
Management of line-of-business (LOB) and other applications, including secure connectivity for mobile iOS and Android devices
The foundation and success of this cloud and modern approach hinges on a zero-trust network and split tunnel capability that directs mission-critical business traffic via VPN while pushing all other non-essential traffic directly to the internet, including Office and Windows updates coming from the Microsoft infrastructure, network, and CDNs.
A recent blog on the Microsoft 365 connectivity principles does a great job of outlining this recommended approach to split tunneling, while https://www.microsoft.com/en-us/itshowcase/transitioning-to-modern-access-architecture-with-zero-trust and https://www.microsoft.com/en-us/security/business/zero-trust can assist companies in adopting the concept. Securing devices is certainly at the core, but it is also inclusive of securing and protecting users and their identities (https://www.microsoft.com/security/blog/2020/09/22/microsoft-identity-ignite-rising-challenges-secure-remote-access-employee-productivity/). Hot off the presses from Ignite, we also announced the Microsoft Tunnel Gateway, which closes the gap around secure LOB connectivity from your iOS and Android devices. While addressing the security topic, check out the latest release of the Defense Report (https://www.microsoft.com/en-us/download/details.aspx?id=101738), which outlines the latest threat intelligence and guidance, with a special section dedicated to securing the remote worker and endpoints. With the security architecture in place, it covers the need to protect your company's IP and data while in transit and at rest, assuming Microsoft Defender ATP antivirus capabilities (https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection?elevate-lv&_lrsc=f626206a-fe85-4077-8108-e39909195a41) and a hearty endpoint DLP policy (https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-worldwide&WT.mc_id=linkedin) are in place on the endpoint. As the Defense Report calls out, it's important to realize that as company data is being stored off premises, heightened awareness of endpoints is critical. I also recommend leveraging the security baselines that are published with every Windows 10 update and other solution releases, to ensure that as each release is deployed your policies either stay in place or are extended with settings for the new features and capabilities.
Further, leverage Microsoft compliance solutions (https://www.microsoft.com/security/blog/2020/09/22/enable-secure-remote-work-address-regulations-microsoft-compliance/#.X2o2A2n3TjE.linkedin) to ensure security and compliance requirements are met within SLAs across the application portfolio. Update Compliance (https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) also gives you insight into our safeguard holds (https://docs.microsoft.com/windows/deployment/update/safeguard-holds), so you can see which devices are being held back from a feature update because of a known issue that would otherwise cause the update to fail, and minimize user impact accordingly. The other benefit of deploying an automatic VPN profile (https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile?elevate-lv&_lrsc=b75faebe-8f05-4ba2-a1bf-8000bc6a748e) is that it gives you the flexibility to use a number of different update solutions, whether Windows Update, Microsoft Intune (https://docs.microsoft.com/mem/intune/), Windows Update for Business (https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb), or a combination of solutions that meets your needs and requirements. Microsoft 365 VPN split tunneling (https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel?view=o365-worldwide) offers the same benefits for Office traffic as for Windows, and still allows some configuration flexibility to meet your requirements. In addition, by using Windows Update to manage Microsoft Edge browser updates, you can bypass the corporate VPN and pull those updates directly from the internet as well.
Making the move to the cloud
Now that we've discussed the security architecture (see the CISO Workshop, https://docs.microsoft.com/security/ciso-workshop/ciso-workshop), and one that can minimize bandwidth impacts on a corporate VPN solution, let's look deeper at a model of modern and cloud management capabilities that allows everything to be managed on a remote endpoint.
A good reference model would be our own internal IT approach to endpoint management, as shown here:
Internally, it starts with Microsoft Endpoint Manager (https://docs.microsoft.com/mem/endpoint-manager-overview). Microsoft Endpoint Manager brings the concept of a single pane of glass for management to life. Not only does it fully integrate with your on-premises deployment of Configuration Manager, so you can continue to use it to manage on-premises devices if you so choose, it also fully integrates with Intune for remote worker endpoint scenarios. Further, while it provides management capabilities, it also becomes the all-important dashboard to help drive compliance, as well as provide endpoint data that lets you make data-driven decisions around improving device productivity via Endpoint analytics, and device health and upgrade readiness via Desktop Analytics (https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview), and more. With Microsoft Endpoint Manager, you can then start managing remote worker scenarios and endpoints via Intune (https://docs.microsoft.com/mem/intune/) as long as the devices are Azure AD joined (or hybrid Azure AD joined, in the co-managed case). In our scenario, we manage Windows 10 devices with Microsoft Intune (https://www.microsoft.com/en-us/itshowcase/managing-windows-10-devices-with-microsoft-intune) but use Windows Update for Business (https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to keep those devices up to date (https://www.microsoft.com/en-us/itshowcase/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business?elevate-lv&_lrsc=e34703f9-9a44-4854-952d-257ccb9ba332), with everything still managed via Microsoft Endpoint Manager. This configuration keeps all the update traffic internet-centric and pulls the content directly from the Microsoft content delivery network (CDN), eliminating any impact on the corporate VPN. As a side note, feature updates do not include Windows 10 optional content such as Features on Demand (FODs), language packs (LPs), or Local Experience Packs (LXPs).
To address that need, a great post on Acquiring optional content was recently published that includes a highly comprehensive guide and how-to. The overall goal of this process is to ensure compliance and keep users and their devices as secure and productive as possible. This requires setting up Windows Update for Business and optimizing updates in order to achieve those goals during any deployment to remote workers. In the near future, we should see further improvements that support deployments with greater granularity.
This defined approach is great for supporting existing endpoints that are already part of the estate. What it doesn't do is address one of the biggest challenges of managing and supporting the hybrid workforce: the hands-off provisioning and deployment of newly purchased devices. Having said that, the foundation for supporting Windows Autopilot (https://docs.microsoft.com/mem/autopilot/windows-autopilot) is already in place via Microsoft Endpoint Manager, Intune and Azure AD. Windows Autopilot is exactly how we here at Microsoft handle Windows 10 deployment for newly purchased devices (https://www.microsoft.com/itshowcase/blog/autopilot-speeds-up-windows-10-image-deployment-inside-microsoft/?_lrsc=a022715f-934b-4aec-82a9-dba6226ede8b). Devices are purchased and shipped directly to end users, who connect to the internet, sign in to the machine, and are fully functional in roughly 10 minutes without any intervention from IT. Certainly, keeping the device footprint light and primarily pushing down policy improves the user experience, so the balance becomes a decision on how many applications you may or may not want to include as part of the process. More apps mean more data to be pushed, and the greater the impact on getting users into a productive state. This segues into the application deployment discussion and the challenge of how you deploy LOB applications and manage updates to them.
In many ways it boils down to approach: you can use a push model or an end-user pull model. The push model is certainly one that's supported by the aforementioned architecture, anchoring on Intune as the deployment mechanism. At the enterprise SKU level, Intune supports a broad array of Windows 10 app types (https://docs.microsoft.com/mem/intune/apps/apps-windows-10-app-deploy) that organizations can package up and push to remote worker endpoints efficiently, with the newer MSIX (https://docs.microsoft.com/windows/msix/) packaging format being the recommended approach for Windows based on its flexibility. Because Intune also supports Android and iOS devices, you can deploy LOB applications to mobile devices as well, using each platform's native package format. If you layer in the previously mentioned Microsoft Tunnel (https://docs.microsoft.com/mem/intune/protect/microsoft-tunnel-overview), you can also provide secure mobile connectivity to those LOB applications. For the pull model, organizations have a number of options for users to pull applications, including Microsoft Store for Business (https://docs.microsoft.com/mem/intune/apps/windows-store-for-business), a company-supported portal that is externally facing. From my perspective, I would consider avoiding local application deployment in the remote worker scenario and instead leverage Windows Virtual Desktop (https://docs.microsoft.com/azure/virtual-desktop/overview) as the most secure, robust and scalable approach, one that gives LOB application owners 100% control of delivery and support of applications in Windows Virtual Desktop, including secure delivery and protection of data at rest and in transit.
Optimizing delivery mechanisms
With the technology foundation and architecture discussion under our belts, there is one final topic in supporting the hybrid workforce, and it is probably the most important: optimizing the deployment of Windows updates (see https://www.microsoft.com/en-us/download/details.aspx?id=101056).
This goes beyond the technology necessary to drive deployment success and covers other critical pieces of information you need to consider in the process. The first piece is to understand the best practices and the Microsoft-recommended policy settings, and how those recommendations change from one feature update to the next. These are all outlined in the guidance at https://www.microsoft.com/en-us/download/details.aspx?id=101056, which, like the security baselines, represents a set of tools and guidelines that assist you in making important policy decisions so that deployments are optimized to their fullest. Next, applying the tools and guidelines for optimizing both feature updates and quality updates ensures efficient delivery of the bits, minimizes bandwidth impact, and provides the best user experience. It is also important for anyone in the position of deploying Windows updates to be fully educated, via the Windows 10 release notes, on any issues Microsoft has surfaced in the normal course of servicing more than one billion devices worldwide. Finally, use the Video Hub for technical deep dives on all of the aforementioned technology by filtering on your solution area of interest.
Conclusion
In closing, I hope this helps tie all of our solutions and services together into a cohesive storyline that provides you with that longer term, more strategic, and holistic picture of what it takes to "re-imagine IT" support for the hybrid workforce. At the end of the day, it's all about embracing digital transformation in order to move towards cloud and modern management. This is not a technology discussion, given that I believe this post shows the technology is viable, but instead a cultural paradigm shift for many organizations, with the current situation serving as a forcing function.
Use the time to explore new opportunities in your estate that unlock new ways of servicing your remote endpoints, and drive change in your organization that embraces service management maturity for the hybrid workforce, as it appears to be the new normal moving forward.
Using Configuration Manager? Enable support for remote workers with co-management
The global health crisis has made many businesses look for 'easy wins' in the cloud to complement their existing device management infrastructure. Configuration Manager and Microsoft Intune are now part of a single solution called Microsoft Endpoint Manager, and what this means for businesses using on-premises Configuration Manager is that they can use Microsoft Intune cloud services to co-manage Windows 10 devices without additional licensing costs. Co-management may be an attractive technology for devices managed by Configuration Manager that will no longer be on-premises. By current expert estimates, the COVID-19 pandemic may result in people working from home for weeks, and their PCs may not "check in" to the corporate network. Previous articles in this series discussed some ideas to enable personal PCs and pre-provision new business PCs for remote users. Now let's talk about how you can manage work devices being used remotely to maintain their health and security using Configuration Manager and the Microsoft cloud. Check out our latest guidance here
Adapting your patch management strategy to update remote devices
The Microsoft Endpoint Manager team has published some tips to help you successfully deploy updates, like those released monthly as part of Update Tuesday, to managed devices that are no longer on premises and are connecting via VPN over home broadband networks. Check out the blog post here: Managing Patch Tuesday with Configuration Manager in a remote work world