Securing Windows devices away from the corporate network


During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.



Learn more

Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.


While not mentioned specifically in this session, here are some additional resources you might find helpful:

Frequently asked questions

Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)?

A: We are seeing customers move all Internet traffic away from VPN and that's what we do internally as well. There are a couple of resources on this for WSUS (see 2.1.1) and Windows Update.


Q: Are there instructions to shift Office updates from Configuration Manager to the cloud? 

A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.


Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?

A: Here are some resources that are available on the topic:


Q: Do you have any formal statements endorsing Split-Tunnel VPN?

A: Statement below from: Split tunneling

"Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default."
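
The split-tunnel behavior in the statement above, as an added PowerShell example that is not from the original post or the documentation it cites: it enables split tunneling on a built-in Windows VPN profile, adds corporate routes, and checks which interface the routing table picks for a corporate and an Internet address. The profile name, prefixes and test addresses are constructed placeholders, and a user-scope profile is assumed.

```powershell
# Added example. All names and addresses below are constructed placeholders.
$ProfileName  = 'Corp VPN (example)'               # assumed user-scope VPN profile
$CorpPrefixes = @('10.0.0.0/8', '172.16.0.0/12')   # assumed corporate ranges
$TestTargets  = @('10.1.2.3', '203.0.113.10')      # one corporate, one Internet (TEST-NET-3)

$vpn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop

# A force-tunnel profile sends all traffic, including update downloads, through the VPN.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ProfileName -SplitTunneling $true
}

# With split tunneling on, only prefixes attached to the profile are routed into the tunnel.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $CorpPrefixes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ProfileName -DestinationPrefix $prefix
    }
}

# Report the resulting profile settings.
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, SplitTunneling,
        @{ Name = 'TunnelPrefixes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }

# Run while the VPN is connected: profile routes are only plumbed at connect time.
# Find-NetRoute returns a source-address object and a route object; keep the route.
foreach ($ip in $TestTargets) {
    $route = Find-NetRoute -RemoteIPAddress $ip |
        Where-Object { $_.DestinationPrefix } |
        Select-Object -First 1
    [pscustomobject]@{
        Destination   = $ip
        MatchedPrefix = $route.DestinationPrefix
        Interface     = $route.InterfaceAlias
        # Assumption: the tunnel interface alias equals the VPN profile name.
        ViaTunnel     = ($route.InterfaceAlias -eq $ProfileName)
    }
}
```

On a correctly split profile, the corporate address reports `ViaTunnel = True` and the Internet address reports `False`; both reporting `True` indicates the profile is still force-tunneling.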


Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?

A: Refer to the Configuration Manager documentation here:


Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?

A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP. Specifically, the Endpoint Detection and Response (EDR) component.


We hope you find this first session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!


