User Profile
Rachelle_Blanchard
Microsoft
Joined 5 years ago
Recent Discussions
Managing quality updates via Windows Update for Business
In this chapter of our Remote Work for IT pros series, we take a look at how to manage quality updates using Windows Update for Business. Customers are at different stages, leveraging different services, whether through Microsoft Intune, Configuration Manager or Group Policy, and we want to ensure our IT pro community is equipped with options and resources to keep updates on track and give end users the best experience possible. A brief overview of Windows Update for Business is covered, along with live demos of different environments to walk through how you can set them up and take action today or in the future.

Learn more
Here are links to the resources mentioned in this session:
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Windows Update for Business documentation
Manage Windows 10 software updates in Intune
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: Can Windows Update for Business be used to manage server endpoints for patching? If so, is it only Server 2016 or higher? What about Server 2012 R2? Or is this only for Windows 10 endpoints?
A: Windows Update for Business settings can be used on Server 2016 and higher. For more information, see Configure Windows Update for Business.
Q: If we want to use a task sequence to install a feature update, is there a way to not offer (rather than pause) feature updates through Windows Update?
A: Yes. If you set a target update to match the current OS version the device is on in Intune, it will essentially pause the update. In order to do this, you need to enable co-management in Configuration Manager, then configure the feature update so it essentially stays put; quality updates and drivers will then flow from Intune.
Q: How does Windows Update for Business compare to Unified Update Platform?
A: Windows Update for Business is a set of policies on top of the delivery channel. For Windows 10, Windows Update gets content from both the Microsoft Update and UUP channels. UUP aims to shrink the size of updates, while Windows Update for Business is intended to tailor the experience of Windows Update on devices you manage. For more information, see Introducing Unified Update Platform (UUP).
Q: Can we configure policy per quality update?
A: The deferral is possible at the feature update or quality update level. It is not specific to one particular quality update but rather all the quality updates at this time.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Cloud attach and Microsoft Endpoint Manager
Today we take an in-depth look at Cloud Attach and Microsoft Endpoint Manager, as modern management becomes increasingly crucial. After a quick overview of cloud attach, we dive into the phases of cloud attach and finally tenant attach. This session is packed with valuable information including prerequisites, licensing information, dashboards and more.

Learn more
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: Is co-managed the same as cloud attach?
A: Co-management is fully managed by both Configuration Manager and Microsoft Intune, with explicit admin intent on which workload is managed by either Configuration Manager or Intune. Cloud attach is Configuration Manager-only managed devices that show up in the cloud portal.
Q: When you enable co-management in the wizard, the Microsoft docs state that a Global Admin account is required to log in. Is that really the case, or can we use an Intune-licensed account that has the Intune Administrator role?
A: Yes, the Global Admin account is required. There are a couple of specific Azure AD objects that are created (app registrations, to be specific) that require this.
Q: What has changed or been added/improved with Microsoft Endpoint Manager since Ignite 2019?
A: Keep in mind that Intune and Configuration Manager, while becoming more integrated, are still two separate entities with different release schedules. Intune releases new functionality every month, while Configuration Manager releases new functionality approximately every four months. For Intune, see What's new in Microsoft Intune, and for Configuration Manager see What's new in Configuration Manager.
Q: Should I start Cloud Attach without Cloud Management Gateway first and then do it later if I need?
A: You could go this route. Attaching to the cloud allows your devices to take advantage of cloud features; CMG allows Configuration Manager to manage your devices directly over the internet.
Q: I have a CSP sandbox tenant where creating VMs in Azure is not allowed. This is a permanent testing environment. Can I still populate the CMG there, or will that also be forbidden?
A: Unfortunately, CSP-based subscriptions do not support CMG. You need a separate non-CSP subscription to support CMG. This is documented in the Azure Resource Manager section of the article "Plan for the cloud management gateway in Configuration Manager" (see the note).
Q: Should Azure AD sync be what onboards the co-management? Or the Configuration Manager client?
A: AD Connect syncs identities, so that is required to enable your devices to be hybrid Azure AD joined. Once your devices have a cloud identity (they are hybrid Azure AD joined), Configuration Manager will coordinate the enrollment to Intune, based on your co-management settings in the ConfigMgr console.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Microsoft Secure Hybrid Access: Part 2
In the final chapter of our two-part series on secure hybrid access, we walk through secure hybrid access along with an in-depth look at some key partner integrations, specifically F5, Zscaler, Akamai, and Citrix. If you haven't already, watch part one of this series, which covers Azure AD Application Proxy, then delve into the detailed live demos of our partner integrations and capabilities in this session.

Learn more
Here are links to the resources mentioned in this session:
Azure AD secure hybrid access
Application migration to Azure AD
Application management with Azure AD
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: There used to be a Microsoft Account API that would validate secure authentication for those who are using MSA to be able to log in to my service. Is Azure App Proxy similar to that but for Azure AD?
A: These are generally enterprise applications, mostly on-premises, using header-based or Kerberos authentication, which do not directly support MSA. However, using the Azure B2B service you can enable support for those accounts and use the Azure B2B API to invite users. These users are treated as external guests in Azure AD. More details here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/customize-invitation-api
Q: We are a regulated organization that requires all user traffic to traverse our web proxy. Is there a way to accomplish this via app proxy or one of the partners?
A: Some of our partners, like F5 and Citrix, mostly exist on premises as load balancers handling application traffic. You can use the Azure AD integration to secure application access while your traffic stays internal. Documentation here: https://azure.microsoft.com/en-us/services/active-directory/sso/secure-hybrid-access/. Azure AD Application Proxy fully supports the use of an outbound proxy server. More documentation here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers
Q: Does header-based authentication support all message communication protocols, like SOAP and XML?
A: Header-based is a specific legacy way of authenticating applications, especially popular through BlueCoat and CA SiteMinder; this is to replace and bridge those systems. It has nothing to do with SOAP.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Microsoft Secure Hybrid Access: Part 1
In part one of this two-part series on Secure Hybrid Access, we take an in-depth look at using Azure AD Application Proxy to support remote access scenarios with greater security. With the recent spike in remote work, we want to enable you to support your end users as they access applications still living on the corporate network. As a result, this session walks you through how Azure AD Application Proxy works and looks at some of the accompanying mobile device scenarios.

Learn more
Here are links to the resources mentioned in this session:
How to configure Application Proxy settings for protected browsers
Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory
MCAS brings its real-time CASB controls to on-prem apps!
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: Could this be used with SAP/BPC on prem, where the connection back to on prem comes from an Excel plugin?
A: Application Proxy is primarily meant for browser-based apps or clients that go over HTTP/HTTPS ports. If your Excel data source pulls through port 443, it should work. One thing to test is whether it would work with pre-authentication.
Q: Can Application Proxy be used in place of SSL VPN scenarios, so that based on authentication, further on-prem web apps can be used?
A: Yes, that's the main use case. It is a per-app, pre-authenticated reverse proxy.
Q: If an internal web app based on HTTP has no HTTPS, will the app proxy secure the traffic over the internet routing from on prem back to the user?
A: Yes, external traffic will always be HTTPS; the connector is the thing that will talk to the app without SSL. You also get Azure AD Conditional Access and other Azure AD protections on the external endpoint. In addition to HTTPS, you can layer on MFA and other controls/protections.
Q: In this scenario, can only managed browsers access the internal resources? It's not accessible from other devices?
A: Correct. Your app proxy app is still an enterprise app in Azure AD, so you can apply all Conditional Access policies, including requiring a managed app on mobile OSes. You can apply the same access controls that your VPN concentrator probably has as well.
Q: Is it possible to app proxy a site for PC and not for mobile, outside of blocking the site on mobile? E.g. the site has a full site and a mobile site, or the site does not work properly on one medium but does on another.
A: If you need to block mobile clients, you will need to leverage Conditional Access. Rather than blocking, it might be worth trying to fix them. You can try header/body translation. Responsive design sites detect your platform based on either JavaScript code that probes your resolution or a look at your user-agent string, so the only cases we saw not working well were where the detection happened on the client side in the web app itself. For more information, see Debug Application Proxy application issues.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Cloud management gateway deep dive
Following up on last week's episode, Cloud management gateway: what you need to know & what's next, today we're taking an in-depth look at the cloud management gateway and offering general CMG enablement guidelines as well as tips on how to reduce reliance on VPN. We'll also provide some immediate next steps you can take to design a CMG plan for your Configuration Manager environment.

Learn more
Here are links to the resources mentioned in this session:
Cloud management gateway: what you need to know & what's next
Cloud management gateway: addressing common challenges
Client to cloud distribution point
Configure Windows Update content to pull from Microsoft
Configure boundary groups
Deploy co-management
Windows Servicing
Deploy cloud management gateway & Cloud Distribution Point
Managing remote machines with CMG
CMG prerequisites
Azure services
Plan for the cloud management gateway in Configuration Manager
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Prefer cloud distribution points over distribution points
Configure Azure services for use with Configuration Manager
Security and privacy for the cloud management gateway
Internet access requirements
Certificates for the cloud management gateway
Token based authentication for cloud management gateway (2002)
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: What is the minimum version of Configuration Manager that is required to utilize the cloud management gateway?
A: The CMG role is supported in all currently supported versions of Configuration Manager Current Branch (CB). Currently, that is version 1810+. If you're on a version of Configuration Manager older than 1810, you are running an unsupported version of Configuration Manager CB.
Q: What is the connectivity requirement for the CMG and on-premises site server? We have a single primary server in South Africa and want to build CMGs in Europe and Latin America. Would that work over busy WAN links?
A: The CMG communicates with on-premises through the connector that is installed at the site level. We use a level of filtering to make sure CMG traffic for a primary site goes to the connector for that site. Those connectors make outbound connections to the CMG, so there's no internal traffic requirement. Connectivity requirements are outbound only. For more details, check out Ports and data flow.
Q: Our VPN only supports split tunneling via IP addresses, not fully qualified domain names (FQDNs). What is the suggestion around this, given Microsoft doesn't have IP addresses for software updates?
A: Windows Update relies on multiple CDN partners. If you have a hard requirement, we recommend leveraging the CMG to store the content in your Azure subscription and then pointing to the Azure IP ranges. Take a look at the recent blog post from Rob York for more information.
Q: Is there a good resource to configure split tunneling with Windows Update for Business/Microsoft Update?
A: Yes: Managing Patch Tuesday with Configuration Manager in a remote work world.
Q: Does "Windows Update content to pull from Microsoft" require Windows Update for Business and the Windows Update co-management workload slider to be set to Intune for co-managed clients?
A: No, it doesn't.
Q: Can we control what content (packages/apps) we want to sync to the Cloud DP?
A: Yes, you distribute content to the CMG/Cloud DP just like you would to any other distribution point in your infrastructure.
Q: What will be the cost of using Cloud DP per GB of data?
A: For insight into the costs related to CMG usage, see the Cost section of Plan for the cloud management gateway in Configuration Manager.
Q: Can Microsoft provide a list of IP address ranges (not URLs) to split out?
A: For guidance around this, see Managing Patch Tuesday with Configuration Manager in a remote work world.
Q: Do we have a way to report, on a client basis, who is downloading what from the CMG and Windows Update for billing purposes?
A: It doesn't show Windows Update, but it does show the CMG. See Monitor cloud management gateway for more details.
Q: Would Microsoft suggest altering or adjusting BITS client settings at all to control software updates across VPN?
A: If you need to reduce pressure on the VPN, then yes, that's one way to throttle the traffic. Low Extra Delay Background Transport (LEDBAT) is another option.
Q: What if internet-based client management (IBCM) is currently being used and the CMG is set up? Does that conflict; does IBCM need to be removed?
A: No, there is no conflict. Similar to having two management points (MPs) or two distribution points (DPs), the clients will randomly choose between the two if both are currently configured for a single site. We would recommend moving to the CMG if possible. It requires no ports to be opened from the CMG to the site server (the CMG connection point reaches out). For IBCM, the MP needs to be able to reach into the environment.
Q: Do you need CMG connection points for secondary sites?
A: No, secondary sites have no part in a CMG.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Cloud management gateway: what you need to know & what's next
Today, as part of our Remote Work for IT pros series, I'm bringing in two amazing experts from Microsoft's Customer Acceleration Team – Danny Guillory and Jason Sandys. Danny and Jason work with customers daily and are passionate about sharing key learnings to empower IT pros during these uncertain times. Together, they'll walk you through some simple things you can do to sidestep potential issues as you enable the cloud management gateway to manage your Configuration Manager clients on the internet, along with some highlights on what to do next. Make sure to check out the timestamps at the beginning of the video to jump to the content most valuable for your scenario.

Learn more
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Ensure personal iOS, Android, and Windows devices are configured for security and productivity
Today, as part of our Enabling Remote Work for IT Pros web series, we're showing you the various options you can use to configure personal devices to ensure the security of your corporate data. We walk through questions to consider when looking at different models for iOS, Android, and personal Windows devices, such as Application Protection Policy without enrollment, iOS User Enrollment and Android Enterprise work profile. Extensive resources have been provided below, which are discussed throughout the presentation.

Learn more
Here are links to the resources mentioned in this session:
Deprecation of Device Admin Android management
Create and manage Intune enrollment restrictions
Assign licenses to users to enable Intune enrollment
Compare Windows 10 Home and Windows 10 Pro
Configuration Service Provider (CSP) support matrix

Here are the links to the resources mentioned in the detailed resources portion of the session, by solution:
Application Protection Policy (APP)
  App Protection Policy overview
  Create and assign App Protection Policies (APP)
  Monitor app protection user status
  QuickStart: Create and assign an app protection policy
  Protect Exchange Online email on unmanaged devices
iOS User Enrollment
  Set up iOS/iPadOS User Enrollment
  Get an Apple MDM push certificate
  Create Managed Apple IDs in Apple Business Manager
Android Enterprise Work Profile
  Connect your Intune account to your Managed Google Play account
  Set up enrollment of Android Enterprise work profile devices
  Managed Android work profile devices with Intune
  Enroll your device with Android work profile
Conditional Access
  What is Conditional Access?
  Azure AD Conditional Access documentation
  How to plan your Conditional Access
  Conditional Access: Session Controls
  Building a Conditional Access Policy
  Best Practices
  Require MFA Conditional Access Policy
Microsoft Cloud App Security
  Microsoft Cloud App Security documentation
  What is Cloud App Security?
  MCAS Data Protection Policies
Information Protection
  Manage Information Protection
  Learn more about Sensitivity Labels
Windows Virtual Desktop
  Required reading: Getting started with Windows Virtual Desktop
  PG Sessions and Summary Guidance
    All you need to know about Windows Virtual Desktop | On Demand Webcast
    Resource guide: All you need to know about Windows Virtual Desktop
  YouTube sessions
    Azure Academy Virtual Desktop Series
    Optimizing your applications for Windows Virtual Desktop
    Azure Windows Virtual Desktop Public Preview Walkthrough
    Azure Windows Virtual Desktop FSLogix Profile Management Walkthrough
  Online tutorials
    Tutorial: Create a tenant in Windows Virtual Desktop Preview
    Tutorial: Create service principals and role assignments with PowerShell
    Tutorial: Create a host pool with Azure Marketplace
    Tutorial: Manage app groups for Windows Virtual Desktop Preview
Windows 10 Virtual Desktop Integration (VDI)
  VDI Recommendations
  Optimization scripts from the field are open source on GitHub and also updated for 1909
Windows Information Protection (WIP)
  WIP Overview and documentation
  WIP and Intune App Protection Policy Creation and Management
  EnterpriseDataProtection CSP
  Azure Active Directory (Azure AD) Premium license (required if MAM or WIP auto-recovery)
  Enlightened Microsoft apps for use with WIP
  BitLocker CSP

While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work
Secure remote access to on-premises apps
Frequent questions about using Conditional Access to secure remote access

Frequently asked questions
Q: For app protection on iOS, do you still need the intuneMAMUPN attribute in the application configuration per app for identifying an application on a fully managed device?
A: Yes, that is the hint to the SDK that it is an MDM-managed app. For more details, see How to manage data transfer between iOS apps in Microsoft Intune.
Q: For Android Enterprise devices in COBO, we are trying to launch OneDrive for our mobile users. Inside the App Configuration Policy for managed devices, I only see the "configuration key" for allowed accounts. Is there additional documentation with more JSON keys so that we can automatically configure the app for the user?
A: Managed Configuration (App Configuration) in Android Enterprise is pulled from Managed Google Play directly, so if the key is there, we'll pull it directly. That being said, the key is IntuneMamAllowedAccountsOnly because it is the same key across all apps for the Intune SDK to find it. Here is the iOS documentation and here is the Android documentation. These docs also list the applications that support single account mode (which requires both the Intune SDK to be integrated and in-app logic by developers to support this mode).
Q: Does the application protection policy work based on source only? For example, I have a Word document saved in SharePoint, so the policy applies there. Now let's say I have the file on my external hard disk as well; does the policy apply there too? Does the policy apply to both external and non-cloud sources?
A: The policy is targeted based on the application and the identity signed into that app. This is about protecting the app. If you need the data protected wherever it resides, that is a function of Microsoft Information Protection. Assigning MIP labels would protect the data itself, regardless of location.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Provision Windows devices from anywhere to support a mobile workforce
In this, our second chapter of the Enabling Remote Work for IT Pros web series, we focus on practical tips to help you effectively provision Windows devices from anywhere. We walk through a variety of strategies, from simple to complex, to help you better understand how to leverage Azure AD Join with Microsoft Intune, or Configuration Manager co-management and task sequences. We then present you with a clear list of the steps you can take now, start soon, or work on in the future.

Learn more
Here are links to the resources mentioned in this session:
Automatic MDM enrollment
Using Windows Hello for Business to Access On-Premises Resources
Enable Kerberos
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: For Hybrid Azure AD join, if we have line of sight to the domain controller, is the Intune connector required?
A: Yes, it's what gathers an offline domain join blob from your domain controller.
Q: Is there a way to define the complete computer name for devices provisioned via Windows Autopilot?
A: For Azure AD Join devices, yes, there is a Graph API. For Hybrid Azure AD devices, no, there is only the ability to prefix something onto the name.
Q: Is there a list of supported VPN clients?
A: We don't have a supported list because we don't support the configuration of third-party VPN clients. Customers will need to figure out whether their VPN works in this scenario. The real question to ask is "does your VPN support pre-logon/start-before-logon auth?" or some sort of AOVPN. If so, it will work. These are some of the VPN providers we expect to work:
Cisco AnyConnect (Win32 client): "Start before Logon"
Pulse Secure (Win32 client): "Credential Provider"
GlobalProtect (Win32 client): "Pre-logon"
Checkpoint (Win32 client): "Auto Connect/Always Connected"
Citrix NetScaler (Win32 client): "Always on"
SonicWall (Win32 client): "NetExtender on Startup"
Note: We do not document or support how you configure your VPN, as it is a third-party configuration.
Q: Is there a way to get the device enrolled in Windows Autopilot remotely?
A: The only way is if it's currently managed through Intune. You can assign a Windows Autopilot profile with the "Convert devices to Autopilot" option enabled, and the hardware hash will be automatically harvested at the next check-in.
Q: Are there any alternatives to enroll multiple devices, already deployed, besides Windows Autopilot and bulk enrollment using provisioning package files (PPKG)?
A: All of the possibilities are documented here: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
Q: Is there a way to use White Glove deployment with standard applications without pre-assigning the device to a particular user?
A: If you target your applications to devices, then you don't need to. If the apps are assigned to users, then you need to assign a user.
Q: Are we able to deploy provisioning package files through Intune?
A: No, this is not currently supported.

Feedback
We hope you find this session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!

Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.

Learn more
Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.
OSHA COVID19 guidance
Configure and Deploy Security Baselines
Setup/Configure Azure AD Connect
Set up a Cloud Management Gateway
Enable OneDrive for Business
Switch to Split-Tunnel VPN Policies
Enable ConfigMgr Co-Management
Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN)
Begin OneDrive for Business Known Folder Migration
Configure and Enable Azure AD Conditional Access
Set up Azure App Proxy
Replace Perimeter trust with Zero Trust
Enhance MFA by issuing FIDO2 Keys
Consider Further Advanced Cloud Security Solutions
Leverage the power of Analytics: User Experience & Productivity Score
Shift line of business (LOB) application workloads
Configure and Deploy Security Baselines
Begin piloting and shifting Policy, Compliance, and EP to the cloud
Enable asset protection through Office ATP and MCAS
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Azure Multi-Factor Authentication
Conditional Access
Data Leak Prevention
Intune Migration Guide
Zero Trust strategy—what good looks like
How to implement Multi-Factor Authentication (MFA)
Microsoft Cloud Security solutions provide comprehensive cross-cloud protection
Blog: Brad Anderson
Blog: Jared Spataro
While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we've learned about remote work

Frequently asked questions
Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren't clearly published)?
A: We are seeing customers move all Internet traffic away from VPN, and that's what we do internally as well. There are a couple of resources on this for WSUS (see 2.1.1) and Windows Update.
Q: Are there instructions to shift Office updates from Configuration Manager to the cloud?
A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.
Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?
A: Here are some resources that are available on the topic:
https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.microsoft.com/en-us/security/business/identity/passwordless
Q: Do you have any formal statements endorsing Split-Tunnel VPN?
A: Statement below, from https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile:
"Split tunneling: Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default."
Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?
A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost
Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?
A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP, specifically the Endpoint Detection and Response (EDR) component.

Feedback
We hope you find this first session useful. We'd love your feedback and ideas for future sessions, so please fill out this short survey. Thank you!
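The split-tunnel statement quoted in this session's Q&A, and the "split tunneling via IP addresses" question in the Cloud management gateway deep dive above, describe the outcome but not the profile that produces it. The following is an added example, not code from the original sessions or from Microsoft: it builds a Windows built-in VPN profile with split tunneling enabled so that only corporate prefixes are routed into the tunnel, and then checks which hostnames would still ride the VPN. The VPN gateway name, the corporate prefixes and the hostnames are placeholders; the cmdlets are the VpnClient module ones that ship in Windows 10.

```powershell
# Added example (not from the original sessions). Builds a Windows built-in VPN
# profile with split tunneling so only corporate prefixes use the tunnel, then
# checks which hostnames would still be routed through it. The server name,
# corporate prefixes and hostnames are placeholders. Run as the signing-in user
# (add -AllUserConnection and run elevated for a device-wide profile).
$VpnName      = 'Corp-VPN'
$VpnServer    = 'vpn.corp.example'                  # assumed VPN gateway
$CorpPrefixes = @('10.0.0.0/8', '172.16.0.0/12')    # assumed corporate ranges

function New-SplitTunnelVpn {
    param([string]$Name, [string]$Server, [string[]]$Prefixes)
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    # -SplitTunneling leaves the default route on the physical NIC: Windows Update,
    # Office 365 and the CMG go direct; only the routes added below enter the tunnel.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -SplitTunneling -Force
    foreach ($prefix in $Prefixes) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix
    }
}

function Test-IpInPrefix {
    # True when the IPv4 address $Ip lies inside the CIDR block $Prefix.
    param([string]$Ip, [string]$Prefix)
    $net, $bits = $Prefix.Split('/')
    $toInt = { param($a) [BitConverter]::ToUInt32(([ipaddress]$a).GetAddressBytes()[3..0], 0) }
    $all   = 4294967295   # 0xFFFFFFFF as Int64; a hex literal would parse as Int32 -1
    $mask  = ($all -shl (32 - [int]$bits)) -band $all
    return (((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask))
}

function Test-RouteViaTunnel {
    # Resolves each host and reports whether its addresses fall inside a tunneled prefix,
    # which is the check to run before trusting that update traffic stays off the VPN.
    param([string[]]$Hosts, [string[]]$Prefixes)
    foreach ($h in $Hosts) {
        $addresses = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
        foreach ($ip in $addresses) {
            $viaTunnel = [bool]($Prefixes | Where-Object { Test-IpInPrefix -Ip $ip -Prefix $_ })
            [pscustomobject]@{ Host = $h; Address = $ip; ViaTunnel = $viaTunnel }
        }
    }
}

New-SplitTunnelVpn -Name $VpnName -Server $VpnServer -Prefixes $CorpPrefixes
Get-VpnConnection -Name $VpnName |
    Select-Object Name, SplitTunneling, @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' } }
# Corporate hosts should report ViaTunnel = True, cloud endpoints False (hostnames are placeholders).
Test-RouteViaTunnel -Hosts @('cm01.corp.example', 'download.windowsupdate.com') -Prefixes $CorpPrefixes
```

The routing check is the part worth keeping: a CMG or cloud distribution point resolves to an Azure address, so it must never fall inside a prefix you route into the tunnel, and a third-party client that only accepts IP-based exclusions needs the same test run against the Azure ranges it is given. A profile whose Routes list is empty while SplitTunneling is true would tunnel nothing at all, which is the opposite failure and shows up in the same Get-VpnConnection output.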
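The "Shift update and servicing workloads to the cloud (Windows Update for Business)" step in this session, and the two answers in the Managing quality updates via Windows Update for Business Q&A above (pinning a device to its current feature release, and deferral being per update class rather than per update), both come down to a handful of Windows Update for Business policy settings. The following is an added example, not code from the original sessions or from Microsoft: it writes those settings through the Group Policy registry key the Windows Update for Business ADMX template uses, pins the device to the release it already runs, and reads the result back for verification. Intune Update Rings set the same Policy CSP settings over MDM rather than through this key, so do not apply both to one device. The 7-day quality deferral and the choice to pin to the current release are assumptions for illustration; the value names are the documented ones.

```powershell
# Added example (not from the original sessions). Pins a Windows 10 device to the
# feature release it already runs and defers quality updates, using the Windows
# Update for Business policy values under the Group Policy registry key.
# Assumptions: run elevated; the 7-day quality deferral is illustrative.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-CurrentReleaseVersion {
    # DisplayVersion (e.g. 20H2) exists on newer builds; ReleaseId (e.g. 1909) on older ones.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.PSObject.Properties['DisplayVersion'] -and $cv.DisplayVersion) { return [string]$cv.DisplayVersion }
    return [string]$cv.ReleaseId
}

function Set-WufbPolicy {
    param(
        [Parameter(Mandatory)][string]$TargetRelease,
        [ValidateRange(0, 30)][int]$QualityDeferralDays = 7,
        [ValidateRange(0, 365)][int]$FeatureDeferralDays = 0
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Deferral is per update class (quality vs feature), never per individual update,
    # which is the limit the "policy per quality update" question runs into.
    $dwords = [ordered]@{
        TargetReleaseVersion            = 1      # hold the device on $TargetRelease
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityDeferralDays
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureDeferralDays
        BranchReadinessLevel            = 16     # Semi-Annual Channel
    }
    foreach ($name in $dwords.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $dwords[$name] -PropertyType DWord -Force | Out-Null
    }
    # The release to stay on, as a REG_SZ such as "1909". While it matches the installed
    # release, Windows Update does not offer a newer feature update; a task sequence
    # can still install one explicitly.
    New-ItemProperty -Path $PolicyKey -Name TargetReleaseVersionInfo -Value $TargetRelease -PropertyType String -Force | Out-Null
}

function Test-WufbPolicy {
    # Reads the policy back so the pin can be verified against the running release.
    $p = Get-ItemProperty -Path $PolicyKey
    $current = Get-CurrentReleaseVersion
    [pscustomobject]@{
        CurrentRelease      = $current
        PinnedRelease       = $p.TargetReleaseVersionInfo
        PinMatchesCurrent   = ($p.TargetReleaseVersion -eq 1 -and $p.TargetReleaseVersionInfo -eq $current)
        QualityDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
    }
}

Set-WufbPolicy -TargetRelease (Get-CurrentReleaseVersion) -QualityDeferralDays 7
Test-WufbPolicy | Format-List
```

A pin behaves differently from a pause: a pause (PauseFeatureUpdatesStartTime / PauseQualityUpdatesStartTime) expires after 35 days, while TargetReleaseVersionInfo holds until you change it, so track pinned devices and move the value forward when the release approaches end of servicing. Because quality updates are still offered under a pin, the device keeps receiving security fixes for the release it is on.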
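The "Set up Azure App Proxy" step in this session, and the Secure Hybrid Access: Part 1 Q&A above (an internal HTTP app published behind an HTTPS external endpoint, pre-authentication, and header/body translation), are shown below as an added example that is not code from the original sessions or from Microsoft. It publishes a placeholder internal HTTP app through Azure AD Application Proxy with Azure AD pre-authentication and host-header/link translation, restricts the app to one group, and reads the published settings back. It uses the Application Proxy cmdlets of the AzureAD PowerShell module as documented at the time of these sessions; the display name, URLs and group name are assumptions. One caveat the Q&A only implies: the connector-to-app hop is plain HTTP on your internal network, so place connectors close to the application rather than behind a long internal path.

```powershell
# Added example (not from the original sessions). Publishes an internal HTTP web
# app through Azure AD Application Proxy with Azure AD pre-authentication and
# header/link translation, then restricts it to one group. Uses the AzureAD
# PowerShell module's Application Proxy cmdlets; names and URLs are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null      # sign in as an Application Administrator

$DisplayName = 'HR Portal (App Proxy)'                    # assumed
$InternalUrl = 'http://hrportal.corp.example/'            # assumed: HTTP only inside the network
$ExternalUrl = 'https://hrportal-contoso.msappproxy.net/' # assumed tenant default domain
$GroupName   = 'HR Staff'                                 # assumed Azure AD group

function Publish-InternalWebApp {
    param([string]$Name, [string]$Internal, [string]$External, [string]$Group)
    # Pre-authentication makes Azure AD (and Conditional Access) the gate on the
    # external endpoint; Passthru would expose an unauthenticated HTTPS front door.
    $proxyApp = New-AzureADApplicationProxyApplication -DisplayName $Name `
        -InternalUrl $Internal -ExternalUrl $External `
        -ExternalAuthenticationType AadPreAuthentication `
        -IsTranslateHostHeaderEnabled $true `
        -IsTranslateLinksInBodyEnabled $true

    # Require assignment, then grant the default access role (empty GUID) to the group.
    $application = Get-AzureADApplication -ObjectId $proxyApp.ObjectId
    $sp  = Get-AzureADServicePrincipal -Filter "appId eq '$($application.AppId)'"
    $grp = Get-AzureADGroup -Filter "displayName eq '$Group'"
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
    New-AzureADGroupAppRoleAssignment -ObjectId $grp.ObjectId -PrincipalId $grp.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null
    return $proxyApp
}

function Test-PublishedApp {
    # Reads the settings back and checks the two properties that matter most:
    # HTTPS on the external URL and pre-authentication switched on.
    param([string]$ObjectId)
    $a = Get-AzureADApplicationProxyApplication -ObjectId $ObjectId
    [pscustomobject]@{
        ExternalUrl         = $a.ExternalUrl
        InternalUrl         = $a.InternalUrl
        ExternalIsHttps     = $a.ExternalUrl.StartsWith('https://')
        PreAuthEnabled      = ($a.ExternalAuthenticationType -eq 'AadPreAuthentication')
        TranslateHostHeader = $a.IsTranslateHostHeaderEnabled
    }
}

$app = Publish-InternalWebApp -Name $DisplayName -Internal $InternalUrl -External $ExternalUrl -Group $GroupName
Test-PublishedApp -ObjectId $app.ObjectId | Format-List
```

The service principal is created alongside the application and can lag the New- call by a few seconds, so a retry around the Get-AzureADServicePrincipal lookup is reasonable in automation. With pre-authentication on, the external endpoint is an enterprise app in Azure AD, which is what lets the Conditional Access policies discussed in the Q&A (require MFA, require an approved client app on mobile) apply to it.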