Modernizing Windows Management With Configuration Manager And Intune

WORKPLACEModernizingWindowsManagementwith ConfigurationManager and IntuneKent AgerlundPeter Daalmans

WORKPLACEKent @AgerlundPrincipal Consultant @CTGlobalEnterprise Mobility MVP &Microsoft Regional Director

WORKPLACEPeter DaalmansSenior Consultant @ CTGlobalEnterprise Mobility MVPpds@ctglobalservices.com@pdaalmans

WORKPLACESession Objectives Understand the benefits of modernizing Windowsmanagement Immediate benefits of extending SCCM to thecloud Conditional Access for SCCM managed PCs Modern provisioning with Intune and AutoPilot And moreLearn about what’s coming

WORKPLACEBusinesses requirepowerful devicemanagement toolsMore than 115M enterpriseWindows devices managed byConfiguration Manager CurrentBranchA commercial PC isupgraded to Win10 viaConfigMgr every0.98son average

WORKPLACEChanges in technology and theworkplace introduce newmanagement challengesUsers working from anywhereUsers want to choose the technology they work withAdvanced security threatsCadence changes for Windows and OfficeCloud infrastructure opportunities

WORKPLACEComplement existing tools by lighting up cloud valueModern ProvisioningIntegrated AccessControl, Security, andComplianceSimplified AppManagementAutomated UpdateLowerInfrastructure costs

WORKPLACECloud Enlightened Management FeaturesModern ProvisioningSimplified AppManagementIntegrated AccessControl, Security, andComplianceLowerInfrastructure costsAutomated Update Protect corporatedata - ConditionalAccess for PCs Make any new PCenterprise-ready viaa simple self-serviceexperience. Simplify updatedeployments withcloud insights Manage StoreApplications andconvert existingapplications Manage clients overthe internet Protect againstadvanced threats Lower TCO forsingle purposedevices Keep Windows upto date from thecloud Conditional Accessfor SCCM managedapps Azure hostedmanagement andidentity Control remote PCswith wipe, scan, andother commands Troubleshoot youremployee’s PCsanywhere

WORKPLACECloud Enlightened Management FeaturesModern ProvisioningSimplified AppManagementIntegrated AccessControl, Security, andComplianceLowerInfrastructure costsAutomated Update Protect corporatedata - ConditionalAccess for PCs Make any new PCenterprise-ready viaa simple self-serviceexperience. Simplify updatedeployments withcloud insights Manage StoreApplications andconvert existingapplications Manage clients overthe internet Protect againstadvanced threats Lower TCO forsingle purposedevices Keep Windows upto date from thecloud Conditional Accessfor SCCM managedapps Azure hostedmanagement andidentity Control remote PCswith wipe, scan, andother commands Troubleshoot youremployee’s PCsanywhere

WORKPLACEIntegrated Access Control,Security, and Compliance

Control data accessWORKPLACEUserGroup membershipsAuth strength (MFA)Risky behaviorDeviceManaged (Intune or CM)CompliantRisky behaviorAppMobile app is managedMobile app reputationSaaS app sensitivityConditional accesswith EMSOtherNetwork locationBreach detectedOn-premise data

WORKPLACERoadmapIntelligent Security – Conditional Accessbased on Device Risk signals fromDefender ATP Currently in public preview

WORKPLACEINTUNE ONAL ACCESSSTOP O365 ACCESSWDATP CONSOLETHREATDETECTED

WORKPLACEGoal: Ensure only trusted and secure Win10 devices have access tocorporate data.INTUNE CCESSALERT OR HEXADITE REMEDIATIONSECOPSCONDITIONAL ACCESSEMAIL ACCESSWDATP CONSOLETHREATMALWAREDETECTEDREMEDIATED

WORKPLACEHow Microsoft Delivers Integrated AccessControl, Security, and ComplianceProtect corporate data - Conditional Access for PCsIntune, AAD, O365Protect against advanced threatsIntune, ATP

WORKPLACEModern Provisioning withIntune and AutoPilot

WORKPLACESETTINGSTraditional PC provisioningTimePOLICIES OFFICEAPPS& DRIVERSMoney

WORKPLACEModern PC provisioning

WORKPLACEVision

WORKPLACEBrad, your new Surface Laptop has arrived.It’s time for unboxing

WORKPLACEOOBE Challenges Non-trivial decision making (Personal vs Org Owned disambig,Privacy Settings, OEM Registration) generates Helpdesk calls Time for configs and apps to install. Block access, show progress OOB account is always Admin – majority of enterprises wantstandard accounts on corp-owned devicesANNA hipDeliver direct to EmployeeOff-the-shelf and Shrink-wrapped DevicesEmployee unboxesdevice, self-deploys

WORKPLACEWINDOWS AUTOPILOTMicrosoft Intune with AutoPilotConfigureAutoPilot ProfileUploadDevice IDsHarvest Device IDsDevice IDsOEM/ResellerExisting DevicesSelfDeployIT AdminShipDeliver direct to EmployeeEmployee unboxesdevice, self-deploys

WORKPLACEWINDOWS AUTOPILOTMicrosoft Intune with AutoPilotConfigureAutoPilot ProfileUploadDevice IDsSelfDeployDevice IDsOEMIT AdminShipDeliver direct to EmployeeEmployee unboxesdevice, self-deploys

WINDOWS AUTOPILOTWORKPLACEAutoPilot ServiceSyncHarvest Device IDsIntune ServiceUploadDevice IDsConfigureAutoPilot ProfileOEMSelfDeployExisting Enrolled DevicesIT AdminShipDeliver direct to EmployeeEmployee unboxesdevice, self-deploys

WORKPLACEOEM support for Windows Autopilot

WORKPLACE1803 aka RS4 aka build 17134aka latest Windows 10experience

WORKPLACE

WORKPLACELet’s start with region. Is this right?United Arab EmiratesUnited KingdomUnited StatesYes

WORKPLACEIs this the right keyboard layout?USUnited States-Dvorak for left hand DVORAK LUnited States-Dvorak for right hand DVORAK RUnited States-International QWERTYAlbanian QWERTZYes

WORKPLACEWant to add a second keyboard layout?Add layoutSkip

WORKPLACELet’s connect you to a networkContosoMNGuestWiFiConnect automaticallyConnectContoso CorpContoso Corp 2Network4Skip for nowNow let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about thefirst one on the list? Want to use that one?

WORKPLACELet’s connect you to a networkContosoMNGuestWiFiConnect automaticallyConnectContoso CorpContoso Corp 2Network4Skip for nowNow let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about thefirst one on the list? Want to use that one?

WORKPLACEWelcome to our Guest Wi-FiAgree & ConnectBy clicking on the connect button you agree to our Termsof Service and have reviewed the Contoso Privacy Policy.

WORKPLACEWelcome to our Guest Wi-FiAgree & ConnectBy clicking on the connect button you agree to our Termsof Service and have reviewed the Contoso Privacy Policy.

WORKPLACEJust a moment

WORKPLACENow we can go look for any updates

WORKPLACEWelcome to ContosoMN!Enter your ContosoMN emailsomeone@example.comNeed help?Please sign in with your ContosoMN email addressChange accountPrivacy & CookiesTerms of UseNext

WORKPLACEWelcome to ContosoMN!Enter your ContosoMN emailanna@contosomn.comNeed help?Welcome to ContosoMNChange accountPrivacy & CookiesTerms of UseNext

WORKPLACEWelcome to ContosoMN!Enter your ContosoMN password .Need help?Welcome to ContosoMNChange accountPrivacy & CookiesTerms of UseNext

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show details

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show details

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show details

WORKPLACEWe’re getting everything ready for you

WORKPLACEThis will just take a moment

WORKPLACELeave everything to us

WORKPLACEAlmost there

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show detailsAccount setup Show details

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show detailsAccount setup Show details

WORKPLACESetting up your device forThis could take a while and your device may need to reboot.workDevice preparation Show detailsDevice setup Show detailsAccount setup Show details

WORKPLACEWe’re getting everything ready for you.

WORKPLACEThis might take several minutes.

WORKPLACEWe want everything to be ready for you.

WORKPLACELet’s Start!

WORKPLACEModern Provisioning –phases & componentsAutoPilotAzure ActiveDirectoryCustomize OOBEIntune/SCCMAuto-enroll into IntuneRemove AdminsAzure AD AuthNPre-MDM SettingsConfigure Policies, SettingsAzure AD JoinInstall SCCM agent for Co-MgmtOffice, SfB, WUfBInstall Office 365SfB AppsConfigure UpdatesWindows ActivationStep Up from Windows Pro toWindows EnterpriseBusiness ReadySelf-driven deployment

WORKPLACEWhat’s coming Autopilot Self-Deploying modeAutopilot ResetAutoPilot into Hybrid AADJWin7 - Win10 “rip and reuse”Forced enrollmentRemove OEM bloatwareAuto-register enrolled devices into AutoPilotBlock personal devicesDevice renaming w/out rebootUser personalization

WORKPLACEco-management

WORKPLACECo-management requirements & BenefitsRequirements Devices joined to AD andAzure AD.Enable automatic MDMenrollment for Windows 10Intune StandaloneOut of the box benefits Remote actionsFactory resetSelective wipeDelete devicesRestart deviceControlled workloads Compliance policiesResource access policiesWindows Update policiesEndpoint Protection

WORKPLACECloud Management Gateway Requirements & BenefitsRequirementsBenefits Support for Road Warriors Azure subscription Support Windows Autopilot Certificate(s) depends on your choiceFeatures supported Internal PKI, Public provider, AADauthInstall Win10 clients AAD (and most likely AD) UserdiscoveryAzure service for ConfigMgrClient settings Software updates andendpoint definitionInventoryclient activityCompliance settingsSoftware distributionWindows 10 in-place upgradetask sequence

WORKPLACEConfigMgr client cmdCCMSETUPCMD /noCRLCheck/mp:https://VIA166CMG.CLOUDAPP.NET/CCM Proxy MutualAuth/72057594037927965CCMHTTPState 31CCMHOSTNAME VIA166CMG.CLOUDAPP.NET/CCM Proxy MutualAuth/72057594037927965SMSSiteCode PS1SMSMP https://CM02.CORP.VIAMONSTRA.COMAADTENANTID 5172DCF5-EEC5-4E5A-A1A6-499A0EAA9759AADCLIENTAPPID a0107f2f-99a6-47ef-ac36-65acb47214e7AADRESOURCEURI https://ConfigMgrService stallation-propertiesUseful SQL views vProxy Roles (MutualAuthPath) vSMS AAD Application Ex Computer\HKEY LOCAL MACHINE\SOFTWARE\Microsoft\SMS\Client\Internet FacingComputer\HKEY LOCAL MACHINE\SOFTWARE\Microsoft\CCM ProxyServiceNameRoleServerName AppclientID AADRESOURCEURIClient registry keys

WORKPLACECo-Management RoadmapEnable all workloads: Device settingsModern AppsOfficeEnd User PortalSettings baseline exceptions

FUTURE READYSKILLSWORKPLACEDo you want to gain moreknowledge about Microsofttechnology?The Future Ready Skills programoffers online courseware, onlinelabs, live Q&A’s and expertsessions, so you can acquireyour official Microsoft Certificatein the most efficient way.For more information:aka.ms/frsblog

WORKPLACE

Management Integrated Access Control, Security, and Compliance Lower Infrastructure costs Cloud Enlightened Management Features Protect corporate data - Conditional Access for PCs Make any new PC enterprise-ready via a simple self-service experience. Simplify update deployments with cloud insights Manage Store Applications and