End-users commonly experience challenges such as long boot times, application crashes, and so on. These problems may be the result of a lack of optimized software configurations, legacy hardware, and issues that may arise due to configuration changes and updates.
The insights you receive cover device setup, startup and sign-in times, and overall system performance, and acting on them improves user productivity and reduces IT support costs.
New features keep extending what you can see, which enhances the user experience even more.
Benefits of Endpoint Analytics
Introduced in September 2020, Endpoint Analytics is the tool that can help your organization to gather significant amounts of data and thus help you to view and understand the performance of your managed Windows 10 estate. At the initial release, Microsoft Endpoint Analytics had three main areas of focus:
Startup performance: the insights provided help you understand your devices’ reboot and sign-in times and this enables IT to get users from power-on to productivity quickly without lengthy boot and sign-in delays.
Proactive remediation scripting: swiftly fix common issues before they become problematic for end-users.
Recommended software: recommendations for providing the best user experience.
To make the product even better, Microsoft has added two new features to give IT greater visibility in order to enhance the overall end-user experience.
The application reliability report
The first of the two new features is called the application reliability report (APR). This is something that will provide you with insights into potential issues for desktop applications on managed devices.
Utilizing this feature helps you to quickly identify the top applications that are impacting end-user productivity. Moreover, it also enables you to view aggregate app usage along with app failure metrics for these applications.
To take advantage of this feature, devices should be enrolled in Endpoint Analytics. And for devices enrolled from Configuration Manager, they’ll need client version 2006 or later installed.
To view the APR, you won’t need to do anything if your devices are Intune managed or co-managed. You’ll easily locate it beside the rest of the Endpoint Analytics reports in the Microsoft Endpoint Manager admin center console.
On the other hand, if you have devices enrolled through tenant attach, you need to upgrade to Configuration Manager 2006 for this report to populate.
How it works
To find your app reliability score, head over to the overview page. Here, you’ll also get the baseline score which is the median across all organizations. Below that you get a list of the apps most likely to have reduced user productivity during the previous 14 days. And then on the right column are app reliability Insights and Recommendations prioritized by which are most likely to boost your score.
To view the list of all your organization’s apps, go to the App performance tab. You can sort these apps by name, publisher, active devices, and app reliability score, as well as by mean time to failure, which is the average usage time of the app across the organization between crashes (a duration, not a count of launches).
You can also pivot application reliability by device model and by OS version, and troubleshoot application reliability issues on individual devices.
Devices will be given a device app health score that you find in device performance. This score is determined by the frequency of app crashes on a particular device during the last 14 days. To help you with troubleshooting, you can view a timeline of app crash and app hang events by clicking into each device.
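To see on a single device what the report summarizes across the estate, you can read the same raw signals from the Windows Application event log: "Application Error" event 1000 for a crash and "Application Hang" event 1002 for a hang. The following PowerShell is an added example written for this article, not code from Microsoft or from Endpoint Analytics. The 14-day window mirrors the report, but the per-app counts and the "top faulting module" column are my own local approximation and not Microsoft's scoring formula.

```powershell
# Added example (not from the original article): approximate the app reliability view
# for one device from its own Application event log. Event 1000 (Application Error) is a
# crash, event 1002 (Application Hang) is a hang. The summary is a local approximation
# of the Endpoint Analytics report, not Microsoft's formula.
function Get-AppFailureSummary {
    param([int]$Days = 14)

    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error', 'Application Hang'
        Id           = 1000, 1002
        StartTime    = $since
    } -ErrorAction SilentlyContinue   # no error when the window holds no events

    # One record per failure. Properties[0] is the faulting application name for both
    # event types; Properties[3] is the faulting module and only exists for crashes.
    $records = foreach ($e in $events) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Kind   = if ($e.Id -eq 1000) { 'Crash' } else { 'Hang' }
            App    = [string]$e.Properties[0].Value
            Module = if ($e.Id -eq 1000) { [string]$e.Properties[3].Value } else { '' }
        }
    }

    # Per-app rollup, worst offenders first; TopModule points at the DLL most often blamed
    $perApp = $records | Group-Object App | ForEach-Object {
        [pscustomobject]@{
            App       = $_.Name
            Crashes   = @($_.Group | Where-Object Kind -eq 'Crash').Count
            Hangs     = @($_.Group | Where-Object Kind -eq 'Hang').Count
            LastEvent = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            TopModule = ($_.Group | Where-Object Module | Group-Object Module |
                         Sort-Object Count -Descending | Select-Object -First 1).Name
        }
    } | Sort-Object Crashes, Hangs -Descending

    [pscustomobject]@{
        WindowDays = $Days
        Failures   = @($records).Count
        PerApp     = $perApp
        Timeline   = $records | Sort-Object Time      # same view as the per-device timeline in the report
    }
}

$summary = Get-AppFailureSummary -Days 14
"$($summary.Failures) app failure(s) in the last $($summary.WindowDays) days"
$summary.PerApp   | Format-Table -AutoSize
$summary.Timeline | Format-Table Time, Kind, App, Module -AutoSize
```

Run it on a device the report flags and compare the timeline with what the admin center shows; if the local log holds crashes the report does not, the device is usually not sending its Endpoint Analytics data (enrollment or connectivity), which is worth knowing before you chase the application itself.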
Restart frequency feature
The second of the two recent additions to Endpoint Analytics is the restart frequency feature. It tells you when devices are being rebooted and why.
It also extends the existing startup performance report, so that operations and helpdesk teams can see restart problems on end-user devices and act on them before users raise tickets.
The data classifies each reboot as either normal or abnormal. Normal restarts go through the standard Windows shutdown process; the restart after a Windows Update installation is a typical example.
Abnormal restarts do not follow the normal Windows shutdown process. Because they can indicate a hardware, driver, or power problem, they need to be investigated further. There are three categories of them:
Blue screens: This type of abnormal restart type is also known as a stop error. On average, one may expect no more than two stop errors per device per year.
Long power button press: Occurs when you hold down the power button to force a restart. This type happens less frequently than blue screens.
Unknown: The last category is for shutdowns that cannot be placed in either of the two previous categories.
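The same split can be reconstructed on one device from its System event log, which is useful when you want to check what the report says against the machine in front of you. The PowerShell below is an added example of mine, not Microsoft's implementation: User32 event 1074 records a planned restart together with the initiating process and reason, and Kernel-Power event 41 records a restart that did not go through a clean shutdown, carrying a BugcheckCode and a PowerButtonTimestamp field. Mapping those two fields onto the three abnormal categories above is my own approximation of how the report classifies restarts.

```powershell
# Added example (not from the original article): classify recent restarts from the local
# System event log into the normal/abnormal categories described above.
#   User32 event 1074       - planned shutdown/restart with initiator and reason (Normal)
#   Kernel-Power event 41   - restart without a clean shutdown (Abnormal); BugcheckCode != 0
#                             means a stop error, PowerButtonTimestamp != 0 means the user
#                             held the power button, anything else is Unknown (e.g. power loss)
# The mapping is my own approximation of the report, not Microsoft's implementation.
function Get-RestartHistory {
    param([int]$Days = 14)

    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'User32', 'Microsoft-Windows-Kernel-Power'
        Id           = 1074, 41
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Id -eq 1074) {
            # Planned restart: shutdown type and stated reason come from the message text
            $type   = if ($e.Message -match 'Shutdown Type:\s*(\w+)') { $Matches[1] } else { 'shutdown' }
            $reason = if ($e.Message -match 'for the following reason:\s*(.+?)\s*Reason Code') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Class    = 'Normal'
                Category = $type
                Detail   = "$($e.Properties[0].Value): $reason"   # initiating process, e.g. TrustedInstaller.exe for updates
            }
            continue
        }

        # Unclean restart: read the named EventData fields from the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $bugcheck = 0L; $powerBtn = 0L
        [void][int64]::TryParse([string]$data['BugcheckCode'],        [ref]$bugcheck)
        [void][int64]::TryParse([string]$data['PowerButtonTimestamp'], [ref]$powerBtn)

        if ($bugcheck -ne 0)     { $category = 'Blue screen' }
        elseif ($powerBtn -ne 0) { $category = 'Long power button press' }
        else                     { $category = 'Unknown' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Class    = 'Abnormal'
            Category = $category
            Detail   = 'BugcheckCode=0x{0:X}' -f $bugcheck
        }
    }
}

$history = @(Get-RestartHistory -Days 14)
$history | Sort-Object Time | Format-Table -AutoSize
$history | Group-Object Class, Category | Select-Object Name, Count
```

A run of "Unknown" abnormal restarts on a desktop that is never unplugged deserves the same attention as a blue screen: it usually points at a power supply, a firmware reset, or a driver fault that never got as far as writing a bugcheck.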
Deployment of new laptops and desktops to users in an organization is a constantly ongoing process for a lot of businesses. As such, IT departments need efficient ways of managing devices and ensuring the optimization of the end-user experience.
And this is why if you’re not already enrolled you should be considering Endpoint Analytics.
End-users may face various issues in their day-to-day work that they will not report. Because of this, the user experience suffers and this will inevitably affect productivity. But, by utilizing Endpoint Analytics and its great new features, organizations can get high-level visibility into these various issues enabling them to address them quickly and efficiently.
Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect.
This can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.
As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.
Why Tamper Protection?
Arguably the greatest threat to an organization’s IT infrastructure is malware or a malicious app that tampers with your security settings, for example by switching off real-time protection before dropping its payload.
Once those changes have been made, your organization becomes a significantly easier target. It is with this in mind that Microsoft introduced Tamper Protection in 2019.
Simply put, and as the name implies, the feature locks Microsoft Defender Antivirus to its secure default values so that its settings cannot be changed through the registry, PowerShell cmdlets, Group Policy, or other local tools. That includes changes made by local administrators, which is the point: malware that has gained admin rights on the device is no better placed to switch protection off than a user is.
Tamper Protection is a key element of Microsoft’s strategy of making the built-in Microsoft Defender Antivirus robust enough that Windows 10 clients do not need third-party anti-virus software.
It does not, however, interfere with third-party antivirus registration: a third-party product can still register with the Windows Security app and take over as the active antivirus. What Tamper Protection prevents is the following:
Deactivation of virus and threat protection.
Deactivation of real-time protection.
Disabling of behavior monitoring.
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Blocking of cloud-delivered protection.
Removal of security intelligence updates.
Extending client coverage
With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.
This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.
Having done that, go to Endpoint security > Antivirus in the MEM admin center and create a policy for the platform Windows 10 and Windows Server (ConfigMgr) with the Windows Security experience profile, which carries the Tamper Protection setting. Configure that setting and deploy the policy to a Configuration Manager collection of devices.
To view the policy status, go to Monitoring > Deployments in the ConfigMgr console; the same status is also shown under the policy in the Endpoint Manager admin center.
Utilizing Tenant Attach
Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.
Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.
With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.
Management of Tamper Protection
In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:
Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10, Windows Server 2016, or Windows Server 2019.
Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.
Keeping track of security data
Having preventive measures in place does not negate the need for constantly reviewing the security information.
You need to review regularly what is going on in your environment, because repeated tampering attempts are usually a sign of something bigger, potentially an attack that is already in progress.
Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.
Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.
The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.
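Whichever of the management paths above you use, the state you care about is the one on the endpoint, and the blocked attempts are worth pulling from the endpoint's own log as well as from the alerts. The PowerShell below is an added example written for this article, not Microsoft code: Get-MpComputerStatus exposes IsTamperProtected (and, on newer Windows builds, TamperProtectionSource, which is null on older ones), and Microsoft Defender Antivirus writes event 5013 to its Operational log when tamper protection blocks a settings change. The checks on real-time protection, behavior monitoring, and IOAV follow the list of things the page says Tamper Protection keeps switched on.

```powershell
# Added example (not from the original article): confirm tamper protection is in force on an
# endpoint and list the changes it has blocked. TamperProtectionSource is only present on
# newer builds; the 30-day window and the "problems" list are my own choices.
function Get-TamperProtectionReport {
    param([int]$Days = 30)

    $status = Get-MpComputerStatus
    $state  = [pscustomobject]@{
        IsTamperProtected         = $status.IsTamperProtected
        TamperProtectionSource    = $status.TamperProtectionSource    # $null on older builds
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        IoavProtectionEnabled     = $status.IoavProtectionEnabled
        SignatureAgeDays          = $status.AntivirusSignatureAge
    }

    # Event 5013: tamper protection blocked a change to Microsoft Defender Antivirus
    $blocked = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Message = ($_.Message -replace '\s+', ' ') }
    }

    # Everything tamper protection is meant to keep on must still be on
    $problems = @()
    if (-not $state.IsTamperProtected)         { $problems += 'tamper protection is OFF' }
    if (-not $state.RealTimeProtectionEnabled) { $problems += 'real-time protection is OFF' }
    if (-not $state.BehaviorMonitorEnabled)    { $problems += 'behavior monitoring is OFF' }
    if (-not $state.IoavProtectionEnabled)     { $problems += 'IOAV protection is OFF' }

    [pscustomobject]@{ State = $state; Problems = $problems; BlockedAttempts = @($blocked) }
}

$report = Get-TamperProtectionReport -Days 30
$report.State | Format-List
if ($report.Problems) { Write-Warning ('Review: ' + ($report.Problems -join '; ')) }
'{0} blocked tampering attempt(s) in the last 30 days' -f $report.BlockedAttempts.Count
$report.BlockedAttempts | Format-Table -AutoSize -Wrap
```

Treat a non-empty list of 5013 events as an incident lead, not noise: something on that machine tried to turn protection off. And remember that a local check on a compromised host can itself be lied to, so corroborate it against the alert and the advanced hunting data in the Security Center rather than relying on the endpoint's word alone.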
Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.
With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.
When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.
Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.
No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With that said, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.
Enhancing security through filters
Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.
By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.
Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:
A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
An iOS app to only the iPad devices for users in another department,
An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.
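The three scenarios above map directly onto three filters. The PowerShell below is an added example of mine, not Microsoft's or the article's code, showing each rule in Intune's filter rule syntax and creating it through Microsoft Graph. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, that the assignmentFilters resource is addressed in the beta namespace, and that "Meeting Room" is a device category name the admin has already defined; the ownership value should be checked against what your tenant's rule builder offers. Run it without -Create to print the request bodies only.

```powershell
# Added example (not from the original article): the three filters described above, in Intune
# filter rule syntax, created via Microsoft Graph. Assumptions: Microsoft.Graph.Authentication
# installed; DeviceManagementConfiguration.ReadWrite.All granted; assignmentFilters is in the
# beta namespace; "Meeting Room" is an admin-defined device category; the deviceOwnership
# value matches what the rule builder in your tenant offers.
param([switch]$Create)

$filters = @(
    @{
        displayName = 'Corporate-owned Windows devices'
        description = 'Include mode: device restriction policy reaches company devices only, never personal (BYOD) enrollments'
        platform    = 'windows10AndLater'
        rule        = '(device.deviceOwnership -eq "Corporate")'
    },
    @{
        displayName = 'iPads only'
        description = 'Include mode: the iOS app lands on iPads, not iPhones, within the targeted group'
        platform    = 'iOS'
        rule        = '(device.model -startsWith "iPad")'
    },
    @{
        displayName = 'Android meeting-room devices'
        description = 'Use in EXCLUDE mode on the phone compliance policy so room devices are left out'
        platform    = 'androidForWork'
        rule        = '(device.deviceCategory -eq "Meeting Room")'
    }
)

foreach ($f in $filters) {
    $body = $f | ConvertTo-Json -Depth 3
    Write-Output "--- $($f.displayName) ---"
    Write-Output $body
    if ($Create) {
        if (-not (Get-MgContext)) {
            Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
        }
        Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' `
            -Body $body -ContentType 'application/json'
    }
}
```

Note the third filter: the rule matches the devices you want to leave out, and the exclusion happens at assignment time by applying the filter in exclude mode, rather than by writing a negated rule. Keeping the rule positive makes it reusable on other assignments that also need to skip the room devices.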
Windows 10 Enterprise multi-session is a Remote Desktop Session Host SKU exclusive to Windows Virtual Desktop on Azure that allows multiple concurrent user sessions on one VM. Users get a familiar Windows 10 experience, while IT benefits from the cost savings of multi-session hosts and can use existing per-user Microsoft 365 licensing.
With Intune you can now:
Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
Manage multi-session remote desktops with device-based configurations, like a shared, user-less Windows 10 Enterprise client.
Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.
Policy management made simpler
Using the settings catalog simplifies customizing, setting, and managing device and user policy settings. Managing policy through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings is error-prone, because you hand-craft each node path and value.
The 2105 service release supports your move from Group Policy Objects (GPO) or custom OMA-URI to consolidated, cloud-based policies.
Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.
Microsoft Tunnel Gateway changes
There are a couple of changes to note for the Microsoft Tunnel Gateway:
Microsoft Tunnel Gateway (MTG) is now out of preview and thus is generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not – Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
Custom settings are now supported in the VPN profile for Microsoft Tunnel when Microsoft Defender for Endpoint is the Microsoft Tunnel client app on Android. This means you can configure Defender for Endpoint, both as the Tunnel client and as an MTD app, from the same profile.
Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.
By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.
All one has to do to achieve this is to activate the compliance connector for Jamf. The steps on how to do that can be found here.
New settings available
There are new settings now available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). Here are the updates that have been introduced:
Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.
There are also new tiles that show the number of app installation failures for the tenant. You can find them in the Home, Dashboard, and Apps Overview panes:
To view the Home pane, select Home.
To view the Dashboard pane, select Dashboard.
To view the Apps Overview pane, select Apps > Overview.
Microsoft Endpoint Manager has many different ways that various companies can use it. It gives you a fantastic platform to gather end-point information. Also, it gives you the ability to push out Microsoft Desktop apps, Microsoft Edge as well as several other apps. And by consistently updating the features, Microsoft can help your business to operate more efficiently and enhance your data security and privacy.
With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).
By using the CMG, your business has an alternative to internet-based client management (IBCM) that most would consider a significant upgrade. It removes the obstacles of managing a remote workforce, and its role in your organization is worth discussing.
Before you can use the Cloud Management Gateway you need to meet the following requirements:
An Azure subscription to host the CMG,
You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
During the initial creation of certain components, the participation of an Azure admin is needed,
You need at least one on-premises Windows server to host the CMG connection point,
Depending on your client OS version and authentication model, other certificates may be required,
Clients are required to use IPv4.
When is it useful?
There are several scenarios where the CMG could come in handy and they include the following:
For management of traditional Windows 10 clients with modern identity, i.e. devices that are Azure AD joined or hybrid Azure AD joined.
For management of traditional Windows clients with on-premises Active Directory domain-joined identity (Windows 8.1 and Windows 10).
For installation of the Configuration Manager client on Windows 10 devices over the internet.
For new device provisioning with co-management.
Benefits to your business
CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:
Push software updates and enable endpoint protection,
Inventory and client status,
Windows 10 in-place upgrades,
Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.
Although Internet-based client management (IBCM) has been around for years, many administrators find it complicated. CMG aims to be a simpler solution: an Azure-hosted service that manages internet-based clients through a new site system role, the cloud management gateway connection point, which brokers traffic between the CMG in Azure and your on-premises site.
By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.
Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.
Manage internet clients
Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.
However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.
Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.
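To confirm from the device side that a client really is being managed through the CMG, the place to look is the Configuration Manager client's own logs under C:\Windows\CCM\Logs, which use the CMTrace format (each entry is an <![LOG[...]LOG]!> message followed by a time, date, component, type and thread). The PowerShell below is an added example of mine, not Microsoft's or the article's code: a parser for that format plus a small check that looks for the CMG host name and for errors in the ClientLocation component. The three log lines embedded in it are constructed for the demonstration; real ClientLocation.log wording varies by client version, so anchor your own search on your CMG's host name rather than on the message text used here.

```powershell
# Added example (not from the original article): parse CMTrace-format client logs and check
# whether the client has located its CMG. Sample lines are constructed; real messages vary
# by client version. The CMG host name is an assumed value you would replace.
$LogPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
              'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+' +
              'thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)][string]$Text)

    $types = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type codes
    foreach ($m in [regex]::Matches($Text, $LogPattern, 'Singleline')) {
        # time is HH:mm:ss.fff followed by a UTC offset in minutes (e.g. "-420"); the offset is
        # dropped and the stamp is kept as the device's local time
        $clock = $m.Groups['time'].Value -replace '[+-]\d+$', ''
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($m.Groups['date'].Value) $clock",
                                               'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Component = $m.Groups['comp'].Value
            Severity  = $types[$m.Groups['type'].Value]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Test-CmgConnectivity {
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$CmgHost)

    $entries = @(ConvertFrom-CmTraceLog -Text $Text | Where-Object Component -eq 'ClientLocation')
    [pscustomobject]@{
        LastSeenCmg = ($entries | Where-Object { $_.Message -like "*$CmgHost*" } |
                       Sort-Object Time | Select-Object -Last 1).Time
        Errors      = @($entries | Where-Object Severity -eq 'Error')
    }
}

# Constructed sample in the CMTrace format (not real log output)
$sample = @'
<![LOG[Client is on the Internet; resolving internet management point]LOG]!><time="09:15:02.123-420" date="05-20-2021" component="ClientLocation" context="" type="1" thread="4212" file="lsad.cpp:1234">
<![LOG[Current management point is cmg-contoso.example (CMG)]LOG]!><time="09:15:03.456-420" date="05-20-2021" component="ClientLocation" context="" type="1" thread="4212" file="lsad.cpp:1300">
<![LOG[Failed to get client identity (0x80004005)]LOG]!><time="09:15:04.789-420" date="05-20-2021" component="ClientLocation" context="" type="3" thread="4212" file="lsad.cpp:1377">
'@

# On a real client: $text = Get-Content 'C:\Windows\CCM\Logs\ClientLocation.log' -Raw
$result = Test-CmgConnectivity -Text $sample -CmgHost 'cmg-contoso.example'
"Last contact with CMG: $($result.LastSeenCmg)"
$result.Errors | Format-Table Time, Message -AutoSize
```

A client that shows the CMG as its management point but also logs identity or certificate errors is the common failure shape when the authentication model (Azure AD token versus PKI certificate) does not match what the CMG was configured to accept, so the Errors column is the first thing to read when a remote device stops reporting.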
Strengthen your security
The moment you have systems that are not directly connected to your IT infrastructure, your data security is at increased risk. This is particularly evident with remote work.
Many businesses have responded with VPNs, but a VPN only helps while the user is connected to it: a workstation that rarely or never dials in misses policy, inventory, and updates. Hence the importance of the Cloud Management Gateway.
With it, you can manage devices wherever they have an internet connection and so improve your corporate security posture. Because the gateway runs as an Azure service, you do not have to expose your on-premises infrastructure to the internet to do so.
Whenever you use cloud services you incur usage costs, and the Cloud Management Gateway is no exception. Microsoft does, however, give you controls to keep those costs down. Through client settings you can determine which clients are allowed to use the CMG at all.
You can also size the virtual machine configuration, choosing between 1 and 16 VM instances per CMG, and you can stop the CMG when it no longer needs to serve clients, which stops the compute charges.
Used this way, the CMG keeps the cloud costs of reaching every client under your control.
Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.
This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:
Traditional PC management (Windows 7, 8.1, 10),
Modern PC management (Windows 10 with modern identity),
Internet client installs.
Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.
In July 2020, Microsoft announced the release of update 2007 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager (MECM). And with that, came a feature that now allows you to view hardware inventory for a tenant-attached Configuration Manager device in the admin center. With most pieces of hardware in offices today being connected to the internet, being able to view hardware inventory is extremely important. Microsoft Endpoint Manager (MEM) now offers that capability and thus gives your business several advantages.
To view hardware inventory in the admin center you need the following:
An environment that’s tenant attached with uploaded devices,
You need either Microsoft Edge (version 77 and later) or Google Chrome,
You need a user account that has been discovered with both Active Directory user discovery and Azure Active Directory (Azure AD) user discovery. Simply put, this means that the user account should be a synced user object in Azure.
In addition, the user account will require the following permissions:
Admin User role for the Configuration Manager Microservice application in Azure AD. This role is assigned in Azure AD from:
Enterprise applications > Configuration Manager Microservice > Users and groups > Add user.
If you have Azure AD premium, groups will be supported.
The security of your network should be something of great concern. Especially in a world where cybercrime is increasing at an alarming rate. Having said that, we can begin to see why a hardware inventory in MEM feature could come in very handy.
Keeping track of all the hardware in your organization is no mean feat. Particularly for businesses that have also employed bring-your-own-device (BYOD) policies.
You need to have a system that can readily provide you with the necessary information on all devices. This helps your IT team to maintain high levels of network security, prevent breaches, and manage any potential issues that may arise.
By leveraging the hardware inventory feature in Microsoft Endpoint Manager, you can keep track of how devices are performing. The last thing your organization needs is to have computers worth tens of thousands of dollars operating at subpar levels.
With accurate information on hardware inventory, you can easily see how the devices in your organization are performing. You can then address any issues that may arise to ensure that productivity is optimized from top to bottom. If you are going to invest in expensive, high-tech devices, you need them to operate as they should.
Reduce overhead costs
Well-managed IT infrastructure can help your organization to reduce overhead costs. The ability to view hardware inventory in MEM is going to give IT a bird’s eye view of all your IT infrastructure. And this enables you to effectively manage all hardware from procurement till retirement.
Doing this will cut your costs by doing away with issues such as IT overspend and non-compliance. Working in this manner will fully optimize your productivity, as mentioned above, which all businesses will be happy with.
MEM’s view hardware inventory feature helps you to keep track of hardware from purchase, how it is used, and finally to its retirement. With this kind of actionable data readily available, it simplifies the decisions that you will need to make in the future such as new purchases, upgrades, and so on.
Moreover, you can easily keep track of contracts with vendors and thus know when to renew those contracts or make purchase orders. All these things add significant benefits to your business by increasing operational efficiency while minimizing risks.
Enhance IT efficiency
If there is anything that is abundantly clear from what your organization will gain from MEM’s view hardware feature it’s that it will simplify life for IT teams. Significantly. With the data available to them, it makes it far less likely for any issues to arise during audits. Also, it creates less workload by eliminating the need for manual tracking and scanning of devices. Your IT department will inevitably operate more efficiently by being able to easily keep tabs on all hardware.
Another key advantage of keeping track of your organization’s hardware is increased asset protection. Inventory data tells you not only how a device is performing but also where and by whom it was last seen on your network.
That information helps mitigate the risk of loss or theft. Using the view hardware inventory tool in MEM, your organization can easily stay on top of the work status of an asset, its last known location, and its disposition.
Better overall governance
Viewing hardware inventory is going to give you an increased degree of visibility. Because of the accurate data at your disposal concerning your IT infrastructure, you’ll have a better handle of key assets. Therefore, they are less likely to be misplaced, misused, or underutilized.
And so with all these advantages, it simplifies the process of coming up with more effective governance protocols. This is something that will hugely benefit the entire organization from top to bottom and not just your IT department.
Keeping track of assets
There’s no denying that keeping tabs on your hardware is just as important as the software management side of things. After all, technology is a huge investment for any business. And so how you keep track of your hardware will inevitably affect your bottom line.
Having real-time, accurate information about your assets goes a long way in the optimization of productivity. Not to mention enhancing the overall security of your business. Viewing hardware inventory in Microsoft Endpoint Manager is an incredible tool that should help your business become more efficient. The benefits are clear for us all to see.
It goes without saying that the year 2020, in particular, placed a new emphasis on the importance of remote work. Although a lot of organizations had already been exploring bring-your-own-device (BYOD) policies, that need is even greater today.
And so it’s not surprising to see technologies like Microsoft Intune take center stage in these discussions. Management of your remote workforce is a task that can get very complex and put your security at risk. This is why we need to look at what Microsoft Intune can offer and how remote device controls benefit you.
What does Microsoft Intune control?
Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It can control:
How devices such as laptops, tablets, and mobile phones are used within your organization,
The configuration of specific policies to control apps,
The use of personal devices for school or work, and enhance security by isolating organization data from personal data.
All these controls and more will improve overall device management and data security by employing strict access controls.
Use and secure multiple devices
One of the major benefits that your employees will get from Microsoft Intune is having a choice of device. They can easily enroll and register devices from a choice of several. And then they can install corporate applications on the chosen devices from the organization’s self-service portal.
The key thing, however, is that your IT team retains control over the devices that have access to the corporate network. Administrators are the people responsible for setting up compliance and enrollment policies. Therefore, your organization can maintain high levels of security and control over all devices, especially those of your remote workforce.
Limit employee access
Sometimes an employee who needs to check their email may decide to do so from a computer in a hotel lobby, for instance. Scenarios like this can cause serious security issues for your network. To counter this, Intune device compliance combined with Azure AD Conditional Access can block any device that is not under management from accessing corporate resources.
Remote device controls let you keep out any device that does not meet the criteria administrators have put in place. Access is then granted only to corporate-owned devices, BYOD devices that meet your compliance policy, and devices that satisfy any other criteria you set up.
Administer mobile devices
In a world where people are always on the go, your employees may inevitably at some point need to use their mobile devices. And Microsoft Endpoint Manager provides you with several options for administering managed devices. These include:
Microsoft Teams: a platform that promotes teamwork by chatting, meeting, and collaborating regardless of location.
Quick Assist: a Windows 10 app where two people can share a device over a remote connection.
TeamViewer: a third-party program that enhances remote access and support.
Remote Control: a feature that helps you to remotely administer devices and provide assistance.
By leveraging these tools, you can have remote device controls that give you a secure platform to administer devices.
Leverage Remote Control
Remote Control is a feature of Microsoft Endpoint Configuration Manager that you can use to remotely administer, provide assistance, or view any workgroup computer and domain-joined computer. This is something that enables IT professionals to connect and interact with a customer user session.
In addition to the remote assistance that IT can offer, the remote control viewer is also available on all operating systems that are supported for the Configuration Manager console. So instead of having to wait on someone to come in person and attend to an issue, IT can provide the necessary assistance remotely.
Enhance remote management
Microsoft has a habit of teaming up with great partners that can vastly improve the user experience for their clients. To assist IT in the remote administration of Intune devices, you can use a partner program known as TeamViewer.
The latter is a fast and secure remote management tool that will help your IT team to proactively monitor client endpoints, remote systems, and networks. This comprehensive set of remote access and support capabilities can simplify life for both IT and end-users. With its easy-to-use interface, TeamViewer helps members to remain connected from various locations.
Manage device actions
We all face challenges with our various devices from time to time. We can forget our passwords, lose devices, have them stolen, etc. With Microsoft Intune, however, you have less to worry about from these potential scenarios. And this is because your admins can remotely run device actions. From the Intune portal, it is possible to restart devices, reset passcodes, locate lost or stolen devices, and more.
Following on from the above point, once a device is stolen, goes missing, is no longer needed, or is being repurposed, you’ll need to remove it from Intune. Users can also use the Intune Company Portal to issue the necessary command to Intune-managed devices. You can choose to:
Wipe the device: this action restores the device to factory settings and can remove all data, apps, and settings.
Retire the device: this action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management.
Being able to perform these actions remotely helps to ensure that the wrong people don’t get access to corporate data and resources.
Remote device controls offer businesses a great degree of convenience that they previously did not have. The ability to access and manage system interfaces and files serves to create a better experience for both IT and end-users. No longer do users need to wait endlessly for assistance or IT to constantly worry about access and compliance. By using the remote control tools that Microsoft Intune delivers, organizations can improve the efficiency of their remote networks and still maintain high levels of security.
With cyber threats being such a huge problem, the last thing your organization needs is vulnerable security. And this can be worsened if malicious actors manage to disable your security.
So with that in mind, Microsoft introduced Tamper Protection to increase your organization’s security by making it significantly harder for cybercriminals to infiltrate your network.
It gives you a better security posture and allows your IT team to ensure greater protection over corporate resources. And so today we’re going to dive into what exactly Microsoft Endpoint Manager Tamper Protection is and what it can do for your organization.
What is Tamper Protection?
Microsoft Endpoint Manager Tamper Protection is a relatively new feature that was created to prevent potential attackers from making changes to the configuration of Microsoft Defender on Windows 10 clients. Therefore, this feature doesn’t allow malicious actors to disable features such as:
Removing security intelligence updates.
By blocking these actions, Tamper Protection keeps attackers from getting easy access to your data or installing malware. Without being able to do this, attackers can’t compromise your devices or exploit sensitive information.
The key thing that Microsoft Endpoint Manager Tamper Protection does for you is it locks Microsoft Defender Antivirus to keep people from making modifications to your security system. These modifications could otherwise be made through apps and methods like:
Configuring settings in Registry Editor on your Windows device
Using PowerShell cmdlets to make changes to settings
Using group policies to edit or remove security settings
However, Tamper Protection won’t stop you from seeing your security settings or affect how third-party antivirus apps register with the Windows Security app. For organizations using Windows 10 Enterprise E5, it’s the security team that will manage Tamper Protection and so individual users can’t change the setting.
How to enable Tamper Protection
Your IT admins can use Microsoft Intune to turn Tamper Protection on or off for all managed computers using the Microsoft Endpoint Manager (MEM) admin center portal. And to make changes to Microsoft Endpoint Manager Tamper Protection, admins will need to have permissions such as security or global admin. To have access to Tamper Protection, your organization should:
Have Intune licenses such as Microsoft 365 E5,
Have computers running Windows 10 versions 1709, 1803, 1809, or later,
Use Windows security with security intelligence updated to version 1.287.60.0 or later,
Have machines using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).
With all the requirements met, follow the steps below to get access:
Go to MEM admin center and sign in with the right credentials,
Select Devices and choose Configuration Profiles,
Create a profile with the characteristics below:
Once you turn on Tamper Protection, you should have no need to turn it off unless it interferes with other validated tools.
Tamper Protection for Configuration Manager
With version 2006 of Configuration Manager, you can leverage tenant attach to manage Tamper Protection settings on:
Windows Server 2016, and
Windows Server 2019.
Tenant attach allows you to sync your on-premises-only Configuration Manager devices into the MEM admin center. Following this, you can deliver endpoint security configuration policies to on-premises collections and devices. A few simple steps are all you need:
Go to the MEM admin center > Endpoint security > Antivirus,
Choose Create Policy,
You can now deploy the policy to your device collection.
Even with Microsoft Endpoint Manager Tamper Protection enabled, your admins need to have the ability to continually review your security posture. Otherwise, you won’t fully benefit if you cannot see the tamper attempts or report them.
To resolve this challenge, you can subscribe to the Microsoft Defender for Endpoint service. This will provide you with a dashboard that shows you all the security issues that you need to be aware of. These include flagged tamper attempts with all the necessary details to investigate further.
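As an added defender-side check that is not part of the article or of Microsoft's own documentation, the PowerShell script below reports whether Tamper Protection is on, whether any of the Defender settings reachable through the Registry, PowerShell cmdlets or group policy have been weakened, and how many blocked tamper attempts Defender has logged in a lookback window. It assumes the Defender PowerShell module and the Defender operational event log are present; the event ID 5013 and the meaning of the TamperProtection registry value are assumptions to verify against your build.

```powershell
# Added example: audit Tamper Protection posture on a Windows 10 client.
# Not from the original article. Assumes the Defender PowerShell module
# (Get-MpComputerStatus / Get-MpPreference) and the Defender operational
# event log are available. Event ID 5013 and the registry value meanings
# are assumptions to verify against your build.

function Get-TamperProtectionPosture {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24
    )

    # 1. Status as reported by Defender itself.
    $status = Get-MpComputerStatus
    $tamperProtected = [bool]$status.IsTamperProtected

    # 2. Cross-check the flag Defender writes to the registry (read-only while
    #    Tamper Protection is on). Assumption: 5 = enabled, 4 = disabled.
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name 'TamperProtection' `
                    -ErrorAction SilentlyContinue).TamperProtection

    # 3. Settings that are typically flipped through the Registry, PowerShell
    #    or GPO; all of them should be $false on a healthy client.
    $prefs = Get-MpPreference
    $weakenedSettings = @(
        'DisableRealtimeMonitoring',
        'DisableBehaviorMonitoring',
        'DisableIOAVProtection',
        'DisableScriptScanning'
    ) | Where-Object { $prefs.$_ -eq $true }

    # 4. Blocked tamper attempts Defender logged within the lookback window.
    #    Assumption: event ID 5013 = "Tamper protection blocked a change".
    $since = (Get-Date).AddHours(-$LookbackHours)
    $tamperEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        IsTamperProtected   = $tamperProtected
        RegistryFlag        = $regValue
        WeakenedSettings    = @($weakenedSettings)
        BlockedTamperEvents = $tamperEvents.Count
        RecentEventMessages = @($tamperEvents | Select-Object -First 5 -ExpandProperty Message)
        Healthy             = $tamperProtected -and (@($weakenedSettings).Count -eq 0)
    }
}

# Run the check for the last three days and surface anything worth investigating.
$posture = Get-TamperProtectionPosture -LookbackHours 72
$posture | Format-List

if (-not $posture.Healthy) {
    Write-Warning "Tamper Protection is off or Defender settings are weakened on $($posture.ComputerName); investigate."
}
if ($posture.BlockedTamperEvents -gt 0) {
    Write-Warning "$($posture.BlockedTamperEvents) blocked tamper attempt(s) in the last 72 hours; review the event messages."
}
```

Run it elevated; a client where Healthy is false or BlockedTamperEvents is non-zero is the case the Defender for Endpoint dashboard mentioned above is meant to surface centrally.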
Using third-party security tools
Although Microsoft Endpoint Manager Tamper Protection can work with third-party security tools, some of these can make changes to security settings. By using real-time threat information, Tamper Protection can assess the potential risks of software and suspicious activities. Ideally, your IT admins should update your security intelligence to version 1.287.60.0 or later. And this action will protect the system security settings in the Registry and log any attempts to modify those settings without generating errors.
What about endpoint management tools?
As for endpoint management tools, you can use them with Microsoft Endpoint Manager Tamper Protection. With limits, of course. Admins retain the possibility of establishing a centralized setting for Tamper Protection using management tools.
However, other tools/platforms cannot change settings that are under the protection of Tamper Protection. For that, admins would require Windows Security to manage those.
If you have a Windows enterprise-class license or computers running Windows 10 Enterprise E5, you need to opt into global Tamper Protection. Below are some unified endpoint management platforms that cannot override Tamper Protection:
System Center Configuration Manager,
Windows System Image Manager configuration,
Any other Windows Management Instrumentation tools and administrative roles.
The key to staying ahead of cybercriminals is a continual upgrading of existing security features. And this is precisely what Microsoft is doing with Tamper Protection. With this feature, you can address one of the potential areas of weakness in your security infrastructure. You can prevent unwanted visitors from disabling critical security features.
Since Microsoft Endpoint Manager Tamper Protection was specifically designed for enterprise environments, it is ideal for enhancing organizational security and making your organization less vulnerable to attack. Class-leading security has become a necessity for all of us and features like this can play a massive role in safeguarding our enterprises.
Information is key for any business to function optimally. That is why there has been such a massive increase in the use of big data during the last decade. But, this information is not only that which you can obtain externally, it’s also information concerning your internal operations. And this is where Microsoft’s Product Lifecycle Dashboard enters the fray.
It simplifies the way your organization functions by providing you with information concerning all the products that you have installed on devices that are managed by Microsoft Endpoint Configuration Manager. This is a fantastic feature that has had some improvements added to it and that is what we’ll be going over below.
Microsoft has made a few changes over the years and from version 1806 you’ll now be able to use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. So what exactly does this ‘dashboard’ do?
The Product Lifecycle Dashboard is a tool that shows you the state of the Microsoft Lifecycle Policy for Microsoft products installed on devices managed with Microsoft Endpoint Configuration Manager.
Not only that, but you also receive data concerning the various Microsoft products in your environment, supportability state, and support end dates. Therefore by using both Asset Intelligence and the Asset Intelligence Synchronization Point, the dashboard can give you a clear overview of the lifecycle of each product.
By using the dashboard, you can easily find out what support is available for each product. With this information in hand, it will allow you to plan accordingly and update all products before their support expires. And then from version 1810, the dashboard also adds information for System Center 2012 Configuration Manager and later.
What are the requirements?
As a product continues to improve, the requirements to use that product will also expectedly change. For you to see data in the product lifecycle dashboard, you need the following:
Internet Explorer 9 or later
You need to install and configure a service connection point role. And the latter must be online or synchronized regularly if offline.
For hyperlink functionality in the dashboard, you need a reporting services point.
You need to configure and synchronize the asset intelligence synchronization point.
Using the dashboard
This tool is designed to make it easier for your organization to have access to up-to-date data about the products that you are using. By leveraging the inventory data that the site collects from managed devices, the dashboard displays information about all current products. However, not all versions are supported: for operating systems and SQL Server, information is displayed only for Windows Server 2008 and later, Windows XP and later, and SQL Server 2008 and later. To access the lifecycle dashboard in the Microsoft Endpoint Configuration Manager console:
1) Go to the Assets and Compliance workspace,
2) Expand Asset Intelligence,
3) Select the Product Lifecycle node.
What else do you get?
From SCCM version 1902 onward, clients will also get information for installed versions of Office 2003 through Office 2016. This data is available after the site runs the lifecycle summarization task, which occurs every 24 hours. In addition, you can benefit from the dashboard even if you don’t have Configuration Manager: you can use Azure Monitor Logs to provide a dashboard to help with managing the supportability of your environment.
Taking a simple look at your dashboard will allow you to see any products that need to be updated urgently. When you have several computers to deal with and you need to know which ones need upgrades, all you need to do is click on the hyperlinks found in the Number in environment column and that will show you a report.
And doing this will direct you to the Lifecycle 01A – Computers with a specific software product report. This is a huge improvement when you consider that in the past you had to investigate problem clients individually to find out whether or not an upgrade was needed.
Reports in the product lifecycle set
In addition to the dashboard, there are further reports available. You’ll find these in the Microsoft Endpoint Configuration Manager console by going to the Monitoring workspace and expanding Reporting. The new reports, which are found under the Asset Intelligence category, are as follows:
Lifecycle 01A – Computers with a specific software product: You can see a list of computers on which a specified product is detected.
Lifecycle 02A – List of machines with expired products in the organization: This report, which you can filter by product name, shows you all the computers which have expired products on them.
Lifecycle 03A – List of expired products found in the organization: View details for products in your environment that have expired lifecycle dates.
Lifecycle 04A – General Product Lifecycle overview: Here you can see a list of product lifecycles and filter the list by product name and days to expiration.
Lifecycle 05A – Product lifecycle dashboard: From version 1810, this report will have similar information as the in-console dashboard. All you have to do is choose a category to view the count of products in your environment as well as the days of support remaining.
Every organization needs products that will help them to optimize their time. And as the number of available products increases, the choice of which product to go for becomes harder. Microsoft’s Product Lifecycle Dashboard gives your business many benefits that businesses have needed for a long time.
Reduce the time you spend trying to keep track of all the products you have installed on countless devices with a simple, easy to use dashboard. If you’re looking for a tool that gives you a more efficient way of device management, then the Product Lifecycle Dashboard is one that is certainly worth a look.
For years, IT departments have worked by having each IT professional take responsibility for a specific area. Now, however, as technology continues to evolve, you’ll find the responsibilities overlapping from one role to another. And it’s because of situations like these that we need to be reconsidering certifications across the board.
As a business, you should be looking at what changes you can make. How can you equip your IT team to become more efficient at what they do? Are there any tech companies offering potential solutions to these challenges?
Understanding key concepts
The first thing we need to do is to clear up the confusion surrounding some of these concepts so that we’re on the same page. When we talk of certification, this refers to an independent evaluation of knowledge and/or skills.
Essentially, what this means is assessing an individual to see if they have the necessary skills, and how they got them doesn’t matter. Because of this, an individual that has acquired certain knowledge and skills should be able to get certification without the need to undergo training. And quality certification is demonstrated only when:
The identity of the individual can be verified beyond any doubt,
The work has been checked to ensure that it was done by the person that submitted it,
Taking a prescribed learning path is not necessary to pass the exam,
The evaluation process has been proven to be psychometrically sound.
The difference between certification and a certificate is that the latter is what you receive on completion of a training program. Therefore, in this instance, you’ll need to take part in training after which an assessment will be carried out.
Microsoft is making changes
As already mentioned above, the complex nature of the responsibilities facing IT professionals is rapidly increasing. So to better equip your IT teams and have them operate effectively, Microsoft has made some rather significant changes. By now, most people are aware that Microsoft Technology Associate (MTA) certifications and exams are reaching the end of the road.
The reason that Microsoft has given for retiring these is that this change will help students build the technical skills they need to keep pace and succeed in emerging jobs. How? By redesigning the certifications in such a way as to align with industry and hiring trends. The recommendation is for people to start moving to the new certifications in anticipation of the retiring of MTA certifications by June 2022.
The exams listed below are the ones that will be retired:
Database Administration Fundamentals
HTML5 Application Development Fundamentals
Introduction to Programming Using HTML and CSS
Introduction to Programming Using Java
Introduction to Programming Using Python
Mobility and Devices Fundamentals
Software Development Fundamentals
Windows Operating System Fundamentals
Windows Server Administration Fundamentals.
What is an MTA certificate?
An MTA certificate is an entry-level certification for anybody who wants to start a career in the IT industry or is thinking about changing their career to one in the IT industry.
The targets for this certification are beginners, IT generalists, and students lacking technical experience or specialization. The certification is an online-based program where people can learn new material and demonstrate their skills.
The MTA exams, which are part of the MCP program, can help beginners to boost their career progression and function as a springboard to getting advanced certifications such as MCSD, MCSE, and MCSA.
The way forward
With the above changes coming into place, students and educators alike will be wondering where they go from here. And Microsoft offers us fundamentals certifications as the place to start. The certifications you’ll find are the ones below:
Microsoft Certified: Power Platform Fundamentals
Microsoft Certified: Azure AI Fundamentals
Microsoft Certified: Dynamics 365 Fundamentals Customer Engagement Apps (CRM)
Microsoft Certified: Dynamics 365 Fundamentals Finance and Operations Apps (ERP)
Microsoft 365 Certified: Fundamentals
Microsoft Certified: Azure Fundamentals
Microsoft Certified: Azure Data Fundamentals
Microsoft Certified: Dynamics 365 Fundamentals
Microsoft Certified: Security, Compliance, and Identity Fundamentals
The above certifications should enable students to validate foundation understanding with mixed concepts and applied learning of Microsoft technologies. With these certifications, you can easily proceed to role-based training and certifications across emerging and in-demand career areas. These include but are not limited to Microsoft 365 and Dynamics, Power Platform, and Microsoft Azure.
Reasons for these changes
The modern business environment and its various problems are making greater demands on IT professionals. Because of this, it’s now very common to find responsibilities completely ignoring traditional role boundaries.
For example, when looking at the roles at Microsoft, you can often find Azure solutions architects performing some of the responsibilities of Azure data engineers, enterprise admins, and Azure admins. And this overlapping of responsibilities is visible in many different roles.
Consequently, if you’re a security administrator, for instance, you also need to be familiar with the responsibilities of enterprise admins, Azure solutions architects, and messaging administrators. Furthermore, roles work with various technologies so you’ll also need to familiarize yourself with a broad range of technologies to operate successfully in these roles.
Transitioning to role-based certifications
From the reasons stated above, it is becoming clearer as time goes on that changes need to be made. The current approach has worked well for decades but now the industry is evolving, and it is doing so at a very fast pace. And according to Microsoft, there has been plenty of feedback from its customers and other partners that have inspired this shift from product-centric certifications.
With role-based certifications, you’ll get a program that covers many different technologies instead of focusing on a single product in isolation.
Therefore, the new certification program is designed to offer credentials and skills that are tailor-made for jobs and areas of responsibility that are in-demand. So these role-based certifications will validate the skills that technical professionals at beginner, intermediate, and advanced level learn in any of the following job roles:
Taking your business forward
All businesses need to put themselves in a position to carry out digital transformation. And you need to be able to do this effectively. But, without the necessary skills to carry out the process, most organizations will face great difficulty when it comes to ensuring their IT infrastructure can meet their business needs.
This is why it’s crucial to reconsider the training of your IT personnel and in particular their certifications. The current way of training your IT personnel is beginning to lag behind and that could have huge repercussions in the future. With the right sets of skills available to you in-house, you can vastly simplify tasks such as digitally transforming your data centers, migrating workloads to the cloud, app development, and data integration.
New skills development methods
The changes that Microsoft is bringing in should enable the certifications program to remain current. By doing this, it will fully equip IT professionals with the knowledge and skills they need for the latest Microsoft technologies as well as those technologies that Microsoft Certified Professionals use every day.
Leveraging up-to-date certifications from technology vendors is extremely important if your organization is to retain IT professionals with the skill set to build a successful IT organization.
When considering certification programs you’ll need to look at a few things such as whether the skills on offer are evolving with technology, whether the program is relevant to your business’ needs, and whether the program will include performance-based testing among other things.
What does this mean for other certifications?
Microsoft will stop offering MTA licenses for purchase on June 30, 2021 and you’ll have until June 30, 2022 to register and take the exam. So if you pass the exam by the deadline date then you’ll earn the certification.
However, if you need to retake a failed exam after the deadline for purchasing passes, you may not be able to do so unless you have an additional purchased voucher. And for those that are pursuing exams that are retiring, you can still earn your certification provided that you pass the required exam before it expires.
Also, Microsoft won’t allow you to trade in your MTA voucher for another exam so you’ll have to make sure that you make use of it before it expires.
Furthermore, you don’t need to worry about the MTA certification that you already have because they will remain on your certification transcript and will be printable even after the exams retire. Two years after the retirement of the certifications, they will be moved to the Certification History section of your transcript.
Steps to take
Now that you know what role-based certifications are, what steps will you need to take in order to start?
Choose a learning path depending on your current role or the one you aspire to. Then, prepare for the exams with a series of courses through online learning, books, instructor-led training, etc. To check your progress, there are practice tests that you can take to assess your strengths and weaknesses.
Plan for the exam. You’ll need about 3 hours, including 30 minutes for the introduction, instructions, and comments. You can expect 40–60 questions, and, since your job is hands-on, the exams will be, too. The idea is to test you on real-world situations that you will potentially face in your day-to-day activities.
When all is said and done, you should be able to fully demonstrate the knowledge and skills you have learned in order to attain your certification.
Why Microsoft certifications?
A lot of people will understandably not be too thrilled about all these changes that are taking place. So the question they will need answers to is why should they be concerned about Microsoft certifications anyway?
Well, with Microsoft certification, you can easily demonstrate your expertise, prove your skills, and thus place yourself at a great advantage as an IT professional. As a Microsoft certified professional, you can expect to receive higher recognition of your skills due to validation.
Also, 23% of IT professionals that are certified by Microsoft will earn 20% more. And if that’s not enough, up to 49% believe that having cloud certifications will increase your employability. Therefore, if the knowledge and skills alone are not enough to get you to consider Microsoft certifications, then the other potential benefits should.
For an organization to grow, you need to perform consistently at a high level. And this is what Microsoft’s role-based certifications aim to offer. You need to have IT professionals that will consistently outperform other colleagues across all roles.
As the cliché goes, time is money. So if you can have highly-skilled IT professionals, they can save you plenty of time on tasks such as setting up infrastructure, determining the scope of impact of security issues, and designing and implementing Microsoft 365 services to name a few.
Therefore it’s easy to see how certifications that focus on the broad responsibilities of the various IT roles can be of immense value to your organization.
The success of your organization may very well hinge on the skill and expertise of your IT department. In a fast-paced business environment, you need IT professionals that are capable of leveraging new technologies to boost productivity. And this is what Microsoft role-based certifications are all about.
The goal is to equip your IT professionals with all the knowledge and capabilities required to execute their day-to-day tasks. So rather than having individuals who are great with specific technologies, you can now get a group of people who are experts at performing across a wide range of responsibilities and technologies.
Gaining even the slightest advantage over your competitors can make a massive difference to the success of your business.
With so much technology available, you need to choose the right solutions for the growth of your organization. Windows Autopilot is a collection of technologies that helps you to make better use of your time. It does this by helping you to pre-configure new devices and thus reducing the time to productivity.
So, not only is this going to simplify the operations of your IT department, but it will also empower your employees. Below we’ll go over the top 10 benefits of Windows Autopilot to your business.
There are few better ways to enhance your productivity than by having new devices ready for business straight off the shelf. Any new Windows 10 devices that have been pre-enrolled in the Windows Autopilot program will be ready to use on arrival with zero-touch and no involvement from your IT team. When a user takes possession of such a device, all they’ll need to do is turn it on, connect to a network, and then wait a little.
2. No OS re-imaging
This part of setting up new devices is one that has always taken up a significant amount of time. With IT departments having to manually install apps and drivers, manage infrastructure, and set policies, the process took relatively long. But, Windows Autopilot does away with all that. By using a smart and easy pre-configuration, all of this becomes an automatic process. Once you have set up an Autopilot profile in Microsoft Intune, all the Windows devices that you have under that profile will have these settings applied.
3. Customize OOB experience
To save time, Autopilot allows you to customize the out-of-the-box experience (OOBE) in advance. All you need to do is set your organization’s preferences. And this will simplify things for end-users by eliminating entire sections during setup that previously required manual input. So now they’ll be able to get through the setup process much faster and with a lot less hassle. With this kind of capability, you can ship devices directly to end-users and they’ll be up and running in no time.
4. Enrollment status
Bypassing IT when setting up devices is something that will understandably concern some people. However, Autopilot has an enrollment status feature to alleviate those concerns. What this feature does is to ensure that a device is fully configured, compliant, and secure before the end-user gains access. That way, IT still gets to assess devices, make sure that they are properly set up, and resolve any errors when issues arise.
5. Independent of MDM
Can you use Autopilot if your organization doesn’t use Microsoft Endpoint Manager/Microsoft Intune? The answer is yes, you can. Any MDM will work with Autopilot, but for an optimum experience with all the features, Intune would be best. So for any business that prefers non-Microsoft technologies, you can still reap the benefits that Autopilot offers. You may be missing out on this fantastic technology because of some of the misconceptions that people have.
6. Available for existing devices
This is another area that often requires clarification, as some existing devices can qualify. To be specific, devices running Windows 10 version 1809 and above can also benefit from Windows Autopilot for existing devices. IT staff can now facilitate processes like Windows 7 to Windows 10 migration through Autopilot by using a ConfigMgr task sequence followed by Autopilot user-driven mode.
7. Simple redeployment
Occasionally, certain devices will need to be given to new users or repurposed entirely. Autopilot makes wiping a device a simple process that you can do in minutes. And once that is done, you’ll have a device back in OOBE status and ready to be handed over to someone else. This new user will receive the device with the specific configurations that they need already in place. By making resetting devices this easy, Autopilot further empowers IT teams and enhances their productivity.
8. Avails latest technology
By pre-configuring devices, Autopilot enables end-users to immediately gain access to the latest versions of essential tools. These include Microsoft technologies such as Teams, Word, PowerPoint, Excel, etc. And so without the need to wait on IT, end-users will have all the essential apps they need with all the necessary settings already applied. Furthermore, you no longer need to worry about third-party bloatware that is often a nightmare to deal with.
9. No maintenance of images and drivers
Custom images require a significant time investment to create and maintain. And they will need you to wipe every single device that your organization acquires. Undoubtedly, they place a lot of work on the schedules of your IT people. With Autopilot, however, these custom images become unnecessary. All you have to do during provisioning is to get in touch with the manufacturer to get the device ID.