Author Archives: Thomas.Marcussen

About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

Windows 365: What You Should Know

Posted on by
6

When Windows 365 unveiled by Redmond at its Microsoft Inspire 2021 event in July, there was expectedly a lot of buzz around it. And as with most major announcements, there were a lot of questions mixed in with the excitement. Additionally, those initial questions only seemed to inspire more speculation than clear answers. Until now.

With the launch of Windows 365, clients can start to look into what exactly Microsoft is offering and why today’s businesses need it. You can now take Windows 10 or eventually Windows 11 with you on your travels, wherever those may lead.

As the workplace environment continues to evolve, this capability offers businesses a better solution to some of the challenges they have been facing. So, with that said, let’s take a deeper look into Windows 365.

Getting set up with Windows 365 Business

You’ll have to start by accessing the virtual operating system and acquiring Windows 365 licenses. To do that, go to the admin center in the Microsoft 365 account, navigate over to the ‘Billing’ section, and select ‘Purchase services’. Once there, proceed to select the configuration that is most ideal for your needs. You can then complete the ordering process as you would when purchasing other Microsoft services.

With that done, head back to the Microsoft 365 admin center console and begin assigning licenses to users. Go to the ‘Users’ section, and select ‘Active users’. From here, you can assign users in your organization a Windows 365 deployment.

For each user, select ‘Licenses and apps’ on their profile. Next, assign a Windows 365 license and then save the changes. After this, users can start using Windows 365 by going to the Windows 365 web portal and logging in with their details.

Windows 365 Enterprise

For the most part, the process for setting up the Enterprise version is not a lot different. But, because this version has extra features and tools that the Business version does not have, the process does have some variations.

To start, confirm purchases and assignment of the licenses. You’ll need an on-prem network connection to create Cloud PCs, join them to your domain, and allow you to manage them via MEM.

After that, create a group policy in the Microsoft 365 admin center. Then, choose an image and select the Windows 10 Enterprise version. Then assign the Azure AD group to apply to the provisioning policy. After this, you can save these settings and create the policy.

It’s at this point that the Azure AD group members you’ve successfully assigned to the policy will directly receive the Cloud PC licenses that you add. The Cloud PCs will need about 30 minutes before they are ready to use. And then, just like the process for the Business edition, users can start using Windows 365 by going to the Windows 365 web portal and logging in with their details.

Plans and pricing

Over the last few weeks, this topic has been hot, generating great interest. Despite all the information about Windows 365 that Microsoft had made public, one key area remained unaddressed. But now, with the product launch official, that confusion is gone.

There are two subscription options on offer, Windows 365 Business and Windows 365 Enterprise. The former is targeted at companies with no more than 300 employees. The latter is best suited for larger organizations. However, they both share the same range of features with a total of twelve Windows 365 cloud PC configurations to choose.

At the lower end, is a subscription ideal for frontline and call center workers that costs $20 per user per month. On offer is 1vCPU, 2GB RAM, and 64GB storage. This is likely adequate for the lightweight computing tasks that this group performs.

And at the other end of the pricing spectrum, you get support for 8vCPU, 32GB of RAM, 512GB of storage, and 70GB of outbound data as an option. This will cost $158 per user per month. And it’s for users who perform compute-heavy tasks.

The pricing and configuration options are consistent across both Windows 365 Business and Enterprise.

The launch has gone well

If the first few days after the launch are any indication, then Microsoft may potentially have a winner on their hands. As expected, there were doubts about whether clients would be interested in Windows 365 when they already had Azure Virtual Desktop. But, the demand for free trials was so overwhelming that Microsoft had to press pause. After only a single day of sign-ups, the service reached maximum capacity. 

Microsoft has had to come out and address the situation. “Following significant demand, we have reached capacity for Windows 365 trials,” reads a statement from the Microsoft 365 Twitter account. “We have seen an unbelievable response to Windows 365 and need to pause our free trial program while we provision additional capacity,” explains Scott Manchester, director of Windows 365 program management. It obviously would be far too premature to call Windows 365 a success. However, if it delivers as promised, then we can expect interest in the service to grow even more.

Business or Enterprise?

As already mentioned, Windows 365 has two versions on offer, Business and Enterprise. But, is the difference as simple as one is targeted at smaller businesses and the other at larger organizations? Truth is, it’s a little more than that.

Windows 365 Business is the simpler version of the two. And it’s ideal for businesses with no more than 300 users. Because everything aligns with Azure AD natively, and all the components run in the Microsoft cloud, prerequisites are simple. There are no technological prerequisites. And there is no need for an Azure subscription or a domain controller.

Windows 365 Enterprise, meanwhile, is best for larger organizations. Additionally, it offers a wider range of tools and features for maintenance and security. As a result, it’s more complex and requires greater technical expertise to deploy and manage. Features that come with the Enterprise version include the following:

  • self-serve upgrades
  • universal print integrations
  • partner and programmatic enablement
  • custom images and image management

Impact of Windows 365

Windows 365 is designed to be a simple, secure, and versatile solution that can transform your IT operations for the better. It utilizes the power of the Windows operating system and the strength of the cloud to offer businesses greater peace of mind in three key ways:

Powerful: Users can instantly boot on to their personal Cloud PCs to stream apps, data, tools, and settings from the cloud and across any device. This will give you the full PC experience in the cloud. And because of the capabilities of the cloud, you’ll get versatility in processing power and storage and this enables IT to scale up or down, based on their needs.

Simple: Windows 365 provides an all-around simplified cloud computing experience. Users can log in and pick up right where they left off across devices. And for IT pros, deployment, updates, and management are a lot less complicated to perform. Mostly because Windows 365 doesn’t require any virtualization experience.

Since the service is optimized for the endpoint, it makes the job easier for IT to procure, secure, deploy, and manage Cloud PCs for their companies just as they manage physical PCs through Microsoft Endpoint Manager.

Secure: By leveraging the power of the cloud as well as Zero Trust, Microsoft has made Windows 365 a highly secure platform. This enables businesses’ data to be kept secure on the cloud and not on devices.

Additional user information

Before signing up for Windows 365, there are a few things that clients need to be aware of. Things that they can and cannot do. For instance, you only get allowance for 1 user per license and so there is no support for multiple users on a single Cloud PC.

Another thing is that if you need to cancel your Windows 365 subscription, all you need to do is go to the Microsoft 365 admin center. However, you should know that when you cancel a subscription, all associated data will be deleted.

If you are an Enterprise client and you want to upgrade to another Windows 365 plan, use the Resize feature to upgrade the RAM, CPU, and storage size to meet the users’ needs. This can be a great benefit for users who may need a more powerful Cloud PC to run CPU-intensive apps.

On the other hand, though, you cannot as yet perform a downgrade. Also, if you have a Windows 365 Business license, you cannot convert it to Windows 365 Enterprise. The only viable way around it would be to purchase the Enterprise license.

Hybrid benefit

Microsoft also offers another feature known as Windows Hybrid Benefit that is meant to make the Windows 365 experience even better. The former is a licensing benefit that helps reduce the cost of Windows 365 Business. In actual figures, what Windows Hybrid Benefit offers clients is a discount of up to 16 percent. And this will apply to your Windows 365 Business subscription for clients that are already using Windows 10 Pro on a device.

Therefore, Windows Hybrid Benefit is a feature that you have access to if you have devices with valid Windows 10 Pro licenses. A couple of things are necessary from all users that are assigned a Windows 365 Business license with a Windows Hybrid Benefit license:

  1. The user must be the primary user of a Windows 10 Pro licensed device,
  2. The device in question needs to be their primary work device.

However, you’ll need to maintain your discounted pricing during the subscription term in which you access the Windows 365 service. And to do that you must access the service from your Windows 10 Pro licensed device at least once during that term.

What about Microsoft partners?

Over the years, Microsoft partners have played a key role in the delivery of Microsoft services to clients across the globe. The broad range of products and services in Microsoft’s portfolio translates to partners having the power to build innovative, industry-specific solutions. And Windows 365 intends to continue that trend.

The new Cloud PC offers Microsoft partners plenty of opportunities to deliver new Windows experiences in the cloud. Whether you’re an independent software vendor (ISV), managed service provider, or an original equipment manufacturer, there are opportunities to take advantage of.

Businesses still need systems integrators and managed service providers to get the best from their Microsoft products. ISVs can still create Windows apps that can enhance how businesses operate while OEMs have the opportunity to better integrate Windows 365 into their wide array of products and services. By doing this, Microsoft partners can facilitate the creation of innovative, new ways of doing business that can bring about digital transformation. Therefore, the decades-long partnership that has benefited clients so immensely will not be ending.

Conclusion

Microsoft is looking for ways to constantly improve the work experience by leveraging the power of the cloud. And with Windows 365, the idea is to provide employees with technology that is secure, efficient, and easy to use. All this while enabling employees to remain productive anywhere and using any device.

Also, by giving users a familiar experience and IT simple processes for managing and deploying Cloud PCs, this cloud-based service will optimize IT operations for everyone. However, as a recently launched service, only time will tell how exactly and to what extent Windows 365 will affect the way businesses operate.

Once most clients have had an opportunity to use and review it, then conclusions can be made. But, the early signs point towards a positive, modern transformation that will boost most businesses.

Microsoft Launches Windows 365

Posted on by
1

An argument could be made that the need for tools that not only simplify but improve remote work has never been greater than it is today. In an increasingly connected world, leveraging cloud computing can be the answer to a lot of the challenges that businesses are currently facing.

With Windows 365, Microsoft is aiming to improve on existing technologies to make the cloud experience even better. By enabling the computing to be done remotely in a data center and then streamed to users’ devices, Microsoft can offer something that can be compared to game streaming.

As a new way of using a computer as hybrid Windows for a hybrid world, there’s plenty that we need to look into.

What are we looking at?

Just when people were thinking that Windows 10 would be the last in the line of Windows versions, Microsoft gives us another one.

A platform that in Microsoft’s own words is going to take the operating system to the Microsoft cloud and stream the full Windows experience to personal or corporate devices.

This will include settings, data, and apps. It’s what Microsoft calls the Cloud PC. Simply put, this is a service that allows business clients to access cloud PCs from anywhere.

So technically speaking, we should not look at this service as a new version of Windows. Rather, we should take it for what it truly is — a platform that is designed to stream the full experience of Windows 10 or 11 to any browser.

Regardless of which operating system your device may be running. If we are to consider how Microsoft’s Software-As-A-Service (SaaS) model has evolved over the last decade, this move was probably going to be the next step.

Launch date

The announcement from Microsoft was made on the 14th of July and in that statement, it was made known that we should expect Windows 365 on the 2nd of August. This, however, will be for businesses. Chances are that at some point, Microsoft may eventually avail the service to consumers and small shops — sole proprietorships.

Giving clients virtual PCs

By providing this service, Microsoft can potentially cut partners out and provide virtual PCs directly to its clients. Rather than only offering operating systems, applications, productivity suites such as Microsoft Office, etc. Windows 365 can give Microsoft an even bigger slice of the pie. Because of the massive cloud system available with Azure servers, Microsoft won’t have a problem running virtual machines.

This can provide a great tool for the evolution of the Desktop-As-A-Service (DaaS) offering. As Microsoft CEO Satya Nadella said in a statement, “Just like applications were brought to the cloud with SaaS, we are now bringing the operating system to the cloud, providing organizations with greater flexibility and a secure way to empower their workforce to be more productive and connected, regardless of location.”

How does it work?

According to the information that has been made available so far, we know that there will be two versions of Windows 365 — Business and Enterprise. Both of these will be powered by Azure Virtual Desktop. Users will be able to use Windows 365 on any modern web browser or through Microsoft’s Remote Desktop app.

What this means is that users can gain access to their Cloud PC from a variety of devices. In a statement by one of Microsoft 365’s general managers, Wangui McKelvey, he says, “Windows 365 provides an instant-on boot experience.”

This capability simplifies how users can easily stream their Windows sessions. And Windows 365 enables them to do that with all of their same apps, tools, data, and settings across Macs, iPads, Linux machines, and Android devices. As McKelvey goes on to explain, “You can pick up right where you left off, because the state of your Cloud PC remains the same, even when you switch devices.”

Advantages to businesses

Windows 365 can enable your businesses to create Cloud PCs within minutes and assign them to employees. And this can be done without the need for expensive, dedicated physical hardware.

Without a doubt, this could prove to be a very attractive option for plenty of businesses. Especially those that may need to hire remote workers or even temporary contract staff that need to securely access a corporate network.

Because your entire Windows PC is in the cloud, your employees can work comfortably on a very secure platform. Furthermore, they won’t need to navigate VPNs or worry about security on personal devices.

Other advantages that you can get include lower maintenance costs, better protection against cyberattacks and malware, faster provisioning, less downtime in case of cyberattacks, easier patching, and far less disruptive updates.

Licensing concerns

Expectedly, clients are going to have some concerns with regards to how this will affect their current licenses. Will you have to pay more, for potentially the same services? The way Microsoft puts it, that’s not what will happen.

For instance, if you already have a Microsoft 365 E3 license, then you have paid for that service and you won’t need to do so again. This means that you can continue to use the software you have paid for and that includes Windows 10.

When it comes to Windows 365 licenses, what you’ll need to pay for is access to the virtual PC service. The latter will be maintained by Microsoft on its vast network of servers with the aim of running the software that you already have.

In a way, you could consider it similar to purchasing a computer and then purchasing the operating system and applications that you need. As a new offering, things are still hazy but hopefully, Microsoft will further clarify the concerns and confusion that people may have.

One thing that we do know are the licensing requirements and they are as follows:

  • On Windows Pro endpoints: Windows 10 Enterprise E3 + EMS E3; or Microsoft 365 F3, E3, E5 or BP (Business Premium),
  • On non-Windows Pro endpoints: Windows VDA E3 + EMS E3; or Microsoft 365 F3, E3, F5, or BP (Business Premium).

In addition, you also need to know the non-licensing requirements:

  • Azure subscription,
  • Virtual Network (vNET) in Azure subscription,
  • Hybrid Azure Active Directory (AAD) join-enabled.

Cost of service

With the licensing issues out of the way, clients need to know just how much they will need to pay to use Windows 365. Unfortunately, despite the service launching so soon, Microsoft has yet to officially provide a guideline with regards to how much clients will pay. But, during a session at its Inspire partner conference, Microsoft did inadvertently mention how much Business plans would cost. And that came down to $31 per user, per month.

For this, you will get support for 2 CPUs as well as 4GB of RAM and 128GB of storage. However, it is worth noting that we can expect at least one other plan that will cost less. Clients can look forward to having an option for 1 PC, 2GB of RAM, and 64GB storage, aimed at small businesses.

Furthermore, there will also be Enterprise plans that can offer support for 4 or 8 different PCs, in addition to 8/16/32 GB of RAM and 128/256/512GB of storage. For now, however, clients can only guess how much they will have to fork out to access these plans.

Enhancing the capabilities of hybrid work

The global pandemic has changed the way that enterprises look at some of their business practices. With people having had to spend long periods of time at home, businesses had to increase their dependence on virtual processes and remote collaboration. It was necessary to keep businesses running and retain employees.

Although the situation is getting under control in several regions across the globe, the way businesses operate may potentially change. With Windows 365, businesses can tackle head-on the challenges that cloud computing and remote work has often presented.

Organizations will be able to provide employees with greater flexibility and more options to work from different locations. All of this while still ensuring the security of the organization’s data. This is because by taking advantage of the Cloud PC, you get hybrid personal computing that can turn all of your devices into a personalized, productive, and secure digital workspace.

Having this capability will simplify the process of managing seasonal workers without the challenges of issuing new hardware or securing personal devices. As said by Microsoft itself, Windows 365 offers you a better, more modern way to deliver a great productivity experience with increased versatility, simplicity, and security.

Are we getting two Windows versions?

As mentioned above, most people were of the belief that Windows 10 would be the last version we would get. And then in June, Microsoft announced Windows 11. Barely a few weeks after that announcement, along came Windows 365. So not one, but two new versions? But, it’s not quite as simple as that.

Windows 11 is the actual successor to Windows 10. It’s a new operating system packed with new features such as a brand new Start menu that no longer uses Live Tiles. It also comes with new system requirements such as CPUs based on the x64 architecture since there is no 32-bit version of Windows 11. That’s in addition to the 4GB of RAM and 64GB of storage you’ll need to install Windows 11.

So basically, Microsoft has only actually provided one new product, Windows 11 to succeed Windows 10. Windows 365, on the other hand, is something of a hybrid between a virtual machine and Microsoft Remote Desktop.

It’s the subscription service that allows you to create Cloud PCs that run Windows 10 or eventually Windows 11. So the platform is not tied to a particular operating system version therefore you pay a monthly fee based on the hardware configuration you want your PC to have.

What about Azure Virtual Desktop?

Another point that requires clarification is with regards to Azure Virtual Desktop (AVD). Why does Microsoft feel the need to have another VDI? For starters, Windows 365 appears to be more user-friendly than AVD.

Navigation has been made easier and the process of setting up an Azure Virtual Desktop system in the Azure cloud is also significantly less complicated. This is because Windows 365 focuses more on simplicity as compared to Azure whose goal is flexibility.

With Windows 365, you can let Microsoft handle the core infrastructure and platform piece. This is because the platform comes in the form of Software-As-A-Service. On the other hand, with AVD, clients need to manage a supporting Azure subscription, configure and implement the platform services required to allow a thin-client or Remote Desktop client to connect in.

So basically Windows 365 is an automated version of AVD that is aimed at companies of all sizes, including small businesses. Unlike AVD which targets the enterprise market. Below are some guidelines that Microsoft provides for you to choose the product that best suits you.

Azure Virtual Desktop:

  • Windows 10 personalized and multi-session desktops and remote app streaming.
  • Full control over management and deployment plus options for Citrix and VMware integration.
  • Flexible consumption-based pricing.

Windows 365:

  • Windows 10 personalized desktops.
  • Management and deployment with familiar desktop tools and skills.
  • Predictable per-user pricing.

Wrap Up

Windows 365 is introducing a whole different concept to both the Software-As-A-Service and Desktop-As-A-Service environments. This new platform seeks to set the tone for a more modern computing experience that can benefit businesses as well as individuals.

It’s still early stages and there is still a lot that we don’t know.

However, what is certain is that this is more than just a cloud-based version of Windows and can offer ersatz hardware as well. All of this is definitely going to make the future of cloud computing a lot more interesting.

How Microsoft Endpoint Manager is Bringing Intune and Configuration Manager Together

Posted on by
Reply

As people get access to more and more devices, the way that businesses operate has been rapidly evolving to keep up with the technology. And with more of these devices having access to a business’ data, this can help to improve productivity. Microsoft Endpoint Manager may have been designed with these dynamics in mind.

The problem, however, is that this can easily create a situation that puts the entire organization’s network at risk. So, a solution is necessary.

One that can enable a business to get the most it can from the devices that are available to its employees without compromising data security. This is why you need a platform like Microsoft Endpoint Manager that can bring together the most effective device management tools.

Creating the solution

Microsoft already had plenty of products available to help businesses with device management. And these products included the two that we’ll be focusing on today: Intune and Configuration Manager. So why did they feel the need to change things, to add yet another product?

What Microsoft Endpoint Manager (MEM) seeks to address is the need for a comprehensive management solution. MEM can help to reduce client confusion over the multiple products that are available by giving you a unified platform for all your devices including Windows 10, macOS, iOS, and Android. By using MEM, businesses can among other things:

  • proactively manage all of their devices,
  • maintain systems and software,
  • limit exposure and respond to security threats,
  • distribute settings, and much more.

Microsoft Intune

With Intune, what you are getting is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices. Using it enables you to have control over the features and settings on Windows 10, Apple, and Android devices.

Also, if you have on-prem infrastructure, there will be Intune connectors available. Namely the Intune Connector for Active Directory and the Intune certificate connector.

And by making it a part of MEM, Microsoft allows you to use Intune to create and check for compliance, as well as deploy apps, features, and settings to your devices using the cloud.

Configuration Manager

Whereas Intune is a 100% cloud-based solution, Configuration Manager gives you the on-premises management solution. With this, businesses can manage desktops, servers, and laptops that are on their network or internet-based. It is a flexible solution that you can cloud-enable if you want to integrate with Intune, Azure Active Directory (AD), Microsoft Defender for Endpoint, and other cloud services.

Furthermore, Configuration Manager gives you a great tool for the deployment of apps, software updates, and operating systems. Not only that, but you can also stay on top of queries and compliance issues so that you can act in real-time.

What are the requirements for Microsoft Endpoint Manager?

The beauty of Microsoft Endpoint Manager is that there is no complicated configuration or migration that you need to worry about. And this goes for the licensing as well.

If you have an existing Configuration Manager license then you can continue to use it, while simultaneously taking advantage of the Microsoft cloud-based security and compliance benefits of Intune.

Combining these two solutions has allowed Microsoft to avail Configuration Manager to clients with Intune licenses and vice versa. All of this without the usual roadblocks that you previously had to deal with.

This simplifies the process of giving clients a more comprehensive management platform. For management of non-Windows devices, however, you will need an Intune license, an Enterprise Mobility & Security (EMS) license, or a Microsoft 365 E3 or higher license

Taking advantage of MEM

There are plenty of reasons why any business should consider using MEM to improve the way it operates. As mentioned above, people now have access to plenty of different devices and businesses should benefit from that.

But, with the complexities that are involved in device management, there is no single tool that can meet all the requirements.

This is why bringing together Intune and Configuration Manager can work so well. By supporting a diverse BYOD ecosystem, MEM makes it easy to manage all endpoints. Whether they are on-premises and remote, corporate-owned and personal, desktop and mobile, MEM can handle them.

In addition, MEM is flexible enough to meet you where you are in your cloud journey and will not disrupt your existing processes. Your business can also leverage the integrations with other platforms such as Microsoft 365 and Azure AD to enhance productivity.

Combining products gives clients a lot to look forward to. Especially when you consider the simplified licensing arrangement. Overall, this combination will vastly improve the end-user experience and also allow IT teams to save costs and function more efficiently.

Addressing concerns about Microsoft Endpoint Manager

We all have our preferred tools that we use and that enable our businesses to operate optimally. So naturally, there will be concerns about combining Intune and Configuration Manager. What exactly does it mean for these products?

By bringing these products together under one umbrella, Microsoft is not doing away with Configuration Manager as many think. And the choice of name allows Microsoft to keep adding features to the platform.

Therefore if you have solutions that are built on Configuration Manager and want to continue using it, you are free to do so. But, the difference is that you’ll also get to leverage the intelligence of the Microsoft 365 cloud.

Basically, starting in version 1910 Configuration Manager now falls under the Microsoft Endpoint Manager branding. And as for the other components of the System Center suite, there are no changes to report.              

Wrap up & Microsoft Endpoint Manager

The solutions that businesses use need to continuously evolve to allow us to boost productivity and enhance data security. We need solutions that can offer the deployment of a seamless, end-to-end management solution.

And by combining Microsoft Intune and Configuration Manager into Microsoft Endpoint Manager, we can get just that. A solution that gives clients modern management and security while integrating with other Microsoft products in a way that optimizes device management.

How Endpoint Analytics Just Got Better

Posted on by
Reply

End-users commonly experience challenges such as long boot times, application crashes, and so on. These problems may be the result of a lack of optimized software configurations, legacy hardware, and issues that may arise due to configuration changes and updates. Enters Microsoft Endpoint Manager and the solution businesses need.

By using Endpoint Analytics, you can begin addressing these issues.

You’ll be able to improve user productivity as well as reduce IT costs because of the insights that you’ll receive. The latter will give you information about device setup, startup and sign-in times, and overall system performance.

Not only that, but the introduction of new features can enhance the user experience even more.

Benefits of Microsoft Endpoint Manager Analytics

Introduced in September 2020, Endpoint Analytics is the tool that can help your organization to gather significant amounts of data and thus help you to view and understand the performance of your managed Windows 10 estate. At the initial release, Microsoft Endpoint Manager Analytics had three main areas of focus:

  1. Startup performance: the insights provided help you understand your devices’ reboot and sign-in times and this enables IT to get users from power-on to productivity quickly without lengthy boot and sign-in delays.
  2. Proactive remediation scripting: swiftly fix common issues before they become problematic for end-users.
  3. Recommended software: recommendations for providing the best user experience.

To make the product even better, Microsoft has added two new features to give IT greater visibility in order to enhance the overall end-user experience.

The application reliability report

The first of the two new features is called the application reliability report (APR). This is something that will provide you with insights into potential issues for desktop applications on managed devices.

Utilizing this feature helps you to quickly identify the top applications that are impacting end-user productivity. Moreover, it also enables you to view aggregate app usage along with app failure metrics for these applications.

To take advantage of this feature, devices should be enrolled in Endpoint Analytics. And for devices enrolled from Configuration Manager, they’ll need client version 2006 or later installed.

To view the APR, you won’t need to do anything if your devices are Intune managed or co-managed. You’ll easily locate it beside the rest of the Endpoint Analytics reports in the Microsoft Endpoint Manager admin center console.

On the other hand, if you have devices enrolled through tenant attach, you need to upgrade to Configuration Manager 2006 for this report to populate.

How Microsoft Endpoint Manager works

To find your app reliability score, head over to the overview page. Here, you’ll also get the baseline score which is the median across all organizations. Below that you get a list of the apps most likely to have reduced user productivity during the previous 14 days. And then on the right column are app reliability Insights and Recommendations prioritized by which are most likely to boost your score.

To view the list of all your company’s apps, you can go to the App performance tab. You can sort out these apps according to various criteria such as name, publisher, active devices, and app reliability score. In addition, you may also sort apps out using the mean time to failure, which is the average number of times the app can be used across the organization between crashes.

In order to see your business’ application reliability performance, you can also leverage other pivots like the model, and OS version deployed, as well as troubleshoot application reliability issues with individual devices.

Devices will be given a device app health score that you find in device performance. This score is determined by the frequency of app crashes on a particular device during the last 14 days. To help you with troubleshooting, you can view a timeline of app crash and app hang events by clicking into each device.

Restart frequency feature of Microsoft Endpoint Manager

The second of the two recent additions to Endpoint Analytics is the restart frequency feature. This tool provides you with information regarding when devices are being rebooted and why.

You also see improvement for the existing startup performance report thus helping to improve the user experience even further. All of this should enable operational and helpdesk departments to be more proactive and provide insights on end-user devices.

The data provided aims to clarify the type of reboots that occur. To achieve that, these reboots will be classified as either normal or abnormal. When we talk of normal restarts, this refers to restarts that go through the normal Windows shutdown processes such as Windows update installations.

And when we talk about abnormal restarts, this refers to those that don’t follow normal Windows shutdown processes. Because abnormal restarts can be problematic they need to be looked into further. There are three categories of them:

  • Blue screens: This type of abnormal restart type is also a stop error. On average, one may expect no more than two stop errors per device per year.
  • Long power button press: Occurs when you hold down the power button to force a restart. This type happens less frequently than blue screens.
  • Unknown: The last category is for shutdowns that don’t align in either of the two previous categories.

Wrap up

Deployment of new laptops and desktops to users in an organization is a constantly ongoing process for a lot of businesses. As such, IT departments need efficient ways of managing devices and ensuring the optimization of the end-user experience.

And this is why if you’re not already enrolled you should be considering Endpoint Analytics.

End-users may face various issues in their day-to-day work that they will not report. Because of this, the user experience suffers and this will inevitably affect productivity. But, by utilizing Endpoint Analytics and its great new features, organizations can get high-level visibility into these various issues enabling them to address them quickly and efficiently.

Microsoft Defender for Endpoint Tamper Protection Extends Client Coverage

Posted on by
Reply

Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect. And Microsoft Defender ATP is ready to mitigate those risks.

Not recognizing these risks can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.

As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.

Why Tamper Protection?

Arguably the greatest challenges to an organization’s IT infrastructure come in the form of malware or malicious apps that tamper with your security settings and potentially create vulnerabilities in your system.

With these changes having been made, your organization becomes a significantly easier target for cybercriminals. It is with this in mind that Microsoft introduced Tamper Protection two years ago.

Simply put, and as the name itself implies, the Microsoft Defender ATP feature essentially locks Microsoft Defender thus preventing anyone from tampering with your security settings. Including modifications that may be made by administrators.

As a key element of Microsoft’s security strategy, Tamper Protection helps to ensure that Windows 10 clients do not need third-party anti-virus software.

However, Tamper Protection does not have an impact on third-party antivirus registration. So this means that third-party antivirus offerings will still register with the Windows Security application. By using Tamper Protection, you can prevent the following:

  • Deactivation of virus and threat protection.
  • Deactivation of real-time protection.
  • Disabling of behavior monitoring.
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Blocking of cloud-delivered protection.
  • Removal of security intelligence updates.

Extending client coverage

With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.

This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.

Having done that, you can then go to Endpoint security > Antivirus in the MEM admin center. From there you can proceed to create and deploy the Tamper Protection setting. After that, you’ll then need to configure the aforementioned setting.

This you will then deploy to a Configuration Manager collection of devices. If you want to view the policy status, go to the Monitoring > Deployments section which you find in ConfigMgr. However, you can also find it in the policy status in the Endpoint Manager Admin center

Utilizing Tenant Attach

Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.

Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.

With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.

Management of Tamper Protection

In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:

  1. Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10 or Windows Server 2016 or Windows Server 2019.
  2. Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
  3. Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.

Keeping track of security data

Having preventive measures in place does not negate the need for constantly reviewing the security information.

You need to regularly check what is going on within your system so that you can stay on top of things because several tampering attempts are usually a sign of something bigger. And that may potentially be a bigger cyberattack.

Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.

Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.

The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.

Wrap up

Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.

With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.

Microsoft Endpoint Manager – New, Exciting Features To Know About

Posted on by
Reply

When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.

Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.

No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With security in mind, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.

Enhancing security through Microsoft Endpoint Manager filters

Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.

By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.

Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:

  • A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
  • An iOS app to only the iPad devices for users in another department,
  • An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.

To see how to make use of these filters, check out this video.

Windows 10 Enterprise multi-session support

Windows 10 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Windows Virtual Desktop on Azure which allows multiple concurrent user sessions. Additionally, with this feature, users get the benefit of a familiar Windows 10 experience. In addition, IT can benefit from the cost savings that a multi-session allows and use existing per-user Microsoft 365 licensing.

By leveraging Intune, you can manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 client. Moreover, you can enroll Hybrid Azure AD joined VMs in Intune automatically and target with OS scope policies and apps.

This means that now you can:

  • Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
  • Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
  • Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.

Policy management made simpler

Using the settings catalog simplifies the process of customizing, setting, and managing device and user policy settings. Remember, managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is not the easiest of tasks to undertake.

Moreover, what the 2105 service release does is support your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies.

Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.

Microsoft Tunnel Gateway changes

There are a couple of changes to note for the Microsoft Tunnel Gateway:

  • Microsoft Tunnel Gateway (MTG) is now out of preview and thus is generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not – Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
  • Custom setting support in VPN profiles for Microsoft Tunnel for Microsoft Defender for Endpoint for Android. New changes here mean that you can now use custom settings in the VPN Profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint when using the Microsoft Defender for Endpoint as your Microsoft Tunnel client app for Android and as an MTD app.

Device security with Microsoft Endpoint Manager

Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.

By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.

All one has to do to achieve this is to activate the compliance connector for Jamf. The steps on how to do that can be found here.

New Microsoft Endpoint Manager settings available

There are new settings now available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). Moreover, these are the updates that have been introduced:

  • Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
  • Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
  • Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.

To view these settings you can go here.

App management

Clients will now get new tiles that show the number of app installation failures for the tenant. You can find these in the Home, Dashboard, and Apps Overview panes. All one has to do is follow a few simple steps:

  • Go to the Microsoft Endpoint Manager admin center,
  • To view the Home pane select Home,
  • Alternatively, if you want to view the Dashboard pane select Dashboard.
  • And to view the Apps Overview pane, select Apps > Overview.

Wrap up

Microsoft Endpoint Manager has many different ways that various companies can use it. It gives you a fantastic platform to gather end-point information. Also, it gives you the ability to push out Microsoft Desktop apps, Microsoft Edge as well as several other apps. And by consistently updating the features, Microsoft can help your business to operate more efficiently and enhance your data security and privacy.

Why Cloud Management Gateway Is So Important Now

Posted on by
Reply

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.

Microsoft Endpoint Manager: Benefits of Being Able to View Hardware Inventory in MEM

Posted on by
Reply

In July 2020, Microsoft announced the release of update 2007 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager (MECM). And with that, came a feature that now allows you to view hardware inventory for a tenant-attached Configuration Manager device in the admin center. With most pieces of hardware in offices today being connected to the internet, being able to view hardware inventory is extremely important. Microsoft Endpoint Manager (MEM) now offers that capability and thus gives your business several advantages.

Getting set up

Before you can use this feature, there are several requirements that you will need to meet:

  • You need to have an environment that’s tenant attached with uploaded devices,
  • You need either Microsoft Edge (version 77 and later) or Google Chrome,
  • You need a user account that has been discovered with both Active Directory user discovery and Azure Active Directory (Azure AD) user discovery. Simply put, this means that the user account should be a synced user object in Azure.

In addition, the user account will require the following permissions:

  • Admin User role for the Configuration Manager Microservice application in Azure AD. This role will be added in Azure AD from:

Enterprise applications  >  Configuration Manager Microservice  >  Users and groups  >  Add user.

If you have Azure AD premium, groups will be supported.

Network security

The security of your network should be something of great concern. Especially in a world where cybercrime is increasing at an alarming rate. Having said that, we can begin to see why a hardware inventory in MEM feature could come in very handy.

Keeping track of all the hardware in your organization is no mean feat. Particularly for businesses that have also employed bring-your-own-device (BYOD) policies.

You need to have a system that can readily provide you with the necessary information on all devices. This helps your IT team to maintain high levels of network security, prevent breaches, and manage any potential issues that may arise.

Optimize productivity

By leveraging the hardware inventory feature in Microsoft Endpoint Manager, you can keep track of how devices are performing. The last thing your business needs is to have computers worth tens of thousands of dollars operating at subpar levels.

With accurate information on hardware inventory, you can easily see how the devices in your organization are performing. You can then address any issues that may arise to streamline productivity from top to bottom. If you are going to invest in expensive, high-tech devices, you need them to operate as they should.

Reduce overhead costs with Microsoft Endpoint Manager

Well-managed IT infrastructure can help your organization to reduce overhead costs. The ability to view hardware inventory in MEM is going to give IT a bird’s eye view of all your IT infrastructure. And this enables you to effectively manage all hardware from procurement till retirement.

Doing this will cut your costs by doing away with issues such as IT overspend and non-compliance. Working in this manner will fully optimize your productivity, as mentioned above.

Lifecycle management

MEM’s view hardware inventory feature helps you to keep track of hardware from purchase, how it is used, and finally to its retirement. With this kind of actionable data readily available, it simplifies the decisions you make in the future. such as new purchases and upgrades.

Moreover, you can easily keep track of contracts with vendors. This is especially helpful to know when to renew those contracts or make purchase orders. All these things add significant benefits to your business by increasing operational efficiency while minimizing risks.

Enhance IT efficiency

If there is anything that is abundantly clear from what your organization will gain from MEM’s view hardware feature it’s that it will simplify life for IT teams. Significantly. With the data available to them, it makes it far less likely for any issues to arise during audits. Also, it creates less workload by eliminating the need for manual tracking and scanning of devices. Your IT department will inevitably operate more efficiently by being able to easily keep tabs on all hardware.

Asset protection and Microsoft Endpoint Manager

Another key advantage that comes with being able to keep track of your organization’s hardware is increased asset protection. Keeping track of devices allows you to not only get performance-related data but location data as well.

And having this information will help to mitigate the risk of loss or theft of devices. Therefore, utilizing the view hardware inventory in MEM tool helps your organization to easily stay on top of the work status of an asset, its physical location, and disposition.

Better overall governance

Viewing hardware inventory is going to give you an increased degree of visibility. Because of the accurate data at your disposal concerning your IT infrastructure, you’ll have a better handle of key assets. Therefore, they are less likely to be misplaced, misused, or underutilized.

And so with all these advantages, it simplifies the process of coming up with more effective governance protocols. This is something that will hugely benefit the entire organization from top to bottom and not just your IT department.

Keeping track of assets with Microsoft Endpoint Manager

There’s no denying that keeping tabs on your hardware is just as essential and important as the software management side of things. After all, technology is a huge investment for any business. And so how you keep track of your hardware will inevitably affect your bottom line.

Having real-time, accurate information about your assets goes a long way in the optimization of productivity. Not to mention enhancing the overall security of your business. Viewing hardware inventory in Microsoft Endpoint Manager is an incredible tool that should help your business become more efficient. The benefits are clear for us all to see.

Microsoft Intune: 7 Benefits of Remote Device Controls

Posted on by
Reply

It goes without saying that the year 2020, in particular, placed a new emphasis on the importance of remote work. Although a lot of organizations had already been exploring bring-your-own-device (BYOD) policies, that need is even greater today. And so it’s not surprising to see technologies like Microsoft Intune take center stage in these discussions. Management of your remote workforce is a task that can get very complex and put your security at risk. This is why you should see what Microsoft Intune can offer and how remote device controls benefit you.

What does Microsoft Intune control?

Intune is a cloud-based service that primarily focuses on mobile device management (MDM) and mobile application management (MAM). It can control:

  • How devices such as laptops, tablets, and mobile phones are used within your organization,
  • The configuration of specific policies to control apps,
  • The use of personal devices for school or work, and enhance security by isolating organization data from personal data.

All these controls and more will improve overall device management and data security by employing strict access controls.

Use and secure multiple devices

One of the major benefits that your employees will get from Microsoft Intune is having a choice of device. They can easily enroll and register devices from a choice of several. And then they can install corporate applications on the chosen devices from the organization’s self-service portal.

The key thing, however, is that your IT team retains control over the devices that have access to the corporate network. Administrators are the people responsible for setting up compliance and enrollment policies. Therefore, your organization can maintain high levels of security and control over all devices, especially those of your remote workforce.

Limit employee access with Microsoft Intune

Sometimes, an employee who needs to check their email may decide to do so from a computer in the hotel lobby, for instance. Scenarios like this can cause huge security issues in your network. To counter this, Microsoft Intune will block any devices that are not under its management from accessing corporate resources.

Remote device controls allow you to keep out any device that does not meet the criteria that administrators have put in place. Conditional access will only be granted to corporate-owned devices, BYOD devices that meet compliance regulations, and devices that follow any other criteria that you set up.

Administer mobile devices

In a world where people are always on the go, your employees may inevitably at some point need to use their mobile devices. And Microsoft Endpoint Manager provides you with several options for administering managed devices. These include:

  • Microsoft Teams: a platform that promotes teamwork by chatting, meeting, and collaborating regardless of location.
  • Quick Assist: a Windows 10 app where two people can share a device over a remote connection.
  • TeamViewer: a third-party program that enhances remote access and support.
  • Remote Control: a feature that helps you to remotely administer devices and provide assistance.

By leveraging these tools, you can have remote device controls that give you a secure platform to administer devices.

Leverage Remote Control with Microsoft Intune

Remote Control is a feature of Microsoft Endpoint Configuration Manager that you can use to remotely administer, provide assistance, or view any workgroup computer and domain-joined computer. This is something that enables IT professionals to connect and interact with a customer user session.

In addition to the remote assistance that IT can offer, the remote control viewer is also available on all operating systems that are supported for the Configuration Manager console. So instead of having to wait on someone to come in person and attend to an issue, IT can provide the necessary assistance remotely.

Enhance remote management

Microsoft has a habit of teaming up with great partners that can vastly improve the user experience for their clients. To assist IT in the remote administration of Intune devices, you can use a partner program known as TeamViewer.

The latter is a fast and secure remote management tool that will help your IT team to proactively monitor client endpoints, remote systems, and networks. This comprehensive set of remote access and support capabilities can simplify life for both IT and end-users. With its easy-to-use interface, TeamViewer helps members to remain connected from various locations.

Manage device actions

We all face challenges with our various devices from time to time. We can forget our passwords, lose devices, have them stolen, etc. With Microsoft Intune, however, you have less to worry about from these potential scenarios. And this is because your admins can remotely run device actions. From the Intune portal, it is possible to restart devices, reset passcodes, locate lost or stolen devices, and more.

Remove devices

Following on from the above point, once a device is stolen, goes missing, is no longer needed, or is being repurposed, you’ll need to remove it from Intune. Users can also use the Intune Company Portal to issue the necessary command to Intune-managed devices. You can choose to:

  • Wipe the device: this action restores the device to factory settings and can remove all data, apps, and settings.
  • Retire the device: this action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management.

Being able to perform these actions remotely helps to ensure that the wrong people don’t get access to corporate data and resources.

Wrap up About Microsoft Intune

Remote device controls offer businesses a great degree of convenience that they previously did not have. The ability to access and manage system interfaces and files serves to create a better experience for both IT and end-users. No longer do users need to wait endlessly for assistance or IT to constantly worry about access and compliance. By using the remote control tools that Microsoft Intune delivers, organizations can improve the efficiency of their remote networks and still maintain high levels of security.

What You Need to Know about Microsoft Endpoint Manager’s Tamper Protection

Posted on by
Reply

With cyber threats being such a huge problem, the last thing your organization needs is vulnerable security. And this can be worsened if malicious actors manage to disable your security. So with that in mind, Microsoft introduced Tamper Protection to increase your organization’s security by making it significantly harder for cybercriminals to infiltrate your network.

It gives you a better security posture and allows your IT team to ensure greater protection over corporate resources. And so today we’re going to dive into what exactly Microsoft Endpoint Manager Tamper Protection is and what it can do for your organization.

What is Tamper Protection?

Microsoft Endpoint Manager Tamper Protection is a relatively new feature that was created to prevent potential attackers from making changes to the configuration of Microsoft Defender on Windows 10 clients. Therefore, this feature doesn’t allow malicious actors to disable features such as:

  • Real-time protection,
  • Anti-virus protection,
  • Cloud-delivered protection,
  • Removing security intelligence updates.

By blocking these actions, Tamper Protection keeps attackers from getting easy access to your data or installing malware. Without being able to do this, attackers can’t compromise your devices or exploit sensitive information.

Functionality

The key thing that Microsoft Endpoint Manager Tamper Protection does for you is it locks Microsoft Defender Antivirus to keep people from making modifications to your security system. These modifications could otherwise be made through apps and methods like:

  • Configuring settings in Registry Editor on your Windows device
  • Using PowerShell cmdlets to make changes to settings
  • Using group policies to edit or remove security settings

However, Tamper Protection won’t stop you from seeing your security settings or affect how third-party antivirus apps register with the Windows Security app. For organizations using Windows 10 Enterprise E5, it’s the security team that will manage Tamper Protection and so individual users can’t change the setting.

How to enable Tamper Protection

Your IT admins can use Microsoft Intune to turn Tamper Protection on or off for all managed computers using the Microsoft Endpoint Manager (MEM) admin center portal. And to make changes to Microsoft Endpoint Manager Tamper Protection, admins will need to have permissions such as security or global admin. To have access to Tamper Protection, your organization should:

  • Have Intune licenses such as Microsoft 365 E5,
  • Have computers running Windows 10 versions 1709, 1803, 1809, or later,
  • Use Windows security with security intelligence updated to version 1.287.60.0 or later,
  • Have machines using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).

With all the requirements met, follow the steps below to get access:

  • Go to MEM admin center and sign in with the right credentials,
  • Select Devices and choose Configuration Profiles,
  • Create a profile with the characteristics below:

Once you turn on Tamper Access, you won’t have any need to turn it off unless if it affects other validated tools.  

Tamper Protection for Configuration Manager

With version 2006 of Configuration Manager, you can leverage tenant attach to manage Tamper Protection settings on:

  • Windows 10,
  • Windows Server 2016, and
  • Windows Server 2019.

Tenant attach allows you to sync your on-premises-only Configuration Manager devices into the MEM admin center. Following this, you can deliver endpoint security configuration policies to on-premises collections and devices. A few simple steps are all you need:

  • Set up tenant attach,
  • Go to the MEM admin center > Endpoint security > Antivirus,
  • Choose Create Policy,
  • You can now deploy the policy to your device collection.

Continuous reviewing

Even with Microsoft Endpoint Manager Tamper Protection enabled, your admins need to have the ability to continually review your security posture. Otherwise, you won’t fully benefit if you cannot see the tamper attempts or report them.

To resolve this challenge, you can subscribe to the Microsoft Defender for Endpoint service. This will provide you with a dashboard that shows you all the security issues that you need to be aware of. These include flagged tamper attempts with all the necessary details to investigate further.

Using third-party security tools

Although Microsoft Endpoint Manager Tamper Protection can work with third-party security tools, some of these can make changes to security settings. By using real-time threat information, Tamper Protection can assess the potential risks of software and suspicious activities. Ideally, your IT admins should update your security intelligence to version 1.287.60.0 or later. And this action will protect the system security settings in the Registry and log any attempts to modify those settings without generating errors.       

What about endpoint management tools?

As for endpoint management tools, you can use them with Microsoft Endpoint Manager Tamper Protection. With limits, of course. Admins retain the possibility of establishing a centralized setting for Tamper Protection using management tools.

However, other tools/platforms cannot change settings that are under the protection of Tamper Protection. For that, admins would require Windows Security to manage those.

If you have a Windows enterprise-class license or computers running Windows 10 Enterprise E5, you need to opt into global Tamper Protection. Below are some unified endpoint management platforms that cannot override Tamper Protection:

  • Microsoft Intune,
  • System Center Configuration Manager,
  • Windows System Image Manager configuration,
  • Group Policy,
  • Any other Windows Management Instrumentation tools and administrative roles.

Wrap up

The key to staying ahead of cybercriminals is a continual upgrading of existing security features. And this is precisely what Microsoft is doing with Tamper Protection. With this feature, you can address one of the potential areas of weakness in your security infrastructure. You can prevent unwanted visitors from disabling critical security features.

Since Microsoft Endpoint Manager Tamper Protection was specifically designed for enterprise environments, it is ideal for enhancing organizational security and making your organization less vulnerable to attack. Class-leading security has become a necessity for all of us and features like this can play a massive role in safeguarding our enterprises.