Microsoft have been busy showing off some of their current and upcoming work across the Microsoft stack of solutions this week but with so much information flowing, what’s worth paying attention to specifically in the world of IT Pro and Management solutions?
This post highlights some of my personal choices of areas to dig deeper into as they develop, along with a smattering of other related areas that are just too cool not to mention!
(If you’re short on time, use the menu on the left to skip ahead)
Microsoft Endpoint Manager (MEM)
Custom Compliance Checks
Now this is extremely interesting! While we’ve had compliance checking forever, it’s been limited to simple checks across Device Health, Version, System Security or Risk. If you wanted a bit more flexibility you had to co-manage with ConfigMgr and create Baselines to check for additional bits.
We now have a public preview within MEM which allows custom PowerShell scripts to be run to calculate compliance! It looks like even custom remediation messages are possible too!
Think about scripts that can check for specific BIOS versions, certain applications present, etc. Hey, it’s PowerShell, so the possibilities are almost unlimited!
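To make the custom compliance idea concrete, here is an added example of the two pieces that feature needs: a discovery script that runs on the device and emits one compressed JSON string, and the rules file (shown in the trailing comment, to be saved as a separate .json file) that Intune evaluates against those keys. This is my own illustration, not code from the post or from Microsoft; the expected BIOS version "1.18.0", the application name "Contoso VPN Client" and the MoreInfoUrl are constructed values, and the rules schema follows Microsoft's documented custom compliance format as I understand it.

```powershell
# Added example: Intune custom compliance discovery script (not from the post).
# Intune runs this on the device and expects exactly one compressed JSON string
# on the output; each key is matched to a SettingName in the rules file.

$expectedApp = 'Contoso VPN Client'   # constructed application display name

# BIOS version string as the firmware reports it (format varies by vendor).
$bios = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion

# Look in both the 64-bit and 32-bit uninstall hives, which is where MSI and
# EXE installers register themselves, so the check works for either bitness.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$appInstalled = [bool](Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $expectedApp })

# Key names here must match the SettingName values in the rules file.
$result = @{
    BiosVersion      = $bios
    VpnClientPresent = $appInstalled
}
return ($result | ConvertTo-Json -Compress)

<#
Matching rules file (save as a separate .json and upload with the script).
Operand values are constructed for this example.
{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "1.18.0",
      "MoreInfoUrl": "https://example.invalid/bios-standard",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "BIOS is not on the approved version.",
          "Description": "Update the BIOS to version 1.18.0 using the approved firmware package."
        }
      ]
    },
    {
      "SettingName": "VpnClientPresent",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/vpn-client",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Required VPN client is missing.",
          "Description": "Install the Contoso VPN Client from the Company Portal."
        }
      ]
    }
  ]
}
#>
```

Two practical points: the script must emit nothing but the JSON (stray Write-Host or debug output will break evaluation), and a string equality check on the BIOS version is deliberately strict; the Version data type with a GreaterEquals operator is the better fit when the vendor's version string actually parses as a version, which is not the case for every OEM.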
Policy (or Profiles) has been on a journey for a while now in MEM. The Settings Catalog made it much easier to find settings and configure policies with much greater flexibility, but then we had choices between Device Restriction Templates, Endpoint Security Settings, Baselines and Settings Catalog…
Microsoft are looking to simplify this and regardless of where you start, it will end up as a policy that can be further customised and controlled at a more granular level.
It’s early days with this, so time will tell, but it may also unlock other interesting scenarios when it comes to policies hopefully around conflict resolution etc.
MEM has had the ability to integrate with TeamViewer for remote control purposes for some time, but this obviously relied on having licenses for TeamViewer, which not everyone did or could afford.
ConfigMgr has always had the ability to remotely control devices over the LAN/VPN and there was remote control via the Cloud Management Gateway (CMG) in development, but that went mysteriously AWOL…
Now Microsoft have announced a new Remote Control solution rolling out as a public preview that will allow remote management of devices anywhere, as long as they have an Internet connection.
While the core remote control app looks like a customised version of Quick Assist, this isn't a bad thing per se, as it adds some much needed validation of who's connecting and who's being connected to, along with integration with the RBAC model to more finely tune allowed activities such as view vs full control and the right to elevate (UAC).
It also nicely integrates into the MEM portal, allowing full reporting on remote control activities and audit capabilities.
One important thing to be aware of though: this is going to be an additional add-on cost, i.e. it's not (currently) part of your E3 licensing (no idea about E5…)
Linux Desktop Management
While I still very rarely encounter Linux as a desktop OS within customers, it’s still an important addition to MEM as it further consolidates toolsets and brings visibility across all areas of an environment (Windows, Mac, Linux, iOS, Android) to the teams that need to manage them.
MacOS DMG Application Deployment
Again, closing the gap on multi device management, Microsoft are looking to preview in Q1 of 2022 the ability to upload and deploy (Required, Uninstall and Available with Enrollment) DMG type apps via MEM to Mac devices.
Note, this does bring in the requirement of the Intune MDM agent for Macs.
Surface Management Portal
A bit niche, as it depends if you’re a heavy Surface device user or not, but within the MEM console there’s now a new view dedicated to just Surface devices. The main nice bit about it is a quick view into warranty information for those devices as well as support ticket raising and tracking for them.
I hope this gets expanded to at least Dell, HP and Lenovo in the future, but I’ll not hold my breath…
Windows Lifecycle Management
Driver and Firmware Deployment Public Preview
Drivers and Firmware have been available through Windows Update for some time, but unless you live in the wild west and don’t control your updates, these weren’t available when using MEM (Intune or ConfigMgr).
Microsoft have been working for a while now on providing the ability to selectively control which drivers and firmware should be offered to managed devices, giving control to standardise on versions while testing and controlling deployment.
In addition to providing a web app that admins wanting an early look at the service during preview can deploy to manage the updates, Microsoft have also been working on providing reports via Workbooks for the Update Compliance solution to give insight into impact and recommendations.
Public Preview of the web app/Microsoft Graph controls and Reporting is expected Jan 2022 while Public Preview of the controls inside MEM rather than a standalone web app is expected Spring 2022.
Test Base for Microsoft 365 now Generally Available
While not officially touted as a Windows Lifecycle Management tool for IT Pros (it's currently aimed at vendors or organisations writing in-house code), I for one think this is something to look at.
Test Base allows you to upload an application with installation and uninstallation scripts, along with additional test scripts if needed (or possible). The service then automates installing and testing the application across various builds of Windows, tracking installation, functionality and resource usage, specifically to identify issues or regressions when new OS updates or versions are released.
This could potentially be a very nice tool in your WaaS Lifecycle process to automate the compatibility and performance testing ahead of quality or feature update deployments.
Improvements to Windows Update for Business
While rolling out Windows 10 last year, Microsoft added further scheduling capabilities to the way the update is offered to devices. Devices push their diagnostic data to the service, where it is analysed and the devices are automatically ordered within their defined update ring, in effect adding another layer of piloting or staged deployment across that deployment cycle. This has now been extended to Windows 11, giving you more protection and confidence as you begin to plan for this next milestone upgrade.
So this first announcement from Microsoft kind of falls into both the MEM and Security news, but it’s security-focused so I’ll talk about it here…
Manage Unenrolled Defender for Endpoint Devices
Microsoft are introducing the ability to pull devices that are enrolled within Microsoft Defender for Endpoint (MDE) but not explicitly enrolled in Intune for Mobile Device Management (MDM) into the Microsoft Endpoint Manager (MEM) console.
This is very similar to what Microsoft did with Tenant Attach in ConfigMgr, allowing you to see MDM managed and ConfigMgr managed devices in the same portal, except this time Microsoft are also adding the ability to deploy security management policies, currently for these areas:
- Firewall Rules
- Endpoint Detection and Response
I think the other interesting bit here is that it also appears to allow server OSs (in preview) to be brought into the MEM world and targeted for these policies! Linux and macOS are also planned for 2022.
Supported Devices: https://docs.microsoft.com/en-us/mem/intune/protect/mde-security-integration#supported-platforms
Note: Domain Controllers and Server Core are not supported as they can’t be Hybrid AAD Joined.
Microsoft Defender for Business
A much needed simplification of Microsoft’s enterprise grade security tools, specifically targeted at organisations with up to 300 users. Available as both a standalone purchase and also included within the M365 Business Premium license.
With a simplified configuration and client onboarding experience, it’s much easier to get started with securing your environment and keeping an eye on your security posture.
Key features, similar to the full-fledged Microsoft Defender for Endpoint, include:
- Threat & Vulnerability Assessment
  - Discover and prioritise software vulnerabilities and misconfigurations for remediation to build a secure environment.
- Control and Protection
  - Antimalware and antivirus protection with attack surface reduction across ransomware mitigation, application control, web protection and network protection
- Detection and Response
  - Behaviour-based detection and alerting to identify threats, with automated investigation and response
Desktop Virtualisation (AVD and Windows 365)
Hot off the heels of the Windows 365 launch, Microsoft are rapidly providing enhancements to the service. Most of the things talked about at Ignite were already announced, but a couple of incoming features that you will want to keep an eye on include:
- Web Client Improvements
  - Performance and reliability improvements
  - Local Resource Redirection and in-session editing of these settings
- Native Azure AD Join
  - Removes the requirement for vNet and Domain Controller access
- Windows 11
  - UEFI and Secure Boot support with Virtual TPM, which also enables BitLocker support
Azure Virtual Desktop (AVD) Autoscale
While we at PowerON have been designing and deploying AVD for quite some time, we have always used our own custom solution built around Logic Apps and Azure Automation to achieve autoscaling and deliver just-in-time density requirements.
Microsoft have now announced a preview of a native scaling solution that allows plans based across the following pivots:
- Time of day
- Specific days
- Session limits per host
We'll be doing some testing on this to ensure it meets our customers' requirements, but it's always nice to see Microsoft bringing much needed features natively to the solution.
Speak to us for more information, or check out the Microsoft Docs:
On-premises AVD Session Hosts
Don't get too excited about this one: it's not a free-for-all for spinning up VMs to power your AVD deployment; you can only do this if you have Azure Stack HCI hardware.
Useful for various scenarios, but you’ll need to invest in the new hardware/Azure Stack if you really need it.
There’s obviously a lot more covered during Ignite, but here’s a few honorable mentions that may be of some interest.
A new solution/app that helps pull information together from multiple sources to make collaboration easier
Teams Connect aka Shared Channels
I’m (im)patiently waiting for this to be rolled out. It allows a channel to be created and shared with an external organisation and will appear alongside other channels within the external organisation, meaning no more switching tenants to collaborate!!!!!
It’s not due for preview until the 1st quarter of 2022 though 😭
Lots of other cool new things coming to Teams, such as webinar improvements, increased chat density, message scheduling, more Dynamics integration, Rooms features etc
Conditional Access: Filter for Devices
Not sure if this was specifically announced at Ignite, but while pulling bits together for this post I ended up down this particular rabbit hole…
This new feature for Conditional Access (CA) allows conditions to be set based on properties within Azure Active Directory (AAD), including the ability to use the Extension Attributes which you can set to anything you want via the Microsoft Graph.
This opens even more scenarios for CA where you could mark devices as admin-specific (think Privileged Access Workstations (PAW)), legacy devices, pending decommissioning, and so on.
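As an added example of the PAW scenario (my own illustration, not from the post or from Microsoft's docs), the script below tags a set of Azure AD device objects with extensionAttribute1 via Microsoft Graph and then reads them back, so a Conditional Access filter for devices can target just those machines. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a delegated permission that allows updating device objects (Directory.AccessAsUser.All is the one I believe is documented for this; treat the scope as an assumption). The device display names are constructed.

```powershell
# Added example: tag Azure AD devices with an extension attribute for use in a
# Conditional Access "filter for devices" rule. Not code from the post.
# Assumptions: Microsoft Graph PowerShell SDK installed; delegated permission
# to update device objects (scope below is an assumption); device names constructed.

Connect-MgGraph -Scopes 'Directory.AccessAsUser.All'

# Constructed inventory of machines that should be treated as PAWs.
$pawDeviceNames = @('PAW-ADMIN-01', 'PAW-ADMIN-02')
$tagValue = 'PAW'

function Set-DeviceExtensionAttribute {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Value
    )
    # Resolve the Azure AD device object id from its display name.
    $uri = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$DisplayName'"
    $lookup = Invoke-MgGraphRequest -Method GET -Uri $uri
    if (-not $lookup.value) {
        Write-Warning "No Azure AD device found with display name '$DisplayName'"
        return
    }
    $deviceId = $lookup.value[0].id

    # PATCH only the extensionAttributes property; other attributes are untouched.
    $body = @{ extensionAttributes = @{ extensionAttribute1 = $Value } } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/devices/$deviceId" `
        -Body $body -ContentType 'application/json'
    Write-Host "Tagged $DisplayName ($deviceId) with extensionAttribute1=$Value"
}

foreach ($name in $pawDeviceNames) {
    Set-DeviceExtensionAttribute -DisplayName $name -Value $tagValue
}

# Read back what the filter will see, to confirm the tag landed on the right objects.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/devices?$select=id,displayName,extensionAttributes'
$check.value |
    Where-Object { $_.extensionAttributes.extensionAttribute1 -eq $tagValue } |
    ForEach-Object { "{0}`t{1}" -f $_.displayName, $_.id }

# Device filter rule to use in the Conditional Access policy (rule syntax):
#   device.extensionAttribute1 -eq "PAW"
```

The read-back step matters more than it looks: a filter rule that silently matches nothing (a typo in the attribute value, or a device that never got tagged) means the policy either applies to everything or to nothing, depending on whether you built it as an include or an exclude, so confirm the matched set before enabling the policy in enforcement mode.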
There's also a raft of other new things for Conditional Access (and identity in general); go check out more here: