Welcome to Microsoft Mechanics. Coming up, we take a look at your options for managing Windows 10 devices using traditional management strategies with Configuration Manager and cloud-based modern management with Microsoft Intune. We'll explore the end-to-end lifecycle, from new ways to deploy Windows PCs without having to create your own images, to new options for keeping your users productive while configuring and securing your company's Windows 10 devices.

So, I'm joined today by Mark Florida, an expert in traditional Windows management with Configuration Manager and modern management with Microsoft Intune. Mark, welcome.

Thanks, it's great to be on the show.

To start off, with the release of Windows 10 there have been lots of enhancements that expand what's possible in terms of the management of both domain-joined PCs with Configuration Manager and Azure Active Directory-joined PCs with Microsoft Intune. Can you bring us up to date on what's been happening in this space?

Oh yeah, sure. So last December we released a new version of Configuration Manager; we call it our current branch. It aligns with the Windows 10 servicing model. Let me show you what that looks like here in the demo. As you can see, we've implemented some new features aligned with Windows 10, such as the ability to measure the health state of your Windows 10 devices. So we're basically keeping up and lighting up new features that come with Windows 10. The other thing we've been working on is making it much easier to upgrade. This new release of Configuration Manager has been one of our fastest-updating releases ever. We already have it installed on over 44 million clients at over 23,000 different customers. And that's not all. With Windows 10 and the enhancements that have been made in the inbox MDM agent, we've also enhanced Intune to better leverage those capabilities. Let me show you what that looks like here.

What we've done is modified Intune to incorporate many of the new policies that are now available in Windows 10. So what you see right here is the ability to configure these new policies, such as setting an edition upgrade, which is super critical for customers who need to move from a lower-end SKU to a much higher-end SKU. You can set up additional policies here, like a VPN profile, and other changes as well. In this last piece here there are very significant changes around Windows Information Protection. Windows Information Protection really affords a customer the ability to protect their corporate information, to ensure that it doesn't move out of their environment without their knowledge or control.

I know a lot of people watching this are actually considering that longer-term management structure. Some folks may be looking to shift some of that management capability to the cloud; other folks might be more comfortable sticking with traditional Configuration Manager. How should people be weighing up all the different management options?

Sure. You know, whether you choose traditional or modern, for us it's really about lowering the overall cost of managing your Windows devices. It's not a question of one or the other. I think what customers will find is that, given their environment, they can likely apply both in different situations.

So Mark, can you give us some examples of what those decision points really are?

Yes, there are three key areas. The first being your imaging and how you get Windows 10 deployed; the second being applications and identity; and the third is software updates.

Okay, let's deep dive in. What about the first of those, provisioning?

Yeah, so if I look at a typical imaging model today, let's face facts, it's pretty heavy. You have to get a machine in and you have to re-image it. You have to apply all your new drivers, and it takes hours and usually requires a lot of manpower.

What we've done with Windows 10 is we now allow you to get devices deployed much more quickly, and make it much easier for the end user to be able to work off those devices. Let me show you what this looks like in a demo. So what you're seeing here on the screen is just a device that comes right out of the box. And what you'll notice, a real key change here, is I have an option to join this device to Azure Active Directory, which is new, because most people are joining into local Active Directory. So the first thing I'm going to do is enter my credentials. These are the same credentials I would use for accessing corporate email, so the end user is very familiar with having to do this. Now, behind the scenes what's going on is this device is joining Azure Active Directory, and as part of that we're going to start to get management policies coming down. The very first policy that you see here is multi-factor authentication. This is a good way to validate that my identity is who I am when I'm trying to log into this device. I'll enter that code there to attest that this is truly myself. And this next piece that you're seeing here is where Intune comes into play.

So this PIN isn't part of the regular out-of-box experience? This is actually Intune policy telling Windows to require a PIN.

Oh yeah, absolutely, that's kind of the beauty of it. To the end user, they don't know that they're going through a disjointed experience at all. But it's getting the device prepped and ready for them with the right policy, so that the IT administrator can feel secure that the device is protected. Now I'm going to show you a few other cool things. First, you'll notice a substantial change here, which is when a typical system comes back up, you'll notice that it's being managed through local Active Directory. Not the case here: this is now being managed through Azure Active Directory. The last thing I want to show you is right here.

So what you notice here is this device also has the Configuration Manager agent installed on it. So what we've done is we've really integrated the management experience for a customer, so that they can use Intune to help provision this device. They can use Azure Active Directory to help get this device registered and managed. But they can also use Configuration Manager in this environment if they still need traditional management scenarios.

That sounds like a pretty good idea. So what do you actually have to do to make that work?

Well, all I really had to do was go into the Intune console and use Intune to provision the SCCM client. The SCCM exec just needed to be installed, and that was it.

The second area that you spoke of was around identity and applications. What are the decision points that you suggest for folks here?

Sure, it really just comes down to technology. It's a comparison between domain join and what's available there, and what's available with Azure Active Directory. When I speak with customers, it generally comes down to: what are you using Group Policy for? If you're using it for security settings and making sure that those policies are adhered to, then really take a look at what's available in Windows 10 with the inbox MDM agent, because it can cover many, if not all, of those needs. And then with applications, it just comes down to the type of applications that you are deploying. If you're primarily using web applications or SaaS applications, you will find that Azure Active Directory provides many of the same needs that you're accomplishing today with your domain-joined machines, such as the ability to authenticate and attest who the user is.

So I guess you'd be looking at Intune as the management provider in that case. Can you show us what this looks like?

Yeah, sure, I'd love to. So for a little bit of context, this device that we're on right now has just a local account. So it's not managed, and you can almost think of it as a home PC or a BYOD device that was brought to work. I'm going to attempt to access my work email. Go up here into Outlook. I'm going to do a couple of things that are pretty standard, which I think most people are used to, which is typing in your credentials so you can get to your email. Okay, and you'll notice I'm blocked. And that's by design. The reason being is because I previously enacted a policy in Intune to prevent access to email unless the device is managed. So what I'm going to do now is make that happen. I'm doing something very similar to what you saw in the previous demo, which is adding your Azure Active Directory account to this device. So click Done here, and now what you'll notice is there is a work account that has been added to the machine. I should be able to go back and get a look at my email. I'll close that out. I still can't get access. Now, the reason that I showed this was to make a key point: it's important that the device is fully configured and compliant before getting access. What you'll notice is, now that I've given the system a little bit of time to behave, the browser that I first launched is now showing me my email. It logged me in using single sign-on. That's all possible because the device has joined Azure Active Directory. I can see here I've got my work email and I'm good to go. And that's only possible because our conditional access checks were validated, and I can be sure that the device is trusted before allowing the user to get access to corporate information.

Excellent. It looks like there might be some extra policies that have applied there as well. I can see a little briefcase icon up there.

Yes, that is Windows Information Protection. The Edge browser is defined as a managed application. It's one that the company has full control over, is a good way to think about it. So what's kind of neat about this feature is, let me go down to the secret email that you sent me here. And you can see that there is some text on our secret recipe that we want to make sure stays protected. What I'm going to do is attempt to move that information out of a corporate-managed application, that little briefcase, and move that over to a non-protected, more personal application. So let me launch Notepad. Notepad has not been declared as a corporate application, thus you don't see that briefcase or anything like that. But what you'll notice when I attempt to hit paste is that the system is prompting me: "Do you want to allow this to happen?" I as the end user can say: "Sure, I want to make that happen."

I presume it gets audited if you actually say that you want to change that to personal data?

Oh yeah, definitely, and it's actually richer than that. It would have been a pretty lame demo to show you, but as an IT administrator you can actually make this happen. You can just block it completely. So if you don't want to allow the information to go out, you can just stop that. If you want to, you can make this silent, so I could paste it out into a personal application but continue to audit that as well. So there are different sets of options depending on who your user base is and what your scenarios are. I'll just allow this paste to happen. So now you see it went through. Your audit message that you described earlier will be recorded. And this last piece is to show you how it would work with a fully managed application, in this case WordPad. You can see it has the briefcase up above, and that means it's a corporate-managed application. I'll paste the information in there. That went on without any end user intervention. So in summary, if you still need the complexity of domain join, you can continue to use Configuration Manager for those devices, and at the same time blend this with simpler, more cost-effective management with mobile device management.

Mark, you also mentioned software updates.

Yes, so the two previous areas are really a choice the customer can make. The reason I call out software updates is because of the new model that has been released with Windows 10. They've moved to a cumulative update model, which greatly simplifies the update process for a customer to keep their Windows devices up to date. It's something a customer should take a look at if they haven't done so already. Why don't I give you a glimpse of what that looks like. What I'm going to do is show you Configuration Manager, where we have built an experience for you to manage Windows 10 servicing. So there are a few key concepts I'll talk about, which is that you can define how successful a deployment is, as well as monitor in your environment the various levels of Windows that you might have deployed, and track the progress there. The other thing that you can do is create a ring. The ring is the ability for you to stage a rollout of a given new update that Windows releases. This is very valuable when you think about things like application compatibility testing. I'll create a servicing plan for you, in a ring in essence, to get the update out of the door. So the first thing I've got to do here is type in a name: Windows plan. Now I'm picking the set of devices that I want to target. So New York branch is the one that we have just a small number of users for. I then get to select what type of update from Windows I want to deploy. I'll choose the business one, and now I will create that. Once that's created, let me show you a little bit of the internals of what a servicing plan looks like. A lot of it for a Config Manager customer is going to be very familiar, and some will be different. So, here are your deployment settings. Your servicing plan, again, is really just the group of devices you want to target. And this is probably the most significant change if you're used to software updates management in Configuration Manager. We built an experience where you can choose if you want updates to go out right away when Windows releases them; that would be the zero option. Or you can put a buffer in place. And this basically allows you to maybe wait for the rest of the world to test out an update before you decide to take it on yourself. You can just automate this away. You don't have to come back on day 52 to do a manual deployment. Let us do that for you and take it over.

So the first thing that comes to mind when I think about Windows 10 is that there is a difference between feature updates and security updates. Does this cover both of those?

Yes, absolutely it does. It goes back to that same mechanic that we have in Configuration Manager. It's used for both. So you can deploy your cumulative updates with this. You can deploy your critical updates, and we have that covered.

That sounds amazing, actually. It's a really great set of features for being able to do software updates and deployments in line with the Windows servicing model. So that covers the core management scenarios around provisioning, identity and applications, and software updates. What else is in store?

Well, we're going to continue to expand what we do with MDM management with Intune. And we're also going to continue to invest in Configuration Manager, all with the premise that we want to be able to support the management needs that our customers have. And we realize that there's a blend of both a need for modern management and traditional management. And we'll keep investing in both to make sure our customers are happy.

Cool, and how can people learn more?

As you start to roll out Windows 10 for your organization, it is a great time to familiarize yourself with the management strategy. You can learn more in the link below.

Great, thank you very much for taking the time to come on the show. And keep watching Microsoft Mechanics for the latest in tech updates. Thanks for watching, and bye for now.

Microsoft Mechanics www.microsoft.com/mechanics
Modern Windows 10 management strategies, using Configuration Manager and Microsoft Intune (subtitles published by tivenchou, 14 January 2021)