Co-management and Tenant Attach - Jason Sandys (MSFT) - TXSMUG

Captions
Oh, there he is. Take it away, sir. I decided to dress up. My video is not upside-down; I'll have to figure out Michael's secret there. We all have lots of secrets to learn from Michael, as usual. So thank you for having me, thank you to everyone joining. I think I saw in our background chat that we've had over 600 concurrent users most of the day, so that's really awesome, so thank you to everybody. You know, it's exciting being part of Microsoft now and seeing the enthusiasm. You know, as an MVP I always was part of that enthusiasm, and maybe I stoked the fires a lot, but now, being part of engineering and seeing folks using our stuff and getting real-world stuff done, that's even cooler to me.

So for those of you that don't know, I joined Microsoft about three months ago. I'm now part of the MEM engineering group and I work on customer issues, really, so somewhat similar to what I did before, but my focus is really about figuring out what's stopping customers from being successful with our products and figuring out how we can change that so the customers can be successful, right? We all know that not everything is perfect. Code is code; anyone who's written a two-line script knows that there's always going to be some type of issue with even that two-line script, and every customer is different, and so that's what we really need to figure out, right? It's one of the reasons that Intune has really taken off: because we focused on it. We've gone and asked customers, we work with customers constantly to figure out why things aren't working for them. Sometimes that means going to Apple or Google, sometimes it means going to our own product teams and figuring out exactly what that is, and that's exactly what I'm focused on doing. So that's a little bit about me and where I am and how I've gotten to where I am. So let me go ahead and start my slide deck so you guys can see the title here. Real quick, let me make sure I pick the right screen. No idea what screen this is right now,
screen two, there we go. Okay, so I will not switch to presenter mode; I will just leave it in this mode and do this, just so it's a little bit easier for me to navigate around here.

The topic today, hopefully everyone saw this in the agenda, is co-management and tenant attach. So, as the time of year kind of alludes to: cloud, the enemy of on-prem. For so long we heard this. A long time ago, most people remember Steve Ballmer getting up and, in an hour session, saying "cloud" maybe, who knows, right, a thousand times, and people were counting and having games around that. That's probably not the best thing to do, but at the time everyone thought he was totally off his rocker, and maybe he was to a certain extent, but maybe not for this reason. Cloud has clearly become super important today as well, right?

One of the things that we've seen, I'll skip past the agenda there real quick, I'll put up the wonderful "pigs fly" one. One of the things we've seen in the past three months, and we've heard this over and over and over again from a lot of customers, they gave us this message loud and clear: "we will never, ever do cloud," for whatever reason, right? There were regulatory reasons, there were so-called technical reasons. And we've heard this message loud and clear over the past three months: "yeah, remember we told you we're never gonna do cloud? Yeah, it's really important for us now," or some of them are like, "yeah, maybe we need to rethink that." And so that's really what this "pigs fly" is all about, because, you know, the world's changed. We all know that the world's changed significantly; it's not how it was just a year ago, and so folks need to reconsider this.

The other kind of interesting piece, and this is something that I kind of ponder on a lot in my spare time, I guess I'm kind of boring that way, is how would we have handled this scenario ten years ago? I don't know what would have happened. I think the world would have just crumbled, right, because no one would have been working from home. Well, you
know, people were kind of VPNing in, there were some VPN technologies out there, but we couldn't manage devices, we couldn't do anything, and of course nobody had mobile phones. There's lots of different things that are completely outside the scope, and I don't know how the world would have survived. But if you went back ten years ago, if you, you know, took a time machine, whatever, could talk to yourself ten years ago and you knew that this was coming, exactly what you would have wanted to have designed to handle this scenario is kind of where we're at. No one had a crystal ball, I don't think; no one could have had any clue that something of this magnitude was coming, but where we're at today is the cloud, right? The cloud enabled us to push through these last three months. Whether you use Microsoft technologies, whether you use Google technologies, you know, people have used Zoom pretty much ubiquitously now, all of these different technologies are cloud-based, right? Cloud in this sense, really in all senses, is just a big data center that everyone can get to across the internet, right? But without the cloud, you know, the last three months, I don't know where we would have been.

So that brings us to Config Manager specifically, right, for all the folks that are out there. I don't want to call out the bottom half of this slide. I actually saw a thread this morning, which was really kind of serendipitous; serendipity has been really an interesting thing over the past few months, I've seen the same comments in all kinds of different places, like the same comment will come in from different sources within a day of each other, it's really kind of interesting. And so this popped up today in a thread, which was basically, "hey, Config Manager's dead, and where are we going?" Well, clearly, anyone who's attended any sessions from any Microsoft person, all the way from Satya to Brad, to DJ who's up next as well, to all of us in the MVP community, and now those folks in
engineering: Config Manager is not going anywhere. We have no plans of removing that from your environment. We know how critical and how key it is to people's environments, and it's not going anywhere. What we're doing is we're continuing to iterate value. We know that where we're at today is great; most people are in general pretty happy with what we have and what we've provided for them, but now we need to start doing newer things, and the cloud opens that door, right? We can almost sit and do all these additional cool new things when we attach Config Manager to the cloud, so that's really what this is about, right? We want to add value.

Now, the other key piece on here is, if you're still in that boat, you're a nuclear power plant, you're the submariner, I don't know if you folks have submarines out there, some type of isolated environment that for whatever reason, security, regulatory, right, can't attach to the cloud, that's fine, right? As Microsoft we want to make a product for you that works for you, but we're not gonna make you move, right? If where you're at is happy and suits your purposes, great, we're happy for you. We can continue improving there as well; we're not going to force you to go. But if you can, we would really encourage you to go this way, because it does open so many different doors.

So that really brings us to both of these, right, the cloud attach and the co-management, and that's exactly what we're talking about. You kind of see in this slide, it's got a nice little picture there in the bottom, which is really generic, but it's about managing those devices, right, in various different ways, enabling that additional capability. We all know that, you know, Intune doesn't exactly overlap with Config Manager, right, but what if we can put those together? And that's what some of this is, right, being able to do both of those things at the same time.

Now, another key piece in here, and we hear this, it's clearly a common theme over the
past few months as well, is "hey, I need to manage my own systems remotely," right? It's amazing how many organizations had no remote management capabilities, none whatsoever: no VPN, no nothing, right, no remote control, nothing like Bomgar, no nothing, right? They sent all their users home like everyone else did, in general, but they had no way of doing anything for those users or to the systems that they sent them home with. That's a recurring thing. So one of the things that's come up a lot is "hey, we need to manage these devices that are remote, we want to do co-management." That's not the right answer here. Co-management can help you in that scenario, but for that, and Aaron talked about this earlier so I'm not going to go into it a ton, and I don't think we have time either, but hopefully this is something that everyone's familiar with: that's what the cloud management gateway is for. If you're sitting on Config Manager today, right, adding co-management to the mix isn't really about extending your Config Manager management to the cloud or to those internet-connected devices; it's about adding cloud to those devices, and there's clearly some overlap, right? So if we drew out a Venn diagram here there would be a little bit of overlap for that, but it's not really where you want to be. The first step, if that's truly your base requirement, is to pursue the cloud management gateway. I think that cloud management gateway is of course complementary to co-management, right, because our devices, and the whole scenario here, particularly, you know, I'll say it again and I think everyone's probably heard it a lot over the past few months, the whole scenario here is that we need to be able to manage those devices remotely, so CMG is definitely the place to start. So once again, it's all about value. Where do we get that value from? And that's what these two pieces are all about.

So the first one is co-management. So I put it in the title here specifically because there's a lot of
confusion over what co-management is and what tenant attach is. They both kind of sound like they're attaching to the cloud, and what's the difference between them? So they both are attaching to the cloud, so that's really key here. We can get lost in kind of the verbiage here, right, because we hear "attach" in so many different ways, but we'll focus on co-management here first. And what's here in the title is attaching the clients: we're not attaching Config Manager in any way to the cloud, we're attaching the clients themselves to Intune, and really to the bigger MEM. So if you remember back, going to Ignite, we announced MEM, right? The whole System Center suite has kind of departed, or moved away from Config Manager; really the reverse, Config Manager has moved away from the System Center suite, and we created this new suite, Microsoft Endpoint Manager, and we moved Config Manager into it, we moved Intune into it, Autopilot and Desktop Analytics as well. And so this is starting to be some of that convergence as well. We're wanting to make sure that all of these products integrate with each other and they take advantage of each other as well.

So here, what's on here is, I thought that, well, you know what, okay, sorry, I confused myself, because there were actually some arrows building on here, so I slightly confused myself. Basically, what the arrows would have built on here is: your first step is attaching your Active Directory, right over here, to your Azure Active Directory. If you haven't done that, that's the basic first step to start getting cloud value. Why? Because everything we do is built on identity. Like, the core security tenet is about the user's identity and the device's identity at the end of the day. So when you move out to the internet, how do you have identity? Well, your on-prem domain controllers you've almost certainly not exposed to the internet, so how do they get identity? Maybe they VPN in, but now you're not really on the
internet anymore, necessarily. So what about all those other devices, right, all those workers that we just sent home, all those folks that are working from BYOD devices, all those folks that are working from temporary devices? Right, over the last three months we've heard it as a recurring story: "hey, we don't have devices to send home with our users, go to Best Buy and buy a bunch and send them home with the users." So how do we control security in those scenarios when we don't explicitly have control over those devices? It's all about identity. So that's the first step here: attach AD to Azure AD. This is basically free; we're not charging anyone for this, right? You just need an Azure subscription, you set up your Azure AD tenant, set up Azure AD Connect. It sounds like a handful of steps there, and it is, but it's nothing overly difficult, and now we get your identity synced between your on-prem AD and your Azure AD, and now we've enabled these scenarios and a whole bunch more.

So step two is now exactly what this slide is about, which is the client attach. All right, as noted before, or like I said before, Intune does some things that Config Manager doesn't do so well or doesn't do at all, and I'll point a few of these out in a minute here as well when we hop into the demo, and then of course vice versa: Config Manager, because of its long history, right, we have 25 years of history of Config Manager managing Windows, it does a whole host of things that Intune doesn't do and may never do, right? Our intention is not to replace Config Manager with Intune; our intention is to provide a different way of managing your Windows devices that may or may not be suitable for your organization. But at the same time, that doesn't mean that both don't work better together, and that's really the scenario here, right? We want them both to give you value and to continue iterating on that value. So basically we're just attaching your devices down here, wherever they may be, right? We generally want to have
this arrow right here, right, that goes between your site and your devices; we want that to be connected using CMG, all right, so that you have that continuous management no matter where the systems are at, and then we connect to Intune as well so we get that value.

So let's actually hop into the demo here. Let's see if I have to log in again. Yes, I do. I got my password right. So this was always noted as being something very easy to do. In general it is, conceptually; there's a lot of hurdles to overcome, particularly when we have firewalls and you have proxies, just normal things that we normally have to go through in an enterprise environment, but as far as Config Manager goes, it really is going through this one single wizard here, right? I can't go through the wizard again because I already have it configured in this tenant, but if we open the properties for this, and I'll use the menus here as well in a minute, how many people need that in a remote world, but I will do it, these same tabs will actually come up when you run through the wizard. There's really not much to it. You clearly need, right, we clearly need this, right: we need an Azure tenant, you've got to have this stood up. So that's why that's always step one: we want to make sure you have a tenant and Azure AD stood up and that you have a valid subscription, however you purchase that subscription, so that is key. I'm going to skip this tab, because this tab is actually specific to tenant attach; we won't actually talk about that one right now. Next, really, what we can do is we can say "hey, I want to do all," and it helps to hold down the Ctrl key, "I want to do all," or maybe I just want to do pilot systems. So this is another kind of core tenet of what we're doing here as well: we don't want to force you to go all-in, right? Not every organization wants to go all-in, or does it even make sense for them to go all-in? Plus, of course, there's some scariness here, right, for organizations who haven't done anything in the cloud before. All of a
sudden, right, if you have six-figure numbers of devices, or even if you only have 100 devices, still, putting them all into something relatively new like this is scary, and rightly so. So that's why we have the ability to specify just a subset of your systems. So I can change it, right, I can say none, I can say pilot, or I can say all, and clearly I have pilot here in my lab, and I chose a collection. Pretty basic stuff, right, if you're familiar with Config Manager.

Next we have these workload sliders. I won't go into explicit details right now; we'll talk about those in a little bit more detail in a minute, but basically, when we talk about having two management systems managing the same device, right, this is exactly what co-management is here, right, we've attached our Config Manager-managed devices to Intune. There is overlap, yes. Once again, you know, Config Manager does those things that Intune doesn't do and vice versa, but there's clearly overlap here, and we always have had this issue, you know, in various methods or various forms, even with group policy: if there's two things trying to set the exact same registry value, the exact same setting, regardless of where that setting lives, who wins? How do we resolve the conflict? That question sometimes is a coin flip, right, because it may be something that we never explicitly designed or tested. So how do you control that? Well, that's the explicit purpose of these sliders. We want to make sure that we avoid conflicts, because we don't want to get into that scenario where it may be like, well, it's supposed to win in this case, but then there's all these weird caveats where it may not win, right, and there's other places that we actually have that continuing to happen, unfortunately. But this is one thing we did: we wanted to avoid that when it came to Intune and Config Manager. We wanted it to be very deterministic; we wanted you to know exactly which one was going to be applying those settings, and so that's what these sliders are, right? We have a middle ground, once
again, pilot. We don't want to necessarily force you to do everything everywhere right off the bat if you're not comfortable, or maybe you're never going to want to do everything that way, you know; it's totally up to you based on your requirements, where you're going as an organization and what you think is best. We're not going to force any of this down your throat. In a way, pilot here may not even be the best word, right? We may need to come up with a better word here and replace this, because you may be in pilot mode forever. If you're in pilot mode forever, is it really a pilot anymore? No, not really, and pilot gives the implication that we're forcing you off of that. We're not, in any way. So you can kind of see the sliders; most of the sliders are for the most part self-explanatory, but I'll talk a little bit more about those in a second here as well.

And last, and this is relatively new, if you have an older version of Config Manager, first upgrade, right? If you're not upgrading Config Manager on a relatively frequent basis, I won't explicitly say you're doing it wrong, but I will imply that you're doing it wrong at the very least. So for each of those sliders we can also set it up per collection, right? So if you have different requirements for different subsets of your systems, we can come in here. Now, in my environment I haven't even set anything over to pilot yet, so all of this is grayed out, but I can go fast in some areas, go slow in other areas, or choose not to go at all in other areas, right? Totally up to you, completely under your control to be able to do these kinds of things.

Okay, so let's hop over to, and I thought I had done this, but I did. So if I hop over to my Azure portal, here we go, and I go to my all devices. That's not my all devices, oh, that's the Azure portal, sorry, confusing myself. So this is, I want to go to the endpoint portal, which has clearly been logged out, so let me start in a whole new place. So if we want to go to anything in the MEM console, right, so if we go back to our unification,
part of this is having a unified enterprise admin experience as well, and so we've moved everything under endpoint.microsoft.com. So that's where I'll navigate to here right now, and this is going to be focused specifically on endpoint, on MEM, right? All of the MEM workloads are going to be explicitly in here, and for our co-managed devices, all right, I'm gonna go into Devices, I'm gonna go into Windows. Remember, this is Intune and Config Manager; Config Manager doesn't manage anything else but Windows, and kind of macOS, but we don't really talk about that too much, so we're really talking about Windows here, right? So we're gonna see all of our Windows devices. You can see these bottom three devices here, they all say co-managed. This is relatively new; this is another one of those, if you haven't upgraded Config Manager recently, it says something different, and I don't remember exactly what it is offhand, but I don't think it says co-managed. So, you know, we're refining based on customer feedback that "hey, this terminology was confusing," and even sometimes internally we get confused by it, so we make adjustments there. So always keep up with the latest is another thing there.

But notice I can go in here, I'm going into one of my co-managed devices, there we go, just taking a second, and I can see some interesting information about this device, right, but I have these additional features up here. And these are the big things, you zoom in on those, these are the big things that Intune in general does that Config Manager doesn't do, that you may want to do, right? Clearly we have some Autopilot integration, so that's a good thing; Michael talked a lot about that, you know, right before me, or actually two sessions before me. But we can do these other things like retire and wipe, we can initiate a policy sync, we can actually send a reset down or a restart down. Now, at this point, because Intune is cloud-based, it doesn't matter where our devices are. So let's say, in the wipe scenario, right, so someone
steals our device. In general this would probably be an insider, right, someone who's not necessarily overly intelligent, because they have to connect it back up to a network somewhere; if it's not connected to a network, we can push all the signals we want out from Intune and it's never gonna get there. So it's like employee theft, insider theft, something like that: they take it home and hook it up to their Wi-Fi, all right, maybe they got fired, whatever, right? However, we can send a wipe signal down to it, so now we can wipe all of the user's data and get rid of it. So that's one definite thing there, and a lot of folks are looking for that, right, because BitLocker may or may not be enough, and so this is just another layer of protection that adds to it.

And of course we can come into, not compliance, into device configuration here as well, and I don't have any policies that are set up because I haven't moved any sliders over, but basically all of the policies that are available to us in Intune we can now push down to those co-managed devices as well. Once again, there's potentially some overlap; that's why we have the sliders. You have to carefully plan this out: what makes sense for you to push down via Intune versus what makes sense for you to push down via Config Manager? It's up to you, and you do a little bit of analysis to figure out exactly what is and isn't there.

The other thing we can do is we can set device compliance. Now, there is a built-in device compliance policy, and this leads into conditional access. It just kind of also comes back down to the identity of the device in Azure Active Directory, or having it there, right? When a user logs in from a device, we want to make sure that that device is compliant with a few things: maybe that it has antivirus on it, maybe that it has, not a specified antivirus, but a version of Windows itself, maybe we want to make sure that it's domain joined, right? This is how we can control potentially those BYOD scenarios. So if you've dealt with conditional
access on iOS or Android, very similar concept. This is kind of a carrot-and-stick approach to managing our devices, or really managing the access that our users have to our data. So specifically, a user logs into a system, doesn't matter what system it is, and let's say I have a compliance policy actually set up here. So once I set up a compliance policy, when the user logs in, they log in through Azure AD, so this is about Azure services, things that use Azure AD for user authentication. Once they log into Azure AD, so let's say it's Exchange Online, right, they're going to Exchange Online, they put their password and their credentials across; at that point there are some claims that get sent across as well, and we can check that. We can say "hey, what version operating system are you running? Do you have antivirus? Do you have your firewall turned on? Are you domain joined?" And that's the BYOD scenario: do we want to get rid of that BYOD scenario? And if none of those things are true at that point, we can say "oh, we're not going to send the authentication token back down to you, you're not coming in," right? And so that's a way of controlling, once again, right, it's all about the user's identity at that point in time and making sure that they're on a compliant device. So if you don't have your systems co-managed, then that's a challenging scenario. Co-management leads into that and allows you to take advantage of conditional access.

Another interesting point about co-management is, in addition, there's some rigid signals that we can set. So we'll actually go into it here real quick, the compliance policies in my Azure portal, if you haven't seen this before. I can create a compliance policy, select my platform, in this case of course Windows is all we're worried about, we will just call this "test" because I'm not going to finish this, and now we have all these different settings. So some of the ones I alluded to, right, I didn't talk about BitLocker but that's in here; these are things that we can
check on that device that the user is trying to log in from: a minimum OS version, or our system security, all right, this is all about the things that get registered in the Security Center in Windows, including password, encryption, firewall, antivirus, all of these things that we can check. But these are all relatively rigid checks, right? We can't really do a whole lot of customization; like, the most we can customize here is actually putting in free text for a minimum OS version. There's not much else we can do. Now, once we actually do co-management, and we'll see if I have any baselines in here, I didn't actually check, and we come in here, and I don't have a baseline, but if I created a baseline there's actually a checkbox on the baseline. So this is in Config Manager, so totally open-ended, right? Our baselines can be based on WMI, we can have registry-based baselines, of course we can have PowerShell, which is the ultimate piece of flexibility there. We can create a baseline now that does anything we want, and that compliance information now gets sent up to Intune as well and becomes part of that determination whether the device the user is accessing that Azure resource from is actually compliant. It's completely open-ended checks here. And I said "Azure resource," right, that's not really the exact correct statement here; it's anything that uses Azure AD for authentication, all right? So there's a ton of applications out there outside of the Microsoft ecosystem that actually use Azure AD as their source of authentication. So it's, like I said, it's that carrot-and-stick approach here, and basically we're not allowing the user to access something and forcing them to make sure their device is compliant, joined to the domain, right, that's probably one of the more specific ones, or Azure AD joined, right, once you go and fully embrace the cloud story. But it enables the user to do that at their leisure, and we're still maintaining a high level of security, right? We're
not just letting them go get a compromised device, all right? When we talk about the iOS and Android world, things like jailbreaking become important. It's a little bit of a different story on the Windows side, but it's conceptually exactly the same: let's make sure that the user is coming from a secure device.

Okay, let's go back real quick and let's talk about those sliders just briefly. You guys kind of got a feel for that with the policies; I tried to briefly talk about the policies in Intune, and it's the same thing here, right? It's determining which pieces we want to slide over, so that specifically is this device configuration, right? And notice there's a couple of sub-points under here, but until we move this over, nothing from Intune actually comes down as far as the normal configuration policies go. There are also endpoint protection and resource access policies, so those specifically refer to nodes in the Config Manager console, right? So if we go to Assets and Compliance and we go down under Compliance Settings and we go to Company Resource Access, notice that the name is exactly the same, resource access; so that slider is specifically about all of these settings, right? Those settings are either managed by Config Manager or Intune based upon where you have that slider at, and same with the endpoint one, endpoint protection, right? There's a handful of nodes under here, all right, those are controlled by either Intune or Config Manager, once again based upon exactly where that slider is. So let's see here, did I actually leave it up? Yes, I did. Then we have our compliance policies, so exactly what I just showed you before: who actually owns this? Now, this slider is different. If I move this over to Intune, it just enables compliance in Intune, but it doesn't disable compliance completely in Config Manager; it still allows you to select that check box on the baseline itself, this is "hey, use this for Intune compliance." I don't remember the exact terminology on the check box,
but it's something to that effect. So that's why each of these sliders is slightly different, so you definitely have to read up on them and make an intelligent choice about where you want to move them to. Client apps: this is allowing the line-of-business applications, which are MSI applications and MSIX applications, from Intune, Win32 applications, which are those that you've used the Intune packaging tool to package up, as well as scripts, right? So wherever this is set, if we don't have it set over to Intune, none of that will actually come down from Intune. Now, similar to the compliance policies, setting the slider over here to Intune doesn't mean we can't deploy from Config Manager. This is one that really doesn't have a lot of overlap, right? It could, right: you could create, say, I don't know, a 7-Zip application on both sides and of course deploy it from both sides. In that case you've kind of consciously shot yourself in the foot, and we're not really going to prevent you from doing that, because there's really no way for us to arbitrate that; we don't have an explicit way of equating a package on both sides to say that these are overlapped. So basically we're just giving you the ability to control "hey, I want to use Intune or not," but in this case, right, I still may want to use Config Manager, because Config Manager traditionally has been a much richer way to deploy applications, so we're not gonna prevent you from using Config Manager to do that. Office is very similar: where do you want Office apps to be deployed from and managed and updated, Config Manager or Intune? This is definitely an "or" choice here. And then finally Windows Update: do we want Windows Update for Business in use, and that's the Intune side, or do we want Config Manager to control those? So once again, all of these are up to your control; we're not going to force you to go one way or the other. One of the older pieces of messaging we had was that our goal was to have everyone move over here. You
know I think I think I just build that pretty clearly at the beginning here that's not true if you guys want to be over here great right and it works for you I guess that's the real important point if you guys have moved everything over here and it doesn't work for you go ahead and move it back you know as long as we're able to help you and get these things done great that's that's our end goal now if you want to be over here and it's not working and you do it you're dead set on being over here let us know right let us help you figure out why it's not working it could be by design it could be a bug it could be a lot of different things but let us know we want to be able to help you figure these kinds of things out but the end of the day it's your choice about where you want these all to be at okay so let's go back here back to my slide right so all about client attacks that's co-management when you think about co-management it's all about the clients if I make these slides available there are a couple of hidden slides in here that talk about the management loads or the workloads think they are down here here we go sorry sorry be the clicking around but it has a little bit more description and of course the documentation has a lot more description as well so this slide was all about immediate value right it really is pretty quick and easy for this to happen so within a day you'll probably get a lot of your systems up and we've had a couple of organizations we have one really large organization recently that one of my colleagues started working with and really large just think really large that's the only thing you need to think of and he was working with them and they were talking ok should we do Co management should be not good jouko management and so he's like yeah that's a good thing let's go ahead and do it and that's terminal in Pilot well before you knew it they decided to turn it on everywhere so pretty much overnight there is some scaling that happens so 
it's not like all of their devices got enrolled so it took them a couple of weeks because they have that many number devices for them to get enrolled but they pretty much all it rolled overnight and and it didn't impact anybody so that's another common question we get on this is hey if I turn this on is it going things and of course we never say never right strange things are possible lots of different code paths are possible but to the best of our knowledge and I've never heard of any issue either to the best of my technical knowledge about how all this works this won't affect any of your clients until you start moving those sliders over that's the time when you're going to start impacting what exactly is having happening on those clients so with even without moving those sliders over and that's kind of the intent of this slide here if you're gonna have that wipe you're gonna have that retire you're gonna have some of the basic information about that client in the mem console and so now you can actually see those things from the mem console you no longer need the config manager console for these very specific client centric things okay so about half done here so the next portion here is the tenant attached so this is brand new for 2002 it wasn't preview of course before that but this is exactly similar this is one of the reasons I called it out right so Co management is attaching your clients to the cloud tenant attach is attaching your config mat and your site to the cloud and it's really these blue dotted lines I don't know if you guys can actually see that those are blue but this one right here and this one right here it's about attaching that to the cloud so attaching config manager to the mem console and starting to expose config manager via Azure and the Andrew portal and the mem portal really so one of the questions and I don't know if this is one of Dee Jim's favorite questions but he's answered it lots and lots of times that I've heard a mansard over the 
years which means he's probably answered it even more than that is when are we gonna have a web console and his answer always was well it's gonna take me probably you know a couple hundred man years to be able to do something like that and I think there's more valuable things to work on and and so that answer is still true right they're never gonna be able to replicate the entire console it took them a long time just to port the MMC from config manager 2007 to what we have today in the current admin console in 2012 and current branch it took him a couple of years just to do that as it was and I don't know how many developers he had on that you know they were probably like four or five developers on that one instead of a long time as really the core and it doesn't make sense for them to redesign all of that when there's a lot of other stuff that they should be tackling or they think they should be we think we should be tackling really but now that we have this wonderful Azure portal that has all the constructs done that in general most people like that is accessible from anywhere so that's another cool piece about it right we can be anywhere we want we don't have to you know load a console on one of our systems we can you know be maybe at an employee's desk and we can launch it in private browser we can be in a home potentially there's lots of different variables here I think there's even an iOS app probably an Android app as well I don't think the BEM council is there yet but um you know the the moral there is that you know it's access anywhere and we don't have to be worrying about that specifically and so that's what the you know Azure portal has started opening the door and and we realize that hey wow we can take advantage of this now same mantra though we're never gonna replicate the entire admin console that's a ton of work we don't think that there's a ton of value in doing everything right if we had to start from day zero today and that's where we were sure 
that would probably be the place to start but it just doesn't make sense to do that today but if we can surface certain workloads that's the moral here so what are the important things or what are some easy things that we can initially enable and then we'll continue to iterate on it but what are some initial of easy things we can do so the first one was a help desk scenarios you know how this folks constantly need like one or two little things right in the console and so most organizations are very hesitant to dish out the console to those type folks so if we can start enabling some of those small things that we need and continue to iterate on that right this is you know I think I've said a bunch of times that's a huge piece here as well we're not going to give everything at one time right this isn't 2007 where we work for five years to get 2012 out the door we want to be able to give you small bite-sized things and continue to build on that as we go along and so that's exactly what's going on here as well so I think I've stayed on that slide for a little bit too long here so let me go and I'll actually start showing you someone so may I should go to my console here and I'm gonna go to this one and I think I have it here yes so these devices you guys may have seen this when I pulled up my devices before I have other devices in here besides those ones that were just co-managed right so I have these all up here notice they don't say that they're co-managed well you may be able to guess from the name but I'll show you explicitly I click on Apple 1 or app one here right there mean zoom in over here notice it's a server and that doesn't mean that I'm managing it remember this is the site that is actually communicating with Azure it's not the client itself basically what I'm doing is surfacing site data imagers so that I can see things so I have some basic inventory here clearly not a ton yet right this is v1 maybe a little bit generous this might be be point one or so 
however you want to characterize it doesn't really matter but this was our first go at doing all of this right and now I can see my servers here so me as a helpdesk person I may not be managing servers or maybe just my server I've been right most organizations have server admins that don't go into config manager either but still may need to do some helpdesk type of things I can do that I can go into the mem portal I don't have to have the full admin console so I can do this from anywhere and the first three things that get surfaced right off the bat so this is what's in 2002 today are these three client notification pieces all right we have our Sigma Sheen policy or sync user policy and our app about cycle those are once again some of the most common things that the help desk folks do we just want to sync that policy down so that's in there great pretty easy there is a hardware tab here so we can see a little bit more information on this system as well not a ton more and some of this just I think because my systems are all VMs some of these would fill in but not all of them are so if I go back here notice I can get the same things on my code manage devices but these are complementary or really supplementary I don't know one of the two but they're not overlapping clearly they're both creating a record or updating the same object in our mental but their functionality is slightly different so I have all these things that I had up here before from from Co management but if I do my ellipses I have these three things way over here again hopefully you guys can see that now same three things those are those same three client notification actions the other thing that's in here and this is at the bottom here right because this is co-managed we can see the into manage workloads as you guys saw I don't have any of my sliders slid over so I don't actually have anything in there but then right above this this is coming from tenet attached here and I can actually see that my 
client is healthy I can see the last time the client checked in so it's one of those other common helpdesk things hey when's the last time I've even seen this client why am i trying to troubleshoot this client the site hasn't even talked to in like four months right whatever someone stopped it in a drawer why am I trying to troubleshoot something that someone's stuffed in a drawer alright and this is going to help them answer those kinds of questions so that's kind of this scratching the surface of what we can do a tenant attached now the cool thing about tenant attacks here as well it is part of you go back here in the console it is part of co-management remember I said before you guys saw me skip over a tab in the properties for Co management this configure upload it is here technically part of Co management but it is literally just a single check box all right that's it now I can all or nothing' once again in my environment I decided to not do all actually I did do all because I put everything in this collection but I just wanted to test out having the collection so I limited to a specific collection so maybe there's some devices you totally don't want to touch right domain controllers I don't know exchange servers other things that you just don't want to have that information up right everyone has their own reasons great we've given you the flexibility to be able to do that now the one thing that does kind of come up here though is hey this is part of Co management which means I'm not ready to attach my clients because maybe they're not hybrid Azure ad domain joined yet that is a prerequisite for Co management maybe I'm not ready to do that again well we can still set up Co management and on the enablement page we just set this to none right we do all the things that we normally would for Co management which connects your site and allows your site to communicate with with in tune but we just set this to none and that way we're not doing code yeah we set it to 
none we come over here to configure upload we turn this off and now the site itself is simply sending data straight from the site to mem or and surfacing it through the mem console pretty simple pretty quick and easy to actually do this one is super easy to do.how three a two thousand two like I said but if you haven't done this one and you have as you're already knew you know people aren't afraid of a new organization highly encourage you to do this one right off the bat now there's not a ton of functionality in there today oops I don't want the timeline you know like you said it's just these three things down here right the different client notification actions but once again this is really just the beginning we are going to iterate on this and iterate on this like crazy probably because it opens up so many cool possibilities so that opens up what are the cool possibilities and this was going to take me a second to log in here this is a different lab this is a TP lab of a colleague so it takes a second for it to actually log in here but if you've read the what's new for the 2005 the 2005 TP this is going to show you what some of that stuff is so it's the only launch to console if you happen to be running with 2005 TP there is a bug where that a console shuts down every hour so that's why I didn't have it open right away but if we go in here and we go to our devices and this isn't going to be the end experience and experience is it's definitely going to be integrated in with the normal mem console but because of the preview and because we're doing lots of preview which type stuff we have to get to it in a slightly special way so I'm just going to choose one of these clients and I'm gonna go to the ever confusing Start menu and and if any of you have ever worked with anyone else and told them to go to the Start menu and of course they gravitate down here you can feel my pain there because that happens quite often with me so let's go to the admin center preview I 
click that really quick hopefully you guys saw that I'll just do that again once again this isn't the normal workflow there will probably be something along these lines in the final workflow or you know one of the clothes that are coming up but for now this was the easiest way to do it because we can't directly navigate to this in the mem portal so once I clicked on that it opened very similar to the men portal this is a preview portal right it says preview up here if you actually look at the URL preview and as all this other preview words in there but all these blades will eventually get integrated in so I click on this specific client here I have no idea what this client is FN but you can see some of the basic information that we actually have in here but now we can start of seeing some other interesting things one of the things we added in 2002 was being able to track boundaries we can see that here in the portal so once again those helpdesk type tasks that's our first pass at this lets surface that up here so that we don't have to have the console other cool things and a lot of people are starting to wait for this there's a new piece that we're working on it's called endpoint analytics and point analytics is explicitly about telling you things like when did the system reboot and you can actually see on this system here I think one of the other systems has some more interesting information but and the documentation gives you all the different events that we're tracking now but you can see this guy booted I'll zoom in just so maybe you can read that one a little bit better could just be my bad eyes maybe everyone can actually read well but notice that we initiated a shutdown there so we can actually see when these events happen as well things like app crashes blue screens group policy or time time to boot right and dividing that time to boot into group policy time or alternate time there's there's other times it happened during boot I think driver loads I don't 
remember all the details that are in there but those are all gonna show up is events in here and then they're all gonna show up in this Timeline view up here so now once again helpdesk scenario user whatever right is having issues and of course this is all going to be collected data so it's not like we're gonna be focused on just a single system and all of a sudden if we see who knows Google Chrome I don't know pick on them has started crashing in our environment and we've got 5,000 crashes of Google Chrome in our 6000 person environment in the last day hey we've got an issue we've got some type of issue we need to go figure that out tracking that kind of data today totally possible right most of this stuff is just in the event log there's no easy tool to be able to collect it or show it in as nice time by going back to that help desk scenario how awesome would it be you as a help desk you know level 1 level 2 type person to go in here and say oh yeah it looks like your system blue screen this morning maybe that's why you're having issues maybe there's a driver issue and now they can start asking these additional questions right this dent of itself isn't going to answer any other questions about what's wrong with the user system or why they're having problems but it gives them information to continue to start asking new questions that they never even thought that they could have asked before or should have asked before because now we know hey you know you user why are you rebooting your system every two hours right and these who may be like well there's some weird instability and I need to do that but the user probably would've never mentioned that before so it's all about servicing this additional data that was never visible before another thing in is showing collections we added this on the tabs in the console a little while ago but hey if I want to see collections I can see that in here now another thing we added I think this came in in 1902 but wasn't fully 
realized until 1906 was being able to do on-demand application installs I don't think any of these are actually enabled for it so if I click to install it probably won't work but this is the on demand application installed piece that we added right in 1902 we had to use a PowerShell script to trigger it but in 1906 it was fully realized in the console so now Mina's helped us Gavin once again you know I get the call from whoever right John Doe whatever happens to be his name you go find the application that they're requesting assuming they're approved over no real approval process you know you need to handle that through your own ticketing system and that kind of stuff but I want to kick it off boom I hit install this goes down through client notification right the same thing we've been doing on the back end it's gonna take slightly longer because of course this is an azure the signal has to get sent down to your site first and your site has to send the signal out but we're not talking like minutes or anything here we're talking seconds in most cases that it's going to take an additional here I think and I can click install and the users gonna have that installation while they're on the phone right they're not going to have to wait for the policy refresh they're not gonna have to wait to be dropped into a collection they're not gonna have to wait for any of that basically that instant gratification that most people have in general been asking for for I don't know 20 years that I've worked with SMS and config manager we in config manager and now we've surfaced it directly here in the men portal as well pretty cool I'm gonna skip seeing pivot for a second I'll come back to that so scripts right we added PowerShell scripts a while ago 18:06 was probably when it came out of preview and not that I ever remember anymore but same thing right we can send scripts down to do whatever we want on our systems now using the run scripts feature that's in config manager will notice 
here there's only one script in this environment but I can actually run this script I can't say I've done that in this environment but I'm gonna go ahead and click on it anyway and we'll see what exactly happens just by the name look it's describing device architecture I think this was just a W my query I noticed the scripts running and we should get some feedback here in a second I probably won't wait for too long on it oh there we go look at that so and and give it a little bit of context I mean that came back in I don't know how long did I talk maybe four seconds I know I'm long-winded sometimes but it still wasn't very long that was on one device if you played with run scripts before all and config manage you know that it's relatively parallel it's not completely parallel because that doesn't make sense but it is relatively parallel we would have gotten the same result from all the systems as well and it would have come back in relatively the same timeframe and of course this was me sitting in Azure right so I am remoted into a box and running now but I could have from my box here at home logged into the azure portal the exact same way sent that signal to my site wherever my site happened to be you know could be across the country it could be across the world and then that could send the signal out to wherever the clients are whether those clients are on Prem this works over CMG as well right they could have sent that out now all directly here from the ad report and have to install anything I just had out of bright credentials and the right permissions which of course is why you should be using MFA as well but that's a whole separate side topic so the last one is cm pivot for those of you who haven't played around with cm pivot cm pivot is a way to do ad hoc queries in real time very simple it's similar to to powershell scripts they're not really open-ended like powershell scripts but it's like querying entities right on the system so you're kind of querying 
WMI in a way it's more than WMI those so that's that's not necessarily the best thing to say and it sends that query out in real time all right very similar to what we just saw with scripts there we go so okay this one actually gave me a time the previous one may have given me a time as well but in 17 seconds I just queried this system and I got all the stuff back from the win32 operating system class in this case this one does directly correspond it every mine but not all of the entities do correspond to it so I could run this potentially we haven't wired all of this up yet this is still a technical preview for these pieces but I could run this against as many systems as I wanted to run it against write anything that's managed in the config manager world is now going to be surfaced up here and I can run this against them right all the coolness all the power of CM pivot that's always been there once they always added that relatively recently as well and now we can see all of that information this is still a work in progress so it's you know it's kind of basic right we don't have our entity chooser we don't have a lot of those things that were used to in the normal seem to it but we got that information back and once again this can be all our systems on the internet if they're connected via CMG it's kind of going back to that your very first statement of hey we just sent all of our users home now what well this was wired up a big deal right initially I don't even have to have the console installed anywhere I just log into the azure portal and I can start doing these kinds of things not all real necessarily today but that's where we're going with it right and so now even you like your helpdesk people right you know you go to Sea World I had this happen when I was an FTE for an organization I went to SeaWorld with the family of course and and when I got home I had like 60 text messages because the entire data center had shut down so in a way I was really glad I missed 
all those text messages but let's pretend we're today and I actually got a text message and I had a mobile device with me capable of getting to this portal I could have actually gone in and maybe and done some help right I could actually you know send these kinds of things query things and whatever right you with all kinds of crazy scenarios I think it's pretty unbounded there okay so that's cool that's TP for those of you haven't played with teepees anyone can do that they're limited to ten clients and and pretty cool to be able to do so okay so back to the slides I think I talked about everything that's on this slide does not require CMG but clearly some of those things in there right if you have zmg they get even cooler that's really what it comes down to here's the you know the thing I pointed out even though it is on the co-management configuration piece here you don't really have to have co-management it literally is just this one checkbox whether you have code and if you already have code management it's it's you know you don't even have to go through the code management wizard it's just this checkbox I had a customer do that to me this week actually I had a Monday morning meeting with them and he had already started doing co-management on their devices I don't know they done about 8,000 or so already and I had we talked about tenet attached for you know 20 minutes or so and he said that's cool when I go get approval for doing that by the time I met with him on Wednesday again he had it enabled and all of his devices were showing up in the mountain console his tenant attached including all of his servers so it was pretty cool pretty easy to do almost zero impact writing and I say almost because once again right strange things are possible but in their environment they saw no impact everything just worked so so that's you know what it is in public preview today so the other you know the other piece and I've alluded to this a bunch of times here this is this 
is just the beginning this is just the beginning of our error process on both co-management and tenets attached clearly tenon attached I think has further to go because there's so many things we can do in the admin console right and all of those things are possibilities to move over to mem and for those tenant attached scenarios but even with co-management right in tune itself there's a new release of in tune every single month and there's new features within in tune every single month so all of those things we have to account for as well because we don't want to create conflicts and as in tune adds new things right there's going to be killer things that into comes up with it only makes sense to run from the cloud right that we want to be able to take advantage of on our system without throwing out config manager right because we love config manager we all want to use to big manager still and so we want to have the best of both worlds the better together story is absolutely true here but it is just the tip of the iceberg and so this is another upset it a couple times here as well if you're not keeping up with your config manager builds you're really missing out you really have to work on any leadership folks that have a problem with this DJ I may throw up some statistics he does it every and most of his conferences about the velocity that we have on folks that upgrade with no problems right we have telemetry around all the folks is upgrade to the latest builds all of the issues they have we have ways of pushing out fixes dynamically so most folks don't realize this you don't have to install hotfix sometimes sometimes these fixes actually do come down dynamically those are typically around set up though alright so if there's an issue during setup itself but we see staggeringly low numbers of issues that happen during setup they still happen right every environments different when you're dealing with a hundred thousand different environments they have all their own 
variables there's going to be a couple of issues here and there but we respond to those really quickly so just encourage you to stay up-to-date on config manager in tune kind of cool stays up-to-date all by itself right so there's not what you actually have to do there that's kind of a blessing and a curse sometimes because all of a sudden that check box you were counting on being there is not there anymore be as your tenant cut roll down depending upon where your tenants up it may be in one tenant and not another tenant so you got to keep you got to keep track of it on the inside as well but that's cool right we're continuing to work on both of them we're continuing and make sure that better together story is certainly there I think I talked about everything in here so this is mainly about right just making sure that you guys have it in the slides I think the main thing is this statement up here right this is never going to be intended to replace the admin console completely as far as tenant attach goes we are surfacing some things and and we've got we're always looking for ideas here as well right the help desk scenario is clearly the the low-hanging fruit or the one that that's most common that it has the most bang for the buck but there are tons of other scenarios and so folks have like this specific scenario that they think everyone can benefit from we need these specific features you know put it in the feedback put it you know for those of you that don't know so just to make sure right if you go up here and you're config manager console and you hit the smiley face hmm we look at this we really seriously look at this go put that feedback in it goes into our devs pipeline they love seeing smiley faces - they probably don't see enough smiley faces you know just to see how appreciated we they are and what kind of cool stuff they do so okay I think this is the last meaningful slide I have here and this is also just a summary I doubt that I talk about every little 
piece that's on here what's in the green box is really what we talked about right if you want to say on premises great like I said at the beginning we're not going to force you off you know we want to make sure that you're getting what you need and if you're getting what you need out of what we're doing for you great we're happy right kind of thing with all the way on the right there right if you want to do MDM full internet media management on your clients great we're happy that you're gonna do that I will say that I think they're potentially some shortcomings there are lots of organizations that are successfully doing this so don't think that it's you know something that you're gonna fall flat on but there are gaps right particularly with expectations right if you're used to config manager and you moved it into it's gonna at the very least be quite different right for certain things and so you may run into a few things you know this fully understandable would want to improve those kinds of things but if you're in the middle right you want config manager and you know that all this additional value has benefits for you crate and that's where these two pieces come in there's clearly kind of some overlap there and you can see those first few check boxes there are a little bit of overlap but they both do provide value in both Co management and cloud or intended attached for about tons of a bit for organizations and they're really at the end of the day super simple to do I think the biggest thing that's or the thing that's the most difficult to do in most organizations is to get started particularly with that add ready connecting getting your device's hybrid and ready to main joined because convincing people what it is why it won't break everything in their environment that's the first hurdle and a lot of that's more political and logistics than it is actually technical once you get going on to these kinds of things and become second nature in your organization it just 
it becomes exactly that second nature people start accepting it people start seeing the value from it and it becomes that much easier to start checking those additional checkboxes to continue to add that additional value just some links here at the end right there's actually some walkthroughs there's actually a click-through walkthrough co-management it actually shows you everything so if you're still not convinced and you want to see it in a little more detail that's there right there is a whole series a whole series on code management as well and then there's some partners stuff there as well and that in a nutshell is cloud attached and Co management so hopefully you guys will all go turn that on if you haven't done it already or it goes stand up a TP site and go see the coolness that I kind of showed you the tip of the iceberg up there that's it for me thank you very much everybody and I will go through the the QA I think Rob and some other folks have been going to the QIO as well and I put my Twitter all the way at the beginning sorry let me go right back to that definitely reach out to me on Twitter and I'd love to hear feedback from folks having tons of issues or one issue that that's just a showstopper for you New York
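The workload sliders the talk walks through are recorded on each client as a single bitmask, which is the quickest way for a help desk or an auditor to confirm which workloads a given device actually takes from Intune versus Config Manager. The PowerShell below is an added example, not part of the talk or of any Microsoft tooling; it assumes the documented `CoManagementFlags` value under `HKLM:\SOFTWARE\Microsoft\CCM` and the documented bit assignments (bit 0 = co-management enabled, one further bit per slider), both of which should be verified against the client's CoManagementHandler.log before the output is relied on.

```powershell
# Added example (not from the talk): decode a client's co-management workload
# bitmask into the slider names discussed above.
# ASSUMPTIONS (verify against your own client and the current documentation):
#   - the value lives at HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags
#   - bit 0 (value 1) means "co-management enabled, no workloads moved"
#   - each slider sets exactly one additional bit, as listed below

$WorkloadBits = [ordered]@{
    'Compliance policies'      = 2
    'Resource access policies' = 4
    'Device configuration'     = 8
    'Windows Update policies'  = 16
    'Endpoint Protection'      = 32
    'Client apps'              = 64
    'Office Click-to-Run apps' = 128
}

function Get-CoManagementState {
    <#
      Decode a CoManagementFlags value into the Intune-owned and ConfigMgr-owned
      workload lists. Pass -Flags to decode a value you already have (for example
      one copied from a remote client's log); omit it to read the local registry.
    #>
    [CmdletBinding()]
    param(
        [int]$Flags = -1,
        [string]$RegPath = 'HKLM:\SOFTWARE\Microsoft\CCM'   # assumed location
    )

    if ($Flags -lt 0) {
        $item = Get-ItemProperty -Path $RegPath -Name CoManagementFlags -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No value at all: the client has never been told to co-manage.
            return [pscustomobject]@{
                Flags              = 0
                Enabled            = $false
                IntuneWorkloads    = @()
                ConfigMgrWorkloads = @($WorkloadBits.Keys)
                Note               = 'CoManagementFlags not present; co-management never enabled on this client'
            }
        }
        $Flags = [int]$item.CoManagementFlags
    }

    $enabled  = ($Flags -band 1) -eq 1
    $toIntune = New-Object System.Collections.Generic.List[string]
    $toCM     = New-Object System.Collections.Generic.List[string]

    foreach ($name in $WorkloadBits.Keys) {
        # A workload bit only means anything when the "enabled" bit is also set.
        if ($enabled -and (($Flags -band $WorkloadBits[$name]) -ne 0)) { $toIntune.Add($name) }
        else                                                            { $toCM.Add($name) }
    }

    # Per the talk, moving Compliance policies or Client apps to Intune does not
    # stop ConfigMgr from still deploying baselines or applications; flag that so
    # nobody reads "IntuneWorkloads" as "ConfigMgr is switched off for these".
    $sharedNote = @($toIntune | Where-Object { $_ -in 'Compliance policies', 'Client apps' })
    $note = if ($sharedNote.Count -gt 0) {
        "ConfigMgr can still deploy for: $($sharedNote -join ', ')"
    } else { '' }

    [pscustomobject]@{
        Flags              = $Flags
        Enabled            = $enabled
        IntuneWorkloads    = @($toIntune)
        ConfigMgrWorkloads = @($toCM)
        Note               = $note
    }
}

# Constructed sample values (not read from any real client):
#   1   -> enabled, every slider still on Config Manager (the state shown in the demo)
#   67  -> enabled, Compliance policies (2) and Client apps (64) moved to Intune
#   255 -> enabled, every workload moved to Intune
foreach ($sample in 1, 67, 255) {
    Get-CoManagementState -Flags $sample | Format-List
}

# On a real client, run with no arguments to read the local registry value:
#   Get-CoManagementState
```

Because the site, not the client, is what tenant attach surfaces into the MEM console, this client-side read is the quickest way to reconcile what the portal's "Intune managed workloads" section shows with what the device itself believes.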
Info
Channel: HASMUG
Views: 1,153
Keywords: Microsoft Endpoint Manager, TXSMUG, CTSMUG, HASMUG, DFWSMUG, SASMUG, Work From Home, Jason Sandys, Configuration Manager, Cloud Attach, Tenant Attach
Id: 1o2dnFDAbjA
Length: 59min 9sec (3549 seconds)
Published: Sun Jun 14 2020