Off The Cuff - ConfigMgr Cloud Management Gateway, Co-Management & VPN for Remote Devices - (I.T)

Captions
So, hi, I am Adam Gross and I have lost my mind, clearly, and then we've got Bryan Dam. Hey Bryan. I've never had it. Plus we've got a whole bunch of other cool folks, so thanks for joining us at very, very, very short notice. So what Bryan and I just decided over Discord, about one minute before you guys all got on here, was: hey, let's... I think I just talked him into it, he's been drinking a little bit this evening. Said hey, let's see if we can maybe get some clients to, you know, do some talking over Cloud Management Gateway and look at options for co-management when you're doing things over the VPN, stuff like that, for all of our folks working from home. So yeah, that's kind of what we're gonna do, and I'm sorry, I am trying to spin up all of my resources. We've kind of started everything before I got... I'm seeing that I don't have internet connectivity, that's what I'm trying to sort out here. So Bryan, fill some time while I do that.

Sure. You should share out, I know Cheryl Rob's... Yeah, I was gonna start with the fact that, you know, all of a sudden, for no reason at all, in the last couple of days everyone's suddenly interested about, hey, what about my, you know, my co-workers are working from home, how do I make that happen? And so we were kind of spitballing some different ideas, and then I was literally in the middle of writing a blog post, and then Rob York of course went and screwed that all up by doing it much better than I would have done. And so if you haven't seen it, I'm gonna go ahead and paste this in; of course everyone here has, but let me share my screen here. And he just goes down the list, and before you all yell at me: yes, you need split tunneling. I mean, and that's an interesting one, like is anybody here really, really worried about actual split tunneling from a security perspective? Like, I looked at that this afternoon, and I only play a network admin on TV... I'm not on TV, but whatever I'm on, that's where I play a network admin. But I looked into it, I
just don't... I don't see the... I kind of get it, but in the zero trust model we have these days, I just don't understand what the argument is against enabling split tunneling.

Well, so Bryan, let's talk about what in the world is split tunneling, for those who don't give a flip about networking and have never even looked at this. Would you like to define the relationship?

Yeah, yeah. So I mean, you have full tunneling and split tunneling, and I'm sure different vendors refer to those as different things, but the main concept is what's the traffic flow, right? And so when you're connected to a VPN, if you have full tunneling, then all of your traffic, every single packet, is flowing through that VPN, and ostensibly the whole point of that is so it's flowing through your organization's, you know, security stuff, right? So they can do deep packet inspection, they can make sure you're, you know, behind their proxies, so on and so forth. Now the downside of that is when you need to get content, like for instance updates, right? You're talking gigabytes of data times everyone, and that's the shitshow that's going on right now. And so split tunneling in theory says, okay, instead of just routing all the traffic, how about I just route the traffic that actually needs to be local, right? So again, this is just going to feel legacy, but like, you know, when you talk about file... this is where it all started, right? I have an on-premise Exchange server, I have an on-premise file server, and my people are going to go home and they need access to it. Well, okay, great, so why don't you just tunnel that traffic through the VPN, and then everything else... well, they have a great internet connection, so why don't we just use that, right? So if they want to surf Reddit, why would we route Reddit through our own...? Exactly right. Keeps YouTube the hell off the VPN. That is what split tunneling is. Again, full tunneling: all the traffic
goes through over your VPN connection into your organization's network and then back out of your organization's network, right? It's a double hit. Whereas split tunneling is, let's split that tunnel so that only the traffic that needs to come from the organization comes from it; everything else just goes off the normal... And the obvious reason to do that is to lower... all the non-essential traffic, if you will, to not route it over your... to not clog up your precious resource of your internet connection for your organization.

Now I've got to push back as well: it's a big security hole. And I kind of looked at it and I tried to dig in, and again I'm not going to pretend to be an expert here, but the idea is like, well, if you split tunnel, then you have this machine that's all on the internet, right, unprotected, just out in the wild, and yet it has this protected connection into your... right? And so that becomes this vector for infecting your internal network. And I kind of get it, like I understand the rationale, and yet I think we're in a day and age when, you know, everything is a vector, right? Like just your computer is going to go off the network and it's going to get infected and then come back on the network, so it just seems like a weird thing. But yeah, I mean there's gonna be some... the military, yeah, there's some places where it's like it has to be, though, and I get it.

Yeah, so I mean, I think some of the stuff that has come out recently, though, has been this idea that if your idea of securing your network is having full tunneling for VPN, like if that's your only control on your endpoints, I mean, are you really secure? Because I know for us, we allow users to turn off the VPN too, because there are times where the VPN does not behave properly and we don't want it to do what it's doing. So, you know, I don't know, like if we let our users turn off the VPN, then how are we actually
securing them? Like what's the point there? So like there should definitely be another mechanism for keeping your... other defense-in-depth, right? So more things helping protect your devices than just your VPN and making sure it's tunneling back. So the moment you let that device out the door, you already were opening it up to security holes. Tunneling your internet traffic seems hardly to be the main concern you should have over device security, right?

Yeah, and again, I am NOT a network security guru, but I know the people where I used to work are pretty smart at what they do, and they were like, yeah, split tunneling's not a big problem, and part of it convinced... we don't trust that system. But I get it, right? There are, you know, when we talk about this, people are like, well, you know, it's a standard, right? Like Riley is saying, it's standard in military and government and those contractors. So I get it, right? And that's where I think CMG... want to say the CMG... it doesn't help you there either. Basically, without split tunneling we're screwed. And we had an argument, not really an argument, but it happened today, you know, guys like, how do I solve this problem? But I can't turn on split tunneling, so how do I not route information through my organization? Yeah, good luck, right? Like that's a showstopper.

Yeah, all right. So Bryan has been buying me some time and I feel like I'm squandering it on this uninstall here, but I'm hoping I can get it... there we go, thinking I can get it sorted. I had to reboot my domain controller here in the lab, it's not liking me. And so Jonathan, right, you're saying it's a couple of people that had that response, right? Like, in the military they just don't give you access. Well yeah, that's essentially what it boils down to. I don't know if you can hear me now, we had issues earlier. Yeah, a lot of them are very heavily
entrenched: this is how we're gonna do it. And the problem with those is that you need to rebuild the castle inside the castle and then get rid of the other castle. So doing that, you like castles, is basically because of this whole concept of we're going to take identity and make it the perimeter, but organizations need to do a lot of stuff to get ready for that. And so you can't just easily say, all right, we're gonna start down that road and at the same time turn this off. And it's not a fast, it's not a quick journey, contrary to what some people might tell you; it takes time. And so it's not like somebody can just say, oh, we're gonna turn that off right now.

All right, so I've got my lab sort of spinning here. So I should have co-management enabled already in my lab, and so we're not going to walk through actually configuring those things. I should also have that cloud management gateway set up, but let's at least talk about this for a moment here. So okay, first of all, I'm running Config Manager current branch, the latest of whatever, 1910 I believe, and I've just gone through the setup wizard to enable co-management. I've also got the Intune enrollment piece configured here so I can actually Autopilot devices into Intune, and I've also got all of my sliders slid over here. And so one of the things that we're looking at, monster, is the, well, you know, I'm testing, I'm looking at stuff, right? So the great thing about this is the way... I mean, the way it is, is that you can still deliver... so let's talk about client apps for a minute, this is an easy one. So client apps: you can deliver Intune apps or you can deliver Config Manager apps while the machine is running Config Manager. So if I've got an Azure AD joined machine and I want to manage it with Intune, I can, during Autopilot, install the Config Manager client on that machine, and then it will... I can enroll it into Config Manager and co-manage an Intune device with Config Manager, and then I
can deploy Intune apps to it, or deploy apps to it in general, either from Intune or from Config Manager. And so same thing, I've got Windows Update policy, so I can govern how Windows updates get applied, either from Config Manager or from Intune, on this device or on any devices that are co-managed. And so you can also, even if I wanted to slide this to Pilot, so if you slide the sliders to Pilot, and then in here, in staging, you can then target each of those sliders to an individual collection that you want to, you know, test those particular things on. So you don't have to do it... it's not a... this is a really great thing with the staging piece here that allows you to slice and dice this up a little bit. So I'm just going to leave those where they are. So that's kind of... I've got co-management enabled, and enabled for all of my devices, and then also as part of that, whenever you're configuring your co-management, you can enable a cloud management gateway as well as part of that process. And so I think, at least my feeling anyway, is that there is this mysterious, you know, thing about the cloud management gateway that people are just like, I don't know what that is, it's just out there and it's a thing and I'm not sure. So it's simply just an Azure resource that gets spun up.

I think a lot of it comes from, you know, internet-based client management, right? Like I tried reading those docs and I just wanted to basically end my life. Okay, yeah, yeah, it was like... well, so inside my Config Manager client, we can see the name of... I'll fix my RDP session here. Okay, so you can see the name of the cloud service, all right? So then inside of Azure I can go and I can see all of my cloud services, and I can see that I have the same-named service here, and all that is is a remote... it's just a server spinning up in the cloud, and in fact you can enable RDP to it. And so I'm just gonna give this a
shot, just because we're here and why not. Oh, I don't have a certificate for it. Oh no, okay, that's fine. And oh, I've got to give it a stronger password.

I hate to interrupt and make mention of the fact that it is very unsupported to do anything to the CMG beyond troubleshooting once you log into it. I've seen many a customer attempt to install their security software on it and then wonder why it disappeared. Oh really? Oh yeah.

Yeah, so we definitely are just doing this as a proof of concept, just to illustrate what is going on here. But essentially, and I don't know that I even did the roles correctly here, I probably should drop that down as I did this, but it is like... it's key, right? Like the way I've always understood CMG, and you guys can fight me on this, is it's internet-based client management. It is that: it's just you're running a VM, and you're running at a VM... sorry, you're running the VM running a proxy client, that's all it is. It's just a server, look, it's a standard A2v2 VM running in Azure that just automatically gets spun up and provisioned. It's got an IP address and it's got a proxy service running on it, and you can manage it and do things with it. It's just the machine, so that's all. Really change the background? Yeah, probably, and I've probably hosed it up by messing up these remote desktop settings, but we'll see how that goes. So that's really all you've got here from the CMG perspective.

And so the CMG is the proxy service, but then, and I misstated here, not... what, you don't set up the CMG when you're setting up co-management. You set up your cloud distribution point, and you can configure your cloud management gateway to act as a cloud DP when you set it up. Sorry, I was thinking the wrong thing there. So then you have to set both of these things up, configure both of them, pretty straightforward configuration. You can even tell it you want more than one VM in the cloud and it would
create more than one there. There are some special things you do here with your certificates, so depending on if you're using a CA on-premise, a CA from AD, you can generate a certificate there, or you can use a public wildcard cert, or even... it doesn't have to be wildcard, it's just easier to do, especially lab-wise. And then depending on the type of cert that you create, it would then generate a specific deployment name here. So this one is telling me that I'm using a CA-generated cert, because this is giving me a deployment name of a cloudapp.net name for it. So then my full URL to the proxy would be asdcmg1.cloudapp.net, and I want to say, if I go back over here, so once you set up your cloud management gateway and you go back into your co-management settings, this is where you get the command line that's listed there; it should include that cloudapp.net address, which is my proxy for the cloud management gateway. That kind of all makes sense. I'm just going to look at the comments to see if the comments are shaking their heads. Okay, so long just to spin up, but here you go. Okay, so then I've got a public URL that I set up on my domain, and I toggle back and forth on CA cert versus wildcard, or public versus private, and it changes the way you can configure these, but essentially this is an address that points to my CMG to tell my client where its gateway is. So it kind of makes sense so far. You'll have to speak up, because I'm not... or Bryan, they'll have to read the comments to make sure I'm not missing anything there.

In my case, if you don't want me commenting... so my personal preference on it is doing a custom domain name, but doing a specific certificate for that name issued from a public CA, just because as you do things down the road it gives you a little more flexibility. It's, oh, I want to install this random client over here, I don't need to worry about, oh, I need to load my certificate chain at the same time. Wildcard certificates are not such a great
idea from a security perspective, if you can avoid them. Yes. Would you do a sub-domain, Riley? Like, would you do cmg.myorg.com? Yeah, well, one of the limitations with the app service is that the subdomain would have to be my-cmg-org-name.mydomain.com, because the subdomain has to be unique. Yes, and that's a good point. I'm so used to just playing around with it in the lab, and, you know, I'm not paying for public non-wildcard certs, that's a hassle. So, but when you use the wildcard cert you still have to give it a full... you can still customize that URL that you generate there.

Okay, so then once you've got that set up, the next piece is, okay, so number one, you've got a VM now in Azure that is generating some cost, and if Rob was in here Rob would tell us how much that cost is, and he looks like he already left, so I'm really sad. But the penny is... it's pennies per client, and, you know, it's one of those things where I was thinking about it, saying, you know, why does Microsoft even bother charging us for it if it's so cheap? Just, you know, why don't you just say it's free, and I think people will just start adopting it a lot more. But yeah, that's a whole different thing. So the cloud management gateway itself is really just proxying the traffic. It's when you then want to host content on the cloud distribution point that I think it becomes more costly, because then you've got clients pulling content from there. And so let's look at that for just a moment. So if I go into my site configuration, distribution point, it's down here. It's been like a couple of weeks since I've even opened the console, so this is fun. Okay, so you can see it's just listed as another distribution point, and I can look to see information about it, and it will even tell me, you know, I've got... I know I've got content pushed to it. I know why everything's taking so long to open: I opened them... but so I can see I've got all
this content sitting there. So it's just a regular DP sitting in the cloud. All right, well that's cool. So then I've got a VM here that is currently on my domain, but now here's the difference, at least... so you're gonna have to imagine that we have VPN enabled, because I don't have VPN in my lab. But what I want to demonstrate is that we can... like, I know what I want to say but I can't seem to say it. Um, sorry. Okay, so while my client is on the domain it's hitting my distribution point that's on my domain, but once it goes over VPN it's a question of where do I want that client to pull its traffic from. So if you don't have split tunneling enabled and your client is connected with VPN, then the client is still going to identify itself as being on the domain. So if you look at the article that Rob pointed to here... on the intranet, correct. I was looking at it, I'm on my phone. Okay, so the client evaluates to IsInternet equals 1 or IsInternet equals 0, and this is the decider that tells it whether it needs to go to the CMG or not. Well, if you don't have split tunneling enabled, though, your client isn't going to know to go out to the internet; it's going to still route everything as if it's sitting on your domain. And so what Rob goes through here is setting up a different boundary for your VPN. You can even, like, so in our environment we went into AD and we configured AD sites... sorry, somebody's asking for the link. Kudos, Jeremiah. So our network team created new AD sites for us for each VPN concentrator at each of our facilities, and so now when a client connects to a particular VPN concentrator, it gets put into a particular boundary group, and it has specific resources assigned to that boundary group. And so then by doing that, by segregating that traffic and identifying that this is VPN versus this is on-prem, then you can do this where you can configure your boundary group to prefer cloud-based sources over
on-prem sources. But before you skip over that, right, yeah, so for me the whole mind-blowing thing is, scroll down to that setting, right? That setting got renamed in 1902. It was "prefer cloud distribution point over on-premise distribution point" or something like that, right, it was along those lines, and I knew that existed, but in 1902 they revamped this to say "cloud-based sources over on-prem sources", and specifically that includes Windows updates, that includes update data. Yes, exactly. And so that's very definitely the key point here. So you don't need to publish your security updates to your cloud management, or to your cloud distribution points, because Windows Update content for cloud-managed devices will pull content from Windows Update, from the cloud. So I mean, if we think about it, and Bryan, you're the mastermind behind Windows updates, the security updates and things, but when we look at security updates in Config Manager, all you're doing is creating a list of approved updates that clients can install. We're not saying you can only install this particular media that we're hosting for you; we're just saying here's a list, and we're providing it to you, so you're not going to the internet by default, but if you're already on the internet, go get it from the closest source so that you're not pulling content all the way through the tunnel, right? That's the dream. That is the dream, man. If you go down, go click on an update, right? Like go to software updates, just go to the properties of an update, and I don't care which one, right, you'll see the content right there, yeah. It tells you where it's gonna go get it from, the internet, right? Yeah, and when you look at the logs, this basically becomes... you'll actually see it, like "distribution point equals this", right? It's just returning the content lookup. And so the key thing, whether you're using a VPN or a cloud management gateway, is that the
client still needs to reach an MP, right? It needs to reach an MP, it needs to do a content lookup, and that MP needs to return it a list of content that includes this URL that points to Microsoft's, or the Windows Update, you know... see, we go, go, yeah. And so that source path, or something very much like it, is exactly what you'll see in the logs as your DP. And the trick is to... I mean, I can't pretend to fully understand how the client prioritizes and orders what source it uses, right? We really need another deep dive, I think, at MMS for that. But that setting that Rob talks about, and that blew my mind, thanks again Doug, changes that prioritization, right? So it's still gonna get...

Yeah, I could explain really fast how prioritization works, because it's really simple, in ten seconds, because the client looks to see if a CMG is in the boundary group. If a CMG is in the boundary group, it uses the cloud source; if not, it doesn't. It's nothing complicated. Okay, fair enough, at that level, but I mean, like, then you get down into, if you go the full stack, right, not just CMG versus not-CMG, like it goes down to, like, it prefers sites over IP, like if you've got everything, you've got... yeah, I remember you talking about the client, yeah, exactly. If you want to go like, how does the client resolve the full stack of client lookup, it's painful. And this setting alters that, right? At the end of the day this setting alters that logic to say, oh, you've got this list of... you could conceivably get this whole list of content sources. It could be a DP, could be a peer, Microsoft itself is one of those things, and all this setting is doing is saying we're gonna switch their priority, right? So it needs to be part of the list, which is why, when we're talking, you know, when you make that deployment, you have to say, hey, let
let clients, if they can't get the content from a DP, let them get it from Microsoft, because that's what gets it into the list of distribution points or sources, and then that setting will say, okay, but then also we prioritize or prefer Microsoft as a content source versus our distribution point. And Brian Mason is pointing out, quite right, I mean, the other thing you could do is just not... there's a new option in your ADRs, which is to just not download the content in the first place, right? So you can... if we want every client in the entire organization to go straight to Microsoft, you can now simply just never download it, right? And that wasn't an option before; there was no way to deploy an update without the UI forcing you to download the content into a deployment package. I'm not saying it's a downside, though, but the key thing to understand is that then it's not available for any... like, you're not downloading it at all. So if you have people that are still in the office, they're all going to download it from you... they're gonna download it from Microsoft too. If you don't have it on any distribution point, if you don't download it at all, then they're all gonna go to Microsoft, which you may not want. Correct. And part of this all came out of people like, okay, well, how do I get online VPN clients, I only want them to download it from Microsoft? And people were spitballing, well, you could create a specific distribution point just for your VPN clients, and you will have to manage your content so that update content doesn't get on that DP, and configure fallback in a bunch of ways, you know, and then just by luck hopefully they don't have a DP available so they go to Microsoft, right? And that struck me as like, that's a lot of overhead. Like, I don't want a distribution point that I have to kind of manage to make sure that it gets everything but my update content. Like, I'm just too lazy for that. We should just have a
setting, and then, okay, Cody Mathis was like, well, that exists, dumbass. Yes, that last word was a key one. So Bryan, okay, you're talking slick puddles office... oh, I see, okay, I was talking Microsoft Office. Yeah, right. So I mean, Bryan's making some good points here, so it's absolutely an infrastructure... and, you know, you have to look at the entire holistic picture of your environment. So you have to look at your network concerns, your security concerns, the types of pipes you've got, the types of connectivity you've got. So like, we've got some really remote sites that have to traverse, you know, a couple of states to come back through our VPN tunnel to get back out, and it's like, why do we force them to do that? Why don't we just allow these machines to go out to the internet, and go, you know, the closest route out? And, you know, I mean, I think that's definitely a thing to consider. But if you've got your clients sitting in an office that has, you know, a small DSL connection and you need to manage the speed at which that content's coming, or you want to do peer cache, or, you know, throttling or things, then yes, you want to control how that content gets trickled out to that client. But when that client is on VPN, or not on VPN at all, and you still want them to get patched, well, just, you know, let them get it wherever they can get it from. But once they're on your business network, then obviously you want to have a little bit more control over where that client is getting their content from.

I am trying to see if I can get it to show how this works, but my client is not flagged as co-managed for some reason, and so I'm trying to see where my co-management settings that were configured... because it's not getting them. I've got a second machine here; co-management is disabled. So what my goal here is, Bryan, is to spin one machine up on the business network, which this one is, which would mimic either on-prem or VPN. I don't have the infrastructure set
up to demonstrate two different subnets going to different places, but just imagine that that's how we would do that. And then on a... say I want to connect a second machine directly to the internet and bypass my on-prem network and show what that looks like, and you'll notice that it should look pretty similar, but just for the purposes of showing it we're gonna do that. But all of my stuff is running really slow; I need to just disable incoming video from you guys or something here. No idea how this works, sorry, I don't normally do Teams meetings like this, so we're just winging it. Keep the questions coming, or just the trolling.

Yeah, I mean, so Adam's off to the side, and we were talking about boundaries, right? And so that's another key thing to talk about, and Riley and Ryan Mason are all right, it's all about the boundaries, right? And if your boundaries are just a muddled shitshow, then there's nothing we can do for you. You have to get your head around that in some amount of sanity, right? Like, you know, to start with, right, if you're gonna have VPN, when we talk about the VPN scenario, like you need a boundary group that's reliably for your VPN, and then you get into fallback, right? If you're allowing clients to fall back to your default boundary group or neighbor group, like that all plays into this. And so I'm not sure that I have fully got my head around it if you had a super complex scenario and you've decided to overlap boundaries. Guys, I don't know, I don't know what you do. Just don't do that. Yeah, I mean, I think the general guidance, obviously we don't have best practices or anything, but don't make me say the best practices... but on you, Adam. Yeah, but I mean, let's not get into the practice of overlapping boundaries, because that's just bad news. You're just asking for trouble trying to configure all that stuff. I mean, it's just awful. Yeah, yeah, there's a... track down why your clients
didn't get what you thought they were supposed to get, and all those sorts of things. I mean, it's just not good. So this, I guess, let me ask the audience: does anyone not understand what we mean by overlapping boundaries? Does anybody want us to dig in to look at site boundaries and go over that, or does everybody kind of have a general idea what we're talking about there? We won't publicly flog you, but we will tag you when we publish this to the interwebs that you didn't know. Or I can just... we just do it, because I can't seem to get my... oh my, my whole lab is just awfully slow, a steaming pile, yes.

The one thing I will say about boundaries, I think it's gonna... I've seen this catch people off guard, and Riley, you might pipe in and tell me if you're seeing that too in some of the engagements you've had. Like, well, it goes back to like 1702, where they made some changes and created the default boundary, and I've seen people still kind of get caught by that, right? They're like, oh, some stuff changed and I haven't really thought about it and I just keep adding new roles, and you do have the concept of the default boundary group, and falling back to it is something that some people do need to still get... I've found a couple of people that it's really good to get their head around that. Yeah, for sure, especially because a lot of people will drop, like, say their primary site server in that boundary group, and a lot of people have a DP role on that, and then all of a sudden every client is coming back to corporate, or coming back to the data center, over T1s to get content, and you're kind of having a problem there.

Yeah, so I have a very, very simple, you know, AD site going on here, so it doesn't really... can't really do much here. But so in a production environment, so let's say that we, you know, potentially would have a second AD site, or at least another boundary that we create for our VPN clients. I would say, okay, so if a client is in... we create a new range and we assign
that range to a boundary group, and assign that group to a particular set of resources. So the idea here is that you want to look at your ranges that are part of your AD sites, or however you do it. A lot of folks say, well, don't do AD site because you can't trust your networking guys and they always screw it up, because they also can consolidate and collapse all your boundaries and all your subnets into the same AD site and screw you up. So you could look here: I've got 5.1 and 6.1, so I could break each of these into their own boundary group, and I could say all the clients from 5.1 would go to one boundary group and 6.1 would go to another. But if I put this one and this one into the same, well, then I'm gonna overlap boundaries, because that means that I've got clients from the 5.1, which are included in my Houston AD site, that are gonna be hitting the resources that I've assigned to both of these boundary groups. So that's kind of what we're talking about with overlapping boundaries: you want to make sure that the IP ranges that you choose for your subnets, for your boundary groups, do not overlap, so you're not including the same ones in multiple places.

And what you're showing here, what you have set up, is like what I think we're saying is hard mode, right? You set up two different types of boundaries, and nothing in here really tells you what the hell's in Houston, so you can't tell from here whether you just screwed something up.

Well, sort of. Yes, that's true. So number one, I've got AD site discovery, or I've got AD discovery enabled, and I've got it set up to auto-create boundaries based on my discovery, and so that's what I've got going on there. I want to say this is it... yep, so this is where you configure that: automatically create IP range boundaries for IP subnets when they're discovered, and then also auto-create Active
Directory site boundaries. So the two different ones you saw there, the IP subnets and the AD site subnets, were both auto-generated by discovery. So if I were to delete them and then uncheck one of these, then I would only get one or the other. So yeah, it's an optional either-or kind of thing. You can do all of it, but like you're saying, if you want to keep it clean, pick one. I would hesitate to say, oh, go manually create them, but sometimes you do need to do that whenever you're trying to slice things up a certain way. But you have to be really careful, because those network guys are freaking sneaky.

Yeah, and Riley just said what I was gonna say, so why don't you say it, Riley?

Personally, I enable the creation of ranges based on sites when I'm first setting out a new hierarchy, and then I turn that off. It's real easy, it just spreads it in.

Let me explain why, and then you can tell me if you do it for different reasons, right? Which is: any way you slice it, the networking team is gonna bone you. It is gonna happen, and so the question is how does that happen and how do you want to deal with it. The way that I've always chosen to deal with it is deployments will fail. I don't like it, but they're gonna screw something up and deployments are gonna fail, but usually it's not going to fail in a way that takes down my network, right? We're gonna deploy something to a new remote location, and they've added a new subnet in that location, and people will be like, hey, stuff's not getting there, this machine isn't getting this deployment it's supposed to have. And step one in the troubleshooting is: tell me the IP address, what boundary is this thing in? If I've done purely IP ranges, it's dead simple to do, it's really easy to figure out that range doesn't exist or they did something weird.

Yes. In organizations, do the networking teams generally play with AD Sites and Services? I
have never seen one. Granted, I haven't seen every organization, but I've never seen one. The only time I've seen it is when they're using Infoblox and they're doing an Infoblox integration with Sites and Services, which does get really, really nice, not gonna lie. But that's the only time I've ever seen a networking team play with AD Sites and Services.

So what I would say to that point is that what we see in our environment is more of a deal where our network team will go stand up a bunch of new subnets at a particular site, and then they won't tell anyone, but they'll connect all the clients over to the new subnets, and they're not assigned to a particular AD site, or to the wrong one, more specifically. And so then that's when we have to engage the AD team, the server team, whatever level of hierarchy you've got, but we'll get those guys to add the appropriate site to correspond to the new subnets that got generated. That kind of makes sense?

Yeah, yeah. It ends up being a process question, right? To me, it's not a technical problem. Somewhere, somebody has to have a list of subnets, and that needs to be maintained in Config Manager. I would love... right when I did the first setup and somebody explained AD sites, I said this is great, we should do the hell out of this thing and I can make the networking people do it, right? And that went nowhere. It just didn't go anywhere. And so somewhere in your organization you need a process for how do we want to identify boundaries. Part of me says if you want to do it in AD sites, then it's going to be your job, right? It becomes your job to do it in AD sites instead of doing it in Config Manager, where you're specifying the individual IP ranges. In many cases they're gonna tell you no, we're not gonna let you do that, and so then it's gonna fall to you, and you need to do your best
to get your networking team, whoever's creating those subnets, to keep you in the loop. That's the best I know how.

And there's reporting. Yeah, go for it, Jonathan. What's the link for it? You can monitor DCs for clients that are appearing from subnets that aren't mapped, and basically alert and assign responsibility based on that.

So you're kind of doing what the discovery is doing, comparing that to what's in Config Manager, then alerting on the discrepancies.

In most orgs, they're gonna be the one that caused the problems, especially if you can very visibly assign it: this is going to be the issue that this causes, stop doing it, communicate with me and we can get it fixed. That's how you build the process. Otherwise, it's just them whining about something that they need to put in, and it's done.

Yeah, I hear you. We did our best at my org. I tried to do the best I could, like, hey, widen this work... it's the networking, right? And what happened over time is people actually kind of... the first thing I need to check in this scenario is the boundaries, and that's where, for me, doing the IP ranges made it really, really easy. We literally had... I want to say... how many ranges did we have? We had hundreds of them. We had a lot of ranges, it was crazy, but you could just look at it and be like, is this IP address in a known range? It was very, very easy to figure that out.

Okay, so thank you for stalling again.

No, it's great. So okay, what I'm discovering is my lab machines do not seem to be registering, so they're not getting hybrid joined, so I need to hybrid join them. I think I can do that with the dsregcmd command, maybe, or at least just go and add my... what's my fastest way to do this? I've got every way I'm not working over here and it's not working.

Fastest way is gonna be dsregcmd /join.

Okay, this is what I've seen. In fact, that's really gonna be the only way. How about we just go ahead and give Riley control of every computer? Well, I
mean I think secretly what we were attempting to do here was to get Riley to do this session for us, and so that's what we've accomplished at this point. So yeah, I'm excited. By the way, Riley is a Microsoft former PFE, DSC, all-around amazing Microsoftie who we hang out with on the WinAdmins Discord channel, and if you're not on WinAdmins Discord, you can go to aka.ms/offweb. I do not do that, because no, not allowed. But there are plenty of excellent people there that will help you with your problem, both people from Microsoft and people from the community.

Yes, and by the way, I told Brian that I had my lab probably working, and so he willingly jumped in on this endeavor with me with zero... whatever, I didn't prove... well, it was before we started, but he knew it. He was fully promised on this being a total wreck.

Check status as well after you do the join. I didn't see if you were doing that or not, so just /status.

There's that. That works. Okay, so because let's be honest, this is exactly what we would do in our real environments anyway. Scroll up. Well, these are 1903, right, or not? Yeah, but I think they're not... I don't think my Azure AD Connect is working. I think it should have been able to do an instantaneous join without Azure AD Connect needing to work. Yes, it's something else. So let me try one of these guys, because I've got several different build states. Maybe look for the one that's working... here's the list. You want to figure out which one we should turn on next? Just all of them, see how much resources you got. Yeah, actually, I think one of these... Mike, thank you for bearing with us, everyone. Maybe you are, I don't know. Dude, they were bearing with us from the start, falling asleep at the wheel, and you're just gonna stick around till we disconnect you. It's gonna turn into troubleshooting hybrid Azure AD join. No, it's gonna turn into, well, join us next time when we actually have something working. Yeah, you need to open the chat there.
Literally. So there's a debug mode, right, that you can do? Right, yeah, you need to use PsExec running as SYSTEM, and if you check the event logs and look under Microsoft-Windows-AAD... oh, wait, wait, that one's good. Okay, so I knew I had something working here. All right, good.

Was dates on and miscellaneous? Probably. Consider someone was trying to speak there that was unintelligible. Yeah, was anybody speaking? I got some garbled... I think it was just you. Okay, that's quite possible.

Okay, so shut those guys down so I can get some resources back, but I've got a second one over here that should be in the same state. Start that guy up too. Okay, so what we're gonna do is we're going to take a peek at the Control Panel and we're going to verify that the machine is in fact co-managed and see how this goes. All right, so yeah, okay, so you can see I've got 195 co-management capabilities, all that sort of stuff. Okay, so connection type: currently intranet. All right, so for this machine, just assume that I'm telling you the truth that it would work on the regular. It's on the domain and would work just fine on the domain, and so now we're going to connect it straight out to the interwebs, not on the domain. Okay, and then I'm going to... I like to go the long way around. I'm going to restart the CcmExec service, which I don't think you have to do, but it's just gonna give us a clean break here. Come on, typing is not working. Oh yeah, you're welcome for that. Okay, all right, so at this point we should be able to look at the client logs and see where we're pointing, fairly smart.

So what, it should show up in the Control Panel there, right? Yes, as well, it will do that as well. I'll try and show both ways. Wow, okay, but I don't really know how long it's gonna try it over. I'll see this all thinks it's intranet, that's not true. All right, so it should be ClientLocation, I think. Is that the right one? LocationServices... there's LocationServices and there's ClientLocation. I just always...
Does anybody else just click through all of them that seem right until you find the right one? I just start typing until I get kind of close sometimes. Yeah, I was good at Google: type in SCCM logs and then go to the docs page and then search for... trying to find... yes. Yeah, so there we go. Yeah, it's not being... Jake, I don't really want to keep my MVP that badly. Current internet management point, all right. So let's go and check here and see if it tells us again in the client, in the Control Panel, because it should: currently internet. All right, so yeah, we are now cooking with gas. All right, we're all subs, okay. So then let's go open up Software Center and see if we can get some stuff working here.

See, what's that? Easy, you just need to find one box that's working. Well, a bazillion commands. Yeah, yeah, this totally works at scale, people. We could have, if we had to organize this, we could have demoed this in about, well, the length of Rob's blog post, probably, because that's... yeah, it's not really that much more complex than what he's got in his blog post. We just made it more complex. All right, so now I'm waiting for Software Center to do whatever it's gonna do to go through the interwebs and find all the things it's going to find, so gotta give it a minute, maybe. Come on, don't let me down here, please.

Yeah, yeah, well, I mean, we should just title this whole thing like "preparation is highly overrated". This is preparation, aged. Yes, like when I did these engagements, I would literally spend three to four days just doing this stuff really well, so that, and fixing PKI. I just say accept it. Each step of the way, it's like, well, we need to talk to another team, and they hate us. Yeah, if anyone has ever watched any of the content that Steve Hosking and I have done on intune.training, you will know that, especially in our early versions of the videos, we never really got successful demos. We just got you close. Close this document,
but we were just trying to have commentary and maybe demo some stuff. So anyway, that's kind of what we're doing here, I think, to some degree, but ultimately when this loads... if this loads... I mean, I think I'm at the mercy of Teams and my poor internet and everyone working from home and all that sort of stuff, but eventually I will see some applications load here and should be able to install one of them over the cloud management gateway, over the Internet. So in this scenario, this would be the equivalent to a machine running on VPN with split tunneling. Well, I mean, technically this is a machine just floating out on the internet with no VPN, no nothing, because technically it can't talk to anything. But the difference is very minimal between an internet-only client that doesn't have any VPN connection enabled right now, or a client with split tunneling enabled: the client would be able to get some domain resources, but then we're specifically telling it we want this traffic to go through the cloud. So if we attempt to install one of these things, maybe some of them aren't installed already, and so we should be able to go and see some log somewhere tell us where that's pulling it from. So it is the management point it's using, so you can see it's talking through the proxy, through the cloud management gateway proxy, and then that proxy is actually talking to your internal management point to give it information. And then if we go and look at the content downloader logs... wow, VMs suck, come on. Yeah, somewhere, somehow they're gonna work. It didn't work, it says... back to install. Well, it's possible I don't have the Edge Dev content published out onto that DP either, so there you go. So, failed, but I mean, assuming we had all this configured correctly, this should just work. And because it should work, it did. Yeah, just imagine that it did. Look here, we'll try the Recast tools, because their stuff always works. Come on,
installer. Shout out to Recast Right Click Tools, the only company that gives you a shark onesie if you work for them. See, I just want a shark onesie. Yeah, yeah, why not? Um, anyway, yeah, I don't know how this is working, but it's the way life goes here. But ultimately you kind of got to see the bits and pieces, right? So you're seeing the client talking over the management point, we talked about the fact that... see, it's downloading, it's gonna install. This is awesome. Let's see if we can find a log that has some info about that. Huh, which one's gonna tell me what DP or where my content was coming from? Is that CIDownloader?

There are three that were just posted in the chat, so ContentTransferManager, your CAS log, or DataTransferService. Take your pick, they'll all have information. All we really want to see is verification that they're coming from where we think they're coming from, so CAS.log is gonna be your best place to look.

Okay, all right, see what we got. Was found in the cache. That we got content from the cloud management gateway and it's downloaded and it's doing things with it. Magic, it really is. So I mean, that's kind of it. Hey, good job, Jonathan, you win the prize. Yeah, send me your address and I'll send you some stickers with my face on it or something. I want six of your face on it. I've got a pile of stickers, tons of stuff, and the guys at the Austin user group gave me some new Texas PowerShell stickers. So this is the VMUG, so this is the VMware user group, oh, it's nice and blurry, you know, and I got the Austin TX PowerShell group, ATX PowerShell, almost see that, yep, and then obviously a training.

Where's the co-management content? What are you talking about? Okay, show your face, Jake. Just throwing that out there and just gonna leave us hanging. You favorite... damn it, it's not... yeah, the background does... I guess there are some bugs to work out. Jake, you missed the very first, middle and end part where we did co-management and cloud management gateway.
Okay, so if we talk about co-management for just a moment, because really the co-management piece we kind of glossed over just a wee bit. But ultimately, if I was to publish a list of updates to my workstations now, okay, so I should go create a software update group and publish those too.

But you're talking about co-management, so like if I went to Intune and configured a policy in Intune, sorry, yes. Right, yeah, I mean, exactly. If you're using co-management, I interpret that to mean I'm using co-management and I'm moving the software update slider to make Intune do it, and then there's no CMG involved, you're just literally using Windows Update for Business. But you still need, if you have a VPN running, again it would go back to the whole split tunneling thing, right? If you're using co-management, or just Intune straight, or you're using Windows Update for Business with Group Policy, you really had better be frickin' split tunneling, because otherwise you're gonna pull all that data twice, right? You're gonna tunnel all that information from Microsoft into your organization and then across the VPN down to your client.

Right, and so yeah, so if we talk about shifting our workloads and do the co-management shift, this is where you do that. So if you want a lot more information about this, and just apply this to co-management, go watch intune.training. We've gone through a whole lot of these configuration options and stuff. That channel is specifically targeted to doing Intune only and not looking at Config Manager things, but it's the same concept. You simply are just going to go and create a profile, so this is just to configure Windows Update so we can do co-management and we can go and set our update ring settings. Now the difference here is that you are configuring things in a way that is much different than what
you do in Config Manager. You don't have nearly the granularity over what you are allowing to have installed, because you're essentially saying just give me updates when they become available, and all you get to do is set a deferral from the date that they get released to the channel that your clients are assigned to. So if I say I'm on Semi-Annual Channel, you're basically on the regular general release ring, so every Patch Tuesday you're gonna get some updates. And then you can say, okay, so now ignore the feature update bits for a minute here and just look at the quality updates and things. So then you're setting a deferral time for those guys, but then you're essentially just telling the client when it can install the latest round of Windows updates, just like if you were configuring those on your home PC and going into Settings and configuring your Windows Update options, right? So, hey, look, Right Click Tools installed. Yeah, so if we were going to Windows Update settings here, I should just go ahead and shortcut that. Updates, and why you do that.

Like, what I'd like to talk about with those settings is that it's just enough. I called it "just enough" sort of administration, right? Because when you're using Intune, you're specifically limiting yourself to just Windows 10, right? It's just workstations, just Windows 10. Yes, I know Windows 7 was supported for a while, but... hey, one, but shut up. You're really limiting yourself just to Windows 10, and Windows 10 is from the ground up updates, right? There's really nothing to choose: either you're gonna apply this one scheme, this update, or we're not ever going to apply updates again. So yes, it's a loss of granularity, but I'd argue it doesn't matter. There's two parts where I think it really... one part for sure matters a lot. I think I'm going to talk about feature updates in a second, right, like that's the... okay.

Yeah, I mean, so when it first came out, my biggest gripe with it was, well, okay, great, I
don't really want to micromanage updates anymore, just fine, just whatever the hell you want to install, just go install it. But feature updates, I don't care how much they try to tell me, feature updates are just a different animal for a while, until I go through like five years of just rock-solid releases where I don't even notice that you deploy an FU to me, then I'm gonna care. And so I really... look, that was the pushback, and they did that. I don't know if you're in your tenant with that public preview, but they added it, great. Yeah, so they've gone and split that out, and that's great. And then the other feedback I've given them is part of me wants to say I'd like to see the non-OS updates split out too, like .NET, and .NET is the big one, but there's other applications, right?

Okay, here's the question: are you not going to patch? There've been multiple .NET vulnerabilities over the past several years. Are you not going to patch those?

Well, it's not an option not to patch. Well, but yeah, but there are definitely... so okay, so I think there's the, you know, that pipe dream of well, we should do this, but then there's the reality of yeah, but we work for a bunch of people that have differing opinions about how this stuff needs to be treated. And so depending on what sector you work in, your bosses and stuff, you get your hands tied a lot on what can and can't be pushed, because you've got bad application practices, you've got things that are poorly built that you still support, that were built before most people's children were born, and stuff like, why are we still doing this? And so I think that's at least part of the risk or the scary factor here. And I know that the Config Manager team is doing a lot to help us get past that with, like, you know, look at Desktop Analytics. So, you know, that whole thing there is designed to show you device readiness and help you deal with compatibility for
drivers and applications and things, and help you feel more comfortable with, hey, look, this stuff all looks good, why not push out the updates to your business? But still, the business has been bitten a few too many times to be okay with just letting everything roll out, the feature updates. I mean, I love feature updates, I'm probably the biggest proponent of feature updates as a listener in the media community, I like letting them just happen with servicing. But doing it this way, where you say just install them when they become available, that's a big trust factor, that's a big leap for most companies, because I mean, we're gonna spend a couple of months testing applications and slowly rolling this out to different rings of users until we feel comfortable, and looking at DA and doing the pilot rings and things like that.

So this new feature updates preview, they're supposed to... and we're still... I've got some issues open with the product group, and Brian and I as well, so we are trying to make sure that this works properly. But essentially you should be able to configure this policy to say I want to lock a particular set of targeted devices. So you configure the policy and you deploy this, you assign this policy to a particular set of workstations, and when you assign this to those workstations, then those workstations will always be on that particular ring, or feature update, until you move it. So I could go create a group of all of my, you know, high-risk users, and I say okay, I'm locking you guys in on 1809, and then I can make me another ring, that's my, you know, fly-by-the-seat-of-the-pants guys, and they're gonna get latest and greatest every time. Rob probably wouldn't even configure a policy for them, because they're just gonna get it automatically. But so what this lets you do is target a particular feature update to a particular group of devices, and it locks them in on that feature update, so that then when you configure Windows Update rings, you can safely deploy all
of the other updates to those devices, but you can specifically choose a feature update to leave those devices on until you're ready to move forward. But yeah, so when you do co-management, though, you are definitely kind of taking your hands off the wheel a little bit and saying, yeah, so it's Windows 10, there's only a handful of updates, and when's the last time you didn't push them all out every month? Let her rip and go. And so you set up your policies, deploy those to your clients, co-management takes over and lets you handle things. If you want more control, slide the slider back over for some of your machines, and/or, I mean, you have to actually configure it into pilot at that point, but you say okay, I'm gonna not allow those devices to get updates from here. So anyway, I've been kind of rambling on about that, but that's... yeah.

Can we get back to Rampart again? What? No one... is that joke not landing? Riley got me. Oh yeah, we thank you. Yeah, point being, co-management, creating that feature update and allowing us to... I think that is a hurdle removed in terms of remote, you know, dealing with software updates in a remote user situation, right? If you already have, I mean, if you're ready to be, if you're set up to be able to move that slider, I think it is actually a real... ah, no, I doubt people are going to do it right now, given the situation, but I think it is an option. But it still needs split tunneling. Yeah, I think... I mean, I don't know that we had a plan for this, but if we had to create a plan for what this was supposed to be, the closing argument here is like, look, you have options, and you should explore those options and choose the options that are most beneficial to your organization. If you're concerned over cloud management gateway, or really specifically cloud distribution points, its bandwidth, talk to Rob York, talk to anybody. Post it out on Twitter and say how much does a cloud distribution point cost? Let's just shut up, or just
like shut up, just do it, just turn it on. And he actually replied to the thread and posted all this stuff, and I think the killer for me on that whole CMG/CDP thing is you can put a dollar value on it, you can put a value at it, and there'll be like, it stops at this value. So if you're worried, just put a value in it and you won't go beyond it. Yeah, you can get bigger subscriptions and things, you know, to block them from costing you too much money or whatever. But if it's a difference between keeping your devices secure, allowing your devices to get content while you're in this quarantine state of not being able to... you know, everybody's working from home and you may or may not have reliable VPN, or your network guys are, you know, not playing nice, and you can still manage your devices. I mean, so we've kind of been talking about this from a perspective of, so when a client is connected on VPN, you want it to behave a certain way. Well, let's talk about it for a minute, of like, what if your users aren't on VPN and you still want to manage them? Well, this is great, this is a great option for it. Cloud management gateway and cloud distribution point lets you do all of the things to that device whether or not they're connected to your business network, period. They do not have to be on VPN, they do not have to be connected physically to your location, but you still get to have full control over those devices and do whatever you need to do to them. And that should be... manage any device anywhere, have full control over it, use the tools that exist in these products to do that. And if you haven't been looking at this, this should be that wake-up call to say, you know, we should probably spin up some test cases of this stuff, because it's really affordable, you're not going to break the bank, guarantee it, go do it.

Yeah, I like what you're laying down there, right? Like, I'm gonna try and summarize it, which is: if you've got no VPN
option, right, you don't have a VPN, or you just don't trust your users to turn on the VPN, then CMG, or co-management and moving them over to software updates in Intune, one of those are your best options. Go down one of those roads.

Yeah, and here's, I mean, even kind of the next piece of that is, look, you know, there's a whole lot of questions about hybrid Azure AD join and Azure AD join, and this whole deal of, well, I still need to do hybrid because I need to access XYZ resources. Okay, well, let me stop you and ask: have you tried doing it with just Azure AD join? Have you tried to Azure AD join a device and then have it on your network and access company resources? Because it works, and you could do it, and there's a simple thing that you can do for some of the things. So if you enable Hello for Business, which is really a thing you should be doing as well, you can enable a hybrid key trust. Once again, go to intune.training, look up hybrid key trust, or I think Hello for Business is the session, and we talk about enabling a hybrid key trust so that your devices can pass through your Azure AD credentials to your domain. It syncs those credentials to your on-prem resources so that when you try to browse to a file share and you've used Hello to log in, it doesn't prompt you for your domain credentials in order to access those resources. So if you haven't looked at that, because look, if you do that, you don't even need VPN... well, I mean, you could get away with it... sorry, you do have to have VPN. Sorry, you could be Azure AD joined physically on your business network, or you could be Azure AD joined with the VPN on to your company network and still get to company resources. But it opens up the opportunity for you to ship out boxes to users, because you can't do hybrid Autopilot from the user's house, you can do regular Autopilot. And not to mention that hybrid Azure AD join brings in with it a host
of complications. And I've worked with a couple customers that have looked very hard at doing straight Azure AD joins, and for them, when we did our pilot of it, it worked great. Their main line-of-business application was SAP, and day one, less than six hours in, we Autopiloted a device and it installed their SAP client and they connected it to the wireless and they watched it: no authentication prompts, nothing, just worked out of the box. Because you get a Kerberos ticket, NTLM authentication for the most part works. So Azure AD join is not cloud-only. Azure AD join can still be cloud hybrid without having to worry about, oh, I have these legacy applications over here. Nine times out of ten, those legacy applications will probably work.

Yeah, and from what I was just showing you, so we showed how you can take an on-prem resource and you can manage it in Intune, but you can also take a cloud-only resource, an Azure AD joined machine, and you can co-manage it back into Config Manager. So you still get all your visibility, you still get the opportunity to manage those devices and do things to them even though they're not part of your... they're not regular domain-joined. So you know, you've still got an opportunity to do it. I want to say that I've got several machines in my lab here that exist in that state. Yes, somewhere in here, some of these... I want to say, like, these machines I've built for my kids, so these are Azure AD joined machines that I've enabled co-management on, and now I've got the Config Manager client running on them, but they don't have VPN, they're just sitting on my home Wi-Fi.

It's important we step back for a second and we observe the fact that Adam has his kids' laptops managed by Intune.

I needed to have a real-world test case for doing this stuff, and so this was a perfect way to do it.

It's great, it's wonderful. So anyway, I want to interject here, right, because you guys had a whole bunch of stuff which
is awesome, don't get me wrong, I love it, more sessions on that. But part of why this whole topic comes up, the reason we're talking, is just because all of a sudden people have this problem, right? And so I kind of doubt that if right now you're taking down your VPN connection, if you're taking down your connection into your environment, they're gonna go whip out Azure AD join and completely re-architect. So hopefully somewhere in all of this mess you figured out a quick fix to stop the bleeding, right? And if you don't have VPN at all, I think CMG, right? If you're a Config Manager admin and your VPN just isn't reliable, I think your quickest shot is go get a CMG, and if you want to go figure out all the other stuff later, great, go do that. But I think without too much pain you get a CMG, and you know what, holy crap, if you only need it for a few months just to stop the bleeding, then just go stop the bleeding. It's not a one-way thing, right? So if you're literally taking down your network right now, shut up about the cost, just tell your boss "I can fix this, we'll worry about that stuff later," just go do it.

Yeah, and the costs have been to the point that I had a customer that was in disbelief about how cheap it is. Yeah, the value proposition is: do you want me to fix the network now, or do you want to talk about whatever it is, like hundreds of dollars a month or whatever? Like, just stop, I can fix this, we'll deal with the budget later, go put up a CMG, it's not that hard.

Okay, so look, in reality I'm not using anything on my... I mean, I don't even know how to go check the costs, how much the stuff costs anyway. It's built in: Cost Management and Billing, there it is. Well, so I've got an MSDN subscription, so it tells me every time I log in,
like, "oh, you've got credit," and everything. So I've got several different resources and things spinning up in here, and I guarantee you my CMG is not even remotely... I mean, obviously I'm not using this for really anything, but just the pure existence of the CMG, you'd think, all right, that should burn up some resources. I think the thing that's using up all of my dollars is the fact that I... no, see, oh yeah, there it is, this is a good idea. All right, so an idle CMG for this month has cost me $30 just sitting there. So if I go back to the previous month, last invoice, let's see what it was. There you go: just an idle CMG sitting there, not really doing anything, cost me $63 just to sit there. So yeah, I mean, quit your bitching, right? You're running a business. The value proposition, versus the electricity required for all the old CRT monitors sitting on your desks at this point...

Yeah, so I think that's right. I'm just trying to think of, if I were an admin right now and my networking team came over and said "here's the freaking graphs, I need you to fix this right now": again, if you don't trust people to connect to the VPN, CMG, shut up about the cost, just go make it happen. If you have a VPN that you know people are reliably going to connect to, then I think you get into, you know, you've got to get split tunneling enabled, right? That has to be your focus, go make that happen.

So we've got a question from Ben. Hey Ben, thanks for joining. Okay, so "if the devices are already out the door and we set up the CMG, will they connect to it?" And the answer really is: if the device can contact Config Manager, hopefully over your VPN, to know about the CMG, then yes, they should be able to know that the CMG exists at that point. But they have to be able to talk to your management point first to be able to get the configuration, so they have to be able to talk to your
domain. If they're already out in the wild, just floating out there, then you're in trouble. That's a good question there, Ben. And if you co-manage them and you're really, you know, up the creek without a paddle, it is certainly possible to push out something that will make them aware of a CMG, but the best option is to VPN it. Yep.

You're clearly up... it's not my hotel room, this is my office slash guest room. But thanks for joining, Mirko, you're awesome, by the way. Mirko, MVP, 'sup dude, you're awesome, I think that's who that is. Yeah, Mirko, asking the questions that should be asked. He brought up Active Setup in Windows Virtual Desktop, things like that, and they just politely ignored him.

So okay, we talked about the case where you don't want to rely on the VPN. I think if you do rely on the VPN, again, the quick hitter I think is making sure you get split tunneling enabled, and then go sort out your boundary groups: make sure that they make sense, make sure you have a boundary group specifically for your VPN IP ranges, make sure that they're not falling back to some other stuff to get content, and then go enable that cloud resources option, right? I think that has to be the quick hitter, and I'm not saying that's permanent. Fine, then go figure out some other stuff, whether that's an Always On VPN to fix that hole of "I need to make sure people are connected," or you set up a CMG, or you go co-management. Those are all great things, but if you have a VPN and it's reliably connected, go fix that problem to stop the bleeding.

Yeah, and here comes someone bringing up some good points. So the cloud distribution point part of the CMG is the piece that is the pricey bit here, so that's the content, right? You spun up a VM and you're hosting content on that VM resource, and then your clients have to consume that content and do the transfer of the data, so it's
all of those pieces. Well, here's what I would say, right? If you're worried about that, because you're right, it's the content cost. If that's... maybe we're done here, it's so frickin' cheap in the first place, don't worry about it. But let's say you were, then just don't push it up there, right? Because the whole point of setting it up is that they're not going to pull software updates... so yeah, yes, right, the whole point of talking about CMG in this scenario is to get software updates up there, right? So you set up a CMG and they won't pull data from the CMG, so just don't push any data up to your CMG. Now apps will fail, right, apps are gonna fail; if there are some non-OS task sequences, I don't know if those work over a CMG; some other stuff will fail. But again, we're talking about stopping the bleeding. Who gives a... what I care about is that Patch Tuesday happens and I don't take down my VPN, right? So set up a CMG, don't put any content on it, and just get over it.

Yeah, just want to make an important point on what Brian was saying there: don't put the CMG in your default boundary group, in your DP... like a lot of customers will have a distribution point group they distribute all their content to; don't put the CDP in that group, don't do that, don't do stupid, basically, because then you'll be wondering why you have two terabytes of content out there that you're now paying money for. Yeah, and again, in the whole triage situation, just don't put content there. There's no reason, you do not have to put content up there, and you will stem the bleeding from software updates.

You're muted, Adam; it's a little microphone icon with a little slash through it, and you usually click it with the left mouse button, buddy, the left one. No... oh geez, he's gone now. I don't know what happened, which is great, because he was doing
the recording, so that's how this is gonna work. No, it's... no, in theory it won't stop recording; it will just land in his stream, or send it to him as a DM after the fact.

Hey, can you hear me? We can now. Okay, I don't know what happened, but I was failing mid-stream there and it just died. So yeah, whatever, I mean, we've been pushing it for a while here. So I don't even know what you said, Riley, but I think basically the idea here is... I said you're a lovely-looking man first... enable split tunneling so that your clients can go to Microsoft to get their content. Yeah, and then they can still pull their content from your DP locally if they need to, but don't force them to get Windows Update, because that's really the main thing that you're worried about anyway. It stops the bleeding. Unless you're deploying CAD, you know, huge applications, it's probably not going to take down your VPN, right? Because you don't do that; your whole organization, Lord willing, isn't downloading the same app at the same time, but they are going to do that for updates. And I'm just gonna say it right now: if you're installing CAD off of the CMG, your users are probably gonna have a bad time. It would work, but man, better ways to use everyone's time, right? Yeah, you send them a CD and move on, right? A carrier pigeon with a USB stick. No, turn their laptop into a DP sitting with pre-staged content on it. Yes, yes, yes. And also don't put your CMG in your... group, that is correct, do not do that, bad news. I said boundary, I meant DP group. Yes, yeah, it's late here. It's correct.

All right, well, we have trudged through this one, Brian. I think we didn't fail as spectacularly as I was anticipating. But I feel like... harder, because I can feel harder. Well, I mean, if you want, now I'm good, whatever else we want to do. Okay, so I mean, we still... I can't believe how many people showed up for this thing. We had, I think,
at some point, almost 20 people in here; still got 13 folks hanging on. So, Nate, hey, this is just my everyday drink, this is just Jim Beam, this is like low-end Jim Beam. Weighted sharkon, he likes to feel fancy, so he uses the fancy glass. So yeah, I plan to try to get this video uploaded as soon as I can; I'll probably just host it on... We never asked the question why, why would you do this? No, we really didn't. I just felt like I needed some people to talk to. Yeah.

And I do want to just make a quick statement: I'm not here in an official capacity; nothing I say is representative of the views of my employer. I'm supposed to say that when I'm being recorded. All my views are not, you know, representative of a respectful human being.

So I don't know about you guys, but I really enjoyed this format, just being able to have a chat. So if you guys want to do this again and you've got a topic you want us to cover, let us know, we'll see if we can. We really enjoyed the complete lack of preparation. That has come from eight months of Intune Training, no prep, to be able to feel this comfortable, to the SysManSquad, to do something like this, but for that, I guess. So basically tips-and-tricks type things, where we could just have everybody do a tips-and-tricks type live session like this. Mm-hmm, yeah, rotating live sessions. Yes, if you want to join us and do stuff, it'd be awesome. Juanzi, Ron, you talk about IPv6; yeah, make stuff up there too. We can spend no less than 25 percent of our time trying to forget how to share screens. Yeah, do that. Well, that worked really well, huh? See, I don't think I realized until today that this whole background thing wasn't available to most people. Yeah, it's not. So you're on the Insider, right, for Teams? I'm on something... employer... I am on something right now, not... yeah, like currently what's going on. So some people have this awesome ability
to swap their background. I'm actually doing it with a third-party... look at that, you can even see it; it used to blur that out. I'm actually using some third-party video solution. How are you doing it? There's... I don't know, I've been doing it for... but yeah, with the Teams Insider you can swap instead of just blur. Yes, I've been using SparkoCam to do mine, and had some fun in the virtual bar at MVP Summit this week, put on fake glasses and all sorts of fun backgrounds. The virtual bar, is that as opposed to the BYOB, bring your own bottle? So it's, hey, sessions are over, let's drink and turn on cameras. And yeah, that was... someone set up, was it... or what's the other, I don't know, the competing video chat thing where you can do all the faces up at once. So we had about 10 or 15 of us and you can see everybody's cams instead of just the four up like Teams does. Which one? Zoom, Zoom. Okay. It has the live backgrounds too; you can change out your backgrounds, you can do animated ones, all this stuff. But Teams is way better because it does... here, I want GIF backgrounds. I know this feature isn't all the way rolled out yet, but I already want GIF backgrounds.

Just thank you all, everyone who stuck around. I've no idea how transcripts work once we save this thing and publish it out, but anyway, thank you very much for hanging with us, and thanks Brian and Riley for jumping in and co-hosting. So I will do a... it really brought respectability to this thing. Yeah, I think so. All right, stop recording. Well, I don't
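The stream's "stop the bleeding" advice boils down to three site-side changes: a boundary group that matches only the VPN address pool, no cloud DP in the distribution point group that receives all content, and update deployments allowed to fall back to Microsoft Update so split-tunneled clients fetch the payload directly. The script below is an added example written for this page, not code from the stream, from Intune Training or from Microsoft. Every name in it is an assumption to replace: site code PS1, VPN pool 10.200.0.0/16, on-prem DP dp01.corp.contoso.com, a DP group "All Content DPs", and a deployment "Patch Tuesday - Workstations". It uses the ConfigurationManager PowerShell module that ships with the console and must run on a box with the console installed.

```powershell
# Added example, not from the stream. All names below are assumptions; replace them.
#   site code PS1, VPN client pool 10.200.0.0/16, on-prem DP dp01.corp.contoso.com,
#   a DP group "All Content DPs" that receives every package, and a
#   software-update deployment named "Patch Tuesday - Workstations".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

# 1. Give VPN clients their own boundary group pointed at a known on-prem DP, so
#    application content is served from inside the network instead of the client
#    falling back to whatever other boundary group happens to match.
$vpnBoundary = New-CMBoundary -DisplayName "VPN client pool" `
    -BoundaryType IPRange -Value "10.200.0.1-10.200.255.254"
$vpnGroup = New-CMBoundaryGroup -Name "BG - VPN clients"
Add-CMBoundaryToGroup -BoundaryName $vpnBoundary.DisplayName -BoundaryGroupName $vpnGroup.Name
Set-CMBoundaryGroup -Name $vpnGroup.Name -AddSiteSystemServerName "dp01.corp.contoso.com"

# 2. The "don't put the CMG in your DP group" check: list members of the content DP
#    group whose server path is not an on-prem host in your AD domain. A CMG-backed
#    cloud DP shows up with a NetworkOSPath outside that domain. If this warns,
#    every package is being distributed to Azure and billed as egress.
$onPremSuffix = "corp.contoso.com"   # assumption: your internal DNS suffix
Get-CMDistributionPoint -DistributionPointGroupName "All Content DPs" |
    Where-Object { $_.NetworkOSPath -notlike "*.$onPremSuffix" } |
    ForEach-Object { Write-Warning "Non on-prem DP in content group: $($_.NetworkOSPath)" }

# 3. Let the update deployment download from Microsoft Update when no DP in the
#    client's boundary groups has the content. With split tunneling in place the
#    client gets the binaries directly from Microsoft, and a content-less CMG only
#    has to carry policy and state messages.
Set-CMSoftwareUpdateDeployment -DeploymentName "Patch Tuesday - Workstations" `
    -DownloadFromMicrosoftUpdate $true
```

Step 3 only helps if the VPN client's split-tunnel exclusions actually cover the Windows Update and Delivery Optimization endpoints; if they are routed through the tunnel, the payload still crosses the VPN, just from Microsoft instead of from your DP. Step 2 is the check to repeat after anyone adds a DP to the group, since one careless membership change is enough to start replicating the whole content library to the cloud DP.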
Info
Channel: Intune Training
Views: 4,633
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune, ConfigMgr, SCCM, Co-Management, Cloud Management Gateway, CMG, VPN, COVID-19, Corona Virus, Work From Home, WFH, Windows Update, Split Tunnel
Id: RkLqVCak6Ps
Length: 99min 0sec (5940 seconds)
Published: Thu Mar 19 2020