S01E40 - Deep Dive into Intune Endpoint Security with Microsoft PM Matt Shadbolt - (I.T)

Captions
Hello and welcome to another episode of intune.training, the place to learn how to use Microsoft Intune, the Steve and Adam show, with Ben of course, with special guest Matt Shadbolt. Matt, hello sir, how are you?

Hey guys, how are we doing? Doing great. Great to be here, thanks for having me. Very, very excited. I watch all the videos each, what, fortnight? So yeah, it's an honor to join a couple of Aussies and you, Adam.

All right, all right, fair enough, fair enough, I get it. Well, Matt, thank you for growing a beard for coming on the show. Too bad Ben can't say the same. So Matt has come to talk to us about some new features in Intune. I'm not going to spoil any of it, but he's got a whole pile of stuff to talk about. But Matt, before we get started, tell us a little bit about yourself.

Yeah, sure. So hi everybody, my name is Matt Shadbolt. I'm a program manager on the Intune team, or the Endpoint Manager team. I'm actually based out in Redmond, Washington, but as you can probably tell I'm Australian, and I know a couple of these guys from back in Oz. So I work on what we call the policy, security and resource access team. It is exactly what it sounds like: we do all of the policy frameworks within Intune, so all the device configuration, ADMX-backed stuff, policy conflicts, reporting around policy, all that sort of stuff, as well as all the security features that we ship, so our ATP integration, the endpoint security node that we're going to be talking about today. And then newer to our team is actually the resource access side as well, so by resource access we're talking about all our VPN strategy, our Wi-Fi and certificates and so forth. So with policy, security and resource access all under the same team, we see it kind of like an end-to-end solution, and all of our PMs working together to make sure
that device security is really the key. So that's what I do. Specifically, I actually lead all of the endpoint security side, so anything to do with ATP integration, anything to do with firewall, threat and vulnerability management, Windows Defender AV, all that sort of stuff is led by me, obviously in close partnership with our Microsoft Defender ATP folks, both here in Redmond as well as in Israel.

Excellent. That is quite the job description. Like, we're busy here. So you also are one of the faces behind the Config Manager Dogs Twitter handle, is that correct?

Yeah, that's right. So the Config Manager Dogs has been going for almost nine years now, I think, and started as a TechNet blog before TechNet went away. That was myself, Ian Bartlett, who continues to work on the Intune team alongside Steve, and George Barakas, who actually works for Azure now, but we all started working as Config Manager PFEs about nine years ago and started that blog. We were just blogging Config Manager content. It shifted a little bit away from Configuration Manager and more towards Intune, now that we have a lot more focus on Intune. We don't have a blog anymore, but the Config Manager Dogs on Twitter are still really active. I'm tweeting all day long, and I actually use it as a really easy way for me to tweet out what we're working on and make sure everybody's aware of the cool stuff that we're shipping, and use it as a channel for feedback and things as well. So it's been very helpful.

And we've also seen that you guys, or at least you yourself, have some blogs out on the Microsoft Endpoint Tech Community blog, is that right as well? I say "is that right", I know that's right.

Yeah, that's very accurate.

It's called a leading question there. I'm trying to conduct an interview and
do it very poorly here.

Yeah, I keep talking. Obviously with TechNet going away, the platforms for us to start writing and sharing technical content really moved to a couple of channels. There's obviously our formal docs site, where for every feature that we ship we have to have really good docs that align with that. But formal docs are a lot of work for us. Believe it or not, we have formal doc writers and so forth that we work with to make sure that the technical content is up to a certain standard, so that we can stand behind it and use it as our supported configuration documents and all that sort of stuff. But then there's the blog channel as well, which is a little bit more relaxed, a little bit more casual for us. It's quite easy for me to knock out a blog post and go, hey, this is what I'm thinking, this is where we're going, without having to go through all the rigors of formal documentation. So we definitely post a lot of stuff to the Tech Community blog, and it's another good place to be following for all those sorts of updates. Much of them I retweet anyway, though, so I don't think you have to worry too much about RSS feeds and things like that. If you follow us on Twitter you'll see all the important updates.

Excellent. Well, we'll definitely include all the links in our description box below. So now that we've got all that out of the way, let's get to the exciting bits. Let's talk about endpoint security and ATP integration and all the cool bits that have just gone GA.

Let's do that. So I'm just going to share my screen. Let me know when you guys can see it.

Yep, got it. Yep, you're good.

Great, cool. So I always like to start with this slide when I'm talking about
endpoint security, and a lot of Endpoint Manager and device managers kind of put their hands in the air and go, what, why are we looking at this slide? This is a Microsoft Defender ATP slide; I don't work on the security team, I work in the device management team, or the PC management team. But I think it's a really good description of the entire Microsoft security stack, and there are some specific things we'll talk about as to how they impact you guys as device managers and Endpoint Manager and co-management gurus, right? This spider here kind of bucketizes the six, I suppose, main areas of security value within the Microsoft security stack. Some of these are unique to E5, so for example endpoint detection and response requires an E5 license, but much of it actually doesn't. The Microsoft Defender ATP banner covers the entire security stack that's within the Microsoft ecosystem, right? So things like AV and firewall all fall under here. These are the E3 values, the E3 products, and E3 customers can make the most of them, but then we try and layer even extra value on top of the firewall and AV and so forth by adding the E5 SKU and building even richer and more detailed experiences around them. So this presentation shouldn't preclude anybody who doesn't have E5, I suppose that was my main point. Don't be worried if you're not paying for E5, there's still lots and lots of value here, and actually probably 90 percent of the stuff I'm going to show you guys today is available to all Intune customers with an E3 license as well.

Awesome, good to know. That's awesome.

So let me just quickly walk through these six buckets and why we actually care about them from an Endpoint Manager point of view. So if you haven't heard about threat and
vulnerability management, the first one on the left here, TVM for short, is a really cool feature that we shipped from the E5 side. This is an MD ATP product where the ATP sensor that's enabled on Windows 10 devices, and soon to be Mac devices and so forth, actually does vulnerability scanning across the network. So what it'll be looking for is patch states on PCs, applications that have got CVEs against them, misconfigurations in Windows and so forth. TVM's an entire market, and there are many third parties that offer TVM, but this is actually built directly into ATP, so there's no extra agent or anything that needs to be deployed to gather all of these misconfigurations and vulnerabilities and so forth. But we know when threats and vulnerabilities are found, it's most likely the security team that's not going to be actually resolving those problems, right? Let's say we find a vulnerability in a VLC application, or a line of business application has got some sort of malicious code or something wrong with it. We know that the security team aren't the ones that are going to go deploy those applications; it's going to be the IT team, right? So there's a play here for the IT team to still be involved in threat and vulnerability management, even if it's most likely the security team that's going to be driving it.

And the same goes for the second bucket, attack surface reduction. Attack surface reduction is trying to reduce the attack surface of a client, right? So it's doing things like blocking PsExec on a client for certain files and things. If PsExec is running on your client, you most likely have something going wrong there. There's a whole bunch of attack surface reduction rules and things that we can enable to stop those attacks from even occurring in the first place,
but when a false positive or something is found, it's the IT team that the end user calls, right? It's not going to be the security team. It's most likely going to be the IT team who's deploying exceptions to the ASR rules and so forth. And take device control, for example. Device control falls under this attack surface reduction as well. This is like allowing or blocking USB drives, known or unknown USB drives. Again, it's not the security team that knows what the IT team are purchasing in terms of the standard USB drives; they're not the ones who are going to know the device IDs for those. It's going to be the IT team. So there's a place to play for them there.

Next-gen protection is very similar. Next-gen protection actually covers all of the more traditional security features in Windows as well. So this is your firewall, the BitLocker encryption, and also the Windows Defender AV. Again, attack surface reduction and next-gen protection are all available for E3 as well, so this is all available for the vast majority of customers. But AV exclusions are managed by the IT team, they're not managed by the security team. Firewall ports are managed by the IT team, not the security team, because if an application breaks because somebody's blocked a port, who's going to be screamed at? It's going to be the IT folks and the help desk, right?

Endpoint detection and response is probably the jewel in the ATP crown. This is where it's doing all the behavioral analytics and so forth about what's going on with clients. Are we seeing pass-the-hash, are we seeing lateral movement across the network and so forth? But the IT team's the one who's generally going to be looking after the client health for these clients, right? How many of my devices are EDR enrolled versus un-enrolled? Is somebody trying to maliciously unenroll the EDR agent?
Do we need to go back and enforce that? Do we need to make sure that our risk scores and so forth are connected to conditional access, so if ATP is not active, are we blocking access to Exchange Online and so forth? So this is still a place for the IT team to play there.

The last two are really specific to the security teams. Auto IR is, when a malicious actor is found or we see something malicious going on in a client, how does a security team automatically react to that? The IT team obviously needs to know about when things are automatically occurring and so forth, so we have some integrations there. And then finally the Microsoft Threat Experts is actually a service that we offer at Microsoft for E5 customers where, when something malicious is happening and the SOC or the security admin or the SecOps person doesn't quite understand what's going on, they can reach out to these threat experts and actually just ask for advice and so forth.

So that's the Microsoft security stack. As I mentioned, for each one of these silos here there's a real part that the IT teams need to play, and that's really been all of the stuff that we've been working on in the endpoint security node for the past close to 12 months: how do we complement these awesome security features from the SecOps team to provide some experiences for the sec admin or the IT admin who maybe isn't as deeply knowledgeable about security, and provide them the tools that they need to support their SecOps teams?

Matt, before you move off of this, can you recap the license requirement for each of the categories?

Yeah, so the threat and vulnerability management is absolutely an E5 product. Attack surface reduction and next-gen protection is generally an E3 product value. If it's generally in the
Intune console and configurable, it's something that's available for E3. There are some caveats here, so for example the tamper protection feature that we shipped not long ago is an E5 value as well, even though that kind of fits under next-gen protection. So it's not as black and white as these individual silos being E5 or E3, but as I mentioned we kind of offer that step-up value, right? So you've got the awesome Defender AV service and everything that comes with it, but if you have E5 then we can provide tamper protection on top of that, and I'm happy to talk more about how tamper protection works as well. EDR, Auto IR and the Microsoft Threat Experts are all E5 products and features, and you won't have any use of those unless you have E5 licenses anyway.

Okay, good, helpful. That is a whole lot of tools that just come with E5. I like it.

It is, yeah. So I've just got a couple more slides and then let me jump into a demo. As I mentioned, one of the big concepts and one of the things that we're driving is trying to really improve the security team and IT team's cooperation and ability to execute on their security postures, right? So we know that traditionally security teams and IT teams haven't liked each other, right?

Yeah.

Us and the Endpoint Manager team have traditionally just spoken to IT folks who are really worried about end user experience. They're worried about cost because they've got help desk overheads, they're worried about deploying agents and having to keep them healthy and all those sorts of things. And security teams really don't care about a lot of that sort of stuff. They report into a CISO, they're outside of the IT org, and really they're goaled on just making sure that everything's secure.
If you asked any security folk, they would much prefer to have no mobile devices, they'd prefer to have everything locked down and contained, and we know that from the...

And the network, yeah.

Exactly. Port hardening and all those sorts of things to make sure that nobody can do work outside of their strict control, right? Which is fine, that's their job. But we know from the IT point of view it's just not acceptable, right? So we've seen a lot in the past, and I'm sure you guys have had similar experiences, where these two teams are just butting heads, right? Security wants a lockdown, IT needs some flexibility. Security want patching done zero day, but that's just not possible for a lot of people. The IT team don't want to be deploying all these agents and managing client health and so forth. So a lot of the endpoint security stuff that we've been doing with the ATP team has been trying to break down that brick wall, right?

So what we're trying to do is make sure that we're going agentless, for example. For TVM, the vast majority of customers, if they're using third party, have a TVM-specific agent that they need to manage. They then have an AV agent, they have a firewall agent, they do some sort of third-party disk encryption, they're doing attack surface reduction rules and device control rules. They're doing all of these sorts of security features, layering different agents on top of it. So the first thing that we did in terms of the strategy is, if somebody's buying Microsoft 365, we want to make sure that we exploit the integration that we have with the operating system, in that we don't want to lay any more agents down. We want to make sure that we're integrated with all of the
business tools like Office and Exchange Online and so forth, so that with attack surface reduction and all of the DLP controls that I have in Office 365, it's just integrated like that as well. There are no extra firewalls or appliances that need to be applied to do email security, for example. And then we wanted to make sure that the management was all integrated as well. We don't want to have silos, we don't want to have the security team using one tool and the IT team using a different tool. We want to make sure that we build the best experiences that really exploit that platform and the ability for those two teams to work together in the same console, and that's the goal of the endpoint security blade within Endpoint Manager. We want all the sec admin work, so the configuration, the management, the high-level reporting of the things that are turned on and off, to be all from the Microsoft Endpoint Manager console. And as I mentioned, we want to exploit the management stack that we already have in place too, right? We have a lot of devices that are managed by Intune, being cloud managed, but also even more devices that are just on-prem with Configuration Manager as well. When you look at our competitors, they don't have this platform of enterprise customers using our management tools already. So from a sec admin point of view and a security point of view, when they come across their M365 E5 and want to start building on the security configuration, there are no more agents, right? That's all just already managed. We're already worrying about one client's health, we're not having to worry about anything else around deployment and management of that. So this is the vision: for our security management and monitoring to come out of the endpoint security blade in Endpoint Manager, and
flow down to our Intune standalone devices as you would expect, flow down to our Intune co-managed devices for those customers who want to co-manage their Windows 10 devices from Config Manager, but then, and I'll show you some examples of this later, the future is for us to have those same sorts of authoring and management experiences for totally disconnected Config Manager managed clients, including servers, right? So we could have data centers full of Windows servers, and eventually Linux servers, that you'll be able to manage all from this cloud console without those comprehensive clients ever having to touch the internet.

Whoa, whoa. I'm sorry, you're going to have to back up and say that all over again, because I don't think anybody heard it, and they're not going to rewind. So we need to stop right here and say that one more time.

I'll show a demo later about how it works, but essentially what happens is all the authoring and management experiences come from the web console, right? Once a policy or a configuration or something is created, we actually just deliver that down to the Config Manager site. The Config Manager service isn't talking directly to any of these clients; we deliver down a package to the Config Manager site, and then the Config Manager clients talk directly with our management points and whatever services they need to be able to apply that configuration, without ever having to talk to Intune, right? And then the reporting channel flows in the opposite direction, right? So the Config Manager clients send their reporting and their status to the Config Manager database, and the Config Manager database syncs it back up to us. So these devices and these servers and these clients can be totally disconnected from the internet. They could be ATMs or they could be medical equipment or whatever they are; as long as
they've got line of sight to their management point, they can talk to Config Manager and will eventually be able to do all that security management.

That's awesome. Very neat.

Cool. So it's baby steps today. We released a blog post just this week that we moved to public preview for the first payload, which is our endpoint detection and response payload. As I mentioned before, the first thing that the vast majority of our E5 customers want to do is get onboarded to ATP. So what we're allowing, as in this graphic, is for you to be able to create those EDR onboarding policies and deploy them down to those offline or disconnected and non-cloud-connected clients, and that's really the first payload that we're working through. Our Config Manager and Intune teams are working super hard at the moment to light up those next policies. The next policy will most likely be the Windows Defender AV policy, which seems to be the one that everybody else wants to do for their Config Manager clients, and then shortly following that we're looking at the tamper protection policies as well, which we can't do today with Configuration Manager standalone; it's only an Intune-enabled feature. But with this tenant attach experience you'll be able to do tamper protection for those offline clients as well.

So you just made me, I mean, my head is racing here as I'm thinking, because of the possibilities here. Okay, but I've had this thought of, okay, so tenant attach, and I know you're going to get into a demo, so tenant attach is where you can take Config Manager clients and it's almost co-managed but not. It's where it's fully managed by Config Manager, but it allows you to see and interact with that device object from the Intune console. But the important bit that I guess I wasn't quite, I mean I've messed with it, I've messed with the Config Manager admin service, and I know there are some pieces in the back end
that all connect together for that. But the idea here is that your servers are not directly talking to the Intune console and communicating with it, and that's not how they're showing up in the console. It's a sync to the central, to your site server, to your management point, and then a sync from there into Intune. And when you're doing the sync policy from the tenant attached items in the Intune console, you're sending that signal to the server, to your Config Manager server, and then it's triggering that signal down to those clients. So it is proxying, and so those devices are not directly talking to you.

Exactly.

So that's important for server admins to recognize: we're not exposing your devices to the internet here.

That is exactly the goal of tenant attach, right? And really the key thing to understand is the client communication; that's the most important part, right? When you enable co-management and you swing across those sliders, what happens? The client does an MDM enrollment. It does an Azure AD join, or it's hybrid joined, or whatever it is, but anyway there's an Azure AD registration from that client. When those sliders start sliding across, all of that configuration then starts happening from the Intune service down directly to the client via the MDM channel, right? That's how co-management works. Now with tenant attach, the client communication doesn't change from what it's currently doing today. Nothing changes, right? The Config Manager client continues talking to Configuration Manager just like it is. The difference is that Config Manager is now proxying all that information, reporting device status and so forth, up into the Intune cloud. So when you come to that web console, and we come to the Endpoint Manager console, you don't really care what the management channel is, right?

Yeah.

There's a Config Manager management channel and there's a co-management
channel which is using direct service-to-client communication. So really the key thing to remember is the client communication. Tenant attached, the clients aren't talking to Intune; it's Config Manager that's talking to Intune.

Awesome. So really what you're doing is you're moving a big co-management slider by enabling tenant attach, in that your Config Manager servers are now co-managed, essentially, because you're pushing policies down to them that they then push down. Anyway, that's silly, but that is what is happening. You're moving the slider, so you now can co-manage your Config Manager server side of things, the actual management pieces, yeah, moving pieces of your console to the cloud.

I think the important word is more "attached". If you keep conflating and overusing co-management like that, people get super confused.

You'll work them out, it's good.

The core of co-management is that an MDM enrollment happens from the client, right? That is what co-management is. Sliders and so forth really only tell the client what the authority for that particular configuration piece is, right? Slide that endpoint security slider, the endpoint protection slider, and now Intune can manage all of these security-related configuration policies, but it's not Config Manager that's doing that. It's really the client that is checking in and telling us what features Intune should be the authority on, right? When it comes to the tenant attach stuff, it really is the Config Manager server attached to the Intune service, and that's it. There's no communication from the client point of view at all; it's just attaching. And in terms of actually attaching, if you're using co-management today you've probably already done it anyway. You just need to enable the device sync, and then we'll start
syncing those device objects. But there isn't an Azure AD join, there isn't an MDM object. Intune has no control over the physical device in a tenant attach scenario like you would have on the co-management side. Everything's left to Configuration Manager.

All right.

So I know it's really hard to get your head around it, especially because we keep renaming stuff as well, and we try and simplify things. But a lot of the effort that we've put in over the last couple of years is really trying to meet customers where they're at, right? Everybody wants to continue using Config Manager. There are lots of scenarios where it's not appropriate for those clients to be directly connected to the internet, and they have no need or no desire for those banking ATMs or medical equipment to do an MDM enrollment. So we're trying to close those gaps and provide this, and we think there's probably a little bit more work to do, but we think that the future direction is a righteous one.

Yeah. So I don't know that it's clear on this or not, so what is the relationship between... I may already know the answer to this, but I'm doing this for everyone else who's listening, because they may have this question, right? What is the relationship between tenant attach and Intune and Intune licensing? And then the next piece of that is, can we get this type of functionality, the stuff that you talked about on the first slide, without tenant attach or without co-management, like without going into Intune? So what are we looking at there?

Yeah, so it's always risky talking about licensing, so I'll be as vague as possible because, as you guys know, I'll just get myself in trouble. So I believe Brad Anderson at Ignite last year said that every Configuration Manager client will be
allowed to sync into the Intune service and provided an Intune license. So there's no issue in terms of syncing all these devices into the cloud. You shouldn't be too worried about that at all. As long as you're an E3 Intune licensed customer, that's going to be enabled and allowed for you, no problem.

In terms of the co-management piece versus tenant attach, and does any of this value come without co-management or the other thing, the clear answer is no. The best and most complete story for endpoint security that we have today is with co-management, because we've built all of this for MDM already, and when you swing across that endpoint security, endpoint protection slider, all of these scenarios that I'll demo shortly light up for you, right? So we absolutely want everybody to go out and enable co-management, because you're going to get all the conditional access piece, you're going to get all of the endpoint analytics stuff, you're going to get all of the stuff that we've been building for the longest amount of time. So absolutely swing those co-management sliders across and get into it, and especially for security, this is such an easy thing for you to move across to be managing the security configuration, and day one, like tomorrow, it'll all work nicely.

The tenant attach side is really to try and complement that. I think the vast majority of organizations have a certain percentage of their clients that just can't be co-managed. Servers, for one. A server is a great example: we can't co-manage a server because there's no MDM stack on it, right?

Yeah.

So for that particular situation, we know that customers still want to see the AV and EDR status and have all those same things available in that same console. So that's where the tenant attach side comes in, right? Those clients don't
need to do co-management they don't need to do an azure registration or an mdm registration uh and then you know they get all that same sort of single pane of glass you know experience for those uh so continue doing co-management augment that add extra value um with with the tenant attached stuff tenant attaches is much more than just uh you know just security products too as well so i know the team have been working on things like uh you know forcing a machine checking you know software inventory hardware inventory and so forth as well so a whole bunch of those help desk scenarios are showing up in this web console so that it helped us folks don't need to install the config magic client to you know to reinstall applications and so forth so uh doing the the you know instant app approval and install from the console via config manager on tenant attach so yeah there's huge potential for us right but you know i really have to stress it's really not one of the other it's not co-management or this it's really both you know use them both to you know to build up this this management you know layer across every device in the organization so i'll ask one more and then i promise i'll let you go to the next slide uh as you can tell i'm interested in this uh this is great pick the config manager guy yeah yeah sorry uh i'm not sorry okay so because i mean i see this kind of these kind of questions come up all the time because there are still people out there that believe that you know that in the you know we're supposed to move away from config manager and it's you know they're putting microsoft's pushing us to in tune and no we're not going to intune because it doesn't have the same features and all this sort of stuff and you know and none of that none of that's true uh but i'm looking at it saying okay so if if i don't license my users for intune my i could i should still be able to do co-management because as you mentioned earlier all of our devices should if you have a 
Config Manager license, you have an Intune license for the device. And then tenant attach allows us to handle attaching our servers as well, and any of the non-Config Manager or non-Intune co-managed devices. So in theory, not that I would, I mean some people may want to do this, you could slice off a small piece of this and say I just want to take what's free, or what's included in my Config Manager license, and not go the full-blown Intune management route and have users licensed and all that sort of stuff. Is that right?

Yeah, totally. As you mentioned, Configuration Manager's going nowhere. We're developing on top of Config Manager; there's so much development going on in Configuration Manager, it's just crazy. I don't know how many times DJM has to say it's going nowhere, but we'll keep saying it again: it's going nowhere. I think it's really meeting customers where they're at and where they want to be at the same time. Customers who want to continue using Config Manager, have it isolated, and not use the centralized cloud console for the cloud-managed as well as on-prem, you're welcome to do that; there's nothing stopping you from doing that. If you just want to purchase Config Manager licenses and just run Config Manager, then happy days, not a problem at all. But we have two teams working on Configuration Manager and Intune being the Microsoft Endpoint Manager console and concepts, and the vast majority of the investment is coming for that joined experience, for the customers who do want to use some parts of the cloud as well as all the stuff on-prem; there's a lot of investment going there for them. Not to say there's no investment for on-prem stuff: you've seen all the task sequence changes that have been happening recently, lots of on-prem software update features that aren't cloud attached and aren't connected to Intune in any way, and that will continue going as is. But if we want to have these rich, consolidated, integrated experiences with cloud and on-prem, then obviously you need to connect it up to the Endpoint Manager console.

Excellent, this is exciting. I like it.

Should we jump into a demo and I can start showing?

I don't know if you realize this, Matt, but there's a rule on Intune Training: the demo can't be successful.

Yeah, if it looks like it's going well, just hit the power button. We can't have you break our history. Unplug something.

I feel like I'm going to faint in my room here, actually; it's so hot. So if I look all red and sweaty, I apologize, but it's a beautiful day here in Seattle and I've been locked in my bedroom, which is now my home office, since eight o'clock this morning. Okay, let me just show a demo, and please, again, jump in and stop me wherever I'm going too fast, or with all these questions.

First I just wanted to show you the left nav that we shipped with what was the old DMAC console, the Device Management... I can't remember what the old acronym is.

That's the one.

Which is now the Microsoft Endpoint Manager admin center. We shipped this with this new left nav back in, I believe, the December time frame. We used to have a whole bunch of stuff down the left nav, like eBooks and device configuration, just a whole bunch of confusing stuff, and we actually did a whole bunch of market research and end user studies and things like that around what a left nav should look like, and these were really the pivots that we took, based on the admin persona. So we know that every
organization's got a device admin; we know that there's an apps team that are creating line-of-business apps and deploying them and managing updates and things like that; we know that multiple teams need to jump in and do reporting and things like that; and there's always one or two people in that organization that manage the service as a whole. So we kind of pivoted around personas, but we took a big bet that most organizations will have some sort of sec admin as well. They'll have somebody who is dedicated to doing security deployments and administration, so we built out this Endpoint Security node, and the goal of this Endpoint Security node is to build all those dedicated sec admin experiences in here. Much of the configuration that's in these policies and so forth is available elsewhere in the Intune console. If you look at the All devices list, this is exactly the same as the All devices list that's in Devices, but we put it in here because we know that a sec admin that's coming in and looking at, say, AV exclusions, or making sure that the firewalls are configured correctly and so forth, needs the ability to look at their device status and see what's being configured. They don't want to switch across to the Devices view, which is built for the device admin; they want to see it all in the one place. So this is our all-in-one place. Devices: exactly the same view as you would see over there, and you'll have all the same sort of remote actions, like reboot machines, run Defender scans, updates, all those sorts of things, directly from in here.

Security baselines: I'm sure you're well aware of security baselines, and the goal of our security baselines is to really give customers a quick start on configuring to what we suggest at Microsoft. Believe it or not, the Intune team aren't the ones who define the settings in the baselines; we leave that for the SMEs across the organization. So the same two guys who created the GPO baseline for Windows 10 are the same ones who defined our MDM baseline. They don't work for Intune, they don't work for MDM. The ATP baseline was defined by the ATP team; we're not the product experts of ATP and how sample submission should be configured. It's the ATP team that tells us that; we're just really the infrastructure for delivering those settings down. Same as the Edge baseline: for the new Edge (Anaheim) browser, all the suggested security settings in there come from the Edge team; it's not us defining them. And then the Office one, which is still in development at the moment, is coming from the Office team. So we cut new versions of these every time the Windows folks tell us, hey, we've got some new guidance. We've had a couple of changes to the ATP baseline based on customer feedback that was coming to the ATP team, and then new Edge baselines come out every now and then as well. But I really see these as a starting point for a lot of organizations to understand what Microsoft's best practice is, deploy them out, and then use all of these new policies to complement and fill the gaps that the security baselines aren't covering.

Questions on baselines?

Yes. So Steve, do you remember a conversation we had with someone at MMS?

You're trying to make me remember something very descriptive, yeah.

Okay, was this... Jazz? Yeah, Jazz. We talked to one of the product group folks about baselines, I believe, and I think it was... anyway, we had this idea of using baselines in a way that you could subscribe to them and basically see deltas. So take the baseline, the way we do with our GPOs: we take the baseline, we don't touch it, and then we can swap
that in and out and we have our delta policy over the top. But then having a way to subscribe to it and then adopt the new baseline, maybe that exists already.

Yeah, so we've got a couple of things. We know change management is hard with security baselines, and we absolutely don't want to upgrade people's baselines without them understanding what's changed and what the impact is. So when we change them (you can see these different versions here, from one to three to four), we don't automatically update these baselines, because maybe the guidance has changed and we've changed something from a true to a false; if we went and just upgraded those baseline profiles for customers, stuff would just start breaking. So we built in some basic versioning where you can actually upgrade these particular baselines, and we also built some comparing functionality as well. So let's say we've got old version three and version four: what's actually changed there? You can click that and we'll give you a CSV output. A lot of people don't know that this is available, so maybe there's room to... You can see here these settings are all equal; I think a couple at the bottom are not equal. This one setting was the only one that changed for this baseline version, and we tell you it used to be true and now it's false. So you can go in and have a look at this and make sure the baseline is up to your understanding and expectations of what's going to break and what's not going to break before actually upgrading those baselines. So we built all that functionality in there as well. I believe we also added the ability to duplicate these profiles, which is something that we shipped last month, so maybe what you would want to do is duplicate the current baseline that you're using today, upgrade it, deploy it to a handful of devices, and then see what happened, and use that as a trigger to go off and update it. So we're trying to build tools to help you guys manage the versioning and change there. We also, every time a baseline is released, document all the changes on our docs site as well, so if you've been to the security baselines doc, it's getting really, really long, because every time we cut a new version there might be 15 or 20 different settings going in there. So I'd suggest monitoring those and watching those as well. If you wanted to automate some of this stuff, I'm not sure how far you could go with Graph in terms of doing the automation of that, but we've tried to build some pretty manual tools to at least help you a little bit in terms of what the risk of upgrading different baselines is.

Very cool.

Cool. All right, let me talk about security tasks just really briefly. This is one of those E5 values that I mentioned before; this is really the integration with the threat and vulnerability management stuff that we had. So when a SecOps person finds a VLC...

I've just used VLC media player a thousand times, yeah.

A VLC version that's out of date in their organization. We're working on the configuration side as well, but it might be Notepad++; it's got some open source binary that was compromised three or four years ago, and there's a handful of devices that are using an old version of Notepad++. Again, we don't want the security team upgrading those applications, because they don't know what the impact might be. VLC is used, we've got a whole bunch of open source binaries that are used in corporate video editing software, so if we go and upgrade those, there's a whole bunch of stuff going to break from the end user's point of view. So
what we wanted to do was build a bridge between that SecOps guy, or guy or girl, and the security tasks here. So this is what happens: the SecOps person notices that vulnerable app, they see that there's five devices that have got it, they go off and do the research and go, this CVE is bad, we need the IT team to upgrade it. They click a button in the SecOps console and then one of these is created on the Intune side. So you can see here, if I click on this, the IT team will see that there's an update to VLC that's needed; you can see that there's 61 known vulnerabilities; you can click on the impacted devices here and we'll show you the device list of which devices actually need this update, compared to others that maybe aren't actually vulnerable and don't need it. And then from the managed app, if it's an app that you've already created before, so if there's some version of VLC media player in your Intune tenant, you click on that and it will actually drop you directly into the app itself. So from the IT team's point of view, all they need to do is go into properties, edit or update the package, and then those devices that were already targeted by it will update and install, and then over on the SecOps side they'll see that the updates have been taken. We also built just a really basic level of change management and tracking and reporting here as well, so you can see the alias, or the UPN, of the IT team guy who's picked up the case and is going to go off and do them, and then they can send some status back and forth, in terms of, yeah, this is mitigated, it should be clear on your side now.

Nice. Matt, I know you're not asking for feature requests, but I'm asking anyway. Does it tell you who created the task, so that you could go and talk to that person or whatever?

It does, so we've got a... okay, there it is. Okay, so we've got a requester here as well. The team, I believe, has already shipped or is close to shipping ServiceNow integration from the SecOps side as well, so you can tick the box to say send it to Intune but also send it to ServiceNow, so that it's in your tracking systems and so forth. But yeah, it's really just trying to make the days to mitigation and remediation as close as possible and, again, as I mentioned before, break down those walls between those two teams.

That's really cool.

Cool. Okay, so now it comes into the more fun stuff, and the stuff that we shipped and GA'd just a couple of weeks ago, and that's our endpoint security policy types. So why did we want to build these? The main real reason is everybody hated the old endpoint protection profile. There was this old profile in device configuration that had every single security setting in it. I call it the monolith policy: you would configure firewall, ASR, what else, Exploit Guard, Credential Guard, BitLocker, everything in this one policy, and then when something failed in it, it was just a pain to go and check what was causing those problems.

Isn't that the one that we couldn't find the other day, Steve?

No problem. You were looking for Windows Defender AV, and that's actually another good point: the Windows Defender AV isn't in the endpoint protection profile, it's in the device restrictions profile. So from a customer point of view, and obviously it kind of vindicated all the work I've been doing when I was watching that video, because you guys couldn't find the settings that you wanted. You wanted to configure AV and you couldn't find it.

Yeah.

So the goal of this is for us to, A, have it all in one location,
so it's super obvious where it all should be, but also build scenario-specific experiences for each one of these. We know customers who are coming across from a third party, when they're moving to M365 for security, have a certain expectation of that sec admin experience. They don't want to be in the Devices node; they want to have AV reports, they want to have certain configuration experiences for firewall, for example. They're used to certain sorts of things, and we're trying to build all those experiences in this console here. So for antivirus, for example, you come in here and create a new policy. We have macOS or Windows 10; I'm just going to select Windows 10. The Defender Antivirus policy is all the AV settings; the Windows Security experience policy is all the end user experience settings that we have available in the console. So the Windows Security app shows things like allow a user to run a quick scan, or allow a user to see the firewall status; we can block all that sort of stuff. But it also includes tamper protection as well, so if we don't want to allow users to stop the anti-malware services, we would enable tamper protection and that would stop that. So that's all included in there, but just for this quick demo, the Defender AV policy is what we'll start with. Let's go with just Defender, maybe. So rather than that big, huge monolith policy, we've just got all the AV settings, and we split them out into the correct categories that are really obvious as to what we're going to be doing in here: we have the real-time protection stuff, we have the AV exclusions, how we're going to handle updates, those sorts of things. And that is as simple as just walking through this and deploying it just like any other Intune policy. We also, for this particular policy, finally enabled tri-state for all of these settings as well. If you remember the old policies, we had what we used to call dual state, so we'd have enable or block, and then not configured, and those were the only two states that we'd support. We had lots of customers say, why don't you support a tri-state, which is block, allow, and not configured? We want to be able to block things sometimes and allow them at other times. Without going too deep, there's lots of history there in terms of how these settings were configured and built in Intune, but we're slowly going across all the endpoint security policies, these ones that I am showing, and we're going to convert those all to tri-state as well, so that you'll be able to configure and not configure as much as you want. So that'll be coming over the coming months. We have challenges around Graph and supportability of APIs and things like that that make it a lot harder than it would seem. We get it all the time: why can't you just add that extra state? It's unfortunately not that simple. But over the coming months we'll be converting every one of the settings that we have in the Endpoint Security node and these new policies over to tri-state, at least so that you can do whatever you need to do.

Sorry, a question on that. I assume the way this works is, if you've previously configured it and you now go with the not configured option, I assume it is smart enough to be able to go and remove those settings and unset them?

Not necessarily. So one of the things that we're building at the moment is... you saw the upgrade experience that I showed you before for the security baselines; we want to have a lightweight version for these sorts of policies here as well, so that when we do go off and create that tri-state, we won't change anything in your policy, but
we'll allow you to upgrade those, and then at that point you can decide whether or not you want that third state available, and you need to make sure that it's not going to have any impact on the business, and at that point you can pull the trigger. We never, ever want to force these changes on a customer, because we could never understand the potential impact on hundreds of thousands of our customers of changing without allowing you guys to be in control. So any time that we release a message center post saying you need to go off and do this, it's because we don't want to break any of your stuff; it's up to you guys to understand what the change is that we need and make sure that there's no risk there.

Nice.

But part of that, and it's a good segue into that duplicate policy feature as well: one of the things that we're trying to use as a way to help you guys mitigate that risk is providing policy duplication. It seems really simple, but we weren't able to do a lot of that until we moved into this new Endpoint Security node. The goal of the endpoint security duplicate is that I can just go "dupe", I could give it a version number, I could give it a date, I could give it whatever I want, and then whatever was configured previously in that particular configuration policy is now available in this as well. So this will allow you guys to go off and deploy those changes and check them before doing the upgrades and understand what's going on in there. We also know that things like AV exclusions, for example, are a bit of a pain to manage when you've got huge policies and you want to test a change, for example. You want to remove that one AV exclusion today without breaking everybody; policy duplication and things like that are really helpful from a security administrator's point of view.

Nice. So I have a really quick question on this one. Now that we've got this tri-state scenario, does this solve the problem that I've run into myself, where I have an old device restriction policy or a device endpoint protection policy or whatever, I've had a setting changed from not configured to either allow or block, and the ability to unset that?

Exactly. That's exactly the goal of the tri-state. I think a good one was firewall. We would have this setting called firewall, and it was either allow or not configured. Now, not configured by default on Windows is to be turned on, but the user can change it; they can turn it on or off. So we shipped the feature to turn it on, but not the ability to turn it off. That's that classic tri-state scenario that we're solving there. So in the situation that a user calls up the help desk and says, this app that I really need right now isn't working, I can't turn the firewall off, this policy being allowed to use that third state will allow you to turn it off quickly, unblock the user while you understand what's going on with the app. And yeah, that is exactly what the goal is.

Yeah, it was just funny, because I was doing it programmatically through Graph and the error that I was getting back was that not configured was not a possible value in the schema, even though if you just create the policy brand new, the value is not configured. So it's not allowed to be there.

Not configured, from a tech point of view, is actually really interesting, because it does a bunch of different things. In certain cases, if you create a new policy, for example (I'm going way too deep), create a new policy, for example, with a setting not configured, we just don't send anything to the client.

Sure, sure, makes sense.

Right, yeah. But what if I have a
setting that was set and then I go and change it to not configured? Should I just stop sending that? In fact, for the vast majority of the settings we actually do a delete on the client, so we actually remove the previous setting. So not configured is actually pushing something; it's actually doing something in certain situations. So it's sometimes not as obvious about the complexity of some of these settings and how they work as it might be.

Matt, you just covered a thing that took us a while to sort out one day. We had done a captured image, a reference image, and someone had hard-coded group policy registry entries, baked them into the image, as people do, for whatever reason, I don't know. And we kept running into this thing where we couldn't... I don't remember what it was, but there was a setting that needed to be not configured, and because the on and the off and the not configured, all three of them, behaved completely differently, they had different things. And from the group policy perspective, not configured doesn't push, doesn't remove the setting. And so then we couldn't revert the registry entry; we had to go and physically delete, find and delete them all. And so I think that's very, very important, to be able to explicitly say, to take every setting in that policy and say, this is what I want it to be, and I want it to override any other setting that exists in that space, so that it's enforcing what I am setting in this policy, not what some conflicting policy or someone manually configured for me.

Yeah, we actually call that process tattoo removal, where we go off and we remove the tattooing of the policy, and it's actually one of the value props of using MDM over group policy. Once you send down a group policy setting, not configured doesn't clean up after itself. So the tattoo removal, as well as obviously the MDM status reporting, are two of the main reasons why our customers move to using MDM configuration over GPO. So I'm glad you found some value in it.

Now just one last one on this. When I unassign a policy or unenroll a device from Intune, does it also go through tattoo removal?

We should do, yeah, absolutely, we should do. So we've double checked and triple checked every single configuration setting in the Endpoint Security node to make sure that the tattoo removal works correctly. We know that from a security point of view we can't compromise in terms of what the expected state is on the client. When we talk to our ATP folks and customers who are using this as a security product, we need to make sure that it's super reliable. I can't speak for the other couple of thousand other settings, that they all work consistently, but they should. So if you're finding settings that aren't doing tattoo removal, raise a CSS support case and say this setting is not tattoo removing, and then we'll eventually get it up the chain to somebody.

That's cool, because this literally was in a conversation I had on a forum earlier this week, because someone said, oh yeah, it doesn't clean up after itself when you unenroll and stuff. So yeah, good to know.

Just be careful in edge scenarios as well. If you're seeing one device that's not tattoo removing, that's maybe a problem; if you're seeing all of your devices not tattoo removing, then that is a problem. The Windows MDM stack can be a little bit unreliable sometimes, especially when you're doing things like unenrollment; sometimes registry keys and things don't consistently clean up. But if you're
seeing a behavior where you know you've made a mistake and you want to remove that policy and it's not being removed from their clients that's uh that's a good good support case for us good enough thank you awesome uh we're going okay for time guys i can just keep talking go as long as you want people can stop the video when they want [Laughter] so let me just show you the the other thing that we shipped just this this week which is the inline reporting as well so we we know as i mentioned like um we know and like an antivirus administrator wants all their stuff together they don't want to have to go off to different nodes and different places to find uh the status and so forth so uh so in the summary screen we have our policies here and then in the windows 10 under healthy endpoints report we have a new report which shows all the devices that are unhealthy uh it's showing in in this example uh this is a report for for all the devices that don't meet the clean state which is a state that windows defender av has so if any device in my organization is either requiring a full scan a reboot manual steps offline or there's something really wrong with it they'll show up in this report and the goal of this report is first at an organizational level show that you know a handful of devices that are in a dodgy state you know these these nine devices uh need to be rebooted for the you know they're for the for the malicious you know malicious files to be cleaned up properly um and then hopefully you get into a state like like i am here where none of my devices are showing up which means everything's healthy all right so we'll be building some other reports over in the reporting node um shortly which will show all the clean status we know that you need to obviously report to csos and managers and things to say you know 100 of my devices are clean but this view here is really for that you know uh av admin to come in manage their policies manage their ex exceptions and then make 
sure their devices are in a clean state i like that you didn't clutter up the menu with all the or the the list with all the clean stuff that's nice that's good but having a list to provide to that manager who says well no data is no data show me the data like that's important too yeah we have at least one person that i work with that's gonna want that one so yeah we know everybody needs to justify their job right everybody everything's clean i'm doing a good job boss but we also know that a different person who is most like the one running the report it needs to come in here and actually keep these devices clean so um you know for you know for a customer like msrt our internal microsoft team uh microsoft support team they've got like 600 000 devices you know uh a list of six hundred thousand clean devices here isn't helpful for them they just wanna see the handful that they need to go off and clean up so so that's that's av we're expecting to do a similar thing uh in in the short to medium term for each one of these left nav nodes here as well so for disk encryption for example we'll have a tab for all of our bitlocker status reports and our four volt report reports uh we want to do the same thing for firewall for example so show me all the devices that don't have the firewall turned on or show me all the files the devices that don't have the domain profile you know turned on and things like that so that's all work in progress the first uh you know kind of prototype and the one that we've been focusing on has been av because uh you know we from our customers they they tell us it's the most important um but we're also doing a bunch of stuff around firewall as well so we know that the firewall management uh has been not necessarily the best uh best uh experience in the past i think it was probably only like november time time frame last year that we started supporting firewall rules um which you know is a key need for for our customers and configuration manager 
still doesn't support firewall rules, it's just the firewall profile. So, interestingly, what we've done, for macOS as well as Windows 10, is for the new endpoint security profiles we've actually split them out into two different policies, and there's good reason for that. What we found talking to customers is that they generally want to have one policy for the vast majority of their organization which just turns firewall on and just enables the most basic things, like "we want the domain, private and public profiles enabled for every single device", and that's going to be fair for everybody. But then we want another experience where we're going to have firewall rules for different business units, for example. So there might be a firewall rule policy for the devices that are in building 121 here in Redmond, and there might be a different firewall rules policy for 122 because they've got different subnets and different needs and different ports that might need to be open. Or maybe they do it at the application level, so maybe I have a firewall rule policy for everything that is in Teams: five ports need to be open for Teams and these three executables need to be whitelisted. So we build those out, and then obviously we want them all to layer on top of each other, so we can have the org-wide rules merging with the business-unit-specific rules and so forth. We found that the easiest way for us to do that is to build two different policy types. So if I create a firewall profile and go next, you won't see any rules in here at all. There's no rules, but you have all of those tri-state configurations again for these settings, where I want to turn off the firewall for the domain, the private,
the public, and when you turn these on a whole bunch of other settings become available in tri-state form as well. So this is just that base policy that we see the vast majority of customers only having a handful of. But then they come through and actually create all the individual firewall policy rules and lay those on top of each other. So if I come in and create this preview policy for now and click next, you don't see all of that other stuff like IPsec configurations, domain and public and private; we just have the ability to add these firewall rules. So this might be a policy with only five or six rules in it, but it does this very specific thing, and then we can deploy those out. This is just the first step in terms of improving some of the firewall experience. I mentioned we want to try and have the reporting inline here as well. There's still a whole bunch of stuff that we want to do to try and make these firewall rules experiences even easier, but this is a key area of investment for us.

Awesome, that looks really cool.

Yes, that makes sense, right? It makes sense that we don't want another monolith policy with all these rules in it; we want to split them out.

100%. So Matt, I've noticed that at least on the baselines you can export some of the stuff, but is there the ability natively, and it'd be great on each policy, to be able to just hit export for whatever I've configured in that thing, and even be able to import? So that you don't have to add the compare button everywhere. You could just say "hey, let me just dump these or archive them or save them in source control or whatever" and be able to report out all that information. Maybe you can just pull that from Graph.

Of course you can. You can do everything in Graph. Join us
next week in the conversation. You're like, "you can already do that".

Yeah, so I mean for customers who are all in on infra as code and so forth, there are the APIs and so forth, but I totally get the feedback. We often hear that we want import/export, specifically for multi-tenant environments where maybe I have a lab and I want to create a policy, and now I'm really happy with it, and now I've got to go to my other tenant and I've got to manually configure all this stuff again. We built the policy duplication as kind of the first step to help customers do the change management side, but I think there's definitely room for us to do import/export of these policies, and it's definitely on our list.

Yeah, I mean there are literal businesses that exist with the sole intent of creating a lab, getting it perfect, and then lifting and shifting that onto client environments. They don't know how to do it, but conceptually I've spoken to people that have this great idea for a business, and they get us in and go "so how do we move it from the lab?" So there's a big need for it, to make it simpler, especially when people just want to be able to press a button and not have to worry about how Graph works, which I agree with, but it's also nice to sort of know how it all works under the hood.

Yeah, and we're very well aware of it. I mean we've been talking about similar things for baselines for a long time as well, like "allow me to export my baseline and share it on my blog", and then maybe I could import it and I could have my own custom baseline. So it's definitely front of mind for us, but we'll continue working on that.

Awesome.

So if I could just quickly move on to the EDR side. This is where the Config Manager stuff starts coming in, which is cool. You'll see a couple of different policies in here and a new column in
this particular view called Target, which is pretty cool. So for the EDR policy we've actually done some work to make the onboarding super simple for customers. If you've got the MDATP connection already established, so if you come in here and you've got the Intune tenant talking to the MDATP tenant, you don't have to go and download the onboarding blobs or any of the workspace IDs or anything like that. We actually pull it all across on behalf of your organization to make it super easy to do the onboarding. So to do EDR onboarding, all you really need to do is create this EDR policy and deploy it to a client. When the client receives the policy, they receive everything that they need to do the registration into the ATP side, and then EDR is automatically enabled for you, and also TVM actually. So all you need to do is deploy this and all of a sudden you'll get the threat and vulnerability management. This policy, as I mentioned before, is an E5 feature. If you don't have MDATP set up and you don't have the connector, there's absolutely no need for you to come in here. But for those customers who have got offline Config Manager clients, like the servers and the ATMs and so forth, as well as cloud ones, this is the area that you need to go in and create these policies.

So if I just create an MDM policy really quickly, so these are just my cloud management ones, you'll see two new options in here in terms of the platform. The Windows 10 and later policy is our Intune MDM policy, because we don't support server, and our Windows 10 and Windows Server policy is our Config Manager on-prem policy, because we can support Windows 10 and we can support Windows Server now. So if I just create an MDM one, for example, we've made it pretty clear here in terms of the policy type. If I create this here and go next, I've only got two settings here because I'm not
asked for the workspace ID and so forth. I could leave these not configured and the onboarding will still happen. And you'll see here in the assignments, this is probably the most important bit, this here is the Azure AD group assignment, like you would for any old MDM policy, right?

Yep.

The difference between these two policies is really the targeting. So if I now go in and create a Windows 10 and Windows Server policy, it's exactly the same name but we've got Config Manager tags on it. I'm going to create this, I'm going to give it a dummy name.

Yeah, it's a good naming convention you've got there.

Yeah, I've got so many policies called "asdf" in my tenant.

We like underscores in ours.

Yes, Adam's very concise with the underscores.

You can see those same two settings are available, but the difference is in targeting, right? So before we had the Azure AD groups that we were targeting; this time we're looking at Configuration Manager collections. So if I select collections, what I can then see is the collections that I've synced from my on-prem Configuration Manager site. So now any device, be they a server or a client, whatever they are, that's in All Systems, if I was to target that, they're going to receive this policy. If I was going to target SQL servers or desktops, we'd handle them all just like you would expect an MDM targeting of them to do. And then once we select this and go next, next, next and hit complete (I just won't target this to anything), what we do at the Intune side is we bundle up a Config Manager policy and we now send it down to Configuration Manager.

Yeah.

And in fact I could probably create one. Let's just assign it and see if it shows up. What's this podcast name again? Intune.Training. Let's see if we can get this. You wanted a demo to fail, right? So let's see how this goes. Let's go with our
SQL servers. So just consider this from a sec admin point of view: to do this EDR onboarding for those Config Manager clients, they would have to be calling their IT team, begging and pleading for them to forget about all their work around patching and OSD and so forth and go and do this for them just to get them into ATP. Now, once we've got this console, they can just go off and do that themselves, obviously if they've got the right RBAC controls and so forth. But you can see here now it's been created. It says it's unassigned; I don't know why, maybe it takes a couple of seconds. There it goes. And then let's go to Configuration Manager, and maybe we should restart the SMS Exec service to make it really come along as well. Come on, demo gods. [Laughter] This is just a VM running on my Lenovo X1 here as well, so it's not going to be super snappy.

We've all got plenty riding on what minute mark it fails at. So who's up? Right, getting now?

So this is one that I created previously. You can see here that the policy name was the same one that was in my Intune console: it's "EDR onboarding for Config Manager servers". You can see the action is remediate and the compliance is 100%. The way that this works is it basically uses a lot of the DCM info that we've had in the past, the device configuration, right? So again, this client that's actually showing up in here is my Config Manager server. I don't have a Windows client; this is my server that's now been onboarded to ATP because that DCM baseline has run, not because the server is talking to Intune or the client's talking to Intune. Everything's running by Config Manager in your infrastructure, and you can see here that this is just reporting as compliant. So every time you
create one of these configurations and deploy it to a collection, you'll see a new DCM-style baseline show up in here. Let's see if SMS Exec has restarted. Yep. Let's see if this is going to show up for us.

Wouldn't it be great if the console's going to freeze now? I'm backing a successful demo, guys.

I've got a lot of money riding on this today, Matt.

Do we need to close the console before, after an SMS Exec restart? I don't think so. Sometimes, I don't know, not often.

I feel like I've just time travelled back to five years ago when I was doing SCCM work.

Config Manager, come on.

Hey, five years ago it was SCCM, that's right.

Look at that red line, I love it. My laptop was doing it very slowly.

Yeah, I just had to close all of my Edge browsers because I was redlining while we were doing this video. I keep hitting 99% CPU and then it just spikes, and I kill everything and it doesn't go away.

Yeah, I think because I've got Teams running with video and everything at the moment, sharing my screen.

He's running on a Surface Go, probably.

I don't want to call anyone out, but in the last week Teams has been a real memory hog when sharing screens.

Yeah, so how about we come back to this a little bit later? I've restarted the Config Manager console; let's come back and see if it shows up. It's a brand new e-button.

So I suppose the output of this, the end state, is that we've got this new admin console that's dedicated for those sec admins. The clients are going to be onboarded and configured, whether or not they're MDM managed and cloud attached, or whether they're tenant attached and just on-prem. And hopefully we get to this point where the sec admins can just be granted the right permissions in the Intune console. We have an RBAC role specifically for this persona, the Endpoint
Security Manager role, which just gives them access to this. That admin can't come in and create Autopilot profiles or anything; they can only manage the security configuration. And then we have this single pane of glass for all the security management and reporting, and we're pushing ahead with each one of those workloads being available in tenant attach. As I mentioned, all of this stuff will work right now for co-managed clients, so continue co-managing those clients and swing them across, and then in the future, in a few months, we'll start enabling each one of these left nav workloads down to the Config Manager on-prem clients as well. Any questions on that, guys? Let's see if this is coming back now at all. Fingers crossed.

Sounds logical to me, and it's awesome to see that it's coming into the platform.

Yeah, the big one for me is the visibility that we now get in the same blade. So with the AV stuff as an example, we can sit there and see that information straight away and go "oh, these computers have issues, I need to do stuff".

Totally.

From an operational point of view I think it's been really needed as well.

Yeah, I mean I'm sure you're all well aware of all the investments we've had in reporting in the last 12 months. They'll start lighting up month after month, and we couldn't really do that without doing that reporting work as well. So I think it's a good time. There's still work to be done, guys, that's for sure. I'm under no illusions that this is complete, but I think when I talk to customers about this vision and how it's heading, it makes a lot of sense for customers and really resonates.

Yeah, definitely.

Yeah, this
is amazing. You've got your demo, guys. There you go.

Yes, welcome to Intune Training.

Hey, what you've got to do is, when it does come up, just get a screenshot and put it up on Twitter. So I think it's cool that you're pushing stuff the other direction. All the stuff we've been doing, it's like "oh, everything's moving to Intune, moving to Intune". It's like, nope, hey look, we're showing that you can go back across the bridge the other way. You can just use this as your central management pane, which is the point.

Yes. We laugh internally that Config Manager's now got a web console, right? We've been waiting for this forever, and this is the web console.

That's the administration service working for you right there, I know. It's like, what do you guys call it, the Config Manager Graph now? I guess it's two different components happening there. Is that accurate on the back end?

Yeah, I'm not well versed with the Config Manager back end, so I'm not gonna get myself in any sort of trouble.

Fair enough.

So that's what I got for you today, guys, in terms of the demo, and a poke around on all this. I'm very happy to answer your long list of questions.

Well, we got some time left. Or did I answer them while we were going?

I have more. I'm waiting to see what they have.

I have one. It's not even a question; it's more "is this happening, is it a feature that's going to be?" So we've got security baselines, much like we have in Config Manager. Do you know, can you say, whether we're ever going to get baseline remediation?

Baseline remediation?

So, okay, in Config Manager we have the ability to sort of report on, or run a custom script or whatever, that gives us some kind of value, and then based on that value, whether it's what we wanted or whether it's not what we wanted, it then goes and automatically does an action that we've
defined. Is that a thing that you reckon is going to appear?

So like custom baseline remediation you're talking about? Or are you talking about more like our security baselines?

I mean it could be the custom ones, or the out-of-the-box ones, or it could be custom.

So our security baselines, in terms of the security configuration, all do a configure, right? They all do remediation. One of the challenges that we have with the Windows platform is that it's actually really hard to pull configuration without first doing the configuration.

Sure.

So we have asks all the time on "why can't we just do an audit-only mode for the security baselines? I'd like to see what's going on out there and then tune it as I need to." And the MDM platform doesn't actually give us a lot of flexibility on doing that.

Yeah.

So there are other ways that we're exploring around that, maybe with the ATP integration and things, because they can do some configuration checks and so forth. So security baselines, we already have remediation, but we don't really have audit only. I think you're more talking about "let me just arbitrarily run anything I want to detect whether something's configured, and if it isn't configured correctly then remediate it".

Yeah.

Out of the policy team, we don't have anything on the books to achieve that.

Sure, okay.

Yeah, we're really looking at configuration as a structured object. What the platform supports is what we're going to allow. We did ship the PowerShell configuration from a couple of years back, and there might be some room to do some detection and remediation as well, but from a policy configuration and a device
configuration point of view, I don't have anything in my backlog for that.

Okay, yeah. You could do that with Win32 apps then, where you can do an action, but then you don't have the reporting.

Exactly the problem. Before you actually fix it, it's very easy for me to do what I'm talking about right now in a hacky way. It's more just like all the pieces exist: we can push out scripts, we can detect on things, so all it needs is just a nice shiny front end and a little bit of reporting, so that we can show that action has happened or action has been triggered, this has kicked off. It'd just be a huge win, and I know a lot of people are asking for it.

So yeah, I know that there are some efforts to provide specific functions for a specific reason, if I can say that in a really political way. I don't own any of those features, so I don't want to speak on behalf of anybody.

Sure.

There's work that kind of fits into that mold that you're talking about, but we don't see it as a policy configuration. When it comes to policy we really want to honor what Windows supports and not really try and go too far out of that boundary. We don't want to recreate DCM. We definitely don't want to recreate DCM, because then what happens is everybody's PCs slow down because the DCM baseline is running every hour to do some remediation checks and so forth, right? We have the MDM channel for our cloud managed devices and we're kind of sticking to that one. When it comes to configuration we always want to open up more. So like the ADMX side, for example: we know that there's gaps in the MDM stack from the CSP point of view, so we wanted to open that up to ADMX and things as well, and we will be shipping some ADMX import features
so you can do that for Chrome and things as well. But for those "I just want to run a script and configure my device myself" cases, we don't have any intentions of doing that.

Sure. So I think in one of our previous videos, it was the one where we did our first look of this, we went over to the Azure portal and we were looking in there and saying "okay, so what exists in both places?" and things, and we discovered there's new stuff that's only in the endpoint portal. And I believe there was, I don't know that it was widely advertised, but there was a notice that showed up, I think in the message center on admin.microsoft, that basically said "hey, access to Intune through portal.azure.com is moving to endpoint.microsoft.com, to the MEM admin center". And so I guess the point being is that if you're watching this and you don't realize, he's at endpoint.microsoft.com. We did not go to portal.azure, and if you go to portal.azure and go to Intune you're not going to see the same things there. This node does not exist, and some of these features do not exist; some of them are there but not all of them, and that's intentional. And I think they said the date is like August.

Actually, if you go to the portal through portal.azure, there is a big red flag at the top of that telling people.

Purple, sure, I can't remember.

But yeah, there's a big red/purple color.

Oh yeah, you're right, it is saying "hey, don't go here anymore" basically. Matt, since you're sharing your screen, can you just pop over to portal.azure and do it, just since we're talking about it?

It actually feels weird for me to come across to this old Azure portal now and look at this old left nav and reminisce. But yeah, here we go.

There you go. Can you possibly zoom in on your browser a little bit? Sorry, I'm not trying to drive you.

He is. We've
read the comments before. People like us to zoom.

Yeah, so in terms of the products, all of our investment shifted to DMAC and then MEMAC, if you will, which is just the same as DMAC, probably 12 months ago. So we're really encouraging customers to come across here and use this. Obviously the big purple or red banner telling customers to go and do that is the formalizing of that: everybody should move across. As I mentioned, it feels weird to be back here and seeing eBooks so prominently on our left nav. That must be such an important feature that it's there.

I'm curious to know how many people have actually deployed eBooks, because I've only ever done one book, for this podcast, and it now lingers in the tenant, because I'm going to start pushing this out to the client where I work now.

Right, yes, but it only works on my iOS devices.

Oh, okay. Yeah, I'm sure there's lots of edu folks who love that it's on there on the left nav for them, and they won't want to come across to the MEM console.

I'm going to put it out there: the best part of the quest that we pushed out is Alice's Adventures in Wonderland. That's the one.

Well done, Steve. Yes, I like it.

And can you clarify, there was actually a Twitter discussion about this the other day: devicemanagement.microsoft.com, is that URL going to just redirect to endpoint? Are you going to still maintain both of them?

I've got no idea. I would assume that it's going to go away and endpoint will just be the one, but I'm not the authoritative source on the URLs of Intune, unfortunately, or Endpoint Manager.

Well, do you want to check your lab one more time? Give you one more chance at redemption.

I will. Just on the URLs, I will say one other thing just quickly: if you go to aka.ms, you're gonna make me type here in front of everybody, endpoint security, we
drop you directly into the endpoint security node as well. So for sec admins or people who don't want to land in the portal and see all the other stuff, it's pretty easy just to collapse that and go "now I've just got my dedicated security management console" as well. So let's have a quick look at Config Manager and see if that's any good.

Come on, pay up, Adam.

So there's some sync periods that need to go through. I mean, it's not instantaneous.

But it doesn't need to be instantaneous either. Let's be real here: once we've created the policy and we have a relatively strong trust in the deployment solution, if it takes five, ten, fifteen minutes, that's how long it takes.

Yeah, we need to kind of balance that though. I mean, for an EDR onboarding policy maybe it isn't super important to be timely, but maybe for an AV exclusions policy it is. So when we're thinking about security teams who are using this, we absolutely need to make sure that we're balancing it. We don't want to be running DCM baselines every five minutes, but if there's a threat that's starting to spread around my network and I need that rule that includes that port out really quickly, we need to balance that. So I don't think we've really locked on how quickly all this should happen. EDR isn't as important for us to be super timely, but we are really thinking about all this from the security admin's point of view and what they would expect of their security products.

Maybe they need to add a big red button to go along with the big green button for Config Manager, to just instantly force the sync or something. A "go fast" button.

Yeah, but if we all go fast then we all go slow, right?

Exactly, and that's the title.

Yep, you can't have everything be instant or else
none of it will be instant, so you've got to decide what's priority.

Yeah, but I mean the Config Manager team solved this back in the day with the BGB, right? That was primarily designed years ago to solve for the endpoint protection profiles, to be able to update AV clients for on-prem clients as quickly as they possibly can. That was designed for that; it's used for a lot more now. But all the learnings that we've had through Config Manager over the years are definitely helping us make the right design and engineering decisions on how we should build this. So it's not new to us, that's for sure.

And the thing I want to point out here, I mean I'm looking at this, you didn't just sync a policy down to the console that I then have to go into the console and do something with. You literally have deployed a policy down through basically the configuration baselines engine for the client, and as soon as those clients pull it in and run it, there you go. You absolutely don't have to come into this console at all. You don't need to see the server at all.

You can see that there's the policy name, you can see the collections it's assigned to, you can see it's going to remediate, and when the client checks in, which is the server here, it's going to receive that baseline, it's going to trigger it and it's going to report back up.

So will it report all the way back up to Intune then and show me the compliance status there? I think it does, I just want to verify.

Yeah, so for the public preview that we just released, we're just showing the overall status of that baseline. So you'll see here we have a donut chart of how many clients were successful and not successful. You'll see that there's a device status list missing here. This is actually
what one of our summer interns is working on: exposing it at the device level so we can see which devices individually received it and which ones failed. But for the public preview you'll at least get the donut chart to tell us how many clients were successful versus unsuccessful. And EDR is a really basic policy too, right? So we think for the public preview that's enough, just to see 100% of my devices have successfully run it. But I think when you start looking at AV, and you're wanting to make sure real-time protection is turned on and things like that, we need more granular reporting, so that will come a little bit later.

Well, and I think the thing that adds on to this, so you talked about your security guy not having to go into the Config Manager console, so would you navigate over to the Devices node and find a tenant attached only, or I guess tenant attached or co-managed device, either one would show?

Yeah, I'm not sure if I've got any synced in here. Let's have a look. Managed by, I think, just Configuration Manager. There we go, there's my Config Manager server. That's the server I'm running it off. So you can see that in there. Again, because we don't have the per-device status, we don't have any reporting on whether or not that was successful, but that will be worked on over the summer.

Sorry, the thing I was going to show though is that you had a sync policy option there. So you go to the EDR, you configure it, you deploy it, and then once it's synced, you can just sync your devices to sync their Config Manager machine policies, which would then get them to check in and pull that down and start processing it. How good is that for a security team? They don't have to know the server name that they're going to log into, they
don't have to know where they're looking in that huge Config Manager console. They just come in here and they see the devices and click the box.

Yeah, and as long as their security is set up in such a way, they can log in anywhere into this portal. They don't even have to be on premises at all to do this. They don't have to be on a company device. You can do this on your mobile phone.

Yeah, that could be quarantined. It depends on if you've got conditional access there.

Yeah, that's what I would say. As long as you're, depending on trusted device, depending on your corporate security, you may or may not be able to get in to do this, but you could potentially.

Very cool. This is awesome, Matt. Wow. I think we're going to delete our previous deep dive, which was just scratching the surface of this, because wow, we didn't do it justice. This is fantastic.

Yeah, we've obviously worked pretty hard on trying to pull these experiences together. I released a blog post just this week with a lot of the higher-level stuff around the security and IT teams as well, and I'd encourage everyone to take a look at that, because that's the sort of thing that's easier just to send out to the security team and say "this is the reason why we're doing this". But I think for the vast majority of customers that we speak to, almost 100%, when they're looking at buying their M365 stack and using security and management like this, it just makes so much sense to them, and every customer we talk to is really excited about it. So yeah, it's a lot of work, but I think it's important work, and I'm glad you guys seem to like it.

Definitely. No, it's awesome. I'm just so happy about this.

Yeah, well, do you guys have anything else?

I'm good.

No.

All right. I do, but I don't think it fits in the purview of this conversation, so we'll leave it.

Oh, I'm gonna leave a
teaser out there. All right, fair. Matt, do you have anything else?

I'm good. Just a big thank you to all of you for having me. Looking forward to seeing the video, and follow me on Twitter and feel free to ask any of the endpoint security questions that you need. I can't answer all of them, but I do my best to answer most of them. And I hope everyone tries it out and gives it a go. It's all in GA now, so you should be able to go and create those policies for the co-managed clients. If you've got Config Manager and you're upgrading it to 2002, you'll see a new KB pop up. I think you saw that on Twitter today, Adam, you noticed it. Install that and all this will start working for you as well. So please go ahead and use it and send us feedback.

Awesome. Well, as we mentioned in the beginning, we will include the links to all the stuff that we've talked about. And yeah, thank you so much, and come back anytime. Let us know if you've got more new, cool stuff you want to come talk about; we'd love it. So thank you very much, Matt.

Awesome, thanks.
Info
Channel: Intune Training
Views: 9,830
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune, Endpoint Security, Threat Detection, Policy Security, Resource Access, ADMX, Policy, ATP, Security, ConfigMgr, SCCM, Tenant Attach
Id: f4klwWewXe0
Length: 95min 7sec (5707 seconds)
Published: Mon Jun 01 2020