View Recording: Go Further With the Intune Suite

June 11, 2024

Join us for an in-depth exploration of how the latest add-on licensing of the full Intune suite can elevate your cloud-based device management in 2024. Intune has already transformed the way organizations manage their devices, and now, with the newest features and capabilities, you can push your device management even further.

Key Topics Covered:

Microsoft’s Endpoint Story: Discover the comprehensive endpoint management narrative that integrates seamlessly with your existing infrastructure.
Licensing the Intune Suite: Understand the new licensing options and how they can unlock enhanced functionalities for your organization.
Improvements in Application Security: Learn about the latest advancements in securing your applications against modern threats.
Improvements in Secure Access to Resources: Gain insights into improved secure access protocols, including privileged access and full tunnel access.
Improvements in Device Operations & Support: Explore new features that enhance device operations and support, reducing the need for third-party tools.
Tooling Comparison: See a comparison of native Intune tools versus third-party solutions, and understand how you can streamline your management stack.

This educational session is packed with short, impactful demos designed to help you maximize your use of the Microsoft stack, reduce dependency on supplemental tools, and improve overall device management efficiency. Whether you’re looking to enhance security, streamline operations, or improve support, this webinar will provide the knowledge and tools you need.

Don’t miss out on this opportunity to go further with Intune in 2024.

Transcription

Chris Blackburn: Happy Tuesday, everyone.
0:0:7.683 –> 0:0:10.643 Chris Blackburn: Hope your June has been off to a great start.
0:0:11.373 –> 0:0:21.653 Chris Blackburn: Always fun to connect with the local community on cool new technologies and we’ve done a lot of webinars around copilots.
0:0:21.723 –> 0:0:28.733 Chris Blackburn: I know that’s one of a few of the fresh new technologies that Microsoft has released in the last six months.
0:0:28.783 –> 0:0:29.193 Chris Blackburn: Uh.
0:0:29.203 –> 0:0:52.813 Chris Blackburn: Another one is what we’ll be talking about today around the Intune suite and how to go and look at your broader endpoint management estate to see where there is potentially value to streamlining to a single platform and how that can even help with other initiatives like security etcetera, which we’ll talk about at the outset of the presentation today.
0:0:53.303 –> 0:1:2.203 Chris Blackburn: For those of you that are new to Concurrency and our webinars, a little bit about myself: I have been a Microsoft consultant for over 20 years now.
0:1:2.253 –> 0:1:5.983 Chris Blackburn: I’m on the board of the Minnesota Microsoft 365 User Group.
0:1:6.373 –> 0:1:7.643 Chris Blackburn: Married, have three kids.
0:1:7.953 –> 0:1:22.103 Chris Blackburn: I’ve worked as a solutions architect on our modern workplace team here at Concurrency, so that oversees everything from cloud identity, cloud security, compliance and endpoint management, and aligns a lot of that to those zero trust pillars.
0:1:22.353 –> 0:1:34.13 Chris Blackburn: And then when I’m not involved with technology from an IT perspective, I am involved with technology from a music perspective, I travel DJ as well as a love.
0:1:34.443 –> 0:1:45.93 Chris Blackburn: Taking those together and finding new foods and blogging about those as well, you can reach out and find me on the web through email, through my blog and Memphis tech.net.
0:1:45.163 –> 0:1:51.403 Chris Blackburn: Or you can follow me on LinkedIn as well if you have any questions after this presentation.
0:1:52.533 –> 0:2:0.143 Chris Blackburn: So let’s talk a little bit about the endpoint management landscape from Microsoft perspective.
0:2:0.233 –> 0:2:16.103 Chris Blackburn: Microsoft’s been in the endpoint management space ever since the early 2000s with SMS and with SCCM, and taking that story to the cloud with Intune as it has evolved since the early 2010s.
0:2:16.333 –> 0:2:22.343 Chris Blackburn: Now taking a look at what its capabilities are in 2024, it has become one of the default.
0:2:23.343 –> 0:2:48.523 Chris Blackburn: But the industry leaders, when it comes to endpoint management and to be able to take and leverage that capability and be able to add on other capabilities to eliminate other pieces of software or vendors within that stack is one of the biggest values of the Intune suite and some of the core areas that really touches on, it looks at access for your mobile devices.
0:2:48.663 –> 0:3:21.783 Chris Blackburn: It looks at being able to enhance metrics which Microsoft has made a substantial investment over the last years in improving some of the reporting capabilities in Intune to be almost on par with what you might have been familiar with, with SCCM, being able to take your PKI and eliminate on premises certificate authorities, move those into the cloud as well as being able to support third party applications and really at its core a lot of these components that Microsoft has invested into Intune has really been to continue to enhance that security story.
0:3:21.873 –> 0:3:28.923 Chris Blackburn: First and foremost, if you were to ask someone at Microsoft, they’re a security company and an AI company here in 2024.
0:3:29.73 –> 0:3:36.343 Chris Blackburn: And so the Intune suite really does build on top of that with bringing more security enhancements to that whole suite.
0:3:36.693 –> 0:3:52.113 Chris Blackburn: And so as we look at the agenda for the next hour, I do want to highlight those core areas where the improvements in the application security to secure access to resources, device operations and support are very much rooted in security.
0:3:52.223 –> 0:4:13.373 Chris Blackburn: And then as we move forward and we take a look at what licensing looks like and what some of the tooling capabilities are in comparison to what we’ve seen in other customers’ environments, you’ll see a little bit of that peppered throughout the presentation to be thinking about what are other tool sets that I’m using in my environment today that the Intune suite can support.
0:4:13.603 –> 0:4:23.43 Chris Blackburn: And then at the end, take a look at what are some next steps to be able to help you take that realization and look to see how Intune suite can be a good fit for your organization.
0:4:24.573 –> 0:4:30.983 Chris Blackburn: So as we talk about Microsoft’s endpoint story, it really does encapsulate a lot of these different pillars.
0:4:31.33 –> 0:4:36.403 Chris Blackburn: At its core, it really focuses on applications, identities, and devices.
0:4:36.413 –> 0:4:42.843 Chris Blackburn: But in doing so, provides a wealth of capabilities from self service capabilities through the company portal.
0:4:42.993 –> 0:5:8.13 Chris Blackburn: Through being able to support remote and hybrid workers through a cloud based management tool, it has rich reporting data and then provides additional integration capabilities to tools to be able to help you do more in managing your devices such as Autopilot in computer management, supporting security through Defender for Endpoint, new capabilities and patching and staying current through Autopatch.
0:5:8.103 –> 0:5:43.943 Chris Blackburn: Having endpoint analytics and rich data around your device and all of that being rooted in that Microsoft 365 feature set to be able to provide those capabilities and then to add on the capabilities of the Intune suite, really you’re going to be around these six core areas around enhanced analytics around being able to have elevated privilege management, being able to have tunnel capabilities for mobile devices, remote help and then management for specialized devices and being able to all provide that zero trust capability when it comes to your endpoint security and your access as well and being.
0:5:44.3 –> 0:5:59.743 Chris Blackburn: You want to take that story to your employees or students, anyone that is in your organization that you are working with, you need to collaborate and you need to be able to securely provide access to your environment and secure those access with those resources.
0:5:59.923 –> 0:6:7.53 Chris Blackburn: Not only does Intune provide a lot of that capability, but layering on the Intune suite takes it to that next level.
0:6:7.223 –> 0:6:15.663 Chris Blackburn: And it provides that peace of mind for administrators to be able to protect your organization data to be able to provide secure managed user access.
0:6:15.833 –> 0:6:52.453 Chris Blackburn: And to continue that story of support, no matter where users work securely and so as we take a further look and we dig down into what’s all in that Microsoft Endpoint management story here in 2024, we can see how it’s kind of segmented into a couple of different areas where the Intune admin capabilities, these are capabilities that you find natively with Intune, whether you purchase Intune Plan 1, whether you have Microsoft 365, whether you have the EMS add on, those are going to be some of your core capabilities along with being able to have Windows.
0:6:52.543 –> 0:6:55.653 Chris Blackburn: Autopilot for computer deployment management.
0:6:56.303 –> 0:7:26.663 Chris Blackburn: Then where we look at some of the integrations being able to leverage a secure identity story and the connection into Entra allows us to leverage those user IDs and those devices that are enrolled through Entra and be able to continue that device management story through Windows Autopilot as well as being able to leverage groups to roll out applications to roll out policies and be able to do that either through statically assigned groups or groups that are dynamically created.
0:7:26.793 –> 0:7:39.703 Chris Blackburn: And then as we start to see some of the legacy device management, a lot of the capabilities that we’re seeing inside of the Intune suite and other investments with Microsoft are just to continue to sunset that.
0:7:40.353 –> 0:7:59.623 Chris Blackburn: That being able to be dependent on that on premises configuration management and to have a lot of that capability in the cloud today and to be able to leverage other integrations such as monitoring through Azure Monitor, if you have a third party mobile device defense tool sets those are capable as well.
0:7:59.833 –> 0:8:12.403 Chris Blackburn: And as of this year, one of the most exciting investments from Microsoft in Copilot is taking that Copilot story in the security aspect of it to the next level, and being able to have a lot of that automation.
0:8:12.413 –> 0:8:23.733 Chris Blackburn: So a lot of excitement area there for the remainder of our time, though we’re going to dig into really what’s inside this Intune suite and what are some of those capabilities, especially from a licensing perspective.
0:8:23.743 –> 0:8:37.113 Chris Blackburn: That’s usually one of the first conversations we’re having with customers around the endpoint management real estate within the organization is how many different vendors are there, when are their contracts, when those contracts elapse; in a lot of cases, they don’t.
0:8:37.123 –> 0:8:39.173 Chris Blackburn: They don’t end at the same time.
0:8:39.283 –> 0:8:51.303 Chris Blackburn: There’s not a lot of overlap, so being very strategic in how we look at the implementation of these tools is very important and looking at and educating around that Intune landscape is important as well.
0:8:51.313 –> 0:9:24.743 Chris Blackburn: So that way our customers, they know what’s in that native Intune management capability that they have today, if they needed to add on certain capabilities to be able to have some of these ad hoc as they’re looking to ramp up into that full suite capability, it is easy to add on whether it be the Intune remote help, which is a supplement for a number of the remote access tool sets, being able to give your subset of users the ability to just in time elevate access into applications, having some rich reporting capabilities which we’ll go through and.
0:9:24.803 –> 0:9:39.693 Chris Blackburn: Do a demo of later. We’ll go through and do a demo of application management as well as the cloud PKI and be able to give you a look and feel of how that works with the Intune Suite license inside of your tenant.
0:9:39.783 –> 0:9:49.563 Chris Blackburn: So keep these in mind as you’re thinking about what might be your organization today, where there might be opportunities to make some enhancements within each of these areas.
0:9:50.253 –> 0:9:58.663 Chris Blackburn: So as we continue to look at those 3 core pillars that we talked about as we started the conversation, this first pillar is really improvements in application security.
0:9:58.933 –> 0:10:43.233 Chris Blackburn: And Microsoft realized that third party patching story really was a big hurdle in where there are security risks in endpoints and in Microsoft’s Digital Defense Report, where they were able to see that 78% of devices had applications that were unpatched nine months after a critical vulnerability was something that really fueled a lot of the conversation internally within Microsoft to ensuring that applications as they are installed on a device are constantly being kept up to date to avoid any potential risk or any potential entry point from a bad actor.
0:10:43.563 –> 0:10:49.103 Chris Blackburn: And that is a key vulnerability, making a lot of organizations susceptible to cyber attacks.
0:10:49.313 –> 0:10:56.703 Chris Blackburn: And so at its core, Microsoft has had some capability through the Microsoft Store to deploy applications that’s evolved to now.
0:10:56.713 –> 0:11:9.823 Chris Blackburn: The new WinGet story and is really foundational, and what is fueling a lot of the Enterprise app management capabilities and the app catalog that Microsoft is rolling out into as part of the Intune suite.
0:11:10.293 –> 0:11:28.273 Chris Blackburn: And at the very bottom, as you can see here, there’s a couple of applications that if you’re using them in your environment, you might have some familiarity with these capabilities in understanding that, hey, I didn’t need a third party tool, but now maybe I could look at something that is built into this management product that I’m using through Intune.
0:11:28.763 –> 0:11:36.573 Chris Blackburn: So in looking at how the functionality works traditionally you would go through Intune and you would add it as an app.
0:11:36.723 –> 0:11:47.893 Chris Blackburn: In this case, it’s referred to the store app or it’s referred to the new store, and if you look through there, there’s a lot of Microsoft native applications that you can see through the store app.
0:11:48.3 –> 0:12:5.773 Chris Blackburn: Now, with the introduction of the Enterprise app catalog, even as a release back in November, they were supporting 100 of the core organization applications through key organizations that are installing apps on endpoints today.
0:12:5.863 –> 0:12:16.403 Chris Blackburn: Now that we are well into six months after it has been rolled out, there is over 500 applications, Microsoft’s adding 100 a month in.
0:12:16.413 –> 0:12:28.523 Chris Blackburn: In talking to some of the Microsoft team, the question was asked, hey, could we just, we could light up all the applications that are currently inside of our real estate that we’ve seen that have been packaged through things like IntuneWin.
0:12:28.533 –> 0:12:35.483 Chris Blackburn: And the answer was yes, but as part of doing that, it’s ensuring that these applications meet a lot of those secure deployment standards.
0:12:35.493 –> 0:12:43.463 Chris Blackburn: So Microsoft is working with a lot of these vendors to go through and ensure that they are meeting their deployment standards.
0:12:43.533 –> 0:12:49.963 Chris Blackburn: So as you’re going through and you’re selecting an application, it’s automatically populating the right install commands.
0:12:49.973 –> 0:13:3.13 Chris Blackburn: The right uninstall commands so that you as an IT team know that if I’m installing this application and I’m rolling out an enterprise application, Microsoft is going to take care of updating those bits behind the scenes.
0:13:3.183 –> 0:13:17.853 Chris Blackburn: I don’t have to go and repackage applications and as part of doing this as you’re going through and traditionally where supersedence or the ability to install and update an application was only available for Win32 apps.
0:13:18.243 –> 0:13:50.153 Chris Blackburn: That’s now something that is native to these enterprise applications that you can choose through a very easy to select list to deploy to your endpoints, and it consolidates that application process as you can see in some cases where if you have gone through and you’re looking at updates for Win32 apps in the app catalog, you can see where Microsoft has provided you some visibility into seeing when those particular applications have been superseded by a new version.
0:13:52.53 –> 0:14:18.163 Chris Blackburn: And then to take that story a step further and looking at how else can we enhance application security on our endpoints, a lot of that does really boil down to what applications users may be over privileged to access and what applications in your environment potentially you’re giving your end users full administrative access to their machines when they just need to access one application, they need to elevate a couple of applications.
0:14:18.373 –> 0:14:34.13 Chris Blackburn: And by giving them full access, that significantly increases their attack vector and leaves a risk on those machines where if we could just give them standard user access and they just in time elevate it, it gives them a more secure working environment.
0:14:34.163 –> 0:14:39.143 Chris Blackburn: So as you can see here, there’s a couple of other applications, so you’ve got BeyondTrust and CyberArk.
0:14:39.153 –> 0:14:49.973 Chris Blackburn: Those are two of the biggest competitors that have been in this space for a very long time that are in providing privileged endpoint management within Windows environments.
0:14:50.143 –> 0:14:56.383 Chris Blackburn: And as you can see here, from the rollout of the technology, it is very similar to other tools.
0:14:56.393 –> 0:15:2.343 Chris Blackburn: It does require an agent to run on the machine that’s labeled as the EPM agent.
0:15:2.433 –> 0:15:8.603 Chris Blackburn: Once that has been deployed and pushed out, you’ll be able to see that on your endpoints.
0:15:8.653 –> 0:15:27.713 Chris Blackburn: So then from there you can actually leverage additional tools to determine what apps on your users’ workstations that they are elevating. We’ll need to understand what their file hash is, being able to take that file hash and being able to use the Microsoft PowerShell module.
0:15:27.723 –> 0:15:43.573 Chris Blackburn: We can then take that information and put it into a policy so that way as users are going through and they are elevating that application on their device, it is no longer having to have them add in additional information.
0:15:43.823 –> 0:15:50.453 Chris Blackburn: You’ll be able to see that by natively you’ll have administrator application access to an app, versus traditionally like with something.
0:15:50.503 –> 0:15:52.583 Chris Blackburn: In this case we used command line.
0:15:52.593 –> 0:16:0.883 Chris Blackburn: For example, it required you to provide additional administrative credentials for being able to elevate.
0:16:1.33 –> 0:16:4.83 Chris Blackburn: So at this point I wanna make this a little interactive.
0:16:4.93 –> 0:16:5.63 Chris Blackburn: Let’s make this a little fun.
0:16:5.73 –> 0:16:10.103 Chris Blackburn: Let’s go and take a look at some of this in an actual working environment.
0:16:10.213 –> 0:16:19.43 Chris Blackburn: So bear with me for just a second while I switch over to another window because I want to take you into a demo PC that I have here.
0:16:19.263 –> 0:16:30.673 Chris Blackburn: I want to be able to kind of show you what it looks like from the application catalog perspective first and then we’ll take a look at the privileged elevation through Intune as well.
0:16:30.683 –> 0:16:37.953 Chris Blackburn: So as you can see here I have my application catalog, you can see I’ve got a number of apps from traditional MSI to Win32 apps.
0:16:38.43 –> 0:16:40.493 Chris Blackburn: And down here I have the latest.
0:16:40.943 –> 0:16:46.273 Chris Blackburn: I have a couple of applications in here that are the store app, so let’s go in here and take a look.
0:16:46.283 –> 0:16:53.903 Chris Blackburn: I want to show you the vast number of applications that today exist inside the enterprise application catalog.
0:16:53.943 –> 0:17:21.183 Chris Blackburn: So a number of vendors across the board, if I was a Citrix environment I could deploy the Workspace app without having to package it and to be able to go through and test it knowing that peace of mind that Microsoft has gone through and provided some of those capabilities, if I wanted to deploy Chrome for business, Microsoft has already gone through and prepackaged that, they’ve even actually added a lot of additional capabilities inside of Intune to manage that through the settings catalog.
0:17:21.193 –> 0:17:26.233 Chris Blackburn: So everything is native into Intune for being able to manage some of those tools.
0:17:26.803 –> 0:17:55.813 Chris Blackburn: They also have a number of Microsoft applications as well to be able to deploy, if I wanted to deploy the Azure CLI, I can do that, which we’ll do here in just a second, but I just wanted to kind of quickly, at a glance, give you visibility into the breadth of all the applications that Microsoft is working with and the organizations that Microsoft is ensuring that are packaging and deploying these applications to both organizations’ best practices.
0:17:56.123 –> 0:18:9.393 Chris Blackburn: So just to show you, we did select this Azure CLI package, as you can see here it prepopulates a lot of the information and then if I were to go into next you can see that it automatically populates the install and uninstall command.
0:18:9.643 –> 0:18:12.953 Chris Blackburn: It also provides you some requirements.
0:18:13.283 –> 0:18:24.333 Chris Blackburn: It will prebuild out some detection rules and this is typically one of the most challenging areas when it comes to application deployment and understanding what versions are installed is around looking at some of the detection rules.
0:18:24.813 –> 0:18:39.863 Chris Blackburn: Microsoft prepopulates those to make this process as seamless and as easy as possible, so once I go ahead and add the application it actually will populate it here and it’s actually bringing that content into your tenant and making that available.
0:18:39.873 –> 0:18:43.723 Chris Blackburn: So that’s something that will take a little bit of time to bake in.
0:18:43.813 –> 0:18:53.73 Chris Blackburn: So then, while we’re doing that, I wanted to show you in the real world access of what it looks like to elevate an application in a Windows 11 environment.
0:18:53.83 –> 0:18:54.463 Chris Blackburn: I’ve got this system information.
0:18:54.923 –> 0:19:15.453 Chris Blackburn: Uh, it’s a native Microsoft application, but I was able to go in and make an adjustment to the rules policy around elevating access to be able to make it where it should be able to just allow me to click in through with some business justification and launch the application to be able to show it in comparison.
0:19:16.53 –> 0:19:21.3 Chris Blackburn: Umm, you’ll be able to notice that other applications like command prompt, etcetera.
0:19:21.293 –> 0:19:38.633 Chris Blackburn: They’ll ask that same information, and of course, being a live demo, my policy is not updated or refreshed, but I could put in checking RAM and as you were able to just see the capabilities to elevate were natively built into the right click tools.
0:19:38.643 –> 0:19:49.743 Chris Blackburn: So in the case where I’ve added in a policy, I can see that I can give the users the ability to elevate that capability, and then they’re right into the applications.
0:19:49.993 –> 0:19:58.683 Chris Blackburn: And then from a rule set perspective, Microsoft has put that into the endpoint management section of the Intune portal.
0:19:58.773 –> 0:20:1.153 Chris Blackburn: I then have my deployment policies and rules.
0:20:1.653 –> 0:20:14.313 Chris Blackburn: I typically go to deploy the policy to all workstations so then that way I’ve got that capability to elevate through rules, but then the rules themselves, those are the ones that are going to be custom managed in a lot of cases.
0:20:14.323 –> 0:20:40.403 Chris Blackburn: If you have different business units, different departments within your organization, and you know that one particular team has to elevate an application, you can go in there and you can edit that capability where if a user has to confirm the elevation, it can do that or you can have it to where they have to provide some level of business justification and be able to allow that process to run elevated or require a rule to run.
0:20:40.413 –> 0:20:46.183 Chris Blackburn: So in this case, for these applications that I’ve listed, I want to require a rule to run for that capability.
0:20:46.193 –> 0:20:53.863 Chris Blackburn: Maybe there is one that I want to allow a team to run automatically and I don’t want to necessarily have to ask them for any business justification.
0:20:54.53 –> 0:21:1.823 Chris Blackburn: I can come in here and change that to automatic and allow that child process to run so very easy to manage the rule sets.
0:21:2.33 –> 0:21:12.133 Chris Blackburn: As we looked at before, being able to understand what those specific file hashes are is very important to being able to allow those users to elevate those applications.
0:21:13.373 –> 0:21:23.563 Chris Blackburn: So let’s move on and let’s continue our story here around the improvements to secure access to resources.
0:21:23.773 –> 0:21:48.813 Chris Blackburn: So there’s been 2 core pieces of technology that Microsoft has introduced to be able to support not only access and secure access on mobile devices, but also secure access into managing your endpoints as well as being able to secure your devices through things like cloud PKI and looking at traditional PKI.
0:21:49.403 –> 0:21:58.293 Chris Blackburn: It’s very complex, the actual deployment and managing of the certificate authority; in a lot of cases it’s painful and insulting.
0:21:58.523 –> 0:22:16.173 Chris Blackburn: There’s a lot of different things that you have to take into consideration around deploying infrastructure to managing certificates, to templates, renewals, deploying through GPOs, having cloud based access through network policy services, managing CRLs and URLs and device connectivity.
0:22:16.183 –> 0:22:22.243 Chris Blackburn: So there’s quite a lot that goes into managing a PKI infrastructure.
0:22:22.373 –> 0:22:30.803 Chris Blackburn: Not to mention, if you’re looking for resiliency in a lot of cases, those are becoming two and three tier with servers in a multitude of different locations.
0:22:30.873 –> 0:22:45.163 Chris Blackburn: And this is just to give you an example of what a two-tier PKI solution looks like in a large organization and how many different pieces of technology are involved with that, different network paths.
0:22:45.653 –> 0:23:12.463 Chris Blackburn: Being able to have connectivity to Active Directory, having a hardware security module for an offline root and being able to provide service and support capabilities for OSes, like operating systems like Mac OS X and Windows and Linux, so they can become rather complex and a lot of organizations do really rely on them for things like enterprise wireless for access to applications, etcetera.
0:23:12.713 –> 0:23:21.383 Chris Blackburn: So Microsoft’s recognized that, they heard the pain from a lot of their customers in being able to provide a more simplified solution.
0:23:21.593 –> 0:23:43.853 Chris Blackburn: They’ve rolled out what’s considered their first version of Cloud PKI, went GA back in March of this year, and to be able to set that up is very easy and straightforward for being able to set up a root and issuing CA, being able to take that certificate and deploy it to your devices has become very simple.
0:23:44.103 –> 0:23:59.183 Chris Blackburn: The only thing to call out for the cloud PKI within the first version is that it does support only user and device certificates which natively or they’re easy when you’re looking to support Wi-Fi profiles, VPN profiles, et cetera.
0:23:59.713 –> 0:24:12.203 Chris Blackburn: Microsoft is actively working to support SSL where I can take a CSR and upload and be able to get a certificate, being able to take that further into code signing and S/MIME and being able to support applications.
0:24:12.293 –> 0:24:21.803 Chris Blackburn: But for a lot of native uses where I have user devices that are Intune enrolled, I need to provide them the capability to connect securely.
0:24:21.973 –> 0:24:28.43 Chris Blackburn: And if I’m a smaller organization, I understand there’s a lot of different complexities to a PKI that I may not want to manage.
0:24:28.173 –> 0:24:33.793 Chris Blackburn: I can use one that’s cloud first and cloud native, so usually within 5-10 minutes.
0:24:33.803 –> 0:24:40.33 Chris Blackburn: It’s really that easy to go through and set up the cloud PKI and be able to have that integration.
0:24:40.643 –> 0:24:59.243 Chris Blackburn: Just wanted to show as a comparison to like how usual third party PKIs work when you’re looking at third party tools like an interest and how there’s still a number of integration points that have to occur not only with the provider back to the devices but also to SCEP profiles et cetera.
0:25:0.173 –> 0:25:9.463 Chris Blackburn: If, as we look at how cloud PKI works and how that connects into the Microsoft world, what happens is from the Intune portal I’m actually deploying Cloud PKI services.
0:25:9.753 –> 0:25:15.723 Chris Blackburn: Those typically will live on Azure and then from an integration perspective into Intune.
0:25:16.33 –> 0:25:25.843 Chris Blackburn: I am creating a SCEP profile that is deployed down to the machine and then as that machine checks in, it will request their certificate from the SCEP service.
0:25:26.13 –> 0:25:29.913 Chris Blackburn: That SCEP service will then validate it with the cloud PKI service.
0:25:30.303 –> 0:25:34.593 Chris Blackburn: It will obtain a certificate and then it will deliver it back to the machine.
0:25:34.803 –> 0:25:41.613 Chris Blackburn: So as long as you have a device that is Intune enrolled, it will provide you that capability.
0:25:41.623 –> 0:25:44.613 Chris Blackburn: That’s something that Microsoft is actively looking at.
0:25:44.683 –> 0:25:56.793 Chris Blackburn: What does that future being able to continue to provide that cloud PKI type connectivity without needing to have an Intune enrolled device at this point in time for devices that are Intune enrolled,
0:25:56.843 –> 0:26:1.323 Chris Blackburn: Those are the only ones that Microsoft supports for being able to request those certificates.
0:26:2.253 –> 0:26:5.343 Chris Blackburn: As I mentioned before, configuration is a breeze.
0:26:5.393 –> 0:26:19.403 Chris Blackburn: Setting up the issuer and the root CAs, being able to create your three different profiles of your root and issuing certificates which Microsoft gives you as you were setting those up, taking those and creating a SCEP profile.
0:26:19.533 –> 0:26:42.603 Chris Blackburn: Pushing that down to a machine and then being able to have that deployment capability just through Intune natively within a matter of minutes and then in validating you can see if you were to open up one of those certificates, you can see that that is hosted within Microsoft’s PKI infrastructure and you can see here that it obtained that issuer name from the CA.
0:26:42.913 –> 0:26:52.603 Chris Blackburn: So being able to set that up, being able to support a multitude of different extended usages for this particular profile, I just did client authentication.
0:26:52.793 –> 0:26:57.33 Chris Blackburn: Microsoft does support extended key usage across a number of uses.
0:26:57.43 –> 0:27:1.133 Chris Blackburn: The only thing that it doesn’t support from a security perspective is a wild card.
0:27:1.143 –> 0:27:3.293 Chris Blackburn: You can’t use a wild card extended usage.
0:27:3.403 –> 0:27:10.433 Chris Blackburn: Microsoft wants to ensure that the security is targeted for those uses that you want to be able to add it.
0:27:10.443 –> 0:27:25.373 Chris Blackburn: If you didn’t need to add extended usages, that’s where you would then go up and create other enrollments, SCEP certificate profiles and configure potentially other issuing extended usages within your root as well as your issuer
0:27:25.383 –> 0:27:28.223 Chris Blackburn: as you’re thinking through and planning on those deployments.
0:27:30.273 –> 0:27:32.863 Chris Blackburn: And revocation is easy as well.
0:27:33.293 –> 0:27:42.413 Chris Blackburn One thing that I would like to call out as part of the revocation is if you have devices that are Intune enrolled and those devices are deprovisioned, they’re removed. 0:27:42.423 –> 0:27:44.43 Chris Blackburn You remove them from the environment. 0:27:44.213 –> 0:27:47.583 Chris Blackburn What’s going to happen is it’s automatically going to go and revoke that as well. 0:27:47.673 –> 0:27:56.453 Chris Blackburn So you don’t have to worry about decommissioning and retiring devices and needing to go and revoke certificates, it’s going to do that for you automatically as well. 0:27:57.893 –> 0:28:10.743 Chris Blackburn So secure access through cloud PKI as well as secure access through Microsoft Tunnel and being able to provide a VPN gateway solution to on resources. 0:28:10.983 –> 0:28:14.3 Chris Blackburn And Microsoft is really putting a lot in this story. 0:28:14.173 –> 0:28:19.143 Chris Blackburn Not only within Intune, but also within their whole Entra story as well. 0:28:19.483 –> 0:28:41.213 Chris Blackburn If you’ve heard anything about there in their private gateway as well as their public connectivity within Entra, those leverage a lot of the same capabilities to be able to provide your mobile devices access to the core internal network without necessarily having a traditional VPN client deployed to those devices as well. 0:28:41.873 –> 0:28:46.983 Chris Blackburn And a lot of that capability, if you are a Defender customer today, it’s built into the tool. 0:28:47.43 –> 0:28:54.93 Chris Blackburn So as long as you have that tool set deployed, you’re using Defender on all of your mobile devices to be able to protect it. 0:28:54.223 –> 0:28:57.133 Chris Blackburn You have that tunnel capability built in as well.
0:28:58.23 –> 0:29:20.643 Chris Blackburn And as we talk with customers and ask, you know what, what are some of the usages and why are your mobile devices connecting in through VPN and a lot of it really does come back to that accessibility and from an ease perspective where using Microsoft Tunnel is very simple to set up with easy maintenance, but it also has that full MDM support as well. 0:29:20.993 –> 0:30:7.223 Chris Blackburn And in looking at how that infrastructure works, typically from a device perspective, I do have a management gateway installed on premise that management Gateway connects back to Intune by way of a management agent and then as a user deploys the tunnel client to the devices along with a VPN configuration policy, that particular device will pick up that configuration and then will authenticate into Entra and then once it has gone through and provide that authentication and that connection, all that’s still tunneled through Intune and being able to navigate through those user resources that are internal are allowed. 0:30:7.493 –> 0:30:19.843 Chris Blackburn By way of connecting through that gateway, so then I’m not traditionally trying to come in through, you know, load balancer or a firewall and be able to do that through that agent that lives within that Microsoft environment. 0:30:19.933 –> 0:30:22.843 Chris Blackburn And then I can connect into different resources. 0:30:22.853 –> 0:30:39.313 Chris Blackburn Internally I can get into my corporate network as necessary and all of that really just leverages from firewall perspective 443 and 22, which are very common ports for remote connectivity inbound as well as 80 and 443 outbound.
0:30:39.323 –> 0:31:7.483 Chris Blackburn So not having to open up a number of different ports to allow that connectivity into that Microsoft Tunnel Gateway, so architecture wise, very straightforward from a from a different list of different components that you typically would need within the environment as long as you’re using M365, you usually have Intune and Entra having a Linux server to be able to run a Docker container that actually powers Tunnel is important. 0:31:7.893 –> 0:31:21.333 Chris Blackburn Being able to configure that management agent on the Tunnel Gateway and being able to have that authentication plugin lives on there as well, and then configuring that gateway you’re provided with a TLS certificate you are. 0:31:21.423 –> 0:31:33.693 Chris Blackburn You have that firewall connectivity to allow connection into that tunnel gateway and then that public IP address from a tunnel gateway perspective is all plugged into that tunnel configuration as well. 0:31:33.943 –> 0:31:40.993 Chris Blackburn To be able to access your corporate network from a public resource and then that device will come through and tunnel through it as well. 0:31:41.423 –> 0:31:53.123 Chris Blackburn By way of that Defender agent on their devices and then just couple areas of touch on from a high level perspective, it is a dual homed machine that that runs on. 0:31:53.553 –> 0:31:56.823 Chris Blackburn You can run that in either Azure or over ExpressRoute. 0:31:57.13 –> 0:32:18.393 Chris Blackburn You must have some ports opened up to that gateway and then from a configuration perspective you know there’s a couple of steps to be able to configure it for a proxy support to do an install via Docker and then from an agent management perspective there are several commands that you can go into to crack into some of that configuration to provide connectivity as well.
0:32:19.33 –> 0:32:29.783 Chris Blackburn And then outside of just having that tunnel gateway and connected in front through your firewall, from a deployment perspective, you’re really just looking at an app configuration policy for Defender. 0:32:30.153 –> 0:32:39.23 Chris Blackburn The app configuration policy for Edge as well as app protection policies to be able to force it to run in a container for both iOS and Android. 0:32:39.133 –> 0:32:45.743 Chris Blackburn You must have that Defender installed as well as Edge in the company portal preamble to provide that capability, and a lot of cases. 0:32:45.753 –> 0:32:54.943 Chris Blackburn If these are mobile devices that are managed by your organization, these are gonna be configuration vectors that you already have within your environment and are ready to deploy at once. 0:32:54.953 –> 0:32:56.333 Chris Blackburn You have that tunnel gateway installed. 0:32:57.873 –> 0:33:1.923 Chris Blackburn So from a connectivity perspective, what does that experience look like? 0:33:1.993 –> 0:33:10.403 Chris Blackburn I don’t have a working lab to show you, but I wanted to kind of walk through it through a number of screenshots here because it is very straightforward from that end user experience. 0:33:10.493 –> 0:33:32.653 Chris Blackburn So if we look at the Defender app and we have deployed the configuration policies through Intune and we’ll then see tunnel light up within the actual application itself, we can then go into that tunnel component of the Defender application and then we can on demand turn on and turn off the VPN connectivity from there. 0:33:32.703 –> 0:33:41.143 Chris Blackburn Let’s say that I did connect into the tunnel and I wanted to go in through Edge to access an internal application. 0:33:41.623 –> 0:33:50.913 Chris Blackburn That’s where I can then go and see within Microsoft Edge, it’s going to be enlightened enough to let me know that it is connected to tunnel.
0:33:51.63 –> 0:34:4.363 Chris Blackburn So then if I were to go hit an internal only resource, it allows me to access that SAS based application very effortlessly by way of proxying or conducting in through that Microsoft tunnel. 0:34:4.873 –> 0:34:11.293 Chris Blackburn And it actually is very native to being able to support boundaries between different profiles. 0:34:11.303 –> 0:34:33.213 Chris Blackburn So if I am on a work or school device and I have my end users enroll and I know that that device is personal, but then they also have enrolled it for work purposes, the end user can switch from that work profile in apps like Edge over to their personal, and then there’ll be a notification in Edge that says, hey, you’ve turned off tunnel. 0:34:33.293 –> 0:34:38.773 Chris Blackburn And if I try to access that resource from a personal profile, not able to do so. 0:34:39.743 –> 0:34:54.143 Chris Blackburn But then I can easily switch in applications like Edge and then connect right back into my corporate resources that are located on premise that I’m allowing my mobile users to access by way of the Microsoft Tunnel. 0:34:56.273 –> 0:35:9.823 Chris Blackburn So we talked about accessibility, we talked about accessibility through securing access to resources through VPN and through our wireless through cloud PKI. 0:35:9.953 –> 0:35:18.773 Chris Blackburn We talked about connectivity and secure connectivity for mobile devices through the Microsoft Tunnel capabilities. 0:35:19.23 –> 0:35:20.813 Chris Blackburn That’s where we would then go now, maybe. 0:35:20.823 –> 0:35:31.583 Chris Blackburn Let’s see how from an IT perspective I have improvements in being able to update and manage that operations and support and that’s where we’d have tools like remote help.
0:35:31.863 –> 0:35:50.853 Chris Blackburn Microsoft has built remote help to being able to leverage those native tools to the quick assist tools as well as their remote help tools to be able to provide secure access number of customers that we’ve worked with have tools like BeyondTrust and TeamViewer, ManageEngine’s another one. 0:35:50.963 –> 0:36:8.513 Chris Blackburn There are number of different tool sets within the end user endpoint management estate that can provide some of that capabilities from a Microsoft capability perspective, they do support all of the operating systems from Windows 10 all the way up through Mac inside the tenant configuration. 0:36:8.653 –> 0:36:25.43 Chris Blackburn It’s pretty easy to turn on that capability and then by way of deploying the remote help app, which we can do through enterprise application management very easily, we can then now go through and connect your remote assistance session to a device. 0:36:25.253 –> 0:36:35.563 Chris Blackburn And then by way of going into the remote help section of the tenant admin section, we were able to see where there’s active and inactive connections. 0:36:35.753 –> 0:36:45.153 Chris Blackburn I can look at where those connections have been natively as well, and then being able to see that has been enabled inside of remote help. 0:36:45.163 –> 0:36:53.503 Chris Blackburn Typically that next step is assigning your help desk users that operator role and giving the users a license giving them that remote help license. 0:36:53.513 –> 0:37:2.103 Chris Blackburn At that point, you’re ready to start supporting your end users as easily as you would go into Intune and natively make configuration changes. 0:37:2.653 –> 0:37:16.83 Chris Blackburn So by deploying that remote help app by assigning that role, your users are then able you, once they’re licensed, your admin team is then able to go through and connect into those end users environments.
0:37:16.93 –> 0:37:29.863 Chris Blackburn So from the perspective of where can I access those devices unattended through attended and currently right now Microsoft supports unattended only through Android. 0:37:29.953 –> 0:37:47.123 Chris Blackburn So if I have a number of kiosk devices or frontline worker devices and they need to be able to support them very easily, then remote help can provide that capability from supporting my end users that are either Mac or Windows. 0:37:47.353 –> 0:37:53.263 Chris Blackburn That’s where you would then start an attended session through the Intune portal. 0:37:53.463 –> 0:38:4.383 Chris Blackburn The end user by way of deploying that remote help application to them will receive a toast notification that you’re looking to make the connection to their device. 0:38:4.453 –> 0:38:6.103 Chris Blackburn If not, there’ll be an error message. 0:38:6.113 –> 0:38:10.923 Chris Blackburn Or if you’re connecting to a non compliant device, you’ll get a warning banner. 0:38:11.273 –> 0:38:23.23 Chris Blackburn So just to walk through that experience real quick, this is where I am I I’ve sent a push notification to that machine saying that I want to initiate a remote support session. 0:38:23.803 –> 0:38:26.353 Chris Blackburn Essentially this is what I would see as an administrator. 0:38:26.623 –> 0:38:45.293 Chris Blackburn I have am looking to connect to that machine and then from the end user perspective they would see that it’s looking for the connection and then once you have made that connection to the machine then that end user can click to allow full control or different levels of accessibility to the machine.
0:38:45.463 –> 0:39:12.703 Chris Blackburn Once they’ve allowed you access, then there’s a number of different features and functionality that I can leverage as an IT admin to manage that machine, such as being able to elevate resources in a multi monitor scenario, I can select different monitors if I wanted to walk in user through troubleshooting without needing to take full elevated control, I can leverage things like a laser pointer and pen if I wanted to chat with that end user. 0:39:12.713 –> 0:39:20.483 Chris Blackburn I can do that as well and I can actually elevate and do a reboot or open task manager on that end user screen as well. 0:39:21.673 –> 0:39:35.933 Chris Blackburn So remote help capabilities being native into Intune is great capability to be able to help support those end users within one platform and one tool set and then finally to kind of round out some of those capabilities. 0:39:36.43 –> 0:39:38.443 Chris Blackburn We have advanced endpoint analytics. 0:39:39.3 –> 0:40:13.523 Chris Blackburn This is where Microsoft made a pretty significant advancement and essentially rewriting their whole reporting back end in Intune in 2023, and in 2024 they rolled out this capability, being able to essentially run commands on demand from my Intune portal to be able to query a device to be able to be able to pull time some real time information about specific uh areas on those devices and being able to look at some of the different enhanced reporting capabilities that has been fueled that as well. 0:40:13.593 –> 0:40:41.933 Chris Blackburn So if I have the advanced analytics, I can then be able to pull additional information in real time about the any anomalies being able to pull real time around any enhanced device timeline, battery health if I’m on a laptop, or be able to have additional device query as well which I think is where you, you’ll see a lot of really powerful capabilities from some of that in time capabilities on the device.
0:40:42.243 –> 0:40:50.953 Chris Blackburn So let’s take a quick pause here and let’s switch back over to our live demo environment to be able to walk through some of that capability. 0:40:51.493 –> 0:40:52.493 Chris Blackburn I’m going to show you. 0:40:52.503 –> 0:41:14.83 Chris Blackburn First, let’s take a look at some of that cloud PKI infrastructure and to revisit where I made a note on how if a user’s device or if I deprovision or retire a device, I can then see that cloud PKI is going to connect with Intune to automatically revoke that device. 0:41:14.93 –> 0:41:33.563 Chris Blackburn So in this scenario, this is where I had reprovisioned one of my Windows 365 PCs, and as doing so Intune recognized that that device is no longer being managed in the environment and revoked that certificate for it as well, which makes it really easy for device endpoint management. 0:41:33.673 –> 0:41:45.193 Chris Blackburn By way of this issuer, or this, the issuing certificate authority, in this case you can see when I set this one up, it leveraged a number of different extended key usages. 0:41:45.863 –> 0:42:0.213 Chris Blackburn Microsoft in each of these cloud PKIs they have a hardware based HSM for their CAs and so any time that a new customer facing CA is issued, this is essentially the back end. 0:42:0.223 –> 0:42:3.283 Chris Blackburn That’s hardware security managed for those environments. 0:42:3.293 –> 0:42:24.113 Chris Blackburn So as you can see here, here’s all my CRL endpoints, my CA URI, and then as I’m going in and setting up a new certificate profile for my devices, I’m essentially just copying this URI with the denotation here for the cloud PKI FQDN into that policy as well. 0:42:24.343 –> 0:42:40.663 Chris Blackburn So Microsoft’s making it really easy to just do copy and paste to be able to take those over to configuration profile and to be able to make it easy to issue the certificates by way of these profiles.
0:42:40.673 –> 0:42:41.663 Chris Blackburn So you can see here. 0:42:41.753 –> 0:42:43.743 Chris Blackburn Here’s my issuing profile. 0:42:43.873 –> 0:42:59.83 Chris Blackburn And then if I were to come over to here, here is my enrollment profile as well, where I’ve gone in and I’ve dropped in the SCEP URL and I had already pre uploaded the actual issuing and root certificates. 0:42:59.713 –> 0:43:5.383 Chris Blackburn So let’s say I wanted to take a look at some of the additional reporting on my devices. 0:43:5.393 –> 0:43:15.563 Chris Blackburn If I were to come over here and take a look at the endpoint analytics to be able to look at my battery health, this is something from a battery health perspective. 0:43:15.573 –> 0:43:17.963 Chris Blackburn This is native within the. 0:43:19.403 –> 0:43:24.913 Chris Blackburn The actual Intune suite capability is taking and extending endpoint analytics to that step. 0:43:24.923 –> 0:43:32.153 Chris Blackburn Further, I can then look at some of the different performances to be able to look at what is going on with my different laptop models. 0:43:32.293 –> 0:43:36.833 Chris Blackburn I can see what my max capacity is and what my estimated runtime is as well. 0:43:37.83 –> 0:43:40.733 Chris Blackburn All those are native capabilities that are built into there. 0:43:41.43 –> 0:43:45.183 Chris Blackburn One thing it also adds is an enhanced device timeline. 0:43:45.193 –> 0:43:52.473 Chris Blackburn So if I were to go over and take a look at my device itself can come into Windows. 0:43:52.953 –> 0:44:0.623 Chris Blackburn And if I were to look at my one of my Windows devices here, I could then take a look at a couple of different components here. 0:44:0.753 –> 0:44:5.643 Chris Blackburn I could take a look at my device configuration.
0:44:5.773 –> 0:44:26.803 Chris Blackburn I can then look at some of my device diagnosis and I can see if there’s anything that’s been requested, but really I think one of the key areas that is going to provide some of that, the most value to you doing troubleshooting and being able to look specifically on devices is really that real time accessibility into some of these different device queries. 0:44:26.813 –> 0:44:29.203 Chris Blackburn So let’s take an example. 0:44:29.213 –> 0:44:34.163 Chris Blackburn Maybe I wanted to look and see what particular certificates were installed in real time on a device. 0:44:34.723 –> 0:44:47.83 Chris Blackburn I could easily take that information and pull down some high level details around the common name, the serial number, the issuer and then the strength. 0:44:47.153 –> 0:45:1.103 Chris Blackburn And then if I hit run, what it’s going to do is it’s going to real time go back and query that device and to be able to provide me that detail and usually what that that usually comes back in less than 15 seconds for that real time query. 0:45:1.373 –> 0:45:7.23 Chris Blackburn So as you can see here, the machine has had a number of different certificates that are enrolled on it. 0:45:7.33 –> 0:45:10.443 Chris Blackburn But as I can see here, I can then start to look at those and say maybe I wanted to. 0:45:10.493 –> 0:45:18.263 Chris Blackburn I realized that maybe I wanted to see when that particular certificate is going to expire. 0:45:18.343 –> 0:45:21.443 Chris Blackburn I could look at the two date and add that in there as well. 0:45:21.733 –> 0:45:30.903 Chris Blackburn A lot of this is additional information that Microsoft uses too, to be able to provide some of the certificate reports that live in the platform like Defender as well. 
0:45:31.253 –> 0:46:3.763 Chris Blackburn So if I wanted to then use this as a tool to query my devices to see where I have certificates that are expiring, I could do that on demand and be able to easily export that through KQL as well, and then finally being able to go through and manage my devices if I were to go through and connect into to be able to provide remote support, I can easily do that right here inside of the Intune portal by being able to initiate a remote assistance session that will go through and launch a remote help window on. 0:46:3.843 –> 0:46:8.983 Chris Blackburn My machine and go through and start to initiate another one on another machine as well. 0:46:9.353 –> 0:46:24.943 Chris Blackburn So all that is native into Intune by looking at certificate management advanced reporting, not needing to have a myriad of different platforms to be able to provide those capabilities is where there’s a lot of value within that Intune suite. 0:46:25.423 –> 0:46:32.503 Chris Blackburn And so as we look to round out our conversation today, you know the question that we ask is how can we go further? 0:46:32.513 –> 0:46:35.443 Chris Blackburn How can we do more within our endpoint environments? 0:46:35.573 –> 0:46:57.53 Chris Blackburn What can we do to enhance some of those capabilities to be able to start to think of all of the different types of tooling that we might have within our enterprise environments today from enterprise application management, endpoint privilege management, cloud PKI, cloud, Microsoft Tunnel or remote access for devices, remote help and endpoint analytics. 0:46:57.183 –> 0:47:7.433 Chris Blackburn These are a couple of examples of where we’ve seen in customer environments and some of the investment that they’re paying based on where we would see as such as potentially 1000 devices. 0:47:7.583 –> 0:47:10.323 Chris Blackburn These are where some of those costs might come into play. 
0:47:10.333 –> 0:47:16.143 Chris Blackburn And So what if you could take each of those and streamline them into a single tool set? 0:47:16.413 –> 0:47:25.423 Chris Blackburn That’s where we wanna definitely engage with you further to look at and help you understand where those correlations are to Microsoft tools. 0:47:25.683 –> 0:47:39.143 Chris Blackburn Maybe in some cases, as we sit down and concurrency is offering that free IT vendor assessment, maybe that’s where we’re looking at other tools in the environment too, such as what if there’s third party antiviruses, what if there’s some of those third party management tools? 0:47:39.153 –> 0:47:41.423 Chris Blackburn What are we doing for messaging? 0:47:41.433 –> 0:48:14.603 Chris Blackburn Security will provide you an output that shows what the current vendors is we work with you to understand what some of those licenses and costs are, which that’s typically the most time consuming part of doing the vendor assessment is working with you to pull together all those prices and those bills and then correlate those into what Microsoft tool might be there and then be able to provide you a breakdown of what are those net new Microsoft licensing costs that would be in your environment and where could you then start to look at some of those cost? 0:48:14.653 –> 0:48:17.683 Chris Blackburn Savings from your third party tools as well. 0:48:17.923 –> 0:48:20.453 Chris Blackburn So we love to connect with you. 0:48:20.843 –> 0:48:26.223 Chris Blackburn Inside the chat, you’ll see the survey link we love to hear from. 0:48:26.233 –> 0:48:31.633 Chris Blackburn You would love to understand what you thought of this presentation today. 0:48:31.743 –> 0:48:45.503 Chris Blackburn If there is an opportunity to connect with you to not only talk more about the Intune suite, but also to help you in guiding you down that path with free IT vendor assessment as well. 
0:48:45.963 –> 0:48:48.783 Chris Blackburn So wanted to thank you all for being here today. 0:48:49.293 –> 0:48:52.723 Chris Blackburn If there’s any questions that you have, feel free to drop them in the chat. 0:48:52.733 –> 0:49:9.433 Chris Blackburn If there’s any questions that you have around the different toolings within the Intune suite, how some of those capabilities work definitely would love to connect with you more, or feel free to fill out that survey and we’ll reach out to you further as well. 0:49:10.343 –> 0:49:20.733 Chris Blackburn And with that, we love to thank you once again and hope to connect with you again soon in another one of our awesome webinars.