Microsoft Endpoint Manager updates from Microsoft Ignite.

Due to the pandemic, “work from everywhere” is the new normal. Common tasks like hardware procurement and provisioning, and help desk are radically different when users and IT teams aren’t coming into the office. People have quickly realized not all of their hardware is up to the task of enabling work from everywhere.

Microsoft Endpoint Manager updates

Brad Anderson, Microsoft 365 CVP, joins host Jeremy Chapman to walk through the latest updates for endpoint and app management, to enable secure remote work experiences from wherever your users are.

Microsoft Ignite 2020

Windows Autopilot:

Dropship devices directly to your users — whether that is a work or home address. We recently added support for co-management to Autopilot. Apps you’ve been managing from Configuration Manager can now easily be deployed as part of the Autopilot process.

Tenant attach:

You get a unified list of devices and don’t need to choose between one tool or the other. This is a huge update and simplification that enables customers to attach the Microsoft 365 cloud to their ConfigMgr deployment.

ADMX Templates:

We keep these up-to-date with not only the latest Windows policies, but all of the policy settings you need to manage Microsoft 365, the Edge browser, Office 2016 — which manages everything Office 2016 and newer, as well as your Office 365 apps and OneDrive policies. Now with the Office and Edge ADMX settings in there and up-to-date, it’s not just more control for non-domain-joined PCs, but a huge time saver.

Protection in Edge:

We are building more Microsoft Endpoint Manager controls into Edge, and we’ll be able to ensure the data never leaves the browser or the storage locations that you have approved. Policy management is happening directly from Edge at the app layer. This protection is now baked into Edge, which expands data loss protection to unmanaged devices.


02:28 — Windows Autopilot

03:43 — Tenant attach

06:01 — ADMX Templates

08:59 — Protection in Edge

11:32 — Endpoint analytics

14:01 — Microsoft Tunnel

15:19 — Microsoft Defender for Endpoint

Link References:

Watch our 3-part series on Edge and Search at

Get started with everything we saw in Microsoft Endpoint Manager by going to

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

This was part of the 2020 Microsoft Ignite lineup.

Video Transcript:

- Welcome to a special edition of Microsoft Mechanics. Coming up on the show, we catch up with Brad Anderson, Microsoft 365 CVP, for a look at the latest updates for endpoint and app management, to enable secure remote work experiences from wherever your users are. So Brad, welcome back to Microsoft Mechanics.

- Thanks Jeremy, it’s great to be back.

- So this is an interesting time, I think, for a lot of us, including those who work in IT and are either working remotely at home or maybe on rotation in the office. And the shift to hybrid work environments is continuing now, but how is it impacting the work that we’re doing in IT for things like managing end user experiences, devices and security?

- You know, this is just a fascinating time to be working on Endpoint management, security, end user enablement, you know, because things are changing so quickly. Think about what happened in March. In a matter of a couple of days, everyone was sent home, and then we were participating in the world’s largest work-from-home experiment ever. And you know what happened is organizations pretty quickly realized that some of their processes and some of the things that they had depended on for years, you know, such as the firewall, and actually being face to face, just did not work when your users were literally working from everywhere. Now we’re beginning to see organizations come back into the office, but you know, make no mistake, this concept of hybrid work is gonna be with us forever. We went through multiple years of cultural change in just March and April. So the design point has to be, some of our users are gonna be working in the office, and some of our users are gonna be working from home. Now from a modern workplace perspective, we have to ensure that independent of where your users are, they can get access to everything that they need to be productive and achieve, but make sure that all of your information is protected and secure.

- Why don’t we start then with hardware provisioning? So I know that there’s some changes there, but what’s new?

- Yeah, you know, one of the things that everyone realized pretty quickly when the pandemic occurred is that much of their hardware was just not up to the task. You know, think about it for a minute. Everybody went from working in the office to now working in Teams, you know, 24 by 7. And there was a run on things like cameras and laptops. You know, in fact, in March and April, you could not find a camera or a laptop if you looked as hard as you could. If you’re in a company that takes delivery of laptops, installs Windows and apps on them, then sends out the hardware to people, you know, this process just doesn’t work if you wanted to run that type of a build lab from home. Can you imagine receiving dozens of PCs daily to your home, building a lab to provision all that, and then sending it out to your users? And this is where Windows Autopilot comes in. You can drop ship devices directly to your users, whether that’s at a work or home address, and you are still in complete control over the apps and policies that those users get once the user takes delivery. The PC is provisioned over the internet without having to be on the corporate network. And recently, one of the new things we added is the ability to set up co-management as a part of Autopilot. You know, before, Autopilot only supported AAD. But now you can have the device join Active Directory and actually deploy the ConfigMgr agent as a part of Autopilot. That means that all those apps that you’ve been managing from Configuration Manager can now easily be deployed as a part of the Autopilot process. So you don’t have to migrate your Windows apps to Intune or manage them in two different places. Now, check this out. Here I have an OS deployment task sequence for a new computer, and all I have to do is disable or remove the operating system installation tasks, and all these other tasks will work the same. And if you use nested task sequences, you can even use the configuration sequences unchanged. So they’ll work via ConfigMgr or Autopilot provisioning. No build lab is needed; Autopilot will execute all of this as expected. And as a part of the Autopilot process on the endpoint, you’ll see this execute as part of the enrollment status page. It’s just one of the nine apps listed here. And if you want to, you can just see the task sequence progress UI too, but in my case, we’ve hidden it.

- Nice, so okay, we’re familiar then with the concept of co-management, where you can decide different aspects that are managed by either Intune or Configuration Manager. And last time you were on Mechanics, we actually saw something called tenant attach, where you get a unified list then of the devices and don’t need to choose between one tool or the other. But as you can see here, you can actually initiate things like machine policy and user policy sync directly from the MEM admin center.

- This is a huge update and simplification that enables organizations, the customers, to attach the Microsoft 365 cloud to their ConfigMgr deployment. With tenant attach there’s nothing that has to happen on the endpoint. It’s all done in the admin UI. You, the IT pro, connect an Intune tenant to your ConfigMgr deployment, and we instantly give you new value, such as the ability to see and take actions on all of your devices from the Microsoft Endpoint Manager console. We’ve seen a huge uptake in cloud attach: 5% of all Windows devices managed by Microsoft Endpoint Manager a year ago, to literally 19% today. And we see this quickly getting to 1/3 of all devices a year from right now, and soon over 1/2 of all the Windows 10 devices managed by Microsoft Endpoint Manager will be cloud attached. So if you’re not enabling cloud attach, you are falling behind. The good news is, there’s no transition needed, and you can even execute many of the core ConfigMgr policies directly from any browser now. The Microsoft Endpoint Manager admin console is literally that hub that gives you that consolidated view from all of your endpoints. And there are some really cool new things coming. For example, with timeline, as you can see here, you get all of the interesting events that have happened on a device. This is great for troubleshooting your devices. And that’s not the only place we’ve made Microsoft cloud insights available to your on-prem ConfigMgr deployment. You know, Group Policy has been a staple for IT teams for decades in setting settings across Windows and Windows applications. And at the core of Group Policy are these ADMX files that are used for templates that define all these settings. So last year, we added ADMX-backed policy management directly into Intune to expose thousands of additional settings. Here we’re looking at a configuration profile for Windows 10, with administrative templates selected. We now keep these up-to-date, not only with the latest Windows policies, but if you look at Computer Configuration, you see all the policy settings you need to manage Microsoft 365, the Edge browser, Office 2016, which manages everything Office 2016 and newer, as well as your Office 365 apps and OneDrive policies. And these are still delivered via the same policy configuration service provider, or CSP. So your Windows 10 machines just need to be joined to Endpoint Manager to take advantage of all of this.

- Right, and that really blew my mind when I saw those policies light up in Intune. But now with the Office and Edge ADMX settings in there too, and up-to-date, it’s more than just control for non-domain-joined PCs like you can do here, but it’s also a huge time saver.

- That’s right, and one more thing about these ADMX-backed policy files: as you can see here, you can now upload custom ADMX files. You can import third-party ADMX templates and display them in the same GUI experience I just showed you. And if you’ve been using Chrome, we’re working on a policy setting migration tool that you’ll be able to point to your Chrome settings, and it’ll automatically migrate them over to Edge. As you can see here, we’ve mapped common settings between what you’ve set in Chrome and what we have in Edge. And you just choose what you want, and those will be migrated and enforced for Edge. This way you can start using Edge immediately. You know I’ve been saying for the last year that Edge is by far the best browser for business. And I say that for the following reasons. It has greater privacy than Chrome, it has better compatibility because of IE mode that’s built right into it, and all the management and security of Endpoint Manager and EMS is built into it. And with Microsoft Search, it also gives you the ability to search all your intranet in addition to the internet. It really is the best browser for business. And my recommendation is go make it that by policy across all your devices.

- That’s right, and I love all the different Edge browser integration and deployment that you’ve built in to Microsoft Endpoint Manager. In fact, we just published a three-part series on Edge and Microsoft Search, at

- You know, the browser is such an important part of the management story that you have for your devices. The common user spends over 60% of their time in the browser and the Office apps. That’s where they spend their time on a PC. If you are a Teams user like me, I spend over 90% of my time in the Office apps and in the browser. And that’s why we’re building all these Microsoft Endpoint Manager controls directly into these apps, Edge and all the Office apps, so that you get this security and this manageability out of the box. And there’s a principle here: it’s a lot easier to just use what’s been built into these applications for you across all of your applications and devices for security and management. Now with the pandemic, one common question we’ve got is organizations saying, “Hey, we have lots of users who want to use their personal PCs and Macs. And we wanna enable that, but how do you do that and still protect the data that the users are accessing from these personal and therefore untrusted devices?” Well, today we gave a first look at something really exciting that’s coming. We’re building more Microsoft Endpoint Manager controls into Edge. These controls will enable your users to do things like use the Edge browser to access and use any web apps, like the Office web apps. And we’ll be able to ensure that data never leaves the browser or the storage location that you’ve approved. And just like you can prevent copy and paste out of the Office application on iOS and on Android, that’s an example of a control that we’re going to enable in Edge that has these Microsoft Endpoint Manager controls built into it, for any web app. Here I have my corporate email open on my unmanaged personal device. Now I’m signed in with my Microsoft 365 account in Outlook, and in the Edge browser. If I go and I copy this text from this Edge window, and then try to paste it into another Edge window where I’m signed in with my personal account here on Twitter, you’ll see it doesn’t work. And that’s because my organization has blocked it. Again, this is an unmanaged device, and policy management is happening directly from Edge, at the app layer.

- And that’s great that this protection is now baked into Edge, which expands that data loss prevention or DLP now to unmanaged devices as well. So that changes a lot of things, but is there anything new then for the managed devices?

- You know, Jeremy, as you know, one of the things that I have been on a mission for the last couple of years is helping organizations improve their end user experience. You know, as we’ve researched this, one of the things that we’ve seen is that these DLP agents that have come from the traditional security vendors are the agents that often have the biggest impact on end user experience. So what we’ve done in Microsoft 365 is we’ve built a modern DLP solution that delivers you all the DLP capabilities that you need in that protection, but it does it in a way that doesn’t have that impact on the endpoint. We call this Endpoint DLP, and it doesn’t just give you DLP protection in the Office apps, it gives you data protection device-wide. Now here’s an example of an Endpoint DLP policy on a confidential document. In my case, even if I try to copy content into the clipboard, it’s blocked because this document has sensitive information. In the Microsoft 365 compliance center, I only need to define one policy that spans apps and devices. Like other DLP policies, I can monitor, block with user-permitted override, or outright block. You can also see I have options here for uploading, copying to USB and printing. And again, unlike other solutions out there that dramatically slow down your PC, Endpoint DLP does not.

- Okay, so we’ve covered now the core updates for deployment, policy management, information protection and things like DLP, but what have we done, or have we done anything actually to help the day-to-day kind of help desk or desktop support professionals that are out there?

- Yeah, a massive focus for us for some time has been building analytics and insights, so we can actually give you those views into how your organization is working and the experience you’re delivering to your users. Here you can see productivity score, which gives you recommendations on how to improve things like meetings or how your people are collaborating. Now, the part of productivity score that my team delivers is called Endpoint analytics. And this is a place where we’re putting massive investments. Endpoint analytics helps you to understand both device and app health state. We give you data-driven recommendations on how you can improve your end user experience in places such as the boot time. Now, one thing that is brand new that you’re gonna see in Endpoint analytics is what we call application health. Application health is a very unique capability in Microsoft Endpoint Manager. Whenever a PC crashes and the user is asked if they wanna upload that data back to Microsoft so we can learn, it comes back to what we call Dr. Watson. Now it’s interesting, the software engineer that’s responsible for that portion of the code is notified as crashes come in, so that they can actually track and resolve the issue, then we kind of track it end to end. Now what we’ve done is we’ve wired up your Microsoft Endpoint Manager tenant to Dr. Watson, so we can now show you your personalized view of what is causing crashes in your PC estate, along with the specific actions to take to reduce the number of crashes. And if we look across apps for app performance, you can drill into the details and see, for example, things like performance across different app versions, including what the mean time to failure is. Now let’s even take that one step further. One of the areas that we’ve been working on is giving you the ability to create scripts that will practically go out and remediate issues even before you see them. We call this proactive remediations. You can reduce costs to your help desk and improve the end user experience by proactively creating automation scripts that detect and fix issues before your users see them. You can see issue remediation trends over time. And here’s a common one, to update stale group policies. And we can choose how often it runs. I can even drill into the script itself. Now customers are using these proactive remediation scripts and often seeing up to a 50% reduction in the associated help desk calls.

- Okay, and then speaking of VPN, what are we doing to help with VPN on our mobile devices?

- Yeah, you know, one of the other big announcements that we made today is something that we call the Microsoft Tunnel. Microsoft Tunnel is built into Microsoft Endpoint Manager MAM controls, and it enables your users to securely access your content behind your firewall when they launch an app that requires that on-prem access. Here you’re seeing the new Microsoft Tunnel gateway configuration in Microsoft Endpoint Manager. After you input a name, you just choose the new Microsoft Tunnel as the connector type. Then you define the connection name or IP or domain name. And we let you configure this as either an always-on VPN or a per-app VPN. And here I’m just gonna go ahead and select Edge. And this seamlessly and securely gives you access to content behind the firewall. We can enable the always-on VPN, or just have the app trigger it, as well as the proxy settings if needed. Right now, let’s take a look at the experience on a phone. So here, I’ve got my Duo, and I’m gonna go into an intranet-hosted internal app, as you can see by the IP address in Chrome here on the right hand side. And you’ll see that it doesn’t work, it’s unreachable. Now on the left screen, I’m gonna open up that same IP address in Edge, and you’ll see that it works. Simple and secure access to your data and applications behind the firewall.

- Okay, but let’s switch gears then to security. What are we doing then on the device security front?

- Now with the integration that we’ve done between Microsoft Endpoint Manager and Microsoft Defender for Endpoint, you’re gonna see how this all continues to come together. Now you might recognize this as Defender ATP, but as of today, the name going forward will be Microsoft Defender for Endpoint. Here’s an example of Defender running on my Surface Duo. And I’m installing a test virus app here, and you can see that Microsoft Defender finds it. If we tap in, we can see that it’s unsafe. And the great thing here is that with Microsoft Defender, you get this complete view of incidents and alerts. So I’m in the Microsoft Defender Security Center, and you’ll see the alerts are here, including the one from my phone. If I click into it, you get all the rich details about what the threat is, and the actions Defender took to remediate it. Now in Microsoft Endpoint Manager, you can connect Defender for Endpoint with Microsoft Endpoint Manager and have that complete view for your Windows, Mac, iOS, and Android devices, all in one experience.

- And all these updates you’ve presented today are really gonna help in terms of management across devices, from wherever people are working. But what other tips would you leave people with today as they manage user experiences, devices and security?

- You know, there are two big takeaways I really kind of encourage people to go do. The first one is go tenant attach your ConfigMgr deployment to Intune. That enables all these cloud-delivered insights to start flowing down to you. And the second thing is go set Edge as your preferred and recommended browser for accessing your organization’s data.

- Thanks Brad, it’s always a pleasure having you on the show. And you can get started with everything that we saw in Microsoft Endpoint Manager as an admin by going to, and make Endpoint Manager your hub for IT. And we hope that we can answer all of your questions, and also be sure to stay up-to-date with the latest tech news from Microsoft. You’re gonna wanna subscribe to Microsoft Mechanics. Thanks for watching, we’ll see you next time.


