Updates to Windows management with Endpoint Manager

Cloud attach, remote help, drivers & more

Take a closer look at the latest updates to Windows management for hybrid work and what you get when you attach your device management to the Cloud to keep your users and devices up-to-date, productive, and secure. Jason Githens, from the Microsoft Endpoint Manager team, joins Jeremy Chapman to show upcoming support for driver updates, Windows 10 to Windows 11 upgrade management using Cloud-based update policies, the new enterprise grade remote help capability, and more.


01:15 — Evolution of Windows management

03:29 — Do cloud-based controls compare to on-prem?

04:35 — Update management demo with Endpoint Manager

06:24 — New driver update policies coming to Endpoint Manager

08:12 — Upgrading Windows 10 to Windows 11 at scale

09:49 — How do policy controls compare?

11:48 — New remote help experience in Endpoint Manager

12:33 — Wrap up

Link References:

To learn more about cloud attached Windows management and how to configure it, visit https://aka.ms/CloudAttached

Try out the new remote help experience; see how at https://aka.ms/RemoteHelpGuide

Bookmark our Windows management playlist for future deep dives at https://aka.ms/ManagementMechanics

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Keep getting this insider knowledge by joining us on social.

Video Transcript:

- Coming up: with the shift to hybrid work, we’re going to kick off a new series that takes a closer look at the updates to Windows management and what you get when you attach your device management to the cloud to keep your users and devices up-to-date, productive, and secure, including support for driver updates, Windows 10 to Windows 11 upgrade management using cloud-based update policies and the availability of remote help, and more. And to walk us through all the updates I’m joined by longtime Windows management expert, Jason Githens, welcome to Mechanics.

- Thanks for having me, so happy to be here.

- And thanks so much for joining us today. You know, for anyone who’s in the device management space, it’s been an interesting couple of years.

- Right, it really has. The past two years have been driven by a rapid shift in how we manage devices and access to corporate resources almost overnight, especially as a majority of people were working off the corporate network and potentially connecting using personal devices and from less secure home networks. So even if you were hesitant to change how you normally would do things before, a lot of us had to embrace more cloud-based management. And this work-from-anywhere concept that was kind of forced on us isn’t going away. In fact, the number of PCs connected to Microsoft Endpoint Manager cloud services has tripled over the past 18 months.

- Right, and you know, because of this, we’re actually kicking off a new series on Mechanics that’s fully dedicated to cloud-based Windows management. To start all this out, we thought it’d make sense to really ground everyone with what’s possible, how we got here, and maybe cover some of the updates along the way.

- Right, I mean, we’ve both been in this space for a couple of decades now, and things have evolved quite a bit. Let’s rewind the clock a few years. Everything started with a core set of services that were based on domain connectivity, where your PCs were typically connected. To manage them, you had Group Policy for keeping configuration across devices consistent, and Windows Server Update Services, or WSUS, for delivering Windows updates. Those tools were the foundation for basic Windows management. Later, Configuration Manager took those things to the next level for app deployment, update management, OS deployment, and much more.

- Right, and those tools by themselves were quite powerful, you know, and you’re right. They were perfect at the time when most PCs were constantly connected to your local network or over VPN.

- Exactly, and across this environment every few years, you had updates to Windows and corresponding updates to Configuration Manager. That takes us to around 2012. And over the last 10 years, things have changed quite a bit. In parallel, with key upgrades for things like Windows and Configuration Manager happening at a faster pace, more and more devices started connecting to online productivity and security services. In terms of connectivity, the reliance on connecting to on-prem services hasn’t gone away, but it’s certainly not where it used to be. For example, for things like online meetings using Microsoft Teams, you can’t reliably backhaul all that traffic over your VPN. And so the way things have developed, as more devices can do what they need to do over the internet and web-based services, device management from on-prem via VPN gets more challenging. So it’s important to have cloud attached device management to do this. Because ultimately you have to keep your devices configured to your requirements and up to date, productive, and secure, whether they connect to your local network or not. And even though we are now coming out of the pandemic, the shift to hybrid work is the new normal. And so device management needs to adapt and follow too.

- Makes sense. You know, and we’ve all experienced this shift, but having spent a long time in the space like you, you know, I know that there’s been a lot that you could do with local tools like Configuration Manager or Group Policy, compared to what you could do with cloud-based tools like Intune as part of Endpoint Manager, has that changed?

- Yes, it has changed. And there’s a ton more you can do now. With Endpoint Manager, when you cloud attach your existing on-prem services, you get significantly more capabilities while meeting users where they are.

- That’s right. And for example, you can keep those Windows PCs that might not be living and always on your local network configured and up to date, and you can still maintain your required level of controls across services, like update management, whether those devices are on your local AD domain or not.

- Exactly, that’s right. And this lets you manage practically any device that tries to access your data, resources, or cloud services. And you can take advantage of cloud analytics as well as our Zero Trust defense-in-depth protections and so much more.

- And the big point here is that everything’s additive. You now have even more control than you had before, but I’d love to see some of these things in action.

- I’d love to show you some examples of what you can do with cloud attached. I’ll start with Windows updates, one of the fundamental workloads that’s optimized today for remote work realities and has significant advantages over on-premises update constructs. And it’s a lot simpler and more intelligent. Let me show you some of the things you can do in creating an update ring policy in Endpoint Manager. So here you can define things like whether you want to receive other Microsoft product updates, deferral time periods for quality and feature updates, automatic update behavior, when your PCs are typically in use by defining active hours, what your users are allowed to do in update settings when they try to delay or seek updates, and importantly all the deadline policies to get the updates installed in a timely way. So it’s a lot simpler, and regardless of where your PCs are, as long as they’re connected to the internet, they’ll receive updates based on your configurations, keeping your devices compliant.

- And there are really a ton of benefits here, especially in terms of getting critical security updates installed as quickly as possible. So what else is new then in the Endpoint Manager space for update policy management?

- Gosh, we really need to do a whole show on updates alone, because we’ve seen the adoption of updates triple over the past 18 months, as driven by the remote work realities. Most recently we’re adding the manageability for drivers, a key aspect for IT because it’s a significant cost driver to stay on top of drivers from all the various OEMs. And we’re adding that directly into Endpoint Manager.

- This is really a super critical area with driver management, you know, because I know it’s been a challenge for a lot of us in IT over many years in really finding all the drivers and packaging up the right drivers. Also managing any vulnerabilities that might exist due to having the wrong drivers in place. That’s been a challenge.

- Yeah, that’s so true. Now let me show you how this works. I’m going to create a driver update profile and give it a name. I’ll just call it Driver updates for Windows 11. And here you’re seeing the policy options in Windows Update for Business to apply driver updates. It’s pretty straightforward. After naming the policy, you simply pick manually or automatically approve. And if choosing automatically, you set an offset of days to make the drivers available. Here, I’ll just enter seven days and I can assign it to my Windows 11 group. And once that’s assigned and created from the profile list, if I show you this manual approval policy I have here, you can see I have four drivers to review for my targeted set of devices. And when I go into the details, you’ll see the driver details as well as the number of applicable devices. And if I select this one here for Microsoft appliances, then I can make driver approval decisions right from here. One of the significant benefits here is that these are the latest drivers available with manufacturers, all published into Windows Update directly, with applicability determined by Windows Update-based scans.

- Right, one of the things I’ve noticed is we’re at that point now where actually OEMs are publishing directions on their support sites, normally where you download drivers, to get people to update their drivers from Windows Update.

- I think that really proves how invested OEMs are in this update model. And of course, if your hardware vendor packages up new drivers as apps, you can push them using built-in app deployment. You have more control and flexibility than ever using cloud-based controls. And these update policies don’t just apply to quality and feature updates. It’s also a way to deliver Windows 11 upgrades. In fact, if you’re using Endpoint Manager to manage Windows 10 PCs, you can upgrade them to Windows 11 now too, by using the same Windows Update rings policy we saw earlier. Let me show you. I’m on a managed Windows 10 PC for my organization. On this machine, I’ll hop over to Endpoint analytics on the Endpoint Manager portal. If you’re new to it, Endpoint analytics combines the benefits of cloud attach with our big data analytics and machine learning from Azure to give you device-specific insights. Here, you’ll find things like Startup performance, Proactive remediations to find and fix common issues, Application reliability to assess app performance, and in the Work from anywhere report I can see three devices here, including my Surface Pro. And Endpoint Manager has confirmed this device is ready for Windows 11 by marking it capable. So now that I know it’s ready for Windows 11, I can add it to my Windows 11 ready group. I’ll search for the device name. There it is, and hit Select. Now I’ll jump over to my tab where I started creating a Windows 11 upgrade ring. I just need to enable this option to upgrade Windows 10 devices to the latest Windows 11 release. Next I’ll add my group, choose Windows 11 ready, hit Select. Then finally here on the summary screen, I can create it. And we’re all set. It’s the same experience as deploying a Windows feature update. And if I go back to that device, I’ll go into Settings and Windows Update and you’ll see that these settings are managed by my organization, and I can manually check for updates. And now the upgrade to Windows 11 starts automatically. Depending on the connection speed, it can take several minutes to download and kick off the installation. So we’ve sped this up a little to save time. Then once it completes, it’s running Windows 11 with all the apps and policies applied as required.

- So you’ve really come a long way in terms of making OS deployment a lot simpler than I remember. You know, if we go back though to policies, what about all the things that I can do with group policies with my domain-joined machine? I remember with CSPs or, you know, configuration service providers, those policies were a lot more limited and just a fraction of what you could do with GPO.

- You know, that used to be the case, but we continue to expand the policies that you can configure in Endpoint Manager and apply to Windows clients, including ADMX-backed policies. In fact, let me show you where we are with the settings catalog. I’ll create a new configuration profile, select Windows 10 and later for the platform, choose Settings catalog as the type, then give it a name. I’ll just call this Mechanics. Now when I add settings, it lets you search for any policy, whether it’s ADMX-backed or not. And in addition to Windows policies, the latest ones for Office and Edge are there as well. For example, if I search for BitLocker, there are all the Windows settings for it. If I search for macro, you’ll see the corresponding Office settings. And if I search for sleeping tabs, a recently added Edge feature to reduce resource consumption, there are the matching Edge settings. So you don’t need to worry about getting the most recent policy files to get the latest settings; we do that here for you. And as I scroll down, you’ll see I can also browse by category, and I’m going to select Windows Update for Business here since we’ve talked a lot about updates today. Here, you can see how flexible and expansive the controls for updates have become. And you’ll see 68 policy settings available here. And even though I’m showing all of the policy options for Windows Update, you typically won’t need them all. In most cases, the dozen or so settings I showed earlier in the update rings will suffice.

- Okay, so now we’ve covered a lot of the benefits in terms of getting cloud attached and what it equates to from a configuration and deployment perspective, but why don’t we switch gears to run state and kind of the operations side of things. What’s new there?

- Right, I mean, run state as you know, is incredibly important, so we should touch on that. And there are a couple of key things that we’ve added here to help with the run state, the daily operations of device management for organizations. First is our new remote help experience in Endpoint Manager. Something everyone can relate to are help desk calls. And it’s tightly integrated with Endpoint Manager and Azure Active Directory. As the person requesting help, when you launch the session, you see detailed information about the helper and sharer to build trust such as profile picture, name, company, title, and verified domain. Once the session is established, the help desk technician can securely control the PC. Additionally, the help desk can also interact with UAC, if needed, to enter alternate admin creds, to do things like install apps with elevated permissions. And of course there’s a full audit trail to track all of the activities that an organization is doing with remote help.

- It’s really great to step back and see the evolution of cloud management and some of the updates. What’s your team working on next?

- So we showed a lot today what you can do once you’ve attached device management to the cloud, and we’ll continue to harness the cloud’s analytic power to give you value with proactive insights to consistently optimize the overall health of your environment. These are all things we’ll delve into in future episodes in the series.

- Got it. So for anyone who’s watching at home right now, looking to get started on improving their Windows management, what do you recommend?

- It’s pretty straightforward. First check out aka.ms/CloudAttached to get our interactive guide that walks you through all the steps to connect your Configuration Manager infrastructure to the cloud. And most of what I showed today is either released or in preview in Endpoint Manager. Also, take a look at all of the Windows Update options we’ve added. Driver controls for update rings are also coming soon, and remote help is available today. You can check out aka.ms/RemoteHelpGuide to learn more.

- Thanks so much, Jason, for joining us today and sharing all the different Windows management updates. I’m looking forward to seeing deep dives on all these different topics, and we’re going to publish everything in the series at aka.ms/ManagementMechanics. And of course, subscribe to Mechanics if you haven’t already, and as always, thank you so much for watching.
