
First event, 09-06-2021: Translate existing GPOs in the cloud with Microsoft Endpoint Manager

Speaker: Marco Saracco (Microsoft)


Transcript

  1. Contents
     • Cloud Device Management Scenarios
     • MDM Policies
     • Device Configuration with Intune
     • Group Policy Analytics
     • Field Experience
  2. Cloud Management Scenarios 1/2: Azure AD Join
     • Joined only to Azure AD. Sign in with the organizational account.
     • Suitable for both cloud-only and hybrid organizations.
     • SSO to both cloud and on-premises resources.
     • Device management? MDM, or Configuration Manager co-management.
  3. Cloud Management Scenarios 2/2: Hybrid Azure AD Join
     • Joined to on-premises AD and Azure AD. Sign in with the organizational account.
     • Suitable for both cloud-only and hybrid organizations.
     • SSO to both cloud and on-premises resources.
     • Device management? Group Policy, MDM, or Configuration Manager co-management.
  4. MDM Policies: Configuration Service Provider (CSP)
     • CSP: a Configuration Service Provider is an interface to read, set, modify, or delete configuration settings on the device.
     • SyncML: the XML message that carries all the information needed to configure a CSP.
     • Flow: MDM (Intune) -> SyncML -> MDM Client -> MDM Configuration Service Providers (CSPs) -> Common Device Configurator
  5. MDM Policies and GPOs comparison
     • Connectivity: MDM policies require the computer to be Internet connected and managed by Intune; Group Policies require DCs in line of sight (computer on the corporate network or VPN).
     • Feedback: MDM policies give feedback on assignments; Group Policies give no feedback on assignments.
     • Targeting: MDM policies are assigned to Azure AD security groups; Group Policies are assigned to Organizational Units.
     • Client-Side Extensions: with MDM, CSE policies could be managed via PowerShell scripts deployed via Intune; with Group Policy, CSE policies can be delivered via GPO Preferences.
  6. Device Configuration with Intune 1/5
     • Security baselines: on Windows 10 devices, security baselines are security settings that are pre-configured to recommended values.
  7. Device Configuration with Intune 2/5
     • Administrative templates: these ADMX templates are the same ADMX templates used in AD group policy, but are 100% cloud-based in Intune.
  8. Device Configuration with Intune 3/5
     • Settings Catalog: these settings are generated directly from the Windows configuration service providers (CSPs). As Windows adds or exposes more settings to MDM providers, these settings are added more quickly to Microsoft Intune for you to configure.
  9. Device Configuration with Intune 4/5
     • Templates: templates contain groups of settings, organized by functionality.
  10. Group Policy Analytics
     • Group Policy analytics is a feature in Microsoft Endpoint Manager (Intune) that analyzes your on-premises GPOs and helps you determine how they can translate to the cloud.
     • The output shows which settings are supported in MDM providers.
     • Supported CSPs. Group Policy analytics can parse the following CSPs:
       • Policy CSP
       • PassportForWork CSP (Windows Hello for Business)
       • BitLocker CSP
       • Firewall CSP
       • AppLocker CSP
     • !! "MDM Wins over GPO" only works with the Policy CSP. !!
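As an added illustration, not from the deck, of the SyncML described in slide 4 and of the "MDM Wins over GPO" caveat above: the fragment below is the shape of the OMA DM message an MDM server sends to set the Policy CSP node ControlPolicyConflict/MDMWinsOverGP to 1 (the node, its path and its integer type are documented parts of the Policy CSP; the CmdID value is arbitrary). Because this node lives in the Policy CSP, it only governs conflicts for settings that are themselves Policy CSP settings; a BitLocker, Firewall or AppLocker CSP setting is not affected by it.

```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- Replace: write the node (create it if absent). -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <!-- Policy CSP area ControlPolicyConflict, setting MDMWinsOverGP -->
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <!-- 1 = MDM policy takes precedence over a conflicting GPO setting -->
        <Data>1</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

In Intune you never write this by hand: the same exchange is produced by the Settings Catalog or by a custom OMA-URI profile that names the LocURI above. The device-side result of any Policy CSP write lands under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, which is where to look when checking whether a setting actually applied.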
  11. Group Policy Analytics
     • Create a GPO report and import it into Group Policy analytics
     • Review settings
     • Group Policy migration readiness report
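The first of the three steps above, as an added PowerShell example that is not from the deck: export every GPO in the domain as the XML report that Group Policy analytics imports (Get-GPOReport with -ReportType Xml), then pre-count the Administrative Template (registry-based) settings in each file so you can decide what is worth importing at all. It assumes the RSAT GroupPolicy module and a domain-joined machine with rights to read the GPOs; the output folder name is an assumption.

```powershell
# Added example, not the deck's own code. Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

$OutDir = Join-Path $env:USERPROFILE 'GPOReports'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One XML report per GPO: this is the file Group Policy analytics accepts.
$reports = foreach ($gpo in Get-GPO -All) {
    # GPO display names may contain characters that are illegal in file names.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $path = Join-Path $OutDir "$safeName.xml"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path
    $path
}

# Pre-review: count Administrative Template settings per report.
# local-name() sidesteps the per-extension XML namespaces used in GPO reports.
$summary = foreach ($path in $reports) {
    [xml]$xml = Get-Content -Path $path -Raw
    $policies = $xml.SelectNodes("//*[local-name()='Policy']")
    [pscustomobject]@{
        GPO      = [System.IO.Path]::GetFileNameWithoutExtension($path)
        Enabled  = @($policies | Where-Object { $_.State -eq 'Enabled' }).Count
        Disabled = @($policies | Where-Object { $_.State -eq 'Disabled' }).Count
        Total    = $policies.Count
    }
}

# GPOs with no Administrative Template settings at all are the first candidates
# to drop rather than translate (slide 12: don't try to translate everything).
$summary | Sort-Object Total -Descending | Format-Table -AutoSize
```

The XML files in the output folder are what you upload in the Intune admin center under Group Policy analytics; the readiness report is then generated per imported GPO. Counting settings here is only a triage aid: the report itself is what tells you which of those settings have an MDM equivalent.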
  12. Field Experience
     • Don't try to translate all of your existing group policy objects (GPOs) to Intune policies.
     • Don't decide to invest in hybrid authentication only to avoid reviewing the settings that you need for your Windows 10 devices.
     • For a cloud-managed device, there are some group policies that don't apply to the scenario.
     • Make sure that you're not still using settings for an app that you no longer use.
     • Consider this process an opportunity to optimize the performance and configuration requirements of your cloud-managed devices.
     • Azure AD joined devices can still maintain single sign-on access to on-premises resources when they are on the organization's network. Devices that are Azure AD joined can still authenticate to on-premises servers like file, print, and other applications.
     • Security baselines are Microsoft best practice; sometimes they are too strict for an environment, so do appropriate tests before broad assignment.
  13. This presentation is a living document, written collaboratively over time and subject to change. When guidance presented in this presentation is in direct conflict with official documentation, one must defer to official documentation.