0% found this document useful (0 votes)

15 views

Managing Windows and Surface Devices 1

Uploaded by

Elias Pepe

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

15 views

Managing Windows and Surface Devices 1

Uploaded by

Elias Pepe

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 156

© Copyright Microsoft Corporation. All rights reserved.

FOR USE ONLY AS PART OF MICROSOFT VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED
FOR DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.
Microsoft 365 Virtual Training
Day: Managing Windows and
Surface Devices
Device Enrollment
Managing Device Authentication

Module Device Enrollment using Microsoft Endpoint Configuration Manager

Agenda
Device Enrollment using Microsoft Intune
Lesson 1: Managing Device Authentication
Lesson Introduction

Azure AD join

Azure AD join prerequisites, limitations and benefits

Joining devices to Azure AD

Managing devices joined to Azure AD

Azure AD Join Overview
• Windows 10 can join Azure AD
• Typical scenarios:
‒ Applications and resources are
mostly in the cloud
‒ Separate temporary accounts
‒ Enable users to join their device to
the corporate environment
• Join devices during initial setup
or later
• Hybrid Azure AD join
automatically registers your on-
premises domain-joined
devices with Azure AD
Azure AD Join Prerequisites, Differences, and Benefits

Multitenancy is very difficult to implement with AD DS

Azure AD is not a part of the core infrastructure

Azure AD has different management capabilities than AD DS

Azure AD is multitenant by design

Joining Devices to Azure AD

Joining a device to Azure AD is a simple

procedure

You can join to Azure AD during

Windows 10 installation, or you can do
it later, at any time by using Settings
pane, a script, or a number of
management tools

You need Azure AD credentials to join

device to Azure AD
Managing Devices Joined to Azure AD

Group Policy manages devices that join on-premises AD DS

Group Policy is not always available or supported for devices that join Azure AD

Azure AD supports integration with mobile device management (MDM) services such as Intune

When integration between Intune and Azure AD is configured, a device that joins Azure AD
automatically enrolls with Intune (additional licensing may be required)
DEMO: Enroll a Windows 10 device automatically
Lesson 2: Device Enrollment using Microsoft
Endpoint Configuration Manager
Lesson Introduction

Introduction to Microsoft Endpoint Manager

Deploying the Microsoft Endpoint Configuration Manager Client

Monitoring the Microsoft Endpoint Configuration Manager Client

Managing the Microsoft Endpoint Configuration Manager Client

Microsoft Endpoint Manager
Manage on-prem endpoints in the cloud at your own pace

Microsoft Endpoint Manager

Configuration Microsoft
Manager Intune

Win Server

On-premises Clients Windows 10 Windows, macOS and

and Servers CM + Intune mobile devices

Tenant Attach Co-management Native cloud management

Why Deploy the Configuration Manager Client?

Benefits for IT administrators

Track software present on the device
Access inventory information in relation to hardware
Update the device with Quality and Feature updates
Manage and deploy the OS and LoB applications

Benefits for end users

Browse a feature rich self-service catalogue of
software that empowers the user to choose software
to install
Configure working hours to ensure interruptions are
minimized
Client Deployment Options

Client push Manual deployment OS deployment Microsoft Intune

Deploys the Configuration Deploys the Configuration When installing and setting up Intune drives Configuration
Manager client directly from the Manager client installation Windows 10 using a task Manager client installation and
Configuration Manager console source files and a script file sequence, slip-stream the registers the device with the
containing the install parameters Configuration Manager client Cloud Management Gateway
Device discovery (Active
into the Windows setup and
Directory LDAP integration) Executes from the ccmsetup.exe Manage each respective
provide it with the necessary
file or from the MSI that is part workload from either Intune or
Copies the files to the source installation parameters
of the client files Configuration Manager after
computer and initiates the install
Must be installed when a device installation
automatically Can be time consuming as a
is built for the first time (or
delivery mechanism
Initial copy process may increase rebuilt)
network traffic
Monitoring the Microsoft Endpoint Configuration Manager
Client

Client online status. Online (connected to its assigned management point) or offline.

Client activity. Active (it has communicated with Configuration Manager in the past seven days) or
inactive.

Primary User. The primary user of this device, calculated over a 60-day period of the most frequent
logins.

Operating System Build. See the OS version of a device without having to connect to or perform
any remote management.

Client check. State of the periodic evaluation that the Configuration Manager client runs on the
device. The evaluation checks the device and can remediate some of the problems it finds.
Managing with Microsoft Endpoint Configuration Manager

When the Configuration Manager client installs • Assigns device to a site

• Adds device to query-based Collections
• Scans device for inventory and uploads inventory data
• Scans for compliance, pushes required software, etc.
Collections • Represent devices or users that have some commonality
• Perform tasks, such as target a deployment or run a report
Other management options • Start Resource Explorer
• Start Policy Retrieval
• Add to a collection
• Client Settings RSOP
DEMO: Enroll a Windows 10 device using
Configuration Manager
Lesson 3: Device Enrollment using Microsoft
Intune
Lesson Introduction

Activating and deploying MDM services

Managing Corporate Enrollment Policy

Enrolling Windows to Intune

Managing devices with Microsoft Intune

Enroll/Unenroll devices

Remote tasks

Application Management

Inventory and Analytics

Device security and management

One consistent set of MDM capabilities across Mobile, Desktop, and IoT
Enabling Mobile Device Management
Enable Intune as the MDM Authority

Get an Apple MDM push certificate

Sign up for Apple Business if you intend to use

Apple´s Device Enrollment Program
Considerations for Device Enrollment

• Determine enrollment method

‒ Group Policy
‒ Joining Azure AD
‒ Manually (Settings, Provision
Package, Company Portal App)
• Determine devices allowed and
restrictions
• Determine if enrollment is optional
or mandatory
Managing Corporate Enrollment Policy

• Your initial Azure AD domain will follow the

model:
‒ your-domain.onmicrosoft.com
• Add one or more of your custom domain
names, i.e. Contoso.com (recommended)
• Add custom domain names in the Microsoft
365 management portal
• Configure Automatic MDM enrollment
(recommended) OR
• Create CNAME records to simplify
enrollment and device registration when
not licensed for Azure AD Premium
Enrolling Windows Devices in Intune

Many ways to enroll Windows 10 devices in Microsoft Intune:

• Add work or school account
• Modern app sign-in (user driven)
• Enroll in MDM only (user driven)
• Azure AD join (Out of Box Experience (OOBE))
• Azure AD join (autopilot – User-driven deployment mode)
• Enroll in MDM only (Device Enrollment Manager)
• Azure AD device registration + automatic enrollment Group Policy Object
• Configuration Manager co-management
• Azure AD join (bulk enrollment using provisioning package)
DEMO: Enrolling devices in Intune
Security, Compliance and Identity Blog

Azure Active Directory documentation

Join the Microsoft Endpoint Manager Community

Microsoft Endpoint Manager Blog

Microsoft Endpoint Manager documentation

Resources
Microsoft Intune documentation

Configuration Manager Blog

Microsoft Endpoint Configuration Manager Documentation

Microsoft Endpoint Manager Learning Path

Configuration Manager Learning Paths

Application Management
Lesson 1:
Deploying and Updating Applications
Lesson Introduction

Adding applications to Intune

Deploying Applications with Configuration Manager

Adding Apps to Intune

Apps must be added to Intune before you can

deploy or manage them.

Apps Supported:
• Apps from the various stores (Apple and Google)
• Apps for Windows 10 from Windows Store or an app catalog
• Microsoft 365 Apps
• Web Links
• Built-in Apps (i.e. OneDrive and Edge)
• LOB Apps
• Win32 Apps
Managing Win32 apps with Intune

Win32 Content Prep Tool used to

Devices must be joined to Azure AD
create .intunewin file

Add App to Intune

Max size 8GB per app
• App info and requirements
• Install/uninstall commands
• Rules for existing config and apps
• App return codes
32/64-bit supported
DEMO: Deploying Windows applications with
Intune
Deploying Applications with Configuration Manager
Elements of the application model

Deployment type Purpose

Requirements Revisions

Global conditions Detection method

Simulated deployment Dependency

Supercedence
Deployment applications
Application groups
Creating an Application in
Configuration Manager
To create an application:
1. In the Configuration Manager console, choose Software Library
> Application Management > Applications. Select Users and
groups, and then select All users.
2. On the Home tab, in the Create group, choose Create
Application.
3. On the General page of the Create Application Wizard, choose
Automatically detect information about this application from
installation files.
1. Type: Choose Windows Installer (*.msi file).
2. Location: Type the location (or choose Browse to select the
location) of the installation file Contoso.msi.
4. On the General Information page, you can supply further
information about the application.
5. In the Installation program field, specify the full command line
that will be used to install the application on PCs.
6. Choose Next. On the Summary page, confirm your application
settings and then complete the wizard.
Choosing an Endpoint Manager Solution for Deploying an
Application

Application Type Configuration Manager Microsoft Intune

.MSI Yes Yes

.IntuneWin No Yes

Office C2R Yes Yes

APPX/MSIX Yes Yes

Store Apps Yes Yes

M365 Apps for Enterprise No Yes

Appv Yes No
DEMO: Deploy a Windows 10 app using
Configuration Manager
Resources Microsoft Intune documentation
Deployment Using Microsoft
Endpoint Manager (Segment 1
of 2)
Assessing Deployment Readiness

Module On-Premises Deployment Tools and Strategies

Agenda

Deploying New Devices Using Autopilot

Lesson 1: Assessing Deployment Readiness
Lesson Introduction

Guidelines for an effective enterprise desktop deployment

Deployment Guidelines

• Take inventory and establish infrastructure map

• Identify devices to retire
• Strategy for supporting complex application installs
• Determine opportunities for virtualization
• Establish data migration process
• Establish method for backing up data on devices
where applicable
• Establish a deployment plan describing the
complete process
• Create a training and post-deployment plan
DEMO: Review the Windows and Office
Deployment Lab Kit (aka.ms/DeploymentLabKit)
Lesson 2: On-Premises Deployment Tools and
Strategies
Lesson Introduction

Traditional Deployment

Deploying Windows 10 using Configuration Manager

Planning In-Place Upgrades

Traditional Deployment
Default Image Custom Image
• No need to create an image • Image must be created and maintained
• Applications and settings must be applied • Applications and Settings can be included in
separately custom image
• The configuration and application requirements
• One image per architecture (x86/x64) can be used (and sometimes hardware) of each group within an
for the organization organization can typically require several images to
be created and maintained
• Updates to applications cause images to become
• Updates to applications do not require the image
stale, requiring images to be updated or re-created
to be re-built
frequently
• Overall deployment time is typically slower, as • Overall deployment time is typically faster with the
configurations must be applied, and applications configurations and applications included in the
installed after the OS image is deployed image
• When applications are installed on the reference
• Some applications can be difficult to automate the
machine, they are typically easier to deploy when
installation
included with the image
Deploying Windows 10 using Configuration Manager: Introduction

• Role of Configuration Manager in a modern desktop journey

‒ With modern management tools, such as Intune and
Autopilot, and the innovative changes to
Configuration Manager, it can now act as a bridge
between how things were done, and how things can
be done in a more modern and agile way
• Building on the foundations of MDT
‒ Access to a wider expanse of task sequence variables
with which to utilize during OS deployment
‒ MDT Rules engine offers a raft of in-built options to
aid OS deployment
‒ The ability to install Windows features without the
knowledge of code
‒ Log file collection out of a template task sequence
wizard
DEMO: Examine the Configuration Manager admin
console
Deploying Windows 10 using Configuration Manager:
Introduction
Exploring Configuration Manager

• OS Deployment • Real Time query and reporting

• Application Management • Enterprise Scalability
• Update Management • Azure AD Integration
• Servicing Management • Proactive cadence adoption through
• Device Inventory (CMDB) Desktop Analytics

• Basic License Tracking • Remote Control

• Self Service Software Catalogue • User Settings Capture and Restore

• Cloud Management capability

Deploying Windows 10 using Configuration Manager:
Introduction
Exploring the Deployment Components Configuration
Manager

• Boot images
‒ The Windows Preinstallation Environment (Windows
PE) images that are used to start a Windows 10
deployment
‒ Start boot images from a CD or DVD, an ISO file, a
USB device, or over the network using a Pre-Boot
Execution Environment (PXE) server
‒ Two default boot images: One to support x86
platforms and the other to support x64 platforms
• Considerations for customizing boot images
Deploying Windows 10 using Configuration Manager:
Introduction
Exploring the Deployment Components Configuration Manager

OS images Operating system Device drivers Software updates Task sequences

upgrade packages
Stored in the Windows You can install device Provide a set of tools Configuration Manager
Imaging (WIM) file The source setup files drivers on destination and resources that can uses task sequences to
format for an operating system computers without help manage the task of provide schedule-based
including them in the tracking and applying deployments that can be
A compressed collection You can also use this
operating system image software updates to fully automated and
of reference files and package to deliver a
that is being deployed client computers require no user
folders that are required vanilla image down onto
interaction (zero-touch
to successfully install a device Configuration Manager Configuration Manager
installation or ZTI)
and configure an provides a driver catalog builds on the basic
Import operating system
operating system on a in the Software Library offerings of MDT and Automate components
upgrade packages to
computer workspace, consisting of provides a management in Configuration
Configuration Manager
two nodes: Drivers and plane that can segregate Manager (software
You must select an from a DVD or mounted
Driver Packages updates by type or OS, update packages, the
operating system image ISO file
and work with existing application model, and
for all operating system
processes for release Cloud Management
deployment scenarios
management Gateway
Deploying Windows 10 using Configuration Manager:
Managing & Monitoring
Methods for Composing a Windows 10 Deployment using Configuration Manager

Task sequences Deployment collections

Like MDT task sequences, but can draw on other After creating the task sequence, you can target it at
elements within it, such as applications created a deployment collection to allow the successful
packages and scripts delivery
Integrate the Configuration Manager task sequence Prevents unintended delivery of an OS.
engine with the MDT binaries for greater flexibility Target unknown computers to present any new
Scenarios for using a task sequence device acquired with an ability to launch a created
task sequence
Deploying Windows 10 using Configuration Manager:
Managing & Monitoring
Troubleshooting a Windows 10 Deployment using Configuration Manager

Reporting Log files

With a reporting services point configured in Configuration Manager produces numerous log files
Configuration Manager, you can access to a set of on both the client and server side to aid with
tools and resources that help you use the advanced troubleshooting
reporting capabilities of SQL Server Reporting Examples:
Services (SSRS) and Power BI Report Server
• Ccmsetup.log
• SMSTS.log
• AppEnforce.log
• Execmgr.log
Planning In-Place Upgrades

Recommended path to Windows 10

Preserves all data, settings, apps, and drivers

Can be rolled back at any point

Leverages Windows setup

Use task sequences leveraging either MDT or Configuration Manager

Considerations for in-place upgrades

Scenario In-Place Upgrade Fresh Installation

Move from 32-bit operating system to 64-bit No Yes
(e.g. Windows 7 32-bit to Windows 10 64-bit)
Move from one version of Windows to a lower target version No Yes
(e.g. Windows 10, version 21H1 to version 1909)
Existing device meets minimum hardware specifications Yes Yes
(including free disk space)
Existing apps are compatible with the target version Yes Yes

Existing OS language is the same as the target version Yes Yes

Intend to multi-boot/dual boot operating systems No Yes

Intend to use the standard install.wim No Yes

Requires creating and maintaining operating system images No Yes

(or a clean ISO file which then needs to be updated with apps, drivers,
and settings
Lesson 3: Modern Deployment Using
Windows Autopilot
Lesson introduction

Modern Deployment using Autopilot

Requirements for Windows Autopilot

Preparing Device IDs for Autopilot

Device Registration and OOBE Customization

Modern Deployment using Windows Autopilot

• No images, drivers, or infrastructure

• Customize the out-of-box-
experience
• New devices typically have Windows
10 installed
• Device refresh
Modern Deployment using Windows Autopilot
Comparing Autopilot with Traditional Methods

Traditional deployment Modern deployment

Deploys Windows 10 images Yes No

Can be used with any preinstalled Yes No

operating system
Requires a previous Windows 10 No Yes
installation
Uses an on-premises infrastructure Yes No

Tools for preparing the deployment Windows ADK, Windows Windows Configuration
Deployment Services, Designer and Windows
Microsoft Deployment Toolkit Autopilot
(MDT), and Configuration
Manager
Requirements for Windows Autopilot

Devices must have Windows 10 Devices must be registered to the

preinstalled: organization:
• Windows 10 Pro, Enterprise, or • Device-specific information uploaded to
Education the cloud

Devices must have internet connectivity: Organization must be using Azure AD:
• Windows Autopilot is a cloud service • It must also use Microsoft Store for
Business or Intune

Intune or other mobile device Access to required URLs

management service (optional):
• For managing deployed Windows 10
devices
Preparing Device IDs for Autopilot
Upload device IDs
Windows Autopilot service

Create
deployment Deploy Self-
Upload deploy
profile device IDs

Existing devices
Hardware vendor Device IDs

Employee unboxes
device and self-deploys
Device Registration and OOBE Customization

Step 1 Step 2
Create a Windows Autopilot deployment file Apply a deployment profile

Until you apply the deployment profile, Windows Autopilot doesn’t

A required profile that specifies the settings to apply to the devices
manage the OOBE setup phase on the device

You can create and use multiple deployment profiles with Windows Windows Autopilot takes control of the OOBE setup phase on the
Autopilot, but can only use a single profile to deploy each device devices to which you apply the profile
Windows Autopilot Documentation

Module Three Join the Windows Community

Resources Windows IT Pro Blog

Windows technical documentation

Windows Learning Paths

Deployment Using Microsoft
Endpoint Manager (Segment 2
of 2)
Deploying New Devices Using Autopilot

Module
Agenda Dynamic Deployment Methods
Lesson 1:
Deploying New Devices Using Autopilot
Lesson introduction

Demo Windows Autopilot

Autopilot Scenarios

Troubleshooting Windows 10 Autopilot

DEMO: Create and apply an Autopilot deployment
profile
Autopilot Scenarios

Windows Autopilot user-driven mode

Windows Autopilot Self-Deploying mode

Autopilot for Existing Devices

Windows Autopilot for pre-provisioned deployment

Windows Autopilot Reset

Comparing the default and Autopilot OOBE experience

Default OOBE setup phase OOBE setup phase with Windows Autopilot
Dynamic provisioning methods

Subscription activation Mobile Device Management Provisioning packages

Change the edition of Windows 10 Auto-enroll existing Windows 10 devices to Apply configuration settings to a Windows 10
apply configuration policies and applications devices using either removable media or
installed downloaded directly to the device
DEMO: Review Subscription Activation and
Provisioning Packages
Troubleshooting Windows 10 Autopilot
When troubleshooting Windows Autopilot, the key things to understand are:
Autopilot flow 1. Network connection established
2. Autopilot profile downloaded
3. User is authenticated (user-driven deployment mode only)
4. Azure AD join occurs
5. Auto MDM enrollment
6. Settings applied
Profile download 1. Ensure user connected device to the internet
2. Ensure profile exists and is assigned
1. If a blank profile downloaded, check Microsoft Endpoint Manager admin
center and assign a profile
2. New profile can be downloaded by rebooting the device
3. Ensure only one profile is assigned to the device
Key actions to perform 1. Review Azure AD and Microsoft Intune for proper licensing and profile and user
assignments
2. Look for Azure AD join issues and MDM enrollment issues
3. Gather troubleshooting logs mdmdiagnosticstool.exe –area Autopilot –cab <path>
Lesson 2: Dynamic Deployment Methods
Lesson Introduction

Azure AD Join with Automatic MDM Enrollment

What it is
• Registers devices in Azure AD and auto-
enrolls them into Intune
• Simplifies provisioning of devices
• Applies to BYOD/CYOD scenarios

Using Azure AD/MDM, you can:

• Join devices to Azure AD automatically
• Auto-enroll your users’ devices into MDM
services
• Configure the joined devices by using MDM
policies
DEMO: Automatic Azure AD Join with
MDM Enrollment
Lesson 3: Planning a Transition to Modern
Management
Lesson Introduction

Co-Management – A Practical Path to Modern Management

Prerequisites for Co-Management

Modern Management Considerations

Modern Management Upgrade or Migration

The Modern Transition: Migrating Data

The Modern Transition: New Devices with Intune

Co-management: a practical path to modern
management

• Simplifies the transition to modern

management
• Benefits of modern management from day
one
• Devices managed using both on-premises
Configuration Manager and Intune
• Even when not connected to on-premises
environment, devices can be managed by
Intune
Prerequisites for Co-Management

Devices must be hybrid Azure AD joined

Latest Azure AD connect must be installed and configured to sync computer accounts to Azure AD

Intune MDM must be setup and automatic enrollment configured

All users must have Enterprise Mobility + Security (EMS) or Intune license assigned

Windows 10, version 1709 or later must be used

Azure AD automatic enrollment enabled

Planning Co-Management
Transitioning Workloads to Intune

• Resource access policies • Endpoint Protection

‒ Email profile ‒ Windows Defender Application Guard
‒ Wi-Fi profile ‒ Windows Defender Firewall
‒ VPN profile ‒ Windows Defender SmartScreen

• Certificate profile ‒ Windows Encryption

• Windows Update policies ‒ Windows Defender Exploit Guard

‒ Windows Defender Application Control
• Device Configuration
‒ Windows Defender Security Center
• Microsoft 365 Select-to-Run apps
‒ Windows Defender Advanced Threat
Protection
‒ Windows Information Protection
‒ BitLocker
DEMO: Configuring Co-Management
Modern Management Considerations
Modern Transition Considerations
MDT Configuration Windows
Manager Autopilot
Require the creation golden images Yes Yes No
Ability to rebuilt or reset the device Yes Yes Yes
Ability to perform a bare-metal build Yes Yes No
Can be used with any preinstalled operating system Yes It will wipe the Yes It will wipe the Yes
preinstalled preinstalled
operating system operating system
Installation of applications when device is being built Yes Yes Yes
Deployment of applications post build No Yes Yes
Migration of user data (USMT) Yes Yes No Recommend to
use OneDrive Known
Folders
Perform an in-place upgrade No Yes No Deployment
only
Using Imaging with Modern Methods

Scenarios that may require you to use imaging with • A device cannot boot into Windows, resulting in the
modern management need for a bare-metal build
• Bare-metal deployments
• Client storage drive replacements
• A device is procured with a newer version of
Windows 10 than has been standardized in your
company

OFFICE & APPS

DRIVERS POLICIES

SETTINGS

Build a custom image, gathering Deploy image to a new computer

everything else that’s necessary to deploy
The Modern Transition: Upgrade and Migration
Migrating user state and data

Migrating user data • Device replacement

• Device is being upgraded from an older OS to
Windows 10 and an in-place upgrade is not possible
(e.g. 32-bit Windows to 64-bit Windows)
• A clean installation is needed
Migration scenarios • Side-by-side: source and destination computer are
different
• Wipe-and-load (refresh migration): source and
destination computer are the same
Migrating user data the traditional way
Using USMT with Configuration Manager

Create a USMT Package from Setup a State Migration Point Task Sequence Use USMT Templates for
Configuration Manager (Configuration Manager Site Migration
Can include USMT
System Role)
Create a custom USMT package xml templates that control data
Occurs in the task sequence
or use the default package Acts as a file share to store data that is collected in a user’s
when:
profile:
Stores a unique hash:
• Capturing settings
• MigApp.xml
• Device that allows data to be
• Reinstating the settings for a
captured • MigDocs.xml
user depending on selected
• Device upgraded options • MigUser.xml
• Relevant data to be restored • ConfigMgr.xml
Migrating user data the modern way
Known Folder Move - A Modern Alternative to Managing User Settings

Automatically migrate user files to OneDrive

Prompt or Silent operation

Be mindful of bandwidth when implementing

Can’t use KFM if using Folder Redirection or

unsupported file types
The Modern Transition: Upgrade and Migration
Considerations for Migrations

In-Place upgrade Migration

Preserves the environment Provides a standardized environment

Doesn't need to reinstall apps or transfer data You can control what migrates

Upgrade can be rolled back if needed Cleans up the environment

Only certain upgrade paths are possible You must reinstall the apps

You must use the in-place Windows 10 image You can use a custom Windows 10 image
In-Place Upgrades

Adapt modern desktop deployment with Windows

Autopilot for an existing, legacy device
Transform a traditional domain joined endpoint into
an Azure AD managed device and perform a rebuild,
all within the same piece of automation
The Modern Transition: Workload Migration
Migrating client management to Intune

Start moving to cloud- • Simplifies the transition to modern management

management • Benefits of modern management from day one
• Devices managed using both Configuration Manager and Intune
• Even when not connected to on-premises environment, devices can be
managed by Intune
Smaller or new organizations • The OS configuration capabilities provided by Intune meet the needs
should start in the cloud • Applications are modern and relatively simple installs
• There is not an excessive amount of existing legacy applications
• The existing configuration management deployment is relatively simple

Configuration Microsoft
Manager Intune

Tenant Attach Co-management Native cloud

management
Windows Autopilot Documentation

Join the Windows Community

Resources Windows IT Pro Blog

Windows technical documentation

Windows Learning Paths

Surface Deployment with Autopilot
St r e a m l i n e d Complete device Intelligent
Deployment Management Security
+Secure hardware

Familiar IT challenges
Management
Surface Devices across the lifecycle: Windows Autopilot and White Glove
Microsoft 365

Endpoint
2 Manager
Azure AD
Microsoft
Endpoint Manager
Office 365 Windows Autopilot
1 Device information
(Automated Process)

device serial #
Autopilot profile Zero-touch Provisioning
4 • Driven by corporate login
Device actions
• Remote wipe • Windows
User Enterprise
settings & configurations Partner / reseller or
• Autopilot reset Security configuration & policies
•
• User targeted applications customer’s IT staff
• UEFI configuration & management
•• Quicker provisioning
Microsoft time
365 Apps & Teams
Lessofbandwidth
•• Line strain
business applications
• Intercept and pre-provision
• • User privileges
Consistent user experience! • Device settings & configurations
• Software updates
• Hardware & security configuration
5 • Device targeted applications
3
Full lifecycle Reseal
management On demand

Deprovisioning
(EOL)
Steady use Fulfill and deliver

Warranty
Replacement
Windows Autopilot on Surface
End-users are immediately productive with Surface!
Deployment Management Security

Streamlined deployments

25
78%
Windows Autopilot
White Glove

Autopilot: Windows image Apps, settings,

and drivers and policies

Autopilot
Device apps,
White Glove: Windows image
settings, policies;
User settings
and drivers and profiles
user apps
Demo
Modern Management on Surface
Help my users
collaborate
remotely

Help me stay safe I’m drowning in I want happier

and secure complexity! users

Help me succeed Help me balance

in a hybrid control and
environment flexibility

Common themes from IT leaders in businesses

IT Pros love Microsoft
Surface + M365 because
it reduces cost and
complexity
St r e a m l i n e d Complete device Intelligent
Deployment Management Security
+Secure hardware

Familiar IT challenges
Deployment Management Security

Intune Zero-touch
UEFI Management
Deployment Management Security

Surface Enterprise
Management Mode (SEMM)
Deployment Management Security

Intune Zero-touch
UEFI Management
Deployment Management Security

Modern management

15%

78%
Demo
DFCI + INTUNE
DEMO
Deployment Management Security

Tenant Lockdown
Surface continues to implement
Microsoft 365 technologies 1st and Best
Deployment Management Security

Best-in-class security

80%
50%
Deployment, Management, and Security
The User Lies at the center of deployment,
management and security
Removing the barriers

five hours

21%

76%
Our Surface Family
Teamwork without boundaries

The ultimate creative studio

Powerhouse Style and speed Ultra-light versatile Portable power

performance

.
Surface to Chip Cloud Security
Today’s workplace
needs an integrated
security solution
✓ Organizations are pivoting to remote work
✓ Current network infrastructures were not built
with today’s security in mind

✓ Increasingly sophisticated and targeted attacks,

specifically at a firmware level

✓ Customers need an added layer of security to

ensure comprehensive protection as they adapt
to remote work
The increasing costs of data breaches

$3.86M >$124B 190 $10B

USD USD DAYS USD
average total cost of data will be spent worldwide average mean time it will be spent globally
breach to companies for information security takes to identify a data on security awareness
worldwide, +6.4% from in 2019 2 breach 1 training for employees
2017 1 in 2027 3

1NASCIO, Ponemon Institute’s 2018 Cost of a Data Breach Study, September 2018. 2Gartner, Gartner Forecasts Worldwide Information Security to Exceed $124 Billion in
2019, August 2018. 3https://www.cpomagazine.com/cyber-security/11-eye-opening-cyber-security-statistics-for-2019, June 2019.
Did you know? Security effects more than just IT
C-Suite & Product HR & Legal
Finance Development Operations

40% 96% 24x LAWSUITS

& FINES
Three years after an 96% of cybercriminals The average cost of Companies can be sued
attack, breached attack to gather downtime is 24 times by customers whose PII
companies underperform intelligence such as higher than the average has been stolen; and
the index by a margin of proprietary IP. 4 ransom amount. 4 fined by regulatory
over 40%. 4 agencies. 11

1 300+ Terrifying Cybercrime and Cybersecurity Statistics & Trends [2020] EDITION] – Comparitech, July 2020, https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends/
2 https://www.blackstratus.com/risk-liability-assessment/
There is a clear need for device protection.
The answer? Layered security with Microsoft Surface.