Microsoft Endpoint Manager and Intune already have the tools you need to configure and manage PCs so they’re secure, up to date and only carry the applications employees need. But, especially for organizations that didn’t have to think about remote staff and people working from home before the pandemic, setting up endpoint management can look complicated. Some teams even lack the expertise to use the workbooks that cover some of these settings.
The new Windows 10 Cloud Configuration tool packages up all the best practices, settings and configurations that Microsoft recommends on a managed endpoint for employees who need a standard PC setup, and makes that easy for organizations to apply to new or existing PCs.
Simplifying endpoint management
If you looked at the announcement of Cloud Config and wondered what was different from the way you’re already managing devices in Intune and Endpoint Manager, it might not be for you. Built from components that already exist, it’s a guided scenario in Intune, which is part of Endpoint Manager and needs an EMS E3, Microsoft 365 E3 or E5 licence. It works on new and existing Windows 10 devices running Windows 10 Pro, Pro for Education, Pro for Workstations, Windows 10 Enterprise, and Windows 10 Education, and users are registered in Azure Active Directory. You also need a Microsoft 365 Apps licence for each user to do Known Folder Redirection with OneDrive for Business.
The key breakthrough is making all this much easier to use for an audience that didn’t need to use them before.
Many organizations had to make the switch to cloud management of PCs since those devices were no longer in the office. But as they looked at handling the mix of office and remote work, especially for frontline workers, they were asking Microsoft for help, director of product marketing for Microsoft Endpoint Manager Melissa Grant told TechRepublic.
“They were saying ‘as we start to move into hybrid, we need something a little simpler, a little faster to value and a little bit more streamlined for some of our workforce that is working in between physical and virtual environments; sometimes working from home, sometimes coming back on-site’.” That was especially true for large organizations with a mix of information workers, firstline workers and seasonal or temporary workers.
When the Endpoint Manager team asked a group of customers if they’d be interested in an easy, zero-touch option for setting up the recommended configuration and a curated set of apps on a PC, they got two reactions. Half noted that they already did that — it was just the way to have a well-managed endpoint. The other half wanted to do the same thing but said they didn’t know how.
SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)
“That created the idea to have Cloud Config, where we could take things they’re already using — Endpoint Manager, Windows Pro or Enterprise devices, Autopilot, things they’re familiar with — and put it together in this recommended configuration to make it super easy for them to get to that end state that they really wanted to get to, but just didn’t have the cycles or the expertise to do,” Grant said.
“We want to relieve and not add to the burden of IT,” she added. “They’ve had so much to do over the past year, and now they have a whole new set of challenges ahead of them as we start to think about what this new hybrid-work world looks like, where people are toggling between locations and maybe across different devices — a personal device maybe with virtualization, a physical device when they’re in the workplace. We want to make it simple, make it streamlined, make it easier for them to do because they just have so much on their plates right now.”
The initial version of Cloud Config was built in just a couple of weeks as a step-by-step guide for those customers to follow for setting up remote, information and frontline workers. Now it’s a guide scenario that’s available in Endpoint Manager and will be getting more features.
The idea is to reduce the complexity for IT admins and make it faster and simpler to get secure devices that are still set up for productivity, and not locked down so much they’re slow or hard to use. That’s even more important when it’s harder to get support because there are no helpdesk visits at home, Grant pointed out. “These are secured endpoints that still work the way people need them to work.”
Cloud Config is ideal for end users who don’t need a complicated setup on their PCs, Ravi Ashok, program manager on the Endpoint Manager team who built Cloud Config, told TechRepublic. “They just need something that’s easy to use that’s got a pretty simple config; from the IT side we want it to be easy to set up as well. Windows has a lot of bells and whistles and knobs, and sometimes, with all the different users and the different needs they have in the organisation, it can be hard to land on exactly how to configure this device for this environment.”
Ashok describes Cloud Config as prescriptive guidance: “We redirect user storage to the cloud using OneDrive folder redirection. We apply the Windows Security Baseline: this is a set of endpoint security settings based on Microsoft research that adds a layer of protection to the device on top of what you already get with Microsoft Defender. We also recommend applying the Windows 10 update ring, so that devices are constantly updated with the security features and quality updates.”
It starts with the basics: applying a device name to organise devices. If you use Windows Autopilot to pre-configure new devices, you can use that in Cloud Config to create a guided setup experience for users that tells them to type in their Azure AD details on a new PC to get started. The guided flow creates all the necessary resources: “The Autopilot profile, the enrolment status page, the settings to redirect storage to OneDrive, the compliance policy. I can also add other things like certificates, Wi-Fi profiles, VPN profiles — whatever these devices are going to need to access organisational resources.”
Cloud Config automatically installs the Teams client and the new Edge browser; it also includes a step for adding specific Office applications or your own line-of-business apps, so you can use it as a simple way of creating a kiosk. “Customers have frontline workers who are on the warehouse floor or a hospital floor, and the device that they use needs to be secure and easy to log into, and have a single-line-of business app that they use every day.”
Manage multiple configurations
You can use groups to manage which devices get a specific configuration and Cloud Config. Conflict reports in Endpoint Manager will warn you if you’re deploying something that conflicts with an existing configuration, but whether you deploy to an existing group or create a new one with the tool, Microsoft recommends removing any other Endpoint Manager configurations deployed to devices. Ashok suggests running a pilot, to see what that will change: “Set up a new group with these configurations and then do a check for things that you might have targeted broadly across the organisation, say to all Windows devices.”
You may want to reset devices to give a clean experience. “That gives you the baseline essentials to get started with and then you can layer stuff on top,” Ashok said. “You are free to manage any of the resources the way you do today and change the settings.”
SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)
Resetting with Cloud Config is also a way to get a device back to a working state when you’ve tried — and failed — to fix it through normal troubleshooting options, Ashok noted. “If it takes too long to diagnose what might be wrong with a device, or if the user doesn’t have access to support because they’re working remotely, you can do an Autopilot reset on the device to get it back online. Because we redirect user storage to OneDrive, any data that the user creates in their documents folder or their desktop automatically gets synced up to the cloud. They set it up the way they did the first time and they’re back on the desktop with the same apps and configurations applied, and all of their data gets synced back down from OneDrive.”
First steps in the cloud
Customers who are interested in Cloud Config may go on to use more of the cloud management features in Endpoint Manager, Grant suggested.
“They may have taken a half step into a cloud-optimised infrastructure, and this allows them to take a bit more of a full step in. Perhaps they were trying co-management, where they were starting to utilise some of those tools, but still relying on on-premises file storage. Maybe they weren’t using web apps as efficiently as they could because they didn’t really need to when everyone’s working on a desktop, or a kiosk on a shop floor. This allows them to take a little bit more of a full step into a cloud-optimised environment and they find it’s not painful and it’s really functional. If you can actually help me get there, and you can apply the right security baselines, if you can make it easy for me to deploy and manage, I can actually do more in the cloud than I thought I could do before.”
Although the scope of Cloud Config is fairly limited, it fits in with the way Microsoft is approaching recommended configurations through Azure Automanage for server VMs and the frameworks that recommend configurations for Android and iOS devices.
In the long run, IT admins may get a much more unified view of all these kinds of resources, Grant suggested.
“Looking ahead…you have the flexibility to do new things down the road, but also to just see your entire environment in one place — whether that’s a Cloud Config device, or a device configured in another way– maybe for a specialised workflow — or also your non-Windows devices, your virtual devices, all in one environment.”