What’s new in Microsoft Endpoint Manager – 2111 (November) edition

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

This month, after the great set of announcements from Microsoft Endpoint Manager at Microsoft Ignite, I thought I'd share "behind the scenes" stories about some of the new capabilities we announced at Ignite, from remote help to our Frontline worker investments. There are plenty of additional capabilities that we released this month; from Filters to Windows Updates - here's the complete list of Endpoint Manager features for 2111 (November). As usual, I appreciate your feedback and I hope you appreciate these behind-the-scenes stories of features newly released or coming soon. Comment on this post or connect with me on LinkedIn.

Remote help: Getting our remote assistance offer to market

The need for a cloud-native remote assistance solution for Windows became more time sensitive for customers during the COVID-19 pandemic, when users could no longer visit their company helpdesk in person.

The Endpoint Manager team interviewed existing and potential customers to understand requirements across different organizations and regions. They told us they wanted a solution that would ensure security and build trust between Helpdesk staff and the users who needed help. They also needed it to tie directly into Endpoint Manager for ease of overall management and integrate with other security features such as device compliance.

Rather than build from scratch, we were able to accelerate time to market by building on existing Microsoft technology that already had much of the functionality we were seeking; we needed to add more enterprise-grade features. By partnering with the internal team that had built the technology, we were able to develop an enterprise-ready remote assistance product faster and with higher performance than we would have otherwise.

The outcome of our collaboration is the new remote help application, featuring enterprise capabilities such as role-based access control, enhanced trust, elevation, and session reporting. Private preview customer feedback has been very positive, and we'll be releasing the public preview soon. For more information, see: Remote help: a new remote assistance tool from Microsoft, and watch the video to hear directly from Neha Shah, Sr. Program Manager on the Endpoint Manager team, who led the development of this solution.

Designing device management for Android Open Source Project based on the needs of Frontline Workers

Our Android Open Source Project (AOSP) device management initiative started to roll out and was announced in October, but has a longer back story that involves deeply understanding the needs of Frontline Workers.

Historically, Android devices that aren't integrated with Google Mobile Services (GMS) don't have a management option to keep up to date with management API changes. Android Enterprise is not an option, as that management mode has a hard dependency on GMS. Device Administration (DA) management provides some basic management support but doesn't match the scope of corporate device management with Android Enterprise. Moreover, DA management has reduced support over the past few years as Google moved towards Android Enterprise and newer APIs. While DA provides basic management, support remains limited and based on available settings and additional OS-level end of support.

As such, many Frontline workers use devices without GMS, making deployment, configuration, and device protection challenging.

We set out to address the situation. Together with a dozen customers, we listed the engineering challenge: how do we best manage the heterogeneity of Android devices, especially those without GMS? How can we help Frontline Workers using these devices on a factory floor or in a healthcare facility stay secure and ensure configurations and policies that make these devices easy to use are applied?

Goodyear, one of the world's leading tire manufacturers, was part of the cohort of customers that greatly influenced our direction. As shared in this case study, they were using Microsoft Endpoint Manager and RealWear assisted reality wearables to help remote experts diagnose and fix broken machinery in their plants. Ensuring all their Frontline Worker devices were provisioned based on their needs and more secure to protect sensitive information was critical to them.

By continually testing ideas, prototypes and then preview software with our customers, we built a management solution for AOSP devices that was launched in public preview in October. Our first release includes support for configuration and compliance policies, conditional access, and preliminary device management; additional features (such as support for additional applications) will come in 2022. RealWear is the first Android (AOSP) device that will be supported by Endpoint Manager for corporate AOSP management. Learn more: Microsoft adds Android Open Source Project device management.

Managing unenrolled Microsoft Defender for Endpoint devices

Endpoint security management is as old a concept as Group Policy and Active Directory. That, in itself, was the problem that most of our customers faced when they started looking at modernizing security management. With multiple ways to configure the same settings, getting complete coverage of your digital endpoint from a single surface was complicated.

It was hard to leave behind the old ways and come up with innovative solutions. There was always a machine that wasn't connected to Endpoint Manager, one that was born in the cloud with no connection to Active Directory, or any other permutations of scenarios that fractured the security management experience. We wanted to bring these worlds together, without another management surface.

We brought together our Endpoint management team with the Microsoft Defender for Endpoint team to brainstorm. How could we create a security management story that leverages the investments people have already made in the Microsoft 365 stack, while keeping it easy to manage and use? Our goal remained simple. Once Microsoft has a security or management presence on the device, everything else should just work!

Our approach rested on four principles:

  1. Recognize that the security team and the management team at a customer site were not always the same individuals. Equally, the server management team and the endpoint management team were not necessarily the same. We needed to enable security and management teams to operate independently while protecting and managing the endpoint without requiring enrollment.
  2. Build on top of Microsoft 365, leveraging investments in Endpoint Manager and Azure AD, which are already used by the majority of our customers.
  3. Do not recreate another management solution. We focused only on those Microsoft Defender or Microsoft Endpoint Manager components that did not duplicate existing solutions.
  4. Enable support for multiple platforms, in a single surface, for security management.

At Microsoft Ignite we announced our first step in this journey. With the Microsoft Defender for Endpoint team, we've built a capability that allows your Windows devices to receive security policy from Endpoint Manager, regardless of their enrollment status. This initial capability provided by the Defender for Endpoint client is available for public preview, with more innovations on the way. While security continues to grow in complexity, this management integration will drive simplicity for your organization. To read more, see Manage Unenrolled Defender for Endpoint Devices and to learn more about endpoint security and its role in your organization, watch Endpoint Manager Program Managers Lance Crandall and Matt Call at Microsoft Ignite: Endpoint security management with Microsoft Endpoint Manager.

Coming soon – the ConfigMgr 2111 release

Microsoft Endpoint Configuration Manager is a core component of Endpoint Manager, our unified endpoint management solution. We are about to release ConfigMgr 2111 in the next few days! Be on the lookout for more via LinkedIn and the Configuration Manager Blog as we release 2111 to the early update ring; it will be globally available soon after!

Let us know what you think

This month was a huge month of announcements for Microsoft Ignite! So, this month more than ever, please share your feedback so we can continue to improve the user experience and simplify IT administration. Please share comments, questions, and feedback by commenting on this post or connecting with me on LinkedIn.

