Planning for cloud-native Windows endpoints and modern management
Published Oct 11 2021 09:00 AM

Hybrid work requires a flexible operating model that empowers employees to work from any location. Azure Active Directory (Azure AD) joined devices enable you to transition towards a cloud-first model with Windows while reducing overall endpoint management costs and maintaining security amidst the IT complexity that comes with hybrid work.

For more than two decades, Windows endpoints were typically joined to on-premises Active Directory for secure access to network resources using Kerberos, Group Policy, and security settings. To meet the increasingly rapid pace of transformation, organizations have worked to recalibrate their digital infrastructure to reduce dependencies on technologies that do not provide business resiliency.

We have been working closely with our customers around the world to enable a workplace that has limited or no reliance on on-premises technology and can support hybrid work for employees. The switch to the cloud can be challenging for those with complex environments that rely heavily on on-premises architecture. To help organizations begin their cloud journey with the least disruption possible, we introduced hybrid Azure AD join as an interim step for unified management. Hybrid Azure AD join enables you to take advantage of some of the benefits of Azure AD while still having your Windows endpoints joined to your on-premises Active Directory.

Although we will continue to support hybrid Azure AD join, we strongly recommend that organizations embrace fully cloud-native Windows endpoints.

Cloud-native Windows endpoints

The unprecedented change in the way we now work reinforces the need to shift device management capabilities to the cloud. As we continue to adapt to remote and hybrid work, we recommend that organizations:

  • Update Windows endpoints with the latest patches and features remotely.
  • Ensure that only compliant devices can access confidential resources.
  • Adopt zero-touch provisioning for devices, giving new employees an immediately productive out-of-box experience when onboarding remotely.

In order to enable rich analytics and gain valuable, actionable insights across your device estate, Windows endpoints joined to Azure AD need to be managed by a unified endpoint management solution like Microsoft Endpoint Manager. These endpoints are purely managed in the cloud and are known as cloud-native Windows endpoints.

If you are managing Windows endpoints today in Configuration Manager, your next step toward modern management is to attach your Configuration Manager infrastructure to Microsoft Endpoint Manager, which gives you the cloud console and additional cloud capabilities, and to enable co-management. If you have new Windows devices, we encourage you to join them directly to Azure AD in order to take advantage of the benefits you get with cloud-attached endpoints.

Let's dive into the key benefits of cloud-native Windows endpoints in the hybrid world of work and discuss why now is a good time to reevaluate your endpoint management strategy.

Moving forward in a hybrid, modern workplace

The industries hardest hit by the pandemic were those that required a constant connection to on-premises networks and systems, thereby limiting their ability to be flexible and support remote work. By joining Windows endpoints to Azure AD, you enable employees to work from any location, removing the need for line of sight to domain controllers. With Azure AD-joined devices, a VPN connection isn't required for the initial device sign-in or to update the password cached on the device after the user's password changes.
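A practical first check when auditing an estate is whether a given device is actually Azure AD joined (cloud-native), hybrid joined, or still only domain joined. The following PowerShell function is an added example, not code from the original post or from Microsoft; it parses the output of the built-in dsregcmd /status tool, which prints "Key : Value" lines under Device State, User State and Tenant Details. The sample output embedded at the end is constructed and abridged, and the device name and tenant values in it are placeholders.

```powershell
# Added example (not from the original post): classify a Windows device's join state
# from dsregcmd /status output. Run in the signed-in user's context, not as SYSTEM,
# so that the User State section (WorkplaceJoined) is populated.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Lines of dsregcmd /status output. Defaults to running the tool locally;
        # pass captured text to parse output gathered from another machine.
        [string[]]$StatusOutput = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" pairs inside ASCII-boxed sections; keep the first
    # occurrence of each key and drop the spaces dsregcmd puts in some key names.
    $state = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1] -replace '\s', ''
            if (-not $state.ContainsKey($key)) { $state[$key] = $Matches[2] }
        }
    }

    $aad = $state['AzureAdJoined']   -eq 'YES'   # joined to Azure AD
    $ad  = $state['DomainJoined']    -eq 'YES'   # joined to on-premises AD
    $wpj = $state['WorkplaceJoined'] -eq 'YES'   # Azure AD registered (user-level), not joined

    # Cloud-native means Azure AD joined with no on-premises domain join;
    # both together is hybrid Azure AD join, the interim state the post describes.
    $kind = 'NotJoined'
    if ($wpj) { $kind = 'AzureAdRegistered' }
    if ($ad)  { $kind = 'OnPremisesDomainJoined' }
    if ($aad) { $kind = if ($ad) { 'HybridAzureAdJoined' } else { 'CloudNative' } }

    [pscustomobject]@{
        JoinType      = $kind
        AzureAdJoined = $aad
        DomainJoined  = $ad
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

# Constructed, abridged sample of dsregcmd /status output for an Azure AD joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

Get-DeviceJoinState -StatusOutput $sample

# On a real machine, simply call Get-DeviceJoinState with no arguments.
```

Hybrid Azure AD joined devices report both AzureAdJoined and DomainJoined as YES, which is how you can tell them apart from the cloud-native devices the post recommends. Run the function against exported dsregcmd output from a sample of devices to see how far along the transition an estate really is before planning Autopilot or Conditional Access rollouts.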

Simplify endpoint management

The modern workforce is decentralized and often disconnected from corporate networks. Gone are the days when every employee had a designated work desktop or laptop and was allowed to work only on corporate devices. Microsoft Endpoint Manager can reduce the cost of managing multiple device fleets and operating systems because it provides a single pane of glass to manage apps and endpoints. This simplifies IT operations, hardens security policies, and enhances the employee experience.

Microsoft Endpoint Manager provides a unified console for all your cloud endpoints and on-premises endpoints that are cloud attached. To help you transition from maintaining complex Group Policy objects, Microsoft continues its investment in tools like Group Policy analytics that help you to analyze on-premises Group Policy objects and translate them to the cloud.

Another key benefit of cloud-based modern management is automated updates for Windows endpoints. Windows Update for Business lets IT deploy feature and quality updates that keep Windows endpoints current. It also reduces costs and helps improve security by eliminating the need for on-premises infrastructure to deploy updates.

Frictionless device onboarding with Windows Autopilot

Provisioning devices by manually installing an operating system (OS) is not practical for employees onboarding remotely around the world. Windows Autopilot enables IT to pre-configure a device with applications, security, and configuration policies so the device is ready to use once shipped to the employee. Windows Autopilot requires no infrastructure to manage this process and allows you to easily provision devices for employees in any location, without a connection to a domain controller. Windows Autopilot can be used with hybrid Azure AD-joined devices; however, Microsoft does not recommend this approach. We strongly recommend leveraging Windows Autopilot to join endpoints directly to Azure AD.

Prioritize security and usability with easy access to critical resources

With the increase in volume and sophistication of threats in the remote and hybrid world of work, organizations are seeking a Zero Trust approach, in which nothing is implicitly trusted, whether it sits inside or outside the corporate network. Endpoints like devices and apps are a crucial part of Zero Trust. Resources must be protected, and access allowed only when specific conditions and policies are met.

With cloud-native endpoints, you can enable single sign-on not only to cloud apps, but also to on-premises resources such as web applications and file servers when the device is on the corporate network. Cloud-native endpoints can be evaluated for device compliance, and Conditional Access policies can require a compliant device before granting access to sensitive resources. For added security, cloud-native Windows endpoints can be configured to use Windows Hello for Business, and a Windows Hello for Business sign-in satisfies a multifactor authentication requirement without additional configuration.
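The compliance-gated access described above is expressed as a Conditional Access policy. The following is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy in the Microsoft.Graph.Identity.SignIns module) to create a policy that grants Windows devices access to all cloud apps only when Intune reports them compliant. It assumes the SDK is installed and that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission; the break-glass group ID is a placeholder.

```powershell
# Added example (not from the original post): create a Conditional Access policy that
# requires a compliant Windows device for all cloud apps, via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller granted
# Policy.ReadWrite.ConditionalAccess. The group ID below is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder object ID of an emergency-access ("break glass") group. Excluding it means
# a compliance-service outage or a mis-scoped compliance policy cannot lock admins out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require compliant Windows device for all cloud apps'
    # Start in report-only mode; review the sign-in logs, then change to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @('All') }
        platforms    = @{ includePlatforms = @('windows') }
    }
    # 'compliantDevice' is satisfied only when Intune marks the device compliant,
    # which requires the device to be enrolled and a compliance policy to be assigned.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a practitioner should check before enforcing this: first, the compliance signal comes from Intune, so assign a Windows compliance policy to the same devices and confirm in the Intune console how devices with no compliance policy are treated (the tenant-wide default decides whether they count as compliant). Second, scoping the platform condition to Windows leaves other platforms ungated; add them deliberately rather than by omission.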

How to move toward cloud-native endpoints

Let's face it, it's not easy to welcome change—especially a change that involves tremendous planning and testing before deployment. As we speak with customers, we often find they struggle with where and how to start planning. At Microsoft, we are committed to helping you through your journey to modern management and to helping you empower your employees to work securely and efficiently with the innovations we are making in Azure AD and Microsoft Endpoint Manager.

We encourage you to get started with the following resources, which are designed to help you plan a proof of concept to test cloud-native Windows endpoint management with Microsoft Endpoint Manager:


Last update: Feb 10 2023 12:04 PM