Maximizing Your Microsoft Investment

Jon Anderson, Now Micro Senior Systems Consultant, answered some questions to help our customers get the most out of Microsoft.

1. What are some hidden gems or underutilized features of Microsoft’s products that companies should be aware of?

One of the most valuable products that I regularly see being underutilized is the Microsoft Defender suite of tools. Organizations that own A3 / E3 licensing can take advantage of Microsoft Defender for Endpoint Plan 1, which includes several useful tools for securing devices. Organizations that own A5 / E5 licensing can further take advantage of Microsoft Defender for Endpoint with the Plan 2 license. Also included are tools like Microsoft Defender for Cloud Apps and Microsoft Defender for Office 365.

There are also several products beyond the Defender suite of tools that I commonly see being licensed but underutilized or not used at all: Always On VPN, Windows Update for Business, Remote Help (for educational organizations), Conditional Access, Intune, Autopilot, and more. All the products in this list are included at some level in an A3 / E3 license.

2. How can organizations optimize their licensing to fully leverage Microsoft products’ capabilities?

I recommend reviewing the list of Microsoft licenses that are owned by the organization. Look at the list of features that are included in the license and determine if there is value in implementing any of the features that are currently unused. It is possible to apply different levels of licensing to multiple groups of users and/or devices. I’d recommend evaluating which features are required by the users / devices in the organization and purchasing the appropriate licenses to match the feature requirements.

3. How should companies determine which Microsoft apps/services are most valuable for their specific needs?

I recommend taking advantage of the trial licenses that Microsoft offers. Most of the licenses Microsoft offers are available to use in a trial mode. This allows for evaluating the features of the license without having to purchase it. Trial licenses can be a great tool for evaluating a feature in your own environment. If a longer period is needed to evaluate a product, another option is to buy a small number of licenses. Once the project is ready to move forward at a larger scale, more licenses can be purchased.

4. What are the biggest mistakes you see companies make when implementing Microsoft solutions?

The most common mistake I encounter is a rushed or incomplete implementation of a product. Often, a project may be started without a thorough understanding of the product or a clear goal for the end state. The result of this can be a product that does not work as expected and may require significant effort to fix or re-implement. My recommendation is to spend the time to learn about the product prior to implementing it in a production environment. A Microsoft partner (Now Micro) can also be a great resource to help get a product configured right the first time.

5. How can companies keep up with the rapid pace of innovation from Microsoft? What’s your advice for staying current and training employees on new Microsoft products?

Microsoft has an extensive library of free product documentation available online. Microsoft has also published many free training courses on a wide variety of topics. In addition to these great resources, there are also many Microsoft Tech Community blogs that are worth following. Finally, I’d recommend looking for active user groups in your area. A user group can be a great resource for both learning and networking.

6. For companies invested heavily in Microsoft, what does their IT/infrastructure roadmap need to factor in?

The cloud. Microsoft has been heavily pushing most of their product and service offerings into Azure, and I don’t see that trend changing or slowing down anytime soon. I recommend evaluating the tools and processes in your organization that currently rely on traditional on-premises resources to see if there is a path forward to the cloud.

Inquire with Now Micro to learn how we can support your technology efforts with our team of expert consultants.

Streamlined Device Refreshes with Now Micro

Leveraging Customized Services to Simplify Purchasing, Provisioning, and Management.

Device refreshes allow organizations to take advantage of the latest technology and improve security, productivity and user experience. But for many companies, going through the process poses numerous hurdles.

At Now Micro, we understand those challenges and offer a partnership to make the process easier for our customers. We make device refreshes easy through our customized purchasing, provisioning, and ongoing management.

Tailored Purchasing

We start by understanding your specific needs and goals. Do you need laptops? Tablets? A mix? What applications and software will be required? Any specific security protocols?

Armed with this knowledge, we curate the ideal mix of devices purpose-built for your organization. Our experts handle procurement, leveraging our strong vendor relationships to get you the best pricing and products.

Streamlined Provisioning

Getting new devices deployed can eat up IT resources. We direct ship configured equipment right to your end users, ready to go out of the box. This includes imaging, software installation, security protocols, and any other customization.

Our imaging services save you time and effort while ensuring your new devices are optimized for your environment.

Ongoing Management

We also offer ongoing asset management to keep your technology up to date and secure. This includes order and device information, warranty lookup, open API, device monitoring, user editable fields, geotracking, IoT device management, and more.

With Now Micro as your device refresh partner, you get a tailored, turnkey experience. We handle the heavy lifting so you can focus on your core business. Contact us today to learn more!


Windows LAPS: Keeping Your Organization Secure

Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. This solution is one of the most effective ways to protect administrator passwords and prevent unauthorized users from accessing systems or data that they shouldn’t.

With Windows LAPS, each device’s local administrator password is automatically randomized and rotated on a routine basis, so that no two devices ever share the same password and passwords don’t become stale and more vulnerable to compromise. This investment in security is crucial for protecting your organization’s data and ensuring peace of mind. This new version of the tool can be configured with Microsoft Intune and can store passwords in Azure Active Directory.

At Now Micro, we understand the importance of keeping up with the latest technological advancements to help organizations take advantage of new programs. That’s why we stay on top of the news and partner with IT experts to ensure our clients have the most up-to-date hardware and software. 

Contact us at Now Micro to learn more about how we can help your organization take advantage of Windows LAPS and other cutting-edge technologies. Our team of experts can help implement the tool, making it super easy for our customers and their IT staff to manage and maintain security.

Top 4 Windows 11 Interface Updates

Microsoft has launched the all-new Windows 11, bringing users some much-needed improvements and updates. Take a look at the top 4 interface updates on Windows 11:

Overall Interface

The Windows 11 interface will soon rival the design world’s beloved macOS interface. Features include a cleaner, minimalist design with rounded corners and light, pastel shades.

Start Button

Since Windows 95, the Windows Start Button has always been in the lower-left corner. On Windows 11, it will now be placed at the bottom center of the screen. This is one of the most significant changes in interface and navigation, allowing the Start Button to be more visible.

Taskbar

When Windows 11 first rolled out, users found the taskbar not as configurable as Windows 10, and some customization needed to be done. Since then, Microsoft has made some changes making the taskbar more manageable. For example, users can decide whether the taskbar shows more of their chosen pins, recommendations from the software, or the default combination of both. Users can also view the full taskbar on 2nd or 3rd monitors and choose the size of the taskbar.

Microsoft Teams Integration

Microsoft Teams is essential for productivity with the continued importance of remote work. Microsoft Teams will be located in the Windows taskbar, allowing the app to be more integrated than before. This is comparable to Apple’s FaceTime app in macOS, where launching video calls is easy to navigate. As always, Microsoft Teams will be available on Mac, iOS, Android devices, and Windows PCs.

Now Micro is ready to deploy devices that are compatible with Windows 11 for your organization. Visit our website or reach out to our Senior Systems Consultant and Windows expert, Jon Anderson at jona@nowmicro.com to learn how you can integrate Windows 11 into your network.

Notable Microsoft Teams Announcements!

The Most Notable Microsoft Teams Announcements of 2020 (through Oct) 

The latter part of 2020 has seen a flurry of updates, previews and announced roadmap items for Microsoft Teams. Let us look at the announcements that are likely to have the most impact.

HealthCare: Virtual Rounding and Care Coordination 

2020 has been a stressful time for health care professionals across the globe. From exposure risks to PPE shortages, healthcare providers are turning to technology to provide solutions. Microsoft has answered this call by announcing Virtual Rounding and Care Coordination.

Virtual Rounding is a Teams app that aims to reduce exposure while health care professionals do their daily checkups on their patients. The goal is to limit contact with infected or vulnerable patients by leveraging portable carts equipped with video screens, mics, cameras, and speakers. This allows healthcare professionals to maintain distancing when physical presence is not needed for diagnostics or treatment.

Care Coordination, which began its private preview October 1st, allows healthcare providers to aggregate patient data, provide care plans and test results, and communicate with each other regardless of physical location, all in a HIPAA compliant platform. The introduction of Teams for care coordination aims to improve efficiency while minimizing exposure.

SharePoint home sites for Teams   

The SharePoint home site experience announced in 2019 allows organizations to create a new intranet site or migrate their existing intranet sites to SharePoint. With the increasing ability to embed your organization’s apps and resources into Microsoft Teams, many organizations are hoping Teams will become the single pane of glass for all needs.

So why create a home site to serve as your organization’s intranet if it will detract from all the work you have done in Teams?

Enter the SharePoint home site app for Teams. This home site app allows you to deploy your intranet home site through the Teams client.

The announcement came to us in September 2020 and we are eagerly awaiting release details. 

https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/innovations-for-workplace-communications-and-employee-engagement/ba-p/1696149

Teams Breakout Rooms 

Many in-person conferences and events include a keynote or introduction meeting that all attendees are present for before breaking into smaller groups for more granular content. Recreating this experience virtually has proven difficult. Microsoft Teams breakout rooms hope to simplify this experience.

Teams Breakout Rooms will allow the meeting organizer to split attendees into smaller groups and bring everyone back together without the need to drop and rejoin multiple meetings.

The announcement for Teams breakout rooms came to us in July and we hope to see previews or general availability before the end of 2020. 

Advanced Communication Add-on 

2020 has seen an interesting race between collaboration platforms to provide more attendees, more features, and more video feeds. The majority of normally in-person conferences, large presentations and even college orientations have been converted to virtual events. 2020 more than ever has created a need for very large virtual events.

Microsoft’s answer to this need is the Advanced Communications add-on. At release, the Advanced Communications add-on increased the maximum attendees for Teams live events to 20,000.

Features coming later this year include: 

  • Teams meeting maximum members increase to 1,000 
  • The ability for a Teams meeting to have up to 20,000 overflow participants in a view-only meeting experience 
  • Custom Lobby Branding 

To take advantage of these features, the organizer of the meeting/live event will need the advanced communication add-on currently priced at $12 per user/month.  Attendees DO NOT need the add-on. There is also a 60-day trial available through the admin center. 

Considering this new and not quite yet saturated market, I would expect to see more feature announcements coming soon. 

https://docs.microsoft.com/en-us/microsoftteams/teams-add-on-licensing/advanced-communications

Custom Meeting Layouts 

If you are looking to make a good impression on clients or impress your coworkers with your big presentation, Microsoft may have given you a secret weapon. Teams custom meeting layouts allow you, the presenter, to customize what attendees are seeing. Microsoft Ignite gave us a preview of new tech allowing you to overlay the presenter on a PowerPoint slide. Who knows, maybe someday virtual meetings will look more professional than traditional in-person meetings with half the effort!

Always On VPN Overview

As technology continues to improve and the workplace continues to evolve, remote workers have become more common. Effectively supporting these remote workers means re-evaluating legacy remote access solutions. This post will look at Microsoft’s current remote access solution, Always On VPN.

Always On VPN is a Microsoft remote access solution that is built into Windows 10. Microsoft has positioned Always On VPN as the replacement for their older remote access solution (DirectAccess).

When planning a deployment of Always On VPN, keep in mind that it is a solution for users or devices that need remote access to local resources on a corporate network. Users with access to cloud resources, and devices managed by cloud-enabled tools may not require a VPN connection.

How Does Always On VPN Work?

Always On VPN is a solution that allows a client to automatically establish a VPN connection without any user interaction. The technology that makes this possible is the VPNv2 CSP node, which is built into Windows 10. This CSP (configuration service provider) allows the built-in Windows 10 VPN client to be configured using an MDM solution (Intune), or PowerShell.

The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. A common solution is to use Windows Server with the Routing and Remote Access role installed for the VPN server, and Windows Server with the Network Policy Server role installed for the RADIUS server. However, these servers do not need to be Microsoft servers. Third party solutions or appliances can be used. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates will be used to authenticate the VPN connection.

The Windows 10 VPN client can be configured to connect a user authenticated tunnel or a device authenticated tunnel. Both types of tunnels can be connected simultaneously if required.

User Tunnel

The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.

Here is a high-level overview of the connection process for an Always On VPN user tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
  4. The RADIUS server receives and authenticates the connection request
  5. The RADIUS server returns an accept or deny response to the VPN server
  6. The VPN server allows or denies the connection request based on the response from the RADIUS server

Device Tunnel

The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.

Here is a high-level overview of the connection process for an Always On VPN device tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server validates the computer authentication certificate of the client and allows or denies the connection request

Notice that the device tunnel does not use RADIUS for authentication. The VPN server performs the authentication itself. This prevents device tunnels from taking advantage of more advanced Always On VPN features like conditional access and multi-factor authentication. For more guidance on when to utilize device tunnels refer to this post.

VPN Protocols

Always On VPN utilizes familiar VPN infrastructure, which means that it can also utilize familiar VPN protocols. There are two main protocols that make the most sense to use when working with Always On VPN.

IKEv2

Internet Key Exchange version 2 (IKEv2) has good security and good performance. Its ability to automatically re-connect after a short interruption gives it good reliability as well. The primary concern with using IKEv2 is that communication happens on UDP 500 and UDP 4500. This makes it more likely that the connection will be blocked by firewalls.

Note that when using an Always On VPN device tunnel, IKEv2 is the only supported protocol.

SSTP

Secure Socket Tunneling Protocol (SSTP) also has good security and good performance. The main benefit of using SSTP is that communication happens on TCP 443, so it is very unlikely that it will be blocked anywhere. The downsides to SSTP are that it is not quite as secure as IKEv2, and it does not handle connection interruptions as well.

ProfileXML

As I mentioned earlier, Always On VPN utilizes the built-in Windows 10 VPN client. This client is configured using the VPNv2 CSP node. Configuring the settings in the VPNv2 CSP node can be accomplished using an XML file. Once the XML file is created, it can be deployed to systems through Intune or through Configuration Manager using PowerShell. For more information on the XML configuration and deployment, see the Microsoft Documentation.
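As an added example (not Now Micro’s or Microsoft’s code), the following PowerShell builds a device tunnel ProfileXML for the VPNv2 CSP described above and checks it against the device tunnel constraints from this post (IKEv2 only, machine certificate authentication, no RADIUS) before it is handed to Intune or Configuration Manager. The server name, DNS suffix, subnet and profile name are placeholders.

```powershell
$ProfileName = 'ContosoDeviceTunnel'   # placeholder profile name, used in the OMA-URI below

# ProfileXML for the VPNv2 CSP; hostnames and addresses are placeholders
$ProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <!-- Public hostname of the VPN server (placeholder) -->
    <Servers>vpn.example.com</Servers>
    <!-- Device tunnels support IKEv2 only -->
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- Machine certificate issued by the internal CA; no user credentials, no RADIUS -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <!-- Split tunnel: only the routes listed below traverse the VPN -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Connect as soon as the device is online, before anyone logs on, and reconnect automatically -->
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <!-- Keep the device tunnel narrow: only the management subnet holding the
       domain controllers and Configuration Manager is reachable (placeholder range) -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <!-- Do not connect when the client is already on the corporate network (placeholder suffix) -->
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
"@

# Validate the XML and check the device-tunnel constraints before deploying it
function Test-DeviceTunnelProfile {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml                      # throws on malformed XML
    $native = $doc.VPNProfile.NativeProfile
    $problems = @()
    if ($doc.VPNProfile.DeviceTunnel -ne 'true') {
        $problems += 'DeviceTunnel must be true'
    }
    if ($native.NativeProtocolType -ne 'IKEv2') {
        $problems += 'Device tunnels support IKEv2 only'
    }
    if ($native.Authentication.MachineMethod -ne 'Certificate') {
        $problems += 'Device tunnels authenticate with a machine certificate'
    }
    return ,$problems
}

$issues = Test-DeviceTunnelProfile -Xml $ProfileXml
if ($issues.Count -eq 0) {
    # Intune delivery: custom OMA-URI setting, data type "String (XML file)":
    #   ./Device/Vendor/MSFT/VPNv2/$ProfileName/ProfileXML
    "Profile '$ProfileName' passes the device tunnel checks"
} else {
    $issues | ForEach-Object { "Problem: $_" }
}
```

A user tunnel profile uses the same XML structure without the DeviceTunnel element and is delivered under the ./User/Vendor/MSFT/VPNv2/ path instead.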

Additional Reading

This post was a high-level look at the technology behind Always On VPN. For a detailed guide on creating a basic Always On VPN deployment, refer to the Microsoft Documentation. I would also recommend reading Richard Hicks’s blog. Additionally, Now Micro will be hosting a Tech Connect webinar on Always On VPN next month (May 2020). More details can be found on our Events Page.