Endpoint Privilege Management and Intune Premium – Ignite Special with Microsoft VP of Product, Steve Dispensa

  • Podcasts
  • This Week in IT
  • Endpoint Privilege Management and Intune Premium – Ignite Special with Microsoft VP of Product, Steve Dispensa

LISTEN ON:

This week at Ignite, I caught up with Steve Dispensa, Microsoft VP of Product for Enterprise Management and Windows Commercial. I asked Steve about the features coming in Intune Premium, including some of the technical details of how Endpoint Privilege Management works in Windows and how it compares to third-party solutions.

Also, what challenges Remote Help solves for organizations, and where Microsoft Tunnel fits into the picture. Steve also talked about other features like third-party package management and a service that will allow orgs to transfer on-premises PKI to the cloud. And I finished by asking him what he sees as the main security and management differentiators in Windows 11.

See the full transcription of the chat below:

Russell Smith (00:00): 

This week at Ignite, I caught up with Steve Dispensa, who’s a VP of Product for Enterprise Management and Windows Commercial. I asked Steve about some of the features coming to Intune Premium, including some of the technical details about how Endpoint Privilege Management works on Windows and how it compares to third party solutions. Also, what challenges remote help solves for organizations and where Microsoft Tunnel fits into the picture. And I finished it up by asking him what he sees as the main security and management differentiators in Windows 11. 

Russell Smith (00:35): 

So, hi Steve. Thanks for joining us today. Could you tell us a little bit about who you are and to what you do at Microsoft first? 

Steve Dispensa (00:43): 

Sure. So I’m the VP of Product for the Enterprise Endpoint Management Business. So that includes Intune and Configuration Manager. And I also am responsible for Windows for commercial customers. And so I do product management for Windows as well. 

Russell Smith (01:01): 

Great. So there’s been lots of exciting announcements at Ignite this week. Can you tell us a bit about the new Intune Premium Suite? So what does it include and why is Microsoft releasing this now? 

Steve Dispensa (01:15): 

Yeah, it’s so exciting. So we’ve been working for several years on a set of adjacent solutions to core management. So as I know you’ve seen, Core management you know, and Unified Endpoint Management has been sort of an explosively growing market over the last few years with the transition to hybrid work. And they’re just proliferation of devices that IT departments have to manage. And in the process of this massive transition we’ve all gone through over the past few years, several sort of adjacent problems have arisen that are kind of aligned to management, but maybe outside the traditional scope of Intune and config man. And so our customers were sort of bringing us these situations and these problems and saying, Hey, you know, does Microsoft have a solution in this space? And so the, the Interim Premium Suite is really the result of those conversations in that that product development. We first spoke about it last April when we were when we released remote help for Windows. We spoke about it in sort of a little more abstract way, but it’s been really exciting at Ignite to really describe concretely what’s coming and when and just start the path forward to getting this thing ga. 

Russell Smith (02:43): 

Great. So what does, what does this suite actually include? 

Steve Dispensa (02:48): 

So to begin with, of course it will include remote help for Windows, which is a solution that allows help desks and it pros to remotely control end user devices. It will also include Endpoint Privilege Management, which is a new solution that allows end users to run a standard user rather than as a local administrator on their Windows devices and still accomplish everything they need for their work. I can elaborate on that if you’re interested. We will be building an additional, well, sort of an end-to-end application updating solution that will connect with Defender for Endpoint and will allow IT pros to go from sort of just knowing which applications need to be updated all the way through to pushing updates to end user devices. 

Steve Dispensa (03:44): 

We’re building a cloud PKI service that will sort of take, you know, the existing workloads that our customers are running in Microsoft Certificate services and upload those in or sorry, up level those into a cloud-managed service. And then we have some additional pieces that things like Intune Tunnel, which is a remote access solution, we will now be supporting for MAM-managed devices. So for devices that are not fully-managed by IT, but rather that are only managed at the application level by IT, as well as some advanced analytics work that we’ll be talking more about. 

Russell Smith (04:26): 

Great. Well, I am very interested actually in the endpoint management piece, so I’m gonna come back to that in minutes. But before we talk about that in a little bit more detail, so all these pieces that make up the new Premium Suite, which I think is gonna be available in March next year, are they gonna be still available individually or as part of another plan maybe for smaller businesses that can’t quite stretch into Premium? 

Steve Dispensa (04:49): 

Yeah, great question. They will, the each of these solutions will be available as a standalone in the same way that Intune itself is available. And then, you know, we will be offering them also as a suite and that’ll have some sort of attractive economics around that at the suite level. 

Russell Smith (05:08): 

Mm-Hmm. <affirmative>. Ok. So I don’t know if you’re aware, but some of the changes that Microsoft made to Assist caused a little bit of a stir <laugh> in the last year amongst the IT professionals. So could you tell us a little bit about what Remote Help actually offers beyond, I suppose, you know, strong, authentic, strong authentication options over Quick Assist? What are the benefits of using remote help over what’s was already built into Windows? 

Steve Dispensa (05:39): 

Yeah, actually it’s a great question. We built Remote Help on the foundation of Quick Assist, and it was one of the reasons that we thought that this was a business that we wanted to get into. You know, when we thought about the advanced management capabilities that go into Intune Premium, we thought, where does Microsoft kind of have a uniquely Microsoft point of view that we can bring to the table? And Quick Assist is certainly one of those places where it’s built into the operating system securely and sort of at a low enough level that it really integrates perfectly cleanly into Windows, but of course, Quick Assist is just kind of the plumbing, if you will. There’s so much more that you need to build an enterprise service out of it. And so what we’ve done with Quick Assist is we’ve added things like support for Azure Active Directory. 

Steve Dispensa (06:29): 

So both the helper and the person requesting help can see through Azure AD who’s on the other end of the channel, including their, you know, address book, photo and address book title and everything. So it feels like a very secure connection. We’ve done things like because we know what the company’s compliance policies are, we can tell the helper whether or not the device they’re connecting into is compliant. And that’s really valuable because if you find that the device you’re promoting into is out of policy, you wanna be careful not to type secrets into that device as you are helping or, you know, you might, you don’t wanna elevate to being a local administrator on that device if the device may be potentially compromised. And so again, that’s the thing that Microsoft can do because we know the entire set of security policies and compliance policies that are supposed to be enforced on that end point. And so that’s a kind of, those are a couple of examples. There are also things like, you know, certification for compliance policies. There’s you know, those, the sort of the whole set of enterprise robustness that you’d expect out of an enterprise solution from Microsoft. 

Russell Smith (07:44): 

Hmm. Is it true I heard or read somewhere that ServiceNow integration might become into Remote Help? 

Steve Dispensa (07:51): 

Yes, it is. Your information is good. We’ll be taking our first steps at ServiceNow integration shortly. And actually, you know, I think that’s kind of a long-term growth area for us. So, you know, the first things that we’ll be talking about with ServiceNow will really be involving sort of allowing helpers to see tickets directly in the experience and vice versa, which is great first step. I actually think there are several steps that you’ll see from us after that. Don’t have anything to announce today publicly other than watch this space. 

Russell Smith (08:23): 

Great. Okay. That’s great to hear. Okay, so let’s get on to endpoint privilege management, because that’s my favorite subject, <laugh>. I think this has been a long time coming to Windows, to be honest. That’s my feeling about it, and I’m so glad to see Microsoft, the, you know, starting to do something in this space. That’s absolutely great news. But what I wanted to know is this tech, is it built into Windows, maybe the enterprise edition? Is it something that can be enabled by any MDM solution or do you require an Intune license to be able to use it? How does that kind of all hang together from a technical perspective? 

Steve Dispensa (09:01): 

Yeah, great question. The so when we, again, we think about the solutions that we wanted to invest in, we looked for places where, again, Microsoft kind of has unique point of view, and this is another one of those cases where to do a privilege management and a local admin privilege management solution properly, you really need to be wired in deeply into the os. And, you know, it’s well, let me just say it’s a solution over the years, and it’s a kind of integration over the years where third party vendors have occasionally had trouble getting the security just right because it’s such a sensitive operation. And so you know, this is when you say our customers have thought this is a long time coming. I think you’re absolutely right. You know, this is why they were kind of coming to us saying, We’re looking for a Microsoft solution here. 

Steve Dispensa (09:54): 

And so, yes you know, we’ve built this into the core of Windows into both Windows 11 and it’s my expectation that we’ll even bring this back to Windows 10. And the idea there is, you know, to bring a complete solution to market to our customers to truly take a dependency on this solution. And, you know, in terms of how it works you know, the flow is probably fairly intuitive for folks that have been through this before, but we allow a full set of administrative controls around white listing applications. You can say for a given application, if it can elevate automatically with no sort of approval required, or if it requires an admin approval or even just the user stating the reason for elevating. And so in addition to that, of course it provides full auditing. And so it’s great for, you know sort of compliance purposes for forensics, et cetera if there’s ever an issue that pops up. And so, yeah in terms of how it interacts you know, at the moment this is positioned as a part of the Intune Premium Suite, and it’s a feature of Intune at this point. 

Russell Smith (11:19): 

Okay, great. So as I understand this like current for party solutions for endpoint privilege management, this doesn’t require you to install the separate agent on the Windows, it will just work, essentially, if I understand correctly. 

Steve Dispensa (11:32): 

Yeah, that’s exactly right. And that’s again, you know, what the hooks that make this work are built into the Windows platform itself. 

Russell Smith (11:43): 

Mm-Hmm. <affirmative>, so a big plus I think for Microsoft Solution. 

Steve Dispensa (11:47): 

Yeah, I mean, honestly Russell, this is one of those scenarios where we’ve been thinking about this for many years because as you know, local admin is kind of a longstanding attack surface reduction opportunity. And, you know, I’m excited to see customers really start getting, you know, putting local admin to rest forever. Nobody should be a local admin. 

Russell Smith (12:14): 

<Laugh>. Yep, yep. So, I mean, I, I realize this is obviously quite early days for Microsoft Endpoint management solution, and there are some mature third-party solutions out there, like probably Beyond Trust, you are aware of. I don’t want to give you too much of a hard time or at launch, but I’m just a little bit interested in the future of this. And obviously what you’ve described today is already an absolutely fantastic start, in my opinion, But do you think there might be plans in the future to extend this endpoint privilege management capability to do things like that challenge response situation where the users offline, for instance, and might need to elevate a process? Do you think that’s something we might see in the future as part of this product? 

Steve Dispensa (13:01): 

Yeah, maybe so our plan is to build a complete solution for our customers. We think we’re gonna get out the door with EPM in a fairly complete scenario. We think that we’ll see a good amount of adoption based on what we’re hearing from customers, and certainly we’re gonna start getting requests from customers for additional scenario support exactly like the one you mentioned. I think that’s a great example. And like we always do, we’ll take those and sort of you know, stack them and build them and exactly what order and when, you know, obviously as you said, it’s early days and so we can’t exactly commit at this point. But what I will say is you know, because it’s a part of the Intune Premium Suite, it really gives us at Microsoft the license to go really invest in these solutions. And so I expect this to get richer and richer over time. 

Russell Smith (13:55): 

Mm-Hmm. <Affirmative>, that’s a good point. All right. Okay, so I could to speak about endpoint privilege management all day, but I wanna move on a little bit <laugh>. So I don’t know much about Microsoft Tunnel and we’ve been introduced to Microsoft Tunnel for application management. Yeah. So obviously this is more than just just a vpn, but could you explain to our viewers, you know, what’s the difference between this solution and just a vpn? Why would we deploy this solution? 

Steve Dispensa (14:27): 

Sure, absolutely. So, you know, we put, we can’t with Tunnel at least in preview, I think almost two years ago for fully managed devices and the idea was essentially a VPN that was tied to the local device management and allowed access into corpnet for legacy to legacy resources, but of course was tied to Azure Active Directory, and it participated in our zero trust architecture, and it was really as sort of minimal of a solution as you could get to solve that problem. That was our goal which is wonderful for fully-managed devices, but of course at that time didn’t support personally owned devices, essentially a devices that are managed only at the app level instead of the full device level. And that has become, you know, as application management has become an incredibly common scenario for customers to deploy those users still need access to those legacy applications on corpnet. 

Steve Dispensa (15:24): 

And of course, because these are generally personally owned devices that you’re doing application management on, you know, we certainly don’t wanna install a device-wide vpn for your personal iPhone or whatever. And so the solution to this problem is actually surprisingly complicated from an engineering perspective, which is why it took us longer to get out the door with it. But it’s essentially a micro-VPN solution that’s fully connected to our zero trust architecture and fully connected to Azure ad. So that, you know, for example, when a user starts an application that wants to access an on-premises resource at that point, not before, not later, a tunnel is built under the hood and the data traffic is routed back straight over to corpnet and back into that application while not affecting the rest of the networking on the end users device. This is really a solution because so many of our large customers, in fact, I would say all of our large customers have these applications that are still running on premises line of business applications, et cetera. And they’re important for users to get their work done. And so, you know, this is really the solution to that problem. 

Russell Smith (16:38): 

Okay, great. That’s really interesting. I wasn’t quite sure how all of that worked, but that that’s much clearer. So I, heard that, I think it was earlier this year, I think it was you that said, <laugh>, correct me if I’m wrong, that there is more investment going into the kind on premises config manager in terms of the team that’s working on that product. Yeah. So I just wanted to know are there plans to, because I know, I guess that technology is what kind of 30 years old, something like this, you know, kind of stuff that it’s based on and you know, it’s quite different. It works quite differently, obviously from in tune in terms of, you know, the ease of management, all that kind of stuff. So I wondered if there were any plans to make that technology or to modernize that technology. May make it a little bit easier to use or easier to implement. 

Steve Dispensa (17:30): 

Yeah, thank you for the question. Yes, you’re right. The Config Man code base goes back to the nineties. And I actually prior to joining Microsoft, long prior to joining Microsoft, I have an MCSE certification that includes SMS 1.1 I think. So this is it’s, you know, that was like early to mid-nineties, so this has been in market a long time. And actually I think it’s a testament to how well config man solved the problem for customers. It is, you know, just has gigantic deployment around the world. And we view it as a strategic part of the platform. So most of our customers are moving to the cloud and we expect them to continue over time, but move to the cloud, if you sort of double click on that you know, there still is an enormous amount of infrastructure on premises that needs managing, and we think we have the best tool in the industry for that. 

Steve Dispensa (18:26): 

I also think there’s a very interesting long term future for Config Man in terms of better together scenarios where the cloud connects to the on-prem config man site and things work and new value unlocks. So an example of that is, you know, you’re probably most of the management world is tired of hearing me talk about 10 and attach at this point, but honestly, it’s a five-minute process that unlocks so much cloud-based power for Config man, and we’re continuing to invest in those hybrid cloud and config man scenarios. You’ll see more of those as we enhance analytics coming over time where config man has unique point of view that really nothing else has. And so while we do believe of course, that, you know, like the rest of the industry, that the North Star is the cloud we’re proud of config man, we view it as an asset and a part of the overall solution. 

Russell Smith (19:20): 

Great. Great. Well, we’re almost outta time, but I do have just one important question that I’d like to ask you if you don’t mind. And it’s something that I think a lot of IT pros have struggled with a little bit. So what are the main differentiators for Windows 11 for organizations in terms of management and security in your eyes? So what I’m really asking, I guess, is why should businesses consider upgrading from Windows 10 to Windows 11? Obviously there are productivity improvements and all the rest of it, but what about for IT? 

Steve Dispensa (19:55): 

Yeah. Okay. So if we move past the productivity pieces, which I do think are great, and I use 11 every day now, of course you know, from an IT perspective, there are two other pillars besides the experience that come into play. One is security. And I think that’s incredibly important to keep telling that story because Windows 11 has a requirement for a TPM 2.0. And for a modern processor with you know, extensive virtualization capabilities, we can take a dependency on those items in the os. And so, for example you know, most of our enterprises deploying 11 have VBS enabled by default, that creates very strong local separation of sensitive kernel data structures from, you know, code that is running from by the user or potentially an attacker. The TPM anchors so many scenarios locally, including things like the ability to bind an identity access token directly to hardware so it can’t be stolen and replayed somewhere else. 

Steve Dispensa (20:54): 

And in fact you may have seen recently we started talking about a new capability of 11 that is I think the world’s strongest phishing protection. Essentially Windows 11 now has the capability to watch what the user is typing at the keyboard driver and kernel level. And if we see the user type their Microsoft password, we make sure that the, that the network connection is to a Microsoft authentication server. And if it’s to anything else in the world, it’s a phish and we can either stop it or at the very least, warn the user, Hey, you’re doing the wrong thing here. This has an enormous amount of potential to stop phishing of corporate credentials only in Windows 11. So security’s a big deal. There’s more than I’ll spare the other 45 minutes of the security talk, but the kind of like epm I’m with you. 

Steve Dispensa (21:46): 

This is one of my favorite topics but I also think management and total cost of ownership are a pretty important piece of the puzzle as well. And so that’s where you get to things like Windows 11 has over 1400 new cloud–managed, so MDM-managed policies that can be deployed. So if you’re trying to make that move from an on-prem G-based infra into a cloud-based infra 11 makes it that much easier for you. And we’ve done all the work on side by side so that for devices that don’t support Windows 11, you can keep them on 10 and manage them in an entirely parallel, identical way. And you don’t really have to know if you’re targeting a 10 device or an 11 device because the in tune, in Config man policies are designed to apply evenly and sort of semantically equivalently to both. So that’s the short answer on 11. There’s a lot there and I’d encourage folks to take a look. 

Russell Smith (22:42): 

Okay. Great. All right. Okay. Well thank you again, Steve, for your time today and looking forward to whatever else is coming up at Ignite this week. 

Steve Dispensa (22:52): 

It’s gonna be an exciting time. I can’t wait. 

Russell Smith (22:55): 

I hope you enjoyed my interview with Steve. And please let me know in the comments below what you think about Intune Premium and the new features that Microsoft is bringing to Windows Security and Management. If you found this video useful, I’d appreciate if you gave it a like, and if you’d like to see more videos like this, then of course, don’t forget to subscribe to the channel. But I’m gonna leave you now with another video that you might find interesting on a new feature in Windows 11 called Smart App Control. But that’s it from me today, and I’ll see you next time.