Windows and Active Directory at Microsoft Ignite 2019

The spotlight this year at Microsoft’s annual Ignite conference didn’t fall on Windows or Windows Server. But that’s to be expected as Microsoft has shifted its focus to Azure and other cloud services like Microsoft 365. And Windows 10 got its big announcement at the Surface event in New York recently where Microsoft unveiled Surface Neo, a dual-screen foldable device that will run a new SKU called Windows 10X. But Windows hasn’t been left out at this year’s conference and here are some noteworthy announcements for Windows IT professionals.

Windows Admin Center Gets a Reimagined Performance Monitor

Windows Admin Center (WAC) is where Microsoft is investing in new tooling for Windows Server. Not only does it provide Server Core with a GUI for the first time, but WAC will eventually replace the management consoles bundled with the desktop experience in Windows Server, many of which haven’t seen significant improvements in almost 20 years. For more information on WAC and Windows Server Core, see Windows Server 2019 Release Sees Server Core Adoption Soar on Petri.

Performance Monitor first debuted in Windows in 1993. As part of Windows Admin Center 1910, which you can get from Microsoft’s website for free, Microsoft announced a preview of its reimagined Performance Monitor tool. The new monitor has a modern, clean layout that’s available in both light and dark mode. You can get started easily by choosing an object, instance, and then counter from a series of boxes along the top of a new workspace. If you know the counter you want to use, keyword search helps you find it quickly. Explanations for each counter can be accessed by hovering the cursor over the counter name.

Windows Admin Center Performance Monitor (Image Credit: Microsoft)

There are several graph types available, including line, report, and min-max. Workspaces allow you to save layouts so you can organize the tool for different monitoring scenarios. Microsoft has also made it easy to aggregate performance counters for Windows Server clusters, including hyperconverged infrastructures. I’ll be looking at the new Performance Monitor on Petri in more detail in the coming weeks.

FIDO Security Key Support Coming to Hybrid Azure AD in 2020

Azure Active Directory (AAD) already supports FIDO security key logins in public preview for cloud-only users but Microsoft announced that support is coming to hybrid AAD/Windows Server AD environments. This feature lets users sign in to Windows 10 using a FIDO security key, instead of a password, and provides single sign-on (SSO) access to cloud resources. Microsoft says:

The expansion of Azure AD support for FIDO2 to hybrid environments has been a huge collaboration effort across various teams within Microsoft and we’re proud to be delivering milestones like this that leap forward in our quest to make the passwordless world a reality.

FIDO support for hybrid AD environments will go into public preview in early 2020. For more information on passwordless sign-in, check out aka.ms/gopasswordless.

Chromium-Based Edge Browser Gets Official Release Date

In case you missed it, Microsoft has revealed a new logo for its upcoming Chromium-based Edge browser. Not very interesting you might say. But more importantly, Microsoft said that the new browser will be made generally available January 15th, 2020 and that the current beta is the final before GA. Initially, the new Edge will be available for Windows 10, Windows 7, Windows 8, and macOS but Linux support is also planned.

The new browser contains features for enterprises, including Internet Explorer mode for seamless support of legacy web apps. There’s also integration with Microsoft Search in Bing so that users can save time by searching for company information, like employees and office locations, using natural language. Microsoft also announced that it’s providing over 100 connectors for Microsoft Search and they will be available in the first half of 2020 for Microsoft 365 customers. There will be connectors for Salesforce.com, ServiceNow, Box, and more.

Finally, Microsoft FastTrack, a deployment program that helps customers move to the cloud, is being expanded to include the new Microsoft Edge in Q1 2020. The App Assure program, where Microsoft helps you get your legacy apps working in Windows 10, will also be expanded to include the new Edge browser. There’s also a new preview security baseline template for Edge that IT admins can apply.

Improved Security in Azure Active Directory

Because Azure Active Directory is an extension of Windows Server Active Directory, it seems right to cover these updates here. Azure multifactor authentication (MFA) will be available for free for all customers using the Microsoft Authenticator app. As part of the announcement, Microsoft said that MFA will be enabled by default starting next month in all new AAD tenants for Microsoft 365, Office 365, Dynamics, and Azure, although the rollout process may take a few months.

Identity Protection and Conditional Access Updates

Azure AD Identity Protection has been updated with added and enhanced signals, improved APIs for integration with Security Operations Center (SOC) environments, and a new user interface.

Azure Active Directory Identity Protection (Image Credit: Microsoft)

Conditional Access also gets a report-mode. It’s currently in public preview and lets system administrators see the impact that policies have before enforcing them. And Azure Monitor customers can see the impact of Conditional Access policies using the new Conditional Access workbook.

Azure AD Connect Cloud Provisioning

Microsoft will preview a new feature in Azure AD Connect at the end of November that will allow user identities to be synchronized from Windows Server AD forests and Azure AD, regardless of where the forest is located, with the help of lightweight agents. The agents can be deployed for redundancy and high availability, and they consolidate users into a single AAD tenant.

Azure AD Entitlement Management Now Generally Available

Azure AD entitlement management helps organizations more efficiently manage access to groups, apps, and SharePoint Online sites. You can use it to delegate to non-admins the ability to create ‘access packages’ that contain resources that users, internal or external, can request access to.

Inbound User Provisioning from SAP SuccessFactors

SAP SuccessFactors is an HR management system and Microsoft announced the public preview of inbound user provisioning. Microsoft said: “You can implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using SuccessFactors as the ‘system of record.’ Your new employees can get up and running on their first day, and you can modify or revoke access automatically based on the employee’s role and status in SuccessFactors.”

System Center Configuration Manager Becomes Microsoft Endpoint Manager

Last but by no means least, Microsoft announced the convergence of System Center Configuration Manager (SCCM) and Intune. Microsoft Endpoint Manager (MEM) combines Intune and SCCM functionality and data with new intelligent ‘actions’ for seamless end-to-end management of endpoints. MEM will also include the Device Management Admin Center (DMAC) and Desktop Analytics. For more on Desktop Analytics, see Migrate to Windows 10 Using Microsoft’s Desktop Analytics Service on Petri.

Customers will see the Microsoft Endpoint Manager name appear in the Microsoft 365 console later this month, and any SCCM tasks and data you have will also show up there. Microsoft promises that organizations using Intune and Configuration Manager together will benefit from cloud intelligence. For example, you can completely automate compatibility testing when upgrading to a new version of Windows 10, deploy Windows 10 faster, and take immediate action on all your devices, a feature that SCCM users have been asking for.

Licensing

Everyone’s favorite topic. Intune will be available to all Configuration Manager customers so that Windows devices can be co-managed. But if you want to manage non-Windows devices using MEM, you will still need to buy an Intune, Enterprise Mobility & Security (EMS), or a Microsoft 365 E3 or higher license.