Microsoft Ignite 2019 is running this week in Orlando, and there’s already plenty of news to cover.
We published the first version of this article right at 9:00 AM ET on Monday, based on all the news that Microsoft shared with the media in pre-briefing materials.
There were some important breakout sessions on Monday, and Microsoft published a few more blog posts, so we’ve updated this article to include additional news and important details. In other words, this is a laundry list of what we’ve seen so far, with a bit of context added. Expect more polished deep dives and analysis in the coming days and weeks.
What we’re looking for at Ignite 2019
Of course, Windows Virtual Desktop was the big news from Ignite 2018, but since WVD just became generally available, we aren’t expecting anything quite as big to happen this year. However, there are plenty of questions left to answer. For example, Microsoft announced clients for Windows, macOS, iOS, Android, and of course HTML 5, but we’ve yet to hear any official news about thin client support.
We are also especially interested in more information on MSIX app attach. For as big as WVD might eventually be, we think app attach on physical PCs could be even bigger. (Bas van Kaaam wrote a great post covering everything we know about app attach prior to Ignite.)
The most interesting announcements from Ignite so far
We combed through the 87-page media briefing packet for things that caught our eye, and then, on Monday afternoon, added updates based on sessions and blog posts.
Here are all the most interesting announcements related to desktop virtualization, endpoint management, and identity management:
Preview of Windows Virtual Desktop on Azure Stack Hub
We’ve been wondering if we’d get any on-prem WVD options, and this appears to be it. While host pools can run on Azure Stack Hub, the management plane will still be in Azure.
Monday update: IGEL OS support for WVD
We finally have official news about thin clients and WVD. IGEL announced their support for WVD, which they worked on in partnership with Microsoft. WVD has an SDK (which I’ve been told is for the RD Core framework) that other thin client vendors will also be able to use to build support.
Microsoft Endpoint Manager
Microsoft is bringing Intune and SCCM closer together. According to the blog post, this will involve functionality and data from both systems, plus “new intelligent actions and analytics.” Microsoft Endpoint Manager will cover mobile devices as well as Windows; plus Microsoft will be making Intune available to existing SCCM customers for free, for the purpose of doing Windows co-management only. (To clarify, if you want to manage mobile devices with Intune/MEM, you’ll have to buy additional licenses.) So, this sounds like it could be bringing the SCCM console features into Intune for some sort of unified experience, but we’ll just have to wait and see.
Brad described Microsoft Endpoint Manager (MEM) as three things: a new name to cover SCCM and Intune, new licensing terms, and new management capabilities. MEM includes the Device Management Admin Center, as well as Desktop Analytics.
In MEM, admins will be able to see inventory from both SCCM and Intune, as well as from Jamf. They will also be able to do real-time SCCM actions, kicked off from the cloud.
Other new and highlighted features include:
- Conditional access preflighting, so you can turn policies on in audit mode and see who would be affected.
- Compliance Score and policy recommendations based on the regulations that apply to your organization.
- They talked about how much third-party agents and old Group Policy can slow down boot and login times, so there’s a push to go “Microsoft 365 native” and get rid of as much old stuff as you can. A feature called Policy Analytics can recommend MDM policies that can replace GOs. Overall, expect to hear a lot more about Microsoft Managed Desktop.
- Microsoft re-wrote the whole reporting engine for Intune.
Brad also declared that Windows 10 co-management is not a bridge, but a destination. Looking back two years to when co-management was announced, this is definitely a change, as back then, it was frequently described as a bridge.
For more on the thinking behind Microsoft Endpoint Management, see Brad’s other post, Modern management and security principles driving our Microsoft Endpoint Manager vision.
Monday Update: App Assure for WVD and Chrome
App Assure is Microsoft’s free program to help customers update apps so that they work on Windows 10. In the Microsoft 365 keynote, Brad Anderson said that customers evaluated about half a million apps, and only 928 were actually broken.
Now, App Assure is being extended to Edge and Windows Virtual Desktop. If an app that works in Chrome or IE 11 doesn’t work on Edge, Microsoft will help fix it. And, if an app that works in Windows 10 doesn’t work on WVD, again, Microsoft will fix it.
Monday Update: Mobile Threat Defense
MTD integrations are nothing new for UEM vendors, but with this new integration, when a device is in MAM-only mode, the MTD can block Intune’s containerized apps from launching. This is called Conditional Launch, and is rolling out in partnership with Lookout, Zimperium, and Better Mobile. You can read more from Microsoft’s Mayunk Jain.
Azure Active Directory partnerships for on-prem access
Microsoft is going to partner with Citrix, Akamai, and Zscaler (in addition to their existing partnership with F5) so that Azure AD can manage access for traditional on-premises apps. Connecting cloud-based identity management to on-prem apps is a key step for making zero trust and conditional access happen smoothly across everything a user needs. (For more along these lines, we recently covered Okta’s moves in on-premises access.)
Endpoint detection and response for Mac
After releasing Defender ATP for Mac this year, Microsoft is bringing over more endpoint detection and response features from the Windows version. This goes into private preview next month. With all the changes in macOS, including the deprecation of kernel extensions and the introduction of the new EndpointSecurity frameworks, we want to take a closer look at how this is implemented.
Microsoft Power Automate
Microsoft is renaming Microsoft Flow, their cloud workflow app platform, to Power Automate. Along with this, Microsoft announced new robotic process automation features called UI flows, which allow organizations to automate repetitive tasks and work with legacy applications that don’t support automation via APIs. Back in the day, we covered this idea through the desktop virtualization lens (remember all our app transformation stories?), and with Citrix and VMware’s recent investments, this area is now top of mind for us.
Firstline worker authentication and access features
Microsoft is adding new identity features to Microsoft 365 for firstline workers, including SMS-based authentication, as well as global sign-out that logs Android users out of all apps simultaneously, and more. The capabilities will also extend to Teams. The passwordless sign-in option is interesting step toward Microsoft’s passwordless future, even if it uses SMS.
Passwordless authentication for more Azure Active Directory customers
Microsoft will no longer charge for Microsoft Authenticator (MFA) or passwordless authentication in Azure Active Directory, making it easier for organizations to move toward eliminating passwords. Hurray!
More announcements that we noted
Over the last year or so, I (Kyle) have been spending more time on various security fronts. Along those lines, here are some more announcements that we thought were interesting:
Application Guard security in Office and Safe Documents
Once a Microsoft Edge feature, Application Guard will be integrated into Office 365 ProPlus. This security feature opens and edits untrusted files in a container, which is protected by hardware-level security. If the user decides to trust the open file, it gets checked against Microsoft Defender ATP first. If the file is found to be malicious, it remains separate from everything else. Application Guard is now in limited preview, with GA likely in summer 2020.
Similarly, Safe Documents ensures documents opened in Protected View get reviewed by Office ATP before the user opens the document in unprotected mode.
Office 365 Advanced Threat Protection automation capabilities
This new feature promises to help security teams discover and respond to security alerts through the Automated Incident Response in Office 365 ATP. One capability is automated playbooks that review security alerts and offers remediation suggestions.
Secure score updates and Azure Security Center integration
Microsoft continues to add to Secure Score, a feature that caught my (Kyle) attention last year at Ignite. Updates include simplifying the scoring system and allowing users to view their own scores, alongside admins. Users can also set goals and see how they’re doing. Secure Score will integrate with Teams, Planner, ServiceNow, and Azure Security Center. The updates are available now, while other features will go GA later 2019, and the Azure integration come early next year.
Microsoft 365 admin center recommendations
Microsoft 365 will automatically suggest security and management best practices. We’re really curious how useful these are in the wild.
Lastly, it’s hard to get away from all the productivity, AI, digital assistant, and employee experience news. Check these out:
Monday update: Managed Meeting Rooms
This is sort of like Microsoft Managed Desktop, except for all the AV equipment in your rooms.
Microsoft Productivity Score
Continuing the employee experience trend that we’ve been seeing, this feature will look at both how employees are collaborating, and how their apps and devices are performing.
Office app for mobile devices
Word, Excel, and PowerPoint are being combined into one mobile app. One cool feature is the ability to convert images to text. You can also share files between devices and a feature called “differential sync” ensures only the updated parts of larger files are synced between devices.
Azure Active Directory MyApps portal updates
Microsoft is promising a better app launching experience, including better support for mobile. Having an up-to-date experience here is one of those little things that can make things more pleasant and usable for employees.
New Cortana in Office 365 and Knowledge Network in Microsoft 365
Microsoft considers the new Cortana features as productivity improvements. By reading your emails, Cortana can send a briefing email at the beginning of the day with all your tasks and meetings; you can then mark tasks “done” as you finish. With Scheduler, Cortana can help set up meetings, even going so far as to propose times that work for all involved and adding call-in information; it also works with Google calendars (I admit this part is cool). You also get more voice options, if the current voice just doesn’t do it for you.
Initially I (Kyle) didn’t think much of these announcements given it’s felt like Microsoft was dialing back Cortana over the last few months, such as pulling the voice assistant from the menu bar in Windows 10. But once implemented, maybe I could re-examine whether voice assistants are ready for the enterprise.
The Knowledge Network in Microsoft 365, in private preview and expecting a wide 2020 release, uses machine learning to gather together similar content throughout Microsoft 365 and places them under topics that creates an “interactive depository.” The idea is that eventually, it will be easier to find what you need to actually get your job done. It sounds far out, but if it works, I think it’s something we could all appreciate.