New employees can work efficiently from day one.

When employees join the company, they have to wait for applications to be installed after they first log on.

When employees join the company, they log on and their applications are installed and are ready to be used.

Employees can quickly and easily request additional software that they need.

When employees require additional applications, they file a ticket with the help desk, and then typically wait two days for the ticket to be processed and the applications are installed.

When employees require additional applications, they can request them from a website and they are installed immediately if there are no licensing restrictions. If there are licensing restrictions, users must first ask for approval before they can install the application.

The website shows users only the applications that they are allowed to install.

Employees can use their mobile devices at work if the devices comply with security policies that are monitored and enforced. These policies include the following:

• Strong password
  
  
• Lock after period of inactivity
  
  
• Lost or stolen mobile devices are remotely wiped
  
  

Employees connect their mobile devices to Exchange Server for email service but there is limited reporting to confirm that they are in compliance with the security policies in the default Exchange ActiveSync mailbox policies. The personal use of mobile devices is at risk of being prohibited unless IT can confirm adherence to policy.

The IT organization can report mobile device security compliance with the required settings. This confirmation lets users continue to use their mobile device at work. Users can remotely wipe their mobile device if it is lost or stolen, and the help desk can wipe any user’s mobile device that is reported as lost or stolen.

Provide mobile device enrollment in a PKI environment for additional security and control.

Employees can be productive even if they are not at their desk.

When employees are not at their desk and do not have portable computers, they cannot access their applications by using the kiosk computers that are available throughout the company.

Employees can use kiosk computers to access their applications and data.

Usually, business continuity takes precedence over installing required applications and software updates.

Applications and software updates that are required install during the day and frequently disrupt users from working because their computers slow down or restart during the installation.

Users can configure their working hours to prevent required software from installing while they are using their computer.

Adam makes sure that the new users have user accounts in Active Directory and creates a new query-based collection in Configuration Manager for these users. He then defines user device affinity for these users by creating a file that maps the user accounts to the primary computers that they will use and imports this file into Configuration Manager.

The applications that the new users must have are already created in Configuration Manager. He then deploys these applications that have the purpose of Required to the collection that contains the new users.

Because of the user device affinity information, the applications are installed to each user’s primary computer or computers before the user log on.

The applications are ready to use as soon as the user successfully logs on.

Adam installs and configures the Application Catalog site system roles so that users can browse for applications to install. He creates application deployments that have the purpose of Available, and then deploys these applications to the collection that contains the new users.

For the applications that have a restricted number of licenses, Adam configures these applications to require approval.

By configuring applications as available to these users and by using the Application Catalog, users can now browse the applications that they are allowed to install. Users can then either install the applications immediately or request approval and return to the Application Catalog to install them after the help desk has approved their request.

Adam creates an Exchange Server connector in Configuration Manager to manage the mobile devices that connect to the company’s on-premises Exchange Server. He configures this connector with security settings that include the requirement for a strong password and lock the mobile device after a period of inactivity.

Adam has Configuration Manager SP1, so for additional management for devices that run Windows Phone 8, Windows RT, and iOS, he obtains a Windows Intune subscription and then installs the Windows Intune connector site system role. This mobile device management solution gives the company greater management support for these devices. This includes making applications available for users to install on these devices, and extensive settings management. In addition, mobile device connections are secured by using PKI certificates that are automatically created and deployed by Windows Intune. After configuring the Windows Intune connector, Adam sends an email message to the users who own these mobile devices for them to click a link to start the enrollment process.

For the mobile devices to be enrolled by Windows Intune, Adam uses compliance settings to configure security settings for these mobile devices. These settings include the requirement to configure a strong password and lock the mobile device after a period of inactivity.

With these two mobile device management solutions, the IT organization can now provide reporting information about the mobile devices that are being used on the company network and their compliance with the configured security settings.

Users are shown how to remotely wipe their mobile device by using the Application Catalog or the company portal if their mobile device is lost or stolen. The help desk is also instructed how to remotely wipe a mobile device for users by using the Configuration Manager console.

In addition, for the mobile devices that are enrolled by Windows Intune, Adam can now deploy mobile applications for users to install, collect more inventory data from these devices, and have better management control over these devices by being able to access more settings.

Trey Research has several kiosk computers that are used by employees who visit the office. The employees want their applications to be available to them wherever they log on. However, Adam does not want to locally install all the applications on each computer.

To achieve this, Adam creates the required applications that have two deployment types:

• A full, local installation of the application that has a requirement that it can only be installed on a user’s primary device.
  
  
• A virtual version of the application that has the requirement that it must not be installed on the user’s primary device.
  
  

When visiting employees log on to a kiosk computer, they see the applications that they require displayed as icons on the kiosk computer’s desktop. When they run the application, it is streamed as a virtual application. This way, they can be as productive as if they are sitting at their desktop.

Adam lets users know that they can configure their business hours in Software Center and select options to prevent software deployment activities during this time period and when the computer is in presentation mode.

Because users can control when Configuration Manager deploys software to their computers, users remain more productive during their work day.

All computers run antimalware software that has up-to-date definition files and enables Windows Firewall.

Different computers run different antimalware solutions that are not always kept up-to-date and although Windows Firewall is enabled by default, users sometimes disable it.

Users are asked to contact the help desk if malware is detected on their computer.

All computers run the same antimalware solution that automatically downloads the latest definition update files and automatically re-enables Windows Firewall if users disable it.

The help desk is automatically notified by email if malware is detected.

All computers install critical software updates within the first month of release.

Although software updates are installed on computers, many computers do not automatically install critical software updates until two or three months after they are released. This leaves them vulnerable to attack during this time period.

For the computers that do not install the critical software updates, the help desk first sends out email messages asking users to install the updates. For computers that remain noncompliant, engineers remotely connect to these computers and manually install the missing software updates.

Improve the current compliance rate within the specified month to over 95% without sending email messages or asking the help desk to manually install them.

Security settings for specific applications are regularly checked and remediated if it is necessary.

Computers run complex startup scripts that rely on computer group membership to reset registry values for specific applications.

Because these scripts only run at startup and some computers are left on for days, the help desk cannot check for configuration drift on a timely basis.

Registry values are checked and automatically remediated without relying on computer group membership or restarting the computer.

Mobile devices cannot install or run unsafe applications.

Users are asked not to download and run potentially unsafe applications from the Internet but there are no controls in place to monitor or enforce this.

Mobile devices that are managed by the Windows Intune connector or Configuration Manager automatically prevent unsigned applications from installing or running.

Laptops that move from the intranet to the Internet must be kept secure.

For users who travel, they frequently cannot connect over the VPN daily and these laptops become out of compliance with security requirements.

An Internet connection is all that is required for laptops to be kept in compliance with security requirements. Users do not have to log on or use the VPN.

Adam configures Endpoint Protection and enables the client setting to uninstall other antimalware solutions and enables Windows Firewall. He configures automatic deployment rules so that computers check for and install the latest definition updates regularly.

The single antimalware solution helps protect all computers by using minimal administrative overhead. Because the help desk is automatically notified by email message if antimalware is detected, problems can be resolved quickly. This helps prevent attacks on other computers.

To help increase compliance rates, Adam uses automatic deployment rules, defines maintenance windows for servers, and investigates the advantages and disadvantages of using Wake on LAN for computers that hibernate.

Compliance for critical software updates increases and reduces the requirement for users or the help desk to install software updates manually.

Adam uses compliance settings to check for the presence of the specified applications. When the applications are detected, configuration items then check the registry values and automatically remediate them if they are out of compliance.

By using configuration items and configuration baselines that are deployed to all computers and that check for compliance every day, separate scripts that rely on computer membership and computer restarts are no longer required.

Adam uses compliance settings for enrolled mobile devices and configures the Exchange Server connector so that unsigned applications are prohibited from installing and running on mobile devices.

By prohibiting unsigned applications, mobile devices are automatically protected from potentially harmful applications.

Adam makes sure that site system servers and computers have the PKI certificates that Configuration Manager requires for HTTPS connections, and then he installs additional site system roles in the perimeter network that accept client connections from the Internet.

Computers that move from the intranet to the Internet automatically continue to be managed by Configuration Manager when they have an Internet connection. Those computers do not rely on users logging on to their computer or connecting to the VPN.

These computers continue to be managed for antimalware and Windows Firewall, software updates, and configuration items. As a result, compliance levels automatically increase.

New computers are installed with Windows 7.

The help desk installs and configures Windows 7 for users and then sends the computer to the respective location.

New computers go straight to the final destination, are plugged into the network, and they automatically install and configure Windows 7.

Computers must be managed and monitored. This includes hardware and software inventory to help determine licensing requirements.

The Configuration Manager client is deployed by using automatic client push and the help desk investigates installation failures and clients that do not send inventory data when expected.

Failures are frequent because of installation dependencies that are not met and WMI corruption on the client.

Client installation and inventory data that is collected from computers is more reliable and requires less intervention from the help desk. Reports show software usage for license information.

Some computers must have more rigorous management policies.

Because of the more rigorous management policies, these computers are currently not managed by Configuration Manager.

Manage these computers by using Configuration Manager without additional administrative overhead to accommodate the exceptions.

Adam captures an operating system image from a computer that has Windows 7 installed and that is configured to the company specifications. He then deploys the operating system to the new computers by using unknown computer support and PXE. He also installs the Configuration Manager client as part of the operating system deployment.

New computers are up and running more quickly without intervention from the help desk.

Adam configures automatic site-wide client push installation to install the Configuration Manager client on any computers that are discovered. This ensures that any computers that were not imaged with the client still install the client so that the computer is managed by Configuration Manager.

Adam configures client status to automatically remediate any client issues that are discovered. Adam also configures client settings that enable the collection of inventory data that is required, and configures Asset Intelligence.

Installing the client together with the operating system is quicker and more reliable than waiting for Configuration Manager to discover the computer and then try to install the client source files on the computer. However, leaving the automatic client push option enabled provides a backup means for a computer that already has the operating system installed to install the client when the computer connects to the network.

Client settings ensure that clients send their inventory information to the site regularly. This, in addition to the client status tests, help to keep the client running with minimal intervention from the help desk. For example, WMI corruptions are detected and automatically remediated.

The Asset Intelligence reports help monitor software usage and licenses.

Adam creates a collection for the computers that must have more rigorous policy settings and then creates a custom client device setting for this collection that includes disabling remote control, enables BitLocker PIN entry, and lets only local administrators to install software.

Adam configures role-based administration so that help desk engineers do not see this collection of computers to help ensure that they are not accidentally managed as a standard computer.

These computers are now managed by Configuration Manager but with specific settings that do not require a new site.

The collection for these computers is not visible to the help desk engineers to help reduce the possibility that they are accidentally sent deployments and scripts for standard computers.