Microsoft Touts 'Cloud-Native Windows Endpoints' for Remote Device Management
Microsoft advocated for the use of so-called "cloud-native Windows endpoints" to address the needs of remote workforces in a Monday announcement.
Essentially, it's easier to manage a remote workforce when end users' devices are joined to the cloud-based Azure Active Directory service rather than to a traditional on-premises Active Directory domain, Microsoft argued. The cloud-native Windows endpoints approach doesn't depend on Active Directory, according to a Microsoft document on cloud-native Windows endpoints:
A cloud native Windows endpoint is joined to Azure AD (AADJ) and managed by a Mobile Device Management (MDM) solution. Unlike traditional domain join or Hybrid Azure AD joined endpoints, it has no dependencies on on-premises Active Directory.
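One practical way to check which of those categories a given device actually falls into is to parse the output of the built-in `dsregcmd /status` command. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the standard `Name : Value` layout of that output and uses a constructed, abridged sample so it can be run offline.

```powershell
# Added example (not from the article or Microsoft): classify a Windows device's
# join state from `dsregcmd /status`, which prints "Name : Value" lines such as
# AzureAdJoined, DomainJoined, TenantName and MdmUrl.
function Get-EndpointJoinState {
    param(
        # Pass captured text to test offline; defaults to running dsregcmd.
        [string[]]$StatusText = (& dsregcmd /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Match lines of the form "   AzureAdJoined : YES"; box-drawing lines have no colon.
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $mdm    = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])

    $join = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
            elseif ($aad)          { 'Azure AD joined' }
            elseif ($domain)       { 'On-premises domain joined' }
            else                   { 'Not joined (workgroup)' }

    [pscustomobject]@{
        JoinState   = $join
        MdmEnrolled = $mdm
        # "Cloud-native" in the article's sense: AADJ plus MDM, no AD dependency.
        CloudNative = ($aad -and -not $domain -and $mdm)
        TenantName  = $fields['TenantName']
    }
}

# Constructed, abridged sample of dsregcmd output for an offline demonstration.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-EndpointJoinState -StatusText $sample
```

Run without `-StatusText` on a real device to classify it; a result of `CloudNative = False` with `JoinState = 'Hybrid Azure AD joined'` is the usual sign that the device still carries an on-premises AD dependency.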
The benefits of tying devices to Azure AD include single sign-on for cloud apps, as well as for local Web apps and file servers. It also lets conditional access policies be set for sensitive resources. Microsoft further argued that, with Azure AD, "cloud-native Windows endpoints can be configured to use Windows Hello for Business as a multifactor authentication method with no additional configuration."
The use of Microsoft's cloud-based identity and access management service also lets organizations bypass virtual private networks (VPNs) for user sign-ins:
By joining Windows endpoints to Azure AD, you enable employees to work from any location, eliminating the line-of-sight to domain controllers. With Azure AD-joined devices, a VPN connection isn't required for the initial device sign-in or to update the local device password after a network password change.
The cloud-native Windows endpoints concept is tied to a bunch of other Microsoft products besides Azure AD, such as Microsoft Endpoint Manager and Windows Intune. Microsoft is previewing a Group Policy Analytics tool in Microsoft Endpoint Manager that promises to help IT pros translate their current Group Policy Objects to Microsoft Intune settings.
Another reason to use cloud-based policies for devices is that organizations get information about when Microsoft institutes a Safeguard Hold on Windows updates, a point explained in July by Aria Carley, a program manager focused on the commercial management of Windows updates. A Safeguard Hold is essentially a Windows update that Microsoft blocks from reaching devices for some technical reason.
The cloud-native Windows endpoints management approach seems to be new Microsoft marketing jargon promoting the use of Azure AD plus Microsoft Endpoint Manager. It's somewhat different from Microsoft's "Windows in Cloud Configuration" approach. Microsoft had introduced Windows in Cloud Configuration for Windows 10 devices back in March, suggesting that it offered a way to easily apply configuration settings for devices that were domain-joined to Azure Active Directory.
The difference with Microsoft's newly emphasized cloud-native Windows endpoints management approach seems to be that organizations can use their current customizations with it, whereas the Windows in Cloud Configuration approach is more of a cookie-cutter setup approach that doesn't allow for any customizations.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.