1
00:00:02,700 --> 00:00:04,590
Proactively ensuring that
your device endpoints

2
00:00:04,590 --> 00:00:05,423
stay up and running

3
00:00:05,423 --> 00:00:08,340
while remaining policy-compliant
is only possible

4
00:00:08,340 --> 00:00:11,308
with access to current
device-level data and analytics.

5
00:00:11,308 --> 00:00:12,330
Today, I'll show you

6
00:00:12,330 --> 00:00:15,234
how data-driven
decisions are now possible

7
00:00:15,234 --> 00:00:17,065
across device platforms

8
00:00:17,065 --> 00:00:19,830
with the cloud-based
endpoint management platform,

9
00:00:19,830 --> 00:00:22,740
Microsoft Intune, and
its advanced analytics

10
00:00:22,740 --> 00:00:25,590
that help inform the actions you take,

11
00:00:25,590 --> 00:00:27,930
enabling advanced management for iOS,

12
00:00:27,930 --> 00:00:30,810
Android, macOS, and Windows devices,

13
00:00:30,810 --> 00:00:34,746
along with AI-powered options
to discover and resolve issues

14
00:00:34,746 --> 00:00:39,746
using Microsoft Security Copilot
and new agents with Intune.

15
00:00:40,230 --> 00:00:41,670
Of course, the primary goal

16
00:00:41,670 --> 00:00:44,010
of device management is
to eliminate downtime

17
00:00:44,010 --> 00:00:47,790
while maintaining secure access
to the resources people need

18
00:00:47,790 --> 00:00:49,950
on their managed computers and phones.

19
00:00:49,950 --> 00:00:52,695
If done right, this should also
lead to fewer support calls.

20
00:00:52,695 --> 00:00:56,190
Intune now makes it easy to
query granular information

21
00:00:56,190 --> 00:00:58,285
about your cross-platform devices,

22
00:00:58,285 --> 00:01:01,020
to find data-derived insights.

23
00:01:01,020 --> 00:01:03,540
In fact, with Intune you
have the data you need

24
00:01:03,540 --> 00:01:06,720
at multiple levels to manage your devices.

25
00:01:06,720 --> 00:01:08,280
It starts with Advanced Analytics

26
00:01:08,280 --> 00:01:10,773
to get proactive insights
across your endpoints.

27
00:01:11,610 --> 00:01:13,350
Multi-Device Query then lets you query

28
00:01:13,350 --> 00:01:15,200
across platforms on-demand,

29
00:01:15,200 --> 00:01:19,020
and Single Device Query shows
you real-time information

30
00:01:19,020 --> 00:01:22,320
for running processes,
drivers, and more per device.

31
00:01:22,320 --> 00:01:24,120
Let me show you how it all works together,

32
00:01:24,120 --> 00:01:25,800
starting with Advanced Analytics.

33
00:01:25,800 --> 00:01:27,600
I'll start with tenant-level Reports

34
00:01:27,600 --> 00:01:29,250
under Endpoint Analytics.

35
00:01:29,250 --> 00:01:32,880
Here, you can see the health
status of all managed devices,

36
00:01:32,880 --> 00:01:35,400
and in my case, things look pretty good.

37
00:01:35,400 --> 00:01:37,050
That said, there are opportunities

38
00:01:37,050 --> 00:01:38,884
to improve Startup Performance.

39
00:01:38,884 --> 00:01:41,730
And on the right, I see
insights and recommendations

40
00:01:41,730 --> 00:01:43,830
that I can address immediately.

41
00:01:43,830 --> 00:01:47,520
For example, these two here
are showing above average CPU

42
00:01:47,520 --> 00:01:49,500
and RAM spike times.

43
00:01:49,500 --> 00:01:51,270
And if we dig into this recommendation,

44
00:01:51,270 --> 00:01:54,390
I can see these three devices
on top have a low score

45
00:01:54,390 --> 00:01:56,970
under 50 for CPU spike time,

46
00:01:56,970 --> 00:02:00,596
and this one also has a
bad RAM spike time score.

47
00:02:00,596 --> 00:02:02,310
If I take a look at the CPU

48
00:02:02,310 --> 00:02:04,231
and RAM specs here in this column,

49
00:02:04,231 --> 00:02:07,530
these might be too low for this user.

50
00:02:07,530 --> 00:02:09,510
I can drill into this specific device

51
00:02:09,510 --> 00:02:12,077
for more details on its user experience,

52
00:02:12,077 --> 00:02:16,380
and we can see it's
consistently spiking over time.

53
00:02:16,380 --> 00:02:18,180
And I can use this information then

54
00:02:18,180 --> 00:02:20,970
to increase the Cloud PC spec.

55
00:02:20,970 --> 00:02:23,160
This is a great example
of getting ahead of issues

56
00:02:23,160 --> 00:02:24,990
with proactive analytics.

57
00:02:24,990 --> 00:02:27,840
And beyond that, I can
also do on-demand analytics

58
00:02:27,840 --> 00:02:29,910
using multi-device query.

59
00:02:29,910 --> 00:02:31,560
This goes beyond the
single device querying

60
00:02:31,560 --> 00:02:33,840
that you might have used in CMPivot.

61
00:02:33,840 --> 00:02:36,810
It allows you to query multiple
devices, across platforms,

62
00:02:36,810 --> 00:02:39,990
from iOS and Android,
to macOS and Windows,

63
00:02:39,990 --> 00:02:42,750
and is great for querying
thousands of devices,

64
00:02:42,750 --> 00:02:44,490
based on their attributes.

65
00:02:44,490 --> 00:02:46,890
For example, let's say I
want to update a policy

66
00:02:46,890 --> 00:02:50,700
for personally-owned devices
enrolled last year or earlier

67
00:02:50,700 --> 00:02:52,850
that are currently noncompliant.

68
00:02:52,850 --> 00:02:55,500
That's where multi-device query comes in.

69
00:02:55,500 --> 00:02:58,680
I'm at the All Devices
level and in Device Query.

70
00:02:58,680 --> 00:03:01,200
And you can see that there
are cross-device options

71
00:03:01,200 --> 00:03:03,453
for several different property categories.

72
00:03:04,290 --> 00:03:07,140
And by expanding the Device property set,

73
00:03:07,140 --> 00:03:10,320
I can see a ton of options for devices.

74
00:03:10,320 --> 00:03:12,780
So, I'm going to write
the query, "Device."

75
00:03:12,780 --> 00:03:16,189
Then add a condition
for enrolled date/time

76
00:03:16,189 --> 00:03:18,630
using this "Where" clause

77
00:03:18,630 --> 00:03:21,123
to find devices enrolled
prior to this date.

78
00:03:22,050 --> 00:03:25,950
Now I'll type in another for
"personal" device ownership

79
00:03:25,950 --> 00:03:28,953
and then one more to find
"noncompliant" devices.

80
00:03:29,790 --> 00:03:31,590
Let's go ahead and run it.

81
00:03:31,590 --> 00:03:34,470
And here are all of my results.

82
00:03:34,470 --> 00:03:37,050
You'll see that they span
across all OS platforms

83
00:03:37,050 --> 00:03:40,290
with macOS, Windows, Android, and iOS

84
00:03:40,290 --> 00:03:43,140
from a variety of manufacturers.

85
00:03:43,140 --> 00:03:44,730
Then if I scroll to the right,

86
00:03:44,730 --> 00:03:47,610
you can see our Enrolled Date field.

87
00:03:47,610 --> 00:03:51,480
Then a few over from there,
you see the Ownership

88
00:03:51,480 --> 00:03:54,333
and Compliance info as queried as well.

89
00:03:55,170 --> 00:03:58,290
Multi-device query uses
information that refreshes daily

90
00:03:58,290 --> 00:04:00,450
for online managed devices.

91
00:04:00,450 --> 00:04:03,960
And importantly, if you aren't
fluent in KQL, that's okay,

92
00:04:03,960 --> 00:04:06,660
because using Copilot in
Intune, it can help you author

93
00:04:06,660 --> 00:04:09,780
both multi- and single-device queries.

94
00:04:09,780 --> 00:04:11,937
So I'll open up "Query with Copilot."

95
00:04:12,810 --> 00:04:16,140
Then I'll prompt it with
"Find personally owned devices

96
00:04:16,140 --> 00:04:19,950
enrolled last year or earlier
that are noncompliant."

97
00:04:19,950 --> 00:04:22,260
That will take a moment to process,

98
00:04:22,260 --> 00:04:24,120
and once it returns a response,

99
00:04:24,120 --> 00:04:26,554
I can see the details of the query.

100
00:04:26,554 --> 00:04:28,500
You'll see that the
datetime syntax here is

101
00:04:28,500 --> 00:04:30,570
a little different than mine from before,

102
00:04:30,570 --> 00:04:32,490
but both work the same.

103
00:04:32,490 --> 00:04:34,680
From here, I can even run it.

104
00:04:34,680 --> 00:04:37,950
And it's outputted the same
list of devices as before

105
00:04:37,950 --> 00:04:41,400
without me needing to know
how to write the KQL for it.

106
00:04:41,400 --> 00:04:43,140
That's multi-device query.

107
00:04:43,140 --> 00:04:46,170
Now for single devices you can
also query them individually

108
00:04:46,170 --> 00:04:47,760
using Device Query,

109
00:04:47,760 --> 00:04:49,530
and a big difference
is that the information

110
00:04:49,530 --> 00:04:51,510
that you're querying is real-time

111
00:04:51,510 --> 00:04:53,580
and there's more granularity available,

112
00:04:53,580 --> 00:04:56,237
so it's great for
troubleshooting a single device.

113
00:04:56,237 --> 00:04:57,720
From the devices view,

114
00:04:57,720 --> 00:04:59,970
this time I'll navigate
to a single device,

115
00:04:59,970 --> 00:05:01,721
this one, JOBA DQ.

116
00:05:01,721 --> 00:05:05,640
Then at the bottom under
Monitor, you'll see Device query.

117
00:05:05,640 --> 00:05:07,122
So I'll open that.

118
00:05:07,122 --> 00:05:10,650
As you can see, this looks a
lot like the multi-device query

119
00:05:10,650 --> 00:05:14,389
that we just saw, and it
uses the same KQL interface.

120
00:05:14,389 --> 00:05:16,920
What's great about Single Device query is

121
00:05:16,920 --> 00:05:18,260
that you can also query all

122
00:05:18,260 --> 00:05:20,541
of the currently running processes

123
00:05:20,541 --> 00:05:24,240
and you have a lot more
Windows-related options for drivers,

124
00:05:24,240 --> 00:05:27,900
events, querying the
registry, services and more.

125
00:05:27,900 --> 00:05:29,520
In my case, I'll just run "Process"

126
00:05:29,520 --> 00:05:32,670
to enumerate what's
running on this machine.

127
00:05:32,670 --> 00:05:35,070
And it returns all of
the running processes.

128
00:05:35,070 --> 00:05:38,460
And again these are
reporting back in real time,

129
00:05:38,460 --> 00:05:41,220
kind of like Task Manager
or Process Monitor would do

130
00:05:41,220 --> 00:05:43,170
running locally in Windows,

131
00:05:43,170 --> 00:05:45,780
but it's right here in
the Intune admin center.

132
00:05:45,780 --> 00:05:46,770
Next, let's move on

133
00:05:46,770 --> 00:05:49,329
to how data-driven management
gets even more powerful

134
00:05:49,329 --> 00:05:51,870
when addressing security vulnerabilities.

135
00:05:51,870 --> 00:05:53,010
For this, I'm going to use

136
00:05:53,010 --> 00:05:55,950
the new Vulnerability Remediation Agent

137
00:05:55,950 --> 00:05:57,363
with Copilot in Intune.

138
00:05:58,560 --> 00:06:00,150
But, instead of starting in Intune,

139
00:06:00,150 --> 00:06:01,800
I'll start in Microsoft Defender.

140
00:06:01,800 --> 00:06:02,633
But don't worry,

141
00:06:02,633 --> 00:06:04,830
if you're not the person
who typically uses Defender,

142
00:06:04,830 --> 00:06:07,402
that's okay, and I'll
show you why in a minute.

143
00:06:07,402 --> 00:06:10,410
I'm in Exposure Management
and Recommendations

144
00:06:10,410 --> 00:06:13,020
and the Vulnerabilities view for devices,

145
00:06:13,020 --> 00:06:15,510
and in the Security recommendations
list at the bottom here,

146
00:06:15,510 --> 00:06:16,920
I can see a few actions

147
00:06:16,920 --> 00:06:20,430
that my device management
team would need to take.

148
00:06:20,430 --> 00:06:21,263
This one here

149
00:06:21,263 --> 00:06:24,960
for the Relecloud sync client
looks like it needs an update.

150
00:06:24,960 --> 00:06:25,860
The impact is high,

151
00:06:25,860 --> 00:06:27,900
and there are quite a few exposed devices,

152
00:06:27,900 --> 00:06:30,240
and some of them are critical.

153
00:06:30,240 --> 00:06:33,538
If I click into it, I can
see even more details.

154
00:06:33,538 --> 00:06:35,804
And in the Exposed devices tab,

155
00:06:35,804 --> 00:06:38,880
the three on top are "critical."

156
00:06:38,880 --> 00:06:41,190
Moving to the Associated CVEs tab,

157
00:06:41,190 --> 00:06:43,980
I see that there are 49
known vulnerabilities

158
00:06:43,980 --> 00:06:45,780
associated with this app.

159
00:06:45,780 --> 00:06:46,613
As you can see,

160
00:06:46,613 --> 00:06:48,600
it's pretty important that
we deploy this update.

161
00:06:48,600 --> 00:06:50,490
So how does this visibility translate

162
00:06:50,490 --> 00:06:52,110
into the Intune admin center

163
00:06:52,110 --> 00:06:54,420
that I use for endpoint management?

164
00:06:54,420 --> 00:06:55,253
Well, that's where

165
00:06:55,253 --> 00:06:58,243
the new Vulnerability
Remediation Agent comes in.

166
00:06:58,243 --> 00:07:01,317
I can access it from Intune's home screen.

167
00:07:01,317 --> 00:07:04,200
That takes me to the
Endpoint security blade

168
00:07:04,200 --> 00:07:05,823
in the Agent overview tab.

169
00:07:06,660 --> 00:07:09,360
Now I've already deployed
this agent to run daily

170
00:07:09,360 --> 00:07:10,590
and look for vulnerabilities

171
00:07:10,590 --> 00:07:13,091
and prioritize them for remediation.

172
00:07:13,091 --> 00:07:15,240
It looks like there is a run in progress

173
00:07:15,240 --> 00:07:16,800
that was just kicked off.

174
00:07:16,800 --> 00:07:18,360
Now the agent run takes a few minutes

175
00:07:18,360 --> 00:07:20,220
to process all the vulnerabilities

176
00:07:20,220 --> 00:07:22,912
and to find matching impacted devices.

177
00:07:22,912 --> 00:07:27,210
Once the run is complete,
I can see its suggestions.

178
00:07:27,210 --> 00:07:29,310
And you'll see that the
top suggestion matches

179
00:07:29,310 --> 00:07:32,160
what we saw earlier in Microsoft Defender.

180
00:07:32,160 --> 00:07:34,020
So I'll review it for additional details

181
00:07:34,020 --> 00:07:35,553
about its evaluation.

182
00:07:36,540 --> 00:07:38,610
Now on top, there's a suggested action.

183
00:07:38,610 --> 00:07:40,110
Again, this is consistent

184
00:07:40,110 --> 00:07:42,150
with what we saw in Defender before,

185
00:07:42,150 --> 00:07:45,030
except now I can actually
do something about it myself

186
00:07:45,030 --> 00:07:47,520
and deploy the fix right from Intune.

187
00:07:47,520 --> 00:07:50,490
That also means that any
action the agent recommends

188
00:07:50,490 --> 00:07:53,730
also requires approval
from an Intune admin.

189
00:07:53,730 --> 00:07:56,190
This is the first of its
kind agent for Intune

190
00:07:56,190 --> 00:07:57,390
with more on the way.

191
00:07:57,390 --> 00:07:59,130
And for more data-driven management,

192
00:07:59,130 --> 00:08:00,990
Copilot in Intune with its capabilities

193
00:08:00,990 --> 00:08:03,630
across the admin center can save you time

194
00:08:03,630 --> 00:08:05,340
with other common daily tasks.

195
00:08:05,340 --> 00:08:06,540
Beyond what I showed earlier,

196
00:08:06,540 --> 00:08:08,880
where it helped me author KQL queries,

197
00:08:08,880 --> 00:08:11,730
Copilot also gives you the
information needed to manage

198
00:08:11,730 --> 00:08:14,880
and troubleshoot your
configuration policies and devices.

199
00:08:14,880 --> 00:08:17,040
First, in policies, you can use Copilot

200
00:08:17,040 --> 00:08:19,242
to assess the impact of a policy

201
00:08:19,242 --> 00:08:22,486
and the settings contained within it.

202
00:08:22,486 --> 00:08:24,360
And for individual settings,

203
00:08:24,360 --> 00:08:26,580
Copilot can tell you what each one does

204
00:08:26,580 --> 00:08:28,431
with a lot of detail.

205
00:08:28,431 --> 00:08:30,780
It can analyze individual devices

206
00:08:30,780 --> 00:08:32,520
and identify potential issues,

207
00:08:32,520 --> 00:08:35,835
based on what's configured
and running on each device.

208
00:08:35,835 --> 00:08:37,590
In the prompt guide menu,

209
00:08:37,590 --> 00:08:41,280
I can find even more
options to use with Copilot.

210
00:08:41,280 --> 00:08:43,200
In fact, one of my
favorite capabilities is

211
00:08:43,200 --> 00:08:44,730
when you have two similar devices,

212
00:08:44,730 --> 00:08:46,920
but only one has an issue.

213
00:08:46,920 --> 00:08:49,949
In this case, Copilot can
compare each device configuration

214
00:08:49,949 --> 00:08:52,440
and figure out the
differences between them

215
00:08:52,440 --> 00:08:55,470
to help you to isolate potential issues.

216
00:08:55,470 --> 00:08:57,480
Copilot also gives you general help

217
00:08:57,480 --> 00:09:00,150
when looking up error
codes to understand them.

218
00:09:00,150 --> 00:09:01,830
Additionally, for Endpoint Security,

219
00:09:01,830 --> 00:09:04,920
you can also use Copilot with
Endpoint Privilege Management

220
00:09:04,920 --> 00:09:06,877
to identify potential app risks

221
00:09:06,877 --> 00:09:10,825
and get details about why
an app may be compromised.

222
00:09:10,825 --> 00:09:12,660
And for your Surface devices,

223
00:09:12,660 --> 00:09:14,460
from the Surface Management Portal,

224
00:09:14,460 --> 00:09:18,630
Copilot can be used to quickly
generate device insights.

225
00:09:18,630 --> 00:09:20,250
So that's how integrated device

226
00:09:20,250 --> 00:09:22,680
and security data in Microsoft Intune

227
00:09:22,680 --> 00:09:25,230
helps you make informed
data-driven decisions

228
00:09:25,230 --> 00:09:27,750
to keep your devices running, secure,

229
00:09:27,750 --> 00:09:30,464
and compliant with the policies you set.

230
00:09:30,464 --> 00:09:34,977
To find out more, check
out aka.ms/CopilotinIntune

231
00:09:34,977 --> 00:09:39,810
and aka.ms/DeviceQueryinIntune
to see what else it can do.

232
00:09:39,810 --> 00:09:41,340
Keep watching Microsoft Mechanics

233
00:09:41,340 --> 00:09:43,294
for the latest updates from Microsoft,

234
00:09:43,294 --> 00:09:45,211
and we'll see you soon.

