Mon - Fri 08.00 - 18.00

 +41 21 806 37 15 

sales@lambertconsulting.ch

Menu

Microsoft Endpoint Manager

/ / / / / / /

Initial situation

Our customer, a transport company with 1,400 users, had identified opportunities for technological improvement before working with us. They were using a telephony solution that had reached its limits, a document management platform that required security updates, and messaging and file storage services that could benefit from reliability enhancements. In addition, their Microsoft Office suite needed updating, and the device deployment process could be optimized. These challenges had an impact on team collaboration and raised security issues.

Goal

Our customer was aiming for a hybrid implementation of M365 to leverage both cloud and their existing infrastructure. This hybrid model was conceived as a stepping stone to a full migration , while retaining key elements such as Active Directory on their existing OnPrem infrastructure.

Concept

 

Step 1: Identity management

The first step involved implementing a directory synchronization solution. This solution enabled our customer's employees to use a single login and password for all M365 applications. All identity changes were made locally before being synchronized with the Cloud Entra ID / Azure AD service. This also strengthened security and facilitated password management.
As part of this crucial step, our approach to digital transformation included the deployment of a robust hybrid identity based onAD, ADFS federation, and Entra ID / . Azure AD. This integration provided not only a basic configuration, but also advanced functionalities such as :

  • Identity Protection
  • Privileged Identity Management (PIM)
  • Access reviews


These components ofAzure AD / Entra ID P2 have been carefully configured to identify potential risks, limit privilege rights over time, and force regular review of rights, thus reducing the attack surface. During the workshops, we took a closer look at the implementation of these functions to meet the specific needs of the project.

 

Step 2: Patch management and device management

We have defined a complete patch management strategy managed via Intune (Microsoft Endpoint Manager) at Co-management with System Center (SCCM). This single interface supported all security and functionality updates for Windows 10/11 and iOS & Android mobile devices.

Autopilot & Device Management

AutoPilot was the solution adopted for the initial deployment of the workstations. It enabled secure, rapid configuration without manual intervention, thus reducing deployment time.

 

Step 4: Microsoft Teams

Following stability problems with their previous system, our customer decided to migrate to Microsoft Teams. This step also saw the replacement of the Zoom product for videoconferencing management.

Note: We won't go into more detail on this point, as we've already published several migration projects on Teams on our website (including telephony).

 

Step 5: Migration Exchange and archiving solution

In this phase, we began with an in-depth analysis of requirements, dependencies and the current state of the infrastructure. This detailed analysis was crucial in developing the target architecture and defining the methods for migration. The aim was to guarantee flexibility during the transition phase, while facilitating the management of batches of migration.
For this migration, we opted for the official Microsoft method: the establishment of hybrid mode Exchange. This approach involves a federation between Exchange OnPrem and Online, sharing the same mail domain names. This decision had several significant advantages: it avoided the purchase of costly licenses for third-party tools, it ensured a smooth transition for internal applications that use e-mail (such as faxes, scanners, alert systems, and business software), and it simplified support by having a single point of contact, namely Microsoft, in the event of problems during migration.

In short, this approach has enabled a smoother migration , continuity of operations for in-house applications, and simplified support management while saving on licensing costs.

 

Step 6: SharePoint

As the future EDM system, SharePoint Online was adopted to replace Alfresco, offering a more modern and flexible solution.
We organized a workshop with Alfresco administrators, and key users, to understand the existing document library structure, discuss the proposed migration method in detail, and present the final structure in SharePoint Online.
The gradual migration of sites, as well as communication to users, was carried out by the customer's internal teams with the help of the pilot procedure and support from our team.

 

Step 7: OneDrive

A procedure and best practices have been provided to users for migration data from Dropbox to OneDrive.

 

Step 8: Decommissioning old solutions

The final step was the removal of the OnPrem solutions, which were migrated, thus optimizing the infrastructure.

Challenge:
A crucial component of our success in our customer's digital transformation was our strategic approach to change management. We are convinced that the transition to Microsoft 365 solutions must be accompanied by effective change management to ensure the successful adoption of these new technologies.
To achieve this, we recommended the use of the Prosci ADKAR™ method and worked closely with internal teams. Together, we organized a workshop to share best practices and prepare for change management related to Microsoft 365 solutions. This initiative strengthened employee commitment and contributed to a smooth transition to the new infrastructure.

Result

After the full implementation of the project, our customer observed a noticeable improvement in the stability and security of its systems. Team collaboration became more fluid thanks to the integration of Microsoft Teams and other M365 tools. Device deployment time was reduced, and password management simplified. Security challenges have been addressed, with greater control over corporate data.

Project methodology and quality assurance

Quality assurance is guaranteed by PMI-compliant project management and the use of specific tools by our staff. In particular, we have used:

  • Clearly described business processes.
  • A certified project methodology (Microsoft Sure Step) describing all the deliverables (mandatory and optional) required for project implementation.
  • An internal methodology based on the use of WBS (Work Breakdown Structure).
  • Project document management (Extranet).
  • Project management using Microsoft Project.

We share your challenges, we accompany your changes

If you have a question or a suggestion, we are at your disposal to answer it by email or by phone.

+41 21 806 37 15
info@lambertconsulting.ch

Sign up

Receive notifications about our latest projects

*Only professional emails can be subscribed to this newsletter

/ / /

Initial situation

Our customer, like many others, allows its users to use iMac and iPad for daily tasks. Any kind of application installation or change has to be done manually on each device. This individual management poses problems in terms of time, tracking and security.

Goal

The client's goal was to improve the security of administrator passwords.

Concept

After a thorough assessment of our customer's needs, we recommended the implementation of Microsoft Intune LAPS to improve the management and security of local administrator passwords. Here's how this solution helped their IT team:

  1. Enabling LAPS with Microsoft Intune : We enabled LAPS by configuring the appropriate policies in Microsoft Intune. This allowed us to deploy LAPS settings on all Windows devices in the company.
  2. Automatic password generation and rotation: Thanks to LAPS, local administrator passwords were now automatically generated and securely stored in Active Directory. Regular password rotation was programmed to reinforce security.
  3. Secure password access via Intune: IT staff could access local administrator passwords generated via the Microsoft console Intune. This eliminated insecure password sharing and reduced the risk of administrative accounts being compromised.
  4. Centralized monitoring and auditing: Intune provided monitoring and tracking capabilities for local administrator passwords. The IT team could check the status of password rotation and perform audits to ensure that security best practices were being followed.

Result

With the implementation of Microsoft Intune LAPS, our client has seen several significant improvements:

  1. Enhanced security: Local administrator passwords were now unique, complex and regularly updated, reducing the risk of accounts being compromised.
  2. Simplified management: The IT team has benefited from centralized password management via Intune, which has simplified administrative account management operations.
  3. Reduction of human errors: With automatic password generation and scheduled rotation, human errors related to manual password management have been significantly reduced.
  4. Compliance and Reporting: Intune has enabled password compliance reporting and provided documentation for security audits.

With Microsoft Intune LAPS, our customer was able to improve the security of local administrator passwords, reduce the risk of compromise, and simplify the management of their IT estate. The IT team became more efficient and was able to focus on other critical tasks knowing that the administrator passwords were secure.

We share your challenges, we accompany your changes

If you have a question or a suggestion, we are at your disposal to answer it by email or by phone.

+41 21 806 37 15
info@lambertconsulting.ch

Sign up

Receive notifications about our latest projects

*Only professional emails can be subscribed to this newsletter

/ / /

Initial situation

Our client like many others allows its users to use iMac and iPad for daily tasks. All types of application installation or changes must be done manually on each device. This individual management poses a problem in terms of time, tracking and security.

Goal

The client's objectives were to be able to access enterprise applications and data, secure access to their devices, distribute different applications and OS versions, and have an inventory of their devices.

Concept

We have set up Microsoft Azure, Microsoft Endpoint Manager (Intune), and Apple Business Manager.

Apple Business Manager is a service provided by Apple that enables you to deploy Apple devices and applications in your organization. By leveraging Apple Business Manager (ABM), you can automatically enroll devices in Microsoft Endpoint Manager (Intune) using Automated Device Enrollment (ADE). In other words, it provides similar functionality to that provided by Windows Autopilot for enrolling devices Windows.

We have integrated Apple Business Manager (ABM) with Azure Active DirectoryWe have integrated Apple Business Manager (ABM) with Azure AD to authenticate to ABM using an account. We also set up the synchronization of Azure AD accounts with ABM, which will be managed Apple IDs from then on.

This is a first step to fully integrate ABM with Microsoft Endpoint Manager/Intune, so that we can perform automatic enrollment of macOS/iOS/iPadOS devices.

 Here is a Macroscopic view of the integration of the different components for this project

 Preparation

    • D-U-N-S number
    • Checking the contacts
    • Creation of various accounts

Enrollment

ABM configuration

    • Checking the domain
    • Configure and enable federation between Azure and Apple
    • Authentication test

Configuration of the synchronization between Azure AD and ABM

Result

  • Automated Device Registration (ADR):

The customer can easily enroll a large number of Apple devices (iPhone, iPad, MacBook, etc.) without the IT administrator ever touching the devices. When the organization orders Apple devices from a participating reseller (or Apple itself or a mobile operator), the devices can be immediately added to ABM by the reseller. When a connection is created between Microsoft Intune and ABM, the IT administrator can synchronize these devices automatically and assign an enrollment profile to these devices. This allows the organization to order these Apple devices and simply ship them directly to users. When these devices arrive to users, they can simply turn on their device and the out-of-the-box experience will guide them through the enrollment process.

  • Supervision:

The customer now has a global view of all his Apple devices. The management and supervision of devices, users, applications and configuration is now done centrally

  • Volume Purchase Program (VPP):

The customer now has the ability to purchase multiple licenses for an application to be used on Apple devices (iPhone, iPad, MacBook, etc.). Application purchase information can be synchronized with Microsoft Intune, which will help track usage. This helps to effectively manage apps within the organization and control app spending.

  • Managed Apple ID:

Managed Apple IDs are similar to Apple IDs, except that they are owned and managed by the customer. With ABM, an organization can create and manage these accounts on a large scale for users requiring administrative access to ABM. It eliminates the need for personal accounts for work and creates credentials in bulk.

We share your challenges, we accompany your changes

If you have a question or a suggestion, we are at your disposal to answer it by email or by phone.

+41 21 806 37 15
info@lambertconsulting.ch

Sign up

Receive notifications about our latest projects

*Only professional emails can be subscribed to this newsletter

/ / /

Initial State

The process of migrating over from an On-Premise SCCM /MECM infrastructure to Intune/MEM for Modern Workplace Management can be quite a huge task depending on your current MECM infrastructure and also specific roles in which it plays.

We find that Co-Management or other hybrid type solutions are indeed a great way to have the best of both worlds but our client wanted to move completely away from on-premise solution. MEM with Autopilot Azure Join only was our recommendation.

Goal

  • Streamline workstation management for all sites (800 Windows devices)
  • Enable Windows 10 deployment and ensure provision of Builds (Feature Updates) to all stations
  • Supply windows devices, application deployment and update management installation services throughout all remote sites
  • Automate service requests
  • Remove MECM heavy IT workload.

Solution

Windows 10 delivery: we provided MEM Autopilot Azure Join as a staging solution. We worked together with the devices vendor to integrate all the devices into MEM without any IT touch.

Security: to align and deliver all the security baseline that Microsoft Defender for Endpoint points out during the initial device scan, we used MEM and its built-in security baselines in addition with the security profiles and settings that we can use.

Conditional Access: part of the security tools we need to mention this feature. It helps to maintain the production app accessible only from a secure place / device.

Printing: Printing can be tricky with no dedicated print server, as part of the project we used Universal Print. Universal Print is a modern printing solution that organizations can use to manage their printing infrastructure through Microsoft cloud services. This new integrated service runs entirely on your Azure Active Directory (AAD). When deployed with printers compatible with Universal Print, it does not require any local infrastructure.

Benefits

Our client needed a solution that could bring a greater convenience to their employees without compromising security. With Microsoft Intune, they got a comprehensive and secure platform that optimizes user experience without draining their IT resources.

We share your challenges, we accompany your changes

If you have a question or a suggestion, we are at your disposal to answer it by email or by phone.

+41 21 806 37 15
info@lambertconsulting.ch

Sign up

Receive notifications about our latest projects

*Only professional emails can be subscribed to this newsletter

/ /

Initial situation

Our client had an aging IT asset management system using MDT (Microsoft Deployment Toolkit), and wanted to modernize the management and deployment of approximately 200 PCs and Macs. With Microsoft 365 E3 licenses and wanting to move into the Cloud world, our client turned to the "Modern IT Management" strategy using Intune (Microsoft Endpoint Manager)

Goal

Keep their machines in their local domain while using the power ofIntune to deploy Windows 10, manage Microsoft updates, deploy software, manage security settings.

Concept

We have installed the Azure AD connector so thatIntune can communicate with the local domain.

Created profiles and settings needed in Intune to deploy machines under Windows 10 in Hybrid mode Azure AD .

Used AutoPilot White Glove to deploy machines in Windows 10. This frees up IT support as there are almost no tasks to be done manually.

Proposed and implemented a way to manage Windows 10 updates (Quality and Feature Updates).

Supported and assisted in managing the business software so that it could be deployed with Intune. The client took advantage of deploying the Office 365 suite and configuring OneDrive with the redirection of Known Folders through Intune policies.

Result

Our client can now manage their IT assets through Microsoft Endpoint Manager (Intune). The IT teams can control the deployment of software, updates, security settings of all their machines (PC, Mac) whether they are connected in their network or anywhere in the world.

IT support no longer has to perform all the repetitive and tedious tasks of a traditional Windows 10 deployment because almost all of these tasks are now automated.

We share your challenges, we accompany your changes

If you have a question or a suggestion, we are at your disposal to answer it by email or by phone.

+41 21 806 37 15
info@lambertconsulting.ch

Sign up

Receive notifications about our latest projects

*Only professional emails can be subscribed to this newsletter