Windows Desktop

Overview

glueckkanja-gab (GKGAB) delivers standardized processes for managing Windows devices (Managed Windows Desktop). With the use of the Windows device management service, tasks are performed by a dedicated team of experienced engineers from initial request to delivery.

Managed Windows Desktop is a cloud-based service that combines Microsoft 365 Enterprise (including Windows 10 Enterprise and Office 365 Enterprise) and adds these functionalities:

  • Provisioning of user devices
  • IT service management and operations
  • Security monitoring and response

With the use of the Client Module, tasks are performed by a dedicated team of experienced engineers from initial request to delivery.

Cost base

Service costs for this Module are calculated based on the customer's active user count. The number of active users equals the number of Microsoft 365 user subscriptions and is predefined between the parties.

Standard services and tasks

The following section lists the standard tasks and services included in the service.

Device Service

Inventory

All devices are tracked in the admin portal for inventory and status tracking once the device is available in Autopilot.

Firmware Update

By default, Windows Desktop devices receive firmware and driver updates from Windows Update. If the firmware for a device cannot be provided through Windows Update, the service provider offers the option of delivering the firmware update via RealmJoin for a limited set of devices. If a device is not on the list, a service request can be raised. The following information must be included:

  • Vendor and Model
  • A RealmJoin user who already uses this machine (to identify the model, this user's RealmJoin PublishState ComputerSystem_Information is needed)
  • The link to the firmware updates available for download
  • The number of expected machines

Lenovo

  • 2013 Models
    • ThinkPad T440, T440
      • SKUs: 20B6, 20B7, 20AQ, 20AR
    • ThinkPad T440p
      • SKUs: 20AN, 20AW
    • ThinkCentre M83
      • SKUs: 10AG, 10AH
  • 2015 Models
    • ThinkPad X250
      • SKUs: 20CL, 20CM
    • ThinkCentre M800
      • SKUs: 10FV, 10FW, 10FX, 10FY
  • 2016 Models
    • ThinkPad T460s
      • SKUs: 20F9, 20FA
    • ThinkPad T460
      • SKUs: 20FM, 20FN
    • ThinkPad T560 (20FH, 20FJ) & ThinkPad P50s (20FK, 20FL)
      • SKUs: 20FH, 20FJ, 20FK, 20FL
    • ThinkPad X1 Yoga (20FQ, 20FR) & ThinkPad X1 Carbon 4th (20FB, 20FC)
      • SKUs: 20FQ, 20FR, 20FB, 20FC
    • ThinkPad X1 Tablet
      • SKUs: 20GG, 20GH
    • ThinkPad X260
      • SKUs: 20F5, 20F6
  • 2017 Models
    • ThinkPad T470
      • SKUs: 20HD, 20HE
    • ThinkPad T470s
      • SKUs: 20HF, 20HG, 20JT, 20JS
    • ThinkPad T570
      • SKUs: 20JW, 20JX, 20H9, 20HA
    • ThinkPad X1 Tablet 2nd Gen
      • SKUs: 20JB, 20JC
    • ThinkPad X270
      • SKUs: 20HM, 20HN, 20K5, 20K6
    • ThinkPad X380 Yoga
      • SKUs: 20LJ, 20LH
    • ThinkCentre M710q (10MQ/M1AKT2AA)
      • SKUs: 10MQ
    • ThinkCentre M710s (10M8/M16KT41A)
      • SKUs: 10M8
  • 2018 Models
    • ThinkCentre M720q - M720s
      • SKUs: 10T8, 10SU
    • ThinkPad L480
      • SKUs: 20LT, 20LS
    • ThinkPad T480
      • SKUs: 20L5, 20L6
    • ThinkPad T480s
      • SKUs: 20L7, 20L8
    • ThinkPad T580
      • SKUs: 20L9, 20LA
    • ThinkPad X280
      • SKUs: 20KF, 20KE
    • ThinkPad X1 Yoga 4th Gen
      • SKUs: 20QF, 20QG, 20QD, 20QE
    • ThinkPad X1 Tablet 3rd Gen
      • SKUs: 20KJ, 20KK
  • 2019 Models
    • ThinkCentre M715q
      • SKUs: 10VG, 10VH
    • ThinkCentre M725s
      • SKUs: 10VT, 10VU
    • ThinkPad L490, L590
      • SKUs: 20Q5, 20Q6, 20Q7, 20Q8
    • ThinkPad P53, P73
      • SKUs: 20QN, 20QQ, 20QR, 20QS
    • ThinkPad T495
      • SKUs: 20NJ, 20NK
    • ThinkPad X390 Yoga
      • SKUs: 20NN, 20NQ
  • 2020 Models
    • ThinkPad P1 Gen 3
      • SKUs: 20TH, 20TJ, 20TK, 20TL

Dell

  • Latitude E6440
  • Latitude E6540
  • Latitude E7440
  • Precision M4800
  • Latitude E7450
  • XPS 13 9350
  • XPS 15 9550
  • Inspiron 5368
  • Inspiron 5568
  • Inspiron 7368
  • Inspiron 7569
  • Inspiron 7778
  • XPS 15 9560
  • Latitude 5280
  • Latitude 5288
  • Latitude 5480
  • Latitude 5488
  • Latitude 5500
  • Latitude 5510
  • Latitude 5580
  • Latitude 5285
  • Latitude 7200 2-in-1
  • Latitude 7210 2-in-1
  • Latitude 7400
  • Latitude 7410
  • Precision 7740
  • Precision 7750
  • Precision 3520
  • OptiPlex 3060
  • Latitude 5300
  • OptiPlex 3070
  • Precision 5820 Tower

Hewlett-Packard

  • HP EliteBook 840 G7 Notebook PC
  • HP Elite X2 G4

Device setup (enrollment)

Windows Autopilot simplifies the enrollment of devices. With Microsoft Intune and Windows Autopilot, there is no need to build, maintain and apply custom operating system images. The service provider supports the customer in changing the enrollment process. Enrolling devices without Autopilot and pre-registration requires prior agreement and approval of the provider.

Device setup (OneDrive for Business)

The service provider supports the customer in setting up the configuration of OneDrive on Windows devices. The methods available in Microsoft Endpoint Manager are used for this purpose.

Device setup (Application installation)

The applications are installed on the devices with RealmJoin.

Device Support

The Local Administrator Password Solution (LAPS) addresses the risk of using an identical local administrator account with the same password on every Windows computer in a domain environment. On its own, LAPS creates a randomly generated password for a local admin account. With RealmJoin it is possible to manage secure and individualized administrative accounts, for either local or remote support, at scale. RealmJoin stores the encrypted passwords in an Azure Key Vault within the customer's tenant, and Azure audit logging records every access to these passwords. The service provider supports the customer in maintaining the LAPS configuration. Third-party solutions cannot be supported. Exceptions must be discussed in advance.

Remote Support Tool

The RealmJoin Enterprise License contains a single session license of the remote desktop tool AnyDesk. It allows access to client devices including the option to elevate rights by using the RealmJoin LAPS feature. AnyDesk can be installed on Windows and macOS. AnyDesk uses ID numbers to establish connections between two computers. Share your ID number with another user (this user needs AnyDesk as well). This user must enter the ID number in the AnyDesk menu. When you accept the request, the other user will have access to your desktop. RealmJoin skips the whole ID number sharing process because every AnyDesk ID number in an organization is linked to a single user. An Administrator just needs to know the user and can request access to the desktop. However, the user must be able to accept this request. Additional AnyDesk sessions can be purchased separately if no other tool is available.

Device configuration

Security baseline configuration

The service provider supports the customer with a recommendation for the security baseline configuration and in maintaining, modifying and developing it. Comprehensive security consulting, monitoring, and further development can be provided by the Cloud Security Operation Center of glueckkanja-gab. This is available as a separate managed service and cooperates with the Managed Workplace Team.

Update

Windows Update for Business is used to perform gradual deployment of Windows updates.

Device compliance

These policies are configured for all Windows Desktop devices. A device is reported as non-compliant when it drifts from our required security compliance baseline.

Device security

Comprehensive security consulting, monitoring and further development can be provided by the Cloud Security Operation Center of glueckkanja-gab. This is available as a separate managed service and cooperates with the Managed Workplace Team.

Antivirus

The Microsoft Defender Antivirus client is installed and configured on all devices. The Microsoft Defender Antivirus definitions are always kept up to date. The service provider supports the customer with the deployment of updated Microsoft Defender Antivirus definitions.

Full Volume Encryption

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

Operating system updates

Windows devices are always secured with the latest security updates. The service provider supports the customer with the deployment of these security updates.

Biometric Authentication

Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary prerequisites in their on-premises Active Directory for use of this service in a hybrid configuration.

Standard user permission

To protect the system and make it more secure, the user will be assigned standard user permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.

Network Connectivity

In Microsoft Intune, you can add third-party certificate authorities (CA), and have these CAs issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). SCEPman is a fully unattended Certificate Authority using Azure Key Vault for Microsoft Intune-based certificate deployment. SCEPman is an Azure WebApp providing the SCEP and Intune API, using Azure Key Vault-based RootCA and certificate signing. SCEPman is licensed for all Managed Workplace users.

Windows Updates

Update management

Windows Update for Business (WUfB) helps you to keep Windows 10 devices up to date by connecting them directly to Windows Update Service. Additionally, you can control when updates are applied for users or devices, and you can defer or pause the installation of updates for a set period.

Managed Desktop uses four Azure AD groups to manage updates:

  • Semi-Annual Channel Fast
    • Feature Deferral 5 days
    • Quality Deferral 1 day
  • Semi-Annual Channel Broad 1
    • Feature Deferral 30 days
    • Quality Deferral 2 days
  • Semi-Annual Channel Broad 2
    • Feature Deferral 45 days
    • Quality Deferral 3 days
  • Semi-Annual Channel Broad 3
    • Feature Deferral 60 days
    • Quality Deferral 3 days
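The four rings above, expressed as Intune update-ring profiles created through Microsoft Graph, plus the emergency pause that the next section describes. This is an added example, not GKGAB's or RealmJoin's own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that the `<GROUP-ID-...>` placeholders are replaced with the tenant's own Azure AD group IDs.

```powershell
# Added example: create the Managed Desktop update rings in Intune via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Ring definitions taken from the service description (deferrals in days).
# Group IDs are placeholders and must be replaced with the tenant's own values.
$rings = @(
    @{ Name = "Semi-Annual Channel Fast";    Feature = 5;  Quality = 1; GroupId = "<GROUP-ID-FAST>" },
    @{ Name = "Semi-Annual Channel Broad 1"; Feature = 30; Quality = 2; GroupId = "<GROUP-ID-BROAD1>" },
    @{ Name = "Semi-Annual Channel Broad 2"; Feature = 45; Quality = 3; GroupId = "<GROUP-ID-BROAD2>" },
    @{ Name = "Semi-Annual Channel Broad 3"; Feature = 60; Quality = 3; GroupId = "<GROUP-ID-BROAD3>" }
)

$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

foreach ($ring in $rings) {
    # A Windows Update for Business ring is a device configuration profile of this type.
    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $ring.Name
        description                        = "Managed Desktop update ring"
        featureUpdatesDeferralPeriodInDays = $ring.Feature
        qualityUpdatesDeferralPeriodInDays = $ring.Quality
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body ($body | ConvertTo-Json)

    # Assign the ring to its Azure AD group so member devices inherit the deferrals.
    $assignment = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $ring.GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body ($assignment | ConvertTo-Json -Depth 5)
}

# Emergency blocking: pausing quality updates on a ring stops their installation for
# up to 35 days from when the value is set (the limit stated in the service description).
function Suspend-RingQualityUpdates {
    param([Parameter(Mandatory)][string]$ProfileId)
    $patch = @{
        "@odata.type"        = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        qualityUpdatesPaused = $true
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$ProfileId" -Body ($patch | ConvertTo-Json)
}
```

Run the pause function against the profile ID of the affected ring only; pausing the Fast ring first keeps the broad rings on their normal deferral schedule while the issue is investigated.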

Emergency blocking of individual Updates

If issues occur after an update, the service provider supports the customer in pausing updates on devices for a period of up to 35 days from when the pause value is set.

Microsoft 365 Apps for enterprise

Microsoft 365 Apps is a version of Office that's available through many Microsoft 365 plans. It includes the following applications: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Teams, and Word. You can use these applications to connect with Microsoft 365 services such as SharePoint Online or Exchange Online.

Update Management

Managed Desktop uses two Azure AD groups to manage updates:

  • Monthly Enterprise Channel
  • Semi-Annual Enterprise Channel

Security management configuration

The service provider supports the customer with a recommendation for the security management configuration and in maintaining, modifying and developing it.

Reporting

This module includes a monthly status call with the customer. In this call, the service provider presents the findings report from the past month and makes suggestions for optimization, if necessary. The report is sent to the customer afterwards. Every 6 months, the service provider offers a half-day workshop with the customer to discuss the past 6 months and talk about optimization possibilities. The reporting details we measure are ‘evergreen’: we continuously revise them (adjusting or removing them if needed, and adding new ones where it makes sense).

The following aspects can be considered in reporting:

  • Peer-to-Peer usage
  • Delivery Optimization usage
  • Windows Device compliance status
  • Windows Device security status
    • Bitlocker activation
  • Windows Device update status
    • Feature updates
    • Quality updates
    • Microsoft 365 apps updates
  • Security configuration status
  • Enrollment Status
    • Number of new Windows devices in the tenant
  • Configuration profiles

On-Demand services and tasks

The tasks and services described in the following section are not included as part of the Service but may be requested and delivered via On-Demand Services.

Ramp-Up

The initial commissioning and setup of our service is defined as ramp-up and is not part of our service. The ramp-up can be carried out via on-demand services or consulting services.

Customer requests and incidents

Requests that do not fall under the items listed in Standard services and tasks and that originate directly from the customer are treated as a normal change and serviced through On-Demand Services.

Prerequisites

Services

An IT-Service agreement with glueckkanja-gab is required. The glueckkanja-gab Service Level Agreement and Request definitions also apply to this Service Description.

The Identity Module is required as the basis for the Client Module.

Technical requirements

Autopilot

  • Devices must be registered to the organization
  • Company branding needs to be configured
  • Network connectivity to cloud services used by Windows AutoPilot
  • Devices must be pre-installed with Windows 10 Professional, Enterprise or Education, version 1703 or later (built-in licensing)
  • Devices must have access to the internet
  • Users must be allowed to join devices into Azure AD
  • Microsoft Intune services to manage your devices

License

The Customer is responsible for the correct licensing of all Microsoft services used and affected.

Optional

  • Optionally, the customer can add one of the on-call duty packages (defined in more detail in the Service Level Agreement).
  • Software Management can be added as an extension of the Client Module.

Exclusion

The following tasks are not part of the managed service offering and are not supported by GKGAB:

  • Tracking shipping status
  • Personalization: Devices and accessories provided with the service are unable to be customized. All devices and accessories are provided with standard branding, specification, and color combinations. Application deployment and policy configurations are handled through IT-as-a-Service.
  • No local Data recovery: User and team data, including personalization, is stored in OneDrive for Business, with only cache data residing locally. If data is intentionally stored on the device’s internal storage system, any data recovery must be attempted and completed prior to returning the device to Microsoft.
  • Devices are delivered to the customer's address, where they need to be powered on and set up by the customer.
  • Support of end-users in the device enrollment process
