FAQ

We are frequently asked these questions

Reset

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Who uses eido?

IT teams, MSPs, and compliance officers managing Intune environments.

‍

eido

Is eido secure?

eido uses enterprise-grade encryption and access controls, with ISO27001/9001, and Cyber Essentials. See our Security pages on our support site for full details Security | Eido Product Help and Support

‍

eido

Where is eido's data stored?

eido instances may be in Azure datacentres in either Germany or USA.

‍

eido

Does eido require installation?

No, eido is cloud-based and integrates via secure APIs.

‍

eido

What is eido?

eido is a reporting and visibility platform for Microsoft Intune.

‍

eido

Is the solution GDPR-compliant and secure?

Yes. baramundi attaches great importance to data protection and IT security. baramundi is ISO 27001 certified and the baramundi Proactive Hub is completely Made in Europe, meets the requirements of the GDPR and enables companies to secure their compliance requirements through functions such as role and rights management, audit trails and encrypted communication.

Baramundi Proactive Hub

Does the baramundi Proactive Hub have to be installed locally?

The baramundi Proactive Hub and its products are cloud native and cloud only. The cloud architecture enables scalable, secure and flexible use.

Baramundi Proactive Hub

How does Baramundi Perform2Work work?

Baramundi Perform2Work continuously collects and automates data on the digital work environment. The aim is to identify IT problems at an early stage, to make the Digital Employee Experience (DEX) measurable and to optimize it in a targeted manner — even before complaints arise.

‍

The system collects technical and user-related indicators such as CPU, RAM and battery performance, system start times, network quality, crashes or direct user feedback. This data is analyzed, correlated and presented in clear dashboards — for an objective, continuous evaluation of the user experience.

Baramundi Proactive Hub

What is Baramundi Perform2Work?

Baramundi Perform2Work Is a Digital Employee Experience (DEX) solution. The tool provides IT departments with valuable insights into the performance and quality of use of end devices — directly from the perspective of employees. In this way, digital workplaces can be specifically optimized and productivity and satisfaction can be sustainably increased.

Baramundi Proactive Hub

Is the solution GDPR-compliant and secure?

Yes. baramundi attaches great importance to data protection and IT security. Baramundi is ISO 27001 certified and the management suite is completely made in Europe, meets the requirements of the GDPR and enables companies to secure their compliance requirements through features such as role and rights management, audit trails, and encrypted communication.

baramundi Management Suite

Which devices can be managed with the baramundi Management Suite?

The baramundi Management Suite supports:

Windows, Linux, and macOS systems

Android and iOS mobile devices

servers, (I) IoT devices

Thanks to its platform independence, the suite is ideal for heterogeneous IT environments.

‍

baramundi Management Suite

Does the baramundi Management Suite have to be installed locally?

The baramundi Management Suite can be operated both on-prem and as-a-service or hybrid. Companies can choose whether they want to manage their infrastructure themselves or use it as a managed service.

baramundi Management Suite

Which tasks can be automated with the baramundi Management Suite?

The baramundi Management Suite supports IT teams with numerous routine tasks, such as:

Software distribution and OS installations

Patch and update management (including 3rd party)

Inventory of hardware and software

Configuring security settings

Endpoint monitoring and remote support

baramundi Management Suite

What is the Baramundi Management Suite?

The baramundi Management Suite is a comprehensive unified endpoint management platform (UEM) that allows companies to centrally manage, secure and automate their IT devices — from Windows PCs to mobile devices to servers or IoT devices.

baramundi Management Suite

Welche Leistungen bietet SOFTTAILOR im Bereich SCCM Consulting?

SOFTTAILOR bietet umfassende Beratung rund um SCCM – individuell, modular und auf eure Bedürfnisse abgestimmt:

Planung und Aufbau einer neuen SCCM-Umgebung

Migration von Alt-Systemen oder bestehendem SCCM

Optimierung & Health Checks bestehender Installationen

Integration von Cloud-Komponenten wie Intune oder Microsoft Entra

Umsetzung von Patch-Management-Prozessen mit SCCM

Automatisierte Softwareverteilung und Softwarepaketierung mit und für SCCM

‍

Stets das Ziel: Ein stabiles, sicheres und zukunftsfähiges Endpoint Management, das euch wirklich entlastet.

Was ist SCCM und warum ist es für Unternehmen relevant?

SCCM (System Center Configuration Manager) ist eine bewährte Microsoft-Lösung für das zentrale Management von Endgeräten – inklusive Desktops, Laptops und Windows Servern. Im Gegensatz zu reinen Cloud-Lösungen wie Intune lässt sich SCCM vollständig On-Premises betreiben und bietet dabei eine sehr granulare Steuerung von Softwareverteilung, Patch-Management und Compliance.

‍

Gerade in komplexen oder regulierten Umgebungen überzeugt SCCM durch ausgereifte Funktionen, tiefe Integration in Windows-Systeme und flexible Automatisierungsmöglichkeiten. Ein weiterer Vorteil: Clientverwaltungsrechte sind in vielen Microsoft 365 Lizenzen bereits enthalten, was zusätzliche Lizenzkosten spart.

How does SOFTTAILOR help you select the appropriate join model?

SOFTTAILOR supports companies from planning to implementing an optimal Microsoft Entra ID strategy to implement Zero Trust. Existing infrastructures are taken into account as well as individual target images are developed and technically implemented.

Which join types fit which device categories?

The article mentions three allocations:

Entra Registered Devices — for private devices (BYOD)

Entra Joined Devices — for modern, cloud-based work environments

Hybrid Joined Devices — for systems that still need access to on-premise resources but should use cloud services at the same time

What is the web account manager (WAM) at Entra Joined Devices?

Microsoft Entra Joined Devices use the Web Account Manager (WAM) for authentication. WAM provides a seamless SSO experience and is integrated with modern Microsoft services.

When do Entra Registered Devices make sense?

These devices are ideal for companies with a flexible BYOD strategy. They enable secure access to corporate resources without the need to fully integrate private devices into corporate IT or manage them centrally.

How do Entra Registered Devices work technically?

Authentication is carried out via CloudAP, Microsoft's cloud authentication provider. This technology verifies users and devices as they access cloud resources without the device needing to be domain-bound.

What are Microsoft Entra Registered Devices?

Microsoft Entra Registered Devices are devices that are not members of a domain but are linked to a Microsoft Entra ID tenant. These devices are usually privately managed and are used in BYOD scenarios where employees use their own devices to access corporate resources. In short, Microsoft Entra knows the device but doesn't require the user to use an organization ID to authenticate.

Is it easy to switch from domain or hybrid joined to Entra Joined?

A later switch to Entra Joined — e.g. from Hybrid or Domain Joined — is not possible directly, but only by completely resetting (wiping) the device. Entra Join should therefore be included in device and rollout strategies at an early stage, ideally as part of planned hardware cycles or migrations, for example.

What are the benefits of Entra Joined Devices?

Microsoft itself recommends Entra Joined as a standard for new devices. The reasons for this include:

New functions are being developed specifically for cloud native endpoints.
The devices do not require a VPN and can still use all Microsoft 365 and SaaS services.
Modern features such as SSO, self-service password reset or remote deployment are immediately available.

Despite these very valid arguments, SOFTTAILOR looks at each IT environment individually and works with you to develop the right concept for identity management.

What are Microsoft Entra Joined Devices?

Entra Joined Devices are devices that are fully and exclusively integrated with Microsoft Entra ID — without connection to a local Active Directory. They are typically used in companies that have consistently geared their IT environment to cloud services or are striving to do so. They also speak of Cloud native devices.

Why is hybrid join considered an ideal intermediate step?

Hybrid Join combines the best of both worlds:

Local on-premise structures such as GPOs and network drives are retained.
Modern cloud features such as single sign-on and Intune are immediately available.
Remote work is done without a VPN (via Entra Private Access) possible.
The transition to the cloud can be gradual, without the need for a radical change in technology

‍

What do you understand by hybrid joined devices?

Hybrid joined devices are with two identity systems at the same time connected: with a local Active Directory and with Microsoft Entra ID. These join types are ideal for companies that want to retain existing local IT structures, but at the same time want to use cloud features such as Conditional Access or Intune.

What is a domain joined device and when is it used?

Domain joined devices are devices that operate exclusively in a local Active Directory environment. This model is used when a company operates a completely on-premise based infrastructure — for example with classic AD, file servers and without integration of cloud services.

What join types does Microsoft Entra ID have?

Microsoft Entra ID supports four types of device enrollments. These differ in how devices are integrated into identity management and which infrastructure (local, cloud, or hybrid) is used:

Domain Joined — for classic, purely local Active Directory environments.

Hybrid Joined — for devices that are connected to a local AD and Microsoft Entra ID at the same time.

Entra Joined — for cloud-native devices that are fully integrated with Microsoft Entra ID.

Entra Registered — for private or BYOD devices that are registered but not domain-bound.

Was sollten Unternehmen für Ihre Endpoint Security zuerst tun?

Der Einstieg in eine ganzheitliche Endpoint-Strategie kann schrittweise erfolgen – je nach Reifegrad der bestehenden IT-Sicherheit.

Beliebte erste Schritte sind:

Einführung von Patch Management as a Service
Rollout von Microsoft Intune für zentrale Geräteverwaltung
Pilotprojekte mit Microsoft DefenderDurchführung eines Endpoint-Security-Audits

Ein individuelles Beratungsgespräch hilft dabei, den optimalen Startpunkt zu finden.

Wie unterstützt SOFTTAILOR Unternehmen, das Risiko durch Endanwender und Endgeräte zu limitieren?

SOFTTAILOR bietet maßgeschneiderte Lösungen zur Absicherung von Endgeräten. Unternehmen können zwischen umfassendem Endpoint Management as a Service oder einzelnen Modulen wie Patch Management as a Service wählen.

Zu den Leistungen gehören:

Zentrale Verwaltung über Microsoft Intune und SCCM
Automatisiertes Patchen mit Patch My PC oder Robopack
Implementierung von Zero Trust und Client Hardening
Integration von Microsoft Defender for EndpointSecurity-Awareness-Programme für Mitarbeitende

Ziel ist es, interne IT-Teams zu entlasten und die Sicherheitslage messbar zu verbessern.

Was ist Zero Trust und warum ist es relevant für Endgeräte?

Zero Trust basiert auf dem Prinzip „Vertraue niemandem“. Jeder Zugriff wird überprüft – auch innerhalb des Unternehmensnetzwerks. In Verbindung mit Conditional Access, MFA und Least Privilege wird so maximale Sicherheit erreicht. So können sich Angreifer, falls Sie sich Zugang zu Unternehmensressourcen verschaffen konnten, viel schwerer ausbreiten.

Welche Rolle spielt die Mitarbeiterschulung in der IT-Sicherheit?

Schulungen sensibilisieren Mitarbeitende für Sicherheitsrisiken. Awareness-Trainings helfen, Phishing zu erkennen, starke Passwörter zu wählen und verdächtige Aktivitäten zu melden.

Was ist eine moderne Endpoint Protection Platform (EPP)?

Endpoint Protection Plattformen, wie Microsoft Defender erkennen Bedrohungen in Echtzeit, analysieren sie KI-basiert und führen eine erste Abwehrreaktion automatisch durch. Sie ersetzen klassische Antivirus-Software durch intelligente Abwehrmechanismen.

Warum ist Patch Management entscheidend für die IT-Sicherheit?

Über 60 % der Cyberangriffe basieren auf ungepatchten Systemen. Regelmäßige Updates schließen bekannte Schwachstellen. Viele Unternehmen können neben dem Tagesgeschäft nur schwer mit den immer kürzeren Patch Zyklen mithalten und benötigen automatisierte Prozesse – wie Patch Management as a Service von SOFTTAILOR.

Was bedeutet Systemhärtung und warum ist sie so wichtig?

Systemhärtung entfernt unnötige Funktionen, schränkt Benutzerrechte ein und passt sicherheitskritische Einstellungen an. Sie schließt Angriffsvektoren und verhindert auch, dass Angreifer sich im System ausbreiten können, sollten Sie einen Zugangspunkt finden. So wird die Cyberresilienz signifikant erhöht.

Wie hilft Unified Endpoint Management (UEM) bei der Absicherung?

UEM ermöglicht die zentrale Verwaltung aller Geräte im Unternehmen. Tools wie Microsoft Intune automatisieren Konfiguration, Update-Rollouts und Sicherheitsrichtlinien – unabhängig vom Standort der Mitarbeitenden.

Was versteht man unter einer Endpoint-Strategie?

Eine Kombination aus technischen und organisatorischen Maßnahmen zur Absicherung von Endgeräten – darunter Endpoint Management mit einer Unified Endpoint Management Lösung, Systemhärtung, Patch Management, moderne Endpoint Protection und Security-Awareness-Trainings.

Was sind typische Schwachstellen an Endgeräten?

Veraltete Software, überhöhte Benutzerrechte, fehlende Sicherheitsrichtlinien und keine Endpoint Protection sind häufige Schwachstellen. Besonders gefährlich sind Systeme ohne regelmäßige Updates oder MFA.

Warum gelten Endanwender als das größte Cyberrisiko?

"Mitarbeitende sind anfällig für Phishing, Social Engineering und schwache Passwörter. Bereits kleine Unachtsamkeiten können zu schwerwiegenden Sicherheitsvorfällen führen – besonders wenn Endgeräte nicht ausreichend geschützt oder zentral verwaltet sind.

Endgeräte sind das Bindeglied zwischen Endanwendern und Unternehmensressourcen und müssen daher Sicherheitslücken durch das Verhalten von Endanwendern so gut wie möglich technisch begrenzen."

Why should companies migrate to Windows Server 2025?

Windows Server 2025 offers enhanced security, improved performance, rebootless hotpatching, and comprehensive capabilities for hybrid cloud scenarios. The platform is ideally suited for modern IT strategies.

‍

Another reason: Older versions are reaching end-of-support. Extended support for Windows Server 2012/R2 ended in October 2023, with Windows Server 2016 following in January 2027. Migrating helps avoid security and compliance risks.

What platforms does Windows Server 2025 support?

Windows Server 2025 supports both physical servers (certified systems from leading manufacturers such as Dell, HP, Lenovo) and virtual platforms like Microsoft Hyper-V, VMware ESXi, and Citrix Hypervisor. Additionally, the management of hybrid scenarios via Azure Arc is fully integrated.

How much does Windows Server 2025 cost?

Windows Server 2025 is offered under a per-core licensing model, with a minimum of 16 core licenses required per physical server. Additionally, Client Access Licenses (CALs) are necessary to grant users or devices access to the server.

Editions and Pricing (As of May 2025):

Standard Edition: Starting at approximately 1,035 USD for a 16-core license. This edition permits running two virtual machines (VMs) on a licensed host.

Datacenter Edition: Starting at approximately 5,609 USD for a 16-core license. This edition offers unlimited virtualization rights, ideal for highly virtualized environments.

Note: The prices mentioned are list prices and may vary depending on the provider, region, and licensing program.

Alternative Licensing via Azure:

For customers who prefer usage-based billing, Microsoft offers a pay-as-you-go model via Azure Arc. This incurs costs of 33.58 USD per CPU core per month.

Can I manage Windows Server 2025 with Intune?

For management, Microsoft Endpoint Configuration Manager (MECM) is still recommended, as Intune is designed for clients and mobile devices and currently does not support server management. Azure Arc is a viable alternative for smaller or hybrid environments, especially when focusing on cloud-based management and reduced infrastructure complexity.

Can I migrate directly from Windows Server 2016 or 2019 to 2025?

Yes, a direct migration from Windows Server 2016 or 2019 to 2025 is fully supported. For older versions like 2012 R2, an intermediate step is required. Before upgrading, the compatibility of existing applications should be checked.

What are the hardware requirements for Windows Server 2025?

Minimum Requirements:

1.4 GHz 64-bit processor
2 GB RAM • 32 GB free disk space
Gigabit Ethernet adapter

‍

Recommended:

Multi-core processor with virtualization support
4 GB RAM or more
Additional disk space for roles and features
Network adapter with enhanced features

How does Windows Server 2025 differ from Windows Server 2019?

Compared to Windows Server 2019, the new version offers a significantly improved security architecture, greater efficiency in virtualization, new management capabilities via Azure Arc, and hotpatching. Integration into hybrid cloud scenarios has also been greatly simplified.

What editions of Windows Server 2025 are available?

Windows Server 2025 is available in three editions: Essentials for small businesses (up to 25 users), Standard for medium IT environments with up to two virtual machines (VMs), and Datacenter for highly virtualized or cloud-based infrastructures with unlimited VMs. Each edition uses a core-based licensing model.

What is Hotpatching in Windows Server 2025?

Hotpatching allows security-relevant updates to be performed without restarting the server. This significantly increases the availability of critical systems. Prerequisites include a connection to Azure Arc, active Software Assurance, and a separate Microsoft subscription for the Hotpatching feature.

What security features does Windows Server 2025 offer?

Security features have been extensively enhanced. These include improved network segmentation for isolating sensitive data, the integration of Microsoft Defender for early threat detection and defense, and support for modern protocols such as TLS 1.3 and SMB encryption.

What's new in Windows Server 2025?

Windows Server 2025 introduces numerous innovations focused on security, efficiency, and hybrid cloud integration. Key improvements include enhanced network isolation, the integration of modern Microsoft Defender technologies, optimized virtualization performance, hotpatching, and seamless Azure connectivity.

How can SOFTTAILOR help implement Windows Autopilot?

SOFTTAILOR helps you plan, set up and manage Windows Autopilot 1.0 and 2.0. Contact us for more information.

Will Windows Autopilot 2.0 updates reintegrate hybrid support?

Hybrid Entra ID Join is currently not supported, as Microsoft prioritizes the use of purely cloud-based scenarios. However, future updates could provide additional hybrid support options.

What are the challenges of assigning devices without hardware hashes in Autopilot 2.0?

The key challenge is that devices cannot automatically be assigned to the correct Azure organization without a hardware hash. This increases the risk of deployment errors and additional administrative burdens. Specifically, the following problems arise:

Lack of unique identification: Without a hardware hash, it is more difficult to uniquely recognize and correctly configure devices.
Manual assignment required: Since automatic recognition is not required, devices must be manually assigned to groups, for example via Entra ID.
Limited deployment: Configurations, applications, and profiles might not be applied as planned.
Security risks: The missing link can lead to confusion, which represents a potential security risk.

Using Autopilot without hardware hashes is possible, but requires careful planning and clean implementation to ensure a smooth rollout.

What is the next step in Windows Autopilot development?

Microsoft is continuing to develop Autopilot version 2 (v2). Some of the originally announced features have now been implemented, others are still being phased in. These include:

The reintroduction of self-deployment and pre-provisioning modes, which are now available again.- Expanded customization options in the Out-of-Box Experience (OOBE), such as a progress bar and visible EULA options.
Tenant binding, i.e. the direct allocation of devices to a specific tenant.
Improved admin features, such as predefined security policies and automated device renames.

An autopilot version 3 has not yet been announced. For the latest status, it is recommended to take a look at the Microsoft 365 roadmap or the official Autopilot documentation.

What is the new out-of-box (OOBE) experience in Windows Autopilot 2.0?

The OOBE in Autopilot 2.0 offers:The new OOBE in Windows Autopilot 2.0 offers a significantly improved user experience. An integrated progress indicator now shows how far the deployment has progressed as a percentage. User navigation and transparency have also been improved: Elements such as the End User License Agreement (EULA) and other options are directly visible, giving administrators and users more control over the process.

How does app installation differ between Autopilot 1.0 and 2.0?

Autopilot 1.0:

Apps are installed at the same time, which can cause delays.

‍

Autopilot 2.0:

Apps can be prioritized — critical apps like Defender are installed first, while less important apps are added in the background.

Can I use Windows Autopilot 2.0 in Sovereign Clouds?

Yes, Autopilot 2.0 supports sovereign clouds such as GCC, GCC High and DoD for the first time, making it particularly attractive for government and security environments. However, the Sovereign Clouds mentioned above all relate to the U.S. market so far.

What are the technical requirements for Windows Autopilot 2.0?

These are the technical requirements for Autopilot 2.0:

operating system: Windows 11 from version 24H2 (or Windows 11 22H2 with KB5035942).

network: Stable internet connection for setup.

Hardware: Devices with UEFI support.

Identity and endpoint management tools: Entra ID and Microsoft Intune.

Which companies should upgrade to Windows Autopilot 2.0?

Windows Autopilot 2.0 is suitable for companies with a pure cloud strategy that need a more modern architecture, real-time monitoring, and sovereign cloud support. So far, there are no really convincing advantages over Autopilot v1.

Which companies benefit from Windows Autopilot 1.0?

Companies with hybrid IT infrastructures or complex requirements (e.g. pre-provisioning) continue to benefit from Windows Autopilot 1.0. The support for Hybrid Azure AD Join makes it the only choice for organizations that combine on-premises and cloud identity management.

What are the limitations of Windows Autopilot 2.0?

No hybrid support: Connecting via Hybrid Azure AD Join is currently not supported.

Limited app installation during OOBE: Up to ten applications can be installed as standard during the Out-of-Box Experience (OOBE). (Note: This limit may change with future updates.)

Device name assignment: There are no device name templates available. Configuration is done using Intune policies, which allows for more flexibility but can mean additional administrative work.

What are the benefits of Windows Autopilot 2.0?

Autopilot 2.0 allows you to simplify device deployment without hardware hashes, real-time monitoring, prioritized app installations, and use in sovereign clouds in the USA.

What are the key differences between Windows Autopilot 1.0 and 2.0?

Windows Autopilot 1.0 and 2.0 differ in several important ways:

‍

Registration and device management:

Autopilot 1.0 requires hardware hashes to register devices, while Autopilot 2.0 eliminates this step and allows direct allocation via Entra ID. This significantly simplifies the registration process

‍

.out-of-box experience (OOBE):

In Autopilot 2.0, OOBE is optimized, offers a percentage progress indicator and more control. However, some automations that exist in Autopilot 1.0 are missing, such as skipping the EULA.

‍

Hybrid Support:

Autopilot 1.0 supports Hybrid Entra ID Join, which is important for hybrid IT environments. This feature is missing in Autopilot 2.0, which is only suitable for cloud environments.

‍

Monitoring and app deployment:

Autopilot 2.0 provides improved real-time monitoring and prioritizes important apps such as Microsoft Defender during setup. In Autopilot 1.0, all apps are installed at the same time, which can cause delays.

‍

Sovereign cloud support:

Autopilot 2.0 supports sovereign clouds such as GCC and DoD for the first time, making it suitable for government and security-critical environments. (Currently only relevant for the U.S. market)”

How does Windows Autopilot work?

Windows Autopilot automates the process of deploying devices using policies and configurations from the cloud:

Device assignment: Users or groups are automatically assigned to devices.

Deploying apps and configurations: Software and security policies are applied during initial setup.

Management integration: The devices are directly integrated into tools such as Microsoft Intune and, if applicable, SCCM (co-management).

What is Windows Autopilot?

Windows Autopilot is a cloud-based solution from Microsoft that simplifies and automates the deployment and management of Windows devices. The goal is to relieve IT teams and deliver devices quickly and efficiently to end users without the need for physical intervention.

How does SOFTTAILOR help companies with system hardening?

SOFTTAILOR offers tailor-made solutions to implement CIS benchmarks and Microsoft security baselines and make the right decisions:

guidance: Assistance in choosing the appropriate framework.

implementation: Individual adjustment and roll-out of system hardening

Managed system hardening: Regular update of system hardening as a managed service

How do I implement Microsoft security baselines?

1. Activate the security baselines in Microsoft Intune or download the latest version of the security baselines for group policies (GPOs).

2. Tailor the guidelines to meet your specific requirements. Great care should be taken here due to the tatooing effect.

3. Distribute the guidelines to the appropriate devices or user groups.

4. Monitor compliance with guidelines and make adjustments as needed.

How do I implement CIS benchmarks?

1. Download the latest benchmarks from the official website

2. Download Microsoft Security Compliance Toolkit 1.0 to compare the already established guidelines with those from CIS Benchmark

3. Set up import/adjustments according to CIS standards

4. Evaluation of individual policies

5. Monitoring of individual policies in a productive environment

6. Observe monthly reports from CIS benchmarks to stay up to date”

When should companies use the CIS benchmarks?

Every company should harden clients and servers in particular according to CIS benchmarks and only rely on the Microsoft Security Baselines in exceptional cases, with limited resources or as a supplement.

What are the benefits of Microsoft Security Baselines?

Specific to Microsoft products: They are optimally tailored to Windows, Microsoft Edge, and other Microsoft technologies.

Easy to implement: Can be used directly via Microsoft Intune or Group Policy.

automation: Reduces manual effort when securing endpoints.

efficiency: Particularly suitable for companies with limited IT resources.

What are the benefits of CIS Benchmarks?

Available for many platforms: CIS benchmarks are available for Windows, Linux, macOS and cloud services such as Azure and AWS, among others.

Flexibility: Companies can individually adapt the benchmarks to their specific needs.

Compliance: They make it easier to comply with standards such as GDPR, HIPAA or ISO 27001 and are internationally recognized as the “gold standard.”

Community-driven: They are regularly reviewed and updated by security experts worldwide.

Hardened Images: Ideal for cloud users who want to use hardened VMs directly.

What are the differences between CIS benchmarks and Microsoft security baselines?

“The CIS benchmarks are cross-platform and provide detailed, customizable security guidelines for various systems such as Windows, Linux, and cloud services. They are suitable for companies with heterogeneous IT environments and high security requirements, but require more technical expertise and resources.

‍

Microsoft security baselines, on the other hand, are specifically tailored for Microsoft products such as Windows and Microsoft Edge. They're easier to implement, offer less flexibility, but are ideal for small and medium-sized businesses with limited IT resources and Microsoft-centric environments.”

What are Microsoft Security Baselines?

“Microsoft security baselines are predefined security policies developed specifically for Microsoft products. They include recommended settings for Windows, Microsoft Edge, and other applications to ensure security.

‍

Thanks to integration with Microsoft Intune and Group Policy, they are easy to implement and regularly update to cover new threats. They are particularly suitable for companies that need fast and efficient protection of Microsoft products. However, due to limited individual adaptability and the tatooing phenomenon, implementation should be careful.”

What are CIS benchmarks?

The CIS benchmarks are security guidelines developed by the Center for Internet Security. They help you securely configure systems and applications by providing proven best practices. The benchmarks can be used across platforms and are divided into two security levels:

‍

Level 1: Basic security measures with minimal impact on functionality.

Level 2: Stricter configurations for particularly sensitive environments.

‍

In addition, there is the STIG profile (formerly known as “Level 3”), which goes beyond Levels 1 and 2 and includes additional configurations in accordance with the Security Technical Implementation Guide (STIG). This profile is particularly relevant for companies that work on behalf of the US Department of Defense or must meet its security requirements.

‍

CIS also provides hardened, prefabricated images for cloud platforms such as Microsoft Azure and AWS.

‍

Wie kann SOFTTAILOR bei der Implementierung von CMG unterstützen?

SOFTTAILOR übernimmt die vollständige Umsetzung des Cloud Management Gateway – von der Planung über die technische Einrichtung bis zur produktiven Inbetriebnahme. Dank zahlreicher erfolgreich durchgeführter CMG-Projekte verfügt SOFTTAILOR über fundierte Praxiserfahrung und tiefes Know-how im Zusammenspiel von MECM/SCCM und Azure.

Wie unterscheidet sich Cloud Management Gateway (CMG) von Microsoft Intune?

CMG ist eine Erweiterung für Microsoft Endpoint Configuration Manager (MECM/SCCM) und ermöglicht die Verwaltung von Geräten über das Internet, ohne auf eine VPN-Verbindung angewiesen zu sein. Die Infrastruktur bleibt größtenteils On-Premises, während CMG als Cloud-Proxy dient.

‍

Microsoft Intune hingegen ist eine reine Cloud-Lösung für Mobile Device Management (MDM) und benötigt keine lokale Infrastruktur. Es verwaltet Geräte direkt über Azure AD, bzw. Entra ID. Darüber hinaus bietet Intune zusätzlich moderne Sicherheitsfeatures wie Conditional Access, Zero-Trust-Funktionalitäten und die native Integration mit vielen M365 Produkten. CMG fügt SCCM keine Features hinzu, sondern bringt vorhandene Features in die Cloud.

‍

CMG eignet sich für Unternehmen, die SCCM beibehalten möchten, während Intune für eine vollständig cloudbasierte Verwaltung mit modernen Sicherheitsfeatures gedacht ist. Beide können in einer Co-Management-Strategie kombiniert werden.

Welche Alternativen gibt es zum Cloud Management Gateway?

Neben CMG gibt es weitere Möglichkeiten zur Verwaltung von Endgeräten außerhalb des Unternehmensnetzwerks:

Microsoft Intune: Komplett cloudbasierte Verwaltung ohne On-Premises-SCCM oder im Co-Management mit SCCM

VPN-gestützte Verwaltung: Klassische Methode über eine gesicherte Unternehmensverbindung

DirectAccess oder Always On VPN: Microsoft-Technologien für eine persistente Verbindung zu Unternehmensressourcen

Wie erfolgt die Implementierung des Cloud Management Gateway?

Die Implementierung von CMG umfasst folgende Schritte:

Erstellen eines Azure Resource Manager (ARM)-Diensteinstanz für CMG

Konfiguration des Cloud Management Gateway Connector Point in MECM/SCCM

Bereitstellung von Authentifizierungsmechanismen (Azure AD oder Zertifikate)

Konfiguration der MECM/SCCM-Clients zur Nutzung des CMG

Testen der Verbindung und Monitoring über die SCCM-Konsole

Wie sicher ist das Cloud Management Gateway?

CMG bietet mehrere Sicherheitsmechanismen, um eine sichere Verwaltung von Endgeräten zu gewährleisten:

Verschlüsselte Kommunikation über HTTPS

Authentifizierung mittels Azure AD (Entra ID) oder Client-Zertifikaten

Integration mit Conditional Access und weiteren Azure-Sicherheitsrichtlinien

Keine direkte Verbindung von Cloud-Clients zu internen Unternehmensservern

Welche Client-Workloads können über CMG verwaltet werden?

CMG unterstützt verschiedene MECM/SCCM-Workloads, darunter:

Softwareverteilung und Anwendungsbereitstellung

Windows-Updates und Patch-Management

Endpoint Protection (z. B. Microsoft Defender for Endpoint)

Inventarisierung und Hardware-/Software-Reporting

Compliance-Richtlinien und Konfigurationsmanagement

Welche Kosten entstehen bei der Nutzung des Cloud Management Gateway?

Die Kosten für CMG setzen sich aus mehreren Faktoren zusammen:

Azure-Compute-Kosten für die Bereitstellung des Cloud-Dienstes

Datenübertragungskosten für den ein- und ausgehenden Netzwerkverkehr

Speicherkosten für Protokolle und Telemetriedaten in Azure

Die genauen Kosten hängen von der Anzahl der verwalteten Geräte und dem generierten Datenverkehr ab. Eine Kostenabschätzung kann im Azure Pricing Calculator vorgenommen werden.

Welche Voraussetzungen müssen für CMG erfüllt sein?

Um das CMG erfolgreich zu implementieren, sind folgende Voraussetzungen erforderlich:

Microsoft Azure-Abonnement für das Hosting der CMG-Instanz

Microsoft Endpoint Configuration Manager (MECM/SCCM) ab Version 1806

PKI-Zertifikate oder Azure AD-Authentifizierung, bzw. Entra ID, für die sichere Kommunikation

Ein öffentlicher FQDN für das CMG

Eine Internetverbindung für die verwalteten Clients

‍

Wie funktioniert das Cloud Management Gateway?

CMG nutzt Microsoft Azure als cloudbasierten Proxy zwischen den verwalteten Endgeräten und der internen MECM/SCCM-Infrastruktur. Die Kommunikation erfolgt über das Internet, wobei Anfragen vom CMG entgegengenommen und sicher an die On-Premises-SCCM-Server weitergeleitet werden. Die Authentifizierung der Clients kann entweder über Azure AD oder Zertifikate erfolgen.

Welche Vorteile bietet das Cloud Management Gateway?

Das CMG bietet Unternehmen mehrere Vorteile:

Sichere Verwaltung von Endgeräten über das Internet ohne VPN

Reduzierung der Infrastrukturkosten durch Verlagerung von Diensten in die Cloud

Automatische Skalierung je nach Lastanforderungen

Erhöhte Sicherheit durch Authentifizierung via Azure AD oder Zertifikate

Unterstützung hybrider IT-Infrastrukturen mit Cloud- und On-Premises-Komponenten

Was ist das Cloud Management Gateway (CMG)?

Das Cloud Management Gateway (CMG) ist eine cloudbasierte Lösung von Microsoft, die Unternehmen mit SCCM befähigt, auch Endgeräte außerhalb des Unternehmensnetzwerks sicher zu verwalten. Es dient als Proxy zwischen Microsoft Endpoint Configuration Manager (MECM / SCCM) und Microsoft Azure, sodass Clients über das Internet verwaltet werden können, ohne dass eine VPN-Verbindung erforderlich ist.

Does Patch My PC comply with the GDPR or GDPR?

Patch My PC implements numerous measures that make the use of Patch My PC compliant with GDPR. The company signs Standard Contractual Clauses and meets customer data protection requirements, including audits and a 24-hour response time to security incidents. Patch My PC is also ISO 27001 certified, which ensures high security standards for customer data.

‍

Our experience shows that Patch My PC is also willing to sign individual data protection agreements, such as NDAs or order processing contracts. In practice, the software has already been used by large German law firms, ministries and industrial companies that have high data protection requirements.

‍

Data from European customers is hosted in an Azure data center in West Europe. In the PMPC portal, you can Settings > Company check whether the value “EU” is stored as the data storage location.

‍

Patch My PC

How much does it cost to migrate from Ivanti DSM?

The costs of a migration depend on various factors, such as:

‍

The size and complexity of your infrastructure
‍
Desired target system (Intune, MECM/SCCM or Ivanti Neurons)
‍
Number of software packages and configurations
‍
Required adjustments and additional services

‍

After an initial consultation, we will provide you with an individual offer to replace Ivanti DSM in your company.

‍

Ivanti DSM Migration

Was passiert mit euren Ivanti DSM Softwarepaketen?

Eure bestehenden Softwarepakete im Ivanti eScript Format werden von uns in das PSADT (Powershell AppDeploy Toolkit) Format. PSADT ist der weltweit eingesetzte Open-Source Standard für Softwarepaketierung- und Verteilung. Wir empfehlen unseren Kunden die Migration in ein anderes, als das PSADT Format sorgfältig zu prüfen, da man sich damit in eine starke Abhängigkeit von spezifischen Anbietern begibt.

‍

Vorher analysieren wir gemeinsam Eure Applikationslandschaft daraufhin, welche Anwendungen ggf. nicht mehr benötigt werden oder automatisiert über Patch Management Kataloge wie Patch My PC, Robopack oder Neurons for Patch Management bereitgestellt werden können.

Ivanti DSM Migration

Welche Herausforderungen gibt es bei einer Ivanti DSM Migration?

Client Management Lösungen gehören zu den Herzstücken Eurer IT Infrastruktur. Die Ablösung von Ivanti DSM und Einführung einer neuen UEM Lösungen sollte daher gut geplant sein. Zu den typischen Herausforderungen zählen:

‍

Ivanti DSM Funktionen, die sich nicht 100% deckungsgleich in modernen Systemen wiederfinden
‍
Prozesse, die genau an die Funktionen Ivanti DSM angepasst sind
‍
Umgewöhnung von Administratoren und Usern
‍
Kompatibilitätsprobleme zwischen alten und neuen Systemen
‍
Datenverlust-Risiken, falls keine gründliche Planung erfolgt
‍
Hoher Workload neben dem Tagesgeschäft

‍

Unser Ziel: Migration ohne Frustration.

‍

Die Mittel: Erfahrung in Ivanti DSM, dem Zielsystem und sorgfältige Planung.

‍

Ivanti DSM Migration

Warum empfiehlt SOFTTAILOR Microsoft Intune als beste Alternative zu Ivanti DSM?

Viele eingefleischte Ivanti DSM Administratoren sind nach einer ersten Vorstellung von Microsoft Intune erst einmal enttäuscht. Wir verstehen das. Ivanti DSM ist in der Softwareverteilung so ausgereift, wie kaum ein anderes Produkt und hatte eine große Fangemeinde.

‍

Wir empfehlen Unternehmen, die Ivanti DSM einsetzen trotzdem dem Wechsel zu Microsoft Intune, da der moderne Unified Endpoint Management & Security Ansatz eine Welt über die Softwareverteilung hinaus eröffnet. Und im Bezug auf die Softwareverteilung gibt es nur sehr wenige Szenarien, die sich im Co-Management mit Intune und SCCM tatsächlich nicht abbilden lassen, sodass diese Kombination die erste Wahl für die meisten Unternehmen ist. Ein weiterer wichtiger Punkt: Die Lizenzen für Intune und SCCM sind häufig schon in Euren Windows 365 Lizenzen enthalten und verursachen keine weiteren Kosten.
‍

Auch Ivanti Neurons bietet viele dieser Funktionen, ist allerdings unter der schönen Nutzeroberfläche noch nicht so ausgereift wie Microsoft Intune.
‍

In einem Workshop finden wir die passende Lösung für Euer Unternehmen!

‍

Ivanti DSM Migration

Welche Vorteile bieten Intune, MECM/SCCM und baramundi?

SOFTTAILOR sieht für die Ablösung von Ivanti DSM folgende Lösungen vor: Microsoft Intune, ggf. im Co-Management mit SCCM oder Ivanti Neurons. Jede Plattform hat ihre spezifischen Stärken:

‍

Microsoft Intune:
- Cloudbasiertes Management für zentrale Kontrolle und Unified Experience
- Sicherheitsfeatures wie Security Policies, Zero-Trust und Integration z.B. mit Microsoft Defender
- Keine lokale Serverinfrastruktur erforderlich.
  ‍
MECM/SCCM:
- Bewährte On-Premise, die im Co-Management lokale und cloudbasierte Infrastruktur kombiniert
- Ideal für Unternehmen mit On-Premise Geräten, Servern und Hochverfügbarkeitsanforderung
  ‍
baramundi Management Suite:
- UEM „Made in Germany“ – wahlweise On-Premise oder as-a-Service aus der Cloud
- Echtzeit-Softwareverteilung mit direktem Feedback, zentralem Logging und granularen Wartungsfenstern
- Starke Ergänzung zu Intune für komplexe Umgebungen, z. B. Server, hochverfügbare Geräte, Patch Management und detaillierte Inventarisierung
  ‍

In einem Workshop finden wir die passende Lösung für Euer Unternehmen!

Ivanti DSM Migration

Was passiert nach der Migration von Ivanti DSM?

Nach der Migration bieten wir Euch umfangreiche Schulungen in Microsoft Intune / SCCM oder Ivanti Neurons an. Darüber hinaus nehmen viele Kunden unsere Managed Services in Anspruch. Damit kümmern wir uns um ddie tägliche Administration, regelmäßige Optimierungen, Sicherheitsüberprüfungen und proaktiven Support, sodass ihr euch auf eure Kernaufgaben konzentrieren könnt.

Ivanti DSM Migration

Why is the Ivanti DSM migration necessary in 2025?

The migration is primarily necessitated by the End-of-Life (EOL) of Ivanti DSM by the end of 2026, as the manufacturer has discontinued support and regular updates. Without migration, security vulnerabilities can arise, and the integration of new technologies can be hindered. Companies operating such a central system after its EOL may face a lack of cybersecurity protection and violations of policies and regulations.

Ivanti DSM Migration

Was ist eine Ivanti DSM Migration?

Eine Ivanti DSM Migration bezeichnet den Prozess, bei dem eure bestehende Ivanti DSM-Umgebung in eine moderne Unified Endpoint Management Lösung wie Microsoft Intune ggf. in Kombination mit MECM/SCCM oder Ivanti Neurons überführt wird. Dabei werden User, Devices, Daten, Anwendungen und Konfigurationen migriert, um den das Client Management zu modernisieren und langfristig zu sichern.

Ivanti DSM Migration

How much does the Microsoft Intune Managed Service cost?

Our Intune Managed Services are modular. Some modules are billed at a flat monthly rate, providing complete cost control. Other modules are invoiced based on the actual work performed.

‍

Our Managed Services are scalable and significantly more cost-effective than building the same in-house expertise, processes, and resources. With our Managed Services, you ensure that your endpoint strategy doesn't just remain a strategy, but is consistently and regularly implemented operationally.

Microsoft Intune Consulting

How much does Microsoft Intune consulting cost?

Costs vary depending on the scope of the consultation and specific requirements. Typically, costs include:

‍

Consulting services: For planning, implementation, and optimization.
‍
Licenses: Depending on the number of devices to be managed.
‍
Training: For IT teams and employees.

Our Microsoft Intune workshops start from 1,500 EUR net per day. The standardized implementation of Intune via Fast-Track is generally possible for under 10,000 EUR net.

‍

After a free initial consultation, we will gladly prepare a customized offer for you.

‍

Microsoft Intune Consulting

What Microsoft Intune expertise does SOFTTAILOR offer?

Since 2007, the SOFTTAILOR team has exclusively focused on Intune's predecessors. From around 2017, inquiries and beginner workshops for Microsoft Intune increased, leading us to migrate tens of thousands of endpoints to Microsoft Intune, many of which we continue to support.

‍

We share our expertise, for example, with less specialized IT service providers through the Microsoft Partner Association IAMCP e.V., where we co-founded the "Business Circle Endpoint Management" and regularly present the latest Microsoft Intune developments.

‍

Microsoft Intune Consulting

Why is Microsoft Intune consulting by SOFTTAILOR experts beneficial?

With SOFTTAILOR, you benefit from:

‍

Right from the start: When setting up Microsoft Intune, many design errors can be made, which we avoid. If you come to us with an existing Intune tenant, we know which adjustments are crucial for the most important optimizations.
‍
Expertise: Many years of experience in endpoint management and Microsoft technologies.
‍
Individual Solutions: Tailored to your specific business requirements.
‍
All-round Service: From status quo analysis to managed service, you get everything from a single source.

Microsoft Intune Consulting

How long does Microsoft Intune implementation take?

The duration depends on the company size, the complexity of the IT environment, and specific requirements. For smaller companies, implementation can be completed within a few days, while larger organizations with complex requirements and coordination needs may require several weeks or even months. For small and medium-sized businesses, SOFTTAILOR has developed the Microsoft Intune Fast-Track, which enables the rapid deployment of Intune. And even for larger IT environments, our experience from numerous Intune implementations often allows us to beat the projected timeline.

Microsoft Intune Consulting

Let's talk Endpoint

The fastest way to secure and productive endpoints

Secure and productive endpoints in three steps.

Learn what you need to do and how to get to more structure and secure and productive endpoints in the shortest possible way.

Free initial consultation

We'll get to know each other and find out what's currently bothering you. You will get initial ideas on how we can help you.

Proposed solution & offer

After the initial discussion, we will present you with a specific proposed solution and the offer for implementation.

transposition
‍

Equipped with automation and best practices, our team implements the proposed solution in record speed.

Die zwei Geschäftsführer von Softtailor schauen freundlich und kompetent in die Kamera.

Let's get started!

blog

Expert Insights To Go: Our Newest Blog Posts

6.5.2026

Endpoint Management

NIS-2 security measures and vulnerability management: The BSI requires these measures

In its #NIS2know series, the BSI highlights security measures relating to IT systems and focuses in particular on vulnerability management.

13.4.2026

Patch Management

Secure-Boot Certificate Expiry in June 2026: Risks and Need for Action

In June 2026, many of the currently used Secure Boot certificates reach their expiration date and this can quickly become a problem for companies.

4.3.2026

Endpoint Strategy

On-premises vs. cloud — which IT strategy is right for your company?

A hybrid cloud strategy combines on-premises and cloud resources in such a way that workloads run where it makes the most sense functionally, technically, and organizationally. In practice, this often means that sensitive or heavily regulated systems remain on-premises, while scalable services, modern collaboration, or new applications are operated in the cloud.

Always a step ahead!

We send IT decision makers and endpoint administrators hand-curated news, technical insights and practical tips about endpoint management & security that are not available anywhere else.

I would like to subscribe to the SOFTTAILOR newsletter and declare that I have read and understood the privacy policy.Sign up

Thanks for signing up We've sent you an email asking you to confirm your registration.

Oops! Something went wrong while sending... Please try again.