
How Microsoft Managed Desktop (MMD) Fits Into Microsoft's Modern IT Vision: An Analysis

Traditional IT infrastructures are often loosely connected, relatively fragmented, and highly complex — making them incredibly difficult, labor-intensive, and therefore costly to maintain and update. Over the years, this led to compounding IT debt, Shadow IT organizations, and uncontrollable application sprawl — eating up a large chunk of enterprise IT budgets just to maintain the status quo.

Until now, this was a necessary evil organizations felt they had to put up with. But the situation has changed. Enterprises are prioritizing Digital Transformation initiatives and have moved to Windows 10, Office 365, and other Software-as-a-Service solutions. The heavy ballast created by traditional IT management makes it impossible for them to keep up with this faster pace of change. As a result, IT feels torn between providing tangible business value and keeping the infrastructure secure and up-to-date.


This struggle became tangible after the introduction of Windows-as-a-Service, touted as what would become the fastest-adopted operating system ever. But after the initial excitement wore off (and the rubber started to hit the road as early adopters started migrating), larger organizations found out that, while Microsoft might be able to move 90,000 employees to a new version of Windows 10 in less than 10 weeks, they could not. They started to skip releases. With organizations facing the risk of a non-supported OS, analysts and customers alike started to demand a slower, annual upgrade pace. 

Enterprises are the fuel to help Microsoft's Azure-driven cloud success story thrive. Therefore, the company has no other choice but to push its "Cloud-Connected" Modern IT vision, which runs on continuous improvements and requires Evergreen IT management. Microsoft recognized 18 months ago that enterprises aren't ready to throw their tried-and-true traditional IT management entirely overboard yet, so the idea of Microsoft Managed Desktop was born.

What Is Microsoft Managed Desktop (MMD)?

In September 2018, Microsoft introduced Microsoft Managed Desktop (MMD), a new turn-key enterprise service offering that delivers modern devices managed and backed by Microsoft. For a single, per-user monthly subscription fee, this includes new hardware and the overall management of those devices (including security monitoring), Windows 10 and Office 365 with the ongoing twice-a-year feature updates for both, as well as monthly quality and security updates and other fixes.

This results in three primary benefits for enterprises, namely:

  • Predictable hardware and software costs,
  • Smaller infrastructure footprint, and 
  • Unified management tools across platforms.

The scope goes beyond traditional Device-as-a-Service offerings as it is comprised of a software (Modern Desktop), a hardware (Modern Device), and a service (Managed By Microsoft) component. Let's have a closer look:


(Image Credit: @PatrickMoorhead)

Modern Desktop

The first component of MMD is the Modern Desktop. All devices that are part of Microsoft Managed Desktop run a "lean and mean pre-configured image," according to Bill Karagounis, General Manager for Microsoft, which includes:

  • Windows 10 Enterprise E5
  • Office 365 ProPlus (including Teams)
  • Enterprise Mobility & Security 
    • Azure Active Directory
    • Azure Information Protection
    • Microsoft Intune
    • Microsoft Cloud App Security
    • Microsoft Identity Management
    • Microsoft Advanced Threat Analysis
    • Azure Advanced Threat Protection

In addition, the device is configured to leverage Microsoft Azure and Windows Analytics cloud services, intelligence, and analytics.

Modern Device

The second component is, of course, the hardware. Enterprise customers can choose from a portfolio of curated devices that meet Microsoft-set quality standards and are designed to support crucial Windows Enterprise features, such as Microsoft AutoPilot, Windows Hello, Cortana, BitLocker, and SecureBoot, as well as virtualization-based security (CredentialGuard, Windows Defender ATP, and Cloud CredentialGuard). This "Native Windows Security Stack," which runs without any third-party agents, enables Microsoft to manage and secure remote devices from its dedicated MMD support center.

Devices can be ordered by the customer through a portal and shipped directly by Microsoft. Surface devices are the only devices available at this moment, but Microsoft is working with other OEMs to meet the quality standards for other device types. After the customer unpacks his or her machine, Microsoft leverages its AutoPilot service to build the user's device "from the cloud." During this year's Ignite sessions, Microsoft couldn't stress enough how much this will minimize IT workload. 


(Image Credit: Microsoft, 2018)

MMD devices are stateless by default. They use OneDrive for Business, specifically the Known Folder Move feature, so that a lost, broken, or stolen device can be replaced and restored within one day. Again, the device gets shipped, unboxed, and connected through AutoPilot, which triggers OneDrive for Business and Azure AD Enterprise State Roaming to download the last known state. In addition, customers will have the option of a 2 or 3-year refresh cycle.

Managed & Backed By Microsoft

The third leg of this "three-legged stool" is the "Managed and Backed By Microsoft" component — which might be the most important value-add to this offering, as neither of the other two brings anything new to the table. As part of the service, Microsoft will manage all Windows 10 Feature Updates (Semi-Annual Channel), Office 365 Updates, and monthly quality updates by automatically setting up a ring-based deployment (according to Microsoft executives during Ignite) and utilizing Azure AD Groups, Windows Update for Business, and Desktop Analytics to roll this out on a scheduled basis for its clients.

For the first time in Microsoft's long history, the company will offer support to corporate users through its dedicated, fully staffed 24/7 MMD support and security center, which provides Tier 1 level support for Microsoft hardware and software. End users can request support from the Get Help app that ships as part of the image. Once a message is received, Microsoft will then use artificial intelligence and AI learning to decipher the message text, identify the problem, and provide a solution. Should the problem persist, a chat or phone support option is available. Clients could even wire the Microsoft Call Center into their organization's call center phone directory tree.

All MMD devices are configured by default to deliver a security baseline through the MMD Channel, which Microsoft calls a "widely-tested industry-standard configuration." During Ignite, speakers mentioned throughout sessions how seriously Microsoft takes security, as the company deals with 6.5 trillion security events every day, leveraging Device Health, Identity Protection, and Security Monitoring. Should a security issue arise, Microsoft will first attempt to automatically remediate the problem. If that isn't possible, the device will be isolated to prevent the problem from spreading, and a Microsoft support engineer will then meet with the client's security team to solve it together.

Biggest Concerns: Data Privacy & Application Compatibility

While the service sounds like a great alternative to outsourcing your Windows 10 Servicing to a third-party, there are some concerns you should consider — the biggest ones probably being data privacy and application compatibility. 

Telemetry, Cloud Analytics & Your Privacy

Telemetry has always been a sore topic for enterprises. With this service, telemetry must not only be turned on, but Microsoft's support team will have to have a full view into your machines and have knowledge of which apps are running, when and what the last crashes were, etc. to be able to manage your devices. Its cloud analytics services will gather trillions of data points across the managed estate and use all the collected data to improve its services. Be sure to understand the implications of this fully before proceeding. 

Full Application Compatibility

Let's face it: MMD heavily relies on automation to be profitable. This requires highly standardized infrastructure requirements as well as full application compatibility. In the real world, we have found that application compatibility is one of the largest obstacles to a smooth migration process.

Although Microsoft promises to have an engineer on hand should you run into application compatibility problems for any customer, ISV, or MS-developed product, they also expect that you fulfill certain requirements as part of the onboarding. Essentially, to be able to use this service, you will need to use Desktop Analytics to gather your inventory and Intune to deploy and manage your apps. From what I gathered at Ignite (although different presentations said different things, so take it with a grain of salt until we know more), Intune now supports Universal Windows Platform applications, Win32-based apps, executables (.exe) as well as multi-file MSIs with transforms. 

Once your inventory is created, you will have to decide which to keep, retire, and modernize — something enterprises always struggle with, as this means sifting through tens of thousands, if not millions, of data rows.

The question is this: how will this labor-intensive process be managed? Who is responsible for doing this? Many enterprises have turned to Juriba's Dashworks Connector and automated application compatibility management at this point. 

In the second step, MMD will use Desktop App Assure, a new FastTrack service, to determine the compatibility status of your inventory. You will also have to repackage your apps for Intune.

Intune provides different templates to configure policies. For example, you can now configure VPN profile access. The user will have their personalized VPN access shortcut already "pre-installed" as part of their out-of-the-box experience. You can also configure certain security settings, e.g., require a password to unlock the device, or switch on real-time monitoring for Windows Defender.


Only time will tell if enterprises will take this service seriously. While this is an enterprise service only at the moment, we can see it working for smaller businesses who don’t have this sort of support. However, it will be interesting to see where Microsoft draws the line on what will be supported (i.e. hardware issues vs software issues vs OS issues). For many, the initial value proposition might sound appealing, but there are a lot of dependencies (i.e., Intune) to make this work. In addition, the initial reliance on Microsoft hardware (Surface Books are some of the most expensive laptops on the planet!) will be a significant barrier to entry.
