In the past week, Microsoft asked me to speak at the Windows Partner Deployment Day about the infrastructure, project management & readiness support for effective Windows-as-a-Service deployments. Juriba Dashworks consumes and enhances the valuable Windows Analytics and Upgrade Readiness data feed with a robust command and control system to help manage Evergreen initiatives.
We also spoke a lot about AutoPilot and Microsoft's "Modern IT Management" agenda, which the software giant has been pushing for the past three years. The premise is that strategic-minded IT teams strive to increase user productivity and security on any device while contributing to the company's bottom line by driving Digital Transformation and innovation, but they are met with constant challenges, such as more sophisticated cybersecurity threats, disruptive business models, and the consumerization of IT. This leaves IT having to do more with less, and one way to do so is to move more applications and infrastructure into the cloud, which often requires a different IT management approach, one that lets them manage any device with almost zero touch.
But there is a lot of confusion around this topic: Is Modern IT an Evergreen strategy? How does it compare to traditional image-based device management? Today, I want to take a closer look at what the Modern IT Management approach actually is (and what it is not) and add some of my color via my real-world experience to the topic in the hopes of clearing up some of that mystery.
Microsoft's Vision Of Modern IT Management
Microsoft defines the term "Modern Management" as "a novel approach of managing Windows 10". It is similar to managing mobile devices through Enterprise Mobility Management (EMM), and it allows you to "simplify deployment and management, improve security, provide better end user experiences, and lower costs for your Windows devices." Modern management isn't limited to your Windows 10 desktop devices, but extends to all kinds of devices, e.g., HoloLens and Surface Hub, and covers both employee- and company-owned devices on one management platform.
Microsoft's Modern Management approach rests on four pillars:
- Easy to deploy and manage. Microsoft touts a simplified and faster operating system deployment (OSD) with dynamic provisioning using Windows AutoPilot, which is deeply integrated with Azure AD and Intune.
- Always up-to-date. By updating Windows 10 and Office 365 ProPlus twice a year, you can keep not only your devices more secure, but also your users more productive with new features at a faster cadence.
- Built-in security features. The Microsoft 365 platform has made huge strides in terms of cybersecurity with natively built-in security capabilities, such as Windows Defender ATP, Office 365 ATP, Azure AD Identity Protection, and more.
- Proactive insights. Telemetry and cloud intelligence allow IT admins to discover device and app issues before they become a bigger problem.
This vision is implemented through what Microsoft calls "Co-Management", which is a "simplified and manageable way to transition from ConfigMgr and AD to a modern management approach with Intune and Azure AD." Microsoft's AutoPilot, Windows Analytics, and Upgrade Readiness are tools in the Co-Management tool belt. Windows AutoPilot "simplifies and personalizes the out-of-box experience (OOBE) for users, joins the device to Azure AD, and enrolls it in Intune. Users' email, apps, files and preferences, as well as the organization's security settings, are also automatically applied by Intune without the need to create custom OS images."
In addition, enterprises have access to Microsoft support, documentation and some preliminary free services to get them started.
Traditional Image-Based Desktop Management
For many years, organizations have used a combination of on-premises System Center Configuration Manager (ConfigMgr) and Windows Server Active Directory (AD) to manage their Windows devices. This approach uses image-based management, which relies on the creation of an on-premises core image or set of images.
This core build contains the base-build applications and is kept up to date by injecting device drivers for each new in-scope manufacturer model. It requires extensive testing to get it ready for release and needs to be continuously certified and engineered into a task sequence, so that the right components are pulled from the internal systems when needed.
All business users get the same image put on their device as part of a hardware refresh or a larger IT Transformation project. Once the business user logs in, he or she receives a personalized set of applications, because entitlements and settings are stored in Active Directory. The device determines which applications the user should have beyond those in the core image and provisions them to either the user account or the specific device.
Corporate Windows images often take one of two approaches:
- You create a business image that has every app that every person in that business unit might require. This is potentially a large licensing overspend, since not every user needs every app, but it is easier to manage.
- You associate the applications to devices and/or users specifically and the device gets applications delivered as required. This approach is more efficient in licensing terms, but needs constant maintenance as each device can contain a different set of applications.
Ultimately, organizations still use this traditional approach because it centralizes all components of desktop management in the hands of the IT team, and they perceive that this gives them more control. However, Co-Management gives you neither more nor less control; it simply comes down to how you do your distributions and whether you provision applications to devices or to users.
Modern IT In A Real World Enterprise Context
In the past, some enterprises have used Dell's, HP's, or other hardware manufacturers' services to pre-configure devices as much as possible before they leave the factory. Even when I was running J. P. Morgan's EMEA desktop, you could buy this service from the manufacturer. You would extend your SCCM to give the manufacturer access to your applications, and the manufacturer would do all of the asset tagging, custom configuration, and much more before shipping the pre-built device to your desired location.
But most IT teams wouldn't dream of shipping devices to end users directly. There are many internal policy and control reasons not to. For example, they might want to put an asset tag on the device, scan an RFID tag, put the device through some internal stock management process, or they might not trust HR's record of where the user is located.
Therefore, one of the biggest linchpins to making Modern IT Management work successfully is very tight application management in the Microsoft Store for Business and Intune. While the latter is making good progress, the vast majority of large organizations already have their own service/application request systems and need to integrate these solutions with them to provide an end-to-end experience for their users.
Moreover, as of today, Microsoft Intune in the Azure Portal does not support the management of .exe installers. LOB apps require .msi, .appx, or .appxbundle packages. This means that, despite using Microsoft's Co-Management approach, you still have to manage your SCCM deployments as well as your Autopilot deployments. So you end up with a hybrid model and can effectively double up a lot of work. In addition, many companies already have processes and workflows built against in-house desktop and application management tools. All of these items are barriers to full modern management adoption and must be overcome.
A Step Towards Evergreen IT?
The first thought that one might have when learning more about Microsoft's Modern IT Management vision is that it enables Evergreen IT. But Evergreen IT to me is about keeping everything in lifecycle, whereas Modern IT Management is really much more about the end user experience through zero-touch dynamic provisioning. Right now, I am not convinced that Evergreen IT benefits at all from which approach you take for your PC deployment.
What are your thoughts on this? Do you have any plans to use Co-Management in the near future? How are you planning to integrate it into your Evergreen IT strategy? I would love to hear your opinion in the comments below.