- Azure Sentinel—A real-world example - Tue, Oct 12 2021
- Deploying Windows Hello for Business - Wed, Aug 4 2021
- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
Let's start by looking at what a "not-so-modern" desktop involves.
Traditional desktop approaches
Anyone who's been in business IT knows that for decades now we've used OS imaging to set up desktops and laptops. The flow looks something like this: Oder a fresh batch of machines from your favorite manufacturer. When they arrive, set them up on a bench, and run your imaging tool (Windows Deployment Services, System Center Configuration Manager/Endpoint Manager) to replace the Windows installation on those PCs with your image.
This standard image, known as a golden image or standard operating environment (SOE), has some applications, along with the version of Windows you have standardized on, plus the right drivers for the hardware. As the diversity of your hardware fleet grows, you may have to create multiple images for different brands or even models. And as patches for the applications and OS come out, you'll need to keep this image up to date; otherwise, the end user will have to wait once they receive the PC for it to catch up with all recent patches.
There are different flavors of images. Thin images only have the OS and perhaps a few small programs that you want on every PC, whereas a thick image has all the applications installed and takes longer to deploy (and is more work for you to keep up to date) but less time after imaging as all the applications a user needs are already there.
Once the PCs are ready to go, you use Group Policy to manage thousands of settings for security, manageability, and control across all the machines, sometimes locking them down very tightly, hindering end user productivity (but "at least it's secure," say the security folks).
If you take a step back and look at this scenario, it's got a few drawbacks. It's very labor-intensive (read: costly) in terms of maintaining images, ensuring the right drivers are available (and keeping them up to date), application deployment and testing as well as being very centralized. The only way to do this is to prepare machines in the head office and then deploy them. It also only works for business-supplied hardware; Bring Your Own Device (BYOD) or Bring Your Own Disaster machines aren't welcome.
If you're a large enterprise, there are options where your OEM will do the steps above as a service for you, but that's really only available for those with large budgets.
Windows Autopilot in Endpoint Manager
The modern desktop alternative
Notice above that the Windows OS, with the right drivers supplied by the manufacturer, is wiped. What if you just kept that installation instead?
The first step is using Autopilot and registering each device's unique ID with your organization. Now you can customize Windows setup to suit your business needs (the user doesn't become a local administrator, and there is seamless upgrade from Pro to Enterprise) no matter where the PC is, as long as the device has internet connectivity.
You can also join the PC to Azure Active Directory (and optionally to AD as well). This means you can buy 100 new laptops, have them shipped directly from your manufacturer to your end users, and let them do the setup. This is especially useful at the moment, as your end users are probably mostly working from home.
If you haven't looked at it recently, Autopilot comes in a few different versions. Self-deploying mode lets you set up kiosks and digital signage devices without providing user credentials, while White glove allows your IT department or outsourced IT company to fully prepare a PC with all applications for eventual delivery to end users. It also works when you need to reset existing PCs when they're being passed on to new users or in educational settings to get them ready for the next semester.
The ability to control the deployment comes down to provisioning packages that let you do the Windows SKU upgrade, deploy (smaller) applications, and implement particular configuration settings.
As you'll have noticed, we're not using GPOs. For a truly modern desktop, you'll join it to an MDM solution instead and use the hundreds of settings on offer there instead of the thousands in GPOs to control the most important options.
These devices will sit neatly in your MDM (next to your Android, Mac, and iOS devices). Ultimately, this is Microsoft's goal: to offer Windows 10 as a service (WaaS) and make it behave like a mobile OS and be managed like one. And upgraded like one—hence Microsoft's twice-a-year release cycle, which hasn’t exactly proven popular with businesses. There have been some concessions, with the "fall" versions being supported for 30 months instead of 18, as long as you're on the Enterprise or Education SKUs.
That MDM in Microsoft's vision is Intune, now part of a marriage with System Center Configuration Manager into a new product, Endpoint Manager.
For ongoing patching, a modern desktop doesn't necessarily rely on Windows Server Update Services or SCCM on-premises. Instead, it can use Windows Update for Business to control updates and patches through configuration settings, with the actual bits coming directly from Microsoft Update (or from nearby PCs).
Notice that this whole approach (and you can pick bits of it and still do some of it using your traditional processes) requires less manual labor. It's more automated and more decentralized, eminently suited to a world where not everyone is in the office (like during a pandemic, for instance).
A strategy built on telemetry
The other part of a modern desktop approach is ongoing management, which should be built on telemetry. There used to be a free service called Windows Analytics that helped you understand which releases of Windows were deployed in your environment and which PCs were ready to be upgraded to the new version. Desktop analytics, on the other hand, is part of Endpoint Manager (so it is no longer free). It is expanded in scope and uses AI to suggest which devices should be part of the next wave of piloting the new release of Windows 10.
Instead of testing every single business application with every new release of Windows 10, you test the most important ones and then you roll out the new version to a small subset of your users and let them report back to you (as well as gather telemetry from their devices) to see whether there are any issues. If not, you increase the size of the group until, eventually, everyone is on the new version, by which time your pilot team is already testing the next version.
This, of course, mimics how Microsoft acts as the IT department for the millions of unmanaged consumer Windows 10 devices around the world, deploying in rings and seeing from the signals it's getting back whether to proceed with the deployment or not.
Endpoint Manager security configuration
Security is another large part of a modern desktop. In moving toward a passwordless, zero-trust world, look to procure devices that support Windows Hello for Business when you buy new hardware. Those devices all use BitLocker to encrypt their drives to protect them against attacks.
Access to cloud services and resources is controlled through Conditional Access (CA), which takes into account much more than just username and password, including location, device and OS, the risk profile of the user and the risk profile of this sign-in to grant access, grant access after prompting for MFA, provide restricted (read-only/no download of documents) access, and so forth.
And your Windows devices, Mac devices, and Linux machines should also be protected with Microsoft Defender Advanced Threat Protection (MDATP), a modern, machine-learning based Endpoint Detection and Response (EDR) tool. Interestingly, Microsoft has recently added the ability to purchase MDATP as a standalone product. It used to be available only through Microsoft 365 E5 licensing.
Subscribe to 4sysops newsletter!
Conclusion
Certainly, all the old ways of managing PCs are still supported and many businesses might cling to "what works." But I think if anything can be learned from the last few months of chaos, it's that flexibility and the ability to adapt to new situations is vital, especially for IT teams. Hopefully, some tech I've covered and provided links to in this article leave you with some food for thought and the impetus to go and try it out, if you're not already "modern."
It all sounded great until you said this:
Instead of testing every single business application with every new release of Windows 10, you test the most important ones and then you roll out the new version to a small subset of your users and let them report back to you (as well as gather telemetry from their devices) to see whether there are any issues.
So now MS is pushing it's strategy/tragedy of using unskilled, unpaid, unaware testers out to it's customers. MS calls them "Insiders", I call them "crash test dummies". They want us to push untested changes out to users and wait for them to crash in production and report errors. So now MS want's us to add more lost productivity on top of the failures it is already pushing out to us. But MS has already demonstrated the problem with this approach with their failed Fall 2018 update. All of the problems in that disaster had been identified by Insiders ahead of the roll out, but MS did not recognize the significance of the low quantity reports. Why would anyone not think that businesses with less experience would not exhibit the same short sightedness!?
I can see where Autopilot would be handy, but only after exhaustive quality control testing by IT. Sorry, you just can sell me on using normal users to become "insiders" for quality control testing inside the corporate world. If you say limit the 'insiders' to a test group, how is that different than the current best practice of extensive testing by quality control testers before rolling out a change? Just because MS 'saved expenses' by firing most of their quality control team does not mean we should jump off the same cliff!
Hi Ron,
Thanks for your feedback – I was expecting some comments on this piece and you really didn't disappoint.
I agree with your points regarding the issues around Microsoft's Windows 10 releases, although I would point out that more recent releases have had improved quality and less issues. I think Microsoft does work hard to learn from their mistakes.
As for using the same approach internally in a business I can understand your concerns. I would mention that you don't have to take every Windows 10 release, especially if you're on the fall releases you can stick with it for up to 30 months, which would give you longer to do more comprehensive testing of all business applications. For what it's worth I upgrade my client's Windows 10 installations every 12 months, with some testing of their most important applications but not comprehensive testing of every app, but then again I work in SMB and not enterprises.
And finally, I do agree that Microsoft's decision to get rid of their testers in hindsight probably wasn't the best decision they could have made.
Overall though I do think there needs to be a balance between the IT department's desktop management approach from 10-20 years ago (what I call the "Stalin school of IT") which is very regimented, very locked down and providing no flexibility for end users and the YOLO world of upgrading to every new release with no testing at all. Somewhere in-between (and it'll be different for every business) is where I think a modern IT department needs to be to help the business be more effective with their IT infrastructure investments.
Just my two cents 🙂