- The risk of fake OAuth apps in Microsoft 365 and Azure - Fri, Nov 27 2020
- Azure Sentinel: Microsoft's SIEM for the cloud and on-premises - Fri, Oct 30 2020
- Microsoft Cloud App Security - Tue, Sep 29 2020
Let's start by looking at what a "not-so-modern" desktop involves.
Traditional desktop approaches ^
Anyone who's been in business IT knows that for decades now we've used OS imaging to set up desktops and laptops. The flow looks something like this: Oder a fresh batch of machines from your favorite manufacturer. When they arrive, set them up on a bench, and run your imaging tool (Windows Deployment Services, System Center Configuration Manager/Endpoint Manager) to replace the Windows installation on those PCs with your image.
This standard image, known as a golden image or standard operating environment (SOE), has some applications, along with the version of Windows you have standardized on, plus the right drivers for the hardware. As the diversity of your hardware fleet grows, you may have to create multiple images for different brands or even models. And as patches for the applications and OS come out, you'll need to keep this image up to date; otherwise, the end user will have to wait once they receive the PC for it to catch up with all recent patches.
There are different flavors of images. Thin images only have the OS and perhaps a few small programs that you want on every PC, whereas a thick image has all the applications installed and takes longer to deploy (and is more work for you to keep up to date) but less time after imaging as all the applications a user needs are already there.
Once the PCs are ready to go, you use Group Policy to manage thousands of settings for security, manageability, and control across all the machines, sometimes locking them down very tightly, hindering end user productivity (but "at least it's secure," say the security folks).
If you take a step back and look at this scenario, it's got a few drawbacks. It's very labor-intensive (read: costly) in terms of maintaining images, ensuring the right drivers are available (and keeping them up to date), application deployment and testing as well as being very centralized. The only way to do this is to prepare machines in the head office and then deploy them. It also only works for business-supplied hardware; Bring Your Own Device (BYOD) or Bring Your Own Disaster machines aren't welcome.
If you're a large enterprise, there are options where your OEM will do the steps above as a service for you, but that's really only available for those with large budgets.
The modern desktop alternative ^
Notice above that the Windows OS, with the right drivers supplied by the manufacturer, is wiped. What if you just kept that installation instead?
The first step is using Autopilot and registering each device's unique ID with your organization. Now you can customize Windows setup to suit your business needs (the user doesn't become a local administrator, and there is seamless upgrade from Pro to Enterprise) no matter where the PC is, as long as the device has internet connectivity.
You can also join the PC to Azure Active Directory (and optionally to AD as well). This means you can buy 100 new laptops, have them shipped directly from your manufacturer to your end users, and let them do the setup. This is especially useful at the moment, as your end users are probably mostly working from home.
If you haven't looked at it recently, Autopilot comes in a few different versions. Self-deploying mode lets you set up kiosks and digital signage devices without providing user credentials, while White glove allows your IT department or outsourced IT company to fully prepare a PC with all applications for eventual delivery to end users. It also works when you need to reset existing PCs when they're being passed on to new users or in educational settings to get them ready for the next semester.
The ability to control the deployment comes down to provisioning packages that let you do the Windows SKU upgrade, deploy (smaller) applications, and implement particular configuration settings.
As you'll have noticed, we're not using GPOs. For a truly modern desktop, you'll join it to an MDM solution instead and use the hundreds of settings on offer there instead of the thousands in GPOs to control the most important options.
These devices will sit neatly in your MDM (next to your Android, Mac, and iOS devices). Ultimately, this is Microsoft's goal: to offer Windows 10 as a service (WaaS) and make it behave like a mobile OS and be managed like one. And upgraded like one—hence Microsoft's twice-a-year release cycle, which hasn’t exactly proven popular with businesses. There have been some concessions, with the "fall" versions being supported for 30 months instead of 18, as long as you're on the Enterprise or Education SKUs.
That MDM in Microsoft's vision is Intune, now part of a marriage with System Center Configuration Manager into a new product, Endpoint Manager.
For ongoing patching, a modern desktop doesn't necessarily rely on Windows Server Update Services or SCCM on-premises. Instead, it can use Windows Update for Business to control updates and patches through configuration settings, with the actual bits coming directly from Microsoft Update (or from nearby PCs).
Notice that this whole approach (and you can pick bits of it and still do some of it using your traditional processes) requires less manual labor. It's more automated and more decentralized, eminently suited to a world where not everyone is in the office (like during a pandemic, for instance).
A strategy built on telemetry ^
The other part of a modern desktop approach is ongoing management, which should be built on telemetry. There used to be a free service called Windows Analytics that helped you understand which releases of Windows were deployed in your environment and which PCs were ready to be upgraded to the new version. Desktop analytics, on the other hand, is part of Endpoint Manager (so it is no longer free). It is expanded in scope and uses AI to suggest which devices should be part of the next wave of piloting the new release of Windows 10.
Instead of testing every single business application with every new release of Windows 10, you test the most important ones and then you roll out the new version to a small subset of your users and let them report back to you (as well as gather telemetry from their devices) to see whether there are any issues. If not, you increase the size of the group until, eventually, everyone is on the new version, by which time your pilot team is already testing the next version.
This, of course, mimics how Microsoft acts as the IT department for the millions of unmanaged consumer Windows 10 devices around the world, deploying in rings and seeing from the signals it's getting back whether to proceed with the deployment or not.
Security is another large part of a modern desktop. In moving toward a passwordless, zero-trust world, look to procure devices that support Windows Hello for Business when you buy new hardware. Those devices all use BitLocker to encrypt their drives to protect them against attacks.
Access to cloud services and resources is controlled through Conditional Access (CA), which takes into account much more than just username and password, including location, device and OS, the risk profile of the user and the risk profile of this sign-in to grant access, grant access after prompting for MFA, provide restricted (read-only/no download of documents) access, and so forth.
And your Windows devices, Mac devices, and Linux machines should also be protected with Microsoft Defender Advanced Threat Protection (MDATP), a modern, machine-learning based Endpoint Detection and Response (EDR) tool. Interestingly, Microsoft has recently added the ability to purchase MDATP as a standalone product. It used to be available only through Microsoft 365 E5 licensing.
Certainly, all the old ways of managing PCs are still supported and many businesses might cling to "what works." But I think if anything can be learned from the last few months of chaos, it's that flexibility and the ability to adapt to new situations is vital, especially for IT teams. Hopefully, some tech I've covered and provided links to in this article leave you with some food for thought and the impetus to go and try it out, if you're not already "modern."