Wednesday, 27 September 2017

Building Bridges: Co-Management with Intune and Configuration Manager

On Monday, Microsoft finally announced the rollout of the capability to manage a Windows 10 device with Intune MDM and the Configuration Manager agent. This long-sought-after capability has been requested by many of my Enterprise customers after they’ve embarked on the journey to modern management with Windows 10. If you want to unlock this superpower, read on.

Before diving into co-management, let’s take a moment to differentiate between modern management and traditional management. At the outset, I would characterize the fundamental difference between the two management methodologies by how they deploy and manage a machine.

On one end of the spectrum, traditional management designs and deploys a Windows machine with a high level of customization defined by the corporate IT department. On the other end of the spectrum, modern management prioritizes simplicity with a simple and minimal image that has little to no customizations.

I see the value of the modern approach; however, it is worth noting that it brings its own nuances, which, if not handled well, can become problematic.

Let me briefly elaborate on what I mean by that. In a modern, Enterprise-scale IT environment, when I provision a user for a client, I must either coordinate with a deployment technician internally or a hardware vendor to image the machine with my highly-customized version of Windows.

After successfully coordinating the device image, I need to ensure that the device is joined to Active Directory and that it has the Configuration Manager agent installed. As you know, both scenarios can be time-consuming and error-prone because the image evolves considerably over time.

While you start with a clean, albeit customized, base image, throughout deployment you will undoubtedly implement many additional customizations using Configuration Manager to apply more software and settings to the device.

And it doesn’t stop there. After you’ve finished with Configuration Manager to deploy the machine, Group Policy is applied to the machine through Active Directory, where user- and machine-specific security and configuration needs are further layered on top of the base image. In Enterprise environments, Group Policy customizations can affect hundreds of settings on the machine depending on which role the computer and user are assigned to perform their work functions.

The whole process requires considerable planning, building, and testing before being promoted into production as a finished solution, and it needs to be revised at least twice a year to keep in synchronization with the Windows 10 release schedule. Once you have a validated image, it can take the system anywhere from 45 minutes up to two hours to provision the device to an end user.

My goal is always the same: to make the process as hands-free as possible. However, more often than not, this goal falls short for many of my customers because their existing environment is chock-full of customizations that the deployment technician must manually specify at deployment time. For example, machines might be named incorrectly, machines can be put into the wrong Active Directory OU, and the user might be assigned to the wrong machine. These kinds of mistakes (and I’m only touching the surface here) require manual remediation and in some cases, re-imaging the machine.

Modern management bases the image on the factory load of Windows 10, which means that the first time an end user logs into a machine, they provide their credentials and the machine is tailored to their particular work needs using Windows Setup combined with Provisioning Packages for customization, with Intune performing the final customizations.

One of the most critical reasons to adopt the modern approach is to drive down the total cost of ownership.

Sounds great, right? Well, there’s a catch: you have to put aside everything you know about traditional management and leave your expectations at the door. Modern and traditional management methodologies are like night and day, so treating them the same will set you up for failure.

The challenge that organizations face during the transition from traditional to modern methodologies comes from not evolving and managing their expectations. That is to say, customers expect that their workflows, procedures, and protocols will continue to operate (without any further modifications) within a modern management framework. In my experience, this has never happened.

Rolling out a modern management framework requires simplicity. In order to transition a user with many dependencies to a modern management framework, you will need to commit significant planning and resources to make modern management a reality.

In my opinion, only those organizations that can identify simple use cases and can invest in implementing a modern management framework should embark on the journey.

To summarize the key difference, modern management strives to drive down the cost of ownership by packaging as few applications and customizations into the image as possible. The downside is that, on the management side of things, provisioning users takes on a few new approaches, and staff must learn new ways of managing applications, machines, and images.

With that said, I can now turn to Intune’s new capability. Initially, MDM was an extremely small subset of Group Policy, which was frustrating for system administrators and the IT security department due to the lack of configuration capabilities available. There are ADMX-backed Group Policies that can be delivered via MDM, but we are looking at only 367 settings as opposed to 2500-3000 Group Policies.

More specifically, legacy software packages are not part of the Windows Store modern management vision. We could deliver Win32 applications via MDM in Intune, but all the files had to be within a single MSI file - a rare configuration for most complex applications. It was time-consuming and cumbersome for many customers because there wasn’t much of a technology bridge between these two worlds, and “creative” (i.e., fragile and risky) solutions began to creep into the picture.

With co-management, your device lives in between traditional and modern management practices, which helps you focus on just those technologies that apply to the device until it can fully cross over into a modern management state.

To get started, I recommend rolling out the following through Intune when it makes sense in your environment:

  • Conditional access
  • Software updates
  • Compliance policies

These are easily managed through the cloud and should be the first workloads that you configure for exclusive management through Intune. With Microsoft’s announcement, the migration path for each machine now has three states:

  1. Traditional management state
  2. Co-management state
  3. Modern management state

Unfortunately, in practice, I’ve found it difficult to find user populations where pure Intune management of Windows 10 meets the requirements of the Enterprise customer.

The trinity of Intune, Azure AD, and Windows 10 S represents a computing fabric that most closely resembles a pure form of modern management. The paradox that we face is that deploying such a configuration across an entire user base would be a suicide mission for most organizations.

If you haven’t been keeping track of Windows 10 S, there is no support for Win32 applications (marketed as a security strategy), but there is a modern application management use case which uses Universal Windows Platform or Desktop Bridge applications delivered through the Microsoft Store.

Enterprise customers are notoriously difficult to migrate because of the enormous amount of technical debt in the organization, which for the most part, resides with their applications. The consequence of this technical debt is that it will take these customers years to modernize their application base and be able to deliver their entire application portfolio through the Microsoft Store.

Until such time, organizations won’t be able to retire traditional imaging, management, and Active Directory methodologies. Depending on who I’ve talked to, a number of different migration timelines have been mentioned; regardless, I believe that the journey is going to be a long one.

Co-management is a hugely welcome capability right now because the timeline for Microsoft to move Windows 7 and Windows 8 to end-of-life is fast approaching, and huge numbers of organizations are scrambling to prepare for that inevitability. The unfortunate reality for most of them is that, to transition from traditional to modern management, they will encounter a chasm between how they used to do things and how they will need to do things, and co-management offers the first bridging technology to help scaffold over that chasm.

Customers who need capabilities that are exclusive to Configuration Manager can carry them forward until they either no longer need the capability or Intune is ready to take over the capability by managing it via the cloud.

I hope this bridge between traditional and modern management will make the migration process easier for many of my customers. The point to keep in mind is that the migration path is not an all-or-nothing scenario; it is necessarily incremental and long in the tail.

Use empirical data (not marketing hype) to identify candidate user populations where modern management makes sense. In my experience, I’ve found the mobile information worker to be a stable and predictable candidate user group to start with. Once I have successfully migrated one user group, I proceed further down the modern management path as additional user populations are identified and vetted (i.e., not selected arbitrarily).

In the end, it is important to realize that migration isn’t just a management capability puzzle; it is also an application modernization strategy. Remember that you can also use desktop virtualization to deliver legacy applications to modern users as a bridging technology.

Above all, keep your eyes and ears open, because modern management is a rapidly changing landscape: what didn’t work six months ago may miraculously work today. If you have blocking issues, talk directly with your Microsoft reps and communicate feature requirements through the various user voice sites out there for the different Microsoft products.

There are a few juicy announcements that are coming down the pipe from Microsoft, so stay tuned to this blog for breaking news.
