
  • Welcome to Microsoft Mechanics.

  • Coming up, we take a look at your options for managing Windows 10 devices

  • using traditional management strategies

  • with Configuration Manager and cloud-based modern management with Microsoft Intune.

  • We'll explore the end-to-end lifecycle from new ways

  • to deploy Windows PCs without having to create your own images.

  • To new options for keeping your users productive while configuring

  • and securing your company's Windows 10 devices.

  • Microsoft Mechanics

  • So, I'm joined today by Mark Florida,

  • an expert in traditional Windows management with Configuration Manager

  • and modern management with Microsoft Intune.

  • Mark, welcome.

  • Thanks, it's great to be on the show.

  • To start off with the release of Windows 10,

  • there have been lots of enhancements that expand what's possible

  • in terms of the management of both domain-joined PCs with Configuration Manager

  • and Azure Active Directory joined PCs with Microsoft Intune.

  • Can you bring us up-to-date on what's been happening in this space?

  • Oh yeah, sure.

  • So last December we released a new version of Configuration Manager.

  • We call it our current branch.

  • It aligns with the Windows 10 servicing model.

  • Let me show you what that kind of looks like here in the demo.

  • As you can see we've implemented some new features aligned with Windows 10,

  • such as the ability to measure your health state of your Windows 10 devices.

  • So we're basically kind of keeping up and lighting up new features that come here with Windows 10.

  • The other thing that we've been working on is making it much easier to upgrade.

  • This new release of Configuration Manager

  • has been one of our fastest updating releases ever.

  • We already have it installed on over 44 million clients

  • and over 23,000 different customers.

  • And that's not all.

  • With Windows 10 and the enhancements that have been made in the inbox MDM agent,

  • we've also enhanced Intune to better leverage those capabilities.

  • Let me show you what that looks like here.

  • What we've done is modified Intune to incorporate many of the new policies that

  • are now available in Windows 10.

  • So what you see right here is an ability to configure these new policies,

  • such as setting an edition upgrade,

  • which is super critical for customers who need to move from a lower-end SKU to a much higher-end SKU.

  • You can set up additional policies here like a VPN profile

  • and other changes as well.

  • In this last piece here there are very significant changes around Windows Information Protection.

  • Windows Information Protection really affords a customer

  • the ability to protect their corporate information

  • to ensure that it doesn't move out of their environment without their knowledge or control.

  • I know a lot of people watching this are actually considering that longer term management structure.

  • Some folks may be looking to shift some of that management capability to the cloud.

  • Other folks might be more comfortable with sticking to traditional Configuration Manager.

  • How should people be weighing up all the different management options?

  • Sure, you know whether you choose traditional or modern,

  • for us it's really about lowering the overall cost of managing your Windows devices.

  • It's not a question of one or the other.

  • I think what customers will find is that,

  • given their environment they can likely apply both in different situations.

  • So Mark, can you give us some examples of what those decision points really are?

  • Yes, there are three key areas.

  • The first being your imaging and how you get Windows 10 deployed.

  • The second being applications and identity and the third is software updates.

  • Okay, let's deep dive in.

  • What about the first of those provisioning?

  • Yeah, so if I look at a typical imaging model today,

  • let's face facts, it's pretty heavy.

  • You have to get a machine in and you have to re-image it.

  • You have to apply all your new drivers and it takes hours and usually requires a lot of manpower.

  • What we've done with Windows 10,

  • is we now allow you to get devices deployed much more quickly,

  • and much easier for the end user to be able to work off those devices.

  • Let me show you what this looks like in a demo.

  • So what you're seeing here on the screen is just a device that comes right out of box.

  • And what you'll notice is a real key change here,

  • is I have an option to join this device to Azure Active Directory

  • which is new because most people are joining into local Active Directory.

  • So, the first thing I'm going to do is enter in my credentials.

  • These are the same credentials I would use for accessing corporate email.

  • So the end user is very familiar with having to do this.

  • Now behind-the-scenes what's going on is this device is joining to Azure Active Directory.

  • And as part of that we're going to start to now get management policies coming down.

  • The very first policy that you see here is a multi-factor authentication.

  • This is a good way to validate that my identity is who I am when I'm trying to log into this device.

  • I'll enter that code there to attest that this is truly myself.

  • And this next piece that you're seeing here is where Intune comes into play.

  • So this pin isn't part of the regular out-of-box experience?

  • This is actually Intune policy telling Windows to require a pin.

  • Oh yeah, absolutely that's kind of the beauty of it.

  • To the end-user they don't know that they're going through a real disjointed experience at all.

  • But, it's getting the device prepped and ready for them with the right policy

  • so that the IT administrator can feel secure that the device is protected.

  • Now I'm going to show you a few other cool things.

  • First, you'll notice a substantial change here,

  • which is when a typical system comes back up,

  • you'll notice that it's being managed through local Active Directory.

  • Not the case here, this is now being managed through Azure Active Directory.

  • The last thing I want to show you is

  • It's right here.

  • So what you notice here is this device also has the Configuration Manager agent installed on it.

  • So what we've done is we've really integrated the management experience for a customer,

  • so that they can use Intune to help provision this device.

  • They can use Azure Active Directory to help get this device registered and managed.

  • But they can also use Configuration Manager in this environment

  • if they still need traditional management scenarios.

  • That sounds like a pretty good idea.

  • So what do you actually have to do to make that work?

  • Well all I really had to do was go into the Intune console

  • and use Intune to provision the SCCM client.

  • SCCM exec just needed to be installed and that was it.

  • The second area that you spoke of was around identity and applications.

  • What are the decision points that you suggest for folks here?

  • Sure, it really just comes down to technology.

  • It's a comparison between domain join and what's available there

  • and what's available with Azure Active Directory.

  • When I speak with customers, it generally comes down to: what are you using Group Policy for?

  • If you're using it for security settings

  • and making sure that those policies are adhered to,

  • then really take a look at what's available in Windows 10 with the inbox MDM agent,

  • because it can cover many of, if not all of, those needs.

  • And then with applications, it just comes down to the type of applications that you are deploying.

  • And if you're primarily using web applications or SaaS applications,

  • you will find that Azure Active Directory provides many of the same needs that you're accomplishing today

  • with your domain-joined machines,

  • such as your ability to authenticate and attest who the user is.

  • So I guess you'd be looking at Intune as the management provider in that case.

  • Can you show us what this looks like?

  • Yeah sure, I'd love to.

  • So for a little bit of context,

  • this device that we're on right now has just a local account.

  • So it's not managed and you can almost think of it as a home PC

  • or a BYOD device that was brought to work.

  • I'm going to attempt to access my work email.

  • Go up here into Outlook.

  • I'm going to do a couple things that are just pretty standard which I think most people are used to,

  • which is typing in your credentials.

  • So you can get to your email.

  • Okay and you'll notice I'm blocked.

  • And that's by design.

  • And the reason being is because I previously enacted a policy in Intune

  • to prevent access to email unless the device is managed.

  • So what I'm going to do is now make that happen.

  • I'm doing something very similar to what you saw in the previous demo,

  • which is adding your Azure Active Directory account to this device.

  • So click done here and now what you'll notice is there is a work account that has been added to the machine.

  • I should be able to go back and get a look at my email.

  • I'll close that out.

  • I still can't get access.

  • Now the reason that I showed this was to make a key point

  • that it's important that the device is fully configured and compliant before getting access.

  • What you'll notice is now that I've given the system a little bit of time to behave,

  • the browser when I first launched is now showing me my email.

  • It logged me in using single sign-on.

  • That's all possible because the device has joined Azure Active Directory.

  • I can see here, I've got my work email and I'm good to go.

  • And that's only possible because our conditional access checks were validated.

  • And I can be sure that the device is trusted before allowing the user to get access to corporate information.

  • Excellent, it looks like there might be some extra policies that have applied there as well.

  • I can see a little briefcase icon up there.

  • Yes, that is Windows Information Protection.

  • The Edge browser is defined as a managed application.

  • It's one where the company has full control over, is a good way to think about it.

  • So what's kind of neat about this feature is,

  • let me go down to the secret email that you sent me here.

  • And you can see that there is some text on our secret recipe that we want to make sure stays protected.

  • What I'm going to do is attempt to move that information out of a corporate managed application.

  • That little briefcase.

  • And move that over to a non-protected more personal application.

  • So let me launch Notepad.

  • Notepad has not been declared as a corporate application.

  • Thus, you don't see that briefcase or anything like that.

  • But, what you'll notice when I attempt to hit paste is that

  • the system is prompting me: "Do you want to allow this to happen?"

  • I as the end user can say: "Sure, I want to make that happen."

  • I presume it gets audited if you actually say that you want to change that to personal data?

  • Oh yeah definitely and it's actually richer than that.

  • It would have been a pretty lame demo to show you,

  • but you can actually make this as an IT administrator.

  • You can just block it completely.

  • So if you don't want to allow the information to go out, you can just stop that.

  • If you want to you can make this silent so I could paste it out into a personal application.

  • But continue to audit that as well.

  • So there's different kinds of sets of options depending on who your user base and your scenarios are.

  • I'll just allow this paste to happen.

  • So now you see it went through.

  • Your audit message that you described earlier will be recorded.

  • And this last piece is to show you how it would work with just a fully managed application.

  • In this case, Wordpad.

  • You can see it has the briefcase up above and that means it's a corporate management application.

  • You have to paste the information in there.

  • That went on without any end user intervention.

  • So in summary, if you're still leading the complexity of domain join

  • you can continue to use Configuration Manager for those devices.

  • And at the same time blend this with simpler more cost effective management

  • with mobile device management.

  • Mark, you also mentioned software updates.

  • Yes, so the two previous areas are really a choice the customer can make.

  • The reason I call out software updates

  • is because of the new model that has been released with Windows 10.

  • They've moved to a cumulative update model

  • which greatly simplifies the update process for a customer

  • to keep their Windows devices up-to-date.

  • It's something a customer should take a look at if they haven't done so already.

  • Why don't I give you a glimpse of what that looks like.

  • What I'm going to do is show you Configuration Manager.

  • Where we have built an experience in there for you to manage Windows 10 servicing.

  • So there's a few kind of key concepts I'll talk about which is that

  • you can define how successful a deployment is.

  • As well as monitor in your environment the various

  • levels of Windows that you might have deployed.

  • And track the progress there.

  • The other thing that you can do is create a ring.

  • The ring is the ability for you to stage a rollout of a given new update that Windows releases.

  • This is very valuable when you think about things like application compatibility testing.

  • I'll create a service plan for you in a ring in essence to get the update out of the door.

  • So first thing I got to do here is type in a name.

  • Windows plan.

  • Now I'm picking the set of devices that I want to target.

  • So New York branch is the one that we have just a small number of users for.

  • I then get to select what type of update from Windows I want to deploy.

  • I'll choose the business one and now I will create that.

  • Once that's created, let me show you a little bit of the internals of what a servicing plan looks like.

  • A lot of it for a config manager customer is going to be very familiar and some will be different.

  • So, here's your deployment settings.

  • Your servicing plan again it's really just the group of devices you want to target.

  • And this is probably the most significant change if you're used to

  • software updates management and Configuration Manager.

  • We built an experience where you can choose

  • if you want updates to go out right away

  • when Windows releases them.

  • That would be the zero option.

  • Or you can put a buffer in place.

  • And this basically allows you to maybe wait for the rest of the world to test out an update

  • before you decide to take it on yourself.

  • You can just automate this away.

  • You don't have to come back on day 52 to do a manual deployment.

  • Let us do that for you and take it over.

  • So the first thing that comes to mind when I think about Windows 10

  • is that there is a difference between feature updates and security updates.

  • Does this cover both of those?

  • Yes, absolutely it does.

  • It goes back to that same kind of mechanic that we have in Configuration Manager.

  • It's used for both.

  • So you can deploy your cumulative updates with this.

  • You can deploy your critical and we have that covered.

  • That sounds amazing actually, it's a really great set of features

  • for being able to do software updates and deployments in line with the Windows servicing model.

  • So that covers the core management scenarios around provisioning identity and applications

  • and software updates.

  • What else is in store?

  • Well we're going to continue to expand what we do with MDM management with Intune.

  • And we're also going to continue to invest in Configuration Manager.

  • All with the premise that we want to be able to support the management needs that our customers have.

  • And we realize that there's a blend of both

  • a need for modern management and traditional management.

  • And we'll keep investing in both to make sure our customers are happy.

  • Cool and how can people learn more?

  • As you start to roll out Windows 10 for your organization,

  • it is a great time to familiarize yourself with the management strategy.

  • You can learn more in the link below.

  • Great, thank you very much for taking the time to come on the show.

  • And keep watching Microsoft Mechanics for the latest in tech updates.

  • Thanks for watching and bye for now.

  • Microsoft Mechanics

  • www.microsoft.com/mechanics
