Modern desktop deployment and management with Microsoft 365

Adnan Hendricks

• SAFFA living in Netherlands, work globally

• Microsoft Trainer +25y (xRL MSLearning)

• Microsoft MVP + 5 Years

• Cloud Solution Architect & Readiness Trainer

• Former MS Consultant in MS MCS.

• Courseware technical writer, Speaker, Events Org

@Microspecialist

[email protected]

Cloud Solutions Architect

4

Beat the Windows 10 Deployment Clock

January 14, 2020

End of Support for Windows 7

Less than 500 days away

Are you ready?

Modern Workplace- Work from anywhere

- Choose the device you want or bring your own

- Quick, friendly out-of-box experience

- Self-service

- Integrated and cloud-based security

- Simpler application delivery through Store/SaaS

- Data intelligence for better business insights

- Minimize on-preminfrastructure costs

- Unified identity, device and app management

- Self-service deployment without imaging

Intune & AzureActive Directory

Cloud Modern Management

On-premises

Device Compliance

PatchingSoftware DistributionAD &

ConfigMgr

On-premises

Device Compliance

PatchingSoftware Distribution

Intune & AzureActive Directory

Cloud Modern Management

AD &

ConfigMgr

Hybrid AAD Joined (DJ++)

+ Intune MDM

Hybrid AAD Joined (DJ++)

+ ConfigMgr agent

Azure AD

Setup Hybrid Azure AD

License users for Azure AD

Enable Windows 10

Auto-enrollment

ConfigMgr

ConfigMgr 1710+

Onboard to AAD

** Set up Internet facing client

Intune

If hybrid, migrate users off first

Standalone only

License users for Intune

Windows client

Windows 10 1709+

‘How to shift’to the modern desktopCore steps and processes for large-scale deployment of Windows 10 and Office 365 ProPlus

Why move?

END-TO-END IMPROVEMENTS FOR SECURITY AND INFORMATION

PROTECTION

TEAMWORK AND PRODUCTIVITY ENHANCEMENTS CONNECTED WITH

OFFICE 365

AND IF YOU’RE STILL ON WINDOWS 7 OR OFFICE 2010, SUPPORT ENDS

STARTING JANUARY 2020

What’s different compared to the last big desktop deployment?

Directory services are moving to the cloud as the fabric for connecting to cloud-based services across apps and services

In-place upgrades are viable and recommended for applying new versions of Windows

UEFI replaces the traditional BIOS and is needed along with 64-bit for many of the modern security and protection capabilities in Windows

Microsoft Intune can manage Windows 10 policies, your connected apps and be configured for co-management with ConfigMgr

Office 365 ProPlus is the preferred option of Office desktop apps and uses a new package type called Click-to-Run

Office 365 ProPlus and Windows 10 are now use semi-annual feature updates and cumulative monthly updates

Device and App Readiness• Inventory devices and apps under management

• Prioritize devices and apps based on counts and importance

• Windows Analytics Upgrade Readiness helps assess apps and devices against known compatibility status

• Work through hardware and app inventory and use info to target devices ready for deployment

• Continue triaging and expanding target devices until deployment is complete

• Implement required fixes for browser-based apps

Windows Analytics

Directory and Network Readiness

• Azure Active Directory deployed for targeted users

• Network bandwidth requirements calculated for OS, apps, drivers, language packs and user state

• Delivery Optimization, P2P caching, LEDBAT and compression controls configured to control bandwidth

• Plan Office-related networking considerations: OneDrive Known Folder Move, Outlook Data Files, etc.

• Deployment rings and group phases planned based on readiness and network capacity

Office & LOB App Delivery• Ensure required apps are available for managed

software distribution

• Prepare new apps to replace or supersede apps that won’t be brought forward

• Prepare for Office 365 ProPlus (Click-to-Run) app delivery, customization and user-based, subscription activation

User Files & Settings

• Target scenarios where user state migration is required: PC replacement or wipe and load

• Plan for methods to be used: OneDrive Known Folders, User State Migration Tool or custom solution

• Prepare required storage infrastructure

Security & Compliance

• Assess current client-side and server or cloud-based security solutions in place

• Test impacts of 3rd party disk encryption and anti-malware, then plan your deployment and AV software accordingly

• Plan for new security and compliance capabilities in Windows 10 and Office 365 ProPlus

• Assess security considerations of deployment process, access to deployment shares and how user state is migrated

• Configure endpoint settings and policies: Group Policy, MDM, Data Loss Prevention

• Configure security and compliance services for cloud-based components and EDR

OS Deployment & Feature Updates• Assess hardware replacement cycle

• Prepare hardware and application testing for each new feature update, verify hardware vendor support for each feature update

• Plan for in-place upgrades for Windows 10 releases, refresh, replace and bare metal deployments for Windows 7 to Windows 10

• Establish deployment plan with validation feedback loop

• Establish process for rollback, remote users or no infrastructure deployment scenarios (offline media)

• Carry out deployment plan and establish repeatable process for new users and ongoing PC replacements

Windows- & Office-as-a-Service

• Prepare for semi-annual feature updates to Office and Windows

• Establish Insider team and process to evaluate new Windows and monthly Office updates

• Prepare for updates to software distribution and update management tools as needed

• Operationalize semi-annual deployment processes

Users Apps

Microsoft Intune Learn more at microsoft.com/intune

Simplify Windows 10 management and lower TCO with EMS

Self-service deploymentMake any new PC enterprise-ready via

a simple self-service experience.

Automatically configure devices when yourusers login with their company credentials.

Use cloud intelligence

to upgrade Windows 10

and Office 365 ProPlus

with confidence.

Simplified management & securityEmbrace cloud-based management and transition at

your pace while staying in control.

Always up to dateDeliver the latest features and

security.

Control what

updates are

deployed, to

whom and

when.

Proactive insightsGet ongoing proactive insights to

diagnose and fix issues before they

happen.

Cloud updates mean youdon’t need to have on-premise update servers.Microsoft 365

EMS

Windows 10

Contoso Sign in

Corp. Username

Password

Certificate

Agentless Unified identity,

device and O365

ProPlus mgmt.

Integrateddata protection

Enterprise Mobility + Security Learn more at microsoft.com/ems

Sign in with contoso.microsoft.com

[email protected]

Next

Office 365ProPlus MGMT

Co-Management Architecture With ConfigMgr and Intune

Windows 7/8.x

Windows 10AD Domain-joined &

AAD Joined

Mobile devices Intune

ConfigMgr console

Azure portal

ConfigMgrSite Servers

ConfigMgr agent

AD Domain Joined

ConfigMgr agent

AD Domain Joined

AAD Joined

ConfigMgr agent

Intune MDM

AD Domain Joined

AAD Joined

AutoPilot

Intune MDM

AD Domain Joined

AAD Joined

ConfigMgr agent

Intune MDM

AD Domain Joined

AAD Joined

Existing ConfigMgr managed devices

New devices

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

- Users see settings and data

across devices (Enterprise

Roaming of Settings)

- IT can control access via

Azure AD device-based

conditional access.

- Users sign-in conveniently

and securely with Windows

Hello for Business.

- Eliminate PC dependency

on domain controllers

- Better battery life and

performance of the device

- Extend your on-premises directory with Azure AD.

- Azure AD Join your AD domain-joined devices

- AD + Azure AD Join new devices through Auto Pilot

- Transition GPO to MDM

- Pilot Azure AD Join to identify AD auth dependencies

- Gradually move traditional management tools that rely on computer identity to their cloud equivalents or AAD enlightened versions (e.g. ConfigMgr with CMG, WSUS to WUfB)

- AAD Join new devices (AD Joined machines remain AD joined until retired)

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

S E T T I N G S P O L I C I E S

O F F I C E &A P P S D R I V E R S

1. Build & maintain

custom image, gathering

everything else that’s

necessary to deploy

2. Wipe original OEM

Windows image and

replace with custom image

Time

Money

OEM/Reseller

Ship

Off-the-shelf and Shrink-wrapped Devices Employee unboxes device, self-deploys

Deliver direct to Employee

Employee driven Self-Deployment

• Custom imaging – expensive, limits HW choice, impairs talent

acquisition

• Windows EULA – employees not permitted to accept on org-

owned devices

• Non-trivial decision making (Personal vs Org Owned disambig,

Privacy Settings, OEM Registration) generates Helpdesk calls

• OOB account is always Admin – majority of enterprises want

standard accounts on corp-owned devices

ANNA [email protected]

United Arab Emirates

United Kingdom

United States

Let’s start with region. Is this right?

YesYesYes

Is this the right keyboard layout?

US

United States-Dvorak for left hand DVORAK L

United States-Dvorak for right hand DVORAK R

United States-International QWERTY

Albanian QWERTZ

YesYesYes

SkipAdd layout

Want to add a second keyboard layout?

SkipSkip

Now let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about the first one on the list? Want to use that one?

Skip for now

Let’s connect you to a network

Network4

Contoso Corp

ContosoMNGuestWiFi

Connect

Contoso Corp 2

Connect automatically

Now let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about the first one on the list? Want to use that one?

Skip for now

Let’s connect you to a network

Network4

Contoso Corp

ContosoMNGuestWiFi

Connect

Contoso Corp 2

Connect automatically

Agree & Connect

Welcome to our Guest Wi-Fi

By clicking on the connect button you agree to our Terms

of Service and have reviewed the Contoso Privacy Policy.

Agree & Connect

Welcome to our Guest Wi-Fi

By clicking on the connect button you agree to our Terms

of Service and have reviewed the Contoso Privacy Policy.

Just a moment…

Now we can go look for any updates

Next

[email protected]

Welcome to ContosoMN!

Enter your ContosoMN email

Change account

Need help?

Please sign in with your ContosoMN email address

Privacy & Cookies Terms of Use

Next

[email protected]

Welcome to ContosoMN!

Enter your ContosoMN email

Change account

Need help?

Welcome to ContosoMN

Privacy & Cookies Terms of Use Next

Next

Welcome to ContosoMN!

Enter your ContosoMN password

Change account

Need help?

Welcome to ContosoMN

Privacy & Cookies Terms of Use

……….

Next

Please wait while we setup your device…

Just a moment…

We’re getting everything ready for you.

This might take several minutes.

We want everything to be ready for you.

Hardware Vendor

Windows AutoPilot Service

Upload

Device IDs

Configure AutoPilot Profile

Employee unboxes device, self-deploys

Ship Deliver direct to Employee

Self

Deploy

IT Admin

Device IDs

Hardware Vendor

Windows AutoPilot Service

Upload

Device IDs

Configure AutoPilot Profile

Employee unboxes device, self-deploys

Ship Deliver direct to Employee

Self

Deploy

IT Admin

Device IDs

Windows AutoPilot

Microsoft 365 powered device

United Arab Emirates

United Kingdom

United States

Let’s start with region. Is this right?

YesYesYes

Is this the right keyboard layout?

US

United States-Dvorak for left hand DVORAK L

United States-Dvorak for right hand DVORAK R

United States-International QWERTY

Albanian QWERTZ

YesYesYes

SkipAdd layout

Want to add a second keyboard layout?

SkipSkip

Now let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about the first one on the list? Want to use that one?

Skip for now

Let’s connect you to a network

Network4

Contoso Corp

ContosoMNGuestWiFi

Connect

Contoso Corp 2

Connect automatically

Now let's get you connected to a network. That way you get updates, apps and cat videos as soon as possible. How about the first one on the list? Want to use that one?

Skip for now

Let’s connect you to a network

Network4

Contoso Corp

ContosoMNGuestWiFi

Connect

Contoso Corp 2

Connect automatically

Just a moment…

Now we can go look for any updates

Next

[email protected]

Welcome to ContosoMN

Enter your ContosoMN email

Change account

Need help?

Please sign in with your ContosoMN email address

Privacy & Cookies Terms of Use

Next

[email protected]

Welcome to ContosoMN!

Enter your ContosoMN email

Change account

Need help?

Welcome to ContosoMN

Privacy & Cookies Terms of Use

Next

Welcome to ContosoMN!

Enter your ContosoMN password

Change account

Need help?

Welcome to ContosoMN

Privacy & Cookies Terms of Use

……….

Please wait while we setup your device…The other part is, if you have your device get set up with local active directory domain joined, how do I get the SCCM client installed on the machine? You can use Intune to

basically upload your ConfigMgr MSI into Intune. Intune can install that ConfigMgr on to the machine as a part of your Autopilot experience once your device ends up being

managed by Intune.

Your device will reboot now….

We’ll continue setting up your device after reboot

Connecting to your organization’s network…

Other User

Sign in to: CONTOSO

How do I sign in to another domain?

Sign-in options

→

Contoso\AnnaAnders

Sign in to: CONTOSO

How do I sign in to another domain?

Sign-in options

→

Contoso\AnnaAnders

……….

Other User

We’re getting everything ready for you.

Setting up your device for work

Security

Applying security policies (1 of 1)

Encrypting hard drive to keep your data safe

Leave everything to us. (Don’t turn off this device.)

Adding network connections (1 of 1)

Adding Contoso WiFi network

Applications

Installed application 0 of 18Installing applications (1 of 1)

Installing Contoso Electronics

Security setup complete

Network setup complete

Application installation complete

AADIntune

Apps

Updates Reporting

Config

Manager

Policies

AD

Co-Management using Windows AutoPilot

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

A new way to build, deploy and service Windows

A single cumulative update each month with no

new features

• Security fixes, reliability fixes, bug fixes, etc.

• Supersedes the previous month’s update

Twice per year with new capabilities

• New features and innovation APIs and security

capabilities

• Very reliable, with built-in rollback capabilities

• Simple deployment using in-place upgrade, driven

by existing tools

• Try them out with Insider Preview

Quality Updates Feature Updates

2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Traditional deployment (every 3-5 years)

Apps Infra Imaging Deploy

2009 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028

Windows as a service (twice per year)

Apps Infra Imaging Deploy

1 Configure Insider PCs• Lab or secondary PCs

• Enough to explore new features, measure compatibility

2 Identify special PCs• Deploy Windows 10 Enterprise LTSB

• Limited numbers (we hope)

3 Recruit volunteers for pilots• Willing participants who will provide feedback

• Cover the broadest set of apps and devices possible

4 Divide broad population of PCs• Standard deployment best practice

• Focus on risk reduction, minimizing disruption

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

Check out the 1703 MDM security baselines here:

https://aka.ms/mdm1703baselines

MDM

Security Baselines

AD/AAD

connect

Adopt Windows 10

Adopt Office 365/ProPlus

Imaging to Signature Image

1/2020

GPO to MDM Policy

Kerberos to Modern Auth

Win32 to Modern Apps

ConfigMgr Content Delivery to Cloud Content Delivery

Today

WSUS to WUfB

Adopt & Connect Transition to Modern

Modernizing with a co-management bridge

Traditional Application

Management

Modern Application

Management

Microsoft Cloud

3rd Party SaaS Apps

On Premises Apps

Microsoft Azure

Monitor users /

prevent data leak

Block various actions

Restrict download

Enforce MFA

Block sign-in

Allow sign-in

Access Control

Session Restrictions

OS Platform

Is Compliant / Domain joined

Is lost or stolen

Device Risk

Device

User identity

Group membership

Session RiskUser

Mobile or Cloud app

Per app policyApp

Location

IP range

Country / Region

ApplicationsPolicy ControlsPolicy Conditions

WindowsDefender

Azure AD

Identity

Protection

Service

Microsoft

Cloud App

Security

ODSP limited

access

On-premise

Traditional OS Deployment

Win32 app management

Configuration and GPO

Bitlocker Management

Hardware and software inventory

Update management

Cloud attached Cloud managed

Unified Endpoint Management – Windows, iOS, macOS, Android

Modern access control – Compliance, Conditional Access

Modern provisioning – Autopilot, DEP, Zero Touch, KME

Modern security – Hello, Attestation, ATP, Secure Score

Modern policy – Security Baselines, Guided Deployments

Modern app management – O365 Pro Plus, Stores, SaaS, VPP

Full M365 integration – Analytics, Graph, Console, RBAC, Audit

Thank You!