Security, Compliance, and Identity Blog

Managing Windows 10 with EMS & ConfigMgr

Brad Anderson
Sep 08, 2018
First published on CloudBlogs on Aug 18, 2015
One great piece of news at the outset of Windows 10 is that it can be managed from your existing infrastructure – i.e. ConfigMgr 2012 and ConfigMgr 2012 R2. Windows 10 also continues support for Group Policy and WMI, and it advances its MDM support in significant ways. With the Unified Windows Platform, for example, the MDM capabilities will be present and consistent on all Windows 10 devices and form factors. There are also a number of new and improved deployment and management capabilities built into core Windows that are then available in ConfigMgr and Intune which you will want to be familiar with. A few of the new manageability capabilities in Windows 10 include:
  • Enhanced MDM capabilities. With these you will be able to choose the management solutions and configuration that work best for you (e.g. ConfigMgr, Hybrid, or Intune standalone).
  • Deployment, Enrollment, and Management of devices is optimized for corporate-owned devices.
  • A robust upgrade path from Windows 7, 8, and 8.1 to Windows 10 via traditional wipe/reload as well as in-place upgrades (both delivered through ConfigMgr 2012 without requiring an upgrade to your infrastructure).
  • Universal Windows apps will provide the ability for a single application to be written and then used on all Windows 10 form factors. This is a powerful way to empower your workforce.

Windows 10 and Manageability Choices

One differentiator of Windows in the enterprise is its deep management exposure, and, by extension, in-depth security technologies that help protect corporate data and resources. Microsoft’s management solutions (ConfigMgr and Intune) are highly integrated with Windows – and, with Windows 10, significant capabilities have been added to this combination. With Windows 10, a domain-joined PC, managed with the ConfigMgr agent, will continue to be a deep and rich management configuration for organizations. ConfigMgr will continue to have full operating system deployment options via either the new and improved upgrade process, or through the traditional wipe and load. This is the method most organizations use today to manage their corporate Windows devices – and this is likely to continue. Windows 10 also fully embraces MDM management, and cloud-optimized solutions, like Intune/Hybrid configurations, and Azure Active Directory, with unified management capabilities across all form factors. This is a lighter-touch approach to management. There is no longer any disparity across Windows devices regarding what can be managed through MDM on, for example, phones vs. laptops. This is now possible because Windows 10 delivers a single and common kernel across all form factors and the MDM capabilities are built into that common kernel. The new Windows 10 features (like Enterprise Data Protection, Universal Windows apps, and much, much more) are all manageable through the MDM layer of Windows 10. There are a significant number of MDM policies in Windows 10, including security controls like configuring software update behavior and managing Defender. While there have been many improvements to the MDM capabilities, not every management capability exists – yet.
To solve for this, we have effectively built a “bridge” between the ConfigMgr agent and the MDM agent which enables the agents to co-exist and expose all the existing manageability that you know today – as well as the new functionality that is being exposed via MDM – to be manageable from the ConfigMgr console. No one else (traditional PC management or EMM vendor) has done any work like this. This is another HUGE reason that ConfigMgr + EMS is your best solution for deploying and managing Windows 10. Additionally, the next version of ConfigMgr will support MDM-based management for Windows devices, fully on-premises, with no ConfigMgr agent required. So what does this all mean for your company? Primarily, it’s about providing you the choice and the power to use the Microsoft management solution and configuration that works best for your organization. The tried and true model of provisioning Windows (e.g. using custom images, domain joining, installing the ConfigMgr agent) is still highly effective with Windows 10. With all of the MDM optimizations added for the enterprise (and with those optimizations common across both mobile and desktop Windows), as well as the ability to use organizational identity with AAD Join (and auto-enrollment into Intune/Hybrid), you now have an additional, cloud-optimized path to making your workforce more productive on Windows 10 right out of the box – and this is where Intune and EMS come in. For many organizations, both models of management will be used for Windows 10, as they are highly complementary. For example: You may choose to use the traditional management capabilities for your corporate devices and MDM for BYO. You will, however, want a single management solution with a single console to do this – and ConfigMgr and EMS is the only solution for that. Over the long-term, I believe that most organizations will move towards the lighter-touch MDM method of managing devices.
Ultimately, the management solution you’ll select comes down to a few things:
  • The scenarios in which Windows devices are being used in your environment.
  • The different types of scenarios you need to enable (CYO, BYO, mission critical devices, etc.).
  • What level of control you need over these scenarios.
  • The pace at which you are moving to cloud services.

MDM Enrollment and Management of Devices is Optimized for Corporate-owned Devices

There are a number of significant innovations and new capabilities in the area of device enrollment and domain join that are being delivered through Windows 10, EMS and ConfigMgr. A few of the most impressive features include:
  • Windows 10 is thoroughly cloud-optimized and enables people to get business-ready right out of the box via Azure Active Directory Join. This automates enrollment into management and it seamlessly delivers the necessary mission-critical corporate apps and policies (think of Azure Active Directory Join as the cloud domain join). AAD becomes aware of the device and then solutions like Intune can apply policy and settings to the device (think of Intune as the cloud Group Policy).
  • ConfigMgr and Intune can now bootstrap the enrollment of devices for Intune and/or ConfigMgr management. The ability to do this is already authored directly in the admin console, or you can do it by using the excellent Windows Image and Configuration Designer tool.
  • Users can now auto enroll devices into management right out of the box using an AAD account + enabling auto enrollment into Intune. This process can also configure key capabilities like using Microsoft Passport to simplify user logins. Think of that for a moment: A user takes their device, logs in with their Azure AD account, and the device is all set up and managed. It’s actually that simple!
  • For task worker devices that cannot leave the corporate network, Admins can enroll those devices directly into ConfigMgr MDM without ever leaving the corporate network.
  • The “kiosk mode” for devices is manageable by ConfigMgr and/or Intune on any Windows SKU.
  • Admins can configure and manage per-app VPN to simplify user access to on-premises corporate resources whenever they launch an app.

New Ways to Deploy Windows 10

The Windows and ConfigMgr teams have worked together to make significant improvements to the upgrade path to Windows 10. Using a ConfigMgr task sequence, upgrades can be delivered by running setup while maintaining ConfigMgr client stability throughout the process. The upgrade process can also handle any errors, like driver or application compatibility issues, encountered during the upgrade – and then even manage the rollback if necessary. As mentioned previously, the wipe and reload OS deployment model is still fully supported, using the new Windows deployment tools (ADK). As always, the goal here is to provide IT with as many proactive choices as possible so that the best deployment model is available to each organization. Additionally, admins can now use dynamic provisioning (via the Windows Image and Configuration Designer) to domain join an out-of-box Windows 10 Pro PC, upgrade to Enterprise, install the ConfigMgr agent, or enroll the device into ConfigMgr or Intune MDM.

Power Your Business with Universal Apps

With all Windows 10 devices now running on a single, unified Windows kernel, this represents the apex of our platform convergence journey. This convergence enables a single Windows app to be written and then run on every Windows 10 device. This is an amazing value for any organization building Windows applications. Think of the apps that your organization builds every day and how the Universal Applications will streamline your developers and your users! Whether your organization is using phones, tablets, Xboxes, Surface Hubs, or even the HoloLens – you have a single app that can now run on all of these and be deployed/managed by ConfigMgr. Administrators can also access a new Business Store coming later this year – a portal specifically for organizations – and they can do so by signing in with an Azure Active Directory identity. Admins can manually download the Windows app + the app license that they recently purchased from the store, create an app deployment in ConfigMgr vNext, and then deploy that to users and/or devices as required (or as available via the Intune company portal). The ConfigMgr admin will be able to assign apps acquired through the Business Store portal to the appropriate people within that organization – and the store will then install the app along with the appropriate license for that Windows device.

To see how to make the most of these new manageability features, check out the rest of this series at aka.ms/DeployWin10.
