Aloha and Happy Friday!
As discussed previously, our Endpoint Management modernization story is compelling. The server team overheard that good news and is curious - but the Server Management discipline is quite different from Endpoint Management.
Server teams manage and operate systems that are usually locked away in datacenters – either their own and/or a cloud provider's. They’re usually not exposed to physical loss or theft, nor to shoulder-surfing at a coffee shop. They’re usually only accessible via remote management capabilities. They usually have much more stringent change control and update processes - and often extreme business sensitivity to reboots (especially unplanned ones, but planned ones, too).
So, what is our Server Management story then, circa 'Holidays 2023?'
Well, I'm glad you asked - and I get this question a lot these days.
For starters, it comes as no surprise that Azure and the cloud are the hub of our server, infrastructure and management solutions - present and future. That said, we're by no means abandoning 'on-prem.' Don't forget, Azure runs 'on-prem' - the underlying foundation is Windows Server and Hyper-V - 'the cloud' is very well-managed physical and virtual servers and infrastructure, running in datacenters. And we continue investing and innovating in the server ‘OS’ itself; in fact, we have an 'Azure' edition of Windows Server and we have a Windows Server vNext flavor in preview now. One improvement coming to Server vNext is a significant scale enhancement for the Active Directory DB. Yep, the ol' NTDS.DIT JET Blue DB is getting 32k page support (it’s been 8k since the dawn of AD).
In terms of management from on-premises, Configuration Manager still fully supports management of Windows Servers, as does Group Policy (and new ADMX templates/GPO controls always come along with new versions of the OS). If that's your steady run-state solution today, that's great - but in terms of the future, your plans must include consideration of hybrid/cloud, to some degree.
- By the way, if you've done a lot with GPOs over the years to configure your server fleet, go check out "Azure Policy"
In terms of management from the cloud, Windows Server OSes can’t fully enroll into Intune. Even if they could, there isn’t much server management capability directly in Intune. However, we do have more and more cloud integrations for Windows Servers. For example, Configuration Manager and/or GPOs can be used to on-board servers into cloud services such as Defender for Endpoint and/or Defender for Cloud and then managed via those cloud portals.
- Onboard non-Azure machines with Defender for Endpoint - Microsoft Defender for Cloud | Microsoft Learn
- Below is one of my on-prem AD-joined/SCCM-managed servers that is on-boarded into Defender for Endpoint for A/V and security alerting and monitoring.
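Once servers are onboarded through Configuration Manager or a GPO, the next question is whether the onboarding actually took on every box. Here's an added example (my own, not code from the post or from Microsoft) that checks the documented Defender for Endpoint status registry key and the Sense service, and fans the check out over PowerShell remoting. The server names at the bottom are constructed placeholders.

```powershell
# Added example: verify Defender for Endpoint onboarding on a Windows Server.
# OnboardingState = 1 under the Status key means the onboarding package applied;
# the Sense service is the MDE sensor and must be running for alerting to work.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $state = if ($status) { [int]$status.OnboardingState } else { $null }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $state
        SenseStatus     = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
        # Only call it onboarded when both the state flag and the sensor agree.
        Onboarded       = ($state -eq 1) -and ($sense -and $sense.Status -eq 'Running')
    }
}

# Local check (useful as a ConfigMgr script or compliance item).
Test-MdeOnboarding

# Fan-out over WinRM: constructed placeholder names, replace with your own.
$servers = 'srv01.lab.example', 'srv02.lab.example'
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-MdeOnboarding} -ErrorAction Continue |
    Where-Object { -not $_.Onboarded } |
    Format-Table ComputerName, OnboardingState, SenseStatus
```

Anything left in that last table is a server whose alerts you should not be relying on yet; it's a good candidate for a remediation script in CM or a follow-up in the Defender portal.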
If you’ve set up Tenant Attach to integrate your ConfigMan site with your Intune service, you can sync CM-managed servers to Intune and perform CM-agent tasks and things like CMPivot and Resource Explorer from the cloud. Here's my Intune portal, showing on-prem servers that have been synced:
We have lots more good news thanks to our folks who know, love and drive innovation in the server and infrastructure space. Read on, friends, read on...
Windows Admin Center (aka WAC – ‘whack’)
- A modern server management solution that enables grouping and administration of servers.
- It’s along the lines of a crazy-good combo of Server Manager + your favorite MMC snap-ins + magic server pixie dust. It has a clean UI with very rich capability that we frequently update/expand (based on your feedback - so check it out and let us know what would make your server management life easier).
- It’s a move away from the tools of old that required ‘LAN’ connectivity - it's built with an enterprise mindset, from a modern foundation of things like PowerShell remoting, etc.
- There is also a Windows Admin Center ‘service’ in Azure that can be accessed via the Azure Portal to do much of the same stuff.
- Here’s one of my physical lab servers, running a local instance of Windows Admin Center:
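Since WAC is built on PowerShell remoting, it's worth seeing what that foundation looks like on its own, especially for the reboot sensitivity mentioned earlier. Here's an added example (my own, not from the post or from the WAC project) that queries a group of servers over WinRM for the usual "reboot pending" signals before you schedule an update run. It assumes WinRM listeners on HTTPS (port 5986) with trusted certificates; the server names are constructed placeholders.

```powershell
# Added example: fan out a pending-reboot check over PowerShell remoting.
function Get-PendingRebootState {
    # Runs on the target server and reports which reboot-pending signals are set.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ComponentServicing = $cbs              # CBS finished a package that needs a restart
        WindowsUpdate      = $wu               # Windows Update installed something needing a restart
        PendingFileRename  = [bool]$pfro       # files queued to be replaced at next boot
        RebootPending      = $cbs -or $wu -or [bool]$pfro
    }
}

# Constructed placeholder names; -UseSSL keeps credentials and results off plaintext HTTP.
$servers = 'srv01.lab.example', 'srv02.lab.example', 'srv03.lab.example'

$results = Invoke-Command -ComputerName $servers -UseSSL `
    -ScriptBlock ${function:Get-PendingRebootState} -ErrorAction Continue

# Servers already waiting on a restart are the ones to raise with the change board first.
$results | Sort-Object ComputerName |
    Format-Table ComputerName, RebootPending, ComponentServicing, WindowsUpdate, PendingFileRename
```

`${function:Name}` hands the function body to `Invoke-Command` as a script block, so the logic lives in one place and runs on each remote host rather than pulling registry data back across the wire.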
Azure Arc
- Azure Arc is an agent-based connection system that brings your non-Azure servers into the Azure platform and extends Azure management to them:
  - On-prem physical servers
  - On-prem VMs – including VMware vSphere
  - VMs hosted with other cloud providers such as Amazon or Google
- Once the Arc agent is installed and configured on the server, it is registered as an Azure resource - and can be managed from your Azure control plane.
- NOTE: The Azure Arc service/agent is 'the bridge' into Azure - the various services there may need/use additional agents, such as the Azure Monitor Agent (which is replacing a few other legacy Azure Agents).
- Here’s a physical server, on-boarded to Arc:
- I configured it for the ‘Updates’ service in Azure, and here it is, installing an ‘Updates Deployment Run’ which contains three updates:
Azure Automanage
- Azure Automanage is a collection of many Azure infrastructure and server management capabilities bundled up as ‘Configuration profiles’ (use our profiles or create your own).
- The Automanage Configuration profiles can be applied to one or more servers and then "Conformance" to the profile is tracked, measured, alerted and remediated if there is drift.
Don’t take my word for it, go watch Jeff and Co talk about this goodness and then watch Dean Wells talk about Automanage (here's another one that is a couple years old but has some of the history and design thinking of Automanage).
Okay - enough reading ...
Go try WAC – it’s an easy install onto a server.
Go try Arc - On-boarding a server to Arc is easy, too.
  - Enable one or more Azure services on it
  - Try out the Updates experience.
  - Check out the registry and file tracking capabilities.
  - Check out Azure Policy
  - Or get a whole collection of Azure services at once via an Automanage Configuration Profile.
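To put the Arc description above and the "go try Arc" steps together, here's an added example (mine, not from the post or from the Azure Arc product) that onboards a server with the Connected Machine agent CLI, `azcmagent`, and then verifies the bridge plus the Azure Monitor Agent that cloud services layer on top of it. It assumes the agent MSI is already installed at its default path; the subscription, tenant, resource group and region values are constructed placeholders.

```powershell
# Added example: onboard a Windows Server to Azure Arc and verify the result.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroup  = 'rg-arc-servers',                        # placeholder
    [string]$Location       = 'westus2'                                # placeholder
)

$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $azcmagent)) {
    throw 'Connected Machine agent not found; install AzureConnectedMachineAgent.msi first.'
}

# 1. Pre-flight: confirm the server can reach the Arc endpoints for this region.
#    Datacenter egress is usually proxied or filtered, so do this before connecting.
& $azcmagent check --location $Location
if ($LASTEXITCODE -ne 0) { throw 'Connectivity check failed; fix proxy/firewall rules first.' }

# 2. Connect. With no credential flags, azcmagent prompts for an interactive sign-in;
#    for unattended rollout you would supply a service principal instead.
& $azcmagent connect --resource-group $ResourceGroup --tenant-id $TenantId `
    --location $Location --subscription-id $SubscriptionId
if ($LASTEXITCODE -ne 0) { throw 'azcmagent connect failed.' }

# 3. Verify: the agent's view of its Azure resource, then the local services.
& $azcmagent show

function Get-ArcAgentServiceState {
    # himds            = Hybrid Instance Metadata Service, the identity/bridge into Azure
    # GCArcService     = guest configuration (Azure Policy / Automanage conformance)
    # ExtensionService = installs extensions such as the Azure Monitor Agent
    # AzureMonitorAgent = AMA service; 'NotInstalled' until you deploy the extension
    foreach ($name in 'himds', 'GCArcService', 'ExtensionService', 'AzureMonitorAgent') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        }
    }
}

Get-ArcAgentServiceState | Format-Table -AutoSize
```

The point of step 3 is the NOTE above: a healthy `himds` only proves the bridge is up. Updates, change tracking and the rest show up once the extension service has pulled down the agents those services need, which is why `AzureMonitorAgent` is listed separately.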
I routinely mess with all of these in my lab/demo environment, and I’ve been handily impressed (and server management was how I paid the bills for 13 years while I was in corporate IT).
Here's a "Server Management" version on my prior "Endpoint Management" visual:
There you have it my friends, some of the good news around modern Windows Server management.
P.S. If you’re a history buff, or just sentimental, this is fun - 30 years of Windows Server - Microsoft Community Hub
A series recap (so far):
- The Twelve Days of Blog-mas: No.1 - A Creative Use for Intune Remediations - Microsoft Community Hub
- The Twelve Days of Blog-mas: No.2 - Windows Web Sign in and Passwordless - Microsoft Community Hub
- The Twelve Days of Blog-mas: No.3 - Windows Local Admin Password Solution (LAPS) - Microsoft Communi...
- The Twelve Days of Blog-mas: No.4 - Sync Cloud Groups from AAD/Entra ID back to Active Directory - M...
- The Twelve Days of Blog-mas: No.5 - The Endpoint Management Jigsaw - Microsoft Community Hub
- The Twelve Days of Blog-mas: No.6 - The Reporting Edition - Microsoft Community Hub
- The Twelve Days of Blog-mas: No.7 - Architecture Visuals - for Your Reference or Your Own Docs - Microsoft Community Hub
Enjoy the weekend
Hilde