In-Depth

Breaking with Tradition: Microsoft's New Windows MDM Approach

While Windows 10 forces IT pros to adapt to a faster pace of change, its MDM enablement introduces new endpoint configuration and management approaches. Microsoft insists all you need is its Enterprise Mobility + Security service, but others beg to differ.

Microsoft may have backed away from its bold prediction that 1 billion devices in use would be running Windows 10 by mid 2018, but the company maintains it’s still the fastest-growing upgrade of the client OS to date. While it appears that enterprises are taking the typical measured approach toward planning their Windows 10 upgrades, migrating to this version will require IT pros to learn new ways to configure, deploy and maintain this OS.

Windows 10 breaks with two traditions in PC client management. The first is the accelerated release cadence, which replaces Microsoft’s historical pattern of a major Windows upgrade roughly every three years; unlike with past versions, IT organizations can no longer take upgrades on their own terms and schedules. The second is that Windows 10 is mobile device management (MDM)-enabled, meaning organizations can opt to configure, deploy and manage PCs and other Windows devices by enrolling them with MDM tools, the same way they already enroll phones and tablets.

Since its release 18 months ago, Windows 10 has been installed on 400 million devices, according to Microsoft’s most recent disclosure back in September, though a majority of those are on consumer systems. IDC estimates that 162 million commercial licenses of Windows 10 were deployed as of December, and expects demand to accelerate this year. Last summer’s release of the Windows 10 Anniversary Update, version 1607, for many the equivalent of Service Pack 1, set the stage for many enterprises to stop waiting and move forward. A motivating factor to embark on, or at least plan, an upgrade to Windows 10 is that Microsoft’s support for Windows 7 is scheduled to end in January 2020. With less than three years to go, many want to avoid the last-minute rush they faced when Windows XP was deprecated back in 2014.


Adapting to Windows as a Service
The most immediate change IT organizations will see is the Windows-as-a-Service continuous release cycle. Much as mobile OS and cloud providers do, Microsoft ships a new Windows 10 feature update two or three times a year. Unlike the infrequent service packs of the past, each release is supported for only a limited window, so IT pros must roll a release out before that window closes or devices still on the old release stop receiving security patches and future upgrades.

IT managers running Enterprise or Education editions have the most breathing room over when those releases land, Pro can defer feature updates for a limited period, and Home takes them as soon as Microsoft publishes them. Either way, Windows as a Service means organizations must sharply accelerate their ability to roll out new releases to their users (see Ed Bott’s Windows Insider column, "4 Strategies to Stay Ahead of Microsoft’s New Timeline," on p. 30).

Microsoft has talked this up for some time, but the reality of Windows as a Service arrives at the end of this month, when Microsoft ends support for the first Windows 10 release (version 1507) in the current branch for business (CBB). Organizations still on 1507 can move to version 1511, released in November 2015, but Microsoft recommends skipping it and deploying last summer’s Windows 10 Anniversary Update, version 1607 (see "Windows 10 Version 1507 To Lose Support in March" at bit.ly/2knyTAq).
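The servicing check an administrator would want before that deadline, as an added PowerShell example (not code from the article or from Microsoft): it reads the installed release and build from the registry, works out which branch the device is on from the Windows Update for Business policy keys, and flags a 1507 machine as falling out of CBB support. The registry paths and value names are the documented Windows 10 ones; the release table is an assumption that reflects the article’s March 2017 view and must be kept current as new releases ship.

```powershell
# Added example (not from the article): audit where a Windows 10 device sits in the
# Windows-as-a-Service cycle and how its feature-update deferral is configured.
# Run from an elevated PowerShell prompt on the device being checked.

# Assumption: build -> release map for the releases the article discusses. 1507 is
# marked unsupported on CBB because its support window closes in March 2017.
$KnownReleases = @{
    '10240' = @{ Version = '1507'; Name = 'Initial release';    CbbSupported = $false }
    '10586' = @{ Version = '1511'; Name = 'November Update';    CbbSupported = $true  }
    '14393' = @{ Version = '1607'; Name = 'Anniversary Update'; CbbSupported = $true  }
}

function Get-Win10ServicingStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $known = $KnownReleases[$build]

    # ReleaseId only exists from 1511 onward; a 1507 machine exposes just CurrentBuild.
    $releaseId = if ($cv.PSObject.Properties['ReleaseId']) { $cv.ReleaseId }
                 elseif ($known) { $known.Version } else { 'unknown' }

    # Windows Update for Business policy, written by Group Policy or by the Update CSP over MDM.
    # 1607 names: BranchReadinessLevel (16 = CB, 32 = CBB), DeferFeatureUpdatesPeriodInDays,
    # DeferQualityUpdatesPeriodInDays. 1511 used DeferUpgrade (1 = CBB) and DeferUpgradePeriod.
    $wu    = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $level = if ($wu) { $wu.BranchReadinessLevel } else { $null }

    # Avoid switch() here: switching on $null runs no branch at all in PowerShell.
    $branch = if ($level -eq 32) { 'Current Branch for Business' }
              elseif ($level -eq 16) { 'Current Branch' }
              elseif ($wu.DeferUpgrade -eq 1) { 'Current Branch for Business (1511-style DeferUpgrade)' }
              else { 'Current Branch (no deferral policy set)' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $releaseId
        Build               = "$build.$($cv.UBR)"
        ReleaseName         = if ($known) { $known.Name } else { 'newer than this script knows about' }
        Branch              = $branch
        FeatureDeferralDays = if ($wu.DeferFeatureUpdatesPeriodInDays) { $wu.DeferFeatureUpdatesPeriodInDays } else { 0 }
        QualityDeferralDays = if ($wu.DeferQualityUpdatesPeriodInDays) { $wu.DeferQualityUpdatesPeriodInDays } else { 0 }
        StillServicedOnCbb  = if ($known) { $known.CbbSupported } else { $true }
    }
}

Get-Win10ServicingStatus | Format-List
```

A device that reports `StillServicedOnCbb : False` with `Branch : Current Branch for Business` is exactly the case the article describes: it has deferred feature updates but its deferred release is about to stop receiving security patches, so the deferral now works against it.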

MDM Enabled in Windows
Windows 10’s MDM capabilities are built on the Open Mobile Alliance Device Management (OMA DM) protocol, an international standard supported by most major hardware, software and communications providers; individual settings are exposed through Configuration Service Providers (CSPs) that an MDM server addresses by OMA-URI. Because Windows 10 speaks this protocol natively, any compliant MDM server can manage it, and it doesn’t require Intune, Microsoft’s cloud-based device configuration and management tool. While that’s the future Microsoft sees for device configuration and management, Microsoft emphasizes that organizations can continue to deploy Windows 10 using traditional System Center Configuration Manager (SCCM) approaches and keep relying on Group Policy and Active Directory.

Longtime IT pros accustomed to SCCM can also now use the MDM capabilities in Windows 10 to manage PCs (whether owned by the organization or the employee) as enrolled devices, without installing and maintaining the full SCCM client on each one. Windows 10 is effectively built to let SCCM configure PCs (and other Windows devices) using modern MDM practices.
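What an MDM enrollment actually looks like on the device, and what an MDM server sends it, as an added PowerShell example (not code from the article, Microsoft or any MDM vendor): the first function lists the enrollments Windows records under its documented enrollment registry store, and the second decodes a SyncML body of the kind an OMA DM server issues, extracting each command, its OMA-URI target and its data. The SyncML payload is constructed here for illustration, not captured from Intune or SCCM; it sets the Policy CSP node that moves a 1607 device to Current Branch for Business and reads back the OS version through the DevDetail CSP.

```powershell
# Added example (not from the article): inspect how a Windows 10 device is MDM-enrolled
# and decode a SyncML command of the kind an MDM server sends over OMA DM.

function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return }
    # Each enrollment is a GUID-named subkey; the other subkeys (Status, Context, ...) are bookkeeping.
    Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            EnrollmentId    = $_.PSChildName
            ProviderID      = $p.ProviderID            # 'MS DM Server' is Intune; third-party MDMs use their own
            UPN             = $p.UPN
            EnrollmentType  = $p.EnrollmentType
            EnrollmentState = $p.EnrollmentState
            DiscoveryUrl    = $p.DiscoveryServiceFullURL
        }
    }
}

# Constructed sample (not a real capture): Replace on the Policy CSP node
# Update/BranchReadinessLevel (16 = CB, 32 = CBB, 1607+), then a Get of the OS version.
$SampleSyncML = @'
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>32</Data>
      </Item>
    </Replace>
    <Get>
      <CmdID>2</CmdID>
      <Item><Target><LocURI>./DevDetail/SwV</LocURI></Target></Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>
'@

function Read-SyncMLCommand {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml

    # PowerShell returns a plain string for a leaf element without attributes, but an
    # XmlElement for one that carries attributes (like Format with its xmlns); normalise both.
    function ConvertTo-Text($n) { if ($n -is [System.Xml.XmlNode]) { $n.InnerText } else { [string]$n } }

    foreach ($cmd in $doc.SyncML.SyncBody.ChildNodes) {
        if ($cmd.LocalName -notin 'Add','Replace','Delete','Exec','Get') { continue }   # skips <Final/>
        foreach ($item in $cmd.Item) {
            [pscustomobject]@{
                CmdID   = ConvertTo-Text $cmd.CmdID
                Command = $cmd.LocalName
                LocURI  = ConvertTo-Text $item.Target.LocURI
                Format  = ConvertTo-Text $item.Meta.Format     # empty when the command carries no Meta
                Data    = ConvertTo-Text $item.Data            # empty for a Get
            }
        }
    }
}

Read-SyncMLCommand $SampleSyncML | Format-Table -AutoSize
Get-MdmEnrollment | Format-List
```

The LocURI column is the OMA-URI the article refers to: the same `./Device/Vendor/MSFT/Policy/Config/...` path appears whether the server behind the enrollment is Intune, SCCM or a third-party MDM, which is what makes the protocol, rather than any one console, the common management surface.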

"MDM really is the future of management," said Steven Rachui, a premier field engineer at Microsoft, who described how to manage Windows 10 using the MDM Protocol and SCCM during the December TechMentor conference in Orlando, produced by Redmond parent company 1105 Media Inc. The SCCM client is becoming more MDM-capable, Rachui explained. Likewise, Microsoft is adding more MDM features with every release update of Windows 10, he added.

Among the MDM features Rachui discussed were software and hardware inventory management, conditional access, and PC device configuration, enrollment, and management. "Even from Windows 10’s initial release 1507, to 1511, to 1607 -- the Anniversary Update -- the capabilities of the client have become more and more broad as we have gone forward," Rachui added. "What we were able to do initially, we can do a lot more of now. Something the [SCCM] client does, it has more capability than MDM does, but for certain scenarios MDM might work perfectly for you today. And there are more capabilities in MDM than might initially meet the eye."

MDM likely won’t replace SCCM in large organizations anytime soon, given the broad mix of Windows versions in production, and the inherent complexities associated with configuring and matching those environments, says Forrester Research Inc. analyst Dave Johnson. "Endpoint management is hard. There are lots of aspects to it," Johnson says. "For example, automated patch management, moving large payloads around, getting software distributed to PCs on large enterprise networks that were never designed for large, bulk data transfers like that are all very difficult."

But as those large enterprise networks become less of a limiting factor, either through cloud migrations or datacenter modernization, and as Windows 10 gains richer MDM support and replaces older and more complex versions of Windows, some believe reliance on SCCM could diminish over time, though others say that remains to be determined.

MDM Platforms
The fact that Windows 10 is MDM-enabled is good news whether or not you use SCCM. Proponents say the ability to enroll Windows 10 using the same MDM approaches applied to other mobile devices will ultimately allow a unified approach to handling all endpoints, including Internet of Things (IoT) hardware. Many large organizations already have experience with various MDM tools, which are likely to play more prominent roles as those organizations manage a growing mix of device types and Software-as-a-Service (SaaS) applications and move toward federated identity management.

Among the largest MDM providers are MobileIron, Good Technology (now a division of BlackBerry) and AirWatch, which VMware Inc. acquired in 2014. AirWatch has evolved into a key component of VMware’s effort to provide unified endpoint management (UEM) to enterprises. MobileIron is considered the largest independent MDM provider, though other suppliers that offer tools include Citrix Systems Inc., IBM Corp., SAP AG, ManageEngine and LANDesk, which recently renamed itself Ivanti following its merger with Heat Software.

Enter Microsoft EMS
Microsoft’s entry into the MDM field three years ago, with the introduction of its Enterprise Mobility Suite (recently renamed Enterprise Mobility + Security [EMS]) and its support for non-Windows devices, was a surprise at the time because it came only a few months into Satya Nadella’s tenure as Microsoft’s CEO. EMS is a bundled, cloud-based service that includes Intune, Azure Active Directory (Azure AD) and Azure Information Protection (which grew out of Azure Rights Management) for classifying and protecting data. A related client-side control against data leakage, Windows Information Protection, arrived in the Windows 10 Anniversary Update and is configured through MDM tools such as Intune or SCCM (see "Prevent Data Leakage in Windows").

Microsoft now claims EMS is the most widely used device management platform. In its late January earnings release for the quarter ended Dec. 31, 2016, Microsoft said 41,000 organizations now use EMS, which bundles Azure AD, Intune and Azure Information Protection.

Azure AD has given EMS a huge lift, helped in no small part by the formidable installed base of on-premises AD users who can synchronize or federate their identities with it. More broadly still, every Office 365 tenant is backed by an Azure AD directory, so every Office 365 user already has an Azure AD identity. Microsoft counts 80 million active Office 365 subscriptions.

MDM Competition Heats Up
Microsoft’s ability to bundle EMS with other services makes it financially much more appealing than third-party MDM platforms and identity and access management offerings from the likes of Centrify Corp., Okta Inc., OneLogin Inc. and Ping Identity, among others. Microsoft argues defiantly that with EMS, there’s no need for third-party MDM and identity providers. "My advice to you, just come and use what comes from Microsoft," Corporate VP Brad Anderson asserted in a recent video announcing a more tightly integrated release of EMS. "It’s more integrated, it’s more simple, you’re going to be better off."

Anderson has become famous for such bluster, having made similar comments during interviews with Redmond editors in the past, most recently during the Microsoft Ignite conference in Atlanta last fall. Sumit Dhawan, the newly promoted GM for VMware’s end-user computing business, is familiar with Anderson’s tough talk about EMS versus alternative MDM platforms. Dhawan argues it’s not an either-or proposition between EMS and VMware’s new Workspace One platform, which brings together AirWatch MDM, VMware Identity Manager and the ability to offer managed desktops and remote apps via various cloud and hyper-converged infrastructure options under its Horizon offering.

"Brad and I have known each other for a while. He’s a good friend and, of course, a formidable competitor," Dhawan says. "What we see in the marketplace regarding EMS and Intune is that almost all components besides Intune are completely complementary to what we provide with Workspace One. For example, if customers are moving to Office 365, they’re moving to Azure AD. We actually embrace that, and we work with Azure AD. We work with the rest of their technology stack very, very well. We have customers who use our solutions together. The Intune product is the only technology that overlaps."

VMware and Microsoft forged an unlikely partnership 18 months ago, in which the two companies would collaborate in enabling AirWatch to better manage new Windows 10 deployments, including working together to address security threats. Despite their rivalry, the pact is among many mutually beneficial partnerships between competitors.

Microsoft still touts Azure AD as its most potent weapon. In order to compete, VMware continues to expand and promote its own VMware Identity Manager, which launched two years ago and is part of the Workspace One UEM offering. Dhawan says customers who choose to manage their devices with its management tools can use VMware Identity Manager without having to migrate from Azure AD.

