This is a graphic that Microsoft used at Ignite to help illustrate the different journeys that organizations might take to get to modern management. Here’s a quick post on the last item in the table – the co-management path. Now that the key prerequisites for co-management have become available (SCCM 1710 and Windows 10 1709) have been out for a while, organizations that are considering co-management are looking at the management scenarios that are available to them. There is some new infrastructure that needs to be configured and there are a lot of good posts on those prerequisites like this one from the Microsoft Document Library so rather than focus on the technical details, I’d like to explore some of the management decisions that you might need to address:
- Co-management does not require a hybrid infrastructure of SCCM connected to Intune. It actually requires each platform to run in standalone mode. That means that if you have a hybrid environment, you will need to migrate to a standalone Intune model.
- Not all workloads are available in both platforms so you will need to choose what makes sense to move from SCCM to Intune. For instance, Win32 application management is easier in SCCM and most organizations already have an established release management process around it. Compliance policies on the other hand are often better suited to be managed with Intune as it provides a richer experience and more advanced controls for things like Device compliance policies, Resource access policies, and Windows Update policies.
- In other cases, the workload may not be available to be migrated to Intune or may not be an easy transition. Examples include Endpoint protection and Operating System Deployments. If you have a requirement for upgrading Windows 7 devices to Windows 10, SCCM is still the best option.
- Are you going to start with Intune managed devices and then add the SCCM client or are you going to start with SCCM Managed devices and enroll them into Intune?
- Ho do you want to address non-Windows 10 devices?
As exciting as new technology is, there is always value in understanding your use case scenarios and requirements before embarking on any new initiative. As a friend of mine constantly reminds me, “Businesses don’t care about the use of innovative technology but the innovative use of technology”.
Microsoft announced on February 1st that they will be adding another six months to the supprot of Windows 10 version 1607, 1703, and 1709.
|Release||Release Date||End of Support||End of Additional Servicing for Enterprise & Education|
|Windows 10 1511||November 10, 2015||October 10, 2017||April 10, 2018|
|Windows 10 1607||August 2, 2016||April 10, 2018||October 9, 2018|
|Windows 10 1703||April 5, 2017||October 9, 2018||April 9, 2019|
|Windows 10 1709||October 17, 2017||April 9, 2019||October 9, 2019|
Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct repsonse from enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.
Windows as a Service isnto only new for customers. It’s new for Microsoft as well. As they figure out how fast customers can ingest all of the innovatiosn comign out of Redmond, we’ll see the release cycles stabailze and balance update frequency with upgrade readiness.
For organizations that are having trouble transitioning engineerg efforts traditional associated with operating system updates to a more operational model, tools like Intune and SCCM can help accelerate the transion. I’ll be writng a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.
Is SCCM right for you or is InTune a better fit? Why choose? Use Both!
Beginning with the Fall Creators Update for Windows 10 (aka 1709) Windows 10 devices will be able to join both on premise AD domains as well as the Azure AD service. This opens the door to have devices managed by both SCCM and Intune. While administrators can use co-management to split up specific servicing workflows such as using SCCM for application deployment and Intune for update management so that devices get updates wherever they are, the co-management bridge is intended to simplify the migration to cloud based modern management services and not a long term solution. It would be really nice to be able to mix and match servicing scenarios so that as a device moves between on premise and off premise they are serviced by the most appropriate tool however at first glance this functionality is not readily apparent.
Now that Autopilot is available for Operating System Deployments, Intune + Autopilot provides a credible solution for full device lifecycle management for many use case scenarios. I expect to see more organizations using the co-management bridge to begin their migration to modern management.
As organizations move to modern management to be more agile in the way they manage multiple types of devices and cloud based services, the legacy management models associated with traditional PC management can lead to multiple consoles for managing different types of devices and services. At Microsoft Ignite this year, a hybrid approach called “Co-management” was announced. to bring organizations closer to modern management while still maintaining traditional management methods. In the past it has been difficult to use more than one management platform for the same device. Windows 10 1709 opens the doo this co-management by allowing devices to be managed simultaneously with SCCM 1710 and with Intune. What are the benefits of co-management? Here’s a few that come to mind.
- Manage devices where they live. Use SCCM to manage devices that are primarily on premise and use Intune to manage the same device when it is roaming.
- Transition workloads to Intune as you are ready
- Add modern management functionality to traditionally managed devices. Consider device compliance policies, resource access policies, Conditional access, selective wipe, factory reset etc.
- Single pane of glass for consolidated views of all devices such as mobile phones, tablets, Macs, PCs.
- Transition Windows 10 devices to Intune while managing legacy (Windows 7) devices with SCCM until they are upgraded or lifecycled.
- Self-provisioning of devices by end users
- Simplified BYOD scenarios
- Enhanced mobile workforce management
So, is this the best of both worlds? Nto really. Microsoft views this as a transitional step on the journey to modern management. Nonetheless I’m excited about the new opportunities for organizations to deliver a better user experience.
I get a lot of questions about Microsoft’s mobile device management (MDM) strategy. It can be confusing because to achieve the full spectrum of management functionality, multiple Microsoft products are required:
- Exchange ActiveSync (EAS)
- System Center 2012 Configuration Manager
- Windows Intune
Can you do some MDM with only EAS? Of course. Can you do MDM with only Intune? Absolutely. So how do you explain this multi-product approach to MDM? Although not strictly true, the way I like to look at it is as a series of layers, with each layer adding additional functionality, and Configuration Manager bringing it all together.
|Exchange ActiveSync (EAS)||Configuration Manager||Intune|
Microsoft calls this approach Unified Device Management (UDM) since it goes beyond simply managing mobile devices. Using the MS approach all devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Some might consider this too confusing and prefer a point solution with less moving parts, however, consider the following:
- Many organizations already have Configuration Manager in place
- Many organizations already have Exchange or hosted Exchange in place
- Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs
Start with Exchange and Configuration Manager and add InTune when and where it makes sense.