Uncategorized

Windows Autopilot vs System Center Configuration Manager

Posted on Updated on

I previously mentioned that I was excited to compare Windows Autopilot with System Center Configuration Manager (SCCM). Well, we finally have more details about Windows Autopilot and I’m finally able to give you a comparison of Autopilot and SCCM for Windows 10 deployments.

System Center Configuration Manager

Before I dive into Windows Autopilot, let us review the typical use cases for SCCM so that we have a basis for comparison. SCCM is an on premise tool that performs many functions in addition to Operating System Deployment (OSD) however; I will just focus on the OSD portion for now. Here are the three most common OSD scenarios:

Scenario 1 – Boot Media

This is a Light Touch deployment requiring physical access to each device. It is well suited to small remote offices or a small staging area without OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. SysAdmin either creates boot media
  3. Boot media is distributed to required locations
  4. Each device is booted with the boot media and the task sequence builds the device
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • Minimal network impact
  • Minimal infrastructure requirements

Cons

  • Requires visiting each device (Light Touch)
  • Boot media management overhead

Scenario 2 – PXE Boot

This is a Light Touch deployment requiring physical access to each device to enter PXE boot – This can be made Zero Touch if the boot order is set to PXE first however, this is not a sustainable configuration. It is well suited to a large staging are or small remote offices with OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Devices are booted and forced into network boot
  4. The device finds a boot image from the SCCM Distribution Point and
  5. Each device is booted with the boot media and the task sequence builds the device
  6. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No media management
  • Easy modification of task sequences, boot images and driver packages

Cons

  • Requires visiting each device (Light Touch)
  • Requires complex infrastructure

Scenario 3 – Deployed Task Sequence

This is a true Zero Touch deployment that can be used a Self-Service option as well as a scheduled mandatory deployment. It can even be coupled with Wake-on-Lan to target devices that are powered off (but still connected to the network. This is well suited to upgrading or refreshing large numbers of devices currently in use as it requires that each device is already managed with SCCM.

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Task sequence is executed on device (Self-serve or scheduled)
  4. Required files are copied to the device and the device reboots and the task sequence deploys the operating system
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No requirement to visit each device (True Zero Touch)
  • No media management
  • Easy modification of task sequences, boot images and driver packages
  • Supports Self Service
  • Supports Scheduling

Cons

  • Requires complex infrastructure
  • Only available to existing SCCM clients

Windows Autopilot

Windows Autopilot is a cloud-based service that does not require any special infrastructure. Here’s a typical OSD scenario using Windows Autopilot:

  1. SysAdmin creates device profile(s)
  2. Sysadmin registers the device(s) with the Windows Autopilot service
  3. SysAdmin assigns a profile to the device(s)
  4. Device is booted end user
  5. Device is connected to network (any Network – home, work, public)
  6. User provides enterprise credentials, Language and Keyboard settings
  7. Device self configures based on assigned profiles
  8. If the organization uses Intune additional polices and applications may be delivered to the device

Pros

  • No requirement to visit each device (Near Zero Touch)
  • No media management
  • Easy modification of profiles
  • Supports Self Service

Cons

  • Cloud service (may be a con for some organizations)
  • Eliminates requirement of staging areas and internal device shipping
  • No support for system upgrade (maintaining user data and state information)
  • No support for complex configurations (multi partition, etc.)

Conclusion

InTune has been evolving rapidly over the last few years and has been able to provide much of the same functionality as SCCM such as hardware and software inventory, application management, software updates etc. The one feature that missing was OSD. Coupled with Windows Autopilot, Microsoft InTune is a credible end-to-end lifecycle management platform for many use cases that requires no on premise infrastructure. While it cannot service all of the use cases that SCCM can, it can save time and money for organizations where it is a good fit.

Advertisements

Microsoft Education Event – Surface Laptop and Windows Autopilot

Posted on Updated on

At the Microsoft Education Event this past week, there were many announcements that we covered in the Universal Windows Podcast Episode 66. While most of the show was dedicated to the Education sector and Windows 10s, there were two announcements that I was particularly excited intrigued about. Specifically the new Surface laptop and Windows Autopilot.

When I try the Surface Laptop later this month I will check out the lapability but from the specs, there are definitely a couple of missing features that would fit my use cases. I’d really like to see a full USB-C port and built in LTE. From a USB-C perspective, I have run into issues with USB resources with my Surface Pro 3 and I think USB-C is the future. As the Surface Laptop is a premium device, for me to justify the price tag, I’d like to feel like the device has a long useful life ahead whether I keep it myself, hand it down to a family member or sell it. USB-C gives it a longer useful life in my opinion.

As far as LTE, I firmly believe the future is BYON (Bring Your Own Network). We won’t need to be hunting for free WiFi at Starbucks or airports and other locations with unknown risks and tethering while useful can be inconvenient and drain your mobile’s battery. There rumours that an LTE version might be out in the fall.

The most exciting reveal for me was Windows Autopilot. It appears to be a simple to use, Windows 10 mass deployment tool built for the classroom scenario. As I do a lot of work with SCCM, the de facto Enterprise class Operating System deployment tool, I am curious to see how this stacks up. I will do a side-by-side comparison once more details of Autopilot are available. Stay tuned.

When the Stars Align

Posted on Updated on

https://giphy.com/embed/PvMKNlIlQtXEI

This week Microsoft announced that Windows 10, Office 365 and System Center Configuration Manager would align their release schedules. They are looking at a spring and fall release most likely in March and September. This is great news for businesses that have being struggling to adapt to the new Windows-as-a-Service model align with Office-as-a-Service. There are definitely inter-dependencies between Windows and Office as well as SCCM the tool commonly used to deploy, update and manage both Windows and Office.

From an IT Management perspective, organizations have been trying to accelerate the engineering efforts previously put into Windows and Office deployments and operationalize the process but the various product release schedules with low predictability have made it difficult. This should help by providing regular milestones and predictability. Good Job Microsoft.

Here is a link to the release from Microsoft

Intune: Conditional Access for Exchange Online

Posted on Updated on

One the promises of Mobile Device Management (MDM) and Mobile Application Management (MAM) is the ability to separate the user’s personal data from corporate data. This capability enhances BYOD scenarios as a selective wipe can be performed on a device removing only the corporate data and leaving the personal data intact when a user leaves the organization or a device is retired from corporate use.

In Intune this functionality works in conjunction with MAM. Managed mobile apps are “wrapped” so that any data that they use is stored in a secure container that can be remotely wiped by the management platform.

This month a new conditional access capability has been introduced into Windows Intune that helps achieve this segregation. Conditional access policies can now be enforced preventing email client applications from connecting to Office 365’s exchange Online service unless the application is MAM managed application. This will prevent users from accessing corporate email with an unmanaged email app.

Windows Store for Business – Managing Paid Apps with Intune

Posted on

This post will walk you through simple management of Windows Store for Business (WSfB) apps that require a paid license.

You will need the following prerequisites:

  1. Configure synchronization between WSfB and Microsoft Intune
  2. Configure a payment method for license fees

Once you have met the prerequisites you can follow along below.

Instructions

  1. Login to the Windows store for Business with your management account.
  2. Navigate to Shop

  3. Use the category browser or the search tool to find the application that you wish to purchase. For this walk through I have chosen EZDictionary

  4. Click the app that you wish to purchase
  5. On the App page select Buy Now

  6. From the Buy dialogue select the quantity of licenses you wish to purchase and then click Next

  7. Verify your purchase information including payment method, price, quantity and total and then click Next

  8. You will receive a transaction completion notice. Click Close.

  9. Navigate to Manage>Inventory and verify that the app is available. Be sure to check the number of available licenses.

  10. Login to the Microsoft Intune Management Portal and navigate to Administration>Mobile Device Management>Windows>Store for Business and select Sync Now

  11. Once the Sync completes, navigate to Apps>Volume Purchased Apps and verify that the app is available to be managed. Notice that you get information about the number of licenses available and deployed.

Add Users to Windows Store for Business

Posted on

You can add additional users to the Windows Store for Business (WSfB). In addition to the first account you add which is automatically the Global Admin, there are three additional built in roles:

  1. Admin: Manage account settings, acquire aps, distribute apps, sign policies and catalogs
  2. Purchaser: acquire and distribute apps
  3. Device Guard signer: sign policies and catalogs

To add an account, follow these instructions:

  1. Login to the Windows store for Business with your management account.
  2. Navigate to Settings>Permissions

  3. On the Permissions screen click Add People

  4. On the Assign roles to people screen, add the email address of the person you wish to add, assign them a role, and then click Save

Adding a Payment Method to your Windows Store for Business Account

Posted on Updated on

Whether you are using the Windows Store for Business alone or integrated with Microsoft Intune or System Center Configuration Manager, in order to perform bulk purchases of apps that require a paid license in the Windows Store for Business (WSfB), you will need to add a payment method to your account. This will involve adding a credit card to the account. This process is fairly straight forward, and most SysAdmins should have no problem with this process. So why then, did I create this blog post?

In many larger organizations, the SysAdmin is not responsible for procurement and does not have access to the corporate credit card that will be used to make purchases. So you can pass this on to your procurement office and let them enter the credit card information for you. You can add an additional account to the WSfB for the procurement officer if required.

Instructions

  1. Login to the Windows store for Business with your management account.
  2. Navigate to Manage>Account information

  3. Select Show my payment options

  4. Select Add new payment method

  5. Add the appropriate credit card information and then click Next

  6. Verify your information and then click Save

  7. Once you see the payment method listed including the credit card’s last four digits and the expiry date, click Close

    Now you can make paid license purchases from the WSfB.