This is a graphic that Microsoft used at Ignite to help illustrate the different journeys that organizations might take to get to modern management. Here’s a quick post on the last item in the table – the co-management path. Now that the key prerequisites for co-management (SCCM 1710 and Windows 10 1709) have been out for a while, organizations that are considering co-management are looking at the management scenarios that are available to them. There is some new infrastructure that needs to be configured, and there are a lot of good posts on those prerequisites, like this one from the Microsoft Document Library, so rather than focus on the technical details, I’d like to explore some of the management decisions that you might need to address:
- Co-management does not require a hybrid infrastructure of SCCM connected to Intune. It actually requires each platform to run in standalone mode. That means that if you have a hybrid environment, you will need to migrate to a standalone Intune model.
- Not all workloads are available in both platforms so you will need to choose what makes sense to move from SCCM to Intune. For instance, Win32 application management is easier in SCCM and most organizations already have an established release management process around it. Compliance policies on the other hand are often better suited to be managed with Intune as it provides a richer experience and more advanced controls for things like Device compliance policies, Resource access policies, and Windows Update policies.
- In other cases, the workload may not be available to be migrated to Intune or may not be an easy transition. Examples include Endpoint protection and Operating System Deployments. If you have a requirement for upgrading Windows 7 devices to Windows 10, SCCM is still the best option.
- Are you going to start with Intune managed devices and then add the SCCM client or are you going to start with SCCM Managed devices and enroll them into Intune?
- How do you want to address non-Windows 10 devices?
As exciting as new technology is, there is always value in understanding your use case scenarios and requirements before embarking on any new initiative. As a friend of mine constantly reminds me, “Businesses don’t care about the use of innovative technology but the innovative use of technology”.
Microsoft announced on February 1st that they will be adding another six months to the support of Windows 10 versions 1607, 1703, and 1709.
| Release | Release Date | End of Support | End of Additional Servicing for Enterprise & Education |
|---|---|---|---|
| Windows 10 1511 | November 10, 2015 | October 10, 2017 | April 10, 2018 |
| Windows 10 1607 | August 2, 2016 | April 10, 2018 | October 9, 2018 |
| Windows 10 1703 | April 5, 2017 | October 9, 2018 | April 9, 2019 |
| Windows 10 1709 | October 17, 2017 | April 9, 2019 | October 9, 2019 |
Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct response to enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.
Windows as a Service is not only new for customers. It’s new for Microsoft as well. As they figure out how fast customers can ingest all of the innovations coming out of Redmond, we’ll see the release cycles stabilize and balance update frequency with upgrade readiness.
For organizations that are having trouble transitioning engineering efforts traditionally associated with operating system updates to a more operational model, tools like Intune and SCCM can help accelerate the transition. I’ll be writing a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.
As organizations move to modern management to be more agile in the way they manage multiple types of devices and cloud-based services, the legacy management models associated with traditional PC management can lead to multiple consoles for managing different types of devices and services. At Microsoft Ignite this year, a hybrid approach called “Co-management” was announced to bring organizations closer to modern management while still maintaining traditional management methods. In the past it has been difficult to use more than one management platform for the same device. Windows 10 1709 opens the door to this co-management by allowing devices to be managed simultaneously with SCCM 1710 and with Intune. What are the benefits of co-management? Here are a few that come to mind.
- Manage devices where they live. Use SCCM to manage devices that are primarily on premise and use Intune to manage the same device when it is roaming.
- Transition workloads to Intune as you are ready
- Add modern management functionality to traditionally managed devices. Consider device compliance policies, resource access policies, Conditional access, selective wipe, factory reset etc.
- Single pane of glass for consolidated views of all devices such as mobile phones, tablets, Macs, PCs.
- Transition Windows 10 devices to Intune while managing legacy (Windows 7) devices with SCCM until they are upgraded or lifecycled.
- Self-provisioning of devices by end users
- Simplified BYOD scenarios
- Enhanced mobile workforce management
So, is this the best of both worlds? Not really. Microsoft views this as a transitional step on the journey to modern management. Nonetheless I’m excited about the new opportunities for organizations to deliver a better user experience.
As organizations upgrade to Windows 10 there are many opportunities for security and performance improvements. Many of these enhancements rely on functionality that is only available with UEFI firmware, as it is required for Secure Boot, which is often a prerequisite for enhanced security features such as Device Guard and Credential Guard. Since Windows 7 did/does not support UEFI, most organizations will need to convert device firmware to UEFI as part of the Windows 10 upgrade. As upgrading to Windows 10 can be a long process, organizations have looked to tools like SCCM and MDT to automate and accelerate the process, often performing zero-touch installations off-hours or through self-service. Converting BIOS to UEFI as part of the process has been problematic, as each device may have different methods for converting and it typically requires visiting the device since the change happens before the operating system loads.
Microsoft has just made this problem a little easier to manage. SCCM 1702 introduces the ability to include UEFI conversion as part of a Task Sequence if the device supports it. I’m looking forward to accelerating many Windows 10 migrations with this functionality.
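Before adding the conversion step to a task sequence, it helps to know which devices still boot in legacy BIOS mode and which already have Secure Boot turned on. The following PowerShell is an added example, not part of the original post or of any Microsoft tooling; it assumes a Windows 10 device with PowerShell 5.1 running elevated, and the function name `Get-UefiReadiness` and the status labels are hypothetical.

```powershell
# Added example: classify one device's readiness for the Secure Boot
# dependent features discussed above. Names and labels are hypothetical.
function Get-UefiReadiness {
    [CmdletBinding()]
    param()

    # Firmware mode the OS booted in, reported as 'Uefi' or 'Bios'
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition style of the disk Windows boots from: 'MBR' or 'GPT'
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $partitionStyle = [string]$bootDisk.PartitionStyle

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS systems or when not elevated, so the error is recorded
    # rather than allowed to stop the inventory.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $secureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = "Unavailable: $($_.Exception.Message)"
    }

    # Combine the three facts into a single status for reporting
    $status =
        if ($firmware -eq 'Uefi' -and $secureBoot -eq 'Enabled') { 'Ready' }
        elseif ($firmware -eq 'Uefi')                            { 'EnableSecureBoot' }
        elseif ($firmware -eq 'Bios' -and $partitionStyle -eq 'MBR') { 'NeedsConversion' }
        else                                                     { 'Review' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FirmwareType   = $firmware
        PartitionStyle = $partitionStyle
        SecureBoot     = $secureBoot
        Status         = $status
    }
}

Get-UefiReadiness | Format-List
```

Devices reported as `NeedsConversion` are the candidates for the task sequence conversion step; `EnableSecureBoot` devices already run UEFI and only need the firmware setting changed.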