Wednesday, 11 October 2017
Tuesday, 10 October 2017
To kick off the series I've posted an interview with a co-worker and Microsoft MVP Marcos Nogueira. We chat about Azure and System Center along with the challenges customers face. To tune in just view the video below.
Wednesday, 27 September 2017
On Monday, Microsoft finally announced the rollout of the capability to manage a Windows 10 device with Intune MDM and the Configuration Manager agent. This long-sought-after capability has been requested by many of my Enterprise customers after they’ve embarked on the journey to modern management with Windows 10. If you want to unlock this superpower, read on.
Before diving into co-management, let’s take a moment to differentiate between modern management and traditional management. At the outset, I would characterize the fundamental difference between the two management methodologies by how they deploy and manage a machine.
On one end of the spectrum, traditional management designs and deploys a Windows machine with a high level of customization defined by the corporate IT department. On the other end of the spectrum, modern management prioritizes simplicity with a simple and minimal image that has little to no customizations.
I see the value of the modern approach; however, it is worth noting that it brings its own nuances, which can become problematic if not handled well.
Let me elaborate briefly on what I mean by that. In a modern, Enterprise-scale IT environment, when I provision a user for a client, I must coordinate with either a deployment technician internally or a hardware vendor to image the machine with my highly customized version of Windows.
After successfully coordinating the device image, I need to ensure that the device is joined to Active Directory and that it has the Configuration Manager agent installed. As you know, both steps can be time-consuming and error-prone because the image evolves considerably over time.
While you start with a clean albeit customized base image, throughout deployment you will undoubtedly implement many additional customizations using Configuration Manager to apply more software and settings to the device.
And it doesn’t stop there. After you’ve finished with Configuration Manager to deploy the machine, Group Policy is applied to the machine through Active Directory, where user- and machine-specific security and configuration needs are further layered on top of the base image. In Enterprise environments, Group Policy customizations can affect hundreds of settings on the machine depending on which role the computer and user are assigned to perform their work functions.
The whole process requires considerable planning, building, and testing before being promoted into production as a finished solution, and it needs to be revised at least twice a year to keep in synchronization with the Windows 10 release schedule. Once you have a validated image, it can take the system anywhere from 45 minutes up to two hours to provision the device to an end user.
My goal is always the same: to make the process as hands-free as possible. However, more often than not, this goal falls short for many of my customers because their existing environment is chock-full of customizations that the deployment technician must manually specify at deployment time. For example, machines might be named incorrectly, machines can be put into the wrong Active Directory OU, and the user might be assigned to the wrong machine. These kinds of mistakes (and I’m only touching the surface here) require manual remediation and in some cases, re-imaging the machine.
Modern management bases the image on the factory load of Windows 10, which means the first time an end user logs into a machine they provide their credentials and that machine is tailored to their particular work needs using Windows Setup combined with Provisioning Packages for customization and the use of Intune for performing the final customizations.
One of the most critical reasons to adopt the modern approach is to drive down the total cost of ownership.
Sounds great, right? Well, there’s a catch: you have to put aside everything you know about traditional management and leave your expectations at the door. Modern and traditional management methodologies are like night and day, so treating them the same will set you up for failure.
The challenge that organizations face during the transition from traditional to modern methodologies comes from not evolving and managing their expectations. That is to say customers expect that their workflows, procedures, and protocols will continue to operate (without any further modifications) within a modern management framework. In my experience, this has never happened.
Rolling out a modern management framework requires simplicity. In order to transition a user with many dependencies to a modern management framework, you will need to commit significant planning and resources to make modern management a reality.
In my opinion, only those organizations that can identify simple use cases and can invest in implementing a modern management framework should embark on the journey.
To summarize the key difference, modern management strives to drive down the cost of ownership by packaging as few applications and customizations into the image as possible. The downside is that on the management side of things, provisioning users takes on a few new approaches, and staff must learn new ways of managing applications, machines and images.
With that said, I can now turn to Intune’s new capability. Initially, MDM was an extremely small subset of Group Policy, which was frustrating for system administrators and the IT security department due to the lack of configuration capabilities available. There are ADMX-backed Group Policies that can be delivered via MDM, but we are looking at only 367 settings as opposed to 2,500-3,000 Group Policies.
More specifically, legacy software packages are not part of the Windows Store modern management vision. We could deliver Win32 applications via MDM in Intune, but all the files had to be within a single MSI file, a rare configuration for most complicated applications. It was time-consuming and cumbersome for many customers because there wasn’t much of a technology bridge between these two worlds, and “creative” (i.e., fragile and risky) solutions began to creep into the picture.
With co-management, your device lives in between traditional and modern management practices, which helps you focus on just those technologies that apply to the device until it can fully cross over into a modern management state.
To get started, I recommend rolling out the following through Intune when it makes sense in your environment:
- Conditional access
- Software updates
- Compliance policies
These three are easily managed through the cloud and should be the first workloads that you configure for exclusive management through Intune. With Microsoft’s announcement, the migration path for each machine now has three states:
- Traditional management state
- Co-management state
- Modern management state
Unfortunately, in practice, I’ve found it difficult to find user populations where pure Intune management of Windows 10 meets the requirements of the Enterprise customer.
The trinity of Intune, Azure AD, and Windows 10 S represent a computing fabric that most closely resembles a pure form of modern management. The paradox that we face is that deploying such a configuration across an entire user base would be a suicide mission for most organizations.
If you haven’t been keeping track of Windows 10 S, there is no support for Win32 applications (marketed as a security strategy), but there is a modern application management use case which uses Universal Windows Platform or Desktop Bridges applications delivered through the Microsoft Store.
Enterprise customers are notoriously difficult to migrate because of the enormous amount of technical debt in the organization, which for the most part, resides with their applications. The consequence of this technical debt is that it will take these customers years to modernize their application base and be able to deliver their entire application portfolio through the Microsoft Store.
Until such time, organizations won’t be able to retire traditional imaging, management, and Active Directory methodologies. Depending on who I’ve talked to, a number of different migration timelines have been mentioned; regardless, I believe that the journey is going to be a long one.
Co-management is a hugely welcome capability right now because the timeline for Microsoft to move Windows 7 and Windows 8 to end-of-life is fast approaching, and huge numbers of organizations are scrambling to prepare for that inevitability. The unfortunate reality for most of them is that in transitioning from traditional to modern management they will encounter a chasm between how they used to do things and how they will need to do things. Co-management offers the first bridging technology to help scaffold over that chasm.
Customers who need capabilities that are exclusive to Configuration Manager can carry them forward until they either no longer need the capability or wait until Intune makes sense to take over the capability by managing it via the cloud.
I hope this bridge between traditional and modern management will make the migration process easier for many of my customers. The point to keep in mind is that the migration path is not an all-or-nothing scenario; it is necessarily incremental and long in the tail.
Use empirical data (not marketing hype) to identify candidate user populations where modern management makes sense. In my experience, I’ve found the mobile information worker to be a stable and predictable candidate user group to start with. Once I have successfully migrated one user group, I proceed further down the modern management path as additional user populations are identified and vetted (i.e. not selected arbitrarily).
In the end, it is important to realize that migration isn’t just a management capability puzzle; it is also an application modernization strategy. Remember that you can also use desktop virtualization to deliver legacy applications to modern users as a bridging technology.
Above all, keep your eyes and ears open because modern management is a rapidly changing landscape: what didn’t work six months ago may miraculously work today. If you have blocking issues, talk directly with your Microsoft reps and communicate feature requirements through the various User Voice sites out there for the different Microsoft products.
There are a few juicy announcements that are coming down the pipe from Microsoft, so stay tuned to this blog for breaking news.
Friday, 28 July 2017
environment, you might not realize until deployment time that some of your systems will fail to display video or Windows will simply not use the card at all. The root cause is that older video cards are not Secure Boot compatible. To fix the issue, you have three paths that are all valid, but each of which I believe has to be evaluated carefully.
The first option is to remove the video card that wasn't supplied by the hardware vendor of the motherboard and use the onboard video. In some cases, this might be satisfactory, but depending on your needs you may need to look at another option such as disabling Secure Boot in the BIOS. Disabling Secure Boot is cheap, but it will not protect your system against malware that infects the boot environment of your machine, so you have to question the value of such an approach in an enterprise environment.
A more expensive approach would be to modernize your hardware. This could be as simple as giving the user a new PC, because at this point most current enterprise hardware shipping with Windows 10 has Secure Boot capability. The other choice is to replace the display card, but before buying that display card, you should evaluate the cost of a new card on hardware with a limited remaining lifespan versus purchasing a new system.
If you need to upgrade many machines, it might deliver more long-term value to get these systems out of your fleet rather than taking a reduced security posture or buying new hardware for a device that may only be in the fleet for another year. To make an informed decision, use tools such as System Center Configuration Manager to determine the affected systems through the hardware inventory data it can capture. To me, Secure Boot is a no-brainer that enterprises should enable by default with Windows 10.
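As an added example (my own script, not from the original post or from Microsoft), here is a per-machine PowerShell report that gathers the same facts the inventory decision above depends on: whether the firmware is UEFI, whether Secure Boot is actually on, and whether any video adapter is running without its own driver. It assumes Windows 10 with the built-in SecureBoot module and an elevated session; the "needs review" rule is my own heuristic, not a vendor definition.

```powershell
# Added example, not part of the original post. Run elevated on Windows 10.
# The flagging rules below are heuristics of my own, not a ConfigMgr or Microsoft definition.

function Get-SecureBootVideoReport {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS.
    $firmware = 'UEFI'
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $firmware   = 'LegacyBIOS'
        $secureBoot = $false
    }

    # Every adapter the OS knows about. A non-zero PnP error code, or the fallback
    # "Microsoft Basic Display Adapter" name, means Windows is not using the card's own driver,
    # which is the symptom described above when an older card meets Secure Boot.
    $adapters = Get-CimInstance -ClassName Win32_VideoController | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Status     = $_.Status
            ErrorCode  = $_.ConfigManagerErrorCode
            DriverDate = $_.DriverDate
            IsBasic    = ($_.Name -like 'Microsoft Basic Display Adapter')
        }
    }

    $suspect = @($adapters | Where-Object { $_.ErrorCode -ne 0 -or $_.IsBasic })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Firmware        = $firmware
        SecureBoot      = $secureBoot
        # Secure Boot on, but an adapter is not being driven properly: candidate for the card/PC decision.
        NeedsReview     = ($secureBoot -and ($suspect.Count -gt 0))
        # UEFI machine with Secure Boot turned off: the reduced security posture the post warns about.
        SecureBootOff   = ($firmware -eq 'UEFI' -and -not $secureBoot)
        SuspectAdapters = (($suspect | Select-Object -ExpandProperty Name) -join '; ')
        AdapterCount    = @($adapters).Count
    }
}

# Example use: one row per machine, easy to collect into a CSV across a fleet.
Get-SecureBootVideoReport |
    Select-Object ComputerName, Firmware, SecureBoot, SecureBootOff, NeedsReview, SuspectAdapters
```

Run it through a ConfigMgr package, a scheduled task, or Invoke-Command against a collection of machines and merge the CSV rows to rank which systems are worth a new card, a new PC, or retirement.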
Friday, 12 May 2017
Monday, 1 May 2017
Hello and welcome to the next edition of the VirtualizationAdmin.com newsletter. I’ve picked a couple of topics in the news this month by looking at some new developments at FSLogix, where they have a solution focused on Office 365 users. VMware has an upgrade out for customers that adds some enhancements to their server virtualization platform. After the articles of the month, I will look at hypervisor security since I think there is some work to be done in this area.
Read more at: http://www.virtualizationadmin.com/newsletters/monthly-newsletter/virtualizationadmin-com-monthly-newsletter-april-2017-16510.html
Monday, 24 April 2017
The focus was about deploying Windows and Linux virtual machines in Azure using different management methods. We started off with the Azure Portal, then moved into the Azure CLI and eventually PowerShell to show the different ways that Azure can be managed.
We plan to hold more hands-on Azure events as they are very popular with the group. We'd like to thank our sponsors that helped make this event a success and contribute to ensuring that we can do future events!
Thursday, 6 April 2017
For enterprise customers and developers, the ISO media for Windows 10 1703 can be found on your volume licensing site or MSDN. If you are building Windows images for deployment, be sure to update your ADK environment to 1703 as well; it is hosted over in the hardware developer center. There has been some news about potential issues with the new ADK, so review the following blog articles by MVP Mikael Nystrom:
OS Deployment – Installing ADK 1703 on Windows Server 2016 could fail
OSD – App-V tools are missing in ADK 1703 when being installed on Windows Server 2016 (sometimes)
Need to know what is new with 1607 for IT Pros?
No problem, Microsoft has published documentation over here.
First, let's start off with what this version of Windows is meant for. The Windows 10 IoT Core edition is the smallest footprint of Windows 10 available for devices. If you look at the infographic below, you can see that Windows 10 IoT comes in many flavors with different levels of functionality. Essentially the Windows 10 IoT Core version of Windows 10 is intended for single purpose use cases. There is no Windows shell and no command prompt, but you do get the ability to run Universal Windows Platform applications. Win32 applications are still supported, but they will not output to the console.
When I first started looking at IoT, I saw management and security taking a back seat, but as I've witnessed in the news, this lack of care and feeding has created security and operational issues. IoT was overlooked as being too basic and non-business-critical to be on the radar for many organizations, but now that these devices are being infected with malware and spyware and participating in botnets, all of a sudden the need for management has become a clear requirement for not just businesses but consumers as well.
It will be interesting to see where the smallest of the Windows 10 IoT editions finds itself in the marketplace, but I am hesitant to write it off as a hobbyist product because of the integrated management, the ability to continue using Visual Studio, and the ability to integrate your solution with Azure's IoT Suite. If you are looking for the latest releases of IoT Core, I've put a set of links below so you can start downloading them right away!
Raspberry Pi 2 & 3
Wednesday, 29 March 2017
|Alan Rafuse, Crystal and Dave|
The event was originally put together to fill the void that was left when TechDays Canada was no longer being put on by Microsoft Canada. Dave felt that these sorts of events were very important to the community and started with a round of events in Western Canada. Soon MVPDays expanded to Central Canada and the USA, featuring more MVPs from across Canada and the USA. I've been personally amazed at the dedication and enthusiasm of everyone involved, especially Dave and Crystal, as this can sometimes feel like a thankless job.
|Speaker preparation the night before in Vancouver|
You can check out the website www.mvpdays.com to see some of the past speakers plus the past and future dates. The speakers are important, but more importantly, I am going to list off what is hopefully a complete list of past and present sponsors, because without them events such as this wouldn’t happen. Events like this need volunteers, sponsors and, most importantly, organizers that do it for the IT community.
HPE by Avnet
Canada, I had the opportunity to speak about VDI. The MVPDays team was really on the ball this time around to record some of the presentations, so I had the opportunity to have my video posted to Microsoft's Channel 9. It was a great time to reconnect with fellow MVPs and customers in Calgary, Edmonton, and Vancouver. Hope to do it again next year.
The session looks at how new hardware, software and the cloud are changing the world of VDI. Many smaller organizations have found traditional VDI to be too complex and expensive to adopt, while enterprises have struggled to manage it. In this session, I give an overview of some of the modern challenges facing VDI and the options you have to overcome them.
I review some of the latest trends in hardware to create easy-to-deploy VDI environments on-premises and look at how the cloud is simplifying the design and operation of VDI. I also explore other technologies at the software level that manage the VDI environment from the hypervisor all the way up to the user data. It has been a long journey for VDI, but I believe we finally see cost-effective solutions that make a stronger case for organizations to phase out traditional desktop computing devices.