Globally, the last few years have been extremely challenging, both personally and professionally. As a result of the global pandemic, businesses have been forced to work in conditions they could never have imagined. No forecast or preparation could have accounted for the rate at which events unfolded. This made it extremely difficult for IT departments to manage regular device deployment tasks such as imaging laptops and desktops, handing over devices, patching, software deployment, and data security.
Organizations must move away from the traditional models of device deployment and approach it in modern ways with the toolsets available now. Is your IT department still approaching this topic in the same way it did 10 to 15 years ago? This blog provides an overview of the transition to the new model and discusses the issues with traditional methods of device deployment.
Traditional methods of Windows Image deployment
The traditional methods that enterprise IT departments have followed for so long fall into one of three categories: bare metal, reimage, or refresh. Maintaining huge monolithic operating system images takes a toll on IT and consumes a lot of resources, leading to user frustration. It also requires the laptop or desktop to be physically connected to the LAN segment in the office to be loaded with the OS bits, which take hours to install. There is a lot of redundancy in this process as well, since hardware vendors ship PCs with a preloaded Windows OS, which enterprise IT wipes and then replaces with its SOE (standard operating environment).
Maintaining these static images is a problem in itself because there are so many device models and applications out there. Consistently keeping the golden images up-to-date with the latest device drivers, BIOS firmware, antivirus, applications, patches, etc., becomes a challenge. How many SOE images should we maintain, and how often should they be refreshed: quarterly, every 6 months? Deploying devices that are not up-to-date raises huge security concerns and poses serious risks to an organization’s security posture. There is no clear answer, and no matter how hard enterprise IT tries, users end up complaining about things breaking here and there, leading to more dissatisfaction.
We have a few uncomfortable questions here. Are the things that were relevant 10-15 years ago even needed today? Do they align with the organization’s objectives of efficient, secure, and human-centric IT delivery? Is it possible to move away from these traditional, time-consuming, and costly ways of managing a device's lifecycle? Workplace technology has advanced by leaps and bounds in the last few years. The whole ecosystem has evolved to support new ways of managing devices, which we refer to under the umbrella term "modern workplace". The key elements that enable this are:
- Internet: This remains the key factor that is the foundation for all these technologies to work. The average internet speed in the USA is 200 Mbps with almost 95% of users having access to the internet in the developed world.
- Windows OS: Microsoft has evolved the OS and built native capabilities into Windows 10 that bring all these features to life. Windows as a Service (WaaS) is a key enabler.
- Cloud/SaaS Applications: Exponential growth of SaaS and continued improvements to functionality have made them ubiquitous in the enterprise environment. Their success also leads back to the first point above, i.e., the internet.
Modern deployment methods
Modern Windows deployment removes the issues that arise with the traditional wipe-and-reload, refresh, and replace models discussed above. It also tackles the problem of devices being shipped to IT and then handed over by IT to the end users, which turns IT into a bottleneck in between. Why not ship the devices straight to the end user while IT just provisions and manages them? We have been doing this successfully in the mobile device world with the Android and iOS platforms. Essentially, the idea is that we can manage PCs the same way we manage mobile devices.
Modern deployment aims to be zero-touch and builds on the zero-trust model of security, i.e., never trust, always verify, also known as perimeterless security. Moving to this method will require a change in mindset and behavior for enterprises, but the benefits are immense in the long term. We have seen that organizations already using these approaches were able to handle the pandemic in a much more efficient and productive manner, proving their resilience to unknown risks.
Figure 1. Source: The Path to Modern IT, https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management
Figure 1 above depicts the key enablers for traditional management which revolved around AD, Group policies, and SCCM. Modern management has its key pillars as Azure AD, Intune, and Office 365.
Autopilot: This service was initially rolled out by Microsoft in June 2017. The program is targeted toward OEMs, distributors, and resellers. It allows enterprises to receive business-ready PCs that are linked to the organization’s Azure Active Directory and Intune device management, along with preloaded Office 365 apps. Autopilot is similar to what the Apple Device Enrollment Program (DEP) does and links device ownership to an organization. It allows existing devices enrolled in Azure AD to be enrolled into Intune via Autopilot. It also allows resetting a device to a known good state while retaining its connection to Azure AD and Intune, which removes the need to reimage devices and saves both time and cost.
Autopilot is a key enabler that enterprises should use in today's environment, where neither employees nor IT teams can come to the office. It reduces the overhead of managing Windows devices and gives users the pleasure of holding and unboxing a new device themselves. It also removes the need for a device to be in the corporate environment, which was previously required to join Active Directory.
Provisioning packages: Provisioning packages are another way for organizations to quickly configure new devices without the need for imaging. They work even when there is no mobile device management infrastructure and do not even need the device to be connected to a network.
Ongoing management: With the Windows-as-a-Service model, managing devices in the future becomes easier and removes the burden on IT departments and users of imposed training for new releases. Microsoft releases new features two to three times per year rather than following the traditional upgrade cycle, where new features were only made available every few years. Windows features are now released more like patches were previously, with a focus on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Devices can be serviced in a ring model with early adopters, champion users, pilot users, and then broad rollouts. Delivery Optimization further reduces bandwidth consumption by sharing the work of downloading these packages among multiple devices in the enterprise. Ultimately, this model replaces the need for traditional Windows deployment projects.
Endpoint analytics: Monitoring is critical in today’s world because there are so many moving parts, with a myriad of devices on different network segments in different geographies. It therefore becomes a key area to focus on in order to understand the real-time health of the environment, take proactive action to prevent issues, fix the issues that do occur, and automate the handling of most recurring ones. Device telemetry generates a lot of noise, and it's important to see the right signals and act on them to bring meaningful outcomes that lead to productivity and user satisfaction. This also helps in recognizing which devices or users are impacted the most, benchmarking the organization's user experience, and improving it continuously.
All these technologies can help enterprises achieve better outcomes in a seamless manner without headaches and excess costs. They keep the environment agile and protected against emerging security threats, and also help prevent frequent unintentional and intentional data leakage. Enterprises that are already moving toward modern management should consider it the primary way of managing devices, and for those sitting on the fence, this is the time to start looking aggressively and embrace this new change!
References and Further Reading:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages