MODERN DESKTOP MANAGEMENT Simplifying the Desktop Deployment Process with Intune and Autopilot


Welcome to Chromecast, check it out. I'm Sam Major, Commercial Director for Chrome Technologies. I'm joined today by Sam Remo, Technical Consultant. It's so nice to be in the building and see someone face to face again.

Thank you for having me.

No problem. So we're here to talk about managing a modern desktop environment using tools such as Microsoft Intune, although I've just learned they've changed the name to make it even more confusing.

It's Endpoint Manager now. Under that umbrella, Microsoft Endpoint Manager.

Okay, cool. And we're obviously talking about the comparison of using that to manage evolving modern environments, compared to what I'm more experienced in, which is this kind of SCCM world, and that is now legacy really. The differences and advantages, where we should be using it, where we shouldn't be using it, and the overall difference in how we use it to automate, etc.

Yeah, so I think one of the most common words you'll hear buzzing around is Autopilot. That is effectively a bolt-on to Intune, and Intune is the old name for Microsoft Endpoint Manager. It's most prevalent, it's most useful if you think about the old-school method of how we used to deploy a desktop image. Typically you would have a technician; he would go away, he'd wipe the machine clean, he'd download all the drivers for the device, he'd install Windows, he'd install applications, he'd create what was then known as a gold build.

That's kind of where I might go back to, where I started with this: my gold images on a USB stick or an external drive, and kind of starting from there, in various days using things like Ghost and whatnot to drag those across networks.

Yeah, so Ghost had its problems, along with some of the other cloning technologies around those days, and it's quite an indicative way to approach it. And then if you had different requirements for different departments within your organization, you then had to create a gold build for finance, you had to create a gold build for legal, and so on.

We had eight different gold builds for a customer at once that we had to manage.

Yeah. So SCCM introduced the task sequence: the concept of wiping the machine, installing an operating system, loading the drivers and then installing a specific set of applications for a department. The fundamental issue with a gold build was that you had one build and it was fixed in its state. When SCCM introduced the task sequence you were able to adapt the build according to which department you were targeting, which made the whole process much more flexible, and you could make fluid changes. If, for instance, there was a security outbreak, you could update your application and the very next build that's created would have it available; you wouldn't have to go through the whole process of redeveloping your build.

Yeah, okay. Cue Intune?

Yep. So your desktop technicians will specialize in desktop; they'll find all the drivers for your build, they'll put your desired set of applications on there. That's their focus, that's what they do. But if you've got SCCM, you've also got a SQL Server to manage, just for the SCCM infrastructure. You've got to pay for that initial hardware and you've got to maintain it.

One thing I know about SCCM is it's quite an unwieldy thing to manage. Obviously quite an investment in the actual hardware, you mentioned things like SQL and whatnot. It's quite a lot to actually manage just to do what I wouldn't call simple things, but, you know, to get your applications out there, to get your updates and whatnot. It's a fair investment and it's a fair overhead.

Yes. So your deployment engineer, your SCCM specialist, or whatever other title for that person, not only have they got to be a desktop specialist, they've also got to be an infrastructure specialist, and so splitting their discipline into two areas can consume time and it slows the whole process down, or you've got to put more resources in: you've got to have someone dedicated to doing that, and also your total cost of investment increases exponentially.

Yeah, and invariably there's crossovers between the two disciplines, and so therefore you've got to have a tight-knit team working together to achieve your goal. So cue Intune. What's so great about Intune? Why are we here talking about it?

Well, essentially what that's done, in simple terms, is taken SCCM and put it in the cloud. So you're able to deploy a build with no infrastructure. Simply, you power it up, you go through the manufacturer's OEM setup; at that point it will ask you, do you want to sign in with your work credentials? As you sign in with your correct work credentials, it goes off to Microsoft, it recognizes who you are, then it begins to deploy a profile and then the necessary applications, and then, given half an hour, 45 minutes, after several reboots you've got a working device ready for business.

Interesting. So I mean, especially for us, historically we've used a lot of SCCM. We have distribution points down in our build rooms and whatnot, we're connected to client sites, but we're still using SCCM. They will ultimately no doubt evolve to using Intune. Actually, we talked before about one of our previous podcasts where Rupert and I talked about the evolution of everything as a service. We talked about certain things like 365: whilst there are people that potentially wouldn't use 365, the majority of people do, and it makes sense, right? I think this is where, and you can correct me if I'm wrong, but this is the conversation we've had: I just see there's no real reason that you want to keep all that legacy infrastructure on site to manage it all yourselves when you could easily adopt this in the cloud. And then, as you alluded to, the whole build process is far simpler and easier in this kind of new iteration than previous. It's a big step on.

Yeah, I almost look at it from a selfish point of view: why would I want to worry about supporting all that infrastructure when I really want to focus on creating a slick automated build that's going to improve the user experience no end? However, Intune isn't the answer to everything. There may be some applications that won't work from the cloud, or there may be some security reasons that you would still want to run some on-premise. So in that case, guess what, you can use Intune to deploy a VPN and then you get access to your on-site infrastructure.

Okay. So I guess if you put that into some context for someone like us, and for the audience right now, you know, we've worked together for an awful long time, we've done some very big desktop estate projects, and thinking back to some of those, we've had literally thousands of boxes through the door and we've had to use an SCCM image on an awful lot of machines. But that's time on the deck, engineers in front of it making it happen, re-boxing it, and then an engineer taking it out, doing that white-glove, Rolls-Royce service to the desk. Obviously, fundamentally that changes with how we do it as a service provider, and there's little nuances we need to understand. As we've learned from the past, the kind of hash codes on the outside of the box make life a lot easier, so remember that one.

Yeah, so hash codes: that's when you take a unique identity from the machine, you register that within Azure, then as the device powers up Microsoft knows that it belongs to a particular company and then it will download the relevant software. There's kind of two ways of approaching that. There's a magic five presses of the Windows key and that will then go into what is Autopilot, which I mentioned earlier, and so then, with no particular identity, it would download your core set of applications, your base build, then that's ready for use. You can then ship that to the end user; the end user can then sign in with their credentials. As they sign in it will be authenticated via Azure SSO and MFA. When they're signed in, then if they've got any specific line-of-business applications, they will then come down on top.

With that then, just think, we touched on on-prem. So if they've got a bunch of stuff, we can do with Intune, I'm about to bundle Intune and Autopilot together, they do different things, it's good to differentiate, but so we use the hash code, we download, I guess it's called a basic setup, it ships to you at your desk, you log in as yourself, it knows you're part of Chrome's Azure tenant and whatnot. I'm assuming then it goes to some of the on-prem apps and it does the final overlay to get your build?

Not specifically on-prem. So typically I have administrator access to an environment, so a base build may go out, let's say, with Windows patching, Adobe Acrobat, Microsoft Office, basic office automation tools. Then as I log in it will recognize who I am, I'll be a member of specific groups, then it will allocate the applications associated with those groups to myself and they'll download in time. Some will download automatically, some will be available for me to install at my leisure, depending on how the application's been configured.

You just said you're an admin, right? So let's say I'm not, clearly best to keep me off everything. So if it arrives at my desk and there's apps I don't have, how do I get them to my desktop or my laptop?

So the app provisioning within Intune is very much similar to SCCM, and the way most organizations will do it: they'll package an application, they'll import it into their deployment tool, they'll associate a, most likely, Azure group to it. Azure also has dynamic groups, so if your profile fits certain criteria, perhaps if you're a member of finance or you live in a certain area, you will be added automatically to a specific group, and then that group will be associated with an application and that application will be deployed to you. That can be done one of two ways. It can be made a required application, which means it will just automagically come down, you don't have to worry about that. Or, if it's something perhaps you're not likely to use that often, or if you use a number of machines and you only want it on one specific machine, for instance, yourself, Sam, you have a desktop here and you have a laptop at home, so you may only want the app in the office, then you can just go into the software portal and select it.

You just talked about what we can control. So let's say it's not me but someone else, and we want them to have access to X in the office but not Y on the laptop at home, we can control all that as well, right? So they only have location-specific access as well?

Yeah, we can do that by dynamic groups or we can do it by, sorry, conditional access. There are a number of methods. Essentially Intune is SQL back-end, so there's a whole load of queries that we can create to target applications to users based on set criteria. We also have exclusions, so if you're a member of finance but you're only a junior member, perhaps, then you won't get this application. I'm trying to think of another scenario for that at the moment.

I understand the kind of concept; there's a lot of control. And what actually struck me, you and I talked about this, there is a direct comparison, obviously, this is an evolution of SCCM, there's a lot of stuff we could do there. The thing that struck me with SCCM was it seemed to be for the most part the reserve of the bigger companies, because it made sense to make that investment: they had a lot of desktops, there's a lot of overhead. Smaller companies, you kind of sucked it up, the refresh would be a painful process but it didn't warrant the investment in SCCM. So you seemed to see it in the larger enterprises, right? And there were always complaints that it was costly, it was unwieldy, it was a bit of a pain to set up and whatnot. No one seemed super happy with it. But from the conversation we had, it seems that with Intune and Autopilot, and actually I'd like to get to your point on that, but Intune certainly is no longer the reserve of large enterprise. This is fit for purpose for your 10-user company to your 10,000-user company and everyone in between.

Yeah. I mean, it doesn't come at a bargain-basement cost, let's be honest about it, but if you've got on-premise infrastructure you've got to have an army of engineers to look after that, depending on the size of your organization. Because Intune stroke Azure takes that away from you and it's all cloud-based, you haven't got to worry about patching the servers and maintaining all that hardware, which in turn means that a smaller organization that has a smaller IT team can still have large enterprise capability because it's all facilitated by the cloud.

Yeah, I mean that's a clear benefit for the guys that haven't been able to bite the bullet and make that investment, or just haven't had the budget or staffing to be able to do that. There's clear benefits.

Yeah, I think as well there's a few small niche companies out there that really do require an enterprise offering, but it just doesn't make sense for them to invest in all of the infrastructure and have a huge IT team as an overhead, and then that brings that offering to the table for them.

Yeah. So going back, as a layman I kind of have just, in my brain, bundled Autopilot and Intune; it was almost one and the same thing. Obviously very different things. It would be good, if anyone like me has made that mistake, if you could just tell us: this is Intune and this is Autopilot, and obviously where they actually work together.

So fundamentally, Intune is a software deployment mechanism, a method of patching your devices, a method of enforcing configuration and policies upon them. So, for instance, you could lock down your web browser, you could configure an application in a specific way so it finds the correct servers that you're connecting to, and so on and so forth, and all that is done within Intune. What Autopilot brings to the party is the white-glove part of the process. So when you want to provision a machine, as I said, the magic five presses of the Windows key will then initiate the device. It will go off to the internet, the hash code of the device is registered in Azure, it will then download the applications as if you had logged in, but without logging in. So you can have a device almost without an identity but with the correct configuration, and then it goes to the end user. As opposed to that, you can pretty much repeat the same process, but you would have a few more setup steps to go through when you power the machine up the first time round, and then when you sign in it uses your user account to identify that you belong to an organization. So on the one hand, Autopilot and the hashing gives you a hardware-based authentication, and on the other hand, when you sign in with your user ID and you prove who you are through your MFA, that gives you a user authentication. But the end result is you get an automated installation of Windows and all your software.

And just to go back on something I mentioned earlier about how, typically in the past with the gold builds, a technician had to go away and find all of the relevant hardware drivers for the device: the approach with Intune and Autopilot is very much different. You actually don't wipe the machine. You take it from the vendor; for instance, with Dell devices, they'll come pre-installed with all of the drivers to run the machine optimally. We don't wipe the machines; we leave that in place, we boot the machine, then we sign in and we download the applications. Effectively, rather than creating the machine, we transform the machine. We take it from an off-the-shelf device that could be targeted either at consumer or commercial, and we turn it into a business machine.

Interesting. I actually wanted to cover, because it was still not that clear in my mind, I'm used to talking to customers about packaging and all that sort of stuff, and the difference, I guess, in how we're used to it in the SCCM days and whatnot. I know a fair bit about packaging and the success or not of those sort of endeavours. How is that different? Is it different in Intune, or is your app packaging still just that, we can't change it, or how has that evolved?

So fundamentally your approach to application packaging hasn't changed. Microsoft has made available, for instance, Microsoft Office; that's available via the web and you can provision that, and there are various applications available in the Microsoft Store and you can make those available through Intune. But when it comes down to your line-of-business applications, you go back to your core basic packaging skills. So, for instance, we've recently heard about Windows 11, so that's coming soon, and the appropriate way to approach that would be: you go through your test and validation process, make sure the application works on the new OS, you'd put that into a packaging team, they would package the app, configure it, customize it for the target environment. When it's done, the change then is that you use an Intune tool to, if you like, wrap the application into what is effectively a zip file. You then upload that file to Intune, and then it's almost like for like with SCCM, Configuration Manager, Microsoft Endpoint Manager, the many brands Microsoft has given it, in that you'll be able to set the command-line options for the application you want to install. You can set criteria that it must only install on 64-bit Windows, it must only install on a specific version of Windows, and you can set criteria both for and against it. By that what I mean is that a specific device must meet this criteria but it also must not meet a second set of criteria. And again, as I alluded to earlier, you can assign that application to groups, and you can have groups that are included, that will be in it, but if there's a crossover of groups, if someone is a member of two groups, then you can also exclude it. Typically I use this whereby an application might be available to a production environment, and then I'm introducing a new version of that application. So then for the new version I'll exclude the production users from that and then I'll just add the pre-production or UAT testers to that, and so then you can effectively put a test application into a live environment in the confidence that it's only going to hit your target users, the people who are going to test it, and not ruin everyone's lives.

Yes, okay. I mean, as someone that is hands-on with it, and I guess to wrap up almost, but I want to get this part out of you: you've used both, you're very experienced in the SCCM world and prior, and you're obviously very versed in Intune now. I guess what are the top things, your top salient points, as to why this is better?

I'm glad you asked me that question, because first I'd like to say I was very much a skeptic at first. Having traversed through the gold build process, through SCCM, and used another third-party tool to create a build, going into the cloud, you know, is it really going to work? Do we really just want to take a machine off the shelf and have the faith in it that we can deploy it to that? But I'm very much a convert now. The big takeaways for me: one is the time and effort that goes into, as I said earlier, acquiring all those drivers and creating a new build. Then the lack of investment in infrastructure: I'm aware that for some of your clients you've put in a point-to-point VPN so that they can have an SCCM deployment server on-site and connect to their domain. You don't have to worry about all that; all you need is an internet connection, so pretty much you can do it anywhere on the planet. That said, there are some organizations that it might not be so suitable for. I did some work for a construction company, and one day I was in a plush office in the centre of London, connectivity 100 gigabit LAN and so on, and then the next day I was in a Portakabin, you know, working off a satellite piece of string. And yeah, it was a very different experience. And just jumping back to a previous point, we spoke about Autopilot and Intune: so Autopilot lends itself to those Portakabin scenarios. We'll prep the device and get it all up to date, then ship it working. If we go into the office, then we can potentially pass the device to the user and let them just simply sign into the device and let it provision in their presence, because time, well, not necessarily time, but bandwidth isn't an issue.

Yeah, okay. So I guess my takeaway from that is it's really become simpler. It's pretty easy to use. Microsoft's done us a favour, popped it in the cloud to save the expense of kind of on-site investment and management, and as we've seen, obviously we've been using this and you've been using it for our customers as well, it is simple. And those that said, as before, "I don't trust it, it's in the cloud", clearly have become converts or even evangelists.

Yeah, absolutely. I mean, you say simple; not all of it is so simple. It's a constantly evolving product, and, you know, with Microsoft every couple of months there's a new flavour of it. Something in particular I've worked on was taking all of the legacy group policies; you know, you can import those policies into Intune. What Microsoft are now doing is they're making those policies natively available within Intune, so you don't have to go through the process of importing your old-style policies in. It's constantly evolving, constantly moving forwards, and in my opinion it's a very good investment.

Brilliant, thanks Sam. Great.

Cheers.

And thank you for joining us on this edition of Chromecast, check it out. Please remember to like, subscribe, comment and share, and if there's anything you'd like us to cover in future episodes, do that in the comments below.

2021-09-12
