Coming up, we take a look at your options for managing Windows 10 devices

using traditional management strategies

with configuration manager and cloud base modern management with Microsoft Intune.

We'll explore the end-to-end lifecycle from new ways

to deploy Windows PCs without having to create your own images.

To new options for keeping your users productive while configuring

and securing your companies Windows 10 devices.

Microsoft Mechanics

So, I'm joined today by Mark Florida,

an expert in traditional Windows management configuration manager

and model management with Microsoft Intune.

Mark, welcome.

Thanks, it's great to be on the show.

To start off with the release of Windows 10,

there have been lots of enhancements that expand what's possible

in terms of the management of both the main joint PC's with configuration manager.

And with Azure Active Directory joint PCs with Microsoft Intune.

Can you bring us up-to-date on what's been happening in this space?

oh yeah, sure.

So last December we released a new version of configuration manager,

We call it our current branch.

It aligns with the windows 10 servicing model.

Let me show you what that kind of looks like here in the demo.

As you can see we've implemented some new features aligned with Windows 10,

such as the ability to measure your health state of your Windows 10 devices.

So we're basically kind of keeping up and lighting up new features that come here with Windows 10.

The other thing that we've been working on is making it much easier to upgrade.

This new release of configuration manager

has been one of our fastest updating releases ever.

We already have it installed on over 44 million clients

and over 23,000 different customers.

And that's not all.

With windows 10 and the enhancements that have been made in the inbox MDM agent,

we've also enhanced Intune to better leverage those capabilities.

Let me show you what that looks like here.

What we've done is modified Intune to incorporate many of the new policies that

are now available in Windows 10.

So what you see right here is an ability to configure these new policies,

such as set in addition upgrade

which is super critical for customers who need to move from a lower-end sku to a much higher-end sku.

You can set up additional policies here like a VPN profile

and other changes as well.

In this last piece here there are very significant changes around Windows information protection.

Windows information protection really affords a customer

the ability to protect their corporate information

to ensure that it doesn't move out of their environment without their knowledge or control.

I know a lot of poeple watching this are actually considering that longer term management structure.

Some folks may be looking to shift some of that management capability to the cloud

Other folks might be more comfortable with sticking to traditional configuration manager.

How should people be weighing up all the different management options?

Sure, you know whether you choose traditional or modern,

for us it's really about lowering the overall cost of managing your windows devices.

It's not a question of one or the other.

I think what customers will find is that,

given their environment they can likely apply both in different situations.

So Mark, can you give us some examples of what those decision points really are?

Yes, there are three key areas.

The first being your imaging and how you get Windows 10 deployed.

The second being applications and identity and the third is software updates.

Okay, let's deep dive in.

What about the first of those provisioning?

Yeah, so if i look at a typical imaging model today

let's face facts, it's pretty heavy.

You have to get a machine in and you have to re-image it.

You have apply all your new drivers and it takes hours and usually requires a lot of manpower.

What we've done with Windows 10,

is we now allow you to get devices deployed much more quickly,

and much easier for the end user to be able to work off those devices.

Let me show you what this looks like in a demo.

So what you're seeing here on the screen is just a device that comes right out of box.

And what you'll notice is a real key change here,

is I have an option to join this device to Azure Active Directory

which is new because most people are joining into local Active directory.

So, the first thing I'm going to do is enter in my credentials.

These are the same credentials I would use for accessing corporate email.

So the end user is very familiar with having to do this.

Now behind-the-scenes what's going on is this device is joining to Azure Active Directory.

And as part of that we're going to start to now get management policies coming down.

The very first policy that you see here is a multi-factor authentication.

This is a good way to validate that my identity is who I am when I'm trying to log into this device.

I'll enter that code there to attest that this is truly myself.

And this next piece that you're seeing here is where Intune comes into play.

So this pin isn't part of the regular out-of-box experience?

This is actually Intune policy telling Windows to require a pin.

Oh yeah, absolutely that's kind of the beauty of it.

To the end-user they don't know that they're going through a real disjointed experience at all.

But, it's getting the device prepped and ready for them with the right policy

so that the IT administrator can feel secure that the device is protected.

Now I'm going to show you a few other cool things.

First, you'll notice a substantial change here.

which is when a typical system comes back up,

you'll notice that it's being managed through local active directory.

Not the case here, this is now being managed through Azure Active Directory.

The last thing I want to show you is

It's right here.

So what you notice here is this device also has the configuration manager agent installed on it.

So what we've done is we've really integrated the management experience for a customer,

so that they can use Intune to help provision this device.

They can use Azure Active Directory to help get this device registered and managed.

But, they can also use configuration manager in this environment

if they still need traditional management scenarios.

That sounds like a pretty good idea.

So what do you actually have to do to make that work?

Well all I really had to do was go into the Intune console

and use Intune to provision the SCCM client.

SCCM exec just needed to be installed and that was it.

The second area that you spoke of was around identity and applications.

What are the decision points that you suggest for folks here?

Sure, it really just comes down to technology.

It's a comparison between domain join and what's available there

and what's available with Azure Active Directory.

When I speak with customers, it generally comes down to what are using group policy for?

If you're using it for security settings

and making sure that those policies are adhered to,

then really take a look at what's available in Windows 10 with the inbox MDM agent

Because it can cover many of, if not all of those needs.

And then with applications, it just comes down to the type of applications that you are deploying.

And if you're primarily using web applications or SAAS applications,

you will find that Azure Active Directory provides many of the same needs that you're accomplishing today

with your domain join machines

such as your ability to authenticated and attest who the user is.

So I guess you'd be looking at Intune as the management provider in that case.

Can you show us what this looks like?

Yeah sure, I'd love to.

So for a little bit of context,

this device that we're on right now has just a local account.

So it's not managed and you can almost think of it as a home PC

or a BYOD device that was brought to work.

I'm going to attempt to access my work email.

Go up here into outlook.

I'm going to do a couple things that are just pretty standard which I think most poeple are use to

which is typing in your credentials.

So you can get to your email.

Okay and you'll notice I'm blocked.

And that's by design.

And the reason being is because I previously enacted a policy in Intune

to prevent access to email unless the device is managed.

So what I'm going to do is now make that happen.

I'm doing something very similar to what you saw in the previous demo,

which is adding your Azure Active Directory account to this device.

So click done here and now what you'll notice is there is a work account that has been added to the machine.

I should be able to go back and get a look at my email.

I'll close that out.

I still can't get access.

Now the reason that I showed this was to make a key point

that it's important that the device is fully configured and compliant before getting access.

What you'll notice is now that I've given the system a little bit of time to behave,

the browser when I first launched is now showing me my email.

It logged me in using single sign-on.

That's all possible because the device has joined Azure Active Directory.

I can see here, I've got my work email and I'm good to go.

And that's only possible because of our conditional access checks were validated.

And I can be sure that the device is trusted before allowing the user to get access to corporate information.

Excellent, it looks like there might be some extra policies that have applied there as well.

I can see a little briefcase icon up there.

Yes, that is Windows Information protection.

The edge browser is defined as a managed application.

It's one where the company has full control over, is a good way to think about it.

So what's kind of neat about this feature is,

let me go down to the secret email that you sent me here.

And you can see that there is some text on our secret recipe that we want to make sure stays protected.

What I'm going to do is attempt to move that information out of a corporate managed application.

That little briefcase.

And move that over to a non-protected more personal application.

So let me launch Notepad.

Notepad has not been declared as a corporate application.

Thus, you don't see that briefcase or anything like that.

But, what you'll notice when I attempt to hit paste is that

the system is prompting me: "Do you want to allow this to happen?"

I as the end user can say: "Sure, I want to make that happen."

I presume it gets audited if you actually say that you want to change that to personal data?

Oh yeah definitely and it's actually richer than that.

It would have been a pretty lame demo to show you,

but you can actually make this as an IT administrator.

You can just block it completely.

So if you don't want to allow the information to go out, you can just stop that.

If you want to you can make this silent so I could paste it out into a personal application.

But, continued to audit that as well.

So there's different kinds of sets of options depending on who your user base and your scenarios are.

I'll just allow this paste to happen.

So now you see it went through.

Your audit message that you described earlier will be recorded

And this last piece is to show you how it would work with just a fully managed application.

In this case, Wordpad.

You can see it has the briefcase up above and that means it's a corporate management application.

You have to paste the information in there.

That went on without any end user intervention.

So in summary, if you're still leading the complexity of domain join

you can continue to use configuration manager for those devices.

And at the same time blend this with simpler more cost effective management

with mobile device management.

Mark, you also mentioned software updates.

Yes, so the two previous areas are really a choice the customer can make.

The reason I call out software updates

is because of the new model that has been released with Windows 10.

They've moved to a cumulative update model

which greatly simplifies the update process for a customer

to keep their Windows devices up-to-date.

It's something a customer should take a look at if they haven't done so already.

Why don't I give you a glimpse of what that looks like.

What I'm going to do is show you Configuration Manager.

Where we have built an experience in there for you to manage Windows 10 servicing.

So there's a few kind of key concepts I'll talk about which is that