Managing the modern desktop

Since the release of Microsoft 365, the concepts of the ‘modern desktop’ and ‘modern management’ have been a constant throughout Microsoft’s marketing of this product (along with the ‘modern workplace’). You might be interested in this product, but what exactly are the modern desktop and modern management? Why should they be important to you? What about transitioning to a modern desktop from your current situation, and how can this be achieved? And once you get there, how does modern management help you keep the modern desktop compliant with your servicing requirements? I want to talk about these topics to hopefully shed some light on these questions.

The modern desktop and modern management

Microsoft say that the best way to experience Microsoft 365 is by running the modern desktop. This is defined as a device with the most up-to-date versions of Windows 10 Enterprise and Office 365 ProPlus, securely managed by the Enterprise Mobility + Security suite of products. This empowers your staff by providing the productivity tools they need to get the job done, and your IT teams can take advantage of the cloud to simplify management and reduce costs (which is what modern management represents). You will often see the below graphic (or similar) relating to Microsoft 365 and these concepts. The focus of this post is the modern desktop and modern management pieces of the ‘integrated for simplicity’ component shown below.

Note that Office 365 ProPlus is a major component of the ‘modern desktop’; however, in this blog post I will be focusing on Windows 10. I will dive into Office 365 ProPlus in a future blog post.

Why modern management?

Here at cubesys, we often start with the below graphic when discussing the ‘why?’ for modern management with customers, which I think succinctly sums up the differences and pros and cons of traditional IT versus modern IT (or modern management).

Without going into too much detail, a key point to take away here is that traditional IT management is not inherently suited to today’s mobile, work-from-anywhere, access-anything-on-any-device workplace. Modern IT, on the other hand, is better equipped to do so, providing a simpler, more flexible and more secure cloud-based management method, resulting in a lower TCO and a better (integrated) experience for the end user.

Another key point to consider relates to the servicing of Windows 10 and Office 365. Focusing for a minute on a traditional Windows OS upgrade, traditional IT management methods have always struggled with keeping the fleet current, which impacts both security and productivity. SOE deployments often require exhaustive testing to confirm that all of the required apps still work, and rely on tedious image-based deployments.

Windows 10 has introduced a new way to build, deploy, and service Windows, Windows as a service (WaaS), which simplifies the management of your fleet. Modern (cloud-based) management has been built to easily leverage this servicing model to further deliver the above-mentioned benefits.

Windows as a service

WaaS is the new way to manage servicing with Windows 10. With WaaS, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month. The smaller semi-annual feature updates are easier to manage and have less impact than much larger service pack or OS upgrades that existed with previous Windows versions.

As mentioned above, Microsoft will release a new feature update of Windows 10 every 6 months, e.g. 1803 earlier this year, and that version is then supported for 18 months. As can be seen below, the support window for each feature update overlaps with the next to allow flexible servicing timelines.

Also note below that Office 365 ProPlus has a similar release cadence to simplify the servicing of the modern desktop.

With WaaS, you will need to change the way you approach deploying updates. Rather than treating an OS upgrade, or now with Windows 10 a feature update, as a project, the philosophy is to treat it as a repeatable process that can be integrated into an IT team’s operations. To facilitate this, Windows 10 servicing channels are a way to separate users into deployment groups for feature and quality updates. Servicing channels include:

  • Windows Insider Program: A few machines (such as the IT team’s) used to evaluate early builds before they arrive in the semi-annual channel.
  • Semi-Annual Channel (Targeted): Select devices across various teams used to evaluate the major release prior to broad deployment.
  • Semi-Annual Channel: Broadly deployed to most of the organisation and monitored for feedback.
  • Long-Term Servicing: Devices that are critical and will only receive updates once they’ve been vetted for a period of time by the majority of the organisation.

WaaS is a broad topic and I have only scratched the surface here to highlight some key concepts and terms. For more detailed information on WaaS, start with Overview of Windows as a service. In summary for the context of this post however, modern management effectively leverages the cloud and WaaS to simplify management of the modern desktop.

Transitioning to a modern desktop

Ok. So you get the concepts so far and you are interested, but how do you start transitioning to a modern desktop and modern management? You may be thinking that because your environment is completely on-premises, or because you have a legacy business-critical app, or you have strict compliance regulations, you will not be able to cut over to a cloud-based management platform. This was an issue in the past, but there are now multiple paths you can take to transition to cloud-based management and exist in a state of co-management, where some of your fleet is managed on-premises, and the devices that are suitable are managed from the cloud.

Firstly, just to be clear, when we are talking about cloud-based modern management, we are talking about leveraging Azure AD and the Enterprise Mobility + Security suite mentioned earlier, more specifically Microsoft Intune, which is Microsoft’s cloud-based MDM platform. Microsoft Intune is part of the Enterprise Mobility + Security SKU (EM+S).

I don’t want to get bogged down in deploying Azure AD and Intune. However, to summarise in the context of this post, you would typically configure policies in Intune to deploy and configure Windows 10 devices and assign these policies to groups of users or devices in Azure AD. This would usually involve populating Azure AD with your users, groups and devices by synchronising all or part of your on-premises directory to Azure AD with a utility such as Microsoft’s Azure AD Connect. In this scenario you can configure all or some of your Windows 10 devices to be joined to an on-premises AD domain and Azure AD at the same time (a hybrid Azure AD joined device), which, along with other requirements, lets you transition to modern management at your own pace. For more information on this topic, refer to Introduction to device management in Azure Active Directory.

With the above in mind, getting back to transitioning to a modern desktop, below are options available to you:

  • If you manage devices with Configuration Manager on-premises currently, you can enable co-management for some or all Windows 10 devices. This allows you to manage Windows 10 devices with Configuration Manager and Intune concurrently, and transition devices and apps to the cloud at a controlled pace. Refer to Co-management for Windows 10 devices for more information. This requires a hybrid Azure AD joined device.
  • Similarly, if you just manage devices with group policy on-premises, you can configure hybrid Azure AD join for some or all devices and then manage them with group policy and Intune concurrently. See Introduction to device management in Azure Active Directory for more information.
  • Alternatively, if you have an existing use case that fits the scenario, you can deploy Windows 10 cloud only devices, so the device is joined to Azure AD and managed by Intune only, which still allows you to pilot the technology.
  • Of course there is also the big-bang/cutover approach, but this is generally not suitable.

Another feature of the complete modern desktop I’d quickly like to flag here also is Windows Autopilot. Windows Autopilot leverages Intune and Azure AD (and other technologies) to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices. Windows Autopilot further serves the ‘light touch’ benefit of modern management from IT’s perspective. For more information on Autopilot, start at Overview of Windows Autopilot, or you can visit my previous blog post regarding this topic also, A look at Windows Autopilot.

Servicing the modern desktop

Once a Windows 10 device is joined to Azure AD and being managed by Intune, you can use Intune software updates and Windows Update for Business to manage the deployment of Windows 10 and Office 365 ProPlus feature and quality updates. You can develop your servicing strategy by using ‘deployment rings’, which in Intune are basically policies that specify the servicing channel (discussed earlier in this post) and deferral periods to use, and these policies are assigned to the relevant Azure AD groups for deployment. For more information on the concept of deployment rings, start at Build deployment rings for Windows 10 updates.
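To check what a deployment ring policy actually landed on a device, here is an added example (not from the original post, and not a cubesys or Microsoft script) that reads the Windows 10 release and its Windows Update for Business servicing settings from the registry and reports whether the release is still inside the 18-month support window described in the WaaS section. It assumes the two policy registry paths below are where Group Policy and MDM (Intune) write the Update settings, that the BranchReadinessLevel codes 16 and 32 mean Semi-Annual Channel (Targeted) and Semi-Annual Channel, and that ReleaseId follows the YYMM pattern (true for the releases current at the time of this post).

```powershell
# Added example: audit a Windows 10 device's servicing channel, deferral days
# and release support window. Assumptions: registry paths and readiness codes
# below follow the Windows Update for Business / Update CSP conventions;
# the support window is the 18 months stated in the post.
function Get-ServicingAudit {
    [CmdletBinding()]
    param(
        [int]$SupportMonths = 18,
        [datetime]$Today = (Get-Date)
    )

    # ReleaseId is a YYMM tag, e.g. 1803 = March 2018.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = [string]$cv.ReleaseId
    $year  = 2000 + [int]$releaseId.Substring(0, 2)
    $month = [int]$releaseId.Substring(2, 2)
    # Approximate: GA dates differ from the tag by a few weeks.
    $endOfSupport = [datetime]::new($year, $month, 1).AddMonths($SupportMonths)

    # Assumed policy locations: Group Policy path first, then the MDM (Intune)
    # PolicyManager path; whichever exists is used.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    )
    $policy = $null
    foreach ($p in $policyPaths) {
        if (Test-Path $p) { $policy = Get-ItemProperty $p; break }
    }

    # Assumed readiness level codes (Update/BranchReadinessLevel).
    $channel = switch ($policy.BranchReadinessLevel) {
        16      { 'Semi-Annual Channel (Targeted)' }
        32      { 'Semi-Annual Channel' }
        default { 'Not set (device default / not WUfB-managed)' }
    }

    [pscustomobject]@{
        ReleaseId              = $releaseId
        EndOfSupport           = $endOfSupport.ToString('yyyy-MM-dd')
        InSupport              = ($Today -lt $endOfSupport)
        ServicingChannel       = $channel
        FeatureUpdateDeferDays = $policy.DeferFeatureUpdatesPeriodInDays
        QualityUpdateDeferDays = $policy.DeferQualityUpdatesPeriodInDays
    }
}

Get-ServicingAudit | Format-List
```

Run it on a pilot device after assigning a ring policy: a channel of ‘Not set’ or a release with InSupport = False is the kind of gap Update Compliance would also surface, but this lets you confirm a single device locally.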

An additional benefit of the complete modern management picture is the concept of using data-driven analytics to guide your Windows servicing approach. By configuring your Windows clients to send telemetry data to a cloud-based service called Windows Analytics, you can gain real insight into your organisation’s devices and apps, and their compatibility with the Windows 10 version you are targeting for deployment. This helps to mitigate deployment risk and improve deployment success.

Windows Analytics is a cloud-based service that leverages ‘solutions’ hosted in an Operations Management Suite (OMS), or Azure Log Analytics, workspace. There are 3 Windows Analytics solutions that facilitate modern management: Upgrade Readiness (which was the subject of the previous paragraph), Update Compliance and Device Health. Below is a graphic illustrating some basic information on each. For more information on Windows Analytics and these 3 solutions, start at Windows Analytics overview.

COPE modern desktop servicing

Ok, so now hopefully you understand the key concepts above and can see conceptually that it is achievable to transition to the modern desktop and modern management, and to do it at your own pace, but how can you start putting this all together in a way that your organisation is going to benefit from most?

cubesys can assist you with this journey with our tailored COPE Modern Desktop Servicing. COPE (Corporately Owned, Personally Enabled) is a suite of offerings based on Microsoft 365 (and the modern desktop and modern management discussed in this post). Broadly, COPE is designed to quickly realise the potential of your employees, while aligning to your corporate and security compliance needs. COPE Modern Desktop Servicing is a framework that provides you with a data-driven, automated approach to your Windows 10 and Office 365 ProPlus servicing requirements. For more information on this service and how we can be of assistance, reach out to us here at cubesys to start the discussion on your path to the modern desktop.

As mentioned earlier in this post, in my next blog post we’ll have a look at Office 365 ProPlus in more detail. Until then…


Andrew Matthews
Senior Cloud Consultant at cubesys

Andrew has 14+ years’ experience in senior operational and support roles, solution architecture, design, professional services and project management. Andrew specialises in Office 365 and Azure AD, EM+S, Exchange and Lync/Skype for Business.