The benefits of a modern workplace and modern desktop are many. Users and companies now more than ever need to be ready for a mobile world. A user expects to be able to work from anywhere, and many organizations need to be prepared for changes such as scaling in terms of growth, acquisitions or even, in the worst case, downsizing.
The road to a modern desktop the Microsoft way is to activate and use co-management to take it in baby steps. My philosophy is to build a use case without co-management using a cloud-only solution and use that to showcase what can be done in your organization. The idea is to accelerate the journey to the modern desktop as it will be a great example of what can be achieved and how well it works.
Do a “deployment” of a new Windows 10 device, or reset your existing Windows 10 device, and keep in mind that everything you need should be available to you automatically! That means settings, applications, documents and files, so that you can start working immediately.
The goal is to set up an environment where you can join any Windows 10 device to your environment, letting it be totally agnostic of your physical network.
- Azure AD Premium P1 (or P2) or EM+S E3 or E5 or Microsoft 365 E3, E5 or any other license including Azure AD P1 (or the automatic MDM enrollment feature).
- Intune licenses as part of EM+S or Microsoft 365 or standalone Intune licenses.
- Windows 10 Pro or Enterprise.
AutoPilot as the modern “deployment solution”
Deployment in the new world is not done image based with certification of drivers and network PXE boot. Instead you (or preferably the vendor or a partner) register the devices you need to deploy using the AutoPilot service that Microsoft provides.
When the device is booted for the first time, it fetches the AutoPilot profile and applies it, and when your user logs in using their email address the Windows 10 device is joined to Azure AD and at the same time enrolled into Intune (requires an Azure AD Premium P1 license).
By activating the Intune Enrollment Status page, you can also see the progress and make sure that the device is (almost) ready when the user is logged in.
OneDrive Known Folder Move is the modern folder redirection
One of the most important things I want available on any device I use is my files and documents. By activating and using OneDrive Known Folder Move, I can get my Desktop, Documents and Pictures folders redirected to my OneDrive for Business.
This is just like good old folder redirection where you redirect these folders to the network with offline files (yikes!), but now you do it for OneDrive where you also get a better sync than with offline files.
- Start using OneDrive Known Folder Move (pre-req to have Office 365 / OneDrive for Business)
MSIX is the future
Repackaging packages to MSIX is the future. Why? Because there are several benefits over traditional MSI packaging and distribution. Delta updates of apps are one advantage; another big advantage is how the updates of apps work, which is a huge problem today in many enterprises.
But wait, did not Microsoft release Win32 app support in Intune? Yeah, they did, but why on earth would you want to put makeup on the pig? Moving your existing Win32 app packages to a modern management solution is like moving to a new house and bringing everything with you, not only your stuff and furniture but also the dust and dirt.
- Download the MSIX Packaging Tool and convert an existing application package.
- (when available, also try the MSIX convert feature in the SCCM console which will be available in a future ConfigMgr upgrade!)
Enterprise state roaming
To get some basic sync of settings such as background image and other customizations, as well as favorites in Edge, saved credentials in Windows and more, you activate Enterprise State Roaming so that the settings roam with you. This feature leaves a lot to be desired but at least provides basic profile roaming.
- Activate Enterprise State Roaming (applies to both Azure AD joined, and Hybrid Azure AD joined Windows 10 devices)
Follow up using Windows Analytics
As all your clients are disconnected from your infrastructure in our scenario, you need to be able to follow up on important things such as patch status, and this can be done using Windows Analytics, and Update Compliance specifically.
- Activate and start using Update Compliance which is a part of Windows Analytics (can be applied to all Windows 10 devices)
Helping your users remotely
When your Windows 10 devices are basically anywhere in the world you must be able to remote control them to provide support whenever needed. You can do this using Quick Assist which has been with Windows 10 since 1607. It works just like TeamViewer, which is very popular, in the sense that Quick Assist works basically anywhere if you have a working internet connection.
Worth noting is that in Windows 10 v1809 the person giving assistance is signed in to the Quick Assist app when providing support, so all you must do is provide the connection ID to the end user and off you go!
Key fact – access to on-premise resources!
Well, I think most can agree that few organizations have moved or migrated all on-premise resources to the cloud. Therefore, most users still need to access resources only available on-premise.
A magic feature exists thanks to Azure AD Connect, which means that whenever your Azure AD joined Windows 10 device is on your corporate network and has contact with a domain controller, you get a Kerberos ticket for that user! This can be used to access any on-premise resources although the device is not part of the on-premise domain at all!
Read more about how this works from Michael Niehaus.
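One way to check this on a device, as an added example that is not part of the original post: the script below confirms the device is Azure AD joined only and then looks for a cached on-premise Kerberos ticket. The function names are hypothetical, and it assumes English klist output and that it is run as the signed-in user on the corporate network.

```powershell
# Added example (function names are illustrative, not from the original post).
# Run as the signed-in user, without elevation, while on the corporate network.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Name : Value" pairs; collect them in a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-OnPremKerberos {
    $state = ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status)

    if ($state['AzureAdJoined'] -ne 'YES') {
        return 'Device is not Azure AD joined.'
    }
    if ($state['DomainJoined'] -eq 'YES') {
        return 'Device is domain joined (hybrid), so this is not the cloud-only case.'
    }
    if ($state['AzureAdPrt'] -ne 'YES') {
        return 'No Primary Refresh Token; sign in with the Azure AD account first.'
    }

    # klist lists the user's cached tickets; a "krbtgt/<REALM>" server entry is the TGT.
    # Assumption: English output, where the field is labelled "Server:".
    $tgt = klist.exe |
        Select-String -Pattern 'Server:\s*krbtgt/(\S+)' |
        Select-Object -First 1

    if (-not $tgt) {
        return 'No TGT cached: no domain controller reachable, no ticket requested yet, or the account is not synced from on-premise AD.'
    }
    return "TGT present for realm $($tgt.Matches[0].Groups[1].Value)."
}

Test-OnPremKerberos
```

A device that reports a TGT while DomainJoined is NO is in the state described above: it can reach on-premise resources as the user without being a member of the on-premise domain.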
With all these steps you have a quick way of getting started with a top modern workplace which works anywhere in the world. And, to add to that, whenever their devices are in the corporate network, the user gets access to any internal resources such as files, printers and applications the user has access to.