In-Depth
Microsoft 365 for Modern Workplace and Management
The new service aims to make Enterprise Mobility + Security (EMS) more appealing than ever.
A secret project that resulted in the development of what is now known as System Center Configuration Manager (SCCM) began 25 years ago, an anniversary Microsoft marked at the recent Ignite conference in Orlando with online tributes and anecdotes. The covert project, championed by founder and then-CEO Bill Gates, was code-named "Project Hermes," and debuted in November 1994 as Systems Management Server (SMS).
"I can tell you, this has had a profound impact on my life and the life of my family, and it's impacted millions of IT professionals," said Brad Anderson, corporate VP for enterprise mobility and management, speaking in one of the general sessions at Ignite, where he gave a nod to the milestone and urged people to look at the online video tributes and anecdotes.
But this session was all about life after SCCM. Microsoft's answer is the company's cloud-based Enterprise Mobility + Security (EMS) suite, which includes Intune, a PC, mobile device and application enrollment, management and security tool. EMS also includes Azure Active Directory (Azure AD) and data loss prevention capabilities.
The Microsoft 365 Subscription
While EMS has been around for a few years, Microsoft recently moved its administration consoles, Intune included, into the Azure portal. Now Microsoft is looking to make EMS and Intune even harder for customers to pass up. The recent launch of Microsoft 365 provides a single subscription for EMS, bundled with Office 365, Windows 10 and optional Dynamics 365 business applications.
Anderson told attendees at Ignite that Microsoft 365 is not just a bundle of products. It taps into the intelligence of the Microsoft Graph API and provides what the company is calling "modern IT," to address the shift in the way people work, with mixtures of personal and corporate devices that use different on-premises and Software-as-a-Service (SaaS) apps. In these new agile environments, IT pros now must support employees who need to be more empowered to do their jobs, while making sure enterprise information remains secure.
"We pulled all of the resources together from across the company -- identity, management, security, productivity -- and said, 'Let's try to envision where this goes, and what's going to be needed to come up with a holistic solution,' and that is what Microsoft 365 has become," Anderson said. "One of the big transitions here is how do we help you go from where we're all at, to where we want to go in the future."
Anderson predicted 90 percent of the IT pros in his Ignite audience were in environments where devices are managed by a combination of Active Directory, Group Policy and SCCM. In Microsoft's own SCCM configuration, the company runs a hybrid model where it manages more than a half-million PCs and devices. "So, what we have been working on is how can we help you move from where you're at today into a world where we can help you, and apply the power of the cloud to help you do more," he said.
A key part of that shift is self-service provisioning of devices. The new Auto Pilot feature lets a new PC be set up by the user when it arrives at their desk, without an IT pro touching it. On first boot the user supplies only basic information such as a username, geography, language, keyboard preferences and Wi-Fi details, and the device is then enrolled and configured from the cloud. Microsoft first offered Auto Pilot with its own Surface PCs, but at Ignite announced that Lenovo, HP, Panasonic, Fujitsu and Toshiba are supporting it as well, with that support expected to become available next year.
Moving Away from SCCM
As Intune takes on more automated deployment capabilities, SCCM is no longer necessary in a growing number of scenarios, according to Anderson. "One of the big things about modern management is we are encouraging you to move away from imaging," Anderson said. "Stop maintaining those images and all of the libraries and drivers and let's move to a model where we can automatically provision you from the cloud."
Microsoft has no illusion that large enterprises are going to give up SCCM anytime soon, especially considering the company itself still relies on it. In fact, usage is on the rise. Anderson estimated that SCCM now manages 75 percent of all PCs, hundreds of millions of devices, and that the managed base continues to grow by 1 million per week. Microsoft also continues to upgrade SCCM: it has moved from its traditional cycle of a new version every two to three years to a current branch model with three releases per year, plus new technical preview builds for insiders every month.
Half of the installed base has already moved to the new release cycle, with more than 100 million devices actively managed and sharing telemetry with Microsoft. Only Office 365 and Azure AD have that many users under management, Anderson noted. The irony is that a session devoted to the modern workplace was also describing how SCCM, the mainstay of on-premises management, is itself moving to the cloud.
SCCM Co-Management Bridge for Intune
To ease the transition to the cloud, Microsoft has for some time offered an Intune connector for SCCM (the hybrid MDM configuration). The company has now also rolled out a co-management bridge, which lets SCCM and Intune agree on which of the two is the authoritative source for a workload while an administrator moves it, so that conflicting policies aren't applied to the same device. It's also an acknowledgement that the capabilities of the Intune approach don't yet match the scenarios SCCM can handle.
"I've worked with a number of organizations that have tried to go from [SCCM] to Intune, and just haven't been able to get there because the capabilities in [mobile device management (MDM)] haven't been rich enough," Anderson said. "A lot of the reasons come down to things like, are all your applications ready to go?" The new co-management feature, expected to ship this month with the SCCM 1710 build, requires a device to be both Active Directory- and Azure AD-joined. That's significant, he said. "The same device can be managed by [SCCM] and Intune at the exact same time. Important to this is Intune and [SCCM] are in constant communication with each other, so we know every object, every attribute, who the authoritative source is -- so you don't have to worry about conflicts."
PowerShell Scripts for Intune
Anderson acknowledged that the MDM functions in Intune don't offer the granular capabilities provided in SCCM. Over time, that may be moot, but for now it's an issue. To address that, Microsoft released the Intune Management Extension, an agent delivered to Intune-enrolled Windows 10 devices that extends the built-in MDM client with capabilities the MDM layer lacks, starting with PowerShell script execution. "There are things the MDM layer has not enabled you to do, and you've needed us to extend that," Anderson said. "Now, on every managed device that is managed by Intune there is now a PowerShell interface so you can run any PowerShell script. This alone is going to unblock many of you to move up to Intune and modern management for your devices. Because now if there's a Group Policy setting that you've been using in the past, that's not exposed to the MDM, fine, just go apply it through a PowerShell script."
Anderson emphasized this extension is a PowerShell runtime that's running on the managed device and warned IT pros not to confuse it with PowerShell access available via the Microsoft Graph. "The Microsoft Graph is the API for the administrative experience," he said. "This is actually being able to run scripts on any Intune-managed device that's [running] Windows 10. It's a fantastic set of capabilities."
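The following is an added example of the kind of script Anderson describes, written for this page and not taken from Microsoft or the article: a PowerShell script meant to be assigned through the Intune Management Extension that applies Group Policy registry settings the MDM layer does not expose. The two settings (LSA protection via RunAsPPL and turning off AutoPlay via NoDriveTypeAutoRun), the log path under ProgramData and the use of the exit code to report success or failure are assumptions; substitute the registry values from your own baseline.

```powershell
# Added example (not Microsoft's or the article's code): applies Group Policy
# registry settings that the MDM layer does not expose, in the style of a script
# assigned through the Intune Management Extension. The settings, the log path
# and the exit-code convention are assumptions; check them against your baseline.

$ErrorActionPreference = 'Stop'
$LogDir  = Join-Path $env:ProgramData 'IntuneScripts'   # assumed log location
$LogFile = Join-Path $LogDir 'PolicySettings.log'

# Desired state: a hypothetical baseline of registry-backed policies.
# Each entry mirrors what the corresponding GPO would write.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Type = 'DWord'; Value = 1 }             # LSA runs as a protected process
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Type = 'DWord'; Value = 255 } # Turn off AutoPlay on all drives
)

function Write-Log {
    param([string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Set-PolicyValue {
    # Idempotent: writes only when the value is absent or differs; returns $true if it changed.
    param([string]$Path, [string]$Name, [string]$Type, $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $current -and $current -eq $Value) {
        Write-Log "unchanged $Path\$Name = $Value"
        return $false
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
    Write-Log "set $Path\$Name : '$current' -> '$Value'"
    return $true
}

# The extension runs scripts as SYSTEM unless told to use the logged-on user;
# HKLM writes need that context, so fail fast with a non-zero exit code otherwise.
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Log 'not running as SYSTEM; aborting'
    exit 1
}

$changed  = 0
$failures = 0
foreach ($s in $Settings) {
    try {
        if (Set-PolicyValue @s) { $changed++ }
    } catch {
        $failures++
        Write-Log "failed $($s.Path)\$($s.Name): $($_.Exception.Message)"
    }
}

Write-Log "done: $changed changed, $failures failed"
# A non-zero exit code is reported as a failed run for the device in the Intune portal (assumed).
if ($failures -gt 0) { exit 1 } else { exit 0 }
```

Two caveats a practitioner would want before assigning something like this. First, run it in the 64-bit PowerShell host where the script settings offer that option, otherwise writes under HKLM:\SOFTWARE from a 32-bit process can be redirected to Wow6432Node and the policy silently lands in the wrong place. Second, a script assigned this way executes as SYSTEM on every targeted device, so the Intune role that can create and assign scripts is, in effect, remote code execution over the fleet; scope that role as tightly as you would SCCM administration and review script assignments like you would a GPO change.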
About the Author
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.