Taking a More Modern Approach to Windows Deployment
With so much going on in the world of IT service management (ITSM), and the wider IT management space, it’s easy to neglect some of the ITSM or IT management basics (and I feel your pain). Take Windows PC deployment as an example – are you still doing this the same way you’ve done it for the last ten years (or longer)?
My blog wants to help you to address this. So please read on to understand what your IT department could be doing with its new Windows PC deployments.
The issues with the traditional Windows PC build process
Historically, companies have often had problems with Windows OS endpoint management. Original equipment manufacturer (OEM) devices would arrive with more bloatware than Jabba the Hutt could deal with, giving the IT department a headache from day zero. On top of that, a lot of organizations aren’t green-field sites and already have a fleet of devices “out in the wild” that need managing (and which may not be built to the required standard or be up-to-date), and a “big bang” refresh isn’t always the right option for them. All in all, the overheads of Windows PC management have traditionally been pretty high!
When it comes to Windows deployment and device management there’s a whole raft of considerations to be made regarding PC imaging, re-imaging, supporting infrastructure, and the network; and then the age-old issues related to applications and drivers (and their ability to work properly). Heck, and I haven’t even touched on the data challenges yet.
The common Windows PC deployment strategies
Companies spend vast sums of money deploying Windows devices using a range of deployment strategies, for instance:
- Wipe and load (the global number one method in my experience!)
- Upgrade (who actually does this?)
- BYOD (commonly referred to as “bring your own disaster”)
On top of these options, departments must then think about the Windows image approaches:
- Thick (deploy everything onto the device)
- Thin (deploy only the OS, drivers, and management services)
- Hybrid (deploy the OS and a subset of the required applications, commonly referred to as “core apps”)
Then delivering the new device(s) to the customer supply chain is also an important consideration:
- OEM/factory imaging (when your vendor supplies the device either to the IT department with the corporate image or ships directly to the end user)
- Third-party image, hold and deploy (when a services company may provide imaging services and manage the logistics side, which may include deployment of hardware to your business)
- In-house (IT) imaging (when the supplier ships the devices to IT with a plain “vanilla” image, then IT conducts a “wipe and load”)
All these options then have the question of: Do we deliver straight to the end customer or to IT to then handle distribution and deployment?
The required deployment capabilities
So, as you can probably tell, this isn’t for the faint-hearted and there are a lot of design considerations. Rather than break down into every detail, I’m going to instead look at abstracting the capabilities that your IT department might require for a Windows business desktop deployment. I did warn you that there’s a lot of overhead.
In my diagram, I’ve tried to stick to capabilities that are required by most organizations; there may also be others specific to your business. However, my pictorial list should cover the core areas that I’ve experienced across a range of organizations and IT departments.
So, this is all great, but you probably already knew it. More so, as we drill into the details, there are often several constraints at the technology layer, or with the deployment strategy, that may influence the design decisions. But what if we could remove some of these? Enter Windows Autopilot…
Endpoint deployment automation in a mobile and cloud-first world
Realizing that Windows PC deployment and management not only costs businesses a great deal of money but that it’s also inconvenient for the person using the device is important here. In general, the device is being used as a “means to an end,” the interface through which to enable someone to do their duties with the ability to have a level of personalization.
So, surely Windows PC deployment should be simpler, say like the mobile phone set-up experience? Enter the capabilities offered by Windows Autopilot such that, for the first time, we’re stepping nearer to being able to deploy Windows devices without huge layers of supporting systems, engineering, and infrastructure.
Windows Autopilot is built into Windows 10 (Creators Edition and above) and is part of the out-of-the-box setup process. If your organization has the following services:
- Intune
- Office 365
- Azure AD Premium
Then it can take advantage of Autopilot. Some of the Microsoft marketing messages will help you to understand what it does:
- “Unbox your new Windows device and turn it on. Windows Autopilot configures it from the cloud— with a few simple clicks, the device becomes business-ready.”
- “Windows Autopilot makes it easy for end users to set up new devices, without any IT involvement.”
Autopilot’s automated deployment capabilities
Either the OEM, a partner, or your IT department can pre-load a list of authorized devices, assign them to people, and have each device simply be turned on, without anyone having to wipe and load it. The device joins Azure Active Directory and enrolls into Intune, and the user is set up as a limited (non-administrator) account.
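As an added example (not from the original post), the PowerShell below shows the two ends of that flow: exporting a device’s hardware hash in the CSV layout the Intune Autopilot import accepts, and a post-deployment check that the device really is Azure AD joined, MDM enrolled, and running the signed-in user as a standard account. The function names are my own; the WMI bridge class and the dsregcmd fields are the ones Microsoft’s Get-WindowsAutoPilotInfo script and dsregcmd themselves use.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Run Export-AutopilotHashCsv from an elevated PowerShell 5.1 session on the device:
# the root/cimv2/mdm/dmmap namespace is not readable as a standard user.

function Export-AutopilotHashCsv {
    param([Parameter(Mandatory)][string]$Path)

    # Serial number from the BIOS, hardware hash from the MDM bridge class
    # (the same source the Microsoft Get-WindowsAutoPilotInfo script reads).
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $detail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $hash = $detail.DeviceHardwareData
    if (-not $hash) { throw "No hardware hash returned; run from an elevated session." }

    # Column layout the Autopilot CSV import expects; the product ID column may be blank.
    # Quotes are stripped because the import wants plain, unquoted fields.
    $row = [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $hash
    }
    $row | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path
    return $row
}

function Test-AutopilotOutcome {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        MdmEnrolled   = [bool]$state['MdmUrl']   # populated once Intune enrolment completes
        StandardUser  = -not $isAdmin            # the non-administrator account the post describes
        User          = $identity.Name
    }
}

# Usage:
# Export-AutopilotHashCsv -Path "$env:TEMP\autopilot.csv"   # before registering the device
# Test-AutopilotOutcome                                      # after the user's first sign-in
```

If `StandardUser` comes back `$false` on a device that was meant to be user-driven, check the Autopilot profile’s user account type setting and the Azure AD device administrator role assignments before handing the device over.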
I’ve been test driving this in the lab and, so far, I’m impressed (and not just with how I look in a lab coat). There are, however, some harsh realities I need to acknowledge. This leads us back to the capabilities I went through earlier. With Autopilot (at the time of writing) there are a few gaps in this model.
(When I talk about the traditional model below, I’m using the standard Microsoft Windows management stack, which includes Active Directory and System Center suite.)
| Capability | Traditional | Windows Autopilot |
| --- | --- | --- |
| Out of the box enabled | No | Yes |
| Simple deployment without infrastructure investments | No | Yes |
| Seamless user-driven experience | Possible with engineering | Yes |
| Remote support | Yes | With third-party services, e.g. TeamViewer |
| Software inventory | Yes | With third-party services, e.g. Snow, SysAid, etc. |
| Fine-grained control of device configuration | Yes | Limited |
| Incident management and request fulfilment etc. | Yes | With third-party services, e.g. SysAid or another ITSM solution |
Now, I’ve picked a few areas here to highlight that the Microsoft cloud management route, using Windows Autopilot and its associated services (Intune/O365/Azure), provides some of the story, but to get the complete “novel” you need to augment and extend it with third-party services.
The user-empowered world
So, in a cloud, mobile, and user-centric world we want to ensure that we can enable our people without necessarily taking on, or continuing to have, a high central PC-management overhead. The technology and options that cloud brings means that this is clearly possible, and Microsoft has taken huge steps to changing the way Windows can be managed (for the better). However, there’s still some legwork that organizations will need to take for this to work today.
Will the Autopilot route fit some organizations and use cases? Absolutely. Does it tick every box right now? I’m afraid not. But then is avoiding the cost of engineering, infrastructure, and support worth accepting the capability gaps? Perhaps. Can you also augment the gaps with additional cloud management tools? Sure, it’s an option that I’d be looking at right now.
You might find that you can achieve the same or better business outcomes without the headaches and the costs. One thing is for sure, with cloud and mobile, doing things the way that you used to is being turned on its head!