Overview of Management Products
Built-in Management Features
How Windows Stays Up to Date
Overview of Microsoft Intune
Configuring Microsoft Intune
After completing this topic, you should be able to
Now, what I want to do is answer the question "How do I manage Windows 10?" And when it comes to managing Windows 10, in my organization, in my business, it really comes down to choices. And that's because you've got multiple tools available to you, and the reason why you have more tools available to you is because, well, the Windows 10 devices themselves vary. Some of them are corporately owned, but some of them are personally owned. That changes the landscape when it comes to management. So Windows 10 has several different ways in which we can manage devices, both corporate owned devices and the BYOD type of scenarios. So we are going to talk about kind of the old school method of doing it with Active Directory and Group Policies, and some of the built-in methods of managing Windows 10 such as WMI and PowerShell. We are also going to be looking at managing Windows 10 devices from the cloud using Microsoft Intune. So the key theme to this or I should say the answer to the question "How do I manage Windows 10?" Well you have got choices now in regards to how we do that.
This is going to be a fun topic. At least, I think it's going to be fun. Hope you have fun too. We're going to talk about how to manage Windows 10. So, by the end of this, my hope is that you have a pretty good understanding of the different choices you have available to you. And, you know, we've had a tectonic-size shift around mobile devices and cloud services. And so, as you would expect, the management tools are also shifting, making and creating more choices for organizations. So, as organizations have adopted new tools, well, there are more choices, more options now – more than ever in terms of managing Windows 10. Now the answer to the question – "How do I manage Windows 10?" – is twofold: the same and different. The same because Windows 10 supports all of the same methods we had in the past – Group Policy and all that. But different because Windows 10 comes at a different time in history. In fact, I remember a USA Today article a couple of years ago that reported on a survey and basically said that mobile searching was up five times from the year before, that over 50% of all searches were being done on mobile devices, and that something like nine out of ten searches on the phone actually resulted in a purchase. Now that was a couple of years ago. I can only imagine what those numbers would be today because we are in the midst of the mobile age, right. And mobility has taken center stage. And that continues to grow and shape our business. And so, from an IT standpoint, we need more management options because today is different than yesterday. And that's the keyword here behind the question "How do I manage Windows 10?" The keyword is you've got more choices than you had before.
So let's examine the different kinds of management categories that feed into this concept of choices in terms of ownership, identity, updating, management, and infrastructure. Let's start with ownership. Now, in terms of ownership, today we've got devices that are organizationally owned and we have devices that are personally owned. Now that's not really different, but then it is, right, because those organizationally owned devices – well, we can manage them in the same way that we did before, but what about those people who personally own a device but want to do organizational work, right – the BYOD scenario? Or we could say, "There's a third option." And that's CYOD. That's Choose Your Own Device. With that, an organization might offer a user multiple devices to choose from. It's still owned by the business, but the user is choosing that particular device. And so that would be kind of a third category here. But we've got this ownership model that shifted from what it was in the past. And so that's going to dictate, of course, a need for some new management choices. Then we've got different identities now. In response to this, Microsoft has not just Active Directory identities, but we also have Azure Active Directory identities. Now a personally owned device is exclusively off the network. And you might just use a Microsoft account. But, for those devices that are BYOD but accessing software as a service or cloud-based services, then Azure Active Directory provides us another identity store that we didn't have before, cool.
Then we've got updating – so keeping our system up to date. Now this isn't just about changes in terms of the "how," there are also changes here to the "what." I mean, if you follow the Windows 10 story, you've heard of this thing called Windows as a Service. And Windows as a Service is not just delivering hot fixes to this machine. It's also about feature upgrades to it. And so a lot depends on the edition and whether or not we're part of Windows Insider or we're part of a long-term servicing branch. Those are all factors that control how often I'm going to experience updates and how much control I have in deferring those upgrades. So you've got choices here. You've got management choices in terms of WSUS. There's also Windows Update for Business, Windows Update itself, and then kind of managing those updates through maybe Intune, maybe integration with Configuration Manager. So this is not a complete list, but it gives you a basic idea.
Okay, so this illustrates I think...this left-hand side illustrates kind of the dynamics that we're experiencing. So let's look here in terms of some of the core management tools that kind of integrate with these and work with these. So we've got Group Policy, which – of course – is going to be something we would associate with organizationally owned devices in Active Directory. We've got System Center Configuration Manager or SCCM, Intune for Microsoft mobile device management, third-party solutions, and then down here the corresponding infrastructure – so a variety of different ways in which our infrastructure is deployed. Maybe no infrastructure at all because we're going completely cloud. Maybe we're not doing much with the cloud right now. So it's an all on-premise environment or something in between where we're mixing. We have some Office 365, we have some Exchange Online, but we also have some on-premise services. So maybe we've found this hybrid approach. What I hope you're learning from this is that Windows 10 gives you a range of multiple management choices because we've got these different types of dynamics today that we didn't have ten years ago.
So let's take another look now at our different choices. But this time, let's compare them side by side. Now keep in mind that the reason Microsoft gives us so many choices, well, relates to what I think of as three key factors – three key points. Number one – depth and breadth. You know, organizations vary in complexity. They vary in their management needs. So providing both depth and breadth is going to be important. So, in some cases, you might want advanced control – total control – and so you're given options that enable that feature, that capability. In other cases, you might want something more lightweight – more in terms of supporting BYOD. Then you might want solutions that are targeting Microsoft devices, solutions that support non-Microsoft devices, solutions that are based in non-Microsoft services that support third-party applications. So both depth and breadth, I think, is a good way of describing one of – you know – our management needs or principles.
Another one is we want solutions that are compatible, that work with our existing framework, that work with our existing environment. So certainly, don't throw everything out that we've been doing for the last 15-20 years. It needs to work with our existing management framework. And then the third thing I think is important is that we have consistency. To really make our lives easier as an IT professional, I want to simplify the differences between the devices as much as I can. Now, where the differences matter, I want to be able to manage differences. But, where they don't matter, I don't want to manage differences. So having some consistency between desktop and mobile is useful. Having too many tools can be a challenge. In many ways, I want to have my cake and I want to eat it too, right. So now let's look at each of these three different kind of identity models now and compare the management options that are typically associated with those.
First one is No Join. This is the personally owned device. This is typically where we have a Microsoft account. From a management standpoint, there's going to be a very minimal amount of administration or management that's taking place. We might be managing just e-mail through ActiveSync, but there really isn't going to be much more. Everything is going to be held here with a Microsoft account, and the organization isn't going to have a whole lot of insight or visibility into the device based on that account. The next identity model is Azure Active Directory domain or cloud join. So an Azure AD cloud join gives us a different set of options. It's a different identity source. So, instead of our accounts living in Active Directory, we can create accounts or we can synchronize accounts into Azure Active Directory – so cloud services. So this is leveraging Active Directory in the cloud. And what we're doing here is we're actually able to leverage MDM – mobile device management – solutions that work...that also integrate with Azure AD. This would include things like Intune. It would include Office 365 – possibly support for third-party devices. The other thing about this option here is it can support non-Windows devices. It does require Azure Active Directory accounts, okay.
[In the illustration, there are three devices: mobile, tablet, and desktop. The presenter compares and explains the aforementioned devices on three management models: "No Join," "Azure AD Joined," and "AD DS Domain Joined."]
And last but not least is the more traditional approach – the one that we're more familiar with. So this is well known. It's also rich. It's kind of the traditional Windows network type of approach. So here we've got Group Policy. Now the upside of this is we're far more familiar with it. The downside of this is it's more Windows and domain specific. So this becomes...you know, in terms of BYOD, we have – you know, strictly with this option – more limitations. Now there are other ways in which we can address that. Configuration Manager has some MDM capability with the help of Intune. So there is some extension we can go beyond this. But, in terms of Windows devices, we've got Group Policy and we've got PowerShell that we can use for managing those types of devices. So these are kind of our three identity models – devices that are not participating in any directory service. But then we have Azure Active Directory or cloud join devices where we're leveraging MDM primarily and we're taking advantage of those cloud-based accounts, and then a traditional approach here with on-premise Active Directory.
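As an added example (not code from the course), here is one way to find out which of the three identity models a given Windows 10 device is in, by parsing the output of the built-in dsregcmd /status tool. It assumes dsregcmd.exe is available (it ships with Windows 10), and it goes slightly beyond the course's three models by also naming the hybrid (AD DS plus Azure AD) and Azure AD registered states that dsregcmd reports.

```powershell
# Added example: map a device's dsregcmd /status output onto the identity
# models discussed above (No Join, Azure AD Joined, AD DS Domain Joined).
# Assumption: dsregcmd.exe is on the PATH (standard on Windows 10).

function Get-DeviceJoinModel {
    [CmdletBinding()]
    param(
        # Raw dsregcmd output. Defaults to running the tool; passing text in
        # lets you classify a report that was saved from another machine.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Name : Value" rows; keep only the fields we need.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined = $fields['AzureAdJoined']   -eq 'YES'
    $adJoined  = $fields['DomainJoined']    -eq 'YES'
    $wpJoined  = $fields['WorkplaceJoined'] -eq 'YES'   # Azure AD "registered" (BYOD)

    # Hybrid and registered are extra states beyond the course's three models.
    $model = if ($aadJoined -and $adJoined) { 'Hybrid Azure AD Joined' }
             elseif ($adJoined)            { 'AD DS Domain Joined' }
             elseif ($aadJoined)           { 'Azure AD Joined' }
             elseif ($wpJoined)            { 'Azure AD Registered (BYOD)' }
             else                          { 'No Join' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        JoinModel          = $model
        DomainName         = $fields['DomainName']
        AzureAdTenant      = $fields['TenantName']
        # Group Policy applies only when the machine is in an AD DS domain;
        # MDM enrollment needs an Azure AD identity of some kind.
        GroupPolicyApplies = $adJoined
        MdmCapable         = ($aadJoined -or $wpJoined)
    }
}

# Usage: Get-DeviceJoinModel | Format-List
```

Running this across a fleet (for example through the remoting shown later in the course) gives a quick picture of which devices can be reached by Group Policy and which need an MDM such as Intune.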
Now I want to do an overview of some of the management choices in Windows 10. And really, we're still defining some of the key terms we need to be familiar with so that we can go forward with more detail in later sections. Now I've touched on some of the choices Windows 10 provides, but some of you watching this right now might still be in the dark when it comes to what some of those choices or options actually mean. And, as you can see here, there are a lot of choices, a lot of different tools. Some of you might be looking at this list and going, "MDOP – what is that?" And maybe even looking at Group Policy and not sure what that is or Configuration Manager. So, for those of you a little bewildered by the acronyms here associated with managing Windows 10, I want to take a moment and kind of clear that up by kind of touring some of these or at least defining a few of these big ones for you.
[In the illustration, there is a list of management tools. Some of the management tools in the list include "WMI," "RSAT," "ConfigMgr," and "Intune."]
So let's start with this one here – Group Policy. What is Group Policy? Well, this is the primary management option that so many businesses – who have Active Directory – rely on. Group Policy is rich. It has a wide range of features such as software installation, scripting support, the ability to control registry keys, application control, desktop environment kind of control. I mean you name it. Now the way it works – in simple terms – is once a computer becomes a member of an Active Directory domain, it will download and process policies that are associated with where it lives in Active Directory. So we take and create a computer account. We put it inside of Active Directory in what we call an OU – an organizational unit. And then we link policies to that OU. And so then the computer will apply those policies. Its key advantage here is that it helps you manage just about anything related to Windows. Now one of its primary downsides, though, is that it's related primarily to Windows. And it's restricted now to domain only. So there's really limited support, and you could say not much at all, in regards to BYOD and not a whole lot of support for non-Microsoft devices. It also doesn't support Windows Phone.
MDOP – M-D-O-P – thought I was going to give you a little jingle there, didn't you? What is MDOP? Well, MDOP is an add-on product for volume license customers. And then it extends the management capabilities built in to Windows server. So the thing with MDOP is it's not just one thing, it's actually a whole bunch of different management tools primarily designed for the enterprise for large-scale businesses with lots of desktops, software assurance, and with volume licensing type of customers. MDOP stands for the Microsoft Desktop – emphasis there – Desktop Optimization Pack. So let me kind of give you kind of an overview of what some of the things are inside of MDOP. So, for instance, you get Application Virtualization – App-V. So this eases...potentially lowers the cost of deploying applications, then user experience virtualization. So this is like roaming profiles, but it works. Then we've got over here AGPM for supporting Advanced Group Policy Management.
So, in a big company, you've got a lot of Group Policy administrators that could potentially be stepping on each other's toes. And there are not a lot of built-in auditing features or change control inside of Active Directory Group Policy. So AGPM provides kind of a layer on top of regular Group Policy for reporting and for role-based management and for auditing and such. Then we've got MBAM. And MBAM is all about Microsoft BitLocker Administration and Monitoring. So it adds a...like AGPM does, it adds another layer of management and monitoring and reporting on top of BitLocker. Then we've got DaRT. And DaRT stands for Diagnostics and Recovery Toolset. And that's really kind of like the old ERD Commander from, like, the NT days. I don't know if anybody remembers that. A lot of us used it – loved that set of tools. Well, DaRT is kind of like the replacement for that. And so it boots into Windows Recovery or Windows PE. And it has a whole set of Sysinternals tools – advanced debugging and recovery tools – built into the Windows recovery environment. So it's a nice little add-on. And last but not least, MED-V, because MED-V was really designed for XP compatibility. And, with XP being end of life, I'm not sure what the future of MED-V will be in MDOP. But anyway, we've got inside of MDOP not just one flavor. This is kind of like buying that package of multiple flavors of chips, you know. You get that Lay's package. You get like Frito-Lay and Doritos of like ten different flavors. And you can get like this one package. No? Anyway, so MDOP gives you multiple management options beyond what you have just by itself.
Alright, so the next one is what is Configuration Manager? Configuration Manager is an amazing solution, but it's a monster solution. So there are a lot of parts to it, a lot of pieces to it. It's its own server installation. And it includes multiple features. So it can do like software metering. And it can be an inventory tool, a remote management tool. It does operating system deployments. It can do mobile device management with the help of Intune. It can do application deployments. It integrates with updating. So there's a lot that Configuration Manager can do specifically in regards to managing Microsoft devices, especially for large enterprise organizations.
So what is Intune? Well, we're going to be describing and discussing Intune in greater detail in later videos. But, for now, I'm providing just some basic definitions. Intune is cloud-based mobile device management. I mean that's the basic idea. Now it can support, you know, a variety of scenarios – lightweight type of scenarios, Lite-Touch type of management scenarios. Or you can go more full management. You can integrate with an on-premise solution for more full-management type of options. Or you could go cloud only if you wanted to. And this is great for small businesses because there's no infrastructure with this. We're not installing domain controllers and all of those types of things. Instead, it's all driven for us from the cloud. Another point here about Intune and one of its key advantages is it's not limited to Windows devices. It also supports Apple and Android and can manage those devices as well. Alright, for those of you who are Office 365 customers, you already have access to some mobile device management. O365 has some MDM in it. Now it's not as rich as some of the other options that we've looked at previously like Intune, but it does have some important abilities like it can do remote wipe, it can do a device lock, it can – of course – manage around the Office suite in those mobile apps.
Next thing that I want to explore are some of the built-in management features. Windows 10 and Windows Server have several technologies in them that enable management either directly from, you know, client to client or client to server. Or they can be used and leveraged by other services. So let's have a look at some of the built-in management features. Now, to summarize the key built-in features in Windows 10 that are available on Windows client, we've got in focus WMI – Windows Management Instrumentation – WinRM, RSAT, and PowerShell. Now all of these give you different capabilities, especially the ability to remotely administer a Windows 10 device and doing that from like a script or from a PowerShell type of console. Now these are areas I'm going to explore in greater detail in the upcoming sections. So stay tuned. I want to point out, though, that this is not an exhaustive list. These are the ones I am going to focus on here. But, in other videos, I talk about other ways in which we can control or manage other aspects of Windows 10 that we could probably include here at this point as well – things like AppLocker and Remote Desktop and Group Policy and the like. But, for now, these are kind of your basic management features that are built into Windows client. And they're all very, very handy and useful. Now I want to explore PowerShell in Windows 10 with you. So, by the end of this, I hope that you have a really good understanding of what is new. And, if you've never used PowerShell, begin using it right away.
Let's start with this question now – what is Windows PowerShell? Now, unless you've been living under a rock or a nuclear fallout shelter or you are from another planet or something, you've probably heard of PowerShell. So let's come up with the answer here. Let me bring the answer up for us to see. PowerShell is an extremely powerful and rich object-oriented scripting and configuration engine. That's what it stands for. Now the emphasis here, my friend, is on extremely powerful. And the other point I should make is that we're talking about a configuration and scripting engine. So PowerShell is not just another command line or a console. There's much more to it than that. It has a rich set of features. So here's a list of some of those key features in PowerShell. It's built on .NET. So it's object oriented. It treats everything like an object and that's key. Another important point is it supports both consoles and scripting. So there is a command line ability. And the command line ability has got all these great features like AutoComplete or tab complete. And, in Windows 10, it's got coloring and it's got the ability to chain cmdlets together, which is really cool. We call that the pipeline, right. It's also modular and extensible. So PowerShell is kind of always growing and people are writing new modules for it and new functions for it and increasing the capability, getting PowerShell to do some really neat things. You've got hundreds of what are called cmdlets that you can chain together and that you can use. And because PowerShell is so rich and so powerful...one of the reasons why it's important to learn and to use to support Windows 10 is because there's wide adoption. Even non-Microsoft vendors are creating PowerShell modules to manage their components or manage their software from Windows.
So, in terms of what PowerShell is – if you are brand-new to PowerShell – this is the wagon to get on. Now, in addition to many of the features that come in PowerShell, there are some new features in Windows 10. So this is in addition to the previous versions. We've got version 5 here. So all the great stuff in version 3 and version 4 – that's all inside of Windows 10. In version 5, we get additional modules like PowerShellGet and PackageManagement to support OneGet and package deployment for applications, managing zip files with archive cmdlets, cmdlets that help me work with managed switches. So there's a network switch module. And so these are different modules that come with banks of cmdlets. And additional cmdlets and parameters have been added. New parameters to existing cmdlets – so a lot of rich changes here. The other thing that they did was they adopted console coloring – so syntax coloring like they do with the ISE, if you're familiar with PowerShell ISE, the Integrated Scripting Environment. That has syntax coloring. Well, that's kind of been adopted here in the basic console as well. There are performance improvements, there are enhancements to Desired State Configuration, and there's even – you know – more. So PowerShell features in Windows 10 – a lot of great stuff to check out.
Now in regards to managing Windows 10 – one of my favorite features in PowerShell – is this ability right here. And that's the ability to issue commands over the network remotely. There are a couple ways in which we can do this. We can do kind of an interactive PowerShell session like remote console used to do for us or SSH kind of an experience. And that's this guy right here. So we can enter a PowerShell session remotely and then we can issue commands against that machine. Alternatively my friends, we can also right here...we can also do it with an invoke-command. And what is nice about this option is it has a fan-out capability. So you basically put the command that you want – our chain of cmdlets – inside of what is called a scriptblock. And then that's followed by what it says here hostname. That's the computer name. That can actually be multiple computer names, not just one. So you can actually have the command and have it fan out and affect multiple machines. This is a very powerful and convenient way to manage a population of Windows devices. This includes support, of course, for – you know – Windows 10, but also Windows 7, Windows 8 devices as well.
[The presenter refers to and explains the following lines of code:
PS C:\> Invoke-Command -ScriptBlock {[command]} -ComputerName [hostname]
PS C:\> Enter-PSSession [hostname]]
Another built-in management feature in Windows 10 is the WMI framework. Well, what is WMI? I'm glad you asked. WMI stands for Windows Management Instrumentation. And what it is, is a uniform infrastructure for obtaining management data. The whole idea here behind WMI is gathering information. So you might think of WMI as kind of your computer's truth teller, the narc of your internal system, your software and hardware informant. That's its job. Its job is to help you, to help programmers gather information. And one of the things it does is it simplifies the way that information can be retrieved. And it also supports scripting. And the information is organized into what are called namespaces. So now let's think of some practical reasons why this is really handy. Think of a situation where you might have needed to know the firmware version of, like, a dozen machines out there on the floor, or you needed to know how much free space was left on a hard drive, or the version information of that piece of software out there, or an environment variable, or some other esoteric detail. WMI can expose that information for you. And you can retrieve it remotely. And you might have an application that can do that for you as well that's built on top of WMI. And so I like to think of WMI based on the keyword instrumentation, in that it's like a dashboard where you walk up to a dashboard, you've got all that information there on the pipes or the vehicle – whatever. That's really what WMI does for me. It exposes what is going on inside that black box of the computer. If I ask it the right questions, I can get some really useful answers.
So here's a look at the WMI architecture and how WMI works. Now it's based on classes, consumers, and providers. Now the main bodies of interest are these providers down here. And so what do we have there? Managed objects. And the managed object is really something that we're monitoring. It's the monitored component – so the hard drive or the database. Now this is where that monitoring, of course, takes place, and the providers act like drivers in that they interact with the managed object and they provide the information that WMI needs. It provides it with the data. Now right here is our central core. This is our dilithium crystal maybe. No? Okay, so a beryllium sphere. No, it's neither one of those. This, however, is where the service and its structure live, or its repository. See, WMI is organized into namespaces. And so we've got these classes and these definitions. And the WMI namespace is necessary because it really creates categories for the data. And those categories can then be referenced by applications and scripts. So we have a consistent way of retrieving that information. So what you have here in the center is the service and a lot of database-like functions – really important. Finally, up here, we have our consumers. And this is where the questions are actually coming from. So think maybe PowerShell here – PowerShell asking a question, or a script asking a question, or a management application. The WMI Core right here acts as the middleware, and its job is to retrieve the answers and then supply them to the interrogators up above.
[In the illustration, there are three sections: Providers, Infrastructure, and Consumers. The Providers section is placed at the bottom. The Infrastructure section is placed above the Providers section. The Consumers section is placed above the Infrastructure section. The Providers section contains ".NET," "CIMv2," and "others." The Infrastructure section contains "WMI Core" and "Repository." The Consumers section contains "WMI applications" and "WMI APIs."]
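The two ideas above, Invoke-Command fanning one scriptblock out to many hostnames and WMI answering the "firmware version, free space, environment variable" questions, fit together in one script. This is an added example, not code from the course; it assumes WinRM is already enabled on the targets, the caller has administrative rights on them, and the computer names in the usage line are placeholders.

```powershell
# Added example: fan out a CIM/WMI probe to many Windows machines with
# Invoke-Command and collect the answers, including hosts that did not reply.
# Assumptions: WinRM enabled on the targets, caller is an admin on them.

function Get-FleetInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$EnvVariable = 'PROCESSOR_ARCHITECTURE',   # any machine-level variable
        [pscredential]$Credential
    )

    # Everything in this scriptblock runs on the remote host. Get-CimInstance
    # is the "consumer" reading classes from the CIMv2 namespace; the WMI
    # providers on that machine supply the values.
    $probe = {
        param($VarName)
        $bios = Get-CimInstance -ClassName Win32_BIOS
        $os   = Get-CimInstance -ClassName Win32_OperatingSystem
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk `
                    -Filter "DeviceID='$($env:SystemDrive)'"
        [pscustomobject]@{
            Firmware      = $bios.SMBIOSBIOSVersion
            OSVersion     = $os.Version
            LastBoot      = $os.LastBootUpTime
            SystemDriveGB = [math]::Round($disk.Size / 1GB, 1)
            FreeGB        = [math]::Round($disk.FreeSpace / 1GB, 1)
            EnvValue      = [Environment]::GetEnvironmentVariable($VarName, 'Machine')
        }
    }

    $icm = @{
        ComputerName  = $ComputerName        # one scriptblock, many hosts
        ScriptBlock   = $probe
        ArgumentList  = $EnvVariable
        ErrorAction   = 'SilentlyContinue'   # unreachable hosts land in $failed
        ErrorVariable = 'failed'
    }
    if ($Credential) { $icm.Credential = $Credential }

    $results = Invoke-Command @icm

    # Invoke-Command stamps PSComputerName on each returned object, so every
    # answer can be tied back to the machine that produced it.
    foreach ($r in $results) {
        [pscustomobject]@{
            ComputerName = $r.PSComputerName
            Firmware     = $r.Firmware
            OSVersion    = $r.OSVersion
            LastBoot     = $r.LastBoot
            FreeGB       = $r.FreeGB
            LowDisk      = ($r.FreeGB / $r.SystemDriveGB) -lt 0.10   # under 10% free
            EnvValue     = $r.EnvValue
            Error        = $null
        }
    }

    # Surface the hosts that never answered instead of silently dropping them;
    # a machine that cannot be inventoried is itself a finding.
    foreach ($e in $failed) {
        $name = if ($e.TargetObject) { $e.TargetObject } else { $e.OriginInfo.PSComputerName }
        [pscustomobject]@{
            ComputerName = $name
            Firmware = $null; OSVersion = $null; LastBoot = $null
            FreeGB = $null; LowDisk = $null; EnvValue = $null
            Error        = $e.Exception.Message
        }
    }
}

# Usage (placeholder names):
# Get-FleetInventory -ComputerName 'PC01','PC02','PC03' | Format-Table -AutoSize
```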
Now related to WMI is WinRM. In this section, I want to show you how WinRM is very helpful and how you can begin to use WinRM to manage your Windows 10 machines. So what is WinRM? Well, let's start nerdy and work our way from there. WinRM stands for Windows Remote Management, which is an implementation of another protocol called WS-Management. WS-Management is based on a protocol called SOAP over HTTP. Now let me tell you a little bit about why that's important. HTTP means this is firewall happy. So it works well going through firewalls, and it supports HTTP or HTTPS. The SOAP part stands for Simple Object Access Protocol. And that's really about gathering information, and it works with XML. So that's an information protocol that can be used over HTTP. So that's what we're talking about. WinRM is the ability to gather information remotely. And it can retrieve information that is, you know, running in WMI by querying WMI.
Now WinRM is actually the server component. The client component is going to be something like PowerShell or Windows Remote Shell. Nevertheless, in order to use WinRM between client and server, WinRM itself has to be configured on both ends. So you configure WinRM. You enable that. That's going to support like remote WMI. Now that's all very interesting, you might say. Well, why should I care, you ask. Well, WinRM allows you to perform management tasks over the network remotely. So you can use it to retrieve WMI information as I've been saying. But let's say you want to diagnose a system that's turned off. Well, if it has a Baseboard Management Controller like a server and it's turned off – well – WinRM can actually talk to that server's management chip. So it's really powerful and WinRM is also what PowerShell uses for its remote management. So it's a fundamental piece to the Windows management story.
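Since the course stresses that WinRM has to be configured on both ends, here is an added example (not course code) that enables it on a Windows 10 client, lists the listeners it ends up with, optionally adds an HTTPS listener so the SOAP exchange travels inside TLS, and then checks that a remote end actually answers. It assumes an elevated PowerShell session; the certificate thumbprint and target name are placeholders.

```powershell
# Added example: set up and verify WinRM on both ends of a remoting session.
# Assumptions: run elevated; $CertificateThumbprint and $ComputerName are
# placeholders you replace with your own values.

function Initialize-WinRMHost {
    [CmdletBinding()]
    param([switch]$AllowPublicProfile)

    # Enable-PSRemoting starts the WinRM service, creates the HTTP listener
    # (TCP 5985) and its firewall rule, and registers the PowerShell endpoint.
    # Public-profile networks are refused unless you opt in explicitly.
    $p = @{ Force = $true }
    if ($AllowPublicProfile) { $p.SkipNetworkProfileCheck = $true }
    Enable-PSRemoting @p | Out-Null

    # Report what is actually listening: transport HTTP (5985) or HTTPS (5986).
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
        }
    }
}

function Add-WinRMHttpsListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CertificateThumbprint,   # placeholder
        [string]$Hostname = $env:COMPUTERNAME
    )
    # HTTPS keeps the SOAP/XML traffic and the authentication exchange inside
    # TLS, which matters once remoting crosses an untrusted network segment.
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet   @{ Hostname = $Hostname; CertificateThumbprint = $CertificateThumbprint } | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain,Private | Out-Null
}

function Test-WinRMEndpoint {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$UseSSL)
    try {
        # Test-WSMan sends a WS-Management Identify request; a reply proves the
        # remote WinRM service is running and reachable through its firewall.
        $id = Test-WSMan -ComputerName $ComputerName -UseSSL:$UseSSL -ErrorAction Stop
        [pscustomobject]@{
            ComputerName = $ComputerName
            Reachable    = $true
            Transport    = if ($UseSSL) { 'HTTPS' } else { 'HTTP' }
            Stack        = $id.ProductVersion
            Error        = $null
        }
    } catch {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Reachable    = $false
            Transport    = if ($UseSSL) { 'HTTPS' } else { 'HTTP' }
            Stack        = $null
            Error        = $_.Exception.Message
        }
    }
}

# Usage (placeholders):
# Initialize-WinRMHost
# Add-WinRMHttpsListener -CertificateThumbprint '<THUMBPRINT-PLACEHOLDER>'
# Test-WinRMEndpoint -ComputerName 'PC01' -UseSSL
```

For a No Join (workgroup) device there is no Kerberos, so the client side additionally needs the target in WSMan:\localhost\Client\TrustedHosts or an HTTPS listener on the server; keep that list as narrow as possible rather than using a wildcard.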
So the next built-in client management tool I want to talk about are the MMC tools – the Microsoft Management Console tools. In particular – this set of tools called the RSAT. What is the RSAT? Let me share that with you. If you haven't heard of the RSAT before – and I'm sure many of you have – it's the Remote Server Administration Tools. And these have been around for a while. They are available for Windows 10 as well. So the idea here is Microsoft has built into Windows what is called the MMC – the Microsoft Management Console. It's a framework. And that framework supports multiple tools via what are called snap-ins. And so there's a bunch of these built into Windows 10 already like, for instance, one of my favorite ones is Computer Management. You can do all kinds of things in there. Then Event Viewer, then the Performance Tools – a lot of those kinds of things we do through an MMC. Well, in addition to that, if you're an IT professional and you have some server administrator responsibilities, then you could download the Remote Server Administration Tools and extend what is built into Windows 10 to include additional snap-ins that let you manage your DNS servers, your DHCP servers, all those domain controllers, IPAM servers, and other types of server roles. So the Remote Server Administration Tools is a free download that IT professionals with server administration privileges are going to download or use to extend their management capability to include not just client, but also server.
Now everything requires maintenance. Windows is not any different. So we're going to look now at how Windows stays up to date. We're going to talk about the hygiene services to keep it patched, to keep those vulnerabilities addressed. So let's dig into this. Now here's a funny saying – the problem with software is it's great until it isn't, right. There's something about software. It's just its complexity that kind of takes on a mind of its own. And even the greatest developers and programmers out there cannot anticipate every possible error or issue that can come up. So we know that bugs in software are a reality. And we also know that security vulnerabilities – well, they get discovered. And so what we need, of course, is a way to make sure systems stay up to date. Another important factor with this, of course, is compliance. A lot of us are under regulations and have specific requirements of making sure that our systems have the latest patches and are specifically addressing known issues or specifically addressing known vulnerabilities as they come to light. And so, if the machines are not updated and patched on a regular basis – we don't have good hygiene services in terms of our software – then we can find our systems falling out of compliance, configuration drift or compliance drift as it might be called.
So we all know this is true, right. We know it's absolutely critical that we keep our systems up to date. On the other hand, we also know that some systems we don't want patched with future upgrades perhaps or we don't want them changing or updating as often. And those are going to be more the exception rather than the rule. So, from an IT standpoint, we also want to have some control and some say on certain systems in terms of when they get updated and when they get patched. And so this is one of the things that we're looking at when we're talking about maintaining and updating Windows 10 – the essential need to keep it updated and also looking at the "how" and how to manage it. So let's start with a look at some of the updates that we might actually need. When we talk about keeping our systems updated, we're talking about things like drivers. We're talking about keeping our software up to date. We're talking about addressing specific security issues, which we might call hot fixes, along those lines. We're also talking about maintaining and updating antivirus definitions, but not only just patching our systems and addressing specific issues. One of the things that's, you know, fairly new or newer – when it comes to Windows – is the fact that we can also upgrade and install new features, even upgrading to a new edition of Windows using Windows Update. And so this is actually a shift from some of the approaches Microsoft has had in the past. So this is also known as Windows as a Service. I'll talk a little bit more about that in another video, but it's related – of course – to updating, updating being the channel in which Windows as a Service is delivered. Simply meaning this: when we have new features, Microsoft isn't going to wait two years to include them in a service pack. Instead, Microsoft will release them every three or four months in what you might call a major update or major upgrade.
And so there will be far more frequent updates coming out. So that's another important aspect. There's a paradigm shift from Microsoft in terms of how they're going to release even the features. So it's not just vulnerabilities, it's not just security fixes, it's not just bugs, but we're also talking about core features of Windows. Now the next thing we're going to look at is how these are actually applied. Okay, how do we maintain them? Now the primary way in which we maintain them is, well, through Windows Update. And one of the key points here is that a lot of our systems are going to get these updates automatically, right. So you don't actually have to go and manually find the patches or the hot fixes and download those. I mean there might be situations where you do that because the hot fix isn't, maybe, targeting a whole group of machines, but only machines with certain symptoms. So, in that sense, you can actually go and find those hot fixes, but those are going to be outliers. And, most of the time, your systems are automatically going to use a schedule and be updated. Of course, you can force your machines to go out and check – manually look – to see if there are any of the latest updates. And there are other applications and ways in which we interact with updates. So, for instance, you could go into Device Manager. And, if there's a device in there that you want to check to see if there's a new driver, from Device Manager you can have it query Windows Update to see if there are any drivers available for that new device. You can also actually force it to go look for updates using the command line. There's a command line tool called wuauclt – the Windows Update automatic update client. The name is a shortened version of that, and you can use it as well.
A couple of other points here are important in regards to management. So, speaking of Windows Update and Automatic Updates – as I mentioned earlier – there are going to be situations where, as an IT professional or as an organization, we want to control that a little bit more. We want to manage the updates. We want to review the updates. And so historically, we've had features like WSUS – Windows Server Update Services. We've had features where WSUS integrates with other System Center products like Configuration Manager and Virtual Machine Manager – VMM. Well, that's still true, right. We can still actually use WSUS, Configuration Manager, System Center. And we can also extend our management of updates with an MDM solution – so Intune and maybe even third party. So, from an IT-professional standpoint where we're thinking about controlling and managing those updates, we have some additional tools here. There's a new one called Windows Update for Business. Part of this is Microsoft is publishing updates more frequently including feature upgrades. As far as their paradigm is concerned around Windows as a Service, one of the aspects here is even though they're giving us control – unless you have a special function machine running the LTSB edition of Windows 10 – you can only delay upgrades for so long before you're no longer in support,
so it depends on the actual role of the machine and the edition of the machine. For instance, Windows 10 Enterprise has a specific edition called the Long-Term Servicing Branch. In that one, you can actually delay upgrades for a much longer period of time – something like up to two to three years – following along the lines of the previous release cycle of Windows, you know, back in the Vista and 7 days and before – so the every-two-year kind of cadence. So LTSB lets you kind of adopt that model or retain that model. But LTSB is really meant for limited function machines. We still have an important need to have these updates, right, to make sure our systems are in compliance. And we want to have the latest features and address those security vulnerabilities. So the assumption Microsoft has is that there's going to be a need for frequency of updates, but also an amount of delay. So that's where these kind of come in – the ability to actually review updates, deliver updates, and not delay them indefinitely, but be able to publish those updates to Windows 10 devices. Alright, so what we see here with keeping Windows 10 up to date is we see a large range of updates going beyond just fixes, but also supporting drivers and supporting new features and new editions of Windows 10, right. And then we have the same controls that we had before – some management controls. And we have some new ones like Windows Update for Business. And the other part of this story here is the fact that we're talking about a new approach and that's Windows as a Service.
Now, at the end of this section, you'll understand and be able to configure Windows Update on a Windows 10 device. And you'll understand some of the new settings in there and some of the ways in which you can manage Windows Update through policy. So let me show you how to do that. Now the first thing we want to look at is where we get our updates from. And we get them, of course, from Microsoft. Another way we might get our updates is through our neighboring devices through a feature Microsoft calls Delivery Optimization. Delivery Optimization is kind of an interesting feature. And there is a little bit of controversy around this, but the idea behind this is that it's intended to actually speed up the delivery of patches and updates. And the way that it works is similar to, like, BranchCache if you're familiar with that or similar to – like – a Torrent system if you're familiar with that. So the idea is this. And that is what you do is you share your updates with your neighbors. So let's say, there's a new feature upgrade that's been released and you decide you want to update your system. And so you go ahead and that system starts receiving an update or maybe it's the schedule, right. So you have updates delivered to the machine at 3 a.m. or whatever. So that begins. Now, when that begins, those updates come from Microsoft.com, but not all of it. It's actually chunked up. Your neighboring device might already have that feature. And so you might pull in some chunks of that update from your neighboring device from across the street or from across the state or what have you. And that all is intended to speed up the actual delivery of those updates because you're pulling those bits in from multiple systems.
Now I know that's a little...you know, that's different. But the whole point is they call it Delivery Optimization because you'll receive your updates much faster. That's the benefit to you and me. So it's never the whole update coming from your neighboring machine or from your machine, right, because one of the other factors here is I don't want my machine to be acting as a server for some other devices. But that's avoided by your machine delivering certain chunks of data, not necessarily the full update. So there's a sharing that's taking place. And so it's kind of a...oh, what do they call that when you have a river and tributary – kind of a tributary kind of approach. We have multiple streams coming in, right – something like that, alright. Now one of the controversies behind this is the fact that I already mentioned your machine becoming a server for the neighbors. But, as I said, you're only actually sharing some portion of the updates – chunks of it. That's what Microsoft says. And the other aspect of this is security concerns. One of the things Microsoft says is this is not an attack vector in the way that some might fear it is. It's no more an attack vector than downloading an application from the Windows Store. And that's because updates are digitally signed. And so there's an origin integrity – an actual content integrity – through digital signatures that's still maintained. These are still updates that are authored by Microsoft. They're just being sourced from more than one place. Now, if you still don't like Delivery Optimization, you can turn it off. There's a way of actually doing that. The other factor is it's not downloading and sharing personal content. This is strictly just updates. Alright,
so that was a couple of words about Delivery Optimization. Now the primary point of this slide – let's not get away from that. And that's the fact that inside Windows Control Panel or the Settings app, I should say, there is a Windows Update control that allows you to manage many of these settings. And you can do different things in here. You can manage, for instance, whether or not you want to receive updates from other Microsoft products. You can also control whether or not you want to be a part of the Windows Insider effort there. Now the Windows Insider effort is really designed for people who want the latest and greatest. They are essentially getting beta versions of new builds. And so they can test them out and even give Microsoft feedback to make Windows better. Now Windows Insider actually has a couple of distribution rings. So there's the fast ring. And those are for individuals who are cutting edge. They want the good, the bad, even the ugly. And then there are those people who are on the slow ring. You might think of them as a more sanguine ring. And that is they want to receive updates, but the good, the less bad maybe, and no ugly, right. So they've given the fast ringers the opportunity to provide feedback to kind of maybe catch any potential problems. Nevertheless, the slow ring or the fast ring – you're still getting bits before the folks that are part of the Current Branch. Current branch is the main release of an update to the millions of users that are using Windows 10.
Alright, but there's more. Inside the Settings app, you can control additional updating settings. And of course, it can also be controlled through policies. And there are options inside of here for actually rolling back updates if you want to. And then, if you dig into this, there are additional options in here like the ability to delay upgrades and other types of settings. In fact, some of the settings in here – I think – remind me of the four personalities from ancient Greek times like you have the slow and fast rings for the Insider program that I was describing earlier. And I think of that, maybe, as the choleric personality and the sanguine personality. But there's also this one button in there called Delay Updates. And, if you turn on Delay Updates, well, I think that's more of those cautious types – the more melancholic personality. So that button can actually delay updates for a month or so. So that would be for somebody who's not part of Windows Insider, but is set to be on the Current Branch. And they may not even know they are on Current Branch. They just have the default settings set to automatic, but they want to then delay those updates for about a month. And they have an option just for that kind of personality. And yet speaking of personalities, that fourth and final personality that I'm thinking about here is the one who just doesn't really care, right. These are the people that just use Windows. They get the regular updates. They stick with the default settings. Those are the phlegmatic settings, right. These settings are designed for people who don't really care and maybe people who are more tolerant than the rest of us. Alright, so the point is you've got a variety of different settings for a variety of different types of people or scenarios, might be better put. And you've got support for management situations as well. So there are command line options for this.
And organizations that want more control, well, they can use policies and a WSUS server or use Windows Update for Business to manage the distribution of these updates in their organization.
Alright, so now we're going to look at WSUS for Windows 10 or Woo-sus for Windows 10. Now this is an important topic because many organizations need and want the control over how updates are distributed. And Windows 10 is being enriched. And I say, "Is being" because it currently is enriched, but as time goes on and Windows 10 matures, you're going to see additional improvements in this category. And that is it's enriched with features designed to help organizations manage the distribution of updates. They call that Windows Update for Business. And what that is is it's specifically an updating model unique to Windows 10 – unique Windows 10 updating features. And those features can be integrated and managed with centralized updating services like WSUS or Configuration Manager, the Enterprise Mobility Suite, and maybe even third party. So the basic idea here – and then we're keeping this kind of a high level – is that we want to make sure that our updates are strategically released. So this means we're going to want to test our updates. We might have specific distribution rings or what we call computer groups in WSUS that allow me to target those updates to specific machines before I release them to other devices in my organization and then being able to deploy updates that control which updates I want to defer, which updates I want to release and then have some good reporting. So this is the basic overview like an organizational need in terms of update management. And WSUS as well as the features built in to Windows 10 are intended to help organizations facilitate this process and to even improve on this process.
So here we see WSUS in action – Windows Server Update Services. And you can see we're pulling down updates from Microsoft Update. And those updates are being controlled, managing the release of those updates. WSUS has the ability to store those updates. You can expect to see new features coming to WSUS actually to also support some of the new features in Windows 10 such as Windows as a Service. And then we've got ways of controlling the types of updates – drivers, definitions, feature upgrades, updates for other Microsoft products. A lot of this is going to be policy driven. So our clients – instead of going to microsoft.com, we configure them to go to a WSUS server. The WSUS server is where the IT organization is able to actually come in and make decisions regarding the type of updates and when we want those updates to be released. So WSUS isn't going away even though there are a lot of big changes happening to the updating model. In actuality, it's going to be something that Microsoft continues to invest in and improve on to support our Windows 10 devices and Windows as a Service.
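As an added example for the Windows Update settings, Delivery Optimization and WSUS-by-policy discussion above (my code, not the course's), here is a PowerShell function that reports where a Windows 10 device is configured to get its updates from (Microsoft Update or a WSUS server set by policy), how long it defers feature and quality updates, and which Delivery Optimization peering mode is in effect, and flags the weaker settings. It assumes Windows 10 version 1607 or later for the deferral value names; the registry paths and COM objects are Microsoft's documented ones, while the function name and the findings text are mine.

```powershell
# Added example: audit the update source, deferral and peering configuration of a
# Windows 10 device. Reads the policy registry keys that Group Policy, WSUS and
# Windows Update for Business settings are stored in, plus the client's registered
# update services. Run from an elevated PowerShell prompt; -Scan also asks the
# configured service which updates are still pending.
function Get-UpdateSourceReport {
    [CmdletBinding()]
    param([switch]$Scan)

    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = "$wuPolicy\AU"
    $doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

    # Returns a policy value, or $null when no policy has written it (the default applies).
    function Read-PolicyValue([string]$Path, [string]$Name) {
        if (-not (Test-Path $Path)) { return $null }
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $wsusServer   = Read-PolicyValue $wuPolicy 'WUServer'
    $useWsus      = Read-PolicyValue $auPolicy 'UseWUServer'
    $deferFeature = Read-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
    $deferQuality = Read-PolicyValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
    $doMode       = Read-PolicyValue $doPolicy 'DODownloadMode'

    # Documented DODownloadMode values: 0 HTTP only, 1 LAN peers, 2 group peers,
    # 3 internet peers, 99 simple (no peering), 100 bypass.
    $doModeNames = @{ 0 = 'HTTP only'; 1 = 'LAN peers'; 2 = 'Group peers'
                      3 = 'Internet peers'; 99 = 'Simple, no peering'; 100 = 'Bypass' }

    # Services the Windows Update agent knows about (Windows Update, Microsoft Update,
    # a WSUS server, ...). IsDefaultAUService marks the one Automatic Updates uses.
    $services = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
        Select-Object Name, ServiceUrl, IsDefaultAUService

    $findings = @()
    if ($useWsus -eq 1 -and $wsusServer -and $wsusServer -notmatch '^https://') {
        $findings += "WSUS server '$wsusServer' is reached over plain HTTP; Microsoft recommends HTTPS so the client can authenticate the WSUS server it talks to."
    }
    if ($doMode -eq 3) {
        $findings += 'Delivery Optimization peers with devices on the internet (mode 3); LAN (1) or group (2) peering keeps peer traffic inside the organization.'
    }
    if ($null -eq $deferFeature -and $null -eq $deferQuality) {
        $findings += 'No deferral policy is set; the device takes feature and quality updates on the default Current Branch cadence.'
    }

    $pending = $null
    if ($Scan) {
        # Same query the UI runs when you click "Check for updates", against the default service.
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    }

    [pscustomobject]@{
        UsesWsus             = ($useWsus -eq 1)
        WsusServer           = $wsusServer
        DeferFeatureDays     = $deferFeature
        DeferQualityDays     = $deferQuality
        DeliveryOptimization = if ($null -ne $doMode) { "$doMode ($($doModeNames[[int]$doMode]))" } else { 'not set by policy (default applies)' }
        PendingUpdates       = $pending
        UpdateServices       = $services
        Findings             = $findings
    }
}

Get-UpdateSourceReport -Scan | Format-List
```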
Now, in addition to traditional management options and in addition to kind of the management technologies that are built into Windows, Microsoft gives us yet another management tool. Remember, when it comes to management with Windows 10, it's both same and different because we are in new times. And Windows 10 comes at a new time. So we have a mobile device management solution – a new management tool called Microsoft Intune. It's not brand-new. It's been around for a little while. But, for some of you, you may not have heard about it or have used it. So what I want to do is begin with an overview and describe what Intune is and why it's an important tool to know and why it can be very useful in your organization. So, of course, we start with this question right here – what is Intune? Well, let's get to the heart of this. Intune is a cloud-based management solution. And it's going to allow you to target phones, tablets, even allow you to target desktops. So really the way to think of Intune is it's Microsoft's cloud-based MDM or mobile device management solution. Okay, so now let's talk about some of the key features that are available in Windows Intune. And this will illuminate some of its primary functions and why it's very useful. First off, device choice. One of the goals behind Intune is anywhere type of management. What is great about this is we've got multiple form factor support – so different types of devices. But there's also support in Intune for multiple operating systems – so not just Microsoft or not just Windows, but also support for Apple and Android. That's pretty cool.
Self-service is another key aspect of this. So the idea behind Intune is to support specifically the BYOD model to give IT managers and the IT part of the organization more control over BYOD, but still support that. So that falls into...what we have basically is a need for self-service, right. So users can opt in, they can enroll their own devices. And so that's an important part of what Intune can provide in terms of that category. But, if we're going to support BYOD, another important thing that is going to concern us is going to be security. So there are security features built into Intune, which allow us to integrate with other security services as well. So this is cloud based. So we can take advantage of other cloud-based security systems like Azure RMS and Enterprise Data Protection. That is to say what we can do with Intune is use it to help us designate which apps are for business, which are not, and control the risk of data leakage – you know – on personal devices, corporate data being leaked out through personal channels and personal devices. Additionally, Intune gives me other security features for mobile devices like remote wipe, I can require devices to be locked, and Intune boasts antimalware and quarantine features and other types of cloud services like conditional access – controlling access based on the device.
Lastly, I want to mention integration here. Integration is something that you could use in reference to multiple directions, right – integration with Internet and other cloud services, integration with Office 365, integration with on-premises Active Directory. So, if you have an Active Directory environment – there's integration with Intune and your on-premises environment and integration with Configuration Manager – Intune can extend the reach of Configuration Manager when it comes to mobile device management. So these are some key features, but that's not all. We've got more. There they are. App Management – what that means is I can use Intune to deploy software or allow users to deploy software from, say, a company portal. And I could also apply policies for specific mobile applications – so App Management, App Controller, those types of things. Also, managing updates – controlling those types of updates. Alerting & reporting is another key benefit here. Intune lets me view the status of my devices, the health of my devices, and get kind of an "at a glance" type of look in terms of where my devices stand. And then infrastructure and cloud based – this is cloud based. That's an important point. And so that means that it inherently has less infrastructure. Instead, it's subscription based. Now you can sign up for a free trial and you can begin exploring some of these features now if you would like.
Now let's explore how Intune works. And my goal for you on this section is to be able to understand the difference between two different Intune deployments. There's the standalone deployment, and then there's the more integrated deployment called hybrid. And, when we're done with this, you'll be able to tell the differences between the two, the advantages, disadvantages – that sort of thing. Now let's start with this standalone deployment. Now standalone deployment is really advantageous and attractive to small businesses and even medium-sized businesses because it removes the need to have a lot of infrastructure. Instead, it's cloud based. So our services – they're all going to be running up here in the cloud. We can rely on, in terms of identity services, Azure Active Directory. So that can supply our identity services. We might have integration with Office 365 here. Office 365 actually has a little bit of its own MDM capability, but it really gets kicked up a few notches when it's integrated here with Intune.
Now the other advantage to this is you are not limited to just Windows devices. You've got support for, you know, your Windows workstations and your Windows phones and other types of Windows devices, but you also have support for iOS 6 and above and Android 4 and above. Microsoft says there's support here for, like, over 50,000 mobile devices. And maybe, if you've got desktops in there, closer to 7,000. That's a Microsoft number in terms of Intune capability, but that's a lot. And, if we're talking small business here, that's a lot, a lot. So that's really attractive, I think, in terms of advantages to standalone. Now management is all done through a simple web console. Clients though have to be connected to the Internet. So there is a client connectivity requirement that you would expect because we're connecting to the cloud. We do have app deployment. We do have the ability to manage devices – so remote wipe. And those things are available for us. We do have, for our Windows devices, some antimalware. We have updating features that are supported in here as well. Now there are some features that are missing from this. So, if you want a richer environment that integrates with your on-premises services, well, then let's talk about hybrid.
The hybrid approach is the integrated approach. Microsoft calls this unified administration or unified management. And what we're talking about there is integration specifically with Configuration Manager – that guy right there. Now, when you're integrated with Configuration Manager, you have support for additional operating system platforms. So, in addition to the ones that you have with standalone, you now also have support for...or management capability for Linux servers and Mac OS X as well. You've got more scalability. So there's support for more devices here. This does require some on-premises infrastructure, right. So you're going to have to have Active Directory here. It's also more extensible, more customizable. Clients don't actually have to have an Internet connection. They will have a network connection, but they don't actually have to have an Internet connection to support this particular model. Now you have a lot of the same type of controls that we were talking about with standalone – so remote wipe, app deployment. You also have – because Configuration Manager is involved – Operating System Deployment for Windows devices. You also have integration for App-V – so if you want to deliver App-V applications.
Now it lists here other types of services that might need to be included in a hybrid approach. So there's not really a full explanation with this. So let me just point out a couple of other ones that might or might not be needed. They're more optional. So another approach would also include devices not just using or connecting via Intune, but using a feature called Workplace Join. You might have a Reverse Proxy here and Federation Services to help facilitate the integration. That may or may not be part of your design. You might also need a way to automatically distribute certificates for devices. And so there's a Public Key Infrastructure component here that Microsoft supports called NDES, the Network Device Enrollment Service. And so it supports the SCEP protocol for automatically issuing certificates for devices if they need it. Now not every operating system over here will need a certificate, but it depends on how you're actually connecting. And it also depends on if you're doing two-factor authentication and that sort of thing. Now you might also have other types of integrations like, for instance, with Enterprise Data Protection and Azure RMS. So that allows you to do a kind of a container type of security on these devices for BYOD. And so there may be support for that. So you can actually designate through Intune which applications are business applications, which are not, so that you can keep data from moving between them. And that would help in terms of users working and storing corporate data and using corporate applications on their personally owned devices and avoiding information leakage. So there are some other scenarios here that might play a role in your deployment and configuration of Intune. And this, I hope, gives you a good description of how powerful Intune is, its scalability in terms of its capability, and a look here at how Intune works.
Okay, so now let's configure Intune, right, get our hands dirty – should be fun. Let me show you how to configure Intune. And my goal for you is that at the end of this, you'll feel far more confident, you will jump in, and maybe even get a trial and start using Intune today. So here's what I want you to do. I want you to treat this as kind of a getting started lesson. So consider some of the key steps, important tasks in getting Intune up and running. So you can explore some of the important management features that it has and maybe as well prepare for the Windows 10 certification exam if that's one of the things you're trying to do as well. Alright, so first things first. You need a subscription. And, as I said earlier, this can be a trial – pretty easy to get. And then next you're going to need to create a user account. So you can do that in what is called the Intune account portal. And then, after you have your account set up, then you want to start configuring policies. And that's done through the Intune administration portal. And these are web based, easy to use. I think they require Silverlight to run. So you need to have a browser that supports Silverlight. That's it.
Now, after you sign up, some of the other steps you are going to need are going to be provisioning additional users and policies. And that's one of the things I want to explore with you. Now, before I do that, though, there might be some other more advanced configurations you need to perform. And a lot of it depends on what kind of configuration you're doing, what kind of Intune deployment – I should say – you're doing. So, whether or not you have on-premises infrastructure, well, you might need to configure an Azure AD connector or DirSync – as it's called – to synchronize on-premises with Azure AD. If you're doing Configuration Manager, there's a couple of settings you need to enable for integration with that, called the MDM authority. And the MDM authority is a setting inside Intune. And it's essentially a setting that indicates if you are standalone or hybrid. It's really kind of the primary setting there. Now that setting can't be changed very easily. So you have to select that particular setting with some caution – one thing to be aware of. The last point here is regarding certificates. And Intune itself doesn't require a lot in terms of certificates. But, if you are supporting, say, Apple devices, for instance, those require what is called an APN certificate. So you might have to acquire some certificates for those. So another important thing you have to think about in your Intune configuration is what certificates you need and then, you know, the appropriate infrastructure that matches.
So, for instance, another important point that's listed up here is the fact that if you do need device certificates, you can rely on the SCEP protocol and deploy certificates automatically through network device enrollment. That implies that you're going to need a PKI. And so that's another big aspect of design that could, you know, add an additional day or so to your implementation of Intune. So my primary focus – just so you know – in this section isn't on some of the advanced configurations with Intune. So I'm not going to delve into some of these, but mostly I'm going to focus on how to manage Windows 10 through Intune. Now a quick word about Intune subscriptions for a moment. Let's say that you try the free trial here and then you want to actually continue using Intune to manage your mobile devices. Well, you've got several options. So, for instance, one thing you can do is go with an Intune subscription. And what this allows you to do is continue using Intune, but on kind of a per user pricing model. And that's like less than $10 per user a month – something along those lines. But then there's also the Enterprise Mobility Suite, which includes Intune, but it's packaged with some other cloud services that could be quite useful. So Azure RMS and Azure AD Premium, for example – these two are useful in supplying or supporting BYOD protections. So this is where we have Enterprise Data Protection where we can containerize our corporate data away from personal data on the same device. And the user doesn't have to switch between different types of modes. It's really seamless and transparent. And so you've got high-level protection in BYOD situations and good authentication because you are using Azure AD Premium. So that gives you like multifactor authentication. So that's kind of a powered subscription, right, with additional security features.
Then we've got those subscriptions more suited for larger businesses. So you might already have an enterprise agreement. So you can expand that to include Intune, and then there's an online subscription that's in a volume licensing model or volume licensing program for small business. And oftentimes, the pricing breaks down a little bit depending on the number of licenses you have and how the prices work. So you've got several different options to explore and certainly you would want to investigate further and talk to, you know, a Microsoft representative or look online at the licensing FAQ and those sorts of things to see what your options are. But Intune is a cloud-based option. So we're not installing Intune onto a server. Instead, we're subscribing to it. So, now that we have Intune initially configured, we have our subscription. One of our first tasks is to create our users and groups. And so there are a couple of ways in which we can do this. We can create our new users and groups from, like, a new user wizard. There's also an option to do a bulk add. So you can do a bulk import if you want to. And then you're going to want to create groups, right. Because what is the purpose of groups? Well, they simplify administration. So you can have user groups and you can also create these things called device groups. And these groups are important because they're going to be the targets of our policies. And then you can configure your policies and administer those. Now, speaking of the administration, you can also create additional tenant administrators. So there's also the ability to actually delegate different administrative roles. So it's a good idea that when you define some users, one of the users you define is at least one other administrator account in case anything happens with the first administrator account. So that's just a quick tip.
All right, the next thing I want to show you is how to configure enrollment for your devices. This is the next step in getting our devices to receive policies and to be managed by Intune. Once a device is enrolled, it will apply policies and maybe download and install applications, and you can deliver applications to your devices in a couple of different ways. But first things first: we want these devices enrolled. So let me make a couple of additional points here. Enrollment requires an Intune client application to be added and installed on the device, and depending on the device that changes some requirements. An Apple device, for example, requires an APNs certificate before it can be managed by Intune. On a PC, if it's a BYOD device, the user is going to need administrative rights to install the Intune client. So users can use an installer provided by an administrator to manually enroll the device. The Intune client can also be deployed to domain-joined machines using Group Policy, or you can include the Intune client in the operating system image itself. So end users can download the app and self-enroll, but you have other options as well to enable access to Intune. Now, Intune has a rich set of features, and this includes not only security-like policies but also the ability to control access based on conditions, which I guess is also security-related. Then there are updates, and the ability to deliver profiles like VPN profiles and e-mail profiles, and a whole lot more.
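One check a practitioner wants after enrollment is whether a given Windows 10 device actually reports as joined and MDM-enrolled. The script below is an added example, not part of the course and not Microsoft's code: it parses the output of dsregcmd /status and assumes that tool is present and prints "Key : Value" lines including AzureAdJoined, DomainJoined and MdmUrl. The sample output embedded in the block is constructed for offline testing, not captured from a real device.

```powershell
# Added example (not from the course): report join and MDM-enrollment state of a
# Windows 10 device by parsing 'dsregcmd /status'.
# Assumption: dsregcmd prints "Name : Value" lines such as AzureAdJoined,
# DomainJoined and MdmUrl; no other field names are relied on.

function ConvertFrom-DsregStatus {
    # Turn the "Name : Value" lines of dsregcmd output into a hashtable.
    # Box-drawing and header lines do not match the pattern and are skipped.
    param([string[]] $Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-MdmEnrollmentState {
    # Defaults to running dsregcmd; pass -StatusOutput to evaluate captured text instead.
    param([string[]] $StatusOutput = (dsregcmd /status))
    $s = ConvertFrom-DsregStatus -Lines $StatusOutput
    [pscustomobject]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined']  -eq 'YES')
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])   # an MDM URL means an enrollment exists
        MdmUrl        = $s['MdmUrl']
    }
}

# Constructed sample output (not captured from a real device); the URL is a placeholder.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '                    MdmUrl : https://mdm.example.test/EnrollmentServer/Discovery.svc'
)

# Offline check against the constructed sample, then the live device.
Get-MdmEnrollmentState -StatusOutput $sample
Get-MdmEnrollmentState
```

For a device that has never enrolled, MdmUrl is absent from the output, so MdmEnrolled comes back false; a device that shows DomainJoined but no MdmUrl is one that is still managed only by Group Policy, which is the case the enrollment step above is meant to move past.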
All right, another challenge here, a fresh scavenger hunt if you will. What I want you to do is think about where you would go if you wanted to configure your system to receive updates not just for Windows but for other Microsoft products as well. But maybe you don't want them immediately; you want to defer them and delay them for a couple of additional months. So where would you go to configure your Windows 10 system to receive updates for other Microsoft products and to defer them for a couple more months? Think about that for a moment. Feel free to pause the video while you think about it and then resume when you're ready.
[Exercise: Updating Settings.]
Are you ready? All right, this might be a pretty straightforward one, and I bet you can guess that we're starting with Settings. I mean, that's where we typically go, right? So I'm going to use a keyboard shortcut, Windows+I, to bring up Settings. The next place we need to go is Update & security, and then, you guessed it, Windows Update. Once this finishes loading, we can click Advanced options. This is where we can select Give me updates for other Microsoft products when I update Windows, and this is where I can Defer upgrades. I can also come in here and view my update history. And down here I can join the Windows Insider program if I want the latest and greatest. So this is where we go, and this is how we configure Windows 10 to receive updates for other Microsoft products and enable the Defer upgrades option.
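The same two settings, audited and applied from PowerShell so they can be checked across a fleet rather than clicked through per machine, as an added example that is not part of the course and not Microsoft's code. It assumes the Windows 10 1511/1607-era "Defer upgrades" model, where the policy values are DeferUpgrade and DeferUpgradePeriod (in months) under the WindowsUpdate policy key, and it treats "updates for other Microsoft products" as the Microsoft Update service being registered with the Windows Update Agent; the service ID used is the well-known Microsoft Update one.

```powershell
# Added example (not from the course): audit and set the two settings from the
# exercise without the Settings app. Run from an elevated PowerShell prompt.
# Assumptions: "Defer upgrades" is policy-backed by DeferUpgrade / DeferUpgradePeriod
# (months) under the WindowsUpdate policy key, as written by the "Defer Upgrades and
# Updates" Group Policy on 1511/1607-era builds; "updates for other Microsoft products"
# means the Microsoft Update service is registered with the Windows Update Agent.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MuServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # well-known Microsoft Update service ID

function Get-MicrosoftUpdateOptIn {
    # Ask the Windows Update Agent which update services are registered.
    $mgr = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $svc = @($mgr.Services | Where-Object { $_.ServiceID -eq $MuServiceId })
    [pscustomobject]@{
        MicrosoftUpdateRegistered = ($svc.Count -gt 0)
        IsDefaultAUService        = ($svc.Count -gt 0 -and [bool]$svc[0].IsDefaultAUService)
    }
}

function Enable-MicrosoftUpdate {
    # Register Microsoft Update and make it the service Automatic Updates uses.
    # Flags 7 = AllowPendingRegistration (1) + AllowOnlineRegistration (2) + RegisterServiceWithAU (4).
    $mgr = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $mgr.AddService2($MuServiceId, 7, '') | Out-Null
}

function Get-UpgradeDeferral {
    # Read the policy-backed deferral values; a missing key means "not configured".
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $months = 0
    if ($null -ne $props -and $null -ne $props.DeferUpgradePeriod) { $months = [int]$props.DeferUpgradePeriod }
    [pscustomobject]@{
        PolicyKeyPresent   = ($null -ne $props)
        DeferUpgrade       = ($null -ne $props -and $props.DeferUpgrade -eq 1)
        DeferUpgradeMonths = $months
    }
}

function Set-UpgradeDeferral {
    # Turn on "Defer upgrades" and delay feature upgrades by $Months (the policy allows 0-8).
    param([ValidateRange(0, 8)] [int] $Months = 2)   # the exercise asked for "a couple more months"
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'DeferUpgrade'       -Value 1       -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DeferUpgradePeriod' -Value $Months -Type DWord
}

# Usage: report the current state, then (uncomment) apply the exercise's configuration.
Get-MicrosoftUpdateOptIn
Get-UpgradeDeferral
# Set-UpgradeDeferral -Months 2
# Enable-MicrosoftUpdate
```

Two caveats worth knowing before you push this out: once the policy values are present, the Windows Update page in Settings reports that some settings are managed by your organization and the user can no longer change the deferral themselves, which is usually what you want on corporate-owned devices but not on BYOD; and later Windows 10 builds replaced the month-based Defer upgrades policy with separate feature-update and quality-update deferrals measured in days, so confirm the policy names that apply to the build you are managing before relying on the audit output.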
© 2018 Skillsoft Ireland Limited