Microsoft Sheds Some Light on Windows 10 Device Management
- By Kurt Mackie
- March 25, 2016
When it comes to managing Windows 10 devices, users are often confused about which of Microsoft's management products -- namely, System Center Configuration Manager (SCCM) and Microsoft Intune -- to use.
This week, Microsoft offered what it called "clear and simple guidance" for organizations trying to decide between SCCM and Intune to manage Windows 10 PCs, tablets and phones. The solution is to use both products, according to a blog post Wednesday by Brad Anderson, corporate vice president for enterprise and client mobility at Microsoft.
"Previously, we haven't really been as clear as we needed to be about when each approach should be used, as well as the reality that most organizations will want to run both," Anderson explained.
In Microsoft's view, both SCCM and Intune are needed because organizations may have a mix of Windows 10 desktop and mobile devices to manage. And those devices may be used for both business and personal purposes.
Intune is branded as Microsoft's solution for mobile device management and mobile application management, but it evolved from earlier desktop management roots, and it has those capabilities, too. The venerable SCCM client and server management tool isn't going away anytime soon following Intune's arrival. Instead, Microsoft service-enabled it, updating it regularly like it updates Windows 10. SCCM also is capable of connecting with Intune so that it can serve as an organization's main management tool.
Windows 10 Guidance
In a nutshell, here's Microsoft's advice regarding its two main client management tools:
- Use SCCM and traditional management techniques if an organization is managing Windows 10 devices that aren't primarily mobile devices and are domain-joined.
- Use Intune for mobile device management if the devices typically are used in mobile scenarios and aren't already domain-joined.
In the second scenario, organizations have two options. They can use Intune for mobile device management in conjunction with the Azure Active Directory Service to support corporate devices. Or, secondarily, they can use Intune plus a "work account" to manage personal devices.
However, using a work account will have some limitations, as explained earlier this month by Microsoft's Azure Active Directory team. For instance, there's no single sign-on access to Windows Store apps, and the roaming of settings that separates corporate data from personal data doesn't take place with work accounts. The technology that keeps personal and corporate data separate is called "enterprise state roaming" by Microsoft.
Microsoft's preferred approach for mobile device management with Intune is to use "Azure AD Join." Tapping Azure AD Join technology requires having an Azure AD Premium subscription or Enterprise Mobility Suite licensing, among other requirements. The Enterprise Mobility Suite is a licensing bundle consisting of the rights to use Windows Azure Active Directory Premium, Windows Intune and Windows Azure Rights Management Services.
For those struggling with the SCCM-versus-Intune conundrum, Microsoft offered this "generalized decision tree," per an Intune team blog post:
If an organization needs greater control over Windows 10 device settings, then Microsoft is recommending the use of SCCM and Group Policy. If not, then the organization can use Microsoft Intune.
In general, Microsoft's Intune team claimed that organizations no longer have to perform wipe-and-load upgrades to Windows 10, which can be time-consuming. Instead, they can use the easier "in-place" upgrade process from Windows 7/8.1 clients that will preserve data and settings. But that's just Microsoft's advice for desktop upgrades.
Things are different for Windows Phone 8.1 mobile device upgrades. Organizations will have to start from an "out of box" experience when upgrading Windows Phone 8.1 mobile devices to Windows 10 Mobile. In other words, these devices will have to be provisioned from scratch.
The Intune team also touted the delivery of "the latest feature and quality updates through simple -- often automatic -- patching processes" for Windows 10 devices. This update release approach by Microsoft is still controversial among IT pros. They get Windows 10 updates in waves, with "current branch" releases every four months and "current branch for business" releases every eight months.
IT pros also are concerned with the quality of recently released Windows 10 patches, since Microsoft no longer provides full descriptions of them. It's a regular topic of discussion in support forums, such as the Patchmanagement.org listserv.
IT pros will have to keep up with current branch for business Windows 10 releases. If they fail to move to the latest one in eight months' time, their Windows 10 installations won't get future updates, including security patches. It's a big shift from Microsoft's traditional client update model.
Unmentioned in Microsoft's announcements this week was Windows Update for Business. It's a service-enabled management capability designed to help organizations better navigate the Windows 10 branch changes. For instance, it will be possible to segregate end user devices into different Windows 10 update groups, if wanted, with some users getting updates faster than others. This facility can potentially be used to test patches before broader rollouts in an organization, for instance.
Microsoft had talked about Windows Update for Business late last year as the "cloud equivalent to WSUS and [System Center] Configuration Manager." However, it hasn't said much about it since. Microsoft is planning to integrate Windows Update for Business capabilities into Windows Server Update Services and SCCM, although the timeline hasn't been disclosed.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.