Modern desktop deployment, when you follow Microsoft and Microsoft related media on the internet you probably have read this ‘name’ before. But what does Microsoft mean with Modern Desktop Deployment? What products does Microsoft have available to get the desktop deployed?
In this blog post I will show you how Modern Desktop Deployment might look like using parts of Microsoft 365, like Windows AutoPilot and Intune.
Previously when you prepared a Windows device for your users, you probably deployed a customized image to the device, which contained all the software, Windows Updates etc.
In the modern desktop deployment time you don`t use customized images but use Windows AutoPilot.
With Windows AutoPilot the hardware vendor registers the new devices to your Windows AutoPilot Service and then ships the device direct to the end-user. The user unboxes and starts the device. The user needs to connect the device to the internet and after that, the user is presented a customized logon screen. The user authenticates with his Azure AD (Office 365) account which results in the device being Azure AD joined en automatically enrolled to Intune. Intune applies settings and deploys software like the Company Portal and Office ProPlus to device. And after this setup is finished, the user is logged on and is ready to start working on the device.
That`s what AutoPilot is in a overview.
But to get this all running we need to create an AutoPilot profile and assign that profile to the AutoPilot devices. With such a profile we have the option to change a part of the out-of-the-box experience by accepting the EULA and blocking the privacy settings pages. Here you also choose the user account type (standard or administrator) and set a computer name template.
Optional we can enable the Enrollment Status Page under the Windows enrollment settings. This will present the user a status page before he first logs on to the Intune managed device, in which he can see what is happening with the device during setup.
You have several options to choose from under the settings tab. For example it allows you to block the device until all apps and profiles are installed. This makes sure all settings and apps are installed before the user is logged on.
If we have a look at the user experience, the user is presented with a customized welcome screen with your company logo, instead of the default authentication page.
When the device is assigned to the user, the user only needs to enter the password from his Azure AD account, like below. If the device is not assigned to an user, the user is asked to enter his Azure AD username and password.
If we choose to hide the EULA and Privacy settings in the AutoPilot Profile, those pages are skipped and the Enrollment Status page is shown. (if enabled). Here the user gets insight in what happens with the device after the authentication. Another benefit of enabling the status page is that the policies are applied and software is deployed to the device before the user is logged on the first time. Without this status page, the user is logged on to the device while Intune is still applying settings and installing software.
Software deployment is one of the jobs we need to get done during desktop deployment and with Intune we have that possibility.
We are already able to deploy apps purchased via the Microsoft Store and applications using MSI installer files for a while, but since a few months we are also able to deploy Win32 apps. Have a look at this previous post, to see how that works. And Intune also supports the new MSIX installer file type. By adding support for Win32 app and MSIX support, we are now able to deploy almost every application using Intune to our Windows 10 devices.
To deploy Office 365 ProPlus you don`t even have to upload your installer files, Office ProPlus is already present in the Intune portal, ready to deploy to Windows 10 (or macOS). Just check the apps that you want to install, choose the version, language and some other settings and the Office suite is ready to be deployed.
Besides installing applications, you can also remove applications with Intune. We can use Intune to remove the default Windows 10 applications like Xbox, GameBar, My Office etc. In this post I showed how that can be done.
But not only user applications need to be deployed to our Windows devices, we also need to make sure Windows Updates are installed. With Intune you can deploy several Update Rings to your devices to take control of Windows Updates. Per update ring you can choose the servicing channel and deferral period.
And as end-users do not always install updates themselves, we can force the installation of the updates in the update ring. Some other update settings are active hours and when to restart the device after installation of updates.
Customize the Start menu
When the user is logged on for the first time on his new Windows 10 device, the start menu might look something like this.
Fortunately we have some options with Intune to customize the start menu. We can start customizing the start menu with a Device Restrictions policy. A lot of settings are presented via the GUI in this policy set, like removing Recently added apps, remove the Shutdown button or removing Documents on Start.
There are also some custom CSP policies to apply to the devices with which you can block for example Windows Consumer features or Third Party Suggestions in Spotlight.
And as already mentioned in this article, we can remove built-in Windows 10 apps, so they also don`t show up in the start menu.
One step further in customizing the start menu is applying a start menu layout using a xml file, like you can with a Group Policy. This will pin start menu tiles to the start menu, overwriting the existing tiles which you get out-of-the-box.
After all those customizations the end result is a start menu like the one below.
User files and settings
Now that we have deployed (and removed) applications and customized the start menu, it`s time to have at look at how we can provide our users with easy access to their documents. And we have a look at some handy features which an Azure AD joined device provides the user.
I assume user documents are stored as much as possible in OneDrive for Business when you purchase Microsoft 365 licenses. So it would be nice if the user is signed in to OneDrive silently after logging on the first time on the Azure AD joined device.
We can use Administrative Templates (just released at the moment of writing) to get this job done. From the list of settings we can use the setting ‘Silently configure OneDrive using the primary Windows account’ to sign in to the client automatically.
Using Intune to silently configure OneDrive, makes it easy for our users to access their documents. And with Known Folder Move even the Desktop, Documents and Pictures folders are protected.
Now something completely different, but I think a handy feature for a user who forgot his password: Self Service Password Reset from the Windows logon screen. When enabled for your users and enabled via an Intune policy on Azure AD joined devices, it provides your users an easy way to reset the Azure AD password direct from the logon screen. And Self Service Password Reset also prevents a lot of phone calls to the service desk.
I already wrote an article about this option a year ago, so have a look at this article for full details on setting this up.
Securing Windows 10
The last part of this long read is dedicated to securing Windows 10 with Microsoft Intune. I already wrote about setting up Update rings, so your devices get the latest (security) updates. But what about disk encryption, managing Windows Defender and the firewall? All these options can be managed by using Intune.
With Intune on an Azure AD joined Windows 10 device with the right conditions (hardware and OS), you are able to fully automate the process of enabling disk encryption. To fully automate BitLocker your device needs to run Windows 10 Enterprise, have a HSTI interface and the users needs to be local Administrator. But since Windows 10 1809, there are some new capabilities to start this automated process even on non-HSTI and Windows 10 Pro devices. MVP Oliver Kieselbach wrote a nice article about this which you find here.
Since Windows 10 1709 we have Firewall CSP settings to take control over the Windows Defender Firewall. It allows us to enable the firewall for the three profiles, control what the default action is for inbound connections, block or allow notifications and a lot more.
And Microsoft made it pretty easy to control these firewall settings since they added those settings to the Device Management portal.
Settings to take control of the built-in anti-virus solution of Windows 10, Windows Defender Antivirus, are also available from the portal. You can for example make sure real-time protection and cloud-delivered protection are enabled. And your users are not able to disable those settings.
But not only the anti-virus part of Windows Defender can be managed by using Intune. We can take control of all parts of Windows Defender like Application Guard, Exploit Guard and Smartscreen.
Another nice set of policies allows you to add support information to the Windows Defender Security Center. As shown below you can add the phone number, email address and url of your service desk to the WD Security Center, but also to WD notifications.
As last topic in this securing Windows 10 part, we have a quick look a the Security Baselines which are just release in public preview today. Using GPO`s we relied for many years on Microsoft to provide us a security baseline and use that as a starting point in securing Windows. But a security baseline for MDM was not available until today. These security baselines need to help us to further secure our MDM (modern deployed) desktops.
After reading this long post I hope you have a good view of what is possible with the Microsoft 365 suite in deploying and managing Windows 10 desktop. If you have any questions about Modern Desktop Deployment or something related, don`t hesitate to contact me.