Microsoft is creating a lot of buzz about their new “Modern Desktop” approach to Windows Operating System management.
What is the Modern Desktop and what does it mean to you?
The Microsoft Modern Desktop is a paradigm shift on how an operating system is managed on the PC. The goal is essentially to treat the OS as an abstracted layer on the PC that can be updated or replaced without affecting the underlying user’s data or applications. This shift is an attempt to transform how a PC is ultimately managed by treating it more like your smart phone verses the traditional PC. Just like your phone, most of your data and settings are stored in the “cloud”, making it possible to wipe the local device at-will without affecting the user’s productivity. In this model, the PC’s operating system is merely a facilitator to retrieve from online storage your data and applications.
What are the benefits of the Modern Desktop?
The benefits you will see from the Modern Desktop will depend on the maturity of your current desktop management process. For example, if your IT staff spends an inordinate amount of time migrating a PC with any manual tasks such as saving/restoring user data, reinstalling applications, and restoring the user’s settings, you will have great benefits from adopting the Microsoft Modern Desktop approach. This is especially true when the user base is remote and hard to reach. The user experience with the Modern Desktop is as simple as powering on a new PC and logging in. The PC, having been reinstalled with the generic (OEM) Windows 10 image, will essentially configure itself through a preconfigured dataset within the Microsoft Azure and Microsoft Intune environment. The PC joins the domain through Microsoft Azure, data stored in Microsoft OneDrive will become available again, and applications are reinstalled.
From the IT support perspective, new PCs are configured on Microsoft Azure and in Microsoft Intune. Items such as PC name, assigned user, basic policies, and applications available in Intune are all preconfigured. Once the PC is provisioned in Autopilot, the PC can be delivered to the user with no additional IT support required.
However, environments that are currently well managed will not see significant benefits by adopting the Modern Desktop, and in some environments, may actually lose some benefits. This is primarily due to a combination of the requirements to adopt the Microsoft Modern Desktop, the cost of the services provided by Microsoft, as well as the limitations, primarily around data and applications management. Because the benefits may or may not exceed the costs, it’s wise to conduct a full evaluation of your current state and shortcomings that may be improved by adopting the Microsoft Modern Desktop.
What is required for the Modern Desktop Experience?
Microsoft provides a suite of “Productivity Tools” that together make up for the entire “Modern Desktop Experience.”
Altogether, this requires the following minimum licenses:
|Microsoft Subscription||Published Cost|
|Microsoft 365 Business subscriptions||$20.00 per user/month – Annual commitment|
|Enterprise Mobility + Security E3 or E5 subscriptions||E3 – $8.74 user/month
E5 – $14.80 user/month.
Windows 1703 or newer – $199 / PC
|Azure Active Directory Premium P1 or P2 and Microsoft Intune subscriptions (or an alternative MDM service).||P2 $9 user/month,
EMS E5 for Intune $14.80 user/month annual commit.
Additionally, the following are also recommended (but not required):
- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services). $12.50 or $8.25 user/month annual commit
- Microsoft 365 F1 subscriptions
- Microsoft 365 Academic A1, A3, or A5 subscriptions
- Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- Intune for Education subscriptions, which include all needed Azure AD and Intune features.
Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
- In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
|Windows Autopilot Deployment Service||After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.|
|Windows Activation||Windows Autopilot also requires Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about the URLs that need to be accessible for the activation services.|
|Azure Active Directory||User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.|
|Intune||Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.|
|Windows Update||During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
|Delivery Optimization||When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
|Network Time Protocol (NTP) Sync||When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.|
|Domain Name Services (DNS)||To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.|
|Diagnostics data||Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
|Network Connection Status Indicator (NCSI)||Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI).
www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
|Windows Notification Services (WNS)||This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
If the WNS services are not available, the Autopilot process will still continue without notifications.
|Microsoft Store, Microsoft Store for Business||Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
|Office 365||As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).|
|Certificate revocation lists (CRLs)||Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains.|
|Hybrid AAD join||The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode|
|Autopilot Self-Deploying mode and Autopilot White Glove||Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:|
What are the limitations?
Although many of the benefits sound very appealing, there are considerable limitations to the Microsoft Modern Desktop, including technical and business limitations.
- No locally saved data is maintained. This could be very limiting for many power users, such as engineers, developers, and media specialists, where exclusive cloud storage is impractical or impossible. This data can be considered business critical to these users and data loss can be very expensive.
- Only applications stored in Intune as Appx packages in the Microsoft store can be reinstalled. This can be another large problem for the power user or for environments with many home-grown and/or unique application portfolios.
- Updating Encrypted systems is only supported with BitLocker. Unless BitLocker is your encryption choice, you will not be able to do in-place upgrades unless the current encryption is decrypted each time the PC requires a major upgrade, e.g., the semi-annual Windows 10 updates.
- Issue and misconfigured systems don’t recover. When something goes wrong with the process, the PC can potentially hang indefinitely or throw errors that are difficult to get past without intervention.
- Group policies are limited. If you’re used to the robust GPOs from an on-premise domain, you will find the policies available with Azure AD very limiting.
- PC must be connected to the Internet. There is not “Offline” option when it comes to provisioning with the Modern Desktop. All components, settings, and Applications are pulled down from the cloud.
- Licensing. A Microsoft Enterprise agreement, E3 + the Mobility pack is required for this to work. This could be costly.
- Process. Business processes may need to change in order to accommodate the new way of provisioning systems.
- Security. Current security policies would need to be evaluated, including opening access to the cloud and how local data is protected.
Are there alternatives?
Yes! The Modern Desktop approach is not a new one. It is in fact a concept that we at Swimage have embraced and adopted with our software, Swimage, over the past decade. The goal is to make the lives of both IT and the user as simple as possible under nearly any circumstance.
Swimage has specific technology that will allow for data and applications to be detected and restored automatically, regardless of where that data may be located. It also efficiently handles all ends of the spectrum, from the mass rollouts (thousands at a time) to the single hard-to-reach home user. Swimage seamlessly integrates with current Microsoft infrastructure, such as SCCM, which augments and enhances your current investments, not replaces them.
Swimage easily handles all of the following scenarios:
- Automated self-deployment with pre-provisioning configuration
- Remote and self-service deployment kits
- Mass deployments, all hands free
- Keep systems encrypted at all times with any type of encryption
- PC-to-PC migration, directly migrating all data and applications
- Template-based PC provisioning engine
- Data stored locally or on the cloud
What can Swimage do for you?
We have been working perfecting Windows PC management and deployments for decades. We will evaluate your current processes and recommend the correct solution to optimize your PC management based on your business needs. Other solutions, including Microsoft’s Modern Desktop, expect your IT and business to conform to them, which may not be what you need and may cost you more in the end.
Swimage can show you how to optimize your PC management with Swimage and meet your budget goals with a positive return on investment, too!