Krome Cast: Tech-IT-Out
KROME CAST: TECH-IT-OUT - Simplifying the Desktop Deployment Process with Intune and Autopilot
In this episode of Krome Cast: Tech-it-Out, we discuss Modern Desktop Management, including how using Microsoft Endpoint Manager tools, Intune MDM and Autopilot can simplify the desktop deployment process.
Enterprise desktop deployment and mobile device management can be a challenge for any organisation: you need to build and maintain multiple corporate desktop images, deploy modern applications and roll out updates, effectively and often remotely.
With the advancement of cloud solutions such as Microsoft Endpoint Manager, we discuss the benefits of using cloud-based mobile device management (MDM) and mobile application management (MAM) tools, and how Microsoft Endpoint Manager compares to SCCM.
This podcast features Krome’s Commercial Director, Sam Mager, along with Technical Consultant Simon Ringrow, sharing their insights on the evolution of desktop deployment and offering a brief introduction to Microsoft Intune and Microsoft Autopilot.
For more information contact 01932 232345 or www.krome.co.uk
► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.
► KROME WEBSITE: https://www.krome.co.uk/
► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/
► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk
SPEAKERS
Sam Mager, Simon Ringrow
Sam Mager 00:01
Welcome to Krome Cast, Tech-it-Out. I'm Sam Mager, Commercial Director for Krome Technologies. I'm joined today by Simon Ringrow, Technical Consultant.
Simon Ringrow 00:08
It's so nice to be in a building and see someone face to face again, Sam. Thanks for having me.
Sam Mager 00:12
No problem. So we're here to talk about managing a modern desktop environment using tools such as Microsoft Intune, although I've just learnt they've changed the name to make it even more confusing, so it's Endpoint Manager now, under that umbrella?
Simon Ringrow 00:23
Yeah, Microsoft Endpoint Manager, yep.
Sam Mager 00:25
Okay, cool. And we're also talking about the comparison of using that to manage, I guess, evolving modern environments, compared to, I guess, what I'm more experienced in, which is kind of SCCM, and that is now legacy, really. And I guess the differences and advantages, where we should be using it, where we shouldn't be using it, and the overall difference in how we use it to automate, etc., etc.
Simon Ringrow 00:44
Yeah, so I think one of the most common words you'll hear buzzing around is Autopilot. So that is effectively a bolt-on to Intune, and Intune is the old name for Microsoft Endpoint Manager. So it's most prevalent, it's most useful, if you think about the old-school method of how we used to deploy a desktop image. Typically, you would have a technician who would go away, he'd wipe the machine clean, he'd download all the drivers for the device, he'd install Windows, he'd install applications, he'd create what was then known as a gold build.
Sam Mager 01:16
And that's kind of where, if I go back to where I started with this, imaging, and literally, yeah, I remember gold images on a USB stick or external drive and kind of starting from there. Very early days, using things like Ghost and whatnot to drag those across networks.
Simon Ringrow 01:29
Yeah, so Ghost had its problems, along with some of the other cloning technologies around those days, and it's quite an antiquated approach. And then if you had different requirements for different departments within your organisation, you then had to create a gold build for finance, you had to create a gold build for IT, a gold build for legal, and so on and so forth.
Sam Mager 01:48
We had eight different gold builds for a customer once that we had to manage, so yeah.
Simon Ringrow 01:53
So cue SCCM: they introduced the task sequence, the concept of wiping the machine, installing an operating system, loading the drivers and installing a specific set of applications for a department. The fundamental issue with a gold build was that you had one build and it was fixed in its state. When SCCM introduced the task sequence, you were able to adapt the build according to which department you were targeting, which made the whole process much more flexible, and you could make fluid changes. If, for instance, there was a security outbreak, you could update your application, and the very next build that's created would have it available; you wouldn't have to go through the whole process of redeveloping your build. Cue Intune: so your desktop technicians will go and specialise in desktop, they'll find all the drivers for your build, they'll put your desired set of applications on that. That's their focus, that's what they do. With it, if you've got SCCM, you've also got a SQL server to manage.
Sam Mager 03:04
That's true yep.
Simon Ringrow 03:04
SCCM infrastructure, you've got to pay for that initial hardware, and you've got to maintain it.
Sam Mager 03:09
One thing I know about SCCM is that it is quite an unwieldy thing to manage; obviously, quite an investment in the actual hardware. You mentioned things like SQL and whatnot. It's quite a lot to actually manage just to do, let's not call it simple things, but, you know, to get your applications out there, to get your updates and whatnot. It's a fair investment, and it's a fair overhead.
Simon Ringrow 03:30
Yes, so your deployment engineer, your SCCM specialist, for want of a title for that person, not only have they got to be a desktop specialist, they've also got to be an infrastructure specialist. And so splitting their discipline into two areas can consume time, and it slows the whole process down.
Sam Mager 03:49
Or you've got to put more resources in; you've got to have someone actually dedicated to doing that, someone just dedicated to doing that. And your total cost of investment increases exponentially.
Simon Ringrow 03:58
Yeah. And invariably, there's crossover between the two disciplines, and so, therefore, you've got to have a tightly-knit team working together to achieve your end goal. So cue Intune. So what's so great about Intune? Why are we here talking about it? Essentially, what that's done, in simple terms, is taken SCCM and put it in the cloud. So you're able to deploy a build with no infrastructure. Simply, you power it up, you go through the manufacturer's OEM setup, and at that point it will ask you: do you want to sign in with your work credentials? As you sign in with your work credentials, it goes off to Microsoft, it recognises who you are, then it begins to deploy a profile, and then the necessary applications, and then, given half an hour, 45 minutes, after several reboots, you've got a working device ready for business.
Sam Mager 04:52
Interesting. I mean, especially for us, we obviously manage, historically we've used a lot of SCCM. We have distribution points down in our build rooms and whatnot, where we're connected to client sites where we're still using SCCM. They will ultimately, no doubt, evolve to using Intune. And actually, we talked before about your reference to one of our previous podcasts, where Rupert and I talked about the evolution of Everything-as-a-Service. We talked about certain things like 365; whilst there are people that potentially wouldn't use 365, the majority of people do, and it makes sense, right?
Simon Ringrow 05:22
Yeah.
Sam Mager 05:22
I think this is where, and you can correct me if I'm wrong, but this is a conversation we've had, I just see there's no real reason that you'd want to keep all that legacy infrastructure on-site and manage it all yourselves when you could easily adopt it in the cloud. And, as I just alluded to there, the whole build process is far simpler and easier in this kind of new iteration, and compared to the previous it is a big step on.
Simon Ringrow 05:43
Yeah, I almost look at it from a selfish point of view: why would I want to worry about supporting all that infrastructure? I'd really want to focus on creating a slick, automated build that's going to improve the user experience no end. However, Intune isn't the answer to everything. There may be some applications that won't work from the cloud, or there may be some security reasons that you would still want to run some on-premise. So in that case, guess what, you can use Intune to deploy a VPN, and then you get access to your on-site infrastructure.
Sam Mager 06:16
Okay, so I guess if you put that into some context for someone like us, and, you know, because the audience won't know, but you and I have worked together for an awfully long time, we've done some very big desktop estate projects, and thinking back to some of those, you know, we've had literally thousands of boxes through the door, and we've had to use SCCM to image an awful lot of machines. But that's time on the deck there, an engineer in front of it to make it happen, reboxing it, and then an engineer takes it out and does that white glove, the Rolls Royce service to desk. And obviously, fundamentally, that changes with how we do it as a service provider. There's little nuances we need to understand, as we've learned from the past: the kind of hash codes on the outside of the box makes life a lot easier, remember that one.
Simon Ringrow 06:57
Yeah, so hash codes, that's when you take unique identities from the machine, you register that within Azure, then as the device powers up, Microsoft knows that it belongs to a particular company, and then it will download the relevant software. There's kind of two ways of approaching that. There's a magic five presses of the Windows key, and that will then go into what is Autopilot, which I mentioned earlier. And so then, with no particular identity, it downloads your sort of core set of applications, your base build; then that's ready for use, you can then ship that to the end-user, and the end-user can then sign in with their credentials. As they sign in, we authenticate via Azure SSO and MFA. When they're signed in, then if they've got any specific line of business applications, they will then come down on top.
Sam Mager 07:51
Will that then, just so we touched on on-prem, so if they've got a bunch of stuff we can do with Intune... I want to go back to Intune and Autopilot, because I always kind of bundle those two together, but they do different things; we have to differentiate. But so we use the hash code, we download the, I guess we call it the basic setup, one correct way of putting it, it ships to you at your desk, you log in as Simon Ringrow, it knows you're part of Krome's Azure tenant and whatnot. I'm assuming then it goes to some of the on-prem apps and it does the final overlay to get your build.
Simon Ringrow 08:18
It's not specifically on-prem. So typically, I have administrator access to an environment. So a base build may go out, let's say, with Windows patching, Adobe Acrobat, Microsoft Office, basic office automation tools. Then as I log in, it'll recognise who I am, I'll be a member of specific groups, then it'll allocate the applications associated with those groups to myself, and they'll download in time. Some will download automatically, some will be available for me to install at my leisure, depending on how the application has been configured.
Sam Mager 08:57
You just said you're an admin, right? So let's say I'm not, clearly, best keeping me off everything. So if it arrives on my desk and there's apps I don't have, how do I get them to my desktop or my laptop?
Simon Ringrow 09:07
So the app provisioning within Intune is very much similar to SCCM, and the way most organisations will do it: they'll package an application, they'll import it into their deployments, and they'll associate, most likely, an Azure group to it. Azure also has dynamic groups, so if your profile fits certain criteria, perhaps if you're a member of finance, or you live in a certain area, you will be added automatically to a specific group; then that group will be associated with an application, and that application will be deployed to you. That can be done one of two ways. It can be made a required application, you don't have to worry about that, which means it will just automatically come down. Or if it's something perhaps you're not likely to use that often, or if you use a number of machines and you only want it on one specifically, for instance, I know yourself, Sam, you have a desktop here and you have a laptop at home, so you may only want the app in the office, then you can just go into the software mail and something...
Sam Mager 10:11
Actually, we just talked about what we can control. So let's say it's not me but someone else, and we want them to have access to X in the office, but not Y on the laptop at home. We can control all that as well, right? So they only have location-specific access as well.
Simon Ringrow 10:23
Yeah, we can do that by dynamic groups, or we can do it by provisional, so conditional access; there are a number of methods. Essentially, Intune is a SQL back end, so there's a whole load of queries that we can create to target applications to users based on set criteria. We also have exclusion, so if you're a member of finance, but you're only a junior member perhaps, then you won't get this application.
Sam Mager 10:56
Yeah.
Simon Ringrow 10:56
You know, I'm trying to think of another scenario, but I can't at the moment.
Sam Mager 11:02
I understand the kind of concept; there's a lot of control. And what actually struck me, you and I talked about this, there is a direct comparison, obviously, because this is an evolution of SCCM, there's a lot of stuff obviously we could do there. The thing that struck me with SCCM was that it seemed to be, for the most part, the reserve of the bigger companies, because it made sense to make that investment: they had a lot of desktops, there's a lot of overhead. For smaller companies, you kind of set it up for that refresh, and that would be a painful process, but it didn't warrant the investment in SCCM. So you seemed to see it in the larger enterprises, right, and there were always complaints that it was a bit costly, it's unwieldy, it was a bit of a pain to set up and whatnot; no one seemed super happy with it. But from conversations we've had, you know, it seems to be that with Intune and Autopilot, and actually I'd like to get to the Autopilot bit in a minute, but Intune certainly is no longer the reserve of large enterprise. This is fit for purpose for your 10-user company to your 10,000-user company and everyone in between.
Simon Ringrow 11:58
Yeah, I mean, it doesn't come at bargain basement cost, let's be honest about it. However, if you've got on-premise infrastructure, you've got to have an army of engineers to look after that, you know, depending on the size of your organisation. Because Intune, stroke Azure, takes that away from you, and it is all cloud-based, you haven't got to worry about patching the servers and maintaining all that hardware, which in turn means that a smaller organisation that has a smaller IT team can still have large enterprise capability, because it's all facilitated via the cloud.
Sam Mager 12:33
Yeah, I mean, that's a clear benefit for the guys that haven't been able to bite the bullet and make that investment, or just haven't had the budget or staffing, you know, to be able to do that. There's clear benefits.
Simon Ringrow 12:43
Yeah, I think as well there's a few small niche companies out there that really do require an enterprise offering, but it just doesn't make sense for them to invest in all of the infrastructure and, you know, have a huge IT team as an overhead, and then that brings that offering to the table for them.
Sam Mager 13:07
Going back, as I said I would, I kind of just, in my brain, bundled Autopilot and Intune as almost one and the same thing. Obviously they're very different things, so for anyone like me who has made that mistake, if you could just tell us: this is Intune, and this is Autopilot, and where they actually work together.
Simon Ringrow 13:21
So fundamentally, Intune is a software deployment mechanism, a method of patching your devices, a method of enforcing configuration and policies upon them. So, for instance, you could lock down your web browser, you could configure an application in a specific way so it finds the correct servers that you're connecting to, and so on and so forth. And all that is done within Intune. What Autopilot brings to the party is the white glove part of the process. So when you want to provision a machine, as I said, the magic five presses of the Windows key will initiate the device; it will go off to the internet, the hash code of the device is registered in Azure, and it will then download the applications as if you had logged in, but without logging in. So you can have a device almost without an identity but with the correct configuration, and then it goes to the end-user. As opposed to that, you can pretty much repeat the same process, but you would have a few more setup steps to go through when you power the machine up the first time round, and then when you sign in, it uses your user account to identify that you belong to an organisation. On the one hand, it's the hash, Autopilot and the hashing, that gives you a hardware-based authentication, and on the other hand, when you sign in with your user ID and you prove who you are through your MFA, that gives you a user authentication. But the end result is you get an automated installation of Windows and all your software. Just to go back on something I mentioned earlier, about how typically, in the past with the gold builds, a technician had to go away and find all of the relevant hardware and drivers for the device.
The approach with Intune and Autopilot is very much different. You actually don't wipe the machine; you take it from the vendor. For instance, say with Dell devices, they'll come pre-installed with all the drivers to run the machine optimally. We don't want to take that off; we leave that in place, we boot the machine, then we sign in and we download the applications. So effectively, rather than creating a machine, we've transformed a machine: we take it from an off-the-shelf device that could be targeted either at consumer or commercial, and we turn it into a business machine.
Sam Mager 16:07
Interesting. Actually, I do want to cover this, because it was still not that clear in my mind. I'm used to, you know, talking to customers around packaging and all that sort of stuff, and the difference, I guess, in how we used to do it in the SCCM days and whatnot. And you and I know a fair bit about packaging and the success, or not success, of some of those sort of endeavours. How is that different? Is it different in Intune? Or is your packaging just still that, we can't change that? Or how has that evolved?
Simon Ringrow 16:34
So fundamentally, your approach to application packaging hasn't changed. Microsoft has made available, for instance, Microsoft Office, that's available via the web, and you can provision that, and there are various applications available in the Microsoft Store; you can make those available through Intune. But when it comes down to your line of business applications, you go back to your core, basic packaging skills. So, for instance, we've recently heard about Windows 11, that's coming soon, and so the appropriate way to approach that would be: you'd go through your testing and validation process, make sure your application works on it, you'd put that into packaging, a packaging team, they would patch the app, configure it, customise it for the target environment. When that's done, the change then is that you use an Intune tool to, if you like, wrap the application into what is effectively a zip file. You then upload that file to Intune, and then it's almost like for like with SCCM, Configuration Manager, Microsoft Endpoint Manager, the many brands Microsoft has given it. And you'll be able to set the command-line options for the application you want to install, you can set criteria that it must only install on 64-bit Windows, it must only install on a specific version of Windows. And you can set the criteria both for and against it, and by that what I mean is that a specific device must meet this criteria, but it also must not meet a second set of criteria. And again, as I alluded to earlier, you can assign that application to groups, and you can have groups that are included, that will be in it, but if there's a crossover of groups, if someone is a member of two groups, then you can also exclude it. Typically I use this whereby an application might be available to a production environment, and then I'm introducing a new version of that application.
So then for the new version, I'll exclude the production users from that, and then I'll just add the pre-production or UAT testers to that, so that you can effectively put a test application into a live environment in the confidence that it's only going to hit your target users, the people who are going to test it.
Sam Mager 18:59
And not ruin everyone's lives.
Simon Ringrow 19:01
Yes.
Sam Mager 19:02
Okay. I mean, as someone that is hands-on with it, I guess, kind of to wrap up almost, but I want to get this part out of you: you've used both, you're very experienced in the SCCM world and prior, and you're obviously very versed in Intune now. I guess, what's the top things, your top salient points, for why this is better?
Simon Ringrow 19:23
I'm glad you asked that question, because first I'd like to say I was very much a sceptic at first. Having traversed through the gold build process, through SCCM and using other third-party tools to create a build, going into the cloud, is it really going to work? Do we really just want to take a machine off the shelf and, you know, have the faith in it that we can deploy it to that? I'm very much a convert now. The big takeaways for me are: one is the time and effort that goes into, as I said earlier, acquiring all those drivers and creating the new build; the lack of investment in infrastructure. I'm aware that for some of your clients, you've put in a point-to-point VPN so that they can have an SCCM deployment server on-site and connect to their domain. You don't have to worry about it; all you need is an internet connection. So pretty much you can do it anywhere on the planet. That said, there are some organisations that it might not be so suitable for. I did some work for a construction company, and one day I was in a plush office in the centre of London, connectivity, 100 gigabit LAN, and so on, and then the next day I was in a portacabin working off, like, a satellite connection. Yeah, it was a very much different experience. And just jumping back to a previous point, we spoke about Autopilot and Intune. So Autopilot lends itself to those portacabin scenarios: we'll prep the device and get it all up to date and then ship it, working. If we go into the office, then we can potentially pass the device to the user and let them go, just simply sign into the device and let it, you know, let it provision in their presence, because time, well, not necessarily time, but bandwidth isn't an issue.
Sam Mager 21:24
Yeah, okay. So I guess my point is that it's really become simpler, it's become easy to use. Microsoft has done us a favour, popped it in the cloud, to save us the expense of going on-site, the investment and management. And it just, yeah, as we've seen, obviously, we've been using this, and then we can use it for our customers as well. It is simple, and the naysayers before, who didn't trust it if it's in the cloud, clearly have become converts or even evangelists.
Simon Ringrow 21:48
Yeah, absolutely. I mean, you say simple; it's not always simple. It's a constantly evolving product, and, you know, with Microsoft, every couple of months there's a new release, a new flavour for it. An area I particularly worked on was taking all the legacy group policies; you know, you can import those policies into Intune. What Microsoft are now doing is making those policies natively available within Intune, so you don't have to go through the process of importing your old-style policies. And as it's constantly evolving, constantly moving forward, you know, in my opinion, it's a very good investment.
Sam Mager 22:25
Brilliant, thanks Simon.
Simon Ringrow 22:26
Great, cheers.
Sam Mager 22:28
And thank you for joining us on this edition of Krome Cast, Tech-it-Out. Please remember to like, subscribe, comment and share, and if there's anything you'd like us to cover in future episodes, do that in the comments below. Thank you.