Breaking with Tradition: Microsoft's New Windows MDM Approach

While Windows 10 forces IT pros to adapt to a faster pace of change, its MDM enablement introduces new endpoint configuration and management approaches. Microsoft insists all you need is its Enterprise Mobility + Security service, but others beg to differ.

Microsoft may have backed away from its bold prediction that 1 billion devices in use would be running Windows 10 by mid 2018, but the company maintains it’s still the fastest-growing upgrade of the client OS to date. While it appears that enterprises are taking the typical measured approach toward planning their Windows 10 upgrades, migrating to this version will require IT pros to learn new ways to configure, deploy and maintain this OS.

Windows 10 breaks with two traditions when it comes to PC client management. One is the accelerated pace of new releases that replaces Microsoft’s traditional approach to upgrading Windows on average every three years. Unlike past new versions, IT organizations can no longer accept updates on their own terms and schedules. Second is the fact that Windows 10 is now mobile device management (MDM)-enabled, meaning organizations can opt to configure, deploy, and manage PCs and other devices based on the OS, using modern methods of enrolling mobile devices using MDM tools.

Since its release 18 months ago, Windows 10 has been installed on 400 million devices, according to Microsoft’s most recent disclosure back in September, though a majority of those are on consumer systems. IDC estimates that 162 million commercial licenses of Windows 10 were deployed as of December, and expects demand to accelerate this year. Last summer’s release of the Windows 10 Anniversary Update, version 1607, for many the equivalent of Service Pack 1, set the stage for many enterprises to stop waiting and move forward. A motivating factor to embark on, or at least plan, an upgrade to Windows 10 is that Microsoft’s support for Windows 7 is scheduled to end in January 2020. With less than three years to go, many want to avoid the last-minute rush they faced when Windows XP was deprecated back in 2014.

Adapting to Windows as a Service
The most immediate change IT organizations will see is the Windows-as-a-Service continuous release cycle. Similar to how mobile OS and cloud providers issue new releases, Microsoft pushes out new Windows 10 updates two or three times per year. Unlike the less-frequent service packs of the past, IT pros have limited time frames to push those updates out to devices if they want to receive future upgrades and patches.

IT managers with commercial or enterprise licenses have more breathing room over deployment of those releases than those with home or pro licenses, but Windows as a Service means organizations must sharply accelerate their ability to roll out these new releases to their users (see Ed Bott’s Windows Insider column, "4 Strategies to Stay Ahead of Microsoft’s New Timeline," on p. 30).

Microsoft has talked this up for some time, but the reality of Windows as a Service will surface at the end of this month, when Microsoft will end support for the first iteration of Windows 10 (version 1507), the "current branch for business" (CBB). Organizations can opt for CBB version 1511, released in November 2015, but Microsoft recommends organizations skip that and deploy last summer’s Windows 10 Anniversary Update, version 1607 (see "Windows 10 Version 1507 To Lose Support in March" at

MDM Enabled in Windows
Windows 10 MDM properties are based on the Intune MDM protocol, which is compatible with the Open Mobile Alliance (OMA) Uniform Resource Identifier international standard supported by most major hardware, software and communications providers. While Windows 10 natively supports Microsoft’s Intune MDM protocol, it doesn’t require Intune, Microsoft’s cloud-based device configuration and management tool. While that’s the future Microsoft sees for device configuration and management, Microsoft emphasizes that organizations can continue to deploy Windows 10 using traditional System Center Configuration Manager (SCCM) approaches and support Group Policy and Active Directory.

But longtime IT pros accustomed to working with SCCM can also now use the MDM capabilities in Windows 10 without having to install and maintain the full SCCM client to manage PCs (whether owned by the organization or the employee) as managed devices. Windows 10 effectively is built to allow SCCM to configure PCs (and other Windows devices) using modern MDM practices.

"MDM really is the future of management," said Steven Rachui, a premier field engineer at Microsoft, who described how to manage Windows 10 using the MDM Protocol and SCCM during the December TechMentor conference in Orlando, produced by Redmond parent company 1105 Media Inc. The SCCM client is becoming more MDM-capable, Rachui explained. Likewise, Microsoft is adding more MDM features with every release update of Windows 10, he added.

Among some of the MDM features Rachui discussed were software and hardware inventory management, conditional access, and PC device configuration, enrollment, and management. "Even from Windows 10’s initial release 1507, to 1511, to 1607 -- the Anniversary Update -- the capabilities of the client have become more and more broad as we have gone forward," Rachui added. "What we were able to do initially, we can do a lot more of now. Something the [SCCM] client does, it has more capability than MDM does, but for certain scenarios MDM might work perfectly for you today. And there are more capabilities in MDM than might initially meet the eye."

MDM likely won’t replace SCCM in large organizations anytime soon, given the broad mix of Windows versions in production, and the inherent complexities associated with configuring and matching those environments, says Forrester Research Inc. analyst Dave Johnson. "Endpoint management is hard. There are lots of aspects to it," Johnson says. "For example, automated patch management, moving large payloads around, getting software distributed to PCs on large enterprise networks that were never designed for large, bulk data transfers like that are all very difficult."

But as those large enterprise networks become less of a limiting factor, either through cloud migrations or datacenter modernization, and as Windows 10 gains richer MDM support and is replaced by older and more complex versions of Windows, some believe reliance on SCCM over time could diminish, though others say that remains to be determined.

MDM Platforms
The fact that Windows 10 is MDM-enabled is good news whether or not you use SCCM. But proponents say the ability to enroll Windows 10 using the same MDM approaches applied to other mobile devices ultimately will allow a unified approach to handling all endpoints, including those looking to support Internet of Things (IoT)-based hardware. Many large organizations already have experience using various MDM tools, which are likely to play more prominent roles as organizations manage various device types and Software-as-a-Service (SaaS) services and move toward federated identity management.

Among the largest MDM providers are MobileIron, Good Technology (now a division of BlackBerry) and AirWatch, which VMware Inc. acquired in 2014. AirWatch has evolved into a key component of VMware’s effort to provide unified endpoint management (UEM) to enterprises. MobileIron is considered the largest major independent MDM provider, though other suppliers that offer tools include Citrix Systems Inc., IBM Crop., SAP AG, ManageEngine and LANDesk, which recently renamed itself Ivanti, following its merger with Heat Software.

Enter Microsoft EMS
Microsoft’s entry to the MDM field three years ago, with the introduction of its Enterprise Mobility Suite (recently renamed Enterprise Mobility + Security [EMS]) with support for non-Windows devices was a surprise at the time because it was only a few months into Satya Nadella’s tenure as Microsoft’s CEO. EMS is a bundled, cloud-based service that includes Intune, Azure Active Directory (Azure AD) and Azure Information Protection for securing data. The properties of Azure Information Protection, available in EMS to prevent leakage of data, are now available in the Windows 10 Anniversary Update. The feature is called Windows Information Protection (see "Prevent Data Leakage in Windows," ).

Microsoft now claims EMS is the most widely used device management platform. In its late January earnings release for the quarter ended Dec. 31, 2016, Microsoft said 41,000 organizations now use EMS, which is a bundle of Azure AD, Azure Rights Management and Intune.

Azure AD has given EMS a huge lift, helped in no small part by the draw of the formidable installed base of AD users that can connect or federate identities with it. Even more broadly, every Office 365 user is automatically enrolled into Azure AD. Microsoft counts 80 million active Office 365 subscriptions.

MDM Competition Heats Up
Microsoft’s ability to bundle EMS with other services makes it a much more financially appealing solution to third-party MDM platforms and identity and access management offerings from the likes of Centrify Corp., Okta Inc., OneLogin Inc. and Ping Identity, among others. Microsoft argues defiantly that with EMS, there’s no need for third-party MDM and identity providers. "My advice to you, just come and use what comes from Microsoft," Corporate VP Brad Anderson asserted in a recent video announcing the pending release of a more integrated release of EMS. "It’s more integrated, it’s more simple, you’re going to be better off."

Anderson has become famous for such bluster, having made similar comments during interviews with Redmond editors in the past, most recently during the Microsoft Ignite conference in Atlanta last fall. Sumit Dhawan, the newly promoted GM for VMware’s end-user computing business, is familiar with Anderson’s tough talk about EMS versus alternative MDM platforms. Dhawan argues it’s not an either-or proposition between EMS and VMware’s new Workspace One platform, which brings together AirWatch MDM, VMware Identity Manager and the ability to offer managed desktops and remote apps via various cloud and hyper-converged infrastructure options under its Horizon offering.

"Brad and I have known each other for a while. He’s a good friend and, of course, a formidable competitor," Dhawan says. "What we see in the marketplace regarding EMS and Intune is that almost all components besides Intune are completely complementary to what we provide with Workspace One. For example, if customers are moving to Office 365, they’re moving to Azure AD. We actually embrace that, and we work with Azure AD. We work with the rest of their technology stack very, very well. We have customers who use our solutions together. The Intune product is the only technology that overlaps."

VMware and Microsoft forged an unlikely partnership 18 months ago, in which the two companies would collaborate in enabling AirWatch to better manage new Windows 10 deployments, including working together to address security threats. Despite their rivalry, the pact is among many mutually beneficial partnerships between competitors.

Microsoft still touts Azure AD as its most potent weapon. In order to compete, VMware continues to expand and promote its own VMware Identity Manager, which launched two years ago and is part of the Workspace One UEM offering. Dhawan says customers who choose to manage their devices with its management tools can use VMware Identity Manager without having to migrate from Azure AD.

"We think that customers will have multiple directories to store their credentials and potentially have different strategies for doing IDPs [identity providers] and SSO [single sign-on]," Dhawan says. "We provide a single sign-on solution out of the box for our customers so customers of different scale who haven’t invested in these technologies can make use of what we have in our solution." Likewise, MobileIron recently added an SSO component to its MDM platform called MobileIron Access. Many analysts believe Microsoft and VMware will wind up with the largest piece of the MDM pie, though there’s a strong market for best-of-breed solutions. Forrester’s Johnson says Microsoft’s push is attracting a lot of inquiries, especially from Office 365 and others that have Azure AD already populated. "They are very good with their licensing arrangements and create a favorable incentive for companies to make it harder for them to justify investing in something else," Johnson says. "That’s part of Microsoft’s strategy, but it’s also not a bad one. The customer ultimately benefits by having lower-cost access to a management capability that they need."

However, he predicts it’s not realistic to anticipate that Microsoft is going to continue to invest at the level necessary to match more iOS-centric or Android-focused vendors. "But they’ll always develop at least the basics and the core requirements that are needed to build a management capability," he says. One area Microsoft clearly is investing in is the core EMS platform.

Microsoft Upgrades EMS
Microsoft is currently in the process of rolling out a major upgrade to the service with a new administrative console that brings together management of Intune, Azure AD, Azure Information Protection, Cloud App Security and Office 365. "What we’re delivering with this new EMS console is an integrated administrative experience that makes the end-to-end scenarios we’ve enabled far simpler, much more powerful, and even more flexible," Anderson noted in a blog post outlining the upgraded service.

One such scenario that Anderson said will benefit from this integration is support for "Conditional Access," according to Anderson. Using Conditional Access, administrators can set policies and rules for access to an organization’s data, which the EMS properties of Intune, Azure AD and Office 365 services will together enforce in real time (see Figure 1).

[Click on image for larger view.] Figure 1. Conditional Access to policies with Microsoft’s new EMS.

Administrators can define access based on behaviors of identities, devices and types of network, and EMS will assess risk and grant access in real time, Anderson noted. Organizations can apply policies to more than 3,000 SaaS apps, as well as apps running in a datacenter. "All of this means that you no longer have to go to one console to set identity policies, and then another console to set device/app policies," Anderson noted. "It’s all together. Not only is it all in one place, but the capabilities of the service are also deeply integrated." The new EMS also removes the requirement for a Silverlight plug-in, allowing control from any native browser experience.

Citrix Integration with EMS
Looking to address the overall scalability of EMS, especially for hybrid implementations, Microsoft is working with Citrix following an extensive pact announced last year. The two have integrated EMS with the Citrix NetScaler application delivery controller (ADC) and load-balancing appliance. The result is the new Citrix NetScaler Unified Gateway with Microsoft Intune, released in January. Citrix said it lets administrators apply policies tied to EMS to NetScaler, allowing for conditional single sign-on access based on specific endpoint and mobile devices.

Citrix in January also released its Windows 10 Desktop-as-Service (DaaS) VDI offering that will run on Azure. The new service, called XenDesktop Essentials, is the first that allows a customer to run DaaS on Azure without the typical licensing restrictions of running virtual Windows clients on shared infrastructure. "That’s a key advantage of that partnership," says IDC Research Director Robert Young, noting it’s the first VDI service available using Azure with more flexible licensing terms.

"Microsoft customers who have licensed Windows 10 Enter¬≠prise on a per-user basis will have the option to manage their Windows 10 images on Azure through our XenDesktop VDI solution," says Calvin Hsu, VP of product marketing at Citrix. "Once XenDesktop Essentials is set up and running, the service can be managed by the Citrix Cloud." Citrix also said its Apps-as-a-Service offering, XenApp Essentials, poised to replace Microsoft’s Azure RemoteApp, will arrive this quarter.

The two companies are also helping each other fill holes in their respective MDM offerings. Using the Intune App SDK with EMS, Citrix will be able to manage its apps running on Apple iOS and Android. Citrix XenMobile will also gain support for Azure AD and mobile apps in both companies’ ecosystems, including Citrix Worx (its e-mail, calendaring, contact and note-taking app suite) and Receiver, the software that lets customers run XenDesktop and XenApp on multiple platforms. That will let users share information across those apps, while protecting data using the Intune App SDK controls. Right now, Citrix ShareFile, the company’s file-sharing and storage service, can be managed with Intune.

MDM Co-Existence with Intune APIs
While Microsoft talks tough about rival MDM tools, it stands to benefit from its partnerships with its competitors by ensuring those platforms can treat Windows 10 like other mobile devices. That’s why Microsoft has long promised to release its APIs, which the company finally did in late January in concert with its launch of the upgraded EMS. The Intune APIs are tied with Microsoft Graph. As such, Microsoft describes the new interfaces as the "Intune Graph API." According to Microsoft, the Intune Graph API gives developers programmatic access to Intune information and how to tie them to a tenant (Microsoft posted details on the Intune Graph API at

The API performs the same Intune operations available via the Azure Portal. Customers and partners can customize the console for their specific needs. As an example, Microsoft introduced a version for education that takes out features that a school district wouldn’t need. "The way that we have archi¬≠tected this where it’s built on top of the graph, it’s all a set of HTTP calls. It couldn’t be more simple and it’s consistent across [the] Microsoft [Graph]," Anderson said in the video.

"What that means is Microsoft doesn’t think customers would not want to use other solutions for Office 365 management and controls," VMware’s Dhawan says, noting the Intune APIs and SDK will allow organizations to integrate EMS with its WorkSpace One platform to enable the "co-existence" of the two. "Very shortly we will be able to provide those applications securely, and manage them using our Workspace One solutions right next to other applications," he says.

Naturally Dhawan doesn’t share Microsoft’s rhetoric that most organizations won’t need third-party solutions. Likewise, he doesn’t predict every ISV will incorporate the Intune API into their apps. "While there will be a small number of application ISVs who will adopt Microsoft’s SDK, we cannot envision every possible application provider in different industries, in different horizontal applications," he says. That’s why Dhawan is confident VMware’s AirWatch technology and WorkSpace One UEM portfolio will appeal even to those using Microsoft’s EMS. "We are going to have our work cut out for us," he says. "But we think the solution that we have is a strong offering and tremendous value proposition above and beyond what Microsoft offers as part of their Enterprise Agreements."

Indeed, EMS and the MDM capabilities in Windows 10 may have broad appeal, but large organizations have unique requirements and many don’t want to be tied solely to Microsoft. "They will compete on product, price, feature, function and that’s fine," Young says. "Many folks don’t want to buy soup to nuts everything from one vendor. A lot of customers don’t want to be locked in."


comments powered by Disqus

Subscribe on YouTube