- Tim Mangan, TMurgent Technologies, LLP
Microsoft thinks that you, as Windows administrators, should modernize how you manage computing resources and users. While I appreciate the concepts and direction, it might not make sense for every organization -- yet. You must first buy into modern Windows application management and then proceed tactically where and when it makes sense.
This strategy involves provisioning devices with an operating system, applications and identity management, and enforcing policies that control those applications. Today, you probably achieve this on premises using a combination of imaging, System Center Configuration Manager (SCCM), application virtualization and Microsoft Active Directory (AD) with Group Policies. Microsoft's modern Windows application management approach is to move all of this control to the cloud to free IT from having to host the infrastructures you use today.
Where modern management is headed
There are limitations to modern management. Microsoft's capabilities continue to evolve, but the inability of its Intune device management tool to handle the majority of applications presently deployed in organizations -- Win32, .NET and Java -- will keep you from going fully modern today. Microsoft is working on that through its new MSIX project, but it has a very long way to go. An often-overlooked aspect of Intune management is that its cloud-based Azure Active Directory (AAD) policies have nothing like the breadth of on-premises AD Group Policies. You may not really need most of that stuff, but chances are your current policies have become so institutionalized that the change itself becomes a huge burden to your organization.
Modern Windows application management can make sense for small startups that have no infrastructure and limited applications. For larger organizations, co-management is an option, but it is not a magic bullet. Co-management -- using both on-premises SCCM and Intune -- means doubling down; you have desktops that are both AD and AAD joined, using Intune for some things and SCCM for what Intune cannot handle.
Still, there are opportunities for large and medium-sized businesses to use modern Windows application management. The best approach may be to think small, such as at the departmental level, where you can fully adopt the modern strategy and avoid co-management. Isolating groups that have simple application needs that you can control via Intune alone allows IT staff to learn the modern management methodology without adding a huge risk or burden to your organization.
As you build those skills and knowledge, and the modern technology improves, you are then prepared to expand by converting additional groups or experimenting with co-management once modern can handle 80% of your needs by itself.
Along the way, the tooling will improve. Microsoft's recently announced MSIX app packaging format might help bring support to modernize a higher percentage of current app portfolios. It will allow for legacy apps to function like Microsoft's Universal Windows applications and for IT to distribute and manage them with unified application management tools. But it is too early to tell how well this approach will succeed.
Moving the control plane into the cloud, no matter where you keep the data, will ultimately allow administrators to gain advantages over those that remain bogged down by today's internal infrastructures. Over time, you will figure out if you can trust a service provider to keep your business running. If they fall short, we'll develop backup plans for successful Windows application management.
Dig Deeper on Windows applications
Explore the benefits behind SCCM tenant attach
SCCM vs. Intune: A closer look at the capabilities of each
January 15, 2020: It’s time for Windows 10 modern management!
VMware Workspace ONE for Microsoft Endpoint Manager: What does it mean?