But there has always been one missing piece. One of the hopes with Bring Your Own Device (BYOD) was that corporations would eventually let users buy their own computers and use them on the corporate network, cutting some costs for the corporation while giving users a choice in the brand of system. This didn’t always work, because the norm was still to re-image the system with the set of applications and settings native to the corporation. Concerns about third-party applications being brought into the enterprise kept raising issues, and then there is the fine line of who supports the device, especially when something happens to it physically.
Eventually, hardware became more mobile. Desktops and laptops became more compact and more advanced, and supporting the device came down to managing the operating system. Windows 10 version 1709 made it possible to join these systems to Azure Active Directory remotely using Microsoft AutoPilot, at which point the device could be serviced by Microsoft Intune, which also handles managing and installing applications. In some cases I’ve seen, corporate VPN apps and antivirus software were deployed to the system along with additional scripts that could join the device to the on-premise domain. Essentially, the best of both worlds.
With Windows 10 version 1809, a new preview feature became available: a hybrid domain join of the system to both Azure Active Directory and on-premise Active Directory during the configuration of the device. In some of the proofs of concept I’ve done for customers, it works just as advertised.
However, there are always tradeoffs; in some cases they work really well, and in others they don’t. Here is a list of the good and the bad of Microsoft AutoPilot with Intune:
Good – Joins the system to both Azure Active Directory and on-premise Active Directory. Today’s mobile workforce needs access to all resources, and having that on-premise option for management, legacy applications and monitoring is a must. This also covers third-party solutions such as BMC and LanDesk, whose clients can be pushed out by Intune, keeping the user experience as close to the old one as possible.
Bad – Domain join works, but to make sure it works 100% the whole process needs to take place on-premise, so that after the first reboot the device has line of sight to your on-premise domain controllers and pulls down policies from them as it should. Probably something that Microsoft should think about solving in the future. I think the biggest hang-up here is environments that don’t have DirectAccess for network connectivity, or ‘always on’ VPN solutions.
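A check for exactly this failure mode, added here as an example and not taken from the original post: after the first reboot, confirm on the device that both halves of the hybrid join completed and that a domain controller is actually reachable for policy. It parses the real `dsregcmd /status` output and uses `Test-ComputerSecureChannel` and `nltest`; it assumes it is run in an elevated PowerShell session on the freshly provisioned Windows 10 device.

```powershell
# Added example (not from the original post): verify that an AutoPilot hybrid join
# really finished and that the on-premise domain controllers are reachable.
# Assumes: elevated PowerShell on the newly provisioned Windows 10 device.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines (keys may contain spaces);
    # turn them into a hashtable, splitting on the first colon only.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoin {
    $s = Get-DsregStatus
    $azureJoined  = $s['AzureAdJoined'] -eq 'YES'
    $domainJoined = $s['DomainJoined']  -eq 'YES'
    $domain       = $s['DomainName']

    $result = [ordered]@{
        AzureAdJoined   = $azureJoined
        DomainJoined    = $domainJoined
        DomainName      = $domain
        SecureChannelOK = $false
        DomainController = $null
    }

    if ($domainJoined) {
        # A valid secure channel proves the device can talk to a DC right now,
        # which is what the post says VPN-less remote devices lack after reboot.
        $result.SecureChannelOK = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

        # Which DC the locator found, if any (exit code 0 means one answered).
        $dcOut = nltest "/dsgetdc:$domain" 2>$null
        if ($LASTEXITCODE -eq 0) {
            $result.DomainController = ($dcOut | Select-String '^\s*DC:' | ForEach-Object {
                ($_ -split ':', 2)[1].Trim()
            })
        }
    }

    [pscustomobject]$result
}

$r = Test-HybridJoin
$r | Format-List

if ($r.AzureAdJoined -and -not $r.DomainJoined) {
    Write-Warning "Azure AD join succeeded but the on-premise half never completed."
}
elseif ($r.DomainJoined -and -not $r.SecureChannelOK) {
    Write-Warning "Domain-joined, but no domain controller is reachable; policy will not apply until the device is on-premise or on VPN."
}
elseif ($r.DomainJoined -and $r.SecureChannelOK) {
    Write-Host "Hybrid join complete; DC $($r.DomainController) is reachable." -ForegroundColor Green
}
```

If the second warning fires, running `gpupdate /force` once the device is on the corporate network or VPN is enough to pull down the policies that were skipped at first boot.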
Good – Manage the system via Intune. In my opinion, System Center Configuration Manager isn’t going anywhere; there is always a need to manage a back-end on-premise infrastructure for software updates and for cataloguing what is on-premise. But for the mobile workforce, Intune will eventually be the better solution. Microsoft has already been addressing, and continues to address, migrating Group Policy configurations to the cloud, so they have listened. It just becomes a whole lot easier to do everything for mobile users with a tool built for those users, and Intune is it.
Bad – Little things that Microsoft should have addressed but hasn’t. Some you can work around, some you can’t:
- No good computer naming structure. One of my current locations bases the computer name on the country, followed by the city, followed by the building…. it becomes a management nightmare, because that means a separate domain join profile per site. Management nightmare.
- VBS scripts. Yes, I said it: some companies still rely fully on VBS scripts. I’ve pleaded with them to upgrade to PowerShell and get the cold shoulder. I think Microsoft should make a statement about this, but then again, Office 2016 was still using some VBS scripts under the covers for some things.
- Win32 apps. Yes, Microsoft has tools out there for installing legacy apps, but its packaging solution isn’t the best. It takes additional work to migrate and lots of testing.
Good, but bad – The workstation needs to be on Windows 10 version 1809. Just a few days ago, Microsoft officially labeled 1809 as enterprise ready. So it gets you up to date on the O/S, which is great, but many environments may still have trouble pushing it out ahead of the rest of the enterprise.
Smaller companies, or newer companies that can set policy to push the mobile environment, should have no issue whatsoever deploying workstations with Microsoft Intune, whether doing a hybrid domain join or not. Larger companies with a good number of processes in place? They might need to rethink how they are doing things.
Just some thoughts on the subject; we’d like to hear from you as to your suggestions and thoughts around Microsoft AutoPilot.