

I'm Jason Githens, I lead the Config Manager product team on the enterprise client management team along with our Intune product. And over here we have Deen, who's on the Windows team. So Deen's gonna talk about the principles of managing Windows, traditional and modern. And then I'm gonna come back and discuss the overview of Config Manager versus Intune management. The reason we put this session together, primarily, is that one of the most common questions we get is,

When do I manage Windows 10 with Config Manager? When do I manage it with Intune? And it's a great question and what we wanna leave today with is super clear guidance on how to think about those two different management styles of traditional and modern. One bold statement I wanna make is that Config Manager is not dead, it is still a reality, we will continue to invest in it. It will be around for years, we can't even see the horizon at which point it goes away because it's so far out.

So, just to put any fears to rest if you're the active user of ConfigMgr, it's not going away, we continue to invest in it. I'll get into that, I'll give you some numbers to prove that my words aren't just words because I run the product team, that they're actually backed by data. It's always good to reinforce my lines with some factual data so I'll get into that later. That said though, Intune and Windows are evolving to where modern management is a viable scenario for enterprises.

It's going to be a journey by customer, by users within that customer, and it's going to evolve over time, so both styles are valid. We're gonna try to be super crystal clear on these scenarios to consider for what's right for your organization specifically. So with that, I will turn it over to Deen to take you through the Windows background and then I'll jump back in to discuss Intune and in ConfigMgr.

>> Sure, thanks Jason, so my name is Deen King-Smith, I'm a program manager on the Windows device management team.

Early this week I did a session on the road to modern management and thanks Jason for inviting me to join this talk. I wanted to take a moment and talk about traditional versus modern management. So quick, handful, this room is huge, quick raise of hands, how many people have used any of the components listed on the screen right now? That's probably the vast majority of you. This is what we think about when we think about traditional management,

Group Policy, preferences, Configuration Manager, primarily on-prem and primarily desktop. If you think about this in the context of your traditional IT lifecycle, it tends to start with acquiring Windows. Either through the volume licensing agreements or going out to Best Buy and buying a thousand devices from your favorite OEM, but it can be a fairly complex process. This is followed by deployments, one of the things that I had the wonderful experience when I was in undergrad,

had internship on Wall Street. And we actually took an entire floor of a building offline to deploy Windows. PC booting took about 45 minutes as you walk around to every PC and keep hitting the buttons. Mind you, this was Windows XP, so it was a long time ago. But it was a cumbersome and overhead intensive process. We've heard feedback from some of you guys that you actually just hire high school students to sit in the warehouse and

pop a USB drive in and push out your images that way. From an identity standpoint, it's Active Directory primarily on-prem. Then we get into managing device applications and this whole update cycle. Making sure you have the right policies and the right settings and the right security infrastructure in place. Make sure your applications have the right compatibility story to actually be used by your end user. As we took a step back and looked to traditional management,

well, we found that 56% of IT's time is being spent on actually this granular day to day management. All 3,000 plus group policies, all 1,667 IE group policies, these v on IE teams that the number ingrained in my head for the rest of my life. [laugh] But there is a lot of time spent here. And as we think about modern management we want to see what we can do to simplify this experience. To make it cloud enabled, to make it as secure, and productive, and lightweight as possible.

We talked about traditional management tends to be desktop and on-prem only, we're not on-prem right now and I definitely don't have a desktop with me. So what does that mean for management? What does that mean for security? What does that mean for reporting? Which brings us to modern management. So if you ever come out to Redmond, I encourage you to come visit sometime and swing by my office.

You'll see this quote on my wall and you'll see this quote on my door. This is kind of like my team's guiding principle, when we think about what management capabilities you want to light up in Windows, it's all about this. Satya talks a lot about a cloud first, mobile first world. For your end users, it's all about productivity anywhere as long as you have an internet connection or even when you don't have an internet connection, we want to empower all of our end users to be productive.

For the IT admins in the room, it's about manageability, it's about making sure that your end users' devices are always up to date, always have the right configuration. They're running on Windows as a service, you're managing how those updates are rolling out. For the security folks in the room, it's all about making sure that the actual asset itself and the enterprise data's secure. Whether on the device or really wherever that ends up living. This is especially critical when we think about BYOD scenarios.

So let's take a look at modern management in the, again, this IT lifecycle. This is essentially our north star where we ultimately want to get to. Simplified user licensing, Windows as a subscription, so you are no longer buying 20,000 seats when you only need five. For smaller businesses it's about if I bring one person on board I am paying for that one person? If I bring 20 people on board I'm paying for those 20 people. This is how we want to package and distribute Windows long-term.

For [inaudible] it's all about the cloud. That internship experience that I had, that was exciting, I was in New York in the summertime, I had a blast. I don't want my nephews to have that experience, because when they get to their internship, they should get a device, they should log in with their user, their Azure Active Directory credentials. And that device should get up and running by itself, pulling directly from the cloud with the right applications, the right settings, everything that user needs to be productive out of the box.

Analytics, management security and map management, think of that as your on device experience. Leveraging with the Windows analytics platform our telemetry offerings, to make sure that as you as IT admins and IT professionals can always know what's going on with that device. Windows Defender Advanced Threat Protection to make sure that we're dealing with advanced persistent and threats and things along those lines. And last but not least, updating.

If Windows is truly a service, you have to make sure that you have a great experience around updating. And that's not only just the operating system but your applications. Leveraging the power of our enterprise store to package its traditional applications, leveraging Centennial and other technologies. Distribute them to the store, manage them through the store, simplify licensing, excuse me. And of course from our management standpoint Intune,

we wanna make sure that we have a great experience end to end. So what does all this mean to you? At the end of the day, it's about costs. I put that 56% number up, but time, as you know, generally directly links to cost. If you spend a week doing something, that's a week of time and a week of cost that could be used doing something else. So when we think about our Windows 10 management principles, it's all about reducing cost and reducing TCO.

By creating synergies between, wow that's a buzz word, creating synergies between our client offering and our cloud offerings within to our cloud management and Azure Active Directory for identity. If you were, if you stopped by my talk on Tuesday, the on the road management, shameless plug that's online, take a look at it. We talked about some of these different strategies around how to move from traditional to modern management. The second piece of this is around insights. If everything's running in the cloud and everything is piping up all

this lovely telemetry, what can you do with that? We wanna be able to provide you rich it, we wanna provide rich insights to all of you so that you can know when my Surface Book, not my Surface Book, my Lenovo laptop, when the hard drive's about to fail. So if I'm a consultant before I go on the client side, you say hey Deen, come over to the help desk, let's swap out your hard drive, let's swap out your laptop. Cuz we're starting to see data that's telling us that you're reaching that threshold when your hard drive might fail.

And last but not least this comes back to the experience that I mentioned earlier that I want for my nephew when he gets his first internship, assuming this technology. Another conversation though, it's around empowering and delighting users. As a user, the last thing you want them to do is have to get this brand new machine and wait. Who in here likes waiting?

I surely don't. Not looking forward to file the ATL because I know it's gonna be a long wait in security, but we wanna cut all that down, self-provisioning, getting up and running as quick as possible, applications just popping up on the device. So with all these management principles that brings us to a couple of challenges. And for this, I'm going to hand the floor back over to Jason to talk about these.

>> Thanks Deen.

>> Thanks Jason.

>> So, this is really the crux of the conversation, this table. These are the comparisons of traditional versus modern management. And the way to think about this, the way to process this slide, is going left to right. Each of these rows is really its own line item of things that you have to resolve to move from the middle column to the right-hand column.

These are the pieces that you would have to address. And some will be faster than others, some will take longer than others. It's a combination of Windows evolution through the rapid iteration and innovation of Windows to enable modern management to deliver that cost savings that Deen talked about in a number of these areas. So taking the first row, provisioning. The OS deployment, imaging refresh as driven by Config Manager is the common way to deliver Windows today.

That will probably be the common way customers get from Windows 7, 8, 8.1 to 10 as well. It's a standard approach, it's well known, it's well understood, but it is complicated, it is costly. But that is the primary way to get to Windows 10 today or you can use native upgrade also driven by Config Manager. The modern equivalent of that is really when you get out of the imaging process. You do AAD join, autoenrollment into Intune, or use

the provisioning tool that's also been developed by the Windows team to really pivot that vanilla SKU that you got from your manufacturer into something productive, secure, and usable by your end users. A number of things have to happen for that to be a reality, however. You have an existing population of hardware that's already domain joined running a version of Windows, probably Windows 7. Those aren't just gonna be thrown out to get new hardware that's gonna be handed to the user, that's gonna be AAD joined and Intune enrolled. So you have to get those to Windows 10.

That's an intersection point where Config Manager is still the best tool to do that. As you get new hardware, as you have for example some class of user for whom modern management is the perfect thing for them cuz for example they are really in the office. They use universal apps so they have a small application stack. You don't have five hundred group policies you need to apply to their devices. That might be an opportunity to go to the right-hand,

the blue column on that particular use case. Send them a box with a Surface Pro in it, they open it, they put in their credentials, it enrolls in Intune, gets policies and apps, and off they go. Second piece is around identity and authentication. I'm pretty sure everyone in this room uses Active Directory, that's the common identity service for on-prem today. The online corollary of that is Azure Active Directory. The difference between those two,

the key difference between those two is that Active Directory is a combination identity, device registration, and policy service. It has the Group Policy engine lives in Active Directory, so you can do policy and typically people use a number of group policies to lock down their PCs, to enable users to be productive by configuring applications so they talk to the right backend service, etc. The corollary on the modern management side is Azure Active Directory is an identity service full stop. It's the identity backplane of our entire

Microsoft services ecosystem, but it's not a policy service. The policy service is the MDM that attaches to Azure Active Directory, in our case it's Intune. Intune then becomes the policy provider as the management authority and there is no Group Policy construct in Azure Active Directory. You deliver your policies through the MDM channel through Intune as invoked through the inbox MDM stack built into Windows. There's no agent you have to install, it's just there. One of the challenges there is that we have to evolve that agent or that

inbox MDM to expose the management capabilities that customers need. It's not ever going to be, for example, a replacement. Not a replacement. Equivalent of Group Policy. Group Policy is a cost driver. There are some 6,000 group policy configurations that you can manage, and that drives up cost. And the promise of modern management, as Deen pointed out in the last slide, is to reduce the cost of ownership of Windows.

If you move all of those complexities from the middle column, the orange column to the blue column, you really have not delivered the promise of reducing the cost of ownership of Windows. You've just moved the management model from an on-premises Config Manager service to a cloud-based Intune service. There is cost savings there, but it's not as profound as we hope for when we make the cost of ownership reduction promise. So that's another consideration, and that's an active evolution. There is more and more going into that inbox MDM capability with

every release of Windows. Intune is adding more and more capabilities to manage that inbox MDM exposed capability. And eventually there will be a tipping point and it will vary by organization as to when your organization and it will vary by user with any organization as to when exactly you've reached the critical mass point when that modern management policy piece is adequate for your needs. The other thing to talk about there, and I spent a lot of time on this

row cuz it's an important one, is that there is another consideration. And this is where we're gonna have to meet in the middle, so to speak, customer to Microsoft. With all the new security capabilities of Windows, there are other ways to achieve the intent that you may be delivering today with Group Policy. For example with Device Guard, Windows Information Protection, and so on and so on. There are so many new Windows security features and

they are all exposed for modern management that those maybe have a corollary to what you're using Group Policy to do today and you may not need an exact replica of that particular policy object in the modern management side. Software updates, so software updates today is really about granular patch selection, I'm specifically, talking about Config Manager. It's granular patch, choosing your patches like KB one, two, three, schedule and testing those, scheduling those, deploying those,

wrenching your feet, do it again, next Patch Tuesday. Windows is changing how they publish patches. For Windows 10 for example, patches are all cumulative, there is no more pick KB one, two, three. And that's being done to reduce the fragmentation of the Windows ecosystem in the enterprise. Because today, if you imagine, just multiply by this room, everyone's Patch Tuesday process, they're all probably somewhat different, and you probably

have applied different patches to different PCs in your organization. That results quickly in millions of permutations of Windows that we don't have a copy of at Microsoft to actually do testing on. Because as soon as you've gone from the RTM baseline or the service pack baseline, it immediately starts to devolve into this crazy ecosystem of just different types of packages, different batches of appliances, some excluded. And it just becomes really hard to assure quality of Windows updates, Windows feature releases.

Because we don't have a good sense of the underlying platforms that are out there, they're just so skewed. So as patches are cumulative then there's potentially less overhead in the patch management model in Config Manager because you don't have to go through this process of picking the patches you want, [inaudible] the ones you don't want, testing them each individually, it's a monolithic patch each month. And that sets up on the modern management equivalent of the patch management process is really, is powering your patch service out

of Windows Update for Business and controlling your scheduling of and delivery of those patches out of Intune through MDM. That's a lot less control than is there today. So again, that's gonna be more than evolutionary piece of moving off of the traditional way of managing patches with Config Manager to a point where you're comfortable moving to this Windows Update for Business driven patch management as processed or as controlled by schedule through Intune. So that's just going to take some time to evolve and adapt and

trust that method frankly. Next one down is a big sticking point. This is the one that's probably the most common on the list of customers when you say, when are you moving to modern management? The common response is, as soon as I can deliver all of my five thousand Win32 applications. And our response is okay, that's not here, that's not doable today. We do have basic MSI installation in-box in Windows in the MDM stack. But something, a complex setup process like say this little

product called Office, that can't be run that way. And that's kind of an important one. It would be sort of sad if the user went through this great provisioning process and got autoenrolled into Intune and ended up with a device with a browser. So, they need stuff to work on once it's done. So, that's one of the big ones we're collectively working to solve and address that. The modern equivalent of that is the universal apps,

the Centennial model. Whereby, you can take some Win32 apps and effectively wrap them and publish them to the Windows Store for Business and SaaS apps, but the Win32 app challenge is a big sticking point in the move to modern management and we are collectively working out a way to ease that pain. We don't have a committed plan yet, but it is the high on our list to have some resolution in 2017 to address at least the core of the Win32 app distribution problem. Then you have the agent. One of the benefits, one of the common complaints about Config

Manager is client agent health. Nice thing about the inbox MDM stack is there is no agent, it's just part of Windows. So there is a benefit there as well and that's not really a migration decision that you have to make or you don't make a decision based on that, but it's just pointing out that they are two different management styles. SCCM is agent-based. Intune is inbox MDM based.

Anything inboxed MDM, any MDM vendor can effectively do the same thing. All of our IP and Config Manager is really rolled up in our agent. That's how we do all the unique things, like test sequences, application models, so on and so on and so on. But that's been built up over 20 years, that's not something we're just going to replicate overnight in the MDM side. And then finally and I've already talked about the Group Policy, and MDM policy piece. So, that's really our road sign of the areas that we need to do

work at variable levels to achieve a viable enterprise story to move to that blue to actually start realizing the cost savings benefits of Windows ownership and we absolutely wanna go there. When I made the comment that Config Manager isn't dead, it was not a statement of we're not fully behind this move to modern management. It was an assessment of the reality of today that not everything that every customer needs is there for that blue column to be real. It might be of some orgs.

It might be in some pockets of your organization and it's our intent to make that a bold truth over time, and make that to be the way we manage Windows. That we certainly want to get people there and I wanna talk about in the next couple slides. I really wanna talk about how to think about Config Manager in that ecosystem of modern management. It's effectively, before I get into the customer examples, it's effectively, it's an and.

It's not an or question. Config Manager and Intune together, give you the best of both worlds. You get PC management on the Config Manager side. Connect that to Intune, you also get cross platform mobile device management. It's our intent to deliver a thoroughfare to move from A to B over time that's disruptive to your security standards, your IT productivity and all the other, all the other things you're accountable for, relative to PC management.

So, some of customers that we talk to and their ability to adopt or adopt modern management right off the bat. So it looks like startups or spinoffs, looking to start life all in the cloud. Very few customers have this luxury of being a startup or spinoff. So this is really for a sliver of our customer base that we talk to, but there are absolutely customers out there that wanna do that blue column all the way through and they are sold on the idea.

It meets the capability that they need and they are moving forward with that plan. Those customers do exist. So, it's not a myth that people are doing this. There are customers we work directly with that really dress that first bullet, that represent that first bullet. A second or there are established enterprises looking to move significant users in their estate to the cloud. They have really bought into this cost of ownership reduction message

and they are actively pursuing moving parts of their estate, whether large or small to this cloud management model. They are very attracted to shipping a box to a user, having them put in their credentials and just start working. And we are working with those customers to how can we best fill those gaps around say, Win32 applications to make that a successful reality, then there are established enterprises looking to move pockets full of the users to the cloud, which is related to above that and then there are enterprises with no plans for

now to move to the cloud at all. They are staying with Config Manager, staying with traditional management, but our challenge is we have to build an ecosystem of management solutions. Windows has to build out capabilities that satisfy every one of these classifications of customers, but it's also meant to highlight that we'll continue to invest in all of the customer needs that you see here, because they are so variable. There are large defense organizations that are firmly

entrenched in that last bullet, but there are startups and highly agile, very progressive technology leadership teams in their organization that are more aligned to the first couple of bullets there. We have to satisfy all of them and that leads me to our approach to the best of both worlds. So for that early part of the list, they really wanna get to that Intune site up there. They wanna reduce the amount of infrastructure they have to have.

They want to reduce the amount of complexity and people power, it takes to run a large complex Config Manager hierarchy. However, most customers' reality today is really in this in Config Manager with Intune world. And I don't really, I'm not specifically referring to a, even though the slide says hybrid configuration, this doesn't even have to be a hybrid configuration. It can be a separate Intune standalone instance and a separate Config Manager implementation.

We have wired them together for them to work well together whether or not you've connected them as a hybrid configuration or not, but either configuration whether you go standalone or hybrid, having both solutions provides you the ability to banish PCs traditionally. And we'll do all the work on our side, so that you can move from that orange column to the blue column on the backbone of Config Manager and Intune over the period of time that's right for your organization. Maybe months, maybe years, maybe longer. But we'll have both solutions in place to ensure you're successful

whether it's traditional or modern management and we'll assure that you have the power to move from one to the other, as your organization is ready or as parts of your organization are ready. So the transition matrix is really IT desire and functional requirements, which I talked about. How much do you want do you want to get to that left-hand side and how much of the functional requirement's there? So, that's really the bar that I could not put a timeline on. I couldn't say that's a seven process, a seven month process,

cuz that's going to be so variable. It's going to be a combination of you buying into this cost of ownership promise. Buying into Windows 10. Deploying Windows 10 at scale and having the functionality you need on that modern management side to get there. My main point here is that, given the unknown variability of that line, we have to hedge. Our hedge is to build both solutions and have them work together.

That's our promise to you guys. That's our promise to Windows is that we will maintain the best of both worlds as long as there is a valid best of both worlds. If five, ten years from now, on-prem management is just gone, then there's no reason to keep investing in Config Manager, but we're not going to force that issue by de-investing in the product that people use to manage Windows. We will continue investing in it until customers are fully able to move to modern management.

So I just wanted to make that commitment, cuz I've been asked so many times this week. Is Config Manager going away? Is it gonna merge with Intune? And the answer is no to the first part. Yes, to the second part, because it's already converging with Intune. It's not going to become Intune. We're not going to put SCCM in the cloud, but it will continue to work very closely together with Intune wired together for

as one great example, conditional access. We provide a conditional access model through agent-based PC management and that requires a connection to Intune, because the Intune service tells Azure Active Directory if a PC managed by SCCM is compliant or not. Azure Active Directory will then only allow Office access, I would say Exchange access if that device is compliant as determined by the PC agent. That metaphor also works with Intune management.

Same conditional access using the inbox MDM stack, but a lot of the scenarios are mixed between agent-based and modern management and we have to assure that we wire our services up so that you get the capability whether you're using agent or whether you're using MDM and this is a repeat of a slide I showed yesterday. This is the main point here, I'm not gonna go deep into all the services. I did a full session with a bunch of folks on the Windows side yesterday. And if you're interested in it, you can watch that recording. But the main point I wanna make here is that even though Config Manager

is on-premises, it's really part of an ecosystem of services. It is wired up to everything you see in the big cloud there. It's wired up to Intune. It's a fully matrix solution. It thrives with its cloud connectivity. So really, I think the short to medium term reality, is really this hybrid environment where you have the on premises Config Manager, but it's invigorated, or tricked out a little by connecting to all these rich cloud services.

So you continue to get, you never lose functionality. Our intent is that you never have to lose functionality if you stay on premises, but you still get that rich ecosystem of services whether you're doing modern management or traditional management. The last thing we want to do is start having you make a decision. If I get A, B and C capability on modern, I get C, D, E and F on traditional, but they don't match together. That just results in disaster. So we want to ensure that we keep super setting MDM capabilities

on the Config Manager side. I want to talk a little bit about our new current branch model. And the reason that I'm bringing this up is really, to reiterate the point of our continued investment of Config Manager and how we've really totally redesigned you we build and release our main management solution of Config Manager. So about 10 months ago, December of last year, we released our first version of current branch. This was our attempt to really modernize Config Manager

to keep up with these Windows guys. Cuz they started to release a couple times a year and we were like, they came to us with this idea. And we looked at our multi-million lines of code product, and said. Something a little worse than but in that vein. And so we locked a bunch of engineers away and said, okay, can you guys figure out how we could update Config Manager more frequently than our typical three to five year cadence? And they asked, how frequently?

And we said, maybe every four months. And that was a tricky conversation to have but they pulled it off. They pulled off a servicing model that frankly blew us away about how well it's working. We didn't know it was going to work this well. I'll be completely honest about that. I think we probably had a bunch of reqs open for CSS, just in case we needed to go hire 100 support people, to support the people as they transition to this model.

It didn't happen. Our call volume dropped by like nearly 20% after we released servicing, mainly because it's wired to data and telemetry and we're able to identify issues often before people even see them. If we need to plumb a hotfix down that channel, we can do that. It's right in your face too. You don't have to call support and find out where on some obscure TechNet site you need to go to get hotfix 45716 and apply that to fix this content problem.

It will be in your console and it will say, this is to fix your content problem. I probably need that. So it has been adapted, and I said earlier when I was making the promise that we'll continue to invest. I said I would show some numbers to reinforce that point. Just to show you that we are still quite the popular product. That's a little, the date is a little old but nearly 21,000 unique tenants have already upgraded the current branch.

The most interesting thing on this slide to me is that gray box that a majority of them 10,286 are on 1,606. That's been out for about a month and they've upgraded that fast. When we set goals with Brad Anderson, our VP about what we, what our goals would be, we had to change those three times for the fiscal year because every time we set a goal. We would exceed at the next couple of weeks and so we keep upping the goal we either beat that goal. But we're just surprised by this and

this next chart is even more eye popping. It's actually gone up. It's about 42 million total clients today. Those tenants represent 42 million managed Windows PCs. We estimate that this is about anywhere from a quarter to a third of our entire Config Manager population that's upgraded in less than a year, to current branch. So, the adoption rate is high, the interest is high, the need is there. We got a lot of people working on the product.

we got a lot of people working on intune. we’re developing both, but our intent is to really provide you with the tools you need to be successful, and you make the decision as to when it's the right time to switch your tool and or to move from traditional to modern management. we're not even going to force that issue by pulling the rug out of config manager. we can't. we had a 42,000,000 of client lease today, we'll fall off the planet.

so i don't know if they fall off the planet. that was a bad analogy. but i don't know where they go. so a bit of an eye chart probably for future reference. probably don't want to read this on a beautiful thursday afternoon but i'll cover some of the highlights of this slide. so again, cloud and modern management are absolutely where we see windows going, where we see customers going. however, traditional management and by extension config manager,

again i'll say it one more time cuz this question comes up a lot and is not going away. we continue to invest deeply in it. config manager moved to a servicing model gives it years of life. it gives it years of flexibility, years of updates that are easy to consume. you don't have to go through a monolithic six to nine month upgrade process every time a new version comes out. you click a button.

we do it for you. we orchestrate the upgrade of every component in your infrastructure. modern management through intune has significant potential for tco reduction and it has a significant future to it. it's just gonna be adopted at a variable cadence and, again, the best of both worlds solution of config manager, intune is the right way to get you there. and i don't mean to sound like marketing. i just realized, i sound like i'm trying to sell you something.

i'm really not. i'm just trying to position our strategic backdrop so you know you can make the right decisions for your organization knowing that we're gonna support you on both models. and again, monthly one of the beauties of intune is monthly iterations of the service that you don't have to do anything. even with config manager servicing model you have to click some buttons. intune just updates, every month, or more frequently if we need to.

it's a multi-tenant cloud-only service with no infrastructure requirements on your side and it just works. it's got great uptime. it's got great performance. we're moving the entire thing to azure hosted to increase scale. we're gonna have an azure portal in intune that's gonna combine capabilities of the ems suite of azure active directory premium and rights management as well as intune. and there's gonna be an integrated administrative experience with role

based access with api exposure with reporting with scale. so it's going to, the strength of config manager is being replicated at least on the administrative side and intune as well. so that's another evolution that's happening, that makes intune only management more realistic than it was previously because of all these enterprise capabilities that you need around scale, console performance, reporting, etcetera. that a lot of people stick with config manager because it does all of those things today.

intune will do those in the first half of next year. most equitable, at least from an administrative experience to what you get out of config manager today, the difference there will be what you're able to do on the client based on mdm versus agent-based management. again, back to that eye chart of the orange and blue columns. and then last one, it's just really hammering home the same point i've been talking about. with the combination of the two, you get the best of both worlds and

we'll provide you the tooling to get from one to the other over time as it's right for your organization to move. stick with us, we're getting there. that's the main point i wanted to land there. so these are some customer it trends that we see. today we see mostly organizations split along desktop, mobile, and productivity teams. you have a team that runs your mdm. you have a team that runs your pc management, and

you have a team that runs your office products, client and server. as the huge transition that we're seeing in mass volumes like for example the office 365, the productivity team is less invested. they don't even have to worry about the exchange in sharepoint servers any more. they’re very focused on productive experience for the end user. they're more end user focused, it's more of a productivity team because they don't have to work on the backend side, the data center side. and we're seeing a combination of end point teams, pc and

mobile joining together and then you have your cloud office team. it of the future, we're projecting, will really be a combined end-user computing group that combines cloud-mobility management, which is inclusive of the enterprise mobility suite and office 365. so, but again, those will be variable trends over time. they will, they'll be different by organization. but these are the common trajectory points that we see. that we're trying to build our product suite around what we see it organization structure being.

it's a guessing game. but this is how we see, this is in our numerous customers conversations and analyst conversations. this is really how we see the it organizations manifesting over the years. we want to ensure that we're building our solutions in combination with it organizational trends. so this is another one of the key slides that i wanted to talk about. the main point, and you can see the top column is a traditional

management workflow, the bottom is a modern management workflow. you move over and you go through some cloud layers. i really want to just put a top track over this. the main point i wanna make here is we see this trend, we see this trajectory of traditional but modern management. we're building out a solution built on a, best way to say a click-stop strategy. we see multiple points that you can start to make this move without profound impact of having to make a complete cutover from

one to the other. step one, we completely support iaas azure hosted config manager. first step you can make to cloud is moving your existing datacenter hosted config manager services up to azure and reduce your capex and opex cost there. one cost reduction measure. you still get agent based management. you still have config manager. you just get those servers out of your data center.

and if you combine that with our new, and our 16.10 update coming out in november, with content peer caching. you can start to produce those distribution points as well. you move your brains up to the cloud with your primary site management points. you start peeling away your distribution points, because we have peer caching native in the product, or will have toward the end of this year. and then, you can start realizing cost savings in config manager, but

yet you still get the benefit of the client-based traditional management. next click-stop in that would be what's in the middle here, our cloud-based management. not to confuse that with mdm. that's not an mdm construct. what that is, is the ability to manage your internet roaming users with a config manager agent through an azure service. so we're gonna be providing a cloud based proxy that you can put into azure, that you could manage your client-based systems.

not your mdm systems, your client-based systems sccm client, from that cloud proxy without any dmz hosted resources. we will securely proxy all of those client requests back through that azure hosted proxy into your existing config manager infrastructure, through cert based authentication, and then the client will get its policy. and for example, could install the application you sent to it from the cloud dp. so you start moving more to cloud.

we have an internet based client management today, but it's pretty darn hard to configure and get to work right. this makes it incredibly simple. maybe not simple, that was a little strong. it makes it easier. [laugh] don't hold me to simple. [laugh] we're gonna have to re-record that part of this session. [laugh] but that again, that keeps those capabilities you need with an agent, like rich application

handling, policies through dcm, software update management. you continue to get those and you haven't quite made that click-stop over to modern management yet. and then, if that's all up and running, and as we evolve windows and intune and you evolve an organizationally. then we want to provide a path to move that over time, that agent mod will strip that away and just move that to intune. and that's really what we want to it, and you can do it at your own pace.

you can do it at your own, as requirements are met, but that's our promise. that's really what we want to build is this combination of solutions that work very well together. that have a road map over to the modern side over time, but give you click-stops to where the analogy i consistently use is. there's a point in this trajectory where you've just returned the rental car and if you back it up, you're gonna shred the tires. so we wanna give you points before you go to the rental car agency,

which i see as that last box, because once you've gone cloud. trying to go back to on-prem is going to be pretty hard, but we wanna give you steps along the way that get you closer and closer to that tco promise. but without necessarily shredding your tires as you try to back out of the rental car return. and then another thing that frankly, i probably shouldn't even bring up cuz we haven't committed to it yet. i was just checking mail before the meeting to see if we're gonna do

this, but i didn't get a chance to get a response. i'm just gonna throw my entire engineering team into the bus and say this. we are also looking at, not committed but looking at a model that you could even take the modern provisioning workflow. that super elegant experience of opening a box, running through ad join and rolling into intune. and wouldn't it be cool if you could then drop the cm agent and have a talk to the cloud proxy and b2b agent manage at the end of that?

it would be another click-stop that we could provide that's still not quite past the shred your tires point. but it does, one more step to that modern management. you can take advantage of a good chunk of the modern management workflow by getting that client onboarded cleanly, and then flip it over to traditional management to continue the policies and apps you need. without having to make a profound adjustment and negotiations with your security team, or change in policy, or

convincing your leadership team this is the right thing to do. you can start chipping away at this problem and then last stop, after you've gone through that piece. your modern provisioning, you're still kinda falling back to traditional management. over time, modern management is at the right spot for you. at that point, the nice thing the device is already, the device and user are already in azure active directory. if you've gone through the modern provisioning work flow.

we just have to then, next step would be drop that agent and force an intune enrollment, and you're on cloud. again, simple that's probably the wrong word, but simplistic is what i'll gravitate to. so again, that agent delivery is not something we've committed to. we were assessing customer feedback just this week to see if that was a real thing that anybody wanted. by a show of hands, is that something anybody in the room would use?

[laugh] all right, we got two hands back there. so that's good, all right. okay. so that's a real thing. we thought it was neat, but often we think things are neat and we ask people if they want it. and they go, no that's neat. okay. glad we didn't build it, but this is definitely something we want to look into, and we want it to get better than neat.

so that's my click-stop piece. oops sorry. so this is really the ems experience, and ems is our enterprise mobility and security suite of which intune is a part of. also gives you usage rights to configmgr. this is just an overview of that end-to-end workflow and the point at which ems assists that workflow. we've already talked about simplified deployment with azure active directory join, configuring windows 10,

things like per-app vpn, etc. all the policies, windows information protection, manage and protect, and then unify device management. and again, our unified device management is really built on the promise of keeping config manager and intune working together. whether you're a hybrid configuration, or an intune stand alone configuration and to give you the best of both services in both products. for example, if we had conditional access to modern management we want

to ensure that you have that model in pc management as well through config manager. getting to windows 10, you probably seen various forms of this slide. so i won't spend a whole lot of time on that. i did want to leave, since this is really a 200 level, not giant audience. i think we can have a pretty good q and a. so i do wanna leave some time for a decent amount of q and a at the end. so if you see me moving quickly it's just that to

get ahead of my clock here. so we can have that good q and a discussion, but the traditional model of getting to windows 10 config manager mvt refresh task sequences imaging. that's really the, how people, that's tried and true. it works. it gets you back to a clean state. gets all the old stuff that may have come onto that machine over time. one of the, it gets you the ability to.

well, i don't know all the things on the list. you guys know what imaging is. the upgrade process. upgrade is actually a viable way to do the windows changes today, or windows upgrades today, using the config manager software update engine to deliver the upgrade as if it were an update. we're doing a lot of, just a side note here, whether it's a refresh or upgrade. we're adding in 1610 a whole new level of customizable notifications,

because now your user really does need to know what kind of update this is. when it was a software update, there was a security update, that nothing was gonna change on them other than they might reboot and yell at you. that was one thing. when they click ok, and it upgrades their operating system that's another thing entirely. so we've added some more, a lot more. a slider-bar of customizable notifications from nothing to much

richer. it's specifically for the upgrade step, because that way you can let users better know what's going to happen, because it is going to be a longer running update. if there is gonna be more downtime involved, then you need to be able to let the user know what's going to happen when they hit that point. on the modern side, there is the provisioning package. the provisioning tool, which is also continuing to evolve on the windows side.

it provides that great example of putting a provisioning package on a usb key, executed it on the pc, and really building that pc out to what you want it to be. but without that crazy step of removing a perfectly good image and putting another one back on. that one's driven by, there are a lot of factors that drive that first box of refresh, but it's just sad to me to get a shiny new surface pro box and then go reimage that thing when you don't have to do that. because it doesn't come with a bunch of trial software that you

don't want. it's a clean image as it is. with provisioning you can do things like sku upgrade, you can move that thing from pro to enterprise without reimaging. you don't gotta have to go find all the drivers to put back down because you ripped out a perfectly good image and put a new one on. it's like getting a brand new car and putting a slightly bigger engine in that new car, there's no reason to do that. just buy the car with the engine you wanted.

and then there's user provisioning through ad join and auto enrollment. i'm assuming you're pretty familiar with this whole ad join process, but at a high level there's a screen when you turn on the pc. it asks the user if this is a corporate-owned device, they say yes, it takes them to azure active directory sign in page. if they put in a credential that maps your organizational credential, it will route them to the appropriate organizational sign in page that may be branded your organization. put in their credentials, runs through a process,

registers the azure active directory. you can configure azure active directory to auto enroll that in to intune, and then the device is managed, it's secured, it gets its apps, and off the user goes and does their job. and possibly, if my team doesn't kill me when i get back, you can do this to deliver the config manager agent, but we have to figure that out first. and at the end of it they log onto the device, they ctrl-alt-delete onto the device with their azure active directory credentials.

that becomes the authentication service that the user continues to use. by azure active directory being the authentication service you also get the conditional access model, because you can configure the device to only allow or configure through intune. only let that device talk to email for that particular user if the device they're trying to access email on is secure and managed. or yeah, compliant and managed. so again, we're gonna close with, i don't know,

try to leave 20 minutes for q and a if we need it, you guys may just run out to the event, which is fine too. but, it's really this slide again, and i know i spent a lot of time on this, i'm not gonna spend that much time on it again. but, for the orange, if any of those things are must-have in your organization, you're in traditional for now. we wanna get you to blue, and we wanna give you the tools to get to blue, the solutions to get to blue, the products to get there, but it's a journey over time.

we'll continue to invest in both of our products suites of config manager and intune and all the other components of ems to help you get you there. but neither is going away, and neither is being under-invested in any. in terms of years, it's beyond the horizon when i could say anything would change in that promise. so, in closing, some things to remember, i think i got ahead of myself and gave you the things to remember.

our customers have options, they're all designed to work together, pick what works best for our customer based on their goals & scenarios. we want to give you the option to be successful, and not force you into a solution that maybe you're not ready for yet. get started today optimizing what you have for migration to modern management. again those click stops that i talked about, look for opportunities to embrace some of the cloud capabilities. and lastly, evaluate this session, but

don't evaluate the demos because there weren't any. so with that, we did reserve 20 minutes. you can step up to any of these four mics that are in the aisle, and we're happy to take any questions you guys might have. thanks so much for coming out on a beautiful thursday afternoon and enjoy, and if you're going to the event tonight enjoy that. >> [applause] >> thank you. >> [inaudible] >> [applause] >> what's that?

>> gentlemen, this. >> sorry. >> so i'm just thinking about support and let's say i've auto joined ad. >> uh-huh. >> and my first-tier help desks doesn't know what the device is that the person has. >> right. >> can i change the name on-the-fly of the device so

i can associate that device with my user? >> that is a good question. i don't know, i mean, the device is gonna be combined with the user that enrolled it. so you can reverse look up the device by knowing the user that enrolled the device by the user credential. cuz that's gonna be bound to the device in aad. but i think you can change the device name locally, what i'm not entirely sure about is if you can change it server side and

have it be reflected on the client. >> so windows is gonna have a random name? >> right, yeah. >> unless they change it manually? >> that's right, yeah. >> okay. >> yeah. >> another option you can do is, if you go to the add work page, at the bottom there's a link that says export management logs.

that'll generate essentially kind of like a gp result policy state report, but also have device information in there. so you can instruct the user to generate that xml file and just email it over to support desk and that'll have that initial set of information in there for them. >> okay, thank you. >> cheers. >> thanks. >> simple question about 1610. is it gonna be a base install or is it gonna be an iterative update?

>> good question, 1610 will be an iterative, 1606 in about two weeks will be a base. >> so 1606 will be a base, the media should be out mid-october, we're finishing up now. >> excellent, cuz i really didn't wanna have to do this four times. >> [laugh] we're with you, we didn't want you to have to, so you just have to do it twice. [laugh] >> hi, we've got about 30,000 devices on standalone intune and we'd like to move to hybrid.

but we're being told that because we're on legacy office 365 that's not gonna be possible without re-enrolling all the devices. could you confirm whether that's the case? >> yeah, that's the case, it's not related to office, it's related to the way that we have built our management authorities. today requires unenroll, re-enroll just because it's authority switching that we can only do on the operations side. and we haven't evolved to the point where that can be a seamless experience, it is a brute force thing.

to that point though, we are looking at, and hopefully this is the first half of next year. we are investing in making the switching simpler because it's a common question where customers start life in one config and wanna move to another. we're also gonna have a lot of customers that adopted hybrid because it had the things like role-based access that will now be available in intune standalone in the first half of next year. and so for anyone that wants to switch because it makes more

business sense for them, we want to provide a seamless experience to do that. so that will get better, but to the state today is exactly as you framed it. >> okay, thanks. >> sure. >> so, is it possible to take an azure ad joined machine and manage it with sccm? we're gonna find out.

[laugh] i just made a bold claim that it was, but we have to make that work. >> no i mean so right now, as it stands, it is not? >> no, it's possible, that workflow i mentioned is not a viable workflow today. because we have to do a little work on our clients and so it can be installable by an mdm. and we have to do some certificate-based work to make sure that it can communicate up to the cloud services.

but you could, if you'd ad-joined the machine, you could put the config manager client on it. >> okay. >> yeah, that's nothing unsupported about that. >> all right. >> i mean, config manager client machines work in work groups, right? they don't need a domain joined parameter. so, all right, thanks. >> hi, so as a- >> it's so weird when you guys

are asking questions cuz it comes up on different speakers, i'm always looking the wrong direction. so, anyway, there you are. >> yep, so as a group policy mvp, i appreciate the fact that you underscored that neither sccm nor group policy is going away in any strategic timeline. that's very helpful, i appreciate you saying so on stage, that's the first thing. and the second important piece that, i saw a provisioning demo

in another session, but i wanted to ask your opinion about it. because what i saw was, okay, i got the provisioning package, i email it to somebody. >> mm-hm. no security involved, they double click it and stuff changes on their windows 10 machine, it seems rife as an attack surface. can you speak to the security there with regards to provisioning packages? >> take it away, deen.

[laugh] >> which system was this? >> i needed some water. >> [laugh] so this was the one clip provisioning capability? >> yeah, it was in the last hour down in b hall, an mvp did the talk, he talked about how you could either not digitally sign or digitally sign. and if you don't digitally sign, which is what his demonstration was, that you can just double-click on it, get it in an email or put it on a usb stick.

double-click and magic occurs, he did it in his demo, vpn profiles occurred, certificates were installed, msi's were installed, and so on, i mean i saw the demo. so i see no security between having a provisioning package and somebody double-clicking on it. and magically their windows 10 machine, which was a home machine, is now an enterprise machine with these vpn and any number of categories that are in the provisioning package. maybe i saw it completely wrong,

but that's what i thought i saw, so i figured i would ask your opinion on what the security mechanism is between. is it the icd program that produces the package, and then once it's delivered, which he's suggested that you can send it in an email, it's about 10k is what he said. users are supposed to click on it and then magic occurs to configure their windows 10 machine. that's what i got out of the demonstration. >> i'm sure >> [inaudible] to you, right?

so i'm not making it up, right? okay, there is. it's probably worthwhile to take part of this conversation offline. diving a little bit deeper. however, there is a scenario that we are looking at as we think about, again, as i've talked about modern management. buying that device and quickly just typing in username and password. one of the things we are looking at is if i get a fresh device off the shelf and i wanna quickly get up and

running instead of having to call my help desk. it's like, help desk, what do i need to do. blah, blah, blah, blah, blah. can i just click on a link and that initial provisional process kicks off and the device gets up to date. now, the security piece around that. that's actually one of my colleagues who literally sits across the hall from me. so let's follow up online and i'll send him a note as soon as this

session wraps up, just so i can make sure his brain is thinking about it. since it's still a reasonable hour on the west coast. >> sure. >> and then, we can definitely yeah i need to look at that. >> we've got each other's emails. >> yeah we definitely do. >> and we're friends, so it's easy enough. >> it's a really good question. i mean i don't know how realistic it is that you're gonna email out

provisioning packages to your end users. you're probably gonna send out a link and secure them on a share somewhere but. >> that was the story i got. >> that was probably a good story you got because it's easier to demo that way. but i don't know. but it's a good question, we will follow up on that one. >> thanks, mike, sir.

>> hi there. >> hi there. so two things. one, while i appreciate the whole you know not wanting to throw the engineers under the bus thing. >> [laugh] >> it's nice to know that you guys are at least looking into the whole getting the sccm client thing onto an azure ad joined machine through the channels you were talking about. so it's good to know you're looking into it. two, and this may be a very simple question, if i have an azure ad

joined machine, can it access, network resources in a similar way to a traditionally joined ad machine. >> that, there are some gotchas there. like and curb auth. i'm not the expert on like the access model there. and i know that you can, with aed federation, you can do some things to mitigate that. i just off the top of my head. i don't work on the identity side.

i don't know precisely the answer to that. i do know there's some things you have to do. and some things you have to be conscientious of. probably just check that out in the aad technet azure active directory technet site, i. or if you've got my name you can. it's just my initial jayjiggens@microsoft.com i can find out for you. i just don't know from the top of my head.

>> sure, sure, and that's a question i've been asking all this week. and it's been kinda hard to get an answer on. >> okay i know the right people if you want to drop it out. >> yeah sure, sure. >> i can find out for you. it's a great question i just don't really know. >> sure okay. great thank you. >> all right. you're welcome. >> hey how are you. >> good, how are you.

>> good, thanks. the peer caching that you're introducing in 1610, is that something i can leverage somehow using intune and the [inaudible] i distribute through intune. can they make user the same peer caching. >> no, it's native to our agent. >> okay, it's not part of the os like delivery optimization. >> delivery optimization, is you're exactly right. it is part of the os.

this is different. this is our agent, basically using some windows components like branch cache to enable peer caching stories, purely dependent on a config manager agent. >> okay, i appreciate it. >> that's not intune piece, all right, thanks. >> anybody else. don't be shy, we've got 10 minutes left. >> well, we'll be hanging out if anybody still wants to go up to

the mic and have their voice come out of a little box. we'll be standing up here for packing up. so feel free to come up with any questions. we've got one more brave soul. >> yeah, i still saw your slide with the modern direction to go. where you have the alt fully managed and then the mdm managed. and i really wonder why are you putting it this way. do you see an advantage of. i mean, whenever i start to dig deeper into this alternative of

doing all group policy and script based management and mdm management, what i get as an answer is, it's actually less management. so it's kind of an in thing to do less managed because this is cooler because it's easier. people understand it better. or why do you see this as a natural direction that we all should go to. >> it's [inaudible]. >> yeah. it's cost, cost of ownership. >> it probably comes down to cost, but i do want to push back

on something that you said that i found was quite interesting. it's not less managed. the management surface in windows is still the management surface in windows. and as we build out additional capability on our mdm platform, we're moving away from this whole concept of 3336 group policies and having a policy for an individual check box and moving more towards a policy for a scenario. so great example.

you know, that's one side of it. the other side of it is, as you look at certain capabilities in the platform, i'll pick on microsoft on that team. there are certain capabilities in ie11 that need the 1600 and 67 group policies to manage ie that simply don't exist in microsoft edge. activex controls is a great example of that. so, as you look at raw numbers our mdm policy surface is going to be less and that's by design, quite frankly. so, it's not less manageable, i would happily acquiesce that

there are some scenarios that we don't have policies around yet. so that's fair. but as we look long term it is about cost, it is about a very view iod store. it is about making management windows and wrapping your head around 500 or so policies or whatever the number it is today. easier to and easier to manage day to day. a great example one of our financial services customer base in the uk. we're having a conversation around ie11 versus edge management

back when i was on that team running the enterprise there. and one of the stories he told me, every time we did an update to ie, we sat down and went through all 1667 policies with all my security people because they wanted to sign off on each and every one of those policies. that's a lot of time and that's a lot of overhead. that's 3 days lost. i could have been better suited with rolling out the next version of windows or

figuring out something else is more important for their estate. so, it's definitely about cost, but it's also about making sure the storage is it's simpler to grab. it's less overhead to manage and we're leveraging the cloud and leveraging to telemetry and we're just making the whole hat i officially call the whole mousetrap [inaudible] >> it's about achieving intent without necessarily making you author every granular piece of intent.

>> yep. >> like metaphors like information protection, device guard, cred guard. i mean there are evolutions of windows that are happening that make some of those old things that you had to do moot software updates, right. you really don't need a granular software update management strategy, moving forward, as everything is just a cumulative update. so, there are changes in the platform, there are changes in process that will have to be embraced but

i totally agree with what dean said, it's not less management, it's an evolution of how you manage and secure a device. >> good. >> and again, look at our conditional access model. that's a whole rethought out method of how you protect, really what you're trying to protect is the data to begin with. conditional access assures that any device that data is hitting is secured and protected, so the data does not drop off that device into the wrong hands or is crippled with malware, whatever so

we're really just evolving the ecosystem of what management is, not intentionally reducing the management capabilities. we learned our lesson with the original launch of intune around that, right. intune was gonna be a simpler way to do pc management. we learned that simplicity and less functionality wasn't really a solution that was gonna take off. so we're not going to do that again. we're going to involve the entire ecosystem of services

to give you a simpler way to do management. simpler way to achieve your intent. management is not really, management is a buzz word. it's really about security and intent and productivity. it's what you're trying to achieve through management. it's not management itself. i'm 100% with you with the subject of data security. the conditional access and all this data protection. this is new and this is very good.

i mean this is the last place we need to manage with new ways. >> yep. >> with. but i have another view on this on this previous management. because i think there's a historical reason because msi applications have been around for 20 years. >> yeah. >> so companies have a long history of demanding more control because they know the applications and year after year, the demand for the customization rises,

while mobile apps are just in their infancy. we don't have experience with them. and i think over the course of the next years we're gonna see more and more demands to manage more granular. and because we are just in the beginning, everybody's sufficient with, okay, i don't have a lot of settings to do. but, i think that with apps being an android price, it's gonna be in demand eventually for customizing menus, customizing specific aspects of an app.

and there's nothing there we had ways of doing this and this is why group of this groove for the years, right. sort of feel that's gonna after 10 years it's gonna be the same thing i think. so i can speak from a platform sampler. we intentionally do not want to turn to group policy, like that is a. like if, remember the quote that of here. above is, you love group policy, but in the end it's not group policy. and again, it still comes back down to, yes,

i will happily with you that. over time, our management capabilities will grow and we will leverage feedback from the insider program, where we leveraged feedback from our customers, who will leverage feedback from having conversations that ignite to make sure that, and of course data and all the. all of our various data points, to make sure that we're building up the right capabilities, to make sure that our customers are productive. to make sure that the data is secure.

make sure their assets are secure. to make sure that everything that we've talked about so far today, is kept up to spec. that said, what we won't do is start lighting up policies for check boxes. like, there's an entire review process, which sorting through some emails while jason was wrapping up, on what policies get lit up and why. because they're being very, very, very, deliberate and intentful and thoughtful on what this story is.

and quite frankly, it's directly influenced and guided by you guys. like if you sit here and tell me that, hey, i need this capability because i don't see it in the platform. i'm gonna take that feedback and rationalize it with a couple of other customers that we talk to on a regular basis. it will likely pop up in the next release. that's the beauty of windows as a service, we can iterate fairly quickly. so if there's, i come back to the earlier point,

if there's something that you see that's missing, let me know. cuz i'll take it back to the engineering team tonight, and we'll see what we can get done for our next release, cuz we're in the middle of engineering right now. ignite's actually well timed in that respect. but again, we're not gonna end up with group policy and we're not gonna end up with 3000 or so policies. we implicitly don't want to do that. i totally appreciate the perspective of your organization, and

that's why, that was really the point of this entire talk, as we will continue to have, if you do have those needs, we will have a solution for you called config manager. your purview doesn't necessarily represent the guy behind you. i'm not sure, maybe it does. i don't know. i don't know you guys, but it could be. that's why we're investing in both. because if you need that level of granularity, you have a huge msi

app source and you wanna keep doing it that way, go for it. we'll have the tools for you to do that. for customers that wanna realize the benefit, or are really trying to move the dial on the cost of managing windows. there will be an outlet for them to and we'll build everything they need to be successful like dean said, by adding the spot policies or addressing the spot scenario they have. without just throwing the entire kitchen sink of group policy at the problem.

>> good, thank you. it was a great session. >> thank you. one more. wait, two more maybe. okay, go ahead. you in the middle, you've been waiting for a while. >> check, check. go ahead. >> i wonder if there's a way

with the modern deployment process to guarantee the integrity of the image. in the traditional way, i was sure that i wiped everything off the machine and every bit i installed was installed through config manager. in the new way, you telling me i am shipping a machine directly to the user and the user's joining it to azure ad and- >> yep. >> how do i make sure that nobody has tampered this machine?

either the oem installing some crypt anti-virus or the user installing his favorite games or so? despite surfaces. >> [laugh] >> no, those are viable questions. there's no silver bullet for the user that enrolls their own device. that if you bought it off the shelf. i'm not going to name an oem. i don't want to call it names. but if you did buy a device that came with this image

it would really be incumbent upon the organization to buy the device, or negotiate with the oem to get a device that comes with an image that you know that's not gonna have any of that stuff on it. and that's easier said than done. but we don't have any silver bullet to go remove the anti-malware trial version from that device. now i believe the provisioning folks are doing some work that will do that for you without reimaging. but that would require that's not the aed case,

that is that you have a system integrator in between the box and the user that does this process to clean the image up. but it doesn't reimage, but it gets the image into known good state, based on this provision, i believe provisioning's- >> definitely. so to add on to what jesse just mentioned. not specifically, but the team literally sits next to me in our building. we are building to have the capability so

that if there is bloatware, not spyware, but bloatware, value added software as certain oems will tell you, you have the ability to actually pull that off as part of the provisioning process. i think there is a time hit that you will take. 20 i think, it's like 20, 30 minutes or so based on last time i saw the data. but we are building out that capability so that if it is a commercial office health device and you have context on what the actual application is or you know what

the applications that are gonna be there that you don't want there you can pull that back off. but to jason's point it's like if there. there are devices that are sold on the marketplace that come with bare bones windows that you can buy directly from some oems. or you can buy directly from us. >> and then in the lifecycle of that device, you're really dependent on this massive ecosystem of security services that windows is adding.

either in the cloud side or the client side to keep that device clean for post-breach analysis with advanced threat protection. with all the controls that are added to prevent infection, or breach. and so those services, that device talking to windows services, plus the ad account of the user on the device, plus your mdm policies to invoke those. you get up to a pretty secure device at the end of that process with all the windows services and capabilities that are being added in windows 10 and anniversary edition and beyond.

so there are paths to achieve it, it really is a different mindset than the traditional completely wiping the device, locking down the image, and taking the user's admin creds away and basically making it a toaster for the user so they can't break anything. >> okay, thank you. all right, one more. >> okay, i get the last question. so dean has heard me say this before, and i'm completely onboard with not dragging backward the 3,000 and

change group policy settings into mdm. i'm super onboard with it. i totally get why you don't wanna do that. we're on the same page. that being said >> i feel a big but coming on here. >> that's not even a but. >> [laugh] >> however? >> it's not even, not a however. >> [laugh] >> the question is, and

as group policy mvp who teaches policy at mdm to thousands of administrators a year. one of the questions i get all the time is, like okay >> how do i, not me personally, how do they, the admin, how do i pitch my need to you. i can walk up and just say hey dean, i got this thing, i think you should think about. how does a mere mortal who's not here at ignite. for every one guy here at ignite there's 1,000

admins who aren't at ignite. how do they get their voiced concern about a policy that maybe should be mdm-ified? >> windows insider. >> say again. >> does it work? >> actually it does. and so there's two things. windows insider program,

you're previewing builds on a regular basis. and there's what's called system initiated user feedback, those little things that pop up. hey, how was this built for you? how do you like microsoft edge, or did you find it easy to connect to the internet? we have teams on teams on teams that actively crawl all of that data that send analysis, and i see reports weekly on how my parts of the os are doing.

so that's one piece. the other piece, which is the feedback hub. so the big thing about the feedback hub is that it's crowd source. so let's say you put a feedback like, hey, i really would like a policy to manage widget a or address this scenario. let's say, 15 other admins, you can search for, like, did somebody say something about widget a or scenario widget? upvote that, that actually pops up in a bug that ends up on my team

that we have to look at, and that we will look at. and then we'll triage and figure out what's the best area to respond to it. >> and that's great, can i ask you guys as a homework assignment to make a blog entry for how to get your wishes ported to mdm? i think that would be a really valuable thing. >> for the ecosystem to know how to get it elevated to your team. >> that's for the feedback. >> we have a very similar, we have a user voice process on the config man

intune side which is the same thing. >> your mic's not active any more. i'll come up. >> so what jason was just mentioning is for the config in the intune side >> are we, on windows we have, inside or on feedback code run for config node, is essentially, user voice? >> user voice yeah. >> right, user voice.

which is the same set of, same set of concept, give feedback, you can end up vote don't vote, like, hey hey hey, this is important. >> yeah. i get it, i know user voice it's not my favorite. i think like, the most interesting stuff stays to the top and gets more votes, and the really interesting stuff that gets three votes will never make it to your radar screen. i think it's a poor system to rate actual reality. because you me who do this more

are we have bigger brains than the number of maximum quotes, [laugh] it's just not a great system for that. >> we use that as a that's not the only factor we consider on the user voice item. that's the we've delivered 60 items out of user voice in our first three releases of current branch of config manager, so it's a tool, it's not the only tool. like if we go to a customer visit for a large, important customer, and we hear a feedback item and

then we see there's a corresponding user voice item. we can synthesize that to mean it's probably something we should go do. >> sure >> doesn't have to be the top vote getter, we don't just iterate by order down that list. we look at everything, so it's a little overly simplified to think that we just start scraping stuff off the most voted, that's a data point, it's not the only data point that we use when considering user voice items. >> i wasn't saying that you were,

i was suggesting that for other people who are voting, more things that are already pre-voted get higher and more votes. so- >> [inaudible] >> i'll cut this off. >> yes, sir. >> so again, thank you guys for coming out to this session. i hope everybody had a wonderful ignite. feedback is a beautiful thing, so fill out your evaluations and if you have any questions, shoot now.

>> thanks, guys.
