Salaam, Namaste, Ola and Hello!
Before I start I would like to say a big thanks to Feedspot for ranking my I am IT Geek blog in the top 50 Azure blogs! You can see the top 100 Azure blogs at the following link: https://blog.feedspot.com/microsoft_azure_blogs/
After the success of the ‘WVD in a Pandemic’ (https://iamitgeek.com/2020/09/09/azure-wvd-in-a-pandemic/) post I did a few months back, I thought it would be good to do another real-world use case post, this time around a project I did for a south UK-based secondary school a few months ago.
Use Case Problem/Requirement
At the time this project started, the school in question was closed because COVID-19 restrictions were in place. Before the restrictions, students used school-provided laptops (Windows 10 devices) during the school day and at home to do homework. The IT team at the school had no central management of the devices, so whenever an app needed to be deployed, each user would have to bring their laptop to the IT team over a period of time for a manual installation, or the app would be deployed via Group Policy if it supported that.
In the environment prior to the pandemic this was just about manageable, but with the new restrictions meaning students would be attending classes from home for the foreseeable future, the solution was no longer sustainable or manageable. The school had the following key requirements:
- Remote deployment of applications: The school wanted the ability to deploy new apps, or updates to existing apps, to devices remotely without the students needing to bring their devices into the school.
- Secure & compliant: At present, the school used Group Policy to lock down devices so students had limited access to areas like Control Panel and could not, for example, change the desktop background. The school wanted to deploy policies in the same way as Group Policy, but without requiring the device to be on the school LAN.
- Patch management: The existing patch management solution was Windows Server Update Services (WSUS). As before, this was manageable prior to the pandemic, but the new restrictions meant the school needed a remote way of managing it.
- Laptop deployment: The biggest requirement for the school was to be able to deploy laptops to students without any IT team intervention. The existing process was entirely manual, so the school wanted a way for laptops to be sent directly to students and provisioned automatically.
Why Microsoft Endpoint Manager & Autopilot?
I started this engagement by doing a demo of Endpoint Manager and Autopilot in Microsoft 365 to show the customer its full capabilities. This included the compliance and configuration policies, as well as Windows Update rings and the Autopilot provisioning process.
In the demo I was able to show how this solution would solve the problems and meet the requirements, including:
- Deploy applications to enrolled devices: One of the great features within Endpoint Manager is that you can deploy a whole host of different applications to enrolled devices, including Win32, MSI and line-of-business (LOB) applications. You can find more detailed information about application deployment in the following Microsoft article: https://docs.microsoft.com/en-us/mem/intune/apps/apps-windows-10-app-deploy
- Compliance & configuration policies: Within Endpoint Manager, compliance and configuration policies ensure all enrolled devices share one standard security configuration and meet the compliance rules set by the school. If any device drifts from this configuration, the IT admin team at the school is alerted and can remediate the issue. The configuration policy covers many of the Group Policy features, such as locking down Windows 10 desktops and setting specific desktop backgrounds.
- Windows Update rings: Endpoint Manager in Microsoft 365 uses Windows Update rings to manage the deployment of Windows updates to enrolled Windows 10 devices. This removes the need for the WSUS server to manage patching and allows devices to pick up the relevant updates over the internet rather than having to connect back to the network via VPN to fetch them.
- Autopilot: The final piece of the puzzle was OS deployment. As mentioned previously, the IT admin team did manual OS installations, which required the devices to be in the school and was very time consuming. Although Autopilot does not have OS deployment features, it does let you deploy all the applications, policies and configuration via Endpoint Manager to a new, unboxed Windows 10 device. All the IT admin team would need to do is request a hardware ID from the laptop hardware provider and upload it into Autopilot. The device could then be shipped directly to the student's house, where they would complete the Out Of Box Experience, connect the device to their home internet and log in with their school student credentials. The device would then download all the required policies and applications and be fully secured.
- Resetting devices: The school already had enough Windows 10 devices to enroll into Endpoint Manager, but they were at different patch levels and build versions, and also ran different versions of applications including Office (2013 and 2016). The first challenge was to get all the devices reset, and unfortunately this delayed the project as not all devices would reset first time.
- Group Policy integration: As mentioned earlier, the school used Group Policy to restrict access to certain areas of Windows 10 (like the background image); unfortunately the configuration profiles were missing some of the features of Group Policy. This meant the school had to rethink some of their internal policies, but fortunately the missing policies were low impact and did not cause any major issues.
- Documentation: In my experience, documentation can always cause issues because the audience does not all have the same level of understanding. This experience was no different! The documentation had to make sense to students between the ages of 10-16, who were not very IT savvy. We mitigated this by creating a test bed and having a group of students work through the documentation/user guides before we decided on the final version.
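To make the Autopilot step above a bit more concrete, here is an added example of my own (not something from the school project or from Microsoft) showing how the IT team could sanity-check the hardware-ID CSV the laptop vendor sends back before uploading it. It assumes the CSV uses the column headers written by the public Get-WindowsAutoPilotInfo script ("Device Serial Number", "Windows Product ID", "Hardware Hash") and that the Microsoft.Graph.Authentication PowerShell module is installed for the optional upload; the group tag "StudentLaptop" and the CSV path are placeholders. The point is to treat the vendor file as untrusted input: a wrong header, blank serials, duplicated rows or a mangled hash are all caught here rather than discovered when a student opens the box and the device never picks up its profile.

```powershell
# Added example, not the original post's or Microsoft's code.
# Validates a vendor-supplied Autopilot hardware-hash CSV and optionally
# imports it via Microsoft Graph. Nothing is uploaded unless -Upload is given.
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $GroupTag = 'StudentLaptop',   # placeholder: tag your student Autopilot profile targets
    [switch] $Upload                        # dry run by default
)

$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "CSV '$CsvPath' contains no device rows." }

# 1. Header check: with the wrong columns every row imports as blanks and the
#    upload would silently register nothing useful.
$present = ($rows[0] | Get-Member -MemberType NoteProperty).Name
$missing = $required | Where-Object { $_ -notin $present }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

# 2. Row checks: every device needs a serial and a base64 hardware hash;
#    duplicate serials usually mean the vendor pasted a row twice.
$problems = @()
$seen = @{}
foreach ($r in $rows) {
    $serial = $r.'Device Serial Number'.Trim()
    $hash   = $r.'Hardware Hash'.Trim()
    if (-not $serial) { $problems += 'row with an empty serial number'; continue }
    if ($seen.ContainsKey($serial)) { $problems += "duplicate serial $serial" }
    $seen[$serial] = $true
    if (-not $hash) { $problems += "serial ${serial}: empty hardware hash"; continue }
    try { [void][Convert]::FromBase64String($hash) }
    catch { $problems += "serial ${serial}: hardware hash is not valid base64" }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the CSV before uploading ($($problems.Count) problem(s) found)."
}
Write-Host "CSV looks sane: $($rows.Count) device(s), unique serials, base64 hashes."

if (-not $Upload) {
    Write-Host 'Dry run only. Re-run with -Upload to import the devices into Autopilot.'
    return
}

# 3. Import each device through Graph (importedWindowsAutopilotDeviceIdentities),
#    stamping the group tag so the student profile is assigned automatically.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'
foreach ($r in $rows) {
    $body = @{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        groupTag           = $GroupTag
        serialNumber       = $r.'Device Serial Number'.Trim()
        productKey         = $r.'Windows Product ID'.Trim()
        hardwareIdentifier = $r.'Hardware Hash'.Trim()
        state              = @{
            '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
            deviceImportStatus   = 'pending'
            deviceRegistrationId = ''
            deviceErrorCode      = 0
            deviceErrorName      = ''
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5) | Out-Null
    Write-Host "Submitted $($body.serialNumber) for import."
}
```

Run it first without -Upload against the vendor file (for example `.\Check-AutopilotCsv.ps1 -CsvPath .\vendor-hashes.csv`) and only add -Upload once it reports the CSV as sane. Worth remembering that the hardware hash is what lets a device enrol into your tenant, so the CSV should be stored and shared with the same care as any other credential file and deleted once the import has completed.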
Where are they now?
It has been a few months since the deployment and the feedback has been entirely positive. The school were able to deploy between 200-300 laptops to students in the space of a week with minimal issues. Documentation was one of the key reasons behind this, and the time taken to test it with a test bed of students proved time well spent. The IT team have reduced the time they spend on admin/management tasks with this service, meaning they have been able to spend more time improving other services at the school. Since the initial launch, the school have deployed several additional applications via Endpoint Manager, which was another massive success!
In summary, Endpoint Manager in Microsoft 365 has saved this school a lot of time and money, as well as keeping students safe by not needing to come into school during the height of the pandemic.
Hope you find this helpful. If you would like any more information, feel free to tweet me @shabazdarr or ask a question in the comments section below! Until next time, ‘IamITGeek’ over and out!