Microsoft Managed Desktop: All your Windows 10 devices, managed by Microsoft

With Microsoft Managed Desktop, Microsoft is betting your organization has better things to do than endpoint management. Early customers like the Seattle Reign show what to expect.

Mary Branscombe, Sep 20, 2018

Bill Predmore, president and co-owner of professional women’s soccer team the Seattle Reign, has enough to worry about without managing PCs. “I don’t want to have to think about technology,” he told CIO.com. “I want it to be like a utility where I flip a switch and it just works.”

So, in December 2017, the Seattle Reign turned to a private preview of Microsoft Managed Desktop (MMD), a new desktop management service from Microsoft, which Predmore heard about in advance as the company is a team sponsor. With MMD, corporate customers receive access to Microsoft 365 on a modern device that is managed by Microsoft.

For the Seattle Reign this means a mix of Surface laptops, some Surface Pros that are used on the field and off, and one Surface Studio. Microsoft also supports devices from HP and Dell, with the baseline for support being a spec that includes a TPM (Trusted Platform Module) chip, biometric login, and high-quality drivers.
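Before enrolling a device in a service with a hardware baseline like the one described above, a practitioner will want to confirm the machine actually meets it. The following PowerShell script is an added example, not code from the article or from Microsoft's MMD tooling; it checks a Windows 10 device for a ready TPM 2.0, UEFI Secure Boot, BitLocker on the OS volume, and a working biometric sensor for Windows Hello. It assumes it is run in an elevated session on Windows 10, since Get-Tpm and Confirm-SecureBootUEFI require administrator rights.

```powershell
# Added example (not from the article): check a Windows 10 device against a
# hardware baseline of TPM 2.0, Secure Boot, BitLocker and biometric login.
# Assumes an elevated PowerShell session on Windows 10.
$results = [ordered]@{}

# TPM present and ready (Get-Tpm needs admin), and spec version 2.0
$tpm = Get-Tpm
$results['TPM present'] = $tpm.TpmPresent
$results['TPM ready']   = $tpm.TpmReady
$specVersion = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
$results['TPM 2.0']     = ($specVersion -like '2.0*')

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, so treat an error as "not enabled"
try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot'] = $false }

# BitLocker must be actively protecting the OS volume, not merely enabled
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker on OS volume'] = ($osVolume.ProtectionStatus -eq 'On')

# Biometric login: a working biometric device and the Windows Biometric Service running
$results['Biometric device'] = [bool](Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue)
$results['WbioSrvc running'] = ((Get-Service -Name WbioSrvc).Status -eq 'Running')

# Print the checklist and flag any failure
$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) {
    Write-Warning 'Device does not meet the hardware baseline'
}
```

The BitLocker check deliberately tests ProtectionStatus rather than VolumeStatus: a volume can report as fully encrypted while protection is suspended, which leaves the key accessible in the clear.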

Microsoft 365 combines Windows, Office and Microsoft’s Enterprise Mobility and Security management service, and MMD locks that down even further. “We don’t allow third-party agents to run, to minimize the numbers of background agents running,” says Microsoft General Manager Bill Karagounis. “It’s a very native stack secured by Windows Defender and Defender ATP, monitored by us in our security operations center so you’re not compromising the battery life and performance of devices by having five or ten agents running at all times.”

Predmore has been pleasantly surprised by the results, in particular how smoothly Windows feature updates and monthly security updates have been.

“Technology is a potential competitive advantage for us but I'm forever worried about somebody getting a virus,” Predmore says. “Now all that security is managed by Microsoft and I just don’t have to worry about it.”

The Seattle Reign’s experience with MMD sheds early light on what organizations might expect in letting Microsoft manage their Windows 10 fleet.

Desktop as a managed service

For many organizations, like the Seattle Reign, desktops have become a commodity, as there is little competitive advantage to be reaped from managing them. They don't need highly customized desktop experiences with handcrafted group policies, and BYOD has accelerated the shift to managing the information users have access to rather than the devices they access it with. In this increasingly cloud-enabled world, access control is king, with encryption and credential protection being much more important than being behind the firewall.

For several years, Microsoft has offered consumers the option of buying PCs without the pre-installed bloatware OEMs often include. These “Signature Edition” PCs reportedly run faster and have longer battery life. MMD is the leased-equipment business equivalent, but with ongoing management to keep PCs properly set up.

This combination of hardware and services is the bet Microsoft is making with MMD: that organizations will leave patching and testing updates for application compatibility behind in favor of higher-value business tasks.

“On paper, customers who sign up for Microsoft’s new service get much faster Windows and Office 365 transitions on Surface hardware with one throat to choke if something goes wrong or is insecure. This is different in that many different parties are involved with other management schemes,” says Patrick Moorhead, principal analyst at Moor Insights & Strategy.

“Microsoft finally gets its chance to show the degree of ease faster transitions can be,” Moorhead says. “This is going to be a big learning experience for the enterprise and Microsoft.” 

What MMD means for your organization

The complexity of managing previous versions of Windows has meant that handing over PC management to managed service providers and outsourced IT was rarely economic. Microsoft is betting that its new versions of Windows and Office — as well as its cloud analysis and management tools — make it cost effective to take over desktops at scale, whether that management is done by Microsoft; OEMs such as Dell and HP, which already offer on-demand device replacement; or partners such as Avanade/Accenture and Computacenter.

Microsoft has “tens of customers” for MMD in the UK and US, including large, regulated organizations like Lloyds Banking Group as well as SMBs like Seattle Reign. Karagounis says the MMD baseline caters for large regulated companies but “we give the smaller organizations a choice with things they don’t want to light up because they’re too heavy-duty.”

The program will expand to Canada, Australia and New Zealand in early 2019 and other geographies later in the year. Some customers want a direct relationship with Microsoft, although in the future Karagounis expects partners will provide “the lion’s share” of these kind of managed desktop services. Microsoft uses tools like Autopilot that are available to partners and IT departments and it’s documenting the configuration used for MMD. “We’re sharing the reference architecture and baseline with our partners, so they can decide whether they want to replicate or build on top of this service to offer it to their customers.”

If you’re on Windows 7 and need help migrating applications to Windows 10, or you need to deploy Office 365 or Azure Active Directory — a prerequisite for MMD — you’ll also need a partner to help with that.

“This offering wouldn’t happen without the cloud,” Karagounis tells CIO.com. “The fact that so much of our technology has been able to migrate into a cloud-based infrastructure means we can start doing things like managing PCs over the cloud.”

The cloud will continue to allow Microsoft to collect both operational signals and security insights, and help it learn from any problems MMD customers have in order to improve the experience of all enterprise Windows customers, Karagounis says. This is the same principle as the Desktop App Assure program: When one customer reports an app compatibility problem, plenty of other customers likely have the same problem but haven't reported it. Karagounis says Microsoft has made “hundreds of changes” to the Microsoft 365 service based on running MMD for early customers.

One of those changes was automatically syncing the desktop and common folders like Documents to OneDrive. “If one of our users drops a cup of coffee on their PC, we want to be able to send them out a new PC and when they log in everything comes down and OneDrive has already replicated their desktop and the known folders on the device and all the other data,” Karagounis says. “We want these devices to be effectively stateless, so we can reset them and replace them at any point.”
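The folder redirection Karagounis describes is OneDrive's Known Folder Move, and it can be enforced by policy rather than left to the user. The script below is an added example, not code from the article or from Microsoft's MMD configuration; it sets the documented OneDrive policy registry values that sign the user in silently and move Desktop, Documents and Pictures into OneDrive, then checks whether the Desktop known folder already resolves under OneDrive. It assumes an elevated session on a Windows 10 device joined to Azure AD with the OneDrive sync client installed, and the tenant ID is a parameter you must supply.

```powershell
# Added example (not from the article): enforce OneDrive Known Folder Move by
# policy so user data lives in the cloud and the device can be treated as
# stateless. Assumes an elevated session; the tenant ID must be supplied.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string]$TenantId   # your Azure AD tenant ID (a GUID)
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
New-Item -Path $policyKey -Force | Out-Null

# Sign the user in to OneDrive silently with their Azure AD credentials
Set-ItemProperty -Path $policyKey -Name 'SilentAccountConfig' -Value 1 -Type DWord
# Move the known folders to OneDrive without prompting, for users of this tenant
Set-ItemProperty -Path $policyKey -Name 'KFMSilentOptIn' -Value $TenantId -Type String
# Tell the user after the move has happened
Set-ItemProperty -Path $policyKey -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord
# Stop users from redirecting the folders back to the local disk
Set-ItemProperty -Path $policyKey -Name 'KFMBlockOptOut' -Value 1 -Type DWord

# Verification: once the OneDrive client has applied the policy, the Desktop
# known folder path resolves under the user's OneDrive directory
$desktopPath = [Environment]::GetFolderPath('Desktop')
if ($desktopPath -like "$env:USERPROFILE\OneDrive*") {
    "Desktop is redirected to $desktopPath"
} else {
    "Desktop is still local at $desktopPath (policy applies after the next OneDrive sign-in)"
}
```

KFMBlockOptOut is the setting that matters for the "stateless device" goal: without it a user can move the folders back and the next device replacement silently loses their data.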

Microsoft also recently changed the setup experience for Azure AD customers. Previously, users could log on to a new PC with their enterprise credentials, get to the desktop, and start working with files while policy was being applied to install apps and encrypt the device.

“For our larger, more regulated customers that wasn’t acceptable,” Karagounis explains. “They wanted all the security pieces in place by the time a user could start doing things, so the operational risk and security departments can say, ‘That user is locked down; they’re running with standard user privilege; they’ve got all the right policies before they can do anything on our corporate network.’”

MMD is an enterprise service and the price varies based on the choice of devices.

For Seattle Reign’s Predmore, the early returns have been worth it.

“In the past, the way we managed the situation where we didn’t have the available resources to manage the complexity for the level of services we wanted to provide was that we simply did not provide those services,” he says. “That limited our ability because we didn’t have the structure in place to run the business the way we wanted to. If you look at the cost of the devices and software licences and someone to manage it, this is both better and less costly.”