Analysis Microsoft has introduced a cloud configuration for Windows 10 with the claim of “easy to manage cloud endpoints,” but complex manual steps and interaction with Intune management mean it is unlikely to match Google’s Chrome OS for ease of deployment.
A post from Microsoft 365 corporate VP Jared Spataro explains that Cloud Config is not new technology but “a set of recommended configurations that uses the technology infrastructure you already have” – presuming your organisation has bought into the full 365 stack.
There are two key strategic elements here. One is that Microsoft is keen to compete with Google’s Chrome OS, which, unlike Windows, was built specifically as a cloud client.
According to analyst Canalys, Chromebook sales “almost quadrupled in size over the same period a year ago,” with 11.2 million sold globally in the fourth quarter of 2020. That is a small but growing share of the total PC market (including tablets), which reached 143.7 million in that quarter, but significant not only because they do not run Windows, but also because they hook into Google’s cloud ecosystem. Chrome OS is easy to configure, with auto updating and a Google login giving access to its cloud workspace.
Second, Microsoft is engaged in upselling its customers from Office 365 – desktop Office plus cloud-hosted email, OneDrive, SharePoint, Teams – to Microsoft 365, including PC and mobile device management. Organisations with up to 300 users can get Microsoft 365 Business Premium for £15.10 per user/month ($20 in the US), while enterprises pay from £28.10 ($32 in the US) for Microsoft 365 E3.
Windows 10 Cloud Config has its own microsite promising cloud-based identity management and “IT-curated applications” but the real detail is in this overview and setup guide [PDF]. Here we learn the licensing requirements:
- Azure Active Directory Premium P1
- Microsoft Intune
- Microsoft Teams
- OneDrive for Business
- Windows 10 Pro
All these requirements are satisfied by Microsoft 365 Business Premium and E3, but not by the much cheaper Microsoft 365 Business Standard or Office 365 E3.
What do you get for your money?
The essence is that Cloud Config PCs are joined to Azure AD, not on-premises Active Directory, and managed through Intune mobile device management in a locked-down configuration. “A major airline told us they are looking to empower frontline workers by deploying devices with a simple configuration that are easy to manage and swap out,” according to the configuration document.
The suggested configuration blocks the Microsoft Store app, and does not give users local admin rights on their PCs. Settings block user access unless all required apps are installed, and do not permit the user to reset their device. Windows automatic update is turned on with a deferral period of zero days.
Microsoft summarises the pros and cons of Cloud Config, saying that it only works for ‘a subset of people’ who can manage with simplified, locked-down PCs.
Additional applications (including custom and non-Microsoft applications) can be deployed through Intune (part of Microsoft Endpoint Manager), though Microsoft suggests such applications are kept to a minimum.
Password expiration is set to 41 days – a controversial setting among security professionals, some of whom feel that forced expiration encourages passwords to be written down insecurely because users cannot remember them. Windows Autopilot can be used, making configuration automatic based on registration by the hardware vendor, in which case all a user needs to do is turn the device on and connect it to the internet.
Some flexibility is proposed in Microsoft’s guide. The default is to block browser password managers, for example, but according to the document: “you might consider allowing end user to use password managers.”
BitLocker drive encryption is on by default for removable drives, but this can be turned off. In the end, anything in the proposed policy can be varied by Windows administrators who know how the policies work; what Microsoft is offering is a best-practice solution that will achieve relatively secure PCs that can be easily replaced in the event of a fault or theft. Cloud document storage means that a new PC should restore everything as the user left it.
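The settings described above (Store blocked, no local admin rights, zero-day update deferral, 41-day password expiry, browser password managers blocked, BitLocker on removable drives) can be audited on an individual device. The following read-only check is an added example, not code from the article or from Microsoft's guide; it assumes the standard Group Policy registry locations (which Intune's policy CSPs also populate for most of these settings) and an elevated PowerShell 5.1 session on an English-language Windows 10 install.

```powershell
# Added example (not from the article or Microsoft's guide): audit one Windows 10 device
# against the Cloud Config baseline described in the article. Registry paths are the
# assumed Group Policy locations; a $null reading means "not configured".
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CloudConfigBaseline {
    $f = [System.Collections.Generic.List[object]]::new()
    $add = { param($c, $e, $a, $p) $f.Add([pscustomobject]@{ Check = $c; Expected = $e; Actual = $a; Pass = $p }) }

    # Microsoft Store app removed/blocked
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' 'RemoveWindowsStore'
    & $add 'Microsoft Store blocked' 1 $v ($v -eq 1)

    # Quality updates applied immediately (zero-day deferral; absent = no deferral)
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'DeferQualityUpdatesPeriodInDays'
    & $add 'Update deferral (days)' 0 $v ($null -eq $v -or $v -eq 0)

    # Local account password expiry; cloud identities are governed by the tenant, not here
    $line = (net accounts | Select-String 'Maximum password age') -replace '.*:\s*', ''
    $v = if ($line -match '^\d+$') { [int]$line } else { $null }
    & $add 'Max password age (days)' 41 $v ($v -eq 41)

    # No standard users holding local admin rights (only the built-in Administrator allowed)
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike '*\Administrator' } | ForEach-Object Name)
    & $add 'Extra local admins' 'none' ($members -join ', ') ($members.Count -eq 0)

    # Removable drives must be BitLocker-protected before they can be written to
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess'
    & $add 'BitLocker required on removable drives' 1 $v ($v -eq 1)

    # Edge's built-in password manager disabled (the Cloud Config default stance)
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'PasswordManagerEnabled'
    & $add 'Browser password manager blocked' 0 $v ($v -eq 0)

    return $f
}

$results = Test-CloudConfigBaseline
$results | Format-Table -AutoSize
"$(@($results | Where-Object { -not $_.Pass }).Count) of $($results.Count) checks deviate from the baseline"
```

A deviation is not necessarily a problem, since the article notes that administrators are expected to vary the policy; the point of the check is to make those variations visible rather than assumed.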
There is a lot of sense in this approach, though locked-down PCs can be annoying for users, and the cost is considerable for businesses (education gets generous discounts). The bigger problem perhaps is that Microsoft’s PC management technology, grafted onto Windows, is no match for what can be done with newer operating systems like Chrome OS or iOS.
Intune is great when it works, but it is not always a smooth experience, especially for Android devices where users have to suffer a thing called the Company Portal app, which can be problematic. Starting with a brand-new PC in the manner envisaged by Cloud Config gives it the best chance of success, but Microsoft will not match the low administrative burden of Chrome OS unless it performs further major surgery on Windows.
The benefit of Microsoft’s approach is use of the familiar Office desktop applications and the ability to run Windows applications rather than being pushed towards doing everything in a web browser. Cloud Config is also a substantial step forward from the old world of managing PC images, Windows Server Update Services, System Center Configuration Manager, and the rest. ®