A beginner’s guide to Windows device management

Emily Brown

Sep 21, 2020

12 min read

Since its debut in 1985, Windows PCs and laptops have become a dominant presence in both business and personal computing. Looking at global market share, the Windows operating system leads with around 77 percent, with macOS a distant second. It therefore comes as no surprise that managing corporate Windows machines is indispensable for an IT admin. This blog aims to provide a basic guide to Windows device management to get you started.

Mobile Device Management solutions have always been the optimal option for managing enterprise mobile devices, but they used to fall short for traditional desktops and PCs. Legacy Windows devices did not have MDM features built in, which made them difficult to manage in a simple and efficient manner; traditionally, they were managed using agent-based client management tools. Windows 8.1 introduced some MDM concepts, and the transition was completed in 2015 when Windows 10 realized all the modern MDM concepts. Now, with a complete UEM solution like Hexnode, Windows 10 devices can be managed remotely from a single Web Console along with the Android, iOS and macOS corporate devices.

What is Windows device management? 

Windows device management is the process of monitoring, auditing, securing and managing the Windows laptops and phones in an enterprise or educational environment, usually done in a centralized manner. 

Why MDM for Windows? 

For managing Windows devices, group policies have long been the go-to method. Group Policy is a feature of Microsoft Windows Active Directory that provides centralized management and control of the connected user and computer accounts. Group policies are a trusted staple for the Domain admin. However, managing and keeping track of a fleet of devices with varying sets of group policies can be difficult even for veteran admins. For common enterprise requirements, MDM is the easier and less time-consuming option. For more specialised and extensive feature requirements, the dependency on Group Policy management cannot be eliminated entirely. For example, deploying apps and configuring network settings like Wi-Fi can easily be done using an MDM solution. However, specialized tasks such as preventing access to specific control panel applets can only be achieved using a Group Policy.

MDM vs Group Policy 

Scope
MDM: Manages MDM-enrolled devices that could be non-domain-joined or domain-joined in an Azure Active Directory or Active Directory environment.
Group Policy: Used to manage domain-joined devices in a traditional Active Directory environment.

Settings
MDM: Enterprise-oriented settings for security, app deployment and network configurations.
Group Policy: More extensive and granular settings.

Ease of use
MDM: Easy to deploy even for beginners.
Group Policy: Could be confusing and time-consuming if the admin goes for extensive granularity in settings.


Migrating from Group Policy Management to MDM management – MMAT 

Unlike the previous Windows versions, Microsoft Windows 10 is almost mobile-like in nature with its mobility supporting features and controls. Hence, managing the Windows systems like any other mobile device is a lucrative option which is possible by managing all the corporate devices using a single MDM.  

The question may arise of how to make the transition from traditional Group Policy Objects (GPOs) to modern MDM software for Windows device management. Microsoft has created an excellent tool for the technical migration from group policies to MDM: MMAT, the MDM Migration Analysis Tool. MMAT does a best-effort analysis, since a one-to-one mapping between MDM policies and Group Policies is not available. However, MMAT greatly reduces the time administrators spend on the migration process.

MMAT works in three stages: 

  1. It determines all the GPOs applied to the target system and filters out the ones that are not enabled or that have access denied.
  2. For each remaining GPO, the GPO XML report is retrieved from the server using PowerShell. The information is stored in GPOReport-{GPOGuid}.txt files.
  3. MdmMigrationAnalysisTool.exe is invoked to compare the GPOReport-{GPOGuid}.txt files against MDMPolicyMapping.xml. The results are produced as HTML and XML files.
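The three stages above, written out as a PowerShell script so the flow is visible end to end. This is an added example, not Microsoft's own Invoke-MdmMigrationAnalysisTool.ps1 and not Hexnode's code. It assumes a domain-joined machine with the RSAT GroupPolicy module, that $ToolDir (a placeholder path) holds an unpacked MMAT download including MdmMigrationAnalysisTool.exe and MDMPolicyMapping.xml, and that the executable is run without arguments (any options it supports should be taken from its README rather than from this example). Applied GPOs are read from the resultant set of policy XML, whose per-GPO Enabled and AccessDenied elements implement the stage 1 filter; the local GPO has no GUID and is skipped because Get-GPOReport cannot export it.

```powershell
# Added example: MMAT's three stages with GroupPolicy module cmdlets.
# Assumptions: RSAT GroupPolicy module present, run as a domain user who can
# read the GPOs, $ToolDir is a placeholder folder holding the MMAT files.
param(
    [string]$TargetComputer = $env:COMPUTERNAME,
    [string]$ToolDir = 'C:\MMAT'   # placeholder: folder with MdmMigrationAnalysisTool.exe
)

Import-Module GroupPolicy
Push-Location $ToolDir

# Stage 1: resultant set of policy for the target; keep only GPOs that were
# actually applied (enabled and not blocked by security filtering).
$rsopPath = Join-Path $ToolDir 'rsop.xml'
Get-GPResultantSetOfPolicy -Computer $TargetComputer -ReportType Xml -Path $rsopPath | Out-Null
[xml]$rsop = Get-Content -Path $rsopPath -Raw

$appliedGpos = @()
foreach ($scope in @($rsop.Rsop.ComputerResults, $rsop.Rsop.UserResults)) {
    foreach ($gpo in @($scope.GPO)) {
        if ($null -eq $gpo) { continue }
        if ($gpo.Enabled -ne 'true' -or $gpo.AccessDenied -ne 'false') { continue }
        # Identifier lives in the Types namespace, so select it by local name.
        $guid = $gpo.SelectSingleNode("*[local-name()='Path']/*[local-name()='Identifier']").InnerText
        if ($guid -notmatch '^\{?[0-9a-fA-F-]{36}\}?$') { continue }   # skips 'LocalGPO'
        $appliedGpos += [pscustomobject]@{ Name = $gpo.Name; Guid = $guid }
    }
}
$appliedGpos = $appliedGpos | Sort-Object Guid -Unique
Write-Host "Applied GPOs on ${TargetComputer}: $($appliedGpos.Count)"

# Stage 2: export each GPO's XML report as GPOReport-{GUID}.txt, the file name
# the analysis tool looks for.
foreach ($g in $appliedGpos) {
    $reportPath = Join-Path $ToolDir "GPOReport-$($g.Guid).txt"
    Get-GPOReport -Guid $g.Guid -ReportType Xml -Path $reportPath
    Write-Host "Exported '$($g.Name)' -> $reportPath"
}

# Stage 3: run the analysis against the reports and the bundled MDMPolicyMapping.xml.
# Assumption: the tool reads the report files from the working directory and
# writes its HTML and XML results beside them.
& (Join-Path $ToolDir 'MdmMigrationAnalysisTool.exe')

Pop-Location
```

Run it from an elevated PowerShell session; the HTML result is the artifact to review, since every policy it marks as unmapped is a control that still needs a Group Policy (or a manual equivalent) after the move to MDM.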

How can you manage your Windows 10 devices using Hexnode MDM? 

From initial deployment to end-user involvement, it is important to support, manage and monitor the devices throughout their lifecycle. For managing Windows 10 devices with Hexnode, there are four critical elements:

  1. Enrollment and setup 
  2. Configuring policies and settings 
  3. Securing against unauthorized access and attacks 
  4. Asset Management

1. Enrollment and Setup 

Enrolling a device with Hexnode establishes a connection between the MDM and the device through which they communicate with each other. Windows PCs and tablets can be enrolled using different methods, with either Open or Authenticated enrollment, and through either the Hexnode Installer App or the Native enrollment method. For bulk enrollment, a provisioning package (.ppkg) file can be used for a one-time setup so that the user can enroll the device the first time it is turned on by installing the ppkg file. On enrolling a Windows device, the Hexnode Notifications App gets automatically installed on the device. The admin can send broadcast messages to the users, which are received and displayed in the installed app.

Important Integrations with Hexnode MDM 

  • Azure Active Directory: Azure Active Directory is Microsoft’s cloud-based identity and access management service. Azure AD supports multi-factor authentication and single sign-on (SSO), thereby increasing the security of the enterprise users. On integrating Azure AD with Hexnode, all the Azure AD users can be synced for easy enrollment and policy assignment with a single click.
  • Active Directory: Microsoft Active Directory domain services contain all the directory information and manage all the interactions between the user and the domain. Multiple Active Directory domains can be configured and managed from a single web console in Hexnode.
  • GSuite: Integrating GSuite with Hexnode helps businesses import their GSuite users and groups directly into the MDM console. The Windows devices can then be enrolled with their corresponding GSuite users.
  • System Center Configuration Manager (SCCM): SCCM is a software management suite from Microsoft that manages a group of computers running Windows operating system. SCCM provides remote control, operating system deployment, network security and other services. On integrating SCCM with Hexnode, the devices in the SCCM server can be migrated with ease to the Hexnode portal.


2. Configuring Policies and Settings

After enrolling the devices, the devices have to be configured properly with the required configurations and settings. These settings can be configured in a policy. The policy can be assigned to individual devices or groups of devices based on the requirements. You can create either static or dynamic groups for applying the policies. We have discussed a brief overview of the settings you can configure using an MDM. 

App management 

Managing the apps installed in the corporate devices is an essential feature for any admin. The business devices often need to have some apps installed in them. Getting each user to install the apps would be a hassle. Hexnode simplifies this task by enforcing the app installation of the apps configured as mandatory apps in the MDM policy. The mandatory apps are silently installed on the devices. Both store apps and enterprise (MSI) apps can be deployed using the Mandatory Apps feature. 

To prevent the users from installing unnecessary or malicious applications, the admin can either blacklist or whitelist the applications. If a blacklisted application is installed on the device, the device is marked as non-compliant. On whitelisting the apps, all the apps other than the ones whitelisted are considered blacklisted.  

Network Settings

For accessing company resources such as enterprise Wi-Fi on BYOD devices, the user need not know about the complex settings or the credentials. With Hexnode, the admin can directly push the Wi-Fi configuration settings to the enrolled Windows devices. The settings can be configured remotely and then deployed to the devices automatically without the user having to worry about connecting to the Wi-Fi manually. 

Account Management 

Hexnode allows you to configure email and Exchange ActiveSync accounts remotely and push it to the enrolled Windows devices over-the-air. Exchange ActiveSync syncs emails, attachments, calendar, contacts, and tasks between the device and your email account server.  


3. Securing against unauthorized access and attacks

Securing your Windows devices

In the enterprise IT world, device and data security is one of the most important elements in the device lifecycle. Preventing the compromise of device security is far easier with an MDM. Strong password policies, BitLocker encryption, threat management, and configuring settings restrictions are some ways to secure the systems.

Password Policies 

Enforce strong passcode policies to secure the corporate data on the Windows devices. The passcode can be made mandatory, and you can set a passcode age so that the passcode is changed frequently.

BitLocker Encryption 

BitLocker is Microsoft’s full-disk encryption tool for Windows PCs. It enforces encryption on system drives, fixed data drives, and removable drives for data protection. It actively prevents unauthorized users from accessing device data even if the device is stolen or lost. Hexnode MDM allows you to set up BitLocker and configure the encryption settings for the operating system, fixed data drives, and removable drives remotely in a single policy.

Windows Defender 

Windows Defender is an anti-malware tool for threat management on Windows devices. Microsoft Defender offers real-time protection against viruses, spyware, malware or any other software threats. The admin can configure various Windows Defender settings in a policy from the Hexnode Web Console. These settings are controlled in Windows Defender Security Centre (WDSC), a built-in Universal Windows Platform (UWP) app that offers continuous real-time protection for Windows devices.

Additionally, you can also configure Windows Defender Application Guard settings with Hexnode. Windows Defender Application Guard is a security tool designed to protect devices from attacks originating from untrustworthy websites by enforcing browser isolation. If the user tries to access a website that is not trusted by the organization, an isolated anonymous browsing session is opened so that the enterprise data is not accessible to any potential attackers.
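Once a policy with the password, BitLocker and Defender settings described above has been pushed, an admin will want to confirm that the settings actually landed on the endpoint. The following added example (not Hexnode's code and not part of the original post) audits a single Windows 10 machine for those three controls with the built-in BitLocker and Defender PowerShell modules plus the local account policy, and returns the findings as an object that can be exported for reporting. The thresholds (90-day maximum password age, 8-character minimum length, 7-day signature age) are illustrative values chosen for this example, not Hexnode defaults; the script assumes it runs elevated on Windows 10 Pro or Enterprise.

```powershell
# Added example: local compliance audit for password policy, BitLocker and Defender.
# Assumptions: elevated session; BitLocker and Defender modules available;
# thresholds below are illustrative, not vendor defaults.

function Get-PasswordPolicyStatus {
    # 'net accounts' prints the local account policy; pick out the two values we need.
    $maxAge = $null
    $minLen = $null
    foreach ($line in (net accounts 2>$null)) {
        if ($line -match '^Maximum password age \(days\):\s+(\S+)') { $maxAge = $Matches[1] }   # number or 'Unlimited'
        if ($line -match '^Minimum password length:\s+(\d+)')        { $minLen = [int]$Matches[1] }
    }
    [pscustomobject]@{ MaxPasswordAgeDays = $maxAge; MinPasswordLength = $minLen }
}

function Test-DeviceCompliance {
    param(
        [int]$MaxPasswordAgeDays = 90,   # illustrative threshold
        [int]$MinPasswordLength  = 8,    # illustrative threshold
        [int]$MaxSignatureAgeDays = 7    # illustrative threshold
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Password policy: a mandatory passcode that is rotated (passcode age).
    $pw = Get-PasswordPolicyStatus
    if ($pw.MaxPasswordAgeDays -eq 'Unlimited' -or [int]$pw.MaxPasswordAgeDays -gt $MaxPasswordAgeDays) {
        $findings.Add("Maximum password age is '$($pw.MaxPasswordAgeDays)'; expected <= $MaxPasswordAgeDays days")
    }
    if ($pw.MinPasswordLength -lt $MinPasswordLength) {
        $findings.Add("Minimum password length is $($pw.MinPasswordLength); expected >= $MinPasswordLength")
    }

    # 2. BitLocker: the OS volume and every fixed data volume must be protected.
    foreach ($vol in Get-BitLockerVolume) {
        $type = "$($vol.VolumeType)"
        if (@('OperatingSystem', 'Data') -contains $type -and "$($vol.ProtectionStatus)" -ne 'On') {
            $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint) ($type, $($vol.EncryptionPercentage)% encrypted)")
        }
    }

    # 3. Defender: real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is disabled') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old; expected <= $MaxSignatureAgeDays")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = Get-Date
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: run the audit and keep a CSV per machine for the reporting step.
$result = Test-DeviceCompliance
$result | Format-List
$result.Findings |
    ForEach-Object { [pscustomobject]@{ Computer = $result.ComputerName; Finding = $_ } } |
    Export-Csv -Path (Join-Path $env:TEMP "compliance-$($env:COMPUTERNAME).csv") -NoTypeInformation
```

A device that reports Compliant = $false here while the MDM console shows the policy as applied is the case worth investigating: it usually means the policy was acknowledged but a local setting (a drive added after enrollment, a third-party antivirus registering as the primary engine) prevented the control from taking effect.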

Security Restrictions 

Depending on the business use case, IT admins can configure various restrictions for device settings in a policy. For instance, users can be restricted from deleting the workplace account from device settings so that the device cannot be disenrolled from the MDM by the user. Device security can be further ensured by requiring provisioning package files to be signed with a trusted certificate before they can be installed, and by restricting automatic pairing with other devices.

4. Asset Management

The IT admin has to continually track and monitor the enrolled devices and users even after the initial setup to ensure proper functioning in a seamless manner. The dashboard in the Hexnode Web Console gives a general overview of the asset status in a single glance. The quick actions allow the admin to execute instant device scans, send a broadcast message, install an application or even wipe/disenroll the device.  

Reports and analysis 

Analyzing and monitoring corporate asset information is always easier with solid reports. Hexnode allows you to generate complete device reports and granular reports based on specific actions, either manually at any time or at a scheduled time. The reports can be easily exported as either PDF or CSV files.

Handling lost devices 

Corporate devices may get stolen or misplaced even with the utmost care. In such an event, the sensitive data can be protected by performing a remote wipe on the lost device with Hexnode Remote Actions.

Windows Kiosk Management with Hexnode 

The enrolled Windows machines can be converted into purpose-oriented devices by locking them down into a Kiosk mode. The user is limited to the kiosk apps and cannot access the device settings or other apps. Windows 10 devices can be locked down into a Single App or Multi App kiosk mode. Kiosk Mode is supported for Windows 10 Pro, Enterprise and Education editions. Windows Kiosk Mode has many business use cases that enhance employee productivity, improve data security and improve user experience. Self-service kiosks at banks and ticketing kiosks at public places are a few examples of Windows kiosks in everyday life.

Windows Single App Mode 

For kiosks at public places, single app mode is often the ideal option. With Hexnode, you can configure the enrolled Windows PCs to run a single UWP or Microsoft store app in full screen for a restricted local user account. 

To lock down Windows 10 devices without using an MDM, the admin can make use of Assigned Access, a built-in single app kiosk mode feature. A major drawback of Assigned Access is that it has to be configured individually on each device. For bulk provisioning and silent installation of apps, the devices should be deployed using an MDM.
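For comparison with the MDM-driven approach, here is what the per-device Assigned Access configuration just mentioned looks like on one Windows 10 Pro, Enterprise or Education machine. This is an added example, not Hexnode's code and not from the original post; the account name KioskUser, its description and the app (the built-in Windows Calculator, identified by its Application User Model ID) are placeholders chosen for this example, and the script assumes an elevated session. It shows why the approach does not scale: every step runs locally, on each device, by hand.

```powershell
# Added example: single-app kiosk on one machine with built-in Assigned Access.
# Assumptions: elevated session on Windows 10 Pro/Enterprise/Education;
# $KioskUser and $AppUserModelId are placeholders for this example.

$KioskUser      = 'KioskUser'                                       # placeholder local account
$AppUserModelId = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'   # UWP app to lock the account to
$PackageName    = 'Microsoft.WindowsCalculator'                     # package that provides the app

# 1. Create a dedicated, low-privilege local account if it does not exist yet.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $KioskUser"
    New-LocalUser -Name $KioskUser -Password $password -PasswordNeverExpires `
        -Description 'Assigned Access kiosk account' | Out-Null
}

# 2. The account must be an ordinary user (never an administrator) so the lockdown
#    cannot simply be undone from inside the kiosk session.
if (-not (Get-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser
}
if (Get-LocalGroupMember -Group 'Administrators' -Member $KioskUser -ErrorAction SilentlyContinue) {
    throw "$KioskUser is a local administrator; refusing to use it as a kiosk account"
}

# 3. Assigned Access can only launch an app that is staged for all users.
if (-not (Get-AppxPackage -AllUsers -Name $PackageName)) {
    throw "$PackageName is not installed for all users on this machine"
}

# 4. Bind the account to the app. At the next sign-in this user sees only that
#    app, full screen, with no access to Settings or any other app.
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $AppUserModelId

# Show the resulting configuration; Clear-AssignedAccess removes the lockdown again.
Get-AssignedAccess
```

Note that nothing here installs or updates the app, and nothing reports back whether the configuration is still in place a month later; those are the gaps the Hexnode kiosk policy described in the next sections is meant to close.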

Windows Multi App Mode 

The local user account is restricted to a handful of whitelisted applications in Windows Multi App mode, preventing the users from accessing any other features or settings in the device. Multi App mode is useful for increasing employee productivity by reducing distractions and providing users access to only what they need. The kiosk account can be locked down into Windows Store apps, UWP apps or Desktop apps.  
