This article is contributed. See the original author and article here.
In this article, we outline the key advantages of cloud-based deployments, introduce HoloLens 2 platform fundamentals, and describe the core components needed to successfully deploy HoloLens 2 devices.
Enterprises around the globe are rapidly adopting mobile devices, such as laptops, smartphones, and mixed reality/virtual reality (MR/VR) headsets in an effort to improve workforce productivity and operational efficiency, With Microsoft HoloLens 2 and Mixed Reality solutions, you can transform your business workflows – from remote collaboration and task guidance to employee training and other use cases.
This mobile-first device landscape means that IT teams need to look for new, cost-effective ways to manage corporate devices. Historically, on-premises IT tools such as Active Directory and Configuration Manager, addressed complex desktop PC management needs. Today, the device management and IT infrastructure industries are undergoing massive modernization, moving to cloud-based services that allow for scale at an ever-increasing pace. HoloLens 2 is tightly integrated with Microsoft Azure cloud services that enable administrators to deploy devices at large scale with increased scalability, security, and reliability.
Why cloud management versus on-premises?
HoloLens 2 was designed and built as a modern, cloud-first, device. HoloLens 2 runs on the Windows Holographic OS, which is based on a “flavor” of Windows 10, that provides users, admins, and developers with a robust, performant, and secure platform. Windows Holographic supports end-to-end cloud-based device management capabilities to give companies control over their devices, data, and apps.
The table below briefly illustrates some basic differences between Windows 10 and Windows Holographic.
Windows 10 for desktop
Windows Holographic for HoloLens 2
Configuration Manager/Group Policy, mobile device management (MDM)
Mobile device management (MDM)
Cloud and on-premises
Windows apps, Win32, Universal Windows Platform (UWP)
CSPs and policies
Direct registry access
It’s not an understatement that on-premises management requires heavy IT involvement. Local storage and processing of corporate data inevitably yields high-touch supervision and costly processes and tools.
The integration between HoloLens 2 and cloud services, like Azure Active Directory (Azure AD) and Microsoft Intune, allows for fast-time-to-value, and high degrees of scalability. Those services minimize complexity to allow you to expand to more users, devices, and services dynamically, with close-to-zero marginal cost. Continuous service improvements are delivered as part of your Azure subscription, without requiring time-consuming software installation and updates. Every service, from identity, to updates, to app deployment, is designed to keep end-users and corporate assets secure, with low admin maintenance costs. The goal is to reduce the overhead on you, the IT administrator, and empower you to focus on other important activities.
HoloLens 2 deployment checklist
Now let’s explore some essential components for low-touch, cloud-based deployments of HoloLens 2. Although every environment has its own requirements, the information below is intended to outline the foundational services, technologies and tools that can be used to quickly reach deployment scale.
Identity: Azure Active Directory
Azure Azure AD is Microsoft’s cloud identity and access management service. HoloLens 2 treats identity with Azure AD accounts in almost the same manner as other Windows 10 devices, enabling:
- Automatic device enrollment with your organization’s tenant and mobile device management (MDM) solution.
- Secure and seamless user sign-in experiences to devices, applications, and corporate resources
- Windows Hello for Business features for secure authentication with PIN, Iris or FIDO keys, for up to 64 users.
To get started:
- Define your user management and identity model. For more information about creating a tenant for your organization, see the Quickstart Guide.
- Create the appropriate users and groups and assign licenses in the Microsoft 365 Admin Center.
- Get Azure AD Premium P1 (required).
Security: HoloLens 2
Microsoft HoloLens 2 implements the latest standards for a highly secure modern device. The security capabilities are designed for comprehensive coverage – from hardware to software. Some examples include always-enabled device encryption (BitLocker), Trusted Platform Module (TPM), Conditional Access, Windows Defender Smart Screen, and more.
To get started, review the HoloLens 2 security documentation for details about the architecture, capabilities, and deployment considerations.
Device management: Microsoft Intune
Microsoft Intune is a cloud-based MDM service that enables you to control how your organization’s devices are used, including mobile phones, laptops, and HoloLens 2 devices. This service enables people in your organization to be productive on all of their devices, corporate-owned or personal, while keeping your organization’s information protected with policies you create and manage. Intune offers a streamlined management experience with no on-premises resource overheard. The service is part of Enterprise Mobility + Security (EMS) suite and is included with the respective subscriptions.
To get started, review the Setup guide for Microsoft Intune.
Device enrollment: Intune and Azure AD
There are two low-touch solutions to enroll corporate devices to your organization’s Azure AD tenant and MDM:
- Auto-enrollment during initial device setup, which registers and joins Azure Active Directory and allows the device to be managed with Intune; OR
- Windows Autopilot for HoloLens 2 (currently in Public Preview). With Autopilot, the provisioning experience is drastically simplified for both IT and end users. IT admins can preconfigure HoloLens 2 policies, and upon first boot, devices will be deployed in business-ready state with zero end-user interaction. Note that Windows Autopilot also requires Auto-enrollment to be configured first for the low-touch Autopilot flow.
To get started:
- Configure your auto-enrollment profile in Intune.
- Plan your device deployment within your business.
- For Autopilot:
- Contact your reseller to support you with device registration, and
- Prepare your deployment profiles in Intune.
Application deployment: Intune and Microsoft Store for Business
There are several ways to deploy apps to your managed devices, but one common way is by synchronizing Intune with Microsoft Store for Business. On Microsoft Store for Business, admins can find and purchase apps for their organization and by connecting Microsoft Store for Business to Intune, you can manage volume-purchased apps from the portal.
To get started:
- Pick the solution (app) that satisfies your business scenario and acquire licenses.
- Associate and synchronize Microsoft Store for Business with Intune and assign apps to groups.
Policies: Configuration Service Providers
Configuration Service Providers (CSPs) are the foundation of device management. They are an interface to read, set, modify, or delete configuration settings on the device by mapping to registry keys or files. CSPs can be deployed in the form of custom policy or configuration profiles from the MDM platform. Example policies include device restrictions, updates, certificates, or network profiles. HoloLens supports a subset of the Windows 10 CSPs and we continuously expand the list based on customer feedback.
To get started:
HoloLens 2 works best in commercial environments with wireless network availability. It supports modern and widely used networking frameworks such as VPN, Proxy, EAP and Simple Certificate Enrollment Protocol (SCEP) or Public Key Cryptography Standard (PKCS) certificates.
For your network infrastructure, we suggest:
- Test your network with your Mixed Reality solution. For example, for customers using Dynamics 365 Remote Assist, there are certain network network optimizations recommended, along with additional technical requirements.
- For environments using firewall or proxy, ensure that critical endpoints/URLs for HoloLens 2 are allowed.
- In many scenarios, we have observed the following as best practices:
- Use Wi-Fi 4+ (802.11.n+) access points with MU-MIMO capabilities.
- Create a dedicated SSID on 5GHz band dedicated to HoloLens.
- Ensure good network coverage at your end-site.
Today’s mobile-first device landscape has changed the business of IT deployment and device management. Although the shift from on-premises to cloud-based deployments can be challenging, Microsoft’s cloud-based technologies, such as Azure AD and Intune, offer low-touch solutions with the goal of reducing overhead on security and IT admins.
The ultimate reward of implementing these new technologies is threefold – defining the modern workplace for your business, empowering your workforce, and participating in the new wave of computing with Mixed Reality. If you are interested in learning how Mercedes-Benz USA IT deployed hundreds of HoloLens 2 devices to redefine remote collaboration and task guidance, watch this short video from the recent North America HoloLens Industry Summit:
For more information, please explore considerations when deploying and managing HoloLens 2 as well as common deployment scenarios for enterprises.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.