The past

Over the last 20+ years I have followed the journey from when Microsoft introduced the client/server architecture with the Windows NT client and server operating systems, where both clients and servers resided inside a physical building on a local network. Clients were physical PCs, and so were servers.

Today

Fast forward to today and we have a lot more complexity. Users work from multiple mobile client devices (most people have a laptop and a phone as a minimum), at any location and at any time. Apps are a mix of modern SaaS and web apps and traditional Windows client/server apps (what we usually call legacy apps) that run in multiple private and public clouds and datacenters. At the same time, cyber risk has increased exponentially. All of this has led to increased complexity, risk and cost for delivering a good digital employee experience (DEX).

The challenges

There are a few challenges that, after 20+ years of legacy applications, are still an issue. Client/server applications are normally very latency sensitive: some require less than 1 ms latency between client and server, while others can handle a little more. The other is security: these legacy apps usually provide weak or no encryption on the wire, and many of them have poor authentication mechanisms, or are based on Windows Kerberos authentication, which worked well in the old client/server world but does not fit well in a modern cloud-based world with a lot of new security threats. The number of solutions and tools in the End User Computing (EUC) space is an ever-growing list of vendors that try to solve parts or all of these challenges, as well described in this article: EUC Hexagrid | Dizzion

The most common model I have worked with for the last 10 years is a hybrid model, where a modern device management system has been introduced to secure and deliver modern SaaS apps to laptops and mobile devices, while legacy client apps have been delivered with virtual applications or virtual desktop infrastructure, or over VPN. Traditional VPN solutions are risky, because they often give the client network-level access to far more of the datacenter than the one application it needs, and that broad reach is a risk in the environment.

Managing virtual apps and desktops has over the last years been done with image deployment to a pool of single-session or multi-session machines. This method is quite effective, but it also leads to challenges with handling user profiles, flexibility for users' different app needs, and performance requirements. The tools out there today have been perfected to deliver this in a quite good way. But to be honest, it is not cheap, and it requires some very skilled operational and architectural people to develop and maintain it.

The digital workplace is mostly a cost and support function in most businesses, and all these complex solutions drive the cost up without necessarily increasing business profitability. Yes, it is a key element in connecting humans to the digital world in a secure way, but the cost and complexity of doing this keeps the cost high.

New way?

Is there a new and better way to do this? I believe yes, but there is still no one-size-fits-all solution. There is, however, one big player that increasingly provides a way of handling many of these scenarios in a secure and effective way, and that is Microsoft. So how do I picture the ideal solution based on Microsoft?

First, the assumption here is that you have already invested heavily in the Microsoft 365 portfolio. If you are a Google Apps based company this is not for you. But a lot of companies today (at least in Norway where I live) already have an E3 license and manage their devices with Intune and Autopilot.

I also assume you use Citrix, VMware or another desktop and app virtualization platform to deliver legacy business apps to the clients.

The new service that Microsoft now provides is Global Secure Access (GSA). Recommended reading: Marius Sandbu's blog post about it -> ZTNA for Azure Private Endpoint using Entra Private Access – msandbu.org

With GSA you can give your endpoints secure access to your datacenters (private or cloud) on a per-application basis, instead of the network-wide reach a VPN tunnel gives. This will add some latency, but it may work for web and TCP apps that are not too latency sensitive, and from clients that are not too far away. These endpoints are company owned and locked down by Intune.

What about the clients that are too far away to get good enough latency between client and server? Or external clients and BYOD users? And what about the apps that are too latency sensitive? This is where the next Microsoft innovation comes in: Windows 365 Cloud PC Enterprise.

At least for me, the Enterprise version went under my radar for a while. The Business version is more of a solution for individual users, not providing network access and management options. Azure Virtual Desktop is also an alternative. But then I came across this excellent article from Nerdio that compares Windows 365 Enterprise vs Business vs Azure Virtual Desktop -> Windows 365 vs. Azure (Windows) Virtual Desktop | Nerdio (getnerdio.com)

Based on the article, you can see that for personal virtual desktops, Windows 365 Enterprise actually provides management and network access functionality at a lower cost than Azure Virtual Desktop (starting at $20 per user per month including compute and storage). And you manage it the same way as you manage the physical PCs. This removes a lot of the complexity of traditional pooled, image-based desktop/app solutions, with all the user profile and other operational pains that follow. And you can manage it with the same people who manage the physical endpoints. No need for a virtual desktop superhero (if you read this and are a virtual desktop superhero, no offence -> you are still relevant, just move into the Windows 365/AVD and GSA space).

But Windows 365 runs in the cloud, and you may not want to move all your servers to the cloud? Well, if your datacenter is located close enough to an Azure region, you can run the desktops in the cloud and the servers on-prem. If an application is super latency sensitive, move only those servers to the cloud and keep the others on-prem. This is the power of hybrid deployments: use the best of both worlds. As an example, from the south of Norway where I live there is usually 5-10 ms to the nearest Azure region, which is sufficient for many apps. Some people are curious about running AVD on-premises using Azure Stack HCI, but calculations have shown that this may actually be more expensive -> Citrix vs Azure Virtual Desktop on-premises what's the cost difference? – msandbu.org
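The placement rule in the two paragraphs above (deliver the app straight to the endpoint through GSA when the user's site is within the app's latency budget, otherwise put the user on a Cloud PC in the Azure region and keep the server on-prem if the region-to-datacenter RTT fits, and only move the very latency-sensitive servers next to the Cloud PCs) can be written down as a small decision function. The example below is added here and is not code from the original post or from Microsoft. The site names, the RTT matrix and the 80 ms remote-display budget are constructed assumptions for illustration; in a real assessment you would fill the matrix from measured round trips between each user site, each datacenter and each candidate Azure region.

```python
"""Map (user site, legacy app) pairs to a delivery model using measured RTTs.

Added example, not part of the original post. All site names, RTT values and
budgets below are constructed assumptions, not measurements.
"""
from dataclasses import dataclass
from enum import Enum


class Delivery(Enum):
    DIRECT_GSA = "app on the endpoint, server reached per-app via Entra Private Access"
    CLOUD_PC_SERVER_ONPREM = "Cloud PC in the Azure region, server stays in own datacenter"
    CLOUD_PC_SERVER_IN_AZURE = "Cloud PC in the Azure region, move this server next to it"
    NO_FIT = "no placement fits: pick a closer Azure region or relax the budget"


@dataclass(frozen=True)
class App:
    name: str
    max_rtt_ms: float   # client<->server RTT the app tolerates
    server_site: str    # where the app server runs today


# Constructed sample RTT matrix in ms (assumption, not real measurements).
# Keys are unordered site pairs; rtt_ms() looks them up in either direction.
RTT_MS = {
    ("oslo-office", "dc-kristiansand"): 3.0,
    ("oslo-office", "azure-norway-east"): 7.0,
    ("remote-spain", "dc-kristiansand"): 55.0,
    ("remote-spain", "azure-norway-east"): 50.0,
    ("remote-sydney", "dc-kristiansand"): 310.0,
    ("remote-sydney", "azure-norway-east"): 300.0,
    ("azure-norway-east", "dc-kristiansand"): 8.0,
    ("azure-norway-east", "azure-norway-east"): 0.5,  # server co-located in region
}

# Assumed tolerable RTT between a user and their Cloud PC for the remote
# display protocol. This figure is an assumption, not from the post.
DEFAULT_DISPLAY_BUDGET_MS = 80.0


def rtt_ms(a: str, b: str) -> float:
    """Symmetric lookup. Raises KeyError for unmeasured pairs rather than guessing."""
    if (a, b) in RTT_MS:
        return RTT_MS[(a, b)]
    return RTT_MS[(b, a)]


def plan(app: App, user_site: str, cloud_region: str = "azure-norway-east",
         display_budget_ms: float = DEFAULT_DISPLAY_BUDGET_MS) -> Delivery:
    """Pick the cheapest delivery model whose latencies all fit the budgets."""
    # 1. App on the endpoint, per-app access through GSA: only the
    #    user-site -> server RTT matters.
    if rtt_ms(user_site, app.server_site) <= app.max_rtt_ms:
        return Delivery.DIRECT_GSA

    # 2. Cloud PC: the user must first be able to drive a remote desktop
    #    in the chosen region at all.
    if rtt_ms(user_site, cloud_region) > display_budget_ms:
        return Delivery.NO_FIT

    # 3. From the Cloud PC, the region -> datacenter RTT is what the app sees.
    if rtt_ms(cloud_region, app.server_site) <= app.max_rtt_ms:
        return Delivery.CLOUD_PC_SERVER_ONPREM

    # 4. Too sensitive even for region -> datacenter: move only this server
    #    into the region, next to the Cloud PCs (hybrid, not a full migration).
    if rtt_ms(cloud_region, cloud_region) <= app.max_rtt_ms:
        return Delivery.CLOUD_PC_SERVER_IN_AZURE

    return Delivery.NO_FIT


def plan_all(apps, user_sites, **kwargs):
    """Return {(user_site, app_name): Delivery} for every combination."""
    return {(site, app.name): plan(app, site, **kwargs)
            for site in user_sites for app in apps}


if __name__ == "__main__":
    apps = [
        App("erp-client", max_rtt_ms=10.0, server_site="dc-kristiansand"),
        App("legacy-db-frontend", max_rtt_ms=1.0, server_site="dc-kristiansand"),
        App("intranet-web", max_rtt_ms=50.0, server_site="dc-kristiansand"),
    ]
    for key, decision in plan_all(apps, ["oslo-office", "remote-spain", "remote-sydney"]).items():
        print(f"{key[0]:<14} {key[1]:<20} -> {decision.name}: {decision.value}")
```

The output is a per-persona-per-app table you can feed into the persona work below: the Oslo office gets the ERP client directly through GSA, the Spanish remote user gets a Cloud PC with the ERP server still on-prem, the sub-millisecond database front end forces that one server into the region for everyone, and the Sydney user gets NO_FIT, which is the signal to look at a closer Azure region rather than stretch the budget.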

But how about virtual apps?

Well, this has been a good option if you only have a few legacy apps to deliver. For this, AVD pooled apps are a good option, and they can connect to hybrid apps just like Windows 365. But for users with low latency to the datacenter, these apps can be delivered directly to the endpoint together with GSA, as described earlier. Remote users may actually have a better experience running a full virtual desktop, because a lot of applications have workflows that require drag and drop between different apps, which may work better in a full desktop environment than in a remote app scenario.

Personas

My recommendation is to develop personas for different categories of users with different needs. Based on those needs you map them to different Windows delivery models: Conditional Access architecture and personas – Azure Architecture Center | Microsoft Learn

Summary

So to summarize, I think it is about time to think in a new way when it comes to giving different users the best possible Digital Employee Experience in a secure, flexible and cost-effective way. Leverage the best of the SaaS services in the Microsoft portfolio and build secure access to the hybrid cloud. Embrace Windows 365 Enterprise and Frontline, Intune and Global Secure Access, and deliver the right choice for every user type.
