Windows 10 Management Technologies: What’s New
Michael Niehaus, Senior Product Marketing Manager, Windows, Microsoft
Business needs are evolving. Windows 10 offers to meet those needs.

MANAGEMENT CHOICES
BASIC
Exchange ActiveSync
• BYOD (personal) devices
• E-mail access only
LIGHTWEIGHT
Active Directory and/or Azure Active Directory
Mobile Device Management
• Company-owned and BYOD devices
• Internet-facing or corporate network
FULL CONTROL
Active Directory
Group Policy
System Center
• Company-owned devices
• Corporate network

WINDOWS MANAGEMENT FEATURES
PRODUCTS
• System Center Configuration Manager
• Microsoft Desktop Optimization Pack (MDOP)
CLOUD SERVICES
• Azure Active Directory
• Azure RMS
• Microsoft Intune
• Windows Store
WINDOWS SERVER
• Active Directory
• Group Policy
• Windows Server Update Services (WSUS)
WINDOWS CLIENT
• Windows Management Instrumentation (WMI)
• Mobile Device Management (MDM) Agent
• Windows Remote Management (WinRM)
• PowerShell
• Windows Update
• AppLocker
• Group Policy Client

WINDOWS MANAGEMENT CHOICES
AVAILABLE CHOICES
IDENTITY: Active Directory; Azure Active Directory
DEVICE MANAGEMENT: Group Policy, ConfigMgr, 3rd party PC management; Intune, 3rd party MDM
WINDOWS STORE: Unrestricted; Curated Organization Store; Managed (MDM, ConfigMgr, etc.)
INFRASTRUCTURE: On-premises or in the cloud
OWNERSHIP: Corporate-owned, CYOD; BYOD
Organizations may mix and match, depending on their specific scenario

IDENTITY CHOICES
Active Directory provides key business identity and security capabilities
Azure Active Directory takes this to the cloud
Both work together
Windows 10 fully leverages both

WINDOWS 10 IDENTITY CHOICES
ORGANIZATION OWNED (AD join)
• Computer joins AD to establish trust
• User signs on using AD account
• Group Policy + System Center
ORGANIZATION OWNED (AAD join)
• Computer joins AAD to establish trust
• User signs on using AAD account
• Intune/MDM
• Settings roaming
PERSONALLY OWNED (BYOD)
• Computer registers with AD or AAD via Device Registration to establish trust for remote resource access
• User signs in with a Microsoft account, associates an AAD account
• Intune/MDM

AZURE ACTIVE DIRECTORY
Windows Store
Create an Azure Active Directory tenant for your business
Set up synchronization between Active Directory and Azure Active Directory (with ADFS or Password Sync, limited account details)
Enable single sign-on with cloud-based services, including the Windows Store
Enable roaming of app settings and data between devices
Demo
Azure Active Directory walkthrough

MANAGEMENT CHOICES
Works with existing infrastructure Advanced and simple MDM support Consistent across PC/mobile Intune and 3rd party solutions

WINDOWS 10 WORKS WITH EXISTING INFRASTRUCTURE
PRODUCT | SUPPORTS WINDOWS 10 MANAGEMENT | SUPPORTS WINDOWS 10 DEPLOYMENT
System Center 2012 R2 Configuration Manager
System Center 2012 Configuration Manager
System Center Configuration Manager 2007
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008
Microsoft Deployment Toolkit 2013
Updates will be required. New OS features may require newer versions for full support.

MOBILE DEVICE MANAGEMENT
Significant investments in added functionality for both mobile and desktop devices
Fully managed corporate device
Device Lockdown
BYOD: simple security settings
[Chart axes: Phone and Desktop, for Windows 8.1 and for Windows 10]

MDM IN WINDOWS 10
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD Integration

• Un-enrollment in two phases & alerts
• Removal of Enterprise configuration (apps, certs, profiles, policies) and Enterprise encrypted data (with EDP)

• Full device wipe
• Additional device inventory
• Remote Lock, PIN reset, Ring, Find
• Enhanced inventory for compliance decisions

• Greatly extended set of policies (Parity with Windows Phone 8.1)
• Context based policies
• Client certificates – Direct install (PFX)
• Enterprise Wi-Fi
• VPN management
• Email provisioning
• MDM Push when user not logged in
• Device Update control
• Kiosk Mode, Start screen / Start menu configuration and control

• Curated Windows Store
• Business Store Portal app deployment; License reclaim/re-use
• Enterprise App management
• Simplified LOB app management
• Win32 app management
• App inventory (MDM/store apps)
• App allow/deny lists through AppLocker
• Enterprise data protection

Demo
MDM Enrollment

MDM ARCHITECTURE
[Diagram: PowerShell Scripts, ConfigMgr Desired Config, MDM Client, WMI Bridge, EAS Client, CSPs, CSP / WMI Wrapper. Legend: Configuration Manager component, Common component, Desktop component]
Converged MDM client across PC and mobile
Backward compatibility with existing MDM servers
New capabilities exposed using Configuration Service Provider (CSP) model
WMI Bridge gives access to new CSPs

Demo
WMI Bridge

DEVICE MANAGEMENT VISION
A “single pane of glass” for managing all of your devices
Single admin console
GROUP POLICY
NEW IN WINDOWS 10
New policies to support Windows 10 features:
• Start screen and start menu management
• “Project Spartan” settings
• Next-Generation Credential PIN settings
• Universal app management
NEW FROM WINDOWS 7
Capabilities from Windows 8.1:
• Policy caching
• IPv6 support for printers, VPN, targeting
Capabilities from Windows 8:
• Sign-in optimization for DirectAccess clients
• Better use of larger registry policies (registry.pol)
• Remote group policy refresh (GPUpdate)
• More efficient background processing

MICROSOFT DESKTOP OPTIMIZATION PACK (MDOP)
Full support for Windows 10 at general availability, with updates for:
• App-V
• UE-V
• MBAM
• DaRT
• AGPM

AN APP STORE THAT’S OPEN FOR BUSINESS
Volume purchasing
Flexible distribution
License reclaim/re-use
Your company store

TODAY
WINDOWS STORE
• Modern apps
• Sign in with MSA
• Pay with credit card, gift card, PayPal, Alipay, INICIS, mobile operators (Phone)
“ENTERPRISE APP STORE”
• MDM-driven
• Sideload line-of-business modern apps
• Link to apps in the Windows Store

ONE WINDOWS STORE
Convergence
[Diagram: WINDOWS 8.1, WINDOWS PHONE 8.1, XBOX and WINDOWS 10]
• Converged developer portal for Windows and Windows Phone
• Separate user and developer capabilities

• Fully converged experience
• Best features from each
• New capabilities

ONE BIG STORE WITH EVERYTHING
WITH WINDOWS 10, WE PROVIDE A SINGLE STORE TO SELL APPS AND OTHER DIGITAL GOODS, SUPPORTING MORE PAYMENT INSTRUMENTS THAN ANY OTHER APP STORE.
COMMON, SAFE AND CONVENIENT WAYS TO PAY
CURATED ‘ORGANIZATION STORE’
TAILORED APP RECOMMENDATIONS
SUPPORT FOR DIGITAL GOODS (Apps, Games, Music, Movies, etc.)

TOMORROW
WINDOWS STORE
• Modern apps
• Sign in with MSA
• Pay with credit card, gift card, PayPal, Alipay, INICIS, mobile operators (Phone)
WINDOWS STORE + BSP
• Modern apps
• Organization Store for the org’s preferred or LOB apps
• Sign in with MSA to acquire public apps; sign in with AAD to acquire org apps
• Pay with credit card or PO/invoice
• B2B purchasing and distribution
• Deploy modern apps offline, in images, and more
• Modern app license management
“ENTERPRISE APP STORE”
• Sideload line-of-business modern apps
• Deploy apps from the Windows Store (even when the Store UI is disabled) through BSP integration using MDM

SCENARIOS FOR ANY NEED
FLEXIBLE APP DEPLOYMENT
Online, offline, or included in images
Through the store, via MDM, or using System Center
LOB and B2B apps can be kept private
SUPPORT FOR ANY ORGANIZATION
Teacher and classroom
Small businesses and other organizations
Large enterprises
SIMPLIFY VIA CONVERGENCE
One store, one volume purchase program
Universal apps across all device types
Simplified sideloading processes

WORKING WITH STORE APPS BSP SCENARIOS
ONLINE
• Requires the use of Azure AD accounts
• Installation files managed and deployed by the Windows Store
• Licenses tracked by the Windows Store
• Updates installed via Windows Update / WSUS
OFFLINE
• No dependency on Azure AD (or any other identities)
• Installation files are downloaded and deployed using org’s infrastructure
• No license tracking
• Updates installed via Windows Update / WSUS

SCENARIOS ORGANIZATION STORE (HOSTED)
IT ADMINISTRATOR
SIGN IN TO BUSINESS STORE PORTAL
• Using AAD account
APPS ACQUIRED
• Free apps
• Purchased using a PO or invoice
ORGANIZATION STORE CREATED
• Desired apps added
NOTES
• Cloud-based
• No on-prem infrastructure requirements
• No MDM service required
• Apps automatically updated from the Windows Store
• Can include LOB apps
END USER
LOG INTO WINDOWS
• Using AD or AAD account
ACCESS WINDOWS STORE
• Sees Organization Store and public categories
INSTALL APPS
• Selected from the Private Store using AAD, or public categories using MSA
SCENARIOS MOBILE DEVICE MANAGEMENT
IT ADMINISTRATOR
SIGN IN TO BUSINESS STORE PORTAL
• Using AAD account
APPS ACQUIRED
• Free apps
• Purchased using a PO or invoice
APPS ADDED TO MDM SERVICE
• Link to the app in the BSP
NOTES
• Cloud-based or on-prem (depending on the MDM service used)
• Apps automatically updated from the Windows Store
• The Windows Store can be disabled if desired
END USER
LOG INTO WINDOWS
• Using AD or AAD account
LAUNCH ENTERPRISE APP STORE (MDM)
• Sees available app
INSTALL APPS
• Selected from the MDM-provided list
• Installed by the Windows Store, as directed by the MDM service

SCENARIOS IMAGING
IT ADMINISTRATOR
SIGN IN TO BUSINESS STORE PORTAL
• Using AAD account
APPS ACQUIRED
• Free apps
• Purchased using a PO or invoice
DOWNLOAD APP INSTALLATION FILES
• Save locally
ADD APPS TO ENTERPRISE IMAGE
• Provisioned for all users
NOTES
• Apps available to every user when they log in
• Apps automatically updated from the Windows Store
• The Windows Store can be disabled if desired
• License tracking needs to be done by the customer
END USER
LOG INTO WINDOWS
• Using AD or AAD account
APPS INSTALL AUTOMATICALLY
• Per user installs from provisioned app

SCENARIOS ENTERPRISE APP STORE USING SYSTEM CENTER CONFIGURATION MANAGER
IT ADMINISTRATOR
SIGN IN TO BUSINESS STORE PORTAL
• Using AAD account
APPS ACQUIRED
• Free apps
• Purchased using a PO or invoice
DOWNLOAD APP INSTALLATION FILES
• Save files locally
ADD APPS TO CONFIGMGR
• Available for installation (pull), or required (push)
NOTES
• Per-user app installation
• Apps automatically updated from the Windows Store
• The Windows Store can be disabled if desired
• License tracking needs to be done by the customer
END USER
LOG INTO WINDOWS
• Using AD or AAD account
LAUNCH COMPANY PORTAL
• Shows all available apps added by IT administrator
INSTALL APPS
• Installed by ConfigMgr

SCENARIOS LICENSE MANAGEMENT
IT ADMINISTRATOR
SIGN IN TO BUSINESS STORE PORTAL
• Using AAD account
VIEW ASSIGNED LICENSES
• For any BSP app (LOB, free, paid)
REVOKE LICENSE
• Available for reuse
NOTES
• Devices periodically check to see if licenses are still valid
END USER
LOG INTO WINDOWS
• Using any account
LAUNCH APP
• Informed that license is no longer available
KEY STORE INVESTMENTS
BUSINESS STORE PORTAL
• Allows orgs to acquire apps, manage licenses, download app files
• Pay using additional methods, including purchase orders, invoices, and Enterprise Agreement (EA) and other volume license (VL) programs
ORGANIZATION STORE
• Fully curated list of apps from within the Windows Store
• Can include public apps as well as ISV and Line-of-Business apps
FULL MANAGEMENT SUPPORT
• Mobile device management (MDM) control (using services such as Intune)
• Control for agent-based management solutions (such as System Center Configuration Manager)
• Application update approval

Session Evaluation
http://aka.ms/WCP362