Windows Store Windows Server Update Services (WSUS)

Windows 10 Management Technologies: What’s New

Michael Niehaus Senior Product Marketing Manager, Windows Microsoft

Business needs are evolving. Windows 10 offers to meet those needs. MANAGEMENT CHOICES

BASIC LIGHTWEIGHT FULL CONTROL

Active Directory Active Directory and/or

Azure Active Directory Exchange ActiveSync Group Policy

Mobile Device System Center Management

• BYOD (personal) devices • Company-owned and • Company-owned • E-mail access only BYOD devices devices • Internet-facing or • Corporate network corporate network WINDOWS MANAGEMENT FEATURES

PRODUCTS System Center Configuration Manager Microsoft Desktop Optimization Pack (MDOP) CLOUD SERVICES

Azure Active Directory WINDOWS SERVER Azure RMS Microsoft Intune Active Directory Group Policy Windows Store Windows Server Update Services (WSUS)

WINDOWS CLIENT Windows Management Instrumentation (WMI) Mobile Device Management (MDM) Agent Windows Remote Management (WinRM) PowerShell Windows Update AppLocker Group Policy Client WINDOWS MANAGEMENT CHOICES

AVAILABLE CHOICES

IDENTITY Active Directory; Azure Active Directory DEVICE Group Policy, ConfigMgr, 3rd party PC management; Intune, 3rd party MDM MANAGEMENT

WINDOWS STORE Unrestricted; Curated Organization Store; Managed (MDM, ConfigMgr, etc.)

INFRASTRUCTURE On-premises or in the cloud

OWNERSHIP Corporate-owned, CYOD; BYOD

Organizations may mix and match, depending on their specific scenario IDENTITY CHOICES Active Directory provides key business identity and security capabilities Azure Active Directory takes this to the cloud Both work together Windows 10 fully leverages both WINDOWS 10 IDENTITY CHOICES

ORGANIZATION OWNED PERSONALLY OWNED (BYOD)

• Computer joins AD to • Computer joins AAD to • Computer registers with AD or AAD via Device establish trust establish trust Registration to establish trust for remote • User signs on using AD • User signs on using resource access account AAD account • User signs in with a Microsoft account, • Group Policy + System • Intune/MDM associates an AAD account Center • Settings roaming • Intune/MDM AZURE ACTIVE DIRECTORY

Windows Store

Create an Azure Active Directory Enable single sign-on with cloud- tenant for your business based services, including the Windows Store Set up synchronization between Active Directory and Azure Active Enable roaming of app settings and Directory (with ADFS or Password data between devices Sync, limited account details)

Demo

Azure Active Directory walkthrough MANAGEMENT CHOICES

Works with existing infrastructure Advanced and simple MDM support Consistent across PC/mobile Intune and 3rd party solutions WINDOWS 10 WORKS WITH EXISTING INFRASTRUCTURE

SUPPORTS WINDOWS 10 SUPPORTS WINDOWS 10 PRODUCT MANAGEMENT DEPLOYMENT

System Center 2012 R2 Configuration Manager

System Center 2012 Configuration Manager

System Center Configuration Manager 2007

Windows Server 2012 R2 Windows Server 2012 Windows Server 2008

Microsoft Deployment Toolkit 2013

Updates will be required. New OS features may require newer versions for full support. MOBILE DEVICE MANAGEMENT

Significant investments in added functionality for both mobile and desktop devices

Fully managed corporate device

Device Lockdown

BYOD: simple security settings Phone Desktop Phone Desktop

Windows 8.1 Windows 10 MDM IN WINDOWS 10

• Un-enrollment in two • Provisioning phases & alerts • Bulk enrollment • Removal of Enterprise • Simple bootstrap configuration (apps, certs, • Converged protocol profiles, policies) and • Azure AD Integration Enterprise encrypted data (with EDP)

• Full device wipe • Additional device inventory • Remote Lock, PIN reset, Ring, Find • Enhanced inventory for compliance decisions

• Greatly extended set of policies (Parity with Windows Phone 8.1) • Curated Windows Store • Context based policies • Business Store Portal app • Client certificates – Direct install deployment; License reclaim/re- (PFX) use • Enterprise Wi-Fi • Enterprise App management • VPN management • Simplified LOB app management • Email provisioning • Win32 app management • MDM Push when user not • App inventory (MDM/store apps) logged in • App allow/deny lists through • Device Update control Applocker • Kiosk Mode, Start screen / Start • Enterprise data protection menu configuration and control Demo

MDM Enrollment MDM ARCHITECTURE

PowerShell ConfigMgr Scripts Desired Config Converged MDM client across PC and mobile

MDM Client WMIWMI bridgeBridge EAS Client Backward compatibility with existing MDM servers

Configuration Manager component New capabilities exposed using Configuration Service CSP CSP CSP CSP CSP CSP / WMI Provider (CSP) model Wrapper WMI Bridge gives access to new CSPs

Common component Desktop component Demo

WMI Bridge DEVICE MANAGEMENT VISION A “single pane of glass” for managing all of your devices

Single admin console

GROUP POLICY

NEW IN WINDOWS 10 NEW FROM WINDOWS 7

New policies to support Windows 10 Capabilities from Windows 8.1: features: • Policy caching • Start screen and start menu management • IPv6 support for printers, VPN, targeting • “Project Spartan” settings • Next-Generation Credential PIN settings Capabilities from Windows 8: • Universal app management • Sign-in optimization for DirectAccess clients • Better use of larger registry policies (registry.pol) • Remote group policy refresh (GPUpdate) • More efficient background processing MICROSOFT DESKTOP OPTIMIZATION PACK (MDOP)

Full support for Windows 10 at general availability, with updates for:

• App-V • UE-V • MBAM • DaRT • AGPM AN APP STORE THAT’S OPEN FOR BUSINESS

Volume purchasing Flexible distribution License reclaim/re-use Your company store TODAY

WINDOWS STORE “ENTERPRISE APP STORE”

• Modern apps • MDM-driven • Sign in with MSA • Sideload line-of-business modern apps • Pay with credit card, gift card, PayPal, Alipay, • Link to apps in the Windows Store INICIS, mobile operators (Phone) ONE WINDOWS STORE Convergence

WINDOWS 8.1

WINDOWS 10 WINDOWS PHONE 8.1

XBOX

• Converged developer portal for Windows • Fully converged experience and Windows Phone • Best features from each • Separate user and developer capabilities • New capabilities ONE BIG STORE WITH EVERYTHING

WITH WINDOWS 10, WE PROVIDE A SINGLE STORE TO SELL APPS AND OTHER DIGITAL GOODS, SUPPORTING MORE PAYMENT INSTRUMENTS THAN ANY OTHER APP STORE. COMMON, SAFE AND CONVENIENT WAYS TO PAY

CURATED ‘ORGANIZATION STORE’

TAILORED APP RECOMMENDATIONS

SUPPORT FOR DIGITAL GOODS (Apps, Games, Music, Movies, etc.) TOMORROW

WINDOWS STORE WINDOWS STORE + BSP “ENTERPRISE APP STORE”

• Modern apps • Modern apps • Sideload line-of-business modern apps • Sign in with MSA • Organization Store for the org’s preferred • Deploy apps from the Windows Store • Pay with credit card, gift card, PayPal, or LOB apps (even when the Store UI is disabled) Alipay, INICIS, mobile operators (Phone) • Sign in with MSA to acquire public apps; through BSP integration using MDM sign in with AAD to acquire org apps • Pay with credit card or PO/invoice • B2B purchasing and distribution • Deploy modern apps offline, in images, and more • Modern app license management SCENARIOS FOR ANY NEED

FLEXIBLE APP SUPPORT FOR ANY SIMPLIFY VIA DEPLOYMENT ORGANIZATION CONVERGENCE Online, offline, or included Teacher and classroom One store, one volume in images purchase program Small businesses and other Through the store, via MDM, organizations Universal apps across or using System Center all device types Large enterprises LOB and B2B apps can Simplified sideloading processes be kept private WORKING WITH STORE APPS BSP SCENARIOS

ONLINE OFFLINE

• Requires the use of Azure AD accounts • No dependency on Azure AD (or any other • Installation files managed and deployed by the identities) Windows Store • Installation files are downloaded and deployed • Licenses tracked by the Windows Store using org’s infrastructure • Updates installed via Windows Update / WSUS • No license tracking • Updates installed via Windows Update / WSUS SCENARIOS ORGANIZATION STORE (HOSTED)

IT ADMINISTRATOR NOTES SIGN IN TO BUSINESS APPS ACQUIRED ORGANIZATION STORE • Cloud-based STORE PORTAL • Free apps CREATED • No on-prem infrastructure • Using AAD account • Purchased using • Desired apps added requirements a PO or invoice • No MDM service required • Apps automatically updated from the Windows Store • Can include LOB apps END USER

LOG INTO WINDOWS ACCESS WINDOWS INSTALL APPS • Using AD or AAD account STORE • Selected from the • Sees Organization Store Private Store using AAD, and public categories or public categories using MSA

SCENARIOS MOBILE DEVICE MANAGEMENT

IT ADMINISTRATOR NOTES SIGN IN TO BUSINESS APPS ACQUIRED APPS ADDED TO MDM • Cloud-based or on-prem STORE PORTAL • Free apps SERVICE (depending on the MDM • Using AAD account • Purchased using • Link to the app service used) a PO or invoice in the BSP • Apps automatically updated from the Windows Store • The Windows Store can be disabled if desired END USER

LOG INTO WINDOWS LAUNCH ENTERPRISE INSTALL APPS • Using AD or AAD account APP STORE (MDM) • Selected from the MDM- • Sees available app provided list • Installed by the Windows Store, as directed by the MDM service SCENARIOS IMAGING

IT ADMINISTRATOR NOTES SIGN IN TO APPS DOWNLOAD ADD APPS TO • Apps available to every user BUSINESS STORE ACQUIRED APP ENTERPRISE when they log in PORTAL • Free apps INSTALLATION IMAGE FILES • Apps automatically updated • Using AAD account • Purchased using • Provisioned from the Windows Store a PO or invoice for all users • Save locally • The Windows Store can be disabled if desired • License tracking needs to be END USER done by the customer

LOG INTO WINDOWS APPS INSTALL • Using AD or AAD account AUTOMATICALLY • Per user installs from provisioned app SCENARIOS ENTERPRISE APP STORE USING SYSTEM CENTER CONFIGURATION MANAGER

IT ADMINISTRATOR NOTES SIGN IN TO APPS DOWNLOAD ADD APPS TO • Per-user app installation BUSINESS STORE ACQUIRED APP CONFIGMGR PORTAL INSTALLATION • Apps automatically updated • Free apps • Available for from the Windows Store • Using AAD account • Purchased using FILES installation • The Windows Store can be a PO or invoice • Save files locally (pull), or required (push) disabled if desired • License tracking needs to be done by the customer END USER

LOG INTO WINDOWS LAUNCH COMPANY INSTALL APPS • Using AD or AAD account PORTAL • Installed by ConfigMgr • Shows all available apps added by IT administrator SCENARIOS LICENSE MANAGEMENT

IT ADMINISTRATOR NOTES SIGN IN TO BUSINESS VIEW ASSIGNED REVOKE LICENSE • Devices periodically check to STORE PORTAL LICENSES • Available for reuse see if licenses are still valid • Using AAD account • For any BSP app (LOB, free, paid)

END USER

LOG INTO WINDOWS LAUNCH APP • Using any account • Informed that license is no longer available

KEY STORE INVESTMENTS

BUSINESS STORE PORTAL • Allows orgs to acquire apps, manage licenses, download app files • Pay using additional methods, including purchase orders, invoices, and Enterprise Agreement (EA) and other volume license (VL) programs ORGANIZATION STORE • Fully curated list of apps from within the Windows Store • Can include public apps as well as ISV and Line-of-Business apps FULL MANAGEMENT SUPPORT • Mobile device management (MDM) control (using services such as Intune) • Control for agent-based management solutions (such as System Center Configuration Manager) • Application update approval Session Evaluation

http://aka.ms/WCP362