Learn how to choose the best deployment method for Windows 10, keep it up to date, manage security features, and enhance productivity.
Accelerate deployment of Windows 10 at scale
Session objectives and takeaways
Understand how to:
• Choose the best deployment method for your organization to get to Windows 10
• Keep Windows 10 up to date
• Manage Windows 10 security features and enhance productivity
What's driving change? Users Data Devices Apps IT Employees Business partners Customers
Windows 10 Investments for business Protection against modern security threats Managed for continuous innovation Enhanced productivity Innovative devices for your business MDM • Windows as a Service • New deployment options
Enterprise Mobility Suite (EMS) Unify identity Manage apps and devices Protect data Microsoft Enterprise Mobility Suite (EMS) Azure Rights Management Microsoft Intune & System Center Configuration Manager Azure Active Directory Premium Manage and protect corporate apps and data on almost any device with MDM and MAM. Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources. Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.
Enhancing Windows 10 experiences with EMS • Simplify deployment • Azure AD Join with Intune auto enrollment • Provisioning packages and profiles for bulk enrollment • In-place upgrade to Windows 10 with ConfigMgr • Configure Windows 10 • Expanded MDM settings • Per-app VPN • Microsoft Passport policies and certificates • Windows Universal and Win32 apps • Support volume purchase of apps User IT Manage and protect • Corporate data leakage prevention through enterprise data protection (EDP) policies • RMS integration for securing shared documents/files • Device Guard and AppLocker policies • Advanced conditional access policies • Integration with Windows Health Attestation Service (HAS) • Unify device management • Intune integration with ConfigMgr to manage all devices in the environment • New in ConfigMgr: • Faster and easier ConfigMgr updates • Windows 10 servicing • On-premises MDM
Flexible deployment and management options Intune standalone (cloud only) ConfigMgr integrated with Intune (hybrid) ConfigMgr console Intune web console System Center Configuration Manager MDM MDM MDM or agent Agent IoT/Kiosk devices Domain-joined PCs Mobile devices Mobile devices and PCs
What we hear from you… How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?
How should I deploy and manage Windows 10? Deployment and mgmt. strategy On-ramp to the cloud over time Existing Windows 7, 8, 8.1 Win32 Apps ConfigMgr agent Upgrade to Windows 10 with ConfigMgr Preserve apps and configuration Maintain management processes and principles of today New Windows 10 device Enroll into Intune (Azure AD Join/provision) Manage via MDM Universal apps (Store/LOB) Basic MSI support
Getting to Windows 10 Existing devices Refresh • Use if significant changes are needed, such as OS architecture change x86 versus x64 • Traditional process • Capture data and settings • Deploy (custom) OS image • Inject drivers • Install apps • Restore data and settings ConfigMgr/MDT Traditional ConfigMgr/MDT Improved Modern ConfigMgr/WICD/Intune/Azure AD Existing devices Upgrade Let Windows and ConfigMgr do the work Preserve all data, settings, apps, and drivers Install (standard) OS image Restore everything Recommended for existing devices (Windows 7/8/8.1) New devices IT Pro Provisioning Windows Image and Configuration Designer (WICD) • Transform into an enterprise device Provisioning profile with ConfigMgr User Provisioning Azure AD Join with Intune auto enrollment
In-place upgrade with ConfigMgr Preserve applications, drivers, user data, and settings Compared to refresh, in-place upgrade is… Zero dependencies on Windows ADK; supplemental to existing deployment scenarios Faster: 30 to 60 minutes, on average, to upgrade Smaller: file size is default OS Media, no applications More robust rollback capabilities on failure to functional down-level OS Another tool in the OS deployment toolbox Refresh, replace, and bare metal Reduce upfront testing and deployment preparation
Upgrade versus refresh
Continue to use refresh (wipe-and-load) when…
• Custom requirements: WinPE offline operation, Custom base image, Third-party disk encryption
• Configuration drift/change: Domain membership, Local administrators, Bulk application swap
• Fundamental change: Disk partitioning, BIOS -> UEFI, x86 -> x64, Base OS language
System Center Configuration Manager @ Microsoft IT Infrastructure • 6 Primary Sites • 13 Secondary Sites • 300 Distribution Points PCs and Devices • ~350,000 clients • ~125k mobile devices (EAS) Users • ~98k FTEs • ~82k Vendors Active Directory Federation Server Azure Active Directory MS Online Directory Sync User Discovery Intune subscription Connector site role Microsoft Intune Device Mgmt. Site ~15K devices Redmond Site 1 75k Clients Redmond Site 2 90k Clients North & South America 50k Clients Europe, MidEast, Africa 50k Clients Australia & Asia 75k Clients
Windows deployment of the future Custom Solution MDT & IT Easy Upgrade Experiment Update Upgrade 80% FTE 1 Year 95% FTE 8 Months 95% FTE 3 Months 95% FTE 5 Weeks 95% FTE 5 Weeks 2009 2012 2013 2014 2015
Modern Deployment Options
User-driven, from the cloud
• Company-owned devices: Azure AD join, either during OOBE or after from settings
• BYOD devices: “Add a work account” for device registration
• Automatic MDM enrollment as part of both
• MDM policies pushed down:
  • Change the Windows SKU
  • Apply settings
  • Install apps
IT-driven, using new tools
• Create provisioning package using Windows Imaging and Configuration Designer with needed settings:
  • Change Windows SKU
  • Apply settings
  • Install apps and updates
• Provisioning profile with Intune and ConfigMgr:
  • Enroll a device for ongoing management (just enough to bootstrap)
• Deploy manually, add to images
Provisioning package and profile Windows Imaging and Configuration Designer Initial setup Edition upgrade Certificates Connectivity profiles Management enrollment Modern applications Win32 applications Enterprise policies Offline content Browser settings Start menu customization Assigned access • Apply during: • At OOBE (out-of-box experience) • During runtime (.PPKG file) • Embedded in the image (ConfigMgr OSD, MDT, and WDS) • Provisioning profile with Intune and ConfigMgr: • A lifeline profile – Wi-Fi, enrollment
Demo: Provisioning – Windows Image Configuration Designer and ConfigMgr profiles
Azure AD Join for Windows 10 Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. With Azure AD Join, you can auto enroll devices in Microsoft Intune for management. Azure Active Directory Microsoft Intune 3rd party apps & clouds Apps in Azure Intune/MDM auto-enrollment Intune auto-enrollment On-premises apps Enterprise-compliant services Windows 10 Azure AD Joined Devices Single sign-on from the desktop to cloud and on-premises applications with no VPN Support for hybrid environments
What we hear from you… How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?
Windows as a Service Consumer devices Keeping hundreds of millions of consumers up to date Large and diverse user base helps drive quality of the OS updates BYOD devices are up to date and secure Business users Update their devices after features are validated in the market Special systems Examples: air traffic control, emergency rooms No new functionality on Long Term Servicing Branch Regular security updates
Windows as a Service – rings Microsoft Insider Preview Branch Current Branch Current Branch for business Engineering builds Broad Microsoft internal validation Users Tens of thousands Customer internal ring I Customer internal ring II Customer internal ring III Several Million Customer internal ring IV Hundreds of millions *Conceptual illustration only
Thinking through deployment strategy Current Branch Windows Insider Preview Branch Current Branch for Business Long Term Servicing Branch Deploy to appropriate audiences Test and prepare for broad deployment Specific feature and performance feedback Application compatibility validation Information workers, general population Specialized systems Deploy for mission critical systems Early adopters, initial pilots, IT devices Stage broad deployment Test machines, small pilots NUMBER OF DEVICES STAGE Release
The new System Center Configuration Manager • Simplify the upgrade experience: in-place upgrade from Configuration Manager 2012 and R2 to latest product version • Support faster paced updates for Windows 10 and Intune: new updates and servicing nodes deliver periodic updates for new features, bug fixes, and extensions for hybrid deployments using Intune • Intune updates monthly—keep ConfigMgr on pace • Listen and respond quickly to customer feedback: foundational improvements made in latest version of the product allow us to respond to customer feedback more quickly
Telemetry/Usage Direct customer engagements Partners Customer feedback MSIT Indiana University UserVoice Boeing British Telecom SCCM vNext MVP Hackathon Daimler USAF S&N Tech previews Develop Develop Develop Test Test Test Esc Esc Esc Flight to MSIT/TAP Flight to MSIT/TAP RTM Flight to MSIT/TAP RTM RTM
Windows 10 management with upcoming releases of Configuration Manager System Center Configuration Manager Current Branch (version yymm) Current Branch (version yymm) Current Branch (version 1511) Long Term Servicing Branch System Center 2016 Configuration Manager FALL WINTER SUMMER
Windows 10 management with older versions of Configuration Manager * Customers using Windows 10 Current Branch (CB) or Current Branch for Business (CBB) with Configuration Manager 2012 R2 SP1 or Configuration Manager 2012 SP2 will need to migrate to the Current Branch of System Center Configuration Manager after this time for continued support.
Demo: Updates and servicing node; Servicing dashboard; Configuring update rings in admin console
What we hear from you… How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?
Conditional access control with EMS User attributes User identity Group memberships Auth strength (MFA) Conditional access control with EMS Devices Managed by Intune or ConfigMgr • Compliant with Intune or ConfigMgr policies Domain joined Application Business sensitivity Azure AD Other Network location On-premises applications
“Enterprise data protection” for Windows 10 Configure and manage EDP policies with Intune and Azure Rights Management Microsoft Intune & Azure Rights Management Separate personal and corporate data with limited impact on employees’ day-to-day activities User Apply policies Control app access to corporate data and prevent copy- and paste-related data leaks Save File share Protect Data at Rest wherever it may roam* Personal storage Secure content collaboration through integration with Azure Rights Management Save Share files and enforce policies Corporate network * Some roaming scenarios use Azure Rights Management
Enhanced end-user experiences • Unified end-user portal • Consistent look and feel as the company portal • One-stop shop for all apps • Convergence of software center and app catalog • Device compliance • Microsoft Passport • Ability to deploy certificates and Passport policies for simplified authentication • Offline Universal Windows apps • Deploy Universal Windows apps that are built internally (line-of-business apps) • Deploy offline apps and licenses from the Windows Business Store
Demo: Enterprise data protection; Windows Store for Business and end-user portal
How should I deploy and manage Windows 10? Deployment and mgmt. strategy On-ramp to the cloud over time Existing Windows 7, 8, 8.1 Win32 Apps ConfigMgr agent Upgrade to Windows 10 with ConfigMgr Preserve apps and configuration Maintain management processes and principles of today New Windows 10 device Enroll into Intune (Azure AD Join/provision) Manage via MDM Universal apps (Store/LOB) Basic MSI support
Session objectives and takeaways
Understand how to:
• Choose the best deployment method for your organization to get to Windows 10
• Keep Windows 10 up to date
• Manage Windows 10 security features and enhance productivity
Next steps To explore Try Enterprise Mobility now http://www.microsoft.com/ems TechNet @ http://technet.microsoft.com/ MSDN @ http://www.msdn.com/ To do Rate the session Q&A