IT might long for the days when employees worked on one desktop computer. Too bad the ‘90s are over. Today, employees use multiple devices that should seamlessly integrate with each other and the rest of the environment. That’s easier said than done, especially for IT managers who are still imaging and deploying devices like they were five years ago. The process can be lengthy and complex, and presents challenges for organizations of all sizes. But new tools simplify the process, and one that’s getting more and more attention is Windows 10’s modern device management.
Speaker: Per Larsen (MVP)
2. Per Larsen
Solution Architect, Technical Lead Microsoft Enterprise Mobility Suite (EMS) and
Microsoft Partner Technology Solutions Professional (P-TSP)
Co-Owner of Everything Windows User Group Denmark
e: per.larsen@atea.dk | m: +45 3078 1828 | t: @PerLarsen1975
in: www.linkedin.com/in/perlarsen1975 | Blog: osddeployment.dk
14. Microsoft Azure Active Directory (AAD)
Bringing the cloud to Windows desktops
• Windows 10 is built for Microsoft Azure
• It's not a strong relationship yet, more of a fling…
• But it's worth looking at now, as it's going to be a big growth area
• Windows 10 can join Azure AD instead of an on-premises AD
If you have Office 365, you already have an Azure AD domain
16. Microsoft Azure Active Directory (AAD)
Windows 10 will be powered by Azure AD, giving you options for:
• Self-provisioning of corporate owned devices
• Use existing organizational accounts
• Single Sign-On
• Automatic MDM enrollment
• Enterprise-ready Windows Store
• Enterprise State Roaming
• Store BitLocker Keys in Azure AD
• New Azure AD portal
22. Windows Defender Advanced Threat Protection
• Built into Windows, cloud powered
• No additional deployment & infrastructure. Continuously up to date; lower costs.
• Behavioral-based, post-breach detection
• Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data.
• Rich timeline for investigation
• Easily understand the scope of a breach. Data pivoting across endpoints. Deep file and URL analysis.
• Unique threat intelligence knowledge base
• Unparalleled threat optics provide detailed actor profiles. First- and third-party threat intelligence data.
23. Let’s have a closer look
Windows Defender Advanced Threat Protection
24. Windows Store for Business
The one stop Store for Windows 10 Devices
25. Windows Store for Business
Designed for organizations, personalized for your organization:
• Find and acquire
• Manage
• Distribute
26. Windows Store for Business
• The Business Store Portal (BSP) and the Store recognize two identities for you
• Log on with Azure AD and you get the corporate options (and you don't need a credit card)… leave the organization and you lose the apps
• Log on with your MSA (as today), you pay with a credit card and any apps you buy travel with you
• Organizations can buy apps in bulk
• Organizations can pay by purchase order or credit card
You can get the Appx packages to put in your store when you purchase them through the BSP, and even preinstall Appx packages in your image
27. Let’s have a closer look
Windows Store for Business
29. How to troubleshoot from the client side
• Getting resultant settings
• MDM – Export result
• GPO – gpresult /H %TEMP%\gpo.html
• Event logging
• MDM – Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
• GPO – Microsoft-Windows-GroupPolicy/Operational
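Added example for slide 29, not part of the original deck: one PowerShell script that collects the client-side artefacts the slide lists (the gpresult HTML, the MDM diagnostic report, and the MDM and Group Policy event logs) into a single folder and prints a one-line triage per log. Assumptions: MdmDiagnosticsTool.exe is present (Windows 10 1607 and later), the 24-hour window and the output folder are arbitrary, and the script is run elevated.

```powershell
# Added example, not part of the EWUG deck: collect the client-side artefacts
# slide 29 lists (gpresult HTML, MDM diagnostic report, MDM and GPO event logs)
# into one folder for side-by-side comparison.
# Assumptions: MdmDiagnosticsTool.exe ships with Windows 10 1607 and later; the
# 24-hour window and the output folder are arbitrary choices. Run elevated.

param(
    [string]$OutDir = (Join-Path $env:TEMP ('mdm-gpo-diag-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))),
    [int]$Hours = 24
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Resultant Group Policy settings as HTML (the slide's gpresult /H).
gpresult.exe /H (Join-Path $OutDir 'gpo.html') /F

# 2. MDM diagnostic report, the same report that Settings > Accounts >
#    Access work or school > Info > "Create report" produces.
$mdmTool = Join-Path $env:SystemRoot 'System32\MdmDiagnosticsTool.exe'
if (Test-Path $mdmTool) {
    & $mdmTool -out (Join-Path $OutDir 'mdm')
} else {
    Write-Warning 'MdmDiagnosticsTool.exe not found; export the MDM report from Settings instead.'
}

# 3. The event logs named on the slide, last $Hours hours, exported as CSV.
$since = (Get-Date).AddHours(-$Hours)
$logs = [ordered]@{
    'mdm-admin'       = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    'mdm-operational' = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
    'gpo-operational' = 'Microsoft-Windows-GroupPolicy/Operational'
}
$summary = foreach ($log in $logs.GetEnumerator()) {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log.Value; StartTime = $since } -ErrorAction SilentlyContinue)
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Export-Csv -Path (Join-Path $OutDir "$($log.Key).csv") -NoTypeInformation -Encoding UTF8
    # 4. One triage line per log so the noisy one is obvious before anyone opens a CSV.
    [pscustomobject]@{
        Log      = $log.Key
        Events   = $events.Count
        Errors   = @($events | Where-Object LevelDisplayName -eq 'Error').Count
        Warnings = @($events | Where-Object LevelDisplayName -eq 'Warning').Count
        Newest   = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
}
$summary | Format-Table -AutoSize
"Diagnostics written to $OutDir"
```

Read the MDM Admin log first: enrollment and policy-apply failures land there, while the Operational log carries the per-session OMA-DM chatter. Comparing gpo.html with the MDM report is how you spot a setting that both GPO and MDM are trying to own.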
30. Settings synchronization interval
• MDM – every 3 minutes for 30 minutes after enrollment, and then every 8 hours
• Can be customized via the DMClient CSP: ./Vendor/MSFT/DMClient/Provider/<ProviderID>/Poll
• Device Management Log XML to HTML Converter (for reading the exported MDM log)
• GPO – a default of every 90 minutes with a random offset of up to 30 minutes
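Added example for slide 30, not part of the original deck: the MDM enrollment client implements the poll schedule as scheduled tasks, so the interval actually in force on a device can be read back (and a sync forced) with the ScheduledTasks module. Assumptions: the task folder \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ and the task names "Schedule #n created by enrollment client" are what 1607-era builds use; run elevated.

```powershell
# Added example, not part of the EWUG deck: show the sync schedule the MDM
# enrollment client actually created on this device and optionally force a sync.
# The client registers its polls as scheduled tasks under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ ("Schedule #1/#2/#3 created
# by enrollment client" on 1607-era builds; an assumption for other builds).
# The ISO 8601 repetition fields (PT3M for PT30M, then PT8H) are what the
# ./Vendor/MSFT/DMClient/Provider/<ProviderID>/Poll nodes end up as.

param([switch]$ForceSync)

$tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)
if ($tasks.Count -eq 0) {
    Write-Warning 'No EnterpriseMgmt tasks: the device is not MDM-enrolled, or run this elevated.'
    return
}

function ConvertFrom-Iso8601Duration([string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    [System.Xml.XmlConvert]::ToTimeSpan($Value)
}

$schedule = foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($trigger in $task.Triggers) {
        [pscustomobject]@{
            EnrollmentId = ($task.TaskPath.Trim('\') -split '\\')[-1]
            Task         = $task.TaskName
            State        = $task.State
            Every        = ConvertFrom-Iso8601Duration $trigger.Repetition.Interval   # e.g. 00:03:00 or 08:00:00
            For          = ConvertFrom-Iso8601Duration $trigger.Repetition.Duration   # e.g. 00:30:00 for the first burst
            LastRun      = $info.LastRunTime
            LastResult   = '0x{0:X8}' -f $info.LastTaskResult
            NextRun      = $info.NextRunTime
        }
    }
}
$schedule | Sort-Object Task | Format-Table -AutoSize

# Force an OMA-DM session now instead of waiting up to 8 hours (what "Sync" in
# Settings > Accounts > Access work or school does). Every schedule task runs the
# same enrollment-client action, so starting one of them is enough.
if ($ForceSync) {
    $first = $tasks | Where-Object TaskName -like 'Schedule*' | Select-Object -First 1
    if ($null -eq $first) { Write-Warning 'No schedule task to start.'; return }
    $first | Start-ScheduledTask
    Start-Sleep -Seconds 10
    $first | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult
}
```

A LastResult other than 0x00000000 on the 8-hour task, with the Admin event log from the previous slide, is the quickest way to tell "policy not applied" from "policy applied but not the value you expected".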
34. What are the options?
• Windows Update
• WSUS
• SCCM
• Intune
35. Windows Update for Business – Deployment rings
Deployment ring                  | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release
Preview                          | Windows Insider  | Pre-CB
Ring 1 Pilot IT                  | CB               | CB + 0 weeks
Ring 2 Pilot business users      | CB               | CB + 4 weeks
Ring 3 Broad IT                  | CB               | CB + 6 weeks
Ring 4 Broad business users      | CBB              | CBB + 0 weeks
Ring 5 Broad business users #2   | CBB              | CBB + 2 weeks, as required by capacity or other constraints
36. Update categories and deferral limits
Category        | Maximum deferral | Deferral increments | Example                                          | Classification GUID
Feature Updates | 180 days         | Days                | From Windows 10, version 1511 to version 1607    | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
Quality Updates | 30 days          | Days                | Security updates                                 | 0FA1201D-4330-4FA8-8AE9-B877473B6441
                |                  |                     | Drivers (optional)                               | EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
                |                  |                     | Non-security updates                             | CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
                |                  |                     | Microsoft updates (Office, Visual Studio, etc.)  | varies
Non-deferrable  | No deferral      | No deferral         | Definition updates                               | E0789628-CE08-4437-BE74-2495B842F43B
37. Windows Update for Business capabilities: Windows 10, version 1511 vs. version 1607
Select servicing options: CB or CBB
• 1511: Not available. To defer updates, all systems must be on the Current Branch for Business (CBB).
• 1607: Systems can be set on the Current Branch (CB) or the Current Branch for Business (CBB).
Quality Updates
• 1511: Able to defer receiving Quality Updates up to 4 weeks, in weekly increments.
• 1607: Able to defer receiving Quality Updates up to 30 days, in daily increments.
Feature Updates
• 1511: Able to defer receiving Feature Updates up to 8 months, in monthly increments.
• 1607: Able to defer receiving Feature Updates up to 180 days, in daily increments.
Pause updates
• 1511: Feature Updates and Quality Updates are paused together, for a maximum of 35 days.
• 1607: Feature and Quality Updates can be paused separately: Feature Updates for a maximum of 60 days, Quality Updates for a maximum of 35 days.
Drivers
• 1511: No driver-specific controls.
• 1607: Drivers can be selectively excluded from Windows Update for Business.
38. Let’s have a closer look
Windows Update for Business
EWUG 1701 - Modern Device Management – http://www.ewug.dk
About the presenter:
Please do not hesitate to ask questions during the presentation. We will have a Q&A at the end of the presentation, but I prefer an open dialog and to see where it will take us.
Find me:
E-mail: per.larsen@atea.dk
Phone: +45 3078 1828
Follow me:
Twitter: https://twitter.com/perlarsen1975/
LinkedIn: https://www.linkedin.com/in/perlarsen1975/
Join me:
Everything User Group Denmark: http://ewug.dk
#UpgradeYourWorld
It has been a journey, with lots of ups and downs, and still is!
Let me introduce you to Tom and Bob…
The Windows 10 eco-system
For a successful implementation of Windows 10, a clear Workstyle Strategy is essential.
Do you have a Work style Strategy?
Do you have a Work place Strategy?
Do you have a BYOD strategy?
Do you have a Virtual Desktop Infrastructure strategy?
Devices
Do you have a (one) Device Strategy?
Windows 10
Do you have an OS Strategy?
Cloud
Do you have a Cloud Strategy?
Microsoft Azure AD
Office 365
Windows 10, one Windows across all devices
Let’s try to contextualize the achievement of Windows 10 being a converged platform for Microsoft.
Windows has been synonymous with a PC. However, as this slide illustrates, Windows devices are no longer just the realm of PCs – from IoT to Perceptive Pixel Interfaces (PPIs).
Reduce TCO
Hybrid – Cloud only
Enterprise Mobility + Security
Windows license management
Simple Application deployment needs
Simple management needs
Not for all devices
Windows 10 is born for Modern Management
Intune settings for Surface Hub
Live Demo
Microsoft Azure Active Directory
Microsoft Azure Active Directory (AAD)
Windows 10 likes Microsoft Azure
It's not a strong relationship yet, more of a fling…
But it's worth looking at now, as it's going to be a big growth area
Windows 10 can join Azure AD instead of an on-premises AD
If you have Office 365, you already have an Azure AD domain ("Azure AD tenant" is the official phrase)… you just need to claim it.
Microsoft Azure Active Directory (AAD)
Microsoft Azure Active Directory | Bringing the cloud to enterprise devices
Windows 10 will be powered by Azure AD, giving you the options for:
Self-provisioning of corporate-owned devices. With Windows 10, employees can configure a brand new device in the out-of-box experience, without IT involvement.
Use existing organizational accounts. Employees can use their Azure AD account to log in to Windows (the same account they use to sign in to Office 365).
Automatic MDM enrollment. Windows 10 PCs and tablets can be automatically enrolled in an organization's device management solution as part of joining them to Azure AD. This works with Microsoft Intune and with 3rd-party MDMs.
Single Sign-On to company resources in the cloud. Users get single sign-on from the Windows desktop to apps and resources in the cloud, such as Office 365 and thousands of business applications that rely on Azure AD for authentication.
Single Sign-On on-premises: Windows 10 PCs and tablets that are joined to Azure AD also provide SSO to on-premises resources when connected to the corporate network, and from anywhere with the Azure AD Application Proxy.
Enterprise-ready Windows Store. The Windows Store supports app acquisition and licensing with Azure AD accounts. Organizations can volume-license apps and make them available to the users in their organization.
Support for modern form factors. Azure AD Join works on devices that don't have the traditional domain join capabilities.
Enterprise State Roaming. Things like OS settings, desktop wallpaper, tile configuration, websites and Wi-Fi passwords are synchronized across corporate-owned Azure AD joined devices.
http://blogs.technet.com/b/ad/archive/2015/05/13/azure-active-directory-and-windows-10-making-the-enterprise-cloud-a-reality.aspx
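Added example for slides 14 and 16 and these notes, not part of the original deck: a PowerShell check of the Azure AD join and automatic-MDM state a device ends up in, followed by escrowing the BitLocker recovery key to Azure AD (the "Store BitLocker Keys in Azure AD" bullet). Assumptions: dsregcmd /status is available (Windows 10 1607 and later) and the field names parsed (AzureAdJoined, DomainJoined, TpmProtected, MdmUrl) match 1607-era output; the script is run elevated on an Azure AD joined device.

```powershell
# Added example, not part of the EWUG deck: check the Azure AD join and MDM state
# that slides 14/16 rely on, then escrow the BitLocker recovery key to Azure AD
# ("Store BitLocker Keys in Azure AD"). dsregcmd /status exists from Windows 10
# 1607; the field names parsed below (AzureAdJoined, DomainJoined, TpmProtected,
# MdmUrl) are those of 1607-era output and are an assumption for other builds.
# Run elevated; BackupToAAD requires the device to be Azure AD joined.

function Get-DsRegStatus {
    $status = @{}
    foreach ($line in (& "$env:SystemRoot\System32\dsregcmd.exe" /status)) {
        # Lines look like "           AzureAdJoined : YES"
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*?)\s*$') {
            $status[$Matches['k']] = $Matches['v']
        }
    }
    $status
}

$s = Get-DsRegStatus
$checks = [ordered]@{
    'Azure AD joined'                       = $s['AzureAdJoined'] -eq 'YES'
    'Device key protected by TPM'           = $s['TpmProtected']  -eq 'YES'
    'MDM enrollment URL present (auto-MDM)' = -not [string]::IsNullOrEmpty($s['MdmUrl'])
}
foreach ($c in $checks.GetEnumerator()) {
    $verdict = if ($c.Value) { 'PASS' } else { 'FAIL' }
    '{0}  {1}' -f $verdict, $c.Key
}
"INFO  DomainJoined = $($s['DomainJoined'])  (YES together with AzureAdJoined means hybrid join, not a pure Azure AD join)"
"INFO  MdmUrl       = $($s['MdmUrl'])"

if (-not $checks['Azure AD joined']) {
    Write-Warning 'Not Azure AD joined; skipping BitLocker key escrow.'
    return
}

# Escrow every recovery password on the OS volume to Azure AD. A TPM-only volume has
# no recovery password protector yet, so add one first; otherwise there is nothing to escrow.
$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$mount is not BitLocker-protected; nothing to escrow."
    return
}
$rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rps.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($rp in $rps) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId
    "Escrowed recovery password protector $($rp.KeyProtectorId) for $mount to Azure AD"
}
```

The TPM check matters for the identity story: the device key Azure AD trusts should live in the TPM rather than in software, otherwise the "device" in a device-based access decision is just a file that can be copied. The escrow step is what makes a recovery key recoverable from the Azure AD device object by the helpdesk instead of from a sticky note.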
About AzureAD| What's new
Microsoft Upgrade Analytics
The Windows Upgrade Analytics Service uses telemetry data to provide powerful upgrade readiness insights and recommendations about the computers, applications and drivers in your organization. This new service guides you through upgrade projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
http://oms.Microsoft.com
Windows Defender Advanced Threat Protection is a new service that helps our enterprise customers to detect, investigate, and respond to advanced and targeted attacks on their networks.
Windows 10 is the most secure enterprise platform today, but cyberattacks are getting more sophisticated as they are using social engineering, zero-day vulnerabilities, or even misconfiguration to break into corporate networks. Thousands of such attacks were reported in 2015 alone.
Building on the existing pre-breach security defenses built into Windows 10, we have released a new service, Windows Defender Advanced Threat Protection (ATP), which provides a post-breach layer of protection.
Microsoft Windows Store for Business
The one stop Store for Windows 10 Devices
Designed for organizations
The Windows Store for Business is the place where IT decision makers and administrators find, acquire, manage, and distribute apps to Windows 10 devices.
Find and acquire
Quickly and easily find the right apps for your teams. Acquire apps individually or in volume.
Manage
Manage your organization’s inventory of apps in one place. You can assign, reclaim, or reassign licenses as well as control updates.
Distribute
Choose from scalable distribution options.
Using accounts assigned by your organization, directly provide apps to individuals and groups, or let employees find apps in your private store.
Connect your management server for more options.
Managing computers not connected to the internet? Distribute offline-licensed apps.
Windows Store for Business
Inject them into images as we've done with desktop apps
Familiar tools: dism.exe, PowerShell (new noun: AppxVolume); MDT 2013 Update 2, System Center Configuration Manager via updates, and then whatever ships with Windows Server 2016
They can be sysprep'ped
When the user first starts up, the app looks for a license and potentially checks whether that user is approved for the app
All centrally controlled
"Deep links" are still available as a deployment method as well
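Added example for these notes, not part of the original deck: provisioning an offline-licensed Store for Business app into a mounted Windows 10 image with the DISM PowerShell cmdlets, with a package-signature check added as a gate before the image is touched (that check is this example's addition, not something the notes call for). All paths and the package and license file names are placeholders (assumptions); the license XML is the offline license the Business Store Portal lets you download. Run elevated.

```powershell
# Added example, not part of the EWUG deck: inject an offline-licensed Store for
# Business app into a mounted Windows 10 image with the DISM PowerShell cmdlets
# the notes mention, verifying the package signature first. All paths and the
# package/license file names are placeholders (assumptions); the offline license
# XML is what the Business Store Portal provides for an offline-licensed app.
# Run elevated.

param(
    [string]  $ImagePath    = 'D:\Images\install.wim',                                  # placeholder
    [int]     $Index        = 1,
    [string]  $MountDir     = 'C:\Mount',                                               # placeholder
    [string]  $PackagePath  = 'D:\Apps\Contoso.LineOfBusiness_1.0.0.0_x64.appxbundle',  # placeholder
    [string]  $LicensePath  = 'D:\Apps\Contoso.LineOfBusiness_License1.xml',            # placeholder
    [string[]]$Dependencies = @()                                                       # e.g. the VCLibs .appx shipped alongside
)

# 1. Trust gate: only provision a package whose Authenticode signature chains to a
#    trusted root. Get-AuthenticodeSignature understands .appx/.appxbundle on Windows 10.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to provision $PackagePath : signature status is $($sig.Status)"
}
"Package signer: $($sig.SignerCertificate.Subject)"

# 2. Mount the image for offline servicing.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null

try {
    # 3. Provision: the app is staged once in the image and installed for each new
    #    user at first sign-in, which is where the license check from the notes happens.
    #    dism.exe equivalent: dism /Image:<MountDir> /Add-ProvisionedAppxPackage
    #                          /PackagePath:<bundle> /LicensePath:<license.xml>
    $params = @{ Path = $MountDir; PackagePath = $PackagePath; LicensePath = $LicensePath }
    if ($Dependencies.Count -gt 0) { $params.DependencyPackagePath = $Dependencies }
    Add-AppxProvisionedPackage @params | Out-Null

    # 4. Verify what the image will hand to new profiles.
    Get-AppxProvisionedPackage -Path $MountDir |
        Where-Object DisplayName -like 'Contoso.*' |            # placeholder publisher prefix
        Select-Object DisplayName, Version, Architecture, PackageName |
        Format-Table -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    "Committed $PackagePath into $ImagePath (index $Index)"
}
catch {
    # Never leave a half-serviced image mounted: discard and rethrow.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

Provisioned packages are a supply-chain input to every device built from the image, so the signature gate is worth keeping even when the bundle came straight from the BSP download; a dependency .appx that fails the same check should stop the build too.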
Let’s have a closer look: Microsoft Windows Store for Business
https://businessstore.microsoft.com/
https://www.microsoft.com/business-store/
https://www.microsoft.com/en-us/business-store/
Here we see:
…the initial release of Windows 10,
…the November Update
…the coming 2016 release this summer, formally known as the Anniversary Update.
…and a hypothetical example of how the first 2017 release might look.
Remember that we now support two production releases in market at a time. This means that if you have deployed the November Update, you have until late 2017 to move to the 2016 Summer release.
Some customers have told us that they have concerns about the cadence of releases, because they are worried new releases will arrive before they are able to deploy the last release, they would fall behind.
Now that each release has a longer lifespan, you have more time to deploy, and more time to optimize your processes and infrastructure for this new model.
We recommend you continue pilots and deployments of the November 2015 update, to establish a base for getting the newest features from Windows more quickly.
So far, the response to these changes has been largely positive, but our priority here today is to hear your thoughts.
[This is meant to tee up a discussion on WaaS and uncover deployment concerns, or blockers, that might exist.]
For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to 1 (Basic) or higher. If it is set to 0 (Security), Windows Update for Business policies will have no effect. For instructions, see Configure the operating system telemetry level.
Feature Updates: previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
Quality Updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.
Non-deferrable updates: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
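Added example for slides 35 to 37 and these notes, not part of the original deck: a PowerShell script that puts a device into one of the slide 35 deployment rings by writing the Windows Update for Business policy values (the registry values behind the Update CSP and the "Defer Windows Updates" Group Policy settings), after checking the telemetry-level precondition described above. The feature-update deferrals follow the slide (CB + 0/4/6 weeks, CBB + 0/2 weeks); the per-ring quality-update deferrals are this example's own choice, not the deck's. Limits enforced are the Windows 10 1607 ones. Run elevated with -Apply; without it the script only reports.

```powershell
# Added example, not part of the EWUG deck: put a device into one of the slide 35
# deployment rings by writing the Windows Update for Business policy values (the
# registry values behind the Update CSP / "Defer Windows Updates" Group Policy), after
# checking the telemetry-level precondition from the notes. Feature-update deferrals
# follow the slide (CB + 0/4/6 weeks, CBB + 0/2 weeks); the quality-update deferral per
# ring is this example's choice, not the deck's. Limits are the Windows 10 1607 ones
# (feature 0-180 days, quality 0-30 days). Run elevated with -Apply.

param(
    [ValidateSet('Ring1', 'Ring2', 'Ring3', 'Ring4', 'Ring5')]
    [string]$Ring = 'Ring2',
    [switch]$ExcludeDrivers,   # 1607: keep drivers out of Windows Update for Business
    [switch]$Apply             # without -Apply, only report current vs. target
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# BranchReadinessLevel: 16 = Current Branch (CB), 32 = Current Branch for Business (CBB).
$rings = @{
    Ring1 = @{ Name = 'Pilot IT';                Branch = 16; FeatureDays = 0;  QualityDays = 0  }
    Ring2 = @{ Name = 'Pilot business users';    Branch = 16; FeatureDays = 28; QualityDays = 3  }
    Ring3 = @{ Name = 'Broad IT';                Branch = 16; FeatureDays = 42; QualityDays = 7  }
    Ring4 = @{ Name = 'Broad business users';    Branch = 32; FeatureDays = 0;  QualityDays = 7  }
    Ring5 = @{ Name = 'Broad business users #2'; Branch = 32; FeatureDays = 14; QualityDays = 14 }
}
$r = $rings[$Ring]
if ($r.FeatureDays -gt 180 -or $r.QualityDays -gt 30) { throw "$Ring exceeds the 1607 deferral limits" }

# Precondition: at AllowTelemetry = 0 (Security) the client ignores WUfB deferral policy.
$telemetry = (Get-ItemProperty -Path $dcPolicy -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
if ($null -ne $telemetry -and $telemetry -lt 1) {
    Write-Warning 'AllowTelemetry policy is 0 (Security): Windows Update for Business settings will have no effect. Set it to 1 (Basic) or higher.'
}

$target = [ordered]@{
    BranchReadinessLevel            = $r.Branch
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = $r.FeatureDays
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = $r.QualityDays
    PauseFeatureUpdates             = 0
    PauseQualityUpdates             = 0
    ExcludeWUDriversInQualityUpdate = [int][bool]$ExcludeDrivers
}

"Ring $Ring ($($r.Name)) on $env:COMPUTERNAME"
foreach ($kv in $target.GetEnumerator()) {
    $current = (Get-ItemProperty -Path $wuPolicy -Name $kv.Key -ErrorAction SilentlyContinue).($kv.Key)
    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    '{0,-32} current={1,-8} target={2}' -f $kv.Key, $shown, $kv.Value
    if ($Apply) {
        if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
        Set-ItemProperty -Path $wuPolicy -Name $kv.Key -Value $kv.Value -Type DWord
    }
}
if (-not $Apply) { 'Dry run only; re-run with -Apply (elevated) to write the policy.' }
```

The dry-run output is also a cheap compliance check: a device that reports <unset> for BranchReadinessLevel, or a PauseFeatureUpdates of 1 that nobody remembers setting, is outside its ring regardless of what the MDM console says. Definition updates are not touched because, as the notes say, they cannot be deferred.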