windows 10: all you need to know!

WINDOWS 10 FOR THE ENTERPRISE Nico Sienaert

Upload: microsoft-technet-belgium-and-luxembourg

Post on 16-Jul-2015

TRANSCRIPT

  • WINDOWS 10 FOR THE ENTERPRISE

    Nico Sienaert

  • KEY TAKEAWAYS

    Windows 10 Management

    Windows 10 Deployment

    Tips & Tricks

  • About Myself

    Nico Sienaert

    Innovation Manager @ Getronics

    v-Technology Solutions Professional @ Microsoft

    Microsoft MVP Enterprise Client Management

    http://scug.be/blogs/nico

    @nsienaert

  • ONE WINDOWS

    Phone

    Small Tablet

    2-in-1s (Tablet or Laptop)

    Desktops & All-in-Ones

    Phablet

    Large Tablet

    Classic Laptop

  • BEST OF ALL WORLDS

    Windows 10

    Converged OS kernel

    Converged app model

  • GUI IMPROVEMENTS

    The Start Button
    Continuum
    Snap Assistant
    Task View
    Modern Apps in Desktop view
    Notification Center
    Apps: Cortana, new Photo app, better Calendar for Phone, Project Spartan
    Ctrl+C / Ctrl+V in a Command Prompt

  • DEMO

    QUICK LOOK AND FEEL

  • APP & DEVICE COMPAT

  • INTERNET EXPLORER

    A REQUIRED STEPPING STONE TO WINDOWS 10

    Migrate to Internet Explorer 11 on Windows 7 (before JAN 2016)

    Enterprise Mode, offering improved Internet Explorer 8 compatibility and document type overrides

    Enterprise Site Discovery Toolkit, to better understand how users are browsing

  • DEPLOYMENT CHOICES

    Wipe-and-Load
      Traditional process
      Capture data and settings
      Deploy (custom) OS image
      Inject drivers
      Install apps
      Restore data and settings
      Still an option for all scenarios (Refresh, Replace, Bare Metal)

    In-Place
      Let Windows do the work
      Preserve all data, settings, apps, drivers
      Install (standard) OS image
      Restore everything
      Recommended for existing devices (Windows 7/8/8.1)

  • IN-PLACE

    NEW COMMAND LINE OPTIONS FOR SETUP.EXE
      Regain control after success or failure using the /postoobe and /postrollback switches
      Control driver migration operations using /migratealldrivers and /installdrivers
      Copy log files to a location of your choice using /copylogs (Default: C:\$Windows.~BT\Sources\Panther)

    ENABLING UPGRADE FROM WINDOWS 7 VIA WINDOWS UPDATE
      WindowsTechnicalPreview.exe (a.k.a. KB2990214) enables installation via Windows Update on Windows 7
      Removing KB2990214 will remove the option

    USE CONFIGMGR TO HAVE MAX CONTROL

    WSUS NOT SUPPORTED

    NOT FOR ALL SCENARIOS

  • SUPPORT

    CM12 and R2 will support full Windows 10 thru a Service Pack

    CM vNext will have full Windows 10 Support OoB

    CM07 will support certain Windows 10 features

    MDT2013 will support Windows 10 thru update (Preview today)
    http://blogs.technet.com/b/configmgrteam/archive/2014/09/30/windows-10-enterprise-management-with-sc-configmgr-and-intune.aspx

    You can play already with the upgrade process thru Win10
    http://blogs.technet.com/b/configmgrteam/archive/2014/10/29/how-to-upgrade-to-win-10-using-the-task-sequence-in-sc-2012-r2-configmgr.aspx

  • DEMO

    WIN10 TASK SEQUENCE

  • DEPLOYMENT CHOICES

    Wipe-and-Load
      Traditional process
      Capture data and settings
      Deploy (custom) OS image
      Inject drivers
      Install apps
      Restore data and settings
      Still an option for all scenarios (Refresh, Replace, Bare Metal)

    In-Place
      Let Windows do the work
      Preserve all data, settings, apps, drivers
      Install (standard) OS image
      Restore everything
      Recommended for existing devices (Windows 7/8/8.1)

    Provisioning
      Configure new devices
      Transform into an Enterprise device
      Remove extra items, add organizational apps and config
      New capability for new devices

  • PROVISIONING

    TAKE OFF-THE-SHELF HARDWARE

    APPLY A PROVISIONING PACKAGE

    DEVICE IS READY FOR PRODUCTIVE USE

    TRANSFORM A DEVICE
      Install apps
      Enterprise configuration

    FLEXIBLE METHODS
      Automatically triggered at first boot (OOBE)
      Launch via GUI

    NEW TOOL FOR PROVISIONING
      Windows Imaging and Configuration Designer (ICD)
      Configure running devices or deploy to a new one

    PROVISIONING CAPABILITIES
      Installation of language packs, updates, apps, certs
      Configuration of Wi-Fi, e-mail, IE, etc.
      Enrollment in mobile device management

  • DEMO

    PROVISIONING

  • MANAGEMENT CHOICES

  • IDENTITY CHOICES

    ORGANIZATION OWNED (CYOD)

    PERSONALLY OWNED (BYOD)

    Computer joins AD to establish trust

    User signs on using AD account

    Group Policy + System Center

    Computer registers with AD or AAD via Device Registration to establish trust for remote resource access

    User signs in with a Microsoft account, associates an AAD account

    Intune/MDM

    Computer joins AAD to establish trust

    User signs on using AAD account

    Intune/MDM

    Settings roaming

  • DOMAIN CLOUD JOIN

    http://scug.be/nico/2015/03/19/windows-10-azure-domain-join/

  • CLOUD JOIN OOBE

    Windows Pro is typically purchased for work machines, so we made a guess but now's the time to correct us.

    Looks like your company owns this PC

    Did we get that right?

    Next

    Back

    Help me choose

  • MOBILE DEVICE MGMT

    Provisioning
    Bulk enrollment
    Simple bootstrap
    Converged protocol
    Azure AD Integration
    Greatly extended set of policies (Parity with Windows Phone 8.1)
    Context based policies
    Client certificates
    Direct install (PFX)
    Enterprise Wi-Fi
    VPN management
    Email provisioning
    MDM Push when user not logged in
    Device Update control
    Kiosk Mode, Start screen / Start menu configuration and control
    Curated Windows Store
    Business Store Portal app deployment; License reclaim/re-use
    Enterprise App management
    Simplified LOB app management
    Win32 app management
    App inventory (MDM/store apps)
    App allow/deny lists through AppLocker
    Enterprise data protection
    Full device wipe
    Remote Lock, PIN reset, Ring, Find
    Enhanced inventory for compliance decisions
    Un-enrollment in two phases & alerts
    Removal of Enterprise configuration (apps, certs, profiles, policies) and Enterprise encrypted data (with EDP)
    Additional device inventory

  • MDM Architecture

    New capabilities exposed using Configuration Service Provider (CSP) model

    WMI Bridge gives access to new CSPs
      Root\cimv2\mdm
      MDM_*

    [Diagram labels: CSP, CSP / WMI Wrapper, Common component, Desktop component, WMI bridge, MDM Client, EAS Client, Configuration component, PowerShell Scripts, ConfigMgr Desired Config]

  • ONE WINDOWS STORE

    WINDOWS PHONE 8.1

    WINDOWS 8.1

    WINDOWS 10

    Converged developer portal for Windows and Windows Phone

    Separate user and developer capabilities

    Fully converged experience

    Best features from each

    New capabilities

    XBOX

  • STORE OF TOMORROW

    CONSUMER WINDOWS STORE

    Modern apps
    Sign in with MSA
    Pay with credit card, gift card, PayPal, Alipay, INICIS, mobile operators (Phone)

    ENTERPRISE WINDOWS STORE

    ENTERPRISE APP STORE

    Modern apps
    Organization Store for the org's preferred or LOB apps
    Sign in with MSA to acquire public apps; sign in with AAD to acquire org apps
    Pay with credit card or PO/invoice
    B2B purchasing and distribution
    Deploy modern apps offline, in images, and more
    Sideload line-of-business modern apps
    Deploy apps from the Windows Store (even when the Store UI is disabled)

  • SECURITY

    Multi Factor Authentication
      Azure MFA

    Secure Token Protection
      Hard Container (leverage Hyper-V)

    Next Generation Credentials (alternatives for passwords)
      PIN: when devices are enrolled a PIN can be set (SSO)
      Key Pair with a phone, USB dongle, (roaming scenarios)
      BIO gestures (like face, iris, fingerprint) -> Windows Hello
      https://www.youtube.com/watch?v=1AsoSnOmhvU

    Information Protection

    Secure Identities

    Threat Resistance

  • SECURITY

    Device Protection
      BitLocker

    Data Protection
      (Azure) RMS
      Conditional Access

    Accidental Data Leakage
      Corporate \ Personal Data
      Managed Applications
      SOFT or HARD Block Options
      Remote Wipe


  • SECURITY

    Malware Prevention
      Store Apps
      Signing Service

    Pre-Boot Authentication
      Secure boot
      Trusted boot
      Measured boot


  • MISCELLANEOUS

    KMS
      New KMS and MAK keys for Windows 10
      Updates for existing KMS computers to support new products and keys

    GROUP POLICIES
      Start Screen & Start Menu Settings
      Project Spartan Settings
      Universal App Management

    NEW WMI CLASSES
      Win32_InstalledProgram +Usage +File +Framework
      Win32_DeviceContainer, Win32_InstalledDevice +HardwareID

  • THE END

    Windows 10 will probably be the best OS Microsoft has ever released

    Best of All Worlds

    One Windows

    You can still have impact by joining the Insider Program!

    Enterprise forums through TechNet: https://social.technet.microsoft.com/Forums/en-US/home?category=WinPreview2014

    Community discussions through Answers: http://answers.microsoft.com/en-us/windows/forum/windows_tp

    Windows Feature Suggestions: https://windows.uservoice.com