choose the best deployment method for your organization to get to windows 10 keep windows 10 up to...
Post on 18-Jan-2016
LEX
Accelerate deployment of Windows 10 at scale
Speaker name
Speaker title
Session objectives and takeaways
Understand how to:
• Choose the best deployment method for your organization to get to Windows 10
• Keep Windows 10 up to date
• Manage Windows 10 security features and enhance productivity
What's driving change?
IT
Employees, Customers, Business partners
Devices, Apps, Users, Data
Investments for business
Enhanced productivity
Protection against modern security threats
Managed for continuous innovation
Innovative devices for your business
MDM
Windows as a Service
New deployment options
Windows 10
Microsoft Enterprise Mobility Suite (EMS)
Unify identity
• Azure Active Directory Premium
• Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
Manage apps and devices
• Microsoft Intune & System Center Configuration Manager
• Manage and protect corporate apps and data on almost any device with MDM and MAM.
Protect data
• Azure Rights Management
• Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.
Enhancing Windows 10 experiences with EMS
Simplify deployment
• Azure AD Join with Intune auto enrollment
• Provisioning packages and profiles for bulk enrollment
• In-place upgrade to Windows 10 with ConfigMgr
Unify device management
• Intune integration with ConfigMgr to manage all devices in the environment
• New in ConfigMgr:
  • Faster and easier ConfigMgr updates
  • Windows 10 servicing
  • On-premises MDM
Configure Windows 10
• Expanded MDM settings
• Per-app VPN
• Microsoft Passport policies and certificates
• Windows Universal and Win32 apps
• Support volume purchase of apps
Manage and protect
• Corporate data leakage prevention through enterprise data protection (EDP) policies
• RMS integration for securing shared documents/files
• Device Guard and AppLocker policies
• Advanced conditional access policies
• Integration with Windows Health Attestation Service (HAS)
User IT
Flexible deployment and management options
ConfigMgr integrated with Intune (hybrid)
Intune standalone (cloud only)
Mobile devices and PCs
Intune web console
System Center Configuration Manager
Mobile devices
Domain-joined PCs
ConfigMgr console
MDM
IoT/Kiosk devices
Agent
MDM
MDM or agent
What we hear from you…
How can I secure and improve productivity in Windows 10?
How do I keep Windows up to date?
How should I deploy Windows 10?
How should I deploy and manage Windows 10?
Deployment and mgmt. strategy
Existing Windows 7, 8, 8.1
• Win32 Apps
• ConfigMgr agent
• Upgrade to Windows 10 with ConfigMgr
• Preserve apps and configuration
• Maintain management processes and principles of today
New Windows 10 device
• Enroll into Intune (Azure AD Join/provision)
• Manage via MDM
• Universal apps (Store/LOB)
• Basic MSI support
On-ramp to the cloud over time
Getting to Windows 10
Existing devices: Refresh
• Use if significant changes are needed, such as OS architecture change x86 versus x64
• Traditional process
  • Capture data and settings
  • Deploy (custom) OS image
  • Inject drivers
  • Install apps
  • Restore data and settings
Existing devices: Upgrade
• Let Windows and ConfigMgr do the work
• Preserve all data, settings, apps, and drivers
• Install (standard) OS image
• Restore everything
Recommended for existing devices (Windows 7/8/8.1)
New devices
IT Pro Provisioning
• Windows Image and Configuration Designer (WICD)
• Transform into an enterprise device
• Provisioning profile with ConfigMgr
User Provisioning
• Azure AD Join with Intune auto enrollment
Improved: ConfigMgr/MDT
Modern: ConfigMgr/WICD/Intune/Azure AD
Traditional: ConfigMgr/MDT
Reduce upfront testing and deployment preparation
Zero dependencies on Windows ADK; supplemental to existing deployment scenarios
Another tool in the OS deployment toolbox
Refresh, replace, and bare metal
Compared to refresh, in-place upgrade is…
Faster: 30 to 60 minutes, on average, to upgrade
Smaller: file size is default OS Media, no applications
More robust rollback capabilities on failure to functional down-level OS
In-place upgrade with ConfigMgr
Preserve applications, drivers, user data, and settings
Continue to use refresh (wipe-and-load) when…
Configuration drift/change
Domain membership
Local administrators
Bulk application swap
Custom requirements
WinPE offline operation
Custom base image
Third-party disk encryption
Upgrade versus refresh
Fundamental change
Disk partitioning
BIOS -> UEFI
x86 -> x64
Base OS language
System Center Configuration Manager @ Microsoft IT
Redmond Site 1
75k Clients
Redmond Site 2
90k Clients
North & South America
50k Clients
Europe, MidEast, Africa
50k Clients
Australia & Asia
75k Clients
Device Mgmt. Site
~15K devices
Infrastructure
• 6 Primary Sites
• 13 Secondary Sites
• 300 Distribution Points
PCs and Devices
• ~350,000 clients
• ~125k mobile devices (EAS)
Users
• ~98k FTEs
• ~82k Vendors
Microsoft Intune
Azure Active Directory
Connector site role
Intune subscription
User Discovery
MS Online Directory Sync
Active Directory Federation Server
Windows deployment of the future
Windows 7 (2009): 80% FTE, 1 Year
Windows 8 (2012): 95% FTE, 8 Months
Windows 8.1 (2013): 95% FTE, 3 Months
Windows 8.1 Update (2014): 95% FTE, 5 Weeks
Windows 10 (2015): 95% FTE, 5 Weeks
[Chart: Complexity, User Experience, Helpdesk, Setup IR; labels: Custom Solution, MDT & IT Easy, Upgrade, Experiment, Update, Upgrade]
Demo: ConfigMgr admin console – upgrade
Modern Deployment Options
User-driven, from the cloud
• Company-owned devices: Azure AD join, either during OOBE or after from settings
• BYOD devices: “Add a work account” for device registration
• Automatic MDM enrollment as part of both
• MDM policies pushed down:
  • Change the Windows SKU
  • Apply settings
  • Install apps
IT-driven, using new tools
• Create provisioning package using Windows Imaging and Configuration Designer with needed settings:
  • Change Windows SKU
  • Apply settings
  • Install apps and updates
• Provisioning profile with Intune and ConfigMgr:
  • Enroll a device for ongoing management (just enough to bootstrap)
• Deploy manually, add to images
Provisioning package and profile
Windows Imaging and Configuration Designer
• Initial setup
• Edition upgrade
• Certificates
• Connectivity profiles
• Management enrollment
• Modern applications
• Win32 applications
• Enterprise policies
• Offline content
• Browser settings
• Start menu customization
• Assigned access
Apply during:
• At OOBE (out-of-box experience)
• During runtime (.PPKG file)
• Embedded in the image (ConfigMgr OSD, MDT, and WDS)
Provisioning profile with Intune and ConfigMgr:
• A lifeline profile – Wi-Fi, enrollment
Demo: Provisioning – Windows Image Configuration Designer and ConfigMgr profiles
Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory.
With Azure AD Join, you can auto enroll devices in Microsoft Intune for management.
Azure AD Join for Windows 10
Windows 10 Azure AD Joined Devices
Intune/MDM auto-enrollment
Intune auto-enrollment
Enterprise-compliant services
Support for hybrid environments
Single sign-on from the desktop to cloud and on-premises applications with no VPN
Demo: Azure AD Join with Intune auto-enrollment
What we hear from you…
How can I secure and improve productivity in Windows 10?
How do I keep Windows up to date?
How should I deploy Windows 10?
Windows as a Service
Special systems
Examples: air traffic control, emergency rooms
No new functionality on Long Term Servicing Branch
Regular security updates
Business users
Update their devices after features are validated in the market
Consumer devices
Keeping hundreds of millions of consumers up to date
Large and diverse user base helps drive quality of the OS updates
BYOD devices are up to date and secure
*Conceptual illustration only
Current Branch for Business
Current Branch
Microsoft Insider Preview Branch
Broad Microsoft internal validation
Engineering builds
Customer internal ring I
Customer internal ring II
Customer internal ring III
Customer internal ring IV
Users
Tens of thousands
Several Million
Hundreds of millions
Windows as a Service – rings
Current Branch for Business
Stage broad deployment
Information workers, general population
Long Term Servicing Branch
Deploy for mission critical systems
Specialized systems
Specific feature and performance feedback
Application compatibility validation
Windows Insider Preview Branch
Test machines, small pilots
Current Branch
Deploy to appropriate audiences
Test and prepare for broad deployment
Early adopters, initial pilots, IT devices
[Chart axes: Stage, Number of devices, Release]
Thinking through deployment strategy
The new System Center Configuration Manager
• Simplify the upgrade experience: in-place upgrade from Configuration Manager 2012 and R2 to latest product version
• Support faster paced updates for Windows 10 and Intune: new updates and servicing nodes deliver periodic updates for new features, bug fixes, and extensions for hybrid deployments using Intune
• Intune updates monthly—keep ConfigMgr on pace
• Listen and respond quickly to customer feedback: foundational improvements made in latest version of the product allow us to respond to customer feedback more quickly
[Diagram: repeated release cycles of Develop, Test, Esc, Flight to MSIT/TAP, RTM, with Tech previews]
SCCM vNext
Direct customer engagements
• MSIT
• Indiana University
• British Telecom
• Boeing
• USAF
• Daimler
• S&N
Customer feedback
• UserVoice
• MVP Hackathon
• Partners
• Telemetry/Usage
Windows 10 management with upcoming releases of Configuration Manager
Current Branch (version 1511)
System Center 2016 Configuration Manager
Current Branch (version yymm)
Long Term Servicing Branch
Current Branch (version yymm)
System Center Configuration Manager
FALL WINTER SUMMER
Product version: System Center Configuration Manager
• Release vehicle: Current Branch
• Availability: Generally available Q4 CY2015 with updates released periodically throughout the year
• Windows 10 features supported: New features, security updates, and bug fixes
• Support: Can defer updates for up to 12 months before you must deploy updates to maintain support
• Windows Servicing Model supported: Windows 10 Current Branch, Current Branch for Business, and Long Term Servicing Branch
Product version: System Center 2016 Configuration Manager
• Release vehicle: Long Term Servicing Branch
• Availability: Generally available CY2016 in alignment with System Center 2016
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release; newer features will not be supported. Security updates released as needed
• Support: 10 years of support: 5 mainstream + 5 extended
• Windows Servicing Model supported: Windows 10 Long Term Servicing Branch
Is ConfigMgr LTSB the right choice for me?
Customer environment ConfigMgr LTSB?
All Windows 10 clients in my organization are on Current Branch (CB) or Current Branch for Business (CBB)
No. In order to be in support on the latest Windows CB/CBB, you need the Current Branch of ConfigMgr
Some Windows 10 clients in my organization are on CB/CBB, but some are on the Long Term Servicing Branch (LTSB)
No. The Current Branch of ConfigMgr will support Windows CB/CBB as well as LTSB
My hierarchy is completely disconnected; I cannot connect any servers to the web
No. The ConfigMgr updates and servicing model allows a completely offline mode
I use ConfigMgr in a hybrid environment with Intune
No. In order to get the latest updates for MDM/MAM, including platform updates, you must use the Current Branch of ConfigMgr
I cannot install multiple updates a year; I need more time for my change process
No. The Current Branch of ConfigMgr allows you to defer updates for up to 12 months
I will probably need support for future releases of SQL server, WSUS, or other components that ConfigMgr has a dependency on
No. Only the Current Branch of ConfigMgr will support the latest releases of these components
My environment cannot accept any updates; I do not need new functionality or platform support in the foreseeable future
Yes. LTSB is the right choice for you
Type of support/Feature
System Center Configuration Manager (Current Branch)
System Center Configuration Manager (Long Term Servicing Branch)
Request to change product design and features (e.g. Critical DCRs)
New product features
Security updates
Non-security update support (e.g. critical bug fixes)
Windows 10 (Current Branch)
Windows 10 (LTSB)
Support for new Windows 10 Enterprise features
MDM (Intune)
MDM (On Premise)
AppCompat support for major upgrades (e.g. SQL v.Next, App-V v.Next, etc.)
ConfigMgr (Current Branch) vs. ConfigMgr 2016
Product version: System Center 2012 ConfigMgr SP2 AND System Center 2012 R2 ConfigMgr SP1
• Release vehicle: Service packs (availability: May 2015); Cumulative updates (availability: As needed)
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release. Newer features will not be supported
• Support: Windows 10 Long Term Servicing Branch (LTSB), Current Branch (CB), and Current Branch for Business (CBB): will provide support for July 2015 LTSB + Windows CB and CBB releases through February 2016 *
Product version: System Center 2007 ConfigMgr
• Release vehicle: Compatibility pack
• Availability: September 2015
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release (management only, no OSD). Newer features will not be supported
• Support: Windows 10 July 2015 Long Term Servicing Branch
* Customers using Windows 10 Current Branch (CB) or Current Branch for Business (CBB) with Configuration Manager 2012 R2 SP1 or Configuration Manager 2012 SP2 will need to migrate to the Current Branch of System Center Configuration Manager after this time for continued support.
Windows 10 management with older versions of Configuration Manager
Demo
• Updates and servicing node
• Servicing dashboard
• Configuring update rings in admin console
What we hear from you…
How can I secure and improve productivity in Windows 10?
How do I keep Windows up to date?
How should I deploy Windows 10?
On-premises applications
Conditional access control with EMS
Application
• Business sensitivity
Other
• Network location
Devices
• Managed by Intune or ConfigMgr
• Compliant with Intune or ConfigMgr policies
• Domain joined
User attributes
• User identity
• Group memberships
• Auth strength (MFA)
Azure AD
“Enterprise data protection” for Windows 10
Configure and manage EDP policies with Intune and Azure Rights Management
Separate personal and corporate data with limited impact on employees’ day-to-day activities
Protect Data at Rest wherever it may roam*
User
Corporate network
Microsoft Intune & Azure Rights Management
Apply policies
Save
Save
Share files and enforce policies
File share
Personal storage
Secure content collaboration through integration with Azure Rights Management
* Some roaming scenarios use Azure Rights Management
Control app access to corporate data and prevent copy- and paste-related data leaks
• Unified end-user portal
  • Consistent look and feel as the company portal
  • One-stop shop for all apps
  • Convergence of software center and app catalog
  • Device compliance
• Microsoft Passport
  • Ability to deploy certificates and Passport policies for simplified authentication
• Offline Universal Windows apps
  • Deploy Universal Windows apps that are built internally (line-of-business apps)
  • Deploy offline apps and licenses from the Windows Business Store
Enhanced end-user experiences
Demo
• Enterprise data protection
• Windows Store for Business and end-user portal
Summary
How should I deploy and manage Windows 10?
Deployment and mgmt. strategy
Existing Windows 7, 8, 8.1
• Win32 Apps
• ConfigMgr agent
• Upgrade to Windows 10 with ConfigMgr
• Preserve apps and configuration
• Maintain management processes and principles of today
New Windows 10 device
• Enroll into Intune (Azure AD Join/provision)
• Manage via MDM
• Universal apps (Store/LOB)
• Basic MSI support
On-ramp to the cloud over time
Session objectives and takeaways
Understand how to:
• Choose the best deployment method for your organization to get to Windows 10
• Keep Windows 10 up to date
• Manage Windows 10 security features and enhance productivity
Next steps
To explore
• Try Enterprise Mobility now
  • http://www.microsoft.com/ems
• TechNet @ http://technet.microsoft.com/
• MSDN @ http://www.msdn.com/
To do
• Rate the session
Q&A
© 2014 Microsoft Corporation. All rights reserved.