WINDOWS 10 MANAGEMENT

JORGEN.NILSSON@ONEVINN.SEccmexechttp://ccmexec.com Blog:

TWO NEW SHERIFFS IN TOWN

MANAGEMENT OPTIONS IDENTITY

GROUPING

Active Directory

Domain join | Workgroup

MANAGEMENT

Group policy

ConfigMgr

MDM

Exchange Active Sync

Powershell | WMI

Azure Active Directory

Azure AD join

New GPOs | AGPM scripting

MDM policies via WMI bridge

New configuration | Initial provisioning

WINDOWS 10 MANAGEMENT

• GROUP POLICIES WILL STILL WORK BUT….• MDM POLICIES WILL HAVE A LOT OF THE SAME CAPABILITITES• FEATURES LIKE ENTERPRISE DATA PROTECTION, DEVICE HEALTH ATTESTATION

WILL REQUIRE ONE OF THE TWO SHERIFFS.

WINDOWS MANAGEMENT FEATURES

Windows ClientWindows Management Instrumentation (WMI)Windows Remote Management (WinRM)Windows UpdateGroup Policy Client

Windows ServerActive DirectoryGroup PolicyWindows Server Update Services (WSUS)

ProductsSystem Center Configuration ManagerMicrosoft Desktop Optimization Pack (MDOP) Cloud Services

Azure Active DirectoryAzure RMSMicrosoft IntuneWindows StoreWindows Update

Mobile Device Management (MDM)PowerShellAppLocker

INTUNE MANAGEMENT• ” THIS IS YOUR LAST CHANCE. AFTER THIS, THERE IS NO TURNING BACK. YOU

TAKE THE BLUE PILL - THE STORY ENDS, YOU WAKE UP IN YOUR BED AND BELIEVE WHATEVER YOU WANT TO BELIEVE. YOU TAKE THE RED PILL - YOU STAY IN WONDERLAND AND I SHOW YOU HOW DEEP THE RABBIT-HOLE GOES.”

“THE MATRIX”

• BLUE PILL = INTUNE MANAGEMENT WITH THE INTUNE AGENT• RED PILL = WINDOWS 10 MANAGEMENT WITH THE MDM AGENT

BLUE PILL – INTUNE MANAGEMENT

• SAME FEATURES AS BEFORE IN INTUNE EXCEPT..• WINDOWS DEFENDER MANAGEMENT REPLACES THE ENDPOINT PROTECTION

CLIENT.

RED PILL – THE FUTURE OF MANAGEMENT• MANAGEMENT WITH THE BUILTIN MDM AGENT • BRING-YOUR-OWN-DEVICE• MANY MORE FEATURES IN WINDOWS 10• MAC OSX SUPPORT COMING• INTEGRATION WITH AZURE AD JOIN• CUSTOM POLICIES• COMING FEATURES ENTERPRISE DATA PROTECTION, DEVICE HEALTH

ATTESTATION

MOBILE DEVICE MANAGEMENTSignificant investments in added functionality for both mobile and desktop

devices

BYOD: simple security settings

Device Lockdown

Fully managed corporate device

Phon

e

Desk

top

Desk

top

Phon

e

Windows 8.1 Windows 10

MDM IN WINDOWS 10

One consistent

set of MDM

capabilities across Mobile,

Desktop, and

Embedded products

Provisioning Bulk enrollment Simple bootstrap Converged protocol Azure AD Integration

Greatly extended set of policies(Parity with Windows Phone 8.1)

Context based policies Client certificates – Direct install

(PFX) Enterprise Wi-Fi VPN management Email provisioning MDM Push when user not logged in Device Update control Kiosk Mode, Start screen / Start

menu configuration and control

Curated Windows Store Business Store Portal app

deployment; License reclaim/re-use

Enterprise App management Simplified LOB app

management Win32 app management App inventory (MDM/store

apps) App allow/deny lists through

Applocker Enterprise data protection

Full device wipe Remote Lock, PIN reset, Ring,

Find Enhanced inventory for

compliance decisions

Un-enrollment in two phases & alerts

Removal of Enterprise configuration (apps, certs, profiles, policies) and Enterprise encrypted data (with EDP)

Additional device inventory

ENROLLMENT

INVEN

TORY

APPLICATION MANAGEME

NTDEVICE

CONFIGURATIO

N AND

SECURITY

REM

OTE

AS

SIST

ANCE

UNENROLLME

NT

WINDOWS 10 CUSTOM POLICY• OPEN MOBILE ALLIANCE DEVICE MANAGEMENT (OMA DM)• OPEN MOBILE ALLIANCE UNIFORM RESOURCE IDENTIFIER (OMA URI)• WINDOWS 10 MOBILE AND DESKTOP• INTUNE AND CONFIGURATION MANAGER

• HTTPS://MSDN.MICROSOFT.COM/EN-US/LIBRARY/WINDOWS/HARDWARE/DN904962%28V=VS.85%29.ASPX

WINDOWS 10 & INTUNE

WINDOWS 10 IDENTITY CHOICES

•Computer joins AD to establish trust•User signs on using AD account•Group Policy + System Center

Active Directory Azure Active Directory

•Computer joins Azure AD to establish trust•User signs on using Azure AD account• Intune/MDM• Settings roamingSingle sign-on to enterprise + cloud-based

services

AZURE AD JOIN• SINGLE SIGN ON TO APPS PROTECTED BY AZURE AD (OFFICE 365)• SYNCED BACK ON-PREM FOR USE IN ADFS• CONDITIONAL ACCESS FOR OFFICE 365• CONDITIONAL ACCESS FOR ON-PREMISE (ADFS)

REQUIREMENTS AZURE AD JOIN/INTUNE

• EMS / AZURE AD PREMIUM / INTUNE SUBSCRIPTION• AZURE AD CONNECT TO SYNCHRONIZE YOUR IDENTITIES• REGISTER YOUR DOMAINNAME• ADFS OR PASSWORD SYNC

DNS:• ENTERPRISEENROLLMENT.YOURDOMAIN.COM• ENTERPRISEREGISTRATION.YOURDOMAIN.COM

PERSONAL VS CORPORATE DEVICESPERSONAL DEVICE• INTUNE ENROLLMENT FORCES A

WORKPLACE JOIN IN AZURE AD• ENROLLED DEVICE=PERSONAL

DEVICE

CORPORATE DEVICE• AZURE AD JOIN, OPTIONAL INTUNE

ENROLLEMENT.• ENROLLED DEVICE = CORPORATE

DEVICE• GLOBAL ADMINISTRATORS ARE

MADE LOCAL ADMINISTRATORS• ADD ADDITIONAL LOCAL

ADMINISTRATORS

AZURE AD JOIN

PROVISIONING PACKAGES• QUICKLY CONFIGURE A NEW DEVICE WITHOUT GOING THROUGH THE

PROCESS OF INSTALLING A NEW IMAGE.• SAVE TIME BY CONFIGURING MULTIPLE DEVICES USING ONE PROVISIONING

PACKAGE.• QUICKLY CONFIGURE EMPLOYEE-OWNED DEVICES IN AN ORGANIZATION

WITHOUT A MOBILE DEVICE MANAGEMENT (MDM) INFRASTRUCTURE.• SET UP A DEVICE WITHOUT THE DEVICE HAVING NETWORK CONNECTIVITY.

PROVISIONING PACKAGES

• APPLICATIONS WINDOWS APPS, LINE-OF-BUSINESS APPLICATIONS • BULK ENROLLMENT INTO MDM AUTOMATIC ENROLLMENT INTO MICROSOFT

INTUNE OR A THIRD-PARTY MDM SERVICE • CERTIFICATES ROOT CERTIFICATION AUTHORITY (CA), CLIENT CERTIFICATES • CONNECTIVITY PROFILES WI-FI, PROXY SETTINGS, EMAIL • MUCH MORE…

PROVISIONING PACKAGE

POP QUIZ - WHICH FEATURE IS THIS OLD NUGGET?• LOCAL ADMIN PASSWORD SOLUTION (LAPS)• EHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)• DRIVERS ERRORS• APPLICATIONS ERRORS• UNTRUSTED FONT BLOCKING

EVENT FORWARDING!

COMMUNITY SOLUTIONS• IF YOU DON’T USE ANY CLIENT MONITORING TOOL• USE EVENT FORWARDING!

COMMUNITY SOLUTION• POWERSHELL SCRIPT TO WRITE FORWARDED EVENT LOGS TO A SQL

DATABASEHTTPS://BLOG.NETNERDS.NET/2013/03/IMPORTING-WINDOWS-FORWARDED-EVENTS-INTO-SQL-SERVER-USING-POWERSHELL/

EDGE FAVORITES LOCATION• %USERPROFILE%\APPDATA\LOCAL\PACKAGES\

MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\MICROSOFTEDGE\USER\DEFAULT

TO COPY FAVORITES THE FOLLOWING REGISTRY KEY MUST BE DELETED AS WELL OTHERWISE COPIED FAVORITES WILL NOT SHOW UP. ”HKEY_CLASSES_ROOT\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\MICROSOFTEDGE\FAVORDER”

EDGE• YOU CANNOT IMPORT FAVORITES

FROM IE IF FOLDER REDIRECTION IS USED.• FAVORITES CAN ONLY BE IMPORTED

FROM %USERPROFILE%\FAVORITES

• USE POWERSHELL: HTTPS://GALLERY.TECHNET.MICROSOFT.COM/POWERHSELL-SCRIPT-TO-COPY-1E300DE5

UNINSTALL BUILT-IN APPS• FOR CURRENT USER, USE: • REMOVE-APPXPACKAGE

• TO REMOVE THEM FOR ALL NEW USERS CREATING THEIR PROFILE.• REMOVE-APPXPROVISIONEDPACKAGE

HTTP://CCMEXEC.COM/2015/08/REMOVING-BUILT-IN-APPS-FROM-WINDOWS-10-USING-POWERSHELL/

BLOCK BUILT-IN APPS USING APPLOCKER

• EDGE, WINDOWS FEEDBACK, CONTACT SUPPORT CANNOT BE UNINSTALLED.• IF BLOCKED WITH APPLOCKER AND THE POLICY IS APLIED TO THE COMPUTER

BEFORE THE USER LOGS IN THE FIRST TIME. THE APPLICATION IS NOT INSTALLED FOR THE USER AT ALL.

HTTP://CCMEXEC.COM/2015/08/BLOCKING-BUILT-IN-APPS-IN-WINDOWS-10-USING-APPLOCKER/

QUESTIONS?

THANK YOU!