How Windows 10 marks the end of Roaming Profiles
About me
Microsoft Community Star (HK and TW)
Microsoft Most Valued Professional (MVP)
MCT, MCP, MCP+I, MCITP, MCTS, MCDST, MCSA,
MCSE, MCSE+I, MCDBA, MCAD, MCSD, MCPD
DataAccess Insider, Azure Insider,
DotNet Insider, SourceCode K2 Insider
Guest Speaker on Regular MSDN Seminars (2003-2007)
Guest Speaker on Microsoft ImagineCup (2005-2007)
Guest Speaker on Microsoft TechEd 2008
Guest Speaker on Microsoft TechDays 2009
Guest Speaker on Microsoft TechDays 2015
Guest Speaker on Microsoft Tech Summit 2017
Agenda
• Identifying the Problem
• Enterprise State Roaming: The Cloud Solution
• UE-V: The On-Prem Solution
• Hybrid Environments
• Q&A
Identifying the Problem
Problem 1
I want settings and app data accessible from any device.
The Windows experience should follow me as a user so I can stay productive wherever I go.
Problem 2
Device replacement is painful. I want to feel protected from data loss if my device fails.
Configuring my device again is time consuming.
Microsoft’s Customer Promises
Roaming Profiles
When are the Roaming Profiles from?
1994!
Roaming Profile Versioning

Client OS                 | Server OS                            | Extension | Profile Location
Win NT4                   | Win Server NT 4                      | None      | \\<servername>\<fileshare>\<username>
Win 2000                  | Win Server 2000                      | None      | \\<servername>\<fileshare>\<username>
Win XP                    | Win Server 2003, Win Server 2003 R2  | None      | \\<servername>\<fileshare>\<username>
Win Vista                 | Win Server 2008                      | V2        | \\<servername>\<fileshare>\<username>.V2
Win 7                     | Win Server 2008 R2                   | V2        | \\<servername>\<fileshare>\<username>.V2
Win 8                     | Win Server 2012                      | V3        | \\<servername>\<fileshare>\<username>.V3 *
                          |                                      |           | \\<servername>\<fileshare>\<username>.V2 **
Win 8.1                   | Win Server 2012 R2                   | V4        | \\<servername>\<fileshare>\<username>.V4 ***
                          |                                      |           | \\<servername>\<fileshare>\<username>.V2 ****
Win 10                    |                                      | V5        | \\<servername>\<fileshare>\<username>.V5
Win 10 Anniversary (1607) |                                      | V6        | \\<servername>\<fileshare>\<username>.V6

* After the software update and registry key are applied (KB 2887239)
** Before the software update and registry key are applied
*** After the software update and registry key are applied (KB 2887595)
**** Before the software update and registry key are applied
• Supporting 2 OS versions means 2 x the roaming profile size
• Supporting 3 OS versions means 3 x the roaming profile size
• Documents and Pictures (Computer Configuration)
• Contacts, Desktop, Favorites, Music, Videos, Start Menu, AppData\Roaming (User Configuration)
• Between WinVista/Win Server 2008 and Win7/Win Server 2008 R2
• Between Win8/Win Server 2012 and Win8.1/Win Server 2012 R2
• Between WinVista, Win7, Win8 and Win8.1
• Changes made on one OS version won't roam to another OS version
• Moving your environment to a new OS version creates a new, empty profile
• There is no supported method of migrating user profiles between versions
Roaming with 1+ Versions of Windows
• Using more than one PC
• Remote Desktop Session Host Server
• Virtualized Desktop Infrastructure (VDI) Server
• Will be fixed in a future release
• Configure User Profile Disks with a Remote Desktop Session Host Server or VDI Server
• More info: https://blogs.technet.microsoft.com/enterprisemobility/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012/
Roaming Start Menu on Win 10
• Enforcement of admin control by using a Mandatory User Profile
• Users can access their data anywhere
• Easier backup
• Very large size, but smaller with Folder Redirection since Win Server 2008
• Only the registry roams, not Local Settings
• It can corrupt when a different set of applications is installed on each machine
• Some applications do not support a profile on a UNC path, e.g.:
  • Batch files under Command Prompt
  • Adobe Reader v9.0 and v10.0
  • OpenOffice.org 3.3
  • AutoCAD 2013
Roaming Advantages & Disadvantages
Settings roaming is what we still want!
• Sync your settings
• Enterprise State Roaming (ESR): The Cloud Solution
• User Experience Virtualization (UE-V): The On-Prem Solution
Settings Roaming in Win10
Settings Sync
• Allows consumers to sync their OS settings and Modern application data across all their personal Windows devices
• Theme, IE Settings, Edge Browser Settings, Passwords, Language Preferences, Ease of Access Features, Other Windows Settings
• UWP Data
Settings Sync
• Only Microsoft Accounts
• Enterprise users need to connect a Microsoft Account to their AD domain account
• Replaced with a Primary/Secondary Account Framework
• Primary can be Microsoft Account, Azure AD Account, On-Prem AD Account, Local Account
• Secondary can be Microsoft Account, Azure AD Account, some other account such as Gmail or Facebook
• Only Primary Account for the device can be used for Settings Sync
What Account?
Enterprise State Roaming (ESR)
Settings Sync
Goal: Provide Enterprise State Roaming using Azure Active Directory (AAD) authentication for AAD Premium users.
• Corporate-owned device support
• Separation of corporate and consumer data
• Enhanced security (Azure RMS)
• Management and monitoring services
Protection Scope
App Data*
• UWP app roaming data
OS Settings
• Personalization
• Accessibility
• Language settings
• Windows settings
• Browser settings
• Credentials
Cloud
• Data resides in the Azure Cloud
Devices
• PC
• Laptops
• Tablets
• VDI (client SKU VM)
* ESR does not currently support the roaming of Win32 app settings
• Always based on the identity used to sign into Windows (“primary account”)
• Always based on the identity of app acquisition
• User’s relevant app data roams across their devices if the acquisition ID is the same as the primary account
• Enterprise and personal data stay separate in their respective storage locations
Identity and Roaming Data Separation
[Diagram: a matrix of Consumer Use vs. Business Use against device ownership (Personal, Personal BYOD, Company Owned) for Consumer and Employee identities; the scenarios are Consumer, BYOD, Business Only and Business Open, each roaming through OneDrive.]
App State Roaming Example
[Diagram: two work-owned devices syncing to the Azure Cloud. Device 1 has business-only apps and an AAD primary identity. Device 2 has business and consumer apps, with an AAD primary identity and an added MSA; only the business app syncs to the cloud.]
Enhanced Security
Data that syncs is encrypted
• Encrypted using Azure Rights Management (Azure RMS) before leaving the device
• All content stays encrypted at rest in the cloud
• Enterprises with an Azure RMS subscription can Bring Your Own Key
Sync data storage
Storage location
• Enterprise State Roaming data is hosted in the Azure region that best aligns with the tenant's country
• Data is located within that geographical region and is not replicated across regions
Why Join Azure AD?
Five Easy Steps
Step 1: Create an Azure Directory
• Azure AD Premium, OR
• EMS
Step 2: Enable Device Registration
Step 2a: Enable MDM Enrollment
Step 3: Configure DNS
Entry                  | Type  | Target
enterpriseregistration | CNAME | enterpriseregistration.windows.net
Step 4: Create Cloud IDs
Step 5: Join the Azure Domain
Requires Windows 10 *
• With Enterprise or Education SKU
• Becomes the primary account
• Enables logon with other tenant IDs
• Linked secondary logon
AAD Join in OOBE
AAD Join after OOBE
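An added check (not part of the deck) for Step 3 and Step 5: confirm the enterpriseregistration CNAME resolves to the expected target and read the device's join state from dsregcmd. The domain contoso.com is an assumed placeholder for the tenant's verified domain.

```powershell
# Added example, not from the deck. Assumption: 'contoso.com' stands in for your verified domain.
$Domain = 'contoso.com'

# Step 3 check: the CNAME must point at enterpriseregistration.windows.net, otherwise
# automatic registration / workplace join discovery fails for on-prem domain-joined devices.
function Test-EnterpriseRegistrationCname {
    param([string]$Domain)
    $expected = 'enterpriseregistration.windows.net'
    $name     = "enterpriseregistration.$Domain"
    $records  = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    $target   = ($records | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    [pscustomobject]@{ Name = $name; Target = $target; Ok = ($target -eq $expected) }
}

# Step 5 check: dsregcmd /status prints "Key : Value" lines; keep the join flags ESR depends on.
function Get-DeviceJoinState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    [pscustomobject]$state
}

Test-EnterpriseRegistrationCname -Domain $Domain
Get-DeviceJoinState
```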
Questions on Azure AD
• Windows Settings
• UWP App Settings
Enterprise State Roaming (ESR)
Requirements:
1. Azure Active Directory (AAD) Premium subscription.
2. Windows 10 (Version 1511, OS Build 10586 or later).
3. Devices are Azure AD joined (or traditional on-prem AD domain-joined devices with automatic registration to Azure AD).
Steps:
1. The IT admin goes to the AAD online management portal to configure users for Enterprise State Roaming.
2. Additional policies may be applied.
How do I try out ESR?
User Experience Virtualization (UE-V)
What is User Experience Virtualization (UE-V)?
• VDI environment where multiple accounts are stored
• Call centers where thin clients are used
• Enterprise users with multiple devices (desktop, laptop, etc.)
• Microsoft Office 2016, 2013, and 2010
• Internet Explorer 11 and 10
• Many Windows applications, such as Xbox
• Many Windows desktop applications, such as Notepad
• Many Windows settings, such as desktop background or wallpaper
User Experience Virtualization (UE-V)
UE-V Customer Value
On-Premise
• UE-V relies on a local network share
• No server component needed
• Customers can completely manage and own their data
• Works for customers in countries with strict data enforcement, such as those in the EU
Win32 app settings roaming
• Over 80% of applications in use by enterprise customers are Win32 desktop applications
• Custom and LOB apps can be roamed using templates
• Granular control over which app can roam
UE-V
Settings Storage Path
What’s New for Windows 10 Anniversary Update
Easier to deploy   | Easier to manage              | Simple to acquire                      | Simple to migrate
Built-in components of Windows | New PowerShell and GP commands | Moving from MDOP attachment licensing | Ensuring settings and configurations are retained
MDOP
Previously, UE-V shipped with the Microsoft Desktop Optimization Pack (MDOP) as an external set of installers:
• Agent UI and Service Setup
• Template Generator Setup
Needed the MDOP attachment to the Software Assurance License to get the installers
What's New
For Windows 10 Anniversary Update and beyond, UE-V ships as a Windows component in the Windows Enterprise SKU and can be enabled inbox:
• PowerShell and Group Policy deployment
• Agent UI has been removed
The UE-V Template Generator ships as part of the Windows Assessment and Deployment Kit (ADK):
• Available for download from the Hardware Download Center
Software Assurance License now includes MDOP without an additional add-on license after August 1st, 2015
What’s New
Pro SKU to Enterprise SKU
Customers who are paying for the Windows Pro SKU but would like to use UE-V and other enterprise features can upgrade to the Windows Enterprise SKU:
• Allows Pro SKUs to turn on Enterprise features including UE-V
• Using SLMGR.VBS, just change the product key
• No reboot needed
Migration
For customers who were using a previous version of Windows and UE-V:
• Upgrading to Windows 10 Anniversary Update will automatically migrate UE-V settings and configurations and enable the UE-V service
Removed inbox templates:
• Win32 calculator template
• IE 8/9
Added inbox template:
• Office 2016
UE-V Changes in Windows 10
• Does not roam printer settings or preferences
Key PowerShell commands for UE-V
• Enable-UEV: turns on the UE-V service, requires reboot
• Disable-UEV: turns off the UE-V service, requires reboot
• Get-UevStatus: displays whether the UE-V service is enabled or disabled as a Boolean value
• Set-UevConfiguration: configures the UE-V service; needs to be set before enabling
• Get-UevConfiguration: displays the configuration set by the IT admin
Deploy UE-V
• Allow UE-V users "List Folder / Read Data" and "Create Folders / Append Data" on the share root
• Allow CREATOR OWNER Full Control on subfolders and files
• Use Group Policy or PowerShell
• Get-ChildItem C:\ProgramData\Microsoft\UEV\InboxTemplates\*.xml | % { Register-UevTemplate $_.FullName }
• Set-UevConfiguration -EnableWaitForSyncOnApplicationStart
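An added worked example (not the deck's own script) that carries the "Deploy UE-V" bullets through end to end: the share-root ACLs that stop one user reading another user's settings packages, then the client-side configure-before-enable sequence and inbox template registration. The share path, folder, group name and drive letter are assumed placeholders.

```powershell
# Added example, not from the deck. Assumptions: D:\UevStore, the UevStore$ share and
# the CONTOSO\UE-V Users group are placeholders; the first half runs on the file server,
# the second half on a Windows 10 1607 Enterprise client.
$StoreRoot   = 'D:\UevStore'
$ShareName   = 'UevStore$'
$UevUsers    = 'CONTOSO\UE-V Users'
$StoragePath = "\\fileserver\$ShareName\%username%"   # UE-V expands %username% per user

# --- File server: NTFS ACLs on the root, least privilege for roaming users ---
New-Item -ItemType Directory -Path $StoreRoot -Force | Out-Null
icacls $StoreRoot /inheritance:r                       # drop inherited ACEs first
# Root only: RD = List Folder/Read Data, AD = Create Folders/Append Data, X = traverse.
# No (OI)/(CI) flags, so this ACE does not flow into other users' package folders.
icacls $StoreRoot /grant "$($UevUsers):(RD,AD,X)"
# Whoever creates a subfolder owns it: Full Control, inherit-only so it never applies to the root.
icacls $StoreRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)F'
icacls $StoreRoot /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $StoreRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
# Share-level Full Access is fine because NTFS is the effective boundary; no offline caching.
New-SmbShare -Name $ShareName -Path $StoreRoot -FullAccess $UevUsers -CachingMode None

# --- Client: Set-UevConfiguration must run before Enable-UEV (see the key commands slide) ---
if (-not (Get-UevStatus).UevEnabled) {
    Set-UevConfiguration -Computer -SettingsStoragePath $StoragePath
    # Block application start until its settings package has been pulled from the share,
    # so a fresh device does not overwrite the roamed settings with first-run defaults.
    Set-UevConfiguration -Computer -EnableWaitForSyncOnApplicationStart
    Enable-UEV                                         # service turns on after the next reboot
}
# Register the inbox templates (Office, IE, Windows desktop apps shipped with Windows).
Get-ChildItem 'C:\ProgramData\Microsoft\UEV\InboxTemplates\*.xml' |
    ForEach-Object { Register-UevTemplate -Path $_.FullName }
Get-UevConfiguration -Computer                          # review what was set before rebooting
```

Check the result with Get-UevStatus after the reboot; UevEnabled should report True and UevRebootRequired False.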
What if my customer uses a hybrid on-premise and cloud environment?
What if my customer wants to roam Win32 apps settings right now?
Can UE-V and ESR currently coexist?
UEV & ESR Together??
• UE-V can roam Win32 applications on-premises while Enterprise State Roaming (ESR) roams the rest
Admins can configure UE-V to roam just Win32 app settings by disabling roaming of Windows OS settings and Universal app data through:
• Enable "Do Not Synchronize Windows Apps"
• Disable "Synchronize Windows Settings"
• Disable "IE" roaming in the applications section
In Windows 10 Anniversary Update, UE-V automatically detects whether ESR is enabled and applies the above policies directly
UE-V & ESR Together
Summary on UE-V & ESR Together
UE-V is a completely on-premise solution; it requires management of templates, provides granular control and can roam Win32 app settings.
ESR is a cloud-based solution connected to AAD, which provides an enterprise-compliant service that syncs OS settings and modern app data.
UE-V and ESR can co-exist for a complete settings roaming solution in hybrid environments.
Summary
• ESR unfortunately lacks support for Win32 applications
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview
https://technet.microsoft.com/en-us/itpro/windows/manage/uev-for-windows
Summary
Thank You
More (if time allows)...
Customizing the Start Menu in Windows 10
Windows 10 Start Menu
Group Policy for Start Menu Options
Create Start Layout XML
Export the Start Layout
• export-startlayout -path <path><file name>.xml
• Add LayoutCustomizationRestrictionType="OnlySpecifiedGroups" to the DefaultLayoutOverride element
Specified Tile Groups can never be changed
Applying the Start Layout
• Group Policy
• Windows Imaging and Configuration Designer provisioning package
• Mobile Device Management (MDM)
• Group Policy Preference
• Import in Windows image
Sample Start layout XML
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
Taskbar Options
• Default Windows apps
• Apps pinned by the user
• Apps pinned during deployment
Configuring the Taskbar
• <taskbar:UWA> and AUMID to pin Universal Windows Platform apps
• <taskbar:DesktopApp> and Desktop Application Link Path to pin desktop applications
• Add PinListPlacement="Replace" to <CustomTaskbarLayoutCollection>
Sample Taskbar Start layout XML
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
Deploy the Start Layout
Combine Start & Taskbar Layout
Deploying the Start Menu
• Use Group Policy to deploy the Start layout
• Use MDM to deploy the Start layout: ./User/Vendor/MSFT/Policy/Config/Start/StartLayout
• Use Windows Imaging and Configuration Designer (ICD) to include the XML in the PPKG
• Import-StartLayout
Other ways to deploy the Start layout
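An added example (not from the deck) that joins the Start and taskbar fragments above into one complete LayoutModification.xml, checks it parses with the intended restriction, and applies it with Import-StartLayout. The output paths and the group name "Corporate" are assumed; the tiles and pins are the slides' own samples.

```powershell
# Added example, not from the deck. Assumptions: C:\Deploy paths and the group name are placeholders.
$LayoutPath = 'C:\Deploy\LayoutModification.xml'
New-Item -ItemType Directory -Path (Split-Path $LayoutPath) -Force | Out-Null

# Keep a copy of the current layout (the export-startlayout step) for comparison or rollback.
Export-StartLayout -Path 'C:\Deploy\Exported.xml'

$layout = @'
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <!-- OnlySpecifiedGroups: the "Corporate" group is locked; users may still add their own groups -->
  <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Corporate">
          <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <!-- PinListPlacement="Replace": default pins are dropped, only the list below remains -->
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
'@

# Parse before shipping through GPO/MDM/ICD so a typo is caught here, not after deployment.
[xml]$parsed = $layout
$restriction = $parsed.LayoutModificationTemplate.DefaultLayoutOverride.LayoutCustomizationRestrictionType
if ($restriction -ne 'OnlySpecifiedGroups') { throw "Unexpected restriction type: $restriction" }
Set-Content -Path $LayoutPath -Value $layout -Encoding UTF8

# Apply to the default user profile of the running OS; new users receive it at first logon.
# For an offline image, point -MountPath at the mounted WIM instead.
Import-StartLayout -LayoutPath $LayoutPath -MountPath 'C:\'
```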
Summary
Summary
• Manage Windows 10 Start and taskbar layout