SCUG.dk Windows 10 Management - September 2015
Uploaded by: ronni-pedersen
Category: Technology

Transcript of SCUG.dk Windows 10 Management - September 2015
TWO NEW SHERIFFS IN TOWN
MANAGEMENT OPTIONS
Identity: Active Directory
  Grouping: Domain join | Workgroup
  Management: Group Policy, ConfigMgr, MDM, Exchange ActiveSync, PowerShell | WMI
Identity: Azure Active Directory
  Grouping: Azure AD join
  Management: New GPOs | AGPM scripting, MDM policies via WMI bridge, New configuration | Initial provisioning
WINDOWS 10 MANAGEMENT
• GROUP POLICIES WILL STILL WORK BUT...
• MDM POLICIES WILL HAVE A LOT OF THE SAME CAPABILITIES
• FEATURES LIKE ENTERPRISE DATA PROTECTION AND DEVICE HEALTH ATTESTATION WILL REQUIRE ONE OF THE TWO SHERIFFS.
WINDOWS MANAGEMENT FEATURES
Windows Client: Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), Windows Update, Group Policy Client
Windows Server: Active Directory, Group Policy, Windows Server Update Services (WSUS)
Products: System Center Configuration Manager, Microsoft Desktop Optimization Pack (MDOP)
Cloud Services: Azure Active Directory, Azure RMS, Microsoft Intune, Windows Store, Windows Update
Mobile Device Management (MDM), PowerShell, AppLocker
INTUNE MANAGEMENT
• "THIS IS YOUR LAST CHANCE. AFTER THIS, THERE IS NO TURNING BACK. YOU TAKE THE BLUE PILL - THE STORY ENDS, YOU WAKE UP IN YOUR BED AND BELIEVE WHATEVER YOU WANT TO BELIEVE. YOU TAKE THE RED PILL - YOU STAY IN WONDERLAND AND I SHOW YOU HOW DEEP THE RABBIT-HOLE GOES." ("THE MATRIX")
• BLUE PILL = INTUNE MANAGEMENT WITH THE INTUNE AGENT
• RED PILL = WINDOWS 10 MANAGEMENT WITH THE MDM AGENT
BLUE PILL – INTUNE MANAGEMENT
• SAME FEATURES AS BEFORE IN INTUNE EXCEPT...
• WINDOWS DEFENDER MANAGEMENT REPLACES THE ENDPOINT PROTECTION CLIENT.
RED PILL – THE FUTURE OF MANAGEMENT
• MANAGEMENT WITH THE BUILT-IN MDM AGENT
• BRING-YOUR-OWN-DEVICE
• MANY MORE FEATURES IN WINDOWS 10
• MAC OS X SUPPORT COMING
• INTEGRATION WITH AZURE AD JOIN
• CUSTOM POLICIES
• COMING FEATURES: ENTERPRISE DATA PROTECTION, DEVICE HEALTH ATTESTATION
MOBILE DEVICE MANAGEMENT
Significant investments in added functionality for both mobile and desktop devices
[Figure: management scope per device type (Phone, Desktop) on Windows 8.1 versus Windows 10, from "BYOD: simple security settings" through "Device Lockdown" to "Fully managed corporate device"]
MDM IN WINDOWS 10
One consistent set of MDM capabilities across Mobile, Desktop, and Embedded products
ENROLLMENT
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD integration
DEVICE CONFIGURATION AND SECURITY
• Greatly extended set of policies (parity with Windows Phone 8.1)
• Context based policies
• Client certificates – direct install (PFX)
• Enterprise Wi-Fi
• VPN management
• Email provisioning
• MDM push when user not logged in
• Device update control
• Kiosk mode, Start screen / Start menu configuration and control
APPLICATION MANAGEMENT
• Curated Windows Store
• Business Store Portal app deployment; license reclaim/re-use
• Enterprise app management
• Simplified LOB app management
• Win32 app management
• App inventory (MDM/store apps)
• App allow/deny lists through AppLocker
• Enterprise data protection
REMOTE ASSISTANCE
• Full device wipe
• Remote lock, PIN reset, ring, find
INVENTORY
• Enhanced inventory for compliance decisions
• Additional device inventory
UNENROLLMENT
• Un-enrollment in two phases & alerts
• Removal of enterprise configuration (apps, certs, profiles, policies) and enterprise encrypted data (with EDP)
WINDOWS 10 CUSTOM POLICY
• OPEN MOBILE ALLIANCE DEVICE MANAGEMENT (OMA DM)
• OPEN MOBILE ALLIANCE UNIFORM RESOURCE IDENTIFIER (OMA URI)
• WINDOWS 10 MOBILE AND DESKTOP
• INTUNE AND CONFIGURATION MANAGER
• https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx
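As an added example (not from the deck, and not Microsoft's own sample), here is how the OMA-URI policy tree the custom policies target can be exercised locally through the MDM WMI bridge provider named on the management-options slide (namespace root\cimv2\mdm\dmmap). It assumes the Camera policy node (./Vendor/MSFT/Policy/Config/Camera/AllowCamera, WMI class MDM_Policy_Config01_Camera02) exists on the build and is used only as a harmless test setting, and that the script runs as LOCAL SYSTEM, which the bridge requires; the function names are the example's own.

```powershell
# Added example: set an MDM policy locally through the WMI bridge provider, the same
# OMA-URI policy tree (./Vendor/MSFT/Policy/Config/...) that Intune and ConfigMgr target.
# Assumptions: Windows 10 with the bridge in root\cimv2\mdm\dmmap, the Camera policy
# node present on the build (class MDM_Policy_Config01_Camera02, setting AllowCamera),
# and the script run as LOCAL SYSTEM (for example via psexec -s), which the bridge requires.

$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_Policy_Config01_Camera02'
$ParentId   = './Vendor/MSFT/Policy/Config'
$InstanceId = 'Camera'

function Test-RunningAsSystem {
    # The bridge rejects callers that are not LOCAL SYSTEM (SID S-1-5-18).
    ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value -eq 'S-1-5-18'
}

function Get-CameraPolicy {
    # Returns the policy instance, or nothing if the node has never been written.
    Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $InstanceId }
}

function Set-CameraPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$AllowCamera)
    if (-not (Test-RunningAsSystem)) {
        throw 'Run as LOCAL SYSTEM (e.g. psexec -s powershell.exe); the MDM bridge refuses other callers.'
    }
    $existing = Get-CameraPolicy
    if ($null -eq $existing) {
        # First write: create the node beneath the Policy/Config parent.
        New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
            ParentID    = $ParentId
            InstanceID  = $InstanceId
            AllowCamera = $AllowCamera
        } | Out-Null
    } else {
        # Later writes: update the existing node in place.
        $existing.AllowCamera = $AllowCamera
        Set-CimInstance -CimInstance $existing
    }
    # Read back the effective value so callers can verify the policy applied.
    (Get-CameraPolicy).AllowCamera
}

Set-CameraPolicy -AllowCamera 0   # 0 = camera not allowed
```

Reading the value back after the write is the useful part: it confirms the bridge accepted the node, which is the same check you would make when an Intune or ConfigMgr custom policy appears not to apply.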
WINDOWS 10 & INTUNE
WINDOWS 10 IDENTITY CHOICES
Active Directory:
• Computer joins AD to establish trust
• User signs on using AD account
• Group Policy + System Center
Azure Active Directory:
• Computer joins Azure AD to establish trust
• User signs on using Azure AD account
• Intune/MDM
• Settings roaming
• Single sign-on to enterprise + cloud-based services
AZURE AD JOIN
• SINGLE SIGN-ON TO APPS PROTECTED BY AZURE AD (OFFICE 365)
• SYNCED BACK ON-PREM FOR USE IN ADFS
• CONDITIONAL ACCESS FOR OFFICE 365
• CONDITIONAL ACCESS FOR ON-PREMISES (ADFS)
REQUIREMENTS AZURE AD JOIN/INTUNE
• EMS / AZURE AD PREMIUM / INTUNE SUBSCRIPTION
• AZURE AD CONNECT TO SYNCHRONIZE YOUR IDENTITIES
• REGISTER YOUR DOMAIN NAME
• ADFS OR PASSWORD SYNC
DNS:
• enterpriseenrollment.yourdomain.com
• enterpriseregistration.yourdomain.com
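An added check (not from the deck) for the two DNS names listed above: it resolves the CNAME for each name under a given domain with Resolve-DnsName and compares it with the targets Microsoft documented for Intune auto-enrollment and Azure AD device registration at the time (enterpriseenrollment.manage.microsoft.com and enterpriseregistration.windows.net, an assumption to confirm against your tenant's current guidance). The function name and the yourdomain.com placeholder are the example's own.

```powershell
# Added example: verify the enrollment/registration CNAMEs for a domain.
# Assumption: the expected targets below are the ones documented for Intune and
# Azure AD at the time of this deck; confirm them for your tenant before relying on them.

function Test-EnrollmentDns {
    param([Parameter(Mandatory)][string]$Domain)

    $expected = [ordered]@{
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
    }

    foreach ($name in $expected.Keys) {
        # Only the CNAME answer matters; ignore any A records the resolver chases.
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $actual = if ($cname) { $cname.NameHost } else { '<no CNAME>' }

        [pscustomobject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

# Placeholder domain; replace with the verified domain registered in Azure AD.
Test-EnrollmentDns -Domain 'yourdomain.com' | Format-Table -AutoSize
```

A row with Ok = False is the usual reason automatic MDM enrollment silently fails after an Azure AD join, so this is worth running from a client on the corporate network as well as from outside it, since split DNS can give different answers.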
PERSONAL VS CORPORATE DEVICES
PERSONAL DEVICE
• INTUNE ENROLLMENT FORCES A WORKPLACE JOIN IN AZURE AD
• ENROLLED DEVICE = PERSONAL DEVICE
CORPORATE DEVICE
• AZURE AD JOIN, OPTIONAL INTUNE ENROLLMENT.
• ENROLLED DEVICE = CORPORATE DEVICE
• GLOBAL ADMINISTRATORS ARE MADE LOCAL ADMINISTRATORS
• ADD ADDITIONAL LOCAL ADMINISTRATORS
AZURE AD JOIN
PROVISIONING PACKAGES
• QUICKLY CONFIGURE A NEW DEVICE WITHOUT GOING THROUGH THE PROCESS OF INSTALLING A NEW IMAGE.
• SAVE TIME BY CONFIGURING MULTIPLE DEVICES USING ONE PROVISIONING PACKAGE.
• QUICKLY CONFIGURE EMPLOYEE-OWNED DEVICES IN AN ORGANIZATION WITHOUT A MOBILE DEVICE MANAGEMENT (MDM) INFRASTRUCTURE.
• SET UP A DEVICE WITHOUT THE DEVICE HAVING NETWORK CONNECTIVITY.
PROVISIONING PACKAGES
• APPLICATIONS: WINDOWS APPS, LINE-OF-BUSINESS APPLICATIONS
• BULK ENROLLMENT INTO MDM: AUTOMATIC ENROLLMENT INTO MICROSOFT INTUNE OR A THIRD-PARTY MDM SERVICE
• CERTIFICATES: ROOT CERTIFICATION AUTHORITY (CA), CLIENT CERTIFICATES
• CONNECTIVITY PROFILES: WI-FI, PROXY SETTINGS, EMAIL
• MUCH MORE…
PROVISIONING PACKAGE
POP QUIZ - WHICH FEATURE IS THIS OLD NUGGET?
• LOCAL ADMIN PASSWORD SOLUTION (LAPS)
• ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)
• DRIVER ERRORS
• APPLICATION ERRORS
• UNTRUSTED FONT BLOCKING
EVENT FORWARDING!
COMMUNITY SOLUTIONS
• IF YOU DON'T USE ANY CLIENT MONITORING TOOL
• USE EVENT FORWARDING!
COMMUNITY SOLUTION
• POWERSHELL SCRIPT TO WRITE FORWARDED EVENT LOGS TO A SQL DATABASE
https://blog.netnerds.net/2013/03/importing-windows-forwarded-events-into-sql-server-using-powershell/
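As an added example (not from the deck and not the linked netnerds script), here is the kind of triage you can run on a collector once event forwarding is in place: it reads the ForwardedEvents log, summarises by source computer and event ID, and flags sources that cross a threshold. The event ID list is a constructed sample of IDs a defender typically forwards (4625 failed logon, 1102 audit log cleared, 4688 process creation, 7045 new service); the CSV export stands in for the SQL import the slide links to. Function names are the example's own.

```powershell
# Added example: triage events that Windows Event Forwarding has delivered to the
# collector's ForwardedEvents log, summarising them per source computer and event ID.
# Assumptions: run on the collector; the event ID list is a constructed sample
# (failed logon 4625, audit log cleared 1102, process creation 4688, new service 7045).

function Get-ForwardedEventSummary {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(4625, 1102, 4688, 7045)
    )
    $filter = @{ LogName = 'ForwardedEvents'; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($EventId) { $filter['Id'] = $EventId }

    # ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property MachineName, Id |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Computer = $first.MachineName
                EventId  = $first.Id
                Provider = $first.ProviderName
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
            }
        } |
        Sort-Object -Property Count -Descending
}

function Get-NoisySources {
    # Flag computers that exceed a threshold for one event ID, and any cleared audit log
    # regardless of count; a simple starting point for alerting.
    param([int]$Threshold = 50)
    Get-ForwardedEventSummary | Where-Object { $_.Count -ge $Threshold -or $_.EventId -eq 1102 }
}

$summary = Get-ForwardedEventSummary
# Stand-in for the SQL import linked above: a CSV that any sink can ingest.
$summary | Export-Csv -Path (Join-Path $env:TEMP 'forwarded-events-summary.csv') -NoTypeInformation
Get-NoisySources | Format-Table -AutoSize
```

Grouping on MachineName rather than the collector's own computer name is the point of the example: forwarded events keep the source computer in the record, so a per-source count is what makes a single cleared audit log or a burst of failed logons stand out.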
EDGE FAVORITES LOCATION
• %USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default
TO COPY FAVORITES, THE FOLLOWING REGISTRY KEY MUST BE DELETED AS WELL, OTHERWISE THE COPIED FAVORITES WILL NOT SHOW UP:
"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder"
EDGE
• YOU CANNOT IMPORT FAVORITES FROM IE IF FOLDER REDIRECTION IS USED.
• FAVORITES CAN ONLY BE IMPORTED FROM %USERPROFILE%\Favorites
• USE POWERSHELL: https://gallery.technet.microsoft.com/powerhsell-script-to-copy-1e300de5
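An added example (not from the deck and not the TechNet gallery script it links) of the copy procedure described on the two Edge slides: it copies .url shortcuts from the user's Favorites folder (resolved through [Environment]::GetFolderPath, so a redirected folder is picked up) into the Edge package store, then deletes the FavOrder key so the copied favorites appear. It assumes the build keeps favorites as .url files in a Favorites subfolder of the ...\User\Default path from the slide, and it runs as the user whose favorites are being copied; the function name is the example's own.

```powershell
# Added example: copy favorites into Edge's package store and clear the FavOrder key.
# Assumptions: Windows 10 build where Edge keeps favorites as .url files under
# ...\AC\MicrosoftEdge\User\Default\Favorites (the deck names the parent folder),
# and the registry key from the slide. Run as the user whose favorites are copied.

function Copy-EdgeFavorites {
    param(
        # Defaults to the user's Favorites folder, which follows folder redirection.
        [string]$SourcePath = [Environment]::GetFolderPath('Favorites')
    )
    $edgeStore = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default'
    $dest      = Join-Path $edgeStore 'Favorites'
    $favOrder  = 'Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder'

    if (-not (Test-Path -LiteralPath $SourcePath)) { throw "Source folder '$SourcePath' not found." }
    if (-not (Test-Path -LiteralPath $edgeStore))  { throw 'Edge package store not found; Edge must have been started once for this user.' }
    if (Get-Process -Name MicrosoftEdge -ErrorAction SilentlyContinue) {
        throw 'Close Microsoft Edge before copying favorites.'
    }
    $SourcePath = (Resolve-Path -LiteralPath $SourcePath).Path.TrimEnd('\')

    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # Copy only shortcut files, preserving the folder structure beneath the source.
    Get-ChildItem -LiteralPath $SourcePath -Recurse -Filter '*.url' | ForEach-Object {
        $relative = $_.FullName.Substring($SourcePath.Length).TrimStart('\')
        $target   = Join-Path $dest $relative
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
    }

    # Without this Edge keeps its cached ordering and the new favorites never show up.
    if (Test-Path -LiteralPath $favOrder) { Remove-Item -LiteralPath $favOrder -Recurse -Force }

    # Return the number of favorites now present in the store.
    (Get-ChildItem -LiteralPath $dest -Recurse -Filter '*.url' | Measure-Object).Count
}

Copy-EdgeFavorites
```

Deleting the FavOrder key is the step people forget; the function does it only after the copy succeeded, so a failed copy leaves the existing Edge favorites untouched.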
UNINSTALL BUILT-IN APPS
• FOR THE CURRENT USER, USE: Remove-AppxPackage
• TO REMOVE THEM FOR ALL NEW USERS CREATING THEIR PROFILE: Remove-AppxProvisionedPackage
http://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/
BLOCK BUILT-IN APPS USING APPLOCKER
• EDGE, WINDOWS FEEDBACK AND CONTACT SUPPORT CANNOT BE UNINSTALLED.
• IF BLOCKED WITH APPLOCKER AND THE POLICY IS APPLIED TO THE COMPUTER BEFORE THE USER LOGS IN FOR THE FIRST TIME, THE APPLICATION IS NOT INSTALLED FOR THE USER AT ALL.
http://ccmexec.com/2015/08/blocking-built-in-apps-in-windows-10-using-applocker/
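As an added example covering both the uninstall slide and the AppLocker slide (it is not from the deck and not the ccmexec.com scripts linked above), here is the two-part approach in one script: remove a list of built-in apps with Remove-AppxPackage for the current user and Remove-AppxProvisionedPackage for future profiles, then build an AppLocker publisher deny policy for the apps the deck says cannot be uninstalled. The package-name prefixes are constructed for illustration, the script assumes an elevated PowerShell session on Windows 10, and the function names are the example's own; New-AppLockerPolicy only emits Allow rules, so the example flips the generated rules to Deny in the XML before saving.

```powershell
# Added example: remove built-in apps for the current user and from the provisioned
# image, and build an AppLocker deny policy for the apps that cannot be uninstalled.
# Assumptions: elevated PowerShell on Windows 10; the package name prefixes below are
# constructed for illustration, adjust them to your own baseline.

$AppsToRemove = @('Microsoft.BingFinance', 'Microsoft.BingSports', 'Microsoft.ZuneMusic')
$AppsToBlock  = @('Microsoft.MicrosoftEdge', 'Microsoft.WindowsFeedback', 'Windows.ContactSupport')

function Remove-BuiltInApps {
    param([Parameter(Mandatory)][string[]]$NamePrefixes)
    foreach ($prefix in $NamePrefixes) {
        # Remove the copy installed for the current user.
        Get-AppxPackage -Name "$prefix*" | Remove-AppxPackage -ErrorAction SilentlyContinue
        # Remove the provisioned copy so new profiles never receive it (needs elevation).
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like "$prefix*" } |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }
    # Report what is still installed for the current user matching the prefixes (should be empty).
    foreach ($prefix in $NamePrefixes) {
        Get-AppxPackage -Name "$prefix*" | Select-Object -ExpandProperty Name
    }
}

function New-PackagedAppDenyPolicy {
    param(
        [Parameter(Mandatory)][string[]]$NamePrefixes,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Publisher rules are derived from the installed packages' signatures, so the
    # packages must be present for the user running this.
    $packages = foreach ($prefix in $NamePrefixes) { Get-AppxPackage -Name "$prefix*" }
    if (-not $packages) { throw 'None of the packages are installed for this user.' }

    # New-AppLockerPolicy generates Allow rules; flip each one to Deny for a block list.
    [xml]$policy = $packages | Get-AppLockerFileInformation |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
    foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
        $rule.SetAttribute('Action', 'Deny')
        $rule.SetAttribute('Name', 'Deny ' + $rule.GetAttribute('Name'))
    }
    $policy.Save($OutFile)
    return $OutFile
}

Remove-BuiltInApps -NamePrefixes $AppsToRemove
$xmlPath = New-PackagedAppDenyPolicy -NamePrefixes $AppsToBlock -OutFile (Join-Path $env:TEMP 'deny-builtin-apps.xml')

# Merge into the local policy (or import the XML into the GPO that targets the computers).
# Deny rules are only meaningful alongside an Allow rule for packaged apps; if the policy
# has no Allow rules for the Appx collection, every packaged app is blocked once enforced.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Keep the Application Identity service running on the targets and test the merged policy in audit mode first; the deny rules in the XML only have the intended effect once they sit beside a default allow rule for signed packaged apps.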
QUESTIONS?
THANK YOU!