Adnan Hendricks
• SAFFA living in Netherlands, work globally
• Microsoft Trainer +25y (xRL MSLearning)
• Microsoft MVP + 5 Years
• Cloud Solution Architect & Readiness Trainer
• Former MS Consultant in MS MCS.
• Courseware technical writer, Speaker, Events Org
@Microspecialist
Cloud Solutions Architect
Beat the Windows 10 Deployment Clock
January 14, 2020
End of Support for Windows 7
Less than 500 days away
Are you ready?
Modern Workplace - Work from anywhere
- Choose the device you want or bring your own
- Quick, friendly out-of-box experience
- Self-service
- Integrated and cloud-based security
- Simpler application delivery through Store/SaaS
- Data intelligence for better business insights
- Minimize on-prem infrastructure costs
- Unified identity, device and app management
- Self-service deployment without imaging
On-premises (AD & ConfigMgr) and Cloud Modern Management (Intune & Azure Active Directory): device compliance, patching, software distribution
Prerequisites by component:
- Azure AD: set up Hybrid Azure AD; license users for Azure AD; enable Windows 10 auto-enrollment
- ConfigMgr: ConfigMgr 1710+; onboard to AAD; ** set up Internet-facing client
- Intune: if hybrid, migrate users off first; standalone only; license users for Intune
- Windows client: Windows 10 1709+
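The prerequisites above (Windows 10 1709+, ConfigMgr client 1710+, hybrid Azure AD join, auto-enrollment enabled) can be checked on a candidate device before it is moved into co-management. The script below is an added example, not part of the deck or of any Microsoft tooling; it reads local state only. The ConfigMgr build threshold 8577 (client version 5.00.8577 for release 1710), the `AutoEnrollMDM` policy value and the `UPN`/`EnrollmentType` enrollment properties are assumptions made for this check, noted in the comments.

```powershell
# Added example (not from the deck): local readiness checks for the co-management
# prerequisites listed above. Run elevated on a candidate Windows 10 device.

$results = [ordered]@{}

# 1. OS release: ReleaseId is the "1709"-style value shown by winver.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$releaseId = [int]$cv.ReleaseId
$results['Windows10_1709_or_later'] = ($releaseId -ge 1709)

# 2. ConfigMgr client version from the root\ccm SMS_Client class.
#    Assumption: release 1710 corresponds to client build 5.00.8577.
$client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
if ($client) {
    $ver = [version]$client.ClientVersion
    $results['ConfigMgr_1710_or_later'] = ($ver.Major -gt 5 -or ($ver.Major -eq 5 -and $ver.Build -ge 8577))
} else {
    $results['ConfigMgr_1710_or_later'] = $false   # no client installed
}

# 3. Join state: dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : YES".
$dsreg = dsregcmd /status
function Get-DsregValue([string[]]$Lines, [string]$Key) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Key\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}
$aadJoined = (Get-DsregValue $dsreg 'AzureAdJoined') -eq 'YES'
$adJoined  = (Get-DsregValue $dsreg 'DomainJoined') -eq 'YES'
$results['HybridAzureADJoined'] = ($aadJoined -and $adJoined)

# 4. Auto-enrollment policy written by the GPO
#    "Enable automatic MDM enrollment using default Azure AD credentials".
#    Assumption: the policy sets AutoEnrollMDM = 1 under this key.
$mdmPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
$results['MDM_AutoEnroll_Policy'] = [bool]($mdmPol -and $mdmPol.AutoEnrollMDM -eq 1)

# 5. Is there an MDM enrollment already? Assumption: a real enrollment key carries
#    a UPN and an EnrollmentType value.
$enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.UPN -and $_.EnrollmentType }
$results['MDM_Enrolled'] = [bool]$enrolled

# Print one line per check so the output can be pasted into a readiness tracker.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it as part of the pilot ring: a device that reports MISSING on the join or policy check will not auto-enroll into Intune when co-management is switched on, so fixing those first avoids a wave of "enrolled: no" tickets.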
'How to shift' to the modern desktop: core steps and processes for large-scale deployment of Windows 10 and Office 365 ProPlus
Why move?
- End-to-end improvements for security and information protection
- Teamwork and productivity enhancements connected with Office 365
- And if you're still on Windows 7 or Office 2010, support ends starting January 2020
What’s different compared to the last big desktop deployment?
Directory services are moving to the cloud as the fabric for connecting to cloud-based services across apps and services
In-place upgrades are viable and recommended for applying new versions of Windows
UEFI replaces the traditional BIOS and is needed along with 64-bit for many of the modern security and protection capabilities in Windows
Microsoft Intune can manage Windows 10 policies, your connected apps and be configured for co-management with ConfigMgr
Office 365 ProPlus is the preferred option of Office desktop apps and uses a new package type called Click-to-Run
Office 365 ProPlus and Windows 10 now use semi-annual feature updates and cumulative monthly updates
Device and App Readiness
• Inventory devices and apps under management
• Prioritize devices and apps based on counts and importance
• Windows Analytics Upgrade Readiness helps assess apps and devices against known compatibility status
• Work through hardware and app inventory and use info to target devices ready for deployment
• Continue triaging and expanding target devices until deployment is complete
• Implement required fixes for browser-based apps
Windows Analytics
Directory and Network Readiness
• Azure Active Directory deployed for targeted users
• Network bandwidth requirements calculated for OS, apps, drivers, language packs and user state
• Delivery Optimization, P2P caching, LEDBAT and compression controls configured to control bandwidth
• Plan Office-related networking considerations: OneDrive Known Folder Move, Outlook Data Files, etc.
• Deployment rings and group phases planned based on readiness and network capacity
Office & LOB App Delivery
• Ensure required apps are available for managed software distribution
• Prepare new apps to replace or supersede apps that won’t be brought forward
• Prepare for Office 365 ProPlus (Click-to-Run) app delivery, customization and user-based, subscription activation
User Files & Settings
• Target scenarios where user state migration is required: PC replacement or wipe and load
• Plan for methods to be used: OneDrive Known Folders, User State Migration Tool or custom solution
• Prepare required storage infrastructure
Security & Compliance
• Assess current client-side and server or cloud-based security solutions in place
• Test impacts of 3rd party disk encryption and anti-malware, then plan your deployment and AV software accordingly
• Plan for new security and compliance capabilities in Windows 10 and Office 365 ProPlus
• Assess security considerations of deployment process, access to deployment shares and how user state is migrated
• Configure endpoint settings and policies: Group Policy, MDM, Data Loss Prevention
• Configure security and compliance services for cloud-based components and EDR
OS Deployment & Feature Updates
• Assess hardware replacement cycle
• Prepare hardware and application testing for each new feature update, verify hardware vendor support for each feature update
• Plan for in-place upgrades for Windows 10 releases, refresh, replace and bare metal deployments for Windows 7 to Windows 10
• Establish deployment plan with validation feedback loop
• Establish process for rollback, remote users or no infrastructure deployment scenarios (offline media)
• Carry out deployment plan and establish repeatable process for new users and ongoing PC replacements
Windows- & Office-as-a-Service
• Prepare for semi-annual feature updates to Office and Windows
• Establish Insider team and process to evaluate new Windows and monthly Office updates
• Prepare for updates to software distribution and update management tools as needed
• Operationalize semi-annual deployment processes
Microsoft Intune (learn more at microsoft.com/intune)
Simplify Windows 10 management and lower TCO with EMS
- Self-service deployment: make any new PC enterprise-ready via a simple self-service experience. Automatically configure devices when your users log in with their company credentials.
- Use cloud intelligence to upgrade Windows 10 and Office 365 ProPlus with confidence.
- Simplified management & security: embrace cloud-based management and transition at your pace while staying in control.
- Always up to date: deliver the latest features and security. Control what updates are deployed, to whom and when.
- Proactive insights: get ongoing proactive insights to diagnose and fix issues before they happen.
- Cloud updates mean you don't need to have on-premises update servers.
Microsoft 365: EMS, Windows 10, Office 365 ProPlus management
Enterprise Mobility + Security (learn more at microsoft.com/ems): agentless; unified identity, device and O365 ProPlus management; integrated data protection
Co-Management Architecture With ConfigMgr and Intune
- Management planes: ConfigMgr console (ConfigMgr site servers) and Azure portal (Intune)
- Existing ConfigMgr managed devices: Windows 7/8.x (ConfigMgr agent, AD domain-joined) and Windows 10 (ConfigMgr agent plus Intune MDM; AD domain-joined and AAD joined)
- New devices: provisioned with AutoPilot into Intune MDM (AD domain-joined and AAD joined), with the ConfigMgr agent added under co-management
- Mobile devices: Intune
AD/AAD
connect
Adopt Windows 10
Adopt Office 365/ProPlus
Imaging to Signature Image
1/2020
GPO to MDM Policy
Kerberos to Modern Auth
Win32 to Modern Apps
ConfigMgr Content Delivery to Cloud Content Delivery
Today
WSUS to WUfB
Adopt & Connect Transition to Modern
Modernizing with a co-management bridge
- Users see settings and data across devices (Enterprise Roaming of Settings)
- IT can control access via Azure AD device-based conditional access.
- Users sign in conveniently and securely with Windows Hello for Business.
- Eliminate PC dependency on domain controllers
- Better battery life and performance of the device
- Extend your on-premises directory with Azure AD.
- Azure AD Join your AD domain-joined devices
- AD + Azure AD Join new devices through Auto Pilot
- Transition GPO to MDM
- Pilot Azure AD Join to identify AD auth dependencies
- Gradually move traditional management tools that rely on computer identity to their cloud equivalents or AAD enlightened versions (e.g. ConfigMgr with CMG, WSUS to WUfB)
- AAD Join new devices (AD Joined machines remain AD joined until retired)
Traditional imaging gathers Settings, Policies, Office & Apps and Drivers into a custom image:
1. Build & maintain custom image, gathering everything else that's necessary to deploy
2. Wipe original OEM Windows image and replace with custom image
Cost: time and money.
Modern flow: the OEM/Reseller ships off-the-shelf, shrink-wrapped devices direct to the employee; the employee unboxes the device and self-deploys (employee-driven self-deployment).
• Custom imaging – expensive, limits HW choice, impairs talent acquisition
• Windows EULA – employees not permitted to accept on org-owned devices
• Non-trivial decision making (Personal vs Org Owned disambiguation, Privacy Settings, OEM Registration) generates Helpdesk calls
• OOB account is always Admin – majority of enterprises want standard accounts on corp-owned devices
[OOBE screenshots: user Anna signs in; "Is this the right keyboard layout?" (US, United States-Dvorak, United States-International, Albanian QWERTZ); "Let's connect you to a network" (Contoso Corp, ContosoMNGuestWiFi, Contoso Corp 2, Connect automatically); guest Wi-Fi "Agree & Connect" page referencing the Terms of Service and Contoso Privacy Policy; "Welcome to ContosoMN! Enter your ContosoMN email", then "Enter your ContosoMN password"]
Windows AutoPilot flow:
- Hardware Vendor: uploads Device IDs to the Windows AutoPilot Service
- IT Admin: configures the AutoPilot profile against those Device IDs
- Ship: deliver direct to employee
- Self-deploy: employee unboxes device, self-deploys
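When the hardware vendor has not registered the devices, the "Upload Device IDs" step falls to the IT admin, who has to harvest each device's serial number and hardware hash and import them into the Autopilot service. The script below is an added example (not the deck's or Microsoft's own tooling) of that harvesting step: it reads the hardware hash through the MDM bridge WMI class and writes the three-column CSV layout the Intune Autopilot import accepts. The default output path and the decision to leave the Windows Product ID column empty are assumptions made for this example.

```powershell
# Added example (not from the deck): collect the Autopilot identifiers of the device
# this script runs on and append them to a CSV for a single bulk upload.
# Run elevated on Windows 10; the MDM bridge namespace is not readable otherwise.
param(
    [string]$OutputFile = "$env:USERPROFILE\Desktop\autopilot-devices.csv"  # assumed default
)

# Serial number as reported by the SMBIOS tables.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Hardware hash: DeviceHardwareData on the Ext node of the DevDetail CSP, exposed
# through the root\cimv2\mdm\dmmap bridge. The provider returns it base64-encoded.
$devDetail = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if (-not $hash) {
    throw "No hardware hash returned; run this elevated on Windows 10 1703 or later."
}

# Column names match the Autopilot CSV import. Windows Product ID is optional and
# left empty here (assumption for this example).
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

# Append so several devices can be collected into one file; write the header only
# when the file is new.
$writeHeader = -not (Test-Path $OutputFile)
$row | ConvertTo-Csv -NoTypeInformation |
    Select-Object -Skip ([int](-not $writeHeader)) |
    Add-Content -Path $OutputFile -Encoding ASCII

# Report without echoing the full hash.
'{0}: hardware hash ({1} chars) written to {2}' -f $serial, $hash.Length, $OutputFile
```

Treat the resulting CSV as sensitive: the hardware hash is what binds a device to your tenant's Autopilot profile, so keep the file on a protected share and delete it once the import has been accepted in the Intune portal.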
[Enrollment screen: "Please wait while we setup your device…"]
The other part is, if you have your device get set up with local Active Directory domain joined, how do I get the SCCM client installed on the machine? You can use Intune to basically upload your ConfigMgr MSI into Intune. Intune can install that ConfigMgr on to the machine as a part of your Autopilot experience once your device ends up being managed by Intune.
[Windows sign-in screenshot: "Sign in to: CONTOSO", Contoso\AnnaAnders, "How do I sign in to another domain?", Sign-in options, Other User]
[Enrollment Status Page screenshot: "Setting up your device for work" with the note "Leave everything to us. (Don't turn off this device.)"; Security: applying security policies (1 of 1), encrypting hard drive to keep your data safe; Network: adding network connections (1 of 1), adding Contoso WiFi network; Applications: installing applications, Installing Contoso Electronics (installed application 0 of 18); then security setup complete, network setup complete, application installation complete]
A new way to build, deploy and service Windows
Quality Updates: a single cumulative update each month with no new features
• Security fixes, reliability fixes, bug fixes, etc.
• Supersedes the previous month's update
Feature Updates: twice per year with new capabilities
• New features and innovation, APIs and security capabilities
• Very reliable, with built-in rollback capabilities
• Simple deployment using in-place upgrade, driven by existing tools
• Try them out with Insider Preview
[Timeline figure: traditional deployment (every 3-5 years, 2001-2015) versus Windows as a service (twice per year, 2009-2028), each cycle passing through Apps, Infra, Imaging, Deploy]
1. Configure Insider PCs
• Lab or secondary PCs
• Enough to explore new features, measure compatibility
2. Identify special PCs
• Deploy Windows 10 Enterprise LTSB
• Limited numbers (we hope)
3. Recruit volunteers for pilots
• Willing participants who will provide feedback
• Cover the broadest set of apps and devices possible
4. Divide broad population of PCs
• Standard deployment best practice
• Focus on risk reduction, minimizing disruption
MDM Security Baselines
Check out the 1703 MDM security baselines here: https://aka.ms/mdm1703baselines
Azure AD conditional access: policy conditions, policy controls, applications
Policy conditions
- User: user identity, group membership, session risk
- Device: OS platform, is compliant / domain joined, is lost or stolen, device risk
- App: mobile or cloud app, per-app policy
- Location: IP range, country / region
Policy controls
- Access control: allow sign-in, block sign-in, enforce MFA
- Session restrictions: restrict download, block various actions, monitor users / prevent data leak
Applications: Microsoft Cloud, 3rd party SaaS apps, on-premises apps, Microsoft Azure
Signal and enforcement services: Windows Defender, Azure AD Identity Protection Service, Microsoft Cloud App Security, ODSP limited access
On-premises
- Traditional OS deployment
- Win32 app management
- Configuration and GPO
- BitLocker management
- Hardware and software inventory
- Update management
Cloud attached / cloud managed
- Unified Endpoint Management – Windows, iOS, macOS, Android
- Modern access control – Compliance, Conditional Access
- Modern provisioning – Autopilot, DEP, Zero Touch, KME
- Modern security – Hello, Attestation, ATP, Secure Score
- Modern policy – Security Baselines, Guided Deployments
- Modern app management – O365 ProPlus, Stores, SaaS, VPP
- Full M365 integration – Analytics, Graph, Console, RBAC, Audit