PowerPoint presentation: video.ch9.ms/sessions/ignite/2015/decks/brk2320_minasi.pptx
TRANSCRIPT
Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget
Mark Minasi, Writer, Speaker, [email protected]
@mminasi
Join my newsletter at www.minasi.com
Hello and Welcome!
Windows 10, Azure, AD and the like offer us a lot of options, so sometimes it's a little hard to keep them straight
In this session, I'll outline many of the combinations with an eye to:
  What it does
  What it costs
  What are the ingredients
This is all "200" level
And I'll demo what I can
Topics
Identity Solutions
Windows Store App Control
Controlling Apps
Keeping corp data on personal devices safe
Whatever else I have time for
First, Though, Remember Option One
"Don't Do Anything"
Again, Microsoft supports Windows 7 until 2020, Windows 8 until 2023
There is no rush unless you're running Windows 7 Professional, as the free upgrade to Windows 10 is only available for a year
And Remember Option Two
"Just keep doing what you're doing"
If your Win 10 devices are running full Windows Pro or Enterprise, then group policies, VBScripts, PowerShell scripts, Orchestrator runbooks, workflows etc. all work as well as they ever did
Identity in Windows 10
You've always had a lot of choices in where to store your identity and your machine's. Win 10 adds one to the mix
Option One: Local Accounts
Enabling tech: Microsoft Accounts (MSAs) -- Hotmail, Live, outlook.com accounts
What it does:
  Gives you an identity recognized by your computer and many Web locations
  Lets you sync some settings between devices
  Machine is registered with Microsoft for sync and auth purposes
  Lets Store apps roam with your account
  Minimal MDM… password minimums; scripts can sometimes fill in
  Works on a wide variety of devices
Cost: zero
Fine for homes or very, very small orgs
Option Two: AD-Joined
Ingredients: DCs, network, "full" Windows
What it does:
  Rich device, app, and security management via group policies
  App roaming via group policies or Config Manager
  Desktop roaming via roaming profiles and folder redirection
  Wide software library
Cost: AD infrastructure, CALs
Of little or no value for phones, non-Microsoft tablet devices
Can only join one domain
Option 3: Azure AD, Cloud Join
Ingredients: AAD, probably O365, Win 10 devices
Steps: enable device join in Azure, create AAD accounts (either sync them or create new ones)
What it does:
  Enables Conditional Access for files
  MDM via third party, Intune
  Provides identity for Store apps
Cost: O365 or AAD charges per user
No on-prem required; can only join one AAD; can't be joined to an AD
Demo: Azure AD Device Registration and Cloud Join
Deploying Apps to Devices
Acquiring Modern/Store/Universal apps and getting them on Windows 10 devices
Option One: Use the Windows Store
Ingredients: an MSA (Microsoft Account), credit card
What it does:
  Lets you get any application in the Windows Store onto a compatible device
  Remembers your apps and roams them to devices
  You can put your LOB apps into the Store (but the world sees them)
  You can sideload LOB apps you don't want to put in the Store
  Deploy LOBs with Add-AppxPackage
Requires organizational users have credit cards
Limited org data governance
Demo: New Windows Store (kind of)
Option Two: Business Store Portal (BSP)
BusinessStore.Microsoft.com
Cost: Nothing -- all Web-based
Ingredients: Azure AD accounts or MSA
Log onto BSP with your MSA, get personal apps
Log onto the Business Store Portal with your AAD creds, see the org's apps
Admin can block categories like "Food and Dining"
Can create a category for the organization
Can acquire X copies of the app for the org
Option Two, Continued
Accepts payments besides credit cards -- PO or invoice
You can download the Appx package for the modern app
Once you have the package, you can deploy offline, or install with PowerShell Add-AppxPackage
Admin can control app licenses (portal is there)
No Intune needed, no Config Manager needed
LOBs have to go into the Store to be accessible
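The offline path the slide describes (download the Appx from the BSP, then install it with PowerShell), as an added example that is not part of the deck. It verifies the package signature before installing, checks that sideloading is permitted by policy, and shows both the per-user Add-AppxPackage route and provisioning with the BSP offline licence; all file paths and the app name are assumptions.

```powershell
# Added example: sideload an offline-licensed appx from the Business Store Portal.
# Paths and the package name 'ContosoExpenses' are assumptions, not values from the deck.
#Requires -RunAsAdministrator

$PackagePath  = 'C:\Deploy\ContosoExpenses.appxbundle'      # assumed BSP download
$LicensePath  = 'C:\Deploy\ContosoExpenses_License.xml'     # assumed offline licence from the BSP
$Dependencies = Get-ChildItem -Path 'C:\Deploy\Dependencies' -Filter '*.appx' -ErrorAction SilentlyContinue

# 1. Refuse anything that is not Authenticode-signed by a certificate the device trusts.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install ${PackagePath}: signature status is $($sig.Status)"
}
Write-Host "Package signer: $($sig.SignerCertificate.Subject)"

# 2. LOB sideloading must be allowed by policy. This is the registry value written by the
#    group policy 'Allow all trusted apps to install' (assumed location, documented by Microsoft).
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$sideload = (Get-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($sideload -ne 1) {
    Write-Warning 'Sideloading is not enabled by policy; a non-Store package will fail to install'
}

# 3a. Install for the current user only (the deck's "install with PowerShell Add-AppxPackage").
$addArgs = @{ Path = $PackagePath }
if ($Dependencies) { $addArgs.DependencyPath = $Dependencies.FullName }
Add-AppxPackage @addArgs

# 3b. Or provision it into the image so every new user on the device gets it, supplying the
#     BSP offline licence so the app activates without contacting the Store.
$provArgs = @{ Online = $true; PackagePath = $PackagePath; LicensePath = $LicensePath }
if ($Dependencies) { $provArgs.DependencyPackagePath = $Dependencies.FullName }
Add-AppxProvisionedPackage @provArgs

# 4. Confirm what landed and how it was signed (Store, Enterprise, Developer, ...).
Get-AppxPackage -Name 'ContosoExpenses*' | Select-Object Name, Version, SignatureKind
```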
More Details
Admin sets up the BSP with an admin-level AAD account with a browser
User logs in with an AD, AAD, or MSA account to the Store
Apps are automatically updated via the Store (actually the Store service)
Admin can explicitly assign an app to a user, so the user need do nothing, or have it appear in the Store
Option Three: Create an Enterprise Store
Ingredients: Intune or Config Manager, appx packages acquired from the BSP, AAD or MSA account
Cost: Intune licences or perhaps System Center licenses
Additions:
  Apps can be delivered with an MDM/MAM tool
  LOB apps need not be uploaded to the Store and can be sideloaded
  Store apps can be delivered even when systems are offline or if the Store has been disabled
Option Three Continued
You can deploy Desktop apps as well
You can do B2B distribution (and thus LOB and B2B apps can be kept private)
User logs onto the Company Store rather than the Store
If you use an MDM…
  Get the apps as before
  In the service, link to the apps' locations in the Store
  When the user logs in with an AD or AAD account, the MDM/MAM deploys the app
SCCM Details
BSP, get apps, download appx
Set the appxes out either as packages to be deployed, or put them in the Company Store
Other Details
You can control the automatic updates: schedule them rather than take the default, which applies updates as soon as possible
APIs expose the whole thing and support agent-based solutions like Config Manager
When you leave an organization and can no longer sign on with AD or AAD, you lose access to the org apps and their data stores
Of course, you always have your MSA apps
Controlling Apps in Windows 10
Reducing friction getting to apps we want people to run, and blocking the things we don't want them running
Azure RemoteApps
Server 2008 introduced Terminal Services RemoteApps
Basically it delivers an RDS session inside a window, looking like a local app
Never really caught on in the Windows world, but it's popular in the Citrix world
Azure, however, has RemoteApps
Azure RemoteApps
Build an Azure image with the app
Log onto the portal, go to RemoteApps
Deploy as icons or paths
Must survive a Sysprep
Deploy to users via Azure Portal; something easier is probably on the way
No Modern apps
Works on any Windows… but Win 10 speeds it up
DeviceGuard: Crush USB Malware
As we all know, most IT pros' favorite malware delivery tool is a USB stick
DeviceGuard in Windows 10 slows that down
You have a list of approved executables, or perhaps a rule to "only run signed code," or code signed by some party
Comes with a signing tool that lets you sign your in-house stuff in case you don't have a PKI in place
"Wait a Minute, Haven't I Heard This Before…"
There's a GP setting that said "you can only elevate signed apps," and there was AppLocker
But they're little-used and could be bypassed by a local admin
Win 10, however, uses a Virtual Secure Mode (VSM) wherein Hyper-V hosts a mini-Windows where the LSA runs in 1 GB of RAM
Provides a virtual TPM for VMs
May need 2016 Server's AD
Enabling It
Off by default
In Group Policies: Computer / Admin Templates / System / DeviceGuard, Turn On Virtualization Based Security
Will not work unless your system uses Secure Boot
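A readiness check for the prerequisites this slide and the previous one list (Secure Boot, a Hyper-V-capable CPU, the group-policy setting, and whether VSM is actually running), as an added example that is not part of the deck. It is read-only; the status codes it decodes are those documented for the Win32_DeviceGuard WMI class, and the registry path is the one the policy setting writes to.

```powershell
# Added example: report whether this Windows 10 machine can run Device Guard / VSM.
# Read-only. Requires elevation because Confirm-SecureBootUEFI does.
#Requires -RunAsAdministrator

function Test-DeviceGuardReadiness {
    $result = [ordered]@{}

    # Secure Boot: the slide's hard requirement. The cmdlet throws on BIOS/legacy firmware.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "unavailable (not UEFI): $($_.Exception.Message)" }

    # VSM runs the LSA inside a Hyper-V partition, so the CPU needs SLAT and VT-x/AMD-V enabled.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $result.SLAT                   = $cpu.SecondLevelAddressTranslationExtensions
    $result.VirtualizationInFirmware = $cpu.VirtualizationFirmwareEnabled

    # Value written by the policy 'Turn On Virtualization Based Security' (off by default).
    $dg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $result.VBSEnabledByPolicy = ($dg.EnableVirtualizationBasedSecurity -eq 1)

    # Live status from the OS. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not
    # running, 2 = running. SecurityServicesRunning lists 1 for Credential Guard (the isolated
    # LSA the slide describes) and 2 for hypervisor-enforced code integrity (HVCI).
    $status = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($status) {
        $result.VBSStatus              = @('Off', 'Enabled, not running', 'Running')[$status.VirtualizationBasedSecurityStatus]
        $result.CredentialGuardRunning = ($status.SecurityServicesRunning -contains 1)
        $result.HVCIRunning            = ($status.SecurityServicesRunning -contains 2)
        $result.AvailableSecurityProperties = ($status.AvailableSecurityProperties -join ',')
    } else {
        $result.VBSStatus = 'Win32_DeviceGuard class not present (pre-Windows 10 build?)'
    }
    [pscustomobject]$result
}

$r = Test-DeviceGuardReadiness
$r | Format-List
if ($r.SecureBoot -ne $true) {
    Write-Warning 'Secure Boot is off or unavailable: VBS will not start even with the policy set'
}
if ($r.VBSEnabledByPolicy -and $r.VBSStatus -ne 'Running') {
    Write-Warning 'Policy is set but VSM is not running; check firmware virtualization settings and reboot'
}
```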
Thanks for attending, please do an evaluation
Join my newsletter mailing list at www.minasi.com
Thank You! Follow me at @mminasi
© 2015 Microsoft Corporation. All rights reserved.