[PPT] PowerPoint Presentation: video.ch9.ms/sessions/ignite/2015/decks/BRK2320_Minasi.pptx

Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget. Mark Minasi, Writer, Speaker, Consultant. [email protected]. Twitter @mminasi. Join my newsletter at www.minasi.com

Posted on 18-May-2018

Page 1: [PPT]PowerPoint Presentationvideo.ch9.ms/sessions/ignite/2015/decks/BRK2320_Minasi.pptx · Web viewNo on-prem required; can only join one AAD; can't be joined to an AD Option 3: Azure

Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget

Mark Minasi, Writer, Speaker, Consultant
[email protected]
Twitter @mminasi
Join my newsletter at www.minasi.com

Page 2: Hello and Welcome!

- Windows 10, Azure, AD and the like offer us a lot of options, so sometimes it's a little hard to keep them straight
- In this session, I'll outline many of the combinations with an eye to: what it does, what it costs, and what the ingredients are
- This is all "200" level, and I'll demo what I can

Page 3: Topics

- Identity solutions
- Windows Store app control
- Controlling apps
- Keeping corp data on personal devices safe
- Whatever else I have time for

Page 4: First, Though, Remember Option One

- "Don't do anything": again, Microsoft supports Windows 7 until 2020 and Windows 8 until 2023
- There is no rush unless you're running Windows 7 Professional, as the free upgrade to Windows 10 is only available for a year

Page 5: And Remember Option Two

- "Just keep doing what you're doing": if your Win 10 devices are running full Windows Pro or Enterprise, then group policies, VBScripts, PowerShell scripts, Orchestrator runbooks, workflows etc. all work as well as they ever did

Page 6: Identity in Windows 10

- You've always had a lot of choices in where to store your identity and your machine's. Win 10 adds one to the mix

Page 7: Option One: Local Accounts

- Enabling tech: Microsoft Accounts (MSAs), i.e. Hotmail, Live, Outlook.com accounts
- What it does: gives you an identity recognized by your computer and many Web locations
- Lets you sync some settings between devices
- Machine is registered with Microsoft for sync and auth purposes
- Lets Store apps roam with your account
- Minimal MDM: password minimums; scripts can sometimes fill in
- Works on a wide variety of devices
- Cost: zero
- Fine for homes or very, very small orgs

Page 8: Option Two: AD-Joined

- Ingredients: DCs, network, "full" Windows
- What it does: rich device, app, and security management via group policies; app roaming via group policies or Config Manager; desktop roaming via roaming profiles and folder redirection; wide software library
- Cost: AD infrastructure, CALs
- Of little or no value for phones and non-Microsoft tablet devices
- Can only join one domain

Page 9: Option 3: Azure AD, Cloud Join

- Ingredients: AAD, probably O365, Win 10 devices
- Steps: enable device join in Azure; create AAD accounts (either sync them or create new ones)
- What it does: enables Conditional Access for files; MDM via a third party or Intune; provides identity for Store apps
- Cost: O365 or AAD charges per user
- No on-prem required; can only join one AAD; can't be joined to an AD
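The three identity options above (local/MSA, AD-joined, Azure AD cloud join) are visible on a Windows 10 device through the built-in dsregcmd tool. The following PowerShell function is an added example, not code from the deck or from Microsoft: it parses the `dsregcmd /status` output and reports which of the deck's options the device is in. It assumes dsregcmd.exe is present on the machine (it ships with Windows 10) and that the status output uses the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields; the `-StatusText` parameter is an assumption added so captured output can be fed in for testing.

```powershell
# Added example (not from the deck): map dsregcmd /status output onto the
# identity options described in the session.
function Get-DeviceIdentityOption {
    [CmdletBinding()]
    param(
        # Defaults to the live tool; pass saved output (Get-Content status.txt) to test offline.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "   Key : YES|NO" lines; collect only the join flags we need.
    $state = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }

    # Decide which option the device falls under. A device reporting both
    # DomainJoined and AzureAdJoined is a later "hybrid" state that the deck's
    # Option 3 (can't be joined to an AD) did not yet cover; flag it separately.
    if ($state.DomainJoined -and $state.AzureAdJoined) {
        $option = 'AD-joined and Azure AD-joined (hybrid; outside the deck''s three options)'
    } elseif ($state.AzureAdJoined) {
        $option = 'Option 3: Azure AD cloud join'
    } elseif ($state.DomainJoined) {
        $option = 'Option Two: AD-joined'
    } elseif ($state.WorkplaceJoined) {
        $option = 'Azure AD registered (work account added to a local/MSA profile)'
    } else {
        $option = 'Option One: local account or MSA only'
    }

    [pscustomobject]@{
        AzureAdJoined   = $state.AzureAdJoined
        DomainJoined    = $state.DomainJoined
        WorkplaceJoined = $state.WorkplaceJoined
        Option          = $option
    }
}

# Usage on a live machine:
#   Get-DeviceIdentityOption
# Usage against constructed sample output (labelled constructed, for offline testing):
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : NO',
    '           WorkplaceJoined : NO'
)
Get-DeviceIdentityOption -StatusText $sample
```

The function is useful in an inventory or compliance script because the join state decides which management channel (group policy vs. MDM) actually applies to the device, which is the point the next slides make about Intune and Config Manager.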

Page 10: Demo: Azure AD Device Registration and Cloud Join

Page 11: Deploying Apps to Devices

- Acquiring Modern/Store/Universal apps and getting them on Windows 10 devices

Page 12: Option One: Use the Windows Store

- Ingredients: an MSA (Microsoft Account), credit card
- What it does: lets you get any application in the Windows Store onto a compatible device; remembers your apps and roams them to devices
- You can put your LOB apps into the Store (but the world sees them)
- You can sideload LOB apps you don't want to put in the Store
- Deploy LOBs with Add-AppxPackage
- Requires organizational users to have credit cards
- Limited org data governance

Page 13: Demo: New Windows Store (kind of)

Page 14: Option Two: Business Store Portal (BSP)

- BusinessStore.Microsoft.com
- Cost: nothing; all Web-based
- Ingredients: Azure AD accounts or MSA
- Log onto the BSP with your MSA, get personal apps
- Log onto the Business Store Portal with your AAD creds, see the org's apps
- Admin can block categories like "Food and Dining"
- Can create a category for the organization
- Can acquire X copies of the app for the org

Page 15: Option Two, Continued

- Accepts payments besides credit cards: PO or invoice
- You can download the Appx package for the modern app
- Once you have the package, you can deploy offline, or install with PowerShell Add-AppxPackage
- Admin can control app licenses (the portal is there)
- No Intune needed, no Config Manager needed
- LOBs have to go into the Store to be accessible
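Slides 12 and 15 both point at `Add-AppxPackage` for sideloading LOB apps and for offline deployment of packages downloaded from the Business Store Portal. The function below is an added example, not code from the deck, Microsoft or the BSP: it wraps `Add-AppxPackage` with the two checks a practitioner wants before installing a package that did not come through the Store client, namely that sideloading is actually enabled on the machine and that the package (and any dependency packages) carries a valid Authenticode signature. It assumes `$PackagePath` and `$DependencyPath` point to real .appx files, that `Get-AuthenticodeSignature` can evaluate Appx signatures on this machine, and that the sideloading policy lives under the `HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx` key (the value the "Allow all trusted apps to install" group policy writes).

```powershell
# Added example (not from the deck): install a downloaded Appx package only
# after confirming sideloading is enabled and the package is validly signed.
function Install-VerifiedAppx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$PackagePath,      # placeholder: your LOB or BSP .appx
        [string[]]$DependencyPath = @()                   # framework packages the app needs (e.g. VCLibs)
    )

    # 1. Sideloading policy. Without AllowAllTrustedApps = 1, Add-AppxPackage
    #    rejects packages that were not installed through the Store.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $allow = (Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    if ($allow -ne 1) {
        throw "Sideloading is not enabled on this machine (AllowAllTrustedApps = '$allow'); enable it via Group Policy or Settings > For developers."
    }

    # 2. Signature check on every file we are about to hand to the deployment
    #    service. 'Valid' means the chain terminates in a certificate this
    #    machine trusts (Store-signed, or your in-house code-signing cert).
    $signers = foreach ($file in @($PackagePath) + $DependencyPath) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Package not found: $file" }
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            throw "Refusing to install $file : signature status is $($sig.Status)"
        }
        [pscustomobject]@{ File = $file; Signer = $sig.SignerCertificate.Subject }
    }

    # 3. Install for the current user. -DependencyPath is how offline
    #    deployments supply the framework packages the Store would otherwise fetch.
    if ($DependencyPath.Count -gt 0) {
        Add-AppxPackage -Path $PackagePath -DependencyPath $DependencyPath
    } else {
        Add-AppxPackage -Path $PackagePath
    }

    # 4. Return what was installed and who signed it, so an inventory or
    #    detection pipeline can record the provenance of sideloaded software.
    $signers
}

# Usage (paths are placeholders):
#   Install-VerifiedAppx -PackagePath 'C:\Deploy\ContosoLob.appx' `
#                        -DependencyPath 'C:\Deploy\Microsoft.VCLibs.140.00.appx' -Verbose
```

Refusing packages whose signature status is anything but `Valid` is the important part: the deployment service will also reject untrusted packages, but checking first gives you a clear reason in your own logs rather than a generic deployment error, and it records the signer alongside the install.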

Page 16: More Details

- Admin sets up the BSP with an admin-level AAD account in a browser
- User logs in to the Store with an AD, AAD, or MSA account
- Apps are automatically updated via the Store (actually the Store service)
- Admin can explicitly assign an app to a user, so the user need do nothing, or have it appear in the Store

Page 17: Option Three: Create an Enterprise Store

- Ingredients: Intune or Config Manager, appx packages acquired from the BSP, AAD or MSA account
- Cost: Intune licences or perhaps System Center licenses
- Additions: apps can be delivered with an MDM/MAM tool; LOB apps need not be uploaded to the Store and can be sideloaded; Store apps can be delivered even when systems are offline or if the Store has been disabled

Page 18: Option Three, Continued

- You can deploy Desktop apps as well
- You can do B2B distribution (and thus LOB and B2B apps can be kept private)
- User logs onto the Company Store rather than the Store
- If you use an MDM: get the apps as before; in the service, link to the apps' locations in the Store; when the user logs in with an AD or AAD account, the MDM/MAM deploys the app

Page 19: SCCM Details

- BSP, get apps, download appx
- Set the appxes out either as packages to be deployed, or put them in the Company Store

Page 20: Other Details

- You can control the automatic updates: schedule them rather than using "now", which applies updates as soon as possible
- APIs expose the whole thing and support agent-based solutions like Config Manager
- When you leave an organization and can no longer sign on with AD or AAD, you lose access to the org apps and their data stores
- Of course, you always have your MSA apps

Page 21: Controlling Apps in Windows 10

- Reducing friction getting to apps we want people to run, and blocking the things we don't want them running

Page 22: Azure RemoteApps

- Server 2008 introduced Terminal Services RemoteApps
- Basically it delivers an RDS session inside a window, looking like a local app
- Never really caught on in the Windows world, but it's popular in the Citrix world
- Azure, however, has RemoteApps

Page 23: Azure RemoteApps

- Build an Azure image with the app
- Log onto the portal, go to RemoteApps
- Deploy as icons or paths
- Must survive a Sysprep
- Deploy to users via the Azure Portal; something easier is probably on the way
- No Modern apps
- Works on any Windows... but Win 10 speeds it up

Page 24: DeviceGuard: Crush USB Malware

- As we all know, most IT pros' favorite malware delivery tool is a USB stick
- DeviceGuard in Windows 10 slows that down
- You have a list of approved executables, or perhaps a rule to "only run signed code," or code signed by some party
- Comes with a signing tool that lets you sign your in-house stuff in case you don't have a PKI in place
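The slide describes the two halves of a DeviceGuard code integrity deployment: an allow list of approved executables (or "only signed code" rules) and a way to sign in-house binaries when no PKI exists. The script below is an added example, not from the deck or from Microsoft: it builds a configurable code integrity policy from a known-good reference machine with the ConfigCI cmdlets, switches it to audit mode so nothing is blocked until the event log has been reviewed, and then creates a self-signed code-signing certificate, signs one LOB executable with it, and adds that certificate as a trusted signer in the policy. It assumes Windows 10 Enterprise with the ConfigCI module available; `$ScanPath`, `$WorkDir`, `$LobExe` and the certificate subject are placeholders.

```powershell
# Added example (not from the deck): DeviceGuard code integrity policy in
# audit mode, plus in-house signing for shops without a PKI.
function New-AuditCIPolicy {
    param(
        [string]$ScanPath = 'C:\',                    # reference machine to scan (placeholder)
        [string]$WorkDir  = 'C:\CIPolicy'             # where the XML/binary policy is written (placeholder)
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $xml = Join-Path $WorkDir 'InitialPolicy.xml'

    # Publisher level: trust whatever is signed by the same publisher cert as the
    # scanned binaries; fall back to a per-file hash for unsigned binaries.
    # -UserPEs includes user-mode executables, not just drivers.
    New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -ScanPath $ScanPath -UserPEs

    # Option 3 = "Enabled:Audit Mode". Executions the policy would block are
    # logged (Microsoft-Windows-CodeIntegrity/Operational, event 3076) instead
    # of blocked, so the allow list can be corrected before enforcement.
    Set-RuleOption -FilePath $xml -Option 3
    return $xml
}

function Add-InHouseSigner {
    param(
        [Parameter(Mandatory)] [string]$PolicyXml,
        [Parameter(Mandatory)] [string]$LobExe,       # placeholder: the in-house binary to sign
        [string]$Subject = 'CN=Contoso LOB Signing (placeholder)'
    )
    # Self-signed code-signing cert: acceptable only when no PKI exists, as the
    # slide notes. Keep this private key on the build machine, never on the fleet.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                                      -CertStoreLocation 'Cert:\CurrentUser\My'

    # Sign the binary. The timestamp keeps the signature valid after the cert expires.
    $result = Set-AuthenticodeSignature -FilePath $LobExe -Certificate $cert `
                                        -TimestampServer 'http://timestamp.digicert.com'
    if ($result.Status -ne 'Valid') { throw "Signing $LobExe failed: $($result.Status)" }

    # Export the public cert and make it a trusted user-mode signer in the policy,
    # so the rule is "signed by our cert" rather than a hash that changes every build.
    $cer = Join-Path (Split-Path $PolicyXml) 'LobSigner.cer'
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    Add-SignerRule -FilePath $PolicyXml -CertificatePath $cer -User
    return $cer
}

function Publish-CIPolicy {
    param([Parameter(Mandatory)] [string]$PolicyXml)
    # Compile the XML to the binary form the kernel loads. To activate it, copy
    # the .p7b to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot.
    $bin = Join-Path (Split-Path $PolicyXml) 'SIPolicy.p7b'
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin
    return $bin
}

# Usage (run elevated on the reference machine; paths are placeholders):
#   $xml = New-AuditCIPolicy -ScanPath 'C:\' -WorkDir 'C:\CIPolicy'
#   Add-InHouseSigner -PolicyXml $xml -LobExe 'C:\Build\ContosoLob.exe'
#   Publish-CIPolicy -PolicyXml $xml
```

Audit mode first is the practical caveat the slide leaves out: a Publisher-level scan of one reference image rarely covers every tool the fleet runs, and event 3076 entries collected over a week or two are what you merge back into the policy before removing option 3 and enforcing.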

Page 25: "Wait a Minute, Haven't I Heard This Before..."

- There's a GP setting that said "you can only elevate signed apps," and there was AppLocker
- But they're little-used and could be bypassed by a local admin
- Win 10, however, uses a Virtual Secure Mode (VSM) wherein Hyper-V hosts a mini-Windows where the LSA runs in 1 GB of RAM
- Provides a virtual TPM for VMs
- May need 2016 Server's AD

Page 26: Enabling It

- Off by default
- In Group Policies: Computer / Admin Templates / System / DeviceGuard, Turn On Virtualization Based Security
- Will not work unless your system uses Secure Boot
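The slide gives the group policy path and the Secure Boot prerequisite. The functions below are an added example, not from the deck or from Microsoft: one reports whether Secure Boot is on and what state virtualization-based security is actually in (it is common for the policy to be set while VBS never starts because the prerequisite is missing), and the other writes the same registry values that the "Turn On Virtualization Based Security" policy sets, refusing to do so when Secure Boot is off. They assume an elevated PowerShell session on Windows 10, the `root\Microsoft\Windows\DeviceGuard` WMI namespace with its `Win32_DeviceGuard` class, and the policy key `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`.

```powershell
# Added example (not from the deck): check VBS prerequisites and state, and
# enable VBS the way the group policy does, only when Secure Boot is present.
function Test-VbsReadiness {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
    # SecurityServicesRunning:  1 = Credential Guard (LSA isolation), 2 = HVCI.
    # RequiredSecurityProperties: 1 = base virtualization, 2 = Secure Boot, 3 = DMA protection.
    [pscustomobject]@{
        SecureBoot              = $secureBoot
        VbsStatus               = @('Off', 'Configured', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning         = @($dg.SecurityServicesRunning)
        RequiredProperties      = @($dg.RequiredSecurityProperties)
        AvailableProperties     = @($dg.AvailableSecurityProperties)
    }
}

function Enable-VbsPolicy {
    param(
        [switch]$RequireDmaProtection,   # also demand IOMMU/DMA protection (value 3 instead of 1)
        [switch]$CredentialGuard         # run LSA inside VSM, the scenario the previous slide describes
    )
    $ready = Test-VbsReadiness
    if (-not $ready.SecureBoot) {
        throw 'Secure Boot is not enabled; as the slide notes, VBS will not work without it. Fix firmware first.'
    }

    # These are the values the "Turn On Virtualization Based Security" policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    New-ItemProperty -Path $key -Name RequirePlatformSecurityFeatures -PropertyType DWord -Value $platform -Force | Out-Null
    if ($CredentialGuard) {
        # 1 = enabled with UEFI lock (cannot be turned off remotely by a later policy change).
        New-ItemProperty -Path $key -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # VBS starts at the next boot; return the current state so the caller can
    # compare it with a post-reboot Test-VbsReadiness run.
    $ready
}

# Usage (elevated):
#   Test-VbsReadiness
#   Enable-VbsPolicy -CredentialGuard
#   Restart-Computer; then Test-VbsReadiness again and expect VbsStatus = Running
```

The distinction between `Configured` and `Running` in `Test-VbsReadiness` is the check worth automating: a fleet report that only reads the policy key will count machines as protected while the hypervisor never actually launched.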

Page 27: Thank You! Follow me at @mminasi

- Thanks for attending, please do an evaluation
- Join my newsletter mailing list at www.minasi.com

Page 28

© 2015 Microsoft Corporation. All rights reserved.