Choose the best deployment method for your organization to get to Windows 10 Keep Windows 10 up to...


Page 1:

LEX

Accelerate deployment of Windows 10 at scale
Speaker name
Speaker title

Page 2:

Session objectives and takeaways

Understand how to:

• Choose the best deployment method for your organization to get to Windows 10

• Keep Windows 10 up to date

• Manage Windows 10 security features and enhance productivity

Page 3:

What's driving change?

IT

Employees
Customers
Business partners

Devices
Apps
Users
Data

Page 4:

Investments for business

Enhanced productivity

Protection against modern security threats

Managed for continuous innovation

Innovative devices for your business

MDM

Windows as a Service

New deployment options

Windows 10

Page 5:

Enterprise Mobility Suite (EMS)

Unify identity
Azure Active Directory Premium
Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.

Manage apps and devices
Microsoft Intune & System Center Configuration Manager
Manage and protect corporate apps and data on almost any device with MDM and MAM.

Protect data
Azure Rights Management
Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.

Microsoft Enterprise Mobility Suite (EMS)

Page 6:

Enhancing Windows 10 experiences with EMS

Simplify deployment
• Azure AD Join with Intune auto enrollment
• Provisioning packages and profiles for bulk enrollment
• In-place upgrade to Windows 10 with ConfigMgr

Unify device management
• Intune integration with ConfigMgr to manage all devices in the environment
• New in ConfigMgr:
  • Faster and easier ConfigMgr updates
  • Windows 10 servicing
  • On-premises MDM

Configure Windows 10
• Expanded MDM settings
• Per-app VPN
• Microsoft Passport policies and certificates
• Windows Universal and Win32 apps
• Support volume purchase of apps

Manage and protect
• Corporate data leakage prevention through enterprise data protection (EDP) policies
• RMS integration for securing shared documents/files
• Device Guard and AppLocker policies
• Advanced conditional access policies
• Integration with Windows Health Attestation Service (HAS)

User IT

Page 7:

Flexible deployment and management options

ConfigMgr integrated with Intune (hybrid)

Intune standalone (cloud only)

Mobile devices and PCs

Intune web console

System Center Configuration Manager

Mobile devices

Domain-joined PCs

ConfigMgr console

MDM

IoT/Kiosk devices

Agent

MDM

MDM or agent

Page 8:

What we hear from you…

How can I secure and improve productivity in Windows 10?

How do I keep Windows up to date?

How should I deploy Windows 10?

Page 9:

How should I deploy and manage Windows 10?

Deployment and mgmt. strategy

Existing Windows 7, 8, 8.1

Win32 Apps

ConfigMgr agent

Upgrade to Windows 10 with ConfigMgr

Preserve apps and configuration

Maintain management processes and principles of today

New Windows 10 device

Enroll into Intune (Azure AD Join/provision)

Manage via MDM

Universal apps (Store/LOB)

Basic MSI support

On-ramp to the cloud over time

Page 10:

Getting to Windows 10

Existing devices

Refresh
• Use if significant changes are needed, such as OS architecture change x86 versus x64
• Traditional process
  • Capture data and settings
  • Deploy (custom) OS image
  • Inject drivers
  • Install apps
  • Restore data and settings

Existing devices

Upgrade
• Let Windows and ConfigMgr do the work
• Preserve all data, settings, apps, and drivers
• Install (standard) OS image
• Restore everything

Recommended for existing devices (Windows 7/8/8.1)

New devices

IT Pro Provisioning
• Windows Image and Configuration Designer (WICD)
• Transform into an enterprise device
• Provisioning profile with ConfigMgr

User Provisioning
• Azure AD Join with Intune auto enrollment

Traditional: ConfigMgr/MDT
Improved: ConfigMgr/MDT
Modern: ConfigMgr/WICD/Intune/Azure AD

Page 11:

Reduce upfront testing and deployment preparation

Zero dependencies on Windows ADK; supplemental to existing deployment scenarios

Another tool in the OS deployment toolbox

Refresh, replace, and bare metal

Compared to refresh, in-place upgrade is…

Faster: 30 to 60 minutes, on average, to upgrade

Smaller: file size is default OS Media, no applications

More robust rollback capabilities on failure to functional down-level OS

In-place upgrade with ConfigMgr

Preserve applications, drivers, user data, and settings

Page 12:

Continue to use refresh (wipe-and-load) when…

Configuration drift/change

Domain membership

Local administrators

Bulk application swap

Custom requirements

WinPE offline operation

Custom base image

Third-party disk encryption

Upgrade versus refresh

Fundamental change

Disk partitioning

BIOS -> UEFI

x86 -> x64

Base OS language

Page 13:

System Center Configuration Manager @ Microsoft IT

Redmond Site 1

75k Clients

Redmond Site 2

90k Clients

North & South America

50k Clients

Europe, MidEast, Africa

50k Clients

Australia & Asia

75k Clients

Device Mgmt. Site

~15K devices

Infrastructure
• 6 Primary Sites
• 13 Secondary Sites
• 300 Distribution Points

PCs and Devices
• ~350,000 clients
• ~125k mobile devices (EAS)

Users
• ~98k FTEs
• ~82k Vendors

Microsoft Intune

Azure Active Directory

Connector site role

Intune subscription

User Discovery

MS Online Directory Sync

Active Directory Federation Server

Page 14:

Windows deployment of the future

• Windows 7 (2009): 80% FTE, 1 Year
• Windows 8 (2012): 95% FTE, 8 Months
• Windows 8.1 (2013): 95% FTE, 3 Months
• Windows 8.1 Update (2014): 95% FTE, 5 Weeks
• Windows 10 (2015): 95% FTE, 5 Weeks

[Chart. Legend: Complexity, User Experience, Helpdesk, Setup, IR. Labels: Custom Solution, MDT & IT Easy, Upgrade, Experiment, Update, Upgrade]

Page 15:

Demo
ConfigMgr admin console – upgrade

Page 16:

Modern Deployment Options

User-driven, from the cloud
• Company-owned devices: Azure AD join, either during OOBE or after from settings
• BYOD devices: “Add a work account” for device registration
• Automatic MDM enrollment as part of both
• MDM policies pushed down:
  • Change the Windows SKU
  • Apply settings
  • Install apps

IT-driven, using new tools
• Create provisioning package using Windows Imaging and Configuration Designer with needed settings:
  • Change Windows SKU
  • Apply settings
  • Install apps and updates
• Provisioning profile with Intune and ConfigMgr:
  • Enroll a device for ongoing management (just enough to Bootstrap)
• Deploy manually, add to images

Page 17:

Provisioning package and profile

Initial setup

Edition upgrade

Certificates

Connectivity profiles

Management enrollment

Modern applications

Win32 applications

Enterprise policies

Offline content

Browser settings

Start menu customization

Assigned access

Windows Imaging and Configuration Designer

Apply during:
• At OOBE (out-of-box experience)
• During runtime (.PPKG file)
• Embedded in the image (ConfigMgr OSD, MDT, and WDS)

Provisioning profile with Intune and ConfigMgr:
• A lifeline profile – Wi-Fi, enrollment

Page 18:

Demo
Provisioning – Windows Image Configuration Designer and ConfigMgr profiles

Page 19:

Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory.

With Azure AD Join, you can auto enroll devices in Microsoft Intune for management.

Azure AD Join for Windows 10

Windows 10 Azure AD Joined Devices

Intune/MDM auto-enrollment

Intune auto-enrollment

Enterprise-compliant services

Support for hybrid environments

Single sign-on from the desktop to cloud and on-premises applications with no VPN

Vladimir Petrosyan
For Vlad - Out of box user driven provisioning for work stuff
Page 20:

Demo
Azure AD Join with Intune auto-enrollment

Page 21:

What we hear from you…

How can I secure and improve productivity in Windows 10?

How do I keep Windows up to date?

How should I deploy Windows 10?

Page 22:

Windows as a Service

Special systems
Examples: air traffic control, emergency rooms

No new functionality on Long Term Servicing Branch

Regular security updates

Business users
Update their devices after features are validated in the market

Consumer devices
Keeping hundreds of millions of consumers up to date

Large and diverse user base helps drive quality of the OS updates

BYOD devices are up to date and secure

Page 23:

*Conceptual illustration only

Current Branch for business

Current Branch

Microsoft Insider Preview Branch

Broad Microsoft internal validation

Engineering builds

Customer internal ring I

Customer internal ring II

Customer internal ring III

Customer internal ring IV

Users

Tens of thousands

Several Million

Hundreds of millions

Windows as a Service – rings

Page 24:

Current Branch for Business

Stage broad deployment

Information workers, general population

Long Term Servicing Branch

Deploy for mission critical systems

Specialized systems

Specific feature and performance feedback

Application compatibility validation

Windows Insider Preview Branch

Test machines, small pilots

Current Branch

Deploy to appropriate audiences

Test and prepare for broad deployment

Early adopters, initial pilots, IT devices

STAGE

NUMBER OF DEVICES

Release

Thinking through deployment strategy

Page 25:

The new System Center Configuration Manager

• Simplify the upgrade experience: in-place upgrade from Configuration Manager 2012 and R2 to latest product version

• Support faster paced updates for Windows 10 and Intune: new updates and servicing nodes deliver periodic updates for new features, bug fixes, and extensions for hybrid deployments using Intune

• Intune updates monthly—keep ConfigMgr on pace

• Listen and respond quickly to customer feedback: foundational improvements made in latest version of the product allow us to respond to customer feedback more quickly

Page 26:

Flight to MSIT/TAP

RTM

Develop Test

Esc

Develop Test

Esc

Develop Test

Esc

Tech previews

Flight to MSIT/TAP

RTM

Flight to MSIT/TAP

RTM

SCCM vNext

Direct customer engagements

MSIT Indiana University

British Telecom

Boeing

USAF

Daimler S&N

Customer feedback

UserVoice

MVP Hackathon

Partners Telemetry/Usage

Page 27:

Windows 10 management with upcoming releases of Configuration Manager

Current Branch (version 1511)

System Center 2016 Configuration Manager

Current Branch (version yymm)

Long Term Servicing Branch

Current Branch (version yymm)

System Center Configuration Manager

FALL WINTER SUMMER

Product version: System Center Configuration Manager
• Release vehicle: Current Branch
• Availability: Generally available Q4 CY2015 with updates released periodically throughout the year
• Windows 10 features supported: New features, security updates, and bug fixes
• Support: Can defer updates for up to 12 months before you must deploy updates to maintain support
• Windows Servicing Model supported: Windows 10 Current Branch, Current Branch for Business, and Long Term Servicing Branch

Product version: System Center 2016 Configuration Manager
• Release vehicle: Long Term Servicing Branch
• Availability: Generally available CY2016 in alignment with System Center 2016
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release; newer features will not be supported. Security updates released as needed
• Support: 10 years of support: 5 mainstream + 5 extended
• Windows Servicing Model supported: Windows 10 Long Term Servicing Branch

Page 28:

Is ConfigMgr LTSB the right choice for me?

• Customer environment: All Windows 10 clients in my organization are on Current Branch (CB) or Current Branch for Business (CBB)
  ConfigMgr LTSB? No. In order to be in support on the latest Windows CB/CBB, you need the Current Branch of ConfigMgr

• Customer environment: Some Windows 10 clients in my organization are on CB/CBB, but some are on the Long Term Servicing Branch (LTSB)
  ConfigMgr LTSB? No. The Current Branch of ConfigMgr will support Windows CB/CBB as well as LTSB

• Customer environment: My hierarchy is completely disconnected; I cannot connect any servers to the web
  ConfigMgr LTSB? No. The ConfigMgr updates and servicing model allows a completely offline mode

• Customer environment: I use ConfigMgr in a hybrid environment with Intune
  ConfigMgr LTSB? No. In order to get the latest updates for MDM/MAM, including platform updates, you must use the Current Branch of ConfigMgr

• Customer environment: I cannot install multiple updates a year; I need more time for my change process
  ConfigMgr LTSB? No. The Current Branch of ConfigMgr allows you to defer updates for up to 12 months

• Customer environment: I will probably need support for future releases of SQL server, WSUS, or other components that ConfigMgr has a dependency on
  ConfigMgr LTSB? No. Only the Current Branch of ConfigMgr will support the latest releases of these components

• Customer environment: My environment cannot accept any updates; I do not need new functionality or platform support in the foreseeable future
  ConfigMgr LTSB? Yes. LTSB is the right choice for you

Page 29:

Type of support/Feature

System Center Configuration Manager (Current Branch)

System Center Configuration Manager (Long Term Servicing Branch)

Request to change product design and features (e.g. Critical DCRs)

New product features

Security updates

Non-security update support (e.g. critical bug fixes)

Windows 10 (Current Branch)

Windows 10 (LTSB)

Support for new Windows 10 Enterprise features

MDM (Intune)

MDM (On Premise)

AppCompat support for major upgrades (e.g. SQL v.Next, App-V v.Next, etc.)

ConfigMgr (Current Branch) vs. ConfigMgr 2016

Page 30:

Windows 10 management with older versions of Configuration Manager

Product version: System Center 2012 ConfigMgr SP2 AND System Center 2012 R2 ConfigMgr SP1
• Release vehicle: Service packs
• Availability: May 2015
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release. Newer features will not be supported
• Support: Windows 10 Long Term Servicing Branch (LTSB), Current Branch (CB), and Current Branch for Business (CBB): will provide support for July 2015 LTSB + Windows CB and CBB releases through February 2016 *
• Release vehicle: Cumulative updates
• Availability: As needed

Product version: System Center 2007 ConfigMgr
• Release vehicle: Compatibility pack
• Availability: September 2015
• Windows 10 features supported: Support for existing features included in latest Windows LTSB at point of release (management only, no OSD). Newer features will not be supported
• Support: Windows 10 July 2015 Long Term Servicing Branch

* Customers using Windows 10 Current Branch (CB) or Current Branch for Business (CBB) with Configuration Manager 2012 R2 SP1 or Configuration Manager 2012 SP2 will need to migrate to the Current Branch of System Center Configuration Manager after this time for continued support.

Page 31:

Demo
Updates and servicing node
Servicing dashboard
Configuring update rings in admin console

Page 32:

What we hear from you…

How can I secure and improve productivity in Windows 10?

How do I keep Windows up to date?

How should I deploy Windows 10?

Page 33:

Conditional access control with EMS

On-premises applications

Application
• Business sensitivity

Other
• Network location

Devices
• Managed by Intune or ConfigMgr
• Compliant with Intune or ConfigMgr policies
• Domain joined

User attributes
• User identity
• Group memberships
• Auth strength (MFA)

Azure AD

Page 34:

“Enterprise data protection” for Windows 10

Configure and manage EDP policies with Intune and Azure Rights Management

Separate personal and corporate data with limited impact on employees’ day-to-day activities

Protect Data at Rest wherever it may roam*

User

Corporate network

Microsoft Intune & Azure Rights Management

Apply policies

Save

Save

Share files and enforce policies

File share

Personal storage

Secure content collaboration through integration with Azure Rights Management

* Some roaming scenarios use Azure Rights Management

Control app access to corporate data and prevent copy- and paste-related data leaks

Page 35:

Enhanced end-user experiences

• Unified end-user portal
  • Consistent look and feel as the company portal
  • One-stop shop for all apps
  • Convergence of software center and app catalog
  • Device compliance

• Microsoft Passport
  • Ability to deploy certificates and Passport policies for simplified authentication

• Offline Universal Windows apps
  • Deploy Universal Windows apps that are built internally (line-of-business apps)
  • Deploy offline apps and licenses from the Windows Business Store

Page 36:

Demo
Enterprise data protection
Windows Store for Business and end-user portal

Page 37:

Summary

Page 38:

How should I deploy and manage Windows 10?

Deployment and mgmt. strategy

Existing Windows 7, 8, 8.1

Win32 Apps

ConfigMgr agent

Upgrade to Windows 10 with ConfigMgr

Preserve apps and configuration

Maintain management processes and principles of today

New Windows 10 device

Enroll into Intune (Azure AD Join/provision)

Manage via MDM

Universal apps (Store/LOB)

Basic MSI support

On-ramp to the cloud over time

Page 39:

Session objectives and takeaways

Understand how to:

• Choose the best deployment method for your organization to get to Windows 10

• Keep Windows 10 up to date

• Manage Windows 10 security features and enhance productivity

Page 40:

Next steps

To explore
• Try Enterprise Mobility now
• http://www.microsoft.com/ems
• TechNet @ http://technet.microsoft.com/
• MSDN @ http://www.msdn.com/

To do
Rate the session

Q&A

Page 41:

© 2014 Microsoft Corporation. All rights reserved.