Windows 8 Client Features and Enhancements
Chalk Talk
Microsoft Confidential
Sanesh Vig, Premier Field Engineer (PFE)
Conditions and Terms of Use
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Copyright and Trademarks
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Copyright and Trademarks © 2012 Microsoft Corporation. All rights reserved.
Agenda
Windows 8 Product Line up
Windows 8 style User Interface and Modern Apps
Windows 8 Security
Deployment and Activation Methods
Windows Assessment and Deployment Toolkit
Hardware Types and Storage Solutions
Windows To-Go
Bitlocker Enhancements
Hyper V Client
Other Enhancements
Objectives/Takeaways
Provide an understanding of:
The goals and objectives that led to some of the new features in Windows 8
The reasons and decisions behind some of the new features
Provide insight into Windows 8 features and enhancements
Call out any requirements and implementation specifics
Highlight the value these features bring to your environment
Given the time constraints, strive for a balance of breadth and demos
Design Philosophy and Goals
Touch First: Touch is a first-class input and a long-term bet
Designed to work with touch, keyboard and mouse, or both
Fast and Fluid: User interface is responsive, performant, and animated
A feeling of weightlessness when using Windows
Windows Reimagined: Better serve what people are doing today
Modernize the experience of using Windows
Anticipate ways people will be using PCs in the future
Consistent user interface across PC, TV (Xbox) & phone
Windows 8 Editions
Background: Windows Vista and Windows 7 were available in many editions
Additional versions for Europe (N) and other regions
Could lead to customer confusion over which edition to buy
Upgrade ‘matrix’ may add to this
Resulted in edition and feature comparison charts, etc.
There was a need to streamline these
Windows 8 Editions
Solution: Reducing the number of SKUs and simplifying the choice of edition
For the majority of customers – just 2 editions: Windows 8 and Windows 8 Pro
For ARM-based devices – Windows RT (pre-installed only)
For Enterprise customers with Software Assurance – Windows 8 Enterprise
Windows 8 Editions
Solution:
Windows 8: Upgrade from Win 7 Home Premium
Most basic version of Windows
Windows 8 Pro: Upgrade from Win 7 Pro or Ultimate
Can install Windows Media Centre - available via separate ‘Media Pack’ add-on
Windows RT: Pre-installed only
Office Home & Student 2013 RT, device encryption (BitLocker), only runs Windows 8 apps, no domain join, etc.
Windows 8 Enterprise: Same as Windows 8 Pro, plus Windows To Go, DirectAccess, BranchCache, VDI enhancements, side-loading apps
Windows 8 System Requirements
Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2
RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
Modern Apps: Screen resolution 1024 x 768 or greater
Modern Apps using the Snap feature: resolution 1366 x 768 or greater
Taking advantage of touch input requires a screen that supports multi-touch
Windows 8 style User Interface and Modern Apps
This section focuses on the enhancements in Shell, new Windows 8 style UI and modern App behavior
Windows 8 experience over that of Windows 7
Account Types
Local Accounts: Traditional local account
No online sync features
When running an App that requires a Microsoft Account, the user will be prompted to sign in
Domain Accounts: Traditional Windows domain account
Microsoft Accounts: Online identity such as [email protected] or [email protected]
Provides a more connected experience
Required to download Apps from the Store
Can be connected to a domain account
Cannot be connected to a local account
Password Types
Standard text password
PIN
Picture password
Combination of gestures over a user-defined picture
Password Viewer
Eye Icon
To verify the password and avoid lockouts
Available after the first character is typed
Tapping or clicking and holding this icon will show the string
Modern App
Why Modern Apps:
Buggy installers
Incomplete/incorrect uninstallation
AppContainer
Modern Apps operate in a sandbox-like environment called an AppContainer.
The AppContainer restricts an app's access to much of the system and the user's profile by default.
Additional access can be requested by declaring the capabilities that require it when publishing the app.
Modern Apps
Immersive
Every pixel is yours
App bar and Navigation bar experience is uniform across the apps
Share Apps
APPX Package
Package: Holds all resources, files, and metadata needed to install the app
Manifest that describes how it integrates
Has the .APPX extension
ZIP format
Must be digitally signed
Companies can sign using their own Trusted Authority
Process Lifecycle Management
PLM goal: don’t think about closing an app
Switch away from and back to the app
With PLM an app can have three states:
Running
Suspended
Terminated
PLM Task Management
If suspended app is resumed, just continue (already in memory)
If PC is low on memory, terminate suspended apps
When PLM terminates apps, it takes the most memory-consuming app (that is not in the back stack)
Deployment and Activation Methods
This section focuses on the different methods of deploying Windows 8.
Focuses on the changes in the activation method
Deploying Windows 8
Automated deployment of Windows 8 client and Windows Server 2012 editions uses several different Microsoft technologies. These include:
Windows Deployment Server 2012
Microsoft Deployment Toolkit 2012 Update1
System Center Configuration Manager 2012 service pack 1 (SP1)
Dism/Imagex using an answer file
Third party tools
Windows Assessment and Deployment Toolkit (ADK)
This section talks about the components of Windows ADK and the tools included in Windows ADK which help in validating and improving a Windows 8 image
Windows Assessment and Deployment Toolkit (ADK)
All core Windows 8 deployment tools are now part of the “Assessment and Deployment Kit” (ADK)
ADK is the new Windows AIK plus Assessment Tools
Everyone will be able to download the ADK from the Download Center
No ARM tools will be available, therefore MDT will not support ARM
Cannot (should not) coexist with Windows AIK
Active Directory-Based Activation
Domain joined Windows 8 and Windows Server 2012 computers automatically activate
Down-level operating systems are not supported. There are no plans to back port support for this feature.
Activation objects are populated by forest
Configurable using Volume Activation Services Role or SLMGR.VBS
Windows 8 Security - Enhancements
Address Space Layout Randomization
User Account Control
Mandatory Integrity Control
System Service Hardening
Session 0 Isolation
File and Registry Virtualization
Windows Resource Protection
Windows Defender
SmartScreen Filtering
Address Space Layout Randomization
How to prevent exploitation of buffer overflows
Address Space Layout Randomization (ASLR)
Windows before Windows Vista: Common DLLs were loaded into user-space memory at the same location
System was vulnerable to return-to-libc attacks
With Windows Vista, ASLR introduced: Randomized location of DLLs that are capable of ASLR
Protection for your system, while ensuring that old programs will continue to run
Address Space Layout Randomization (ASLR) (continued)
Improvements in Windows 8 (all used by IE10): Bottom-up and top-down allocations are now randomized
Data Execution Prevention/No Execute (DEP/NX)
Structured Exception Handling Overwrite Protection (SEHOP)
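An added example, written for this page and not part of the deck: ASLR can only relocate an image that was linked with /DYNAMICBASE, and DEP opt-in is recorded the same way (/NXCOMPAT), both in the DllCharacteristics field of the PE optional header. The PowerShell function below reads that field straight from a file, so you can audit which DLLs and executables on a Windows 8 system are "capable of ASLR" and DEP. The vendor directory in the usage line is a placeholder; the flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants.

```powershell
# Added example, not from the original deck. Reads the PE optional header of an image
# and reports the mitigation-related DllCharacteristics flags the linker set.
function Get-ImageMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: "MZ" magic, e_lfanew (offset of the PE signature) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path has no MZ header"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need signature (4) + file header (20) + at least 72 bytes of optional header
    if ($peOffset -lt 0x40 -or ($peOffset + 24 + 72) -gt $bytes.Length) {
        throw "$Path has an out-of-range e_lfanew"
    }
    # PE signature is "PE\0\0" (0x00004550 little-endian)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }

    $optHeader = $peOffset + 24
    $magic = [BitConverter]::ToUInt16($bytes, $optHeader)        # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    $dllChar = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [PSCustomObject]@{
        Path           = $Path
        Format         = $(switch ($magic) { 0x10B { 'PE32' } 0x20B { 'PE32+' } default { 'unknown' } })
        DynamicBase    = [bool]($dllChar -band 0x0040)   # /DYNAMICBASE: image may be relocated (ASLR)
        HighEntropyVA  = [bool]($dllChar -band 0x0020)   # /HIGHENTROPYVA: 64-bit high-entropy ASLR
        NxCompat       = [bool]($dllChar -band 0x0100)   # /NXCOMPAT: DEP/NX compatible
        ForceIntegrity = [bool]($dllChar -band 0x0080)   # signature must verify at load
        NoSeh          = [bool]($dllChar -band 0x0400)   # image contains no SEH handlers
    }
}

# Usage: list images under a vendor directory (placeholder path) that lack ASLR or DEP opt-in.
Get-ChildItem -Path 'C:\Program Files\ExampleVendor' -Recurse -Include *.dll, *.exe |
    ForEach-Object { try { Get-ImageMitigationFlags -Path $_.FullName } catch { Write-Warning $_ } } |
    Where-Object { -not $_.DynamicBase -or -not $_.NxCompat } |
    Format-Table Path, Format, DynamicBase, HighEntropyVA, NxCompat -AutoSize
```

An image without DynamicBase is loaded at its preferred base address, which is exactly the fixed-location situation the return-to-libc point above describes; a single such DLL in a process weakens ASLR for the whole process. SEHOP is different in kind: it is enforced by the operating system at exception-dispatch time and is not recorded in the image header, so it does not appear in this report.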
User Account Control
How UAC works and protects your computer
Mandatory Integrity Controls
Restrict permissions of less trustworthy applications running under the same user account
Mandatory Integrity Controls (MIC)
What does MIC add?
How does MIC work?
Working with MIC
MIC and Internet Explorer
[Figure: three diagrams, one each for a High IL process, a Medium IL process and a Low IL process. Processes are shown on the left and objects at High, Medium and Low integrity on the right; Read and Write arrows show which objects a process at each level can read and write.]
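To make the diagram concrete, here is an added PowerShell example (mine, not the deck's) that reads the integrity level of the current process from its token, reads the mandatory label that icacls shows on a file-system object, and evaluates the default MIC rule: a process may not write (NW), read (NR) or execute (NX) an object labelled higher than itself. It assumes English-localized whoami and icacls output, and uses the per-user AppData\LocalLow folder because Windows labels it Low.

```powershell
# Added example, not from the original deck. Shows the integrity level of the current
# process, the mandatory label on a file-system object, and the default MIC access rule.

# Integrity SIDs are S-1-16-<RID>; the RID is the level.
$IntegrityRid = @{ Untrusted = 0; Low = 4096; Medium = 8192; High = 12288; System = 16384 }

function Get-ProcessIntegrityLevel {
    # whoami lists the token's mandatory label as a group with an S-1-16-* SID
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $row) { throw 'No integrity label found in whoami output' }
    $rid = [int]($row.SID -replace '^S-1-16-', '')
    foreach ($entry in $IntegrityRid.GetEnumerator()) {
        if ($entry.Value -eq $rid) { return $entry.Key }
    }
    return "Unknown($rid)"
}

function Get-ObjectIntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path $Path)) { throw "$Path does not exist" }
    # icacls prints an explicit label as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    # NW = no-write-up, NR = no-read-up, NX = no-execute-up. No such line means the object
    # carries no explicit label and is treated as Medium with the NW policy.
    $text = (& icacls.exe $Path 2>&1 | Out-String)
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level:((?:\([^)]*\))+)') {
        $flags = [regex]::Matches($Matches[2], '\(([^)]+)\)') | ForEach-Object { $_.Groups[1].Value }
        $policy = @($flags | Where-Object { 'NW', 'NR', 'NX' -contains $_ })
        [PSCustomObject]@{ Path = $Path; Level = $Matches[1]; Policy = $policy; Explicit = $true }
    } else {
        [PSCustomObject]@{ Path = $Path; Level = 'Medium'; Policy = @('NW'); Explicit = $false }
    }
}

function Test-MicAllows {
    # Passing MIC does not grant access; the DACL is still evaluated afterwards.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Untrusted', 'Low', 'Medium', 'High', 'System')][string]$ProcessLevel,
        [Parameter(Mandatory = $true)][ValidateSet('Untrusted', 'Low', 'Medium', 'High', 'System')][string]$ObjectLevel,
        [string[]]$Policy = @('NW'),
        [ValidateSet('Read', 'Write', 'Execute')][string]$Access = 'Write'
    )
    $flag = @{ Write = 'NW'; Read = 'NR'; Execute = 'NX' }[$Access]
    # Equal or lower object level: MIC never blocks
    if ($IntegrityRid[$ProcessLevel] -ge $IntegrityRid[$ObjectLevel]) { return $true }
    # Higher object level: blocked only if the object's policy forbids that direction
    return -not ($Policy -contains $flag)
}

# Usage: LocalLow is labelled Low (NW); a Medium process may write it, but a Low process
# could not write a Medium-labelled object such as the rest of the user profile.
$proc = Get-ProcessIntegrityLevel
$obj  = Get-ObjectIntegrityLabel -Path (Join-Path $env:USERPROFILE 'AppData\LocalLow')
"Process runs at $proc; $($obj.Path) is $($obj.Level) with policy $($obj.Policy -join ',')"
"Write allowed by MIC: $(Test-MicAllows -ProcessLevel $proc -ObjectLevel $obj.Level -Policy $obj.Policy)"
"Low -> Medium write allowed by MIC: $(Test-MicAllows -ProcessLevel Low -ObjectLevel Medium)"
"Low -> Medium read allowed by MIC:  $(Test-MicAllows -ProcessLevel Low -ObjectLevel Medium -Access Read)"
```

Run it once from a normal prompt (Medium) and once from an elevated prompt (High) to see the process level change while the object label stays the same. The last two lines show why a Low-IL process such as Protected Mode Internet Explorer can read the profile but not modify it: the default policy is no-write-up only, so reads up are allowed unless an object carries NR.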
System Service Hardening
Restrict critical Windows services from performing abnormally
System Service Hardening
Reduces permissions for services: sc qprivs <servicename>
Reduces running services, for example: Windows Image Acquisition (WIA)
Group Policy Client service in Windows 8
sc [server] qprivs [service name]
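The sc qprivs query above answers the question for one service; the added PowerShell example below (written for this page, not taken from the deck) runs it across every running service and flags the ones that either have no trimmed privilege list at all or still keep a privilege that lets a compromised service escape its own boundary. The high-risk list is an assumption of this example, not a Microsoft-defined set.

```powershell
# Added example, not from the original deck. Audits which privileges each running
# service is configured to keep, using the same sc qprivs query the slide mentions.
# Use sc.exe explicitly: in PowerShell, plain "sc" is an alias for Set-Content.
function Get-ServiceRequiredPrivileges {
    param([Parameter(Mandatory = $true)][string]$Name)
    $out = & sc.exe qprivs $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc qprivs $Name failed: $($out -join ' ')" }
    # Output lists one SeXxxPrivilege per line. An empty list means nothing was trimmed:
    # the service keeps every privilege of its logon account.
    @([regex]::Matches(($out -join "`n"), 'Se\w+Privilege') | ForEach-Object { $_.Value } | Sort-Object -Unique)
}

# Privileges that let a service debug other processes, load drivers, impersonate or
# create tokens, or bypass ACLs. Assumed list for this example.
$HighRiskPrivileges = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege',
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege'

function Get-ServicePrivilegeReport {
    param([string[]]$HighRisk = $HighRiskPrivileges)
    Get-WmiObject -Class Win32_Service -Filter "State='Running'" | ForEach-Object {
        $svc = $_
        $privs = @()
        try { $privs = Get-ServiceRequiredPrivileges -Name $svc.Name } catch { Write-Warning $_ }
        [PSCustomObject]@{
            Name       = $svc.Name
            Account    = $svc.StartName
            Trimmed    = ($privs.Count -gt 0)                 # is a privilege list configured at all?
            HighRisk   = @($privs | Where-Object { $HighRisk -contains $_ }) -join ','
            Privileges = $privs -join ','
        }
    }
}

# Usage: services running as LocalSystem with no trimmed list, or keeping a high-risk
# privilege, deserve a closer look during hardening reviews.
Get-ServicePrivilegeReport |
    Where-Object { -not $_.Trimmed -or $_.HighRisk } |
    Sort-Object Account, Name |
    Format-Table Name, Account, Trimmed, HighRisk -AutoSize
```

A service that shares a svchost.exe process with others can only be trimmed as far as the most demanding service in that group, so compare the report against the service's host process before concluding that a privilege is unnecessary.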
Session 0 Isolation
Isolating services in a non-interactive Session 0
Session 0 Isolation
Isolate services from user session
Services run in session 0
First user session is session 1
UI0Detect service is disabled in Windows 8
File and Registry Virtualization
Application compatibility technology that enables registry write operations to protected locations
File and Registry Virtualization
Everyone has limited access to files/folders/registry locations
Non-aware application is virtualized
Application is fooled
Exceptions: 64-bit applications
Applications running with Admin token
FARV-aware applications
Windows Resource Protection
Protect registry keys and folders in addition to critical system files
Windows Resource Protection
Previously known as Windows File Protection (2000/XP)
Files and Registry locations are protected
Majority of core OS files/registry keys
Folders are exclusively for OS processes
Protected by TrustedInstaller (TrustedInstaller is a service and not an account)
Differences between Windows XP and Windows 8 (continued)
Windows Resource Protection
Windows Defender
First line of defense against viruses and other unwanted software
Windows Defender
Used to be only antispyware
Now, it is antispyware and antivirus together
Primarily a consumer-oriented security program
SmartScreen Filtering
Prevents unknown and malicious programs from running
SmartScreen Filtering
Introduced with Internet Explorer
Reputation based. For example: Download history/traffic
URL reputation
Antivirus results
Bitlocker in Windows 8
Software Encryption
Introducing BitLocker in Windows 8
Purpose/Benefits: BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Enhancements
Background: Hardware advancements can help improve Windows 8 security
BitLocker provisioning and deployment could be time consuming and difficult
Encrypting large volumes takes significant time
Multi-factor authentication not an option for all scenarios
Rebooting a machine using BitLocker + PIN requires user input (not reachable remotely)
TPM hardware not included on all systems and adds to provisioning complexity (ownership, disabled in BIOS)
Only BitLocker uses the TPM. BitLocker only in ‘premium’ SKUs
BitLocker Enhancements
Solution: New Features:
BitLocker pre-provisioning
Used Disk Space Only encryption
Standard User PIN and user password change
Network Unlock
Support for encrypted hard drives (hardware encryption)
Virtual Smart Card
Technical Requirements
Trusted Platform Module (TPM) version 1.2 chip or later
The system BIOS or Unified Extensible Firmware Interface (UEFI) boot firmware (for TPM and non-TPM computers) must support the USB mass storage device class
The hard disk must have at least two partitions:
Operating System Partition
System Partition/Boot Partition
In Windows 7, the system partition should be at least 100 MB in size
In Windows 8 and Windows Server 2012, the system partition should be at least 350 MB in size.
BitLocker Enhancements
Requirements: TPM (Trusted Platform Module) chip
BitLocker Network Unlock
Client: Windows 8
UEFI firmware (with UEFI DHCP drivers)
Server: BitLocker Network Unlock feature
Server 2012 WDS role
Correctly configured certificates
Network Unlock group policy settings
Virtual Smart Card
Virtual Smart Cards are new in Windows 8 and Windows Server 2012.
Virtual Smart Cards are built on the TPM and act the same as a physical smart card that is always plugged into a smart card reader.
Deleting the virtual smart card will require a new virtual smart card to be provisioned. It should be done sparingly and not as a troubleshooting step.
Used Disk Space Only Encryption
BitLocker uses block-level encryption. Prior to Windows 8, BitLocker would use a swap file to reduce writes to the drive during encryption, which consumed all but 6 GB of free drive space.
In Windows 8, the swap file is no longer used.
Used Disk Space Only offers the ability to encrypt only blocks with data, improving encryption times on volumes without large amounts of data.
Used Disk Space Only Encryption is required for thinly provisioned storage.
New data written to the drive will be encrypted as the writes occur.
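As an added example of the Used Disk Space Only and TPM items above (my own script, not part of the deck), the PowerShell below uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8 and Windows Server 2012: it checks that the TPM is ready, turns on BitLocker for the OS volume with Used Disk Space Only encryption and a TPM protector, adds a recovery password, and optionally escrows it to AD DS. It assumes an elevated session and, for the escrow step, Group Policy that permits storing recovery information in AD DS.

```powershell
# Added example, not from the original deck. Checks TPM readiness, then turns on
# BitLocker with Used Disk Space Only encryption and a TPM protector, adds a recovery
# password and escrows it to AD DS. Needs the BitLocker and TrustedPlatformModule
# modules (Windows 8 / Server 2012) and an elevated session.
Import-Module BitLocker, TrustedPlatformModule

function Test-TpmReady {
    # TpmReady means the TPM is present, enabled, activated and owned by Windows
    $tpm = Get-Tpm
    [PSCustomObject]@{
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady
        AutoProvisioning = $tpm.AutoProvisioning
    }
}

function Enable-UsedSpaceOnlyBitLocker {
    param([string]$MountPoint = 'C:', [switch]$EscrowToAd)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do"
        return $vol
    }
    if (-not (Test-TpmReady).Ready) {
        throw 'TPM is not ready; prepare it (or choose a different protector) first'
    }

    # Used Disk Space Only encrypts only blocks that currently hold data; later writes are
    # encrypted as they happen. On a reused drive, previously deleted data still sitting in
    # free space stays in clear, so prefer full encryption there.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes128 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null

    # Always keep a recovery password as a second protector, and escrow it before relying
    # on the volume: a TPM-only volume with no escrowed recovery key is a data-loss risk.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if ($EscrowToAd) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: show current status, then enable (run only on a machine you intend to encrypt)
Get-BitLockerVolume |
    Format-Table MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus -AutoSize
Enable-UsedSpaceOnlyBitLocker -MountPoint 'C:' -EscrowToAd
```

The same Used Disk Space Only mode is what makes the "BitLocker pre-provisioning" item practical: in WinPE, before the image is applied, manage-bde -on C: -UsedSpaceOnly encrypts an almost empty volume in seconds, and the protectors are added once the installed OS boots.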
Introducing Encrypted Hard Drives
Self-encrypting at the hardware level; allows for full-disk hardware encryption.
Windows 8 supports installing to these devices without modification.
The BitLocker feature has support for Encrypted Hard Drives.
Currently, manufacturers ship a solution known as Self-Encrypting Drives (SEDs); these are different from Encrypted Hard Drives.
BitLocker can provide management (Microsoft BitLocker Administration and Monitoring [MBAM]) and additional protectors if desired.
Benefits of Encrypted Hard Drives
Better performance
Strong security based in hardware
Ease of use
Lowers cost of ownership
Encrypted Hard Drive Usage
For Encrypted Hard Drives used as data drives:
The drive must be in an uninitialized state.
The drive must be in a security-inactive state.
For Encrypted Hard Drives used as boot drives:
The drive must be in an uninitialized state.
The drive must be in a security-inactive state.
The system must be UEFI 2.3.1 based.
The system must have CSM disabled in UEFI.
The system must always boot natively from UEFI.
Installing to Encrypted Hard Drives
Deploy from media: Automatically encrypted
Deploy from network or deploy from WDS: Enhanced Storage component needs to be included and configured in Unattend.xml
Disk duplication: Disks must be partitioned using Windows 8 setup tools
Images made using disk duplicators will not work
System Partition Layout
Extensible Firmware Interface (EFI) System Partition
Standard System Partition
What is a Trusted Platform Module?
Preparing the TPM: TPM setting must be in BIOS/UEFI firmware.
Windows 8 offers the ability to prepare the TPM without physical presence. Note: This does not apply to all TPMs.
For computers that do not support automatic preparation, physical presence is required.
BitLocker Enhancements: Microsoft BitLocker Administration and Monitoring (MBAM) 2.0
MBAM is part of MDOP (Microsoft Desktop Optimisation Pack), available with Software Assurance
Best practice is to use MBAM wherever possible
Goal: Reduce costs of provisioning BitLocker, simplify the provisioning process and help maintain higher levels of compliance
These were based on the top customer pain points
Features:
Self-service recovery portal for users
Better maintenance and enforcement of compliance (complex PIN support, etc.)
Integrating with existing management infrastructure (SCCM)
Hardware Security in Windows 8
New Hardware Considerations for Windows 8
Boot Process Changes in Windows 8
New Hardware Considerations for Windows 8
UEFI
Windows Runtime
SoC
Encrypted hard drives
USB support
Unified Extensible Firmware Interface (UEFI)
Replacement for BIOS-based hardware
Support for UEFI started in Windows 7
Acts as a shell with application and driver support before loading the operating system
UEFI Classes
Four classes of UEFI hardware. Class 2 and 3 machines are most common.
Class 2 uses a hybrid BIOS/UEFI implementation using a Compatibility Support Module (CSM).
Class-3 hardware uses UEFI only and does not have a BIOS mode.
Class 3 systems reach POST faster than UEFI+CSM enabled systems.
Class 3 hardware is required for several features in Windows 8 and Windows Server 2012.