Windows 8 Client Features and Enhancements

Chalk Talk

Microsoft Confidential

Sanesh Vig, Premier Field Engineer (PFE)

Conditions and Terms of Use

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

© 2012 Microsoft Corporation. All rights reserved.

Introductions

Name

Title/Function

Tell us something about yourself

Expectations for the Course


Agenda

Windows 8 Product Line up

Windows 8 style User Interface and Modern Apps

Windows 8 Security

Deployment and Activation Methods

Windows Assessment and Deployment Toolkit

Hardware Types and Storage Solutions

Windows To-Go

BitLocker Enhancements

Hyper-V Client

Other Enhancements


Objectives/Takeaways

Provide an understanding of the goals and objectives that led to some of the new features in Windows 8

The reasons and decisions behind some of the new features

Provide insight into Windows 8 features and enhancements

Call out any requirements and implementation specifics

Highlight the value these features bring to your environment

Given the time constraints, strive for a balance of breadth and demos

Design Philosophy and Goals

Touch First: touch is a first-class input and a long-term bet

Designed to work with touch, keyboard and mouse, or both

Fast and Fluid: the user interface is responsive, performant, and animated

A feeling of weightlessness when using Windows

Windows Reimagined: better serve what people are doing today

Modernize the experience of using Windows

Anticipate ways people will be using PCs in the future

Consistent user interface across PC, TV (Xbox) & phone

Windows 8 Editions

Background: Windows Vista and Windows 7 were available in many editions

Additional versions for Europe (N) and other regions

Could lead to customer confusion over which edition to buy

Upgrade ‘matrix’ may add to this

Resulted in edition & feature comparison charts, etc

There was a need to streamline these

Windows 8 Editions

Solution: reducing the number of SKUs and simplifying the choice of edition

For majority of customers – just 2 editions: Windows 8 and Windows 8 Pro

For ARM-based devices – Windows RT (pre-installed only)

For Enterprise customers with Software Assurance – Windows 8 Enterprise

Windows 8 Editions

Solution: Windows 8

Upgrade from Win 7 Home Premium

Most basic version of Windows

Windows 8 Pro: upgrade from Win 7 Pro or Ultimate

Can install Windows Media Centre – available via separate ‘Media Pack’ add-on

Windows RT: pre-installed only

Office Home & Student 2013 RT, device encryption (BitLocker), only runs Windows 8 apps, no domain join, etc

Windows 8 Enterprise: same as Windows 8 Pro, plus Windows To Go, DirectAccess, BranchCache, VDI enhancements, side-loading of apps

Windows 8 System Requirements

Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2

RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)

Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)

Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

Modern Apps: screen resolution 1024 x 768 or greater

Modern Apps using the Snap feature: resolution 1366 x 768 or greater

Taking advantage of touch input requires a screen that supports multi-touch


Windows 8 style User Interface and Modern Apps

This section focuses on the enhancements in the Shell, the new Windows 8 style UI and modern app behavior, and the Windows 8 experience over that of Windows 7.


Start Screen


Account Types

Local Accounts: traditional local account

No online sync features

When running an app that requires a Microsoft Account, the user will be prompted to sign in

Domain Accounts: traditional Windows domain account

Microsoft Accounts: online identity such as [email protected] or [email protected]

Provides a more connected experience

Required to download Apps from the Store

Can be connected to a domain account

Cannot be connected to a local account


Password Types

Standard text password

PIN

Picture password

Combination of gestures over a user-defined picture


Password Viewer

Eye Icon

To verify the password and avoid lockouts

Available after the first character is typed

Tapping or clicking and holding this icon will show the string


Modern App

Why Modern Apps:

Buggy installers

Incomplete/incorrect uninstallation

AppContainer

Modern Apps operate in a sandbox-like environment called an AppContainer.

The AppContainer restricts an app's access to much of the system and the user's profile by default.

Additional access can be requested by declaring, when publishing the app, the capabilities that require it.


Modern Apps

Immersive

Each and every pixel is yours

App bar and Navigation bar experience is uniform across the apps

Share Apps


APPX Package

Package: holds all resources, files and metadata needed to install the app, plus a manifest that describes how it integrates.

Has the .APPX extension

ZIP format

Must be digitally signed

Companies can sign using their own Trusted Authority
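The AppContainer and APPX points above (ZIP container, manifest, declared capabilities, mandatory signature) can be checked from outside Windows. The following is an added example, not code from the deck: it builds a constructed APPX-like ZIP in memory, reads AppxManifest.xml, lists the capabilities the app asks for, and reports whether the AppxSignature.p7x part is present (presence only; cryptographic validation of the signature is left to the Windows APIs). The "broad capabilities" watch list is this example's assumption.

```python
"""Inspect an APPX package's declared AppContainer capabilities.

Added example (not from the original deck): an APPX is a ZIP archive
carrying AppxManifest.xml and, when signed, AppxSignature.p7x.  The
package built here is constructed in memory for demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Windows 8 package manifest namespace (AppxManifest.xml).
NS = {"m": "http://schemas.microsoft.com/appx/2010/manifest"}
SIGNATURE_FILE = "AppxSignature.p7x"

# Capabilities that widen the AppContainer boundary the most; an auditor
# would want a justification for each (list is an assumption of this example).
BROAD_CAPABILITIES = {"documentsLibrary", "enterpriseAuthentication",
                      "sharedUserCertificates", "privateNetworkClientServer"}


def build_sample_appx(capabilities, device_capabilities=(), signed=True):
    """Construct a minimal APPX-like ZIP in memory (sample data only)."""
    caps = "".join(f'<Capability Name="{c}"/>' for c in capabilities)
    caps += "".join(f'<DeviceCapability Name="{c}"/>' for c in device_capabilities)
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
        '<Identity Name="Contoso.SampleApp" Publisher="CN=Contoso" Version="1.0.0.0"/>'
        f'<Capabilities>{caps}</Capabilities></Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        if signed:
            z.writestr(SIGNATURE_FILE, b"placeholder-signature-blob")
    return buf.getvalue()


def inspect_appx(data):
    """Return identity, declared capabilities and whether a signature part exists."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read("AppxManifest.xml"))
    ident = root.find("m:Identity", NS)
    caps = [e.get("Name") for e in root.findall("m:Capabilities/m:Capability", NS)]
    devcaps = [e.get("Name") for e in root.findall("m:Capabilities/m:DeviceCapability", NS)]
    return {
        "name": ident.get("Name"),
        "publisher": ident.get("Publisher"),
        "capabilities": caps,
        "device_capabilities": devcaps,
        # Presence only: validating the PKCS#7 signature needs the Windows APIs.
        "has_signature_part": SIGNATURE_FILE in names,
        "broad_capabilities": sorted(BROAD_CAPABILITIES.intersection(caps)),
    }


if __name__ == "__main__":
    pkg = build_sample_appx(["internetClient", "documentsLibrary"], ["webcam"])
    print(inspect_appx(pkg))
```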


Process Lifecycle Management

PLM goal: don’t think about closing an app

Switch away and back from the app

With PLM an app can have three states: Running

Suspended

Terminated

Microsoft Confidential - For Internal Use Only 7/30/2011

PLM Task Management

If suspended app is resumed, just continue (already in memory)

If PC is low on memory, terminate suspended apps

When PLM terminates apps, it takes the most memory-consuming app (one not in the back stack)


Modern Application Lifecycle


Deployment and Activation Methods

This section focuses on the different methods of deploying Windows 8.

It also focuses on the changes in the activation method.


Deploying Windows 8

Automated deployment of Windows 8 client and Windows Server 2012 editions uses several different Microsoft technologies. These include:

Windows Deployment Server 2012

Microsoft Deployment Toolkit 2012 Update1

System Center Configuration Manager 2012 service pack 1 (SP1)

DISM/ImageX using an answer file

Third party tools


Windows Assessment and Deployment Toolkit (ADK)

This section covers the components of the Windows ADK and the tools included in it that help in validating and improving a Windows 8 image.


Windows Assessment and Deployment Toolkit (ADK)

All core Windows 8 deployment tools are now part of the “Assessment and Deployment Kit” (ADK)

ADK is the new Windows AIK plus Assessment Tools

Everyone will be able to download the ADK from the Download Center

No ARM tools will be available, therefore MDT will not support ARM

Cannot (should not) coexist with Windows AIK


Active Directory-Based Activation

Domain joined Windows 8 and Windows Server 2012 computers automatically activate

Down-level operating systems are not supported. There are no plans to back-port support for this feature.

Activation objects are populated by forest

Configurable using Volume Activation Services Role or SLMGR.VBS


Windows 8 Security - Enhancements

Address Space Layout Randomization

User Account Control

Mandatory Integrity Control

System Service Hardening

Session 0 Isolation


File and Registry Virtualization

Windows Resource Protection

Windows Defender

SmartScreen Filtering

Address Space Layout Randomization

How to prevent exploitation of buffer overflows


Address Space Layout Randomization (ASLR)

Windows before Windows Vista: common DLLs were loaded into user-space memory at the same location

The system was vulnerable to return-to-libc attacks

With Windows Vista, ASLR was introduced: randomized location of DLLs that are capable of ASLR

Protection for your system, while ensuring that old programs will continue to run


Address Space Layout Randomization (ASLR) (continued)

[Figure: DLL load addresses compared between Windows XP and Windows 8]

Address Space Layout Randomization (ASLR) (continued)

Improvements in Windows 8 (all used by IE10): bottom-up and top-down allocations are now randomized

Data Execution Prevention/No Execute (DEP/NX)

Structured Exception Handling Overwrite Protection (SEHOP)
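ASLR relocates only images that opt in (which is why old programs keep running), and DEP/NX likewise depends on a per-image flag, so a practical check is to read those flags from the PE optional header. The following is an added example, not code from the deck: it parses the DllCharacteristics field (the flag constants are from the PE specification; the header bytes are constructed sample data, not real binaries) and reports whether an image is ASLR-capable, high-entropy capable and DEP-compatible.

```python
"""Check whether a PE image opts into ASLR and DEP/NX.

Added example (not from the original deck).  ASLR only relocates images
built with /DYNAMICBASE, and DEP/NX applies to images marked /NXCOMPAT;
this reads those flags from the optional header.  The headers built by
make_sample_image() are constructed byte strings, not real binaries.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR (Windows 8 and later)
DYNAMIC_BASE = 0x0040      # image can be relocated (ASLR-capable)
NX_COMPAT = 0x0100         # DEP/NX compatible
NO_SEH = 0x0400            # image uses no structured exception handlers

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image):
    """Return (magic, DllCharacteristics) read from the PE optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # PE signature + COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    return magic, struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image):
    """Summarise the exploit mitigations an image has opted into."""
    magic, dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & DYNAMIC_BASE),
        "high_entropy_va": magic == PE32PLUS_MAGIC and bool(dc & HIGH_ENTROPY_VA),
        "dep_nx": bool(dc & NX_COMPAT),
        "no_seh": bool(dc & NO_SEH),
    }


def make_sample_image(magic, dc):
    """Construct a minimal header-only PE (sample data, not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    is64 = magic == PE32PLUS_MAGIC
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 0, 0, 0, 0,
                       240 if is64 else 224, 0x2102)
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dc)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    modern = make_sample_image(PE32PLUS_MAGIC, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    legacy = make_sample_image(PE32_MAGIC, 0)
    print("modern:", mitigation_report(modern))
    print("legacy:", mitigation_report(legacy))
```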


User Account Control

How UAC works and protects your computer


User Account Control (UAC)


UAC: Token Filtering Scenario


UAC Configuration


Mandatory Integrity Controls

Restrict permissions of less trustworthy applications running under the same user account


Mandatory Integrity Controls (MIC)

What does MIC add?

How does MIC work?

Working with MIC

MIC and Internet Explorer


[Figures (three slides): a High IL process, a Medium IL process and a Low IL process, each shown against High, Medium and Low integrity objects with Read and Write access arrows]

System Service Hardening

Restrict critical Windows services from performing abnormally


System Service Hardening

Reduces permissions for services (query them with sc qprivs <servicename>)

Reduces running services, for example: Windows Image Acquisition (WIA)

Group Policy Client service in Windows 8

sc [server] qprivs [service name]
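The privilege list that sc qprivs prints is what an auditor compares against the privileges a service genuinely needs. The following is an added example, not code from the deck: it parses the output shape of sc qprivs (the sample text is constructed, not captured from a real host), flags privileges that amount to local administrator, and calls out services that declare no list at all, since the SCM then strips nothing from the service account's token. The high-risk set is this example's assumption.

```python
"""Audit the privileges services declare, from `sc qprivs` output.

Added example (not from the original deck).  Service hardening lets a
service declare the privileges it actually needs so the SCM strips the
rest from its token; `sc qprivs <servicename>` shows that list.  The
output below is constructed sample text, not captured from a real host.
"""
import re

# Privileges that effectively equal local admin; any service declaring one
# deserves a second look (selection is this example's assumption).
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
             "SeAssignPrimaryTokenPrivilege"}

# Constructed sample: a service declaring three privileges.
SAMPLE_OUTPUT = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: sampleupdater
        PRIVILEGES       : SeAuditPrivilege
                         : SeCreateGlobalPrivilege
                         : SeDebugPrivilege
"""

# Constructed sample: a legacy service with no declared privilege list.
SAMPLE_NO_PRIVS = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: legacyagent
        PRIVILEGES       :
"""

_PRIV = re.compile(r"\b(Se[A-Za-z]+Privilege)\b")


def parse_qprivs(text):
    """Return (service_name, [privileges]) from sc qprivs output."""
    name = None
    privs = []
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif ":" in line:
            # Both the PRIVILEGES line and its continuation lines carry
            # one privilege name after the colon.
            privs.extend(_PRIV.findall(line.split(":", 1)[1]))
    if name is None:
        raise ValueError("no SERVICE_NAME in output")
    return name, privs


def review(text):
    """Classify a service: flag high-risk privileges and an empty declaration."""
    name, privs = parse_qprivs(text)
    flagged = sorted(HIGH_RISK.intersection(privs))
    # With no declared list the SCM strips nothing, so the service keeps
    # the full privilege set of its logon account.
    return {"service": name, "declared": privs, "high_risk": flagged,
            "unrestricted": not privs}


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_NO_PRIVS):
        print(review(sample))
```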


Session 0 Isolation

Isolating services in a non-interactive Session 0


Session 0 Isolation

Isolate services from user session

Services run in session 0

First user session is session 1

UI0Detect service is disabled in Windows 8


File and Registry Virtualization

Application compatibility technology that enables registry write operations to protected locations


File and Registry Virtualization

Everyone has limited access to files/folders/registry locations

Non-aware application is virtualized

Application is fooled

Exceptions: 64-bit applications

Applications running with Admin token

FARV-aware applications


Windows Resource Protection

Protect registry keys and folders in addition to critical system files


Windows Resource Protection

Previously known as Windows File Protection (2000/XP)

Files and Registry locations are protected

Majority of core OS files/registry keys

Folders are exclusively for OS processes

Protected by TrustedInstaller (TrustedInstaller is a service and not an account)


Differences between Windows XP and Windows 8: Windows Resource Protection

[Table comparing Windows Resource Protection in Windows XP and Windows 8, continued over two slides]

Windows Defender

First line of defense against viruses and other unwanted software


Windows Defender

Used to be only antispyware

Now, it is antispyware and antivirus together

Primarily a consumer-oriented security program


SmartScreen Filtering

Prevents unknown and malicious programs from running


SmartScreen Filtering

Introduced with Internet Explorer

Reputation based. For example: download history/traffic

URL reputation

Antivirus results


SmartScreen Filtering (continued)

Windows 8 displays a warning


BitLocker in Windows 8

Software Encryption


Introducing BitLocker in Windows 8

Purpose/Benefits: BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.


BitLocker Enhancements

Background: hardware advancements can help improve Windows 8 security. BitLocker provisioning and deployment could be time consuming and difficult

Encrypting large volumes takes significant time

Multi-factor authentication not an option for all scenarios: rebooting a machine using BitLocker + PIN requires user input (not reachable remotely)

TPM hardware not included on all systems & adds to provisioning complexity (ownership, disabled in BIOS)

Only BitLocker uses the TPM. BitLocker only in ‘premium’ SKUs

BitLocker Enhancements

Solution: new features

BitLocker pre-provisioning

Used Disk Space Only encryption

Standard User PIN and user password change

Network Unlock

Support for encrypted hard drives (hardware encryption)

Virtual Smart Card

Technical Requirements

Trusted Platform Module (TPM) version 1.2 chip or later

The system BIOS or Unified Extensible Firmware Interface (UEFI) boot firmware (for TPM and non-TPM computers) must support the USB mass storage device class

The hard disk must have at least two partitions: Operating System Partition

System Partition/Boot Partition

In Windows 7, the system partition should be at least 100 MB in size

In Windows 8 and Windows Server 2012, the system partition should be at least 350 MB in size.


BitLocker Enhancements

Requirements: TPM (Trusted Platform Module) chip

BitLocker Network Unlock

Client: Windows 8

UEFI firmware (with UEFI DHCP drivers)

Server: BitLocker Network Unlock feature

Server 2012 WDS role

Correctly configured certificates

Network unlock group policy settings

Virtual Smart Card

Virtual Smart Cards are new in Windows 8 and Windows Server 2012.

Virtual Smart Cards are built in TPMs and act the same as a physical smart card that is always plugged into a smart card reader.

Deleting the virtual smart card will require a new virtual smart card to be provisioned. It should be done sparingly and not as a troubleshooting step.


Used Disk Space Only Encryption

BitLocker uses block-level encryption. Prior to Windows 8, BitLocker would use a swap file to reduce writes to the drive during encryption, which consumed all but 6 GB of free drive space.

In Windows 8, the swap file is no longer used.

Used Disk Space Only offers the ability to encrypt only blocks with data, improving encryption times on volumes without large amounts of data.

Used Disk Space Only Encryption is required for thinly provisioned storage.

New data written to the drive will be encrypted as the writes occur.


Introducing Encrypted Hard Drives

Self-encrypting at hardware level and allows for full disk hardware encryption.

Windows 8 supports installing to these devices without modification.

BitLocker feature has support for Encrypted Hard Drives.

Currently, manufacturers ship a solution known as Self-Encrypting Drives (SEDs); these are different from Encrypted Hard Drives.

BitLocker can provide management (Microsoft BitLocker Administration and Monitoring [MBAM]) and additional protectors if desired.


Benefits of Encrypted Hard Drives

Better performance

Strong security based in hardware

Ease of use

Lowers cost of ownership


Encrypted Hard Drive Usage

For Encrypted Hard Drives used as data drives: the drive must be in an uninitialized state.

The drive must be in a security inactive state.

For Encrypted Hard Drives used as boot drives: the drive must be in an uninitialized state.

The drive must be in a security-inactive state.

The system must be UEFI 2.3.1 based.

The system must have CSM disabled in UEFI.

The system must always boot natively from UEFI.


Installing to Encrypted Hard Drives

Deploy from media: automatically encrypted

Deploy from network or deploy from WDS: the Enhanced Storage component needs to be included and configured in Unattend.xml

Disk duplication: disks must be partitioned using Windows 8 setup tools

Images made using disk duplicators will not work


System Partition Layout

Extensible Firmware Interface (EFI) System Partition

Standard System Partition


What is a Trusted Platform Module?

Preparing the TPM: the TPM setting must be enabled in the BIOS/UEFI firmware.

Windows 8 offers the ability to prepare the TPM without physical presence. Note: this does not apply to all TPMs.

For computers that do not support automatic preparation, physical presence is required.


BitLocker Enhancements: Microsoft BitLocker Administration and Monitoring (MBAM) 2.0

MBAM is part of MDOP (Microsoft Desktop Optimisation Pack), available with Software Assurance. Best practice is to use MBAM wherever possible.

Goal: reduce the costs of provisioning BitLocker, simplify the provisioning process and help maintain higher levels of compliance

These were based on the top customer pain points

Features: self-service recovery portal for users; better maintenance and enforcement of compliance (complex PIN support, etc.); integration with existing management infrastructure (SCCM)

Hardware Security in Windows 8

New Hardware Considerations for Windows 8

Boot Process Changes in Windows 8


New Hardware Considerations for Windows 8: UEFI

Windows Runtime

SoC

Encrypted hard drives

USB support


Unified Extensible Firmware Interface (UEFI)

Replacement for BIOS-based hardware

Support for UEFI started in Windows 7

Acts as a shell with application and driver support before loading the operating system


UEFI Classes

Four classes of UEFI hardware; Class 2 and Class 3 machines are most common.

Class 2 uses a hybrid BIOS/UEFI implementation using a Compatibility Support Module (CSM).

Class-3 hardware uses UEFI only and does not have a BIOS mode.

Class 3 systems reach POST faster than UEFI+CSM enabled systems.

Class 3 hardware is required for several features in Windows 8 and Windows Server 2012.
