MMS 2013 フィードバックセッション( クライアント編 )日本マイクロソフトクラウド & ソリューションビジネス統括本部シニアテクノロジースペシャリスト青木祐二

アジェンダ• Windows 8• デバイス管理 (SCCM / Windows Intune)• MDOP (MBAM, App-V, UE-V)• VDI

Windows 8

Windows 8 関連セッション (1/2)セッション ID セッションタイトル

DC-B301 A Geek's Guide to USMT 5.0

DC-B302 Demonstrations of Assessment and Deployment Kit Tools

DC-B303 Advanced Microsoft Deployment Toolkit 2012 Update 1 Customizations

DC-B304 Implementing the Windows To Go Concept in an Enterprise Environment

DC-B305 Application Compatibility for Windows 8

DC-B306 Building the Perfect Windows 8 Image

DC-B308 Deploying Windows 8 Using Lite Touch

DC-B310 Develop a Successful Flexible Desktop Strategy in Today’s Digital Era

DC-B311 Windows Sysinternals Primer

Windows 8 関連セッション (2/2)セッション ID セッションタイトル

DC-B315 Internet Explorer 10 Administration

DC-B316 Real World Windows 8 Deployment with MDT 2012 Update 1

DC-B317 Deploying Windows To Go in the Real World

DC-B318 What's New in Windows 8 Deployment

DC-B319 Windows RT in the Enterprise

DC-B320 Windows Store Apps: Enterprise LOB App Deployment Scenarios

DC-B401 Advanced Automation Using Windows Powershell

DC-B402 Windows 8 Security Internals

• Windows 8 の導入 / 展開 / 移行 / 互換性• Windows To Go の展開• Windows ストアアプリの展開• Windows RT の企業内利用• Internet Explorer 10

Windows 8 関連セッション サマリ

What's New in Windows 8 Deployment Michael NiehausSenior Product Marketing ManagerMicrosoft

DC-B318 Windows 8 の展開に関連したツールや依存するコンポーネントを説明

Windows 8Current observations:

15 minutes goes to 10 when using new Windows PEWindows Vista takes over 30 minutes for a clean install (no integration components)…

Windows 7•Image size:•1.97GB image (WIM), 7.87GB expanded

•Installation time (new):•15 minutes*•Upgrade time (from Vista):•30 minutes

Windows 8•Image size:•1.96GB image (WIM), 7.76GB expanded

•Installation time (new):•10 minutes•Upgrade time (from Windows 7):•20 minutes

Windows 8: UEFI is importantNew disk layoutGPT instead of MBRRequires multiple partitionsBCD is not on diskRequires FAT32 boot partition, media

New version for Windows 8 logo machinesUEFI 2.3.1Faster POST, faster bootWill be able to support PXE

No cross-platform deploymentsNeed to use matching boot image (even for ConfigMgr)x64 machines won’t support x86 OS via UEFI boot

Windows 8: Hyper-V Client HypervisorJust like the server version, with specific hardware requirements:Windows 8 64-bit4GB RAM or moreHardware-assisted virtualizationSecond-level address translation (SLAT) support

Not required on Windows Server 2012 (except for RemoteFX), just Windows 8

Tools can detect SLAT:Coreinfo from http://www.sysinternals.comMDT 2012 (via WMI) “SupportsSLAT”WMI on Windows 8 and Windows PE 4.0, Win32_Processor property SecondLevelAddressTranslationExtensions

Windows 8: Slates and tabletsNew deployment challenges:No keyboardTouch screen-onlyOften no wired networking

Expected usage:Attach a USB keyboardUse an Ethernet dongle or USB storage

Windows 8: Assessment and Deployment KitADK is the new Windows AIKAll core Windows 8 deployment tools are now part of the “Assessment and Deployment Kit” (ADK)Everyone will be able to download the ADK from the Download CenterNo ARM tools will be available, therefore MDT will not support ARM

Cannot (should not) coexist with Windows AIKCan only be installed on Windows 7, Windows Server 2008 R2, and later OSes

Windows 8: Windows AIK vs. ADK

Windows AIK

•Windows PE 3.x•USMT 4.0•Windows System Image Manager•DISM•ImageX

ADK•Windows PE 4.0•USMT 5.0•Windows System Image Manager•DISM•ImageX*•Application Compatibility Toolkit 6.0•Volume Activation Management Tool•Windows Performance Toolkit•Windows Assessment Toolkit

* ImageX is “deprecated,” replaced by DISM

Windows 8: USMT 5.0Adds support for Windows 8, while still supporting Windows XP as a sourceYou might need multiple versions:

New store verification and recovery tool/UE and /UEL now work togetherFor more detailed information, see: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-for-windows-8-consumer-preview.aspx

Windows XP Windows Vista

Windows 7 Windows 8

Windows XP USMT 3 USMT 4 USMT 4, 5 USMT 5

Windows Vista

Not supported

USMT 4 USMT 4, 5 USMT 5

Windows 7 Not supported

Not supported

USMT 4, 5 USMT 5

Windows 8 Not supported

Not supported

Not supported

USMT 5

Windows Store Apps: Enterprise LOB App Deployment Scenarios Michael NiehausSenior Product Marketing ManagerMicrosoft

DC-B320Windows ストアアプリの展開をDemo を中心に説明

Windows Store apps

Install via an “Enterprise App Store” using:• System Center 2012 Configuration

Manager SP1• Windows Intune

Provision using the Microsoft Deployment Toolkit 2012 or DISM• Include in sysprepped image• Customize Start screen layout

ProvisioningInstallation

Register the application for the userAlways per-userDoes not require administrator rightsSide load or from the Windows Store

Register application on the computerInstall automatically for each userSide load onlyRequires administrator rights

Enterprise side loading requirements• Windows 8 Enterprise, domain joined or with a separate side load product key • Windows 8 Pro or Windows RT, with a separate side load product key

Demo

Doing it the manual (hard) way

The manual wayThings to Remember

Prerequisites must be met:Set the Allow All Trusted Apps policyImport any needed trusted root certificatesEnable sideloading (automatic with Windows 8 Enterprise when domain joined)

PowerShell and DISM commands do the workSee http://technet.microsoft.com/library/hh852635.aspx for more information

Using ConfigMgrThings to Remember

Windows Store apps install per userCannot be installed via a task sequenceNo native support for provisioning apps, but this can be done using standard software distribution and custom command linesUse the App Catalog web site to enable self-service installation of Windows Store apps“Deep links” can be used, but the user must still log in with a Microsoft Account and click “Install”

Requires ConfigMgr 2012 SP1

Using Windows IntuneThings to Remember

Enables self-service app installationPublish apps to the Company App Portal (Windows Store app)Users can “pull” apps from the cloud, but no IT-driven “push”Requires setting up DirSync, best with single sign-on

Requires Windows Intune wave D (January release)

Windows RT in the EnterpriseMichael NiehausSenior Product Marketing ManagerMicrosoft

DC-B319Windows RT を企業で利用した場合のシナリオを説明

Choosing a Business Tablet

Windows 8 tablets with Intel

Core64-bit processors

Windows 8 tablets with Intel

Atom32-bit processors

Windows RT tablets with ARM

processors

What capabilities are needed?

CAPABILITIES CHOICE OF TABLETS

Mobility Best Mobility: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets

Workload More Intensive Workloads: Windows 8 Tablets with Intel Core processors

Apps

Desktop Apps: Windows 8 Tablets with Intel Core or Intel Atom processors

Dedicated LOB Apps: Windows 8 Tablets with Intel Core or Intel Atom processors or Windows RT Tablets

Connectivity

Best Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors running Windows 8 Enterprise (DirectAccess)

Occasional Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors that can automatically sync files using SkyDrive or SkyDrive Pro

Through VPN Connections: All Windows 8 and Windows RT* tablets

Always On: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets

Manageability

Full Manageability: Windows 8 Tablets with Intel Core or Intel Atom processors

Simple Manageability: All Windows 8 or Windows RT Tablets managed by Windows Intune

Governance: All Windows 8 and Windows RT Tablets with Exchange ActiveSync policies

Windows 8 Tablets with Intel Core Processors

Windows 8 Tablets with Intel Atom Processors

Windows RT Tablets with ARM Processors

Know the Choices of Windows-Powered Tablets

1

MobilityWeight | Battery Life

WorkloadCasual | Intensive

AppsDesktop apps | Windows Store appsLOB apps | Remote apps

ConnectivityCorporate Access | Always On

ManageabilityFull | Simple | Governance

Determine Customer’s Device Needs

2 Choose a Device Based on Capabilities 3

Connectivity

VPN connection• Inbox VPN client for Microsoft server is included• Inbox VPN client can interoperate with 3rd party VPN servers via

PPTP, L2TP, and IKEv2.• Multiple ways of configuration (client UX, scripts, or management

infrastructure)

Multi-factor authentication• Smartcard (PIV, GIDS)• Virtual smartcard

• Easy-to-deploy and cost effective way of enabling strong multi-factor authentication

Data and App Access

RemoteApp• Grant access to line-of-business applications and data • Seamlessly launch apps from Windows RT• Secure corporate data: avoid storing enterprise data on

consumer devices• Ensure compliance requirements

VDI• Full VDI experience supported

• Rich experience everywhere (RemoteFX, USB redirection, Multi-touch remoting)

• Best value for VDI (Fairshare)• Efficient management

Security and ManageabilitySecurity capabilities on Windows RT devices• Secured Boot, Trusted Boot• Device Encryption• Picture password, Credentials Locker• Windows Firewall, Windows Defender• NAP (Network Access Protection) supported

Governance through Exchange ActiveSync (EAS)*• Password requirements (e.g., password complexity, picture

password, device lock, password expiration etc.)• Multiple EAS accounts & settings• Report on device encryption status• Remote Content Wipe (by user or admin)

* Enabled through Mail app

Security and Manageability

Cloud-based management with Windows Intune• Single pane-of-glass administration through System Center Configuration

Manager 2012 SP1• Features:

• Distribute and manage new Windows apps (via sideloading)• Push configurations (e.g., VPN config)• Enforce more governance settings• Ensure compliance (e.g., monitor security settings) • Collect inventory information (e.g., which LOB apps are installed)

Diagnostics and troubleshooting• Windows PowerShell supported

• Scripting language, cmdlets, providers, and management capabilities • .NET Scripting tailored for power and reliability

Internet Explorer 10 AdministrationFred PullenSenior Product Marketing ManagerMicrosoft Corporation

DC-B315

Internet Explorer 10 Administration

Customizing the Browser

Browser Management

Deployment Methods

App Compat

Common Browser Customizations

Title bar, branding, graphics

Connection settings

Add-on components

Security settings

Preset web pages / links

IE Administration Kit (IEAK)Contains the Internet Explorer Customization Wizard 10 to create custom versions of IE10.

Group Policy Settings in IE10

For more information, see TechNet Library content: Group Policy Settings in Internet Explorer 10

~1500Group Policies total for

supports of all versions of IE

28New Group Policies

for Internet Explorer 10

Default Browser

Notify users if Internet Explorer is not the default web browser

Adobe FlashTurn off Adobe Flash in Internet Explorer

and prevent applications from using Internet Explorer technology to

instantiate Flash objects

Search Tool for Group Policies

• MSDN Search Tool for Group Policies: http://gpsearch.azurewebsites.net/

• Various tree views for Group Policies

• Filter based on various IE, Windows, and Office versions

• Added support for Windows 8 and Windows Server 2012

Device Management(SCCM / Intune)

デバイス管理 関連セッション (1/4)セッション ID セッションタイトル

UD-B201 Hierarchy Simplification with Configuration Manager 2012

UD-B301 Application Delivery with System Center 2012 Configuration Manager SP1 and Windows Intune

UD-B302 Reduce IT Energy Waste and Implement PC Power Management

UD-B303 Augmenting Your Windows Management Strategy with System Center 2012 Configuration Manager Task Sequences

UD-B304 Boundaries in System Center Configuration Manager 2012

UD-B305 How Microsoft IT Uses System Center Configuration Manager 2012 SP1

UD-B306 Notes From the Field: Complex and Massive Configuration Manager Migrations

UD-B307 Compliance Settings and Control End–User Installed Software

UD-B308 Advanced Infrastructure for System Center 2012 Configuration Manager SP1

UD-B309 Deploying and Configuring Mobile Device Management Infrastructure

デバイス管理 関連セッション (2/4)セッション ID セッションタイトル

UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1

UD-B311 Deploying System Center 2012 Configuration Manager SP1 With Windows Intune

UD-B313 Documentation, Disaster Recovery, and Using Scripts as Time Savers

UD-B314 Replacing BIOS With a UEFI Deployment

UD-B316 Migrating From Configuration Manager 2007 to Configuration Manager 2012

UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1

UD-B318 Managing Embedded Devices with Configuration Manager 2012

UD-B319 How Microsoft IT Upgrades System Center Configuration Manager 2012 Hierarchy with System Center Orchestrator Automation

UD-B320 Configuration Manager 2012: MVP Experts Panel

UD-B323 Software Deployments: From GPO–Based to Configuration Manager

デバイス管理 関連セッション (3/4)セッション ID セッションタイトル

UD-B324 SQL Server 2012 for System Center Administrators

UD-B325 System Center 2012 Configuration Manager SP1 Overview

UD-B326 Managing Third Party Updates with System Center 2012 Configuration Manager SP1

UD-B327 The WHY of Configuration Manager: Methods of Deployment

UD-B328 The Top Ten Lessons Learned in Managing SQL & Reporting

UD-B329 Top Shops: Field Notes from IT Departments That Rock

UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management

UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1

UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design

UD-B335 Windows Intune Overview

デバイス管理 関連セッション (4/4)セッション ID セッションタイトル

UD-B338 Reporting in System Center 2012 Configuration Manager SP1

UD-B340 System Center 2012 Configuration Manager SP1 Case Studies and Migration Experiences

UD-B341 Complex Maintenance Using System Center 2012 Configuration Manager and Orchestrator: Patching a Cluster

UD-B342 Configuration Manager 2012 and Orchestrator 2012

UD-B343 Deploy All of System Center: Two Real World Examples

UD-B344 Becoming a Windows Intune IT Administrator: A Real-World Perspective

UD-B391 Large Scale System Center Configuration Manager Environments: Challenges and Solutions

UD-B392 The MMS 2013 Treasure Hunt: Hidden Gems & Diamonds in Configuration Manager 2012

UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting

UD-B404 Migration Best Practices from System Center Configuration Manager 2007 to 2012

• モバイルデバイス管理 (Windows Intune 連携 )• 個別機能詳細

• SQL レポート , アプリケーション配布、コンプライアンス設定、電源管理Mac & Linux 管理、 Windows Embedded 管理

• SCCM サイトアーキテクチャ• SCCM 2007 から SCCM 2012 への移行• SCCM / SCO 連携• MSIT 事例

デバイス管理 関連セッション サマリ

Simplifying Management Across Platforms

Devices & Platforms

IT

Single adminconsole

Windows PCs(x86/64, Intel SoC),

Windows to GoWindows Embedded

AndroidMac OS X

Windows RT Windows Phone 8

iOSAndroid

Mobile Device Management with Configuration Manager 2012 SP1 and Windows IntuneCraig Morris, Brett FleggSenior Program Manager, Principal DeveloperMicrosoft

UD-B309

Enabling users to be productive, responsiblyFinding the right balanceDevices & Experiences Users Want

Applications and data across devices, anywhere

Empower User Productivity

Unified Management Infrastructure

Common IdentityAccess and Information Protection

Controlled access to data with seamless authentication

Unified Device Management

• Single management interface• Integrated security and

compliance• Improve IT efficiency• Reduced infrastructure complexity

Unified Management Infrastructure

+

Empower User Productivity

• Device choice• Application self-service• Personalized application

Experience• Non-intrusive management

MDM Features and Platforms

Configurations for MDM:• Windows Intune standalone• ConfigMgr 2012 SP1 +

Windows Intune Subscription

New Platforms• Windows RT• Windows Phone 8• iOS (5.x, 6.x)• Android (2.1 and later)

Features• Over the air device enrollment*• User-targeted available app

deployment• User and device settings

management*• Device inventory*• Remote device retirement*• Remote device wipe*

*Android features managed by-proxy through the Exchange Connector

Enrollment failure causes• Admin has not configured mobile device management• Admin has not enabled enrollment for specific device types• User is trying to enroll several devices at the same time or has

more than 20 mobile devices in the system• User is not provisioned by their IT admin• Windows Phone 8 Only: WP8 code signing certificate not

configured properly • iOS only: Apple Push Notification Service certificate is not

configured or expired. Or device is not running iOS 5.0 +

Application Delivery with System Center 2012 Configuration Manager SP1 and Windows IntuneDilip RadhakrishnanSenior Program Manager Microsoft Corporation

UD-B301

Heidi ChengSenior Program Manager Microsoft Corporation

主に SP1 で追加サポートとなったデバイスへのアプリ配信をカバー

Application Management ChallengesDeploy new OS and apps to PCsNew applications for Windows 8Need to learn new concepts and differences between Windows 8 & Windows RT for both IT Pros and End users

Deploy apps across mobile OS platformsiOS, Android, Windows RT, Windows Phone 8Deal with unique constraints imposed by each platform’s app concepts

Application MaintenanceDevice switch scenarioDevice lost/stolen, User role change/retirement

End user experienceApp discoverabilitySelf service

ConfigMgr 2012 Application Model

•Metadata about the application•Deployed to machine and user collections• Contains one or more deployment types

Adobe Reader(MSI)

Application (e.g. Adobe Reader)

XenApp(with XenApp Connector)

Adobe Reader(APPX/ Windows Store

Link)

Deployment Types• Windows Installer (MSI)• App-V • Windows Script• Windows Mobile (CAB)• Nokia (SISX)• XenApp (from Citrix)• Windows app packages• Windows Phone• App-V 5.0• iOS• Android• Mac OS X

Adobe Reader (App-V)

Windows8/Windows RT

Windows Phone 8

iOS Android Mac OS X

Install *.appx *.xap *.ipa *.apk *.DMG*.MPKG*.PKG*. APP

Deep links to the store

Application Model Changes in SP1

New Deployment Types for New OS Platforms

Other enhancementsSupport for App v 5.0

End User ExperienceConsistent self service experience for end user across mobile platforms

Native Windows app package (.appx)

Available in the Windows Store

Windows Phone 8 Company Portal

iOS/Android Company Portal

Native Windows Phone 8 app (.xap)

Needs to be sideloaded

Web based portal Hosted in Windows

Intune

Windows RTCompany Portal

How Microsoft IT Uses System Center 2012 Configuration Manager SP1

Shitanshu Verma: Service Engineering ManagerKarthik Jayavel: Service Engineer

UD-B305

Features and Solutions Used

• Intune Connector

User Centric Application Delivery

Macintosh Client Management

Orchestrator Runbooks

Modern Application Distribution

Software Update Point List

Automatic Client Deployment

Unified Management Infrastructure @ Microsoft IT

Redmond Site 175k

Clients

Redmond Site 275k

Clients

North & South

America35k Clients

Europe, MidEast, Africa

40k Clients

Australia & Asia

75k Clients

Unified Device MgmtSite

~98K devices *

MS Online Directory Services (MSODS)

Active Directory

Federation Server 2.0

MS Online Directory

Sync (DirSync)

ADUser

Discovery corp domains

Intune Subscriptio

n

Connector Site role

Infrastructure• 6 Primary Sites• 13 Secondary Sites• 250 Distribution

PointsPCs & Devices• ~300,000 clients• ~125k mobile

devicesUsers• ~98k FTEs• ~82k Vendors

*projected device count

Unified Device Management Scope @ MSIT

AndroidEAS Only

Native Management Scope

Windows Phone 8• Current: 140• Planned: 24k

Windows RT• Current: 35• Planned: 19k

Apps Published• 9 WP8 LOB • 1 Deep Linked

Apps Published• 12 WinRT Apps • 2 Deep Linked

Device Enrollments and Modern Apps

Unified Device Management Solution @ MSITDevice Management• Windows PCs, Mac’s: ConfigMgr SP1• WP, Android, Smart Phones, etc: EAS • WP8, WinRT, iOS: Intune (native mgmt.)

Unified Management• ConfigMgr 2012 SP1 on-prem infra• Windows Intune Wave D cloud• Exchange connector (reporting)

Administrative Experience• Single pane of glass and simplified administration • Managed via ConfigMgr console

Single pane of glass

EAS EAS

SP1

Simplified Administration

Wave D Beta

Microsoft IT Unified

Management Infrastructur

e

Administrative Experience

Windows RT, Windows Phone 8,

iOS

Windows Phone, Android, Smart Phones,

etc

Mac OSWindows PCs

(x86/64)

Devices

Unified Device Management ArchitectureUnified Management @ MSIT

Unified Device Management

Note Worthy Items• Device scale – 100k user limit• Company portal and WIPE scenarios evaluated for Windows Phone 8 and Windows

RT devices• Corporate Security EAS policies enforced via Settings Management • Exchange connector used to consolidate inventory and merge device records• End user education provided via enrollment and Microsoft IT work smart guides• Created FAQs and support guides for Help Desk and Microsoft Tier 2 support teams• Developed custom inventory reports to provide a consolidated view of enrolled

devices• Microsoft IT broad device management communications/enrollments planned for

June 2013 Wednesday, April 10, 2013 | 2:45 PM - 4:00 PM UD-B311- Deploying System Center 2012 Configuration

Manager SP1 With Windows Intune

More In Depth Session: UD-B311

Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1

Jeffrey SutherlandPrincipal PM Manager

Hassen KaraaSenior Program Manager

UD-B317

Supported Operating Systems

Microsoft Confidential

Mac Client Linux Server UNIX Server

OS X Red Hat SUSE AIX HP-UX Solaris

Configuration Manager2012 SP1

Endpoint Protection2012 No Plans

Architecture Overview – Agent for UNIX/Linux

Agent for UNIX/Linux

CIM Server

Provider 1 Provider 3

PAL (Platform Abstraction Layer)

ConfigMgr

Provider 2

OS Resources

Equivalent of ccmexec.exe in Windows

Equivalent of the WMI service in Windows

Equivalent of WMI providers in Windows

Native ConfigMgr communication with Agent

ConfigMgr 2012 SP1 Mac supportFeaturesDiscovery – Find Mac’s in Active Directory and the NetworkHardware Inventory – Inventory and audit Mac OS X machinesSoftware Inventory – Determine list of installed software Settings Mgmt - Ensure Mac OS X machines comply with company policiesApplication Deployment- required/push software distribution via app modelSoftware Updates Mgmt – via Software Distribution and Settings mgmt.

Out of scopeSelf Service Software Portal – Ability for user to select what software to installOperating System Deployment Remote Control -> achieved through Lync (desktop sharing), or other 3rd party solutions

System RequirementsClient platforms:Mac OS X 10.6 (Snow Leopard)Mac OS X 10.7 (Lion)Mac OS X 10.8 (Mountain Lion)

Server requirementsRequires ConfigMgr 2012 SP1 serverNo special infrastructure needsUses https in device mode to access Management Point

Microsoft NDA Confidential

Architecture components

User context:CCMAgent (launchagent)

ConfigMgr Notifications UXPreference Pane

System context:CCMClient daemon

Mac OS X

Management Point

Distribution Point

1. PoliciesSSL

2. Content over SSL

ConfigMgr SQL Database

Compliance inventory through

state system

File Server containing CMAppUtil

generated cmmac files

Site Server

Configuration Manager 2012 and Orchestrator 2012Steven RachuiSenior Premier Field EngineerMicrosoft

UD-B342 SCCM / SCO の連携によるクライアント関連操作の自動化

• Application Deployment• Task Sequencing/OSD• Compliance Settings• ConfigMgr Client Install

ConfigMgr and Orchestrator in Action

Demo

Steven Rachui

Application DeploymentApp ModelPackages

OSD and Orchestrator

Demo

Steven Rachui

Task Sequencing/OSDUser Initiated Imaging

Runbooks via Task Sequence

Demo

Steven Rachui

Compliance SettingsEnhanced Remediation

Demo

Steven Rachui

Client InstallUnix/Linux

Configuration Manager... ActuallyJason Sandys Kim OppalfensPrincipal ConsultantCatapult Systems Inovativ

UD-B408SCCM フォーラムなどで、よく問い合わせのある機能 ( 境界 , クライアント ID など ) について説明したセッション

Overview

Five issues, commonly addressed on the forums and mailing lists

Boundaries

Client identity

Business hours and maintenance windows

Deployment type evaluation

Upgrade to SP1

Boundaries: common questionsWhat type of boundary should I being using?Why are my resources not being assigned to my site?Should I use a site assignment boundary group for my secondary site?Why won’t my content download?

Boundary usage

Are

used for

•Content location by clients•Auto-site assignment by clients•Secondary site MP location

Are not used for

•Primary site MP or SUP selection by clients•Internet clients•Any server side processes•Client site re-assignment

ID overload

Security Identifier (SID)• Used by Windows• Known to AD and local

system but never used by anything except local client*

• Uniquely generated for each Windows system

• Not used by ConfigMgr to generate GUID

Globally Unique Identifier (GUID)• Used by ConfigMgr• Uniquely generated

by the ConfigMgr client agent

• Known to ConfigMgr site and client

• “Secret” generation process

Hardware Identifier (HWID)• Generated by

ConfigMgr client agent to uniquely identify hardware

• Known to ConfigMgr site and client

• Helps identity systems that have been “reimaged”

Resource ID• Sequential ID

known only to the site

• Used for nearly all client centric activity

Client certificate• Used to

generate new client GUID

MDOP

MDOP 関連セッションセッション ID セッションタイトル

DC-B312 What's new with Windows 8 BitLocker and Microsoft BitLocker Administration and Management 2.0

DV-B305 Better together: Application Virtualization 5.0 & Office

DV-B306 Microsoft Application Virtualization 5.0: Migration and Coexistence

DC-B307 Deploying and Managing Virtual Applications and Settings with System Center and MDOP

DV-B306 You can still tweet that140 Characters to move from App-V 4.6 to App-V 5.0

DV-B307 How to Manage and Deploy Microsoft User Experience Virtualization Across an Enterprise

DC-B321 Making PC Recovery Easier with the Microsoft Diagnostics and Recovery Toolset

DC-L301 Advanced Group Policy Management (AGPM) 4 SP1

What's new with Windows 8 BitLocker and Microsoft BitLocker Administration and Management 2.0Paul MacKnightSenior Program ManagerMicrosoft

Lance CrandallProgram ManagerMicrosoft

DC-B312

What is Microsoft BitLocker Administration and Monitoring?MBAM 1.0 objectives:

MBAM 2.0 improved 1.0 functionality and adds additional focus on:

“We can use MBAM v1.0 to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our

employees or IT staff.” Bob Johnson Director of IT, BT U.S. and Canada

Improving compliance and security

Integrating with existing systems (e.g.:

SCCM)

Reducing costs(e.g.: Self Service,

Simplified

Deployment)

Simplify provisioning and deployment

Provide reporting (e.g.:

compliance & audit)

Reduce costs(e.g.: Simplified

Recovery)

MBAM 2.0 Release PillarsConfiguration

Manager Integration

Compliance reporting integrated to CM environmentHardware compatibility & targeting via CM collectionsOffload MBAM client reporting workload to CM client

Windows 8 Support

Windows 8 Enterprise support Non-TPM / Windows To Go SupportBitlocker Pre-Provisioning support

Self ServiceInformation Worker able to retrieve Recovery Key via PortalRecovery Keys protected with Access ControlAuditing of all Recovery Key access

Customer Feedback

More pre-req flexibility (TDE, SPNs, SQL Server)Improved encryption flow & Smarter compliance calculation Improved scalability and performance

Configuration Manager

Configuration Manager Integrated Architecture

Active Directory Domain Services &

Group Policy Infrastructure

GPO RecoveryWeb Service

Web Services

Audit

SQL Database

Management Console

SSRS

HelpDesk Portal

Client Computer

Self-service Portal

Portals

Self-service Web Service

Recovery

MBAM Clientand BitLocker

Admin Web Service

ConfigMgrDatabase

Compliance

ConfigMgr Agent

Supported SoftwareStand Alone and Configuration Manager Mode

SQL Server:• SQL 2008 R2 Standard edition or greater w/SP1• SQL 2012 Standard edition or greater RTM / SP1

Server OS:• Windows Server 2008 SP2

Standard/Enterprise/Datacenter• Windows Server 2008 R2 SP1

Standard/Enterprise/Datacenter• Windows Server 2012 Standard/Enterprise/Datacenter

Client OS:• Windows 7 Ultimate, Enterprise w/SP1

(x86/x64 )• Windows 8 Enterprise (x86/x64 )• Windows 8 Windows to Go

System Center Configuration Manager:• Configuration Manager 2007 w/SP2• Configuration Manager 2012 w/SP1

Better together: Application Virtualization 5.0 & OfficeEle OcholiProgram ManagerMicrosoft

DV-B305

App-V and Office: a history

KB based sequencing recipe

Office Package Accelerator

RecipeIntegration via Deployment Kit

Office 365 ProPlus (Click-To-Run) Package with no sequencing

Office 2010 now supported

2006: Acquired

2008: App-V 4.5

2010: App-V 4.6

2011: App-V 4.6 SP1

2013: App-V 5.0

Integrated Platform• Virtual applications work like installed applications• Virtual applications use Windows standards • No dedicated drive letter required

App-V 5.0 Pillars

Powerful Management• New web-based management interface• One management workflow for desktop, VDI and RDS• Rich PowerShell scripting allows automation and customization

Flexible Virtualization• Multiple App-V applications can share the same virtual environment• Designed to support highly integrated applications• Preserve existing investments in App-V

Optimizing App-V

App-V 4.6

Uses dedicated drive letter (Q: drive)4GB package limitIsolated from local applicationsShare middleware with Dynamic Suite CompositionRead-only Shared Cache supports VDI/RDS environmentsLimited command-line scriptingInstalled management console

App-V 5.0

No dedicated drive letter requiredNo 4GB limitVirtual Application ExtensionShare peer applications with Virtual Application ConnectionShared Content Store can be updated with normal App-V workflowRich PowerShell scripting for sequencer, client and serverWeb-based management

A Revolution for App-V Customers

Easy to build App-V packageNo sequencing requiredNo deployment kit requiredIntegrated with local applications

EXE

A Revolution for App-V Customers

Easy to build App-V packageNo sequencing requiredNo deployment kit requiredIntegrated with local applications

EXE

Office desktop apps delivery in the new Office App-V 5.0

MSI-based Click-to-Run Office on Demand Better together

Packaged Software Software as a Service Software as a Service On Premises Service

Sign-in optional Works without SkyDrive Pro Requires SkyDrive Pro Works without SkyDrive Pro

Service Pack + Updates Updates controlled by admin Always up-to date Updates controlled by Administrator

Granular install-time controls (OCT) Fewer install-time controls + GPO Always same configuration Granular install-time controls

Software Assurance Subscription upgrade rights Subscription upgrade rights Subscription upgrade rights

Classic control is the key feature Offline is the key feature Roaming is the key feature Virtual app connections and groups

Fully installed to the machine Fully installed to the machine Transient state Granular configuration

No CTR support; App-V & TS Fast product streaming Fast product streaming Publish apps before they are streamed

Full functionality Full featured Office Excludes some Office features Features controlled by Administrator

Full Add-in support Native Add-in support like MSI No Outlook, OneNote, or Lync support GPO support, Add-ins sequenced

Group Policy management Group Policy management No add-in or GPO support Admins can deploy any combo of apps

Available for use offline Available for use offline Not intended for offline use Available for use offline

Licensed per device Licensed per user (5x) Licensed per user (Unlimited uses) Licensed per user

Device-based Subscription only Subscription only Subscription only

Sign-in optional Sign-in required Sign-in required Sign-in required

Requires admin rights to install Requires admin rights to install No admin rights required No admin rights required

Start Menu shortcuts Start Menu shortcuts No Start Menu shortcuts Start Menu shortcuts

Added to Add/Remove Programs Also in ARP Not in ARP Not in ARP – track via App-V reporting

Customizations via OCT, GP, config.xml and add-ins

Customizations via config.xml, Group Policy and add-ins

No customizations Customize with Dynamic Configuration

Comparing Office Delivery Types

Office 2010 on App-V 5.0Office Sequencing Kit for App-V 5.0App-V 5.0 Package Accelerators for Office ProPlusOffice Deployment Kit for Office 2010 still neededParity with Office 2010 on App-V 4.6Fast search in virtualized Office 2010 using Windows Desktop SearchAbility for virtualized Office 2010 applications to open, edit, and save Office files hosted with Windows SharePointSearch indexing support for Office file typesURL protocol redirection to virtualized Outlook 2010Print to virtualized OneNote 2010Mail Control Panel applet for virtualized Outlook 2010

Microsoft User Experience Virtualization: How to manage and deploy UE-V across an enterpriseTim CrabbSr. Program ManagerMicrosoft

DV-B307

Personal & flexible

App and OS personalization roam across Windows Syncs are smart and logins are fast Application or OS reconfiguration not required

Templates automate identification of settings location Custom templates define which applications should roam settings Ability to roll back settings to initial state

Use existing tools to simplify deployment ConfigMgr 2012 DCM pack to keep client configuration consistent Seamlessly integrates with Microsoft Desktop Virtualization products

Simple& versatile

Integrated & scalable

Change the Device, Keep the Experience

• Granular control - choose the settings to roam• OS settings • Application settings

• Mixed desktop environments – physical & virtual• Traditional desktops• Virtual desktops

• Mixed application environments - physical & virtual• Traditional applications• Virtual applications – App-V 4.6 and 5.0

When to use UE-V

How does UE-V compare to other User State solutions from Microsoft

Feature Roaming Profiles

Windows 7

Roaming Profiles

Windows 8

Microsoft Account

UE-V

Roam settings between multiple computers

Roam settings between physical and virtual apps

Roam Windows 8 application settings

Manage via WMI

Sync settings changes on a regular basis

Little configuration needed to setup

Supported on non-domain joined machines

Supports Primary Machine AD attribute

Roams settings between VDI/RDS and rich desktops

Unlimited setting storage space

Choice in which app settings to roam

1

1 App Settings

2 Agent Hook

2

3 Settings Package Sync

4 Collect &Apply Settings

34

TechNet - UE-V Architecture

• Installed by default with the agent• Built and supported by Microsoft• The in-box templates are for the following:

In-Box Templates

Applications: Office 2010 & 2007 Browser Options

(IE8, IE9 & IE10) Windows

Accessories WordPad Notepad Calc

Windows Settings: Desktop Settings:

Start Menu Taskbar Folder Options Region &

Language Background

Ease of Access Settings

Desktop Virtualization

デスクトップ仮想化 関連セッションセッション ID セッションタイトル

DV-B291 Microsoft Server 2012 Desktop Virtualization (VDI) on Dell Active Infrastructure

DV-B301 Designing a Virtual Desktop Infrastructure Architecture for Scale and Performance

DV-B308 Optimizing Windows 8 for Virtual Desktop Infrastructure

DV-B310 What's New in Windows Server 2012 Virtual Desktop Infrastructure and Remote Desktop Services

DV-B308: Optimizing Windows 8 for Virtual Desktop InfrastructureDoug KlokowSolution ArchitectMicrosoft

Carl LubertiPremier Field EngineerMicrosoft

Which Windows Edition for the Guest OS?Windows 8 Professional or Enterprise?

“Remote Computers running Windows 8 Enterprise provide the best user experience and support all management features. Therefore, Windows 8 Enterprise is the only supported edition for use with Windows Server 2012 virtual desktop collections (VDI).”Source: http://blogs.msdn.com/b/rds/archive/2012/11/26/remotefx-features-for-windows-8-and-windows-server-2012.aspx

Feature Windows 8 Pro

Windows 8 Enterprise

Windows 7 Enterprise (with RDP

8.0)

Ability to use RemoteApp

RemoteFX Multi-Touch

Advanced Device Redirection Features (RemoteFX USB & PnP redirection)

User Profile Disk

RemoteFX virtual Graphics Processing Unit (vGPU)

Memory AllocationDynamic memory will handle fluctuating demands for memory within a specified range

Recommended Minimum 1GB

Maximum based on workloadSmall -> 1.5 to 2GBMedium -> 2GB to 3GBLarge -> 2GB to 4GB (or more)

Consider using Blade Servers for Extra Large workloads

NOTE: If you require VDI groups with different maximum memory multiple client collections will be required.

Disk Size and PartitionsOSDisk drive size of the Virtual Desktop is impacted by the following factors:Pooled versus Personal VDI

Pooled range from 22GB to 40GBPersonal range from 40GB to 65GB

Virtualization Readiness of ApplicationsCompatibility – can the application be virtualized?Performance – Are there adverse performance impacts associated with a virtualized application versus a traditionally installed MSI?If the application is not virtualized, will it be installed local to the guest VM?

OSDisk Size for Windows 864-bit32-bit

Increase of ~2.2 GB when using 64-bit

Notes• These figures are before optimization efforts are complete• Windows Update was not run, so final used space will be slightly

higher

Multiple Display Configurations

Maximum Resolution

Number of Monitors supported

Windows 7 w/SP1 Windows 8

1024 x 768 4 8

1280 x 1024 4 8

1600 x 1200 3 4

1920 x 1200 2 4

2560 x 1600 N/A 2

Windows 8 Service ConfigurationService Name Default Recommended Details

Application Layer Gateway Service

Manual Disabled

This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices.

Background Intelligent Transfer Service

Manual DisabledVDI infrastructure is usually connected to fast LAN/WAN links to infrastructure servers hosting data

BitLocker Drive Encryption Service

Manual (TS) Disabled BitLocker is not available to be used on a virtual machines

Block Level Backup Engine Service

Manual DisabledService is used to backup data on the workstation – not used for virtual machines

Bluetooth Support Service Manual (TS) Disabled Bluetooth Wireless not supported from a virtual machine

BranchCache Manual ConsiderThis service caches network content from peers on the local subnet.

Computer Browser Manual (TS) DisabledMaintains an updated list of computers on the network and supplies this list to computers designated as browsers.

Device Association Service Manual (TS) DisabledEnables pairing between the system and wired or wireless devices.

Device Setup Manager Manual (TS) Disabled

Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.

Designing a VDI Architecture for Scale and Performance on Server 2012Ara BernardiPrincipal Program ManagerMicrosoftarabern@microsoft.com

DV-B301

Designing a large scale MS VDI deployment

We’ll do a walkthru of a 5000 seat VDI deployment80% of users running on LAN20% connecting from internet

We will explore:• Design options• Scale & Perf characteristics• Tweaks & optimizations

JBOD Enclosure

Clustered

VDI management nodes• All services are in a HA config• Typical config is to virtualized

workloads• But could use physical servers too

Optionally clustered

Infra srv-1Gateway

RDWEB

RD Broker

SQL

2X NIC

2x NIC

2x NIC

WANLAN

Storage Network

Infra srv-2

Sam

e w

ork

load a

s In

fra-

1

RD Lic Srv

SMB-12X NIC

SMB-22X NIC

2X SAS HBA

SAS Module

2X SAS HBA

\\SMB\Share1: Storage for the management VMs

VDI management nodesScale/Perf analysis1

RD GatewayAbout 1000 connections/second per RD Gateway Need min of 2 RD Gateways for HATest results:

1000 connections/s at data rate of ~60 Kbytes/sThe VSI3 medium workloads generates about 62kBytes/userConfig: four cores2 and 8Gigs of RAM

1 Perf data is highly workload sensitive2 Estimation based on dual Xeon E5-26903 VSI Benchmarking, by Login VSI B.V.

VDI management nodesScale/Perf analysis1

RD Broker5000 connections in < 5 mnts, depending on collection sizeNeed min of 2 RD Brokers for HATest results:

Ex. 50 concurrent connections in 2.1 seconds on a collection with 1000 VMs.Broker Config: one core2 and 4 Gigs per Broker

SQL (required for HA RD Broker)~60 Meg DB for a 5000 seat deploymentTest results:

Adding 100 VMs = ~1100 transactions (this is the pool VM creation/patching cycle)1 user connection = ~222 transactions (this is the login cycle)SQL config: four core2 and 8 Gigs

1 Perf data is highly workload sensitive2 Estimation based on dual Xeon E5-2690

5000 seat pool-VMs using local storageScale/Perf analysis1

Storage loadThe VSI2 medium workload creates ~10 IOPS per user, IO distribution for 150 users per host:

GoldVM ~700 reads/secDiff-disks ~400 writes/sec & ~150 reads/secUserVHD ~300 writes/sec (mostly writes)

GoldVM & Diff-disks are on local storage (per host)Load on local storage ~850 Read/sec and ~400 writes/sec

Storage size:About 5Gigs per VM for diff-disks, and about 20Gigs per GoldVMAssume a few collections per Host (a few GoldVMs)

A few TBs should be enough

1 Perf data is highly workload sensitive2 VSI Benchmarking, by Login VSI B.V.

GoldVM Diff-disks uVHD0

100

200

300

400

500

600

700

800

Read/s

Write/s

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.