BSM M/W10
Olav Tvedt
Chief Consultant
MVP – Cloud & Server Installation and Servicing
@olavtwitt olavtvedt.blogspot.com
www.evry.no/windows10
http://www.elvisnews.com/news.aspx/elvis-original-desk-and-car-for-sale/11052#.Vh0KAuTouUk
Elvis Presley Desktop
Early visionary
Consumer Devices
• Updates installed through Windows Update as they arrive
• Diversity of hundreds of millions of consumers taking advantage of latest innovation
• Active listening to a large user base drives agility and fast fixes to address issues
Mission Critical Systems
• Examples: Air Traffic Control, Data Centers, Emergency Rooms
• No new functionality on long term servicing branch
• Security updates and fixes provided monthly
• Patches and updates delivered through WSUS
Business Users
Caught in the middle?
Consumer Devices
Updates are installed as they arrive
• Updates haven't been to the broad market yet
• You haven’t had time to plan and test
• This may be a way to embrace consumerization, BUT….
• Is this the best solution for your users’ machines?
How should you treat your business users?
Mission Critical Systems
This is how you treat many devices today
• It is expensive
• Your users are not getting access to the latest features
• Your competitors may be getting ahead with more advanced devices for their users
Treat them as the professionals they are
Update their devices after features are validated in the market
• Your organization gets access to the latest technology and value sooner
• You have time to plan and test the updates after they have been released to the broad market
• You choose how you want your users’ devices to be updated:
• Via Windows Update – validated updates delivered to professional systems after a deferral period
• Via WSUS, with control over how you deploy updates in your environment within deferral time
Market Driven Product Quality
[Figure: Quality & Value* against Time, with stages: Engineering Builds; Broad Internal Validation (10's of thousands of users); Limited External Flights (100's of thousands of users); Broad External Flights (several million users); Current Branch for Consumers (hundreds of millions of users); Current Branch for Business; Long Term Servicing Branch]
*Conceptual illustration only
Consumer Experience
Security updates and fixes are delivered regularly
Consumers are up to date with features as they are released
[Figure: Quality & Value* against Time]
*Conceptual illustration only
Business User Experience
Security updates and fixes are delivered regularly
Consumers are up to date with features as they are released
Business customers can delay receiving feature updates for a few months
*Conceptual illustration only
Flexible Options for Business Customers
[Figure: successive Current Branch for Business (CBB) and Long Term Servicing Branch (LTSB) releases along a Time axis]
*Conceptual illustration only
1. Long Term Servicing Branch (LTSB) provides long term support where mission critical systems can stay
2. Current Branch for Business (CBB) - Option to keep business users up to date while having flexibility to deploy updates after they have been tested in the broad market
Windows 10 Deployment Options for Enterprises
Current Branch for Business: Up to date with the latest innovation
Update your devices frequently with latest features
• New enterprise deployment option for Windows 10
• Your devices can take advantage of the latest innovation on an ongoing basis
• Features are released first to tech enthusiasts and Windows Insiders and validated prior to getting installed on your business devices
• You have several months to plan and test the updates
• You choose how you want the devices to be updated:
• Via Windows Update - reducing your management costs
• Via WSUS using traditional mechanics
Long Term Servicing Branch: Mission-critical ready
Receive security updates regularly; no new features
• Similar to what you have today with Windows 7 SP1/Windows 8.1
• Your mission critical environments are supported with no change in functionality for duration of mainstream and extended support (5+5 years)
• You control deployment of patches using WSUS
• You are able to use in-place upgrade to move from one LTSB to another
WINDOWS PHONE 8.1
WINDOWS 8.1
WINDOWS 10
• A single store for Windows devices: PCs, tablets, phones, etc.
• A single Windows Dev Center for developers
• Fully converged experience
• Best features from each
• New capabilities
XBOX
Windows Store
• Windows Store apps
• Sign in with MSA
• Pay with credit card, gift card, PayPal, Alipay, INICIS, mobile operators
Business Store Portal “Company Portal”
• Windows Store apps
• Leverages Azure Active Directory for administration, some scenarios
• Private store for the org’s preferred or LOB apps
• Pay with credit card or PO/invoice
• Deploy Windows Store apps offline, in images, and more
• Windows Store app license management
• Sideload line-of-business apps
• Deploy apps from the Windows Store (even when the Store UI is disabled) as well as uploaded LOB apps through BSP integration using MDM
Secure Boot: Hardware based security for better malware protection.
Enterprise credential protection via hardware-based isolation
Microsoft Passport, Windows Hello: Help secure corporate identity to protect against modern threats.
Enterprise data protection: Help protect your corporate data, wherever the data is.
Device Guard: Help eliminate malware on your devices.
Secure Remote Connection: More secure per-app connection for mobile workers.
Windows 10 identity choices
It All Starts With Identity
Organization-owned
• Computer joins AD to establish trust
• User signs on using AD account
• Group Policy + System Center Configuration Manager
Personally-owned
• Computer joins Azure AD to establish trust
• User signs on using Azure AD account
• MDM auto enroll with Intune or 3rd party MDM
• Settings roaming
• Computer registers with AD or Azure AD via Device Registration to establish trust for remote resource access
• User signs in with a Microsoft account, associates an Azure AD account
• MDM auto enroll with Intune or 3rd party MDM
Single sign-on to enterprise + cloud-based services
Secure Boot
Credential Guard
Device Guard
Enterprise Data Protection
Windows Hello
Enterprise Security
Enterprise Data Protection
How it works
Enterprise Data Protection relies on existing OS encryption technology: EFS, used for Work Folders in Windows 8.1. Enterprise Data Protection supports both Modern and Win32 applications.
Define Enterprise Boundaries
Enterprise boundaries are defined in one of two ways:
• Administrator defines a set of enterprise approved applications that are allowed to access data
• Network boundaries are defined (IP ranges, cloud locations e.g. O365), which defines if data is coming from or going to a defined "Enterprise" location
Configure Enterprise Data Protection
Administrators can configure Enterprise Data Protection in one of three ways:
• Blocking - blocks data from being moved to non-Enterprise locations
• Policy Override - provides a prompt, but allows users to confirm they want to copy to non-enterprise locations, audits event
• Reporting Only - no blocks/roadblocks, just audits events
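A conceptual model of the boundary and enforcement rules described above, added here as an illustration; it is not from the slides and is not a Windows API or policy format. The class, the mode strings, the sample addresses and the choice to audit blocked attempts as well are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed names and values; a model of the slide's rules, not a Windows API.
MODES = ("block", "override", "report_only")

@dataclass
class EdpPolicy:
    mode: str                      # one of MODES
    approved_apps: set             # enterprise approved applications
    enterprise_networks: list      # network boundary: IP ranges as CIDR strings
    enterprise_cloud: set = field(default_factory=set)  # cloud locations (host names)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown mode: {self.mode}")
        self._nets = [ipaddress.ip_network(n) for n in self.enterprise_networks]

    def is_enterprise_location(self, location: str) -> bool:
        """True if location (IP address or host name) lies inside the boundary."""
        try:
            addr = ipaddress.ip_address(location)
        except ValueError:
            return location.lower() in self.enterprise_cloud
        return any(addr in net for net in self._nets)

    def evaluate(self, app: str, source: str, destination: str,
                 user_confirms: bool = False) -> str:
        """Decide what happens when app moves data from source to destination."""
        if not self.is_enterprise_location(source):
            return "allow"         # not enterprise data, policy does not apply
        if app in self.approved_apps and self.is_enterprise_location(destination):
            return "allow"         # data stays inside the enterprise boundary
        if self.mode == "block":
            decision = "blocked"
        elif self.mode == "override":
            # Prompt: the user may confirm the copy to a non-enterprise location.
            decision = "allowed_after_prompt" if user_confirms else "blocked"
        else:
            decision = "allowed_audit_only"
        # Assumption: every boundary crossing is audited, blocked ones included.
        self.audit_log.append((app, source, destination, decision))
        return decision
```
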
Multiple layers of protection
Identify and authorize user
Apply device policies
Apply application policies
Apply content policies
User IT
Active Directory Premium
Rights Management
Enterprise Mobility Suite
Mobility is the new normal
52% of information workers across 17 countries report using three or more devices for work*
90% of enterprises will have two or more mobile operating systems to support in 2017**
>80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***
* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
• Conditional Access
• Data Protection
• Data Loss Prevention
• Resource Access
o Applications
o Access
o Configurations
o Certificates
Protect And Serve
Mobile
Enterprise Mobility Suite + Office 365
Azure AD, Azure RMS: Identity & Access
• Common identity infrastructure
• Control access to on prem and SaaS
• Authentication and SSO
• Encryption and policy at the file level
Office 365: Productivity
• World class productivity and collaboration
• Consistent experience across all devices
• IT compliance and data protection
Intune: Device & App Management
• Mobile device management
• Mobile application management
• Contain corporate data on devices
Integrated experiences
• Conditional email access
• Secure collaboration
• Email based enrollment
• Device and user provisioning
• Single sign-on
• Device compliance
• App restriction
• Lost or stolen device
• Device wipe
• Employee leaves the company
• …and more in the works