Windows 8 Deployment Best Practices and Lessons Learned

Martin Weber
Technology Solution Professional
Microsoft Switzerland GmbH



Preparation is key

Create repeatable, automated processes

The result: A permanent part of your infrastructure

Deployment project phases: Project Management | Office | Application Management | Infrastructure Readiness | Image Engineering | Deployment

Windows 8 tablets with Intel Core 64-bit processors
Windows 8 tablets with Intel Atom 32-bit processors
Windows RT tablets with ARM processors

CAPABILITIES / CHOICE OF TABLETS

Mobility
• Best Mobility: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets

Workload
• More Intensive Workloads: Windows 8 Tablets with Intel Core processors

Apps
• Desktop Apps: Windows 8 Tablets with Intel Core or Intel Atom processors
• Dedicated LOB Apps: Windows 8 Tablets with Intel Core or Intel Atom processors, or Windows RT Tablets

Connectivity
• Best Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors running Windows 8 Enterprise (DirectAccess)
• Occasional Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors that can automatically sync files using SkyDrive or SkyDrive Pro
• Through VPN Connections: All Windows 8 and Windows RT* tablets
• Always On: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets

Manageability
• Full Manageability: Windows 8 Tablets with Intel Core or Intel Atom processors
• Simple Manageability: All Windows 8 or Windows RT Tablets managed by Windows Intune
• Governance: All Windows 8 and Windows RT Tablets with Exchange ActiveSync policies

1. Know the Choices of Windows-Powered Tablets
• Windows 8 Tablets with Intel Core Processors
• Windows 8 Tablets with Intel Atom Processors
• Windows RT Tablets with ARM Processors

2. Determine Customer’s Device Needs
• Mobility: Weight | Battery Life
• Workload: Casual | Intensive
• Apps: Desktop apps | Windows Store apps | LOB apps | Remote apps
• Connectivity: Corporate Access | Always On
• Manageability: Full | Simple | Governance

3. Choose a Device Based on Capabilities

Windows 8 on x86/x64
• Desktop Apps (x86/x64) and Modern Apps
• Compatible with broad range of peripherals
• Full enterprise management and rich security

Windows RT on ARM
• Running on low power ARM Processors
• Office pre-installed (Home & Student 2013 RT)
• Compatible with printers, mice, keyboards etc.
• Device Encryption for advanced data protection
• Inbox VPN client: MS, Cisco, CheckPoint, Juniper
• Non Domain-Joined // No Group Policies
• No Windows Media Player // No Media Center
• Security Policies by Exchange ActiveSync (EAS)
• Cloud Management capable by Windows Intune

Device type comparison (columns: RT | Pro | Win 8 | AOAC*)

Form Factor:     Many | Many | Many | Many
Boot Time:       Good | Okay | Okay | Best
Heat and Noise:  Fanless | More | More | Fanless
x86 or x64:      ARM | x64 | Both | x86 UEFI
Battery Life:    Good | Okay | n/a | Both
Industry Target: Consumer | Both | Both | Both

* Always On Always Connected (AOAC) is a new Windows 8 device type

Feature comparison (columns: RT | Pro | Win8 | AOAC)

Domain join capable
Group Policy capable
Cost: $$$ | $$$$ | $$$ | $$$
AOAC capable
Able to run classic applications
TPM
DirectAccess

Coexistence
• Group policy
• Roaming profiles
• Other options
• Activation

Management
• System Center Configuration Manager
• Windows Intune
• Third-party tools

Capacity
• Network load
• Disk storage
• User data
• Applications
• Images

Helpdesk

Bring Your Own Device
• Wireless access
• Proxy configuration (WPAD)


Tools to help
• Application Compatibility Toolkit
• Microsoft Assessment and Planning Toolkit
• System Center 2012 Configuration Manager
• Windows Intune

Categorize
• Critical
• Supported
• Unsupported
• Blocked

Rationalize
Perfection is impossible; focus based on risk and cost
• Don’t test everything
• Choose when to be reactive instead of proactive
• Simplify the structured testing process

Choices
• Shim
• Upgrade
• Replace
• Eliminate

Windows 7 applications are compatible with Windows 8


Application compatibility process
• Gather inventory
• Prioritize your portfolio
• Perform testing when appropriate
• Remediate when needed

Tools to help
• Line-of-business sites
• Third-party internal sites
• External sites

Categorize
• Critical
• Supported
• Unsupported
• Blocked

Rationalize
Perfection is impossible; focus based on risk and cost
• Don’t test everything
• Choose when to be reactive instead of proactive
• Simplify the structured testing process

Choices
• Fix
• Upgrade
• Replace
• Eliminate

Many web site compatibility issues are easy to fix


Web site compatibility process
• Gather inventory
• Prioritize your portfolio
• Perform testing when appropriate
• Remediate when needed

New Features
LTI / ZTI / UDI
Installation

Accelerates: 30 customers worldwide

Customer examples: Construction, Banking, Oil and Gas, Aerospace, European Insurance Provider, Retail, Education, Hospitality

Windows to Go, Work on the Road
Services Offered:
• Utilize Windows to Go as a disaster recovery tool
• Allow true transportable model

Windows 8 Application, Windows to Go, Work on the Road
Services Offered:
• Touch First Applications + Device
• Work on the Road: Executives being effective on the road

Win 8 Style Application, PC Refresh, PC Reset, Secure Boot
Services Offered:
• Reduce helpdesk PC repair time
• Machine refreshed to resolve the issue

Win 8 style application, Windows to Go, end-to-end security
Services:
• Touch-enabled interactive selling
• Implement changes to data integrity and stability

Win 8 style application, VDI
Services:
• Allows sales transaction without leaving the customer’s side
• Accelerate the deployment of VDI

Number of applications: 1512
Services Offered:
• Vendor research, install and launch testing, remediation, and packaging

Win 8 application, enhanced end-to-end security
Services offered:
• Windows tablets to Students
• Ability to manage stable devices
• Protect student data

Win 8 style application, enhanced end-to-end security, Windows to Go
Services offered:
• Provide an improved mobile experience to executives
• Allow guests to boot corporate images

Repeatable and automated

Keep it simple
• Strive for a single image
• Include only what is needed for the majority, or what saves time
• Leverage the deployment process for per-computer customization
• Don’t get carried away with configuration

Decide on security settings and runtime components early


Image build process
• Install operating system
• Install common applications
• Apply updates and patches
• Configure OS settings and defaults
• Capture new image

http://www.microsoft.com/en-us/download/details.aspx?id=25175

Modern Application Deployment

Windows 8 or Windows RT devices
• Install corporate apps (SideLoading)
• Download public apps from Windows Store

Custom LOB | Supported Windows Store app links
Through the cloud | Directly on-premise

Windows 8 side-loading requirements

Columns: Configure AllowAllTrustedApps registry key*** | Sign .appx file with trusted enterprise code signing certificate | Side loading key required | Client is Domain joined

Windows 8 Enterprise:   Yes | Yes** | Required if client is not joined to a domain | Yes
Windows 8 Professional: Yes | Yes** | Yes | Does not enable side-loading*
Windows RT:             Yes | Yes** | Yes | Cannot be joined to a domain*
Windows Server 2012:    Yes | Yes** | Does not support sideloading key | Yes

* The side-loading key must be configured
** Signed using trusted code signing CA on Windows 8 clients
*** HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1

Note: The Publisher Name in the app package manifest must match the Publisher Name in the certificate that is used to sign the app.

Detect sideloaded LoB App (detection method)
  (Get-AppxPackage -Name Contoso.SampleLOBApp).Version

Install sideloaded LoB App (detect, then install/update)
  Add-AppxPackage \\fileserver\Contoso\SampleLOBApp.appx

Remove sideloaded LoB App
  Get-AppxPackage -Name Contoso.SampleLOBApp | Remove-AppxPackage
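The sideloading prerequisites listed above (AllowAllTrustedApps = 1, a package signature that chains to a CA the client trusts, and a manifest Publisher that matches the signing certificate) can be checked before Add-AppxPackage runs. This is an added example, not code from the deck; the function name Test-SideloadReady is hypothetical, and the UNC path and package name reuse the deck's sample values.

```powershell
# Added example (not from the deck): pre-flight check before sideloading a
# line-of-business .appx on a Windows 8 Enterprise client.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SideloadReady {
    param([Parameter(Mandatory = $true)][string]$PackagePath)

    # 1. Policy key from the deck's footnote ***: must be exactly 1
    $key   = 'HKLM:\Software\Policies\Microsoft\Windows\Appx'
    $allow = (Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    if ($allow -ne 1) { return "AllowAllTrustedApps is not 1 (current value: '$allow')" }

    # 2. Package signature must be valid and chain to a CA this client trusts
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') { return "Package signature status is $($sig.Status)" }

    # 3. Publisher in AppxManifest.xml must equal the certificate subject.
    #    An .appx is a zip container, so read the manifest straight out of it.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher
    $subject   = $sig.SignerCertificate.Subject
    # Plain (case-insensitive) string comparison of the two X.500 names
    if ($publisher -ne $subject) {
        return "Manifest Publisher '$publisher' does not match certificate subject '$subject'"
    }
    return 'OK'
}

# Usage with the deck's sample share. Add-AppxPackage installs for the current
# user only, so run this in the user's context (e.g. as a ConfigMgr user deployment).
$pkg    = '\\fileserver\Contoso\SampleLOBApp.appx'
$result = Test-SideloadReady -PackagePath $pkg
if ($result -eq 'OK') {
    Add-AppxPackage -Path $pkg
    (Get-AppxPackage -Name Contoso.SampleLOBApp).Version   # the deck's detection check
} else {
    Write-Warning "Not sideloading: $result"
}
```

A mismatch in step 3 is what produces the Publisher-name error the deck's note warns about, so failing early here gives the helpdesk a precise cause instead of a generic Add-AppxPackage failure.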

Administration
• Available user targeted apps
• DeepLink support
• In console deployment monitoring
• Simplified Administration Experience
• Advanced Modern Device Management

LoB app lifecycle

Build: Enterprise builds LoB app or gets app from ISV outside of the store
Certify: Certify LoB app using Windows App Certification Kit
Sign: Sign with Enterprise trusted cert; Publisher name in the certificate and package must match
Deploy: Deploy using System Center 2012 Configuration Manager SP1

Mouse alternatives for touch gestures (TOUCH / MOUSE)
• Point to the lower right corner of the screen.
• Right click the app to see the app commands. Drag an app to the lower edge to close.
• Point to an item to see more options.
• Press the Ctrl key while moving the mouse wheel to zoom in and out.
• Point to the bottom of the app and use the scrollbar.
• Click an item to perform an action.

Xperf Performance Analysis unchained, Windows Assessment Toolkit revealed
http://blogs.technet.com/b/jeff_stokes/archive/2013/03/16/xperf-for-the-layman-performance-analysis-unchained-windows-assessment-toolkit-revealed.aspx

Windows Assessment and Deployment Kit (ADK) for Windows 8
http://www.microsoft.com/en-us/download/details.aspx?id=30652

Can I customize the Start screen layout?
http://technet.microsoft.com/en-us/library/jj134269.aspx

Can I prevent users from installing <Windows Store app>?
http://companystore.codeplex.com/[email protected]

Why is the Windows Store disabled on Windows To Go?

Where can I get a SideLoad Product Key?
http://www.microsoft.com/licensing/servicecenter

Can I use the Mail app without a Microsoft ID?

Can I programmatically install an app from the Windows Store?

Why can’t the Windows Store apps find my proxy server?
http://support.microsoft.com/kb/2777643
http://support.microsoft.com/kb/2778122
http://windows8ready
http://infopedia/docstore/pages/kcdoc.aspx?DocId=191045

Tablet positioning
• + Creation: Full productivity applications, Full peripheral support, Full business integration, Full Security & Management
• iPad, 10” OEM Android tablets, Kindle Fire, Google Nexus 7
• Windows 8, Windows RT
• + Office: Productivity & Fun
• iPhone, 7” OEM Android tablets: Entertainment only

Security timeline

1995: Windows 95
Key Threats
• Internet was just growing
• Mail was on the verge
Security features: -

2001: Windows XP
Key Threats
• Melissa (1999), Love Letter (2000)
• Mainly leveraging social engineering
Security features
• Logon (Ctrl+Alt+Del)
• Access Control
• User Profiles
• Security Policy
• Encrypting File System (File Based)
• Smartcard and PKI Support
• Windows Update

2004: Windows XP SP2
Key Threats
• Code Red and Nimda (2001), Blaster (2003), Slammer (2003)
• 9/11
• Mainly exploiting buffer overflows
• Script kiddies
• Time from patch to exploit: several days to weeks
Security features
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Security Development Lifecycle (SDL)
• Auto Update on by Default
• Firewall on by Default
• Windows Security Center
• WPA Support

2007: Windows Vista
Key Threats
• Zotob (2005)
• Attacks «moving up the stack» (Summer of Office 0-day)
• Rootkits
• Exploitation of Buffer Overflows
• Script Kiddies
• Rise of Phishing
• User running as Admin
Security features
• BitLocker
• PatchGuard
• Improved ASLR and DEP
• Full SDL
• User Account Control
• Internet Explorer SmartScreen Filter
• Digital Rights Management
• Firewall improvements
• Signed Device Driver Requirements
• TPM Support
• Windows Integrity Levels
• Secure “by default” configuration (Windows features and IE)

2009: Windows 7
Key Threats
• Organized Crime
• Botnets
• Identity Theft
• Conficker (2008)
• Time from patch to exploit: days
Security features
• Improved ASLR and DEP
• Full SDL
• Improved IPsec stack
• Managed Service Accounts
• Improved User Account Control
• Enhanced Auditing
• Internet Explorer SmartScreen Filter
• AppLocker
• BitLocker To Go
• Windows Biometric Service
• Windows Action Center
• Windows Defender

2012: Windows 8
Key Threats
• Organized Crime, potential state actors
• Sophisticated Targeted Attacks
• Operation Aurora (2009)
• Stuxnet (2010)
Security features
• UEFI (Secure Boot)
• Firmware Based TPM
• Trusted Boot (w/ELAM)
• Measured Boot and Remote Attestation Support
• Significant Improvements to ASLR and DEP
• AppContainer
• Windows Store
• Internet Explorer 10 (Plugin-less and Enhanced Protected Modes)
• Application Reputation moved into Core OS
• BitLocker: Encrypted Hard Drive and Used Disk Space Only Encryption Support
• Virtual Smartcard
• Picture Password, PIN
• Dynamic Access Control
• Built-in Anti-Virus

Devices & Platforms: Single admin console