News in ConfigMgr EWUG 1610
Per Larsen Microsoft MVP – Enterprise Mobility Solution Architect | per.larsen@atea.dk | m: +45 3078 1828 | f: +45 7025 2575 Co-Organizer - Everything Windows User Group Denmark | www.ewug.dk Microsoft Partner Technology Solutions Professional (P-TSP) in: http://www.linkedin.com/in/perlarsen1975 | t: @PerLarsen1975 Blog: http://osddeployment.dk
News in Config Manager Config Manager as a Service Optimized on Azure Windows Store for Business Windows Defender Advanced Threat Protection Health Attestation Windows Upgrade Analytics Operations Management Suite (OMS)
1511: Deploy, upgrade, and manage Windows 10, including new features; Manage Windows as a Service; Servicing model for ConfigMgr Current Branch; Combined end-user portal
1602: Client online status; Support for SQL Server Always On; Windows 10 Device Health Attestation reporting; Office 365 update management; Conditional Access support for PC management
1606: Windows Anniversary Edition support; Windows Information Protection; Windows Defender Advanced Threat Protection; Windows Store for Business integration; Windows Hello for Business; Content status links in admin console; End user portal improvements
20,533 total tenants
40,497,142 million total clients
Configuration Manager branches (columns: Availability | Windows 10 features supported | Support | Windows Servicing Model supported)
Current Branch: Generally available on 12/8/2015 with updates released periodically throughout the year | New features, security updates, and bug fixes | Can defer updates for up to 12 months before you must deploy updates to maintain support | Windows 10 Current Branch, Current Branch for Business, and Long Term Servicing Branch
Long-Term Servicing Branch (LTSB): Generally available on 10/12/2016. | No new features and support for new OS releases. Security fixes only. Only the Windows 10 mgmt. features released up to ConfigMgr version 1606. No new Windows features will be supported in the future. | 10-year fixed support; different from traditional 5+5. | Only up to Windows Server 2016 and Windows 10 LTSB (1607). CB/CBB is not supported. New OS releases won’t be supported.
Timeline (figure): Current branch (version 1511), CB (1602), CB (1606), CB (1610), CB (17xx) across Fall 2015, 2016 and 2017, with periodic updates every few months; LTSB (1606) in 2017, with reduced features and ad-hoc security updates only.
Is this “Configuration Manager 2016”? No. The Configuration Manager release included with System Center 2016 should not be considered as “System Center 2016 Configuration Manager”. The included release is a baseline version of 1606 with two installation options: Configuration Manager (current branch - version 1606) (default); Configuration Manager (LTSB – version 1606)
What is removed from LTSB? Support for the future releases of Windows 10 LTSB and Windows Server Support for Windows 10 CB/CBB The ability to add a Microsoft Intune Subscription, which prevents the use of Hybrid MDM On-premise MDM Windows 10 Servicing Dashboard and Servicing Plans Asset Intelligence Cloud-based Distribution Point Support for Exchange Online as an Exchange Connector Any pre-release features available in ConfigMgr (current branch)
Optimized on Azure
Microsoft Azure Office 365 Windows Upgrade Analytics Windows as a Service Microsoft Intune Windows Store for Business Windows Update for Business Windows Defender Advanced Threat Protection Health Attestation Configuration Manager Operations Management Suite (OMS) Azure Active Directory Microsoft Cloud Services
Cloud-based management service: Manage traditional clients that roam on the Internet, without additional infrastructure and without exposing infrastructure to the Internet. Easily configured through the Configuration Manager console. Key features continue to work on the device when not on the corporate network: Settings; Software updates; Applications; Hardware and software inventory; Endpoint protection
Cloud-based management service architecture (diagram). Components shown: Windows Update, Firewall, DMZ, MP, AD, CA, Site Server, Proxy Connector Point, DP, SUP, and in Azure the Proxy Service and Cloud DP. Connections are labelled HTTPS and HTTPS Mutual SSL; the endpoints carry SSL, client and root certificates.
Windows Services Windows Store for Business Windows Defender Advanced Threat Protection Health Attestation Windows Upgrade Analytics Windows as a Service Windows Update for Business OMS
Windows Store for Business Find, acquire, manage, and distribute apps on Windows 10
Windows Store for Business. One place for you: to find, acquire, manage, and distribute apps on Windows 10. Designed for organizations: Curated for business or for education; Apps owned and managed by your organization. Volume acquisition and distribution: Acquire Store apps and Line-of-Business apps; Flexible deployment to meet your needs. Easy and familiar for your users: Simple discovery and installation of apps; Automatic app updates by default
App distribution options
Option 1, Assign app licenses directly to users: For organizations and departments that do not want to use app management tools; Simple invitation model targeting specific users; Users receive an email or can go to My Library in Windows Store to install and launch organizational apps
Option 2, Use a private store page: Provides users flexibility to choose organization apps to install; Admin chooses apps to appear in company tab in the Windows Store; users self-discover
Option 3, Integrate with management tools: For organizations that want to leverage existing app management tools; Supports complex management options including dynamic groups, update management, push installation, etc.; Users can find and use Windows Store for Business apps pushed to their device(s) or on a company-approved portal
Application Distribution via System Center Configuration Manager (CM) and/or Intune
Components: Windows Store for Business; System Center Configuration Manager and/or Intune; Windows 10
Organizational apps acquired: Organizations acquire apps in Windows Store for Business; Includes internal line-of-business and public Store free and paid apps; Paid apps are purchased in bulk during acquisition
Inventory synchronized: System Center Configuration Manager and/or Intune connects with Windows Store for Business APIs; Apps, metadata and licensing information are synchronized
Policies and distribution: Administrator defines necessary policies and distributions; Distribution is performed
Deployed to users: Apps get deployed to Windows 10 users and policies enforced; App updates can happen from the Store or be managed with Management Tools
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Windows Defender Advanced Threat Protection
WINDOWS DEFENDER ADVANCED THREAT PROTECTION: DETECT, INVESTIGATE AND RESPOND TO TARGETED ATTACKS. Built in to Windows, cloud powered; Behavior-based, breach detection; Rich timeline for investigation; Unique threat intelligence knowledge base. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Adding a post-breach mindset to the Windows 10 defense stack
PRE-BREACH
Device protection: Device Health Attestation; Device Guard; Device Control; Security policies
Threat resistance: SmartScreen; AppLocker; Device Guard; Windows Defender; Network/Firewall
Identity protection: Built-in 2FA; Account lockdown; Credential Guard; Microsoft Passport; Windows Hello
Information protection: Device protection / Drive encryption; Windows Information Protection; Enterprise Data Protection; Conditional access
POST-BREACH
Breach detection, investigation and response: Windows Defender Advanced Threat Protection (ATP)
Health Attestation
Device Health Attestation. Builds upon existing Windows security technologies: Secure Boot, Measured Boot, Early Launch Anti-Malware, TPM Attestation. Diagram labels: UEFI Secure Boot, Boot Loaders, OS Loader, Windows kernel and boot drivers, Early launch anti-malware; TPM with Platform Configuration Registers (PCRs), TPM Boot Log, EK Cert, AIK Cert. Enables administrators to monitor remotely and make security decisions based on TPM-protected, tamper-resistant, and tamper-evident data
TODAY HEALTH IS ASSUMED. Unknown PC health. Important resources: OneDrive, File servers, Email, Network. 1 Authenticated access request; 2 You’re in. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Device Health Attestation enables: Windows Cloud Attestation and Intune, ConfigMgr and Intune TO GATE ACCESS BASED ON DEVICE INTEGRITY AND HEALTH. Important resources: OneDrive, File servers, Email, Network. 1 Authenticated access request; 2 Prove you are healthy; 3 Attestation request; 4 Attestation response; 5 Here is the proof.
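A simplified illustration of why the TPM boot log and PCRs give tamper-evident health data for the gating flow above, added here as an example and not taken from the presentation or from Microsoft's Health Attestation service. The component names, sample measurements and the `attest` policy function are constructed assumptions, and verification of the AIK signature over the quoted PCR is assumed to have already happened.

```python
import hashlib

PCR_SIZE = 32  # size of one register in a SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(measured component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def replay(boot_log):
    """Recompute the final PCR value from an ordered boot log."""
    pcr = bytes(PCR_SIZE)  # PCRs are all zeros after a platform reset
    for _name, measurement in boot_log:
        pcr = extend(pcr, measurement)
    return pcr


def attest(boot_log, quoted_pcr, trusted_digests):
    """Hypothetical relying-party policy: return (healthy, reason)."""
    # 1. The reported log must reproduce the PCR value the TPM quoted.
    if replay(boot_log) != quoted_pcr:
        return False, "boot log does not match quoted PCR (log tampered)"
    # 2. Every measured component must be on the trusted list.
    for name, measurement in boot_log:
        if hashlib.sha256(measurement).hexdigest() not in trusted_digests:
            return False, f"untrusted component measured: {name}"
    return True, "healthy"


# Constructed sample data: a known-good boot chain and its trusted digests.
GOOD_BOOT = [("bootmgr", b"bootmgr-v1"), ("os-loader", b"winload-v1"),
             ("kernel", b"kernel-v1"), ("elam", b"elam-driver-v1")]
TRUSTED = {hashlib.sha256(m).hexdigest() for _, m in GOOD_BOOT}


def demo():
    """Evaluate a clean boot, a modified boot, and a rewritten log."""
    results = {"clean": attest(GOOD_BOOT, replay(GOOD_BOOT), TRUSTED)}
    # A modified OS loader was measured into the TPM during boot.
    bad_boot = [GOOD_BOOT[0], ("os-loader", b"winload-patched")] + GOOD_BOOT[2:]
    tpm_pcr = replay(bad_boot)  # what the TPM would hold and quote
    results["honest_log"] = attest(bad_boot, tpm_pcr, TRUSTED)
    # The log is rewritten to look clean, but the quoted PCR cannot be changed.
    results["forged_log"] = attest(GOOD_BOOT, tpm_pcr, TRUSTED)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Only the first case is granted access: the modified loader is visible in the honest log, and a rewritten log no longer reproduces the quoted PCR.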
Windows Upgrade Analytics
Windows Upgrade Analytics: Allows the enterprise IT to quickly identify and focus on the critical issues impeding upgrades; provides data driven insights to plan and manage the upgrade process end to end. Workflow visualization from pilot to deployment; Powerful upgrade readiness insights and recommendations about the computers, applications and drivers; Risk based approach to app rationalization; Microsoft guidance on app and driver compatibility issues. Sign up via http://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics
Windows Upgrade Analytics and ConfigMgr
Windows as a Service Manage your Windows servicing updates through a dedicated console Sync and distribute update content using peer caching to reduce bandwidth impact
Operations Management Suite (OMS) (Microsoft Ignite 2016)
Operations Management Suite (OMS): Sync collections from ConfigMgr into OMS to replicate ConfigMgr grouping into your OMS environment
Thank you