Managing Windows 10 with Configuration Manager Aaron Czechowski Senior Program Manager Microsoft Avi Prasad Program Manager Microsoft Both
Aaron Czechowski Avi Prasad @AaronCzechowski @TheAviPrasad Program Manager, Configuration Manager product team Senior Program Manager, Configuration Manager product team 9 months with Microsoft and product team, adding more text to fill up space 5 years on product team, 10 years at Microsoft. 19 years working with Configuration Manager Both Dark chocolate Not dark chocolate
Introduction Configuration Manager is best for deep, traditional management and deployment of Windows 10 Why Windows 10? Secure Easy to update Mobility Windows 7 End of Support 14 January 2020 (971 days, ~2.6 years) Aaron
Windows 10 Current Branch Aaron Support in Configuration Manager
Supporting Windows 10 Current Branch SCCM current branch alignment with Windows and Office SCCM cadence continues 3x per year to better support Intune and CBB Starting in 1710 SCCM CB builds supported for 18 months SCCM supports Windows and Office 18 month lifecycles Aaron https://blogs.windows.com/business/2017/04/20/windows-office-align-feature-release-schedules-benefit-customers
Windows 10 Support Matrix Aaron Key (Green checkmark) = Supported (Blue BC) = Backwards compatible - This means that existing client management features (hardware inventory, software inventory, software updates, etc.) should work with the new Windows 10 Current Branch build. Any known issues or caveats will be documented. This approach gives you the ability to deploy and manage new Windows 10 CB builds on day one with application compatibility support without requiring a new Configuration Manager update version. (Red X) = Not supported https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/support-for-windows-10
Windows ADK for Windows 10, version 1703 Aaron Key (Green checkmark) = Supported - Windows recommends using the Windows ADK that matches the version of Windows you are deploying. For example, use the Windows ADK for Windows 10 version 1703 when deploying Windows 10 version 1703. (Blue BC) = Backward compatible - This combination is not tested but should work. Any known issues or caveats will be documented. (Red X) = Not supported https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/support-for-windows-10 https://blogs.technet.microsoft.com/configurationmgr/2017/04/14/known-issue-with-the-windows-adk-for-windows-10-version-1703/
New Features Avi
Device Guard Simplify deployment of Device Guard policies to clients with its native integration in 1702. Device Guard policies will lock down clients with Code Integrity so that only trusted Binaries can be executed Wednesday 10am: Managing Windows 10 Security: The Changing of the Guard (Dune & Nash) at Nokomis BC Avi
Device Guard
Windows Store for Business Online licensed apps can be deployed to ConfigMgr managed devices, to complete the Windows Store for Business app support 1703 TP – Windows Store for Business is onboarded via the new Azure Services Wizard Avi Matrix
Windows store for business Support Matrix Full Client Hybrid Free offline licensed app 1606 User/device collections For both required and available install via Software Center Required install in 1606 Available install in 1610 via new Company Portal Free online licensed app 1702 Paid offline licensed app No Paid online licensed app 1610 Avi
Windows Store for Business
Windows Fragmentation With Windows 7 and 8, servicing choices added complexity and cost, increased fragmentation, and reduced quality What we are testing What customers are running Y YY Before Windows 10, servicing added complexity and increased fragmentation. Across organizations, and even across devices in a given organization, you can find different Windows updates. This is actually a slide from the Windows team. Windows engineering is testing updates on fully patched devices, which means that the actual patch status of a given device was probably never tested by Microsoft. This is the main reason why in Windows 10, as most of you already know, updates are cumulative. Windows 7 Test Lab PC: Fully Patched Typical Windows 7 PC: Selectively Patched
Windows as a service update types Quality Updates Feature Updates A single cumulative update each month Security fixes, reliability fixes, bug fixes, etc. Supersedes the previous month’s update No new features Targeting twice per year with new capabilities Very reliable, with built-in rollback capabilities Simple deployment using in-place upgrade, driven by existing tools Try them out with Insider Preview
Express Updates Illustrated Month n Month n+1 Month n+2 Month n+3 Month n+4 KB1001 KB1002 KB1003 KB1004 KB1005 WSUS Server Older deltas New deltas Older deltas New deltas Older deltas New deltas Older deltas New deltas Older deltas New deltas New deltas New deltas New deltas New deltas Each new quality update released contains existing fixes, as well as some new ones – each of those new ones results in new file deltas being added to the package. Each month, each client PC downloads just those new file deltas and uses them to update the OS – on average, this requires only about 100MB of network traffic for each PC each month. [CLICK THROUGH the animation until the last set of deltas is downloaded] [If asked: If a PC didn’t install a previous month’s updates, maybe because it had been shut down for a while, it may need to install a larger set of deltas to catch up.] [If asked: If for some reason the files being patched don’t match what is expected by the file deltas, the full update will be downloaded and used instead.] New deltas Client PC ~100MB ~100MB ~100MB ~100MB ~100MB
Express updates The size of cumulative updates keeps increasing over time. A big concern for customers. Express updates allows clients to download only the delta between the current month’s updates and the previous month’s updates on the client. Using express installation files provides for smaller downloads and faster installation times on clients The size of the Express update is multiple times larger than the cumulative updates. Lighter on clients, heavier on the Distribution point When you use a supported version of Windows 10, you can use Configuration Manager settings to download only the changes between the current month's Windows 10 Cumulative Update and the previous month's update. Without express installation files, Configuration Manager downloads the full Windows 10 Cumulative Update (including all updates from previous months) each month.
Windows Information Protection Protect against corp data leakage, such as: Send from personal email Copy/paste to Twitter or Facebook Saving data to public cloud storage Define and deploy WIP policies via Compliance Settings Avi WIP is about keeping honest users honest Separating work content from separate content. Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. Additional data protection for existing line-of-business apps without a need to update the apps. Ability to wipe corporate data from devices while leaving personal data alone. Use of audit reports for tracking issues and remedial actions. Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
Windows Analytics Configure Windows 10 telemetry settings Commercial ID Collection level Downlevel clients Underlies Windows Analytics features Upgrade Readiness Update Compliance (and more to come!) Aaron https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-get-started
Windows Analytics Client Settings
Windows Defender Advanced Threat Protection Windows cloud service to help detect, investigate, and respond to advanced attacks on the network SecPro uses cloud portal to hunt threats Configuration Manager policies to onboard and monitor agent connecting with cloud IT Pro uses ConfigMgr to manage endpoints Aaron
WDATP Demo Aaron
Windows Hello for Business Manage alternative sign-in methods for Windows 10, replacing legacy passwords or smart cards. Device must be both AD and AAD joined User gets toast notification to setup Monitor compliance like any baseline Aaron
Device Health Attestation Device Health Attestation (DHA) enables enterprises to validate device health remotely based on hardware measured & attested data Builds upon: Secure Boot, Early Launch Anti-Malware and TPM Attestation 1 Authenticated Access Request 2 Prove you are Healthy 5 Here is the proof Important resources OneDrive File Servers Email Network Windows Cloud / OnPrem Attestation Attestation Request 3 Response 4 Aaron
Edition Upgrade Bit-less upgrade to higher-level edition of Windows 10 For example, Professional to Enterprise Key for desktop editions XML file for mobile editions Aaron
Edition Upgrade Demo
Logon at 2:20
Coming in Tech Preview 1705 for Windows 10 Windows 10 Express update improvements Further integration with Windows Update for Business Surface driver updates Internet-based Windows 10 to Configuration Manager Client installation/registration via CMG Azure AD integration/authentication (no client certificate!) Avi (1-2) & Aaron (3-4) Express Update Improvements 1. download performance - it's painfully slow 2. express file cleanup - DP can get bloated after a few patch Tuesday updates Further Integration with Windows Update for Business Will be including a Configuration Item to set up deferral policies for Quality updates and Feature updates for Windows 10 updates that are managed by Windows Update for Business
In the future… Aaron
What is Modern Management Aaron Mobile device and mobile application management have been key to empowering user productivity while enabling a simple, light weight IT paradigm. As the world is moving to Windows as a Service, organizations are looking to apply similar management principles to PCs, significantly lowering management costs and optimizing user productivity. This is how Microsoft is thinking about Modern PC Management. There are many ways you can modernize device management starting right now. Modern management is not tied to one technology or another. It is the idea that your can simplify IT infrastructure and processes in a way that best suits your organization’s needs. Here are some key elements of modern management to consider: Modern Procurement Customize standard gold images from any provider - eliminate the need to maintain custom corporate images and driver libraries Modern Provisioning End users can be fully provisioned just by entering credentials at startup IT can control settings and apps, as well as SKU upgrades Modern Updates No on-prem infrastructure dependency Control deferrals and rings, let go of granular policies Applies to corporate owned as well as BYO devices Modern Management Agentless and cloud optimized Identity based, role based Integrated data protection Challenges: Moving from traditional to modern management, lots of existing process and trained personnel Some technology gaps still to be closed
Summary Modern management is not about the management technology Configuration Manager continues to be the best product for traditional management and deployment of Windows 10 Configuration Manager supports modern management of Windows 10 Aaron
Final Data Points ~1 million new Windows 10 devices per week 99% are managed by Configuration Manager Source? Brad Anderson Mary Jo Foley Elvis Presley