#Build2016

Managing Windows in an Enterprise: Empower your users & protect your dataJanani Vasudevan (@jananivasudevan)Principal Program Manager Lead

Why organizations need management

Enable access & productivity for employees

Protect corporate data & resources

Maintain compliance with reporting

Windows 10 management options

Group PolicySystem Center Config

Mgr

MDM[Microsoft Intune or

3rd party]

MDM[Microsoft Intune or

3rd party]

Domain joined

Azure AD joined

COMPANY OWNED PERSONALLY OWNED

New policies New configuration policies

New config via WMI bridge

Azure AD account added

New configuration policies

Management for every Windows device

Modern management architecture

MDM Configuration Service Providers (CSP)

Device

WMI provide

r

Common component PC component

Common Device Configurator

EAS ClientMDM Client

Service/Server

Provisioning Engine WMI Bridge

EASProvisioningMDM ConfigMgr

Enterprise Management

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

• Azure AD enrollment• Bulk MDM enrollment• Easy self

provisioning• IT provisioning tool

updates

• Certificates – SCEP & PFX, Passport

• Wifi connection• Simplified Passport

deployment

• Common VPN platform• Per app VPN & lockdown VPN• App triggered VPN• Destination name based VPN

trigger• Passport VPN integration

• Health attestation• New security policies• Enterprise data protection• Mgmt. of Windows Defender Advanced

Threat Protection

• MDM policies for update

• Windows Update for Business

• Easier device unlock; LOB app signing with Ent. cert

• Win32 MSI based app deployment• App inventory, app whitelisting, UWP app

config• Centennial app mgmt.• Windows Store for Business enhancements

• Remote find/wipe• MDM config report• Enhanced logging• Remote reboot

• Retire device with server alert• Retire PC when no user logged

in• Reliable enterprise config

removal

Existing Windows 10 capabilitiesNew Capabilities in the next release of Windows

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Look for session from Build 2015 for Windows 10 manageability support - Managing Mobile Devices and Applications in an Enterprise [Janani Vasudevan] http://aka.ms/build2015mgmt

Simplified IT provisioningSetup device for workAvoid wipe & reload

Use Windows Image Config & Designer tool

Domain join & setup deviceStreamlined & intuitive flowNEW

Better documentationNEW

Not Final UI

Easier self provisioningSetup device for work

Auto MDM enroll with Azure AD

…Now with a simpler UX

Not Final UI

Not Final UI

Not Final UI

Not Final UI

Not Final UI

Not Final UI

Not Final UI

Not Final UI

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Get connected to work

Productive at work

Corporate Wifi connection

Certificates Direct Install (PFX) or Install through SCEP TPM, Software & Passport Certs

Simplified Passport deploymentNEW

Better support for key/cert based deployments

Look for sessions in Build - Multifactor authentication and Windows unlock with IoT devices [Anoosh Saboori] ; Windows Hello in Microsoft Edge and Apps [Anoosh Saboori]; Identity Overview [Karanbir Singh]

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Work anywhere with VPNUniversal Windows VPN platform

Inbox VPN enhancements (Custom IPSEC crypto parameters)NEW

XML based MDM provisioning option NEW

Automatic ConnectivityAlways On; App triggered VPNDestination Name Based TriggerNEW

Securing ConnectionsTraffic filters (App, Other)Lockdown VPNVPN support for EDPNEW

Passport supportNEW

Productive on-the-go

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Keep user devices protected!More Security Policies – MDM & Group Policy

Edge: Search Provider, Prompt when opening in IE etc.

Privacy: Consent prompts, advertising ID etc.UX policies: Notifications, Continuum etc.

Advanced security managementWindows Defender – Added policiesNEW

Device Health Attestation (with conditional access)Windows Defender Advanced Threat ProtectionNEWLook for session in Build - Windows Advance Threat Protection Service [Heike Ritter, Michael Shalev]

Stay tuned for updates to documentation for full list of policies supported - http://aka.ms/win10mdm

Device & data protected

Corporate data: Separate & Protected

Enterprise Data Protection

Manage what data is “Enterprise”Audit intentional data disclosure

Support through mgmt. solutionsConfiguration ManagerMicrosoft Intune3rd party MDMs

Device & data protected

for business

personal

Business Apps & DataManaged

Personal Apps &

DataUnmanaged

Data exchange is blocked or

audited

Look for session in Build - Enterprise Data Protection: Building Windows Apps that keep work and personal data separate and secure [Derek Adam]

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Windows Update for BusinessDeployment Rings

Increased control over update rollout

Bandwidth OptimizationSecure peer to peer delivery of updates Manage delivery optimization settings

Integration with existing toolsDeploy updates from WU, third party content using existing toolsUpdate compliance report

Device is current

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Unified platformEasier device unlockLOB app signing possible using Enterprise cert

UWP & desktop app mgmt.App deployment – UWP, Centennial & MSI desktopInventory based on query – UWP‘Applocker’ App restrictions – UWP & desktop

Centennial app mgmt.NEW

Managing apps in your EnterpriseStartStart

Apps from the Enterprise

Look for session in Build - Enterprise Apps and the Windows Store for Business [John Vintzel; Tejas Patel]

Extend your reach to organizations

Access to business and education users Apps can be acquired in bulk

Designed for organizationsMultiple ways to distribute apps Support for imaging and offline usage

One place, same toolsApps are submitted via Windows Dev Center Submit custom LOB apps directly to an organization

Windows Store for BusinessStartStart

Apps from the Enterprise

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Help IT help users

Locate device remotely

Better device diagnosticsNEW

Improved loggingMDM mgmt. resultant configuration reportCan be retrieved through MDM channel

Remotely reboot deviceNEW

Issue support

Setup device for work

Productive at work

Productive on the go

Device & data protected

Device is current

Issue support

Retire device

StartStart

Apps from the Enterprise

Retire device or revoke accessRetire user/deviceEnterprise wipe

Remove policies & enterprise assets provisionedRetire lost/stolen PC– when no user logged inNEW

Azure AD account removalRemoval of config for auto-enrolled MDM cases

Device Wipe Removes all data on device

• Windows 10 MDM reference: http://aka.ms/win10mdm • Group policy ADMX/settings for Windows 10: http://

aka.ms/win10admx • What’s new in Windows 10 for MDM: http://aka.ms/newinmdm• Powershell scripting with WMI bridge: http://

aka.ms/UsingMdmWmiBridge • Windows Device Provisioning: http://aka.ms/win10provisioning

• Windows 10 Management with Intune: http://aka.ms/win10withintune

• Windows 10 Management with ConfigMan: http://aka.ms/win10configman

Resources

Evaluate Windows 10 insider preview builds https://insider.windows.com/

Stay tuned and delve into updated MDM infohttp://aka.ms/win10mdm Evaluate Windows Store for Business to get wider outreach for your Enterprise appsLet us know your feedback!Use Windows feedback app

Next Steps

© 2016 Microsoft Corporation. All rights reserved.