Modern BIOS Management from the Cloud
Josué Negrón, Sr. Solutions Architect, VMware
Brooks Peppin, EUS Systems Engineer, VMware

Agenda
- Modern Management Challenges
- Cloud Architecture
- Microsoft BIOS & Firmware Updates
- PowerShell Execution & Deploying Drivers
- Managing & Configuring BIOS for Dell
- Automated OEM Updates
- Sensors to Pull in OEM Details
- Intelligence Reporting & Automation
- Q&A
With Windows 10, Microsoft Enables Modern Management of PCs
- Integrated MDM Framework
- Simplified Device Onboarding
- Cloud-based Management
Microsoft's own IT is moving away from traditional PC management to modern management for Windows 10.*
* Source: Microsoft IT Showcase; Aug 21, 2017; https://www.microsoft.com/itshowcase/article/video/708/windows-10-deployment-tips-and-tricks-from-microsoft-it
Most EMMs Focus on Limited Windows 10 MDM Capabilities
Most EMMs + Windows 10 MDM:
- Modern Onboarding: OOBE doesn't fit the bill in all customer situations
- Cloud Updates: Frequency and size of cloud updates is a challenge
- Configuration: MDM doesn't support 1000s of OS and firmware settings
- Device Health: Limited features means more siloed security tools
- Modern Apps: MDM supports limited Win32 app management
Workspace ONE Extends MDM to Meet Critical PC Management Needs
Device and OS Lifecycle Management / App Management / Zero-Trust Security
1. Onboarding 2. Configuration 3. OS Updates 4. Software 5. Security
- Ready-to-work Experience
- Out-of-the-Box Deployment
- MDM Configuration
- Standard Baselines & GPOs
- Always-up-to-date OS updates
- Granular Controls
- Win32 App Management
- Company App Store & SSO
- Device Health Attestation
- Data Protection
- Imageless Provisioning
- Co-exist with PCLM
- BIOS / Firmware Management
- Asset Tracking
- Delivery Optimization
- Patch Analytics & Automation
- Peer-to-Peer Distribution
- App Inventory
- BitLocker Management
- Automated Compliance
- Intelligent Insights and Rules Engine
Understanding the Workspace ONE UEM Solution Stack
[Architecture diagram. Labels: Workspace ONE UEM Console; WNS; AWCM; Management Server; Management Clients (OMA-DM Client, Protection Agent); Microsoft CSPs; VMware CSP; CSP / GPO; PowerShell; Direct Win32; WMI; Management API; Policy Engine; Scripting; P2P. Managed items: Firewall, Updates, MSI, WiFi, VPN, Passcode; ZIP, EXE, MSI; Windows OS; BitLocker; OEM Updates; Drivers; Windows Capabilities; BIOS; Firmware]
OEM Updates via Windows Updates
You have two options when leveraging Windows Updates for OEM Updates (Firmware, BIOS, Drivers, etc.):
1. WSUS: devices are on the network and have access to WSUS. Very granular control over which updates are approved and when they become available; however, highly mobile users will never get their updates.
2. Windows Update for Business: devices that are on or off the network; you must enable Delivery Optimization to control large downloads over WAN networks. Granular control when not using auto approvals. Only works for OEMs who publish their updates to Windows Updates. Works well for Surface devices!
Live Demo: Windows Updates in a Cloud Console
Getting Granular with Scripting
You can leverage scripting to modify and update devices. Intune supports PowerShell scripts, while SCCM and Workspace ONE UEM support custom scripting (e.g. PS1, BAT, etc.).
1. PROS
   1. Granular and fits every use-case
   2. Automated way of updating devices
2. CONS
   1. Very custom per device model and OEM
   2. Time consuming
Live Demo: Leveraging Custom Scripting
Deploying Drivers
Leverage software deployment to push drivers to devices; however, this might not be the most automated way.
- Most EMMs support deploying MSI packages.
- Intune now supports other file types with the latest announcement at Ignite!
- Workspace ONE UEM supports deploying EXEs, MSIs (MSI, MSP, MST), and custom ZIP packages (PowerShell wrapped deployments).
- SCCM supports all types and has built-in driver management support.
Overall this is a very manual process to keep drivers updated and deployed; it works well when only deploying to a single OEM/Model.
Live Demo: Leveraging Software Distribution to Deploy Drivers
Dell Command Monitor
Workspace ONE UEM natively integrates with Dell Command Monitor to provide the ability to:
1. Set or Read BIOS Attributes
   1. Set BIOS Password
   2. Update BIOS to UEFI
2. Read System Properties via DCIM classes
3. Report on all attributes and take automated actions (e.g. replace worn batteries before users complain)
4. Supports deploying CCTK packages, created using Dell Command Configure
Admins just have to create a BIOS profile in the console, and Dell Command Monitor must be installed on the devices.
Live Demo: Configuring and Reading BIOS Attributes
Dell Command Update
Workspace ONE UEM natively integrates with Dell Command Update to provide the ability to:
1. Set Scan Intervals, choose which Updates are Approved, how updates are applied (force reboot, etc.)
2. Provides a per-device and consolidated view of all OEM updates on the devices
3. Provides reporting and automation
Admins just have to create an OEM updates profile in the console, and Dell Command Update must be installed on the devices.
OEM Updates
Live Demo: Automatic OEM Updates
Custom Inventory and Scripting
- Run scripts and queries in real-time
- Make edits to the scripts in-line
- Admins can collect any device property and report on it in real time
- Inclusion in smart groups for dynamic targeting
- Expand to new query types for Dell BIOS
- Integrate with Intelligence APIs to invoke sensor through automations
- Create a community library on code.vmware.com for pre-defined sensors
Workspace ONE Sensors
- Allow admins to define and configure different sensor queries and target specific devices
- Write or upload scripts in-place within the console
- Define multiple query types of PowerShell and Dell BIOS queries
- Define dynamic membership of devices in smart groups based on the attribute values
- Choose datatypes for device response so they can be compared to other data
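A PowerShell sensor of the kind described above, added here as an illustration (not code from the presentation or from VMware): it reports how many days old the installed BIOS release is, so stale firmware can drive smart-group membership. It assumes the sensor's response type is set to Integer and that the agent records the script's single output value; the function name Get-BiosAgeDays and the -1 sentinel are hypothetical.

```powershell
# Added example sensor: age of the installed BIOS release, in days.
# Assumption: the sensor response type is Integer and the agent records
# the one value this script writes to output.
$ErrorActionPreference = 'Stop'

function Get-BiosAgeDays {
    param(
        # Passed in explicitly so the calculation can be checked without WMI.
        [Parameter(Mandatory)] [datetime]$ReleaseDate,
        [datetime]$Now = (Get-Date)
    )
    if ($ReleaseDate -gt $Now) {
        # A release date in the future means a wrong clock or bad data.
        return -1
    }
    return [int][math]::Floor(($Now - $ReleaseDate).TotalDays)
}

try {
    # Win32_BIOS exposes the vendor-reported firmware release date.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ($null -eq $bios.ReleaseDate) {
        Write-Output -1      # sentinel: firmware did not report a date
        return
    }
    Write-Output (Get-BiosAgeDays -ReleaseDate $bios.ReleaseDate)
}
catch {
    # Emit the sentinel rather than an error string, so the value still
    # parses as an integer and the device shows up as "unknown".
    Write-Output -1
}
```

Treat -1 as its own group ("unknown") rather than as a low age, so devices that fail the query are not counted as up to date.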
Reporting/Dashboards via Intelligence
[Diagram. Sources: UEM, IDM, Apteligent, Horizon, Trust Network partners. Workspace ONE Intelligence: Ingestion, Decisions; Aggregate, Correlate, Insights, Automate. Outputs: Dashboards, Reports, Actions, Notifications]
Demo: Reporting, Dashboards and Automation
Learn Workspace ONE modern management for Windows 10
- Demos: https://youtu.be/3ooap0qqomY and https://vmwarelearningzone.vmware.com/oltpublish/site/cms.do?view=openlearning
- Hands-on-Labs: http://labs.hol.vmware.com/hol/catalogs/catalog/878
  - Beginners: HOL-1857-01-UEM - Getting Started
  - Advanced: HOL-1857-02-UEM - Unified Endpoint Management for Windows 10

Test Drive Workspace ONE on your Windows 10 devices
- Sign up to VMware TestDrive: https://portal.vmtestdrive.com/
- TestDrive Getting Started Guide: https://kb.vmtestdrive.com/hc/en-us/articles/360001372254-getting-Started-with-TestDrive
- Workspace ONE for Windows 10 Walkthrough Guide: https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-experience-Workspace-ONE-on-Windows-10

Get Started on Your POC or Deployment
- POC: Workspace ONE Windows 10 Reviewers Guide: https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-managementairwatch
- Deployment: Professional Services Use Case Add-on for Windows 10: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/datasheet/vmware-workspace-oneairwatch-service-add-on-use-casedatasheet.pdf

You've got questions, we got answers, hopefully