Windows 8 Deployment Best Practices and Lessons Learned
Martin Weber, Technology Solution Professional, Microsoft Switzerland GmbH
Preparation is key. Create repeatable, automated processes. The result: a permanent part of your infrastructure.
Workstreams: Project Management Office; Application Management; Infrastructure Readiness; Image Engineering; Deployment
Windows 8 tablets with Intel Core 64-bit processors Windows 8 tablets with Intel Atom 32-bit processors Windows RT tablets with ARM processors
Know the Choices of Windows-Powered Tablets
1. Determine the customer's device needs
2. Choose a device based on capabilities
3. Choice of tablets: Windows 8 tablets with Intel Core processors; Windows 8 tablets with Intel Atom processors; Windows RT tablets with ARM processors
Capabilities and the matching choice of tablet:
Mobility (weight, battery life): Best mobility: Windows 8 tablets with Intel Atom processors or Windows RT tablets
Workload (casual or intensive): More intensive workloads: Windows 8 tablets with Intel Core processors
Apps (desktop apps, Windows Store apps, LOB apps, remote apps): Desktop apps: Windows 8 tablets with Intel Core or Intel Atom processors. Dedicated LOB apps: Windows 8 tablets with Intel Core or Intel Atom processors, or Windows RT tablets
Connectivity (corporate access, always on): Best connectivity: Windows 8 tablets with Intel Core or Intel Atom processors running Windows 8 Enterprise (DirectAccess). Always on: Windows 8 tablets with Intel Atom processors or Windows RT tablets. Occasional connectivity: Windows 8 tablets with Intel Core or Intel Atom processors that can automatically sync files using SkyDrive or SkyDrive Pro. Through VPN connections: all Windows 8 and Windows RT* tablets
Manageability (full, simple, governance): Full manageability: Windows 8 tablets with Intel Core or Intel Atom processors. Simple manageability: all Windows 8 or Windows RT tablets managed by Windows Intune. Governance: all Windows 8 and Windows RT tablets with Exchange ActiveSync policies
Windows 8 on x86/x64:
Desktop apps (x86/x64) and Modern apps
Compatible with a broad range of peripherals
Full enterprise management and rich security
Windows RT on ARM:
Running on low-power ARM processors
Office pre-installed (Home & Student 2013 RT)
Compatible with printers, mice, keyboards etc.
Device Encryption for advanced data protection
Inbox VPN client: MS, Cisco, CheckPoint, Juniper
Non domain-joined // no Group Policies
No Windows Media Player // no Media Center
Security policies by Exchange ActiveSync (EAS)
Cloud management capable by Windows Intune
Form Factor Boot Time Heat and Noise x86 or x64 Battery Life Industry Target RT Pro Win 8 AOAC* Many Many Many Many Good Okay Okay Best Fanless More More Fanless ARM x64 Both x86 UEFI Good Okay n/a Both Consumer Both Both Both Always On Always Connected (AOAC) is a new Windows 8 device type
RT Pro Win8 AOAC Domain join capable Group Policy capable Cost AOAC capable Able to run classic applications TPM DirectAccess $$$ $$$$ $$$ $$$
Infrastructure Readiness
Management: Group policy; Roaming profiles; Other options
Capacity: Activation; Network load; Disk storage; User data; Applications; Images; Helpdesk
Application Management: System Center Configuration Manager; Windows Intune; Third-party tools; Coexistence
Bring Your Own Device: Wireless access; Proxy configuration (WPAD)
Application Management: Windows 7 applications are compatible with Windows 8
Tools to help: Application Compatibility Toolkit; Microsoft Assessment and Planning Toolkit; System Center 2012 Configuration Manager; Windows Intune
Process: Gather inventory; Prioritize your portfolio; Perform testing when appropriate; Remediate when needed
Categorize: Critical; Supported; Unsupported; Blocked
Rationalize: Perfection is impossible, focus based on risk and cost; Don't test everything; Choose when to be reactive instead of proactive; Simplify the structured testing process
Choices: Shim; Upgrade; Replace; Eliminate
Web site compatibility: Many web site compatibility issues are easy to fix
Tools to help: Line-of-business sites; Third-party internal sites; External sites
Process: Gather inventory; Prioritize your portfolio; Perform testing when appropriate; Remediate when needed
Categorize: Critical; Supported; Unsupported; Blocked
Rationalize: Perfection is impossible, focus based on risk and cost; Don't test everything; Choose when to be reactive instead of proactive; Simplify the structured testing process
Choices: Fix; Upgrade; Replace; Eliminate
New Features LTI / ZTI / UDI Installation
Accelerates 30 customers worldwide
Banking Construction Oil and Gas Aerospace Windows to Go Work on the Road Services Offered Utilize Windows to Go as a disaster recovery tool Allow true transportable model Windows 8 Application Windows to Go Work on the Road Services Offered Touch First Applications + Device Work on the Road: Executives being effective on the road Win 8 Style Application PC Refresh, PC Reset, Secure Boot Services Offered Reduce helpdesk PC repair time Machine refreshed to resolve the issue Win 8 style application, Windows to Go, end-to-end security Services Touch-enabled interactive selling Implement changes to data integrity and stability European Insurance Retail Provider Education Hospitality Win 8 style application, VDI Services Allows sales transaction without leaving the customer's side Accelerate the deployment of VDI Number of applications 1512 Services Offered Vendor research, install and launch testing, remediation, and packaging Win 8 application, enhanced end-to-end security. Services offered Windows tablets to Students Ability to manage stable devices Protect student data Win 8 style application, enhanced end-to-end security, Windows to Go Services offered Provide an improved mobile experience to executives Allow guests to boot corporate images
Image Engineering: repeatable and automated
Keep it simple: Strive for a single image; Include only what is needed for the majority, or what saves time; Leverage the deployment process for per-computer customization; Don't get carried away with configuration; Decide on security settings and runtime components early
Image build steps: Install operating system; Install common applications; Configure OS settings and defaults; Apply updates and patches; Capture new image
http://www.microsoft.com/en-us/download/details.aspx?id=25175
Modern Application Deployment
Download public apps from the Windows Store
Install corporate apps (sideloading): through the cloud, or directly on-premise
Windows 8 or Windows RT devices: custom LOB apps; supported Windows Store app links
Sideloading requirements by edition (columns: configure AllowAllTrustedApps registry key***; sign .appx file with trusted enterprise code signing certificate; sideloading key required; client is domain joined):
Windows 8 Enterprise: Yes; Yes**; required only if the client is not joined to a domain; Yes
Windows 8 Professional: Yes; Yes**; Yes; does not enable sideloading*
Windows RT: Yes; Yes**; Yes; cannot be joined to a domain*
Windows Server 2012: Yes; Yes**; does not support sideloading key; Yes
* The sideloading key must be configured
** Signed using a trusted code signing CA on Windows 8 clients
*** HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
Note: The Publisher Name in the app package manifest must match the Publisher Name in the certificate that is used to sign the app.
Detect sideloaded LoB app: (Get-AppxPackage -Name Contoso.SampleLOBApp).Version
Install sideloaded LoB app: Add-AppxPackage \\fileserver\contoso\samplelobapp.appx
Remove sideloaded LoB app: Get-AppxPackage -Name Contoso.SampleLOBApp | Remove-AppxPackage
Advanced Modern Device Management: Simplified administration experience; Available user-targeted apps; DeepLink support; In-console deployment monitoring
Build: Enterprise builds LoB app or gets app from ISV outside of the store
Certify: Certify LoB app using the Windows App Certification Kit
Sign: Sign with enterprise trusted certificate; publisher name in the certificate and package must match
Deploy: Deploy using System Center 2012 Configuration Manager SP1
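A pre-flight check for the sideloading requirements table and the Sign step above (policy key set, package signature trusted by the client, manifest Publisher equal to the certificate Subject, Enterprise edition joined to a domain when no sideloading key is present). This is an added example, not code from the deck; the package path and app name are assumptions.

```powershell
# Added example: verify sideloading prerequisites before Add-AppxPackage.
# Package path is an assumption; run elevated on a Windows 8 client.
function Test-SideloadPrereqs {
    param([Parameter(Mandatory)][string]$PackagePath)
    $ok = $true

    # 1. Policy key from the table's *** footnote must be 1.
    $keyPath = 'HKLM:\Software\Policies\Microsoft\Windows\Appx'
    $allow = (Get-ItemProperty -Path $keyPath -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    if ($allow -ne 1) { Write-Warning "AllowAllTrustedApps is '$allow', expected 1"; $ok = $false }

    # 2. Windows 8 Enterprise skips the sideloading key only when domain joined.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $joined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    if ($caption -like '*Enterprise*' -and -not $joined) {
        Write-Warning 'Enterprise client is not domain joined: a sideloading product key is required'
    }

    # 3. Package signature must chain to a CA this client trusts.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') { Write-Warning "Signature status is '$($sig.Status)'"; $ok = $false }

    # 4. Publisher in AppxManifest.xml must match the signing certificate's Subject
    #    (the .appx is a zip container, so read the manifest straight out of it).
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        [xml]$manifest = $reader.ReadToEnd()
        $reader.Dispose()
    } finally { $zip.Dispose() }
    $manifestPublisher = $manifest.Package.Identity.Publisher
    $certSubject = $sig.SignerCertificate.Subject
    # Plain string comparison; Windows normalises the X.500 names, so a mismatch
    # caused only by spacing after commas should be checked by hand.
    if ($manifestPublisher -ne $certSubject) {
        Write-Warning "Manifest Publisher '$manifestPublisher' != cert Subject '$certSubject'"; $ok = $false
    }
    return $ok
}

# Install only after the checks pass; same command as on the slide.
$pkg = '\\fileserver\contoso\samplelobapp.appx'
if (Test-SideloadPrereqs -PackagePath $pkg) { Add-AppxPackage -Path $pkg }
```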
Mouse alternatives for touch gestures:
Point to the lower right corner of the screen.
Point to the bottom of the app and use the scrollbar.
Right-click the app to see the app commands.
Drag an app to the lower edge to close it.
Press the Ctrl key while moving the mouse wheel to zoom in and out.
Point to an item to see more options.
Click an item to perform an action.
Xperf Performance Analysis unchained, Windows Assessment Toolkit revealed: http://blogs.technet.com/b/jeff_stokes/archive/2013/03/16/xperf-for-the-laymanperformance-analysis-unchained-windows-assessment-toolkit-revealed.aspx
Windows Assessment and Deployment Kit (ADK) for Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=30652
Can I customize the Start screen layout? http://technet.microsoft.com/en-us/library/jj134269.aspx
Can I prevent users from installing <Windows Store app>? http://companystore.codeplex.com/ (Antoine.Journaux@microsoft.com)
Why is the Windows Store disabled on Windows To Go?
Where can I get a SideLoad Product Key? http://www.microsoft.com/licensing/servicecenter
Can I use the Mail app without a Microsoft ID?
Can I programmatically install an app from the Windows Store?
Why can't the Windows Store apps find my proxy server?
http://support.microsoft.com/kb/2777643
http://support.microsoft.com/kb/2778122
http://windows8ready
http://infopedia/docstore/pages/kcdoc.aspx?docid=191045
7" OEM Android tablets; 10" OEM Android tablets; iPhone; Kindle Fire; Google Nexus 7; iPad: Entertainment only
Windows 8 and Windows RT + Office: Productivity & Fun + Creation: Full productivity applications; Full peripheral support; Full business integration; Full Security & Management
Key threats, 1995: Internet was just growing; Mail was on the verge
Key threats, 2001: Melissa (1999), Love Letter (2000); Mainly leveraging social engineering
Key threats, 2004: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; Mainly exploiting buffer overflows; Script kiddies; Time from patch to exploit: several days to weeks
Key threats, 2007: Zotob (2005); Attacks «moving up the stack» (Summer of Office 0-day); Rootkits; Exploitation of buffer overflows; Script kiddies; Rise of phishing; User running as Admin
Key threats, 2009: Organized crime; Botnets; Identity theft; Conficker (2008); Time from patch to exploit: days
Key threats, 2012: Organized crime, potential state actors; Sophisticated targeted attacks; Operation Aurora (2009); Stuxnet (2010)
Windows 95 - Windows XP: Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (file based); Smartcard and PKI support; Windows Update
Windows XP SP2: Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by default; Firewall on by default; Windows Security Center; WPA support
Windows Vista: BitLocker; Patchguard; Improved ASLR and DEP; Full SDL; User Account Control; Internet Explorer SmartScreen Filter; Digital Rights Management; Firewall improvements; Signed device driver requirements; TPM support; Windows Integrity Levels; Secure by default configuration (Windows features and IE)
Windows 7: Improved ASLR and DEP; Full SDL; Improved IPsec stack; Managed Service Accounts; Improved User Account Control; Enhanced auditing; Internet Explorer SmartScreen Filter; AppLocker; BitLocker To Go; Windows Biometric Service; Windows Action Center; Windows Defender
Windows 8: UEFI (Secure Boot); Firmware-based TPM; Trusted Boot (with ELAM); Measured Boot and Remote Attestation support; Significant improvements to ASLR and DEP; AppContainer; Windows Store; Internet Explorer 10 (plugin-less and Enhanced Protected Modes); Application Reputation moved into core OS; BitLocker: Encrypted Hard Drive and Used Disk Space Only encryption support; Virtual Smartcard; Picture Password, PIN; Dynamic Access Control; Built-in Anti-Virus
Single admin console Devices & Platforms