MMS 2013 Feedback Session (Client Edition)
Microsoft Japan, Cloud & Solutions Business Division, Senior Technology Specialist: 青木祐二 (Yuji Aoki)
Agenda
• Windows 8
• Device management (SCCM / Windows Intune)
• MDOP (MBAM, App-V, UE-V)
• VDI
Windows 8
Windows 8 related sessions (1/2)
Session ID  Session title
DC-B301 A Geek's Guide to USMT 5.0
DC-B302 Demonstrations of Assessment and Deployment Kit Tools
DC-B303 Advanced Microsoft Deployment Toolkit 2012 Update 1 Customizations
DC-B304 Implementing the Windows To Go Concept in an Enterprise Environment
DC-B305 Application Compatibility for Windows 8
DC-B306 Building the Perfect Windows 8 Image
DC-B308 Deploying Windows 8 Using Lite Touch
DC-B310 Develop a Successful Flexible Desktop Strategy in Today’s Digital Era
DC-B311 Windows Sysinternals Primer
Windows 8 related sessions (2/2)
Session ID  Session title
DC-B315 Internet Explorer 10 Administration
DC-B316 Real World Windows 8 Deployment with MDT 2012 Update 1
DC-B317 Deploying Windows To Go in the Real World
DC-B318 What's New in Windows 8 Deployment
DC-B319 Windows RT in the Enterprise
DC-B320 Windows Store Apps: Enterprise LOB App Deployment Scenarios
DC-B401 Advanced Automation Using Windows Powershell
DC-B402 Windows 8 Security Internals
Windows 8 related sessions: summary
• Windows 8 adoption / deployment / migration / compatibility
• Deploying Windows To Go
• Deploying Windows Store apps
• Windows RT in the enterprise
• Internet Explorer 10
What's New in Windows 8 Deployment
Michael Niehaus, Senior Product Marketing Manager, Microsoft
DC-B318: explains the tools used to deploy Windows 8 and the components they depend on.
Windows 8: Current observations
• 15 minutes goes to 10 when using new Windows PE
• Windows Vista takes over 30 minutes for a clean install (no integration components)…
Windows 7
• Image size: 1.97GB image (WIM), 7.87GB expanded
• Installation time (new): 15 minutes*
• Upgrade time (from Vista): 30 minutes
Windows 8
• Image size: 1.96GB image (WIM), 7.76GB expanded
• Installation time (new): 10 minutes
• Upgrade time (from Windows 7): 20 minutes
Windows 8: UEFI is important
New disk layout:
• GPT instead of MBR
• Requires multiple partitions
• BCD is not on disk
• Requires FAT32 boot partition, media
New version for Windows 8 logo machines:
• UEFI 2.3.1
• Faster POST, faster boot
• Will be able to support PXE
No cross-platform deployments:
• Need to use matching boot image (even for ConfigMgr)
• x64 machines won’t support x86 OS via UEFI boot
Windows 8: Hyper-V Client Hypervisor
Just like the server version, with specific hardware requirements:
• Windows 8 64-bit
• 4GB RAM or more
• Hardware-assisted virtualization
• Second-level address translation (SLAT) support
SLAT is not required on Windows Server 2012 (except for RemoteFX), just Windows 8.
Tools can detect SLAT:
• Coreinfo from http://www.sysinternals.com
• MDT 2012 (via WMI): “SupportsSLAT”
• WMI on Windows 8 and Windows PE 4.0: Win32_Processor property SecondLevelAddressTranslationExtensions
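As an added example (not part of the session slides), the following PowerShell function turns the four hardware requirements above into a single check. It reads the WMI property the slide names (Win32_Processor.SecondLevelAddressTranslationExtensions) together with the sibling Win32_Processor properties VirtualizationFirmwareEnabled and VMMonitorModeExtensions, and Win32_OperatingSystem / Win32_ComputerSystem for OS architecture and RAM. It targets Windows 8 or Windows PE 4.0 with PowerShell 3.0; the function name is my own.

```powershell
# Added example, not from the session: aggregate the Client Hyper-V prerequisites
# (64-bit Windows 8, >= 4GB RAM, hardware-assisted virtualization, SLAT) from WMI.
function Test-ClientHyperVPrerequisites {
    [CmdletBinding()]
    param()

    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    # Multi-socket systems return one Win32_Processor instance per socket; every
    # socket must satisfy the requirement, so a property is "true" only if no
    # instance reports it false (or missing, as on pre-Windows 8 WMI).
    $cpus = @(Get-WmiObject -Class Win32_Processor)

    $allTrue = { param($prop) ($cpus | Where-Object { -not $_.$prop } | Measure-Object).Count -eq 0 }

    $result = [ordered]@{
        Is64BitOS          = $os.OSArchitecture -eq '64-bit'
        MemoryGB           = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
        HasAtLeast4GB      = $cs.TotalPhysicalMemory -ge 4GB
        VirtualizationInFw = & $allTrue 'VirtualizationFirmwareEnabled'     # VT-x / AMD-V enabled in firmware
        VMMonitorMode      = & $allTrue 'VMMonitorModeExtensions'           # CPU supports hardware virtualization
        SLAT               = & $allTrue 'SecondLevelAddressTranslationExtensions'  # the property named on the slide
    }
    $result.ReadyForClientHyperV = $result.Is64BitOS -and $result.HasAtLeast4GB -and
                                   $result.VirtualizationInFw -and $result.VMMonitorMode -and $result.SLAT
    New-Object -TypeName PSObject -Property $result
}

Test-ClientHyperVPrerequisites | Format-List
```

The VirtualizationInFw check is the one most often false on otherwise capable hardware: SLAT can be present while virtualization is disabled in firmware, and Coreinfo reports the CPU capability rather than the firmware setting, so both are shown separately.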
Windows 8: Slates and tablets
New deployment challenges:
• No keyboard
• Touch screen-only
• Often no wired networking
Expected usage:
• Attach a USB keyboard
• Use an Ethernet dongle or USB storage
Windows 8: Assessment and Deployment Kit
• ADK is the new Windows AIK
• All core Windows 8 deployment tools are now part of the “Assessment and Deployment Kit” (ADK)
• Everyone will be able to download the ADK from the Download Center
• No ARM tools will be available, therefore MDT will not support ARM
• Cannot (should not) coexist with Windows AIK
• Can only be installed on Windows 7, Windows Server 2008 R2, and later OSes
Windows 8: Windows AIK vs. ADK
Windows AIK:
• Windows PE 3.x
• USMT 4.0
• Windows System Image Manager
• DISM
• ImageX
ADK:
• Windows PE 4.0
• USMT 5.0
• Windows System Image Manager
• DISM
• ImageX*
• Application Compatibility Toolkit 6.0
• Volume Activation Management Tool
• Windows Performance Toolkit
• Windows Assessment Toolkit
* ImageX is “deprecated,” replaced by DISM
Windows 8: USMT 5.0
• Adds support for Windows 8, while still supporting Windows XP as a source
• You might need multiple versions (see the source/destination table below)
• New store verification and recovery tool
• /UE and /UEL now work together
• For more detailed information, see: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-for-windows-8-consumer-preview.aspx
USMT version by source OS (rows) and destination OS (columns):
Source \ Destination | Windows XP    | Windows Vista | Windows 7     | Windows 8
Windows XP           | USMT 3        | USMT 4        | USMT 4, 5     | USMT 5
Windows Vista        | Not supported | USMT 4        | USMT 4, 5     | USMT 5
Windows 7            | Not supported | Not supported | USMT 4, 5     | USMT 5
Windows 8            | Not supported | Not supported | Not supported | USMT 5
Windows Store Apps: Enterprise LOB App Deployment Scenarios
Michael Niehaus, Senior Product Marketing Manager, Microsoft
DC-B320: explains the deployment of Windows Store apps, centred on demos.
Windows Store apps
Install via an “Enterprise App Store” using:
• System Center 2012 Configuration Manager SP1
• Windows Intune
Provision using the Microsoft Deployment Toolkit 2012 or DISM:
• Include in sysprepped image
• Customize Start screen layout
Installation:
• Register the application for the user
• Always per-user
• Does not require administrator rights
• Side load or from the Windows Store
Provisioning:
• Register application on the computer
• Install automatically for each user
• Side load only
• Requires administrator rights
Enterprise side loading requirements:
• Windows 8 Enterprise, domain joined or with a separate side load product key
• Windows 8 Pro or Windows RT, with a separate side load product key
Demo: Doing it the manual (hard) way
The manual way: things to remember
Prerequisites must be met:
• Set the Allow All Trusted Apps policy
• Import any needed trusted root certificates
• Enable sideloading (automatic with Windows 8 Enterprise when domain joined)
PowerShell and DISM commands do the work. See http://technet.microsoft.com/library/hh852635.aspx for more information.
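An added example, not the session's own script, that runs the three prerequisite checks above and then performs either the per-user installation or the per-machine provisioning described earlier, using the Appx and DISM PowerShell cmdlets that ship with Windows 8 (Add-AppxPackage, Add-AppxProvisionedPackage). The package path is a placeholder, since the slides name no package, and the use of Get-AuthenticodeSignature to read the package signature is an assumption on my part.

```powershell
# Added example (not from the session). Verifies the sideloading prerequisites
# listed on the slide, then installs (per user) or provisions (per machine) an
# .appx package. $PackagePath is a placeholder; no real package is implied.
param(
    [Parameter(Mandatory = $true)]
    [string]$PackagePath,      # e.g. '\\fileserver\apps\ContosoLob.appx' (placeholder)
    [switch]$Provision         # register on the computer for every user; needs admin
)

$ErrorActionPreference = 'Stop'

# 1. "Allow all trusted apps to install" policy:
#    HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1 (normally set by GPO).
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allowTrusted = (Get-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($allowTrusted -ne 1) {
    throw "AllowAllTrustedApps is not set to 1 under $appxPolicy; apply the sideloading policy first."
}

# 2. The package signature must chain to a trusted root. With an internal CA the
#    root certificate has to be imported into Cert:\LocalMachine\Root beforehand.
#    (Assumption: Get-AuthenticodeSignature can read the package's Authenticode signature.)
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $PackagePath is '$($sig.Status)' (signer: $($sig.SignerCertificate.Subject)); import the signer's root certificate."
}

# 3. Sideloading itself: automatic on domain-joined Windows 8 Enterprise; every other
#    SKU needs a separate sideloading product key, which this script cannot supply.
$os = Get-WmiObject -Class Win32_OperatingSystem
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not ($os.Caption -like '*Enterprise*' -and $cs.PartOfDomain)) {
    Write-Warning 'Not domain-joined Windows 8 Enterprise: a sideloading product key must be activated first.'
}

if ($Provision) {
    # Provisioning registers the package on the computer; each user who logs on
    # afterwards gets it installed automatically. Administrator rights are required.
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Provisioning requires administrator rights.'
    }
    # -SkipLicense: a sideloaded LOB package carries no Store license file.
    Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense | Out-Null
    Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName
} else {
    # Installation registers the package for the current user only; no admin rights needed.
    Add-AppxPackage -Path $PackagePath
    Get-AppxPackage | Select-Object Name, PackageFullName
}
```

If the package depends on a framework package (for example the WinJS or .NET runtime packages), pass it with -DependencyPath (Add-AppxPackage) or -DependencyPackagePath (Add-AppxProvisionedPackage); a provisioned package only reaches users who log on after it was provisioned, which is why the slide separates provisioning from installation.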
Using ConfigMgr: things to remember
• Windows Store apps install per user
• Cannot be installed via a task sequence
• No native support for provisioning apps, but this can be done using standard software distribution and custom command lines
• Use the App Catalog web site to enable self-service installation of Windows Store apps
• “Deep links” can be used, but the user must still log in with a Microsoft Account and click “Install”
• Requires ConfigMgr 2012 SP1
Using Windows Intune: things to remember
• Enables self-service app installation
• Publish apps to the Company App Portal (Windows Store app)
• Users can “pull” apps from the cloud, but there is no IT-driven “push”
• Requires setting up DirSync, best with single sign-on
• Requires Windows Intune wave D (January release)
Windows RT in the Enterprise
Michael Niehaus, Senior Product Marketing Manager, Microsoft
DC-B319: explains scenarios for using Windows RT in the enterprise.
Choosing a Business Tablet
• Windows 8 tablets with Intel Core 64-bit processors
• Windows 8 tablets with Intel Atom 32-bit processors
• Windows RT tablets with ARM processors
What capabilities are needed?
Capability | Choice of tablets
Mobility | Best Mobility: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets
Workload | More Intensive Workloads: Windows 8 Tablets with Intel Core processors
Apps | Desktop Apps: Windows 8 Tablets with Intel Core or Intel Atom processors
Apps | Dedicated LOB Apps: Windows 8 Tablets with Intel Core or Intel Atom processors or Windows RT Tablets
Connectivity | Best Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors running Windows 8 Enterprise (DirectAccess)
Connectivity | Occasional Connectivity: Windows 8 Tablets with Intel Core or Intel Atom processors that can automatically sync files using SkyDrive or SkyDrive Pro
Connectivity | Through VPN Connections: All Windows 8 and Windows RT* tablets
Connectivity | Always On: Windows 8 Tablets with Intel Atom processors or Windows RT Tablets
Manageability | Full Manageability: Windows 8 Tablets with Intel Core or Intel Atom processors
Manageability | Simple Manageability: All Windows 8 or Windows RT Tablets managed by Windows Intune
Manageability | Governance: All Windows 8 and Windows RT Tablets with Exchange ActiveSync policies
Tablet classes compared: Windows 8 Tablets with Intel Core Processors; Windows 8 Tablets with Intel Atom Processors; Windows RT Tablets with ARM Processors
Know the Choices of Windows-Powered Tablets
1. Determine Customer’s Device Needs
• Mobility: Weight | Battery Life
• Workload: Casual | Intensive
• Apps: Desktop apps | Windows Store apps | LOB apps | Remote apps
• Connectivity: Corporate Access | Always On
• Manageability: Full | Simple | Governance
2. Choose a Device Based on Capabilities
Connectivity
VPN connection:
• Inbox VPN client for Microsoft server is included
• Inbox VPN client can interoperate with 3rd party VPN servers via PPTP, L2TP, and IKEv2
• Multiple ways of configuration (client UX, scripts, or management infrastructure)
Multi-factor authentication:
• Smartcard (PIV, GIDS)
• Virtual smartcard: an easy-to-deploy and cost-effective way of enabling strong multi-factor authentication
Data and App Access
RemoteApp:
• Grant access to line-of-business applications and data
• Seamlessly launch apps from Windows RT
• Secure corporate data: avoid storing enterprise data on consumer devices
• Ensure compliance requirements
VDI:
• Full VDI experience supported
• Rich experience everywhere (RemoteFX, USB redirection, multi-touch remoting)
• Best value for VDI (Fairshare)
• Efficient management
Security and Manageability
Security capabilities on Windows RT devices:
• Secured Boot, Trusted Boot
• Device Encryption
• Picture password, Credentials Locker
• Windows Firewall, Windows Defender
• NAP (Network Access Protection) supported
Governance through Exchange ActiveSync (EAS)*:
• Password requirements (e.g., password complexity, picture password, device lock, password expiration, etc.)
• Multiple EAS accounts & settings
• Report on device encryption status
• Remote Content Wipe (by user or admin)
* Enabled through Mail app
Security and Manageability
Cloud-based management with Windows Intune:
• Single pane-of-glass administration through System Center Configuration Manager 2012 SP1
• Features:
  • Distribute and manage new Windows apps (via sideloading)
  • Push configurations (e.g., VPN config)
  • Enforce more governance settings
  • Ensure compliance (e.g., monitor security settings)
  • Collect inventory information (e.g., which LOB apps are installed)
Diagnostics and troubleshooting:
• Windows PowerShell supported
  • Scripting language, cmdlets, providers, and management capabilities
  • .NET scripting tailored for power and reliability
Internet Explorer 10 Administration
Fred Pullen, Senior Product Marketing Manager, Microsoft Corporation
DC-B315
Session agenda:
• Customizing the Browser
• Browser Management
• Deployment Methods
• App Compat
Common Browser Customizations:
• Title bar, branding, graphics
• Connection settings
• Add-on components
• Security settings
• Preset web pages / links
IE Administration Kit (IEAK): contains the Internet Explorer Customization Wizard 10 to create custom versions of IE10.
Group Policy Settings in IE10
For more information, see TechNet Library content: Group Policy Settings in Internet Explorer 10
• ~1500 Group Policies in total, supporting all versions of IE
• 28 new Group Policies for Internet Explorer 10, for example:
  • Default Browser: Notify users if Internet Explorer is not the default web browser
  • Adobe Flash: Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects
Search Tool for Group Policies
• MSDN Search Tool for Group Policies: http://gpsearch.azurewebsites.net/
• Various tree views for Group Policies
• Filter based on various IE, Windows, and Office versions
• Added support for Windows 8 and Windows Server 2012
Device Management (SCCM / Intune)
Device management related sessions (1/4)
Session ID  Session title
UD-B201 Hierarchy Simplification with Configuration Manager 2012
UD-B301 Application Delivery with System Center 2012 Configuration Manager SP1 and Windows Intune
UD-B302 Reduce IT Energy Waste and Implement PC Power Management
UD-B303 Augmenting Your Windows Management Strategy with System Center 2012 Configuration Manager Task Sequences
UD-B304 Boundaries in System Center Configuration Manager 2012
UD-B305 How Microsoft IT Uses System Center Configuration Manager 2012 SP1
UD-B306 Notes From the Field: Complex and Massive Configuration Manager Migrations
UD-B307 Compliance Settings and Control End–User Installed Software
UD-B308 Advanced Infrastructure for System Center 2012 Configuration Manager SP1
UD-B309 Deploying and Configuring Mobile Device Management Infrastructure
Device management related sessions (2/4)
Session ID  Session title
UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1
UD-B311 Deploying System Center 2012 Configuration Manager SP1 With Windows Intune
UD-B313 Documentation, Disaster Recovery, and Using Scripts as Time Savers
UD-B314 Replacing BIOS With a UEFI Deployment
UD-B316 Migrating From Configuration Manager 2007 to Configuration Manager 2012
UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1
UD-B318 Managing Embedded Devices with Configuration Manager 2012
UD-B319 How Microsoft IT Upgrades System Center Configuration Manager 2012 Hierarchy with System Center Orchestrator Automation
UD-B320 Configuration Manager 2012: MVP Experts Panel
UD-B323 Software Deployments: From GPO–Based to Configuration Manager
Device management related sessions (3/4)
Session ID  Session title
UD-B324 SQL Server 2012 for System Center Administrators
UD-B325 System Center 2012 Configuration Manager SP1 Overview
UD-B326 Managing Third Party Updates with System Center 2012 Configuration Manager SP1
UD-B327 The WHY of Configuration Manager: Methods of Deployment
UD-B328 The Top Ten Lessons Learned in Managing SQL & Reporting
UD-B329 Top Shops: Field Notes from IT Departments That Rock
UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management
UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1
UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design
UD-B335 Windows Intune Overview
Device management related sessions (4/4)
Session ID  Session title
UD-B338 Reporting in System Center 2012 Configuration Manager SP1
UD-B340 System Center 2012 Configuration Manager SP1 Case Studies and Migration Experiences
UD-B341 Complex Maintenance Using System Center 2012 Configuration Manager and Orchestrator: Patching a Cluster
UD-B342 Configuration Manager 2012 and Orchestrator 2012
UD-B343 Deploy All of System Center: Two Real World Examples
UD-B344 Becoming a Windows Intune IT Administrator: A Real-World Perspective
UD-B391 Large Scale System Center Configuration Manager Environments: Challenges and Solutions
UD-B392 The MMS 2013 Treasure Hunt: Hidden Gems & Diamonds in Configuration Manager 2012
UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting
UD-B404 Migration Best Practices from System Center Configuration Manager 2007 to 2012
Device management related sessions: summary
• Mobile device management (Windows Intune integration)
• Details of individual features
  • SQL reporting, application distribution, compliance settings, power management, Mac & Linux management, Windows Embedded management
• SCCM site architecture
• Migration from SCCM 2007 to SCCM 2012
• SCCM / SCO integration
• MSIT case study
Simplifying Management Across Platforms
IT: single admin console
Devices & platforms: Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Embedded, Windows RT, Windows Phone 8, iOS, Android, Mac OS X
Mobile Device Management with Configuration Manager 2012 SP1 and Windows Intune
Craig Morris (Senior Program Manager), Brett Flegg (Principal Developer), Microsoft
UD-B309
Enabling users to be productive, responsibly: finding the right balance
Devices & experiences users want: applications and data across devices, anywhere (Empower User Productivity)
Unified Management Infrastructure + Common Identity: Access and Information Protection, controlled access to data with seamless authentication
Unified Device Management:
• Single management interface
• Integrated security and compliance
• Improve IT efficiency
• Reduced infrastructure complexity
Empower User Productivity:
• Device choice
• Application self-service
• Personalized application experience
• Non-intrusive management
MDM Features and Platforms
Configurations for MDM:
• Windows Intune standalone
• ConfigMgr 2012 SP1 + Windows Intune Subscription
New platforms:
• Windows RT
• Windows Phone 8
• iOS (5.x, 6.x)
• Android (2.1 and later)
Features:
• Over-the-air device enrollment*
• User-targeted available app deployment
• User and device settings management*
• Device inventory*
• Remote device retirement*
• Remote device wipe*
* Android features managed by proxy through the Exchange Connector
Enrollment failure causes:
• Admin has not configured mobile device management
• Admin has not enabled enrollment for specific device types
• User is trying to enroll several devices at the same time or has more than 20 mobile devices in the system
• User is not provisioned by their IT admin
• Windows Phone 8 only: WP8 code signing certificate not configured properly
• iOS only: Apple Push Notification Service certificate is not configured or has expired, or the device is not running iOS 5.0+
Application Delivery with System Center 2012 Configuration Manager SP1 and Windows Intune
Dilip Radhakrishnan, Senior Program Manager, Microsoft Corporation
Heidi Cheng, Senior Program Manager, Microsoft Corporation
UD-B301: mainly covers app delivery to the devices newly supported in SP1.
Application Management Challenges
Deploy new OS and apps to PCs:
• New applications for Windows 8
• Need to learn new concepts and differences between Windows 8 & Windows RT, for both IT Pros and end users
Deploy apps across mobile OS platforms:
• iOS, Android, Windows RT, Windows Phone 8
• Deal with unique constraints imposed by each platform’s app concepts
Application maintenance:
• Device switch scenario
• Device lost/stolen, user role change/retirement
End user experience:
• App discoverability
• Self service
ConfigMgr 2012 Application Model
Application (e.g. Adobe Reader):
• Metadata about the application
• Deployed to machine and user collections
• Contains one or more deployment types, e.g. Adobe Reader (MSI), Adobe Reader (App-V), XenApp (with XenApp Connector), Adobe Reader (APPX / Windows Store link)
Deployment types:
• Windows Installer (MSI)
• App-V
• Windows Script
• Windows Mobile (CAB)
• Nokia (SISX)
• XenApp (from Citrix)
• Windows app packages
• Windows Phone
• App-V 5.0
• iOS
• Android
• Mac OS X
Install formats by platform:
Platform | Install
Windows 8 / Windows RT | *.appx
Windows Phone 8 | *.xap
iOS | *.ipa
Android | *.apk
Mac OS X | *.DMG, *.MPKG, *.PKG, *.APP
Also: deep links to the store
Application Model Changes in SP1
• New deployment types for new OS platforms
• Other enhancements: support for App-V 5.0
• End user experience: consistent self-service experience for end users across mobile platforms
Company portals:
• Windows RT Company Portal: native Windows app package (.appx), available in the Windows Store
• Windows Phone 8 Company Portal: native Windows Phone 8 app (.xap), needs to be sideloaded
• iOS/Android Company Portal: web-based portal hosted in Windows Intune
How Microsoft IT Uses System Center 2012 Configuration Manager SP1
Shitanshu Verma (Service Engineering Manager), Karthik Jayavel (Service Engineer)
UD-B305
Features and Solutions Used
• Intune Connector
• User Centric Application Delivery
• Macintosh Client Management
• Orchestrator Runbooks
• Modern Application Distribution
• Software Update Point List
• Automatic Client Deployment
Unified Management Infrastructure @ Microsoft IT
Sites and clients:
• Redmond Site 1: 75k clients
• Redmond Site 2: 75k clients
• North & South America: 35k clients
• Europe, Middle East, Africa: 40k clients
• Australia & Asia: 75k clients
• Unified Device Management Site: ~98K devices*
Identity and Intune integration: MS Online Directory Services (MSODS), Active Directory Federation Server 2.0, MS Online Directory Sync (DirSync), AD User Discovery (corp domains), Intune Subscription, Connector Site role
Infrastructure:
• 6 Primary Sites
• 13 Secondary Sites
• 250 Distribution Points
PCs & Devices:
• ~300,000 clients
• ~125k mobile devices
Users:
• ~98k FTEs
• ~82k Vendors
* projected device count
Unified Device Management Scope @ MSIT: Device Enrollments and Modern Apps
Native management scope:
• Windows Phone 8: current 140, planned 24k; apps published: 9 WP8 LOB, 1 deep linked
• Windows RT: current 35, planned 19k; apps published: 12 WinRT apps, 2 deep linked
• Android: EAS only
Unified Device Management Solution @ MSIT
Device management:
• Windows PCs, Macs: ConfigMgr SP1
• WP, Android, smart phones, etc.: EAS
• WP8, WinRT, iOS: Intune (native mgmt.)
Unified management:
• ConfigMgr 2012 SP1 on-prem infra
• Windows Intune Wave D cloud
• Exchange connector (reporting)
Administrative experience:
• Single pane of glass and simplified administration
• Managed via ConfigMgr console
Unified Device Management Architecture (Unified Management @ MSIT) [diagram: Microsoft IT Unified Management Infrastructure; ConfigMgr 2012 SP1 manages Windows PCs (x86/64) and Mac OS, Windows Intune Wave D Beta manages Windows RT, Windows Phone 8 and iOS, EAS covers Windows Phone, Android, smart phones, etc.; administrative experience: single pane of glass, simplified administration]
Note Worthy Items
• Device scale: 100k user limit
• Company portal and WIPE scenarios evaluated for Windows Phone 8 and Windows RT devices
• Corporate security EAS policies enforced via Settings Management
• Exchange connector used to consolidate inventory and merge device records
• End user education provided via enrollment and Microsoft IT work smart guides
• Created FAQs and support guides for Help Desk and Microsoft Tier 2 support teams
• Developed custom inventory reports to provide a consolidated view of enrolled devices
• Microsoft IT broad device management communications/enrollments planned for June 2013
More in-depth session: UD-B311, Deploying System Center 2012 Configuration Manager SP1 With Windows Intune (Wednesday, April 10, 2013 | 2:45 PM - 4:00 PM)
Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1
Jeffrey Sutherland (Principal PM Manager), Hassen Karaa (Senior Program Manager)
UD-B317
Supported Operating Systems
Mac Client: OS X | Linux Server: Red Hat, SUSE | UNIX Server: AIX, HP-UX, Solaris
Configuration Manager 2012 SP1: Mac client, Linux servers and UNIX servers listed above
Endpoint Protection 2012: Mac client and Linux servers; No Plans for the UNIX servers
Architecture Overview: Agent for UNIX/Linux
• Agent for UNIX/Linux: equivalent of ccmexec.exe in Windows
• CIM Server: equivalent of the WMI service in Windows
• Providers (Provider 1, 2, 3), running on the PAL (Platform Abstraction Layer) and reading OS resources: equivalent of WMI providers in Windows
• ConfigMgr: native ConfigMgr communication with the agent
ConfigMgr 2012 SP1 Mac support
Features:
• Discovery: find Macs in Active Directory and the network
• Hardware Inventory: inventory and audit Mac OS X machines
• Software Inventory: determine list of installed software
• Settings Mgmt: ensure Mac OS X machines comply with company policies
• Application Deployment: required/push software distribution via app model
• Software Updates Mgmt: via Software Distribution and Settings mgmt.
Out of scope:
• Self Service Software Portal: ability for user to select what software to install
• Operating System Deployment
• Remote Control: achieved through Lync (desktop sharing), or other 3rd party solutions
System Requirements
Client platforms:
• Mac OS X 10.6 (Snow Leopard)
• Mac OS X 10.7 (Lion)
• Mac OS X 10.8 (Mountain Lion)
Server requirements:
• Requires ConfigMgr 2012 SP1 server
• No special infrastructure needs
• Uses https in device mode to access Management Point
Architecture components
Mac OS X client:
• User context: CCMAgent (launchagent), ConfigMgr Notifications UX, Preference Pane
• System context: CCMClient daemon
Site infrastructure:
• Management Point: 1. policies over SSL
• Distribution Point: 2. content over SSL
• ConfigMgr SQL Database: compliance inventory through state system
• File Server containing CMAppUtil-generated cmmac files
• Site Server
Configuration Manager 2012 and Orchestrator 2012
Steven Rachui, Senior Premier Field Engineer, Microsoft
UD-B342: automating client-related operations by integrating SCCM / SCO
• Application Deployment
• Task Sequencing/OSD
• Compliance Settings
• ConfigMgr Client Install
ConfigMgr and Orchestrator in Action
Demo (Steven Rachui): Application Deployment: App Model, Packages
OSD and Orchestrator
Demo (Steven Rachui): Task Sequencing/OSD: User Initiated Imaging, Runbooks via Task Sequence
Demo (Steven Rachui): Compliance Settings: Enhanced Remediation
Demo (Steven Rachui): Client Install: Unix/Linux
Configuration Manager... Actually
Jason Sandys (Principal Consultant, Catapult Systems), Kim Oppalfens (Inovativ)
UD-B408: a session covering features that are frequently asked about on SCCM forums and elsewhere (boundaries, client IDs, etc.).
Overview
Five issues, commonly addressed on the forums and mailing lists
Boundaries
Client identity
Business hours and maintenance windows
Deployment type evaluation
Upgrade to SP1
Boundaries: common questions
• What type of boundary should I be using?
• Why are my resources not being assigned to my site?
• Should I use a site assignment boundary group for my secondary site?
• Why won’t my content download?
Boundary usage
Boundaries are used for:
• Content location by clients
• Auto-site assignment by clients
• Secondary site MP location
Boundaries are not used for:
• Primary site MP or SUP selection by clients
• Internet clients
• Any server-side processes
• Client site re-assignment
ID overload
Security Identifier (SID):
• Used by Windows
• Known to AD and local system but never used by anything except local client*
• Uniquely generated for each Windows system
• Not used by ConfigMgr to generate GUID
Globally Unique Identifier (GUID):
• Used by ConfigMgr
• Uniquely generated by the ConfigMgr client agent
• Known to ConfigMgr site and client
• “Secret” generation process
Hardware Identifier (HWID):
• Generated by ConfigMgr client agent to uniquely identify hardware
• Known to ConfigMgr site and client
• Helps identify systems that have been “reimaged”
Resource ID:
• Sequential ID known only to the site
• Used for nearly all client-centric activity
Client certificate:
• Used to generate new client GUID
MDOP
MDOP related sessions
Session ID  Session title
DC-B312 What's new with Windows 8 BitLocker and Microsoft BitLocker Administration and Management 2.0
DV-B305 Better together: Application Virtualization 5.0 & Office
DV-B306 Microsoft Application Virtualization 5.0: Migration and Coexistence
DC-B307 Deploying and Managing Virtual Applications and Settings with System Center and MDOP
DV-B306 You can still tweet that140 Characters to move from App-V 4.6 to App-V 5.0
DV-B307 How to Manage and Deploy Microsoft User Experience Virtualization Across an Enterprise
DC-B321 Making PC Recovery Easier with the Microsoft Diagnostics and Recovery Toolset
DC-L301 Advanced Group Policy Management (AGPM) 4 SP1
What's new with Windows 8 BitLocker and Microsoft BitLocker Administration and Management 2.0
Paul MacKnight, Senior Program Manager, Microsoft
Lance Crandall, Program Manager, Microsoft
DC-B312
What is Microsoft BitLocker Administration and Monitoring?
MBAM 1.0 objectives:
• Simplify provisioning and deployment
• Provide reporting (e.g.: compliance & audit)
• Reduce costs (e.g.: simplified recovery)
MBAM 2.0 improves 1.0 functionality and adds additional focus on:
• Improving compliance and security
• Integrating with existing systems (e.g.: SCCM)
• Reducing costs (e.g.: self service, simplified deployment)
“We can use MBAM v1.0 to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our employees or IT staff.” Bob Johnson, Director of IT, BT U.S. and Canada
MBAM 2.0 Release Pillars
Configuration Manager Integration:
• Compliance reporting integrated to CM environment
• Hardware compatibility & targeting via CM collections
• Offload MBAM client reporting workload to CM client
Windows 8 Support:
• Windows 8 Enterprise support
• Non-TPM / Windows To Go support
• BitLocker pre-provisioning support
Self Service:
• Information Worker able to retrieve Recovery Key via Portal
• Recovery Keys protected with Access Control
• Auditing of all Recovery Key access
Customer Feedback:
• More pre-req flexibility (TDE, SPNs, SQL Server)
• Improved encryption flow & smarter compliance calculation
• Improved scalability and performance
Configuration Manager Integrated Architecture
[Diagram: Active Directory Domain Services & Group Policy infrastructure (GPO) configures the Client Computer, which runs the MBAM Client and BitLocker alongside the ConfigMgr Agent; Web Services (Recovery Web Service, Self-service Web Service, Admin Web Service) sit in front of the SQL Database (Recovery, Audit) and the ConfigMgr Database (Compliance); Management Console and SSRS for reporting; Portals: HelpDesk Portal and Self-service Portal]
Supported Software: Stand Alone and Configuration Manager Mode
SQL Server:
• SQL 2008 R2 Standard edition or greater w/SP1
• SQL 2012 Standard edition or greater RTM / SP1
Server OS:
• Windows Server 2008 SP2 Standard/Enterprise/Datacenter
• Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
• Windows Server 2012 Standard/Enterprise/Datacenter
Client OS:
• Windows 7 Ultimate, Enterprise w/SP1 (x86/x64)
• Windows 8 Enterprise (x86/x64)
• Windows 8 Windows To Go
System Center Configuration Manager:
• Configuration Manager 2007 w/SP2
• Configuration Manager 2012 w/SP1
Better together: Application Virtualization 5.0 & Office
Ele Ocholi, Program Manager, Microsoft
DV-B305
App-V and Office: a history
• 2006: Acquired
• 2008: App-V 4.5
• 2010: App-V 4.6
• 2011: App-V 4.6 SP1
• 2013: App-V 5.0
Office integration approaches over that period: KB-based sequencing recipe; Office Package Accelerator recipe; integration via Deployment Kit; Office 365 ProPlus (Click-To-Run) package with no sequencing; Office 2010 now supported.
App-V 5.0 Pillars
Integrated Platform:
• Virtual applications work like installed applications
• Virtual applications use Windows standards
• No dedicated drive letter required
Powerful Management:
• New web-based management interface
• One management workflow for desktop, VDI and RDS
• Rich PowerShell scripting allows automation and customization
Flexible Virtualization:
• Multiple App-V applications can share the same virtual environment
• Designed to support highly integrated applications
• Preserve existing investments in App-V
Optimizing App-V
App-V 4.6 | App-V 5.0
Uses dedicated drive letter (Q: drive) | No dedicated drive letter required
4GB package limit | No 4GB limit
Isolated from local applications | Virtual Application Extension
Share middleware with Dynamic Suite Composition | Share peer applications with Virtual Application Connection
Read-only Shared Cache supports VDI/RDS environments | Shared Content Store can be updated with normal App-V workflow
Limited command-line scripting | Rich PowerShell scripting for sequencer, client and server
Installed management console | Web-based management
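An added example (not from the session) of the App-V 5.0 client workflow that the comparison above refers to: add a package, publish it to all users, and choose between fully loading it into the local cache and streaming it from the Shared Content Store, using the AppvClient module cmdlets. The package path and application are placeholders, since the slide names no package, and the function name is my own.

```powershell
# Added example (not from the session). App-V 5.0 client: add, publish and load
# a package, switching Shared Content Store mode for VDI/RDS. Run elevated on an
# App-V 5.0 client; the path below is a placeholder constructed for this example.
Import-Module AppvClient

function Install-AppvPackageForAllUsers {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # UNC or local path to the .appv file
        [switch]$SharedContentStore                     # VDI/RDS: stream pages instead of caching
    )

    # Shared Content Store mode leaves the package on the content share and streams
    # pages on demand; with it off, packages are copied into the local cache.
    Set-AppvClientConfiguration -SharedContentStoreMode ([bool]$SharedContentStore) | Out-Null

    # Add: register the package manifest with the client (nothing visible to users yet).
    $pkg = Add-AppvClientPackage -Path $Path

    # Publish -Global: shortcuts, file type associations and other extension points
    # become visible to every user of the machine (omit -Global for a per-user publish).
    $pkg | Publish-AppvClientPackage -Global | Out-Null

    if (-not $SharedContentStore) {
        # Fully load the package into the cache so the application also works offline.
        $pkg | Mount-AppvClientPackage | Out-Null
    }

    Get-AppvClientPackage -Name $pkg.Name -Version $pkg.Version
}

Install-AppvPackageForAllUsers -Path '\\contentserver\appv\ContosoApp\ContosoApp.appv' |
    Select-Object Name, Version, IsPublishedGlobally, PercentLoaded
```

PercentLoaded shows the difference between the two modes: 100 after Mount-AppvClientPackage, and only as much as users have actually launched when Shared Content Store mode is on. Multiple packages that must see each other, the "Virtual Application Connection" column above, are handled separately with a connection group (Add-AppvClientConnectionGroup / Enable-AppvClientConnectionGroup).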
A Revolution for App-V Customers
Easy to build App-V package:
• No sequencing required
• No deployment kit required
• Integrated with local applications
EXE
Comparing Office Delivery Types: Office desktop apps delivery in the new Office and App-V 5.0
Aspect | MSI-based | Click-to-Run | Office on Demand | Better together (App-V 5.0)
Model | Packaged Software | Software as a Service | Software as a Service | On Premises Service
Sign-in / SkyDrive Pro | Sign-in optional | Works without SkyDrive Pro | Requires SkyDrive Pro | Works without SkyDrive Pro
Updates | Service Pack + Updates | Updates controlled by admin | Always up-to date | Updates controlled by Administrator
Install-time controls | Granular install-time controls (OCT) | Fewer install-time controls + GPO | Always same configuration | Granular install-time controls
Upgrade rights | Software Assurance | Subscription upgrade rights | Subscription upgrade rights | Subscription upgrade rights
Key feature | Classic control is the key feature | Offline is the key feature | Roaming is the key feature | Virtual app connections and groups
Footprint | Fully installed to the machine | Fully installed to the machine | Transient state | Granular configuration
Streaming | No CTR support; App-V & TS | Fast product streaming | Fast product streaming | Publish apps before they are streamed
Functionality | Full functionality | Full featured Office | Excludes some Office features | Features controlled by Administrator
Add-ins | Full Add-in support | Native Add-in support like MSI | No Outlook, OneNote, or Lync support | GPO support, Add-ins sequenced
Group Policy | Group Policy management | Group Policy management | No add-in or GPO support | Admins can deploy any combo of apps
Offline use | Available for use offline | Available for use offline | Not intended for offline use | Available for use offline
Licensing | Licensed per device | Licensed per user (5x) | Licensed per user (Unlimited uses) | Licensed per user
License type | Device-based | Subscription only | Subscription only | Subscription only
Sign-in | Sign-in optional | Sign-in required | Sign-in required | Sign-in required
Install rights | Requires admin rights to install | Requires admin rights to install | No admin rights required | No admin rights required
Start Menu | Start Menu shortcuts | Start Menu shortcuts | No Start Menu shortcuts | Start Menu shortcuts
Add/Remove Programs | Added to Add/Remove Programs | Also in ARP | Not in ARP | Not in ARP; track via App-V reporting
Customizations | Customizations via OCT, GP, config.xml and add-ins | Customizations via config.xml, Group Policy and add-ins | No customizations | Customize with Dynamic Configuration
Office 2010 on App-V 5.0
• Office Sequencing Kit for App-V 5.0
• App-V 5.0 Package Accelerators for Office ProPlus
• Office Deployment Kit for Office 2010 still needed
• Parity with Office 2010 on App-V 4.6:
  • Fast search in virtualized Office 2010 using Windows Desktop Search
  • Ability for virtualized Office 2010 applications to open, edit, and save Office files hosted with Windows SharePoint
  • Search indexing support for Office file types
  • URL protocol redirection to virtualized Outlook 2010
  • Print to virtualized OneNote 2010
  • Mail Control Panel applet for virtualized Outlook 2010
DV-B307: Microsoft User Experience Virtualization: How to manage and deploy UE-V across an enterprise
Tim Crabb, Sr. Program Manager, Microsoft
Change the Device, Keep the Experience

Personal & flexible
• App and OS personalization roam across Windows
• Syncs are smart and logins are fast
• Application or OS reconfiguration not required

Simple & versatile
• Templates automate identification of settings location
• Custom templates define which applications should roam settings
• Ability to roll back settings to initial state

Integrated & scalable
• Use existing tools to simplify deployment
• ConfigMgr 2012 DCM pack to keep client configuration consistent
• Seamlessly integrates with Microsoft Desktop Virtualization products
When to use UE-V
• Granular control – choose the settings to roam
  • OS settings
  • Application settings
• Mixed desktop environments – physical & virtual
  • Traditional desktops
  • Virtual desktops
• Mixed application environments – physical & virtual
  • Traditional applications
  • Virtual applications – App-V 4.6 and 5.0
How does UE-V compare to other User State solutions from Microsoft
Solutions compared: Roaming Profiles (Windows 7) | Roaming Profiles (Windows 8) | Microsoft Account | UE-V
Features compared (the deck shows which solution offers each as a graphic):
• Roam settings between multiple computers
• Roam settings between physical and virtual apps
• Roam Windows 8 application settings
• Manage via WMI
• Sync settings changes on a regular basis
• Little configuration needed to set up
• Supported on non-domain-joined machines
• Supports the Primary Machine AD attribute
• Roams settings between VDI/RDS and rich desktops
• Unlimited setting storage space
• Choice in which app settings to roam
UE-V architecture (diagram from TechNet - UE-V Architecture):
1. App Settings
2. Agent Hook
3. Settings Package Sync
4. Collect & Apply Settings
In-Box Templates
• Installed by default with the agent
• Built and supported by Microsoft
• The in-box templates are for the following:
  • Applications: Office 2010 & 2007; Browser Options (IE8, IE9 & IE10); Windows Accessories (WordPad, Notepad, Calc)
  • Windows Settings: Desktop Settings (Start Menu, Taskbar, Folder Options, Region & Language, Background); Ease of Access Settings
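The deck says custom templates decide which application settings roam and that the agent is deployed with existing tools, but it does not show the two steps an administrator actually performs: creating the settings storage share and registering a template. The following PowerShell is an added example written for this page, not code from the session or from Microsoft's UE-V documentation. The server name FS01, the share UEV$, the local path D:\UEV and the template C:\Templates\ContosoApp.xml are hypothetical; the cmdlets (Set-UevConfiguration, Test-UevTemplate, Register-UevTemplate, Get-UevTemplate, New-SmbShare) are the real ones from the UE-V agent and Windows Server 2012 SMB modules. The security-relevant point is that a settings package is replayed on every machine the user signs in to, so the share is locked down so that only the owning user, SYSTEM and administrators can read or write a user's folder, and a template is schema-checked before it is trusted.

```powershell
# Added example (not from the deck): lock down a UE-V settings storage share
# and register a custom settings location template on a client.
# Hypothetical names: file server FS01, share UEV$, path D:\UEV,
# template file C:\Templates\ContosoApp.xml. Run both functions elevated.

function New-Ace {
    # Build a single NTFS Allow ACE.
    param($Identity, $Rights, $Inherit, $Propagation)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagation, 'Allow'
}

# --- File server side: create the settings storage share ---
function New-UevStorageShare {
    param(
        [string]$Path      = 'D:\UEV',
        [string]$ShareName = 'UEV$'
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    # Stop inheriting the volume's ACL (typically Users:Read), then set explicit ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    # Users may list the root and create their own folder, nothing else at the root.
    $acl.AddAccessRule((New-Ace 'Authenticated Users' 'ListDirectory, CreateDirectories, ReadAttributes' 'None' 'None'))
    # Whoever creates a folder owns it and gets full control inside it only.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    $acl.AddAccessRule((New-Ace 'SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions stay broad because NTFS does the real restriction;
    # access-based enumeration hides other users' folders from directory listings.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# --- Client side: point the agent at the share, then register a template ---
function Register-ContosoUevTemplate {
    param(
        [string]$StoragePath  = '\\FS01\UEV$\%username%',
        [string]$TemplatePath = 'C:\Templates\ContosoApp.xml'
    )
    # The agent expands %username%, so each user lands in a private folder
    # created (and therefore owned) by that user under the ACL above.
    Set-UevConfiguration -Computer -SettingsStoragePath $StoragePath

    # Validate against the template schema before trusting it: an over-broad
    # template (for example one that roams HKCU\...\CurrentVersion\Run) would
    # replicate whatever is in the user's package to every machine they use.
    Test-UevTemplate -Path $TemplatePath | Format-List
    # Register-UevTemplate rejects an invalid template; -ErrorAction Stop surfaces that.
    Register-UevTemplate -Path $TemplatePath -ErrorAction Stop

    # Confirm what is now registered on this client.
    Get-UevTemplate | Select-Object TemplateId, TemplateName, Enabled
}

# Usage:
#   New-UevStorageShare                 # on FS01
#   Register-ContosoUevTemplate         # on the client, after the agent is installed
```

The CREATOR OWNER rule with the InheritOnly propagation flag is what makes the per-user isolation work without an administrator pre-creating folders: the first sync creates the user's folder, the user becomes its owner, and the inherited ACE grants full control only beneath it. The same pattern is the one Microsoft recommends for roaming profile shares.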
Desktop Virtualization
Desktop Virtualization related sessions
Session ID   Session title
DV-B291 Microsoft Server 2012 Desktop Virtualization (VDI) on Dell Active Infrastructure
DV-B301 Designing a Virtual Desktop Infrastructure Architecture for Scale and Performance
DV-B308 Optimizing Windows 8 for Virtual Desktop Infrastructure
DV-B310 What's New in Windows Server 2012 Virtual Desktop Infrastructure and Remote Desktop Services
DV-B308: Optimizing Windows 8 for Virtual Desktop Infrastructure
Doug Klokow, Solution Architect, Microsoft
Carl Luberti, Premier Field Engineer, Microsoft
Which Windows Edition for the Guest OS?
Windows 8 Professional or Enterprise?
“Remote Computers running Windows 8 Enterprise provide the best user experience and support all management features. Therefore, Windows 8 Enterprise is the only supported edition for use with Windows Server 2012 virtual desktop collections (VDI).”Source: http://blogs.msdn.com/b/rds/archive/2012/11/26/remotefx-features-for-windows-8-and-windows-server-2012.aspx
Feature comparison: Windows 8 Pro | Windows 8 Enterprise | Windows 7 Enterprise (with RDP 8.0)
(The deck shows per-edition support for each feature as a graphic.)
• Ability to use RemoteApp
• RemoteFX Multi-Touch
• Advanced Device Redirection Features (RemoteFX USB & PnP redirection)
• User Profile Disk
• RemoteFX virtual Graphics Processing Unit (vGPU)
Memory Allocation
Dynamic memory will handle fluctuating demands for memory within a specified range.
• Recommended minimum: 1 GB
• Maximum based on workload:
  • Small -> 1.5 to 2 GB
  • Medium -> 2 GB to 3 GB
  • Large -> 2 GB to 4 GB (or more)
• Consider using blade servers for extra-large workloads
NOTE: If you require VDI groups with different maximum memory, multiple client collections will be required.
Disk Size and Partitions
OS disk drive size of the virtual desktop is impacted by the following factors:
• Pooled versus personal VDI
  • Pooled: range from 22 GB to 40 GB
  • Personal: range from 40 GB to 65 GB
• Virtualization readiness of applications
  • Compatibility – can the application be virtualized?
  • Performance – are there adverse performance impacts associated with a virtualized application versus a traditionally installed MSI?
  • If the application is not virtualized, will it be installed local to the guest VM?
OS disk size for Windows 8, 64-bit vs. 32-bit (chart in the deck): increase of ~2.2 GB when using 64-bit
Notes
• These figures are before optimization efforts are complete
• Windows Update was not run, so final used space will be slightly higher
Multiple Display Configurations
Number of monitors supported at each maximum resolution:
Maximum resolution | Windows 7 w/SP1 | Windows 8
1024 x 768 | 4 | 8
1280 x 1024 | 4 | 8
1600 x 1200 | 3 | 4
1920 x 1200 | 2 | 4
2560 x 1600 | N/A | 2
Windows 8 Service Configuration
Startup type: Default -> Recommended ("(TS)" = trigger start)
Service name | Default | Recommended | Details
Application Layer Gateway Service | Manual | Disabled | Supports third-party protocol plug-ins for Internet Connection Sharing, which a VDI guest does not use. (The description printed against this row in the deck, about mobile broadband GSM & CDMA data card adapters that should be kept running, is that of the WWAN AutoConfig service, not ALG.)
Background Intelligent Transfer Service | Manual | Disabled | VDI infrastructure is usually connected to fast LAN/WAN links to infrastructure servers hosting data. Note that Windows Update and the ConfigMgr client download through BITS, so leave it at Manual if the guest is patched in place rather than through the gold image.
BitLocker Drive Encryption Service | Manual (TS) | Disabled | BitLocker is not used on the VDI guest (a Windows Server 2012 Hyper-V VM has no virtual TPM).
Block Level Backup Engine Service | Manual | Disabled | Used to back up data on the workstation; not used for virtual machines.
Bluetooth Support Service | Manual (TS) | Disabled | Bluetooth wireless is not supported from a virtual machine.
BranchCache | Manual | Consider | Caches network content from peers on the local subnet.
Computer Browser | Manual (TS) | Disabled | Maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
Device Association Service | Manual (TS) | Disabled | Enables pairing between the system and wired or wireless devices.
Device Setup Manager | Manual (TS) | Disabled | Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software and may not work correctly.
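The table above lists display names and target startup types but no way to check a gold image against it or to apply it repeatably. The following PowerShell is an added example written for this page, not a script from the session: it maps each display name to its real service name (ALG, BITS, BDESVC, wbengine, bthserv, PeerDistSvc, Browser, DeviceAssociationService, DsmSvc), reports which services drift from the recommendation, and applies the change only under -WhatIf/-Confirm control. "Consider" rows are reported but never changed. It does not touch trigger-start configuration (the "(TS)" defaults), which Set-Service cannot express; that remains as shipped.

```powershell
# Added example (not from the deck): audit and apply the deck's recommended
# startup types for a Windows 8 VDI gold image. Run elevated on the image VM.

# Display name -> real service name, with the deck's recommendation.
$VdiServicePlan = @(
    @{ Name = 'ALG';                      Target = 'Disabled' }  # Application Layer Gateway Service
    @{ Name = 'BITS';                     Target = 'Disabled' }  # Background Intelligent Transfer Service
    @{ Name = 'BDESVC';                   Target = 'Disabled' }  # BitLocker Drive Encryption Service
    @{ Name = 'wbengine';                 Target = 'Disabled' }  # Block Level Backup Engine Service
    @{ Name = 'bthserv';                  Target = 'Disabled' }  # Bluetooth Support Service
    @{ Name = 'PeerDistSvc';              Target = 'Consider' }  # BranchCache (report only)
    @{ Name = 'Browser';                  Target = 'Disabled' }  # Computer Browser
    @{ Name = 'DeviceAssociationService'; Target = 'Disabled' }  # Device Association Service
    @{ Name = 'DsmSvc';                   Target = 'Disabled' }  # Device Setup Manager
)

function Get-VdiServiceDrift {
    # Compare the current startup type of each planned service with the target.
    param([array]$Plan = $VdiServicePlan)
    foreach ($entry in $Plan) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($entry.Name)'"
        if (-not $svc) { continue }   # service not present on this SKU; nothing to do
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode       # Auto / Manual / Disabled
            State       = $svc.State
            Target      = $entry.Target
            # 'Consider' is always compliant: the deck leaves that decision to the admin.
            Compliant   = ($entry.Target -eq 'Consider') -or ($svc.StartMode -eq $entry.Target)
        }
    }
}

function Set-VdiServicePlan {
    # Apply the plan to every non-compliant service; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([array]$Plan = $VdiServicePlan)
    foreach ($row in (Get-VdiServiceDrift -Plan $Plan | Where-Object { -not $_.Compliant })) {
        # Caveat from the table: Windows Update and the ConfigMgr client pull
        # content through BITS. Drop it from $Plan if guests patch themselves.
        if ($PSCmdlet.ShouldProcess($row.DisplayName, "Set startup type to $($row.Target)")) {
            Stop-Service -Name $row.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $row.Name -StartupType $row.Target
        }
    }
}

# Usage:
#   Get-VdiServiceDrift | Format-Table -AutoSize     # audit only
#   Set-VdiServicePlan -WhatIf                        # preview changes
#   Set-VdiServicePlan                                # apply, then re-run the audit
```

Running the audit after sealing the image, or as a ConfigMgr compliance baseline, catches the common failure mode where a later driver or feature install re-enables one of these services on the gold VM and the change silently propagates to every pooled desktop created from it.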
DV-B301: Designing a VDI Architecture for Scale and Performance on Server 2012
Ara Bernardi, Principal Program Manager, Microsoft ([email protected])
Designing a large scale MS VDI deployment
We'll do a walkthrough of a 5000 seat VDI deployment:
• 80% of users running on LAN
• 20% connecting from the internet
We will explore:
• Design options
• Scale & perf characteristics
• Tweaks & optimizations
VDI management nodes (architecture diagram in the deck)
• All services are in a HA config
• Typical config is to virtualize the workloads, but physical servers could be used too
• Infra srv-1 (optionally clustered): Gateway, RDWEB, RD Broker, SQL; 2x NIC towards WAN/LAN and 2x NIC towards the storage network
• Infra srv-2: same workload as Infra-1, plus RD Lic Srv
• Storage: clustered SMB-1 and SMB-2 file servers (2x NIC and 2x SAS HBA each) connected through a SAS module to a JBOD enclosure
• \\SMB\Share1: storage for the management VMs
VDI management nodes: scale/perf analysis (1)

RD Gateway
• About 1000 connections/second per RD Gateway
• Need a minimum of 2 RD Gateways for HA
• Test results: 1000 connections/s at a data rate of ~60 KB/s; the VSI (3) medium workload generates about 62 KB per user
• Config: four cores (2) and 8 GB of RAM

RD Broker
• 5000 connections in < 5 minutes, depending on collection size
• Need a minimum of 2 RD Brokers for HA
• Test results: e.g. 50 concurrent connections in 2.1 seconds on a collection with 1000 VMs
• Broker config: one core (2) and 4 GB per Broker

SQL (required for HA RD Broker)
• ~60 MB DB for a 5000 seat deployment
• Test results: adding 100 VMs = ~1100 transactions (the pool VM creation/patching cycle); 1 user connection = ~222 transactions (the login cycle)
• SQL config: four cores (2) and 8 GB

(1) Perf data is highly workload sensitive
(2) Estimation based on dual Xeon E5-2690
(3) VSI Benchmarking, by Login VSI B.V.
5000 seat pool VMs using local storage: scale/perf analysis (1)

Storage load
• The VSI (2) medium workload creates ~10 IOPS per user; IO distribution for 150 users per host:
  • GoldVM: ~700 reads/sec
  • Diff-disks: ~400 writes/sec & ~150 reads/sec
  • UserVHD: ~300 writes/sec (mostly writes)
• GoldVM & diff-disks are on local storage (per host); load on local storage ~850 reads/sec and ~400 writes/sec

Storage size
• About 5 GB per VM for diff-disks, and about 20 GB per GoldVM
• Assume a few collections per host (a few GoldVMs)
• A few TBs should be enough

(1) Perf data is highly workload sensitive
(2) VSI Benchmarking, by Login VSI B.V.

(Bar chart in the deck: reads/s and writes/s for GoldVM, Diff-disks and uVHD, 0 to 800 scale.)
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.