ARE YOU READY FOR WINDOWS 10? Presented by: Todd Parkin & Chris Owens @kraftkennedy www.kraftkennedy.com/blog #ILTACON #ILTA172 www.linkedin.com/company/kraft-kennedy New York | Washington DC | Texas | California 27+ Years of Experience Long Standing Commitment to Legal ILTA Platinum Sponsor/ALA Sponsor Experienced, Highly Trained & Certified Consultants Premier Technology Partner 80 Exchange 2010/2013 Projects, 80,000+ Seats 100 Windows 7/8.1 & Office 2010/2013 Projects, 90,000+ Seats Data Center Migration Strategy and Implementation Projects Disaster Recovery/Business Continuity Planning Technology Assessments Project Management Legal Process Management Security Assessments, Digital Forensics and eDiscovery Information Security & Governance Enterprise Client Systems Support Practice Group Legal Process Managemen t Areas of Practice Infrastructure Enterprise Systems Management Consulting Project Management Our Partners Agenda What’s new for Windows 10 in the Enterprise? How do you I get there from here? Lessons learned from first adopters for Enterprise Be more Innovative devices for your business productive Protection against modern security threats Managed for continuous innovation MICROSOFT’S WINDOWS 10 VISION One converged Windows platform NEW CHALLENGES REQUIRE A NEW PLATFORM Identity protection Data protection Threat resistance Device security Windows 10 Security Approach Identity Protection Information Protection Device Protection Identity Protection Microsoft Passport Windows Hello Hyper-V “Virtual Secure Mode (VSM)” Identity Protection TYPICAL MULTI-FACTOR AUTHENTICATION IMPLEMENTATIONS High-value assets LIMITED USE OF MFA CREATES WEAK LINKS Most network resources UN/Password User Device-based multi-factor USER CREDENTIAL Your device is one of the factors An asymmetrical key pair Provisioned via PKI or created locally via Windows 10 Secured by hardware Identity Protection User proves identity MICROSOFT PASSPORT A new approach “Trust my unique key” IDP Active Directory Azure AD Google Facebook Microsoft Account Intranet resources “We trust tokens from IDP" Windows10 “Here is your authentication token” Identity Protection Two ways to access your Passport PIN Simplest implementation option Works on existing devices User familiarity Biometrics Enables multi-factor Ease of use Impossible to forget Identity Protection Hello Chris WINDOWS HELLO Fingerprint Iris Facial FIDO ALLIANCE Board level members DEMO Microsoft Passport and Windows Hello Information Protection DATA LEAKAGE 87% 58% …of senior managers admit to regularly uploading work files to a personal email or cloud account1 Have accidentally sent sensitive information to the wrong person1 1Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013 Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012 2HIPPA $240 PER RECORD Average per record cost of a data breach across all industries2 INFORMATION PROTECTION NEEDS DEVICE PROTECTION BitLocker Protect system and enhancements in data when device is Windows 8.1 lost or stolen InstantGo 3rd party adoption DATA SEPARATION LEAK PROTECTION SHARING PROTECTION Containment Prevent unauthorized apps from accessing data Protect data when shared with others, or shared outside of organizational devices and control BYOD separation Device Encryption is automatic encryption powered by BitLocker DATA-AT-REST PROTECTION Device Encryption and BitLocker BitLocker is provisioned by IT and includes management capability Easiest deployment, leading security, reliability, and performance Single sign-on for modern devices and configurable on legacy hardware Enterprise grade management (MBAM) and compliance (FIPS) TPM to standard equipment on all Windows devices in 2015 INFORMATION PROTECTION NEEDS DEVICE PROTECTION BitLocker Protect system and enhancements in data when device is Windows 8.1 lost or stolen InstantGo 3rd party adoption DATA SEPARATION Containment BYOD separation LEAK PROTECTION SHARING PROTECTION Protects data at rest, and wherever it rests or may roam to INTRODUCING Enterprise Data Protection A DIFFERENT APPROACH Seamless integration into the platform, No mode switching and use any app Corporate vs personal data identifiable wherever it rests on the device INFORMATION PROTECTION NEEDS DEVICE PROTECTION DATA SEPARATION LEAK PROTECTION Containment Prevent unauthorized apps from accessing data BYOD separation SHARING PROTECTION Protects data at rest, and wherever it rests or may roam to INTRODUCING Enterprise Data Protection A DIFFERENT APPROACH Seamless integration into the platform, No mode switching and use any app Corporate vs personal data identifiable wherever it rests on the device Prevents unauthorized apps from accessing business data Copy and paste protection and remote wipe data on demand Common experience across all Windows devices with cross platform support INFORMATION PROTECTION NEEDS DEVICE PROTECTION DATA SEPARATION LEAK PROTECTION SHARING PROTECTION Prevent unauthorized apps from accessing data Protect data when shared with others, or shared outside of organizational devices and control SHARING PROTECTION Rights Management Services Protect all file types, everywhere they go, cloud, email, BYOD, … Support for all commonly used devices and systems – Windows, OSX, iOS, Android Can be automatically applied to mail, OneDrive Pro, etc. Adding persistent and nonremovable protection to data Significant improvements over Windows 7 Support for B2B and B2B via Azure AD Support for on premise and cloud based scenarios (e.g.: Office 365) Seamless easy to provision and support for FIPS 140-2 regulation and compliance DEMO Enterprise Data Protection Securing the device Secure Boot Device Guard Device Health Windows Defender Windows Update for Business Device protection TWO PATHS TO CHOOSE FROM Device Guard Traditional Approach A new approach for Windows desktop The way things have always been Requires change in process for apps Requires additional software to manage Offers incredible protection Carries increased risk Windows desktop can be configured to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone) DEVICE GUARD Getting Apps into the Circle of Trust Supports all apps including Universal and Desktop (Win32). Apps must be specially signed using the Microsoft signing service. No additional modification is required. Signing service will be made available to OEM’s, IHV, ISV’s, and Enterprises. Windows desktop can be configured to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone) Windows Deployment WINDOWS 10 WORKS WITH EXISTING MS INFRASTRUCTURE Product System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager System Center Configuration Manager 2007 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 Microsoft Deployment Toolkit 2013 Update 1 Supports Windows 10 Management Supports Windows 10 Deployment DEPLOYMENT CHOICES • Wipe-and-Load • • • • • • Traditional process Capture data and settings Deploy (custom) OS image Inject drivers Install apps Restore data and settings • Still an option for all scenarios In-Place Provisioning Let Windows do the work • Preserve all data, settings, apps, drivers • Install (standard) OS image • Restore everything Configure new devices • Transform into an Enterprise device • Remove extra items, add organizational apps and config Recommended for existing devices (Windows 7/8/8.1) New capability for new devices App, web and device compatibility Managed for Continuous Innovation SET UP NEW DEVICES RIGHT OUT OF THE BOX Use off-the-shelf hardware Retail or channel devices Configure with a single file Apply a provisioning package Email the file Simple workflow Device is ready for productive use MANAGEMENT CHOICES Identity Management Updates Infrastructure Ownership Active Directory Group Policy Windows Update On-premises Corporate-owned Azure Active Directory System Center Configuration Manager Windows Update for Business In the cloud CYOD 3rd party PC management Windows Server Update Services (WSUS) Intune 3rd party MDM BYOD Intune 3rd party MDM Organizations may mix and match, depending on their specific scenario Managed for Continuous Innovation PREPARING IMAGING PROCESSES FOR WINDOWS 10 Market Driven Quality: External and Internal Users Engineering Builds 10’s of thousands Broad Microsoft Internal Validation Several Million Windows Insider Preview Branch Hundreds of millions Over 1 billion Windows users Current Branch Current Branch for Business Contoso Internal Ring 1 Contoso Internal Ring 2 Contoso Internal Ring 3 Contoso Internal Ring 4 Time Device protection WINDOWS MANAGEMENT Server Software Windows Server Windows Client Active Directory Group Policy Windows Server Update Services (WSUS) Windows Management Instrumentation (WMI) Windows Remote Management (WinRM) Windows Update Group Policy Client Mobile Device Management (MDM) Agent PowerShell AppLocker Cloud Services Azure Active Directory Azure RMS Microsoft Intune Windows Store System Center Configuration Manager Microsoft Desktop Optimization Pack (MDOP) EXTENDING WITH WINDOWS 10 – HEAT MAP Deployment Management Security Identity Provisioning CM vNext MDM Virtualization-based security Device Guard Enterprise Data Protection Microsoft Passport Windows Hello New Windows ADK WICD MDM service New feature management and configuration Secure Boot Trusted Boot Azure AD Azure AD Connect PKI Schema/DCs Device UEFI 2.3.1 or later TPM 1.2 or later Virtualization Extensions Biometric Reader Internet Browsing HTML4, ES3, CSS2 Modern Web CSS2.1 HTML5, SVG, ES5/6, CSS3 HTML4, ES3, CSS2 1995 2015 1 2 3 4 4.x 5 5.5 6 7 8 9 10 11 MICROSOFT EDGE IS… • Built for Windows 10 • Built on the Universal Windows Platform • Updated frequently, along with Windows 10 • Manageable through Group Policy, Mobile Device Management • Ready for the future • Free from legacy Internet Explorer extensibility points • Built on top of modern security protections • Able to launch Internet Explorer 11 when needed DEMO • Start Menu • Notifications • Cortana • Questions • Reminders • Taskview • Edge Browser Getting to Windows 10 Windows 8.1 (x64) / Office 2013 • • • • Tweak existing deployment process Minimal application updates required Drivers must be updated In-place upgrade worth testing Windows 7 (x64) / Office 2013 • • • • Tweak existing deployment process Minimal application updates required Drivers must be updated In-place upgrade worth testing Windows 7 or 8.1 (x86) / Office 2013 • Full images will need to be rebuilt • Many applications will require changes • Drivers must be completely regenerated Windows 7 / Office 2010 or 2007 • Full images will need to be rebuilt • All applications will require changes • Significant work required to certify all changes Lessons Learned Application Updates Group Policy review Driver Updates Waiting for Microsoft tools Microsoft Deployment Toolkit ADMX SCCM Support ADK RSAT Lessons Learned – Part 2 In-place upgrade option Remote imaging process DirectAccess benefits Default user settings Enterprise or Professional? Professional Windows Hello & Passport Enterprise Data Protection DeviceGuard Cortana Edge browser Bitlocker DirectAccess Current Branch for Business Enterprise CONTACT INFORMATION Todd Parkin, Practice Manager parkin@kraftkennedy.com 212-692-5655 Chris Owens, Practice Leader owens@kraftkennedy.com 713-221-5311 Thank you for coming!