ARE YOU READY FOR WINDOWS 10? Todd Parkin

Presented by: Todd Parkin & Chris Owens
@kraftkennedy | www.kraftkennedy.com/blog | www.linkedin.com/company/kraft-kennedy
#ILTACON #ILTA172
New York | Washington DC | Texas | California
• 27+ Years of Experience
• Long Standing Commitment to Legal
• ILTA Platinum Sponsor / ALA Sponsor
• Experienced, Highly Trained & Certified Consultants
• Premier Technology Partner

• 80 Exchange 2010/2013 Projects, 80,000+ Seats
• 100 Windows 7/8.1 & Office 2010/2013 Projects, 90,000+ Seats
• Data Center Migration Strategy and Implementation Projects
• Disaster Recovery/Business Continuity Planning
• Technology Assessments
• Project Management
• Legal Process Management
• Security Assessments, Digital Forensics and eDiscovery

Areas of Practice: Information Security & Governance; Enterprise Client Systems; Support Practice Group; Legal Process Management; Infrastructure; Enterprise Systems Management; Consulting; Project Management

Our Partners
Agenda
• What’s new for Windows 10 in the Enterprise?
• How do I get there from here?
• Lessons learned from first adopters
MICROSOFT’S WINDOWS 10 VISION
Windows 10 for Enterprise: one converged Windows platform
• Be more productive
• Innovative devices for your business
• Protection against modern security threats
• Managed for continuous innovation
NEW CHALLENGES REQUIRE A NEW PLATFORM
• Identity protection
• Data protection
• Threat resistance
• Device security

Windows 10 Security Approach: Identity Protection, Information Protection, Device Protection

Identity Protection
• Microsoft Passport
• Windows Hello
• Hyper-V “Virtual Secure Mode (VSM)”
TYPICAL MULTI-FACTOR AUTHENTICATION IMPLEMENTATIONS
• High-value assets: protected by MFA
• Most network resources: UN/Password only
• Limited use of MFA creates weak links

USER CREDENTIAL (device-based multi-factor: your device is one of the factors)
• An asymmetrical key pair
• Provisioned via PKI or created locally via Windows 10
• Secured by hardware
MICROSOFT PASSPORT: A new approach
• User proves identity to Windows 10
• Windows 10 to the IDP: “Trust my unique key”
• IDP (Active Directory, Azure AD, Google, Facebook, Microsoft Account) to Windows 10: “Here is your authentication token”
• Intranet resources: “We trust tokens from IDP”
Two ways to access your Passport
• PIN: simplest implementation option; works on existing devices; user familiarity
• Biometrics: enables multi-factor; ease of use; impossible to forget
WINDOWS HELLO (“Hello Chris”)
• Fingerprint
• Iris
• Facial
FIDO ALLIANCE: board level members

DEMO: Microsoft Passport and Windows Hello
Information Protection

DATA LEAKAGE
• 87% of senior managers admit to regularly uploading work files to a personal email or cloud account [1]
• 58% have accidentally sent sensitive information to the wrong person [1]
• $240 PER RECORD: average per record cost of a data breach across all industries [2]

[1] Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
[2] HIPAA Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012
INFORMATION PROTECTION NEEDS
• DEVICE PROTECTION: protect system and data when the device is lost or stolen (BitLocker enhancements in Windows 8.1; InstantGo; 3rd party adoption)
• DATA SEPARATION: containment; BYOD separation
• LEAK PROTECTION: prevent unauthorized apps from accessing data
• SHARING PROTECTION: protect data when shared with others, or shared outside of organizational devices and control
DATA-AT-REST PROTECTION: Device Encryption and BitLocker
• Device Encryption is automatic encryption powered by BitLocker
• BitLocker is provisioned by IT and includes management capability
• Easiest deployment, leading security, reliability, and performance
• Single sign-on for modern devices and configurable on legacy hardware
• Enterprise grade management (MBAM) and compliance (FIPS)
• TPM becomes standard equipment on all Windows devices in 2015
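As an added example (not code from the deck or from Kraft Kennedy), this is how the IT-provisioned BitLocker deployment described above looks in practice on a Windows 10 device: a recovery password is created and escrowed to Active Directory first, then encryption starts with a TPM protector so the user gets the single sign-on (no pre-boot PIN) experience the slide mentions. The mount point, cipher choice and the AD DS escrow target are assumptions; MBAM is the alternative the slide names.

```powershell
# Added example (not from the deck): turn on BitLocker for the OS volume the
# way an IT-provisioned deployment would: recovery password first, escrowed to
# Active Directory, then TPM-only unlock. Run elevated on a domain-joined
# Windows 10 Pro/Enterprise device; mount point and cipher are assumptions.

$MountPoint = 'C:'

function Enable-ManagedBitLocker {
    # A provisioned TPM is what makes TPM-only unlock (no pre-boot PIN/USB) possible.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; provision the TPM before enabling BitLocker.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Recovery password: what the help desk uses after a firmware update or a
    # board swap changes the TPM measurements. Add it before encryption starts.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Escrow every recovery password to AD DS (MBAM or Azure AD are alternatives).
    # A recovery password nobody stored is a locked-out device, not a protected one.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }

    # Start encryption with a TPM protector. Used-space-only is fine for a fresh
    # image; drop -UsedSpaceOnly on drives that held data before.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
}

function Get-BitLockerComplianceReport {
    # A volume only counts as protected when ProtectionStatus is On; encryption
    # still in progress or a suspended protector (Off) is not compliance.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
}

Enable-ManagedBitLocker
Get-BitLockerComplianceReport | Format-Table -AutoSize
```

The order matters: the recovery protector is added and backed up before the TPM protector starts encryption, so a device whose TPM measurements change on the very first reboot is still recoverable from the directory.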
INTRODUCING Enterprise Data Protection: A DIFFERENT APPROACH
• Protects data at rest, and wherever it rests or may roam to
• Seamless integration into the platform; no mode switching, and use any app
• Corporate vs personal data identifiable wherever it rests on the device
• Prevents unauthorized apps from accessing business data
• Copy and paste protection and remote wipe of data on demand
• Common experience across all Windows devices with cross platform support
SHARING PROTECTION: Rights Management Services
• Protect all file types, everywhere they go: cloud, email, BYOD, …
• Support for all commonly used devices and systems: Windows, OSX, iOS, Android
• Can be automatically applied to mail, OneDrive Pro, etc.
• Adds persistent and non-removable protection to data
• Significant improvements over Windows 7
• Support for B2B and B2C via Azure AD
• Support for on premise and cloud based scenarios (e.g.: Office 365)
• Seamless, easy to provision, and support for FIPS 140-2 regulation and compliance

DEMO: Enterprise Data Protection
Device Protection: Securing the device
• Secure Boot
• Device Guard
• Device Health
• Windows Defender
• Windows Update for Business
TWO PATHS TO CHOOSE FROM
Device Guard
• A new approach for Windows desktop
• Requires change in process for apps
• Offers incredible protection
Traditional Approach
• The way things have always been
• Requires additional software to manage
• Carries increased risk
Windows desktop can be configured to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone)

DEVICE GUARD: Getting Apps into the Circle of Trust
• Supports all apps including Universal and Desktop (Win32).
• Apps must be specially signed using the Microsoft signing service. No additional modification is required.
• Signing service will be made available to OEMs, IHVs, ISVs, and Enterprises.
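The deck describes the "circle of trust" in terms of the signing service; the part an administrator actually builds is the code integrity policy that tells Windows which signers and binaries are trusted. As an added example (not from the deck, and not a Microsoft script), the block below goes beyond the slide and shows that workflow with the Windows 10 ConfigCI cmdlets: scan a clean reference machine into a policy, deploy it in audit mode, review what audit mode logged, then merge the findings and enforce. The directory paths, the file names and the choice of the PcaCertificate rule level are assumptions.

```powershell
# Added example (not from the deck): build a Device Guard configurable code
# integrity policy from a clean reference machine with the Windows 10 ConfigCI
# cmdlets, deploy it in audit mode, then enforce it once the audit log is clean.
# Paths and the rule level are assumptions; run elevated on a reference build
# that carries nothing you would not want trusted, since everything found is.

$PolicyDir = 'C:\CIPolicy'
$PolicyXml = Join-Path $PolicyDir 'DeviceGuardPolicy.xml'
$AuditXml  = Join-Path $PolicyDir 'AuditAdditions.xml'
$MergedXml = Join-Path $PolicyDir 'DeviceGuardPolicy-Enforced.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
$Deployed  = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'

function New-AuditModeCIPolicy {
    New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

    # Scan the reference machine (slow on a full system drive). PcaCertificate
    # trusts the issuing CA one level below the root, so signed apps survive
    # version updates; -Fallback Hash covers unsigned binaries; -UserPEs
    # includes user-mode code rather than drivers only.
    New-CIPolicy -FilePath $PolicyXml -Level PcaCertificate -Fallback Hash -UserPEs -ScanPath 'C:\'

    # Rule option 3 is "Enabled:Audit Mode": gaps in the scan are logged, not blocked.
    Set-RuleOption -FilePath $PolicyXml -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

    # Windows loads the binary policy from this path at boot (the Device Guard
    # "Deploy Code Integrity Policy" Group Policy setting can point at a share instead).
    Copy-Item -Path $PolicyBin -Destination $Deployed -Force
    Write-Host 'Audit-mode policy staged; reboot to activate, then pilot.'
}

function Get-CIAuditFindings {
    # Event 3076 in the CodeIntegrity log is the audit-mode record of a file
    # that ran but would have been blocked under enforcement.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Publish-EnforcedCIPolicy {
    # Turn the audit events into hash rules, merge them into the base policy,
    # drop audit mode (-Delete removes option 3) and redeploy.
    New-CIPolicy -FilePath $AuditXml -Audit -Level Hash -UserPEs
    Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml
    Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
    Copy-Item -Path $PolicyBin -Destination $Deployed -Force
    Write-Host 'Enforced policy staged; reboot to activate.'
}

# Day 1 on the reference machine:
New-AuditModeCIPolicy
# After the pilot period, review Get-CIAuditFindings; when only software you
# expect appears there, run Publish-EnforcedCIPolicy.
```

Audit mode is the step that makes the "requires change in process for apps" bullet survivable: every line-of-business tool the scan missed shows up as event 3076 during the pilot instead of as a blocked launch on the first day of enforcement.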
Windows Deployment

WINDOWS 10 WORKS WITH EXISTING MS INFRASTRUCTURE
Table columns: Product / Supports Windows 10 Management / Supports Windows 10 Deployment
• System Center 2012 R2 Configuration Manager
• System Center 2012 Configuration Manager
• System Center Configuration Manager 2007
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008
• Microsoft Deployment Toolkit 2013 Update 1
DEPLOYMENT CHOICES
Wipe-and-Load (traditional process; still an option for all scenarios)
• Capture data and settings
• Deploy (custom) OS image
• Inject drivers
• Install apps
• Restore data and settings
In-Place (let Windows do the work; recommended for existing devices running Windows 7/8/8.1)
• Preserve all data, settings, apps, drivers
• Install (standard) OS image
• Restore everything
Provisioning (configure new devices; new capability for new devices)
• Transform into an Enterprise device
• Remove extra items, add organizational apps and config
App, web and device compatibility

Managed for Continuous Innovation
SET UP NEW DEVICES RIGHT OUT OF THE BOX
• Use off-the-shelf hardware: retail or channel devices
• Configure with a single file: apply a provisioning package; email the file
• Simple workflow: device is ready for productive use
MANAGEMENT CHOICES
• Identity: Active Directory; Azure Active Directory
• Management: Group Policy; System Center Configuration Manager; 3rd party PC management; Intune; 3rd party MDM
• Updates: Windows Update; Windows Update for Business; Windows Server Update Services (WSUS)
• Infrastructure: On-premises; In the cloud
• Ownership: Corporate-owned; CYOD; BYOD
Organizations may mix and match, depending on their specific scenario
Managed for Continuous Innovation
PREPARING IMAGING PROCESSES FOR WINDOWS 10
Market Driven Quality: External and Internal Users (rings over time)
Engineering Builds (10’s of thousands) → Broad Microsoft Internal Validation (several million) → Windows Insider Preview Branch (hundreds of millions) → Current Branch / Current Branch for Business (over 1 billion Windows users; e.g. Contoso Internal Ring 1, Ring 2, Ring 3, Ring 4)
WINDOWS MANAGEMENT
Server Software (Windows Server): Active Directory; Group Policy; Windows Server Update Services (WSUS)
Windows Client:
• Windows Management Instrumentation (WMI)
• Windows Remote Management (WinRM)
• Windows Update
• Group Policy Client
• Mobile Device Management (MDM) Agent
• PowerShell
• AppLocker
Cloud Services: Azure Active Directory; Azure RMS; Microsoft Intune; Windows Store
Also: System Center Configuration Manager; Microsoft Desktop Optimization Pack (MDOP)
EXTENDING WITH WINDOWS 10 – HEAT MAP
Columns: Deployment | Management | Security | Identity | Provisioning
Items: CM vNext; MDM; Virtualization-based security; Device Guard; Enterprise Data Protection; Microsoft Passport; Windows Hello; New Windows ADK; WICD; MDM service; New feature management and configuration; Secure Boot; Trusted Boot; Azure AD; Azure AD Connect; PKI; Schema/DCs
Device requirements: UEFI 2.3.1 or later; TPM 1.2 or later; Virtualization Extensions; Biometric Reader
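The device requirements above are the ones that decide whether virtualization-based security, Device Guard and Windows Hello can be switched on at all, so they are worth inventorying before an image is built. As an added example (not from the deck), the script below checks a Windows 10 machine for each of them; the "ready" verdicts at the end are this script's own assumptions about how the prerequisites combine, not a Microsoft support statement.

```powershell
# Added example (not from the deck): check a Windows 10 device against the
# hardware prerequisites the heat map lists (UEFI with Secure Boot, TPM 1.2 or
# later, virtualization extensions, biometric reader). Run elevated. The
# verdict logic at the end is an assumption for illustration.

function Test-Win10DeviceReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # Firmware: Confirm-SecureBootUEFI throws on legacy BIOS (or CSM) machines,
    # so a failure here means "no UEFI", not merely "Secure Boot switched off".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI); $r.Firmware = 'UEFI' }
    catch { $r.SecureBoot = $false; $r.Firmware = 'Legacy BIOS or UEFI in CSM mode' }

    # TPM: presence/readiness from the TPM cmdlets, spec version from WMI
    # (SpecVersion reads like "2.0, 0, 1.16" or "1.2, 2, 3").
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $r.TpmReady   = [bool]($tpm -and $tpm.TpmReady)
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($wmiTpm -and $wmiTpm.SpecVersion) {
        [version](($wmiTpm.SpecVersion -split ',')[0].Trim())
    } else { $null }

    # Virtualization extensions (VT-x/AMD-V) plus SLAT are what VSM and Device
    # Guard rely on. Note: VirtualizationFirmwareEnabled reads False once a
    # hypervisor (Hyper-V) is already running, so check that case separately.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $r.VirtualizationEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
    $r.Slat                  = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Biometric reader: any PnP device in the "Biometric" device setup class.
    $r.BiometricReader = [bool](Get-CimInstance -ClassName Win32_PnPEntity | Where-Object PNPClass -eq 'Biometric')

    # Verdicts (assumptions): Device Guard wants UEFI + Secure Boot, VT + SLAT and
    # a ready TPM; Passport/Hello works with a PIN alone, biometrics need the reader.
    $r.DeviceGuardReady    = $r.SecureBoot -and $r.VirtualizationEnabled -and $r.Slat -and $r.TpmReady
    $r.TpmMeetsMinimum     = ($null -ne $r.TpmSpecVersion) -and ($r.TpmSpecVersion -ge [version]'1.2')
    $r.HelloBiometricReady = $r.BiometricReader

    [pscustomobject]$r
}

Test-Win10DeviceReadiness | Format-List
```

Run this through your inventory tooling (ConfigManager scripts or a remote WinRM session) across the fleet before deciding which security features the standard image will turn on; the UEFI revision itself (2.3.1 or later) is not exposed by Windows, so it has to come from the OEM's hardware data.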
Internet Browsing, 1995 to 2015: Internet Explorer versions 1, 2, 3, 4, 4.x, 5, 5.5, 6, 7, 8, 9, 10, 11
• Legacy web: HTML4, ES3, CSS2
• Modern Web: HTML5, CSS2.1, CSS3, SVG, ES5/6
MICROSOFT EDGE IS…
• Built for Windows 10
• Built on the Universal Windows Platform
• Updated frequently, along with Windows 10
• Manageable through Group Policy, Mobile Device Management
• Ready for the future
• Free from legacy Internet Explorer extensibility points
• Built on top of modern security protections
• Able to launch Internet Explorer 11 when needed
DEMO
• Start Menu
• Notifications
• Cortana
• Questions
• Reminders
• Taskview
• Edge Browser
Getting to Windows 10
Windows 8.1 (x64) / Office 2013
• Tweak existing deployment process
• Minimal application updates required
• Drivers must be updated
• In-place upgrade worth testing
Windows 7 (x64) / Office 2013
• Tweak existing deployment process
• Minimal application updates required
• Drivers must be updated
• In-place upgrade worth testing
Windows 7 or 8.1 (x86) / Office 2013
• Full images will need to be rebuilt
• Many applications will require changes
• Drivers must be completely regenerated
Windows 7 / Office 2010 or 2007
• Full images will need to be rebuilt
• All applications will require changes
• Significant work required to certify all changes
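"In-place upgrade worth testing" is easier to act on when the test is automated. As an added example (not from the deck), the script below gates the in-place upgrade on the Windows 10 setup compatibility scan: it runs setup.exe in scan-only mode, maps the result code, and only starts the real upgrade when the scan reports no issues. The media path and log directory are assumptions; the setup.exe switches and the result codes are Microsoft's documented ones.

```powershell
# Added example (not from the deck): gate an in-place upgrade on the Windows 10
# setup compatibility scan so the upgrade only starts on machines the scan
# clears. Media path and log directory are assumptions.

$SetupExe = 'D:\setup.exe'            # mounted Windows 10 x64 media (assumption)
$LogDir   = 'C:\Win10Upgrade\Logs'    # assumption
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Documented MOSETUP_E_* results of a /Compat ScanOnly run. PowerShell hex
# literals and Process.ExitCode are both signed Int32, so they compare directly.
$ScanResults = @{
    0xC1900210 = 'No compatibility issues found'
    0xC1900208 = 'Hard block: incompatible app or driver; see CompatData*.xml in the logs'
    0xC1900204 = 'Migration choice not available (edition or architecture mismatch)'
    0xC1900200 = 'Device does not meet Windows 10 system requirements'
    0xC190020E = 'Insufficient free disk space'
}

function Invoke-Win10CompatScan {
    # /Compat ScanOnly performs the upgrade's assessment and exits without
    # changing the machine; /CopyLogs keeps the setup logs for review.
    $p = Start-Process -FilePath $SetupExe -Wait -PassThru `
        -ArgumentList "/Auto Upgrade /Quiet /NoReboot /Compat ScanOnly /CopyLogs `"$LogDir`""
    $code = $p.ExitCode
    [pscustomobject]@{
        ExitCode = ('0x{0:X8}' -f $code)
        Result   = if ($ScanResults.ContainsKey($code)) { $ScanResults[$code] } else { 'Unknown result; inspect the logs' }
        Passed   = ($code -eq 0xC1900210)
    }
}

function Start-Win10InPlaceUpgrade {
    # Same switches without /Compat ScanOnly. /DynamicUpdate Enable pulls the
    # latest setup fixes and drivers, which the "drivers must be updated"
    # lesson above suggests you want.
    Start-Process -FilePath $SetupExe -Wait -PassThru `
        -ArgumentList "/Auto Upgrade /Quiet /NoReboot /DynamicUpdate Enable /CopyLogs `"$LogDir`""
}

$scan = Invoke-Win10CompatScan
$scan | Format-List
if ($scan.Passed) {
    Start-Win10InPlaceUpgrade | Out-Null
    Write-Host 'Upgrade staged; reboot when the maintenance window allows.'
} else {
    Write-Warning "Upgrade not started: $($scan.Result)"
}
```

Running the scan alone across a pilot group is also the cheapest way to size the "many applications will require changes" work for the x86 and Office 2010/2007 estates: the hard-block list comes out of the CompatData logs without touching any machine.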
Lessons Learned
• Application Updates
• Group Policy review
• Driver Updates
• Waiting for Microsoft tools: Microsoft Deployment Toolkit, ADMX, SCCM Support, ADK, RSAT

Lessons Learned – Part 2
• In-place upgrade option
• Remote imaging process
• DirectAccess benefits
• Default user settings

Enterprise or Professional?
Table columns: Feature / Professional / Enterprise
• Windows Hello & Passport
• Enterprise Data Protection
• Device Guard
• Cortana
• Edge browser
• BitLocker
• DirectAccess
• Current Branch for Business
CONTACT INFORMATION
Todd Parkin, Practice Manager, parkin@kraftkennedy.com, 212-692-5655
Chris Owens, Practice Leader, owens@kraftkennedy.com, 713-221-5311
Thank you for coming!