Managing Windows RT devices in the Enterprise




More info on http://techdays.be.




Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved


    Managing Windows RT devices in the Enterprise: Presentation Transcript

    • Windows RT in the Enterprise
      • Nico Sienaert
      • Lead Infrastructure Consultant | Getronics
      • V-Technology Solutions Professional | Microsoft
    • Session Objectives and Takeaways
      • Positioning of Windows RT devices
      • Where does Windows RT in the Enterprise make sense
      • What are the challenges
      • How do you manage and keep control
    • Flavors of Windows 8 tablets
      • Windows 8 tablets with Intel Core 64-bit processors
      • Windows 8 tablets with Intel Atom 32-bit processors
      • Windows RT tablets with ARM processors
    • Windows tablets in Business Environments Devices & Experiences Ready for Business People Love to Embrace
    • What capabilities are needed?
      • Windows 8 tablets with Atom or Windows RT tablets
      • Windows 8 tablets with Intel Core
      • Desktop Apps: W8 tablets with Intel CPU
      • W8 LOB Apps: Intel Core, Atom or ARM
      • (Full) Management: Intune/ConfigMgr
      • Best Connectivity: W8 tablets with Intel CPU
      • Always on Capability: Atom or Windows RT
    • Modern Device Management Devices & Platforms Single admin console
    • Configuration Steps
      1. Purchase/Try Windows Intune Subscription
      2. Add Public Company Domain and CNAME for enrollment redirection
      3. Verify Users have Public Domain UPNs and perform AD User Discovery
      4. Deploy and Configure AD Federated Services (ADFS 2.0)
      5. Deploy and Configure AD Directory Synchronization
      6. Configure Configuration Manager for Mobile Device Management
        • Create a Windows Intune Subscription in the Configuration Manager Admin Console
        • Create the Windows Intune Connector Site System role
      7. Verify that Configuration Manager is successfully connecting to the Windows Intune Service
        • CloudUserSync
        • DMPDownloader
        • DMPUploader
    • Windows 8 App Delivery
      • Download from Windows Store
      • Side Load from Your Infrastructure
      • [Diagram labels: Management Infrastructure, Self-Service Portal (SSP), Cloud, Windows RT, Windows 8, Custom LOB Apps, Public Apps, App Delivery]
    • Enroll a Windows RT device
      • Get a certificate (for instance internal PKI) to sign your Apps
      • Sign your Apps with the certificate
      • Upload the certificate into ConfigMgr/Intune
      • Upload Sideloading key into ConfigMgr/Intune
      • Go on the Windows RT device to “Company Applications”
      • Connect to the Windows Intune Service
      • Install Company Portal
      • You are ready to manage and to deploy Apps
    • Troubleshooting of Software Distribution
      • HKCU\Software\Microsoft\Windows\CurrentVersion\MDM\JobDB
        • BITSId
        • DeployRetryCount
        • LastError
        • Status
      • Status values:
        • Initialized/Created = 10
        • Download In Progress = 20
        • Download Failed = 30
        • Download Complete = 40
        • Install In Progress = 50
        • Install Failed = 60
        • Install Complete = 70
    • Problem Scenarios (1)
      • Symptom: Application is not installing and Reg status of the App is 10
        • Problem Cause: Most likely sideloading is not enabled
        • Mitigation: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowTrustedApps=1
      • Symptom: Application is not installing and Reg status of the App is 30
        • Problem Cause: Internet Connection down; DP where content is hosted was down; Cert to issue the device is expired
        • Mitigation: Solve above
    • Problem Scenarios (2)
      • Symptom: Application is not installing and Reg status of the App is 60
        • Problem Cause: Application Package corrupt; Certificate expired; ...
        • Mitigation: Install App locally with Add-AppxPackage
      • Symptom: No Job entry is created in the Registry corresponding to the application requested
        • Problem Cause: Internet Connection lost during install; notification channel with the device is not created
        • Mitigation: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MDM\WNSChannelURi value in this case would be empty.
    • User Experience on Windows RT
      • Hardware and Software Innovation
        • Thin, light, and sleek
        • Long battery life
        • Includes class drivers for most peripherals
        • Secure by default (UEFI, TPM)
      • Applications
        • Run on both Windows RT and x86
        • Leverage existing developer language and tools
        • Sideloading (for line-of-business WinRT apps) and Windows Store
      • High Quality
        • Integrated engineering with ecosystem
        • Predictable and reliable over time
        • Pre-configured environment on certified hardware
      • Work and Life
        • New UI, including desktop
        • Office Home and Student 2013 RT is included
        • Inbox Mail client
        • Touch, mouse, keyboard
        • Multiple user accounts
    • Driver Compatibility www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home
    • Office Home and Student 2013 RT
      • Preinstalled on ARM-based Windows RT devices
      • Includes new Office applications: Word, Excel, PowerPoint, OneNote
      • Office Home & Student 2013 RT commercial use rights are included in:
        • Office 365, or
        • Office Standard/Professional Plus 2013 (as secondary use right), or
        • Commercial use license via Volume Licensing
    • Connectivity (1)
      • VPN connection
        • Inbox VPN client for Microsoft server is included
        • Inbox VPN client can interoperate with 3rd party VPN servers via PPTP, L2TP, SSTP and IKEv2
        • Encryption: 3DES, AES_128, AES_192, AES_256, CBC_3DES, CBC_DES
        • Integrity: SHA1, SHA_256, SHA_384
        • Password: PAP / CHAP / MS-CHAPv2 / EAP
        • Certificates: User & Machine
        • Support for split-tunnel
        • Web Proxy and intranet settings
    • Connectivity (2)
      • VPN Client Provisioning
        • Get Connected Wizard
        • Intune/ConfigMgr
        • PowerShell
    • Provisioning VPN via Intune/ConfigMgr
      • [Diagram labels: Intune, MDM, SCCM, RRAS Server, Enterprise Premises; step 4: VPN Connection establishment]
    • Connectivity (2)
      • VPN Client Provisioning
        • Get Connected Wizard
        • Intune/ConfigMgr
        • PowerShell
      • Multi-factor authentication
        • Smartcard (PIV, GIDS) or Virtual Smartcards
        • RSA Token
    • OTP using RSA SecurID
      • [Diagram labels: Windows RT device, Internet, VPN Tunnel, VPN Server, RSA Authentication Manager, Enterprise Premises]
      • TTLS-PAP authentication protocol
      • Only one OTP vendor supported: Odyssey
    • Connectivity (2)
      • VPN Client Provisioning
        • Get Connected Wizard
        • Intune/ConfigMgr
        • PowerShell
      • Multi-factor authentication
        • Smartcard (PIV, GIDS) or Virtual Smartcards
        • RSA Token
        • Limitations: PIN Changes; Token Challenge-Response
        • Workaround: Web-login page protected by the RSA Web Agent
    • Data and App Access
      • RemoteApp
        • Grant access to line-of-business applications and data
        • Seamlessly launch apps from Windows RT
        • Secure corporate data: avoid storing enterprise data on consumer devices
        • Ensure compliance requirements
      • VDI
        • Full VDI experience (RemoteFX, USB redirection, Multi-touch remoting)
      • 3rd Party
        • Citrix Receiver
      • Remote Assistance
    • Security and Manageability (1)
      • Security capabilities on Windows RT devices
        • Secured Boot, Trusted Boot
        • Device Encryption
        • Picture password
        • Windows Firewall, Windows Defender
        • NAP (Network Access Protection) supported
      • Governance through Exchange ActiveSync (EAS)*
        • Password requirements (e.g., password complexity, picture password, device lock, password expiration etc.)
        • No support of external encryption
        • Remote Content Wipe & lockout behavior
        • Mail App limitations (Alternative OWA with Exchange 2013 or O365)
      • * Enabled through Mail app
    • Security and Manageability (2)
      • Diagnostics and troubleshooting
        • Windows PowerShell supported
        • The traditional Windows tools (Eventvwr, TaskMgr, Troubleshooting,…)
      • Cloud-based management with Windows Intune
      • Single pane-of-glass administration through ConfigMgr 2012 SP1
        • Distribute and manage new Windows apps (via sideloading)
        • Push configurations (e.g., VPN config)
        • Enforce more governance settings
        • Ensure compliance (e.g., monitor security settings)
        • Collect inventory information (e.g., which LOB apps are installed)
    • Windows RT Management Details
      • Columns: Windows RT Direct Management via Windows Intune; Exchange ActiveSync
      • Setting
        • Allow convenience logon policy
        • Alphanumeric password required policy
        • Attachments enabled
        • Hardware inventory
        • Maximum inactivity time lock
        • Password management
        • Require device encryption
      • Capability
        • Application publishing
        • Deep-link into public application stores
        • User self-service portal
        • VPN Client configuration: !
    • Capabilities in a glance
      • Capability (Windows RT)
        • Application management
        • Endpoint Protection: O
        • Hardware Inventory
        • Software Inventory: !
        • Remote control: O
        • Reporting
        • Software updates: O
        • Compliance settings: !
        • Power management: O
        • Software metering: O
      • Portal Capability (Windows RT)
        • Enroll Device: Yes
        • Rename Device: Yes
        • Retire (un-enroll local device): Yes
        • Wipe (remotely other devices): Yes
        • Install LOB Applications: Yes
        • Install publicly available applications: Yes
        • Contact IT: Yes
      • Retire Device (Windows RT)
        • Removal of Side-loading key: Yes
        • Continue usage of side-loaded Apps: No
        • Install new side-loaded Apps: No
        • Policies retain on device: Yes
    • Miscellaneous
    • RECAP Windows RT devices are primarily designed as consumer devices, but can be used in corporate environments as well, either using employee-owned devices or company-owned devices depending on the situation. To properly support Windows RT devices in the workplace, enterprises should understand the capabilities provided in and restrictions imposed by Windows RT, as well as the specific infrastructure requirements for supporting Windows RT devices within their organization.
    • Interesting Links
      • Windows RT VPN user guide: http://technet.microsoft.com/en-us/library/jj900206.aspx
      • Windows 8 VPN – PowerShell support: http://technet.microsoft.com/en-us/library/jj613766.aspx
      • Compatibility and Interoperability: http://technet.microsoft.com/en-us/library/jj613768.aspx
      • How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager: http://technet.microsoft.com/en-us/library/jj884158.aspx
    • Windows RT in the Enterprise. Thank you!
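
The status codes from the "Troubleshooting of Software Distribution" slide and the first checks from the two "Problem Scenarios" slides, combined into a PowerShell triage script. This is an added example, not part of the original presentation; it assumes each job is a subkey of JobDB holding the values named on the slide, and that WNSChannelURi is a value directly under the MDM key.

```powershell
# Added example (not from the presentation): triage MDM app-deployment jobs.
# Assumptions: every job is a subkey of JobDB carrying the values named on the
# slide, and WNSChannelURi is a value directly under the MDM key.
$MdmKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MDM'
$JobDb  = Join-Path $MdmKey 'JobDB'

# Status codes as listed on the troubleshooting slide.
$StatusName = @{
    10 = 'Initialized/Created';  20 = 'Download In Progress'
    30 = 'Download Failed';      40 = 'Download Complete'
    50 = 'Install In Progress';  60 = 'Install Failed'
    70 = 'Install Complete'
}

# First thing to check for each stuck state, per the Problem Scenarios slides.
$NextCheck = @{
    10 = 'Sideloading is most likely not enabled'
    30 = 'Internet connection, distribution point availability, certificate expiry'
    60 = 'Package corruption or expired certificate; test with Add-AppxPackage'
}

function Get-MdmJobStatus {
    if (-not (Test-Path $JobDb)) { return }
    Get-ChildItem -Path $JobDb | ForEach-Object {
        $values = Get-ItemProperty -Path $_.PSPath
        $code   = [int]$values.Status   # a missing Status value becomes 0
        [pscustomobject]@{
            Job       = $_.PSChildName
            Status    = $code
            Meaning   = $StatusName[$code]
            LastError = $values.LastError
            Retries   = $values.DeployRetryCount
            NextCheck = $NextCheck[$code]
        }
    }
}

$jobs = @(Get-MdmJobStatus)
if ($jobs.Count -gt 0) {
    $jobs | Format-Table -AutoSize -Wrap
} else {
    # No job entry at all: the slides point at the notification channel.
    $mdm = Get-ItemProperty -Path $MdmKey -ErrorAction SilentlyContinue
    if (-not $mdm.WNSChannelURi) {
        'No jobs found and WNSChannelURi is empty: notification channel was not created.'
    } else {
        'No jobs found; WNSChannelURi is set.'
    }
}
```

Run it in the session of the enrolled user, since both keys live under HKEY_CURRENT_USER.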