Client Computing ChoicesEssential Points to Land:Complexity of OS migration, specifically in the context of Windows XP Windows 7Windows 7 is an Inflection Point: Customers are using it to think broadly about their client computing environmentThey now have a wide range of choices: trends in business (tightening budgets, mobility) and technology (virtualization, cloud services,) are generating questions about how best to decideDon’t make a decision on OS migration alone: You need a full desktop strategy Storyline: Customers have been on Windows XP for nearly 10 years. In that decade, many things have changed both in business and technology. Windows 7 is a catalyst that is causing customers to reconsider their client computing environment through the lens of making people productive – wherever they are -- while managing cost.Half of IT Pros are looking to deploy Windows 7 (Citibank), and two-thirds of firms expect to migrate to Windows 7 at some point (Forrester: Windows 7 Commercial Adoption Outlook). They have lots of questions about how to achieve this, like: How do I manage costs?According to IDC, the TCO of desktops can range widely, anywhere from $230 to $1320 per PC annually. Where organizations end up within this range depends on many factors, which we will discuss later in the presentation. Should employees bring their own PCs to work?Organizations are at risk of losing their brightest and most ambitious young employees if they cannot provide the computing environment the “digital native” generation is accustomed to. Although the present economic climate has shifted the balance of power in recruiting, this is temporary: the war for talent will persist. Some companies have responded to this war by piloting “Bring Your own PC” programs, which give workers more choice in what PC they use. This means IT departments focus more on access, security and data protection. This trend obviously has ramifications on TCO.Do I expand use of cloud services? Forrester believes that the increased availability and capabilities of all kinds of cloud services: from Web-based offerings to Software as a Service to Infrastructure as a service will be a game-changing, disruptive shift for some enterprise clients (Market Overview of Current Cloud Service Providers from Global IT providers-June 2009). The expansion of cloud services presents an opportunity for organizations to consider how best to leverage their existing investments and where to put new ones. Should I use Rich clients or thin clients? Lowering cost and improving manageability, security, and remote access drive interest in client virtualization (Forrester), and the choice between rich clients or thin clients often accompanies the choice about what kind of desktop virtualization organizations use.How do I keep my data safe and my applications secure?The average loss due to computer security incidents was $234,244 in 2009 (CSI Security Survey 2009). However, theft of proprietary data from mobile devices was far higher: According to the CSI/FBI Computer Crime & Security Survey theft of proprietarydata from mobile devices tallied to $2.3M, while theft of customer data from mobile devices came to $2.2M. Given this, it’s no surprise that more than half of the respondents in MSFT research told us they need help protecting corporate data on laptops. How do I keep mobile users productive?The number of mobile workers overall will increase to more than 30 percent by 2011 (IDC), and 68% of the companies we surveyed struggle with the inability to manage PCs when those are not physically connected to the corporate network. Much of this difficulty is due to the complex and time-consuming methods of connecting to corporate networks when away from the office. This presents a huge challenge not only for end user productivity but also for security and data protection. How can I take advantage of virtualization? The client virtualization trend has swept many industries over the past 2-3 years, leading many IT decision makers with questions about how they can benefit from the potential of virtualizing applications or full desktops. However, with the buzz around virtualization reaching a fever pitch, analysts, such as Natalie Lambert of Forrester – warn that many have misconceptions about exactly what benefits they can hope to achieve through virtualization. (Forrester: Know Your Facts: Understanding The Realities Of Desktop And Application Virtualization July 2009) Transition:Although migrating to Windows 7 might be the issue that causes enterprises to question these things, CIOs and architects should not make a decision based on migration concerns alone, but instead think about the broader desktop strategy for their organization and for their users. All Relevant Data Points: Half of IT Pros are looking to deploy to Windows 7 (Citibank Survey)TCO$230-1320 per PC per year (IDC Core IO research 2007)Forrester: IT budgets will remain flat in the next year at 1% growth68% of Enterprises struggle managing PCs (Forrester)Security and ComplianceAverage loss due to security incidents was $234,244 in 2009 (CSI Security Survey 2009). 2009 saw huge jumps in financial fraud: from 12 percent in 2008 to nearly 20 percent Theft of proprietary data from mobile devices tallied to $2.3M, while theft of customer data from mobile devices came to $2.2M. The cost of the stolen mobile hardware itself was reported at $3.8 (Computer Security Institute/FBI Computer Crime & Security Survey-looking for latest version of this)56% of respondents in MSFT research say they need help protecting corporate data on laptopsConsumerization: You lose your most ambitious employees if you cannot provide them enough computing power (anecdote of people turning down jobs bc of computing environment)
The Need for a Desktop StrategyEssential Points to Land:The desktop ismore than the OSEssential to have a complete desktop strategyThere are 4 essential components of the desktop: data, applications, OS, hardware: a complete desktop strategy should consider how these things work together Storyline:The desktop is more than just the operating system: The desktop includes the applications that make your business run, the data with which you make critical business decisions, the settings that help your employees personalize their PCs and make them more productive, and the hardware your users need to access the entire computing environment. When making client computing decisions, it is essential to have a complete desktop strategy that considers the whole desktop -- User Settings, Data, Applications, browser, and the operating system. Each one of these desktop components comes with its own set of challenges and considerations, which should be considered in combination with the others to achieve a strategically coherent whole. Transition: Regardless of your strategy, you should be able to support certain essential capabilities for your business.
Where Applications & Data Can LiveEssential Points to Land:Individual componentscan sit in multiplelocationsIt’s important to have the ability to combine them to have different choices so you can choose what works for your business and your users to keep them productiveFlexibility can be good, but it can also be evil without proper managementStoryline:No longer must all the components of the desktop be confined to a single location. As an organization, you can decide where to host the applications and data and how you provide user access to these components. You can make the decision on whether they are hosted locally, on-prem, or in the cloud, or any combination of the three. We hear from customers that they have very good reasons to deploy different components in different locations. For example: they want to be able to host, for example, apps and data in either of these locations.They also want to embrace the cloud in a way that works for themThey want to leverage investments they have made in their current infrastructure It’s important to ensure that you are choosing the right deployment/management method for the right business outcome. For example, we already have customers who are experimenting with a combination of local, on-prem, and cloud hosting by using rich clients on which the operating system resides locally, applications are provided on-prem through application virtualization, and data is accessible in the cloud via many different cloud services. Transition:These customers are enjoying flexibility to choose what is right for their business. This flexibility can be good, but without proper management it can be evil. Historically, customers have had to make a tradeoff between flexibility and control. This has caused some of our customers to throw up their hands and give up on flexibility entirely as they saw complexity increase and costs skyrocket.But in doing this these customers are essentially wasting the productivity potential of the most expensive and valuable asset they have, which is their people. But the truth of the modern desktop is that you no longer have to make the tradeoff between flexibility and control. You can have the flexibility end users need to be productive and the control IT pros need to protect the business – you can make people productive while managing risk. And to get to that level of balance, you must be able to manage the parts of your computing stack across the range of locations you intend to deploy, whether local, on-prem, or in the cloud.
Segment End Users in 4 Simple StepsEssential points to land:Use a matrix to visualize your usersX-axis is about mobilityY-axis is about autonomy over applications and data on the PCStoryline:Step 1The first step in segmenting end users is to consider the level of mobility and connectivity the user has. At one end of the spectrum are users who are always connected to the corporate network and are always at a desk or workspace. On the other end are users that are highly mobile, working both online and offline, or sometimes in places that have low bandwidth. Step 2 The second step is to consider the level of autonomy the user has over applications and data on his or her PC. It’s important to realize here that we’re not talking about job autonomy, but rather autonomy over their computer environment. For example, a doctor has a great deal of job autonomy – he can write a treatment plan and prescribe medications – but he has very little autonomy over his computer environment: he cannot simply uninstall the patient records database or delete patient data. So for the purpose of this segmentation, the doctor would fall on the low end of the autonomy spectrum. Step 3 Now that the basic matrix is set up, you can begin placing user types. The most demanding type, with high mobility and high autonomy, is the mobile worker. This is the worker who is often disconnected from the corporate network due to travel, working from home, or working in locations with limited bandwidth. Often these are highly influential users in the organization, such as senior executives, or employees that are very influential for the company’s bottom line – like field sales representatives. At the other end of the spectrum are users who are always connected to the network and have very little autonomy over their computing environment. We call this worker the Task Worker, and bank tellers and call center associates fall into this category. Task workers often work with server-based applications, such as those delivered through Terminal Services (now RDS) or the Web. The Task Worker has very little need to install applications or manipulate locally-stored data. The category just to the right of the Task Worker is the Deskless Worker, who is highly mobile, but has little need for control over applications and data. This type of worker is often the retail associate, such as a clerk, a nurse who might move from patient room to patient room, or a manufacturing floor manager. These types of workers are good candidates for Web applications. The fourth group is probably the most familiar. These are the Office Workers, who are always connected yet require a high level of autonomy and control over their computing environment. Office workers need the flexibility to install applications and work with many data sources. However, this group is very broad, and they aren’t all best served by the same desktop infrastructure.
The Windows Optimized DesktopEssential points to land:We have a broad range ofrobustsolutionsWe have experience in the enterprise spaceWe have a vision for desktop optimizationStoryline:The Windows Optimized Desktop value proposition becomes crystal clear when considering our range of options and robust possibilities: Microsoft has the best solutions for desktop to datacenter management across physical and virtual targets. Microsoft is unique among vendors for the ability to provide comprehensive management across physical and virtual, datacenter to desktop from a single console. The Windows Optimized Desktop makes it easy to connect your desktop strategy with your overall strategy for managing core infrastructure. At the base level is client infrastructure, including Windows 7, Internet Explorer, and MDOP. Windows Server infrastructure supports client features like branch cache and direct access and, through Hyper-V, supports VDI environments. This is all tied together with the desktop-to-datacenter and physical-virtual management tools of System Center and security of Forefront for your clients and your servers. Management tools like System Center and MDOP provide the security, access, and application optimization that are important to keep IT costs in check across locally deployed systems, systems and apps that are hosted on-prem in your data center.We’re even extending management into the cloud with solutions like System Center Online desktop manager. Microsoft can help you deliver the right desktop to the right person and drive desktop delivery, access, and maintenance with the tools in the Windows Optimized Desktop.Transition:We all know that in today’s world, one size does not fit all users: Mobile and Office workers have different needs than contractors or task workers. The Windows Optimized Desktop is Microsoft’s vision for what desktop computing should be: it gives end users the flexibility they need to be productive anywhere, while providing IT the control they need to manage risk and keep costs in line. The Windows Optimized Desktop is the modern enterprise desktop experience for end users and IT administrators alike. (Introduce Vignettes as needed)
Configuration Manager 2012 has an entirely new approach to application delivery – one that is optimized for the end user. The administrator defines the application once and targets it to a user or group. Configuration Manager ensures that it delivers the optimal experience for that user (or those individual users in that group) by evaluating the user’s device type and network connection capabilities. So whether they are using a laptop, VDI session, or iPad – or all of those – we’ll deliver the app to that user with the best experience on each device.The reason that this is possible is that Configuration Manager 2012 has a new application model that allows the deployment of software based on the nature of the relationship between the user and device– of “User Device Affinity.” Administrators are able to assign relationships between users and devices – and whether they are “primary” devices used primarily for corporate functions, or “Non-primary Devices” that may be personal or public devices. By understanding the relations between the user and device, you can establish rules for how applications should be treated on various devices to ensure that corporate assets are kept secure. For example: It can only install the MSI version of Microsoft Visio if the device is a primary device like a corporate laptop of the targeted user, otherwise don’t install. Another example is that you can install the MSI or App-V version of Microsoft Office when the device is a primary device of the user targeted, and install the Citrix XenApp version if the device is not a primary device. For public devices – like a Kiosk – it could prohibit access to the application entirely. This ability to define user and device relationships also enables you to pre-deploy software. Pre-deployment allows software to be installedon a user’s primary devices whether or not the user is logged in. So the IT admins are able to provide the best application experience for the user which is optimized for the specific device type.
Configuration Manager 2012 is aimed right at the center of these challenges around device proliferation and user productivity, but in a way that seeks to enable the flexible workstyles demanded by users – empowering them be productive anywhere, on any device rather than seeking to “limit” or “lockdown” access. Configuration Manager 2012 provides IT a lean, unified infrastructure to deliver these new capabilities and workloads for client management, virtualization, and security. The solution puts IT in control of costs and compliance, providing an evolutionary path to new capabilities that leverage existing, people, processes, and technologies. Configuration Manager reduces the cost and complexity of IT compliance by delivering visibility, discovery, and enhanced, IT-definable remediation capabilities. It’s all designed to help IT simply and efficiently deliver a user-centric approach to client management. And because it is built by Microsoft engineers who have exceptional knowledge of Windows, Configuration Manager delivers tight interoperability with Windows, for more effective and efficient user management and security.
Microsoft offers many tools to migrate to Windows 7.Assess hardware, applications and plan for new features or services you wantPrepare applications, infrastructure and images for deployment and migrate usersExpand functionality coverage, transition applications, manage the desktop environmentKey Message: An overview of the Application Compatibility Tool and the ACM. The following is detailed info regarding the usage, options, and new features within the ACT and ACM.The Application Compatibility Manager (ACM) is a tool that enables you to configure, to collect, and to analyze your data, so that you can fix any issues prior to deploying a new operating system in your organization. When you configure the ACT using it’s wizard, the ACM automatically starts. Detailed info on ACM can be referenced at http://technet.microsoft.com/en-us/library/cc766464.aspx.You can use the ACT features to:Verify your application's, device's, and computer's compatibility with a new version of the Windows operating system, including determining your risk assessmentVerify a Windows update's compatibility, including determining your risk assessmentBecome involved in the ACT Community, including sharing your risk assessment with other ACT usersUse the provided developer and test tools to test your Web applications and Web sites for compatibility with new releases and security updates to Internet Explorer®, to determine potential compatibility issues due to the User Account Control (UAC) feature, to create compatibility fixes for your application compatibility issues, and to determine any potential application installation and setup issuesWhat’s New in ACT 5.5:Updated issue detection and supported operating systemsIntegration of data from the Windows Vista Compatibility CenterAbility to audit your application data and to selectively synchronize your applications with MicrosoftUpdated documentation for the Windows compatibility fixesAbility to customize your Quick Reports viewAbility to label your individual data-collection packagesRemoval of the Internet ExplorerCompatibility Evaluator (IECE)Ability to participate in the Customer Experience ProgramCompatibility EvaluatorsThe Application Compatibility Toolkit (ACT) includes several compatibility evaluators that can be deployed as part of a data-collection package to collect information from your client computers including:Inventory CollectorUser Account Control Compatibility Evaluator (UACCE)Windows Compatibility Evaluator (WCE)Update Compatibility Evaluator (UCE)Detailed info on each of these can be found at…http://technet.microsoft.com/en-us/library/dd638366.aspxTiming: Prepare for this discussion using the info above. This is a full-featured, in-depth tool and timing can run long unless an abbreviated subset of data is discussed. If the audience is particularly interested in this topic there is a large amount of info here, however a complete breakdown of the toolkit can be found at… *http://technet.microsoft.com/en-us/library/cc722055.aspx
Speech:So now that we are introduced to the different processes that make up the managed desktop solution, who is responsible for governing these processes? Here is a sample governance model that can be adapted to your enterprise:Hardware Council- Responsible for testing and certifying new hardware against the enterprise image.- Standardizes hardware purchases to limit the number of models and optimize purchasing power of the entire company.Image Build TeamBuilds and maintains the master image(s) for the enterpriseInteracts with other teams to define the applications, security and configurations in the master imageConfiguration Control Board- Tracks, reviews, and approves all required changes to the enterprise desktop and deployment mechanism including updating existing systems in the enterpriseApplication Compatibility TeamAbility to identify, test and help to troubleshoot most issues with Application Compatibility on the managed desktopApplication OwnersSMEs with ownership of individual applicationsResponsible for testing application packages against the enterprise image and deployment mechanismSecurity Operations TeamManages review and approvals of changes that affect desktop securityHelp Desk Managed Desktop Support- Supports the desktop and deployment processSecurity Desktop Monitoring TeamIdentify trend lines when systems are straying from the desired configurationPackaging TeamCreates packages and sequenced applications based on information from application ownersRole OwnersResponsible for assigning, certifying and licensing the group of applications assigned to a specific role in the enterpriseWork closely with Application owners and Software distribution teamTypically embedded in the Business Group they serveEnterprise Role OwnerResponsible for testing, certifying and licensing the group of applications assigned to all users in the enterpriseWork closely with Application owners and Software distribution teamTypically part of the Image Build TeamDesktop Group Policy AdministratorsDistribute security and other group policies that will affect the desktopDesktop Operations TeamResponsible for user data, file and print access and backupsNetwork Operations TeamResponsible for approving maintenance windows for software distribution and os deploymentResponsible for ensuring the network can handle the load and protocols neededActive Directory AdministratorsResponsible for maintaining computer accounts in AD for existing and new machinesSoftware Distribution Team- Responsible for distribution of software and dependencies to machines during desktop deployment and to existing machines
Notes:Speech:The deployment approach is often one of the most important decisions in the Deployment Solution design. There are several technologies that can be used to make a deployment solution and choosing the right mix of them is considered the deployment Approach. These technologies include:System Center Configuration Manager 2007 SP2 or ConfigMgr for short is part of the System Center family of software that provides operating system deployment along with software distribution technology in conjunction with lifecycle for each of the components.Microsoft Deployment Toolkit 2010 (MDT) - Microsoft Deployment Toolkit 2010 (MDT 2010) provides a common console with the comprehensive tools and guidance needed to efficiently manage deployment of Windows 7 and Windows Server 2008 R2. Microsoft Deployment Toolkit 2010 is the recommended process and toolset to automate desktop and server deployment. Microsoft Deployment Toolkit 2010 provides detailed guidance and job aids for every organizational role involved with large-scale deployment projectsWindows Server 2008 R2 includes various improvements to help deployments:WDSWindows Deployment Services has been updated to support Windows 7 unattended installations. WDS now includes the ability to be able to dynamically deploy drivers as part of the unattended install using driver groups. This allows for fewer and more streamlined images to automatically detect the drivers or driver groups needed to download during a deployment.The multicast capabilities of WDS have also been improved to support Multiple Stream transfers.BranchCacheBranchCache is the solution in Windows 7 to minimize traffic across a slow WAN link from a data center to a branch office. It is implemented in two ways: Distributed where authorized clients request data from peers in the Branch and Centralized where authorized clients can request data from a hosted cache server locally in the Branch. In both scenarios, clients can only retrieve files they are authorized by the remote server to have access to. The BranchCache protocol is used by HTTP, SSL, SMB and BITS traffic with transparency to overlayed applications. BranchCache is a great way to distribution components of the desktop to peers within a branch without invoking the WAN link.
Notes:Speech:Lite Touch Installation (LTI): LTI primarily involves the use of components and scripts in the Microsoft Deployment Toolkit (MDT) hosted on a deployment share. A script-based engine is used to run a task sequence to perform the deployment based on profiles stored in the MDT database or customized settings in an INI file. LTI deployments require minimal infrastructure to operate. Operating systems can be deployed over a network using a shared folder or locally using removable storage such as a CD, DVD, or USB flash drive (UFD). The deployment process can be initiated manually or automatically. LTI settings are configured using the MDT Deployment Workbench and further dynamic customization can be made for the specific environment. The configuration settings for each individual computer can be provided manually during the deployment process or via the MDT database.
Notes:Speech:OSD: ConfigMgr innately contains a collection of features for image deployment called Operating System Deployment. These tools can be used without any other products to perform image deployment but are more commonly used in conjunction with MDT in the ZTI approach.
Notes:Speech:WDS - Since Windows Server 2003 up until now with Windows Server 2008 R2 Windows Deployment Services (WDS) can be used in a standalone capacity to deploy operating systems and contains new features such as Dynamic Driver Provisioning and Allows machines being deployed through the WDS Client to get only the drivers they need as well as multicast abilities. The WDS scenario is commonly used in conjunction with LTI and ZTI solutions to provide PXE boot but rarely used in standalone mode.
Notes:Speech:Zero Touch Installation (ZTI): ZTI uses desktop components and MDT scripts stored in Microsoft® System Center Configuration Manager 2007 (Configuration Manager) Packages. Configuration Manager ® policy advertises Task Sequences that deploy these packages based on profiles stored in the MDT database. Packages are deployed from Configuration Manager distribution points and thus ZTI deployments require a Microsoft System Center Configuration Manager 2007 (Configuration Manager) infrastructure. The ZTI deployment process is always initiated automatically. In a ZTI deployment, all configuration settings must be provided for each target computer being deployed. By definition, there is no manual configuration in ZTI deployment. As a result, customizing a ZTI deployment usually requires more effort than customizing a, LTI deployment, but can take advantage of greater automation.
Outside of empowering users in this new world of device proliferation, we also invested heaving in ConfigMgr 2012’s ability to unify infrastructure in a way that helps IT reduce costs and improve efficiencies. In this section, we’ll talk about the new architecture that reduces infrastructure of the ConfigMgr deployment itself, integrated management of virtual clients, and end-to-end client security that covers AV, updates and compliance. We’ll finish up with power management and our updated approach to internet-based client management.
Microsoft has been in the client management business for 15 years, and in that time the market has evolved dramatically. We have evolved our product line to meet the new challenges that IT departments face along the way. The last big innovation was Windows Intune in response to the cloud -- allowing us to simplify management and security without the burden of the infrastructure. And now -- to address the challenges of the consumerization of IT – we are introducing Configuration Manager 2012.
First, in the 2012 release, we made a major investment to modernize the Configuration Manager architecture. You will see immediately that the Configuration Manager hierarchy is flatter than the earlier versions. This allows you to minimize infrastructure for remote offices, consolidate infrastructure for primary sites, and improve scalability. Let’s look at each of these:Minimize infrastructure for remote officesThe biggest change is that you no longer need a primary site for each remote office. Secondary sites – which can be a multipurpose server or even a user laptop – can server as the distribution point for content routing. In addition: All things like Branch distribution point, PXE service point and distribution point can now be combined in one distribution point. Distribution points can now be installed on both server and Client operating systems.Consolidating infrastructure for primary sitesNot only do you no longer need a primary site for each remote location, you no longer need to rely on separate primary sites for scale, redundancy or fault tolerance, or for geo political reasons. That means that depending on your particular environment, there could be drastic reduction in number of servers you need for primary sites. The new Central Administration Site role is used for all administration and reporting – offloading these functions from primary sites, and eliminating scale concerns. New role-based administration feature means that you no longer need a primary site for decentralized administration.Ability to create client settings at the hierarchy level – with exceptions – means you don’t need separate primary sites for servers and desktops.Multiple language packs can now be installed on primary sites, so no need for separate primary site for different language support And, as mentioned above, content distribution to remote sites is more efficient, so no longer need 3rd or 4th tier primary site for content routing – secondary sites or distribution points can be used instead. Scalability and Data Latency ImprovementsAs mentioned, the Central Administration Site is just for administration and reporting.Other work is now distributed to the primary sites as much as possible. File processing occurs once at the Primary Site and uses replication to reach other sites (no more reprocessing at each site in the hierarchy)System-generated data (HW Inventory and Status) can be configured to flow to the CAS directlyIn terms of content distribution, there are additional scalability and data improvements: PXE service point will be more scalable than the earlier version of 75 points per site and it will support multicast option.In the past you might have a secondary site with no proxy management point but a distribution point on it. Now you can get rid of that secondary site and use the distribution point to throttle and schedule content. Distribution Point grouping is also improved - you can now manage distribution to individual DPs or groups of distribution points. Content can be automatically managed based on group membership.
You will also see some enhancements in Operating System Deployments in ConfigMgr 2012. There are a few areas to highlight here:Offline servicing of images or Component-based servicing like Windows OS updates – if they are already approved,we now have the ability to deploy those updates against the images in the library offline. So as soon as the updates are available on a Patch Tuesday, these images are also made up to date.We also have improved the boot media environment- you don’t have to be site specific, boot media can be defined at a hierarchy level. This will simplify the management of your boot media – no matter where the boot media connects from, it will be able to find the right management point and right operating system images.The other area is to enable pre-execution hooks to automatically select a task sequence. This helps in that the end user doesn’t have to choose from a menu – you can automate the selection.For USMT 4.0 simplification, features like shadow copy andhardlinking are supported. The command line parameters that USMT 4.0 scans are integrated in the console so it minimizes the syntax errors for the administrators.[Graphic description]: For OS Deployment – Task Sequence:Admin creates OS image and boot image and replicates to DP.Admin creates Task Sequence and advertises to collection containing client. Client retrieves Task Sequence from MP and executes it. Client retrieves book image and OS image references in Task SequenceClient sends status as Task Sequence executes. PXE Boot (bare metal)1. Admin advertises task sequence to collection containing new computer2. New computer PXE boots3. ConfigMgr provider in WDS looks for computer in ConfigMgr database (NOTE: WDS PXE Server hosts multiple providers. ConfigMgr puts its provider first in the list)4. WDS Server downloads WinPE to new computer5. ConfigMgr code in WinPE contacts MP to get task sequence that was advertised.
Outside of the infrastructure improvements, we’ve also improved the ability for ConfigMgr2012 to unify physical and virtual management. When we talk about user centric application delivery, we have to recognize that the virtual client experience is becoming more prevalent. This makes sense, as Desktop Virtualization is one of the key technologies that enables organizations to accommodate all the new user devices in the enterprise. We work with App-V and Citrix XenAppto deliver user-centric applications across multiple platforms. We have also made improvements in Citrix XenDesktop and Microsoft Remote Desktop Services interoperability that allow us to do a better job of managing VDI environments, including: Recognizes pooled and personal virtual desktops and applies policies appropriately- Pooled desktops can be excluded from tasks- Pooled desktops uniqueness is maintained so that no obsolete records are generated.We also provide protection against VDI storms- for example you can randomize updates and scans within the virtual environment so that all VMs don’t start the update process at the same time and create resource contention. Randomized tasks include:Hardware and software inventory scanningSoftware update scanning, download and installation
In addition to the infrastructure consolidation we’ve already discussed around primary sites and virtual and physical management, we also have consolidated client management and security in one infrastructure. This is a core differentiator of our approach, since most companies continue to take the traditional security and management structure of two different teams- one managing desktops and the other managing security for these desktops. But this traditional approach brings with it two major issues:The security admins are frequently bogged down with the day-to-day operations of maintaining security and don’t have time to focus on the upcoming security strategies. Operational costs are high because of two different infrastructures for client management and security.By operationalizing desktop security- i.e. combining desktop management and security in one infrastructure –Microsoft has given organizations a powerful tool for improving security while also driving efficiency. System Center 2012 Endpoint Protection- which was previously known as Forefront Endpoint Protection-- is built directly on Configuration Manager 2012,consolidating the infrastructure. It also provides better protection since security policies and compliance visibility arenow in the same desktop management console. It frees up the security admins from day-to-day tasks like updating antivirus definitions – these can now be managed by the desktop admins using their existing update processes – allowingsecurity admins can focus on end-to-end security strategies.The tight integration of these two products starts at the setup,which is 100% unified. Once endpoint protection is enabled, the Configuration Manager console provides monitoring and reporting,as well as policy administration capabilities for client security. Your enterprise can utilize the existing infrastructure to centrally manage endpoint security now.
Another simplification we have made with Configuration Manager 2012 is in the area of Software Updates. In ConfigMgr 2007, updatingwas built on WSUS and we had a role called Software Update Point. This gave the ability to define and roll out software updates, but there was a heavy administrative workflow to get patches approved and deployed.In ConfigMgr 2012, auto deployment rules (ADR) simplify the update deployment process. For example, ADR will help you define and automate endpoint protection definition updates in the ConfigMgr console. System Center Endpoint Protection definition updates are provided 3 times a day- and with ADR, you no longer have to manually approve these update.We also have something called state-based update groups,where we can deploy updates in groups. You can think of things like Internet Explorer or laptop security as a type of group. Relevant updates can be added to these groups automatically,and they deploy to the collections targeted in those groups. So it is almost likepre-specifyinga template for the update process. Updates are also optimized with new content model to reduce replication and storage. Expired updates and content are deleted.
Remediation is an extremely important function of end-to-end client security, and we’ve added significant new functionality in ConfigMgr2012. In ConfigMgr 2007 we had what was called Desired Configuration Management.That feature has been improved upon and is now called settings management. With setting management, you can define compliance baselines across servers and clients – either manually or using pre-built baselines with tools like the IT GRC solution accelerator – and ConfigMgr will report on configuration drifts. But the big change is that now ConfigMgrwill also be able to automatically remediate the settings to bring the client back into compliance. If you don’t want to auto-remediate, you can kick off an alert to a service management console. Additional improvements to settings management include the ability to copy settings and richer reporting.
The final infrastructure improvement that we’ve made in ConfigMgr 2012 is around Internet-based client management. The scenario where you have an employee working from home – and a ConfigMgr admin wants to service that employee’s machine – that was a relatively complex process with ConfigMgr2007. You had to have certificate authority infrastructure for it to work. We’ve changed this so that you can use HTTP or HTTPS and simplified PKI infrastructure to set this up to manage Internet-facing clients. With ConfigMgr 2012, you do not need site signing certificates at the primary site. We have gone to the model of securing endpoints – i.e. Communication between roles and client. We have certificates at role and client – instead of site wide setting of native or mixed mode, now, we can configure individual roles to communicate via HTTP or HTTPS. In the above diagram, when the client machine is in the Internet, it looks to connect with MP and DP that are PKI-enabled. When this client moves to Intranet, the client is intelligent enough to analyze that no PKI MP and DP are available and will connect over HTTP. However, if PR1 had another MP on the intranet, with PKI, then this client will first communicate via PKI enabled MP. So the client will always look for the most secure communication option first. Clients are also always managed when they move between internet and intranet – in our previous version, we would always look for native mode, hence when client moved to Intranet (in the above diagram), they would go to Internet MP and DP to be managed or not be managed at all. Now this is no longer the case – when the client comes to the Intranet, it will still be managed.This release offers tighter security by providing administrators the ability to allow enterprise issued certificates for client communication We have now also increased trust from just Enterprise certificates to also include CA list.
Our goal with ConfigMgr 2012 was to make day-to-day operations easier for administrators. Configuration Manager 2012 has a new, redesigned administration interface. It is a modern application and not an MMC-based application like in the past. The user interface has improvements all around- for example, admins can now perform global searches and the organization of objects is more efficient enabling the administrators to get all the relevant data quickly.
Configuration Manager 2012 also introduces role-based administration. It uses role-based administration to secure objects such as collections,deployments, and sites. It allows IT to organize tasks by business roles and ensures that only the relevant features are visible to any given role.This administration model centrally defines and manages hierarchy-wide access for all sites. Security roles group typical administrative tasks that are assigned to admin users. While security scopes group the permissions that are applied to object instances. Combination of security roles, scope and collections define what an administrator can view and manage.
ConfigMgr2012 includes improvements that will make it much easier for administrators to monitor client health. In the admin interface, you can now get information on policy requests, heartbeat (discovery data records) information, status messages- something similar to System Center Operations Manager. We also have improved client side monitoring and remediation. There are 21 different rule checks that can be done on the client including WMI, ConfigMgr client health, antimalware service etc. The client health is seen as a live data in the console – you don’t need to run summarization of the data anymore. And you can define in-console alerts for your own customized thresholds for acceptable client health parameters.
The Proof of Concept Jumpstart is designed to assist an organization in implementing a Proof of Concept solution for deploying in a test environment to a limited number of clients. The Proof of Concept deploys Windows 7, Microsoft Office 2010, APP-V, and Internet Explorer (IE) 8 in a test environment and represents the leading desktop technologies, best practices, user testing, and architectures.The Proof of Concept Jumpstart Solution from <Partner Name> consists of a set of repeatable services using a structured delivery framework. These deliverables and activities include:Optimized desktop value overview and review of an economic justification report based on your environment. A series of workshops and demonstrations, including: Solution Definitions workshop covering Windows 7, Internet Explorer 8, and Office 2010Application VirtualizationOffice deployment Image deploymentImage creation Application compatibility Environment and hardware assessment of 5 machines, and file remediation on a maximum of 10 documents. Lab set-up, with demonstration of tools, including the following: Microsoft Deployment ToolkitSystem Center Configuration ManagerApplication Compatibility Toolkit (ACT)Microsoft Assessment and Planning (MAP) ToolkitOffice Migration Planning Manager (OMPM)Office Environment Assessment Tool (OEAT)Generate assessment reports, review, and conduct rationalization for a selection of the applications within the assessed sample. Demonstrate and discuss remediation techniques. Create one image based on feedback collected within the workshops, using Microsoft Office 2010. You will have the option to include an Application Virtualization virtualized Office (pre-sequenced). Demonstrate user-state migration techniques. Deploy the image in the lab environment.Testing demonstrations focusing on validating the image and review of optimized desktop features. IT professional solution overview, including training resources available for optimized desktop features. Engagement closeout and Optimized Desktop proposal.
Windows7/8 Migration Strategies
Migration Strategies & Tools for Windows 7 & 8Joe HonanChief Technology Officer, Janalent 2012
Janalent Snapshot• Elite Microsoft Solutions Consulting Org since 2004 • WW Headquarters: Las Vegas, Nevada • US Offices: Silicon Valley & San Diego, California • EMEA office: Brussels, Belgium • 70+ Consultants and custom developers spanning North America, EMEA , and Asia • 500+ successful engagements on 5 continents • Certified Woman, Minority-Owned Business• 3x Microsoft Worldwide Partner of the Year Recognition • Unified Communications & Messaging in 2009 and 2010 Winner • Advanced Infrastructure Solutions Finalist 2008• Awarded 8 Advanced Microsoft Competencies & Regional Awards• CRN Magazine Next Gen Award • 2011 most innovative & nimble business & technology solutions providers
Six Key Client Computing Questions How do I manage costs? How do I keep my data safe and applications secure? How do I keep my mobile users productive? How do I take advantage of virtualization? Should I embrace cloud services? Should employees bring their own PCs for work?
The Need for a Complete Desktop StrategyThe desktop is more than just the Operating System Data & Settings DataApplicationConsiderations Hardware Considerations & User Settings Considerations Operating System Considerations Applications OS How Howyou provide data How will you you support will will manage the IsWill consumer providebe Do you know access How will you devices data searchable across How will users how you How will many security will alldevices? How on you handle mobile devices? application lifecycle? How manynetworks & the data from different PCs?their PCs, localallowed on you images will access from anywhere? How can users get to manage the applications you have? migration? need to maintain? your network? cloud? environment from other PCs? hardware lifecycle? Hardware
Hybrid Clouds are becoming Mainstream On-Premise Local Cloud
The Modern User Profile – Categorizing your UsersStep 1: How mobile isuser types 3: 2: Beginmuch PC this user? placing usage autonomy does this user have? Great deal of autonomy and control over applications, dataOffice Workers Mobile WorkersSingle, always Highly mobile, worksconnected location both offline and onlineTask Workers Deskless Workers Very little autonomy and control over applications, data
Putting it all together… Windows Optimized DesktopClient, Server, Security, and Management Flexibility User Data, Profile, & Settings Applications Operating System & Browser Active directory – Group policy – Networking – Server-based client virtualization Deployment – Application management – PC Monitoring – IT Process & Compliance – Security management
Evolving to a User Centric Approach • Deliver best user experience on each device Delivery Evaluation Criteria • Define application once • User • Device type < > • Network connection User/Device Relationships Primary Devices • MSI • App-V Non-primary Devices • VDI • Presentation Server • Remote Desktop Mobile Devices
Windows 7 / 8 Migration Key Goals Empowered Users Enhanced Visibility Deployment Flexibility Enable people to be Get back control, while still Capture user files, Deploy more productive in a providing flexibility to support Operating Systems and way that is comfortable a dynamic workplace Deliver Applications in a and efficient flexible model
Migration To Windows 7Tools, guidance, programs Compatibility Imaging and Deployment Analysis and Deployment Implementation Mitigation Strategy and Migration User State Migration Tool Volume Activation 2012
The Managed “Desktop” Configuration control board Teams must interact with one another to achieve a managed Enterprise Desktop Stack desktop solution user settings user profile management Desktop Operations Team Application individual applications ownerSoftware Role role-based applicationsdistribution ownersteam enterprise applications Desktop Group Policy Enterprise Administrations role owner security security configuration management hardware hardware-based Security Operations lifecycle Team Hardware software & drivers council operating system image engineering master image Active directory Helpdesk managed desktop Image Build Team administrations support team Security desktop monitoring team image deployment Network operations team
Deployment Approach Microsoft System Center Configuration Manager 2012 Microsoft Deployment Toolkit 2010 (MDT) MDT Configmgr Windows Server 2008 R2 2010 2012 Windows Deployment Services (WDS) Windows Software Update Services 3.0 (WSUS) BranchCache Windows Server 2008 R2
Deployment Approach: LTI LTI – Lite Touch Installation Only requires Microsoft Deployment Toolkit 2010 MDT ConfigMgr (MDT) – free download 2010 2012 Lite Touch Installation Contains tools and best practice guidance for (LTI) deployment Used for Image Engineering and Image Deployment processes Includes MDT Database for role, location, computer and hardware based configurations Windows Server 2008 R2 Does not provide lifecycle for desktop components after deployment
Deployment Technologies: OSD OSD – Operating System Deployment MDT ConfigMgr 2010 Requires Microsoft Configuration Manager 2012 2012 Operating infrastructure System Deployment (OSD) Can be used for Image Deployment process Provides application, hardware and security lifecycle after deployment Windows Server 2008 R2 Does not include MDT Database for role, location, computer and hardware based configurations
Deployment Approach: WDS WDS Standalone– Windows Deployment Services in Standalone MDT ConfigMgr 2010 2012 Requires Windows Deployment Services Feature Can be used for Image Deployment process Does not provide lifecycle for desktop components after deployment Windows Deployment Services (WDS)Standalone Windows Server 2008 R2 Does not include MDT Database for role, location, computer and hardware based configurations
Deployment Approach: ZTI ZTI – Zero Touch Deployment Combines MDT DB, OSD and WDS approaches for a fully automated deployment solution Requires Microsoft Configuration Manager MDT Configmgr 2010 2012 2012 infrastructure and Microsoft Deployment Toolkit 2010 (MDT) ZTI Can be used for Image Deployment process Provides application, hardware and security lifecycle after deployment Windows Includes MDT Database for Server 2008 R2 role, location, computer and hardware based configurations
Deployment Scenarios New Computer A new installation of Windows is deployed to a new computer Upgrade Computer The current Windows operating system on the target computer is upgraded to the target operating system. Refresh Computer This scenario includes computers that must be re-imaged for image standardization or to address a problem. OEM A computer with an operating system installed at the vendor needs to be configured.
Configuration Manager 2012 At a Glance Modern Infrastructure Reduced Infrastructure Requirements Unified Management of Virtual Clients Endpoint Protection Compliance & Settings Management Software Update Management Reduce costs by unifying IT management Power Management infrastructure. Internet-based Client Management
Evolution of Microsoft Client Management 2012 Client Management Laptops, Servers, Comprehensive Management Consumerization Groups ModelInfancy (NT Domain) Enterprise Scale Management from the Cloud of IT
Reduced Infrastructure Requirements Central Administration Site Primary Sites Secondary Sites • Central primary site administration • Client management and settings • Content routing • Reporting • Delegated administration • Distributions points Central Administration Site Primary Site Primary Site Secondary Site Secondary Site Secondary Site Secondary Site Secondary Site Secondary Site
Operating System Deployment Multiple Deployment Method Support CAS • PXE initiated deployment allows client computers to request deployment over Image Task Sequence the network • Multi-cast deployment to conserve network bandwidth • Stand-alone media deployment for no network connectivity or low bandwidth Report • Pre-staged media deployment allows you to deploy an operating system to aWDS PXE Server Primary Site Primary Site computer that DP Role MP Role is not fully provisioned USMT 4.0 UI integration makes it easier transfer files and user settings from one machine to another
Unified Management of Virtual Clients User-centric application delivery through App-V or Citrix XenApp. CONNECTION BROKER Single admin experience for managing physical and virtual desktops. Integrates with RDS and XenDesktop. • Recognizes pooled and personal virtual desktops • Randomizes tasks APP-V CONFIGMGR SEQUENCER DP/MP HYPER-V
Security and ComplianceEndpoint ProtectionUnified Infrastructure• Simplified server and client deployment• Streamlined updates• Consolidated reportingComprehensive Protection Stack• Behavior monitoring• Antimalware• Dynamic Translation• Windows and Firewall Management
Security and ComplianceSoftware Update Microsoft Update Auto Deployment Identifies who needs updates • Faster deployment through search and reports on compliance Downloads updates • Schedule content download and deployment to avoid reboot during work CAS hours State-based Updates • Allows individual Primary Site or group deployment SUP Role/WSUS • Updates added to groups auto deploy to Primary Site Primary Site targeted collections DP Role MP Role Distributes updates Assigns policy to scan for update Optimized for New Content Model Reports status or to deploy update • Reduce replication and storage compliance • Expired updates and content deleted
Security and ComplianceSettings & Baseline ManagementConfigMgr MP Baseline ConfigMgr Agent Auto Remediate Assignment to OR Baseline drift collections ! Create Alert (to Service Manager) Baseline Configuration Items Active Script WMI XML SQL Directory Software File Registry MSI IIS UpdatesImproved functionality Pre-built industry standard baseline templates• Copy settings through IT GRC Solution Accelerator• Trigger console alerts• Richer reportingEnhanced versioning and audit tracking• Ability to specify versions to be used in baselines• Audit tracking includes who changed what
Power ManagementPhase 1: Monitor• Enable agent• Monitor usage and activityPhase 2: Plan• Develop power plan for peak & non-peak hours Non-Peak & PeakPhase 3: Apply Power Policy• Apply Power PlanPhase 4: Compliance & Analyze• Review before and after usage and activity• Determine savings
Internet-based Client ManagementIntranet Internet Reduced Complexity • Single Primary site can manage both Intranet clients (over HTTP) and Internet clients (over HTTPS) PR1 MP Flexibility • Primary sites can be configured to either support only HTTPS roles or both HTTP and HTTPS site DP roles MP DP Reliability • Intelligent client behavior enables client to communicate using the most secure option Non PKI enabled site system available • Tighter security enforcement by only allowing clients with Enterprise-issued certificates to PKI enabled site system communicate with the ConfigMgr roles
Modern GUI• Intuitive ribbon interface• In-console alerts• Global search capability• New collection membership rules allow better filtering of members
Role Based AdministrationMap the organizational roles of your administrators Meg- WW Central Systemto defined security roles Administrator• Security organization role• Geography Louis-Software Update Bob- US & FranceReduces error, defines span of control for the organization Manager for France Security Admin • Can see & update • Can see & modifyFunctionality ConfigMgr 2007 ConfigMgr 2012 “France” desktops security settings on • Cannot modify security “France” and “U.S.” settings on “France” desktops desktops • Cannot update “France” • Cannot see “All Systems” or “U.S.” desktops or “U.S.” desktops • Cannot see “All Systems”
Client Activity and Health• In-console view of client health• Threshold-based console alerts• Heartbeat DDRs• HW/SW inventory and status• Remediation (same as Setting Mgmt)
Asset Intelligence, Inventory, andSoftware MeteringConsolidated/simplified reporting that allows you to• Understand software installation profiles• Plan for hardware upgrades• Identify over or under licensing issues• Track custom apps or groups of titles Real-time Application Asset Intelligence Service Software Metering & License Reports and Hardware Intelligence ConfigMgr Inventory Asset Intelligence Catalog