Managing Windows RT devices in the Enterprise


Published in: Technology

  1. 1. Windows RT in the Enterprise. Nico Sienaert, Lead Infrastructure Consultant | Getronics, V-Technology Solutions Professional | Microsoft
  2. 2. Session Objectives and Takeaways: Positioning of Windows RT devices; Where does Windows RT in the Enterprise make sense; What are the challenges; How do you manage and keep control
  3. 3. Flavors of Windows 8 tablets: Windows 8 tablets with Intel Core 64-bit processors; Windows 8 tablets with Intel Atom 32-bit processors; Windows RT tablets with ARM processors
  4. 4. Windows tablets in Business Environments Devices & Experiences Ready for Business People Love to Embrace
  5. 5. What capabilities are needed? Windows 8 tablets with Atom or Windows RT tablets; Windows 8 tablets with Intel Core. Desktop Apps: W8 tablets with Intel CPU; W8 LOB Apps: Intel Core, Atom or ARM; (Full) Management: Intune/ConfigMgr; Best Connectivity: W8 tablets with Intel CPU; Always on Capability: Atom or Windows RT
  6. 6. Modern Device Management Devices & Platforms Single admin console
  7. 7. Configuration Steps: 1. Purchase/Try Windows Intune Subscription; 2. Add Public Company Domain and CNAME for enrollment redirection; 3. Verify Users have Public Domain UPNs and perform AD User Discovery; 4. Deploy and Configure AD Federated Services (ADFS 2.0); 5. Deploy and Configure AD Directory Synchronization; 6. Configuring Configuration Manager for Mobile Device Management: Creating a Windows Intune Subscription in the Configuration Manager Admin Console, Creating the Windows Intune Connector Site System role; 7. Verification that Configuration Manager is successfully connecting to the Windows Intune Service: CloudUserSync, DMPDownloader, DMPUploader
  8. 8. Windows 8 App Delivery Download from Windows Store Side Load from Your Infrastructure Management Self-Service Portal Infrastructure Cloud (SSP) Windows RT Custom LOB Apps Public Apps App Delivery Windows 8
  9. 9. Enroll a Windows RT device: Get a certificate (for instance internal PKI) to sign your Apps; Sign your Apps with the certificate; Upload the certificate into ConfigMgr/Intune; Upload Sideloading key into ConfigMgr/Intune; On the Windows RT device, go to “Company Applications”; Connect to the Windows Intune Service; Install Company Portal; You are ready to manage and to deploy Apps
  10. 10. Troubleshooting of Software Distribution: HKCU\Software\Microsoft\Windows\CurrentVersion\MDM\JobDB • BITSId • DeployRetryCount • LastError • Status: Initialized/Created = 10; Download In Progress = 20; Download Failed = 30; Download Complete = 40; Install In Progress = 50; Install Failed = 60; Install Complete = 70
  11. 11. Problem Scenarios (1). Symptom: Application is not installing and Reg status of the App is 10. Problem Cause: Most likely sideloading is not enabled. Mitigation: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowTrustedApps=1. Symptom: Application is not installing and Reg status of the App is 30. Problem Cause: Internet Connection down; DP where content is hosted was down; Cert to issue the device is expired. Mitigation: Solve above
  12. 12. Problem Scenarios (2). Symptom: Application is not installing and Reg status of the App is 60. Problem Cause: Application Package corrupt; Certificate expired; ... Mitigation: Install App locally with Add-AppxPackage. Symptom: No Job entry is created in the Registry corresponding to the application requested. Problem Cause: Internet Connection lost during install; notification channel with the device is not created. Mitigation: The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MDM\WNSChannelURi value in this case would be empty.
  13. 13. User Experience on Windows RT. Hardware and Software Innovation: • Thin, light, and sleek • Long battery life • Includes class drivers for most peripherals • Secure by default (UEFI, TPM). Applications: • Run on both Windows RT and x86 • Leverage existing developer language and tools • Sideloading (for line-of-business WinRT apps) and Windows Store. High Quality: • Integrated engineering with ecosystem • Predictable and reliable over time • Pre-configured environment on certified hardware. Work and Life: • New UI, including desktop • Office Home and Student 2013 RT is included • Inbox Mail client • Touch, mouse, keyboard • Multiple user accounts
  14. 14. Driver Compatibility
  15. 15. Office Home and Students 2013 RT • Preinstalled on ARM-based Windows RT devices • Includes new Office applications: Word, Excel, PowerPoint, OneNote • Office Home & Student 2013 RT commercial use rights are included in: Office 365 or Office Standard/Professional Plus 2013 (as secondary use right) or Commercial use license via Volume Licensing
  16. 16. Connectivity (1) VPN connection • Inbox VPN client for Microsoft server is included • Inbox VPN client can interoperate with 3rd party VPN servers via PPTP, L2TP, SSTP and IKEv2. • Encryption: 3DES, AES_128, AES_192, AES_256, CBC_3DES, CBC_DES • Integrity: SHA1, SHA_256, SHA_384 • Password: PAP / CHAP / MS-CHAPv2 / EAP • Certificates: User & Machine • Support for split-tunnel • Web Proxy and intranet settings
  17. 17. Connectivity (2) VPN Client Provisioning • Get Connected Wizard • Intune/ConfigMgr • PowerShell
  18. 18. Provisioning VPN via Intune/ConfigMgr InTune MDM 4 - VPN Connection establishment SCCM RRAS Server Enterprise Premises
  19. 19. Connectivity (2) VPN Client Provisioning • Get Connected Wizard • Intune/ConfigMgr • PowerShell Multi-factor authentication • Smartcard (PIV, GIDS) or Virtual Smartcards • RSA Token
  20. 20. OTP using RSA Secure ID VPN Tunnel Internet VPN Server Windows RT RSA Authentication device Manager Enterprise Premises TTLS-PAP authentication protocol Only one OTP vendor supported: Odyssey
  21. 21. Connectivity (2) VPN Client Provisioning • Get Connected Wizard • Intune/ConfigMgr • PowerShell Multi-factor authentication • Smartcard (PIV, GIDS) or Virtual Smartcards • RSA Token • Limitations: • PIN Changes • Token Challenge-Response • Workaround: • Web-login page protected by the RSA Web Agent
  22. 22. Data and App Access RemoteApp • Grant access to line-of-business applications and data • Seamlessly launch apps from Windows RT • Secure corporate data: avoid storing enterprise data on consumer devices • Ensure compliance requirements VDI • Full VDI experience (RemoteFX, USB redirection, Multi-touch remoting) 3rd Party • Citrix Receiver Remote Assistance
  23. 23. Security and Manageability (1) Security capabilities on Windows RT devices • Secured Boot, Trusted Boot • Device Encryption • Picture password • Windows Firewall, Windows Defender • NAP (Network Access Protection) supported Governance through Exchange ActiveSync (EAS)* • Password requirements (e.g., password complexity, picture password, device lock, password expiration etc.) • No support of external encryption • Remote Content Wipe & lockout behavior • Mail App limitations (Alternative OWA with Exchange 2013 or O365)* Enabled through Mail app
  24. 24. Security and Manageability (2) Diagnostics and troubleshooting • Windows PowerShell supported • The traditional Windows tools (Eventvwr, TaskMgr, Troubleshooting,…) Cloud-based management with Windows Intune Single pane-of-glass administration through ConfigMgr 2012 SP1 • Distribute and manage new Windows apps (via sideloading) • Push configurations (e.g., VPN config) • Enforce more governance settings • Ensure compliance (e.g., monitor security settings) • Collect inventory information (e.g., which LOB apps are installed)
  25. 25. Windows RT Management Details: Windows RT Direct Management via Windows Intune, Exchange ActiveSync. Setting: Allow convenience logon policy ✓; Alphanumeric password required policy ✓; Attachments enabled ✓; Hardware inventory ✓; Maximum inactivity time lock ✓; Password management ✓; Require device encryption ✓. Capability: Application publishing ✓; Deep-link into public application stores ✓; User self-service portal ✓; VPN Client configuration ! ✓
  26. 26. Capabilities in a glance. Capability (Windows RT): Application management ✓; Endpoint Protection O; Hardware Inventory ✓; Software Inventory !; Remote control O; Reporting ✓; Software updates O; Compliance settings !; Power management O; Software metering O. Portal Capability (Windows RT): Enroll Device Yes; Rename Device Yes; Retire (un-enroll local device) Yes; Wipe (remotely other devices) Yes; Install LOB Applications Yes; Install publicly available applications Yes; Contact IT Yes. Retire Device (Windows RT): Removal of Side-loading key Yes; Continue usage of side-loaded Apps No; Install new side-loaded Apps No; Policies retain on device Yes
  27. 27. Miscellaneous
  28. 28. RECAP Windows RT devices are primarily designed as consumer devices, but can be used in corporate environments as well, either using employee-owned devices or company-owned devices depending on the situation. To properly support Windows RT devices in the workplace, enterprises should understand the capabilities provided in and restrictions imposed by Windows RT, as well as the specific infrastructure requirements for supporting Windows RT devices within their organization.
  29. 29. Interesting Links: Windows RT VPN user guide 8 VPN – PowerShell support and Interoperability to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager
  30. 30. Windows RT in the Enterprise. Thank you!
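
The troubleshooting flow from slides 10 to 12, as an added PowerShell example that is not part of the original deck: it maps each job's Status code to its stage and to the mitigation the slides give. It assumes each install job is a subkey of JobDB holding the values named on slide 10; `Get-MdmJobTriage` and the sample records are hypothetical.

```powershell
# Added example (not from the slides). Assumption: each install job is a subkey
# of JobDB that carries the values named on slide 10.
$MdmKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MDM'
$AppxKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

$Stage = @{ 10 = 'Initialized/Created'; 20 = 'Download In Progress'; 30 = 'Download Failed'
            40 = 'Download Complete';   50 = 'Install In Progress';  60 = 'Install Failed'
            70 = 'Install Complete' }
$Hint  = @{ 10 = 'Sideloading likely not enabled: check AllowTrustedApps=1'
            30 = 'Check internet connection, distribution point, certificate expiry'
            60 = 'Package corrupt or certificate expired: try Add-AppxPackage locally' }

function Get-MdmJobTriage {
    param([object[]]$Job)
    foreach ($j in $Job) {
        $code = [int]$j.Status
        [pscustomobject]@{
            Job       = $j.Name
            Status    = $code
            Stage     = if ($Stage.ContainsKey($code)) { $Stage[$code] } else { 'Unknown' }
            LastError = $j.LastError
            Retries   = $j.DeployRetryCount
            NextStep  = if ($Hint.ContainsKey($code)) { $Hint[$code] } else { '-' }
        }
    }
}

if (Test-Path "$MdmKey\JobDB") {
    # Live device: read every job subkey plus the two settings the slides point at.
    $jobs = @(Get-ChildItem "$MdmKey\JobDB" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Name = $_.PSChildName; Status = $p.Status
                           LastError = $p.LastError; DeployRetryCount = $p.DeployRetryCount }
    })
    $wns  = (Get-ItemProperty -Path $MdmKey -ErrorAction SilentlyContinue).WNSChannelURi
    $side = (Get-ItemProperty -Path $AppxKey -ErrorAction SilentlyContinue).AllowTrustedApps
    if (-not $jobs) { "No job entries; WNSChannelURi empty: $([string]::IsNullOrEmpty($wns))" }
    "AllowTrustedApps = $side"
} else {
    # Constructed sample records so the mapping can be tried on any machine.
    $jobs = @(
        [pscustomobject]@{ Name = 'sample-1'; Status = 10; LastError = 0; DeployRetryCount = 0 }
        [pscustomobject]@{ Name = 'sample-2'; Status = 60; LastError = 1; DeployRetryCount = 3 }
    )
}
Get-MdmJobTriage -Job $jobs | Format-Table -AutoSize
```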