Presentation on the new features and advantages of Windows 10, aimed at IT professionals. This PPT only supports what is shown through demos.
7. What customers are telling us
Passwords are no longer sufficient
We need to be adopting new technologies as fast as our customers
My users need access to their apps and data anywhere, anytime
Too many tools and too much fragmentation
No more big deployments
We want more transparency and an open dialogue with Microsoft
IT Budgets are under pressure. Show us how we can cut IT costs
How do I protect my corporate data
Security of our mobile devices is a top concern
8. Enable mobility of the experience
Natural interactions
Most trusted platform
Innovative new hardware
Windows as a service
Create more
personal computing
13. Source: Hackers Threaten Sony Employees in New Email: ‘Your Family Will Be in Danger’, Dave McNary, MSN, December 5, 2014. Image: G. Hodan
Sony Hackers Threaten 9/11 Attack on Movie Theaters
BRENT LANG, Variety, December 5, 2014
“The world will be full of fear, remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
adding terror to playbook
14. Source: Hackers who breached White House network accessed sensitive data, Steven Musil, CNET, April 13, 2015
Hackers who breached White House network accessed sensitive data
STEVEN MUSIL, CNET, April 13, 2015
"In the State Department breach, none of the department's classified email system was affected, a senior department official said, but the hackers used that breach to break in to the White House's network"
unlimited budget, still vulnerable
15. Security from the inside out – beyond bigger walls
RUIN THE ATTACKERS ECONOMIC MODEL
BREAK THE ATTACK PLAYBOOK
ELIMINATE THE VECTORS OF ATTACK
Addressing the Threats Requires a New Approach
16. New challenges require a new platform
Data protection
Identity protection
Threat resistance
Device security
20.
Virtualization
• Malware gains admin level privilege, gains full access to system, and disables system defenses to evade detection
• Processor based virtualization isolates critical system components and data and protects even in the event of full system compromise
Device integrity
• Malware tampers with hardware and corrupts Operating System before it even starts
• UEFI Secure Boot prevents device tampering and ensures OS starts with integrity
Biometric sensors
• Attacker gains access to user's Password/PIN and 2FA device
• Using a biometric for authentication increases the level of difficulty for an attacker to the highest level
Cryptographic processor
• Malware compromises integrity related defenses and gains unauthorized access to sensitive information (e.g.: keys)
• TPM processor provides tamper proof integrity validation and prevents unauthorized access to sensitive information
21. The End of Passwords, Two-factor for Everyone
Hardware Rooted Trust
SECURE DEVICES
SECURED IDENTITIES
INFORMATION PROTECTION
THREAT RESISTANCE
22. Windows 10 Identity Goals
Mainstream two-factor authentication
Make credential breach, theft, and phish proof
Deliver for consumer and business users
Use credentials on familiar mobile devices for desktop sign-in
40. Today’s Security Challenge
Pass the Hash Attacks
Pass the hash attacks have gone from hypothetical to very real threats
Enables an attacker to get user access tokens using common tools like Mimikatz
Once obtained an attacker is often able to steal additional access tokens
Enables an attacker to frequently persist even once detected
41. Solution
Pass the Hash Attacks
VSM uses Hyper-V powered secure execution environment to protect NTLM tokens – you can get things in but can’t get things out
Decouples NTLM hash from logon secret
Fully randomizes and manages full length NTLM hash to prevent brute force attack
Requires Windows 10 client and domain controller
42. The End of Passwords, Two-factor for Everyone
Completing the Stack
Democratizing Data Loss Prevention
SECURE DEVICES
SECURED IDENTITIES
INFORMATION PROTECTION
THREAT RESISTANCE
43. 58% have accidentally sent sensitive information to the wrong person [1]
87% of senior managers admit to regularly uploading work files to a personal email or cloud account [1]
$240 PER RECORD: average per record cost of a data breach across all industries [2]
[1] Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
[2] HIPAA Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012
44. Device Protection
• Protect system and data when device is lost or stolen
Data Separation
• Containment
• BYOD separation
Leak Protection
• Prevent unauthorized apps from accessing data
Sharing Protection
• Protect data when shared with others, or shared outside of organizational devices and control
46. Data-at-rest Protection
Risks of unencrypted devices go beyond exposed data
Machine admin credentials can be reset with offline tools
Decommissioned desktops and servers create risk
47. Device Encryption
BitLocker
Devices can be encrypted out-of-box with BitLocker
Easiest deployment, leading security, reliability, and performance
Single sign-on for modern devices and configurable Windows 7 hardware
Enterprise grade management (MBAM) and compliance (FIPS)
Increased global acceptance of TPM
Pervasive on all Windows devices by 2015
50. Introducing Enterprise Data Protection
A Different Approach
Corporate vs personal data identifiable wherever it rests on the device
Protects data at rest, and wherever it rests or may roam to
Seamless integration into the platform, no mode switching and use any app
Prevents unauthorized apps from accessing business data
IT has full control of keys and data and can remote wipe data on demand
Common experience across all Windows devices with cross platform support
53. Sharing Protection
Rights Management Services
Adding persistent and non-removable protection to data
Support for all commonly used devices and systems – Windows, OSX, iOS, Android
Protect all file types, everywhere they go, cloud, email, BYOD, …
Can be automatically applied to mail, OneDrive Pro, etc.
Support for B2B and B2B via Azure AD
Support for on premise and cloud based scenarios (e.g.: Office 365)
Seamless easy to provision and support for FIPS 140-2 regulation and compliance
Significant improvements over Windows 7
57. According to the Cisco Systems report “Cisco 2014 Annual Security Report”, Windows Phone has the best security statistics in the industry.
https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
58. Two Paths to Choose From
Device Guard
A new approach for Windows desktop
Requires change in process for apps
Offers incredible protection
Traditional Approach
The way things have always been
Requires additional software to manage
Carries increased risk
59. Device Guard
Hardware Rooted App Control
Windows desktop can be locked down to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone)
Resistant to tampering by an administrator or malware
Requires devices specially configured by either the OEM or IT
Requires Windows Enterprise edition
Untrusted apps and executables, such as malware, are unable to run
60. Device Guard
Getting Apps into the Circle of Trust
Supports all apps including Universal and Desktop (Win32).
Trusted apps can be created by IHV, ISV, and Organizations using a Microsoft provided signing service.
Signing service will be made available to OEM’s, IHV, ISV’s, and Enterprises.
Apps must be specially signed using the Microsoft signing service. No additional modification is required.
63. Device and Platform Integrity
Ensuring Windows starts on a trustworthy device
UEFI prevents firmware attacks and ensures Windows starts before any malware
TPM enables local and remote verification of system integrity before system start
Windows Trusted Boot prevents malware from starting during boot process and can protect anti-virus solutions
Windows isolates system core and puts sensitive processes into containers – offering protection even with kernel level breach
64. App Security & Online Safety
Protects system and apps from the most common forms of malware
Windows vulnerability mitigations reduce or eliminate impact of exploits
Windows sandboxes Universal Apps, validates app integrity, and offers app control
Windows includes Windows Defender, an advanced antivirus and malware solution
WinRE integration helps remediate when the OS or other defenses are inoperable
Windows and IE SmartScreen blocks malicious websites and apps before they get a chance to impact the device
65. Conditional Access
Blocking unhealthy devices to protect resources and prevent proliferation
Windows Provable PC Health (PPCH) provides remote attestation services, and can initiate remediation when necessary
Denying access to end points that are unable to “prove” that they’re healthy
Intune will provide conditional access based on PPCH health state “claims”
PPCH cloud service and health claims are available for use by 3rd party network access, security, and management solutions.
70. Hardware based security for better malware protection.
Secure Boot
Enterprise credential protection via hardware-based isolation
Secure corporate identity to protect against
modern threats.
Microsoft Passport
Windows Hello
Protect your corporate data, wherever the data is.
Enterprise data protection
Eliminate malware on your devices.
Device Guard
More secure per-app connection for mobile workers.
Secure Remote Connection
72. Works with existing infrastructure
Continued support for Group Policy and WMI
Advanced MDM support
Consistent across PC/mobile
1st and 3rd party solutions
73. Available Choices
Identity Active Directory; Azure Active Directory
Management
Group Policy, System Center Configuration Manager,
3rd party PC management; Intune, 3rd party MDM
Updates
Windows Update; Windows Server Update Services (WSUS);
Intune, 3rd party MDM
Infrastructure On-premises or in the cloud
Ownership Corporate-owned, CYOD; BYOD
Organizations may mix and match, depending on their specific scenario
74. Exchange ActiveSync
Basic
Windows Update
BYOD (personal) devices
E-mail access only
Active Directory and/or
Azure Active Directory
Mobile Device Management
Lightweight
Windows Update/MDM
Company-owned
and BYOD devices
Internet-facing
or corporate network
Active Directory
Group Policy
System Center
Full Control
WSUS
Company-owned devices
Corporate network
75. Windows Client
Windows Management Instrumentation (WMI)
Windows Remote Management (WinRM)
Windows Update
Group Policy Client
Windows Server
Active Directory
Group Policy
Windows Server Update Services (WSUS)
Products
System Center Configuration Manager
Microsoft Desktop Optimization Pack (MDOP) Cloud Services
Azure Active Directory
Azure RMS
Microsoft Intune
Windows Store
Windows Update
Mobile Device Management (MDM)
PowerShell
AppLocker
76. Product
Supports Windows 10
Management
Supports Windows 10
Deployment
System Center 2012 R2
Configuration Manager
System Center 2012
Configuration Manager
System Center
Configuration Manager 2007
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008
Microsoft Deployment Toolkit 2013
77. Windows 8.1 Windows 10
BYOD: simple
security settings
Device Lockdown
Fully managed
corporate device
Phone Desktop Phone Desktop
Significant investments in added functionality
for both mobile and desktop devices
78. One consistent
set of MDM
capabilities
across Mobile,
Desktop, and IoT
• Provisioning
• Bulk enrollment
• Simple bootstrap
• Converged protocol
• Azure AD Integration
• Extended set of policies
Client certificate management
• Enterprise Wi-Fi
• VPN management
• Email provisioning
• MDM Push
• Device Update control
• Kiosk, Start screen, Start menu
configuration and control
• Curated Windows Store
• Business Store Portal (BSP) app
deployment; license reclaim
• Enterprise App management
• Simplified LOB app management
• Win32 (MSI) app management
• App inventory (LOB/store apps)
• App allow/deny lists via Applocker
• Enterprise data protection
• Full device wipe
• Remote Lock, PIN reset, Ring,
& Find
• Enhanced inventory for compliance
decisions
• Unenrollment with alerts
• Removal of Enterprise
configuration (apps, certs, profiles,
policies) and Enterprise encrypted
data (with EDP)
• Additional device inventory
79. Active Directory provides key business
identity and security capabilities
Azure Active Directory takes this to the cloud
Both work together
Windows 10 fully takes advantage of both
80. Organization Owned Personally Owned (BYOD)
• Computer joins AD
to establish trust
• User signs on using AD
account
• Group Policy + System
Center
• Computer registers with AD or Azure AD via Device
Registration to establish trust for remote resource access
• User signs in with a Microsoft account, associates an
Azure AD account
• Intune/MDM
• Computer joins Azure AD
to establish trust
• User signs on using Azure
AD account
• Intune/MDM
• Settings roaming
Single sign-on to enterprise + cloud-based services
84. New policies to support Windows 10 features:
• Start screen and start menu management
• “Project Spartan” settings
• Next-Generation Credential PIN settings
• Universal app management
New in Windows 10
Capabilities from Windows 8.1:
• Policy caching
• IPv6 support for printers, VPN, targeting
Capabilities from Windows 8:
• Sign-in optimization for DirectAccess clients
• Better use of larger registry policies (registry.pol)
• Remote group policy refresh (GPUpdate)
• More efficient background processing
New from Windows 7
85. Full support for Windows 10
Product Required/Recommended Version
AGPM AGPM 4.0 SP3 (August)
App-V App-V 5.1 (August)
DaRT DaRT 10 (August)
MBAM MBAM 2.5 SP1 (August), 2.5 is OK
UE-V UE-V 2.1 SP1 (August)
87. App & Device
Compatibility Hardware requirements
are unchanged
Strong desktop app compatibility
Windows Store apps are compatible
Internet Explorer
enterprise investments
90. Wipe-and-Load
Traditional process
• Capture data and settings
• Deploy (custom) OS image
• Inject drivers
• Install apps
• Restore data and settings
Still an option for all scenarios
In-Place
Let Windows do the work
• Preserve all data, settings,
apps, drivers
• Install (standard) OS image
• Restore everything
Recommended for existing
devices (Windows 7/8/8.1)
Provisioning
Configure new devices
• Transform into an Enterprise
device
• Remove extra items, add
organizational apps and config
New capability for new devices
91. • Supported with Windows 7, Windows 8, and
Windows 8.1
• Consumers use Windows Update, but enterprises
want more control
• Use System Center Configuration Manager or
MDT for managing the process
• Uses the standard Windows 10 image
• Automatically preserves existing apps, settings,
and drivers
• Fast and reliable, with automatic roll-back if issues
are encountered
• Popular for Windows 8 to Windows 8.1
• Piloted process with a customer to upgrade from
Windows 7 to Windows 8.1, as a learning process
• Feedback integrated into Windows 10 to provide
additional capabilities for automation, drivers,
logging, etc.
• Working with ISVs for disk encryption
Preferred option for enterprises
Simplified process, builds on
prior experience
101. Provisioning, not reimaging
• Company-owned devices:
Azure AD join, either during OOBE or after from
Settings
• BYOD devices:
“Add a work account” for device registration
• Automatic MDM enrollment as part of both
• MDM policies pushed down:
• Change the Windows SKU
• Apply settings
• Install apps
• Create provisioning package using Windows
Imaging and Configuration Designer with needed
settings:
• Change Windows SKU
• Apply settings
• Install apps and updates
• Enroll a device for ongoing management (just
enough to bootstrap)
• Deploy manually, add to images
User-driven, from the cloud IT-driven, using new tools
110. Transform a Device
• Enable the Enterprise SKU
• Install apps and enterprise configuration
• Enroll the device to be managed via MDM
Flexible Methods
• Using media, USB tethering, or even e-mail
for manual distribution
• Automatically triggered from the cloud
or connection to a corporate network
• Leverage NFC or QR codes
111. Enhancements to existing tools Minimal changes to existing
deployment processes
• New Assessment and Deployment Kit includes
support for Windows 10, while continuing to
support down to Windows 7
• Minor updates to System Center 2012 to add
support
• Minor updates to Microsoft Deployment Toolkit
2013 to add support
• Will feel “natural” to IT Pros used to deploying
Windows 7 and Windows 8.1
• Drop in a Windows 10 image, use it to create your
new master image
• Capture a Windows 10 image, use it for wipe-and-
load deployments
113. Windows Store “Company Portal”
• Modern apps
• Sign in with MSA
• Pay with credit card, gift card, PayPal, Alipay,
INICIS, mobile operators (Phone)
• MDM-driven
• Sideload line-of-business modern apps
• Link to apps in the Windows Store
114. Convergence
WINDOWS
PHONE 8.1
WINDOWS 8.1
WINDOWS 10
• Converged developer portal for Windows
and Windows Phone
• Separate user and developer capabilities
• Fully converged experience
• Best features from each
• New capabilities
XBOX
116. Windows Store
• Modern apps
• Sign in with MSA
• Pay with credit card, gift card,
PayPal, Alipay, INICIS, mobile
operators
Windows Store for Business “Company Portal”
• Modern apps
• Leverages Azure Active Directory for
administration, some scenarios
• Private organization store for the
org’s preferred or LOB apps
• Pay with credit card or PO/invoice
• Deploy modern apps offline, in
images, and more
• Modern app license management
• Sideload line-of-business modern
apps
• Deploy apps from the Windows Store
(even when the Store UI is disabled)
as well as uploaded LOB apps
through BSP integration using MDM
117. Flexible app deployment
Online, offline, or included
in images
Through the store, via MDM,
or using System Center
LOB apps can be kept private
Support for any
organization
Teacher and classroom
Small businesses and other
organizations
Large enterprises
Simplify via convergence
One store, one Dev Center, one
Business Store Portal
Universal apps across
all device types
Reconciled sideloading processes
127. • Org users do not need Azure AD accounts
• Installation files are downloaded and deployed
using org’s infrastructure
• No license tracking
• Updates installed via Windows Update
• All org users need Azure AD accounts
• Installation files managed and deployed
by the Windows Store
• Licenses tracked by the Windows Store
• Updates installed via Windows Update
Online Offline
Private Store
MDM /
ConfigMgr
(deep links)
Direct
Assignment
Imaging
MDM /
ConfigMgr
(sideload)
Manual
128. IT Administrator
SIGN IN TO WINDOWS
STORE FOR BUSINESS
• Using Azure AD account
APPS ACQUIRED
• Free apps
• Purchased using
a PO, invoice, or credit
card
End User
ORGANIZATION STORE
CREATED
• Desired apps added
LOG INTO WINDOWS
• Using AD or Azure AD account
ACCESS WINDOWS
STORE
• Sees organization store
and public categories
INSTALL APPS
• Selected from the
Private Store using
Azure AD, or public
categories using MSA
NOTES
• Cloud-based
• No on-prem infrastructure
requirements
• No MDM service required
• Apps automatically updated
from the Windows Store
• Can include LOB apps
129. Scenarios
Mobile Device Management (ONLINE)
IT Administrator
SIGN IN TO WINDOWS
STORE FOR BUSINESS
• Using Azure AD account
APPS ACQUIRED
• Free apps
• Purchased using
a PO or invoice
End User
APPS ADDED TO MDM
SERVICE
• Link to the app
in the BSP
LOG INTO WINDOWS
• Using AD or Azure AD account
LAUNCH ENTERPRISE
APP STORE (MDM)
• Sees available app
INSTALL APPS
• Selected from the MDM-
provided list
• Installed by the Windows
Store, as directed by the
MDM service
NOTES
• Cloud-based or on-prem
(depending on the MDM
service used)
• Apps automatically updated
from the Windows Store
• The Windows Store can be
disabled if desired
• APIs available to ISVs to
automate the BSP
interactions
130. Scenarios
License Management (ONLINE)
IT Administrator
SIGN IN TO WINDOWS
STORE FOR BUSINESS
• Using Azure AD account
VIEW ASSIGNED
LICENSES
• For any BSP app (LOB,
free, paid)
End User
RECLAIM LICENSE
• Available for use by
another user
LOG INTO WINDOWS
• Using any account
LAUNCH APP
• Informed that license is
no longer available
NOTES
• Devices periodically check to
see if licenses are still valid
• APIs available to ISVs to
automate this process
131. Scenarios
Imaging (OFFLINE)
IT Administrator
SIGN IN TO
WINDOWS STORE
FOR BUSINESS
• Using Azure AD
account
APPS
ACQUIRED
• Free apps
• Purchased using
a PO or invoice
End User
DOWNLOAD
APP
INSTALLATION
FILES
• APPX files
LOG INTO WINDOWS
• Using AD or Azure AD account
APPS INSTALL
AUTOMATICALLY
NOTES
• Apps available to every user
when they log in
• Apps automatically updated
from the Windows Store
• The Windows Store can be
disabled if desired
ADD APPS TO
ENTERPRISE
IMAGE
• Provisioned
for all users
132. Scenarios
Enterprise App Store using System Center Configuration Manager (OFFLINE)
IT Administrator
SIGN IN TO
WINDOWS STORE
FOR BUSINESS
• Using Azure AD
account
APPS
ACQUIRED
• Free apps
• Purchased using
a PO or invoice
End User
DOWNLOAD
APP
INSTALLATION
FILES
• APPX files
NOTES
• Per-user app installation
• ConfigMgr can push apps as
well to users or groups
• Apps automatically updated
from the Windows Store
• The Windows Store can be
disabled if desired
• ConfigMgr v.Next may
integrate with the BSP to
simplify this process
ADD APPS TO
CONFIGMGR
• Available for
installation
(pull), or
required (push)
LOG INTO WINDOWS
• Using AD or Azure AD account
LAUNCH COMPANY
PORTAL
• Shows all available apps
added by IT
administrator
INSTALL APPS
• Installed by ConfigMgr
133. Scenarios
Line of business apps (ONLINE or OFFLINE)
IT Developer
SIGN IN TO DEV
PORTAL
• Using Microsoft
account
ACCEPT INVITE
• Authorizes
developer to submit
apps to the
organization
SUBMIT APP
• Upload package
• Choose
organization’s
catalog
NOTES
• Simplified app validation
process, allowing use of
enterprise capabilities
• No sideloading needed in
this case
• Process will be streamlined
later this year, with Dev
Center support for Azure AD
IT Administrator
SIGN IN TO
WINDOWS STORE
FOR BUSINESS
• Using Azure AD
account
INVITES
DEVELOPER
• Specified by e-
mail address
MAKE APP
AVAILABLE
• Via any
scenario, online
or offline
134. Choose management solutions that work best for you.
Mobile Device Management
Group Policy
End of wipe and replace deployment.
Dynamic provisioning
In-place upgrade
Corporate identity for the mobile-first, cloud-first world
Azure AD Join (desktop and phone)
Single sign on to apps, devices, data
User state roaming
Power your business with Universal Apps.
Private catalog
The Business Store
Keep your devices secure and up to date
with the latest technology.
Windows Update for Business
140. Familiar Office experience on Windows
Phones, Tablets, and Desktops
Built for touch and mobile
Office universal apps increase
phone productivity
Mail and Calendar apps
Present from PowerPoint
Edit Word documents
144. A familiar user experience that
adapts to your device.
Start menu
Continuum
Continuum for Phone
Apps that can run on any Windows device.
Windows Universal Apps
The best productivity experience
across all Windows devices.
Office for Windows
Modernize your web experience, stay compatible.
Microsoft Edge
Internet Explorer 11
149. Exceptional way to create
and brainstorm with others
Engaging and
productive meetings
Platform for amazing
large screen apps
Advanced technology
for the modern workplace
151. Latest Windows innovations
on your existing PC fleet.
Great mouse & keyboard support
Hardware compatibility
Granular UX Control
Choose from the range of
innovative Windows devices.
Broad industry innovation
2-in-1 devices
Surface
Lumia
Redefine productivity with
revolutionary Windows devices.
Surface Hub
HoloLens
154. Consumer devices
Updates installed via Windows Update
as they arrive
Keeping hundreds of millions of consumers
up to date and secure on the Current Branch
Large and diverse user base helps drive
quality of the OS updates
BYOD devices are up to date & secure
No new functionality on
Long Term Servicing Branch
Regular security updates
Control with WSUS
Examples: Air Traffic Control,
Emergency Rooms
Specialized systems
Update their devices
after features are validated
in the market
Current Branch for business
Business users
156. Specialized systems
Windows Update for Business
Consumer devices Business users
Integration with System Center Configuration Manager and customers’ existing tools
Windows Server Update Services
(WSUS)
Windows Update
157. *Conceptual illustration only
Current Branch for Business
Current Branch
Microsoft
Insider Preview
Branch
Broad
Microsoft
internal
validation
Engineering
builds
Customer
Internal Ring
I
Customer
Internal Ring
II
Customer
Internal Ring
III
Customer
Internal Ring
IV
Users
10’s of
thousands
Several Million
Hundreds
of millions
158. Long Term
Servicing Branch*
Deploy for mission critical
systems via WSUS
Windows Insider
Preview Branch
Specific feature and
performance feedback
Application compatibility
validation
Ongoing
engineering
development
Feedback
and asks
Stage broad deployment
via WU for Business
Current Branch
For Business
Deploy to appropriate
audiences via WUB
Test and prepare for broad
deployment
Current Branch
*Enterprise or Education edition required
159. Hardware based security for
better malware protection.
Secure Boot
Enterprise credential protection via
hardware-based isolation
Secure corporate identity to
protect against modern threats.
Microsoft Passport
Windows Hello
Protect your corporate data,
wherever the data is.
Enterprise data protection
Eliminate malware on your devices.
Device Guard
More secure per-app connection
for mobile workers.
Secure Remote Connection
Choose management solutions
that work best for you.
Mobile Device Management
Group Policy
End of wipe and
replace deployment.
Dynamic provisioning
In-place upgrade
Corporate identity for the mobile-
first, cloud-first world
Azure AD Join (desktop and phone)
Single sign on to apps, devices, data
User state roaming
Power your business
with Universal Apps.
Private catalog
The Business Store
Keep your devices secure and up
to date with latest technology.
Windows Update for Business
A familiar user experience
that adapts to your device.
Start menu
Continuum
Continuum for Phone
Apps that can run on any
Windows device.
Windows Universal Apps
The best productivity experience
across all Windows devices.
Office for Windows
Modernize your web experience,
stay compatible.
Microsoft Edge
Internet Explorer 11
Latest Windows innovations
on your existing PC fleet.
Great mouse & keyboard support
Hardware compatibility
Granular UX Control
Choose from the range of
innovative Windows devices.
Broad industry innovation
2-in-1 devices
Surface
Lumia
Redefine productivity with
revolutionary Windows devices.
Surface Hub
HoloLens
Be more productive
Protection against
modern security threats
Innovative devices
for your business
Managed for
continuous innovation
160. Get ready for Windows 10
Accelerate migration to IE11
Pilot Windows 10; build deployment plan
Profile your systems and user groups
Windows Update for Business
Current Branch for Business
WSUS / Long Term Servicing Branch
Start adopting Windows Update for Business
Test upcoming Windows Preview features
Join the Windows Insider Program
Give your feedback