Choose the best deployment method for your organization


Choose the best deployment method for your organization to get to Windows 10 Keep Windows 10 up to date Manage Windows 10 security features and enhance productivity

Users Devices Apps Data IT Employees Business partners Customers

Investments for business Protection against modern security threats MDM Managed for continuous innovation Enhanced productivity Windows as a Service Innovative devices for your business New deployment options

Unify identity Manage apps and devices Azure Active Directory Premium Microsoft Intune & System Center Configuration Manager Protect data Microsoft Enterprise Mobility Suite (EMS) Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources. Manage and protect corporate apps and data on almost any device with MDM and MAM. Azure Rights Management Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.

Simplify deployment
Configure Windows 10
• Azure AD Join with Intune auto enrollment
• Provisioning packages and profiles for bulk enrollment
• In-place upgrade to Windows 10 with ConfigMgr
• Expanded MDM settings
• Per-app VPN
• Microsoft Passport policies and certificates
• Windows Universal and Win32 apps
• Support volume purchase of apps
Unify device management
• Intune integration with ConfigMgr to manage all devices in the environment
• New in ConfigMgr:
• Faster and easier ConfigMgr updates
• Windows 10 servicing
• On-premises MDM
User IT
Manage and protect
• Corporate data leakage prevention through enterprise data protection (EDP) policies
• RMS integration for securing shared documents/files
• Device Guard and AppLocker policies
• Advanced conditional access policies
• Integration with Windows Health Attestation Service (HAS)

Intune standalone (cloud only) ConfigMgr integrated with Intune (hybrid) Intune web console ConfigMgr console System Center Configuration Manager IoT/Kiosk devices Mobile devices and PCs Domain-joined PCs Mobile devices

How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?

Existing Windows 7, 8, 8.1 Win32 Apps ConfigMgr agent New Windows 10 device Upgrade to Windows 10 with ConfigMgr Enroll into Intune (Azure AD Join/provision) Preserve apps and configuration Maintain management processes and principles of today Manage via MDM Universal apps (Store/LOB) Basic MSI support

Traditional Improved Modern Existing devices New devices Refresh Upgrade IT Provisioning
Use if significant changes are needed, such as OS architecture change x86 versus x64
Traditional process
• Capture data and settings
• Deploy (custom) OS image
• Inject drivers
• Install apps
• Restore data and settings
• Let Windows and ConfigMgr do the work
• Preserve all data, settings, apps, and drivers
• Install (standard) OS image
• Restore everything
• ConfigMgr/MDT
• Recommended for existing devices (Windows 7/8/8.1)
• Windows Image and Configuration Designer (WICD)
• Transform into an enterprise device
Provisioning profile with ConfigMgr
User Provisioning
• Azure AD Join with Intune auto enrollment
ConfigMgr/WICD/Intune/Azure AD

Preserve applications, drivers, user data, and settings Reduce upfront testing and deployment preparation Compared to refresh, in-place upgrade is… Zero dependencies on Windows ADK; supplemental to existing deployment scenarios Faster: 30 to 60 minutes, on average, to upgrade Another tool in the OS deployment toolbox Smaller: file size is default OS Media, no applications Refresh, replace, and bare metal More robust rollback capabilities on failure to functional down-level OS

Continue to use refresh (wipe-and-load) when… Configuration drift/change Fundamental change Custom requirements Domain membership Disk partitioning WinPE offline operation Local administrators BIOS -> UEFI Custom base image Bulk application swap x86 -> x64 Third-party disk encryption Base OS language

Infrastructure • 6 Primary Sites • 13 Secondary Sites • 300 Distribution Points Active Directory Federation Server PCs and Devices • ~350,000 clients • ~125k mobile devices (EAS) MS Online Directory Sync User Discovery Azure Active Directory Intune subscription Users • ~98k FTEs • ~82k Vendors Connector site role Microsoft Intune Device Mgmt. Site ~15K devices Redmond Site 1 75k Clients Redmond Site 2 90k Clients North & South America 50k Clients Europe, Mid. East, Africa 50k Clients Australia & Asia 75k Clients

[Chart: Windows 7, Windows 8.1 Update, Windows 10. Labels: 80% FTE 1 Year; 95% FTE 8 Months; 95% FTE 3 Months; 95% FTE 5 Weeks. Categories: Complexity, User Experience, Helpdesk, Setup, IR.]


IT-driven, using new tools
• Create provisioning package using Windows Imaging and Configuration Designer with needed settings:
• Change Windows SKU
• Apply settings
• Install apps and updates
• Provisioning profile with Intune and ConfigMgr:
• Enroll a device for ongoing management (just enough to bootstrap)
• Deploy manually, add to images
User-driven, from the cloud
• Company-owned devices: Azure AD join, either during OOBE or after from settings
• BYOD devices: “Add a work account” for device registration
• Automatic MDM enrollment as part of both
• MDM policies pushed down:
• Change the Windows SKU
• Apply settings
• Install apps

Windows Imaging and Configuration Designer


Azure AD Join for Windows 10 Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory. Apps in Azure With Azure AD Join, you can auto enroll devices in Microsoft Intune for management. Azure Active Directory Microsoft Intune 3rd party apps & clouds Intune/MDM auto-enrollment Intune auto-enrollment Enterprise-compliant services Single sign-on from the desktop to cloud and on-premises applications with no VPN Support for hybrid environments On-premises apps Windows 10 Azure AD Joined Devices


How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?

Consumer devices Business users Special systems Keeping hundreds of millions of consumers up to date Update their devices after features are validated in the market Examples: air traffic control, emergency rooms Large and diverse user base helps drive quality of the OS updates BYOD devices are up to date and secure No new functionality on Long Term Servicing Branch Regular security updates

Engineering builds Broad Microsoft internal validation Microsoft Insider Preview Branch Current Branch for business Users Tens of thousands Customer internal ring I Several Million Hundreds of millions *Conceptual illustration only Customer internal ring III Customer internal ring IV

Current Branch Windows Insider Preview Branch Current Branch for Business Long Term Servicing Branch Information workers, general population Specialized systems Stage broad deployment Deploy for mission critical systems Deploy to appropriate audiences Specific feature and performance feedback NUMBER OF DEVICES Application compatibility validation Test machines, small pilots Test and prepare for broad deployment Early adopters, initial pilots, IT devices STAGE Release

The new System Center Configuration Manager
• Simplify the upgrade experience: in-place upgrade from Configuration Manager 2012 and R2 to latest product version
• Support faster paced updates for Windows 10 and Intune: new updates and servicing nodes deliver periodic updates for new features, bug fixes, and extensions for hybrid deployments using Intune
• Intune updates monthly—keep ConfigMgr on pace
• Listen and respond quickly to customer feedback: foundational improvements made in latest version of the product allow us to respond to customer feedback more quickly

Tech previews MSIT UserVoice Indiana University British Telecom MVP Hackathon Daimler Develop Test Flight to MSIT/TAP RTM RTM Esc Esc Flight to MSIT/TAP Test USAF Boeing S&N

Product version System Center Configuration Manager System Center 2016 Configuration Manager Release vehicle Availability Current Branch Generally available Q4 CY 2015 with updates released periodically throughout the year Generally available CY 2016 in alignment with System Center 2016 Long Term Servicing Branch Windows 10 features supported Support Windows Servicing Model supported New features, security updates, and bug fixes Can defer updates for up to 12 months before you must deploy updates to maintain support Windows 10 Current Branch, Current Branch for Business, and Long Term Servicing Branch Support for existing features included in latest Windows LTSB at point of release; newer features will not be supported. Security updates released as needed 10 years of support: 5 mainstream + 5 extended Windows 10 Long Term Servicing Branch System Center Configuration Manager Current Branch (version 1511) Current Branch (version yymm) System Center 2016 Configuration Manager Long Term Servicing Branch FALL WINTER SUMMER

Customer environment / ConfigMgr LTSB?
• All Windows 10 clients in my organization are on Current Branch (CB) or Current Branch for Business (CBB): No. In order to be in support on the latest Windows CB/CBB, you need the Current Branch of ConfigMgr
• Some Windows 10 clients in my organization are on CB/CBB, but some are on the Long Term Servicing Branch (LTSB): No. The Current Branch of ConfigMgr will support Windows CB/CBB as well as LTSB
• My hierarchy is completely disconnected; I cannot connect any servers to the web: No. The ConfigMgr updates and servicing model allows a completely offline mode
• I use ConfigMgr in a hybrid environment with Intune: No. In order to get the latest updates for MDM/MAM, including platform updates, you must use the Current Branch of ConfigMgr
• I cannot install multiple updates a year; I need more time for my change process: No. The Current Branch of ConfigMgr allows you to defer updates for up to 12 months
• I will probably need support for future releases of SQL server, WSUS, or other components that ConfigMgr has a dependency on: No. Only the Current Branch of ConfigMgr will support the latest releases of these components
• My environment cannot accept any updates; I do not need new functionality or platform support in the foreseeable future: Yes. LTSB is the right choice for you

Type of support/Feature Request to change product design and features (e.g. Critical DCRs) New product features Security updates Non-security update support (e.g. critical bug fixes) Windows 10 (Current Branch) Windows 10 (LTSB) Support for new Windows 10 Enterprise features MDM (Intune) MDM (On Premise) AppCompat support for major upgrades (e.g. SQL vNext, App-V vNext, etc.) System Center Configuration Manager (Current Branch) System Center Configuration Manager (Long Term Servicing Branch)

Product version Release vehicle Availability System Center 2012 ConfigMgr SP2 Service packs May 2015 Cumulative updates As needed AND System Center 2012 R2 ConfigMgr SP1 System Center 2007 ConfigMgr Compatibility pack September 2015 Windows 10 features supported Support for existing features included in latest Windows LTSB at point of release. Newer features will not be supported Windows 10 Long Term Servicing Branch (LTSB), Current Branch (CB), and Current Branch for Business (CBB): will provide support for July 2015 LTSB + Windows CB and CBB releases through February 2016 * Support for existing features included in latest Windows LTSB at point of release (management only, no OSD). Newer features will not be supported Windows 10 July 2015 Long Term Servicing Branch * Customers using Windows 10 Current Branch (CB) or Current Branch for Business (CBB) with Configuration Manager 2012 R2 SP1 or Configuration Manager 2012 SP2 will need to migrate to the Current Branch of System Center Configuration Manager after this time for continued support.


How should I deploy Windows 10? How do I keep Windows up to date? How can I secure and improve productivity in Windows 10?

Conditional access control with EMS User attributes User identity Group memberships Auth strength (MFA) Devices Managed by Intune or ConfigMgr Compliant with Intune or ConfigMgr policies Domain joined Application Business sensitivity Other Network location On-premises applications

Configure and manage EDP policies with Intune and Azure Rights Management Microsoft Intune & Azure Rights Management Separate personal and corporate data with limited impact on employees’ day-to-day activities Apply policies Control app access to corporate data and prevent copy- and paste-related data leaks Save File share Protect Data at Rest wherever it may roam* Secure content collaboration through integration with Azure Rights Management User Save Personal storage Share files and enforce policies Corporate network * Some roaming scenarios use Azure Rights Management



