Monday, April 22, 2013

Useful Information from MMS 2013 Las Vegas

Last week I was at the Microsoft Management Summit in Las Vegas. I attended a lot of sessions, which I want to share with you. More about my experience can be found in this blog post. I hope you find something useful in it!

Here's the information I have gained partly during MMS:
- Ruben Spruijt was the first person speaking in the MMS 2013 keynote opening video
- Video about Domino's Pizza, having 15,000 VMs managed with System Center
- 99% reduction in helpdesk calls to Domino’s Pizza since they moved to Hyper-V and Windows Server 2012
- System Center Advisor integration in SCOM/OpsMgr 2012 to show active alerts
- System Center Advisor is free to use, showing alerts on Windows Server 2012 and other Microsoft products
- In Windows Azure, Microsoft is making 50,000 changes a day
- Windows Intune is in use or in trial at about 35,000 customers right now
- Video on Toyota using Windows Intune for software deployment and monthly updates
- Enable People-Centric IT with Windows Azure Active Directory and Windows Intune
- With the SCCM/ConfigMgr 2012 Intune connector role, cloud-devices can be managed in the ConfigMgr console
- Secure your data with Windows Server 2012 permissions for mobile devices
- System Center is more powerful when using multiple components

Windows Server 2012
- Easy to set up, just 6 clicks needed (or PowerShell) for VDI setup
- Choice between pooled (stateless) and personal (stateful) desktops (VDI)
- User Profile Disk, store user data and settings on a separate VHD
- High Availability with active/active broker, SQL cluster needed
- Rich user experience with RemoteFX, 90% traffic reduction possible
- RemoteFX aggressive rendering for images, text is displayed immediately
- RemoteFX media streaming for QuickTime, Silverlight, flash, html5
- RemoteFX USB device redirection for all configurations
- Optimized for Windows 8 (better/faster caching)

Windows 8 (VDI)
- Always leave the 350MB BitLocker partition in place (not for VDI)
- Project VRC mentioned during ‘Optimizing Windows 8 VDI’ session for anti-virus purposes
- Windows 8 Pro or Enterprise? For RemoteApp ‘Enterprise’ is needed
- 32-bit or 64-bit? It depends, 32-bit has a small footprint but 4GB memory max
- Memory, recommended minimum in VDI: 1GB
- ‘DoNotCreateExtraPartition=Yes’ in MDT (no 350MB BitLocker partition)
- VDI optimizer (AutoIT) for Windows 7 (no Windows 8 support yet)
- VDIConfig_1.1-Win8 script
- Windows Performance Monitor (part of Windows ADK)

Windows To Go
- In reality Windows To Go needs to be domain joined
- Choose between an online or offline domain join (includes all certificates and policies)
- DirectAccess is preferred for remote access with WTG
- Add drivers in the WTG image for storage, graphics and network. Other drivers will be installed by using updates
- Use Generic (oem-oem) drivers for Windows To Go
- You need a Windows To Go certified device; 2 partitions are required
- Using roaming profiles with WTG is not the best solution. The USB stick is full within 45 minutes
- Windows To Go creator in ConfigMgr application catalog available

MDOP 2013
- MDOP 2013 is RTM (MBAM 2.0, SP1 on AGPM 4.0, DaRT 8.0, App-V 5.0, UE-V 1.0)
- ConfigMgr 2012 SP1, App-V 5.0 and UE-V 1.0 can be used together for rich management
- MBAM 2.0 has support for Windows 8 and Windows To Go
- MBAM 2.0 can be used standalone or integrated in ConfigMgr for BitLocker
- Upgrade process (MBAM 1.0 to 2.0) keeps recovery keys intact
- MBAM will encrypt one volume at a time, volumes are displayed before encryption
- MBAM integrated in task sequence for client deployment (BitLocker)
- UE-V is used for application and Windows settings on desktops, sharing the same user experience
- UE-V can be incorporated into master image as it is installed in a dormant state by default
- Settings in Active Directory home directory or storage share
- UE-V agent on the desktop is needed, not on the management server
- Use in-box templates for applications and Windows settings
- Settings management with GPO, PowerShell or Registry possible

Windows Intune
- Unified Device Management solution (cloud solution)
- Android features supported through the Exchange Connector only
- Setup single sign-on for users (AD synchronization needed)
- Directory sync configuration tool download (needed once)
- When synchronization is done for Office365 no need to sync again
- Platforms and certifications/keys are needed per Mobile device solution
- When using ConfigMgr, don't go in the Windows Intune admin console at all
- Remote retirement is removing ‘management’ from the device only
- Settings management for Windows RT, Windows Phone 8 and iOS 5.0+
- For privacy reasons, Microsoft does not collect app inventory for apps installed
- One security policy for all kinds of mobile devices. The system figures it out for each platform
- Retirement possible only for Windows Phone and Windows RT
- Wipe effects depend on the platform, iOS and WP8 are best platforms
- Android support is minimal, maybe future support (because of custom ROMs)
- When there's no policy set, users can retire the device themselves
- No Windows Intune app for iOS and Android, but only a web based portal
- Applications in the company portal will be visible with a 5-minute delay

System Center
- All ConfigMgr upgrades must be top-down (starting with the CAS)
- System Center integration with OpsMgr, SCOrch, ConfigMgr, Service Manager
- Great integration: provisioning user creation from SCSM and creating the user through an SCOrch workflow
- Create a new VM with a SCOrch runbook in just 3 steps
- Application approval workflow with SCSM, SCOrch and ConfigMgr possible
- SCOrch and OpsMgr are the base of System Center installations
- Always use a dedicated SQL Server installation for OpsMgr
- Use a second OpsMgr management server for better performance

Endpoint Protection
- Merge antimalware policies in SCEP to only 1 policy (best practice?)
- SCEP offers integration with UEFI trusted boot, early-launch antimalware
- Automatic failover when using multiple SUPs (supported in SP1)
- Common antimalware platform, it's ALL the same client (Essentials, Defender, Intune, Azure)
- Secure boot loads anti-malware early in the boot process, better in Windows 8 now
- Dynamic collection with query: antimalware infection status = pendingofflinescan
- Run a Windows Defender Offline Scan using ConfigMgr 2012 OSD

There is no information yet on whether there will be an MMS again next year. Hope it will be announced soon! #mms2014