Windows RT in the Enterprise
Nico Sienaert
Lead Infrastructure Consultant | Getronics
V-Technology Solutions Professional | Microsoft
Session Objectives and Takeaways
Positioning of Windows RT devices
Where does Windows RT in the Enterprise make sense
What are the challenges
How do you manage and keep control
Flavors of Windows 8 tablets
Windows 8 tablets with Intel Core 64-bit processors
Windows 8 tablets with Intel Atom 32-bit processors
Windows RT tablets with ARM processors
Windows tablets in Business Environments
Ready for Business to Embrace
Devices & Experiences People Love
High Quality Work and Life
Hardware and Software Innovation
Applications
Mobility
Workload
Manageability
Connectivity
Data & App Access
What capabilities are needed?
Mobility: Windows 8 tablets with Atom or Windows RT tablets
Workload: Windows 8 tablets with Intel Core
Data & Apps:
• Desktop Apps: W8 tablets with Intel CPU
• W8 LOB Apps: Intel Core, Atom or ARM
Connectivity:
• Best Connectivity: W8 tablets with Intel CPU
• Always on Capability: Atom or Windows RT
Manageability: (Full) Management: Intune\ConfigMgr
Modern Device Management
Devices & Platforms
IT
Single admin console
Mac OS X
Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded
Windows RT, Windows Phone 8
iOS, Android
Service Pack 1
Configuration Steps
1. Purchase\Try Windows Intune Subscription
2. Add Public Company Domain and CNAME for enrollment redirection
3. Verify Users have Public Domain UPNs and perform AD User Discovery
4. Deploy and Configure AD Federated Services (ADFS 2.0)
5. Deploy and Configure AD Directory Synchronization
6. Configure Configuration Manager for Mobile Device Management
   • Create a Windows Intune Subscription in the Configuration Manager Admin Console
   • Create the Windows Intune Connector Site System role
7. Verify that Configuration Manager is successfully connecting to the Windows Intune Service
   • CloudUserSync
   • DMPDownloader
   • DMPUploader
Management Infrastructure Cloud
Windows 8 App Delivery
Self-Service Portal (SSP)
Side Load from Your Infrastructure
Windows 8
Download from Windows Store
Public Apps
Custom LOB Apps
App Delivery
Windows RT
Enroll a Windows RT device
Get a certificate (for instance internal PKI) to sign your Apps
Sign your Apps with the certificate
Upload the certificate into ConfigMgr\Intune
Upload Sideloading key into ConfigMgr\Intune
Go on the Windows RT device to “Company Applications”
Connect to the Windows Intune Service
Install Company Portal
You are ready to manage and to deploy Apps
Troubleshooting of Software Distribution
HKCU\Software\Microsoft\Windows\CurrentVersion\MDM\JobDB
• BITSId
• DeployRetryCount
• LastError
• Status

Status values:
Initialized/Created = 10
Download In Progress = 20
Download Failed = 30
Download Complete = 40
Install In Progress = 50
Install Failed = 60
Install Complete = 70
Problem Scenarios (1)
Symptom: Application is not installing and Reg status of the App is 10
Problem Cause: Most likely sideloading is not enabled
Mitigation: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowTrustedApps=1

Symptom: Application is not installing and Reg status of the App is 30
Problem Cause: Internet Connection down\DP where content is hosted was down\Cert to issue the device is expired
Mitigation: Solve above
Problem Scenarios (2)
Symptom: Application is not installing and Reg status of the App is 60
Problem Cause: Application Package corrupt\Certificate expired\...
Mitigation: Install App locally with Add-AppxPackage

Symptom: No Job entry is created in the Registry corresponding to the application requested
Problem Cause: Internet Connection lost during install\notification channel with the device is not created
Mitigation: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MDM\WNSChannelURi value in this case would be empty.
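
The checks from the two Problem Scenarios slides, combined into one triage script. This is an added example, not part of the original deck; it assumes each deployment job is a subkey of JobDB that carries the listed values (Status, LastError, DeployRetryCount).

```powershell
# Added example: triage MDM app-deployment jobs with the registry locations
# and status codes listed on the troubleshooting slides.
# Assumption: each job is a subkey of JobDB holding Status/LastError/DeployRetryCount.
$mdmKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MDM'
$appxKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# Status codes as given on the slide
$statusText = @{
    10 = 'Initialized/Created';  20 = 'Download In Progress'
    30 = 'Download Failed';      40 = 'Download Complete'
    50 = 'Install In Progress';  60 = 'Install Failed'
    70 = 'Install Complete'
}
# Likely causes from the problem scenarios, keyed by the status a job is stuck at
$nextCheck = @{
    10 = 'Sideloading is most likely not enabled (AllowTrustedApps)'
    30 = 'Internet connection, distribution point availability, or expired certificate'
    60 = 'Corrupt package or expired certificate; test locally with Add-AppxPackage'
}

# Device-wide preconditions: sideloading policy and notification channel
$policy = Get-ItemProperty -Path $appxKey -ErrorAction SilentlyContinue
$mdm    = Get-ItemProperty -Path $mdmKey  -ErrorAction SilentlyContinue
if ($policy.AllowTrustedApps -ne 1) {
    'AllowTrustedApps is not set to 1: sideloading is not enabled'
}
if (-not $mdm.WNSChannelURi) {
    'WNSChannelURi is empty: no notification channel, so no job entries get created'
}

# Per-job state
$jobs = @(Get-ChildItem -Path "$mdmKey\JobDB" -ErrorAction SilentlyContinue)
if ($jobs.Count -eq 0) { 'No job entries found under JobDB' }
foreach ($job in $jobs) {
    $j    = Get-ItemProperty -Path $job.PSPath
    $code = [int]$j.Status
    $text = $statusText[$code]
    if (-not $text) { $text = 'Unknown status' }
    '{0}: Status={1} ({2}) LastError={3} Retries={4}' -f `
        $job.PSChildName, $code, $text, $j.LastError, $j.DeployRetryCount
    if ($nextCheck.ContainsKey($code)) { '    Check: ' + $nextCheck[$code] }
}
```

Run it in the session of the enrolled user, because JobDB and WNSChannelURi live under HKEY_CURRENT_USER.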
ConfigMgr\Intune interoperability
User Experience on Windows RT
• Thin, light, and sleek
• Long battery life
• Includes class drivers for most peripherals
• Secure by default (UEFI, TPM)
• Integrated engineering with ecosystem
• Predictable and reliable over time
• Pre-configured environment on certified hardware
• New UI, including desktop
• Office Home and Student 2013 RT is included
• Inbox Mail client
• Touch, mouse, keyboard
• Multiple user accounts
• Run on both Windows RT and x86
• Leverage existing developer language and tools
• Sideloading (for line-of-business WinRT apps) and Windows Store
High Quality Work and Life
Hardware and Software Innovation
Applications
Driver Compatibility
www.microsoft.com/en-us/windows/compatibility/winrt/CompatCenter/Home
Office Home and Student 2013 RT
• Preinstalled on ARM-based Windows RT devices
• Includes new Office applications: Word, Excel, PowerPoint, OneNote
• Office Home & Student 2013 RT commercial use rights are included in:
  Office 365 or
  Office Standard/Professional Plus 2013 (as secondary use right) or
  Commercial use license via Volume Licensing
Connectivity (1)
VPN connection
• Inbox VPN client for Microsoft server is included
• Inbox VPN client can interoperate with 3rd party VPN servers via PPTP, L2TP, SSTP and IKEv2.
• Encryption: 3DES, AES_128, AES_192, AES_256, CBC_3DES, CBC_DES
• Integrity: SHA1, SHA_256, SHA_384
• Password: PAP / CHAP / MS-CHAPv2 / EAP
• Certificates: User & Machine
• Support for split-tunnel
• Web Proxy and intranet settings
Connectivity (2)
VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell
Provisioning VPN via Intune\ConfigMgr
[Diagram: InTune MDM, SCCM and RRAS Server on the Enterprise Premises]
1 – VPN Profile XML configured for WinRT clients
2 – WinRT clients enroll for LOB apps via “CompanyApps”
3 – InTune pushes the VPN profile XML to enrolled clients
4 – VPN Connection establishment
Connectivity (2)
Multi-factor authentication
• Smartcard (PIV, GIDS) or Virtual Smartcards
• RSA Token
VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell
OTP using RSA SecurID
[Diagram: Windows RT device, VPN tunnel over the Internet, VPN Server and RSA Authentication Manager on the Enterprise Premises]
TTLS-PAP authentication protocol
Only one OTP vendor supported: Odyssey
Connectivity (2)
Multi-factor authentication
• Smartcard (PIV, GIDS) or Virtual Smartcards
• RSA Token
VPN Client Provisioning
• Get Connected Wizard
• Intune\ConfigMgr
• PowerShell
Limitations:
• PIN Changes
• Token Challenge-Response
Workaround:
• Web-login page protected by the RSA Web Agent
Data and App Access
RemoteApp
• Grant access to line-of-business applications and data
• Seamlessly launch apps from Windows RT
• Secure corporate data: avoid storing enterprise data on consumer devices
• Ensure compliance requirements
VDI
• Full VDI experience (RemoteFX, USB redirection, Multi-touch remoting)
3rd Party
• Citrix Receiver
Remote Assistance
VPN, VDI and Remote Apps
Security and Manageability (1)
Security capabilities on Windows RT devices
• Secured Boot, Trusted Boot
• Device Encryption
• Picture password
• Windows Firewall, Windows Defender
• NAP (Network Access Protection) supported
Governance through Exchange ActiveSync (EAS)*
• Password requirements (e.g., password complexity, picture password, device lock, password expiration etc.)
• No support of external encryption
• Remote Content Wipe & lockout behavior
• Mail App limitations (Alternative OWA with Exchange 2013 or O365)
* Enabled through Mail app
Security and Manageability (2)
Cloud-based management with Windows Intune
Single pane-of-glass administration through ConfigMgr 2012 SP1
• Distribute and manage new Windows apps (via sideloading)
• Push configurations (e.g., VPN config)
• Enforce more governance settings
• Ensure compliance (e.g., monitor security settings)
• Collect inventory information (e.g., which LOB apps are installed)
Diagnostics and troubleshooting
• Windows PowerShell supported
• The traditional Windows tools (Eventvwr, TaskMgr, Troubleshooting,…)
Windows RT Management Details
Columns: Windows RT Direct Management via Windows Intune / Exchange ActiveSync (✓ = supported, ✗ = not supported)

Setting
Allow convenience logon policy: ✓ / ✓
Alphanumeric password required policy: ✓ / ✓
Attachments enabled: ✓ / ✓
Hardware inventory: ✓ / ✓
Maximum inactivity time lock: ✓ / ✓
Password management: ✓ / ✓
Require device encryption: ✓ / ✓

Capability
Application publishing: ✓ / ✗
Deep-link into public application stores: ✓ / ✗
User self-service portal: ✓ / ✗
VPN Client configuration: ✓! / ✗
Capabilities at a glance
Capability Windows RT
Application management ✓
Endpoint Protection O
Hardware Inventory ✓
Software Inventory ✓!
Remote control O
Reporting ✓
Software updates O
Compliance settings ✓!
Power management O
Software metering O
Portal Capability Windows RT
Enroll Device Yes
Rename Device Yes
Retire (un-enroll local device) Yes
Wipe (remotely other devices) Yes
Install LOB Applications Yes
Install publicly available applications Yes
Contact IT Yes
Retire Device Windows RT
Removal of Side-loading key Yes
Continue usage of side-loaded Apps No
Install new side-loaded Apps No
Policies retained on device Yes
Settings Management
Miscellaneous
RECAP
Windows RT devices are primarily designed as consumer devices, but can be used in corporate environments as well, either using employee-owned devices or company-owned devices depending on the situation.
To properly support Windows RT devices in the workplace, enterprises should understand the capabilities provided in and restrictions imposed by Windows RT, as well as the specific infrastructure requirements for supporting Windows RT devices within their organization.
Interesting Links
Windows RT VPN user guide
http://technet.microsoft.com/en-us/library/jj900206.aspx
Windows 8 VPN – PowerShell support
http://technet.microsoft.com/en-us/library/jj613766.aspx
Compatibility and Interoperability
http://technet.microsoft.com/en-us/library/jj613768.aspx
How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager
http://technet.microsoft.com/en-us/library/jj884158.aspx