
Supercharge Security with Endpoint Manager

James Graham
Partner Technical Architect – Unified Endpoint Management

Poll

Agenda
Introduction to Microsoft Endpoint Manager

Microsoft Endpoint Manager
Transformative management and security

Enable your users
Protect your data

PC desktop management
Mobile device management
Mobile application management

Configuration Manager and Microsoft Intune

Microsoft Endpoint Manager
Secure and intelligent
Streamlined and flexible
Maximizes investment

Attach the power of the cloud to your technology estate

Knowledge Check
Configuration Manager….
…IS A KEY SERVICE OF MICROSOFT ENDPOINT MANAGER
…POWERS MICROSOFT ENDPOINT MANAGER
…IS THE INTELLIGENT EDGE OF MICROSOFT ENDPOINT MANAGER
…SERVICES ON PREM CONTENT DISTRIBUTION
…POWERS MANAGEMENT IN MICROSOFT ENDPOINT MANAGER
…HAS A LONG LIFE AHEAD FOR MICROSOFT ENDPOINT MANAGER

Deployment: Windows Autopilot

Traditional Windows deployment

OFFICE & APPS
DRIVERS
POLICIES
SETTINGS

Build a custom image, gathering everything else that’s necessary to deploy
Deploy image to a new computer, overwriting what was originally on it
Time means money, making this an expensive proposition

Modern Windows deployment

Un-box and turn on off-the-shelf Windows PC
Transform with minimal user interaction
Device is ready for productive use

Windows Autopilot

One-time preparation tasks

Azure Active Directory:
• Configure automatic MDM enrollment.
• Configure company branding.
• Enable Windows Subscription Activation if desired.
• Ensure users can join devices to Azure AD (for user-driven mode)

Intune:
• Enable the enrollment status page
• Ensure users can enroll devices in Intune
• Assign licenses to users
• (Optional) Set up enrollment restrictions so only Autopilot-registered devices can enroll

Three simple steps
Register devices
Assign a profile
Deploy

Register devices:
• Have devices registered automatically
• Request clean images, choice of Windows 10 version at the same time (if available)
• Specify group tag to help segment devices by purpose
• Devices are automatically tagged with the purchase order ID
• Register devices yourself via Intune for testing and evaluation using the Get-WindowsAutopilotInfo PowerShell script
• Register (harvest) existing Intune-managed devices automatically

Assign a profile:
• Use Intune:
  • Select profile scenario (user-driven, self-deploying)
  • Configure needed
  • Assign to an Azure AD group so Intune will automatically assign to all devices in the group
• Use a dynamic Azure AD group to automate this step
• Consider static Azure AD group for exceptions

Deploy:
• Boot up each device
• Connect to network (Wi-Fi, Ethernet)
• Enter credentials (if required)
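An added example (not from the deck) that carries the register and assign steps through in PowerShell: it uses the Get-WindowsAutopilotInfo script named on the slide to stamp a test device with a group tag, then creates the dynamic Azure AD group that the deployment profile is assigned to. The group tag, group name and CSV path are constructed; it assumes the PowerShell Gallery is reachable and the AzureADPreview module (New-AzureADMSGroup) is installed.

```powershell
# Added example, not from the deck: register a test device for Windows Autopilot
# with a group tag, then build the dynamic Azure AD group that the Autopilot
# deployment profile is assigned to.
# Assumes: PowerShell Gallery access (Get-WindowsAutopilotInfo script) and the
# AzureADPreview module (New-AzureADMSGroup). Tag, group name and CSV path are
# constructed values for this example.

# ---- Register devices: testing/evaluation path (run on the device, e.g. Shift+F10 in OOBE)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Capture the hardware hash and stamp the device with a purpose-specific group tag.
# -Append lets several devices accumulate in one CSV before import into Intune.
Get-WindowsAutopilotInfo -GroupTag 'Finance-Kiosk' `
                         -OutputFile 'C:\Autopilot\devices.csv' -Append
# Import devices.csv under Windows Autopilot devices in Intune; the tag travels with the device.

# ---- Assign a profile: dynamic Azure AD group so assignment needs no manual step
Connect-AzureAD

# Autopilot exposes the group tag on the device object as "[OrderID]:<tag>" in
# devicePhysicalIds, so one rule selects every device registered with this tag.
$rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance-Kiosk"))'
# To target all Autopilot-registered devices regardless of tag use:
#   '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'

$group = New-AzureADMSGroup -DisplayName 'Autopilot - Finance Kiosks' `
    -Description 'Autopilot devices tagged Finance-Kiosk (dynamic)' `
    -MailEnabled $false -MailNickName 'autopilot-finance-kiosks' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Assign the deployment profile to this group in Intune. Keep a separate static
# group for exceptions, as the slide suggests, so one-offs need no rule edits.
"Dynamic group created: $($group.DisplayName) ($($group.Id))"
```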

Demo

Windows Autopilot // Deployment Scenarios

User-driven mode with Azure AD Join (AVAILABLE in 1703)
Join device to Azure AD, enroll in Intune/MDM

User-driven mode with Hybrid Azure AD join (AVAILABLE in 1809)
Join device to AD, enroll in Intune/MDM
Coming soon! Deploy over VPN

Windows Autopilot for existing devices (AVAILABLE in 1809)
Windows 7/8.1 to Windows 10: ConfigMgr task sequence, followed by Windows Autopilot user-driven mode

Windows Autopilot white glove (preview) (AVAILABLE in 1903)
White glove partners or IT staff can pre-provision Windows 10 PC to be fully configured and business-ready for an org or user
Coming soon! Integration with ConfigMgr
New! Hybrid Azure AD Join support

Self-deploying mode (preview) (AVAILABLE in 1903)
No need to provide credentials, automatically joins Azure AD
Coming soon! Integration with ConfigMgr

Additional Windows 10 1903 enhancements:
● Self-updating Windows Autopilot
● is quiet during OOBE
● Tracking of Win32 apps

Demo

Autopilot into Configuration Manager - Today

Autopilot into a Task Sequence – coming soon

Target a configuration task sequence to your provisioning computers collection

Call /ts: from ccmsetup command line

ConfigMgr client installs and immediately runs the specified task sequence

Use with nested task sequence to have a consistent new device state across OSD and Autopilot

Download on demand from CMG supported for task sequences starting 1910

Knowledge Check

Poll

Management

Cloud powered endpoint management OR Config Mgr Cloud Attached Only

Risk-based Control: Endpoint Compliance and Risk; Conditional Access; App Protection
Zero Touch Provisioning: Windows Autopilot; Android Enterprise ZTD; Apple DEP; Samsung Knox Mobile Enrollment
Intelligent Security: Secure Score; Advanced Threat Protection; BitLocker; Real time advanced threat detection; Windows Hello, Attestation
Advanced Analytics: Technology Experience Score; Desktop Analytics; Log Analytics; Third party risk and compliance signaling; Dynamic user risk assessment
Unified Management: Mobility and PC Management; M365 Admin Center; Guided Deployments; Office 365 Pro Plus; Edge
Full stack integration: Role Based Admin; Graph API; PowerShell; Policy management; Audit; Security Baselines; Cloud content optimization

What is cloud attach?

Cloud Attach

Tenant Attach
Connect your Configuration Manager site to Intune for instant cloud value.
• Cloud console through EMAC
• Helpdesk
• Desktop Analytics
• User Experience Analytics

Client Attach through co-management
Enroll your Configuration Manager devices into Intune for additional cloud value.
• ATP integration
• Conditional access
• Modern provisioning through Autopilot
• Management anywhere

Cloud Hosted
Using Azure to host Configuration Manager components

Poll

Demo

Co-Management

Cloud Management Gateway
(Diagram: corporate network with AD, CA, MP, DP and SUP at the HQ site and datacentre, branch DPs, and Windows Update.)

Demo

Security Feature Control

Poll

Intelligent security with Windows 10

Built-in, not bolted on
Automated security
Powered by intelligence

Built-in, not bolted on
No additional deployment or infrastructure needed to manage endpoint security.
Stay current on Windows 10 and Windows Defender Antivirus by using cloud-powered updates.
Reduce the area for threats and attacks by hardening the system.
Get next generation protection to stay ahead of emerging threats.

100% compatible
100% on AV-TEST prevalence test from November 2017 – February 2018.
100% against AV-Comparatives real world test from February – March 2018.

Built-in with Windows Defender Advanced Threat Protection

Block untrusted apps with application control
Help avoid OS tampering with system hardening
Protect against emerging threats with next-gen protection
Safely browse the internet with hardware based isolation
Block connections to malicious sites with network protection

Powered by intelligence

Uses the Microsoft Intelligent Security Graph to analyze data from trillions of signals from emails, apps, websites, and Windows.
Detect threats with intelligence using machine learning models to uncover suspicious behavior on-premise or in the cloud.
Prevents access to sensitive resources using device trust-based Conditional Access.
Customers and partners can now connect to the Intelligent Security Graph using a new Security API.

“The Security Graph API allows us to receive not only actionable alert information but allows security analysts to pivot and enrich alerts with asset and user information.”
Colby DeRodeff // Chief Strategy Officer, Anomali

Intelligent Security Graph

450B monthly authentications
200+ global cloud consumer and commercial services
+1B Windows devices updated
18+ billion Bing web pages scanned
400B e-mails analyzed

THE WINDOWS 10 SECURITY
PROTECT, DETECT & RESPOND

Threat Protection
Protect, detect, and respond to the most advanced threats using advanced hardware-based security and the power of the cloud.

Identity Protection
Kick passwords to the curb with a convenient, easy to use and enterprise-grade alternative that is designed for today’s mobile-first world.

Information Protection
Protect data on lost and stolen devices and prevent accidental data leaks using data separation, containment, and encryption.

Servicing and Centralized Security Management

WINDOWS 10 SECURITY FEATURES
Device protection
Threat resistance
Identity protection
Information protection
Breach detection investigation & response

PRE-BREACH
POST-BREACH

Knowledge Check

Attack Timeline Framework – Capability Mapping

Stages: Enter, Establish, Expand, Endgame

Attack techniques mapped: Phishing Attacks; Document Macros; Malicious Software; Browser Exploits; Mass storage Devices; Privilege Escalation; Lateral Movement; Intellectual Property Theft; Identity Theft; Damage And Disruption

Capabilities mapped: Exchange Online Protection; Office 365 Advanced Threat Protection; Azure Advanced Threat Protection; Microsoft Defender Advanced Threat Protection; Microsoft Defender Threat Experts; Microsoft Defender Threat & Vulnerability Management; Azure Active Directory Conditional Access; Azure Active Directory Identity Protection; Azure Active Directory Multi-Factor Authentication; Azure Privilege Identity Management; Microsoft Cloud App Security; Azure Information Protection; Azure Active Directory Rights Management Service; Advanced e-discovery; Office 365 Data Loss Prevention; OneDrive for Business File Restore; Windows Defender Antivirus; Windows Defender Application Guard; Windows Defender Attack Surface Reduction; Windows Defender Network Protection; Windows Defender SmartScreen; Windows Defender Controlled Folder Access; Windows Defender System Guard; Windows Defender Application Control; Windows Hello for Business; Windows Information Protection; Azure Sentinel

Demo

IT and Security – Better Together

Threat protection with Windows and Software as a Service: game change over time
(Chart: CAPABILITY over TIME, plotting PRODUCT RELEASE against THREAT SOPHISTICATION.)
Protection Gap: attackers take advantage of periods between releases
Disrupt and out innovate our adversaries by design

Windows 10 gets better with each update
With enhanced security, more tools for IT and end user productivity features

(Per-release feature matrix for Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809 and 1903; the slides build up the same list release by release. Features listed, with duplicates removed:)
▪ Windows 10 core ▪ Windows as a service ▪ In-place upgrades ▪ Windows Update for Business ▪ Express update delivery ▪ Windows Store for Business ▪ Mobile Device Management ▪ Device Management Policies ▪ AAD Join ▪ Hybrid Azure Active Directory Join ▪ Device Guard ▪ Credential Guard ▪ Cloud Credential Guard ▪ BitLocker ▪ Windows Defender Antivirus ▪ SmartScreen ▪ Windows Hello ▪ Windows Hello for Business ▪ Windows Hello with FIDO 2.0 ▪ Sign-on with Password-less Microsoft accounts ▪ Web Authentication in Microsoft Edge ▪ Windows Information Protection ▪ Windows Defender ATP ▪ Microsoft Defender Advanced Threat Protection enhancements ▪ Windows Defender Security Center ▪ Windows Defender Exploit Guard, System Guard, Application Guard, Application Control ▪ Application Guard enhancements ▪ Attack Surface Reduction enhancements ▪ Microsoft Defender ATP new attack surface area reduction controls ▪ Next Generation Protection enhancements ▪ Tamper Proofing Capabilities ▪ Windows Sandbox ▪ WDATP Automated Remediation ▪ Conditional Access based on WDATP device risk ▪ Threat Analytics ▪ Emergency Outbreak Updates ▪ Advanced hunting ▪ Investigation and remediation across Office 365 ATP and Microsoft Defender ATP ▪ Intune Security Baselines ▪ Windows Autopilot ▪ Windows Autopilot enrollment status page ▪ Enhanced Enrollment Status Page ▪ Windows Autopilot Self-deploying mode ▪ Windows Autopilot Hybrid Azure AD join ▪ Windows AutoPilot White Glove ▪ Setup Diag ▪ Automatic Restart Sign On (ARSO) ▪ Reserved Disk Space ▪ Improved Delivery Optimization (DO) ▪ 30 months of support for September releases ▪ Windows 10 Enterprise in S mode ▪ S Mode Block Switch ▪ Windows 10 Subscription Activation ▪ Windows Insider Program for Business ▪ Hyper-V ▪ Co-management ▪ Shared Windows Devices ▪ Windows Analytics Upgrade Readiness ▪ Windows Analytics Update Compliance ▪ Windows Analytics Device Health ▪ Windows Analytics – Spectre & Meltdown, Delivery Optimization, Application Reliability, Logon Health ▪ Desktop Analytics (Preview) – Intelligent Pilot Selection and ConfigMgr Integration ▪ ReadyforMicrosoft365.com ▪ Windows Virtual Desktop (Preview) ▪ Diagnostic data viewer ▪ Microsoft Edge ▪ Microsoft Edge kiosk mode ▪ Microsoft Edge experience improvements ▪ App-V, UE-V ▪ Continuum ▪ Cortana ▪ Cortana at work ▪ Mail, Calendar, Photos, Maps, Groove, Skype ▪ Windows Ink ▪ Night light, mini view ▪ Paint 3D ▪ Mixed Reality Viewer ▪ Enterprise search in Windows ▪ Continue on PC ▪ OneDrive Files On-Demand ▪ Narrator ▪ Timeline ▪ Nearby Sharing ▪ Dictation ▪ Your Phone ▪ Access the clipboard across devices ▪ Accessibility enhancements ▪ New Kaomojis and Emojis ▪ Windows enhancements

Demo

Poll

Securing WVD Endpoints

Windows Virtual Desktop
The best virtual desktop experience, delivered on Azure

Windows 10 + Windows Server + Office 365
Deliver the only multi-session Windows 10 experience
+ Enable optimizations for Office 365 ProPlus
+ Migrate (RDS) desktops and apps
+ Deploy and scale in minutes
+ Improved Security (Reverse Connect)

Azure AD Authentication

Clients authenticate with Azure Active Directory (Azure AD) identities

Azure AD allows usage of Conditional Access and Multi-factor Authentication

Windows VMs are AD domain-joined for optimal app compatibility

(Diagram: RD clients connect to Windows Virtual Desktop. Customer-managed: Azure AD, Azure AD Connect, Active Directory, User Profile File Server and Azure services. Microsoft-managed: Web Access, Diagnostics, Gateway, Broker and Azure SQL DB. Customer-managed Azure VMs & services: session-host VMs providing Desktops and Apps, separated from the service by a FIREWALL.)

User Connection Flow

1. User launches RD client which connects to Azure AD, user signs in, and Azure AD returns token
2. RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
3. User selects resource, RD client connects to Gateway
4. Broker orchestrates connection from host agent to Gateway
RDP traffic now flows between RD client and session host VM over connections 3 and 4

(Diagram: the same architecture with connection steps 1–4 marked: RD clients, Azure AD, Web Access, Diagnostics, Gateway, Broker, Azure SQL DB, FSLogix User Profile File Server, Active Directory, session-host VMs with Desktops and Apps, and the FIREWALL boundary.)

Improved Isolation: Reverse Connect

Outbound WebSocket connections from VMs to Broker and Gateway.
Bidirectional communications between VMs and RD infra over https (443).
No inbound ports need be opened on the VM.
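An added defender-side check (not from the deck) for the property stated above: with Reverse Connect the session hosts only need outbound 443 to the Broker and Gateway, so any inbound allow rule for 3389 on the host-pool network security group is surplus exposure. It assumes the Az.Network module and an existing Connect-AzAccount session; the resource group, NSG name and broker FQDN are placeholders.

```powershell
# Added example, not from the deck: audit a WVD host-pool NSG for inbound RDP rules
# that Reverse Connect makes unnecessary, and confirm the outbound 443 path the
# session hosts actually use.
# Assumes Az.Network and an authenticated Connect-AzAccount session. Resource group,
# NSG name and endpoint FQDN below are placeholders (*.wvd.microsoft.com is the
# documented service namespace).
param(
    [string]$ResourceGroupName = 'rg-wvd-hostpool',      # placeholder
    [string]$NsgName           = 'nsg-wvd-sessionhosts', # placeholder
    [string]$BrokerFqdn        = 'rdbroker.wvd.microsoft.com'
)

# True when an NSG destination port range ("*", "3389" or "3000-4000") covers $Port.
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName

# Flag every inbound Allow rule whose destination ports include 3389.
$findings = foreach ($rule in $nsg.SecurityRules) {
    if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
    $ranges = @($rule.DestinationPortRange) + @($rule.DestinationPortRanges) |
              Where-Object { $_ }
    if ($ranges | Where-Object { Test-PortInRange -Range $_ -Port 3389 }) {
        [pscustomobject]@{
            Rule     = $rule.Name
            Priority = $rule.Priority
            Source   = (@($rule.SourceAddressPrefix) + @($rule.SourceAddressPrefixes)) -join ','
            Ports    = $ranges -join ','
        }
    }
}

if ($findings) {
    Write-Warning "Inbound 3389 is allowed on $NsgName; Reverse Connect does not need it:"
    $findings | Format-Table -AutoSize
} else {
    "No inbound allow rule opens 3389 on $NsgName (consistent with Reverse Connect)."
}

# Run from a session host: the only connectivity Reverse Connect requires is outbound 443.
Test-NetConnection -ComputerName $BrokerFqdn -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```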

(Diagram: Reverse Connect architecture; session-host VMs open outbound connections to Gateway and Broker through the FIREWALL, with Web Access, Diagnostics, Azure SQL DB, Azure AD, Active Directory and User Profile File Server as before.)

Demo

Poll