Supercharge Windows 10 Security with Microsoft Endpoint Manager
James Graham
Partner Technical Architect – Unified Endpoint Management

Poll

Agenda

Introduction to Microsoft Endpoint Manager

Microsoft Endpoint Manager
Transformative management and security
• Enable your users
• Protect your data
• PC desktop management
• Mobile device management
• Mobile application management

Configuration Manager and Microsoft Intune
• Secure and intelligent
• Streamlined and flexible
• Maximizes investment

Microsoft Endpoint Manager
Attach the power of the cloud to your technology estate

Knowledge Check
Configuration Manager…
• …IS A KEY SERVICE OF MICROSOFT ENDPOINT MANAGER
• …POWERS MICROSOFT ENDPOINT MANAGER
• …IS THE INTELLIGENT EDGE OF MICROSOFT ENDPOINT MANAGER
• …SERVICES ON PREM CONTENT DISTRIBUTION
• …POWERS SERVER MANAGEMENT IN MICROSOFT ENDPOINT MANAGER
• …HAS A LONG LIFE AHEAD FOR MICROSOFT ENDPOINT MANAGER

Deployment: Windows Autopilot

Traditional Windows deployment
OFFICE & APPS, DRIVERS, POLICIES, SETTINGS
• Build a custom image, gathering everything else that’s necessary to deploy
• Deploy image to a new computer, overwriting what was originally on it
• Time means money, making this an expensive proposition

Modern Windows deployment
• Un-box and turn on off-the-shelf Windows PC
• Transform with minimal user interaction
• Device is ready for productive use

Windows Autopilot
One-time preparation tasks

Azure Active Directory:
• Configure automatic MDM enrollment.
• Configure company branding.
• Enable Windows Subscription Activation if desired.
• Ensure users can join devices to Azure AD (for user-driven mode)

Intune:
• Enable the enrollment status page
• Ensure users can enroll devices in Intune
• Assign licenses to users
• (Optional) Set up enrollment restrictions so only Autopilot-registered devices can enroll

Three simple steps
• Register devices
• Assign a profile
• Deploy

Three simple steps: Register devices
• Have devices registered automatically
• Request clean images, choice of Windows 10 version at the same time (if available)
• Specify group tag to help segment devices by purpose
• Devices are automatically tagged with the purchase order ID
• Register devices yourself via Intune for testing and evaluation using Get-WindowsAutopilotInfo PowerShell script
• Register (harvest) existing Intune-managed devices automatically

Three simple steps: Assign a profile
• Use Intune:
• Select profile scenario (user-driven, self-deploying)
• Configure needed settings
• Assign to an Azure AD group so Intune will automatically assign to all devices in the group
• Use a dynamic Azure AD group to automate this step
• Consider static Azure AD group for exceptions

Three simple steps: Deploy
• Boot up each device
• Connect to network (Wi-Fi, Ethernet)
• Enter credentials (if required)

Demo

Windows Autopilot // Deployment Scenarios
• User-driven mode with Azure AD Join (AVAILABLE in 1703): Join device to Azure AD, enroll in Intune/MDM
• User-driven mode with Hybrid Azure AD join (AVAILABLE in 1809): Join device to AD, enroll in Intune/MDM
• Windows Autopilot for existing devices (AVAILABLE in 1809): Windows 7/8.1 to Windows 10. ConfigMgr task sequence, followed by Windows Autopilot user-driven mode
• Windows Autopilot white glove (preview) (AVAILABLE in 1903): White glove partners or IT staff can pre-provision Windows 10 PC to be fully configured and business-ready for an org or user
• Self-deploying mode (preview) (AVAILABLE in 1903): No need to provide credentials, automatically joins Azure AD

Callouts attached to scenarios on the slide:
• Coming soon! Integration with ConfigMgr (appears on two scenarios)
• Coming soon! Deploy over VPN
• New! Hybrid Azure AD Join support

Additional Windows 10 1903 enhancements:
● Self-updating Windows Autopilot
● Cortana is quiet during OOBE
● Tracking of Win32 apps

Demo

Autopilot into Configuration Manager - Today

Autopilot into a Task Sequence – coming soon
• Target a configuration task sequence to your provisioning computers collection
• Call /ts:<ID> from ccmsetup command line
• ConfigMgr client installs and immediately runs the specified task sequence
• Use with nested task sequence to have a consistent new device state across OSD and Autopilot
• Download on demand from CMG supported for task sequences starting 1910

Knowledge Check

Poll

Management

Cloud powered endpoint management
OR Config Mgr Cloud Attached Only

Column headings:
• Risk-based Control
• Zero Touch Provisioning
• Intelligent Security
• Advanced Analytics
• Unified Management
• Full stack integration

Capabilities listed under these headings:
• Endpoint Compliance and Risk
• Windows Autopilot
• Secure Score
• Technology Experience Score
• Mobility and PC Management
• Role Based Admin
• Conditional Access
• Android Enterprise ZTD
• Advanced Threat Protection
• Desktop Analytics
• M365 Admin Center
• Graph API
• PowerShell
• App Protection
• Apple DEP
• BitLocker
• Log Analytics
• Guided Deployments
• Policy management
• Audit
• Samsung Knox Mobile Enrollment
• Real time advanced threat detection
• Third party risk and compliance signaling
• Security Baselines
• Office 365 Pro Plus
• Cloud content optimization
• Windows Hello, Edge Attestation
• Dynamic user risk assessment

What is cloud attach?
Cloud Attach
• Tenant Attach: Connect your Configuration Manager site to Intune for instant cloud value.
• Client Attach through co-management: Enroll your Configuration Manager devices into Intune for additional cloud value.
Cloud attach capabilities listed on the slide:
• Cloud console through EMAC
• ATP integration
• Conditional access
• Helpdesk
• Modern provisioning through Autopilot
• Desktop Analytics
• Management anywhere
• User Experience Analytics

Cloud Hosted
Using Microsoft Azure to host Configuration Manager components

Poll

Demo

Co-Management

Cloud Management Gateway
[Diagram: Cloud Management Gateway topology. Labels: Windows Update, Corporate Network, Datacentre, HQ Site, AD, CA, MP, DP, SUP, Branch DP]

Demo

Security Feature Control

Poll

Intelligent security with Windows 10
• Built-in, not bolted on
• Automated security
• Powered by intelligence

Built-in, not bolted on
• No additional deployment or infrastructure needed to manage endpoint security.
• Stay current on Windows 10 and compatible by using cloud-powered updates.
• Reduce the surface area for threats and attacks by hardening the system.
• Get next generation protection to stay ahead of emerging threats.

Windows Defender Antivirus
• 100% on AV-TEST prevalence test from November 2017 – February 2018.
• 100% on AV-Comparatives real world test from February – March 2018.

Built-in with Windows Defender Advanced Threat Protection
• Block malware and untrusted apps with application control
• Help avoid OS tampering with system hardening
• Protect against emerging threats with next-gen protection
• Safely browse the internet with hardware based isolation
• Block connections to malicious sites with network protection

Powered by intelligence
• Uses the Microsoft Intelligent Security Graph to analyze data from trillions of signals from emails, apps, websites, and Windows.
• Detect threats with intelligence using machine learning models to uncover suspicious behavior on-premise or in the cloud.
• Prevents access to sensitive resources using device trust-based Conditional Access.
• Customers and partners can now connect to the Intelligent Security Graph using a new Security API.

“The Security Graph API allows us to receive not only actionable alert information but allows security analysts to pivot and enrich alerts with asset and user information.”
Colby DeRodeff // Chief Strategy Officer, Anomali

Intelligent Security Graph
• 450B monthly authentications
• 200+ global cloud consumer and commercial services
• +1B Windows devices updated
• 18+ billion Bing web pages scanned
• 400B e-mails analyzed

THE WINDOWS 10 SECURITY
PROTECT, DETECT & RESPOND
• Threat Protection: Protect, detect, and respond to the most advanced threats using advanced hardware based security and the power of the cloud
• Identity Protection: Kick passwords to the curb with a convenient, easy to use and enterprise-grade alternative that is designed for today’s mobile-first world.
• Information Protection: Protect data on lost and stolen devices and prevent accidental data leaks using data separation, containment, and encryption.
Servicing and Centralized Security Management

WINDOWS 10 SECURITY FEATURES
• PRE-BREACH: Device protection, Threat resistance, Identity protection, Information protection
• POST-BREACH: Breach detection investigation & response

Knowledge Check

Attack Timeline Framework – Capability Mapping
[Diagram: products mapped against attack stages and threats.]
Stages: Enter, Establish, Expand, Endgame
Threats shown: Phishing Attacks, Identity Theft, Intellectual Property Theft, Document Macros, Malicious Software, Privilege Escalation, Lateral Movement, Damage And Disruption, Browser Exploits
Products named on the slide:
• Exchange Online Protection
• Microsoft Defender Advanced Threat Protection
• Azure Advanced Threat Protection
• Advanced e-discovery
• Office 365 Advanced Threat Protection
• Azure Active Directory Privilege Identity Management
• Microsoft Defender Threat Experts
• Azure Information Protection
• Azure Active Directory Conditional Access
• Microsoft Defender Threat Vulnerability Management
• Microsoft Cloud App Security
• Azure Active Directory Right Management Service
• Azure Active Directory Multi-Factor Authentication
• Office 365 Data Loss Prevention
• Azure Active Directory Identity Protection
• OneDrive for Business File Restore
• Windows Defender Antivirus
• Windows Defender Credential Guard
• Windows Defender Application Guard
• Windows Information Protection
• Windows Defender Attack Surface Reduction
• Windows Defender Network Protection
• Microsoft Edge SmartScreen Windows