Business Needs and IT Challenges
Business Needs
How can IT maintain user productivity and protect against evolving threats?
Agility and Flexibility
How can IT reduce complexity and scale back infrastructure requirements?
IT Needs
Lower operational costs
Registering and Enrolling Devices
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Microsoft System Center 2012 R2 Configuration Manager
IT: Single Admin Console
Windows PCs (x86/64, Intel SoC), Windows to Go, Windows Embedded, Mac OS X
Windows RT, Windows Phone 8, iOS, Android
[Diagram labels: ConfigMgr MP; Baseline; ConfigMgr Agent; Assignment to collections; Baseline drift: Auto Remediate OR Create Alert (to Service Manager)]
Baseline Configuration Items: Active Directory, Script, WMI, XML, SQL, File, Software Updates, Registry, MSI, IIS
Improved functionality
Copy settings
Trigger console alerts
Richer reporting
Enhanced versioning and audit tracking
Ability to specify versions to be used in baselines
Audit tracking includes who changed what
Pre-built industry standard baseline templates through IT Governance, Risk & Compliance (GRC) Solution Accelerator
VPN Profile Management
Support for major SSL VPN vendors
SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5
Subset of vendors have Windows
Windows RT VPN plug-in
Support for VPN standards
PPTP, L2TP, IKEv2
Automatic VPN connection
DNS name-based initiation support for Windows 8.1 and iOS
Application ID based initiation support for Windows 8.1
Wi-Fi and Certificate Profiles
Wi-Fi settings
Manage Wi-Fi protocol and authentication settings
Provision Wi-Fi networks that device can auto connect
Specify certificate to be used for Wi-Fi connection
Manage and distribute certificates
Deploy trusted root certificates
Support for Security Center Endpoint Protection (SCEP) protocol
Comprehensive Protection Stack
Building enterprise grade platform security
[Diagram: protection stack with sections labelled PLATFORM, ANTIMALWARE, MANAGEMENT and DYNAMIC CLOUD UPDATES]
Components shown: Antimalware, Internet Explorer, Behavior Monitoring, Settings Management, Dynamic Translation, Operating System Deployment, Vulnerability Shielding, Windows Defender Offline, AppLocker, BitLocker, Data Execution Prevention, Windows Resource Protection, Secure Boot through UEFI, Early Launch Antimalware (ELAM), Software Distribution, Cloud clean restore, Address Space Layout Randomization, Measured Boot, Exchange Connector, ELAM & Measured Boot, User Access Control, Microsoft Malware Protection Center, Endpoint Protection Management, Software Updates + SCUP, Dynamic Signature Service
Legend: Available only in Windows 8.x; Enhanced in Windows 8.x (or Internet Explorer 10)
Behavior Monitoring and Dynamic Signature Service
Live system monitoring identifies new threats
Tracks behavior of unknown processes and known bad processes
Multiple sensors to detect operating system anomalies
Updates for new threats delivered through the cloud in real time
Real-time signature delivery with Microsoft Active Protection Service
Immediate protection against new threats without waiting for scheduled updates
Cloud Clean Restore
Advanced system file cleaning through replacement
Replaces infected system files with clean versions from a cloud source.
Uses a trusted Microsoft cloud source for the replacement file
Restart requirements orchestrated on system and wired to client UI (for in-use file replacement).
Trusted Boot: Early Load Anti-Malware
Windows 7
Malware is able to boot before Windows and Anti-malware
Malware able to hide and remain undetected
Systems can be compromised before AM starts
Windows 8
Secure Boot loads Anti-Malware early in the boot process
Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
Windows starts AM software before any 3rd party boot drivers
Malware can no longer bypass AM inspection
Simplify BitLocker Deployment
Encrypt a computer before a user receives it
Enable users to encrypt their computers after policy
[MBAM diagram labels: Policy; Hardware Compatibility; Recovery Password Data; Group Policy: AD, AGPM; Key Recovery Service; Helpdesk UX for Key Recovery; Compliance Data; Compliance Service; HTTPS; MBAM Client; Central Administration; Compliance Reports]
File Server
AD DS
User claims
User.Department = Finance
User.Clearance = High
Device claims
Device.Department = Finance
Device.Managed = True
Resource properties
Resource.Department = Finance
Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
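The access policy above, worked through as an added example (not part of the original deck, and not Windows' own evaluation engine). It is a simplified Python model of this one rule; Request, policy_applies, condition_holds and evaluate are hypothetical names, the slide's @File.* is read as the resource properties, and the sample claim values are constructed from the ones on the slide.

```python
from dataclasses import dataclass

@dataclass
class Request:
    user: dict       # user claims
    device: dict     # device claims
    resource: dict   # resource properties (the slide's @File.*)
    rights: frozenset

ALLOWED_RIGHTS = frozenset({"Read", "Write"})

def policy_applies(resource):
    # Applies to: @File.Impact = High
    return resource.get("Impact") == "High"

def condition_holds(req):
    # (@User.Department == @File.Department) AND (@Device.Managed == True)
    user_dept = req.user.get("Department")
    file_dept = req.resource.get("Department")
    if user_dept is None or file_dept is None:
        return False  # fail closed: two missing claims must not compare equal
    return user_dept == file_dept and req.device.get("Managed") is True

def evaluate(req):
    """Return 'not-applicable', 'allow' or 'deny' for this single rule."""
    if not policy_applies(req.resource):
        return "not-applicable"
    if req.rights <= ALLOWED_RIGHTS and condition_holds(req):
        return "allow"
    return "deny"

# Constructed sample data using the claim values shown on the slide.
FINANCE_USER = {"Department": "Finance", "Clearance": "High"}
MANAGED_PC = {"Department": "Finance", "Managed": True}
FINANCE_FILE = {"Department": "Finance", "Impact": "High"}

def demo():
    rw = frozenset({"Read", "Write"})
    low = {"Department": "Finance", "Impact": "Low"}
    return {
        "managed device": evaluate(Request(FINANCE_USER, MANAGED_PC, FINANCE_FILE, rw)),
        "unmanaged device": evaluate(Request(FINANCE_USER, {"Managed": False}, FINANCE_FILE, rw)),
        "no device claims": evaluate(Request(FINANCE_USER, {}, FINANCE_FILE, rw)),
        "other department": evaluate(Request({"Department": "HR"}, MANAGED_PC, FINANCE_FILE, rw)),
        "low-impact file": evaluate(Request(FINANCE_USER, MANAGED_PC, low, rw)),
    }

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

A device that presents no claims at all is denied in the same way as one that reports Managed = False, which is the behaviour to check for when unregistered BYO devices reach a high-impact share.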
Expression based access control
Country
x 50
Branch
x 20
Customers
x 100