Security at the endpoint or flying by autopilot
•Descargar como PPTX, PDF•
0 recomendaciones•132 vistas
How can Windows Autopilot make your Microsoft 365 environment better? Microsoft 365 Virtual Marathon session Owen Allen May 2020
Recomendados
Recomendados
Más contenido relacionado
Similar a Security at the endpoint or flying by autopilot
Similar a Security at the endpoint or flying by autopilot (20)
Más de Owen Allen
Más de Owen Allen (13)
Último
Último (20)
Security at the endpoint or flying by autopilot
- 1. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days MICROSOFT 365 VIRTUAL MARATHON Security at the Endpoint – or – Flying by Autopilot Owen Allen Chief Architect, Microsoft 365, at Zones @owenallen owen.allen@zones.com Broughtto youby: TheGlobalMicrosoft Community& M365Conf.com | #M365CONF #M365VM M365VirtualMarathon.com
- 2. Owen Allen, Seattle, Washington, United States Chief Architect, Microsoft 365, Zones 10+ years at Microsoft, Sr SharePoint Product Manager 4 Large/stable companies, 2 established growth companies, 5 startups 4 children, 1 ½ grandchildren Owen.Allen@zones.com, @owenallen LET ME INTRODUCE MYSELF… Broughtto youby: TheGlobalMicrosoft Community& M365Conf.com | #M365CONF #M365VM M365VirtualMarathon.com
- 3. May 27 & 28, 2020 Owen Allen | EN #M365VM Technology Needs are Evolving Integrated Cloud More Regulated Automated Managed Fragmented Closed Perimeter Less Regulated Manual Insourced
- 4. May 27 & 28, 2020 Owen Allen | EN #M365VM Traditional I.T. vs Modern I.T. Traditional IT • Multiple Devices • User and Business Owned Cloud • Managed & SaaS Apps • Automated • Proactive • Self-Service Modern IT • Single Device • Business Owned • Corporate Network & Legacy Apps • Manual • Reactive • High-touch
- 5. May 27 & 28, 2020 Owen Allen | EN #M365VM S E T T I N G S P O L I C I E S O F F I C E & A P P S D R I V E R S 1. Build & maintain custom image, gathering everything else that’s necessary to deploy 2. Wipe original OEM Windows image and replace with custom image Money Traditional Deployment
- 6. May 27 & 28, 2020 Owen Allen | EN #M365VM Traditional Modern Traditional vs Modern IT Tools
- 7. May 27 & 28, 2020 Owen Allen | EN #M365VM Modern Management
- 10. May 27 & 28, 2020 Owen Allen | EN #M365VM Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription for configuration). Restrict the Administrator account creation. Create and auto-assign devices to configuration groups based on a device's profile. Customize OOBE content specific to the organization. Windows Autopilot Enables You To:
- 11. May 27 & 28, 2020 Owen Allen | EN #M365VM AutoPilot Step 1 – Device Registration AutoPilot Step 2 – Profile creation and assignment AutoPilot Step 3 – Shipment User’s Role – Power on the device! AutoPilot Simple Steps
- 12. May 27 & 28, 2020 Owen Allen | EN #M365VM Skip Cortana, OneDrive and OEM registration setup pages Automatically setup for work or school Sign in experience with company branding Skip privacy settings Disable local admin account creation on the device Skip End User License Agreement (EULA) Disable Windows consumer features What are some of the profile changes that can be applied with Autopilot? Bitlocker encryption – based on the settings in the Windows 10 Endpoint Protection profile DFCI Management (Device Firmware Configuration Interface)
- 13. May 27 & 28, 2020 Owen Allen | EN #M365VM Enrollment Status Page
- 14. May 27 & 28, 2020 Owen Allen | EN #M365VM Apply a default Start menu layout Apply a default desktop wallpaper Set the time zone Remove a list of in-box provisioned apps Install the latest OneDrive client (per machine) Disable the (old) Edge desktop icon Install language packs Configure language settings Install features on demand What are some of the config changes that can be applied with Autopilot? Download needed Windows update patches and install them. https://github.com/mtniehaus/AutopilotBra nding
- 23. May 27 & 28, 2020 Owen Allen | EN #M365VM You have created a custom autopilot branding app! For the Github with this utility and for more description around this utility, https://github.com/mtniehaus/AutopilotBranding Michael Niehaus (@mniehaus) Congratulations!
- 24. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days Should you do it or should you allow your OEM or Reseller to do it?
- 25. May 27 & 28, 2020 Owen Allen | EN #M365VM What Makes Up the Device Identification? Hardware ID (a.k.a. Hardware Hash) 1. Manufacturer 2. Model name/number 3. Device Serial Number 4. Hard drive serial number 5. Other attributes… to Uniquely identify that device (The Hardware hash includes timestamp info that makes it change each time it is generated.) How to generate this? OEM Registration Reseller, distributor, or partner registration Automatic registration of existing devices Manual registration (ConfigMgr or Powershell)
- 26. May 27 & 28, 2020 Owen Allen | EN #M365VM Registering Devices
- 27. May 27 & 28, 2020 Owen Allen | EN #M365VM June 3rd, 2020 12 Noon US-Eastern Time (9:00AM US-Pacific Time) https://techcommunity.microsoft.com/t5/windows-it-pro-blog/ask-microsoft- anything-about-windows-autopilot-june-3rd-2020/ba-p/1371803 What is an AMA? An "Ask Microsoft Anything" (AMA) event is a live, online, text-based question-and-answer event similar to a "YamJam" on Yammer or an "Ask Me Anything" on Reddit. This AMA is your chance to get answers to your questions about things like: Using Windows Autopilot with user-owned devices Using Windows Autopilot to upgrade your Windows 7 devices to Windows 10 Deploying applications with Windows Autopilot Your question here! Ask Microsoft Anything about Windows Autopilot
- 28. May 27 & 28, 2020 Owen Allen | EN #M365VM Windows Defender Advanced Threat Protection. Office 365 Advanced Threat Protection. Azure Advanced Threat Protection. Advanced Threat Analytics. Azure Information Protection. Office 365 Data Loss Prevention. Microsoft Cloud App Security. Security Tools in Microsoft 365
- 29. May 27 & 28, 2020 Owen Allen | EN #M365VM User signs in with an organizational account, verified by an AD domain controller. Devices are joined to AD, then in the background completing the Hybrid Azure AD Join device registration process ConfigMgr is used to manage AD joined devices Intune is used to manage Azure AD joined devices A Co-Managed Device is a device that is being managed by ConfigMgr and by Intune Is this necessary? Would be better using Azure AD Join, if possible. Hybrid Azure AD Join
- 30. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days THANK YOU! Owen Allen Owen.allen@zones.com @owenallen
- 31. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days Mark Your Calendars: March 23-25, 2021, MGM Grand Resort Las Vegas, Nevada, USA M365Conf.com #M365CONF TheSharePoint Conferenceis nowTheMicrosoft 365 CollaborationConference #M365VM M365VirtualMarathon.com Broughtto youby: TheGlobalMicrosoft Community& M365Conf.com | #M365CONF
- 32. THANK YOU TO ALL OUR GENEROUS SPONSORS
- 33. Visit the Vendors Booth, Sessions and Watch the Videos Submit Your Answers to Enter the Raffle You need at least 5 correct answers then submit for a chance to win one of 3 (One in each Americas, APAC, EMEA) ARE YOU READY FOR A RAFFLE? WE ARE GIVING AWAY 3 OCULUS QUEST ALL IN ONE! https://bit.ly/m365raffle
- 34. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS: UNITED WAY: HTTPS://GIVE.UWKC.ORG/M365VM INTERNATIONAL MEDICAL CORPS: HTTPS://BIT.LY/MEDICALCORPSFUND 10% OF FUNDS FROMSPONSORS GOTO SUPPORT COMMUNITY RELIEF. FOR MORE INFORMATION WRITE TOINFO@M365VIRTUALMARATHON.COM
- 35. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days THANK YOU FOR JOINING US! DO YOU HAVE ANY QUESTIONS? Speaker feedback https://bit.ly/M365VMSpeakerFeedback Event feedback https://bit.ly/M365VMFeedback
- 36. MICROSOFT 365 Virtual MARATHON May 27 & 28, 2020 36 hours / 2 days THANK YOU! Owen Allen Owen.allen@zones.com @owenallen
Notas del editor
- What is the ideal path for the machines at your company? What would be the ideal path for machines at a mature and configured company? What does Break-fix/Reset represent? does it also mean re-assign to another user? Let’s double click on the Fulfill & Deliver truck logo there…
- https://github.com/mtniehaus/AutopilotBranding https://oofhours.com/2020/05/18/two-for-one-updated-autopilot-branding-and-update-os-scripts/ Note the URL for the github repo. So download them or clone the repository, make your changes, and then run “makeapp.cmd” to build the AutopilotBranding.intunewin file that you need to set up the app. Once you have that file, (Show Endpoint mgr admin panel, and where the apps are launched from, then come back here for the click through.)
- https://github.com/mtniehaus/AutopilotBranding https://oofhours.com/2020/05/18/two-for-one-updated-autopilot-branding-and-update-os-scripts/ Note the URL for the github repo. So download them or clone the repository, make your changes, and then run “makeapp.cmd” to build the AutopilotBranding.intunewin file that you need to set up the app. Once you have that file, (Show Endpoint mgr admin panel, and where the apps are launched from, then come back here for the click through.)
- you can sign into the Intune portal and create a new Win32 app:
- Next, browse to your AutopilotBranding.intunewin file.
- Specify an appropriate name, description and publisher.
- Specify the program details: Install command: powershell.exe -noprofile -executionpolicy bypass -file .\AutopilotBranding.ps1 Uninstall command: cmd.exe /c del %ProgramData%\Microsoft\AutopilotBranding\AutopilotBranding.ps1.tag Device restart behavior: Determine behavior based on return codes Specify both x86 and x64 for requirements (another benefit of not using an MSI, which is architecture-specific), and select Windows 10 1903 and above for OS version
- Specify both x86 and x64 for requirements (another benefit of not using an MSI, which is architecture-specific), and select Windows 10 1903 and above for OS version.
- Specify a detection rule that looks for the file that the script creates.
- No dependencies are needed. Assign to a device group as desired (I used “All devices”).
- Then create the app!
- Windows Defender Advanced Threat Protection. This is a sophisticated security solution for Windows 10 that you have to try out if you haven’t already. It helps with preventing attacks, detecting breaches, investigating and remediating breaches, and much more. Office 365 Advanced Threat Protection. This one is a security solution for your e-mail system: checking attachments and links, detecting phishing, and tracking threats. Azure Advanced Threat Protection. This one surprised me, because of how it monitors your Active Directory environment for suspicious behavior (e.g. seeing the use of scanning tools, or lateral movement of an account across many machines). Install an agent on your domain controllers and get alerts when bad things are happening. Advanced Threat Analytics. This is an on-premises tool for watching what’s going on with your Active Directory domain controllers. It’s similar in many ways to Azure Advanced Threat Protection – you probably don’t need both. Azure Information Protection. Classify and protect your data – e-mail, documents, etc. The exact capabilities can vary, see the grid for more details. Office 365 Data Loss Prevention. Make sure users don’t accidentally share sensitive information. Microsoft Cloud App Security. See what cloud apps your users are using, with or without your permission, with information fed from other apps or proxy servers (ick).
- Because it is AD joined, User and computer group policy objects (read from the domain controller) are applied automatically. After registered with both, the device will get a Kerberos ticket from Active Directory (used to authenticate with Active Directory-protected resources), and will also get an Azure AD user token that can be used to access Azure AD-protected resources like Intune, Teams, Office 365, etc. https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/