1. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
MICROSOFT 365 VIRTUAL MARATHON
Security at the Endpoint – or – Flying by Autopilot
Owen Allen
Chief Architect, Microsoft 365, at Zones
@owenallen owen.allen@zones.com
Brought to you by: The Global Microsoft Community & M365Conf.com | #M365CONF
#M365VM
M365VirtualMarathon.com
2. LET ME INTRODUCE MYSELF…
Owen Allen, Seattle, Washington, United States
Chief Architect, Microsoft 365, Zones
10+ years at Microsoft, Sr SharePoint Product Manager
4 large/stable companies, 2 established growth companies, 5 startups
4 children, 1 ½ grandchildren
Owen.Allen@zones.com, @owenallen
3. May 27 & 28, 2020
Owen Allen | EN
#M365VM
Technology Needs are Evolving
Fragmented → Integrated
Closed Perimeter → Cloud
Less Regulated → More Regulated
Manual → Automated
Insourced → Managed
4. Traditional I.T. vs Modern I.T.
Traditional IT
• Single Device
• Business Owned
• Corporate Network & Legacy Apps
• Manual
• Reactive
• High-touch
Modern IT
• Multiple Devices
• User and Business Owned
• Cloud
• Managed & SaaS Apps
• Automated
• Proactive
• Self-Service
5. Traditional Deployment
(Diagram: the custom image bundles Settings, Policies, Office & Apps and Drivers; the arrow is labelled "Money".)
1. Build & maintain a custom image, gathering everything else that’s necessary to deploy
2. Wipe the original OEM Windows image and replace it with the custom image
6. Traditional vs Modern IT Tools
(Diagram: Traditional tools on the left, Modern tools on the right.)
7. Modern Management
10. Windows Autopilot Enables You To:
• Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join).
• Auto-enroll devices into MDM services, such as Microsoft Intune (automatic MDM enrollment requires an Azure AD Premium subscription to configure).
• Restrict local Administrator account creation (the enrolling user can be made a standard user).
• Create and auto-assign devices to configuration groups based on a device's profile.
• Customize OOBE content specific to the organization.
11. AutoPilot Simple Steps
AutoPilot Step 1 – Device Registration
AutoPilot Step 2 – Profile creation and assignment
AutoPilot Step 3 – Shipment
User’s Role – Power on the device!
12. What are some of the profile changes that can be applied with Autopilot?
• Skip the Cortana, OneDrive and OEM registration setup pages
• Automatically set up for work or school
• Sign-in experience with company branding
• Skip privacy settings
• Disable local admin account creation on the device
• Skip the End User License Agreement (EULA)
• Disable Windows consumer features
• BitLocker encryption – based on the settings in the Windows 10 Endpoint Protection profile
• DFCI management (Device Firmware Configuration Interface)
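The BitLocker item above is the one that most often looks "done" in the portal while the device is not actually protected, or is protected with a recovery key that never left the machine. The following script is an added example (not from the deck and not Microsoft's code) that checks the outcome on a deployed device: protection on, a TPM protector present, a recovery password protector present, and the escrow-to-Azure-AD event logged. It assumes an elevated session on a Windows 10 Pro/Enterprise device that has finished the Enrollment Status Page; the remediation at the end uses the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet.

```powershell
# Added example: verify that the profile's BitLocker intent actually took effect.
# Assumes: elevated PowerShell, BitLocker module present (Windows 10 Pro/Enterprise),
# device Azure AD-joined or hybrid-joined so that escrow to Azure AD is possible.
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)
    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector)
    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = [string]$vol.ProtectionStatus    # On / Off
        VolumeStatus      = [string]$vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod  = [string]$vol.EncryptionMethod    # e.g. XtsAes128 / XtsAes256
        TpmProtector      = [bool]($protectors | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPasswords = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Test-RecoveryKeyEscrowedToAAD {
    # Windows logs event 845 in the BitLocker Management log when a recovery password was
    # backed up to Azure AD (846 on failure). No 845 means the policy has not escrowed it yet.
    $filter = @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 }
    $ev = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$ev
}

$posture = Get-BitLockerPosture
$posture | Format-List

$problems = @()
if ($posture.ProtectionStatus -ne 'On')      { $problems += 'protection is off' }
if (-not $posture.TpmProtector)              { $problems += 'no TPM protector (boot will prompt for a key, or the volume is unprotected)' }
if ($posture.RecoveryPasswords.Count -eq 0)  { $problems += 'no recovery password protector' }
if (-not (Test-RecoveryKeyEscrowedToAAD))    { $problems += 'no escrow event 845; the recovery key may exist only on this device' }

if ($problems.Count -eq 0) {
    Write-Host "BitLocker posture OK on $($posture.MountPoint)"
}
else {
    Write-Warning ('BitLocker posture issues: ' + ($problems -join '; '))
    # Remediation for the common case: a recovery password exists locally but never reached Azure AD.
    foreach ($kp in $posture.RecoveryPasswords) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $posture.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}
```

Run it as a one-off on a pilot device after the ESP finishes, or as an Intune PowerShell script in the SYSTEM context; the warning path is the one to watch for, because a device whose only copy of the recovery key is the device itself is unrecoverable once the TPM measurements change.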
13. Enrollment Status Page
14. What are some of the config changes that can be applied with Autopilot?
• Apply a default Start menu layout
• Apply a default desktop wallpaper
• Set the time zone
• Remove a list of in-box provisioned apps
• Install the latest OneDrive client (per machine)
• Disable the (old) Edge desktop icon
• Install language packs
• Configure language settings
• Install features on demand
• Download needed Windows update patches and install them
https://github.com/mtniehaus/AutopilotBranding
23. Congratulations!
You have created a custom Autopilot branding app!
For the GitHub repository with this utility, and more description of it, see
https://github.com/mtniehaus/AutopilotBranding
Michael Niehaus (@mniehaus)
25. What Makes Up the Device Identification?
Hardware ID (a.k.a. Hardware Hash)
1. Manufacturer
2. Model name/number
3. Device serial number
4. Hard drive serial number
5. Other attributes… to uniquely identify that device (the hardware hash also includes timestamp info, so it changes each time it is generated; do not treat two hashes as different devices).
How to generate this?
• OEM registration
• Reseller, distributor, or partner registration
• Automatic registration of existing devices
• Manual registration (ConfigMgr or PowerShell)
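For the manual PowerShell path, Microsoft's Get-WindowsAutopilotInfo script is the normal tool; the script below is an added example (not from the deck and not that script) that does the same collection by hand so the pieces are visible: it reads the hardware hash from the MDM WMI bridge class MDM_DevDetail_Ext01, demonstrates that two reads of the same device produce different hashes because of the embedded timestamp, and writes the CSV in the column layout the Intune import expects. It assumes an elevated session on Windows 10 1703 or later; the output path is an assumption.

```powershell
# Added example: manual hardware-hash collection for Autopilot registration.
# Assumes: Windows 10 1703+, elevated PowerShell on the device itself.
#Requires -RunAsAdministrator

function Get-AutopilotHardwareHash {
    # The MDM bridge exposes the same base64 "DeviceHardwareData" blob (roughly 4 KB) that
    # Autopilot registration consumes. Requires elevation, otherwise the query returns nothing.
    $dev = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $dev) { throw 'MDM_DevDetail_Ext01 not available; run elevated on Windows 10 1703 or later.' }
    return $dev.DeviceHardwareData
}

function Get-AutopilotIdentity {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        HardwareHash = Get-AutopilotHardwareHash
    }
}

function Test-HashChangesBetweenReads {
    # Returns $true when two reads a couple of seconds apart differ, which is the normal case:
    # the blob carries timestamp data. Deduplicate registrations on serial number, never on hash.
    $first = Get-AutopilotHardwareHash
    Start-Sleep -Seconds 2
    $second = Get-AutopilotHardwareHash
    return ($first -ne $second)
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $id = Get-AutopilotIdentity
    # Header names must match the import format exactly; "Windows Product ID" may be left blank.
    # Quotes are stripped because the import dialog expects unquoted fields.
    [pscustomobject]@{
        'Device Serial Number' = $id.SerialNumber
        'Windows Product ID'   = ''
        'Hardware Hash'        = $id.HardwareHash
    } | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ascii
    return $id
}

if (Test-HashChangesBetweenReads) {
    Write-Host 'Two hashes for the same device differ, as expected (timestamp inside the blob).'
}

$csv = Join-Path $env:TEMP 'AutopilotHWID.csv'    # assumed output location
$id  = Export-AutopilotCsv -Path $csv
Write-Host "Wrote $csv for $($id.Manufacturer) $($id.Model), serial $($id.SerialNumber)"
# The CSV is effectively a registration credential: whoever imports it binds this device to
# their tenant and profile. Transfer it over a trusted channel and delete local copies afterwards.
```

The same three columns are what a reseller or OEM submits on your behalf; the only difference in the automatic and ConfigMgr paths is that the blob is read by an agent already running as SYSTEM rather than by an admin at the keyboard.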
26. Registering Devices
27. Ask Microsoft Anything about Windows Autopilot
June 3rd, 2020, 12 Noon US-Eastern Time (9:00AM US-Pacific Time)
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/ask-microsoft-anything-about-windows-autopilot-june-3rd-2020/ba-p/1371803
What is an AMA?
An "Ask Microsoft Anything" (AMA) event is a live, online, text-based question-and-answer event similar to a "YamJam" on Yammer or an "Ask Me Anything" on Reddit. This AMA is your chance to get answers to your questions about things like:
• Using Windows Autopilot with user-owned devices
• Using Windows Autopilot to upgrade your Windows 7 devices to Windows 10
• Deploying applications with Windows Autopilot
• Your question here!
28. Security Tools in Microsoft 365
• Windows Defender Advanced Threat Protection
• Office 365 Advanced Threat Protection
• Azure Advanced Threat Protection
• Advanced Threat Analytics
• Azure Information Protection
• Office 365 Data Loss Prevention
• Microsoft Cloud App Security
29. Hybrid Azure AD Join
• The user signs in with an organizational account, verified by an AD domain controller.
• Devices are joined to AD, then complete the Hybrid Azure AD Join device registration process in the background.
• ConfigMgr is used to manage AD-joined devices.
• Intune is used to manage Azure AD-joined devices.
• A co-managed device is one that is managed by both ConfigMgr and Intune.
• Is this necessary? It is better to use plain Azure AD Join where possible; hybrid join adds a dependency on line of sight to a domain controller at first sign-in.
31. Mark Your Calendars:
March 23-25, 2021, MGM Grand Resort, Las Vegas, Nevada, USA
M365Conf.com | #M365CONF
The SharePoint Conference is now The Microsoft 365 Collaboration Conference
33. ARE YOU READY FOR A RAFFLE?
WE ARE GIVING AWAY 3 OCULUS QUEST ALL IN ONE!
Visit the vendor booths and sessions and watch the videos.
Submit your answers to enter the raffle.
You need at least 5 correct answers, then submit for a chance to win one of 3 (one in each of the Americas, APAC and EMEA).
https://bit.ly/m365raffle
34. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS:
UNITED WAY: HTTPS://GIVE.UWKC.ORG/M365VM
INTERNATIONAL MEDICAL CORPS: HTTPS://BIT.LY/MEDICALCORPSFUND
10% OF FUNDS FROM SPONSORS GO TO SUPPORT COMMUNITY RELIEF.
FOR MORE INFORMATION WRITE TO INFO@M365VIRTUALMARATHON.COM
35. THANK YOU FOR JOINING US!
DO YOU HAVE ANY QUESTIONS?
Speaker feedback: https://bit.ly/M365VMSpeakerFeedback
Event feedback: https://bit.ly/M365VMFeedback
Speaker notes:
What is the ideal path for the machines at your company?
What would be the ideal path for machines at a mature and configured company?
What does Break-fix/Reset represent? Does it also mean re-assigning the device to another user?
Let’s double click on the Fulfill & Deliver truck logo there…
https://github.com/mtniehaus/AutopilotBranding
https://oofhours.com/2020/05/18/two-for-one-updated-autopilot-branding-and-update-os-scripts/
Note the URL for the GitHub repo.
Download the scripts or clone the repository, make your changes, and then run “makeapp.cmd” to build the AutopilotBranding.intunewin file that you need to set up the app. Once you have that file,
(Show the Endpoint Manager admin center, and where the apps are launched from, then come back here for the click-through.)
you can sign into the Intune portal and create a new Win32 app:
Next, browse to your AutopilotBranding.intunewin file.
Specify an appropriate name, description and publisher.
Specify the program details:
Install command: powershell.exe -noprofile -executionpolicy bypass -file .\AutopilotBranding.ps1
Uninstall command: cmd.exe /c del %ProgramData%\Microsoft\AutopilotBranding\AutopilotBranding.ps1.tag
Device restart behavior: Determine behavior based on return codes
Specify both x86 and x64 for requirements (another benefit of not using an MSI, which is architecture-specific), and select Windows 10 1903 and above for OS version.
Specify a detection rule that looks for the file that the script creates.
No dependencies are needed. Assign to a device group as desired (I used “All devices”).
Then create the app!
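The install command, the uninstall command and the detection rule above only work together if the script itself follows a few conventions: it runs as SYSTEM from a 32-bit PowerShell host, it writes its tag file only after everything succeeded, and it returns 0 or 3010 so "determine behavior based on return codes" means something. The script below is an added example of those conventions, written for this page; it is not the AutopilotBranding.ps1 from the repository. Assumed names: it is packaged as Invoke-AutopilotConfig.ps1, the install command is powershell.exe -noprofile -executionpolicy bypass -file .\Invoke-AutopilotConfig.ps1, and the detection rule is the existence of %ProgramData%\Microsoft\AutopilotConfig\AutopilotConfig.ps1.tag. The time zone, app list and feature on demand are constructed values.

```powershell
# Added example: minimal Win32 app script using the tag-file detection convention.
# Assumes: run by the Intune Management Extension as SYSTEM on x64 Windows 10 1903+.

# 1. The IME launches 32-bit PowerShell on x64 Windows. Relaunch under the native host so
#    DISM/Appx cmdlets and registry writes use the 64-bit view.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    & "$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

$tagDir  = Join-Path $env:ProgramData 'Microsoft\AutopilotConfig'   # assumed location
$tagFile = Join-Path $tagDir 'AutopilotConfig.ps1.tag'               # what the detection rule looks for
New-Item -ItemType Directory -Path $tagDir -Force | Out-Null
Start-Transcript -Path (Join-Path $tagDir 'AutopilotConfig.log') -Append | Out-Null

$exitCode    = 0
$needsReboot = $false
try {
    # 2. A few items from the deck's "config changes" list. Every step must be safe to
    #    re-run, because deleting the tag (the uninstall command) makes Intune run this again.
    Set-TimeZone -Id 'Pacific Standard Time'                      # constructed value

    $unwanted = @('Microsoft.XboxApp', 'Microsoft.ZuneMusic')     # constructed list
    foreach ($pkg in Get-AppxProvisionedPackage -Online) {
        if ($unwanted -contains $pkg.DisplayName) {
            Write-Host "Removing provisioned package $($pkg.DisplayName)"
            Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
        }
    }

    # Disable Windows consumer features via the policy key (same effect as the GPO setting).
    $cc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
    New-Item -Path $cc -Force | Out-Null
    New-ItemProperty -Path $cc -Name 'DisableWindowsConsumerFeatures' -Value 1 -PropertyType DWord -Force | Out-Null

    # Feature on demand; the cmdlet reports whether a restart is needed.
    $cap = Add-WindowsCapability -Online -Name 'Language.Basic~~~en-GB~0.0.1.0'   # constructed value
    if ($cap.RestartNeeded) { $needsReboot = $true }

    # 3. Write the tag file last. If anything above threw, no tag exists, the detection rule
    #    fails, and the IME reports the install as failed and retries on the next cycle.
    Set-Content -Path $tagFile -Value "Configured $(Get-Date -Format o)"
    if ($needsReboot) { $exitCode = 3010 }   # soft reboot, honoured by "determine behavior based on return codes"
}
catch {
    Write-Host "Configuration failed: $_"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Two things follow from the tag-file design. The uninstall command in the deck does not undo any setting; it only removes the tag, so the next detection pass re-runs the install, which is why each step has to be idempotent. And because the tag is written after the last step, a partial run never reports success to the Enrollment Status Page.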
Windows Defender Advanced Threat Protection. This is a sophisticated security solution for Windows 10 that you have to try out if you haven’t already. It helps with preventing attacks, detecting breaches, investigating and remediating breaches, and much more.
Office 365 Advanced Threat Protection. This one is a security solution for your e-mail system: checking attachments and links, detecting phishing, and tracking threats.
Azure Advanced Threat Protection. This one surprised me, because of how it monitors your Active Directory environment for suspicious behavior (e.g. seeing the use of scanning tools, or lateral movement of an account across many machines). Install an agent on your domain controllers and get alerts when bad things are happening.
Advanced Threat Analytics. This is an on-premises tool for watching what’s going on with your Active Directory domain controllers. It’s similar in many ways to Azure Advanced Threat Protection – you probably don’t need both.
Azure Information Protection. Classify and protect your data – e-mail, documents, etc. The exact capabilities can vary, see the grid for more details.
Office 365 Data Loss Prevention. Make sure users don’t accidentally share sensitive information.
Microsoft Cloud App Security. See what cloud apps your users are using, with or without your permission, with information fed from other apps or proxy servers (ick).
Because it is AD-joined, user and computer Group Policy objects (read from the domain controller) are applied automatically.
Once registered with both, the device gets a Kerberos ticket from Active Directory (used to authenticate to Active Directory-protected resources) and also an Azure AD user token that can be used to access Azure AD-protected resources like Intune, Teams, Office 365, etc.
https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/
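The join state described on the Hybrid Azure AD Join slide and in the notes above is visible on the device through dsregcmd /status, and checking it is the first step when deciding whether a fleet actually needs hybrid join or is already effectively Azure AD-joined. The script below is an added example (not from the deck or the linked post) that parses that output and classifies the device, and also reports whether the user holds the Azure AD Primary Refresh Token, which is the "Azure AD user token" the notes refer to. It assumes Windows 10 1803 or later for dsregcmd.exe; the sample output is constructed so the parser can be exercised on a machine without the tool.

```powershell
# Added example: classify a device's join state from dsregcmd /status.
# Assumes: Windows 10 1803+ (dsregcmd.exe present); falls back to constructed sample output.

function ConvertFrom-DsregStatus {
    # dsregcmd prints "key : value" rows inside boxed sections; box borders and titles are ignored.
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9][A-Za-z0-9 _\-]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-DeviceJoinType {
    param([hashtable]$Status)
    $aad = $Status['AzureAdJoined'] -eq 'YES'
    $dom = $Status['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'HybridAzureADJoined' }
    if ($aad)           { return 'AzureADJoined' }
    if ($dom)           { return 'DomainJoinedOnly' }      # hybrid registration not (yet) completed
    if ($Status['WorkplaceJoined'] -eq 'YES') { return 'AzureADRegistered' }
    return 'NotJoined'
}

# Constructed sample of the relevant sections for a hybrid-joined device whose user already
# holds a Primary Refresh Token (PRT), i.e. can obtain Azure AD tokens for Intune, Teams, M365.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
'@ -split "`r?`n"

$lines  = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$status = ConvertFrom-DsregStatus -Lines $lines
$join   = Get-DeviceJoinType -Status $status

Write-Host "Join type : $join"
Write-Host "Domain    : $($status['DomainName'])"
Write-Host "AAD PRT   : $($status['AzureAdPrt'])"

# What the state means for management, per the slide: hybrid devices can be co-managed by
# ConfigMgr and Intune; Azure AD-joined devices are Intune-only and need no domain controller.
switch ($join) {
    'DomainJoinedOnly' {
        Write-Warning 'AD-joined but hybrid registration has not completed; check Azure AD Connect device sync and the SCP.'
    }
    'HybridAzureADJoined' {
        if ($status['AzureAdPrt'] -ne 'YES') {
            Write-Warning 'No PRT: the user signed in with cached credentials or had no line of sight to a domain controller at logon.'
        }
    }
}
```

Run it in the user's context, not as SYSTEM, because the SSO State section (and therefore the PRT check) is per user; the Device State section is the same either way.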