BRK1076: Make Windows devices more secure by taking them out of your existing infrastructure (Chris Rhodes & Andrew Bettany, MCTs & MVPs), 6/25/2018 11:13 PM

Presentation transcript:

BRK1076: Make Windows devices more secure by taking them out of your existing infrastructure
Chris Rhodes & Andrew Bettany, MCTs & MVPs, IT Masterclasses
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Traditional IT environment

Tech recap
- Kerberos authentication of computer and user account.
- Tokens granted for server access.
- Resources required by users are primarily on-premises.
- Devices are managed by Group Policy (and SCCM in larger enterprises).

The proposition
Windows devices can be more secure by not being part of a traditional IT infrastructure.

Azure AD Join
- Integration with O365
- SSO with Edge or Office apps
- OneDrive access

Cloud environment – AAD Join

Demo: Azure Active Directory

Registered devices vs. joined devices
Registered device: personal devices; BYOD scenario; local user authentication; MDM capable; Windows, iOS, Android.
Joined device: company owned device; CYOD scenario; AAD user authentication; Windows only; Windows Hello; access to Windows Store for Business.

So how is this more secure?
- The cloud environment doesn't run on Kerberos.
- Apps and services rely on OAuth for cloud identities.
- Users may need 2 identities for on-premises and cloud resources. Ugh!
- Maintaining a single identity in a managed environment avoids password overlap.
- Cloud identities can be used inside/outside the organization.

Windows Hello for Business
- User authentication to an AAD account.
- PIN, biometric or gesture is verified locally with the TPM.
- The TPM holds the private key, which never leaves the device.
- AAD holds the public key and verifies identity against the device-held private key.
- No passwords = more secure.
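As an added illustration that is not part of the deck, here is a Go sketch of the key-based sign-in the slide describes: a Device standing in for the TPM-protected key, a Verifier standing in for Azure AD, and a challenge signed only after the local gesture check passes. The PIN check, device id, 32-byte challenge and the use of Ed25519 for the device key are all constructed assumptions, not Microsoft's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device stands in for the TPM: the key is generated here and only ever used to sign.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte // constructed stand-in for the TPM-protected PIN check
}

// Verifier stands in for Azure AD: it holds public keys only, keyed by device id.
type Verifier struct{ keys map[string]ed25519.PublicKey }

func NewDevice(pin string) *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}
// PublicKey exports the public half only; that is all that gets registered.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
// Sign signs the challenge only after the local gesture (a PIN here) checks out.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false // wrong PIN: the key is never touched
	}
	return ed25519.Sign(d.priv, challenge), true
}

func NewVerifier() *Verifier { return &Verifier{keys: map[string]ed25519.PublicKey{}} }
func (v *Verifier) Register(id string, pub ed25519.PublicKey) { v.keys[id] = pub }
// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n) // crypto/rand fills n in full or fails loudly; error check elided
	return n
}

// Verify accepts only a signature by the registered key over this exact challenge.
func (v *Verifier) Verify(id string, challenge, sig []byte) bool {
	pub, ok := v.keys[id] // unknown device id fails closed
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

The point to notice is what the Verifier never receives: no PIN, no password and no private key cross the wire, only a signature over a one-time challenge.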

Microsoft 365
- Licences are out, subscriptions are in.
- Windows 10 & Office 365 & EMS.
- New kid on the block.

EMS – Enterprise Mobility & Security

EMS breakdown
- AAD Premium
- Azure Information Protection
- Intune

AAD Premium security
- Adds MFA (multi-factor authentication)
- Self-service password reset
- Security reports – are your users being hacked?
- Cloud app discovery – understand what users actually use
- BitLocker recovery
- Auto MDM enrolment – devices are secured from day 1

Conditional access
Policies control access to cloud applications.
- Example 1: AAD joined devices only
- Example 2: MFA required for user authentication
- Example 3: MDM controlled computers only
- Example 4: Compliant devices only may access apps
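The four examples above can be read as grant controls that must all hold before a token is issued. The following Go evaluator is an added example, not the deck's or Azure AD's code: the SignIn fields, the control names, the deny-wins rule and the scoping of example 4 to a single app are constructed assumptions chosen to show how several policies combine against one sign-in.

```go
package main

// SignIn is a constructed sign-in context: the facts the identity provider has
// about user and device when a token is requested.
type SignIn struct {
	App         string
	AADJoined   bool // device has an identity in the directory
	MDMManaged  bool // enrolled in MDM (Intune, in the deck)
	Compliant   bool // MDM reports the device meets compliance policy
	MFAComplete bool // a second factor was completed in this session
}

// checks maps a grant control name to the signal that satisfies it.
var checks = map[string]func(SignIn) bool{
	"aadJoined": func(s SignIn) bool { return s.AADJoined },
	"mfa":       func(s SignIn) bool { return s.MFAComplete },
	"mdm":       func(s SignIn) bool { return s.MDMManaged },
	"compliant": func(s SignIn) bool { return s.Compliant },
}

// Policy grants access to App ("*" = every app) only if every control holds.
type Policy struct {
	Name     string
	App      string
	Controls []string
}

// Evaluate runs every applicable policy. Any unmet control blocks the sign-in
// (deny wins) and is reported; an unknown control name also blocks, fail-closed.
func Evaluate(policies []Policy, s SignIn) (granted bool, failed []string) {
	for _, p := range policies {
		if p.App != "*" && p.App != s.App {
			continue
		}
		for _, c := range p.Controls {
			if ok, known := checks[c]; !known || !ok(s) {
				failed = append(failed, p.Name+": "+c)
			}
		}
	}
	return len(failed) == 0, failed
}

// DeckPolicies are the slide's four examples as constructed policies; example 4 is scoped to one app.
var DeckPolicies = []Policy{
	{"Example 1", "*", []string{"aadJoined"}},
	{"Example 2", "*", []string{"mfa"}},
	{"Example 3", "*", []string{"mdm"}},
	{"Example 4", "SharePoint", []string{"compliant"}},
}
```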

Azure AD Identity Protection

Intune
- Rich cloud-based management of Windows 10 (as well as iOS and Android)
- Extends capabilities further with Enterprise Mobility Suite (EMS)
- Integration with Office 365


Intune benefits
- Single admin portal to manage services
- Same user identities (AAD)
- SMEs typically don't deploy SCCM for management
- Field-based computers are always 'in-touch'

Intune for MDM
- Assets can be viewed and managed in the cloud.
- Better understand apps and hardware.
- Allows for remote reset and selective wipe.
- Deploy VPN and Wi-Fi profiles.

So how is this more secure?
- Intune managed devices are controlled via CSPs (configuration service providers). CSPs control device behaviour.
- Updates can be deployed without the IT infrastructure – great for road warriors.
- Defender and Windows updates can be deployed this way.
- Up to date device = more secure.

Humans are fallible
- Where do current practices allow for logon or data breach?
- Identify the gaps.
- Where can EMS plug the gaps?

Azure Information Protection
- A known user and device are required to access data.
- Protect company data better on managed devices.
- Data is effectively 'partitioned' on devices.
- Devices can be used for work and play without fear.
- Better together – conditional access + data security.

Office 365

Office 365 MDM
- MDM exists in O365 subscriptions.
- Devices managed in the O365 portal.
- If you have M365, use Intune for more features.
- Lacks features like MAM, VPN profiles, app deployment.

The proposition
Windows devices can be more secure by not being part of a traditional IT infrastructure.

Related session
BRK3260: Manage Windows devices in the complex hybrid cloud world of today. Thursday 16:00–17:15, W307.

Please evaluate this session
- PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
- Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!
