Business Needs and IT Challenges How can IT maintain user productivity and protect against evolving threats How can IT reduce complexity and scale back infrastructure requirements IT Needs Lower operational costs Business Needs Agility and Flexibility

Registering and Enrolling Devices IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the users identity. Multi-factor authentication can be used through Windows Azure Active Authentication. Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device Users can enroll devices which configure the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device Data from Windows Intune is sync with Configuration Manager which provides unified management across both on- premises and in the cloud

IT Mac OS X Windows PCs (x86/64, Intel SoC), Windows to Go Windows Embedded Windows RT, Windows Phone 8 iOS, Android Single Admin Console Microsoft System Center 2012 R2 Configuration Manager

ConfigMgr MPBaseline ConfigMgr Agent WMIXML RegistryIISMSI ScriptSQL Software Updates File Active Directory Baseline Configuration Items Auto Remediate OR Create Alert (to Service Manager) ! Improved functionality Copy settings Trigger console alerts Richer reporting Enhanced versioning and audit tracking Ability to specify versions to be used in baselines Audit tracking includes who changed what Pre-built industry standard baseline templates through IT Governance, Risk & Compliance(GRC) Solution Accelerator Assignment to collections Baseline drift

VPN Profile Management Support for major SSL VPN vendors DNS name-based initiation support for Windows 8.1 and iOS Application ID based initiation support for Windows 8.1 Automatic VPN connection Support for VPN standards SSL VPNs from Cisco, Juniper, Check Point, Microsoft, Dell SonicWALL, F5 Subset of vendors have Windows Windows RT VPN plug-in PPTP,L2TP, IKEv2

Wi-Fi and Certificate Profiles Wi-Fi settings Manage and distribute certificates Deploy trusted root certificates Support for Security Center Endpoint Protection(SCEP) protocol Manage Wi-Fi protocol and authentication settings Provision Wi-Fi networks that device can auto connect Specify certificate to be used for Wi-Fi connection

Comprehensive Protection Stack Building enterprise grade platform security MANAGEMENT ANTIMALWARE Available only in Windows 8.x Endpoint Protection Management Software Updates + SCUP Operating System Deployment Settings Management Antimalware Dynamic Translation Behavior Monitoring Software Distribution Vulnerability Shielding Windows Defender Offline Internet ExplorerBitLockerAppLocker Address Space Layout Randomization Data Execution Prevention User Access Control Secure Boot through UEFI Windows Resource Protection Measured Boot Early Launch Antimalware (ELAM) Exchange Connector Enhanced in Windows 8.x (or Internet Explorer 10) ELAM & Measured Boot Cloud clean restore PLATFORM DYNAMIC CLOUD UPDATES Microsoft Malware Protection Center Dynamic Signature Service

Behavior Monitoring and Dynamic Signature Service Live system monitoring identifies new threats Tracks behavior of unknown processes and known bad processes Multiple sensors to detect operating system anomaly Updates for new threats delivered through the cloud in real time Real time signature delivery with Microsoft Active Protection Service Immediate protection against new threats without waiting for scheduled updates

Cloud Clean Restore Advanced system file cleaning through replacement Replaces infected system files with clean versions from a cloud source. Uses a trusted Microsoft cloud source for the replacement file Restart requirements orchestrated on system and wired to client UI (for in use file replacement).

Windows 7 Malware is able to boot before Windows and Anti-malware Malware able to hide and remain undetected Systems can be compromised before AM starts Secure Boot loads Anti-Malware early in the boot process Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft Windows starts AM software before any 3rd party boot drivers Malware can no longer bypass AM inspection Trusted Boot: Early Load Anti- Malware Windows 8

Simplify BitLocker Deployment

Recovery Password Data Compliance Data HTTPS MBAM Client Group Policy: AD, AGPM Key Recovery Service Helpdesk UX for Key Recovery Compliance Reports Central Administration Compliance Service

User claims User.Department = Finance User.Clearance = High ACCESS POLICY Applies = High Allow | Read, Write | if AND == True) Device claims Device.Department = Finance Device.Managed = True Resource properties Resource.Department = Finance Resource.Impact = High AD DS 31 File Server

Expression based access control x 50 Country 50 Groups Branch x Groups Customers 100,000 Groups! x 100

PCIT-B212Design Considerations for BYOD PCIT-B214Using Dynamic Access Control and Rights Management for Information Protection PCIT-B213Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure PCIT-B314Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in Windows Server 2012 R2 DCIM-IL201Implementing Desired State configuration