How To Implement and Stay Out of the News

Presentation on theme: "How To Implement and Stay Out of the News"— Presentation transcript:

1 How To Implement and Stay Out of the News
Device Guard: How To Implement and Stay Out of the News
Troy L. Martin, Technical Architect, 1E (1E.com/blogs/author/troymartin/)
Bill Moore, IT Product Owner, Client & Mobility, Dell Technologies (billamoore.com)

2 Troy L. Martin Bill Moore @1E_TroyMartin @BMooreatDell
In ‘92, 2nd highest score at DeVry Described as "Best Dad ever" 20 1E) 19 years Dell client management Go NY Yankees!! Jeep junkie (no Uber in Austin!!)

3 Why Device Guard? Today’s solutions are just not enough (Troy)

4 Chasing malware is time consuming…
“On average, organizations receive almost 17,000 malware alerts in a typical week but only 19 percent of these alerts are deemed to be reliable. Of the 3,218 reliable alerts, only 705 are investigated.” - Ponemon Institute: The Cost of Malware Containment
Signature-based solutions are reactive: they can only detect “known” threats
Dependent upon external sources for “threat intelligence”, remediation and solutions
Slow response perpetuates risk

5 …“whitelist” as a service could be the Holy Grail
Whitelists are proactive
Only authorized/trusted apps are allowed to run
A rules/policy-based system defined by the business is proactive
No waiting for vendors and the community for solutions
This is why Device Guard!!

6 …could Device Guard be the “Holy Grail”?
Prevents untrusted code from executing in the Operating System
Trusted code is identified by its digital signature
Policies define which signing certificates to trust

7 How Device Guard Works
Policy sources: Active Directory, Configuration Manager, Microsoft Intune
Policy applied to clients
Administrator defines trusted signing certificates in policy (signers in the diagram: Microsoft, HP, Adobe)
Code Integrity: only trusted applications can execute (applications in the diagram: Microsoft Word, HP printer driver, FileZilla FTP, an unsigned app)

8 Are you ready? Windows 10 Advanced Security Assessment

9 Prerequisites for being “Ready”
Infrastructure: Group Policy, file share, PKI/certificates
Hardware/Firmware: UEFI & Secure Boot, virtualization extensions, TPM 1.2 or 2.0
Operating System: Windows 10 Enterprise/LTSB/Education, Hyper-V, Virtualization Based Security (VBS)

10 Assess Endpoint Readiness
Assessment Tools: Dell Command Monitor, OEM supported tools, 1E Intelligence - FREE!!
References: manager-inventory/

11 1E Intelligence

12 Considering the deployment options
What is the timeline to secure, and how much effort are you willing to invest?
In-place upgrade: UEFI + Secure Boot strategy and required features
Bare metal and refresh: build steps to ensure compliance

13 Assessing Application Footprint

14 Associate Applications with the Enterprise
Identify the who/what/where: usage vs installation
Determine/define relationships
Using Device Guard for governance: drive business to IT; ensure apps are signed and trusted, i.e. the “Circle of Trust”
Protect sensitive systems immediately: force restrictions on unsigned apps now

15 Understanding Trustworthy Apps
Table columns: Type, Digitally Signed (native), Digitally Signed (using Catalog files)
Types: Universal Windows; Legacy/Classic/3rd Party; Custom-developed

16 Application Compatibility Toolkit

17 Migrate to Windows 10 Starting with a secure baseline

18 Enable and configure Device Guard: Offline Servicing
DISM
Dism /Mount-Wim /WimFile:<pathToImageFile> /Index:<#> /MountDir:<pathToMountDir>
Dism /Image:<pathToMountDir> /Enable-Feature /FeatureName:Microsoft-Hyper-V /All
Dism /Image:<pathToMountDir> /Enable-Feature /FeatureName:IsolatedUserMode /All
Dism /Unmount-Wim /MountDir:<pathToMountDir> /Commit
PowerShell
Mount-WindowsImage -ImagePath <ImageFile> -Index <#> -Path <pathToMountDir>
Enable-WindowsOptionalFeature -Path <pathToMountDir> -FeatureName "Microsoft-Hyper-V" -All
Enable-WindowsOptionalFeature -Path <pathToMountDir> -FeatureName "IsolatedUserMode" -All
Dismount-WindowsImage -Path <pathToMountDir> -Save

19 Demo 3 Enabling Device Guard during OSD Connect to 1EPRDSCCMUK01

20 Enable and configure Device Guard: OSD #1
Set the SMSTSPostAction variable to create a scheduled task that runs GPUPDATE.EXE after the TS ends and the PC has rebooted

21 Enable and configure Device Guard: OSD #2
Use DISM.EXE to install/add Microsoft Hyper-V

22 Enable and configure Device Guard: OSD #3
Use DISM.EXE to install/add Microsoft Hyper-V admin tools

23 Enable and configure Device Guard: OSD #4
Use DISM.EXE to install/add IsolatedUserMode (only required in 1511). In Redstone, the upcoming Anniversary build, IsolatedUserMode is part of Hyper-V, so this step can be removed.

24 Enable and configure Device Guard: OSD #5
Enable Secure Boot with DMA protection. If the machine does not support DMA protection, it falls back to Secure Boot without DMA protection.

25 Enable and configure Device Guard: OSD #6
Enable HVCI

26 Enable and configure Device Guard: OSD #7
Enable Virtualization Based Security (Device Guard)

27 Enable and configure Device Guard: OSD #8
Enable Virtualization Based Security (Credential Guard)
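The eight OSD steps above as one task-sequence "Run PowerShell Script" step, added here as an example and not a script from the deck or from 1E/Dell. It runs against the online image; the registry values follow Microsoft's manual-enable documentation for Device Guard and Credential Guard on Windows 10 1511/1607, and the task name is a placeholder.

```powershell
# Added example (not from the slide deck): OSD steps #1-#8 in one script.
# Registry values per Microsoft's Device Guard / Credential Guard docs for 1511/1607;
# confirm against the build you actually deploy.
$ErrorActionPreference = 'Stop'

# Step #1: SMSTSPostAction runs after the TS completes; it registers a one-shot task
# that runs GPUPDATE at the next startup so the Device Guard GPO lands after the reboot.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('SMSTSPostAction') =
    'schtasks.exe /Create /F /TN DG-PostOSD-GPUpdate /SC ONSTART /RU SYSTEM ' +
    '/TR "cmd.exe /c gpupdate.exe /force && schtasks.exe /Delete /F /TN DG-PostOSD-GPUpdate"'

# Steps #2-#4: Hyper-V, its admin tools, and IsolatedUserMode (separate feature only before 1607).
$features = @('Microsoft-Hyper-V',
              'Microsoft-Hyper-V-Management-PowerShell',
              'Microsoft-Hyper-V-Management-Clients')
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($build -lt 14393) { $features += 'IsolatedUserMode' }   # 14393 = Anniversary Update
foreach ($f in $features) {
    # /NoRestart: the task sequence owns the reboot
    & dism.exe /Online /Enable-Feature /FeatureName:$f /All /NoRestart | Out-Null
    if ($LASTEXITCODE -notin 0, 3010) { throw "DISM failed on $f (exit $LASTEXITCODE)" }
}

# Steps #5-#7: VBS with Secure Boot + DMA protection (3); the OS falls back to Secure Boot
# alone on platforms without DMA protection. HVCI protects kernel-mode code integrity.
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures  -Value 3 -Type DWord
Set-ItemProperty -Path $dg -Name HypervisorEnforcedCodeIntegrity  -Value 1 -Type DWord

# Step #8: Credential Guard. LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
```

The UEFI-locked settings (LsaCfgFlags 1, and a Locked value under DeviceGuard if you add one) cannot be undone by a later registry change alone, so pilot with the unlocked variants first.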

28 Converting BIOS to UEFI: Using OEM tools
IF Legacy BIOS THEN must convert to UEFI native and enable Secure Boot during the deployment, i.e. BIOS-to-UEFI/GPT (zero touch) + Bare Metal
UEFI (native) with Secure Boot disabled OR UEFI (hybrid) with GPT disk: convert to UEFI native and enable Secure Boot during deployment, i.e. In-Place Upgrade
Pros: Guaranteed to

29 Device Guard Pilot Getting started with code integrity policies
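A pilot code integrity policy that puts the "How Device Guard Works" model (trust by signing certificate) into an audit-mode policy, added here as an example and not from the deck. It uses the built-in ConfigCI cmdlets; the working folder is a placeholder, and the event-data field index is read from the 3076 event template and should be checked on your build.

```powershell
# Added example (not from the slide deck): generate a Publisher-level CI policy from a
# known-good reference machine, deploy it in audit mode, and report what it would have blocked.
$ErrorActionPreference = 'Stop'
$workDir = 'C:\DGPilot'                                   # placeholder working folder
New-Item -Path $workDir -ItemType Directory -Force | Out-Null
$xml = Join-Path $workDir 'InitialScan.xml'

# -Level Publisher: trust by signing certificate (the deck's "circle of trust").
# -Fallback Hash: unsigned binaries found on the reference image get hash rules so they
# keep running; each one is a candidate to get signed or retired before enforcement.
# -UserPEs: include user-mode binaries (sets option 0, Enabled:UMCI).
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -UserPEs 3> $null

# Option 3 = Enabled:Audit Mode. Violations are logged, nothing is blocked yet.
Set-RuleOption -FilePath $xml -Option 3

# Compile to the binary form the kernel loads and stage it; takes effect after reboot.
$bin = Join-Path $workDir 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# Pilot review after some runtime: event 3076 in the CodeIntegrity log is "would have
# been blocked, allowed because of audit mode". Group by image path to see what needs
# signing, a catalog, or a policy rule before switching to enforcement.
function Get-CIAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[1].Value } |   # FileNameBuffer field of the 3076 event
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-CIAuditFindings | Format-Table -AutoSize
```

To move from pilot to enforcement, remove the audit option with Set-RuleOption -Option 3 -Delete, re-run ConvertFrom-CIPolicy, and redeploy the .p7b.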

30 And Then …

