MANAGEMENT ANTIMALWARE PLATFORM Microsoft Malware Protection Center Dynamic Signature Svc Available only in Windows 8 Endpoint Protection Management.

4 Diagram labels: MANAGEMENT; ANTIMALWARE; PLATFORM; Microsoft Malware Protection Center; Dynamic Signature Svc; Available only in Windows 8; Endpoint Protection Management; Software Updates + SCUP; Operating System Deployment; Settings Management; Antimalware; Dynamic Translation; Behavior Monitoring; Software Distribution; Vulnerability Shielding; Windows Defender Offline; Internet Explorer; BitLocker; AppLocker; Address Space Layout Randomization; Data Execution Prevention; User Access Control; Secure Boot through UEFI; Windows Resource Protection; Measured Boot; Early Launch Antimalware (ELAM); MDM; Software Updates; ELAM & Measured Boot; Cloud clean restore

5 Real time Endpoint Protection operations from console
Simplified Administration
Single administrator experience for simplified endpoint protection and management
Simplified, 3X delivery of definitions through software updates
Malware-driven operations from the console
Client-side merge of antimalware policies
Integrated optimizations for Windows Embedded clients
New and improved Endpoint Protection client

11 Diagram labels: PRIMARY SITE; Hierarchy (Forest1); Hierarchy (Forest2); Client; Software Update Point 1; Software Update Point 2; Software Update Point 3; Software Update Point 4; Client.Forest1; Client.Forest2

13 Common antimalware platform across Microsoft AM clients
Proactive protection against known and unknown threats
Reduced complexity while protecting clients
Enhanced Protection
Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
Integration with UEFI Trusted Boot, early-launch antimalware

14 Diagnostics and Recovery Toolkit Windows Defender Offline

15 Updates Engine and Definitions Policy Status Events ConfigMgr Samples, Telemetry, DSS

16 Live system monitoring identifies new threats
• Tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly
Updates for new threats delivered through the cloud in real time
• Real time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates
Diagram labels: RESEARCHERS; REPUTATION; REAL-TIME SIGNATURE DELIVERY; BEHAVIOR CLASSIFIERS; Microsoft Active Protection Service; Properties/Behavior; Real-time signature; Sample request; Sample submit; step numbers 1, 2, 3, 4

17 Industry-leading proactive detection
• Emulation based detection helps provide better protection
• Safe translation in a virtual environment for analysis
Enables faster scanning and response to threats
• Heuristics enable one signature to detect thousands of variants
Diagram labels: Real Time Protection Driver Intercepts; Potential Malware Execution attempt on the system; VIRTUALIZED RESOURCES; Safe Translation Using DT; Malware Detected; Malicious File Blocked

18 Advanced system file cleaning through replacement
• Replaces infected system files with clean versions from a cloud source.
• Uses a trusted Microsoft cloud source for the replacement file
• Restart requirements orchestrated on system and wired to client UI (for in use file replacement).
Diagram labels: Microsoft Symbol Store; System file compromise detected (RTP or scan); Compromised file replaced; Request new file; Download replacement file; step numbers 1, 2, 3, 4

20 Windows 7
• Malware is able to boot before Windows and Anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before AM starts
Windows 8
• Secure Boot loads Anti-Malware early in the boot process
• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection

21 Windows 7
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when TPM is present. BitLocker not required

22 Diagram labels: UEFI Boot; Windows OS Loader; Windows Kernel and Drivers; AM Software; Boot Policy; AM Policy; 3rd Party Software; Windows Logon; TPM; Client; Remote Attestation Service; Client Health Claim; Remote Resource (File Server)
Step 1: Secure Boot prevents malicious OS loader
Step 2: AM software is started before all 3rd party software
Step 3: Measurements of components including AM software are stored in the TPM
Step 4: Client attempts to access resource. Server requests Client Health Claim.
Step 5: Client retrieves TPM measurements of client and sends it to Remote Attestation Service
Step 6: Remote Attestation Service issues Client Health Claim to Client
Step 7: Client provides Client Health Claim. Server reviews and grants access to healthy clients.

23 Simple interface
• Minimal, high-level user interactions
Administrative Control
• User configurability options
• Central policy enforcement
• UI Lockdown and disable
Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching
Minimal network and client impact of definition updates

27 Resources:
• Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
• Operating System Deployment and Endpoint Protection Client Installation
• Software Update Content Cleanup in System Center 2012 Configuration Manager
• Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
• Managing Software Updates in Configuration Manager 2012
• Endpoint Protection by the numbers
• Group Policy Preferences and Software Updates
• Software Update Points in Configuration Manager 2012 SP1
• How-to-Videos
• Product Documentation
• Security and Compliance Manager – Configuration Packs

31 Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
