The document discusses new features and improvements in MBAM 2.5, including improved compliance and encryption enforcement through added grace periods, support for complex PINs and FIPS 140-2 standards. It also covers enhanced performance, localization support for 11 languages, improved Active Directory integration, and support for enterprise scenarios through features like load balancing and high availability configurations.
This document provides an overview of managing BitLocker encryption with Microsoft Desktop Optimization Pack (MDOP). It discusses using BitLocker encryption to encrypt drives on devices and the benefits of using disk encryption. It then compares managing BitLocker without Microsoft BitLocker Administration and Monitoring (MBAM) versus using MBAM. Managing BitLocker without MBAM involves manual scripts and management with no reporting capabilities, while MBAM simplifies deployment, provides reporting on compliance and auditing, and reduces support costs through improved key recovery.
BitLocker Drive Encryption: How it Works and How it Compares (Lumension)
Endpoint security is a rat’s nest of issues, risks and attack vectors. But one thing’s for sure, there is no substitute for encryption - both of local hard drives and removable storage devices. So why are so few of us using encryption at the endpoint?
View this presentation as Randy Franklin Smith from Ultimate Windows Security discusses:
* How to effectively deploy BitLocker and BitLocker To Go
* How well BitLocker To Go does at protecting data on removable devices
* Why you need to go beyond encryption and think about how to manage endpoint security holistically
This document provides an overview of BitLocker encryption in Windows and discusses:
- Why encryption is needed to protect lost or stolen devices and secure data.
- The basics of how BitLocker works including how the full volume encryption key is protected by the volume master key stored on the TPM chip.
- Different protector options for the master key like passwords, USB keys, and TPM authentication.
- Ways an attacker could try to bypass BitLocker including guessing passwords, DMA attacks to access memory, and cold boot attacks.
- Recommendations for implementing BitLocker securely including using a TPM without additional authentication for most devices and disabling DMA ports.
This chapter discusses operating systems such as Windows 2000, Windows XP, and Windows Vista. It covers installing, navigating, maintaining, and troubleshooting operating systems. The chapter objectives are to explain operating systems and determine the appropriate one based on customer needs. Activities include labs on installing Windows, creating user accounts, and managing system files and device drivers. New terms introduced include files, directories, kernels, partitions, and backups.
The document provides an overview of the System Client software. It discusses compatibility with different operating systems, installation and deployment across Windows, Linux and MacOS, and the main interface components including the dashboard, management tree, and detail tabs for system, hardware, network, storage and software information. The software allows monitoring of systems from a web browser and provides color-coded health indicators for easy visualization of system status.
In this session we will look at Windows Vista SP1 improvements and how to deploy Windows Vista SP1 using a variety of scenarios. We will cover Windows Vista features, what's in SP1, what you need to know before deploying and the pre-deployment tasks. Once ready we will then walk you through deploying Windows Vista SP1 via Windows update, Windows Server Update Services (WSUS), the installer executable, Windows Deployment Services, and System Center Configuration Manager.
The document provides an overview of new features in Windows 7, organized into three sessions:
1) Security Features such as User Account Control changes, BitLocker, and AppLocker application control.
2) Networking Functionality like DirectAccess for remote access and BranchCache for caching content at branch offices.
3) Other Features including Libraries for file management, Problem Steps Recorder for troubleshooting, and interface improvements.
Introduction to Endpoint Encryption
If you are using a computer or a removable USB drive, chances are that you have sensitive data on these devices. Whether it is a home computer with family finances, a work computer with sensitive corporate information or a thumb drive with government secrets, you need to ensure that there is no unauthorised access to that data should the device be lost or stolen.
Endpoint encryption, also known as disc encryption, protects this data, rendering it unreadable to unauthorised users. This paper describes the differences between endpoint and file encryption, details how endpoint encryption works and addresses recovery mechanisms.
What is Endpoint Encryption
Endpoint Encryption versus File Encryption
When it comes to encrypting data there are various encryption strategies.
Endpoint encryption protects a disc in the event of theft or accidental loss by encrypting the entire disc, including swap files, system files and hibernation files. If an encrypted disc is lost, stolen or placed into another computer, the encrypted state of the drive remains unchanged, ensuring only an authorised user can access its contents.
Endpoint encryption cannot, however, protect your data when you have logged into the system during startup and then leave your computer unattended. In this case, your system has been unlocked and unauthorised users can access it just as an authorised user could.
This is where file encryption comes in.
Just like an alarm system protects an entire home and a safe provides additional security, endpoint encryption protects the entire system and file encryption provides an additional layer of security.
File encryption encrypts specific files so that, even after a user has successfully authenticated to the operating system, the contents of the file remain encrypted. An application such as Symantec™ File Share Encryption can protect individual files and folders, prompting the user for a passphrase to permit access. File encryption requires user action, while drive encryption automatically encrypts everything you or the operating system creates. File encryption can also be paired with an encryption policy server, which allows IT administrators to create and deliver encryption rules across an organisation, including automatically encrypting files from specified applications and/or folders.
This document provides an overview and agenda for an SCCM 2016-17 administration training which covers topics such as Windows Server 2012 R2, Active Directory, SQL Server, SCCM architecture, site deployment, client management, software and application deployment, inventory management, software updates, endpoint protection, operating system deployment, compliance settings, remote control, maintenance and monitoring, mobile device management, and interview questions. The training will include discussions of SCCM features, comparisons of different versions, site roles, deployment scenarios, and configuration of various SCCM components and capabilities.
This document provides an overview and comparison of Microsoft's data protection solutions: BitLocker Drive Encryption (BDE), Encrypting File System (EFS), and Rights Management Services (RMS). BDE encrypts the entire hard drive to protect data when a device is lost or stolen. EFS encrypts individual files and folders on a system and when files are shared remotely. RMS allows document owners to control usage rights and enforce policies when content is distributed externally.
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy... (Iftikhar Ali Iqbal)
Provides a brief comparison between endpoint protection solutions provided by Symantec and Sophos based on threat intelligence network, third-party reports, key differentiators and removal information.
Managing Mobile Devices with Windows Intune and SCCM 2012 (Adrian Stoian) (ITCamp)
In this session we will discuss the features provided by Windows Intune and System Center 2012 Configuration Manager to manage mobile devices using Windows Phone, Windows RT, Android and iOS.
We will discuss the configuration steps and the integration between the two platforms using Windows Intune Connector.
ITCamp 2013 - Adrian Stoian - What's new in ConfigMgr 2012 SP1 (ITCamp)
This document summarizes a presentation on new features in System Center 2012 Configuration Manager. The presentation covers changes to managing devices in enterprise environments, including support for Windows 8 applications, Always On devices, and metered network connections. It also discusses expanded device management for platforms like Android, iOS, and Mac OS X. The presentation reviews how Configuration Manager 2012 provides a unified infrastructure through features like reduced site requirements and cloud-based distribution points. It concludes with topics on simplified administration through improved user interfaces, Application Virtualization support, expanded PowerShell capabilities, and operating system deployment enhancements.
This document provides an overview and summary of key features of Microsoft Server 2003 Service Pack 1. Some key points include:
- Service Pack 1 incorporates security technologies to reduce the attack surface and ease administration tasks related to server security. It enhances features like file/print services, internet/application services, and management/security.
- New features include improvements to download/attachment prompts, published verification for installs, data execution prevention, DCOM security, administrator tools, and Internet Explorer management.
- Virtual Server 2005 allows consolidation of server workloads and migration of legacy applications while improving hardware efficiency and manageability. It provides virtualization of PC and server hardware without emulating the operating system.
Automated Operating System Deployment Using SCCM 2012 (Abdelslam Elsobky)
Microsoft System Center 2012 Configuration Manager (SCCM 2012) provides automated operating system deployment (OSD) capabilities. It allows IT administrators to fully deploy and configure laptops and desktops from any initial state, including bare-metal installations. SCCM 2012 offers benefits like saving time and effort through one-touch installation, capturing existing settings during re-installations, allowing multiple deployments simultaneously, and automatically backing up user data to eliminate human errors. The presentation covers OSD workflows for clean installations and refresh installations, as well as methods for backing up data, installing drivers, and the added business value of automated deployment over traditional manual installation methods.
This document provides 3 technical support summaries from a readme file for IBM Personal Communications V4.30:
1) Installation problems may occur on machines with Microsoft Windows NT 4.0 without service packs. Applying the latest service pack is recommended before installing Personal Communications.
2) When using an IBM Wide Area PCI Adapter, "OEM" must be selected as the interface for emulator sessions or "OEM-SYNgate" for device or connection configurations in SNA Node Configuration.
3) Icon problems may occur when using Excel 7.0 and embedding Personal Communications as an out-of-place object if Personal Communications was installed to a path containing spaces in directory names.
This document provides an overview of operating systems and covers topics such as the characteristics, basic functions, types, installation, and customization of operating systems. It discusses desktop and network operating systems like Windows, Mac OS, and Linux. The document explains how to select an operating system based on customer needs, install and upgrade operating systems, set up user accounts, and navigate the Windows desktop interface. It also covers operating system directories, files, virtualization, and troubleshooting techniques.
This document provides a troubleshooting guide for digital video surveillance systems. It outlines various tools and steps technicians can take to diagnose issues, including checking system resources through Task Manager and Resource Monitor, monitoring long-term performance with Performance Monitor, and using tools like RealTemp to check temperatures and GPUZ to monitor graphics card usage. The guide also lists common questions to ask to understand the problem environment and topology of the surveillance system.
Get to know the new features of Windows 7 in condensed form:
- UAC (User Account Control) – fine-grained tuning
- BitLocker Data Encryption for portable data storage devices
- AppLocker - creating and applying rules to restrict which applications may run
- Improved security through Windows Defender
- DirectAccess – better connectivity for remote users
- Better navigation and organisation thanks to the updated Taskbar and Control Panel
- Windows Backup & Restore
- Effective troubleshooting with the help of: Problem Steps Recorder, Performance Monitor, Event Viewer, Windows PowerShell 2.0
This document discusses Citrix's Remote PC technology which allows users to access physical PCs remotely using a virtual desktop. It provides an overview of FlexCast technology, the Remote PC service architecture, and licensing considerations. The Remote PC service runs on physical PCs and integrates with XenDesktop to provide remote access to office desktops in a simple and secure manner without requiring VPNs. Licensing is covered per user or device and does not require additional VDA licenses beyond the existing XenDesktop subscription.
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management (Dsunte Wilson)
You can centrally manage all types of servers from the Admin page in the Symantec Endpoint Protection Manager Console.
The Admin page, under View Servers, lists the following groupings:
■ Local Site
The console on the local site, databases, replication partners, such as other consoles whose databases replicate, and optional Enforcers
■ Remote Sites
The console on any remote site, databases, replication partners, such as other management servers whose databases replicate, and optional Enforcers
The document discusses Microsoft's antimalware management platform which provides a common antimalware platform across Microsoft clients with proactive protection against known and unknown threats while reducing complexity. It integrates features such as early-launch antimalware, measured boot, and secure boot through UEFI to prevent malware from bypassing antimalware inspection during the boot process. The platform also provides simplified administration through a single console experience for endpoint protection and management.
This document discusses strategies for managing corporate and personal devices in a heterogeneous environment. For corporate devices, IT owns and controls the devices, hardware, applications, and configurations. Systems are homogenous and enforced through policies. For personal devices, IT uses a "system of least control" with heterogeneous systems. Users have more control and access apps and data through self-service and app stores. The strategies aim to meet IT standards while empowering users and ensuring key constraints are applied.
Strengthen Password Security for IBM i With Multi-Factor Authentication (Precisely)
Stories of data breaches caused by stolen or guessed passwords have increased scrutiny around login practices.
Multi-factor authentication has become best practice for strengthening login security and is now required by regulations such as the latest PCI Data Security Standard, the New York Department of Financial Services’ Cybersecurity Regulation (23 NYCRR 500) and more.
Join us as we discuss how multi-factor authentication can be implemented for IBM i users to strengthen security and meet compliance requirements.
During this webinar, you will learn more about:
- What true multi-factor authentication really is
- Authentication options and tradeoffs
- Tips on implementing multi-factor authentication for IBM i
MDOP session from Microsoft partner boot camp (Olav Tvedt)
This document summarizes Advanced Group Policy Management (AGPM), a tool that enhances group policy management in Microsoft environments. AGPM provides versioning, history, and rollback of group policy changes. It enables change management workflows and role-based administration with delegation controls. Customers report that AGPM gives them better control over group policies and reduces downtime from misconfigured policies. The architecture involves a server component that stores backups of group policy objects and an administrative client.
The document discusses shielded virtual machines (VMs) which are a new security feature in Windows Server 2016 that protects VMs from potential compromise of the host machine. Shielded VMs use virtual secure mode and virtual trust levels to isolate VM memory and processors from the host. The host guardian service verifies that the host is authorized to run a shielded VM by checking a store of keys for trustworthy hosts.
Introduction to Endpoint Encryption
If you are using a computer or a removable USB drive, chances are that you have sensitive data on these devices. Whether it is a home computer with family finances, a work computer with sensitive corporate information or a thumb drive with government secrets, you need to ensure that there is no unauthorised access to that data should the device be lost or stolen.
Endpoint encryption, also known as disc encryption, protects this data, rendering it unreadable to unauthorised users. This paper describes the differences between endpoint and file encryption, details how endpoint encryption works and addresses recovery mechanisms.
What is Endpoint Encryption
Endpoint Encryption versus File Encryption
When it comes to encrypting data there are various encryption strategies.
Endpoint encryption protects a disc in the event of theft or accidental loss by encrypting the entire disc including swap files, system files and hibernation files. If an encrypted disc is lost, stolen or placed into another computer, the encrypted state of the drive remains
unchanged, ensuring only an authorised user can access its contents.
Endpoint encryption cannot however, protect your data when you have logged into the system during startup and leave your computer unattended. In this case, your system has been unlocked and unauthorised users can access your system just as an authorised user could.
This is where file encryption comes in.
Just like an alarm system protects an entire home and a safe provides additional security, endpoint encryption protects the entire system and file encryption provides an additional layer of security.
File encryption encrypts specific files so that when a user successfully authorises to an operating system, the contents of the file still remain encrypted. An application such as Symantec™ File Share Encryption can protect individual files and folders, prompting the user for
a passphrase to permit access. File encryption requires user action while drive encryption automatically encrypts everything you or the operating system creates. File encryption can also be paired with an encryption policy server which allows IT administrators to create and
deliver encryption rules across an organisation, including automatically encrypting files from various applications and/or folders.
This document provides an overview and agenda for an SCCM 2016-17 administration training which covers topics such as Windows Server 2012 R2, Active Directory, SQL Server, SCCM architecture, site deployment, client management, software and application deployment, inventory management, software updates, endpoint protection, operating system deployment, compliance settings, remote control, maintenance and monitoring, mobile device management, and interview questions. The training will include discussions of SCCM features, comparisons of different versions, site roles, deployment scenarios, and configuration of various SCCM components and capabilities.
This document provides an overview and comparison of Microsoft's data protection solutions: BitLocker Drive Encryption (BDE), Encrypting File System (EFS), and Rights Management Services (RMS). BDE encrypts the entire hard drive to protect data when a device is lost or stolen. EFS encrypts individual files and folders on a system and when files are shared remotely. RMS allows document owners to control usage rights and enforce policies when content is distributed externally.
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...Iftikhar Ali Iqbal
Provides a brief comparison between endpoint protection solutions provided by Symantec and Sophos based on threat intelligence network, third-party reports, key differentiators and removal information.
Managing Mobile Devices with Windows Intune and SCCM 2012 (Adrian Stoian)ITCamp
In this session we will discuss the features provided by Windows Intune and System Center 2012 Configuration Manager to manage mobile devices using Windows Phone, Windows RT, Android and iOS.
We will discuss the configuration steps and the integration between the two platforms using Windows Intune Connector.
ITCamp 2013 - Adrian Stoian - Whats new in ConfigMgr 2012 SP1ITCamp
This document summarizes a presentation on new features in System Center 2012 Configuration Manager. The presentation covers changes to managing devices in enterprise environments, including support for Windows 8 applications, Always On devices, and metered network connections. It also discusses expanded device management for platforms like Android, iOS, and Mac OS X. The presentation reviews how Configuration Manager 2012 provides a unified infrastructure through features like reduced site requirements and cloud-based distribution points. It concludes with topics on simplified administration through improved user interfaces, Application Virtualization support, expanded PowerShell capabilities, and operating system deployment enhancements.
This document provides an overview and summary of key features of Microsoft Server 2003 Service Pack 1. Some key points include:
- Service Pack 1 incorporates security technologies to reduce the attack surface and ease administration tasks related to server security. It enhances features like file/print services, internet/application services, and management/security.
- New features include improvements to download/attachment prompts, published verification for installs, data execution prevention, DCOM security, administrator tools, and Internet Explorer management.
- Virtual Server 2005 allows consolidation of server workloads and migration of legacy applications while improving hardware efficiency and manageability. It provides virtualization of PC and server hardware without emulating the operating system.
Automated Operating System Deployment Using SCCM 2012Abdelslam Elsobky
Microsoft System Center 2012 Configuration Manager (SCCM 2012) provides automated operating system deployment (OSD) capabilities. It allows IT administrators to fully deploy and configure laptops and desktops from any initial state, including bare-metal installations. SCCM 2012 offers benefits like saving time and effort through one-touch installation, capturing existing settings during re-installations, allowing multiple deployments simultaneously, and automatically backing up user data to eliminate human errors. The presentation covers OSD workflows for clean installations and refresh installations, as well as methods for backing up data, installing drivers, and the added business value of automated deployment over traditional manual installation methods.
This document provides 3 technical support summaries from a readme file for IBM Personal Communications V4.30:
1) Installation problems may occur on machines with Microsoft Windows NT 4.0 without service packs. Applying the latest service pack is recommended before installing Personal Communications.
2) When using an IBM Wide Area PCI Adapter, "OEM" must be selected as the interface for emulator sessions or "OEM-SYNgate" for device or connection configurations in SNA Node Configuration.
3) Icon problems may occur when using Excel 7.0 and embedding Personal Communications as an out-of-place object if Personal Communications was installed to a path containing spaces in directory names.
This document provides an overview of operating systems and covers topics such as the characteristics, basic functions, types, installation, and customization of operating systems. It discusses desktop and network operating systems like Windows, Mac OS, and Linux. The document explains how to select an operating system based on customer needs, install and upgrade operating systems, set up user accounts, and navigate the Windows desktop interface. It also covers operating system directories, files, virtualization, and troubleshooting techniques.
This document provides a troubleshooting guide for digital video surveillance systems. It outlines various tools and steps technicians can take to diagnose issues, including checking system resources through Task Manager and Resource Monitor, monitoring long-term performance with Performance Monitor, and using tools like RealTemp to check temperatures and GPUZ to monitor graphics card usage. The guide also lists common questions to ask to understand the problem environment and topology of the surveillance system.
Запознайте се с новите характеристики на Windows 7 в синтезиран вид:
- UAC (User Account Control) – прецизно настройване
- BitLocker Data Encryption за преносими устройства за съхранение на данни
- AppLocker - създаване и прилагане на правила за ограничаване на изпълнимите приложения
- Повишаване на сигурността чрез Windows Defender
- DirectAccess – по-добра свързаност за отдалечени потребители
- По-добра навигация и организираност, благодарение на обновените Тaskbar и Control Panel
- Windows Backup & Restore
- Ефективен troubleshooting с помощта на: Problem Steps Recorder, Performance Monitor, Event Viewer, Windows PowerShell 2.0
7. BitLocker Modes
Basic mode:
• TPM only
• Password only (Windows 8; no TPM required)
Advanced modes:
• TPM + PIN
• TPM + USB dongle (startup key)
• USB dongle (startup key) only
• TPM + PIN + USB dongle (startup key)
8. BitLocker Is Vulnerable When:
• The disk has not yet been fully encrypted (plaintext sectors remain until encryption completes)
• You don't use a PIN
Especially if the computer has, or might get:
- FireWire
- Thunderbolt
(both give DMA access to memory, where the key is loaded once a TPM-only system has booted)
• A fake BIOS startup screen is shown (to capture the PIN)
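The checks on this slide, turned into an audit script. This is an added example, not code from the deck: it uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later) to flag a volume that is still encrypting, has protection off, boots without a PIN, has a DMA-capable FireWire/Thunderbolt controller, or lacks a recovery password. The function name, the risk wording and the device-name regex are this example's own.

```powershell
# Added example (not from the original deck): audit a volume against the
# weaknesses listed on slide 8. Needs the BitLocker module (Windows 8 /
# Server 2012 or later); run from an elevated prompt. The function name,
# the findings text and the port-name heuristic are assumptions of this
# example, not something the deck or Microsoft defines.

function Get-BitLockerExposure {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Encryption still in progress: plaintext sectors remain on disk.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add(("Volume {0} is {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage))
    }
    # Protection off = suspended or pre-provisioned: the key is on disk in the clear.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is OFF: the volume master key is stored unprotected")
    }

    # 2. No PIN: a TPM-only protector releases the key automatically at boot,
    #    which is exactly the window a DMA attack over FireWire/Thunderbolt needs.
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (-not $hasPin -and (($types -contains 'Tpm') -or ($types -contains 'TpmStartupKey'))) {
        $findings.Add("No PIN: protectors are [$($types -join ', ')]; the key loads with no user present")
    }

    # 3. DMA-capable ports. Heuristic match on PnP device names (Win32_PnPEntity
    #    works on Windows 7 as well); adjust the pattern for your fleet.
    $dma = Get-WmiObject Win32_PnPEntity |
           Where-Object { $_.Name -match '1394|FireWire|Thunderbolt' }
    if ($dma -and -not $hasPin) {
        $names = ($dma | Select-Object -ExpandProperty Name) -join '; '
        $findings.Add("DMA-capable controller(s) present without a PIN: $names")
    }

    # 4. No recovery password: a lost PIN or a TPM reset means a lost volume.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("No recovery password protector: nothing to escrow in AD or MBAM")
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Protectors = $types
        Findings   = $findings
        Exposed    = ($findings.Count -gt 0)
    }
}

Get-BitLockerExposure -MountPoint 'C:' | Format-List
```

Any finding from checks 1 or 2 is the condition the slide describes: a cold-boot or DMA attacker only needs the machine to be powered on (or to boot it) while the key is reachable in RAM, so TPM-only plus an exposed DMA port should be treated as unprotected rather than "encrypted".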
9. BitLocker Requirements
• A computer running:
• Windows 7 Enterprise/Ultimate
• Windows 8 Pro/Enterprise
• Windows Server 2008 R2
• Windows Server 2012
• With TPM:
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
• Removable storage (for a startup key or recovery key):
• USB
• Floppy
• Memory card
10. Enable BitLocker On A Virtual Machine For TESTING:
1. Set "Allow BitLocker without a compatible TPM" in a GPO
2. Create a virtual floppy disk (attached to the VM as A:)
3. Enable BitLocker with manage-bde (recovery password plus a startup key on the floppy):
cscript C:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
4. Restart, and encryption will start
Windows 8 can use a password protector directly in a virtual environment (no startup key needed)
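The four steps above carried through as one script, as an added example that is not part of the deck. It writes the local registry values behind the "Require additional authentication at startup" policy (the GPO the slide refers to; on a domain-joined VM set them through the GPO instead, or Group Policy will overwrite them), then runs manage-bde.exe, which exists on Windows 7 / Server 2008 R2 and later, with the same -rp and -sk protectors as the slide. The drive letters and the .BEK check are assumptions of this example.

```powershell
# Added example (not from the original deck): slide-10 test-VM procedure.
# Run elevated inside the VM; A: must be the attached, writable virtual
# floppy. Lab use only: a startup key on a floppy image is not a
# production protector.

$fve             = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osDrive         = 'C:'
$startupKeyDrive = 'A:'

# 1. Policy. These DWORDs are what the GPO "Require additional authentication
#    at startup" writes; EnableBDEWithNoTPM is the "Allow BitLocker without a
#    compatible TPM" checkbox. 2 = allowed, 1 = required, 0 = not allowed.
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# 2. The virtual floppy must be present: manage-bde writes the .BEK file there.
if (-not (Test-Path "$startupKeyDrive\")) {
    throw "Startup key drive $startupKeyDrive is not attached to the VM"
}

# 3. Enable BitLocker: -RecoveryPassword (-rp) adds the 48-digit recovery
#    password, -StartupKey (-sk) stores a startup key on the floppy.
#    Record the recovery password that manage-bde prints.
& manage-bde.exe -on $osDrive -RecoveryPassword -StartupKey $startupKeyDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Windows 8 alternative: a password protector needs no floppy.
# & manage-bde.exe -on $osDrive -RecoveryPassword -Password

# 4. Confirm the (hidden) .BEK landed on the floppy before rebooting, or the VM
#    will stop at the BitLocker pre-boot prompt. Encryption starts after the
#    restart once the hardware test passes.
$bek = Get-ChildItem -Path "$startupKeyDrive\" -Filter '*.BEK' -Force
if (-not $bek) { throw "No .BEK startup key found on $startupKeyDrive" }
& manage-bde.exe -status $osDrive
# Restart-Computer
```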
12. BitLocker News In Windows 8
Overview
• Support for failover clusters and SAN storage
• BitLocker pre-provisioning
• Used disk space-only encryption
• Standard user PIN and password selection
• BitLocker Network Unlock
13. BitLocker News In Windows 8
BitLocker pre-provisioning
• Enable BitLocker before the OS is installed (from WinPE)
• The random encryption key is stored unprotected (a "clear key"; protection is off)
• Needs to be activated (protectors added and enabled) to protect the key
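Both halves of the pre-provisioning flow, as an added example that is not code from the deck. Phase 1 runs in WinPE (with the WinPE-SecureStartup component, which provides manage-bde.exe) before the image is applied and leaves the volume encrypted under the unprotected clear key the slide describes; phase 2 runs in the installed Windows 8 / Server 2012 OS, binds the key to the TPM and a PIN, adds a recovery password and turns protection on. The function names and the $Pin parameter are this example's own; the cmdlets are the stock BitLocker module.

```powershell
# Added example (not from the original deck): BitLocker pre-provisioning in
# two phases. Function names and parameters are this example's own.

function Invoke-BitLockerPreProvision {
    param([string]$Volume = 'C:')
    # WinPE phase. Used-space-only keeps this short on a freshly formatted
    # disk. No protector exists yet: the volume master key sits on disk in
    # the clear, so the image is NOT protected until phase 2 runs.
    & manage-bde.exe -on $Volume -UsedSpaceOnly
    if ($LASTEXITCODE -ne 0) { throw "pre-provisioning failed: exit code $LASTEXITCODE" }
    & manage-bde.exe -status $Volume    # shows Protection Off and no key protectors
}

function Invoke-BitLockerActivate {
    param(
        [string]$Volume = 'C:',
        [Parameter(Mandatory = $true)][string]$Pin   # numeric PIN per policy
    )
    # Installed-OS phase. Add the protectors first: the clear key is only
    # discarded once a real protector exists and protection is turned on.
    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint $Volume -TpmAndPinProtector -Pin $securePin | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null

    # This is the "activate" step on the slide: enable the protectors, which
    # removes the clear key. Harmless if adding a protector already did it.
    Resume-BitLocker -MountPoint $Volume | Out-Null

    # Verify: protection on and a TPM+PIN protector in place.
    $v = Get-BitLockerVolume -MountPoint $Volume
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($v.ProtectionStatus -ne 'On' -or ($types -notcontains 'TpmPin')) {
        throw "activation incomplete: status=$($v.ProtectionStatus) protectors=$($types -join ',')"
    }

    # Hand the recovery password to escrow (AD via policy, or let the MBAM
    # client pick it up); never leave it only in the console transcript.
    $v.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Phase 1 (WinPE, before applying the image):
# Invoke-BitLockerPreProvision -Volume 'C:'
# Phase 2 (first elevated session in the installed OS):
# Invoke-BitLockerActivate -Volume 'C:' -Pin '123456'
```

Until phase 2 has run, a pre-provisioned machine looks "encrypted" in a disk inventory but is not protected; the audit in the slide-8 example treats Protection Off as a finding for exactly this reason.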
15. What is Microsoft BitLocker Administration and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
GOALS ARE:
1. Simplify provisioning and deployment
2. Provide reporting (e.g. compliance & audit)
3. Reduce support costs (e.g. improved recovery)
16. Prerequisites For Server
Operating system:
Windows Server 2008 SP2 (x86/x64)
Windows Server 2008 R2
Windows Server 2012 (some issues with the web components in the beta)
Database:
Compliance and Audit Report Server
Microsoft SQL Server 2008 R2 Std/Ent/Dev
Recovery and Hardware Database Server
Microsoft SQL Server 2008 R2 Enterprise only
Security reason: Transparent Data Encryption (TDE), an Enterprise-edition feature, encrypts the database holding the recovery keys at rest
17. Installing MBAM
• Single-computer configuration
- Everything on a single server.
- Supported, but only recommended for testing purposes.
• Three-computer configuration
- Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server
- Administration and Monitoring Server feature is installed on a server
- Group Policy template is installed on a server or client computer
• Five-computer configuration
Each server feature is installed on a dedicated computer:
- Recovery and Hardware Database
- Compliance Status Database
- Compliance and Audit Reports
- Administration and Monitoring Server
- Group Policy template is installed on a server or client computer
18. Prerequisites For Clients
• A computer running:
- Windows 7 Enterprise/Ultimate
- Windows 8 Enterprise (Pro will work but not covered with SA license)
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
19. MBAM Client
Encrypt volumes BEFORE a user receives the computer:
- Works with Windows 7 deployment tools (MDT/SCCM)
- Client can:
  - Manage the TPM reboot process
  - Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
  - Recovery key escrow can be bypassed and then escrowed when the user first logs on
Best Practice
Encrypt volumes AFTER a user receives the computer:
- Client provides a policy-driven experience
- Client will manage the TPM reboot process
- Standard or Admin users can encrypt
- Only use when unencrypted machines appear on the network
20. MBAM Policy Settings
A superset of BitLocker policies
New MBAM Policies:
- Policy for Fixed Disk Volume Auto-unlock
- Hardware capability check before encryption
- Allow user to request an exemption
- Interval at which the client verifies policy compliance (default = 90 min)
Policy location:
Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
22. Compliance and Reporting
• MBAM agent collects and passes data to the reporting server
(All clients pass this up, encrypted or not. IT can clarify WHY a computer is not compliant)
• Built on SQL Server® Reporting Services (SSRS), it gives you flexibility to add your own reports
• Need to know how effective your rollout is, or how compliant your company is?
• Who has accessed keys and when, and when has new hardware been added?
• Need to know the last known state of a lost computer?
23. Central Storage of Recovery Key
Recovery Key(s) are escrowed for:
- Operating System Volume
- Fixed Data Volumes
- Removable Data Volumes
Stored outside of Microsoft Active Directory®
3-Tier Architecture:
- DB encrypted with SQL Server's Transparent Data Encryption
- Web Service API to build org-specific solutions
- All logging and authorization are done at the web service layer to ensure parity for custom apps
24. Helpdesk Key Recovery UI
MBAM provides a web page for helpdesk functionality:
- Provide BitLocker Recovery Key for authorized users
- Provide TPM unlock package for authorized users
All requests (successful or not) are logged: who, when, which volume
Role-based authorization model to get recovery info:
- Tier 1: Helpdesk needs to have a person/key match
- Tier 2: Key ID is sufficient (limited role)
Create your own custom page leveraging the web service layer
25. Single Use Recovery Keys
Once a BitLocker recovery key has been exposed, the client will create a new one:
- As part of regular client/server communication, the client checks to see if the recovery key has been exposed
- If so, the MBAM client will create a new one
- Transparent to the user
Recovery keys are created once a volume is unlocked
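The rotation the MBAM client performs when a key has been exposed, shown as an added PowerShell example using manage-bde (this is illustration code, not the MBAM client's own implementation). It assumes an elevated session on the client; the $Exposed parameter is a constructed stand-in for the server's "has this key been exposed?" answer, and escrow of the new password is left to the caller (MBAM sends it to the Recovery Database through the web service).

```powershell
# Added example (not from the slides, not the MBAM client's code): replace an exposed
# recovery password with a fresh one, which is the single-use behaviour slide 25 describes.
# Assumes an elevated PowerShell on the client. $Exposed is a constructed input standing in
# for the MBAM server's answer during the regular client/server check-in.
param(
    [string]$Volume  = 'C:',
    [bool]  $Exposed = $true     # constructed: pretend the server reported the key as exposed
)

# Recovery passwords show up in manage-bde output as "Numerical Password" protectors,
# each with an "ID: {GUID}" line; collect those GUIDs.
function Get-RecoveryProtectorIds([string]$Vol) {
    $text = (& manage-bde.exe -protectors -get $Vol -type RecoveryPassword) -join "`n"
    [regex]::Matches($text, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value } | Select-Object -Unique
}

if (-not $Exposed) {
    Write-Host "Recovery key for $Volume has not been exposed; nothing to rotate."
    return
}

$old = @(Get-RecoveryProtectorIds $Volume)
Write-Host "Exposed recovery password protector(s) on $Volume : $($old -join ', ')"

# Add the replacement first so the volume is never left without a recovery protector.
# This prints the new 48-digit password once; that is what must be escrowed.
$added = & manage-bde.exe -protectors -add $Volume -RecoveryPassword
$added

# Now remove only the exposed protector(s) by ID; the new one stays in place.
foreach ($id in $old) {
    & manage-bde.exe -protectors -delete $Volume -id $id | Out-Null
}

# Report what is left: exactly the new protector(s) the caller must escrow
# (MBAM does this for you via the web service; the old password is now useless).
$new = @(Get-RecoveryProtectorIds $Volume | Where-Object { $old -notcontains $_ })
Write-Host "Replacement recovery password protector(s): $($new -join ', ')"
& manage-bde.exe -protectors -get $Volume -type RecoveryPassword
```

Because the new protector is added before the old one is deleted, an interruption between the two steps leaves the volume with two valid recovery passwords rather than none.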
27. BitLocker With MBAM And SCCM
Overview
• Eliminates MBAM compliance infrastructure; view compliance status and reports in the SCCM Console.
• Setup integrates three elements in SCCM (Desired Configuration Management components):
- Two Configuration Items / CIs
- One Baseline
- One Collection
- Four Reports
28. BitLocker With MBAM And SCCM
Integration Components explained
• Collection: every 12 hours, finds computers with a supported OS (Win7 Ent/Ult and Win8) that are physical and have TPM 1.2 or higher.
• Configuration Baseline: verifies compliance based on what is defined in Group Policy.
• The CIs collect details and evaluate compliance status for computers.
29. BitLocker With MBAM And SCCM
Reports explained
• BitLocker Computer Compliance
Look at individual computer status of compliance
• BitLocker Enterprise Compliance Dashboard
Four views: Compliance status, Non-Compliant – error distribution,
Compliance status by drive type, Top 10 non compliant hardware
• BitLocker Enterprise Compliance Details
Compliance status of the Enterprise
• BitLocker Enterprise Compliance Summary
Summary of each Computer’s state with drill-down based on state.
30. BitLocker With MBAM And SCCM
Installation
• Make sure MBAM server and databases are in working order, then on SCCM server(s):
• Edit configuration.mof and import sms_def.mof
Look at documentation here: https://connect.microsoft.com/MDOPTAP
• Enable the Win32_Tpm class
31. BitLocker With MBAM And SCCM
Installation
• Start Server\MBAMsetup.exe, and after the initial steps, choose Topology: System Center Configuration Manager Integration:
32. BitLocker With MBAM And SCCM
Installation
• Provided the other features are up and running on other servers, choose only the System Center CM Integration feature:
33. BitLocker With MBAM And SCCM
Task Sequence
• With SCCM SP1, BitLocker support for Windows 8 and Server 2012 has been added to the Task Sequence.
• In the Client Settings you can choose to Suspend BitLocker PIN entry on restart.
34. THE END!
Olav Tvedt Reidar Johansen
Consigliore Senior Infrastructure Consultant
STEP Member, MVP Setup & Deployment