Skill 2.4: Configure security for mobile devices
the computer haven’t been compromised (altered) and if the disk is still installed in the original
You can enable BitLocker before you deploy the operating system. When you do, you can opt to
encrypt used disk space only or encrypt the entire drive.
When using BitLocker, you have the option of requiring users to enter a password to unlock the
drive when they want to use it. You also have the option of requiring multifactor authentication
perhaps by adding a smart card or a USB drive with a startup key on it on computers with a
compatible TPM. BitLocker can also be managed through Group Policy. For instance, you can require
that BitLocker be enabled before the computer can be used to store data.
Two partitions are required to run BitLocker because pre-startup authentication and system integrity
confirmation have to occur on a separate partition from the drive that is encrypted.
MORE INFO OVERVIEW AND REQUIREMENTS OF BITLOCKER
For more information about Windows BitLocker, visit: http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_Overview.
When configuring BitLocker, you must consider the following:
The requirements for hardware and software This includes TPM versions, BIOS
configuration, firmware requirements, drive size, and so on.
How to tell if your computer has a TPM An administrator might opt to type TPM.msc and
press Enter in a Run dialog box. An end user might opt to access Control Panel, All Items, open
BitLocker Drive Encryption and see if he can turn on BitLocker. If a TPM isn’t found, you’ll have
to set the required Group Policy to Require Additional Authentication At Startup, which is
located in Computer Configuration, Administrative Templates, Windows Components, BitLocker
Drive Encryption, Operating System Drives. You need to enable this and then select the Allow
BitLocker Without a Compatible TPM check box.
What credentials are required to configure BitLocker Only Administrators can manage fixed
data drives, but Standard users can manage removable data drives (the latter can be disabled in
Group Policy). Standard users can also change the PIN or password on operating system drives
to which they have access via BitLocker.
How to automate BitLocker deployment in an enterprise One way is to use the command-line
tool Manage-bde.exe. The Manage-bde parameters you might use in your own work are
detailed later in this section. There are other ways, including using Windows Management
Instrumentation (WMI) and Windows PowerShell scripts.
The reasons why BitLocker might start in recovery mode Reasons include disabling the
TPM, making changes to the TPM firmware, making changes to the master boot record, and so on.
How to manage recovery keys Recovery keys let you access a computer in the event that
BitLocker doesn’t permit access. There are many ways to store these keys for fixed drives,
including saving them to a folder or your Microsoft account online, printing them, and storing the
keys on multiple USB drives.
NOTE USING BITLOCKER WITHOUT TPM
You can only enable BitLocker on an operating system drive without a compatible TPM if the
BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment.
This is because BitLocker requires a startup key. If you do this, though, you won’t be able to take
advantage of the pre-startup system integrity verification or multifactor authentication.
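The TPM check, the "Allow BitLocker without a compatible TPM" policy, and the two-partition requirement from the list above can be verified in one place before deployment. The following PowerShell script is an added example, not code from the book; it assumes an elevated prompt on Windows 10 with the TrustedPlatformModule (Get-Tpm) and Storage (Get-Partition) modules that ship with the operating system, and the function and field names are my own.

```powershell
# Added example (not from the book): scripted BitLocker readiness check for a
# Windows 10 computer. Assumes an elevated PowerShell prompt with the
# TrustedPlatformModule (Get-Tpm) and Storage (Get-Partition) modules that
# ship with Windows 10. Function and field names are my own.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

    $r = [ordered]@{
        TpmPresent        = $false
        TpmReady          = $false
        AllowNoTpmPolicy  = $false
        SystemPartitionOk = $false
        Recommendation    = ''
    }

    # 1. TPM check: the scripted equivalent of running TPM.msc. Get-Tpm throws
    #    on machines with no TPM driver at all, which we treat as "no TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = [bool]$tpm.TpmPresent
        $r.TpmReady   = [bool]$tpm.TpmReady
    } catch { }

    # 2. Policy check: "Require additional authentication at startup" with
    #    "Allow BitLocker without a compatible TPM" is stored by Group Policy as
    #    the DWORD values UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under
    #    HKLM\SOFTWARE\Policies\Microsoft\FVE.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $p = Get-ItemProperty -Path $fve
        $r.AllowNoTpmPolicy = ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
    }

    # 3. Partition check (heuristic): BitLocker needs a second, unencrypted
    #    partition on the same disk for pre-startup authentication. On GPT/UEFI
    #    disks it is the EFI System Partition (Type "System"); on MBR/BIOS disks
    #    it is the active partition, which must not be the OS partition itself.
    $os = Get-Partition -DriveLetter $OsDrive.Substring(0, 1) -ErrorAction SilentlyContinue
    if ($os) {
        $sys = Get-Partition -DiskNumber $os.DiskNumber | Where-Object {
            $_.PartitionNumber -ne $os.PartitionNumber -and ($_.Type -eq 'System' -or $_.IsActive)
        }
        $r.SystemPartitionOk = [bool]$sys
    }

    $r.Recommendation = if (-not $r.SystemPartitionOk) {
        'No separate system partition found; BitLocker setup will need to create one.'
    } elseif ($r.TpmPresent -and $r.TpmReady) {
        'TPM ready: use a TPM-based protector (TPM + startup PIN + startup key is the most secure).'
    } elseif ($r.TpmPresent) {
        'TPM present but not ready: initialize it (TPM.msc) before enabling BitLocker.'
    } elseif ($r.AllowNoTpmPolicy) {
        'No TPM; policy allows a startup key only. Firmware must be able to read a USB drive at boot.'
    } else {
        'No TPM; enable "Require additional authentication at startup" and select "Allow BitLocker without a compatible TPM".'
    }
    [pscustomobject]$r
}

Test-BitLockerReadiness | Format-List
```

The partition test is deliberately a heuristic: it only confirms that another system or active partition exists on the OS disk, which is the condition the pre-startup integrity check depends on, and reports that BitLocker setup will have to create one otherwise.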
Configuring BitLocker in Control Panel
Before you configure BitLocker, there are a few more things to know. The first time you enable
BitLocker, you’ll be prompted to create a startup key. This is what’s used to encrypt and decrypt the
drive. The startup key can be stored on a USB drive or the TPM chip. If you opt for USB, you’ll have
to insert that USB drive every time you want to access the computer, and you’ll also have to enter the
key. If a compatible TPM chip is used, the key retrieval is automatic. You can also opt for a PIN.
This can be created only after BitLocker is enabled. If you lose the startup key, you’ll need to unlock
the drive using a recovery key. This is a 48-digit number that can be stored in numerous ways,
including on a USB drive.
There are five authentication methods for protecting encrypted data using BitLocker, consisting of
various combinations of TPM, startup PIN, and startup keys; just a TPM; or just a startup key. Here is
a brief summary of these options:
TPM + startup PIN + startup key This is the most secure, but it requires three authentication
tasks. The encryption key is stored on the TPM chip, but an administrator needs to type a PIN and
insert the startup key (available on a USB drive).
TPM + startup key The encryption key is stored on the TPM chip. In addition to this, the
administrator needs to insert a USB flash drive that contains a startup key.
TPM + startup PIN The encryption key is stored on the TPM chip, and an administrator needs to
enter a PIN.
Startup key only An administrator needs to insert a USB flash drive with the startup key on it.
The computer doesn’t need to have a TPM chip. The BIOS needs to support access to the USB
flash drive prior to the operating system loading.
TPM only The encryption key is stored on the TPM chip, and no administrator login is required.
TPM requires that the boot environment has not been modified or compromised.
Additionally, the drive that contains the operating system must have two partitions, the system
partition and the operating system partition, both of which need to be formatted with NTFS.
To configure BitLocker and encrypt the operating system drive on a Windows 10 computer, follow
1. Open Control Panel, change the view to Small Icons or Large Icons, and click BitLocker Drive
2. Click Turn On BitLocker (if you receive an error that no TPM chip is available, enable the
required Group Policy setting).
3. Choose how to unlock your drive at startup; Enter A Password is chosen in this example.
4. Enter the password, re-enter to confirm, and then click Next.
5. Opt to save the password; Save To Your Microsoft Account is selected in this example.
6. Click Next (in this instance, you can perform this step again to perform a secondary backup
before moving on).
7. Choose to encrypt either the used disk space or the entire drive. Click Next.
8. Leave Run BitLocker System Check selected, and click Continue.
9. Click Restart Now. If prompted, perform any final tasks, such as removing CDs or DVDs from
drive bays, and then click Restart Now again, if necessary.
10. On boot-up, type or provide the startup key.
11. Note the pop-up notification in the Desktop taskbar that encryption is in progress. It will take
some time to complete.
Return to Control Panel and review the BitLocker window. Note that from there you can perform
additional tasks, including backing up your recovery key, changing your password, removing the
passwords, and turning off BitLocker. You can see which actions require administrator approval by
the icon next to the options.
Configuring BitLocker by using the Manage-bde tool
You don’t have to use Control Panel to manage BitLocker Drive Encryption. You can work from a
command line, using commands that can turn on or turn off BitLocker, specify unlock mechanisms,
update recovery methods, and unlock BitLocker-protected data drives. Many of these commands are
used in large enterprises and are not applicable to this Skill; however, there are several parameters
you might use with the Manage-Bde command-line tool, including but not limited to the following:
status Use this parameter to provide information about the attached drives, including their
BitLocker status, size, BitLocker version, key protector, lock status, and more.
on This parameter encrypts the drive and turns on BitLocker, used with a drive letter such as C
that follows the on parameter.
off This parameter decrypts and then turns off BitLocker, used with a drive letter such as C that
follows the off parameter.
pause and resume Use pause with a drive letter to pause encryption; use resume with a drive
letter to resume encryption.
lock and unlock Use these parameters with a drive letter to lock and unlock the drive.
changepin This parameter changes the PIN for the BitLocker-protected drive.
recoverypassword Use this parameter to add a numerical password protector.
recoverykey This parameter adds an external key protector for recovery.
password Use this parameter to add a password key protector.
Refer to this article on TechNet to see all of the available parameters:
http://technet.microsoft.com/en-us/library/dd875513(v=WS.10).aspx. You can also type manage-bde /? at a command prompt to see a list on your own computer.
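The parameters listed above are easiest to use in a repeatable way when their output is captured by a script rather than read from the console. The PowerShell below is an added example, not code from the book; it wraps the status and recoverypassword parameters, assumes an elevated prompt on Windows 10 with English manage-bde output (the "Label: value" text it parses is localized), and uses function names of my own.

```powershell
# Added example (not from the book): calling the Manage-bde parameters listed
# above from PowerShell so that their results can be checked by a script.
# Assumes an elevated prompt on Windows 10 with English manage-bde output
# (the "Label: value" text is localized). Function names are my own.

function Get-ManageBdeStatus {
    param([string]$Drive = 'C:')
    # "manage-bde -status C:" prints the volume's BitLocker state as
    # "Label:   value" lines; collect them into an ordered hashtable.
    $lines = & manage-bde.exe -status $Drive 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Drive failed:`n$($lines -join "`n")" }
    $info = [ordered]@{}
    foreach ($line in $lines) {
        if ("$line" -match '^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$') {
            $info[$matches[1]] = $matches[2]
        }
    }
    return $info
}

function Test-ManageBdeProtection {
    param([string]$Drive = 'C:')
    # Reduce the status output to the facts an audit cares about.
    $s = Get-ManageBdeStatus -Drive $Drive
    [pscustomobject]@{
        Drive            = $Drive
        ProtectionOn     = ("$($s['Protection Status'])" -like 'Protection On*')
        FullyEncrypted   = ("$($s['Conversion Status'])" -eq 'Fully Encrypted')
        Locked           = ("$($s['Lock Status'])" -eq 'Locked')
        EncryptionMethod = $s['Encryption Method']
    }
}

function Add-RecoveryPasswordProtector {
    # Adds a numerical (48-digit) recovery password protector, the
    # "recoverypassword" parameter above, and returns the protector listing so
    # it can be escrowed. -WhatIf shows what would run without touching the drive.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Drive = 'C:', [string]$BackupFolder)
    if (-not $PSCmdlet.ShouldProcess($Drive, 'add recovery password protector')) { return }
    & manage-bde.exe -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "adding a recovery password to $Drive failed" }
    # -Type limits the listing to recovery password protectors.
    $listing = & manage-bde.exe -protectors -get $Drive -Type RecoveryPassword
    if ($BackupFolder) {
        # Keep the copy off the encrypted drive (a removable drive or a share the
        # help desk controls): the recovery password unlocks the volume on its own.
        $file = Join-Path $BackupFolder ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $Drive.Substring(0, 1))
        $listing | Set-Content -Path $file
    }
    return $listing
}

# Usage: report on the operating system drive, then show (with -WhatIf) what
# adding and escrowing a recovery password would do. Drop -WhatIf to apply it.
$report = Test-ManageBdeProtection -Drive $env:SystemDrive
$report | Format-List
if ($report.ProtectionOn) {
    Add-RecoveryPasswordProtector -Drive $env:SystemDrive -BackupFolder 'E:\BitLockerKeys' -WhatIf
}
```

The same pattern (run manage-bde, check $LASTEXITCODE, parse the text) applies to the pause, resume, lock and unlock parameters; only the recovery password step is shown because it is the one whose output must be handled with care.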
Configure startup key storage
This section covers how to configure startup key storage. However, to understand what a startup key
is, you need to first understand what it isn’t. There are several key management terms to contend with:
TPM owner password You need to initialize the TPM before you can use it with BitLocker
Drive Encryption. When you do, you create a TPM owner password that is associated only with
the TPM. You supply the TPM owner password when you need to enable or disable the TPM or
reset the TPM lockout.
Recovery password and recovery key The first time you set up BitLocker, you are prompted to
configure how to access BitLocker-protected drives if access is denied. This involves creating a
recovery key. You’ll need the recovery key if the TPM cannot validate the boot components, but
most of the time, a failure to access a BitLocker drive occurs because the end user has forgotten
the PIN or password.
Password A password can be used to protect fixed, removable, and operating system drives. It
can also be used with operating system drives that do not have a TPM. The password can consist
of 8 to 255 characters as specified by the Configure Use Of Passwords For Operating System
Drives, Configure Use Of Passwords For Removable Data Drives, and Configure Use Of
Passwords For Fixed Data Drives Group Policy settings.
PIN and enhanced PIN If you use a TPM, you can configure BitLocker with a PIN that the user
needs to enter to gain access to the computer. The PIN can consist of 4 to 20 digits as specified
by the Configure Minimum PIN Length For Startup Group Policy setting. Enhanced PINs use the
full keyboard character set in addition to the numeric set to allow for more possible PIN
combinations. You need to enable the Allow Enhanced PINs For Startup Group Policy setting
before adding the PIN to the drive.
Startup key You use a startup key, which is stored on a USB flash drive, with or without a TPM.
The USB flash drive must be inserted every time the computer starts. The USB flash drive needs
to be formatted by using the NTFS, FAT, or FAT32 file system.
Now that you know what a startup key is, you can save your computer’s startup key on a USB flash
drive. Right-click the BitLocker-protected drive to get started and then follow the prompts.
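The five authentication methods described earlier in this section and the key management terms above correspond to the key protector types that the BitLocker PowerShell module reports, so an audit can tell at a glance which startup method each volume uses and whether a recovery path exists. The script below is an added example, not code from the book; it assumes the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector) and Get-Tpm on Windows 10, run elevated, and the friendly names and function names are my own. The second function saves a startup key to a USB flash drive, the task this section ends with, after checking the drive's file system.

```powershell
# Added example (not from the book): audit the key protectors on every BitLocker
# volume, map them to the startup authentication methods described in this
# section, and save a startup key to a USB drive. Assumes the BitLocker module
# and Get-Tpm on Windows 10, run elevated. Names below are my own.

# Protector type names as reported by the module, with the section's wording.
# ExternalKey covers both a startup key and a recovery key (both are .bek files),
# so the two cannot be told apart from the type alone.
$ProtectorNames = @{
    Tpm              = 'TPM only'
    TpmPin           = 'TPM + startup PIN'
    TpmStartupKey    = 'TPM + startup key'
    TpmPinStartupKey = 'TPM + startup PIN + startup key'
    ExternalKey      = 'Startup key or recovery key (external key on USB)'
    Password         = 'Password'
    RecoveryPassword = 'Recovery password (48 digits)'
}

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'ExternalKey')
        # Strongest startup method present, in the order the section ranks them.
        $startup = foreach ($t in 'TpmPinStartupKey', 'TpmStartupKey', 'TpmPin', 'Tpm', 'ExternalKey', 'Password') {
            if ($types -contains $t) { $ProtectorNames[$t]; break }
        }
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionPercent = $vol.EncryptionPercentage
            StartupMethod     = if ($startup) { $startup } else { '(none)' }
            HasRecoveryPath   = $hasRecovery
            Protectors        = ($types -join ', ')
        }
    }
}

function Save-StartupKeyToUsb {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][string]$UsbDrive)
    # The USB drive must use NTFS, FAT or FAT32 and must be inserted at every boot.
    $fs = (Get-Volume -DriveLetter $UsbDrive.Substring(0, 1)).FileSystem
    if ($fs -notin 'NTFS', 'FAT', 'FAT32') { throw "USB drive $UsbDrive is $fs; use NTFS, FAT or FAT32" }
    # A volume holds only one TPM-based protector; refuse rather than fail half-way.
    $tpmBased = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
    if ($tpmBased) { throw "$MountPoint already has a TPM-based protector; remove it first with Remove-BitLockerKeyProtector" }
    $hasTpm = $false
    try { $hasTpm = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }
    if ($PSCmdlet.ShouldProcess($MountPoint, "add startup key protector stored on $UsbDrive")) {
        if ($hasTpm) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $UsbDrive
        } else {
            # No TPM: startup key only, which needs the Group Policy described above.
            Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $UsbDrive
        }
    }
}

# Usage: list every volume, flagging any that has no recovery password or key.
Get-BitLockerProtectorReport | Format-Table -AutoSize
Get-BitLockerProtectorReport | Where-Object { -not $_.HasRecoveryPath } |
    ForEach-Object { Write-Warning "$($_.MountPoint) has no recovery protector" }
# Save-StartupKeyToUsb -MountPoint 'C:' -UsbDrive 'E:' -WhatIf
```

Run the report before handing a computer to a user: a volume whose only protector is a password or a startup key has no recovery path, and the first forgotten PIN or lost USB drive becomes a data loss rather than a help-desk call.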
In these thought experiments, demonstrate your skills and knowledge of the topics covered in this
chapter. You can find the answers to these thought experiments in the next section.
You are the network administrator of a 2012 Active Directory domain. All 20 client computers run
Windows 10. One of your users purchased her own computer and brought it to work, and it too runs
Windows 10 Enterprise. You approve the computer and join it to the domain. There are some issues,
1. After logging on to the domain, the user can’t access her personal data. What should you do?
2. You want the data the user would normally save to her Documents folder to instead be saved to
a share on the network. What should you do?
3. The user wants her local user profile to follow her from computer to computer. What should you
You need to create a VM using a Windows 10 computer as the host that you can move from computer
to computer on a USB drive. You’ll be using the VM on a Windows Server 2012 computer in the
production environment. The VM needs to support Secure Boot and PXE Boot. Answer the following
1. When you create the VM, which Generation option should you choose?
2. Will you need a valid product ID for the operating system you will be installing on the VM?
3. You want the VM to be able to communicate with other VMs on the host computer, but not with
any host computer directly. What type of virtual switch should you configure?
4. When you configure your VHD, what file format should you use?
5. To export the VM stored on the USB drive, which export option should you choose?
You have users who need access to the files stored in the file servers of your company, no matter
where they are. You have configured Offline Files to enable this. It’s working well except that when
the users are on metered connections or are roaming with a cellular connection, the costs are high.
You want to reduce or better yet, eliminate these costs. All users are running Windows 10.
1. What feature available with Offline Files would you enable in Group Policy to help users avoid
high data-usage costs from synchronization while using metered connections that have usage
limits or while roaming on another network?
2. What feature available with Offline Files would you enable in Group Policy to provide fast
access to files while also limiting the bandwidth used by having the users work offline even if a
connection is available?
3. You also want users to work offline when they aren’t on metered networks if the connection is
very slow. You’ve configured a threshold for this in Group Policy. Does the user need to do
anything when this threshold is met?
4. Can you configure Offline Files and these settings if your servers are running Windows Server
A client wants to enable BitLocker on her laptop and has called you to set it up. She wants to protect
the data on the computer if the computer is stolen or if the hard drive is removed. You need to find out
if a compatible TPM chip is available, and if not, configure the computer so that BitLocker can be
1. What can you type in a Run box to find out if a compatible TPM is available on the computer?
2. If a TPM is not found, what policy do you need to change in Local Group Policy on the
3. If a TPM is not found, what must be true regarding the BIOS or UEFI firmware?
4. If a TPM is found, what is the most secure authentication option to apply during startup?
Thought experiment answers
This section provides the solutions for the tasks included in the thought experiment.
1. Use USMT to transfer the user’s local profile to her domain profile.
2. Configure folder location.
3. Configure a roaming user profile.
1. Generation 2, because it supports the listed requirements and Generation 1 doesn’t.
2. Yes. All installations of an operating system, even those installed on virtual drives, require a
3. Private. You want the VM to be able to communicate with other VMs on the host computer, but
not with any host computer directly. The other options, External and Internal, do not meet these
4. VHDX. Although you won’t likely need the feature that enables the disk to be up to 64 TB, you
do use this format when you know you’ll be using the VHD on Windows Server 2012 and later
or Windows 8 or later.
5. Restore The Virtual Machine (Use The Existing Unique ID For The VM). If your VM files are
stored on a file share, a removable drive, a network drive, and so on, and you want to move it,
choose this option.
1. Cost-Aware Synchronization
2. Always Offline Mode
3. No, the computer will go offline when the threshold is met.
4. No. Always Offline and Cost-Aware Synchronization are only available for clients and servers
running the latest operating systems.
2. You’ll need to set the required Group Policy to Require Additional Authentication At Startup,
which is located in Computer Configuration, Administrative Templates, Windows Components,
BitLocker Drive Encryption, Operating System Drives. You need to enable this and then select
the Allow BitLocker Without A Compatible TPM check box.
3. The BIOS or UEFI firmware must have the ability to read from a USB flash drive in the boot
4. TPM + startup PIN + startup key.
You can configure user profiles to support user environments in Windows with local profiles,
roaming profiles, and mandatory profiles.
You can change the default location for several folders in the user profile to another location,
including a network location.
You can use the USMT to migrate user profiles and user files for one or many Windows
To use Hyper-V in Windows 10, the host computer must:
Have Windows 10 Professional, Enterprise or Education 64-bit installed.
Have a compatible Second Level Address Translation (SLAT) processor.
Have 4 GB of RAM and BIOS-level hardware virtualization support.
You create VMs in order to use a single computer to house multiple operating systems to test
various hardware and software scenarios as well as to save money, resources, space, power
consumption, and more.
Checkpoints let you take snapshots of the configuration of a VM. You can restore to a saved
checkpoint at any time.
Virtual switches can be used to configure the network environment and to separate and secure
Virtual disks let you port VMs and are saved as either VHD or VHDX file formats. VHDX is the
newer format and is compatible only with Windows Server 2012 or later and Windows 8 or
The Offline Files feature enables users to work with their personal files even when they aren’t
connected to the network. Administrators can control behavior through Group Policy settings.
Power plans help users to manage battery life on mobile devices. Administrators can manage
power plans by using the Powercfg.exe tool and Group Policy.
Windows To Go enables users to run Windows 10 from a USB flash drive.
Wi-Fi Direct lets users share files without an intermediary network device.
BitLocker can be used to protect mobile devices and mobile drives from theft, loss, or attacks by
You need to carefully manage startup keys, recovery keys, and other items related to BitLocker
Drive Encryption so that you access the drive if it is compromised or if the user forgets the PIN
The command-line tool Manage-bde along with applicable parameters lets you manage
BitLocker from a command line.
Plan and implement a Microsoft 365 solution
Microsoft 365 provides enterprises and businesses a comprehensive solution, enabling user
productivity while simplifying the IT management, security and administration for Windows,
Windows 10 Mobile, iOS, and Android devices. You can manage enterprise devices and bring your
own device (BYOD) devices together in the same cloud-based console. Microsoft 365 provides a
bundle of essential tools, services, and support, offering a complete solution for your organization.
Windows 10 and Office 365 are at the heart of Microsoft 365. Complementing the productivity
core of Microsoft 365, Intune provides remote policies and device management such as remote wipe
and lock, application and software update deployment, and inventory and reporting. This chapter
reviews how to plan and implement Microsoft 365 in preparation for the exam.
Skills in this chapter:
Skill 3.1: Support mobile devices
Skill 3.2: Deploy software updates by using Microsoft Intune
Skill 3.3: Manage devices with Microsoft 365 Solution
Skill 3.4: Configure Information Protection
Skill 3.1: Support mobile devices
Windows 10 supports several features for mobile devices that enable greater control over and
manageability of mobile devices. Devices that are often disconnected from the corporate network and
used in a variety of physical locations warrant special consideration regarding device security,
remote management, data access, connectivity, and administration. In addition, you’ll learn how to
configure and support standalone Windows 10 devices and devices that have been enrolled into
This section covers how to:
Support mobile device policies
Support mobile access and data synchronization
Support broadband connectivity
Support Mobile Device Management by using Microsoft Intune
Support mobile device policies
Unlike traditional device management, modern mobile devices are not necessarily members of an
Active Directory domain. Enterprise BYOD and choose your own device (CYOD) allows for
diversity in hardware. A modern device can be a smartphone, tablet, laptop, desktop PC, or IoT
Mobile Device Management (MDM) requires that administrators manage a wide range of devices
and disparate operating systems including Windows, Windows 10 Mobile, iOS, and Android. Only
domain-joined Microsoft devices can be managed using Group Policy. So, you must understand how
to support other devices that can be configured and controlled using Microsoft Intune policies. If a
connected device has been enrolled into your MDM authority, it can be managed remotely using
Think of Intune policies as a group of settings that can be configured to control features on a
device. Policy templates are available within the Azure Intune administration portal and can be
applied to individual devices, or groups of devices.
Intune provides policies for hundreds of device settings across multiple platforms. Group Policy,
however, can configure thousands of settings for Windows and Server operating systems. Vendors
add functionality to devices on a regular basis, and Microsoft Intune manages this functionality with
NOTE VENDOR SPECIFIC POLICY
Mobile device vendors allow certain features to be controlled by the MDM authority. Not every
policy or remote feature, such as remote wipe or password reset, will be available on all devices
managed by Intune.
The Microsoft Intune policies fall into five categories (described in Table 3-1). These policies can
be accessed by signing into the Intune Classic admin portal at https://manage.microsoft.com/ and
then navigating to the Policy node on the left hand side.
Microsoft Intune policies
Intune policy Description
Configuration Manage security settings and features on your devices. Includes deploying language settings or a custom firewall rule.
Define the rules and settings which you want a device to comply with. Can be used with conditional access policy rules so you can monitor whether your devices are compliant.
Conditional Access Policies (or CAPs) can be used to allow or restrict access to a particular service or resource, such as network access or access to Exchange Online, or a specific app installed on a device. There are specific templates for you to manage access to Microsoft Exchange Online, Microsoft Dynamics CRM Online, Skype for Business Online, and Microsoft SharePoint Online.
Used to specify how devices are to be enrolled and allow administrators to deploy an enrollment profile to Apple devices.
Most commonly deployed policies. Similar to configuration
Policies providing access to company files and resources. There are four types of resource access policies available:
Wi-Fi profile network settings
Email client profile settings
Microsoft has stated that the Intune Classic portal will be retired starting on April 2, 2018 for
customers using Intune standalone. Therefore, you should familiarize yourself with the modern Azure
Intune Policy Templates
In the Intune classic portal there are a number of templates built into the Intune policy node that are
used to deliver settings to enrolled devices. The templates are listed in categories and they’re split
based on the operating system and device type.
For the exam, you should review the available templates and note that not all settings and policies
are available for each vendor or device type.
When configuring a device, it is advisable to start with a pre-configured template because they
contain recommended settings. It may be more efficient to use an existing template as a starting point,
and then customize the settings and deploy them to your managed devices. The list of templates
available is shown in Figure 3-1.