Skill 2.4: Configure security for mobile devices

the computer haven’t been compromised (altered) and if the disk is still installed in the original



You can enable BitLocker before you deploy the operating system. When you do, you can opt to

encrypt used disk space only or encrypt the entire drive.

When using BitLocker, you have the option of requiring users to enter a password to unlock the drive when they want to use it. On computers with a compatible TPM you can also require multifactor authentication at startup, for example by combining the TPM with a startup PIN or with a USB drive that holds a startup key (a smart card can be used as an unlock method for data drives). BitLocker can also be managed through Group Policy. For instance, you can require that BitLocker be enabled before the computer can be used to store data.


Two partitions are required to run BitLocker because pre-startup authentication and system integrity

confirmation have to occur on a separate partition from the drive that is encrypted.


For more information about Windows BitLocker, visit: http://technet.microsoft.com/enus/library/hh831507.aspx#BKMK_Overview.

When configuring BitLocker, you must consider the following:

The requirements for hardware and software: This includes TPM versions, BIOS configuration, firmware requirements, drive size, and so on.

How to tell if your computer has a TPM: An administrator might type TPM.msc in a Run dialog box and press Enter. An end user might open Control Panel, All Items, BitLocker Drive Encryption and see whether BitLocker can be turned on. If a TPM isn't found, you'll have to enable the Require Additional Authentication At Startup Group Policy setting, which is located in Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives, and then select the Allow BitLocker Without A Compatible TPM check box.

What credentials are required to configure BitLocker: Only Administrators can manage fixed data drives, but Standard users can manage removable data drives (the latter can be disabled in Group Policy). Standard users can also change the PIN or password on operating system drives to which they have access via BitLocker; this too can be blocked with a Group Policy setting.

How to automate BitLocker deployment in an enterprise: One way is to use the command-line tool Manage-bde.exe; the Manage-bde parameters you are most likely to use are detailed later in this section. Other ways include Windows Management Instrumentation (WMI) and the Windows PowerShell BitLocker module (Enable-BitLocker, Add-BitLockerKeyProtector, and related cmdlets).

The reasons why BitLocker might start in recovery mode: Reasons include disabling the TPM, changing the TPM firmware, changing the master boot record, and so on. Anything that alters the boot measurements the TPM validates can trigger recovery, so plan firmware and boot-loader updates with that in mind.

How to manage recovery keys: Recovery keys let you access a computer in the event that BitLocker doesn't permit access. There are many ways to store these keys for fixed drives, including saving them to a folder or your Microsoft account online, printing them, and storing the keys on multiple USB drives. In a domain, Group Policy can additionally require that recovery information be backed up to Active Directory Domain Services before BitLocker is turned on, so that the help desk can retrieve it later.


You can only enable BitLocker on an operating system drive without a compatible TPM if the

BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment.

This is because BitLocker requires a startup key. If you do this, though, you won’t be able to take

advantage of the pre-startup system integrity verification or multifactor authentication.

Configuring BitLocker in Control Panel

Before you configure BitLocker, there are a few more things to know. The first time you enable BitLocker, you'll be prompted to choose how the drive is unlocked at startup. The key that actually encrypts the drive never leaves the computer; what you are choosing is the protector that releases it: a TPM, or a startup key stored on a USB drive. If you opt for USB, you'll have to insert that USB drive every time the computer starts. If a compatible TPM chip is used, key retrieval is automatic. You can also add a PIN that must be typed in addition to the TPM check. If you lose the startup key, you'll need to unlock the drive using the recovery key, a 48-digit number that can be stored in numerous ways, including on a USB drive.

There are five authentication methods for protecting encrypted data using BitLocker, consisting of various combinations of TPM, startup PIN, and startup key; just a TPM; or just a startup key. In every case the TPM or the startup key protects the key that encrypts the drive; the options differ in what a person must present at boot. Here is a brief summary of these options:

TPM + startup PIN + startup key: This is the most secure, but it requires three authentication factors. The TPM releases the key only if the boot measurements match, and the user must also type a PIN and insert the USB drive that holds the startup key.

TPM + startup key: The TPM protects the key, and the user must also insert a USB flash drive that contains the startup key.

TPM + startup PIN: The TPM protects the key, and the user must also enter a PIN.

Startup key only: The user must insert a USB flash drive with the startup key on it. The computer doesn't need to have a TPM chip, but the BIOS or UEFI firmware must be able to read the USB flash drive before the operating system loads, and there is no boot-integrity check in this configuration.

TPM only: The TPM protects the key and no user interaction is required at startup. The TPM releases the key only if the boot environment has not been modified or compromised, so tampering with the boot components forces recovery mode. Because the computer boots unattended to the sign-in screen, TPM only gives the least protection of the TPM-based options; add a PIN on devices that leave the building.

Additionally, the drive that contains the operating system must have two partitions, the system partition and the operating system partition. The operating system partition must be formatted with NTFS; on a BIOS-based computer the system partition is NTFS as well, whereas on a UEFI-based computer the EFI system partition is formatted FAT32.

To configure BitLocker and encrypt the operating system drive on a Windows 10 computer, follow these steps:

1. Open Control Panel, change the view to Small Icons or Large Icons, and click BitLocker Drive Encryption.

2. Click Turn On BitLocker (if you receive an error that no TPM chip is available, enable the required Group Policy setting).

3. Choose how to unlock your drive at startup; Enter A Password is chosen in this example.

4. Enter the password, re-enter it to confirm, and then click Next.

5. Choose where to back up your recovery key; Save To Your Microsoft Account is selected in this example.

6. Click Next (you can repeat the previous step to make a second backup before moving on).

7. Choose to encrypt either the used disk space or the entire drive. Click Next.

8. Leave Run BitLocker System Check selected, and click Continue.

9. Click Restart Now. If prompted, perform any final tasks, such as removing CDs or DVDs from drive bays, and then click Restart Now again, if necessary.

10. On boot-up, type the password (or provide the startup key, depending on the unlock method you chose).

11. Note the pop-up notification in the Desktop taskbar that encryption is in progress. It will take some time to complete.

Return to Control Panel and review the BitLocker window. Note that from there you can perform

additional tasks, including backing up your recovery key, changing your password, removing the

passwords, and turning off BitLocker. You can see which actions require administrator approval by

the icon next to the options.
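The same outcome as the wizard above, scripted with the Windows 10 BitLocker module. This is an added example and not code from the original text. It assumes an elevated PowerShell session, C: as the operating system drive, a domain-joined computer for the Active Directory backup, and the Require Additional Authentication At Startup policy being enabled (needed for TPM + PIN as well as, with Allow BitLocker Without A Compatible TPM, for the no-TPM case). It adds the recovery password and escrows it before encryption starts, an order the wizard cannot enforce for you.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original text. Assumed: Windows 10 with the built-in BitLocker
# and TrustedPlatformModule modules, C: is the operating system drive, the computer is domain
# joined, and the 'Require additional authentication at startup' policy is enabled.

$osDrive = 'C:'

# 1. Same check as TPM.msc, but scriptable: the TPM must be present AND ready.
$tpm     = Get-Tpm
$haveTpm = $tpm.TpmPresent -and $tpm.TpmReady

# 2. Do nothing to a volume that is already protected.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$osDrive is already protected (status: $($vol.VolumeStatus))."
    return
}

# 3. Add the recovery password BEFORE turning encryption on, so there is always a way back
#    in when the TPM refuses to release the key (firmware update, boot change, and so on).
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Select-Object -Last 1

# 4. Escrow that protector to Active Directory. On an Azure AD joined device use
#    BackupToAAD-BitLockerKeyProtector with the same parameters instead.
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId

# 5. Pick the unlock method the wizard would offer. The PIN or password is read
#    interactively so it never sits in the script file or the shell history.
if ($haveTpm) {
    # TPM + startup PIN: the TPM releases the key only if the boot measurements match,
    # and the user must still type the PIN.
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -TpmAndPinProtector -Pin $pin
}
else {
    # No TPM: password protector only; no pre-boot integrity check is possible.
    $pw = Read-Host -Prompt 'Startup password' -AsSecureString
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -PasswordProtector -Password $pw
}

# 6. Report what was configured. -SkipHardwareTest was not used, so the hardware test runs
#    at the next restart, exactly like leaving 'Run BitLocker system check' selected.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it once per machine from an elevated prompt; encryption itself begins after the restart, and the 48-digit recovery password is visible in the RecoveryPassword property of the protector that was backed up.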

Configuring BitLocker by using the Manage-bde tool

You don’t have to use Control Panel to manage BitLocker Drive Encryption. You can work from a

command line, using commands that can turn on or turn off BitLocker, specify unlock mechanisms,

update recovery methods, and unlock BitLocker-protected data drives. Many of these commands are

used in large enterprises and are not applicable to this Skill; however, there are several parameters

you might use with the Manage-Bde command-line tool, including but not limited to the following:

-status: Provides information about the attached drives, including their BitLocker status, size, BitLocker version, key protectors, lock status, and more. Run it with no drive letter to see every volume, or with one (manage-bde -status C:) for a single volume.

-on: Encrypts the drive and turns on BitLocker; follow it with a drive letter, such as C:.

-off: Decrypts the drive and then turns off BitLocker; follow it with a drive letter, such as C:.

-pause and -resume: Use -pause with a drive letter to pause encryption; use -resume with a drive letter to resume it.

-lock and -unlock: Use these parameters with a drive letter to lock and unlock a BitLocker-protected data drive.

-changepin: Changes the PIN for the BitLocker-protected drive.

-RecoveryPassword: Used with -on or with -protectors -add to add a numerical (48-digit) password protector.

-RecoveryKey: Used the same way to add an external key protector for recovery, written as a .BEK file to the path you specify.

-Password: Used the same way to add a password key protector.

Refer to this article on TechNet to see all of the available parameters:

http://technet.microsoft.com/en-us/library/dd875513(v=WS.10).aspx. You can also type manage-bde -? at a command prompt to see the list on your own computer.
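An added example, not from the original text, that drives Manage-bde from PowerShell to do the check the parameters above make possible: parse the output of manage-bde -protectors -get for each fixed volume, add a numerical password where one is missing, and escrow it to Active Directory with -protectors -adbackup. It assumes an elevated prompt, English Manage-bde output, and a domain-joined computer. The GUIDs and the listing at the bottom are constructed sample data, and the function names Get-BdeProtectorSummary, Test-BdeVolumeCompliance and Invoke-BdeRecoveryEscrow are my own.

```powershell
# Added example, not from the original text. Assumed: elevated prompt, English manage-bde
# output, domain-joined computer for -adbackup. Sample data at the bottom is constructed.

function Get-BdeProtectorSummary {
    # Turns the text of 'manage-bde -protectors -get <drive>' into objects with the protector
    # Type (as manage-bde names it) and its ID, the GUID that other manage-bde commands such
    # as -protectors -adbackup or -protectors -delete expect.
    param([string[]]$Lines)
    $types   = 'TPM And PIN And Startup Key|TPM And Startup Key|TPM And PIN|TPM|' +
               'Numerical Password|External Key|Password|Certificate'
    $found   = @()
    $current = $null
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match "^($types):$") {
            # A protector heading; the 'Password:' label under a numerical password also
            # matches here but is never followed by an ID line, so it is dropped.
            $current = [pscustomobject]@{ Type = $Matches[1]; Id = $null }
        }
        elseif ($current -and $line -match '^ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $current.Id = $Matches[1]
            $found += $current
            $current = $null
        }
    }
    return $found
}

function Test-BdeVolumeCompliance {
    # For one volume: does it have a TPM-based protector, and which numerical password can be
    # escrowed? RecoveryPasswordId is $null when the volume has none yet.
    param([string]$Drive, [string[]]$ProtectorOutput)
    $p = Get-BdeProtectorSummary -Lines $ProtectorOutput
    [pscustomobject]@{
        Drive              = $Drive
        HasTpmProtector    = [bool]($p | Where-Object Type -like 'TPM*')
        RecoveryPasswordId = ($p | Where-Object Type -eq 'Numerical Password' |
                              Select-Object -First 1 -ExpandProperty Id)
        Protectors         = ($p.Type -join ', ')
    }
}

function Invoke-BdeRecoveryEscrow {
    # Live use: for every fixed volume make sure a numerical password exists, then push it
    # into AD DS under the computer object. Emits one compliance object per volume.
    $volumes = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($v in $volumes) {
        $drive = "$($v.DriveLetter):"
        $out   = & manage-bde -protectors -get $drive 2>&1 | ForEach-Object { "$_" }
        if ("$out" -match 'ERROR') { continue }   # skip volumes manage-bde cannot open
        $state = Test-BdeVolumeCompliance -Drive $drive -ProtectorOutput $out
        if (-not $state.RecoveryPasswordId) {
            & manage-bde -protectors -add $drive -RecoveryPassword | Out-Null
            $out   = & manage-bde -protectors -get $drive 2>&1 | ForEach-Object { "$_" }
            $state = Test-BdeVolumeCompliance -Drive $drive -ProtectorOutput $out
        }
        & manage-bde -protectors -adbackup $drive -id $state.RecoveryPasswordId | Out-Null
        $state
    }
}

# Constructed sample of 'manage-bde -protectors -get C:' output (not captured from a machine).
$sample = @'
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {0BA6B5A6-3D77-4A0B-9C55-0C8E8B9A8F11}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

    TPM And PIN:
      ID: {5E1C0D3B-2C4E-4F7D-8A9B-1D2E3F405162}
      PCR Validation Profile:
        7, 11
'@ -split "`r?`n"

Test-BdeVolumeCompliance -Drive 'C:' -ProtectorOutput $sample
```

On the constructed sample the last line reports HasTpmProtector True, the numerical password's ID as RecoveryPasswordId, and Protectors "Numerical Password, TPM And PIN"; on a real machine call Invoke-BdeRecoveryEscrow instead. Parsing the tool's text is the price of staying with Manage-bde; the BitLocker PowerShell module exposes the same data as objects (Get-BitLockerVolume).KeyProtector, which is the better choice for new scripts.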

Configure startup key storage

This section covers how to configure startup key storage. However, to understand what a startup key is, you need to first understand what it isn't. There are several key management terms to contend with:

TPM owner password: You need to initialize the TPM before you can use it with BitLocker Drive Encryption. When you do, you create a TPM owner password that is associated only with the TPM. You supply the TPM owner password when you need to enable or disable the TPM or reset the TPM lockout.

Recovery password and recovery key: The first time you set up BitLocker, you are prompted to configure how to access BitLocker-protected drives if access is denied. This involves creating a recovery key. You'll need the recovery key if the TPM cannot validate the boot components, but most of the time, a failure to access a BitLocker drive occurs because the end user has forgotten the PIN or password. Strictly, the recovery password is the 48-digit number and the recovery key is a key file (.BEK) saved to a USB drive; either one unlocks the drive without the normal protector, so treat both as secrets and escrow them.

Password: A password can be used to protect fixed, removable, and operating system drives. It can also be used with operating system drives that do not have a TPM. The password can consist of 8 to 255 characters as specified by the Configure Use Of Passwords For Operating System Drives, Configure Use Of Passwords For Removable Data Drives, and Configure Use Of Passwords For Fixed Data Drives Group Policy settings.

PIN and enhanced PIN: If you use a TPM, you can configure BitLocker with a PIN that the user needs to enter to gain access to the computer. The PIN can consist of 4 to 20 digits, with the minimum set by the Configure Minimum PIN Length For Startup Group Policy setting. Enhanced PINs allow the full keyboard character set in addition to digits, which increases the number of possible PIN combinations. You need to enable the Allow Enhanced PINs For Startup Group Policy setting before adding the PIN to the drive, and the firmware must accept keyboard input in the pre-boot environment; not every computer does, so test an enhanced PIN on the hardware you deploy.

Startup key: You use a startup key, which is stored on a USB flash drive, with or without a TPM. The USB flash drive must be inserted every time the computer starts. The USB flash drive needs to be formatted by using the NTFS, FAT, or FAT32 file system.

Now that you know what a startup key is, you can save your computer's startup key on a USB flash drive. Right-click the BitLocker-protected drive in File Explorer, choose Manage BitLocker, and then follow the prompts.

Thought experiments

In these thought experiments, demonstrate your skills and knowledge of the topics covered in this

chapter. You can find the answers to these thought experiments in the next section.

Scenario 1

You are the network administrator of a 2012 Active Directory domain. All 20 client computers run

Windows 10. One of your users purchased her own computer and brought it to work, and it too runs

Windows 10 Enterprise. You approve the computer and join it to the domain. There are some issues,


1. After logging on to the domain, the user can’t access her personal data. What should you do?

2. You want the data the user would normally save to her Documents folder to instead be saved to

a share on the network. What should you do?

3. The user wants her local user profile to follow her from computer to computer. What should you


Scenario 2

You need to create a VM using a Windows 10 computer as the host that you can move from computer

to computer on a USB drive. You’ll be using the VM on a Windows Server 2012 computer in the

production environment. The VM needs to support Secure Boot and PXE Boot. Answer the following


1. When you create the VM, which Generation option should you choose?

2. Will you need a valid product ID for the operating system you will be installing on the VM?

3. You want the VM to be able to communicate with other VMs on the host computer, but not with

any host computer directly. What type of virtual switch should you configure?

4. When you configure your VHD, what file format should you use?

5. To export the VM stored on the USB drive, which export option should you choose?

Scenario 3

You have users who need access to the files stored in the file servers of your company, no matter

where they are. You have configured Offline Files to enable this. It’s working well except that when

the users are on metered connections or are roaming with a cellular connection, the costs are high.

You want to reduce or better yet, eliminate these costs. All users are running Windows 10.

1. What feature available with Offline Files would you enable in Group Policy to help users avoid

high data-usage costs from synchronization while using metered connections that have usage

limits or while roaming on another network?

2. What feature available with Offline Files would you enable in Group Policy to provide fast

access to files while also limiting the bandwidth used by having the users work offline even if a

connection is available?

3. You also want users to work offline when they aren’t on metered networks if the connection is

very slow. You’ve configured a threshold for this in Group Policy. Does the user need to do

anything when this threshold is met?

4. Can you configure Offline Files and these settings if your servers are running Windows Server

2008 R2?

Scenario 4

A client wants to enable BitLocker on her laptop and has called you to set it up. She wants to protect

the data on the computer if the computer is stolen or if the hard drive is removed. You need to find out

if a compatible TPM chip is available, and if not, configure the computer so that BitLocker can be

used effectively.

1. What can you type in a Run box to find out if a compatible TPM is available on the computer?

2. If a TPM is not found, what policy do you need to change in Local Group Policy on the


3. If a TPM is not found, what must be true regarding the BIOS or UEFI firmware?

4. If a TPM is found, what is the most secure authentication option to apply during startup?

Thought experiment answers

This section provides the solutions for the tasks included in the thought experiment.

Scenario 1

1. Use USMT to transfer the user’s local profile to her domain profile.

2. Configure folder location.

3. Configure a roaming user profile.

Scenario 2

1. Generation 2, because it supports the listed requirements and Generation 1 doesn’t.

2. Yes. All installations of an operating system, even those installed on virtual drives, require a

product ID.

3. Private. You want the VM to be able to communicate with other VMs on the host computer, but

not with any host computer directly. The other options, External and Internal, do not meet these


4. VHDX. Although you won’t likely need the feature that enables the disk to be up to 64 TB, you

do use this format when you know you’ll be using the VHD on Windows Server 2012 and later

or Windows 8 or later.

5. Restore The Virtual Machine (Use The Existing Unique ID For The VM). If your VM files are

stored on a file share, a removable drive, a network drive, and so on, and you want to move it,

choose this option.

Scenario 3

1. Cost-Aware Synchronization

2. Always Offline Mode

3. No, the computer will go offline when the threshold is met.

4. No. Always Offline and Cost-Aware Synchronization are only available for clients and servers

running the latest operating systems.

Scenario 4

1. TPM.msc.

2. You'll need to enable the Require Additional Authentication At Startup Group Policy setting, which is located in Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives, and then select the Allow BitLocker Without A Compatible TPM check box.

3. The BIOS or UEFI firmware must have the ability to read from a USB flash drive in the boot environment.
4. TPM + startup PIN + startup key.

Chapter summary

You can configure user profiles to support user environments in Windows with local profiles,

roaming profiles, and mandatory profiles.

You can change the default location for several folders in the user profile to another location,

including a network location.

You can use the USMT to migrate user profiles and user files for one or many Windows


To use Hyper-V in Windows 10, the host computer must:

Have Windows 10 Professional, Enterprise or Education 64-bit installed.

Have a compatible Second Level Address Translation (SLAT) processor.

Have 4 GB of RAM and BIOS-level hardware virtualization support.

You create VMs in order to use a single computer to house multiple operating systems to test

various hardware and software scenarios as well as to save money, resources, space, power

consumption, and more.

Checkpoints let you take snapshots of the configuration of a VM. You can restore to a saved

checkpoint at any time.

Virtual switches can be used to configure the network environment and to separate and secure

multiple VMs.

Virtual disks let you port VMs and are saved as either VHD or VHDX file formats. VHDX is the newer format and is compatible only with Windows Server 2012 or later and Windows 8 or later.
The Offline Files feature enables users to work with their personal files even when they aren’t

connected to the network. Administrators can control behavior through Group Policy settings.

Power plans help users to manage battery life on mobile devices. Administrators can manage

power plans by using the Powercfg.exe tool and Group Policy.

Windows To Go enables users to run Windows 10 from a USB flash drive.

Wi-Fi Direct lets users share files without an intermediary network device.

BitLocker can be used to protect mobile devices and mobile drives from theft, loss, or attacks by


You need to carefully manage startup keys, recovery keys, and other items related to BitLocker

Drive Encryption so that you access the drive if it is compromised or if the user forgets the PIN

or password.

The command-line tool Manage-bde along with applicable parameters lets you manage

BitLocker from a command line.


Plan and implement a Microsoft 365 solution

Microsoft 365 provides enterprises and businesses a comprehensive solution, enabling user

productivity while simplifying the IT management, security and administration for Windows,

Windows 10 Mobile, iOS, and Android devices. You can manage enterprise devices and bring your

own device (BYOD) devices together in the same cloud-based console. Microsoft 365 provides a

bundle of essential tools, services, and support, offering a complete solution for your organization.

Windows 10 and Office 365 are at the heart of Microsoft 365. Complementing the productivity

core of Microsoft 365, Intune provides remote policies and device management such as remote wipe

and lock, application and software update deployment, and inventory and reporting. This chapter

reviews how to plan and implement Microsoft 365 in preparation for the exam.

Skills in this chapter:

Skill 3.1: Support mobile devices

Skill 3.2: Deploy software updates by using Microsoft Intune

Skill 3.3: Manage devices with Microsoft 365 Solution

Skill 3.4: Configure Information Protection

Skill 3.1: Support mobile devices

Windows 10 supports several features for mobile devices that enable greater control over and

manageability of mobile devices. Devices that are often disconnected from the corporate network and

used in a variety of physical locations warrant special consideration regarding device security,

remote management, data access, connectivity, and administration. In addition, you’ll learn how to

configure and support standalone Windows 10 devices and devices that have been enrolled into

Microsoft 365.

This section covers how to:

Support mobile device policies

Support mobile access and data synchronization

Support broadband connectivity

Support Mobile Device Management by using Microsoft Intune

Support mobile device policies

Unlike traditional device management, modern mobile devices are not necessarily members of an

Active Directory domain. Enterprise BYOD and choose your own device (CYOD) allows for

diversity in hardware. A modern device can be a smartphone, tablet, laptop, desktop PC, or IoT


Mobile Device Management (MDM) requires that administrators manage a wide range of devices and disparate operating systems including Windows, Windows 10 Mobile, iOS, and Android. Only domain-joined Windows devices can be managed using Group Policy, so you must understand how to support the other devices, which can be configured and controlled using Microsoft Intune policies. Once a connected device has been enrolled into your MDM authority, it can be managed remotely using Intune policies.

Think of Intune policies as a group of settings that can be configured to control features on a

device. Policy templates are available within the Azure Intune administration portal and can be

applied to individual devices, or groups of devices.

Intune provides policies for hundreds of device settings across multiple platforms. Group Policy,

however, can configure thousands of settings for Windows and Server operating systems. Vendors

add functionality to devices on a regular basis, and Microsoft Intune manages this functionality with

available policies.


Mobile device vendors allow certain features to be controlled by the MDM authority. Not every

policy or remote feature, such as remote wipe or password reset, will be available on all devices

managed by Intune.

The Microsoft Intune policies fall into five categories (described in Table 3-1). These policies can

be accessed by signing into the Intune Classic admin portal at https://manage.microsoft.com/ and

then navigating to the Policy node on the left hand side.


Table 3-1 Microsoft Intune policies

Configuration policies: Manage security settings and features on your devices, including deploying language settings or a custom firewall rule.

Compliance policies: Define the rules and settings that you want a device to comply with. Can be used with conditional access policy rules so you can monitor whether your devices are compliant.

Conditional access policies: Conditional Access Policies (CAPs) can be used to allow or restrict access to a particular service or resource, such as network access, access to Exchange Online, or a specific app installed on a device. There are specific templates for managing access to Microsoft Exchange Online, Microsoft Dynamics CRM Online, Skype for Business Online, and Microsoft SharePoint Online.

Corporate device enrollment policies: Used to specify how devices are to be enrolled and to allow administrators to deploy an enrollment profile to Apple devices.

Resource access policies: The most commonly deployed policies. Similar to configuration policies, they provide access to company files and resources. There are four types of resource access policies available: Wi-Fi profile network settings, VPN settings, email client profile settings, and certificate profiles.

Microsoft has stated that the Intune Classic portal will be retired starting on April 2, 2018 for

customers using Intune standalone. Therefore, you should familiarize yourself with the modern Azure

Intune portal.

Intune Policy Templates

In the Intune classic portal there are a number of templates built into the Intune policy node that are used to deliver settings to enrolled devices. The templates are listed in categories and are split by operating system and device type.

For the exam, you should review the available templates and note that not all settings and policies

are available for each vendor or device type.

When configuring a device, it is advisable to start with a pre-configured template because they

contain recommended settings. It may be more efficient to use an existing template as a starting point,

and then customize the settings and deploy them to your managed devices. The list of templates

available is shown in Figure 3-1.
