Microsoft Official Course MD-101T02 Managing Modern Desktops and Devices MCT USE ONLY. STUDENT USE PROHIBITED

Microsoft Official Course

MD-101T02 Managing Modern Desktops and Devices


Contents

■ Module 0 Welcome . . . . 1
    Welcome to Managing Modern Desktops and Devices . . . . 1

■ Module 1 Device Enrollment . . . . 3
    Device management options . . . . 3
    Manage Intune device enrollment and inventory . . . . 12

■ Module 2 Configuring Profiles . . . . 33
    Configuring device profiles . . . . 33
    Managing user profiles . . . . 46
    Monitoring devices . . . . 57

■ Module 3 Application Management . . . . 67
    Implement Mobile Application Management (MAM) . . . . 67
    Deploying and updating applications . . . . 83
    Administering applications . . . . 101


Module 0 Welcome

Welcome to Managing Modern Desktops and Devices

Course Introduction

The Modern Desktop enables simplified management of your desktops, devices, cloud services and compliance. It enables more flexibility in how your users work, while keeping organizational data safe.

These courses will help you, as the Modern Desktop Administrator, learn about these technologies and how to use them. With new cloud technologies and Microsoft 365, there are new methods and approaches to common challenges with deployment and management. Whether you are new to a Desktop Administrator role or have several years’ experience, you’ll find new information contained in these courses.

In this series, you will learn how to:

● Plan and execute an effective deployment of Windows 10

● Keep and ensure devices are current with the latest OS and application updates

● Deploy and manage configurations and apps to organizational and user-owned devices

● Deploy and manage policies to ensure device compliance

The Modern Desktop learning track helps prepare for the Microsoft 365 Certified: Modern Desktop Administrator Associate certification (exam MD-101) and is composed of the following courses:

● MD-101.1 Deploying the Modern Desktop

● MD-101.2 Managing Modern Desktops and Devices

● MD-101.3 Protecting Modern Desktops and Devices

Students taking this course should have experience with installing and managing Windows desktops and apps. Students should also have at least a basic knowledge of:

● Authorization and authentication.

● Computer networks and cloud-based concepts.


● Understanding of OS images and group policy objects.

● Understanding of managing mobile devices.

It is recommended that students complete the Windows 10 course series (MD-100) prior to taking the Modern Desktop Administrator courses.

Video: Course Introduction

As demand grows for organizations to enable more mobile workforces, a desktop administrator’s role is no longer just about “desktop” management. With BYOD becoming commonplace and the need for employees to access line of business apps on personal devices, the scope of desktop administration must include both desktop and mobile devices, regardless of ownership. During this course, you’ll be introduced to key components of modern management and co-management strategies. You’ll examine what it takes to incorporate Microsoft Intune into your organization and how to use it to manage modern desktops and devices. You’ll also learn about methods for deployment and management of apps and browser-based applications.

This course was designed for IT Professionals who manage and deploy desktop operating systems in their organization.

In this course, you will learn how to:

● Understand the benefits and methods of co-management strategies.

● Configure Intune.

● Enroll devices in Intune and configure device policies.

● Manage user profiles and folder redirection.

● Plan a mobile application management strategy.

● Manage and deploy apps, including Office 365 ProPlus and Internet Explorer settings.

This is the second in a series of three courses for the Modern Desktop Administrator.


Module 1 Device Enrollment

Device management options

Lesson Introduction

This module introduces you to modern device management options. You will be introduced to co-management, which is the first step in the journey to modern management. You will examine the benefits and prerequisites for co-management and learn how to plan for it. You will then be introduced to Group Policy migration to Mobile Device Management (MDM), and learn how to migrate Group Policy settings using the MDM Analysis Tool.

After this lesson, you should be able to:

● Define and describe co-management.

● Plan for co-management.

● Explain the options and prerequisites for co-management.

● Explain how to migrate Group Policy settings to MDM.

● Use the MDM Migration Analysis Tool.

Benefits of Modern Management

Until recently, managing an organization’s technological infrastructure and PCs required IT professionals to do lots of hands-on, manual, and time-consuming tasks. New kinds of device form factors, new approaches in Windows 10 management, advancements in cloud technology, and bring your own device (BYOD) trends have made the move toward modern management more compelling for many organizations - not only for mobile devices, but also for PCs.

Modern management is a novel approach to managing Windows 10, similar to how mobile devices are managed by Enterprise Mobility Management (EMM) solutions. This approach allows you to simplify deployment and management, improve security, provide better end user experiences, and lower costs for your Windows devices. With modern management, you can now manage Windows 10 devices of all kinds, from desktop PCs to HoloLens and Surface Hubs, company-owned or employee-owned, as well as mobile devices using one management platform. Let’s examine why you should consider implementing a modern management approach for Windows devices in your organization.

The pillars of modern management

Easy to deploy and manage

Traditional operating system deployment (OSD), while powerful, is typically complex and time consuming. There is now a simpler way to provision new Windows 10 devices. Windows Autopilot, which is deeply integrated with Azure Active Directory (Azure AD) and Intune, simplifies and personalizes the out-of-box experience (OOBE) for users, joins the device to Azure AD, and enrolls it in Intune. Users’ email, apps, files and preferences, as well as the organization’s security settings, are also automatically applied by Intune without needing to create custom OS images.

Always up to date

Keeping up with emerging security threats and increasing user productivity requires a shift in how often Windows 10 and Office 365 ProPlus need to be updated. With aligned Windows 10 and Office 365 ProPlus updates, powerful insights driven by cloud intelligence, and a modern management approach with EMS, there is now a better way to keep devices up-to-date without the complexity of maintaining an on-premises infrastructure.

Intelligent security, built-in

Attackers are becoming more sophisticated, and Microsoft 365 was designed with security in mind. There are many new and evolving security features built directly into the Microsoft 365 platform, including Windows Hello, Windows Defender Advanced Threat Protection (ATP), Windows Information Protection, Office 365 ATP, Azure AD Identity Protection, Conditional Access, and more. These security features are powered by the Microsoft Intelligent Security Graph, which uses billions of signals, constantly improving machine learning algorithms, and human expertise to help you protect your company data and respond to sophisticated attacks.

Proactive insights

With rich telemetry and cloud intelligence, you can now proactively discover device and app issues before they affect end users, be more confident when applying OS updates, discover security issues, and more. The fusion of machine intelligence with human expertise can create a unique and powerful partnership.

Planning Co-management

By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with conditional access.


If you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices.

Usage scenarios for Azure AD Join

Scenario 1: Businesses largely in the cloud

Azure Active Directory join (Azure AD join) can benefit you if you currently operate and manage identities for your business in the cloud or are moving to the cloud soon. You can use an account that you have created in Azure AD to sign in to Windows 10. Through the first run experience (FRX) process, or by joining Azure AD from the settings menu, your users can join their machines to Azure AD. Your users can also enjoy single sign-on (SSO) access to cloud resources like Office 365, either in their browsers or in Office applications.

Scenario 2: Educational institutions

Educational institutions usually have two user types: faculty and students. Faculty members are considered longer-term members of the organization. Creating on-premises accounts for them is desirable. But students are shorter-term members of the organization and their accounts can be managed in Azure AD. This means that directory scale can be pushed to the cloud instead of being stored on-premises. It also means that students will be able to sign in to Windows with their Azure AD accounts and get access to Office 365 resources in Office applications.

Additional Scenarios for using Azure AD join:

● You want to transition to cloud-based infrastructure using Azure AD and MDM like Intune.

● On-premises domain join is not a good option, for example, if you need to get mobile devices such as tablets and phones under control.

● Your users primarily need to access Office 365 or other SaaS apps integrated with Azure AD.

● You want to manage a group of users in Azure AD instead of in Active Directory. This can apply, for example, to seasonal workers, contractors, or students.

● You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure.

Reasons to use Hybrid Azure AD join:

● You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.

● You require Group Policy to manage some of your devices.

● You want to continue to use imaging solutions to configure devices for your employees.


Transitioning Workloads to Intune

When you have prepared Intune and your Windows 10 devices for co-management, you are ready to decide which specific workloads you are going to switch to Intune. Before you switch any workloads, make sure the corresponding workload in Intune has been properly configured and deployed. Doing so ensures that workloads are always managed by one of the management tools for your devices.

The following list is an example of workloads that you can transition to Intune:

1. Resource access policies

● Email profile

● Wi-Fi profile

● VPN profile

● Certificate profile

2. Windows Update policies

3. Endpoint Protection

● Windows Defender Application Guard

● Windows Defender Firewall

● Windows Defender SmartScreen

● Windows Encryption

● Windows Defender Exploit Guard

● Windows Defender Application Control

● Windows Defender Security Center

● Windows Defender Advanced Threat Protection

● Windows Information Protection

4. Device Configuration

● These are essentially the settings you configure using Group Policy.

5. Office 365 Click-to-Run apps

● After moving the workload, the app shows up in the Company Portal on the device.

You would normally identify devices with low-complexity configuration settings and move those workloads to Intune first. These could be Endpoint Protection, Windows Update policies, software deployment and device configuration policies that mirror the Group Policy settings already in place.

Prerequisites for Co-management

To enable co-management for your on-premises Active Directory devices, you must configure your devices as hybrid Azure AD joined devices.


Before you start enabling hybrid Azure AD joined devices in your organization, you need to make sure that:

● You are running an up-to-date version of Azure AD Connect. Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), then these OUs need to be configured for synchronization in Azure AD Connect as well.

● Intune MDM must be set up and configured for automatic enrollment.

● Microsoft Enterprise Mobility + Security (EMS) or Intune licenses for all users.

● Active Directory joined devices are using Windows 10 version 1709 or later. We recommend that you always use the latest version of Windows 10 so that you get the newest advances in terms of security, Azure AD and Intune features.

● Azure AD automatic enrollment enabled

Hybrid Azure AD join is a process meant to automatically register your on-premises domain-joined devices with Azure AD. There are cases, though, where you don't want all your devices to register automatically. This is true, for example, during the initial pilot to verify that everything works as expected.

All current Windows devices automatically register with Azure AD at device start or user sign-in. You can control this behavior either with a Group Policy Object (GPO) or System Center Configuration Manager.

To control current Windows devices:

● For all devices: Disable automatic device registration.

● For selected devices: Enable automatic device registration.

You can control the device registration behavior of your devices by deploying the following GPO: Register domain-joined computers as devices.

1. In the Group Policy Management Console, create two new GPOs and then go to Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

2. In the first GPO, apply the Disabled setting to prevent automatic device registration. In the second GPO apply the Enabled setting to enable automatic device registration.

3. Link the first GPO to all devices in your environment and then link the second GPO only to the OU containing your pilot devices. Alternatively, you can use Group Policy security filtering and a security group to control which devices can automatically register with Azure AD.
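The three GPO steps above, scripted with the GroupPolicy module as an added example (this is not the course's own material). It assumes RSAT with the GroupPolicy and ActiveDirectory modules, an account allowed to create and link GPOs, and a placeholder pilot OU path that you replace with your own; the registry value it sets is the one behind the "Register domain-joined computers as devices" policy.

```powershell
# Added example: create the "block everywhere" and "enable for pilot OU" GPOs
# described in the three steps above, then verify the result on a pilot device.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
# Placeholder OU that holds the pilot devices; replace with your own OU path.
$PilotOU  = "OU=HybridJoinPilot,OU=Workstations,$DomainDN"

# Registry value written by the policy at
# Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
# > "Register domain-joined computers as devices": Disabled = 0, Enabled = 1.
$PolicyKey   = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin"
$PolicyValue = "autoWorkplaceJoin"

# Step 1 + 2 (first GPO): Disabled, so automatic registration stops for every device.
$blockGpo = New-GPO -Name "Device Registration - Block automatic registration"
Set-GPRegistryValue -Name $blockGpo.DisplayName -Key $PolicyKey -ValueName $PolicyValue `
                    -Type DWord -Value 0 | Out-Null

# Step 1 + 2 (second GPO): Enabled, to turn registration back on for pilot devices only.
$pilotGpo = New-GPO -Name "Device Registration - Pilot automatic registration"
Set-GPRegistryValue -Name $pilotGpo.DisplayName -Key $PolicyKey -ValueName $PolicyValue `
                    -Type DWord -Value 1 | Out-Null

# Step 3: link the blocking GPO at the domain and the pilot GPO only to the pilot OU.
# Group Policy applies Local, Site, Domain, then OU (LSDOU), so the OU-linked
# "Enabled" setting is processed last and wins for the pilot devices only.
New-GPLink -Name $blockGpo.DisplayName -Target $DomainDN -LinkEnabled Yes | Out-Null
New-GPLink -Name $pilotGpo.DisplayName -Target $PilotOU  -LinkEnabled Yes | Out-Null

# Verification on a pilot device after "gpupdate /force" and a restart or sign-in:
# dsregcmd /status shows DomainJoined and AzureAdJoined; a hybrid-joined device
# reports YES for both. This helper parses those lines into a hashtable.
function Get-HybridJoinState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

$joinState = Get-HybridJoinState
if ($joinState['DomainJoined'] -and $joinState['AzureAdJoined']) {
    "Device is hybrid Azure AD joined."
} else {
    "Device is not yet hybrid joined: $($joinState | Out-String)"
}
```

A device outside the pilot OU should still report AzureAdJoined : NO after the GPOs apply, which is the quickest way to confirm the domain-level block is in effect.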

Migrating Group Policy management to MDM

Use of personal devices for work, as well as employees working outside the office, is changing how organizations manage devices. While certain parts of some organizations might require deep, granular control over devices, other organizations are embracing lighter, scenario-based management that empowers the modern workforce. Windows 10 continues the tradition of Windows delivering the best-managed operating system for organizations. Windows provides support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility Suite (EMS).

The level of management needed, the devices and data managed, and industry requirements can all define configuration requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. Windows 10 provides a consistent set of configurations across PCs, tablets, and phones through a common MDM layer. The MDM approach calls for settings that achieve the admin’s intent without exposing every possible setting. In contrast, Group Policy exposes fine-grained settings the admin controls individually. One benefit of MDM is that it enables admins to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM a good choice for devices that don’t require the granular management offered by Group Policy and Configuration Manager.

Consider the following scenarios, where MDM should be considered over on-premises management:

● A company that has a large development department. They want to be able to manage the developers and implement some form of management. They want to require BitLocker encryption and make some apps available. But they don’t require all the configuration offered by Group Policy and don’t need the management offered by Configuration Manager. Furthermore, they can let the developers be local administrators on their devices and keep them separated from the rest of the on-premises environment.

● A company needs devices in their reception area, where visitors can sign in or use a browser for accessing information.

● Sales representatives from a company need a device where they can use Outlook, a browser and a sales app for registering orders.

Many organizations still need to manage domain joined computers at a granular level such as Internet Explorer’s many Group Policy settings due to support for a specific app or very specific Windows Firewall rules to meet security policy. In these cases, Group Policy and System Center Configuration Manager continue to be excellent management choices. Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows. For granular configuration with robust software deployment, Windows updates, and OS deployment, Configuration Manager remains the recommended solution.

Review the roles in your organization. Identify users or devices that require Domain Join, and consider switching others to Azure AD. Below is a model of a generalized decision tree. Exceptions will apply in some cases, of course.


Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud management. Users or devices handling more highly regulated data might require on-premises AD Domain Join for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. The choice is yours.


What is the MDM Migration Analysis Tool

Increasingly, organizations are moving to MDM to manage their devices. Microsoft is adding functionality to the Windows 10 operating system itself to make transitioning to MDM easier.

Transitioning from Group Policy to MDM can be challenging. Some organizations have Group Policies that have been in place for over a decade and which may not be fully inventoried, let alone understood. Furthermore, MDM does not have a 1 to 1 mapping for all legacy Group Policies. While it’s possible for an IT administrator to manually inventory Group Policy and cross reference MDM documentation on MSDN to determine the support level, this would be labor intensive and error prone.

For this reason, Microsoft created the MDM Migration Analysis Tool (MMAT). MMAT determines which Group Policies have been set for a target user or computer and cross-references against its built-in list of supported MDM policies. MMAT will then generate both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents.

If you have a Group Policy targeting Minimum Password Length, for instance, MMAT will detect this and tell you that MDM also supports this policy. If you’re using startup scripts, MMAT will report which ones you’re using and indicate that they’re not supported by MDM.

The easiest way to get started with MMAT is simply to run it: install MMAT’s prerequisites, run it, and then examine the HTML report. With MMAT you can greatly speed your migration to MDM managed devices.


Review Activity - Device Management Options

Let's play a quick game to test your knowledge of Device Management Options. The review activity is available at: https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_1_devicemgmttutorial.html


Manage Intune device enrollment and inventory

Lesson Introduction

In this lesson, you will be introduced to managing devices using Intune. You will learn how to configure and set up Intune, so you can more easily manage Windows 10, Android and iOS devices. You will examine how to enroll devices in Intune, and you will be introduced to Multi-Factor Authentication (MFA). The module will conclude with an overview of verifying device inventory in Intune using the Graph API and Power BI.

After this lesson, you should be able to:

● Prepare Microsoft Intune for device enrollment.

● Configure Microsoft Intune for automatic enrollment.

● Explain how to enroll Windows 10, Android and iOS devices in Intune.

● Explain when and how to use Intune Enrollment Manager.

● Describe how to inventory Intune enrolled devices using Graph API and Power BI
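The lesson introduction above mentions verifying device inventory through the Graph API. The following added PowerShell example (not part of the course) reads the Intune managed-device list from Microsoft Graph, following @odata.nextLink until every page is fetched, and summarises it by platform and compliance state. It assumes $AccessToken already holds a Graph bearer token granted DeviceManagementManagedDevices.Read.All; obtaining the token is outside this example.

```powershell
# Added example: pull the Intune managed-device inventory from Microsoft Graph.
# Assumption: $AccessToken is a valid bearer token with DeviceManagementManagedDevices.Read.All.
function Get-IntuneDeviceInventory {
    param([Parameter(Mandatory)][string]$AccessToken)

    $headers = @{ Authorization = "Bearer $AccessToken" }
    # $select trims the payload to the managedDevice properties the report needs.
    # Single quotes keep PowerShell from expanding "$select" as a variable.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
           '?$select=deviceName,operatingSystem,osVersion,complianceState,managedDeviceOwnerType,lastSyncDateTime'

    $devices = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $devices += $page.value
        # Graph pages results; @odata.nextLink is absent (null) on the final page.
        $uri = $page.'@odata.nextLink'
    }
    return $devices
}

function Get-InventorySummary {
    param([object[]]$Devices)
    # One row per (platform, compliance state) pair, e.g. "Windows, noncompliant".
    $Devices |
        Group-Object operatingSystem, complianceState |
        Select-Object @{ n = 'Platform/Compliance'; e = { $_.Name } }, Count |
        Sort-Object 'Platform/Compliance'
}

function Get-StaleDevices {
    param([object[]]$Devices, [int]$Days = 30)
    # Devices that have not synced recently are a common inventory hygiene finding:
    # they still count against licensing and may hold stale compliance results.
    $cutoff = (Get-Date).AddDays(-$Days)
    $Devices |
        Where-Object { $_.lastSyncDateTime -and ([datetime]$_.lastSyncDateTime -lt $cutoff) } |
        Select-Object deviceName, operatingSystem, managedDeviceOwnerType, lastSyncDateTime
}

$inventory = Get-IntuneDeviceInventory -AccessToken $AccessToken
Get-InventorySummary -Devices $inventory | Format-Table -AutoSize
Get-StaleDevices -Devices $inventory -Days 30 | Format-Table -AutoSize
```

The same $select projection can be exported with Export-Csv as the input for a Power BI report, which is the combination the lesson objectives refer to.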

Activating and Deploying MDM services

Intune lets you manage your workforce’s devices and apps and how they access your company data. To use this Mobile Device Management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it’s issued an MDM certificate. This certificate is used to communicate with the Intune service.

Several methods exist to enroll your workforce’s devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking).

By default, devices for all platforms can enroll in Intune. However, you can restrict devices by platform.

Prerequisites for iOS enrollment

Before you can enable iOS devices, complete the following steps:

● Set up Intune - These steps set up your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority. You set this item only once, when you are first setting up Intune for mobile device management.

● Get an Apple MDM Push certificate - Apple requires a certificate to enable management of iOS and macOS devices.

● Sign up for Apple Business if you intend to use Apple’s Device Enrollment Program.


iOS enrollment methods

User-owned iOS devices (BYOD)

You can let users enroll their personal devices for Intune management, known as “bring your own device” or BYOD. Once you've completed the prerequisites and assigned users licenses, they can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app.

Company-owned iOS devices

For organizations that buy devices for their users, Intune supports the following iOS company-owned device enrollment methods:

● Apple's Device Enrollment Program (DEP)

● Apple School Manager

● Apple Configurator Setup Assistant enrollment

● Apple Configurator direct enrollment

You can also enroll company-owned iOS devices with a device enrollment manager account.

Device Enrollment Program

Organizations can purchase iOS devices through Apple's Device Enrollment Program (DEP). DEP lets you deploy an enrollment profile “over the air” to bring devices into management.

You can enable DEP enrollment for large numbers of devices without ever touching them. You can ship devices like iPhones and iPads directly to users. When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

To enable DEP enrollment, you use both the Intune and Apple DEP portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create DEP enrollment profiles containing settings that are applied to devices during enrollment.

Supervised mode

An iOS device in supervised mode can be managed with more controls. As such, it’s especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of the DEP. We recommend that you use supervised mode even though it requires more configuration compared to other iOS enrollment methods. It gives you access to many policy settings in Intune that are otherwise unavailable.

For more information, go to: Automatically enroll iOS devices with Apple's Device Enrollment Program (https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios).

Prerequisites for Android enrollment

Before you enable Android devices, complete the following steps:

● Set up Intune - These steps set up your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority. You set this item only once, when you are first setting up Intune for mobile device management.

● By default, Intune is configured to allow enrollment of Android and Samsung Knox Standard devices. Admins merely need to tell their users how to enroll their devices.

● After a user has enrolled, you can begin managing their devices in Intune, including assigning compliance policies, managing apps, and more.

Android enrollment methods

User-owned Android devices (BYOD)

You can let users enroll their personal devices for Intune management (BYOD). Once you've completed the prerequisites and assigned users licenses, they can download the Intune Company Portal app from the Google Play Store, and follow enrollment instructions in the app.

Android work profile

Intune helps you deploy apps and settings to Android work profile devices to ensure work and personal information are separate.

To set up Android work profile management, you must connect your Intune tenant account to your Android enterprise account. Android enterprise is a set of features and services that separate personal apps and data from work apps and data. Android enterprise provides additional management capabilities and privacy when people use their Android devices for work. Android work profiles are supported on only certain Android devices. Any device that supports Android work profiles also supports conventional Android management.

If you want to enroll devices in Android work profiles, but those devices were already enrolled as regular Android devices, those devices must first unenroll and then re-enroll.

When you manage an Android work profile device with Intune, you don’t manage the entire device. Management capabilities only affect the work profile that is created on the device during enrollment. Any apps deployed to the device with Intune get installed in the work profile. App icons in the work profile are differentiated from personal apps on the device. All Android apps and data outside the Android enterprise portion of the device remain personal and under the control of the end user. Users can install any app they choose to the personal side of the device. Administrators can manage and monitor apps and actions scoped to the work profile.

Managing Corporate Enrollment Policy

When your organization signs up for a Microsoft cloud-based service like Intune, you're given an initial domain name hosted in Azure AD that follows this model: your-domain.onmicrosoft.com. In this example, your-domain is the domain name that you chose when you signed up. onmicrosoft.com is the suffix assigned to the accounts you add to your subscription. You can configure your organization's custom domain to access Intune instead of the domain name provided with your subscription.


Before you create user accounts or synchronize your on-premises Active Directory, we strongly recommend that you add one or more of your custom domain names. This will simplify user management and lets users sign in with the credentials they use to access other domain resources.

You can decide to use only the .onmicrosoft.com domain if you want to, but it should really only be used for the initial setup or when you are testing. You cannot rename or remove the initial onmicrosoft.com domain name. You can add, verify or remove custom domain names used with Intune to keep your business identity clear.

To add and verify your custom domain

1. Go to the Office 365 management portal and sign in to your administrator account.

2. In the navigation pane, choose Setup > Domains.

3. Choose Add domain, and type your custom domain name. Click Next.

4. <img src="../..\Linked_Image_Files\MD101.3_01_02_02_image1.png" alt="Screenshot of the “Add a domain” screen, within the Office 365 management portal." title="">

5. The Verify domain dialog box opens giving you the values to create the TXT record in your DNS hosting provider.

● GoDaddy users: The Office 365 management portal redirects you to GoDaddy's login page. After you enter your credentials and accept the domain change permission agreement, the TXT record is created automatically. Alternatively, you can create the TXT record manually.

● Register.com users: Follow the step-by-step instructions to create the TXT record.

Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.

As an Intune admin, you can simplify enrollment in the following ways:

● Enable automatic enrollment (Azure AD Premium required)

● CNAME registration

● Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer required)

Configure automatic MDM enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.

1. Sign in to the Azure portal and select Azure Active Directory.

2. Select Mobility (MDM and MAM).

3. Select Microsoft Intune.


4. Configure the MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll in Microsoft Intune.

● None - MDM automatic enrollment is disabled

● Some - Select the Groups that can automatically enroll their Windows 10 devices

● All - All users can automatically enroll their Windows 10 devices

5. Use the default values for the following URLs:

● MDM Terms of use URL

● MDM Discovery URL

● MDM Compliance URL

6. Click Save.

Azure Multi-Factor Authentication

When it comes to protecting your accounts, two-step verification should be standard across your organization. This feature is especially important for accounts that have privileged access to resources. For this reason, Microsoft offers basic two-step verification features to Office 365 and Azure Active Directory (Azure AD) administrators for no extra cost. If you want to upgrade the features for your admins or extend two-step verification to the rest of your users, you can purchase Azure Multi-Factor Authentication (MFA) in several ways.

By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. To enable two-factor authentication, configure a two-factor authentication provider in Azure AD and configure your user accounts for multi-factor authentication.

You can take one of two approaches for requiring two-step verification. The first option is to enable each user for Azure MFA. When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions.

Choose one of these methods to require two-step verification, not both. Enabling a user for Azure MFA overrides any conditional access policies.

● Enabled by changing user state - This is the traditional method for requiring two-step verification. It works with both Azure MFA in the cloud and Azure MFA Server. Using this method requires users to perform two-step verification every time they sign in and overrides conditional access policies.

● Enabled by conditional access policy - This is the most flexible means to enable two-step verification for your users. Enabling using conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD.


● Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing.

For more information about licensing requirements and how to get Azure Multi-Factor Authentication, refer to: How to get Azure Multi-Factor Authentication3.

Enable MFA for a single Azure AD user

1. Sign in to the Azure portal as an administrator.

2. Go to Azure Active Directory > Users and groups > All users.

3. Select Multi-Factor Authentication.

4. A new page that displays the user states appears.

5. Find the user you want to enable for Azure MFA. You might need to change the view at the top.

6. Select the checkbox for each user’s name.

7. On the right, under Quick Steps, select Enable or Disable.

8. Confirm your selection in the pop-up window that appears.

After you enable users, notify them via email. Tell them that they'll be asked to register the next time they sign in. Also, if your organization uses non-browser apps that don't support modern authentication, they need to create app passwords. You can also include a link to the Azure MFA end-user guide to help them get started.

For more information, go to: What does Azure Multi-Factor Authentication mean for me4.

Simplify Windows enrollment without Azure AD Premium

To simplify enrollment, create a Domain Name System (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. The record is optional, but if no CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

Step 1: Create CNAME records (optional)

Create CNAME DNS resource records for your company’s domain. For example, if your company’s website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

Azure Active Directory has a different CNAME that it uses for device registration for iOS, Android, and Windows devices. If you plan to use conditional access, you should also configure the EnterpriseRegistration CNAME for each company name you have.

3 https://docs.microsoft.com/da-dk/azure/active-directory/authentication/concept-mfa-licensing

4 https://docs.microsoft.com/da-dk/azure/active-directory/user-help/multi-factor-authentication-end-user


We recommend that you create both CNAME records for all DNS names that you own.

Type   Host name                           Points to                                     TTL (Time-To-Live)
CNAME  EnterpriseEnrollment.contoso.com    EnterpriseEnrollment-s.manage.microsoft.com   1 hour
CNAME  EnterpriseRegistration.contoso.com  EnterpriseRegistration.windows.net            1 hour

If the company uses more than one UPN suffix, you need to create two CNAME records for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com and EnterpriseRegistration.windows.net respectively.

Step 2: Verify CNAME (optional)

1. In Intune in the Azure portal, select Device enrollment > Windows enrollment > CNAME Validation.

2. In the Domain box, enter the company website and then select Test.

Changes to DNS records might take up to 72 hours to propagate. You can't verify the DNS change in Intune until the DNS record propagates.
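As an added example (not part of the course material), the following Python script applies the rule above: for every UPN suffix it derives the two CNAME records the lesson requires and compares them with what the resolver returns, reporting records that are missing or point at the wrong host. The resolver answers are a constructed in-memory zone so the script runs offline; `lookup_cname` is a stand-in for a real DNS query, and the domains other than contoso.com are made up.

```python
"""Check that a domain's Intune enrollment CNAMEs match the expected targets.

Added example, not course material. The two target hosts are the ones the
lesson names; the resolver answers are constructed in-line so the check runs
offline. Replace lookup_cname with a real DNS query in production.
"""
from typing import Dict, List, Tuple

# Targets the lesson names for the two CNAME records (compared case-insensitively).
EXPECTED_TARGETS = {
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}

# Constructed resolver answers (host -> CNAME target). contoso.com is correct,
# fabrikam.com lacks the registration record, and tailspin.com points the
# enrollment record at the wrong host. None of this is real DNS data.
SAMPLE_ZONE = {
    "enterpriseenrollment.contoso.com": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration.contoso.com": "enterpriseregistration.windows.net",
    "enterpriseenrollment.fabrikam.com": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseenrollment.tailspin.com": "manage.contoso.com",
    "enterpriseregistration.tailspin.com": "enterpriseregistration.windows.net",
}


def required_records(upn_suffix: str) -> List[Tuple[str, str]]:
    """Return the (host, target) CNAME pairs a UPN suffix needs.

    The lesson's rule: two CNAME records per domain, one for each target.
    """
    suffix = upn_suffix.strip().lower().rstrip(".")
    return [(f"{label}.{suffix}", target) for label, target in EXPECTED_TARGETS.items()]


def lookup_cname(host: str, zone: Dict[str, str]) -> str:
    """Stand-in for a DNS CNAME query; answers come from the constructed zone."""
    return zone.get(host.lower().rstrip("."), "")


def check_domains(upn_suffixes, zone=SAMPLE_ZONE) -> Dict[str, List[str]]:
    """Map each suffix to its list of problems; an empty list means fully configured."""
    report = {}
    for suffix in upn_suffixes:
        problems = []
        for host, expected in required_records(suffix):
            actual = lookup_cname(host, zone)
            if not actual:
                # Missing record: users would be prompted for the MDM server name by hand.
                problems.append(f"missing CNAME {host}")
            elif actual.lower().rstrip(".") != expected:
                problems.append(f"{host} points to {actual}, expected {expected}")
        report[suffix] = problems
    return report


if __name__ == "__main__":
    for suffix, problems in check_domains(["contoso.com", "fabrikam.com", "tailspin.com"]).items():
        print(f"{suffix}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against your own list of UPN suffixes once the DNS change has propagated (the lesson notes this can take up to 72 hours); a clean report for every suffix is the precondition for the CNAME Validation test in the portal to pass.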

Enrolling Windows 10 devices

There are many ways to enroll Windows 10 devices into Microsoft Intune for device management. Some are user-driven and some are controlled by IT administrators. Some exist to support BYOD programs and others to streamline modern provisioning scenarios and management for corporate-owned devices. Each enrollment method can have different setup requirements and behaviors. The following methods can be used to enroll in Intune:

● Method 1: Add work or school account

● Method 2: Enroll in MDM only (user driven)

● Method 3: Azure AD join (OOBE)

● Method 4: Azure AD join (autopilot – user-driven deployment mode)

● Method 5: Azure AD join (autopilot self-deploying mode)

● Method 6: Enroll in MDM only (Device Enrollment Manager)

● Method 7: System Center Configuration Manager co-management

● Method 8: Azure AD join (bulk enrollment)

Method 1: Add work or school account

This enrollment method will Azure AD join the device. If you have Azure AD Premium licenses and your Azure AD tenant has auto-enrollment for Intune configured, your device will also be enrolled into Intune as well. This method is the preferred method when Autopilot is not used in the environment. You would normally provide users with instructions on how to set up a work or school account from the Settings app.

<img src="../..\Linked_Image_Files\MD101.3_01_02_03_image1.png" alt="Screenshot of the “Set up a work or school account” window which appears after clicking "Connect" from the Access work or school" page." title="">


Method 2: Enroll only in device management (user driven)

This enrollment method will only enroll the device in Intune and not Azure AD join the device. You will only use this form of enrollment in environments that do not have Azure AD Premium licenses that are required to enable auto-enrollment of devices into Intune.

Method 3: Azure AD join (OOBE)

This enrollment method basically does the same as method 1, with one exception. The device is enrolled during the Out of Box Experience (OOBE) and not from within the Settings app. By choosing Setup for an organization and using a work account to sign in, the device will be Azure AD joined. If you have Azure AD Premium licenses and your Azure AD tenant has auto-enrollment for Intune configured, your device will also be enrolled into Intune as well. This method will typically be used where you do not have direct access to your users and their devices. This could be a remote office where the devices are delivered directly with Windows 10 pre-installed, typically Windows 10 Pro. The user then powers on the machine and joins Azure AD during OOBE. The device is enrolled in Intune and will receive apps and configuration from Intune. The version of Windows 10 is typically uplifted to Windows 10 Enterprise using an Intune profile setting.


Method 4: Azure AD join (autopilot – user-driven deployment mode)

This enrollment method basically does the same as method 2, with a few exceptions. The device is enrolled during the Out of Box Experience (OOBE), which is customized, and not from within the Settings app. Many of the OOBE screens can be skipped to ensure a smoother setup experience for end users. If configured, the desktop is first shown to the user only after software has been installed and policies are applied.

This method is the preferred method for enrolling devices in Intune, but it requires Azure AD Premium licenses and that your Azure AD tenant has auto-enrollment for Intune configured.


Method 5: Azure AD join (autopilot self-deploying mode)

This enrollment method basically does the same as method 4, with one exception. It allows all OOBE screens to be skipped after the device is first powered on. The Azure AD join and Intune enrollment are fully automated without any user interaction. It's currently in preview and can be configured by choosing these options in your autopilot profile in the Intune console.

This type of enrollment is primarily for user-less devices such as kiosks, but it can be used for normal users as well. You can pre-assign a user to a device so all the user has to supply is a password. This setup experience is the most streamlined compared to the other methods.


Method 6: Enroll in MDM only (Device Enrollment Manager)

This method of enrollment is very similar to method 3, except it’s performed by IT admins using a special type of account, a Device Enrollment Manager (DEM) account. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. The DEM would enroll the device, log on to the Company Portal and install the apps required by the user. This account can be used to enroll up to 1000 devices into Intune. The IT administrator who performs the enrollment must have access to local administrator credentials to complete the enrollment from the Settings menu. For more information about DEM, refer to the topic Enrollment Rules later in this lesson.


Method 7: System Center Configuration Manager co-management

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. It’s a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. Co-management is the preferred way to enroll existing devices that are already being managed by System Center Configuration Manager (SCCM). Once enabled, the device can be managed by SCCM and Intune, leveraging the best features of both.

Method 8: Azure AD join (bulk enrollment)

Bulk enrollment is an efficient way to set up a large number of devices to be managed by Intune without the need to re-image the devices. You enable bulk enrollment by creating a provisioning package using the Windows Configuration Designer app from the Store. You then apply this package either during the OOBE or run it from the Settings app. This method can be used instead of method 1 if you want the enrollment process to be as easy as possible for your users. You don't have to provide users with instructions on how to set up a work or school account from the Settings app. You just supply them with the provisioning package, and all they have to do is click it to enroll in Azure AD and Intune.


Enrolling Android Devices

To enroll an Android device using the Company Portal, perform the following steps:

1. Install the free Intune Company Portal app from Google Play.

2. Open the Company Portal app.

3. On the Company Portal Welcome screen, tap Sign in, and then sign in with your work or school account.

4. Follow the instructions given in the Company Portal. The end-user experience can vary based on the policies assigned to the user and/or device.

For a walk-through of enrolling an Android device using the Company Portal, watch the Enrolling your Android device video:


Enrolling iOS Devices

Enroll your iOS device using Company Portal

1. Download and install the Intune Company Portal from Apple app store.

2. Open the Company Portal app.


3. On the Company Portal Welcome screen, tap Sign in, and then sign in with your work or school account.

4. Follow the instructions given in the Company Portal. The end-user experience can vary based on the policies assigned to the user and/or device.

Enrolling an iOS device configured for the Device Enrollment Program (DEP)

1. Turn on your iOS device.

2. After you select your language, connect your device to Wi-Fi.

3. On the Set up iOS device screen, choose whether you want to:

● Set up as new device

● Restore from iCloud backup

● Restore from iTunes backup

4. Once you’ve connected to Wi-Fi, the Configuration screen will appear. A message will say that:

● [Your Company] will automatically configure your device.

● Configuration allows [Your Company] to manage this device over the air. An administrator can help you set up email and network accounts, install and configure apps, and manage settings remotely. An administrator may disable features, install and remove apps, monitor and restrict your Internet traffic and remotely erase this device.

● Configuration is provided by: [Your Company's] iOS Team [Address]

5. Log in with your Apple ID. Logging in lets you install the Company Portal app and install the management profile that will let your company give you access to their resources, like email and apps.

6. Agree to the Terms and Conditions and decide whether you want to send diagnostic information to Apple.

7. Once you complete your enrollment, your device may prompt you to take more actions. Some of these steps might be entering your password for email access or setting up a passcode.

For a walk-through of enrolling an iOS device using the Company Portal, watch the Enroll your mobile device in Microsoft Intune for corporate access video:

Enrollment Rules

Organizations can use Intune to manage large numbers of mobile devices with a single user account. The device enrollment manager (DEM) account is a special user account that can enroll up to 1,000 devices. You add existing users to the DEM account to give them the special DEM options. Each enrolled device uses a single license. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. The DEM would enroll the device, log on to the Company Portal and install the apps required by the user. If the user requires individual configuration such as e-mail profiles, then the user should enroll the device themselves and DEM should not be used.

Users must exist in the Azure portal to be added as device enrollment managers. For optimal security, the DEM user shouldn't also be an Intune admin. The DEM enrollment method can't be used with these other enrollment methods: Apple Configurator with Setup Assistant, Apple Configurator with direct enrollment, Apple School Manager (ASM), or Device Enrollment Program (DEP).

Example of a device enrollment manager scenario

A restaurant wants to provide 50 point-of-sale tablets for its wait staff, and order monitors for its kitchen staff. The employees never need to access company data or sign in as users. The Intune admin creates a new device enrollment manager account for the restaurant supervisor. This account is separate from the supervisor's primary account and is used only for enrolling shared devices with Intune. The supervisor can now enroll the 50 tablets by using the DEM credentials.

What can a device enrollment manager do?

Only users in Azure AD can be added as a device enrollment manager.

The DEM user can:

● Enroll up to 1000 devices in Intune

● Sign in to the Company Portal to get company apps

● Configure access to company data by deploying role-specific apps to the tablets

Limitations of devices that are enrolled with a DEM account

Devices that are enrolled with a device enrollment manager account have the following limitations:

● No per-user access. Because devices don't have an assigned user, the device has no email or company data access. VPN configurations, for example, could still be used to provide device apps with access to data.

● The DEM user can't unenroll DEM-enrolled devices on the device itself by using the Company Portal. The Intune admin can unenroll.

● Only the local device appears in the Company Portal app or website.

● Users can’t use Apple Volume Purchase Program (VPP) apps with user licenses because of per-user Apple ID requirements for app management.

● (iOS only) If you use DEM to enroll iOS devices, you can't use the Apple Configurator, Apple Device Enrollment Program (DEP), or Apple School Manager (ASM) to enroll devices. This means that you can't put the device in supervised mode and thus won't have access to some configuration options.


● (Android only) There's a limit to the number of Android work profile devices that can be enrolled with a single DEM account. Up to 10 Android work profile devices may be enrolled per DEM account. This limitation doesn't apply to legacy Android enrollment.

● Devices can install VPP apps if they have device licenses.

● An Intune device license isn't required to use DEM.

Add a device enrollment manager

1. In Intune in the Azure portal, select Device enrollment > Device enrollment managers.

2. Select Add.

3. On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is added to the list of DEM users.

Permissions for DEM

Global or Intune Service Administrator Azure AD roles are required to:

● Complete tasks that are related to DEM enrollment in the Admin Portal

● Access all DEM users despite role-based access control (RBAC) permissions being listed and available under the custom User role

A user without the Global Administrator or Intune Service Administrator role assigned, but who has read permissions for the Device Enrollment Managers role, can access only the DEM users they created. RBAC role support for these features will be announced in the future.

Intune for Education reporting

Microsoft Intune does not include any preconfigured report that you can run out-of-the-box. Some report functionality is included in Microsoft Intune for Education though. Intune for Education is a light version of Microsoft Intune specifically designed for education. It lets you manage Windows 10 and iOS devices using the full MDM capabilities available in Intune.

In Intune for Education you can download the following reports:

● Device inventory report

● Application inventory report

● Settings error report

● Windows Defender report

To access reports in Intune for Education, do the following:

1. From the Intune for Education dashboard, click Reports.

2. Select the report you want to view.

3. Use the search boxes to find specific devices, applications, and settings.


4. To download a report, click Download report. Intune for Education will download a report to your computer, as a comma-separated value (.csv) file.

5. View and modify the file in Microsoft Excel.

Device and application reporting

Even though Microsoft Intune doesn't include a reports node for accessing and downloading reports, you can still report on all your devices and applications in the same way as you would in Intune for Education.

Device reporting

To create and download a report for all your devices, in the Azure Portal, do the following:

1. Click the Intune blade.

2. Click Devices and then under Manage, click All devices.

3. In the All devices blade, click Export.

4. Click yes and a report containing all your devices with hardware inventory will be downloaded to your computer, as a comma-separated value (.csv) file.

5. You can now view or modify the report in Excel.

Application reporting

To create and download a report for all your applications, in the Azure Portal, do the following:

1. Click the Intune blade.

2. Click Client apps and then under Manage, click Apps.

3. In the Apps blade, click Export.

4. Click yes and a report containing all your applications will be downloaded to your computer, as a comma-separated value (.csv) file.

5. You can now view or modify the report in Excel.

You can also download Audit logs from Intune, which provides you with a record of activities that generate a change in Microsoft Intune. Create, Update (edit), Delete, and Assign actions, or remote tasks, generate audit events that you can review. You can review audit logs for most Intune workloads. Auditing is enabled by default for all customers and can't be disabled.

For more information, refer to: Audit logs for Intune activities5.

5 https://docs.microsoft.com/en-us/intune/monitor-audit-logs
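The audit log is the record a defender works from after an unexpected change, so as an added example (not part of the course material) the following Python triage flags the events that deserve a second look: Delete operations, changes made outside an expected change window, and changes made by an account that is not on the list of expected policy administrators (for instance a DEM account, which the lesson says should not also be an Intune admin). The event shape is modelled on the Microsoft Graph deviceManagement/auditEvents resource, but every event below is constructed, and the change window and admin list are assumptions to adapt to your tenant.

```python
"""Triage Intune audit events for changes worth reviewing.

Added example, not course material. The field names (activityDateTime,
activityOperationType, actor, category, resources) follow the Graph
auditEvent resource as an assumption; the sample events are constructed.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Operation types the lesson says generate audit events.
AUDITED_OPERATIONS = {"Create", "Update", "Delete", "Assign"}

# Assumption: 07:00-18:59 UTC is the expected change window for this tenant.
BUSINESS_HOURS_UTC = range(7, 19)

# Constructed allowlist of accounts expected to change Intune configuration.
EXPECTED_ADMINS = {"admin@contoso.com"}

# Constructed sample export: a normal admin day plus two events that merit review
# (a late-night policy deletion, and a DEM account editing a configuration profile).
SAMPLE_EVENTS = [
    {"activityDateTime": "2019-06-03T09:12:00Z", "activityOperationType": "Create",
     "category": "Compliance", "actor": {"userPrincipalName": "admin@contoso.com"},
     "resources": [{"displayName": "Windows 10 baseline"}]},
    {"activityDateTime": "2019-06-03T09:40:00Z", "activityOperationType": "Assign",
     "category": "Compliance", "actor": {"userPrincipalName": "admin@contoso.com"},
     "resources": [{"displayName": "Windows 10 baseline"}]},
    {"activityDateTime": "2019-06-03T23:55:00Z", "activityOperationType": "Delete",
     "category": "Compliance", "actor": {"userPrincipalName": "admin@contoso.com"},
     "resources": [{"displayName": "Windows 10 baseline"}]},
    {"activityDateTime": "2019-06-04T10:05:00Z", "activityOperationType": "Update",
     "category": "DeviceConfiguration", "actor": {"userPrincipalName": "dem-store@contoso.com"},
     "resources": [{"displayName": "Kiosk profile"}]},
]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage(events: List[Dict], expected_admins=EXPECTED_ADMINS) -> List[Dict]:
    """Return one finding per event that trips at least one review rule."""
    findings = []
    for ev in events:
        op = ev.get("activityOperationType", "")
        if op not in AUDITED_OPERATIONS:
            continue
        actor = ev.get("actor", {}).get("userPrincipalName", "<unknown>")
        when = parse_time(ev["activityDateTime"])
        target = ", ".join(r.get("displayName", "?") for r in ev.get("resources", []))
        reasons = []
        if op == "Delete":
            # Deleting a compliance or configuration policy silently removes its enforcement.
            reasons.append("destructive operation")
        if when.hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside change window")
        if actor not in expected_admins:
            reasons.append("unexpected actor")
        if reasons:
            findings.append({"when": when.isoformat(), "actor": actor, "operation": op,
                             "category": ev.get("category", ""), "target": target,
                             "reasons": reasons})
    return findings


def actor_summary(events: List[Dict]) -> Counter:
    """Count audited operations per actor; an account doing more than its job stands out."""
    return Counter(ev.get("actor", {}).get("userPrincipalName", "<unknown>")
                   for ev in events if ev.get("activityOperationType") in AUDITED_OPERATIONS)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['when']} {f['actor']} {f['operation']} {f['target']}: {', '.join(f['reasons'])}")
    print(dict(actor_summary(SAMPLE_EVENTS)))
```

Because auditing cannot be disabled, this kind of review can run on a schedule against the exported log; the rules are deliberately simple so that each finding explains itself to whoever picks it up.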


Building Custom Intune Inventory Reports

You can use the Intune Data Warehouse to build professional looking reports that provide insight into your enterprise mobile environment. For example, some of the reports include:

● Trend of users enrolling in Intune so you can optimize your license purchases

● App and OS version breakdown so you can review the status of devices

● Enrollment and device compliance trends so you can smoothly roll out policy updates

The Data Warehouse provides you access to more information about your Intune environment than the Azure portal. With the Intune Data Warehouse you can access:

● Historical Intune data

● Data refreshed on a daily cadence

● A data model using the OData standard

Requirements for accessing the Intune Data Warehouse (including the API) are:

● User must be one of:

  ● Azure AD global administrator

  ● An Intune service administrator

  ● User with role-based access to Intune data warehouse resources

  ● User-less authentication using application-only authentication

● Install the latest version of Power BI Desktop. You can download Power BI Desktop from: PowerBI.microsoft.com

When accessing data in the Data Warehouse with Power BI, you have two options:

● Load the data using the Power BI file

● Load the data in Power BI using the OData link

You can download a file for use with Microsoft Power BI that allows you to load interactive, dynamically generated reports for your Intune tenant. The Data Warehouse Power BI file (pbix) contains connection settings to your tenant, as well as the following sample reports and charts:

● Devices

● Enrollment

● App protection policy

● Compliance policy

● Device configuration profiles

● Software updates

● Device inventory logs

There are also trends highlighted for the enrollment, compliance, device configuration profile, and software updates. Sample charts and reports apply user-friendly filters to the canvas. To use advanced filters, check out the Filter pane in Power BI Desktop.

Load the data using the Power BI file

1. Sign in to the Azure portal and click Intune.

2. Open the Microsoft Intune Data Warehouse API (Preview) blade.

3. Select Download PowerBI file. The file with a (pbix) extension downloads to the location you specified.

4. Open the file with Power BI. The Intune Data Warehouse Reports loads, but may take a moment to get your tenant data.

5. Select Refresh to load your tenant data and review the reports.

6. If Power BI has not authenticated with your Azure Active Directory credentials, Power BI prompts you to provide your credentials. When selecting your credentials, choose Organizational account as your authentication method.

Load the data in Power BI using the OData link

With a client authenticated to Azure AD, the OData URL connects to the RESTful endpoint in the Data Warehouse API that exposes the data model to your reporting client. Follow these instructions to use Power BI Desktop to connect and create your own reports. You're not limited to Power BI Desktop; you can use your favorite analytic tool with the OData URL, provided the client supports OAuth 2.0 authentication and the OData v4.0 standard.

1. Sign in to the Azure portal and choose Monitoring + Management > Intune. You can also search resources for Intune.

2. Open the Microsoft Intune Data Warehouse API (Preview) blade.

3. Retrieve the custom feed URL from the reporting blade, for example [code]https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService/dates?api-version=beta[/code]

4. Open Power BI Desktop.

5. Choose Home > Get Data. Select OData feed.

6. Choose Basic.

7. Type or paste the OData URL into the URL box.

8. Select OK.

9. If you have not authenticated to Azure AD for your tenant from the Power BI desktop client, type your credentials. To gain access to your data, you must authorize with Azure AD using OAuth 2.0.

  ● Select Organizational account.

  ● Type your username and password.

  ● Select Sign In.

  ● Select Connect.

10. Select Load.


Accessing Intune using Microsoft Graph API

The Microsoft Graph API for Intune enables programmatic access to Intune information for your tenant; the API performs the same Intune operations as those available through the Azure portal. Microsoft Graph is primarily used for programmatic access to your data in the cloud, and thus for building automation scripts, but you can also use it to extract data from Intune and further manipulate that data in your favorite analysis or reporting tool. When you use Microsoft Graph you have access to all data in Intune, but it's more complex to work with than Power BI and the Intune Data Warehouse, for example.

[Illustration: Intune APIs in Microsoft Graph: automation, integration & advanced analytics]

For mobile device management (MDM) scenarios, the Graph API for Intune supports standalone deployments. Intune provides data into the Microsoft Graph in the same way as other cloud services do, with rich entity information and relationship navigation. Use Microsoft Graph to combine information from other services and Intune to build rich cross-service applications for IT professionals or end users.

Here’s an example of how you can determine whether an application is installed on a user's device:

1. From Azure AD, get a list of devices registered to a user:

[code]https://graph.microsoft.com/beta/users/{user}/ownedDevices[/code]

2. Then view the list of applications for your tenant:

[code]https://graph.microsoft.com/beta/deviceAppManagement/mobileApps[/code]

3. Take the ID from the application and determine the installation state for the application (and therefore user):

[code]https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{id}/deviceStatuses/[/code]
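The three-step lookup above, carried through as a PowerShell function that also follows OData paging so a large tenant's results are not truncated. This is an added example, not code from the course or from the Intune PowerShell samples; it assumes you already hold an OAuth 2.0 bearer token in $token obtained with delegated scopes limited to what these calls need (assumed here: Directory.Read.All for ownedDevices and DeviceManagementApps.Read.All for the app endpoints), and it joins Azure AD device displayName to the Intune deviceName, which is an assumption about your device naming.

```powershell
# Added example: report whether an app is installed on the devices a user owns,
# following the three Graph calls from the course text.

function Invoke-GraphGet {
    # GET a Graph collection and follow @odata.nextLink so paged results are complete.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers -ErrorAction Stop
        if ($null -ne $page.value) { $items += @($page.value) }
        $Uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
    return $items
}

function Get-UserAppInstallState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $graph = 'https://graph.microsoft.com/beta'

    # Step 1: devices registered to the user in Azure AD.
    $ownedDevices = Invoke-GraphGet -Uri "$graph/users/$UserPrincipalName/ownedDevices" -AccessToken $AccessToken

    # Step 2: the tenant's app list; pick the app by display name.
    $apps = Invoke-GraphGet -Uri "$graph/deviceAppManagement/mobileApps" -AccessToken $AccessToken
    $app  = $apps | Where-Object { $_.displayName -eq $AppDisplayName } | Select-Object -First 1
    if (-not $app) { throw "App '$AppDisplayName' was not found in the tenant." }

    # Step 3: per-device install state for that app id.
    $statuses = Invoke-GraphGet -Uri "$graph/deviceAppManagement/mobileApps/$($app.id)/deviceStatuses" -AccessToken $AccessToken

    # Join on device name (assumption: Azure AD displayName equals the Intune deviceName).
    foreach ($device in $ownedDevices) {
        $status = $statuses | Where-Object { $_.deviceName -eq $device.displayName } | Select-Object -First 1
        # 'noStatusReported' is this script's own marker, not a Graph installState value.
        $state  = if ($status) { $status.installState } else { 'noStatusReported' }
        $sync   = if ($status) { $status.lastSyncDateTime } else { $null }
        [pscustomobject]@{
            User         = $UserPrincipalName
            Device       = $device.displayName
            App          = $app.displayName
            InstallState = $state
            LastSync     = $sync
        }
    }
}

# Usage: $token must hold an OAuth 2.0 bearer token for Microsoft Graph (token acquisition is not shown).
# Get-UserAppInstallState -UserPrincipalName 'user@contoso.com' -AppDisplayName 'Contoso Expenses' -AccessToken $token |
#     Format-Table -AutoSize
```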

Using Microsoft Graph Explorer

You could use the Microsoft Graph Explorer, which is a tool that lets you make requests and receive responses against the Microsoft Graph. Doing so should make it easier to find out how you would build your queries against Graph for Intune. You can find the Microsoft Graph Explorer at: Graph Explorer6. For examples of scripts used to access and manipulate data in Intune using Microsoft Graph, refer to the Graph API PowerShell-Intune-Sample script at: Microsoft Graph Powershell Intune Samples7.

Before you can use Microsoft Graph Explorer or run scripts against the Microsoft Graph API, you need to assign permissions in Azure AD to the user running the tool. Microsoft Graph controls access to resources using permission scopes. As a developer, you must specify the permission scopes you need to access Intune resources. Typically, you specify the permission scopes you need in the Azure AD portal. It is also possible to assign the required permission in Microsoft Graph Explorer if you are logged on as a Global Administrator. For more information, go to: Microsoft Graph permissions reference8.

6 https://developer.microsoft.com/en-us/graph/graph-explorer
7 https://github.com/microsoftgraph/powershell-intune-samples

Review Activity - Manage Intune device enrollment and inventory

REVIEW ACTIVITY – Intune Device Enrollment

Let's play a quick game to test your knowledge of Intune device enrollment. Click on the button below to open this review activity full screen.

LAUNCH ACTIVITY9

8 https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
9 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_2_deviceenrollmenttutorial.html


Module 2 Configuring Profiles

Configuring device profiles

Lesson Introduction

This lesson introduces you to Intune device profiles. You will learn about the various types of device profiles and also be introduced to managing PowerShell scripts in Intune for Windows 10 devices. You will examine custom device profiles and learn how to create, manage and monitor them for Windows, Android and iOS.

After this lesson, you should be able to:

● Describe the various types of device profiles in Intune

● Manage PowerShell scripts in Intune

● Explain the difference between built-in and custom profiles

● Create, manage and monitor profiles

What are Intune device profiles

Microsoft Intune includes settings and features that you can enable or disable on different devices within your organization. These settings and features are managed using profiles. Some profile examples include:

● A Wi-Fi profile that gives different devices access to your corporate Wi-Fi.

● A VPN profile that gives different devices access to your VPN server within your corporate network.


Types of device profiles

The following profiles are available in Intune at the time of this writing:

● Device features - iOS and macOS. Device features control features on iOS and macOS devices, such as AirPrint, notifications, and shared device configurations.

● Device restrictions. Device restrictions control security, hardware, data sharing, and more settings on the devices. For example, create a device restriction profile that prevents iOS device users from using the device camera.

● Endpoint protection. Endpoint protection settings for Windows 10 configure BitLocker and Windows Defender settings for Windows 10 devices.

● Identity protection. Identity protection controls the Windows Hello for Business experience on Windows 10 and Windows 10 Mobile devices. Configure these settings to make Windows Hello for Business available to users and devices, and to specify requirements for device PINs and gestures.

● Kiosk. The kiosk settings profile configures a device to run one app or run multiple apps. You can also customize other features on your kiosk, including a start menu and a web browser.

● Email. The email settings profile creates, assigns, and monitors Exchange ActiveSync email settings on the devices. Email profiles help ensure consistency, reduce support calls, and let end-users access company email on their personal devices, without any required setup on their part.

● VPN. VPN settings assign VPN profiles to users and devices in your organization, so they can easily and securely connect to the network. Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN connection profile to start a connection with your VPN server.

● Wi-Fi. Wi-Fi settings assign wireless network settings to users and devices. When you assign a Wi-Fi profile, users get access to your corporate Wi-Fi without having to configure it themselves.

● eSIM cellular - Public preview. eSIM cellular profiles provide the ability to configure cellular data plans on your managed devices for internet and data access. After getting activation codes from your mobile operator, you can use Intune to import these activation codes, and then assign to your eSIM capable devices.

● Education

  ● Education settings - Windows 10: configure options for the Windows Take a Test app. When you configure these options, no other apps can run on the device until the test is complete.

  ● Education settings – iOS: uses the iOS Classroom app to guide learning, and control student devices in the classroom. You can configure iPad devices so that multiple students can share a single device.

● Edition upgrade. Windows 10 edition upgrades automatically upgrade devices that run some versions of Windows 10 to a newer edition.


● Update policies. iOS update policies show you how to create and assign iOS policies to install software updates on your iOS devices. You can also review the installation status.

● Certificates. Certificates configure trusted, Simple Certificate Enrollment Protocol (SCEP), and Public Key Cryptography Standards (PKCS) certificates that can be assigned to devices, and used to authenticate Wi-Fi, VPN, and email profiles.

● Windows Information Protection profile. Windows Information Protection helps protect against data leakage without interfering with the employee experience. It also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees use at work. It does this without requiring changes to your environment or other apps.

● Custom profile. Custom settings include the ability to assign device settings that are not built into Intune. For example, on Android devices, you can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For iOS devices, you can import a configuration file you created in the Apple Configurator. Custom profiles will be explained in detail in a later topic.

Creating device profiles

1. In the Azure portal, select All Services, and search for Microsoft Intune.

2. In Microsoft Intune, select Device configuration, and select Profiles. Then select Create Profile.

3. Enter the following properties:

● Name: Enter a descriptive name for the new profile.

● Description: Enter a description for the profile. (This is optional but recommended.)

● Platform: Select the platform type:

  ● Android

  ● Android work profiles

  ● iOS

  ● macOS

  ● Windows Phone 8.1

  ● Windows 8.1 and later

  ● Windows 10 and later

● Profile type: Select the type you want to create.

● Settings: Lists all the profile types. The list depends on the platform you choose.

4. Select Create when finished.

5. The profile is created and appears in the list.

Manage PowerShell scripts in Intune for Windows 10 devices

The Intune management extension lets you upload PowerShell scripts in Intune to run on Windows 10 devices. The management extension supplements Windows 10 mobile device management (MDM) capabilities and makes it easier for you to move to modern management.

You can create PowerShell scripts to run on the Windows 10 devices that provide the capabilities you need. For example, you can create a PowerShell script that installs a legacy Win32 app on your Windows 10 devices, upload the script to Intune, assign the script to an Azure Active Directory (Azure AD) group, and run the script on Windows 10 devices. You can then monitor the run status of the script on Windows 10 devices from start to finish.

The Intune management extension has the following prerequisites:

● Devices must be joined to Azure AD. This does not include Hybrid AD joined devices.

● Devices must run Windows 10, version 1607 or later.

● Automatic MDM enrollment must be enabled in Azure AD, and devices must be auto-enrolled to Intune.

Create a PowerShell script policy

1. Sign in to the Azure portal.

2. Select All services, filter on Intune, and select Microsoft Intune.

3. Select Device configuration > PowerShell scripts > Add.

4. Enter a Name and Description for the PowerShell script. For Script location, browse to the PowerShell script. The script must be less than 200KB (ASCII) or 100KB (Unicode) in size.

5. Choose Configure. Then choose to run the script with either the user's credentials on the device (by selecting Yes), or in the system context (by selecting No). By default, the script runs in the system context. Select Yes unless the script is required to run in the system context.

6. Choose if the script must be signed by a trusted publisher. By default, there is no requirement for the script to be signed.

7. Select OK, and then Create to save the script.
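A pre-upload check for the two conditions in steps 4 and 6 above (the size limit, which depends on the script's encoding, and whether a trusted-publisher signature is present), written as an added PowerShell example that is not part of the course. The script path is a placeholder, UTF-16 detection by byte-order mark is an assumption, and a 'Valid' signature status reflects the certificate trust of the machine running the check, not of the target devices.

```powershell
# Added example: pre-flight check of a script before uploading it as an Intune PowerShell script policy.

function Test-IntuneScriptReady {
    param([Parameter(Mandatory)] [string] $Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Intune's limit is 100 KB for Unicode (UTF-16) scripts and 200 KB otherwise.
    # Assumption: UTF-16 is recognised by its byte-order mark (FF FE or FE FF).
    $isUtf16 = ($bytes.Length -ge 2) -and (
        ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
        ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))
    $limitBytes = if ($isUtf16) { 100KB } else { 200KB }
    $encoding   = if ($isUtf16) { 'Unicode (UTF-16)' } else { 'ASCII/UTF-8' }

    # Authenticode status. 'Valid' means the signature verifies and chains to a publisher
    # trusted on this machine; 'NotSigned' means there is no signature block at all.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Script               = Split-Path -Leaf $Path
        Encoding             = $encoding
        SizeKB               = [math]::Round($bytes.Length / 1KB, 1)
        WithinSizeLimit      = ($bytes.Length -le $limitBytes)
        SignatureStatus      = $sig.Status.ToString()
        Signer               = $signer
        ReadyForSignedPolicy = ($sig.Status -eq 'Valid')
    }
}

# Usage (the path is a placeholder):
# Test-IntuneScriptReady -Path 'C:\Scripts\Install-LegacyApp.ps1' | Format-List
```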

Creating a custom device profile

Intune may not have all the built-in settings you need or want. Or you may want to use a setting available in other device profiles. To add these settings, create a device profile, and configure the profile with custom device settings. If you're looking for a specific setting, remember that the Windows 10 device restriction profile contains many settings that are built into Intune, and don't require custom values. Furthermore, new functionality is added to Intune frequently so you should always check to see if the setting you need is available as a native Intune setting.

For more information, refer to What’s new in Microsoft Intune1.

Custom settings on different platforms

Custom settings are configured differently for each platform. For example, to control features on Android and Windows devices, you can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For Apple devices, you can import a file you created with the Apple Configurator.

Creating a custom profile

1. Sign in to the Azure portal.

1 https://docs.microsoft.com/en-us/intune/whats-new


2. Select All services, filter on Intune, and select Microsoft Intune.

3. Select Device configuration, select Profiles, and then choose Create profile.

4. Enter a Name and Description for the custom profile.

5. From the Platform drop-down list, select the device platform to apply the custom settings.

6. Depending on the platform you choose, the settings you can configure are different. The following links provide more details on the custom settings for each platform:

Android settings2

iOS settings3

macOS settings4

Windows Phone 8.1 settings5

Windows 10 settings6

Windows Holographic for Business settings7

Android work profile settings8

7. When you're done, select Create.

The profile is created and appears on the profiles list.

Creating a custom profile for Windows 10 devices

Use the Microsoft Intune custom profile for Windows 10 and Windows 10 Mobile to deploy OMA-URI settings. These settings are used to control features on devices. Windows 10 makes many Configuration Service Provider (CSP) settings available, such as Policy CSP.

1. Create a new configuration profile using the steps in Creating a custom profile above.

2. In Custom OMA-URI Settings, select Add to create a new setting. You can also click Export to create a list of all the values you configured in a comma-separated values (.csv) file.

2 https://docs.microsoft.com/en-us/intune/custom-settings-android
3 https://docs.microsoft.com/en-us/intune/custom-settings-ios
4 https://docs.microsoft.com/en-us/intune/custom-settings-macos
5 https://docs.microsoft.com/en-us/intune/custom-settings-windows-phone-8-1
6 https://docs.microsoft.com/en-us/intune/custom-settings-windows-10
7 https://docs.microsoft.com/en-us/intune/custom-settings-windows-holographic
8 https://docs.microsoft.com/en-us/intune/custom-settings-android-for-work


3. For each OMA-URI setting you want to add, enter the following information:

● Name: Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.

● Description: Optionally, enter a description for the setting.

● OMA-URI (case sensitive): Enter the OMA-URI for which you want to supply a setting.

● Data type: Choose from:

  ● String

  ● String (XML)

  ● Date and time

  ● Integer

  ● Floating point

  ● Boolean

  ● Base64

● Value: Enter the value or file to associate with the OMA-URI you entered.

4. When you're done, select OK. In Create profile, select Create. The profile is created, and is shown in the profiles list.

Example

In the following example, the Connectivity/AllowVPNOverCellular setting is enabled. This setting allows a Windows 10 device to open a VPN connection when on a cellular network.
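The same custom OMA-URI profile created through the Microsoft Graph API instead of the portal, with the portal's Data type choices mapped to their Graph setting types. This is an added PowerShell example, not from the course; it assumes an access token in $token carrying the DeviceManagementConfiguration.ReadWrite.All permission, and uses the Policy CSP path for Connectivity/AllowVPNOverCellular as documented in the Configuration service provider reference (confirm it there before deploying).

```powershell
# Added example: build and create a Windows 10 custom profile (OMA-URI settings) via Graph.

# The portal's Data type choices and the Graph omaSetting types they correspond to.
$OmaSettingTypes = @{
    'String'         = '#microsoft.graph.omaSettingString'
    'String (XML)'   = '#microsoft.graph.omaSettingStringXml'
    'Date and time'  = '#microsoft.graph.omaSettingDateTime'
    'Integer'        = '#microsoft.graph.omaSettingInteger'
    'Floating point' = '#microsoft.graph.omaSettingFloatingPoint'
    'Boolean'        = '#microsoft.graph.omaSettingBoolean'
    'Base64'         = '#microsoft.graph.omaSettingBase64'
}

function New-OmaSetting {
    # One row of the Custom OMA-URI Settings table: Name, Description, OMA-URI, Data type, Value.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OmaUri,
        [Parameter(Mandatory)]
        [ValidateSet('String','String (XML)','Date and time','Integer','Floating point','Boolean','Base64')]
        [string] $DataType,
        [Parameter(Mandatory)] $Value,
        [string] $Description = ''
    )
    @{
        '@odata.type' = $OmaSettingTypes[$DataType]
        displayName   = $Name
        description   = $Description
        omaUri        = $OmaUri      # case sensitive, as the portal warns
        value         = $Value
    }
}

function New-Windows10CustomProfile {
    # POST the profile; creation is recorded in the Intune audit log like a portal change.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description = '',
        [Parameter(Mandatory)] [hashtable[]] $OmaSettings,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = $Description
        omaSettings   = $OmaSettings
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' -Body $body
}

# The course's example: enable Connectivity/AllowVPNOverCellular (Policy CSP; Integer; 1 = allowed).
$setting = New-OmaSetting -Name 'Allow VPN over cellular' -DataType 'Integer' -Value 1 `
    -Description 'Permit VPN connections while on a cellular network' `
    -OmaUri './Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular'

# Usage ($token must hold a Graph bearer token; acquisition is not shown):
# New-Windows10CustomProfile -Name 'Custom - VPN over cellular' -OmaSettings @($setting) -AccessToken $token
```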

Find the policies you can configure

For a complete list of all CSPs that Windows 10 supports, refer to Configuration service provider reference9.

Not all settings are compatible with all Windows 10 versions. The configuration service provider reference tells you which versions are supported for each CSP. Additionally, Intune doesn't support all the settings listed. To find out if Intune supports the setting you want, open the article for that setting. Each setting page shows its supported operations. To work with Intune, the setting must support the Add or Replace operations.

9 https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference

Creating a custom profile for Android devices

Custom profiles use OMA-URI settings to configure different features on Android devices. These settings are typically used by mobile device manufacturers to control features on the device.

Using a custom profile, you can configure and assign the following Android settings. These settings aren't built into the Intune policies:

● Create a Wi-Fi profile with a pre-shared key

  ● For more information about how to create this profile, refer to Use a custom device profile to create a WiFi profile with a pre-shared key – Intune10.

● Create a per-app VPN profile

  ● For more information about how to create this profile, refer to Use a Microsoft Intune custom profile to create a per-app VPN profile for Android devices11.

● Allow and block apps for Samsung Knox Standard devices

  ● For more information about how to create this profile, refer to Use custom policies in Microsoft Intune to allow and block apps for Samsung Knox Standard devices12.

Only the settings listed can be configured by this profile type. Android devices don't expose a complete list of OMA-URI settings you can configure.

1. Create a custom profile for the Android platform using the steps in Creating a custom profile above.

2. In Custom OMA-URI Settings, select Add, and then select Add Row.

3. Enter the following properties:

● Name: Enter a unique name for the OMA-URI setting so you can easily find it.

● Description: Enter a description that gives an overview of the setting, and any other important details.

● Data type: Enter the data type you use for this OMA-URI setting. Choose from String, String (XML), Date and time, Integer, Floating point, or Boolean.

● OMA-URI: Enter the OMA-URI you want.

● Value: Enter the value you want to associate with the OMA-URI you entered.

4. Select OK to save your changes. Continue to add more settings as needed.

10 https://docs.microsoft.com/en-us/intune/wi-fi-profile-shared-key
11 https://docs.microsoft.com/en-us/intune/android-pulse-secure-per-app-vpn
12 https://docs.microsoft.com/en-us/intune/samsung-knox-apps-allow-block


When you complete the settings, the profile is created, and appears in the list.

Creating a custom profile for iOS devices

Use the Microsoft Intune iOS custom profile to assign settings that you created by using the Apple Configurator tool to iOS devices. This tool lets you create many settings that control the operation of these devices and export them to a configuration profile. You can then import this configuration profile into an Intune iOS custom profile and assign the settings to users and devices in your organization.

This capability allows you to assign iOS settings that are not configurable with other Intune profile types.

1. Use the instructions in Creating a custom profile above.

2. On the Custom Configuration Profile pane, configure each of the following settings:

● Custom configuration profile name: Provide a name for the policy as displayed on the device, and in Intune status.

● Configuration profile file: Browse to the configuration profile that you created by using the Apple Configurator. Ensure that the settings you export from the Apple Configurator tool are compatible with the version of iOS on the devices to which you assign the iOS custom policy. For information about how incompatible settings are resolved, search for Configuration Profile Reference and Mobile Device Management Protocol Reference on the Apple Developer website.

The file you import is displayed in the File contents area of the pane.

Assigning and monitoring device profiles

After you create a profile, you can assign the profile to the following Azure AD groups:

● Selected Groups

● All Users & All Devices

● All Devices

● All Users


Assign a device profile

1. In the Azure portal, select All Services, and search for Microsoft Intune.

2. In Microsoft Intune, select Device configuration, and select Profiles.

3. In the list of profiles, select the profile you want to assign, and then select Assignments.

4. Choose to Include groups or Exclude groups, and then select the applicable groups.

5. When you select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the CTRL key.

6. When you are done, select Save.

Exclude groups from a profile assignment

Intune device configuration profiles let you exclude groups from policy assignment. For example, you can assign a device profile to the All sales users group, but exclude any members of the Sales Managers group.

When you exclude groups from an assignment, exclude only user groups or only device groups, not a mixture of the two. Intune doesn't consider any user-to-device relationship, so including user groups while excluding device groups might not create the results you expect. When mixed groups are used, or if there are other conflicts, inclusion takes precedence over exclusion.

For example, you want to assign a device profile to all devices in your organization, except kiosk devices. You include the All Users group, but exclude the All Devices group. In this case, all your users and their devices get the policy, even if the user’s device is part of the All Devices group.

Exclusion only looks at the direct members of the groups, and doesn't include devices that are associated with a user. However, devices that don't have a user don't get the policy. This occurs because those devices have no relationship to the All Users group.

If you include All Devices, and exclude All Users, then all the devices receive the policy. In this scenario, the intent is to exclude devices that have an associated user from this policy. However, it doesn't exclude the devices because the exclusion only compares direct group members.

Monitor device profiles in Microsoft Intune

Intune includes some features in the Azure portal to help monitor and manage your device configuration profiles. For example, you can check the status of a profile, see which devices are assigned, and update the properties of a profile.

View existing profiles

1. Sign in to the Azure portal.

2. Select All services, filter on Intune, and select Microsoft Intune.

3. Select Device configuration > Profiles.


All your existing profiles are listed, which includes details such as the platform, and shows if the profile is assigned to any devices.

View details on a profile

After you create your device profile, Intune provides graphical charts. These charts display the status of a profile, such as it being successfully assigned to devices, or if the profile shows a conflict.

1. Select an existing profile. For example, select Windows 10 profile.

2. Select the Overview tab.

The top graphical chart shows the number of devices assigned to the specific device profile. For example, if the configuration device profile applies to Windows 10 and later devices, the chart lists the count of the Windows 10 and later devices.

It also shows the number of devices for other platforms that are assigned the same device profile. For example, it shows the count of the non-Windows 10 and later devices.

The bottom graphical chart shows the number of users assigned to the specific device profile. For example, if the configuration device profile applies to Windows 10 and later users, the chart lists the count of the Windows 10 and later users.

3. Select the circle in the top graphical chart. The Device status opens.

4. The devices assigned to the profile are listed, and it shows if the profile is successfully deployed. Also note that it only lists the devices with the specific platform (for example, Windows 10 and later devices).

5. Close the Device status details.

6. Select the circle in the bottom graphical chart. The User status opens.

7. The users assigned to the profile are listed, and it shows if the profile is successfully deployed. Also note that it only lists the users with the specific platform (for example, Windows 10 and later devices).

8. Close the User status details.

9. Back in the Profiles list, select a specific profile. You can also change existing properties:

● Properties: Change the name or update any existing settings.

● Assignments: Include or exclude the devices that the policy should apply to. Choose Selected Groups to choose specific groups.

● Device status: The devices assigned to the profile are listed, and it shows if the profile is successfully deployed. You can select a specific device to get even more details, including the installed apps.

● User status: Lists the user names with devices impacted by this profile, and if the profile successfully deployed. You can select a specific user to get even more details.

● Per-setting status: Filters the output by showing the individual settings within the profile and shows if the setting is successfully applied.

View conflicts

In Devices > All devices, you can see any settings that are causing a conflict. When there's a conflict, you are also shown all the configuration profiles that contain this setting. Administrators can use this feature to help troubleshoot, and fix any discrepancies with the profiles.

1. In Intune, select Devices > All Devices > select an existing device in the list. An end user can get the device name from their Company Portal app.

2. Select Device configuration. All configuration policies that apply to the device are listed.

3. Select the policy. It shows you all the settings in that policy that apply to the device. If a device has a Conflict state, select that row. In the new window, you see all the profiles, and the profile names that have the setting causing the conflict.

Now that you know the conflicting setting, and the policies that include that setting, it should be easier to resolve the conflict.

Review Activity - Configuring profiles

REVIEW ACTIVITY – Configure Intune Profiles

Let's play a quick game to test your knowledge of configuring Intune profiles. Click on the button below to open this review activity full screen.

LAUNCH ACTIVITY [13]

13 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_1_configuringprofilestutorial.html

Managing user profiles

Lesson Introduction

In this lesson, you will be introduced to the various user profile types that exist in Windows for on-premises devices. You will learn about the benefits of each profile type and how to switch between them. You will examine how Folder Redirection works and how to set it up. The lesson concludes with an overview of Enterprise State Roaming and how to configure it for Azure AD devices.

After this lesson, you should be able to:

● Explain the various user profile types that exist in Windows.

● Describe how a user profile works.

● Configure user profiles to conserve space.

● Explain how to deploy and configure Folder Redirection.

● Explain what Enterprise State Roaming is.

● Configure Enterprise State Roaming for Azure AD devices.

User Profile Types

The Windows 10 operating system requires each user to have a user profile. User profiles are created during a user’s first sign-in, and they are stored in the Users folder. A new user profile is created from the content of the Default profile in the Users folder. The three types of user profiles, together with the temporary profile that Windows issues when a profile cannot be loaded, are:

● Local. This type is available on a single computer only.

● Roaming. This type can roam between computers that are domain members.

● Mandatory. This is a special type of preconfigured user profile that does not store user changes between sign-ins.

● Temporary User Profiles. A temporary profile is issued each time that an error condition prevents the user's profile from loading.

Local user profiles

When a user signs in for the first time, the Windows operating system automatically creates a local user profile for all subsequent sign-ins to the same computer. A local user profile is used only when a user signs in to the computer where the profile was created, and it’s useful when a user is using a single computer. If a user roams between multiple computers, then by default, separate local user profiles will be created on each computer. This means that modifications and documents that a user creates on one computer will not be available on other computers. Therefore, administrators should avoid local profiles if users sign in to multiple devices.

Roaming user profiles

In a domain environment, administrators can configure a user with a roaming user profile by configuring his or her profile path. With roaming user profiles, user settings and data are stored on a network location and locally on the computer where a user signs in. When a user signs in, the local copy of the user profile is compared to the copy that is stored on the network location, and only newer files are copied locally. The user can change settings and create data files, which are stored in the local user profile copy. These changes copy to the network location when the user signs out. If users roam between multiple computers, their documents and settings follow them.

If a user profile contains a lot of data, or if a user stores large files on the desktop, then signing in to the computer might take a long time. If a user signs in to multiple computers at the same time, changes performed on one computer override changes performed on a second computer, because user profile changes copy to the network location only when the user signs out. Some parts of a user profile, such as Temporary Internet Files or AppData\Local, never copy to the network location even when roaming user profiles are used. You should also be aware that roaming user profiles are incompatible between different versions of Windows operating systems.

Mandatory user profiles

A mandatory user profile is a type of roaming user profile that administrators can configure. With mandatory user profiles, user changes are stored in the local copy of a user profile but are not preserved after a user signs out from the computer. When the user signs in again, the mandatory user profile downloads from the network location, and it overrides the local user profile copy. The two types of mandatory user profiles are normal mandatory profiles and super-mandatory profiles. Administrators can configure users with mandatory user profiles first by configuring them with roaming user profiles and then by renaming the Ntuser.dat file in their profiles to Ntuser.man. The .man extension causes user modifications to the profile to be discarded at the next sign-in and user profiles to behave as read-only.

Super-mandatory user profiles

User profiles become super-mandatory when an administrator adds the .man extension to a user’s roaming user profile folder name. For example, if a roaming user profile is stored in the \\Server\Profiles\User1.V5 folder, the administrator can add the .man extension to the folder and store the roaming user profile at \\Server\Profiles\User1.man.V5. Mandatory and super-mandatory user profiles behave similarly; neither preserves user modifications. If users are configured with a super-mandatory profile, they will not be able to sign in if the network copy of their profile is not available. In such cases, they will see a message that the User Profile Service failed the sign-in and that the user profile cannot be loaded. In the same situation, users with a normal mandatory profile would still be able to sign in, and they would get temporary profiles, which might be against organizational policy.

Note: If a user named User1 is configured with the \\Server\Profiles\User1 profile path location, Windows 10 automatically adds the .V5 extension to the roaming user profile folder. In this case, it creates a folder named User1.V5 in the \\Server\Profiles share.

Temporary User Profiles

A temporary profile is issued each time that an error condition prevents the user's profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.

Profile extension for each Windows version

The name of the folder in which you store the profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.

| Client operating system version | Server operating system version | Profile extension |
|---|---|---|
| Windows XP | Windows Server 2003, Windows Server 2003 R2 | none |
| Windows Vista, Windows 7 | Windows Server 2008, Windows Server 2008 R2 | V2 |
| Windows 8 | Windows Server 2012 | V3 |
| Windows 8.1 | Windows Server 2012 R2 | V4 |
| Windows 10, version 1507 and 1511 | N/A | V5 |
| Windows 10, version 1607, 1703, 1709, 1803 and 1809 | Windows Server 2016 | V6 |
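The naming rules from the mandatory and super-mandatory profile sections above, together with the version extensions in the table, can be checked from a script rather than by eye. The following PowerShell is an added example written for this lesson; it is not part of the course or of Windows. It builds the folder name Windows expects for a user's roaming profile and classifies each profile folder found on a share by looking for a .man suffix on the folder name and for an Ntuser.man hive inside it. The share layout it creates under a temp folder and the user names User1, Kiosk1 and Lab1 are constructed for the demonstration.

```powershell
# Added example (not from the course): audit a roaming-profile share and report
# each profile folder's kind (roaming, mandatory, or super-mandatory).

function Get-ProfileFolderName {
    # Builds the on-share folder name Windows creates for a user's roaming profile.
    # $Extension is the version extension from the table above ('V5', 'V6', or '' for none).
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Extension = 'V6',
        [switch] $SuperMandatory
    )
    $name = $UserName
    if ($SuperMandatory) { $name += '.man' }   # .man on the folder => super-mandatory
    if ($Extension)      { $name += ".$Extension" }
    return $name
}

function Get-RoamingProfileKind {
    # Classifies one profile folder on the share:
    #   super-mandatory : folder name carries the .man extension
    #   mandatory       : registry hive is Ntuser.man instead of Ntuser.dat
    #   roaming         : Ntuser.dat present, no .man anywhere
    #   unknown         : no hive found (never populated, or not a profile folder)
    param([Parameter(Mandatory)] [string] $Path)

    $leaf = Split-Path -Path $Path -Leaf
    # Strip the version extension (.V2 .. .V6) so a .man suffix becomes visible.
    $base         = $leaf -replace '\.V\d+$', ''
    $hasManFolder = $base -like '*.man'
    $userName     = $base -replace '\.man$', ''

    $hive = 'none'
    if     (Test-Path -LiteralPath (Join-Path $Path 'Ntuser.man')) { $hive = 'Ntuser.man' }
    elseif (Test-Path -LiteralPath (Join-Path $Path 'Ntuser.dat')) { $hive = 'Ntuser.dat' }

    $kind = if ($hasManFolder)           { 'super-mandatory' }
            elseif ($hive -eq 'Ntuser.man') { 'mandatory' }
            elseif ($hive -eq 'Ntuser.dat') { 'roaming' }
            else                            { 'unknown' }

    # Super-mandatory users cannot sign in at all when the share is unreachable;
    # mandatory users fall back to a temporary profile instead.
    $offline = if ($kind -eq 'super-mandatory') { 'sign-in blocked' } else { 'temporary profile' }

    [pscustomobject]@{
        UserName             = $userName
        Folder               = $leaf
        Hive                 = $hive
        Kind                 = $kind
        IfShareUnavailable   = $offline
    }
}

# --- Demonstration on a constructed share layout in a temp folder ---
$share = Join-Path ([IO.Path]::GetTempPath()) 'ProfilesDemo'
New-Item -ItemType Directory -Path $share -Force | Out-Null

# Three constructed profiles: a normal roaming, a mandatory, and a super-mandatory one.
$layout = @{
    (Get-ProfileFolderName -UserName 'User1'  -Extension 'V6')                 = 'Ntuser.dat'
    (Get-ProfileFolderName -UserName 'Kiosk1' -Extension 'V6')                 = 'Ntuser.man'
    (Get-ProfileFolderName -UserName 'Lab1'   -Extension 'V6' -SuperMandatory) = 'Ntuser.man'
}
foreach ($folder in $layout.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $share $folder) -Force
    New-Item -ItemType File -Path (Join-Path $dir.FullName $layout[$folder]) -Force | Out-Null
}

Get-ChildItem -Path $share -Directory |
    ForEach-Object { Get-RoamingProfileKind -Path $_.FullName } |
    Format-Table UserName, Folder, Hive, Kind, IfShareUnavailable -AutoSize

Remove-Item -Path $share -Recurse -Force
```

Pointing Get-ChildItem at a real profile share instead of the temp folder gives the same report for production profiles; the IfShareUnavailable column is the one to review before deciding between mandatory and super-mandatory profiles, because it shows which users lose the ability to sign in when the file server is down.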

A user profile consists of the following elements:

● A registry hive. The registry hive is the file NTuser.dat. The hive is loaded by the system at user logon, and it’s mapped to the HKEY_CURRENT_USER registry key. The user's registry hive maintains the user's registry-based preferences and configuration.

● A set of profile folders stored in the file system. User-profile files are stored in the Profiles directory, on a folder per-user basis. The user-profile folder is a container for applications and other system components to populate with sub-folders, and per-user data such as documents and configuration files. Windows Explorer uses the user-profile folders extensively for such items as the user's Desktop, Start menu and Documents folder.

User profiles provide the following advantages:

● When the user logs on to a computer, the system uses the same settings that were in use when the user last logged off.

● When sharing a computer with other users, each user receives their customized desktop after logging on.

● Settings in the user profile are unique to each user. The settings cannot be accessed by other users. Changes made to one user's profile do not affect other users or other users' profiles.

How does a user profile maintain user state?

In Windows 10, a user profile contains a user state. A user profile is a set of files and folders. It is personal to each user who has signed in to the computer, and it’s stored in the Users folder. Windows 10 requires each user who signs in to have a user profile. The Windows operating system creates a user profile when a user signs in for the first time. The initial user profile is based on the default user profile and is used for all subsequent sign-ins. User profiles contain details about the user environment, such as Start menu settings, desktop settings, user documents, and the user hive of the registry. By default, a user profile is stored on the same drive as the Windows operating system, in the C:\Users folder. The user profile is used only when a user signs in to the same computer, but you can change the user profile type if you want to use it from multiple computers.

Elements in a user profile

A user profile contains the following elements:

● A user part of the registry. User profiles contain the Ntuser.dat file, which is the user part of the registry. When a user signs in, the system loads this file and maps it to the HKEY_CURRENT_USER registry subtree. Ntuser.dat contains user settings, such as desktop background and screen saver.

● A set of folders. For each user who signs in, the Windows operating system creates a separate subfolder with his or her name in the Users folder. This folder is a container for user settings, application settings, and user data. Content is organized in various subfolders such as AppData, Desktop, Downloads, and Documents.

The Windows 10 operating system stores all user settings modifications in a user profile, either in Ntuser.dat if changes are written to the registry, or in one of the configuration files. Applications should also store all of their settings in a user profile—for example, if a user modifies the font size in Notepad or the default file format in Word 2013, that setting is stored in the user’s profile. Other users who sign in to the same Windows 10 computer can have different settings for the same applications, which are stored in their own user profiles.

The same is true for data. Many applications, such as Microsoft Word 2016, store user data in the Documents folder by default, which is a folder inside of the user profile. Users can change this location and store their data in any other folder to which they have Write permissions. However, by default, user data is stored in the individual user profile. User profiles are stored on the same volume where the operating system is installed, in the C:\Users folder. Although you can move this folder to a different volume, you should not do that in a production environment.

Options for minimizing user profile size

Because user profiles contain user state and users can modify their state, users must have Write permissions to their user profiles. As long as users have Write permissions, they can write as much data as they want if there is available free disk space, unless an administrator limits them. Because user profiles contain user data and user data can increase rapidly—for example, if users store large graphic or multimedia files in their Documents folder, which is in their profile—an administrator often limits the space for storing user profiles.

Administrators can do this in several ways:

● Use quotas to limit the space that is available to a user on a volume or on a shared folder where the roaming user profile is stored.

● Redirect folders that typically contain large user files and are stored in the user profile by default, for example, the Documents folder, outside of the user profile.

● Use the Group Policy setting to limit user profile sizes. You can limit the size of local or roaming user profiles by configuring settings in the user part of Group Policy.

Using quotas

An option to limit user profile sizes is to use quotas. You can use the same approach to limit the disk space that a user consumes in general, and it applies to limiting user profile sizes. You can set a disk quota on a local Windows 10 volume by using volume properties. By using File Server Resource Manager in Windows Server 2016, you can set a quota on a shared folder on the file server where roaming user profiles or redirected folders are stored. If you set a disk quota on a local volume, users will not be able to write additional data when they reach their disk quota. If a quota is set on a shared folder, the local copy of a roaming user profile will not synchronize with the network share, and changes to the user profile will not copy to the file server until the user deletes some data and the local copy of the roaming user profile is smaller than the quota limit. In such cases, users will see a message during sign-out that their roaming user profiles did not completely synchronize, and an entry will be added to Event Viewer.

Redirecting folders out of user profiles

You can make user profiles smaller by redirecting folders that typically consume a lot of space out of the user profiles. When you do that, the redirected folders are available from any computer in AD DS even if the user is configured with a local user profile. You can configure Folder Redirection by using Group Policy, and several settings are available for each redirected folder. Even if you use Folder Redirection, you can also use quotas to limit the size of redirected folders.

Using Group Policy to limit user profile sizes

You can limit local or roaming user profile sizes by enabling the Limit profile size setting in the user part of Group Policy. When you enable this setting, you can configure the maximum profile size and a custom message that users see periodically when their profiles exceed the allowed size. You can limit profile size to up to 30,000,000 kilobytes (KB). With local user profiles, users can be periodically reminded that their user profile exceeds the allowed size, but they can still write data to their profiles and sign out. If users are configured with roaming user profiles, they can also sign out, but changes to the local copy of the roaming user profile will not synchronize with the network share. This means that changes to their local copy of the user profile will not copy to the file server until the users delete some data and their local copy of the roaming user profile is smaller than the maximum profile size that is configured in Group Policy.

Users can have smaller user profiles if they store data files outside of their user profiles, for example, in a dedicated shared folder or in the home folder.
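Because an over-limit roaming profile silently stops synchronizing at sign-out, it helps to be able to compare a profile's size with the configured limit before users report missing files. The following PowerShell is an added example written for this lesson, not part of the course or of Windows. It assumes that the Limit profile size policy stores its values under HKCU:\Software\Policies\Microsoft\Windows\System as EnableProfileQuota, MaxProfileSize (in KB) and IncludeRegInQuota, which are the value names defined by the System.admx template rather than anything the course text states. Excluding AppData\Local and AppData\LocalLow from the count is a simplification that mirrors the non-roaming parts mentioned earlier in the lesson, not the exact accounting Windows performs.

```powershell
# Added example (not from the course): compare the current user's profile size
# with the "Limit profile size" Group Policy setting.

function Get-ProfileQuotaPolicy {
    # Reads the policy values (assumed names from System.admx; see lead-in).
    # Returns $null when the policy is not enabled for this user.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    if (-not $p.EnableProfileQuota) { return $null }
    [pscustomobject]@{
        MaxProfileSizeKB = [int64]$p.MaxProfileSize
        IncludeRegistry  = [bool]$p.IncludeRegInQuota
    }
}

function Measure-ProfileSize {
    # Sums file sizes under a profile root in KB. Folders that never roam are
    # excluded so the figure approximates what would synchronize to the share.
    param(
        [string]   $ProfileRoot = $env:USERPROFILE,
        [string[]] $ExcludeRelative = @('AppData\Local', 'AppData\LocalLow'),
        [bool]     $IncludeRegistryHive = $false
    )
    $cmp = [StringComparison]::OrdinalIgnoreCase
    $excludePrefixes = foreach ($rel in $ExcludeRelative) {
        (Join-Path $ProfileRoot $rel).TrimEnd('\') + '\'
    }
    $bytes = 0L
    $files = Get-ChildItem -LiteralPath $ProfileRoot -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $skip = $false
        foreach ($prefix in $excludePrefixes) {
            if ($f.FullName.StartsWith($prefix, $cmp)) { $skip = $true; break }
        }
        # Ntuser.dat only counts when the policy's "include registry" option is set.
        if (-not $IncludeRegistryHive -and $f.Name -ieq 'ntuser.dat') { $skip = $true }
        if (-not $skip) { $bytes += $f.Length }
    }
    return [int64][math]::Ceiling($bytes / 1KB)   # the policy limit is expressed in KB
}

function Test-ProfileWithinQuota {
    param([string] $ProfileRoot = $env:USERPROFILE)
    $policy  = Get-ProfileQuotaPolicy
    $inclReg = [bool]($policy -and $policy.IncludeRegistry)
    $sizeKB  = Measure-ProfileSize -ProfileRoot $ProfileRoot -IncludeRegistryHive $inclReg

    $limitKB = if ($policy) { $policy.MaxProfileSizeKB } else { $null }
    $status  = if (-not $policy)                        { 'no limit configured' }
               elseif ($sizeKB -gt $policy.MaxProfileSizeKB) { 'OVER LIMIT: roaming changes will not sync at sign-out' }
               else                                     { 'within limit' }

    [pscustomobject]@{
        ProfileRoot      = $ProfileRoot
        ProfileSizeKB    = $sizeKB
        MaxProfileSizeKB = $limitKB
        Status           = $status
    }
}

Test-ProfileWithinQuota | Format-List
```

Run it in the user's own session (the policy lives under HKCU, so it reflects that user's resultant policy); an OVER LIMIT result explains a roaming profile that appears to lose changes between computers without any error at sign-in.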

Deploying and configuring Folder Redirection

Folder Redirection is a Group Policy setting that is most often used for configuring user profiles. Administrators can use Folder Redirection to redirect individual folders from a user profile to a new location. For example, an administrator can redirect the Documents folder from a local or roaming user profile to a separate network location. Redirected folder content is available from any computer on a network, and it does not copy to the computer on which a user signs in, as with roaming user profiles. Folder Redirection also provides users with access to the same data from multiple domain computers without copying data locally, as is the case with roaming user profiles. You can configure Folder Redirection by modifying Policies\Windows Settings\Folder Redirection settings in the User Configuration part of Group Policy.

Redirected folders are stored on a network share only, and users access them transparently in the same way as when they are stored in a local user profile. The Offline Files feature, which is enabled by default when redirected folders are used, provides users with access to content in redirected folders even without network connectivity.

Administrators configure Folder Redirection by using user settings in Group Policy, and by doing so, can redirect individual folders in a user profile. In Windows 10, an administrator can redirect 13 folders in user profiles, including Desktop, Start Menu, and Documents. Administrators can redirect predefined folders and folders in a user profile only. For each user with redirected folders, Windows 10 creates a new subfolder with the user’s sign-in name, and folders can be redirected to the same location or to a different location based on user group membership.

When you configure Folder Redirection, you can also configure what happens if the Folder Redirection policy no longer applies. The options are to leave the redirected content on the network location or to move the content back to its original location in the user’s profile. Folder Redirection can redirect many parts of a user profile, but settings that are stored in Ntuser.dat cannot be redirected. Because of this, some administrators use roaming user profiles together with Folder Redirection.

Folder Redirection provides several advantages:

● Redirected folder content is available from any computer in the domain.

● Redirected folder content does not copy to local computers, which minimizes network traffic during user sign-in.

● Administrators can set quotas (limiting disk space) and permissions on redirected folders. By doing so, administrators can control how much space a user can utilize and whether the user can modify contents of that part of the folder—for example, Desktop.

● Redirected folders are stored on network locations (network shares) and not on local computers. If a local hard drive fails, users can still access data in redirected folders from a different computer.

● Redirected folder content can be backed up centrally because it is not stored locally on user computers. If Shadow Copies for Shared Folders is configured on a network location, users can access previous versions of their redirected files.

For more about Folder Redirection, refer to Folder Redirection Overview [14].

Overview of Folder Redirection deployment

The following steps give you an overview of how to configure and test Folder Redirection. These steps contain mock details for the purposes of demonstration. You can change the details to fit your organization’s environment.

1. On a client, verify that the location of the user’s Desktop folder is C:\Users\username.

2. Verify that the location of the user’s Documents folder is C:\Users\username.

3. Create a Group Policy that redirects the Documents folder for the user to a network folder.

4. Verify that the network folder is empty.

5. On the client, run gpupdate /force, and then sign out.

6. Sign in to the client as a user that will be affected by the Group Policy.

7. On the client, verify that the location of user’s Desktop folder is still C:\Users\username, as you did not redirect it.

8. Verify that the location of user’s Documents folder is now redirected to the network folder.

9. In Notepad, create a file named Demo Document in which you type your name, and then save it in the Documents folder.

10. Verify that the network folder is no longer empty and that it has a subfolder named username.

11. Sign in to another client as the same user.

12. On the other client, verify that the location of user’s Desktop folder is still C:\Users\username, as you did not redirect it.

13. Verify that the location of the user’s Documents folder is the network folder.

14. View the content of the Demo Document file, and then verify that it has the same content that you typed on the first client.

For a detailed description on how to configure and deploy Folder Redirection, refer to Deploy Folder Redirection with Offline Files.
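The verification steps above (1, 2, 4, 7, 8, 10 and 13) can be scripted so that the same checks run identically on both clients. The following PowerShell is an added example written for this lesson; it is not part of the course or of the Folder Redirection feature. It relies on the fact that Windows records the current location of each profile folder under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, where the value named Personal holds the Documents path and Desktop holds the Desktop path. The share path \\FileServer\RedirectedFolders and the user name are constructed placeholders; the per-user subfolder layout (<share>\<username>\Documents) is the default created by the policy when it makes a folder for each user.

```powershell
# Added example (not from the course): verify the Folder Redirection outcome
# described in the deployment steps, before and after the policy applies.

function Get-KnownFolderPath {
    # Returns the expanded current path of a profile folder from User Shell Folders.
    param([Parameter(Mandatory)] [ValidateSet('Personal', 'Desktop')] [string] $Name)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw = (Get-ItemProperty -Path $key -Name $Name).$Name
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Test-FolderRedirection {
    # -BeforeRedirection checks the starting state (steps 1, 2 and 4);
    # without it, checks the redirected state (steps 7, 8, 10 and 13).
    param(
        [Parameter(Mandatory)] [string] $NetworkFolder,
        [string] $UserName = $env:USERNAME,
        [switch] $BeforeRedirection
    )
    $cmp        = [StringComparison]::OrdinalIgnoreCase
    $documents  = Get-KnownFolderPath -Name 'Personal'
    $desktop    = Get-KnownFolderPath -Name 'Desktop'
    $userFolder = Join-Path $NetworkFolder $UserName

    $checks = [ordered]@{}
    # Desktop is not redirected by this policy, so it must stay under the local profile in both phases.
    $checks['Desktop still under the local profile'] = $desktop.StartsWith($env:USERPROFILE, $cmp)

    if ($BeforeRedirection) {
        $checks['Documents still under the local profile'] = $documents.StartsWith($env:USERPROFILE, $cmp)
        $shareReachable = Test-Path -LiteralPath $NetworkFolder
        $shareEmpty     = -not (Get-ChildItem -LiteralPath $NetworkFolder -Force -ErrorAction SilentlyContinue)
        $checks['Network folder is reachable and empty'] = $shareReachable -and $shareEmpty
    } else {
        $checks['Documents redirected under <share>\<username>'] = $documents.StartsWith($userFolder, $cmp)
        $checks['Per-user subfolder exists on the share']        = Test-Path -LiteralPath $userFolder
        $demo = Get-ChildItem -LiteralPath $documents -Filter 'Demo Document*' -File -ErrorAction SilentlyContinue
        $checks['Demo Document present in redirected Documents'] = [bool]$demo
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $name; Result = $status; Documents = $documents; Desktop = $desktop }
    }
}

# Constructed share path. Run the first line before the policy is applied,
# the second after gpupdate /force and a fresh sign-in, on each client.
Test-FolderRedirection -NetworkFolder '\\FileServer\RedirectedFolders' -BeforeRedirection | Format-Table Check, Result -AutoSize
Test-FolderRedirection -NetworkFolder '\\FileServer\RedirectedFolders' | Format-Table Check, Result, Documents -AutoSize
```

A FAIL on the Documents check after sign-in usually means the policy has not been processed yet (the lesson's step 5 sign-out is what lets Folder Redirection apply, since it is processed at sign-in), while a PASS on the redirection checks with a FAIL on the Demo Document check on the second client points at a share or permission problem rather than at the policy.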

14 http://go.microsoft.com/fwlink/?LinkId=378224

Enterprise State Roaming overview

With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates like the standard consumer settings sync that was first introduced in Windows 8.

Additionally, Enterprise State Roaming offers:

● Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.

● Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.

● Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.

What data roams?

Windows settings: the PC settings that are built into the Windows operating system. Generally, these are settings that personalize your PC, and they include the following broad categories:

● Theme, which includes features such as desktop theme and taskbar settings.

● Internet Explorer settings, including recently opened tabs and favorites.

● Edge browser settings, such as favorites and reading list.

● Passwords, including Internet passwords, Wi-Fi profiles, and others.

● Language preferences, which includes settings for keyboard layouts, system language, date and time, and more.

● Ease of access features, such as high-contrast theme, Narrator, and Magnifier.

● Other Windows settings, such as mouse settings.

Application data: Universal Windows apps can write settings data to a roaming folder, and any data written to this folder will automatically be synced. It’s up to the individual app developer to design an app to take advantage of this capability.

Configuring Enterprise State Roaming in Azure

When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must have a paid subscription to use the full capabilities of the Azure Rights Management service.

To enable Enterprise State Roaming

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Devices > Enterprise State Roaming.

3. Select either All or Selected next to Users may sync settings and app data across devices.

4.

For a Windows 10 device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the user’s primary sign-in identity is their Azure AD identity, so no additional configuration is required. For devices that use on-premises Active Directory, the IT admin must configure hybrid Azure AD joined devices (see Configure Hybrid Azure Active Directory joined devices).

Data storage

Enterprise State Roaming data is hosted in one or more Azure regions that best align with the country/region value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major geographic regions: North America, EMEA, and APAC. A tenant's Enterprise State Roaming data is stored within its geographical region and is not replicated across regions.

The country/region value is set as part of the Azure AD directory creation process and cannot be subsequently modified.

View per-user device sync status

Follow these steps to view a per-user device sync status report.

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Users > All users.

3. Select the user, and then select Devices.

4. Under Show, select Devices syncing settings and app data to show sync status.

5. If there are devices syncing for this user, you see the devices shown here.

Data retention

Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it’s manually deleted or until the data in question is determined to be stale.

Explicit deletion

Explicit deletion is when an Azure admin deletes a user or a directory or otherwise requests explicitly that data is to be deleted.

● User deletion: When a user is deleted in Azure AD, the user account roaming data is deleted after 90 to 180 days.

● Directory deletion: Deleting an entire directory in Azure AD is an immediate operation. All the settings data associated with that directory is deleted after 90 to 180 days.

● On request deletion: If the Azure AD admin wants to manually delete a specific user’s data or settings data, the admin can file a ticket with Azure support.

Stale data deletion

Data that has not been accessed for one year (“the retention period”) will be treated as stale and may be deleted from the Microsoft cloud. The retention period is subject to change but will not be less than 90 days. The stale data may be a specific set of Windows/application settings or all settings for a user. For example:

● If no devices access a particular settings collection (for example, an application is removed from the device, or a settings group such as “Theme” is disabled for all of a user’s devices), then that collection becomes stale after the retention period and may be deleted.

● If a user has turned off settings sync on all his/her devices, then none of the settings data will be accessed, and all the settings data for that user will become stale and may be deleted after the retention period.

● If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that directory will stop syncing settings, and all settings data for all users will become stale and may be deleted after the retention period.

Deleted data recovery

The data retention policy is not configurable. Once the data is permanently deleted, it’s not recoverable. However, the settings data is deleted only from the Microsoft cloud, not from the end-user device. If any device later reconnects to the Enterprise State Roaming service, the settings are again synced and stored in the Microsoft cloud.

Review Activity - Manage user profiles

REVIEW ACTIVITY – Manage User Profiles

Let's play a quick game to test your knowledge of managing user profiles. Click on the button below to open this review activity full screen.

LAUNCH ACTIVITY [15]

15 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_2_userprofilestutorial.html

Monitoring devices

Lesson Introduction

In this lesson, you will be introduced to managing and monitoring devices enrolled in Intune. You will learn how to work with your devices in the Intune console, such as verifying hardware inventory and configuration, and how to synchronize devices to get the latest policies. You will also learn about Intune automatic policy and profile synchronization.

The module then concludes with an overview of Windows Analytics, which is a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. You will learn about Update Health, Update Compliance, and Upgrade Readiness. Lastly, you will learn how to enroll devices into Windows Analytics.

After this lesson, you should be able to:

● Explain how to manage and monitor devices in Intune.

● Describe how to run actions against your Intune devices.

● Describe what Windows Analytics is and how to start using it.

Monitor devices enrolled in Intune

As an Intune administrator, you must ensure that managed devices provide the resources that your users need to do their work, while protecting that data from risk.

The Devices workload gives you insights into the devices you manage, and lets you perform remote tasks on those devices.

Get to your devices

1. Sign in to the Azure portal.

2. Select All services, filter on Intune, and select Microsoft Intune.

3. Select Devices. This view shows detailed information about the individual devices, and what you can do with them, including:

● Overview shows a visual snapshot of the enrolled devices, and also shows how many devices are using the different platforms, including Android, iOS, and more.


● All devices shows a list of the enrolled devices you manage.

● Use the Export feature to create a .csv list of all the devices, in increments of 10,000 (Internet Explorer) or 30,000 (Edge, Chrome).

● Select any device to view additional details about that device, including hardware details, installed apps, its compliance policy status, and more.

● Azure AD devices shows a list of the devices registered or joined with Azure Active Directory (Azure AD).


● Device actions includes a history of the remote actions that were run on different devices, including the action, its status, who initiated the action, and the time.

● Audit logs is a record of activities that generate a change in Intune.

● TeamViewer Connector is a service that allows users of Intune-managed Android devices to get remote assistance from their IT administrator.

● Help and Support provides shortcuts to troubleshooting tips, requesting support, and checking the status of Intune.

See device details in Intune

The Devices feature provides additional details about the devices you manage, including their hardware and the apps installed. To view all your devices and their properties in the Azure portal, do the following:

1. Sign in to the Azure portal.

2. Select All services, filter on Intune, and select Microsoft Intune.

3. Select Devices > All devices > select one of your listed devices to open its details:

● Overview shows the device name, and lists some key properties of the device, including whether it is a bring-your-own (BYOD) device, when it last checked in, and more. The actions available depend on the device platform and the configuration of the device. You can perform the following actions on the device:

● View device inventory

● Run the remote device actions:


● Retire

● Wipe

● Delete

● Remote lock

● Reset passcode

● Bypass Activation Lock (iOS only)

● Fresh Start (Windows only)

● Lost mode (iOS only)

● Locate device (iOS only)

● Restart (Windows only)

● Windows 10 PIN reset

● Remote control for Android

● Sync (Synchronize device policy)

● AutoPilot Reset

● Quick scan

● Full scan

● Update Windows Defender Signatures

● Use Properties to assign a device category that you created, and to change the ownership of the device to personal or corporate.

● Hardware includes many details about the device, including the device ID, the operating system and version, storage space, the model and manufacturer, conditional access settings, and more details.

● Discovered apps lists all the apps that Intune found installed on the device, and the app versions. You can also Export the app list into a .csv file.

● Device compliance lists all assigned compliance policies, and if the device is compliant or not compliant.


● Device configuration shows all device configuration policies assigned to the device, and if the policy succeeded or failed.

Intune collects an app list only on corporate-owned devices. Apps aren't checked on personal devices. For Windows 10 PCs, only modern apps are listed for corporate-owned devices. Intune doesn't collect information about Win32 apps on the device. Depending on the carrier used by the devices, not all apps may be collected.

Manage devices enrolled in Intune

You must sync your devices with Intune to update them with the latest policies and actions. The Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you’ve assigned, without waiting for the next scheduled check-in.

Sync a device

1. Sign in to the Azure portal.

2. Select All services, filter for Intune, and then select Microsoft Intune.

3. In Intune, select Devices > All devices.

4. In the list of devices you manage, select a device, select More, and then select Sync.

5. To confirm, select Yes.

6. To see the status of the sync action, choose Devices > Device actions.

Manage settings and features on your devices with Intune policies

Microsoft Intune policies are groups of settings that control features on mobile devices and computers. You create policies by using templates that include recommended or custom settings. Then, you deploy them to device or user groups.

Intune policies fall into the following categories. The category that you use affects how you create and deploy the policy.

● Configuration policies: Commonly used to manage security settings and features on your devices, including access to company resources. Get started at Intune device profiles.

● Device compliance policies: Define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate the compliance of devices independent of conditional access.

● Conditional access policies: Help secure email and other services, depending on conditions that you enter.


● Corporate device enrollment policies: Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer.

When a policy or an app is deployed, Intune immediately begins notifying the device to check in with the Intune service. This step typically takes less than five minutes.

If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. If the device is offline (such as being turned off, or not connected to a network), it might not receive the notifications. In this case, the device gets the policy on its next scheduled check-in with the Intune service, as follows:

Platform                             Check-in frequency
iOS                                  Every 6 hours
Mac OS X                             Every 6 hours
Android                              Every 8 hours
Windows 10 (enrolled as devices)     Every 8 hours
Windows 8.1                          Every 8 hours

If the device recently enrolled, the check-in frequency is more frequent, as follows:

Platform                             Check-in frequency
iOS                                  Every 15 minutes for 6 hours, and then every 6 hours
Mac OS X                             Every 15 minutes for 6 hours, and then every 6 hours
Android                              Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours
Windows PCs (enrolled as devices)    Every 3 minutes for 30 minutes, and then every 8 hours

Users can also open the Company Portal app and sync the device to immediately check for the policy anytime.

Windows Analytics Overview

Windows Analytics is a set of solutions for Azure Log Analytics (formerly known as Microsoft Operations Management Suite (OMS)), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. It provides you with extensive data about the state of devices in your deployment. Windows Analytics is a free solution: all data ingestion, storage, and processing are exempt from billing. An Azure subscription is required to use the service, but you will not be charged for it.

The OMS portal has been deprecated and you should start using the Azure portal instead as soon as possible. Many experiences are the same in the two portals, but there are some key differences, which this topic will explain.


For more information, refer to OMS portal moving to Azure [16].

There are currently three solutions which you can use singly or in any combination:

Device Health

Device Health provides the following:

● Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced.

● Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes.

● Notification of Windows Information Protection misconfigurations that send prompts to end users.

Device Health requires one of the following licenses:

● Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance

● Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)

● Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)

● Windows VDA E3 or E5 per-device or per-user subscription

Update Compliance

Update Compliance shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. In addition, Update Compliance provides the following:

● Dedicated drill-downs for devices that might need attention

● An inventory of devices, including the version of Windows they are running and their update status

● The ability to track protection and threat status for Windows Defender Antivirus-enabled devices

● An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later)

● Powerful built-in log analytics to create useful custom queries

● Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure

● Free of use

Upgrade Readiness

Upgrade Readiness offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a Service model.

[16] https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-portal-transition

Use Upgrade Readiness to get:

● A visual workflow that guides you from pilot to production

● Detailed computer and application inventory

● Powerful computer-level search and drill-downs

● Guidance and insights into application and driver compatibility issues, with suggested fixes

● Data-driven application rationalization tools

● Application usage information, allowing targeted validation; workflow to track validation progress and decisions

● Data export to commonly used software deployment tools, including System Center Configuration Manager

● Free of use

The following video provides additional information on using Windows Analytics to help improve your Windows experience.

Device Health in Windows Analytics

Device Health is offered as a solution that you link to a new or existing Azure Log Analytics workspace within your Azure subscription. To configure it, follow these steps:

1. Sign in to the Azure Portal with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.

2. In the Azure portal select Create a resource, search for “Device Health”, and then select Create on the Device Health solution.

3. Choose an existing workspace or create a new workspace to host the Device Health solution.

● If you’re using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace.

● If you’re creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:

● Choose a workspace name which reflects the scope of planned usage in your organization, for example PC-Analytics.


● For the resource group setting select Create new and use the same name you chose for your new workspace.

● For the location setting, choose the Azure region where you would prefer the data to be stored.

● For the pricing tier select Free.

4. Now that you have selected a workspace, you can go back to the Device Health blade and select Create.

5. Watch for a Notification (in the Azure portal) that “Deployment ‘Microsoft.DeviceHealth’ to resource group 'YourResourceGroupName' was successful.” and then select Go to resource. This might take several minutes to appear.

● Suggestion: Choose the Pin to Dashboard option to make it easy to navigate to your newly added Device Health solution.

● Suggestion: If a “resource unavailable” error occurs when navigating to the solution, try again after one hour.

Enroll devices in Windows Analytics

Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment:

1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Intune or Group Policy).

2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Intune or Group Policy). Note that the Limit Enhanced policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function.

After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show “Performing Assessment.”

For full instructions and troubleshooting, refer to Enrolling devices in Windows Analytics [17].

[17] https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started
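To verify on a device that the two enrollment prerequisites above (CommercialID deployed, diagnostic data level at Enhanced or Full) are actually in place, here is an added PowerShell example that is not part of the course. It reads the Windows data-collection policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection (CommercialId, AllowTelemetry and LimitEnhancedDiagnosticDataWindowsAnalytics) and can also write them; the CommercialID GUID used here is a placeholder, to be replaced with the one shown on your Device Health Settings page.

```powershell
# Added example (not from the course). Audits, and optionally sets, the
# data-collection policy values that Device Health enrollment depends on.
# Run in an elevated PowerShell session on a Windows 10 device.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Placeholder: paste the CommercialID from your Device Health Settings page.
$ExpectedCommercialId = '00000000-0000-0000-0000-000000000000'

function Test-WindowsAnalyticsEnrollment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommercialId,
        [string]$Path = $PolicyPath
    )

    # Missing key or values simply come back as $null and are reported as not set.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    $actualId  = $props.CommercialId
    $telemetry = $props.AllowTelemetry   # 0 Security, 1 Basic, 2 Enhanced, 3 Full
    $limitEnh  = $props.LimitEnhancedDiagnosticDataWindowsAnalytics

    $idOk        = ($actualId -eq $CommercialId)
    $telemetryOk = ($null -ne $telemetry) -and ($telemetry -ge 2)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CommercialIdMatches  = $idOk
        AllowTelemetry       = $telemetry
        DiagnosticLevelOk    = $telemetryOk
        LimitEnhancedSet     = ($limitEnh -eq 1)
        # Both prerequisites from the enrollment steps must hold.
        ReadyForDeviceHealth = ($idOk -and $telemetryOk)
    }
}

function Set-WindowsAnalyticsEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CommercialId,
        # 2 = Enhanced, 3 = Full; lower levels do not feed Device Health.
        [ValidateSet(2, 3)][int]$DiagnosticLevel = 2,
        # Limit Enhanced reduces the data shared while keeping Device Health working;
        # it only has an effect when the level is Enhanced (2).
        [switch]$LimitEnhanced,
        [string]$Path = $PolicyPath
    )

    if ($PSCmdlet.ShouldProcess($Path, 'Configure Windows Analytics enrollment')) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        Set-ItemProperty -Path $Path -Name 'CommercialId'   -Value $CommercialId    -Type String
        Set-ItemProperty -Path $Path -Name 'AllowTelemetry' -Value $DiagnosticLevel -Type DWord
        if ($LimitEnhanced) {
            Set-ItemProperty -Path $Path -Name 'LimitEnhancedDiagnosticDataWindowsAnalytics' -Value 1 -Type DWord
        }
    }
}

# Audit first; use -WhatIf on the Set- function to preview changes before applying them.
Test-WindowsAnalyticsEnrollment -CommercialId $ExpectedCommercialId | Format-List
```

In a managed fleet these values are normally delivered by Intune or Group Policy, so the Test- function is the useful part for confirming that the policy actually landed on a device before waiting the 48-72 hours for data to appear.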


Review Activity - Configure Windows Analytics

Let's play a quick game to test your knowledge of configuring Windows Analytics. Click on the button below to open this review activity full screen.

LAUNCH ACTIVITY [18]

[18] https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_3_configanalyticstutorial.html


Module 3 Application Management

Implement Mobile Application Management (MAM)

Lesson Introduction

This lesson is intended to introduce Mobile Application Management. You will learn about considerations for implementing MAM and you will be introduced to the management of MAM in Configuration Manager. You will also learn how to use Intune for MAM and how to implement and manage MAM policies in Intune.

After this lesson, you should be able to:

● Explain Mobile Application Management

● Understand application considerations in MAM

● Explain how to use Configuration Manager for MAM

● Use Intune for MAM

● Implement and manage MAM policies

Overview of Mobile Application Management

Intune Mobile Application Management (MAM) refers to the suite of Intune management features you can use to publish, push, configure, secure, monitor, and update mobile apps for your users. MAM protects an organization's data within an application by using Microsoft Intune app protection policies that help protect your company data and prevent data loss.

If you use MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM.


Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, whether intentional or unintentional. You'll also want to protect company data that is accessed from devices that you do not manage. You can use Intune app protection policies independent of any mobile device management (MDM) solution. This independence helps you protect your company’s data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

Intune MAM supports two configurations:

● Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune MDM. To manage apps using MDM + MAM, you should use the Intune console in the Azure portal at https://portal.azure.com.

● MAM without device enrollment: MAM without device enrollment (MAM-WE) allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM, that is, devices enrolled with third-party Enterprise Mobility Management (EMM) providers or not enrolled with any MDM at all. To manage apps using MAM-WE, you should use the Intune console in the Azure portal at http://portal.azure.com.

You can create mobile app management policies for Office mobile apps that connect to Office 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS and Android on devices that use hybrid Modern Authentication. Before using this feature, make sure you meet the Outlook for iOS and Android requirements. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.

The important benefits of using app protection policies are:

● Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

● End-user productivity isn't affected, and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

There are additional benefits to using MDM with app protection policies, and companies can use app protection policies with and without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies while the personal device is protected by app protection policies only. MDM makes sure that the device is protected. Some examples:

● You can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.

● App protection policies make sure that the app-layer protections are in place. For example, you can:

● Require a PIN to open an app in a work context

● Control the sharing of data between apps

● Prevent the saving of company app data to a personal storage location

Supported platforms for app protection policies

App protection policies are only supported by Android and iOS, and Windows devices are currently not supported. However, when you enroll Windows 10 devices with Intune, you can use Windows Information Protection, which offers similar functionality.

Application Considerations in MAM

Intune-managed apps are enabled with a rich set of mobile application protection policies and allow you to:

● Restrict copy-and-paste and save-as functions

● Configure web links to open inside the Intune Managed Browser app

● Enable multi-identity use and app-level conditional access

Intune-managed apps can also enable app protection without requiring enrollment, giving you the choice to apply data loss prevention policies without managing the user's device. One challenge many Intune admins face is keeping on top of which apps do or don’t support MAM policies.

Microsoft Intune Apps portal

You can use the new Microsoft Intune Apps portal, which displays all the MAM-enabled apps and the MAM features they support. For more information, go to Microsoft Intune Apps [1] and scroll down to find supported Microsoft apps in the Find the right Microsoft app for your scenario section.

[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps


Clicking an app's icon displays the MAM scenarios it supports (MDM with MAM or MAM without enrollment), the platforms it supports, and whether or not it is multi-identity capable. You can also find links to view the specific apps in the Apple or Google app stores.


In the Find the right partner app for your scenario section, you will see a list of currently supported third-party apps.

Intune App SDK and App Wrapping Tool

Incorporate mobile app management in your mobile and line-of-business apps using the Intune App Software Development Kit (SDK) and the Intune App Wrapping Tool.


Multi-identity

Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies apply only when the apps are used in the work context.

For example, consider a user who starts the OneDrive app by using their work account. In the work context, they can't move files to a personal storage location. Later, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.

For information about apps that support MAM and multi-identity with Intune, refer to how to use apps with multi-identity support [2].

Prepare line-of-business apps for app protection policies

You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the Intune App SDK.

Intune App Wrapping Tool

The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy. When protecting an app provided by an independent software vendor (ISV) it's important to clarify if the ISV will still support the wrapped app. You don't need the source code to use the tool, but you do need signing credentials.

For more information about how to use the Android App Wrapping Tool, refer to Prepare Android apps for app protection policies with the Intune App Wrapping Tool [3], and for more information about how to use the iOS App Wrapping Tool, refer to Prepare iOS apps for app protection policies with the Intune App Wrapping Tool [4].

Note: The App Wrapping Tool does not support apps in the Apple App Store or Google Play Store. It also doesn't support certain features that require developer integration.

Reasons to use the App Wrapping Tool:

● Your app does not have built-in data protection features

● Your app is simple

● Your app is deployed internally

● You don't have access to the app's source code

● You didn't develop the app

● Your app has minimal user authentication experiences

Intune App SDK

[2] https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/fasttrack-how-to-use-apps-with-multi-identity-support
[3] https://docs.microsoft.com/en-us/intune/app-wrapper-prepare-android
[4] https://docs.microsoft.com/en-us/intune/app-wrapper-prepare-ios


The Intune App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK, even line-of-business apps.

Reasons to use the SDK:

● Your app does not have built-in data protection features

● Your app is complex and contains many experiences

● Your app is deployed on a public app store such as Google Play or Apple's App Store

● You are an app developer and have the technical background to use the SDK

● Your app has other SDK integrations

● Your app is frequently updated

Apps without app protection policies

When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The arrows in the preceding diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.


You can use app protection policies to prevent company data from saving to the local storage of the device. You can also restrict data movement to other apps that aren't protected by app protection policies. App protection policy settings include:

● Data relocation policies like Prevent Save As, and Restrict cut, copy, and paste.

● Access policy settings like Require simple PIN for access, and Block managed apps from running on jailbroken or rooted devices.

Data protection with app protection policies


The preceding illustration shows the layers of protection that MDM and app protection policies offer together.

The MDM solution:

● Enrolls the device

● Deploys the apps to the device

● Provides ongoing device compliance and management

App protection policies add value by:

● Helping protect company data from leaking to consumer apps and services

● Applying restrictions like save-as, clipboard, or PIN, to client apps

● Wiping company data from apps without removing those apps from the device

Data protection with app protection policies on devices managed by a Mobile Device Management solution


The preceding diagram illustrates how the data protection policies work at the app level without MDM.

For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the app level. However, there are some limitations to be aware of:

● You can't deploy apps to the device. The end user has to get the apps from the store.

● You can't provision certificate profiles on these devices.


● You can't provision company Wi-Fi and VPN settings on these devices.

Data protection with app protection policies for devices without enrollment


Implementing MAM policies in Intune

App protection policies can be applied to apps running on devices that may or may not be managed by Intune. In many organizations it’s common to allow end users to use both Intune MDM managed devices, such as corporate owned devices, and un-managed devices protected with only Intune app protection policies, such as bring your own devices (BYOD).

Because Intune app protection policies are targeted to a user’s identity, the protection settings for a user typically apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or un-enrolled iOS and Android devices. You can create one protection policy for un-managed devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed.

Create and assign app protection policies

Use the following steps to create an app protection policy:

1. In the Azure Portal, in the navigation pane, click Intune.

2. Click Client apps and then from the Manage section, click App protection policies.

3. Click + Create Policy and type a name for the policy, add a brief description, and select the platform type for your policy.

4. Select if you want to Target to all app types. If you leave it at Yes, both Apps on unmanaged devices and Apps on Intune managed devices will be targeted. If you select No you can choose between unmanaged and Intune managed devices.

5. Choose Apps to open the Apps blade, where a list of available apps is displayed. Select one or more apps from the list that you want to associate with the policy that you're creating. You must select at least one app to create a policy.

6. Click Select to save your selection.

7. On the Add a policy blade choose Configure required settings to open settings.

8. There are three categories of policy settings: Data relocation, Access requirements, and Conditional launch. Data relocation policies apply to data movement in and out of the apps. The access policies determine how the end user accesses the apps in a work context. The conditional launch settings control the sign-in security requirements for your access protection policy. All policy settings have default values; if the defaults meet your requirements, you don't need to make any changes.


Note: These policy settings are enforced only when using apps in the work context. When end users use the app to do a personal task, they aren't affected by these policies. Note that when you create a new file it’s considered a personal file.

9. Choose OK to save this configuration. You're now back in the Add a policy blade.

10. Choose Create to create the policy and save your settings.

When you have created one or more app protection policies, they must be assigned users in order to have any effect. To assign an app protection policy, perform the following steps:

1. In the Client apps - App protection policies blade, click the policy you want to assign.

2. In the Intune App Protection blade, click Assignments, and then click Select groups to include.

3. A list of user groups is displayed on the Select groups to include blade. This list shows all the security groups in your Azure Active Directory (Azure AD) containing only users. Click the user groups you want this policy to apply to, and then click Select. Click Select again. The app protection policy is now assigned to the users in the selected groups.

4. Only users with assigned Microsoft Intune licenses are affected by the policy. Users in the selected security group that don’t have an assigned Intune license aren't affected.
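The two-tier model described above (a strict DLP policy for un-managed devices, a more relaxed one for MDM managed devices), together with the create and assign steps, can be checked mechanically against policy exports. The following linter is an added example, not course material or Intune code; it assumes Microsoft Graph managedAppProtection property names (verify against current Graph documentation) and uses constructed sample policies with a placeholder group id.

```python
"""Lint two exported Intune app protection policies against the two-tier model
the lesson describes: strict DLP for unmanaged (BYOD) devices, more relaxed
settings for Intune MDM-managed devices. Added example, not course or Intune
code. Property names follow the Microsoft Graph managedAppProtection schema as
this example's author understands it (an assumption; verify against current
Graph documentation). The policy documents are constructed samples.
"""
from typing import Any, Dict, List

# Enum values ordered from least to most restrictive (assumed orderings).
CLIPBOARD_LEVELS = ["allApps", "managedAppsWithPasteIn", "managedApps", "blocked"]
TRANSFER_LEVELS = ["all", "managedApps", "none"]


def rank(policy: Dict[str, Any]) -> Dict[str, int]:
    """Score each control the lesson names; a higher number is stricter."""
    def flag(key: str) -> int:
        return int(bool(policy.get(key, False)))
    return {
        # Data relocation: Prevent Save As, restrict cut/copy/paste, transfers
        "saveAsBlocked": flag("saveAsBlocked"),
        "clipboard": CLIPBOARD_LEVELS.index(
            policy.get("allowedOutboundClipboardSharingLevel", "allApps")),
        "outboundTransfer": TRANSFER_LEVELS.index(
            policy.get("allowedOutboundDataTransferDestinations", "all")),
        # Access requirements: require a PIN, and not a trivial one
        "pinRequired": flag("pinRequired"),
        "simplePinBlocked": flag("simplePinBlocked"),
        # Conditional launch: block the app on jailbroken/rooted devices
        "deviceComplianceRequired": flag("deviceComplianceRequired"),
    }


# Constructed tier floors (minimum rank per control), not a Microsoft baseline.
STRICT_FLOOR = {"saveAsBlocked": 1, "clipboard": 2, "outboundTransfer": 1,
                "pinRequired": 1, "simplePinBlocked": 1, "deviceComplianceRequired": 1}
RELAXED_FLOOR = {"pinRequired": 1, "deviceComplianceRequired": 1}


def lint_policy(policy: Dict[str, Any], floor: Dict[str, int], level: str) -> List[str]:
    """Return findings for one policy: targeting, apps, assignment, and controls."""
    name = policy.get("displayName", "<unnamed>")
    findings: List[str] = []
    # Step 4: targeting picks the device population (unmanaged vs mdm).
    if policy.get("targetedAppManagementLevels") != level:
        findings.append(f"{name}: targetedAppManagementLevels should be {level!r}")
    # Step 5: at least one app must be selected.
    if not policy.get("apps"):
        findings.append(f"{name}: no apps selected")
    # An unassigned policy has no effect on anyone.
    if not policy.get("assignments"):
        findings.append(f"{name}: not assigned to any group, so it has no effect")
    scores = rank(policy)
    for control, minimum in floor.items():
        if scores[control] < minimum:
            findings.append(f"{name}: {control} weaker than the tier floor")
    return findings


def lint_pair(strict: Dict[str, Any], relaxed: Dict[str, Any]) -> List[str]:
    """Two-tier check: the unmanaged policy must be at least as strict everywhere."""
    findings = lint_policy(strict, STRICT_FLOOR, "unmanaged")
    findings += lint_policy(relaxed, RELAXED_FLOOR, "mdm")
    rs, rr = rank(strict), rank(relaxed)
    for control in rs:
        if rs[control] < rr[control]:
            findings.append(f"two-tier inversion: relaxed policy is stricter on {control}")
    return findings


# Constructed sample policies (not tenant exports); the group id is a placeholder.
GROUP = {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
         "groupId": "00000000-0000-0000-0000-000000000001"}
OUTLOOK = {"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                   "bundleId": "com.microsoft.Office.Outlook"}}
STRICT_BYOD = {
    "displayName": "iOS - BYOD strict DLP",
    "targetedAppManagementLevels": "unmanaged",
    "apps": [OUTLOOK], "assignments": [{"target": GROUP}],
    "saveAsBlocked": True,
    "allowedOutboundClipboardSharingLevel": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "pinRequired": True, "simplePinBlocked": True, "deviceComplianceRequired": True,
}
RELAXED_MDM = {
    "displayName": "iOS - MDM managed",
    "targetedAppManagementLevels": "mdm",
    "apps": [OUTLOOK], "assignments": [{"target": GROUP}],
    "saveAsBlocked": False,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "allowedOutboundDataTransferDestinations": "all",
    "pinRequired": True, "simplePinBlocked": False, "deviceComplianceRequired": True,
}

if __name__ == "__main__":
    for line in lint_pair(STRICT_BYOD, RELAXED_MDM) or ["no findings"]:
        print(line)
    # A strict policy that lost its PIN requirement and its assignment:
    broken = dict(STRICT_BYOD, pinRequired=False, assignments=[])
    for line in lint_pair(broken, RELAXED_MDM):
        print(line)
```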

Edit existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won’t see the changes for an 8-hour period. To see the effect of the changes immediately, the end user must log out of the app, and sign back in.

Even though the steps for creating an app protection policy for either Android or iOS are similar, there are differences in the settings that can be chosen. For more information, refer to Android app protection policy settings in Microsoft Intune5, or iOS app protection policy settings6.

Managing MAM policies in Intune

You can monitor the compliance status of the MAM policies that you've applied to users in the Intune app protection pane in the Azure portal. You can find information about the users affected by the MAM policies, their compliance status, and any issues that your users might be experiencing.

There are three different places to monitor the compliance status:

● Summary view

● Detailed view

● Reporting view

Summary view

1. Sign into the Azure portal and in the navigation pane, click Intune.

5 https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-android
6 https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios


2. On the Intune blade, click Client apps and then click App protection status to see the summary view.

● Users: The total number of users in your company who are using an app which is associated with a policy in a work context.

● Managed by policy: The number of users who have used an app who have a policy assigned to them in a work context.

● No policy: The number of users who are using an app that is not targeted by any policy in a work context. You might consider adding these users to the policy.

Detailed view

You can get to the detailed view from the summary view by choosing the User status tile (based on device OS platform), and the Flagged users tile.

User status

You can search for a single user and check the compliance status for that user. The App reporting pane shows the following information for a selected user:

● Devices that are associated with the user account

● Apps with a MAM policy on the device

● Status:

● Checked in: The policy was deployed to the user, and the app was used in the work context at least once.

● Not checked in: The policy was deployed to the user, but the app has not been used in the work context since then.

To see a detailed report for a user, follow these steps:

1. Sign into the Azure portal and in the navigation pane, click Intune.

2. On the Intune blade, click Client apps and then click App protection status to see the summary view.

3. Click either the User status for iOS tile or the User status for Android tile.

4. On the App reporting blade, click Select user to search for an Azure AD user.


5. Select a user from the list, for example Debra Berger, and then click Select. You can see the user name, whether the user has a license for Intune, and details of the compliance status for that user.

Reporting view

You can find the same reports from the Detailed view, and additional reports to help you with the MAM policy compliance status.

To access the reports, perform the following steps:

1. Sign into the Azure portal and in the navigation pane, click Intune.

2. On the Intune blade, click Client apps and then click App protection status to see the summary view.

3. On the Clients apps – App protection status blade, click Reports in the details pane. Notice that you can also export the following information to a CSV file:

● App protection report: iOS, Android

● App protection report: WIP without enrollment

● App protection report: WIP via MDM

● App configuration report


4. On the Reports blade, you can run the following reports:

● Users report

● App report

● User configuration report

● App configuration report

● App learning report for Windows Information Protection

● Website learning for Windows Information Protection

Note: Microsoft recommends using Intune for managing MAM policies. Managing MAM policies with ConfigMgr using the hybrid MDM model is deprecated. On September 1, 2019, Microsoft will retire the hybrid MDM service offering, and any remaining hybrid MDM devices will no longer receive policy, apps, or security updates. Start planning your migration for MDM from the ConfigMgr console to Azure.


Deploying and updating applications

Lesson Introduction

In this lesson, you will be introduced to application deployment in Intune. You will learn about deploying software using Group Policy and get an overview of Windows Store for Business. You will examine how to configure Windows Store for Business and how to integrate it with Intune. The lesson will then conclude with information about how to use Windows Store for Business.

After this lesson, you should be able to:

● Explain how to deploy applications using Intune

● Learn how to deploy applications using Group Policy

● Understand Microsoft Store for Business

● Learn how to configure Microsoft Store for Business

● Explain how to use Microsoft Store for Business

Deploying applications with Intune

As an IT admin, you can use Microsoft Intune to manage the client apps that your company's workforce uses. This functionality is in addition to managing devices and protecting data. One of an admin's priorities is to ensure that end users have access to the apps they need to do their work. This goal can be a challenge because:

● There are a wide range of device platforms and app types.

● You might need to manage apps on both company devices and users' personal devices.

● You must ensure that your network and your data remain secure.

Additionally, you might want to assign and manage apps on devices that are not enrolled with Intune. Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on.

For more information about the App management capabilities by platform, refer to What is Microsoft Intune app management?7

Microsoft Intune app lifecycle

The Microsoft Intune app lifecycle begins when an app is added and progresses through additional phases until you remove the app. By understanding these phases, you'll have the details you need to get started with app management in Intune.

7 https://docs.microsoft.com/en-us/intune/app-management


Add

The first step in app deployment is to identify the apps you want to manage and assign, and add them to Intune. Although you can work with many different app types, the basic procedures are the same. With Intune you can add apps written in-house (line-of-business), apps from the store, apps that are built-in, and apps on the web.

Deploy

After you've added the app to Intune, you can then assign it to users and devices that you manage. Intune makes this process easy, and after the app is deployed, you can monitor the success of the deployment from Intune within the Azure portal. Additionally, in some app stores, such as the Apple and Windows app stores, you can purchase app licenses in bulk for your company. Intune can synchronize data with these stores so that you can deploy and track license usage for these types of apps right from the Intune administration console.

Configure

As part of the app lifecycle, new versions of apps are regularly released. Intune provides tools to easily update apps that you have deployed to a newer version. Additionally, you can configure extra functionality for some apps, for example:

● iOS app configuration policies supply settings for compatible iOS apps that are used when the app is run. For example, an app might require specific branding settings or the name of a server to which it must connect.

● Managed browser policies help you to configure settings for the Intune managed browser, which replaces the default device browser and lets you restrict the websites that your users can visit.

Protect

Intune gives you many ways to help protect the data in your apps. The main methods are:

● Conditional access, which controls access to email and other services based on conditions that you specify. Conditions include device type or compliance with a device compliance policy that you deployed.


● App protection policies that work with individual apps to help protect the company data that they use. For example, you can restrict copying data between unmanaged apps and managed apps, or you can prevent apps from running on devices that have been jailbroken or rooted.

Retire

Eventually, the apps that you deployed will likely become outdated and need to be removed. Intune makes it easy to retire apps from service.

Adding apps to Intune

Before you can assign, monitor, configure, or protect apps, you must add them to Microsoft Intune. The users of apps and devices at your company (your company's workforce) might have several app requirements. Before adding apps to Intune and making them available to your workforce, you must assess and understand a few app fundamentals. You must understand the various types of apps that are available for Intune. You must assess the app requirements, such as the platforms and capabilities that your workforce needs. You must determine whether to use Intune to manage the devices (including apps) or have Intune manage the apps without managing the devices. Finally, you must determine the apps and capabilities that your workforce needs, and who needs them.

You can add the following app types in Intune:

Store app

Apps that have been uploaded to either the Microsoft store, the iOS store, or the Android store are store apps. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users. For more information, refer to:

● Add Android store apps to Microsoft Intune8

● Add iOS store apps to Microsoft Intune9

● Add Microsoft Store apps to Microsoft Intune10

Office 365 Suite

This app type makes it easy for you to assign Office 365 apps to devices you manage that run Windows 10 or macOS. You can also install apps for the Microsoft Project Online desktop client and Microsoft Visio Pro for Office 365, if you own licenses for them. The apps that you want are displayed as a single entry in the list of apps on the Intune console. For more information, refer to:

● Assign Office 365 apps to Windows 10 devices with Microsoft Intune11

● Assign Office 365 apps to macOS devices with Microsoft Intune12

Other

● Web link. A web app is a client-server application. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web-hosting platforms commonly offer security, load balancing, and other benefits. A web app is separately maintained on the web. You use Microsoft Intune to point to this app type. You also assign the groups of users that can access this app. For more information refer to Add web apps to Microsoft Intune.

8 https://docs.microsoft.com/en-us/intune/store-apps-android
9 https://docs.microsoft.com/en-us/intune/store-apps-ios
10 https://docs.microsoft.com/en-us/intune/store-apps-windows
11 https://docs.microsoft.com/da-dk/intune/apps-add-office365
12 https://docs.microsoft.com/da-dk/intune/apps-add-office365-macos


● Built-in app. The built-in app type makes it easy for you to assign curated managed apps, such as Office 365 apps, to iOS and Android devices. You can assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and others. After you add an app, the app type is displayed as either Built-in iOS app or Built-in Android app. By using the built-in app type, you can choose which of these apps to publish to device users. For more information refer to Add built-in apps to Microsoft Intune13.

● Line-of-business (LOB) app. An LOB app is one that you add from an app installation file. For example, to install an iOS LOB app, you add the application by selecting Line-of-business app as the App type in the Add app pane. You then select the app package file (extension .ipa), which is uploaded to Intune. LOB apps are supported for Windows 10, Android and iOS. The following extensions are supported:

● Windows 10: .msi, .appx, .appxbundle, .msix and .msixbundle

● Android: .apk

● iOS: .ipa and .intunemac

● Windows app (Win32) – preview. Building upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps, administrators can use Intune to deploy most of their organization’s existing Win32 line-of-business (LOB) applications to end users on Windows 10 devices. Administrators can add, install, and uninstall applications for Windows 10 users in a variety of formats, such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before downloading and installing, notifying end users of the status or reboot requirements using the Windows 10 Action Center. This feature is currently in public preview and we expect to add significant new capabilities to the feature over the next few months. For more information refer to Intune Standalone - Win32 app management (Public Preview)14.

Deploying applications with Group Policy

Windows Server 2016 and later includes a feature called Software Installation and Maintenance that Active Directory Domain Services (AD DS), Group Policy, and the Windows Installer service use to install, maintain, and remove software from your organization’s computers.

Using Group Policy to manage the software lifecycle

The software lifecycle consists of four phases: preparation, deployment, maintenance, and removal.

13 https://docs.microsoft.com/da-dk/intune/apps-add-built-in
14 https://docs.microsoft.com/en-us/intune/apps-win32-app-management


You can use Group Policy to manage all phases except the preparation. You can apply Group Policy settings to users or computers in a site, domain, or organizational unit (OU) to install, upgrade, or remove software automatically.

By applying Group Policy settings to software, you can manage the phases of software deployment without deploying software on each computer individually.

Using Group Policy to manage the software lifecycle has some advantages and some disadvantages that are important to consider. The advantages of using Group Policy to manage the software lifecycle are:

● Group Policy software distribution is available as part of Group Policy and AD DS. Thus, using Group Policy does not incur any additional costs for your organization, and is always available to implement because it’s already installed and ready for use.

● Group Policy software distribution does not require client software, agent software, or additional management software. IT administrators can use familiar tools to manage the software lifecycle.

● Group Policy software distribution is quick and easy to use. This allows for both faster software distribution and reduced IT training costs.

The disadvantages of using Group Policy to manage the software lifecycle are:

● Group Policy software distribution has a minimal feature set. This minimal feature set limits the ability to control aspects of the distribution such as the day and time of installation, the order of installation when deploying multiple applications, and the reboot process, such as reboot suppression or reboot windows.


● Group Policy software distribution does not have any reporting. Thus, you cannot easily gather information such as how many computers have the distributed software, which computers an installation failed on, or which computers do not have the distributed software. This could lead to a scenario in which you deploy an update to an application and the update attempts to install on computers that no longer have the application to be updated.

● Group Policy software distribution is limited to deployment of Windows Installer packages. IT administrators have to convert non-MSI installation programs into MSI packages before being able to deploy the software by using Group Policy.

For larger organizations, especially organizations that have more than 500 computers, and for any organizations with specific software distribution requirements, System Center Configuration Manager provides enterprise-level features and control. These enterprise-level features and control eliminate the disadvantages found in Group Policy software distribution.

How Windows Installer enhances software distribution

To enable Group Policy to deploy and manage software, Windows Server 2016 or later uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally-defined setup rules during the installation process. The Windows Installer service installs .msi package files. An .msi file contains a database that stores all the instructions required to install the application. Small applications may be stored entirely in an .msi file, whereas larger applications will have many associated source files that the MSI references. Many software vendors provide .msi files for their applications.

The Windows Installer service has the following characteristics:

● This service runs with elevated privileges, so that the Windows Installer service can install software regardless of which user is signed into the system. Users only require read access to the software distribution point.

● Applications are resilient. If an application becomes corrupted, the installer will detect and reinstall or repair the application.

● Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, you must convert the .exe file to an .msi file by using a third-party utility.

Managing software upgrades by using Group Policy

Software vendors occasionally release software updates. These usually address minor issues, such as a performance update or a feature enhancement that does not warrant a complete application reinstallation. Microsoft releases some software patches as .msp files. Major updates that provide new functionality require users to upgrade a software package to a newer version. You can open the GPO that deploys a software package, modify the software installation settings,


and then use the Upgrades tab to upgrade a package. When you perform upgrades by using Group Policy, you’ll notice the following characteristics:

● You can redeploy a package if the original Windows Installer file has been modified.

● Upgrades will often remove the old version of an application and install a newer version. These upgrades usually maintain application settings.

● You can remove software packages if they were delivered originally by using Group Policy. This is useful if you’re replacing a line-of-business (LOB) application with a different application. Removal can be mandatory or optional.

● For more information about how to use Group Policy to remotely install software in Windows, refer to Using group policy to remotely install software in Windows server15.

Assigning and publishing software

Two deployment types are available for delivering software to clients. Administrators can either install software for users or computers in advance by assigning the software, or give users the option to install the software when they require it by publishing the software in AD DS. Both user and computer configuration sections of a GPO have a Software Settings section. You can add software to a GPO by adding a new package to the Software Installation node and then specifying whether to assign or publish it.

You also can choose advanced deployment of a package. Use this option to apply a customization file to a package for custom deployment. For example, you can use the Office Customization Tool to create a setup customization file to deploy Microsoft Office.

Assigning software

Assigning software has the following characteristics:

● When you assign software to a user, the user’s Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application.

● Users don’t share deployed applications. When you assign software to a user, an application that you install for one user through Group Policy may not be available to other users. Assigning software to a user is preferred when the software is used by a subset of users, or when the software has licensing costs associated with it and you don’t want to purchase licenses that will not be used.

● When you assign an application to a computer, the application is installed the next time that the computer starts. The application will be available to all users of the computer. Assigning software to a computer is preferred when you need to have the software installed on a specific set of computers or on all computers in an environment, regardless of which users use the computers. This is a common situation when dealing with agent software, such as monitoring agents, security-related agents, or management agents.

15 https://support.microsoft.com/en-us/help/816102/how-to-use-group-policy-to-remotely-install-software-in-windows-server

Publishing Software

Publishing software has the following characteristics:

● The Programs>Programs and Features shortcut in Control Panel advertises a published application to the user. Users can install the application by using the Install a program from the network shortcut, or extension activation can install the application. Extension activation will initiate the program installation when a user clicks on a file type that is associated with the program.

● Control Panel does not advertise applications to users who do not have permission to install them.

● Applications cannot be published to computers.

Microsoft Store for Business Overview

Organizations use Microsoft Store for Business, not individual customers. In the Windows 10 operating system, Microsoft introduced Microsoft Store for Business, which is meant for organizations of all sizes. Organizations can sign up for Microsoft Store for Business for free; the only requirement is that the organization must have Azure AD. If an organization doesn’t yet have Azure AD, it can create an Azure AD tenant during the sign-up process. Then, the organization can purchase modern apps and make them available to company employees in a private store. Employees can access the private store by using the Microsoft Store app, which Windows 10 includes, and then install apps from the private store.

You can sign up and manage Microsoft Store for Business by using a web browser. However, before you can access it, you must authenticate with your Azure AD account. Microsoft Store for Business supports two types of licensing: online and offline. All apps support online licensing, while offline licensing is available only for apps for which the developer selected this option. Microsoft Store for Business includes basic deployment capabilities that enable you to assign apps to company employees. Employees will receive email notifications, and they can select the link in the email message to install the app.

Features and benefits of Microsoft Store for Business

Different vendors have different ways to distribute apps for their devices. Modern Windows apps are available through Microsoft Store, where anyone can purchase an app and install it on their Windows-based device. Microsoft Store for Business enables organizations to set up a private store and add modern Windows apps to that private store. An organization’s private store is available only to company employees. The private store can include publicly available, business-related apps that the organization purchased from Microsoft Store for Business. The private store can also include modern Windows apps that were developed for the organization and that must be available only to company employees.


Microsoft Store for Business is a cloud service, which means that it’s scalable and available from anywhere, if you have internet connectivity. Company employees authenticate in Microsoft Store for Business with an Azure AD account, and you can delegate store permissions to any organizational user. You manage Microsoft Store for Business in a web browser, and employees can access it from the Microsoft Store app on Windows 10, or by using a web browser.

Microsoft Store for Business is available for free and provides organizations with the following benefits and features:

● Scalable to fit any size organization. For smaller organizations, you can quickly have an end-to-end process to acquire and distribute apps. Larger organizations can integrate Microsoft Store for Business with a management tool such as Microsoft Intune or Microsoft System Center Configuration Manager (Current Branch) for greater control over app deployments and updates.

● Use of familiar infrastructure. Because Microsoft Store for Business is a cloud service, it’s available around the world, and it has practically unlimited resources. It uses Azure AD for authentication, which means that organizations that are already using Azure AD authentication can easily implement it. If an organization doesn’t have Azure AD, it can create an Azure AD tenant automatically when it signs up for Microsoft Store for Business.

● Private store. Microsoft Store for Business includes a private store, which is available to all company employees after they authenticate with an Azure AD account. You can add purchased modern Windows 10 apps to a private store, and company employees can access them by using the Microsoft Store app from any Windows 10 device.

● Bulk app acquisition. Organizations can acquire and pay for apps in volume from Microsoft Store for Business.

● Centralized management. You can use Microsoft Store for Business as a central location for tracking available and installed apps, billing, and order history. You can also delegate permission for various aspects of Microsoft Store for Business management to company employees.

● App license tracking and management. In Microsoft Store for Business, you can view who installed apps and who has a license to run an app. You can also reclaim an app license from a user, which prevents them from using the app, and assign a license to another user. Online and offline licenses allow you to customize how you deploy apps.

● Flexible distribution options. Three options are available for distributing apps in Microsoft Store for Business. You can:

● Distribute apps through Microsoft Store for Business by assigning apps to company employees or by making apps available to all employees in the private store.

● Connect Microsoft Store for Business with Intune, Configuration Manager, or another management tool, and use the management tool’s advanced deployment options to deploy apps from Microsoft Store for Business.


● Use the offline-licensing model to distribute apps without connecting to Microsoft Store for Business.

● Support for LOB apps. An organization can submit and deploy LOB apps in Microsoft Store for Business. Developers can create LOB apps for an organization and make them available only to employees of that organization.

● Up-to-date apps. For apps with online licenses, Microsoft Store for Business can automatically update apps. Microsoft Store for Business apps also uninstall cleanly, without leaving behind extra files.

Microsoft Store for Business Prerequisites

Microsoft Store for Business is a cloud service. To access and administer Microsoft Store for Business, and for users to browse and obtain apps from it, internet connectivity is necessary. Users who want to access Microsoft Store for Business must also have a suitable web browser and an Azure AD account; that is, their identities must exist in Azure AD. This is already the case if they have an Azure subscription or if they use cloud services such as Microsoft Office 365 or Intune.

To use Microsoft Store for Business, you must meet the following prerequisites:

● Internet connectivity. The public cloud hosts Microsoft Store for Business. A device must have internet connectivity to browse Microsoft Store for Business and to administer it. If your company restricts access to the internet, you must allow access to the set of URLs that devices need to reach in order to use Microsoft Store for Business.

● Windows 10 devices. You can browse Microsoft Store for Business only from Windows 10 devices. Windows 10 includes the Microsoft Store app, which you can use to access the public Microsoft Store and Microsoft Store for Business.

● Windows Update service. Microsoft Store requires the Windows Update service to be enabled on the device. The Windows Update service detects, downloads, and installs updates for the Windows operating system and for other apps, including apps from Microsoft Store for Business. You can’t install apps from Microsoft Store for Business if the Windows Update service is disabled.

● Supported web browser for administering Microsoft Store for Business. Although Microsoft Store for Business users don’t need a web browser for browsing and installing apps, administrators need a web browser for managing Microsoft Store for Business. You can manage Microsoft Store for Business in Internet Explorer 11, Microsoft Edge, or current versions of Google Chrome or Mozilla Firefox. In the web browser, you must enable JavaScript support.

● Azure AD account. If you want to manage or browse Microsoft Store for Business, you must first sign in to Microsoft Store for Business with an Azure AD account. If you use a management tool for deploying online-licensed apps, the users to whom you deploy apps must also have Azure AD accounts. If an app from Microsoft Store for Business supports offline licensing, an administrator can obtain and deploy it to users even if they don’t have an Azure AD account; however, the administrator must have an Azure AD account to obtain the app.
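The following Windows PowerShell function is an added example, not part of the course text or of Microsoft's own tooling. It checks the device-side prerequisites listed above (Windows 10, the Microsoft Store app, an enabled Windows Update service, and HTTPS reachability of the store endpoints) so that an administrator can tell a blocked prerequisite apart from a licensing problem. The function name and the endpoint names are assumptions for illustration; substitute the URL list your organization allows through its proxy or firewall.

```powershell
# Added example (not course code): device-side check of the Microsoft Store for
# Business prerequisites. Run in an elevated Windows PowerShell session on the
# Windows 10 device you want to verify.

function Test-StoreForBusinessPrerequisites {
    [CmdletBinding()]
    param(
        # Assumed endpoint list; replace it with the URL set your organization allows.
        [string[]]$Endpoints = @('login.microsoftonline.com', 'businessstore.microsoft.com')
    )

    $results = [ordered]@{}

    # 1. Windows 10 or later: the Microsoft Store app and Store for Business need it.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['Windows10OrLater'] = ([version]$os.Version).Major -ge 10

    # 2. The Microsoft Store app is present (it is an inbox app on Windows 10).
    $store = Get-AppxPackage -Name 'Microsoft.WindowsStore' -ErrorAction SilentlyContinue
    $results['StoreAppInstalled'] = [bool]$store

    # 3. The Windows Update service (wuauserv) must not be disabled; store app
    #    installs depend on it, so a disabled service blocks every install.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $results['WindowsUpdateEnabled'] = ($null -ne $wu) -and ($wu.StartType -ne 'Disabled')

    # 4. HTTPS reachability of each store endpoint through the current network path.
    #    A False here usually means a proxy or firewall rule, not a store problem.
    foreach ($endpoint in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $endpoint -Port 443 `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        $results["Reach_$endpoint"] = [bool]$ok
    }

    [pscustomobject]$results
}

# Usage: print one line per check; every value should be True on a ready device.
Test-StoreForBusinessPrerequisites | Format-List
```

Run it on a device that reports problems installing store apps; a False in WindowsUpdateEnabled or in one of the Reach_ entries points at the prerequisite that is failing before you look at app licenses or Azure AD accounts.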


If all prerequisites are met, users can access, browse, and install the apps from Microsoft Store for Business. You can also assign them apps, in which case, users will receive notifications by email and will be able to install the apps. If your organization is using a management tool such as Intune or Configuration Manager to distribute and manage apps, you can integrate it with Microsoft Store for Business. Using a management tool provides additional control and reporting in app deployments.

Implementing Microsoft Store for Business

For organizations that use Azure AD, Microsoft Store for Business is available without any additional fee. If an organization already has Azure AD, for example as part of an Azure or Office 365 subscription, it can sign up with its Azure AD account and start using Microsoft Store for Business. If an organization doesn’t yet have Azure AD, it can create an Azure AD tenant as part of the Microsoft Store for Business sign-up process. Users who sign up for and create a Microsoft Store for Business account must be global administrators in Azure AD.

Before you can start using Microsoft Store for Business, you must first sign up. The sign-up process is fast, straightforward, and similar to signing up for other cloud services:

1. In your browser, go to https://www.microsoft.com/business-store, and sign in with your Azure AD global administrator account.

2. When you are signed in, click Manage and then accept the licensing agreement.

3. You are now signed up for Microsoft Store for Business.


After signing up for Microsoft Store for Business, you can start managing it. The user account that you used to sign up for Microsoft Store for Business is already a global administrator in your Azure AD tenant, and this user has all permissions. Other Azure AD tenant users can browse Microsoft Store for Business and install available apps, but they can’t manage it. If necessary, a global administrator can delegate permissions for Microsoft Store for Business tasks by assigning store roles to other company employees; for example, to acquire and distribute apps. You can assign roles only to Azure AD user accounts and not to groups.

You can assign four user roles to manage access to apps and to perform other tasks in Microsoft Store for Business:

● Admin. Users in this role can perform all tasks and assign roles to others.

● Purchaser. Users in this role can acquire apps, add them to the private store, and distribute apps to company users.

● Basic purchaser. Users in this role can acquire apps they own, add them to the private store, and distribute apps to company users.

● Windows Defender Device Guard signer. Users in this role can manage Windows Defender Device Guard settings.

When you sign up for Microsoft Store for Business, the following five apps are automatically added to the private store: Microsoft Word Mobile, Microsoft Excel Mobile, Microsoft PowerPoint Mobile, Microsoft OneNote, and Microsoft Sway. It can take up to 36 hours for the apps to become visible in the private store. If a user is in the Admin role, they can add additional apps to the private store. Users in the Purchaser or Basic purchaser role can purchase apps, but they can’t add them to the private store. Users in the Basic purchaser role also can’t license apps for offline use. Users in the Admin or Global Admin roles can add Microsoft Store for Business apps and LOB apps to a private store.

A user in the Admin role can manage the following settings in Microsoft Store for Business:

● Account information and payment options. You can modify organizational information, such as the address and value-added tax number, and you can add or modify payment options, such as credit card details.

● Private store name. You can modify the name of a private store.

● Offline licensing. If an app can be offline-licensed, you can download the app package and distribute it to users even if they don’t connect to Microsoft Store for Business and even if they don’t have an Azure AD account. Additionally, a user in the Admin role can configure whether offline-licensed apps are displayed in Microsoft Store for Business.

● Management tools. You can add a management tool such as Intune or Configuration Manager to Microsoft Store for Business. Management tools can sync with Microsoft Store for Business, and you can use them to distribute apps from Microsoft Store for Business to company users.

● Device Guard signing. Apps that install from Microsoft Store for Business can be signed automatically and added to the code integrity policy. If you configure this option, employees can install apps from Microsoft Store for Business and run them on a device that is protected by Windows Defender Device Guard.

● Permissions. You can delegate permissions for Microsoft Store for Business and allow company users to perform certain management tasks in Microsoft Store for Business.

● LOB publishers. You can invite company developers or third-party vendors to submit their LOB apps to Microsoft Store for Business. These LOB apps can be available only in your organization’s private store and not in the public Microsoft Store.

Obtaining apps based on your licensing model

How you obtain apps from Microsoft Store for Business and install them on a device is determined by your licensing model. Microsoft Store for Business supports two licensing models to license apps from the store: online and offline.

Online licensing

Online licensing is the default licensing model in Microsoft Store for Business, and any app in the store supports this licensing model. Online licensing requires users to authenticate and connect to Microsoft Store for Business before they can install an app and its license. You can install online-licensed apps from the private store and assign them to users or distribute them by using a management tool such as Intune or Configuration Manager. Users who don’t have an Azure AD account or who can’t connect to Microsoft Store for Business can’t install online-licensed apps.

License management for online-licensed apps is enforced and based on a user’s Azure AD identity. Microsoft Store for Business handles license management, and Windows Update performs app updates. Online licensing is the only option that is available for apps in the public Microsoft Store.

Offline licensing

The offline-licensing option is available only for certain apps in Microsoft Store for Business. With offline licenses, an organization can purchase multiple copies of an app for its employees, download the app package and its license, and deploy it on the organizational network. For example, you can include offline-licensed apps in the computer image and sideload or deploy them by using a management tool such as Intune or Configuration Manager.

Offline licensing is available only for apps for which developers specify this licensing option when they submit the app to the Windows Dev Center. Administrators can download and install apps that use the offline-licensing model for users who don’t connect to Microsoft Store for Business or who don’t have an Azure AD account. License management isn’t enforced, and the organization that purchases the app manages the licenses. As with online licensing, Windows Update performs app updates. Users in the Admin role control whether offline-licensed apps are available in Microsoft Store for Business by configuring the offline app visibility setting.

You can configure offline app visibility by performing the following steps:

1. Sign in to Microsoft Store for Business.

2. Click Manage, and then click Settings.

3. On the Shop tab, in the Shopping experience section, turn the Show offline apps setting On.

Using Microsoft Store for Business

After you set up Microsoft Store for Business, you can access the apps and add them to a private store. You can also invite company developers or independent software vendors to submit LOB apps. After you accept a submitted LOB app, you can add the app to the private store and distribute it in the same way as any other store app. Apps in Microsoft Store for Business only work on Windows 10–based devices and must be of the following types:

● Universal Windows Platform apps

● Universal Windows apps, by device: phone, Microsoft Surface Hub, Internet of Things (IoT), and Microsoft HoloLens

Deploying and managing Microsoft Store for Business apps

After you add apps to your private store in Microsoft Store for Business, you can distribute them to company employees in several ways. You can instruct employees to open the Microsoft Store app, browse the private store, and manually install the apps they need from a private store.

The second method is to assign apps to employees in Microsoft Store for Business; they will receive an email notification with instructions and a link to install the apps. Users just need to select the link and authenticate, and the app will install without any further user interaction. The third method is more advanced and requires a management tool. You can integrate a mobile device management tool with Microsoft Store for Business, sync the list of available apps, and use the mobile device management tool to deploy the apps. If an app is licensed for offline use, the administrator can download the app package from Microsoft Store for Business and deploy it as any other modern Windows app; for example, by using imaging, sideloading, or an app deployment tool such as Intune or Configuration Manager.

Distribute apps by using a private store

Private store is a Microsoft Store for Business feature. Administrators can add apps from Microsoft Store for Business to a private store and make them available to company employees. Administrators can also invite developers to submit LOB apps, accept submitted apps, and add LOB apps to a private store. Only online-licensed apps can be added to a private store. When an app is in a private store, all company employees can view and install the app if sufficient licenses are available. If an app has free licenses, all company employees can install it regardless of the number of employees. For purchasable apps, any user with the Admin or Purchaser roles can buy a certain number of copies, and only that number of employees can install the app. Although the app isn’t free, employees don’t need to pay for it. The purchaser must buy a certain number of copies before an app can be added to a private store.

Note: After you add an app to a private store, it can take up to 36 hours for the app to become visible in the private store.

To acquire an app and make it available in a private store, perform the following steps:

1. Sign in to Microsoft Store for Business and click Shop for my group.

2. Search for the app that you want to add to the private store.

3. Select an app, choose the license type (if the app supports offline licensing), select Get the app, and then select Close.

4. Select the ellipsis (…), and then Manage.

5. Click the Private store availability tab, and select one of the following options:

● No one

● Everyone

● Specific groups

6. Alternatively, instead of selecting the ellipsis (…), you can select Manage on the toolbar below Microsoft Store for Business; then, in the navigation pane, select Products & services to view all the acquired apps. From the list, select the app that you want to add to the private store, and follow step 5 to add the app to the private store.


Company employees can install an app from a private store by using the Microsoft Store app or by using a web browser. In both cases, they must authenticate by using an Azure AD account. The Microsoft Store app automatically connects to the public Microsoft Store, and employees must select the tab for the private store (the admin can specify a name for a private store by selecting the Settings option, selecting the Distribute tab, and then changing the name there). In a web browser, employees browse to https://www.microsoft.com/business-store, and after authentication, they can view available apps in the private store.

Assigning apps to company employees

After you purchase an app in Microsoft Store for Business, you can add it to the private store or assign it to company employees. Apps that you add to the private store are available to all company employees, but users must visit the private store and install apps from there. If you assign an app to a user, the user will receive an email notification, and they can install the app by selecting the link in the email and authenticating in Microsoft Store for Business with their Azure AD account. You can assign any online-licensed app from Microsoft Store for Business regardless of whether the app is in the private store.

To assign an app to company employees, perform the following steps:

1. Sign in to Microsoft Store for Business. Apps that you want to assign must already have been acquired.

2. On the toolbar below Microsoft Store for Business, select Manage.

3. In the navigation pane, select Products & services, and then in the details pane, view all the acquired apps.

4. In the details pane, select the app that you want to assign. Select the Assign to Users link, and then specify the employees to whom you want to assign the app. Employees will receive an email notification to install the app.

You can assign apps from Microsoft Store for Business only to company users; you can’t assign them to groups or devices. If a user to whom you assign an app no longer needs the app, you can reclaim the license from that user.

Distributing apps with a management tool

Using a management tool to distribute apps that are in Microsoft Store for Business will provide the most flexibility. For example, you can distribute apps to users based on group membership or the configuration of their Windows 10 devices. You can use management tools for distributing apps regardless of their license type; they can distribute both online and offline-licensed apps. For online-licensed apps, Microsoft Store for Business tracks and manages app licenses. For offline-licensed apps, the management tool tracks licenses. You can use tools such as Intune or System Center Configuration Manager to distribute apps from Microsoft Store for Business.

To integrate Windows Store for Business with Intune, perform the following steps:

1. Sign in to Microsoft Store for Business.

2. On the toolbar below Microsoft Store for Business, select Manage.


3. In the navigation pane, click Settings and then in the details pane, click the Distribute tab.

4. Switch to the Azure portal and in the navigation pane, click Intune.

5. In the Microsoft Intune blade, click Client Apps.

6. On the Client apps blade, click Microsoft Store for Business under setup.

7. Click Enable and choose the Language for the store.

8. Click Save and then click Sync. This syncs all the apps that you added in Microsoft Store for Business to Intune. The synchronization can take a few hours, depending on the number of apps.

Distributing online-licensed apps

To distribute online-licensed apps by using a mobile device management tool, you must first register and configure the tool to sync with Microsoft Store for Business. You must register the management tool in the same Azure AD tenant as Microsoft Store for Business, and you must activate the mobile device management tool in Microsoft Store for Business.

Distributing offline-licensed apps

You can also install offline-licensed apps on devices that don’t have internet connectivity and for users who don’t have an Azure AD account. Only some apps in Microsoft Store for Business support offline licensing. Offline licensing allows you to download an app package, its app license, and the frameworks that the app requires, and you can then deploy them in the way that is most appropriate for your environment.

While Microsoft Store for Business tracks and enforces licensing for online-licensed apps, you are responsible for tracking licenses for offline-licensed apps.

You can distribute offline-licensed apps in several ways, including:

● Imaging. After you download an offline-licensed app package, you can include it in an image for new devices. The image can be in .wim, .vhd, or .vhdx format, and you can include the app package by using the Dism.exe tool or by using cmdlets in the Windows PowerShell command-line interface. When you deploy the image to new devices, those devices will include the app.

● Sideloading. Sideloading is similar to imaging, but you perform it on previously deployed devices. By using sideloading, you inject an offline-licensed app into a running Windows 10 system. You can sideload an app package by using the Dism.exe tool or Windows PowerShell cmdlets.

● Provisioning packages. You can create a provisioning package that includes offline-licensed apps by using Configuration Manager, which is part of the Windows Assessment and Deployment Kit (Windows ADK). A provisioning package is in .ppkg format, and it includes changes that should be performed on a Windows 10 device. You can apply a provisioning package by running the .ppkg file or by adding a provisioning package by using the Settings app.

● Mobile device management tool. You can deploy an offline-licensed app in the same way as any other app for which you have installation files. Mobile device management tools provide many options for deploying apps, such as to groups or to devices.

To download an offline-licensed app package, perform the following steps:

1. Sign in to Microsoft Store for Business. Offline-licensed apps must have been previously acquired.

2. On the toolbar below Microsoft Store for Business, select Manage.

3. In the navigation pane, select Products & services.

4. In the details pane, in the License type drop-down list, select Offline to view only offline-licensed apps.

5. In the details pane, select the app that you want to download.

6. On the apps page, you can download an app package for offline use, which includes app metadata, the app package, the app license, and the required app frameworks.
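As an added example (not the course's or Microsoft's own code), the following Windows PowerShell script takes the package, license file, and framework packages downloaded in the steps above and provisions the app either into an offline image (the imaging option described earlier) or onto a running device (the sideloading option), verifying each package's Authenticode signature before it touches the image or device. The file paths, the Contoso app name, and the function names are placeholders; the DISM cmdlets and their parameters are the real ones from the DISM PowerShell module, and the comments give the Dism.exe equivalent.

```powershell
# Added example (not course code): provision an offline-licensed app downloaded
# from Microsoft Store for Business into an image or onto a running device.
# All paths below are placeholders for the files you downloaded.

$PackagePath     = 'C:\StoreOffline\Contoso.ExpenseApp_1.0.0.0_x64.appxbundle'   # placeholder
$LicensePath     = 'C:\StoreOffline\Contoso.ExpenseApp_License1.xml'             # placeholder
$DependencyPaths = @('C:\StoreOffline\Microsoft.NET.Native.Runtime.2.2_x64.appx',
                     'C:\StoreOffline\Microsoft.VCLibs.140.00_x64.appx')         # placeholders

function Assert-PackageSignature {
    # Refuse to provision anything without a valid Authenticode signature;
    # packages downloaded from the store are signed, so a failure here means
    # the file was altered or is not the file you think it is.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') {
            throw "Signature check failed for $p : $($sig.Status)"
        }
    }
}

function Add-OfflineAppToImage {
    # Imaging: inject the app into an offline .wim so that devices deployed
    # from it already have the app provisioned for every user profile.
    # Dism.exe equivalent: DISM /Image:C:\Mount /Add-ProvisionedAppxPackage
    #   /PackagePath:<pkg> /LicensePath:<license> /DependencyPackagePath:<dep>
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [int]$Index = 1,
        [string]$MountPath = 'C:\Mount'
    )
    Assert-PackageSignature -Path (@($PackagePath) + $DependencyPaths)
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath | Out-Null
    $committed = $false
    try {
        Add-AppxProvisionedPackage -Path $MountPath `
            -PackagePath $PackagePath `
            -DependencyPackagePath $DependencyPaths `
            -LicensePath $LicensePath | Out-Null
        $committed = $true
    } finally {
        # Save only if provisioning succeeded; otherwise discard the mount.
        if ($committed) { Dismount-WindowsImage -Path $MountPath -Save | Out-Null }
        else            { Dismount-WindowsImage -Path $MountPath -Discard | Out-Null }
    }
}

function Add-OfflineAppToRunningDevice {
    # Sideloading: provision the same package on an already deployed Windows 10
    # device. -Online targets the running OS, and the license file is what lets
    # the app run without the user signing in to the store.
    Assert-PackageSignature -Path (@($PackagePath) + $DependencyPaths)
    Add-AppxProvisionedPackage -Online `
        -PackagePath $PackagePath `
        -DependencyPackagePath $DependencyPaths `
        -LicensePath $LicensePath | Out-Null
}

function Get-ProvisionedAppState {
    # Verification: confirm the app now appears in the provisioned package list.
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $DisplayName
}

# Usage (run elevated; pick the scenario that matches your deployment):
# Add-OfflineAppToImage -ImagePath 'C:\Images\install.wim' -Index 1
# Add-OfflineAppToRunningDevice
# Get-ProvisionedAppState -DisplayName 'Contoso.ExpenseApp'
```

Because Microsoft Store for Business does not track offline licenses, keep your own record of how many devices or images you provision with each package so that the count stays within the number of copies you purchased.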

Review Activity - Deploying and updating applications

REVIEW ACTIVITY – Applications in Intune

Let's play a quick game to test your knowledge of deploying applications in Intune. Open the review activity at the following link to play it full screen:

Launch activity: https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_2_deployingappstutorial.html


Administering applications

Lesson Introduction

In this lesson, you will be introduced to managing apps on Intune-managed devices. You will then learn how to manage apps on non-enrolled devices. You will be introduced to the various options you have for deploying Office 365 ProPlus, such as Intune, Configuration Manager, and manual deployment.

The module will then conclude with an overview of how to use Enterprise Mode with Internet Explorer and Microsoft Edge. Lastly you will learn how to track your installed applications, licenses, and assigned apps using Intune.

After this lesson, you should be able to:

● Explain how to manage apps in Intune.

● Understand how to manage apps on non-enrolled devices.

● Understand how to deploy Office 365 ProPlus using Intune.

● Learn how to configure and manage Enterprise Site mode in Internet Explorer.

● Learn about app inventory options in Intune.

Managing apps with Intune

Intune application deployment procedures entail several considerations and settings to ensure that a deployment is successful. No matter what type of app you are deploying with Intune, the overall process is the same.

To deploy an app from Intune, perform the following steps:

1. Ensure that Intune supports the app. Make sure that Intune supports the application installation type and that the application can be installed without user intervention.

2. Create Azure AD groups for either users or devices. In Intune, you create user-based or device-based groups to help you target software management tasks to specific users or devices. If you have a specific group of users that requires an application, create a user or device group for the app deployment. If you’re planning to deploy available installations, you also should link managed users to their computers to ensure that external links and company portal apps are available.

3. Add the app to Intune. You must upload LOB apps to Intune cloud storage, specify a URL for web apps, or link a store app to Intune. For LOB apps, you must configure installation requirements, detection rules, command-line arguments, and provide general information about the app. Adding the app makes it available for deployment from the Client apps blade in the Intune console. Assign the app to user or device groups. After you add an application, you can assign the app to a set of users or devices. Once assigned, the app can either be installed by the user or, if the device is managed with Intune, the app can be automatically installed.

4. Configure policies. You can manage application features and protect data by deploying app configuration and app protection policies.

5. Monitor the results of the app deployment. You can monitor the status of app deployments and installations from the Intune console by viewing the details for any app that appears in the list of apps in your Client Apps blade. You can view the installation status for the app either by device or by user.

App categories

A common setting across app types is Category. When you add more than just a few apps, organizing apps in the Company Portal into groups is helpful for your users. Creating categories allows you to do this in a way that makes the most sense for your organization. There are already nine categories created for you in Intune. You can assign apps to one category, multiple categories, or no categories.

To create your own app categories in Intune, perform the following steps:

1. In the Client apps blade, click App categories under Setup.

2. Click Add, enter a name for the category in the Default name field, and then click Create.

Assigning apps

After you add an app to Intune, you can assign the app to users and devices. Assigning apps makes them available for users to install or can cause the app to be installed automatically. You assign the apps to Azure AD groups, which can be either user groups or device groups; for each group, you choose an assignment type. The assignment type will differ depending on the app type you choose to assign.

When you assign apps by using Intune, you have the following options in the assignment type column:

● Available. The app is available in the Company Portal, and users can install the app.

● Not Applicable. The app does not install and does not appear in the Company Portal.

● Required. The app installs automatically on a device in the selected group.

● Uninstall. The app uninstalls automatically from a device in the selected group.

● Available for enrolled devices. The app is available to users who have devices enrolled in Intune.

● Available with or without enrollment. The app is available to users who do not have devices enrolled in Intune.

Although you assign apps to either devices or to users, the options for how you can assign them will depend on the enrollment status of the devices with Intune. The following table shows you the assignment options when a device is enrolled in Intune and when it is not enrolled. It also shows the options users have depending on the device enrollment.

Options                                                  Device enrolled in Intune   Device not enrolled in Intune
Assign an app to a user                                  Yes                         Yes
Assign an app to a device                                Yes                         No
Assign an app using the Intune SDK                       Yes                         Yes
Assign an app as Available                               Yes                         Yes
Assign an app as Required                                Yes                         No
Uninstall an app                                         Yes                         No
User install of an app from the Company Portal app       Yes                         No
User install of an app from the Company Portal website   Yes                         Yes

Managing apps on non-enrolled devices

There are many different ways that applications can be made available to your users today. They can be deployed from Intune either as Required or Available, or users can directly install apps from public stores.

Apps that are installed directly from public stores are considered to be unmanaged, and apps that are deployed by Intune are considered managed. For managed apps, IT has direct control over deployment, ongoing management (such as inventory or updates), and selective wipe of the apps and their associated data. Most mobile devices have OS-level controls in place to limit (containerize) the movement of data. Intune supports an additional level of management for managed apps that are integrated with the Intune App SDK or the Intune App Wrapping Tool. For these MAM-protected apps, additional controls such as per-app PIN, jailbreak detection, and granular control over data flow can be added. Depending on the specific DLP requirements of your organization, you can choose the right mix of unmanaged, managed and MAM-protected applications for your users.

An unmanaged app is any app available on Windows, Android and iOS. Intune doesn’t have any control over the distribution, management, or selective wipe of these apps. Intune MAM provides additional capabilities to protect managed apps by offering an additional layer of data protection.

A managed app is an app for which Intune manages the whole lifecycle such as:

● Deploy the app

● Manage app updates

● Monitor app installation

● Selectively wipe the entire app

Intune also supports deploying apps to unenrolled devices. Currently, you can assign iOS and Android apps and iOS and Android built-in apps to devices that aren't enrolled in Intune.

Updates for unenrolled devices

To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's Company Portal and manually install app updates.

Users can then use either the Company Portal app or go to the Intune Company Portal website at https://portal.manage.microsoft.com on any of their devices and install the application without needing the device to be enrolled in Intune. The Company Portal app will not prompt users to enroll their devices if the app is configured to not require enrollment.

Deploy apps to unenrolled devices

To deploy an app to an unenrolled device, perform the following steps:

1. In the Azure portal, in the navigation pane, click Intune.

2. In the Microsoft Intune blade, click Client Apps.

3. On the Client apps blade, click an existing application that supports assignment to unenrolled devices.

4. In the apps blade, click Assignments and then click Add group.

5. In the Add group blade, under Assignment type, select Available with or without enrollment.

6. Click Included Groups. In the Assign blade, you can choose whether to make the app available to all users, regardless of whether their devices are enrolled in Intune; this assigns the app to all users in Intune. If you want to assign it only to specific groups, select No.

7. Click Select groups to include and select the groups to which you want to assign the app. You must choose a group which only contains users when assigning apps to unenrolled devices.

8. Click OK twice and then click Save.

You can easily make apps available on devices that cannot be enrolled in Intune and use app protection policies (MAM) to manage the apps after they have been installed. Even though this can be helpful in BYOD scenarios, we recommend that you always enroll your devices in Intune whenever possible, because this gives you all of Intune's management functionality.

Deploying Office 365 ProPlus with Intune

You have the option of installing Office 365 ProPlus from Intune using the Office 365 Suite app type. This app type makes it easy and convenient for you to assign Office 365 apps to devices you manage that run Windows 10 or macOS. You don't need to download the installation files as they are already present in Intune. You can also install apps for the Microsoft Project Online desktop client and Microsoft Visio Pro for Office 365, if you own licenses for them. The apps that you want are displayed as a single entry in the list of apps on the Intune console.

Be aware of the following limitations and caveats:

● If any Office apps are open when Intune installs the app suite, the installation might fail, and users might lose data from unsaved files.

● Intune does not support installing Office 365 desktop apps from the Microsoft Store (known as Office Centennial apps) on a device to which you have already deployed Office 365 apps with Intune. If you install this configuration, it might cause data loss or corruption.

● Multiple required or available app assignments are not additive. A later app assignment will overwrite pre-existing installed app assignments. For example, if the first set of Office apps contains Word, and the later one does not, Word will be uninstalled. This condition does not apply to any Visio or Project applications.

Deploy Office 365 ProPlus with Intune

1. Sign in to the Azure portal.

2. In the Azure portal, in the navigation pane, click Intune.

3. In the Microsoft Intune blade, click Client apps.

4. In the Client apps blade, under Manage, click Apps and then click + Add.

5. In the Add app blade, in the App type list, under Office 365 Suite, select Windows 10.

6. In the Add app blade, you can configure three types of settings: Configure App Suite, App Suite Information and App Suite Settings.

7. In the Configure App Suite blade, you can select the following Office 365 apps:

● Access

● Excel

● OneDrive (Groove)

● OneDrive Desktop

● OneNote

● Outlook

● PowerPoint

● Publisher

● Skype for Business

● Word

● Project Online Desktop Client (Additional Office apps)

● Visio Pro for Office 365 (Additional Office apps)

8. In the App Suite blade, you can configure the following:

● Suite Name: Enter the name of the app suite as it’s displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.

● Suite Description: Enter a description for the app suite. For example, you could list the apps you've selected to include.

● Publisher: Microsoft appears as the publisher.

● Category: Optionally, select one or more of the built-in app categories or a category that you created. This setting makes it easier for users to find the app suite when they browse the company portal.

● Display this as a featured app in the Company Portal: Select this option to display the app suite prominently on the main page of the company portal when users browse for apps.

● Information URL: Optionally, enter the URL of a website that contains information about this app. The URL is displayed to users in the company portal.

● Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL is displayed to users in the company portal.

● Developer: Microsoft appears as the developer.

● Owner: Microsoft appears as the owner.

● Notes: Enter any notes that you want to associate with this app.

● Logo: The Office 365 logo is displayed with the app when users browse the company portal.

9. In the App Suite Settings pane, you can configure the following:

● Office version: Choose whether you want to assign the 32-bit or 64-bit version of Office. You can install the 32-bit version on both 32-bit and 64-bit devices, but you can install the 64-bit version on 64-bit devices only.

● Update Channel: Choose how Office is updated on devices. You can choose from:

● Monthly

● Monthly (Targeted)

● Semi-Annual

● Semi-Annual (Targeted)

After you choose a channel, you can optionally select Specific to install a specific version of Office for the selected channel on end-user devices. Then select the specific version of Office to use. If you leave it at Latest, Intune installs the latest version of Office 365 ProPlus.

● Remove other versions of Office (MSI) from end-user devices: Choose whether you want to remove pre-existing Office .MSI apps from end-user devices. The installation won't succeed if there are pre-existing .MSI apps on end-user devices. The apps to be uninstalled are not limited to the apps selected for installation in Configure App Suite; all Office (MSI) apps are removed from the end-user device. When Intune reinstalls Office on your end users' machines, end users automatically get the same language packs that they had with previous .MSI Office installations.

● Automatically accept the app end user license agreement: Select this option if you don't require end users to accept the license agreement. Intune then automatically accepts the agreement.

● Use shared computer activation: Select this option when multiple users share a computer.

● Languages: Office is automatically installed in any of the supported languages that are installed with Windows on the end-user's device. Select this option if you want to install additional languages with the app suite. You can deploy additional languages for Office 365 ProPlus apps managed through Intune. The list of available languages includes the Type of language pack (core, partial, and proofing).

After you have created and configured the Office 365 ProPlus app suite, you must assign it to one or more Azure AD groups for it to be deployed. The groups can consist of either Windows 10 devices or Azure AD users.

Additional Office 365 ProPlus Deployment Tools

Even though Intune offers a simple and easy approach for installing Office 365 on Windows and macOS devices, other deployment options may be needed depending on your requirements.

If you need complete control of the Office 365 ProPlus deployment, you can choose what deployment tool to use and whether to install the Office files directly from the cloud or from a local source on your network. You have the following options for preparing and deploying Office 365:

● System Center Configuration Manager

● The Office Deployment Tool

● The Office Customization Tool

● End-user installation

System Center Configuration Manager

System Center Configuration Manager is usually a good choice for organizations that already use it to distribute and manage software. Configuration Manager scales for large environments; enables extensive control over installation, updates, and settings; and has built-in features for deploying and managing Office.

For more information, refer to Deploy Office 365 ProPlus with System Center Configuration Manager (Current Branch) [17].

Using the Office Deployment Tool

For organizations that don't have Configuration Manager but still want to manage their deployment, the Office Deployment Tool (ODT) can be used. You can use the ODT as a standalone tool or you can use it to download installation files that can be deployed using Intune or a third-party software deployment tool. In either case, the ODT provides rich control over installation, updates, and settings.

For more information, refer to An overview of the Office Deployment Tool [18].

Using the Office Customization Tool

Another option is to use the Office Customization Tool. With this web-based tool, you can easily customize the deployment of Office 365 ProPlus and other Click-to-Run managed Office products through a simple, intuitive interface. The tool is an Azure-based cloud service that allows you to create XML configuration files that are used with the Office Deployment Tool. In the past, you needed to create the configuration files in Notepad or another text editor. The Office Customization Tool makes this part of the deployment process easier and less likely to introduce errors.

This tool provides a simple experience which allows you to create a configuration file for use with the Office Deployment Tool, for scenarios where you need to customize the installation of Office 365 ProPlus. Common scenarios include:

● Initial installation of Office 365 ProPlus or Office 365 Business suites as well as Office 2019 suites, with the ability to include standalone products such as Visio and Project and various language packs.

● Adding additional products after the initial installation of the Office suite.

● Adding additional language packs by configuring a 'Language Only' configuration after the installation of the Office suite or standalone products.

● Standalone installation of Office 365 Access Runtime.

● Installation of volume licensed products with automatic KMS and MAK activation.

● Automatic removal of previous MSI based Office products.

You can also use the Office Customization Tool to make changes to existing configuration files, which is very useful when you need to modify the configuration of Office on devices where it is already installed and configured, or if you're creating a second or third configuration and you want to use your own baseline. Simply use the Import option and select the configuration file you wish to modify, make the desired changes, and use the Export option to generate a new configuration file.
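The App Suite Settings described earlier (Office version, update channel, removing MSI versions, accepting the EULA, shared computer activation, languages) correspond to elements of the XML configuration file that the Office Deployment Tool consumes and that the Office Customization Tool generates. The following Python script is an added example for this page, not part of the course and not Microsoft's tooling or the Office Customization Tool's output: it builds such a configuration.xml from the same choices, emitting an ExcludeApp entry for every suite app that was not selected, and parses the result back so it can be reviewed before deployment. Element and attribute names follow the public ODT configuration schema; the channel identifiers are the current ODT names (the course's "Semi-Annual" becomes SemiAnnual, for instance), and the function and dictionary names are this example's own.

```python
"""Build an Office Deployment Tool configuration.xml from the choices the
Intune App Suite Settings pane exposes.

Added example; not Microsoft's tooling. Element and attribute names follow
the public ODT configuration schema; helper names are this example's own.
"""
import xml.etree.ElementTree as ET

# Update channel as named in the Intune pane -> ODT Channel attribute value
# (current ODT names; older names such as "Broad" and "Targeted" also exist).
CHANNELS = {
    "Monthly": "Current",
    "Monthly (Targeted)": "CurrentPreview",
    "Semi-Annual": "SemiAnnual",
    "Semi-Annual (Targeted)": "SemiAnnualPreview",
}

# App name as shown under Configure App Suite -> ODT ExcludeApp ID.
SUITE_APPS = {
    "Access": "Access",
    "Excel": "Excel",
    "OneDrive (Groove)": "Groove",
    "OneDrive Desktop": "OneDrive",
    "OneNote": "OneNote",
    "Outlook": "Outlook",
    "PowerPoint": "PowerPoint",
    "Publisher": "Publisher",
    "Skype for Business": "Lync",
    "Word": "Word",
}


def build_odt_config(selected_apps, office_version="64", channel="Semi-Annual",
                     languages=("MatchOS",), remove_msi=True, accept_eula=True,
                     shared_computer=False, specific_version=None):
    """Return configuration.xml text for Office 365 ProPlus (O365ProPlusRetail).

    selected_apps: the apps ticked in the pane. Every other suite app becomes
    an <ExcludeApp> element, which is how the ODT expresses a partial suite.
    """
    unknown = set(selected_apps) - set(SUITE_APPS)
    if unknown:
        raise ValueError(f"unknown suite apps: {sorted(unknown)}")
    if office_version not in ("32", "64"):
        raise ValueError("office_version must be '32' or '64'")
    if channel not in CHANNELS:
        raise ValueError(f"unknown update channel: {channel!r}")

    root = ET.Element("Configuration")
    add = ET.SubElement(root, "Add", OfficeClientEdition=office_version,
                        Channel=CHANNELS[channel])
    if specific_version:            # "Specific" version instead of "Latest"
        add.set("Version", specific_version)
    product = ET.SubElement(add, "Product", ID="O365ProPlusRetail")
    for lang in languages:          # "MatchOS" mirrors the Languages default
        ET.SubElement(product, "Language", ID=lang)
    for name, app_id in SUITE_APPS.items():
        if name not in selected_apps:
            ET.SubElement(product, "ExcludeApp", ID=app_id)

    if remove_msi:                  # "Remove other versions of Office (MSI)"
        ET.SubElement(root, "RemoveMSI")
    if shared_computer:             # "Use shared computer activation"
        ET.SubElement(root, "Property", Name="SharedComputerLicensing", Value="1")
    # Silent install; AcceptEULA mirrors "Automatically accept the app end user license agreement".
    ET.SubElement(root, "Display", Level="None",
                  AcceptEULA="TRUE" if accept_eula else "FALSE")
    ET.SubElement(root, "Updates", Enabled="TRUE")
    return ET.tostring(root, encoding="unicode")


def summarize_config(config_xml):
    """Parse a configuration back into a dict for review before deployment."""
    root = ET.fromstring(config_xml)
    add = root.find("Add")
    return {
        "edition": add.get("OfficeClientEdition"),
        "channel": add.get("Channel"),
        "version": add.get("Version", "Latest"),
        "excluded": sorted(e.get("ID") for e in root.iter("ExcludeApp")),
        "remove_msi": root.find("RemoveMSI") is not None,
        "shared_computer": any(p.get("Name") == "SharedComputerLicensing" and p.get("Value") == "1"
                               for p in root.iter("Property")),
        "accept_eula": root.find("Display").get("AcceptEULA") == "TRUE",
    }


if __name__ == "__main__":
    print(build_odt_config({"Word", "Excel", "Outlook", "PowerPoint"}, shared_computer=True))
```

Reviewing the summary is worth the few extra lines: the caveat from the Intune pane applies here too, since RemoveMSI removes every Office MSI product on the device, not just the apps in the selection, so check that flag deliberately before assigning the configuration.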

End-user installation

You can have your users install Office 365 on their client devices directly from the Office 365 portal. This method requires the least amount of administrative setup, but gives you less control over the deployment. You can, however, still define how frequently your users receive feature updates. This option requires that your users have local administrative rights on their client devices. For more information, refer to Manage software download settings in Office 365 [19].

17 https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-manager

18 https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool

Configuring and managing Internet Explorer

For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use Internet Explorer 11 for sites that are on your corporate intranet or included on your Enterprise Mode site list. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on Internet Explorer 11.

If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using Internet Explorer 11 automatically. Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge.

What is Enterprise Mode

Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

Many companies identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help organizations to upgrade to Internet Explorer 11, letting organizations benefit from modern web standards, increased performance, improved security, and better reliability.

Enterprise Mode features

Enterprise Mode includes the following features:

● Improved web app and website compatibility. Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on Internet Explorer 11, supporting several site patterns that aren’t currently supported by existing document modes.

● Tool-based management for website lists. Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. Download the Enterprise Mode Site List Manager (schema v.2) or the Enterprise Mode Site List Manager (schema v.1), based on your operating system and schema.

19 https://docs.microsoft.com/da-dk/DeployOffice/manage-software-download-settings-office-365

● Centralized control. You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.

● Integrated browsing. When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.

● Data gathering. You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users, gathering their findings to add to your central site list.

Enterprise Mode Site List Manager

Before you can start using Enterprise Mode, you must create an Enterprise Mode site list, add the individual website domains and domain paths, and specify whether each site renders using Enterprise Mode or the default mode.

This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. There are two versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10. We recommend that you use only the Enterprise Mode Site List Manager (schema v.2), because the Enterprise Mode schema has been updated to v.2 to be easier to read and to provide a better foundation for future capabilities.

You can download version 2 of the tool from here: https://www.microsoft.com/en-us/download/details.aspx?id=49974.

Enterprise Mode Site List Portal

The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode site list, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.

In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:

● Manage site lists from any device supporting Windows 7 or greater.

● Submit change requests.

● Operate offline through an on-premises solution.

● Provide role-based governance.

● Test configuration settings before releasing to a live environment.

Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.

If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Mode Site List Portal. For more information about the Enterprise Mode Site List Portal and how to download it, visit the Enterprise Mode Site List Portal repository [20].

Enabling Enterprise Site Mode

After you have created the Enterprise Mode site list, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list is found, with a different version number than the active list, Internet Explorer 11 loads and uses the newer version. After the initial check, Internet Explorer 11 won't look for an updated list again until you restart the browser. Microsoft recommends that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers, so if the centralized file location is unavailable, they can still use Enterprise Mode.

To turn on Enterprise Mode using Group Policy

1. Open your Group Policy Management console and create a new Group Policy object.

2. Go to the Computer Configuration/Administrative Templates/Windows Components/Microsoft Edge or User Configuration/Administrative Templates/Windows Components/Microsoft Edge. Enable the setting Configure the Enterprise Mode Site List. Turning this setting on also requires you to create and store a site list.

3. Click Enabled, and then in the Options area, type the location to your site list, using the following syntax:

● HTTPS location: https://localhost:8080/ESMlist.xml

● Local network: \\network\shares\ESMlist.xml

● Local file, for example: C:\Windows\ESMlist.xml

● You can use Group Policy Preferences to copy the Enterprise Mode site list locally to the device. You just have to make sure that you use the copy location as the local file location when configuring the Group Policy setting.

When using either an HTTPS or local network location, make sure all of your managed devices have access to this location if you want them to be able to access and use Enterprise Mode and your site list.
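The Site List Manager section above describes the list as an XML document with n+1 versioning and URL verification, and the enabling procedure describes how Internet Explorer 11 only loads a list whose version number differs from the active one and why the list should be served over HTTPS. The following Python script is an added example for this page; it is not the Enterprise Mode Site List Manager or any other Microsoft tool. It validates a schema v.2 site list (well-formed XML, integer version, no duplicate entries, known compat-mode and open-in values), bumps the version so the next browser start picks the list up, and checks that the location you would type into the Group Policy setting is one of the accepted forms, rejecting plain http:// because of the tampering risk the text mentions. The element names follow the public v.2 schema; the sample list is constructed, and the allowed-value sets and function names are this example's own.

```python
"""Validate and version-bump an Enterprise Mode site list (schema v.2) and
check where it will be published from.

Added example; not the Enterprise Mode Site List Manager. Element names
(site-list, site, compat-mode, open-in) follow the public v.2 schema; the
allowed-value sets and the sample list are this example's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

COMPAT_MODES = {"IE5", "IE7", "IE7Enterprise", "IE8", "IE8Enterprise",
                "IE9", "IE10", "IE11", "Default"}
OPEN_IN = {"IE11", "MSEdge", "None"}

# Constructed sample list with two intranet entries.
SAMPLE_LIST = """<site-list version="7">
  <site url="intranet.contoso.example">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="hr.contoso.example/timesheets">
    <compat-mode>IE7Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
"""


def validate_site_list(xml_text):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "site-list":
        return [f"root element is <{root.tag}>, expected <site-list>"]
    if not root.get("version", "").isdigit():
        problems.append("version attribute must be a non-negative integer")
    seen = set()
    for site in root.findall("site"):
        url = site.get("url", "").strip()
        if not url:
            problems.append("<site> without a url attribute")
            continue
        if url in seen:
            problems.append(f"duplicate entry for {url}")
        seen.add(url)
        mode = site.findtext("compat-mode", "").strip()
        if mode not in COMPAT_MODES:
            problems.append(f"{url}: compat-mode {mode!r} is not an allowed value")
        target = site.findtext("open-in", "").strip()
        if target and target not in OPEN_IN:
            problems.append(f"{url}: open-in {target!r} is not an allowed value")
    return problems


def site_list_version(xml_text):
    """The integer version attribute of the list."""
    return int(ET.fromstring(xml_text).get("version"))


def bump_version(xml_text):
    """Return the list with version n+1; IE11 only loads a list whose version differs."""
    root = ET.fromstring(xml_text)
    root.set("version", str(site_list_version(xml_text) + 1))
    return ET.tostring(root, encoding="unicode")


def location_is_acceptable(location):
    """True for https:// URLs, UNC paths and local drive paths; plain http:// is rejected."""
    if location.startswith("\\\\") or (len(location) > 2 and location[1] == ":"):
        return True
    return urlparse(location).scheme.lower() == "https"


if __name__ == "__main__":
    print("problems:", validate_site_list(SAMPLE_LIST) or "none")
    print(bump_version(SAMPLE_LIST))
```

Run the validator as a gate before publishing: a list that fails to parse is silently ignored by the browser, which leaves every client on whatever version it cached last, so a broken upload looks like "nothing changed" rather than an error.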

20 https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal

App inventory review

Intune provides several ways to monitor the compliance status of the apps that you have assigned to users or devices in the Client apps blade in the Azure portal. You can also find information about all assigned apps and determine which version of a given app you have deployed. The following blades provide that information:

● Client apps – Apps blade

● List of all apps in Intune and assignment status. You can click an app to get detailed information about the assignments and install status. You can export this information to a CSV file by clicking Export and import into Excel for further processing.

● Client apps - App licenses blade

● Lists apps from the Microsoft Store for Business. License information for the apps is shown in the list. You can click an app to get detailed information about the assignments and install status. You can export this information to a CSV file by clicking Export and import into Excel for further processing.

● Client apps - Discovered apps blade

● Lists all apps discovered by Intune at the last hardware inventory time. For devices with Device Ownership marked as Corporate, this will be all apps installed on the device. For devices with Device Ownership marked as Personal, this will be all apps installed via the Intune Company Portal or apps installed in a Required deployment. The number of devices that a given app is installed on is shown in the list. You can click an app to list the devices the app is installed on. You can export this information to a CSV file by clicking Export and import into Excel for further processing.

● Client apps - App install status blade

● Lists all apps in Intune with user and device failures listed next to each app. You can click an app to get detailed information about the assignments and install status. You can export this information to a CSV file by clicking Export and import into Excel for further processing.

● Managed Apps – Preview blade

● In the Managed Apps – preview blade for a device, you can see all apps assigned to a device together with information about assignment (Available or Required) and installation status. You can click an app in the list and you will see a workflow of the app’s entire lifecycle. You can find this information at: Microsoft Intune -> Devices - All devices -> <DeviceName> - Managed Apps – Preview. You can export this information to a CSV file by clicking Export and import into Excel for further processing.
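Each of the blades above ends with the same advice: export to CSV and process further in Excel. The following Python script is an added example for this page of what that further processing can look like; it is not Intune's own export format or any Microsoft tool. It reads an exported inventory, groups installs by app, works out the newest version seen and lists the devices still running something older, which answers the "which version of a given app have I deployed" question the section opens with. The column names and the rows are constructed for the example; substitute the headers of your own export.

```python
"""Turn an exported Intune app inventory (CSV) into a version-drift report.

Added example; not Intune's export or a Microsoft tool. The column names
are an assumption for this example and the rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; assumed column names.
SAMPLE_EXPORT = """DeviceName,AppName,AppVersion,Ownership
LON-CL1,Contoso Expense,2.4.1,Corporate
LON-CL2,Contoso Expense,2.3.0,Corporate
LON-CL3,Contoso Expense,2.4.1,Personal
LON-CL1,7-Zip,19.00,Corporate
LON-CL2,7-Zip,18.05,Corporate
LON-CL4,7-Zip,18.05,Corporate
"""


def version_key(version):
    """Sort key for dotted versions; a non-numeric component sorts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def inventory_report(csv_text):
    """Return {app: {"devices": n, "latest": version, "outdated": [(device, version), ...]}}."""
    installs = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        installs[row["AppName"]].append((row["DeviceName"], row["AppVersion"]))
    report = {}
    for app, entries in installs.items():
        latest = max((v for _, v in entries), key=version_key)
        outdated = sorted((d, v) for d, v in entries
                          if version_key(v) < version_key(latest))
        report[app] = {
            "devices": len({d for d, _ in entries}),   # distinct devices, as the blade shows
            "latest": latest,
            "outdated": outdated,
        }
    return report


def devices_needing_update(csv_text):
    """De-duplicated, sorted list of devices running an older version of any app."""
    report = inventory_report(csv_text)
    return sorted({d for r in report.values() for d, _ in r["outdated"]})


if __name__ == "__main__":
    for app, r in inventory_report(SAMPLE_EXPORT).items():
        print(f"{app}: {r['devices']} devices, latest {r['latest']}, outdated {r['outdated']}")
    print("devices to update:", devices_needing_update(SAMPLE_EXPORT))
```

The "latest" baseline is whatever the newest installed version happens to be, so an app that is outdated everywhere will not be flagged; compare against your intended version rather than the observed maximum once you know it.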

Client apps – Apps blade

To see the Client apps blade, perform the following steps:

1. In the Azure portal, in the navigation pane, click Intune

2. In the Microsoft Intune blade, click Client Apps

3. On the Client apps blade, you can see all the apps that have been added to Intune and their assignment status. You can export this information to a CSV file by clicking Export and import into Excel for further processing. In this export you will also get additional information about the apps.

4. You can click an app in the list to get more detailed information about device install status and user install status.

5. You can then click Assignments under Manage to get a list of all Azure AD groups to which the application is assigned.

Client apps - App licenses

To see the Client apps – App licenses blade, click App licenses in the Client Apps blade.

Client apps - Discovered apps blade

To see the Client apps – Discovered apps blade, click Discovered apps in the Client apps blade.

App install status blade

To see the App install status blade, click App install status in the Client Apps blade.

Managed Apps – Preview

To see the Managed Apps - Preview blade, perform the following steps:

1. In the Azure portal, in the navigation pane, click Intune.

2. In the Microsoft Intune blade, click Devices and then click All devices.

3. In the All devices blade, click a device in the details pane, for example LON-CL1.

4. In the LON-CL1 blade, click Managed Apps – Preview.

5. In the LON-CL1 – Managed Apps – Preview blade, click an application in the details pane, for example Office 365 ProPlus.

Review Activity - Administering applications

Let's play a quick game to test your knowledge of administering applications. Click on the button below to open this review activity full screen.

LAUNCH ACTIVITY [21]

21 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_3_administeringappstutorial.html
