Mastering Microsoft Intune, Second Edition

Cover
Copyright
Contributors
Table of Contents
Preface
Section I: Understanding the Basics
Chapter 1: Introduction to Microsoft 365
	Microsoft 365 cloud services
		What do these services achieve?
		Microsoft Intune
		Intune Suite
		AVD
			Windows 365
		AVD and Windows 365 – what are the differences?
		Components that Microsoft manages and the customer manages
			Windows 11
			Windows Copilot
			Security Copilot
		Intune Copilot
		Productivity Score
			Endpoint analytics
			Microsoft 365 Apps (for Enterprise)
		OneDrive for Business (part of Microsoft 365 Apps)
			Microsoft Teams
			Microsoft Edge
			Universal Print
		Microsoft Defender for Endpoint
			Exchange Online
			SharePoint Online
	Summary
	Questions
	Answers
	Further reading
Chapter 2: Cloud-Native Endpoints
	Paths to cloud native
	Microsoft Intune
		Intune admin center portal
		Microsoft 365 admin center portal
		Intune Partner portals
		Surface Management Portal
		HP Connect
		Windows 365
		Microsoft Entra ID
		Cloud Management Gateway
			Compliance policies
			Windows Update policies
			Resource access policies
			Endpoint protection
			Device configuration
			Office Click-to-Run apps
			Client apps
		Microsoft Intune – from on-premises to the cloud
	Exploring Windows 11 Enterprise in detail
		Windows subscription activation
			Windows Autopatch
			Windows as a Service – update release cycle
		WUfB
			Who should use WUfB (now Autopatch)?
			Why do you want to leverage WUfB?
			What does WUfB allow me to configure?
			What is the WUfB deployment service?
	BYOD
	What is zero trust?
		Verifying identity
		Verifying devices
	Windows 365 for non-managed endpoints
	Summary
	Questions
	Answers
	Further reading
Chapter 3: Requirements for Microsoft Intune
	Endpoint scenarios
	Identity roles and privileges for Microsoft Intune
	Using Intune filters when assigning
		Compliance Administrator
		Compliance Data Administrator
		Intune Administrator
		Message Center Reader
		Security Administrator
		Security Operator
		Security Reader
	Identity roles and privileges for a Windows 365 Cloud PC
		Azure Subscription Owner
		Domain Administrator
	Identity roles and privileges for Universal Print
	Licensing requirements
	Supported OSes
		Required web browser versions
	Windows 11 hardware requirements
		How do you get Windows 11?
	Intune Administrator Licensing
		Entra group-based licensing
		Setting the mobile device management authority
		Enabling Windows automatic enrollment
		Using Azure Virtual Desktop with Microsoft Intune
		Microsoft Intune device restrictions for Windows
		Blocking personal Windows devices
		Microsoft Intune device limit restrictions for Windows
		Customizing Intune Company Portal apps, the Company Portal website, and the Intune app
	Microsoft Intune – network URL firewall requirements
		Access for managed devices
		Network requirements for PowerShell scripts and Win32 apps
		Microsoft Store endpoint URLs
		Windows 365 endpoint URLs
		Windows Push Notification Services – required URLs
		Windows 365 and Azure Virtual Desktop – required URLs
	Universal Print – required URLs
		Delivery Optimization
	Summary
	Questions
	Answers
	Further reading
Section II: Windows 365
Chapter 4: What Is Windows 365?
	What is Windows 365?
		Removing the complexity of traditional VDI deployments
		What to think about as a VDI administrator
			Removing complexity while increasing security
			Low costs as a fixed-price model
		The transition to modern management with Microsoft Intune
		Windows 10 ESUs
		Comparing Windows 365 Enterprise and Business
			What is Windows 365 Frontline?
			What is Windows 365 Government?
		Microsoft Intune
		High-level architecture components and responsibilities
	Configuration Manager support
		Co-management and Windows 365
		Disaster recovery
		Sizes and performance of fixed-price licenses
	GPU-Enhanced Cloud PCs
	Connect to your on-premises network
		Provisioning policies
		Windows 365 – gallery images
		Custom images
		Windows Updates via Autopatch
		Roles and delegation
		The Watchdog service
		Optimized Teams on Windows 365
		Screen capture protection and watermarking
			Migrate GPOs to a Settings Catalog policy
	Summary
	Questions
	Answers
	Further reading
Chapter 5: Deploying Windows 365
	Technical requirements for deploying Windows 365
		Required URLs
		RDP requirements and optimizations
		Connect to on-premises networks (optional)
		Purchasing and assigning Cloud PC licenses
	Provision a Cloud PC
		Image management – creating a custom image (optional)
		Reprovisioning a Cloud PC
		Local administrator permissions
		Security baselines for a Cloud PC
	Zero Trust: Conditional Access management for Cloud PCs
		Connecting to your Cloud PC
			Windows App
	Deploy Windows App via Intune
		Windows App – User Actions
	Bulk User Actions via Intune
		Supported redirections per endpoint platform
	Windows 365 Boot shared mode
	Windows 365 Boot dedicated mode
	What if you have multiple Cloud PCs?
	Battery status redirection
	Windows 365 Switch
		Resize Cloud PCs
	Bulk device actions
	Monitoring and analytics
		Intune Suite – Endpoint Privilege Management
		Intune Suite – Enterprise App Management
		Intune Suite – Remote Help
	Want to dive deeper into Windows 365?
	Summary
	Questions
	Answers
	Further reading
Section III: Mastering Microsoft Intune
Chapter 6: Windows Deployment and Management
	Deploying existing Windows devices into Microsoft Intune
		Enrolling devices – Windows enrollment
			Automatic enrollment
			Testing company domain CNAME registration for Windows enrollment
			Enrollment Status Page
			Enrollment notifications
			Windows Autopilot
			What about existing infrastructure?
			Co-management and tenant attach
		Co-management settings
	Windows Update for Business
		Types of updates managed by Windows Update for Business
		Enforcing compliance deadlines for updates
		How to handle conflicting or legacy policies
		How to set up and configure Windows Update for Business
		Safeguard holds
	Feature updates for Windows 10 and later
		Opting out of safeguard holds
		Expediting a Windows patch
		The Windows Insider Program for Business
			Updating Microsoft 365 apps
	Windows Autopatch
		Windows Autopatch requirements
		How to enable Windows Autopatch
		Optimizing Windows Update rings
		Enabling Windows Autopatch for Cloud PCs
	Summary
	Questions
	Answers
	Further reading
Chapter 7: Windows Autopilot
	Technical requirements
	Windows Autopilot overview
	Uploading the hardware ID to Windows Autopilot
		Where is Windows Autopilot device information stored?
	Windows Autopilot for existing devices
	Windows updates during the OOBE
		Auto-assigning Windows Autopilot profiles in Intune
		Signing in to Graph Explorer
	Enrollment Status Page (ESP)
		ESP implementation – Windows CSP
	Autopilot reporting and diagnostics
		Company Portal
		Configuring automatic BitLocker encryption for Autopilot devices
	Troubleshooting automatic BitLocker encryption on a VM
	Windows Hello for Business
	Cloud configuration scenario
		Introduction
			What you will need to continue
			Basics
			Resources to be created
			Apps
			Assignments
			Deploying
		Deploying essentials that users might need to access work or school resources
			Monitoring your cloud configuration devices
	SharedPC self-deployment scenario
		Creating a specific ESP for the SharedPC device
		Creating a Windows Autopilot profile
		Self-Deploying (preview)
			Creating a custom Windows profile to disable user ESP
			Creating a custom Windows 10 profile to disable FirstLogonAnimation
			Creating a Windows template SharedPC profile
		SharedPC technical reference
		Troubleshooting SharedPC
		Windows Autopilot Reset
	Wiping and resetting your devices
	Fresh Start
		Windows Recovery Environment
	Summary
	Questions
	Answers
	Further reading
Chapter 8: Application Management and Delivery
	Application delivery via Microsoft Intune
	Different application types you can deploy
		LOB applications
			MSI – via the LOB app
			MSIX – via the LOB app
			AppX – via the LOB app
			IntuneWin – via the Windows app (Win32)
		Supersedence mode
	Deploying Microsoft 365 apps
		Update channels
		Office Customization Tool
		Microsoft 365 Apps admin center
			Getting started
			Device selection criteria
			Update exclusion dates
			Update deadline
		Microsoft 365 app customization
	Deploying Microsoft Teams
	Deploying OneDrive
		Deploying Microsoft Edge
	What is WinGet?
	What is MSIX?
		AppxManifest.xml
		AppxBlockMap.xml
		AppxSignature.p7x
		How to create MSIX packages
		Pushing the MSIX package application to your endpoints
	Summary
	Questions
	Answers
	Further reading
Chapter 9: Understanding Policy Management
	Policy management
	What is a CSP policy?
	Windows Push Notification Service (WNS)
	Getting started with policy design
	Migrating existing policies from AD – Group Policy management
	Summary
	Questions
	Answers
	Further reading
Chapter 10: Advanced Policy Management
	Policy management
		Configuring a policy from the Microsoft Intune Security blade
		Configuring your Endpoint Security profile
			Microsoft Defender policy
			Antivirus reporting in Endpoint security
		Unhealthy endpoints
		Attack surface reduction
		Configuring a policy from the Settings catalog
		How do they work?
	Importing ADMX
	Configuring administrative templates
		OneDrive Known Folder Move configuration
	OneDrive – block syncing specific file extensions
	Configure device configuration (template)
		Leveraging a custom policy as a last resort
	Config Refresh
	Pushing PowerShell scripts – scripted actions to endpoints
	Multi admin approval
	Compliance policies
		Windows compliance policy
		Organizational compliance report
			Device compliance trends
			Device diagnostics settings
	Summary
	Questions
	Answers
	Further reading
Chapter 11: Intune Suite
	What is Intune Suite?
		Prerequisites
	How to get started with Intune Suite
	Specialty Device Management
	Endpoint Privileged Management
		How to configure EPM
		How to onboard devices to EPM
		Reusable settings
		Creating an EPM elevation rules policy
		Monitoring EPM events
		Elevation report
			Managed elevation report
			Elevation report by applications
			Elevation report by Publisher
			Elevation report by User
		EPM Agent
		How do you get your users’ account type to Standard?
		Configure policy for standard user
		End user process
		Enterprise App Management
			Installing applications via Enterprise App Management
			What about enhanced application updates?
	Cloud certificate management (Cloud PKI)
		How does the process work?
		Two-tier PKI hierarchy
		Certificate Revocation
			Ensuring trust and authentication:
			Reasons for certificate revocation:
			Practical scenarios:
		Remote Help for Windows
		How to enable Remote Help
		Configuring Remote Help in Intune
		How does Remote Help look from an end user’s perspective?
		How do you remotely access a managed device?
		Remote Help Windows Firewall setup
		Conditional Access for Remote Help
		How to use Remote Help as an end user and as a ServiceDesk user
		Advanced Endpoint Analytics
		Device query
		Battery health
		Why Windows 365 and Intune Suite are a great combination
	Summary
	Questions
	Answers
	Further reading
Chapter 12: Copilot/AI
	The future of AI in Windows and Intune
	Copilot in Windows
	What can you use Windows Copilot for?
		Direct instructions
		Questions
	Security Copilot (Device Management)
	Intune policy generation via Security Copilot
	Copilot assistant for Intune device queries
	Troubleshooting Intune via Security Copilot
		Troubleshooting
	Summary
	Questions
	Answers
	Further reading
Chapter 13: Identity and Security Management
	Microsoft Identity
	Entra ID
		Entra ID join
		Hybrid Entra ID join
		Entra ID users
		Entra ID guest users
		Entra ID group types
		Entra ID group membership types
	Conditional Access
		What is it?
			What are the common signals?
			What are the common decisions?
		Users and groups
	Cloud apps
		Conditions
	Grant
	Preventing users from carrying out Entra ID device registration
	Self-service Password Reset
	Entra ID password protection
	Passwordless authentication
	Enabling passwordless authentication
		What is and isn’t supported in each passwordless scenario
	Passkeys
		How do passkeys work?
		How does it relate to passwords?
		How to enable passkeys
		Manage your passkeys
	Web sign-in
	BitLocker disk encryption
	BitLocker recovery keys
	Personal Data Encryption
		Windows Local Administrator Password Solution
		Application Control for Business
	Microsoft Defender for Endpoint
		Integration with Microsoft Intune
	Security baselines
	Compliance policies
	Windows 365 security baselines
		Microsoft Defender for Endpoint
	Connecting to Intune – Microsoft Intune integration
	Alerts and security assessments
		Security recommendations
	Defender keylogger protection
		Windows 365: customer-managed keys support for data encryption
		Screen capture protection and watermarking
	Summary
	Questions
	Answers
	Further reading
Chapter 14: Monitoring and Endpoint Analytics
	Endpoint analytics
	Cloud PC overview
	Cloud attached devices (preview)
	Endpoint analytics – Advanced Monitoring
		Startup performance – logon duration
		Performance score breakdown
		Resize cloud PCs
	Top 10 processes impacting Startup performance
	OS restart history
	Resource performance
	Insights and recommendations – score trends
	Application reliability
	Windows 365-specific metrics
	Insights and recommendations
		Configuration Manager data collection
	Customizing your baselines
		Remediations
		Windows 365 Frontline
		Azure Monitor integration
	System alerts and email notifications
		Configure notifications for failed provisioning of cloud PCs
	Service health
	Advanced Endpoint analytics
	ControlUp Enrich
	Summary
	Questions
	Answers
	Further reading
Chapter 15: Universal Print
	What is Universal Print?
		Universal Print – architecture overview
		Print clients – Universal Print for Windows
		Print clients – Universal Print for Mac
		Print clients – Web applications and print APIs
		Printers – Universal Print ready printers
		Printers – Universal Print connector
		Printer shares
		Printer defaults
	Is Universal Print secure and where does my printed data go?
		Data Residency
		Data security
		Compliance and certifications
		Printer share access check
		Secure release
	Universal Print – requirements
		End user requirements
		Admin requirements for managing Universal Print
		Managing print requirements
		Universal Print – requirements
		Network requirements
			Commercial cloud
			US government GCC cloud
			US government GCC-High cloud
			Network isolation and zero-trust
	Learning how to deploy Universal Print
		Printer management – custom roles
		Connecting your existing printer to Universal Print
		Configuring Universal Print
			Log in to the Universal Print admin portal
			Register a Universal Print ready printer
			Register printer(s) with the Universal Print connector
		Enable hybrid Entra ID configuration via the Universal Print connector
			Create a printer share for the printer
			Test your Universal Print printer and printer share
		Assigning and deploying cloud printers with Microsoft Intune
	Summary
	Questions
	Answers
	Further reading
Section IV: Troubleshooting and Community
Chapter 16: Troubleshooting Microsoft Intune
Chapter 17: Troubleshooting Windows 365
Chapter 18: Community Help
	Community hall of fame
		CAUTION!
	Community events to participate in!
	MMS – Minnesota and Fort Lauderdale
	MEM Summit – Paris
	Workplace Ninja Summit – Europe
	Windows 365 Community
	Windows in the Cloud – video webcast
	Summary
PacktPage
Other Books You May Enjoy
Index