Mastering Microsoft Intune, Second Edition [Second Edition] 9781835468517

Get ready to master Microsoft Intune and revolutionize your endpoint management strategy with this comprehensive guide a

English Pages 1172 Year 2024

Table of contents :
Cover
Copyright
Contributors
Table of Contents
Preface
Section I: Understanding the Basics
Chapter 1: Introduction to Microsoft 365
Microsoft 365 cloud services
What do these services achieve?
Microsoft Intune
Intune Suite
AVD
Windows 365
AVD and Windows 365 – what are the differences?
Components that Microsoft manages and the customer manages
Windows 11
Windows Copilot
Security Copilot
Intune Copilot
Productivity Score
Endpoint analytics
Microsoft 365 Apps (for Enterprise)
OneDrive for Business (part of Microsoft 365 Apps)
Microsoft Teams
Microsoft Edge
Universal Print
Microsoft Defender for Endpoint
Exchange Online
SharePoint Online
Summary
Questions
Answers
Further reading
Chapter 2: Cloud-Native Endpoints
Paths to cloud native
Microsoft Intune
Intune admin center portal
Microsoft 365 admin center portal
Intune Partner portals
Surface Management Portal
HP Connect
Windows 365
Microsoft Entra ID
Cloud Management Gateway
Compliance policies
Windows Update policies
Resource access policies
Endpoint protection
Device configuration
Office Click-to-Run apps
Client apps
Microsoft Intune – from on-premises to the cloud
Exploring Windows 11 Enterprise in detail
Windows subscription activation
Windows Autopatch
Windows as a Service – update release cycle
WUfB
Who should use WUfB (now Autopatch)?
Why do you want to leverage WUfB?
What does WUfB allow me to configure?
What is the WUfB deployment service?
BYOD
What is zero trust?
Verifying identity
Verifying devices
Windows 365 for non-managed endpoints
Summary
Questions
Answers
Further reading
Chapter 3: Requirements for Microsoft Intune
Endpoint scenarios
Identity roles and privileges for Microsoft Intune
Using Intune filters when assigning
Compliance Administrator
Compliance Data Administrator
Intune Administrator
Message Center Reader
Security Administrator
Security Operator
Security Reader
Identity roles and privileges for a Windows 365 Cloud PC
Azure Subscription Owner
Domain Administrator
Identity roles and privileges for Universal Print
Licensing requirements
Supported OSes
Required web browser versions
Windows 11 hardware requirements
How do you get Windows 11?
Intune Administrator Licensing
Entra group-based licensing
Setting the mobile device management authority
Enabling Windows automatic enrollment
Using Azure Virtual Desktop with Microsoft Intune
Microsoft Intune device restrictions for Windows
Blocking personal Windows devices
Microsoft Intune device limit restrictions for Windows
Customizing Intune Company Portal apps, the Company Portal website, and the Intune app
Microsoft Intune – network URL firewall requirements
Access for managed devices
Network requirements for PowerShell scripts and Win32 apps
Microsoft Store endpoint URLs
Windows 365 endpoint URLs
Windows Push Notification Services – required URLs
Windows 365 and Azure Virtual Desktop – required URLs
Universal Print – required URLs
Delivery Optimization
Summary
Questions
Answers
Further reading
Section II: Windows 365
Chapter 4: What Is Windows 365?
What is Windows 365?
Removing the complexity of traditional VDI deployments
What to think about as a VDI administrator
Removing complexity while increasing security
Low costs as a fixed-price model
The transition to modern management with Microsoft Intune
Windows 10 ESUs
Comparing Windows 365 Enterprise and Business
What is Windows 365 Frontline?
What is Windows 365 Government?
Microsoft Intune
High-level architecture components and responsibilities
Configuration Manager support
Co-management and Windows 365
Disaster recovery
Sizes and performance of fixed-price licenses
GPU-Enhanced Cloud PCs
Connect to your on-premises network
Provisioning policies
Windows 365 – gallery images
Custom images
Windows Updates via Autopatch
Roles and delegation
The Watchdog service
Optimized Teams on Windows 365
Screen capture protection and watermarking
Migrate GPOs to a Settings Catalog policy
Summary
Questions
Answers
Further reading
Chapter 5: Deploying Windows 365
Technical requirements for deploying Windows 365
Required URLs
RDP requirements and optimizations
Connect to on-premises networks (optional)
Purchasing and assigning Cloud PC licenses
Provision a Cloud PC
Image management – creating a custom image (optional)
Reprovisioning a Cloud PC
Local administrator permissions
Security baselines for a Cloud PC
Zero Trust: Conditional Access management for Cloud PCs
Connecting to your Cloud PC
Windows App
Deploy Windows App via Intune
Windows App – User Actions
Bulk User Actions via Intune
Supported redirections per endpoint platform
Windows 365 Boot shared mode
Windows 365 Boot dedicated mode
What if you have multiple Cloud PCs?
Battery status redirection
Windows 365 Switch
Resize Cloud PCs
Bulk device actions
Monitoring and analytics
Intune Suite – Endpoint Privilege Management
Intune Suite – Enterprise App Management
Intune Suite – Remote Help
Want to dive deeper into Windows 365?
Summary
Questions
Answers
Further reading
Section III: Mastering Microsoft Intune
Chapter 6: Windows Deployment and Management
Deploying existing Windows devices into Microsoft Intune
Enrolling devices – Windows enrollment
Automatic enrollment
Testing company domain CNAME registration for Windows enrollment
Enrollment Status Page
Enrollment notifications
Windows Autopilot
What about existing infrastructure?
Co-management and tenant attach
Co-management settings
Windows Update for Business
Types of updates managed by Windows Update for Business
Enforcing compliance deadlines for updates
How to handle conflicting or legacy policies
How to set up and configure Windows Update for Business
Safeguard holds
Feature updates for Windows 10 and later
Opting out of safeguard holds
Expediting a Windows patch
The Windows Insider Program for Business
Updating Microsoft 365 apps
Windows Autopatch
Windows Autopatch requirements
How to enable Windows Autopatch
Optimizing Windows Update rings
Enabling Windows Autopatch for Cloud PCs
Summary
Questions
Answers
Further reading
Chapter 7: Windows Autopilot
Technical requirements
Windows Autopilot overview
Uploading the hardware ID to Windows Autopilot
Where is Windows Autopilot device information stored?
Windows Autopilot for existing devices
Windows updates during the OOBE
Auto-assigning Windows Autopilot profiles in Intune
Signing in to Graph Explorer
Enrollment Status Page (ESP)
ESP implementation – Windows CSP
Autopilot reporting and diagnostics
Company Portal
Configuring automatic BitLocker encryption for Autopilot devices
Troubleshooting automatic BitLocker encryption on a VM
Windows Hello for Business
Cloud configuration scenario
Introduction
What you will need to continue
Basics
Resources to be created
Apps
Assignments
Deploying
Deploying essentials that users might need to access work or school resources
Monitoring your cloud configuration devices
SharedPC self-deployment scenario
Creating a specific ESP for the SharedPC device
Creating a Windows Autopilot profile
Self-Deploying (preview)
Creating a custom Windows profile to disable user ESP
Creating a custom Windows 10 profile to disable FirstLogonAnimation
Creating a Windows template SharedPC profile
SharedPC technical reference
Troubleshooting SharedPC
Windows Autopilot Reset
Wiping and resetting your devices
Fresh Start
Windows Recovery Environment
Summary
Questions
Answers
Further reading
Chapter 8: Application Management and Delivery
Application delivery via Microsoft Intune
Different application types you can deploy
LOB applications
MSI – via the LOB app
MSIX – via the LOB app
AppX – via the LOB app
IntuneWin – via the Windows app (Win32)
Supersedence mode
Deploying Microsoft 365 apps
Update channels
Office Customization Tool
Microsoft 365 Apps admin center
Getting started
Device selection criteria
Update exclusion dates
Update deadline
Microsoft 365 app customization
Deploying Microsoft Teams
Deploying OneDrive
Deploying Microsoft Edge
What is WinGet?
What is MSIX?
AppxManifest.xml
AppxBlockMap.xml
AppxSignature.p7x
How to create MSIX packages
Pushing the MSIX package application to your endpoints
Summary
Questions
Answers
Further reading
Chapter 9: Understanding Policy Management
Policy management
What is a CSP policy?
Windows Push Notification Service (WNS)
Getting started with policy design
Migrating existing policies from AD – Group Policy management
Summary
Questions
Answers
Further reading
Chapter 10: Advanced Policy Management
Policy management
Configuring a policy from the Microsoft Intune Security blade
Configuring your Endpoint Security profile
Microsoft Defender policy
Antivirus reporting in Endpoint security
Unhealthy endpoints
Attack surface reduction
Configuring a policy from the Settings catalog
How do they work?
Importing ADMX
Configuring administrative templates
OneDrive Known Folder Move configuration
OneDrive – block syncing specific file extensions
Configure device configuration (template)
Leveraging a custom policy as a last resort
Config Refresh
Pushing PowerShell scripts – scripted actions to endpoints
Multi admin approval
Compliance policies
Windows compliance policy
Organizational compliance report
Device compliance trends
Device diagnostics settings
Summary
Questions
Answers
Further reading
Chapter 11: Intune Suite
What is Intune Suite?
Prerequisites
How to get started with Intune Suite
Specialty Device Management
Endpoint Privileged Management
How to configure EPM
How to onboard devices to EPM
Reusable settings
Creating an EPM elevation rules policy
Monitoring EPM events
Elevation report
Managed elevation report
Elevation report by applications
Elevation report by Publisher
Elevation report by User
EPM Agent
How do you get your users’ account type to Standard?
Configure policy for standard user
End user process
Enterprise App Management
Installing applications via Enterprise App Management
What about enhanced application updates?
Cloud certificate management (Cloud PKI)
How does the process work?
Two-tier PKI hierarchy
Certificate Revocation
Ensuring trust and authentication:
Reasons for certificate revocation:
Practical scenarios:
Remote Help for Windows
How to enable Remote Help
Configuring Remote Help in Intune
How does Remote Help look from an end user’s perspective?
How do you remotely access a managed device?
Remote Help Windows Firewall setup
Conditional Access for Remote Help
How to use Remote Help as an end user and as a ServiceDesk user
Advanced Endpoint Analytics
Device query
Battery health
Why Windows 365 and Intune Suite are a great combination
Summary
Questions
Answers
Further reading
Chapter 12: Copilot/AI
The future of AI in Windows and Intune
Copilot in Windows
What can you use Windows Copilot for?
Direct instructions
Questions
Security Copilot (Device Management)
Intune policy generation via Security Copilot
Copilot assistant for Intune device queries
Troubleshooting Intune via Security Copilot
Troubleshooting
Summary
Questions
Answers
Further reading
Chapter 13: Identity and Security Management
Microsoft Identity
Entra ID
Entra ID join
Hybrid Entra ID join
Entra ID users
Entra ID guest users
Entra ID group types
Entra ID group membership types
Conditional Access
What is it?
What are the common signals?
What are the common decisions?
Users and groups
Cloud apps
Conditions
Grant
Preventing users from carrying out Entra ID device registration
Self-service Password Reset
Entra ID password protection
Passwordless authentication
Enabling passwordless authentication
What is and isn’t supported in each passwordless scenario
Passkeys
How do passkeys work?
How does it relate to passwords?
How to enable passkeys
Manage your passkeys
Web sign-in
BitLocker disk encryption
BitLocker recovery keys
Personal Data Encryption
Windows Local Administrator Password Solution
Application Control for Business
Microsoft Defender for Endpoint
Integration with Microsoft Intune
Security baselines
Compliance policies
Windows 365 security baselines
Microsoft Defender for Endpoint
Connecting to Intune – Microsoft Intune integration
Alerts and security assessments
Security recommendations
Defender keylogger protection
Windows 365: customer-managed keys support for data encryption
Screen capture protection and watermarking
Summary
Questions
Answers
Further reading
Chapter 14: Monitoring and Endpoint Analytics
Endpoint analytics
Cloud PC overview
Cloud attached devices (preview)
Endpoint analytics – Advanced Monitoring
Startup performance – logon duration
Performance score breakdown
Resize cloud PCs
Top 10 processes impacting Startup performance
OS restart history
Resource performance
Insights and recommendations – score trends
Application reliability
Windows 365-specific metrics
Insights and recommendations
Configuration Manager data collection
Customizing your baselines
Remediations
Windows 365 Frontline
Azure Monitor integration
System alerts and email notifications
Configure notifications for failed provisioning of cloud PCs
Service health
Advanced Endpoint analytics
ControlUp Enrich
Summary
Questions
Answers
Further reading
Chapter 15: Universal Print
What is Universal Print?
Universal Print – architecture overview
Print clients – Universal Print for Windows
Print clients – Universal Print for Mac
Print clients – Web applications and print APIs
Printers – Universal Print ready printers
Printers – Universal Print connector
Printer shares
Printer defaults
Is Universal Print secure and where does my printed data go?
Data Residency
Data security
Compliance and certifications
Printer share access check
Secure release
Universal Print – requirements
End user requirements
Admin requirements for managing Universal Print
Managing print requirements
Universal Print – requirements
Network requirements
Commercial cloud
US government GCC cloud
US government GCC-High cloud
Network isolation and zero-trust
Learning how to deploy Universal Print
Printer management – custom roles
Connecting your existing printer to Universal Print
Configuring Universal Print
Log in to the Universal Print admin portal
Register a Universal Print ready printer
Register printer(s) with the Universal Print connector
Enable hybrid Entra ID configuration via the Universal Print connector
Create a printer share for the printer
Test your Universal Print printer and printer share
Assigning and deploying cloud printers with Microsoft Intune
Summary
Questions
Answers
Further reading
Section IV: Troubleshooting and Community
Chapter 16: Troubleshooting Microsoft Intune
Chapter 17: Troubleshooting Windows 365
Chapter 18: Community Help
Community hall of fame
CAUTION!
Community events to participate in!
MMS – Minnesota and Fort Lauderdale
MEM Summit – Paris
Workplace Ninja Summit – Europe
Windows 365 Community
Windows in the Cloud – video webcast
Summary
PacktPage
Other Books You May Enjoy
Index
