MD-101T02
Managing Modern
Desktops and Devices
MCT USE ONLY. STUDENT USE PROHIBITED
Contents
■■ Module 0 Welcome (page 1)
  Welcome to Managing Modern Desktops and Devices (page 1)
■■ Module 1 Device Enrollment (page 3)
  Device management options (page 3)
  Manage Intune device enrollment and inventory (page 12)
■■ Module 2 Configuring Profiles (page 33)
  Configuring device profiles (page 33)
  Managing user profiles (page 46)
  Monitoring devices (page 57)
■■ Module 3 Application Management (page 67)
  Implement Mobile Application Management (MAM) (page 67)
  Deploying and updating applications (page 83)
  Administering applications (page 101)
Module 0 Welcome
As organizations face growing demand to enable a more mobile workforce, a desktop
administrator's role is no longer just about "desktop" management. With BYOD becoming
commonplace and employees needing access to line-of-business apps on personal devices,
the scope of desktop administration must include both desktop and mobile devices,
regardless of ownership. During this course, you'll be introduced to key components of
modern management and co-management strategies. You'll examine what it takes to
incorporate Microsoft Intune into your organization and how to use it to manage modern
desktops and devices. You'll also learn about methods for deploying and managing apps
and browser-based applications.
This course was designed for IT professionals who manage and deploy desktop operating
systems in their organization.
In this course, you will learn how to:
●● Understand the benefits and methods of co-management strategies.
●● Configure Intune
●● Enroll devices in Intune and configure device policies
●● Manage user profiles and folder redirection
●● Plan a mobile application management strategy
●● Manage and deploy apps, including Office 365 ProPlus and Internet Explorer settings
This is the second in a series of three courses for the Modern Desktop Administrator.
Module 1 Device Enrollment
devices. With modern management, you can now manage Windows 10 devices of all
kinds, from desktop PCs to HoloLens and Surface Hubs, company-owned or
employee-owned, as well as mobile devices using one management platform. Let’s
examine why you should consider implementing a modern management approach for
Windows devices in your organization.
Planning Co-management
By bringing your devices to Azure AD, you maximize your users' productivity
through single sign-on (SSO) across your cloud and on-premises resources. At the
same time, you can secure access to your cloud and on-premises resources with
conditional access.
If you have an on-premises Active Directory environment and you want to join
your domain-joined devices to Azure AD, you can accomplish this by configuring
hybrid Azure AD joined devices.
Before you start enabling hybrid Azure AD joined devices in your organization,
you need to make sure that:
●● You are running an up-to-date version of Azure AD Connect. Beginning with
version 1.1.819.0, Azure AD Connect provides you with a wizard to configure
hybrid Azure AD join.
●● Azure AD Connect has synchronized the computer objects of the devices you
want to be hybrid Azure AD joined to Azure AD. If the computer objects belong
to specific organizational units (OUs), then these OUs need to be configured
for synchronization in Azure AD Connect as well.
●● Intune MDM must be set up and configured for automatic enrollment
●● Microsoft Enterprise Mobility + Security (EMS) or Intune license for all
users
●● Active Directory joined devices are using Windows 10 version 1709 or later.
We recommend that you always use the latest version of Windows 10 so that
you get the newest advances in terms of security, Azure AD and Intune
features.
●● Azure AD automatic enrollment enabled
Hybrid Azure AD join is a process meant to automatically register your
on-premises domain-joined devices with Azure AD. There are cases though, where
you don't want all your devices to register automatically. This is true for
example, during the initial pilot to verify that everything works as expected.
All current Windows devices automatically register with Azure AD at device start
or user sign-in. You can control this behavior either with a Group Policy Object
(GPO) or System Center Configuration Manager.
To control current Windows devices:
●● For all devices: disable automatic device registration.
●● For selected (pilot) devices only: enable automatic device registration, so
that the enabling policy overrides the disabling one where both apply.
You can control the device registration behavior of your devices by deploying
the following GPO: Register domain-joined computers as devices.
1. In the Group Policy Management Console, create two new GPOs and then go to
Computer Configuration > Policies > Administrative Templates > Windows
Components > Device Registration.
2. In the first GPO, apply the Disabled setting to prevent automatic device
registration. In the second GPO apply the Enabled setting to enable
automatic device registration.
3. Link the first GPO to all devices in your environment and then link the
second GPO only to the OU containing your pilot devices. Alternatively, you
can use Group Policy security filtering and a security group to control
which devices can automatically register with Azure AD.
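The three GPO steps above as a script, added here as an example and not part of the course: it builds both GPOs with the GroupPolicy module, writes the registry value behind the "Register domain-joined computers as devices" setting, links them, and then reads a client's registration state back with dsregcmd. Assumptions: the RSAT GroupPolicy module is installed, you run it as a domain admin, and the domain and OU distinguished names are placeholders for your own.

```powershell
# Added example (not from the course): the two GPOs from the steps above, plus a
# client-side check. DNs below are placeholders for your own domain and pilot OU.
Import-Module GroupPolicy

# Registry value written by the ADMX setting "Register domain-joined computers as devices"
$PolicyKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$PolicyName = 'autoWorkplaceJoin'

function Set-DeviceRegistrationGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled,      # $true = Enabled setting, $false = Disabled setting
        [Parameter(Mandatory)][string]$LinkTarget  # domain or OU distinguished name
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
    }
    # 1 = register automatically, 0 = do not register
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $PolicyName `
        -Type DWord -Value ([int]$Enabled) | Out-Null

    # Link once. Group Policy applies local, site, domain, then OU, and the later
    # link wins on conflict, which is why "Enabled" on the pilot OU overrides
    # "Disabled" linked at the domain.
    $alreadyLinked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Name $Name
}

# Step 3: Disabled everywhere (domain link), Enabled only for the pilot OU
Set-DeviceRegistrationGpo -Name 'HybridAADJ - Registration Disabled' -Enabled $false -LinkTarget 'DC=contoso,DC=com'
Set-DeviceRegistrationGpo -Name 'HybridAADJ - Registration Enabled'  -Enabled $true  -LinkTarget 'OU=Pilot,OU=Workstations,DC=contoso,DC=com'

# On a pilot client (after gpupdate and a restart or sign-in): parse dsregcmd /status,
# which ships with Windows 10, into an object you can compare across machines.
function Get-DeviceRegistrationState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|DeviceId)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}
Get-DeviceRegistrationState   # a registered pilot device reports DomainJoined=YES and AzureAdJoined=YES
```

Run the first part on a management workstation and the second on a pilot device. A device outside the pilot OU should keep reporting AzureAdJoined=NO; if it registers anyway, check for a third GPO or an Azure AD Connect OU filter that is wider than intended.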
Are there groups of devices that could benefit from lighter, simplified
management? BYOD devices, for example, are natural candidates for cloud
management. Users or devices handling more highly regulated data might require
on-premises AD Domain Join for authentication. Configuration Manager and EMS
provide you the flexibility to stage implementation of modern management
scenarios while targeting different devices the way that best suits your
business needs. The choice is yours.
1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_1_devicemgmttutorial.html
2 https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios
set this item only once, when you are first setting up Intune for mobile
device management.
●● By default, Intune is configured to allow enrollment of Android and Samsung
Knox Standard devices. Admins merely need to tell their users how to enroll
their devices.
●● After a user has enrolled, you can begin managing their devices in Intune,
including assigning compliance policies, managing apps, and more.
4. Configure the MDM User scope. Specify which users’ devices should be managed
by Microsoft Intune. These Windows 10 devices can automatically enroll in
Microsoft Intune.
●● None - MDM automatic enrollment is disabled
●● Some - Select the Groups that can automatically enroll their Windows
10 devices
●● All - All users can automatically enroll their Windows 10 devices
5. Use the default values for the following URLs:
●● MDM Terms of use URL
●● MDM Discovery URL
●● MDM Compliance URL
6. Click Save.
3 https://docs.microsoft.com/da-dk/azure/active-directory/authentication/concept-mfa-licensing
4 https://docs.microsoft.com/da-dk/azure/active-directory/user-help/multi-factor-authentication-end-user
We recommend that you create both CNAME records for all DNS names that you own.
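A check for the two CNAME records, added here as an example and not part of the course. The expected targets (EnterpriseEnrollment-s.manage.microsoft.com and EnterpriseRegistration.windows.net) are the values Microsoft publishes for Intune enrollment; the domain list is a placeholder for the DNS names you own.

```powershell
# Added example (not from the course): confirm both enrollment CNAMEs resolve to
# Microsoft's published targets for every domain you own.
$Domains = @('contoso.com', 'fabrikam.com')   # placeholders: your verified domains

$ExpectedTargets = @{
    'enterpriseenrollment'   = 'enterpriseenrollment-s.manage.microsoft.com'
    'enterpriseregistration' = 'enterpriseregistration.windows.net'
}

function Test-IntuneEnrollmentCname {
    param([Parameter(Mandatory)][string]$Domain)
    foreach ($label in $ExpectedTargets.Keys) {
        $fqdn = "$label.$Domain"
        # Resolve-DnsName may return the CNAME plus the A records it chains to; keep the CNAME only
        $rec = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        [pscustomobject]@{
            Record = $fqdn
            Target = $rec.NameHost
            Ok     = [bool]($rec -and ($rec.NameHost -ieq $ExpectedTargets[$label]))
        }
    }
}

$Domains | ForEach-Object { Test-IntuneEnrollmentCname -Domain $_ } | Format-Table -AutoSize
```

A missing enterpriseenrollment record only costs users a manual server-address prompt, but a record pointing anywhere other than the published target means enrollment traffic is being steered to an endpoint you did not intend, which is worth treating as an incident rather than a typo.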
3. On the Company Portal Welcome screen, tap Sign in, and then sign in with
your work or school account.
4. Follow the instructions given in the Company Portal. The end-user experience
can vary based on the policies assigned to the user and/or device.
Enrolling an iOS device configured for the Device Enrollment Program (DEP)
1. Turn on your iOS device.
2. After you select your language, connect your device to Wi-Fi.
3. On the Set up iOS device screen, choose whether you want to:
●● Set up as new device
●● Restore from iCloud backup
●● Restore from iTunes backup
4. Once you’ve connected to Wi-Fi, the Configuration screen will appear. A
message will say that:
●● [Your Company] will automatically configure your device.
●● Configuration allows [Your Company] to manage this device over the air.
An administrator can help you set up email and network accounts, install
and configure apps, and manage settings remotely. An administrator may
disable features, install and remove apps, monitor and restrict your
Internet traffic and remotely erase this device.
●● Configuration is provided by: [Your Company's] iOS Team [Address]
5. Log in with your Apple ID. Logging in lets you install the Company Portal
app and install the management profile that will let your company give you
access to their resources, like email and apps.
6. Agree to the Terms and Conditions and decide whether you want to send
diagnostic information to Apple.
7. Once you complete your enrollment, your device may prompt you to take more
actions. Some of these steps might be entering your password for email
access or setting up a passcode.
For a walk-through of enrolling an iOS device using the Company Portal, watch
the Enroll your mobile device in Microsoft Intune for corporate access video:
Enrollment Rules
Organizations can use Intune to manage large numbers of mobile devices with a
single user account. The device enrollment manager (DEM) account is a special
user account that can enroll up to 1,000 devices. You add existing users to the
DEM account to give them the special DEM options. Each enrolled device uses a
single license. A DEM account is useful for scenarios where devices are enrolled
and prepared before handing them out to the users of the devices. The DEM would
enroll the device, log on to the company portal and install the apps required by
the user. If the user requires individual configuration such as e-mail profiles
then the user should enroll the device themselves and DEM should not be used.
Users must already exist in Azure AD to be added as device enrollment managers.
For optimal security, the DEM user shouldn't also be an Intune admin. The DEM
enrollment method can't be used with these other enrollment methods: Apple
Configurator with Setup Assistant, Apple Configurator with direct enrollment,
Apple School Manager (ASM), or Device Enrollment Program (DEP).
●● (Android only) There's a limit to the number of Android work profile devices
that can be enrolled with a single DEM account. Up to 10 Android work
profile devices may be enrolled per DEM account. This limitation doesn't
apply to legacy Android enrollment.
●● Devices can install VPP apps if they have device licenses.
●● An Intune device license isn't required to use DEM.
5 https://docs.microsoft.com/en-us/intune/monitor-audit-logs
user-friendly filters to the canvas. To use advanced filters, check out the
Filter pane in Power BI Desktop.
Load the data using the Power BI file
1. Sign in to the Azure portal and click Intune.
2. Open the Microsoft Intune Data Warehouse API (Preview) blade.
3. Select Download PowerBI file. The file with a (pbix) extension downloads
to the location you specified.
4. Open the file with Power BI. The Intune Data Warehouse Reports loads, but
may take a moment to get your tenant data.
5. Select Refresh to load your tenant data and review the reports.
6. If Power BI has not authenticated with your Azure Active Directory
credentials, Power BI prompts you to provide your credentials. When
selecting your credentials, choose Organizational account as your
authentication method.
Load the data in Power BI using the OData link
With a client authenticated to Azure AD, the OData URL connects to the RESTful
endpoint in the Data Warehouse API that exposes the data model to your reporting
client. Follow these instructions to use Power BI Desktop to connect and create
your own reports. You're not limited to Power BI Desktop; you can use your
favorite analytic tool with the OData URL, provided the client supports OAuth 2.0
authentication and the OData v4.0 standard.
1. Sign in to the Azure portal and choose Monitoring + Management >
Intune. You can also search resources for Intune.
2. Open the Microsoft Intune Data Warehouse API (Preview) blade.
3. Retrieve the custom feed URL from the reporting blade, for example
[code]https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService/dates?api-version=beta[/code]
4. Open Power BI Desktop.
5. Choose Home > Get Data. Select OData feed.
6. Choose Basic.
7. Type or paste the OData URL into the URL box.
8. Select OK.
9. If you have not authenticated to Azure AD for your tenant from the Power BI
desktop client, type your credentials. To gain access to your data, you must
authorize with Azure AD using OAuth 2.0.
●● Select Organizational account.
●● Type your username and password.
●● Select Sign In.
●● Select Connect.
10. Select Load.
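The same OData feed read from PowerShell instead of Power BI, added here as an example and not part of the course. It follows @odata.nextLink paging, which Power BI hides from you, and then uses the result for a check a practitioner actually wants: devices that have stopped checking in. Assumptions: you already hold an OAuth 2.0 bearer token for the Data Warehouse API (one way to get one with Azure CLI is shown; the resource URI https://api.manage.microsoft.com/ is my reading of the API documentation), $feedUrl is the custom feed URL copied from the reporting blade, and lastContact, deviceName and osVersion are columns of the devices entity.

```powershell
# Added example (not from the course): page through a Data Warehouse entity and
# report devices that have not checked in for 30 days.
function Get-IntuneDwEntity {
    param(
        [Parameter(Mandatory)][string]$FeedUrl,      # ...ReportingService/DataWarehouseFEService
        [Parameter(Mandatory)][string]$Entity,       # e.g. 'devices', 'dates'
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ApiVersion = 'beta'
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; Accept = 'application/json' }
    $uri = '{0}/{1}?api-version={2}' -f $FeedUrl.TrimEnd('/'), $Entity, $ApiVersion
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $page.value                      # emit this page's rows to the pipeline
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
}

# Token for the Data Warehouse API (assumes a signed-in az session with Intune rights;
# the resource URI is an assumption, check it against your tenant's app registration)
$token   = az account get-access-token --resource 'https://api.manage.microsoft.com/' --query accessToken -o tsv
$feedUrl = 'https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService'

# Devices silent for 30 days still hold a licence and still carry whatever access
# was granted the last time they reported compliant, so they deserve a look.
$stale = Get-IntuneDwEntity -FeedUrl $feedUrl -Entity 'devices' -AccessToken $token |
    Where-Object { $_.lastContact -and ([datetime]$_.lastContact) -lt (Get-Date).AddDays(-30) } |
    Select-Object deviceName, osVersion, lastContact
$stale | Format-Table -AutoSize
```

Because the warehouse is a daily snapshot rather than a live view, treat lastContact as "at least this old"; the Intune portal's device list is the authority for the last few hours.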
6 https://developer.microsoft.com/en-us/graph/graph-explorer
7 https://github.com/microsoftgraph/powershell-intune-samples
8 https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
9 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_2_deviceenrollmenttutorial.html
Module 2 Configuring Profiles
●● Update policies. iOS update policies show you how to create and assign
iOS policies to install software updates on your iOS devices. You can also
review the installation status.
●● Certificates. Certificate profiles configure trusted root, Simple Certificate
Enrollment Protocol (SCEP), and Public Key Cryptography Standards (PKCS)
certificates that can be assigned to devices and used to authenticate Wi-Fi,
VPN, and email profiles.
●● Windows Information Protection profile. Windows Information Protection
helps protect against data leakage without interfering with the employee
experience. It also helps to protect enterprise apps and data against
accidental data leaks on enterprise-owned devices and personal devices that
employees use at work. It does this without requiring changes to your
environment or other apps.
●● Custom profile. Custom settings include the ability to assign device
settings that are not built-into Intune. For example, on Android devices, you
can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For
iOS devices, you can import a configuration file you created in the Apple
Configurator. Custom profiles will be explained in detail in a later topic.
the script on Windows 10 devices. You can then monitor the run status of the
script on Windows 10 devices from start to finish.
The Intune management extension has the following prerequisites:
●● Devices must be joined to Azure AD. This does not include Hybrid AD joined
devices.
●● Devices must run Windows 10, version 1607 or later.
●● Automatic MDM enrollment must be enabled in Azure AD, and devices must be
auto-enrolled to Intune.
Create a PowerShell script policy
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Device configuration > PowerShell scripts > Add.
4. Enter a Name and Description for the PowerShell script. For Script location,
browse to the PowerShell script. The script must be less than 200KB (ASCII)
or 100KB (Unicode) in size.
5. Choose Configure. Then choose whether to run the script with the signed-in
user's credentials on the device (select Yes) or in the system context (select
No). By default, the script runs in the system context, which gives it full
control of the device, so select Yes unless the script genuinely needs
system rights.
6. Choose if the script must be signed by a trusted publisher. By default,
there is no requirement for the script to be signed.
7. Select OK, and then Create to save the script.
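A pre-flight check for a script before you upload it, added here as an example and not part of the course: it enforces the size limit from step 4 and tells you whether the script would pass the "signed by a trusted publisher" requirement from step 6. Assumptions: a script path of your own, and (for the signing line) a code-signing certificate already in the current user's store; the timestamp URL is a public DigiCert service.

```powershell
# Added example (not from the course): check size and Authenticode status of a
# script before creating the Intune PowerShell script policy.
function Test-IntuneScriptReady {
    param([Parameter(Mandatory)][string]$Path)

    $sizeBytes = (Get-Item -Path $Path).Length
    # The limit depends on encoding: UTF-16 ("Unicode") files start with a byte-order mark
    $head = [System.IO.File]::ReadAllBytes($Path)[0..1]
    $isUnicode = ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) -or ($head[0] -eq 0xFE -and $head[1] -eq 0xFF)
    $limit = if ($isUnicode) { 100KB } else { 200KB }

    # 'Valid' means the signature verifies AND the signer chains to a trusted root on this machine;
    # 'UnknownError' on an otherwise good signature usually means the root is not trusted here.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        Encoding        = if ($isUnicode) { 'Unicode' } else { 'ASCII/UTF-8' }
        SizeBytes       = $sizeBytes
        SizeOk          = $sizeBytes -lt $limit
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Ready           = ($sizeBytes -lt $limit) -and ($sig.Status -eq 'Valid')
    }
}

# Sign with an existing code-signing certificate, then re-check.
# (Uncomment once you have a certificate; signing rewrites the file.)
# $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
# Set-AuthenticodeSignature -FilePath .\Remediate.ps1 -Certificate $cert `
#     -TimestampServer 'http://timestamp.digicert.com' | Out-Null

Test-IntuneScriptReady -Path .\Remediate.ps1
```

Requiring a signature is the one control in this policy that stops a compromised admin account from pushing arbitrary code as SYSTEM to every enrolled device, so combine it with running as the user (Yes in step 5) wherever the script does not need elevation.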
1 https://docs.microsoft.com/en-us/intune/whats-new
2 https://docs.microsoft.com/en-us/intune/custom-settings-android
3 https://docs.microsoft.com/en-us/intune/custom-settings-ios
4 https://docs.microsoft.com/en-us/intune/custom-settings-macos
5 https://docs.microsoft.com/en-us/intune/custom-settings-windows-phone-8-1
6 https://docs.microsoft.com/en-us/intune/custom-settings-windows-10
7 https://docs.microsoft.com/en-us/intune/custom-settings-windows-holographic
8 https://docs.microsoft.com/en-us/intune/custom-settings-android-for-work
3. For each OMA-URI setting you want to add, enter the following information:
●● Name: Enter a unique name for the OMA-URI setting to help you
identify it in the list of settings.
●● Description: Optionally, enter a description for the setting.
●● OMA-URI (case sensitive): Enter the OMA-URI for which you want to
supply a setting.
●● Data type: Choose from:
●● String
●● String (XML)
●● Date and time
●● Integer
●● Floating point
●● Boolean
●● Base64
●● Value: Enter the value or file to associate with the OMA-URI you
entered.
4. When you're done, select OK. In Create profile, select Create. The
profile is created, and is shown in the profiles list.
Example
In the following example, the Connectivity/AllowVPNOverCellular setting is
enabled. This setting allows a Windows 10 device to open a VPN connection when
on a cellular network.
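The same AllowVPNOverCellular setting expressed as code and then verified on a device, added here as an example and not part of the course. Two assumptions to flag: the request body follows the Microsoft Graph beta types windows10CustomConfiguration and omaSettingInteger as I understand them (confirm against the Graph permissions reference before using it), and the on-device check relies on MDM-applied Policy CSP values being mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device.

```powershell
# Added example (not from the course): build the custom profile body for the
# OMA-URI above and check the value actually applied on a device.

# The OMA-URI is case sensitive; Policy CSP paths start with ./Device or ./User
$Setting = @{
    displayName = 'Allow VPN over cellular'
    omaUri      = './Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular'
    value       = 1            # Integer data type: 1 = allowed, 0 = not allowed
}

function New-CustomOmaUriProfileBody {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable[]]$IntegerSettings
    )
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'   # assumption: Graph beta type
        displayName   = $Name
        description   = 'Custom OMA-URI profile created from PowerShell'
        omaSettings   = @($IntegerSettings | ForEach-Object {
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'      # assumption: Graph beta type
                displayName   = $_.displayName
                omaUri        = $_.omaUri
                value         = [int]$_.value
            }
        })
    }
    $body | ConvertTo-Json -Depth 5
}

$json = New-CustomOmaUriProfileBody -Name 'Win10 - VPN over cellular' -IntegerSettings @($Setting)
$json
# To create it, POST $json with a bearer token that carries
# DeviceManagementConfiguration.ReadWrite.All, then assign the profile in the portal:
# Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
#     -Headers @{ Authorization = "Bearer $token" } -ContentType 'application/json' -Body $json

# On the device: read back what the MDM client applied (registry mirror is an assumption)
function Get-AppliedPolicyCspValue {
    param([Parameter(Mandatory)][string]$Area, [Parameter(Mandatory)][string]$Policy)
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    (Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue).$Policy
}
Get-AppliedPolicyCspValue -Area 'Connectivity' -Policy 'AllowVPNOverCellular'   # 1 after the profile lands
```

If the value is missing on a device that shows "Succeeded" in the profile's device status, the usual cause is a typo in the OMA-URI path (case matters) or a data type that the CSP does not accept for that node.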
9 https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference
setting page shows its supported operation. To work with Intune, the setting
must support the Add or Replace operations.
10 https://docs.microsoft.com/en-us/intune/wi-fi-profile-shared-key
11 https://docs.microsoft.com/en-us/intune/android-pulse-secure-per-app-vpn
12 https://docs.microsoft.com/en-us/intune/samsung-knox-apps-allow-block
When you complete the settings, the profile is created, and appears in the list.
All your existing profiles are listed, which includes details such as the
platform, and shows if the profile is assigned to any devices.
View details on a profile
After you create your device profile, Intune provides graphical charts. These
charts display the status of a profile, such as it being successfully assigned
to devices, or if the profile shows a conflict.
1. Select an existing profile. For example, select Windows 10 profile.
2. Select the Overview tab.
The top graphical chart shows the number of devices assigned to the specific
device profile. For example, if the configuration device profile applies to
Windows 10 and later devices, the chart lists the count of the Windows 10
and later devices.
It also shows the number of devices for other platforms that are assigned
the same device profile. For example, it shows the count of the non-Windows
10 and later devices.
The bottom graphical chart shows the number of users assigned to the specific
device profile. For example, if the configuration device profile applies to
Windows 10 and later users, the chart lists the count of the Windows 10 and
later users.
1. Select the circle in the top graphical chart. The Device status opens.
2. The devices assigned to the profile are listed, and it shows if the profile
is successfully deployed. Also note that it only lists the devices with the
specific platform (for example, Windows 10 and later devices).
3. Close the Device status details.
4. Select the circle in the bottom graphical chart. The User status opens.
5. The users assigned to the profile are listed, and it shows if the profile is
successfully deployed. Also note that it only lists the users with the
specific platform (for example, Windows 10 and later devices).
6. Close the User status details.
7. Back in the Profiles list, select a specific profile. You can also change
existing properties:
●● Properties: Change the name or update any existing settings.
●● Assignments: Include or exclude devices that the policy should
apply. Choose Selected Groups to choose specific groups.
●● Device status: The devices assigned to the profile are listed, and
it shows if the profile is successfully deployed. You can select a
specific device to get even more details, including the installed apps.
●● User status: Lists the user names with devices impacted by this
profile, and if the profile successfully deployed. You can select a
specific user to get even more details.
●● Per-setting status: Filters the output by showing the individual
settings within the profile and shows if the setting is successfully
applied.
View conflicts
In Devices > All devices, you can see any settings that are causing a
conflict. When there's a conflict, you are also shown all the configuration
profiles that contain this setting. Administrators can use this feature to help
troubleshoot, and fix any discrepancies with the profiles.
1. In Intune, select Devices > All Devices > select an existing
device in the list. An end user can get the device name from their Company
Portal app.
2. Select Device configuration. All configuration policies that apply to
the device are listed.
3. Select the policy. It shows you all the settings in that policy that apply
to the device. If a device has a Conflict state, select that row. In the new
window, you see all the profiles, and the profile names that have the
setting causing the conflict.
Now that you know the conflicting setting, and the policies that include that
setting, it should be easier to resolve the conflict.
13 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_1_configuringprofilestutorial.html
where a user signs in. When a user signs in, the local copy of the user profile
is compared to the copy that is stored on the network location, and only newer
files are copied locally. The user can change settings and create data files,
which are stored in the local user profile copy. These changes copy to the
network location when the user signs out. If users roam between multiple
computers, their documents and settings follow them. If a user profile contains
a lot of data, or if a user stores large files on the desktop, then signing in
to the computer might take a long time. If a user signs in to multiple computers
at the same time, changes performed on one computer override changes performed
on a second computer because user profile changes copy to the network location
only when the user signs out. Some parts of a user profile, such as Temporary
Internet Files or AppData\Local, never copy to the network location even if
roaming user profiles are used. You should be aware that roaming user profiles
are incompatible between different versions of Windows operating systems.
Mandatory user profiles
A mandatory user profile is a type of roaming user profile that administrators
can configure. With mandatory user profiles, user changes are stored in the
local copy of a user profile but are not preserved after a user signs out from
the computer. When the user signs in again, the mandatory user profile downloads
from the network location, and it overrides the local user profile copy. The two
types of mandatory user profiles are normal mandatory profiles and
super-mandatory profiles. Administrators can configure users with mandatory user
profiles first by configuring them with roaming user profiles and then by
renaming the Ntuser.dat file in their profiles to Ntuser.man. The .man extension
causes user modifications to the profile to be discarded at the next sign-in and
user profiles to behave as read-only.
Super-mandatory user profiles
User profiles become super-mandatory when an administrator adds the .man
extension to a user’s roaming user profile folder name. For example, if a
roaming user profile is stored in the
\\Server\Profiles\User1.V5 folder, the
administrator can add the .man extension to the folder and store the roaming
user profile at \\Server\Profiles\User1.man.V5. Mandatory and
super-mandatory user profiles behave similarly; both do not preserve user
modifications. If users are configured with a super-mandatory profile, they will
not be able to sign in if the network copy of their profile is not available. In
such cases, they will see a message that the user profile service failed the
sign-in and that the user profile cannot be loaded. In a similar situation,
users with a normal mandatory profile would still be able to sign in, and they
would get temporary profiles, which might be against organizational policy.
Note: If a user named User1 is configured with the \\Server\Profiles\User1
profile path location, Windows 10 automatically adds the .V5 extension to the
roaming user profile folder. In this case, it creates a folder named User1.V5 in
the \\Server\Profiles share.
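The two renames described above as a script, added here as an example and not part of the course: Ntuser.dat to Ntuser.man makes the profile mandatory, and adding .man before the version suffix makes it super-mandatory. Assumptions: the share path is a placeholder, you have rights on the share, the user is signed out, and you keep a copy of the folder before running it.

```powershell
# Added example (not from the course): turn a roaming profile folder into a
# mandatory or super-mandatory profile, with the sanity checks the text implies.
function ConvertTo-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$ProfileFolder,   # e.g. \\Server\Profiles\User1.V5
        [switch]$SuperMandatory
    )
    if (-not (Test-Path -Path $ProfileFolder)) { throw "Profile folder not found: $ProfileFolder" }

    $leaf = Split-Path -Path $ProfileFolder -Leaf
    if ($leaf -notmatch '\.V\d+$') {
        throw "Expected a versioned roaming profile folder such as User1.V5, got '$leaf'"
    }

    # Mandatory: the hive must be named NTUSER.MAN so changes are discarded at sign-out
    $dat = Join-Path -Path $ProfileFolder -ChildPath 'NTUSER.DAT'
    $man = Join-Path -Path $ProfileFolder -ChildPath 'NTUSER.MAN'
    if (Test-Path -Path $dat) {
        Rename-Item -Path $dat -NewName 'NTUSER.MAN'
    } elseif (-not (Test-Path -Path $man)) {
        throw "Neither NTUSER.DAT nor NTUSER.MAN exists in $ProfileFolder"
    }

    $result = $ProfileFolder
    # Super-mandatory: User1.V5 becomes User1.man.V5, so sign-in fails if the share is unreachable
    if ($SuperMandatory -and $leaf -notmatch '\.man\.V\d+$') {
        $newLeaf = $leaf -replace '(\.V\d+)$', '.man$1'
        Rename-Item -Path $ProfileFolder -NewName $newLeaf
        $result = Join-Path -Path (Split-Path -Path $ProfileFolder -Parent) -ChildPath $newLeaf
    }
    $result
}

# Mandatory only: the profile path in AD stays \\Server\Profiles\User1
ConvertTo-MandatoryProfile -ProfileFolder '\\Server\Profiles\User1.V5'

# Super-mandatory: the folder becomes User1.man.V5 and the AD profile path must
# point at \\Server\Profiles\User1.man (Windows appends .V5 itself)
ConvertTo-MandatoryProfile -ProfileFolder '\\Server\Profiles\User1.V5' -SuperMandatory
# Set-ADUser -Identity 'User1' -ProfilePath '\\Server\Profiles\User1.man'
```

The super-mandatory variant is the stricter one from a security standpoint: a user who cannot reach the locked-down profile gets no session at all instead of an unmanaged temporary profile, so use it where a temporary profile would violate policy (kiosks, shared terminals).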
Temporary User Profiles
A temporary profile is issued each time that an error condition prevents the
user's profile from loading. Temporary profiles are deleted at the end of each
session, and changes made by the user to desktop settings and files are lost
when the user logs off.
signs in to have a user profile. The Windows operating system creates a user
profile when a user signs in for the first time. The initial user profile is
based on the default user profile and is used for all subsequent sign-ins. User
profiles contain details about the user environment, such as Start menu
settings, desktop settings, user documents, and the user hive of the registry.
By default, a user profile is stored on the same drive as the Windows operating
system, in the C:\Users folder. The user profile is used only when a user signs
in to the same computer, but you can change the user profile type if you want to
use it from multiple computers.
Using quotas
An option to limit user profile sizes is to use quotas. You can use the same
approach to limit the disk space that a user consumes in general, and it applies
to limiting user profile sizes. You can set a disk quota on a local Windows 10
volume by using volume properties. By using File Server Resource Manager in
Windows Server 2016, you can set a quota on a shared folder on the file server
where roaming user profiles or redirected folders are stored. If you set a disk
quota on a local volume, users will not be able to write additional data when
they reach their disk quota. If a quota is set on a shared folder, the local
copy of a roaming user profile will not synchronize with the network share, and
changes to the user profile will not copy to the file server until the user
deletes some data and the local copy of the roaming user profile is smaller than
the quota limit. In such cases, users will see a message during sign-out that
their roaming user profiles did not completely synchronize, and an entry will be
added to Event Viewer.
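The shared-folder quota described above as a File Server Resource Manager script, added here as an example and not part of the course. It creates a hard-quota template with a warning event at 85 percent and applies it as an auto quota, so every existing and future per-user profile folder under the share gets its own limit. Assumptions: the FS-Resource-Manager role is installed on the file server, the local path and size are placeholders, and the bracketed variables in the event text are FSRM's own message substitutions.

```powershell
# Added example (not from the course): per-user FSRM quotas on the roaming
# profile share, with an early-warning event before sync starts failing.
Import-Module FileServerResourceManager

function New-ProfileShareQuota {
    param(
        [Parameter(Mandatory)][string]$ProfilesRoot,   # local path behind \\Server\Profiles, e.g. D:\Profiles
        [long]$SizeBytes = 2GB,
        [string]$TemplateName = 'Roaming profile (2 GB, hard)'
    )
    # Warn at 85% so the helpdesk sees the problem before the hard limit blocks the sign-out sync
    $warnAction = New-FsrmAction -Type Event -EventType Warning -Body `
        'Profile for [Source Io Owner] is at [Quota Threshold]% of its [Quota Limit MB] MB quota ([Quota Path]).'
    $threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warnAction

    if (-not (Get-FsrmQuotaTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
        # Hard quota by default (no -SoftLimit): writes beyond the limit fail, as the text describes
        New-FsrmQuotaTemplate -Name $TemplateName -Size $SizeBytes -Threshold $threshold | Out-Null
    }
    # Auto quota: one quota per subfolder, applied to folders created later as well
    New-FsrmAutoQuota -Path $ProfilesRoot -Template $TemplateName
}

function Get-ProfileQuotaUsage {
    param([Parameter(Mandatory)][string]$ProfilesRoot)
    Get-FsrmQuota -Path (Join-Path -Path $ProfilesRoot -ChildPath '*') |
        Select-Object Path, Size, Usage,
            @{ Name = 'UsedPct'; Expression = { [math]::Round(100 * $_.Usage / $_.Size, 1) } } |
        Sort-Object UsedPct -Descending
}

New-ProfileShareQuota -ProfilesRoot 'D:\Profiles'
Get-ProfileQuotaUsage -ProfilesRoot 'D:\Profiles' | Format-Table -AutoSize
```

Pair the FSRM limit with the Group Policy maximum profile size on the client side: the server-side quota is what actually protects the share, while the client-side limit is what gives the user a warning before sign-out.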
the file server until the users delete some data and their local copy of the
roaming user profile is smaller than the maximum profile size that is configured
in Group Policy.
Users can have smaller user profiles if they store data files outside of their
user profiles, for example, in a dedicated shared folder or in the home folder.
●● Redirected folders are stored on network locations (network shares) and not
on local computers. If a local hard drive fails, users can still access data
in redirected folders from a different computer.
●● Redirected folder content can be backed up centrally because it is not
stored locally on user computers. If Shadow Copies for Shared Folders is
configured on a network location, users can access previous versions of
their redirected files.
For more about Folder Redirection, refer to Folder Redirection
Overview14.
14 http://go.microsoft.com/fwlink/?LinkId=378224
For a Windows 10 device to use the Enterprise State Roaming service, the device
must authenticate using an Azure AD identity. For devices that are joined to
Azure AD, the user’s primary sign-in identity is their Azure AD identity, so no
additional configuration is required. For devices that use on-premises Active
Directory, the IT admin must Configure Hybrid Azure Active Directory joined
devices.
Data storage
Enterprise State Roaming data is hosted in one or more Azure regions that best
align with the country/region value set in the Azure Active Directory instance.
Enterprise State Roaming data is partitioned based on three major geographic
regions: North America, EMEA, and APAC. Enterprise State Roaming data for the
tenant is locally located with the geographical region and is not replicated
across regions.
The country/region value is set as part of the Azure AD directory creation
process and cannot be subsequently modified.
View per-user device sync status
Follow these steps to view a per-user device sync status report.
1. Sign in to the Azure portal.
2. Select Azure Active Directory > Users > All users.
3. Select the user, and then select Devices.
4. Under Show, select Devices syncing settings and app data to show
sync status.
5. If there are devices syncing for this user, you see the devices shown here.
Data retention
Data synced to the Microsoft cloud using Enterprise State Roaming is retained
until it’s manually deleted or until the data in question is determined to be
stale.
Explicit deletion
Explicit deletion is when an Azure admin deletes a user or a directory or
otherwise requests explicitly that data is to be deleted.
●● User deletion: When a user is deleted in Azure AD, the user account
roaming data is deleted after 90 to 180 days.
●● Directory deletion: Deleting an entire directory in Azure AD is an
immediate operation. All the settings data associated with that directory is
deleted after 90 to 180 days.
●● On request deletion: If the Azure AD admin wants to manually delete a
specific user’s data or settings data, the admin can file a ticket with
Azure support.
Stale data deletion
Data that has not been accessed for one year (“the retention period”) will be
treated as stale and may be deleted from the Microsoft cloud. The retention
period is subject to change but will not be less than 90 days. The stale data
may be a specific set of Windows/application settings or all settings for a
user. For example:
●● If no devices access a particular settings collection (for example, an
application is removed from the device, or a settings group such as “Theme”
is disabled for all of a user’s devices), then that collection becomes stale
after the retention period and may be deleted.
●● If a user has turned off settings sync on all his/her devices, then none of
the settings data will be accessed, and all the settings data for that user
will become stale and may be deleted after the retention period.
●● If the Azure AD directory admin turns off Enterprise State Roaming for the
entire directory, then all users in that directory will stop syncing
settings, and all settings data for all users will become stale and may be
deleted after the retention period.
Deleted data recovery
The data retention policy is not configurable. Once the data is permanently
deleted, it’s not recoverable. However, the settings data is deleted only from
the Microsoft cloud, not from the end-user device. If any device later
reconnects to the Enterprise State Roaming service, the settings are again
synced and stored in the Microsoft cloud.
Monitoring devices
Lesson Introduction
In this lesson, you will be introduced to managing and monitoring devices
enrolled in Intune. You will learn how to work with your devices in the Intune
console, such as verifying hardware inventory and configuration, and how to
synchronize devices to get the latest policies. You will also learn about
Intune's automatic policy and profile synchronization.
The lesson will then conclude with an overview of Windows Analytics, which is a
collection of cloud-based services for monitoring and automating your
on-premises and cloud environments. You will learn about Update Health, Update
Compliance and Upgrade Readiness. Lastly, you will learn how to enroll devices
into Windows Analytics.
After this lesson, you should be able to:
●● Explain how to manage and monitor devices in Intune.
●● Describe how to run actions against your Intune devices.
●● Describe what Windows Analytics is and how to start using it.
●● All devices shows a list of the enrolled devices you manage.
●● Use the Export feature to create a .csv list of all the devices, in
increments of 10,000 (Internet Explorer) or 30,000 (Edge, Chrome).
●● Select any device to view additional details about that device,
including hardware details, installed apps, its compliance policy
status, and more.
●● Azure AD devices shows a list of the devices registered or joined
with Azure Active Directory (Azure AD).
●● Device actions includes a history of the remote actions that were
run on different devices, including the action, its status, who
initiated the action, and the time.
●● Audit logs is a record of activities that generate a change in
Intune.
●● TeamViewer Connector is a service that allows users of
Intune-managed Android devices to get remote assistance from their IT
administrator.
●● Help and Support provides shortcuts to troubleshooting tips,
requesting support, and checking the status of Intune.
See device details in Intune
The Devices feature provides additional details into the devices you manage,
including their hardware and the apps installed. To view all your devices, and
their properties in the Azure portal do the following:
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Devices > All devices > select one of your listed devices
to open its details:
●● Overview shows the device name, and lists some key properties of the
device, including whether it's a bring-your-own-device (BYOD) device, when
it checked in, and more. The actions available depend on the device
platform, and the configuration of the device. You can perform the following
actions on the device:
●● View device inventory
●● Run the remote device actions:
●● Retire
●● Wipe
●● Delete
●● Remote lock
●● Reset passcode
●● Bypass Activation Lock (iOS only)
●● Fresh Start (Windows only)
●● Lost mode (iOS only)
●● Locate device (iOS only)
●● Restart (Windows only)
●● Windows 10 PIN reset
●● Remote control for Android
●● Sync (Synchronize device policy)
●● AutoPilot Reset
●● Quick scan
●● Full scan
●● Update Windows Defender Signatures
●● Use Properties to assign a device category you create and change
ownership of the device to a personal device, or a corporate device.
●● Hardware includes many details about the device, including the device
ID, the operating system and version, storage space, the model and
manufacturer, conditional access settings, and more details.
●● Discovered apps lists all the apps that Intune found installed on the
device, and the app versions. You can also Export the app list into a .csv
file.
●● Device compliance lists all assigned compliance policies, and if the
device is compliant or not compliant.
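The All devices export described above is the quickest way to review the whole fleet at once. The following script is an added example (not code from the course or from Microsoft) that parses such an export and sorts devices into the buckets an administrator normally follows up on: noncompliant, not yet evaluated, not checked in recently, and lacking a primary user. The CSV column names and the sample rows are constructed assumptions, not the real export layout.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an "All devices" CSV export (not data from a real tenant).
# The column names are an assumption about the export layout, not taken from the course.
SAMPLE_EXPORT = """\
Device name,Ownership,Compliance,OS,OS version,Last check-in,Primary user UPN
DESKTOP-A1,Corporate,Compliant,Windows,10.0.17763.437,2019-03-01 09:12:00,alice@contoso.example
PHONE-B2,Personal,Noncompliant,iOS,12.1.4,2019-03-02 18:40:00,bob@contoso.example
TABLET-C3,Corporate,Compliant,Android,8.1.0,2019-01-10 07:05:00,carol@contoso.example
LAPTOP-D4,Corporate,Not evaluated,Windows,10.0.17134.648,2019-02-28 14:00:00,
"""

CHECKIN_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Parse the CSV text into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_devices(rows, now, stale_after_days=30):
    """Sort exported devices into the buckets an admin follows up on.

    - noncompliant: a compliance policy evaluated the device and it failed
    - unevaluated: no compliance result yet (no policy assigned, or not reported)
    - stale: the device has not checked in within stale_after_days
    - no_primary_user: nobody is recorded as the primary user
    A device can appear in more than one bucket. `now` may be a datetime or a
    string in CHECKIN_FORMAT.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, CHECKIN_FORMAT)
    cutoff = now - timedelta(days=stale_after_days)
    report = {"noncompliant": [], "unevaluated": [], "stale": [], "no_primary_user": []}
    for row in rows:
        name = row["Device name"]
        state = row["Compliance"].strip().lower()
        if state == "noncompliant":
            report["noncompliant"].append(name)
        elif state != "compliant":
            report["unevaluated"].append(name)
        last_checkin = datetime.strptime(row["Last check-in"], CHECKIN_FORMAT)
        if last_checkin < cutoff:
            report["stale"].append(name)
        if not row["Primary user UPN"].strip():
            report["no_primary_user"].append(name)
    return report


def summarize_by_os(rows):
    """Count devices per OS, a first sanity check before targeting a policy."""
    counts = {}
    for row in rows:
        counts[row["OS"]] = counts.get(row["OS"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(summarize_by_os(rows))
    for bucket, names in triage_devices(rows, now="2019-03-05 00:00:00").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in the stale bucket are the ones whose compliance state can no longer be trusted, because the Compliance column reflects the last check-in rather than the device's current state.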
as they are released. Upgrade Readiness not only supports upgrade management
from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in
the Windows as a Service model.
Use Upgrade Readiness to get:
●● A visual workflow that guides you from pilot to production
●● Detailed computer and application inventory
●● Powerful computer-level search and drill-downs
●● Guidance and insights into application and driver compatibility issues, with
suggested fixes
●● Data-driven application rationalization tools
●● Application usage information, allowing targeted validation; workflow to
track validation progress and decisions
●● Data export to commonly used software deployment tools, including System
Center Configuration Manager
●● Free to use
For more information, the following video provides additional information on
using Windows Analytics to help improve your Windows experience.
●● For the resource group setting select Create new and use the
same name you chose for your new workspace.
●● For the location setting, choose the Azure region where you would
prefer the data to be stored.
●● For the pricing tier select Free.
4. Now that you have selected a workspace, you can go back to the Device Health
blade and select Create.
5. Watch for a Notification (in the Azure portal) that “Deployment
‘Microsoft.DeviceHealth’ to resource group 'YourResourceGroupName' was
successful.” and then select Go to resource. This might take several
minutes to appear.
●● Suggestion: Choose the Pin to Dashboard option to make it easy to
navigate to your newly added Device Health solution.
●● Suggestion: If a “resource unavailable” error occurs when navigating to
the solution, try again after one hour.
Module 3 Application Management
Your employees use mobile devices for both personal and work tasks. While making
sure your employees can be productive, you want to prevent data loss,
intentional and unintentional. You'll also want to protect company data that is
accessed from devices that are not managed by you. You can use Intune app
protection policies independent of any mobile-device management (MDM) solution.
This independence helps you protect your company’s data with or without
enrolling devices in a device management solution. By implementing app-level
policies, you can restrict access to company resources and keep data within the
purview of your IT department.
Intune MAM supports two configurations:
●● Intune MDM + MAM: IT administrators can only manage apps using MAM and
app protection policies on devices that are enrolled with Intune MDM. To
manage apps using MDM + MAM, you should use the Intune console in the Azure
portal at https://portal.azure.com.
●● MAM without device enrollment: MAM without device enrollment (MAM-WE)
allows IT administrators to manage apps using MAM and app protection
policies on devices not enrolled with Intune MDM. This means apps can be
managed by Intune on devices enrolled with third-party Enterprise Mobility
Management (EMM) providers, or not enrolled with an MDM at all. To manage
apps using MAM-WE, you should use the Intune console in the Azure portal at
http://portal.azure.com.
You can create mobile app management policies for Office mobile apps that
connect to Office 365 services. You can also protect access to Exchange
on-premises mailboxes by creating Intune app protection policies for Outlook
for iOS and Android on devices that use hybrid Modern Authentication. Before
using this feature, make sure you meet the Outlook for iOS and Android
requirements. App protection policies are not supported for other apps that
connect to on-premises Exchange or SharePoint services.
The important benefits of using app protection policies are:
●● Protecting your company data at the app level. Because mobile app
management doesn't require device management, you can protect company data
on both managed and unmanaged devices. The management is centered on the
user identity, which removes the requirement for device management.
●● End-user productivity isn't affected, and policies don't apply when using
the app in a personal context. The policies are applied only in a work
context, which gives you the ability to protect company data without
touching personal data.
There are additional benefits to using MDM with app protection policies, and
companies can use app protection policies with and without MDM at the same time.
For example, consider an employee who uses both a phone issued by the company
and their own personal tablet. The company phone is enrolled in MDM and
protected by app protection policies, while the personal device is protected by
app protection policies only. MDM makes sure that the device is protected. Some
examples:
●● You can require a PIN to access the device, or you can deploy managed apps
to the device. You can also deploy apps to devices through your MDM
solution, to give you more control over app management.
●● App protection policies make sure that the app-layer protections are in
place. For example, you can:
●● Require a PIN to open an app in a work context
●● Control the sharing of data between apps
●● Prevent the saving of company app data to a personal storage location
Supported platforms for app protection policies
App protection policies are only supported by Android and iOS, and Windows
devices are currently not supported. However, when you enroll Windows 10 devices
with Intune, you can use Windows Information Protection, which offers similar
functionality.
Clicking an app's icon displays the MAM scenarios it supports (MDM with MAM
or MAM without Enrollment), the platforms it supports, and whether or not it
is multi-identity capable. You can also find links to view the specific apps
in the Apple or Google app stores.
In the Find the right partner app for your scenario section, you will see a
list of currently supported third-party apps.
Multi-identity
Apps that support multi-identity let you use different accounts (work and
personal) to access the same apps, while app protection policies apply only when
the apps are used in the work context.
For example, consider a user who starts the OneDrive app by using their work
account. In the work context, they can't move files to a personal storage
location. Later, when they use OneDrive with their personal account, they can
copy and move data from their personal OneDrive without restrictions.
For information about apps that support MAM and multi-identity with Intune,
refer to how to use apps with multi-identity support.2
2 https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/fasttrack-how-to-use-apps-with-multi-identity-support
The Intune App SDK is designed mainly for customers who have apps in the Apple
App Store or Google Play Store, and want to be able to manage the apps with
Intune. However, any app can take advantage of integrating the SDK, even
line-of-business apps.
Reasons to use the SDK:
●● Your app does not have built-in data protection features
●● Your app is complex and contains many experiences
●● Your app is deployed on a public app store such as Google Play or Apple's
App Store
●● You are an app developer and have the technical background to use the SDK
●● Your app has other SDK integrations
●● Your app is frequently updated
Apps without app protection policies
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or
transferred to apps beyond your purview and result in data loss. The arrows in
the preceding diagram show unrestricted data movement between both corporate and
personal apps, and to storage locations.
You can use app protection policies to prevent company data from saving to the
local storage of the device. You can also restrict data movement to other apps
that aren't protected by app protection policies. App protection policy settings
include:
●● Data relocation policies like Prevent Save As, and Restrict cut, copy, and paste.
●● Access policy settings like Require simple PIN for access, and Block managed apps from running on
jailbroken or rooted devices.
Data protection with app protection policies
The preceding illustration shows the layers of protection that MDM and app
protection policies offer together.
The MDM solution:
●● Enrolls the device
●● Deploys the apps to the device
●● Provides ongoing device compliance and management
App protection policies add value by:
●● Helping protect company data from leaking to consumer apps and services
●● Applying restrictions like save-as, clipboard, or PIN, to client apps
●● Wiping company data from apps without removing those apps from the device
Data protection with app protection policies on devices managed by a Mobile
Device Management solution
The preceding diagram illustrates how the data protection policies work at the
app level without MDM.
For BYOD devices not enrolled in any MDM solution, app protection policies can
help protect company data at the app level. However, there are some limitations
to be aware of:
●● You can't deploy apps to the device. The end user has to get the apps from the store.
●● You can't provision certificate profiles on these devices.
●● You can't provision company Wi-Fi and VPN settings on these devices.
Data protection with app protection policies for devices without enrollment
Note: These policy settings are enforced only when using apps in the
work context. When end users use the app to do a personal task, they aren't
affected by these policies. Note that when you create a new file it’s
considered a personal file.
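The rules scattered through this lesson (data relocation and access settings, multi-identity, policies applying only in the work context, a newly created file counting as personal) interact in an order that is easy to get wrong when reasoning about what a user will actually see. The following is an added example, not code from the course or from Intune, that models that decision order as a small policy evaluator so the interactions can be checked case by case. The action and target labels are constructed for the example and are not Intune setting names.

```python
from dataclasses import dataclass


@dataclass
class AppProtectionPolicy:
    """A subset of the app protection policy settings named in this lesson."""
    prevent_save_as: bool = True            # data relocation: Prevent Save As
    restrict_cut_copy_paste: bool = True    # data relocation: Restrict cut, copy, and paste
    require_pin: bool = True                # access: Require simple PIN for access
    block_on_jailbroken: bool = True        # access: Block managed apps on jailbroken/rooted devices


@dataclass
class Context:
    """The situation in which a user performs an action inside a managed app."""
    account: str                 # "work" or "personal" (multi-identity app)
    device_rooted: bool = False
    pin_verified: bool = False
    file_is_new: bool = False    # a file the user just created counts as personal data


# Where an action can move data to (constructed labels, not Intune terms).
MANAGED_TARGETS = {"managed_app", "onedrive_for_business"}


def evaluate(policy, ctx, action, target=None):
    """Return (allowed, reason) for an action under the policy in the given context.

    The ordering encodes the rules stated in the lesson: policies apply only in
    the work context; on a rooted device the managed app may not run at all; a
    newly created file is personal and is not subject to data relocation rules.
    """
    if ctx.account != "work":
        return True, "personal context: app protection policy does not apply"
    if policy.block_on_jailbroken and ctx.device_rooted:
        return False, "managed app is blocked on a jailbroken or rooted device"
    if action == "open_app":
        if policy.require_pin and not ctx.pin_verified:
            return False, "PIN required to open the app in a work context"
        return True, "app opened in work context"
    if action in ("save_as", "copy_to"):
        if ctx.file_is_new:
            return True, "newly created file is treated as personal data"
        if target in MANAGED_TARGETS:
            return True, f"data stays within managed target {target}"
        if action == "save_as" and policy.prevent_save_as:
            return False, f"Prevent Save As blocks saving to {target}"
        if action == "copy_to" and policy.restrict_cut_copy_paste:
            return False, f"cut/copy/paste to {target} is restricted"
        return True, "no applicable restriction in this policy"
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    policy = AppProtectionPolicy()
    work = Context(account="work", pin_verified=True)
    for action, target in [("save_as", "local_storage"), ("copy_to", "managed_app"),
                           ("copy_to", "unmanaged_app")]:
        print(action, target, evaluate(policy, work, action, target))
```

The first check is the one that surprises people: in the personal context every rule is skipped, including the rooted-device block, which is exactly why the lesson stresses that these policies protect company data only while the app is used with the work account.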
1. Choose OK to save this configuration. You're now back in the Add a policy blade.
2. Choose Create to create the policy and save your settings.
When you have created one or more app protection policies, they must be assigned
users in order to have any effect. To assign an app protection policy, perform
the following steps:
1. In the Client apps - App protection policies blade, click the policy you want to assign.
2. In the Intune App Protection blade, click Assignments, and then click Select groups to include.
3. A list of user groups is displayed on the Select groups to include blade. This list shows all the
security groups in your Azure Active Directory (Azure AD) containing only users. Click the user groups
you want this policy to apply to, and then click Select. Click Select again. The app protection policy is
now assigned to the users in the selected groups.
4. Only users with assigned Microsoft Intune licenses are affected by the policy. Users in the selected
security group that don’t have an assigned Intune license aren't affected.
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.
●● Users: The total number of users in your company who are using an app which is associated with a
policy in a work context.
●● Managed by policy: The number of users who have used an app who have a policy assigned to them
in a work context.
●● No policy: The number of users who are using an app that is not targeted by any policy in a work
context. You might consider adding these users to the policy.
Detailed view
You can get to the detailed view from the summary view by choosing the User
status tile (based on device OS platform), and the Flagged users tile.
User status
You can search for a single user and check the compliance status for that user.
The App reporting pane shows the following information for a selected user:
●● Devices that are associated with the user account
●● Apps with a MAM policy on the device
●● Status:
●● Checked in: The policy was deployed to the user, and the app was
used in the work context at least once.
●● Not checked in: The policy was deployed to the user, but the app has not been used in the work
context since then.
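The summary tiles and the per-user status above are derived from three inputs: which users used a managed app in a work context, which policies target their groups, and whether they hold an Intune license (unlicensed users in a targeted group are not affected, as noted under policy assignment). The script below is an added example, not code from the course or from Intune, that recomputes those figures from constructed sample data; the users, groups and policy names are invented, and treating an unlicensed user as having no policy is an assumption made for the example.

```python
# Constructed sample data (not a real tenant). Names and memberships are assumptions.
GROUP_MEMBERS = {
    "Sales": {"alice", "bob"},
    "Finance": {"carol", "dave"},
}
# Each policy targets a set of Azure AD user groups and a set of managed apps.
POLICIES = {
    "Sales MAM policy": {"groups": {"Sales"}, "apps": {"Outlook", "OneDrive"}},
    "Finance MAM policy": {"groups": {"Finance"}, "apps": {"Excel"}},
}
LICENSED_USERS = {"alice", "bob", "carol", "erin"}  # dave has no Intune license
# App usage records: which user used which managed app, and in which context.
USAGE = [
    {"user": "alice", "app": "Outlook", "work_context": True},
    {"user": "alice", "app": "OneDrive", "work_context": False},  # personal account only
    {"user": "bob", "app": "Outlook", "work_context": True},
    {"user": "carol", "app": "Excel", "work_context": True},
    {"user": "dave", "app": "Excel", "work_context": True},        # in group, unlicensed
    {"user": "erin", "app": "Outlook", "work_context": True},      # licensed, in no group
]


def policy_apps_for(user, policies=POLICIES, groups=GROUP_MEMBERS, licensed=LICENSED_USERS):
    """Return the managed apps whose policy applies to the user.

    Assumption for this example: a user without an Intune license is unaffected
    by every policy, so they are reported as having none.
    """
    if user not in licensed:
        return set()
    apps = set()
    for policy in policies.values():
        if any(user in groups.get(g, set()) for g in policy["groups"]):
            apps |= policy["apps"]
    return apps


def managed_apps(policies=POLICIES):
    """All apps associated with at least one policy."""
    return set().union(*(p["apps"] for p in policies.values()))


def summary_view(usage=USAGE, policies=POLICIES, groups=GROUP_MEMBERS, licensed=LICENSED_USERS):
    """Compute the three tiles of the App protection status summary."""
    associated = managed_apps(policies)
    users = {u["user"] for u in usage if u["work_context"] and u["app"] in associated}
    managed = {u for u in users if policy_apps_for(u, policies, groups, licensed)}
    return {"users": len(users),
            "managed_by_policy": len(managed),
            "no_policy": len(users - managed)}


def user_status(user, usage=USAGE, policies=POLICIES, groups=GROUP_MEMBERS, licensed=LICENSED_USERS):
    """Per app targeted at the user: Checked in if it was used in the work context."""
    used_at_work = {u["app"] for u in usage if u["user"] == user and u["work_context"]}
    return {app: ("Checked in" if app in used_at_work else "Not checked in")
            for app in sorted(policy_apps_for(user, policies, groups, licensed))}


if __name__ == "__main__":
    print(summary_view())
    for name in ("alice", "dave", "erin"):
        print(name, user_status(name))
```

Users that land in the No policy count for different reasons (erin is licensed but in no targeted group; dave is targeted but unlicensed) need different fixes, a group membership in one case and a license assignment in the other, which the tile alone does not tell you.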
To see a detailed report for a user, follow these steps:
1. Sign into the Azure portal and in the navigation pane, click Intune.
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.
3. Click either the User status for iOS tile or the User status for Android tile.
4. On the App reporting blade, click Select user to search for an Azure AD user.
5. Select a user from the list, for example Debra Berger, and then click Select. You can see the user name,
whether the user has a license for Intune, and details of the compliance status for that user:
Reporting view
You can find the same reports from the Detailed view, and additional reports to
help you with the MAM policy compliance status.
To access the reports, perform the following steps:
1. Sign into the Azure portal and in the navigation pane, click Intune.
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.
3. On the Clients apps – App protection status blade, click Reports in the details pane. Notice that you
can also export the following information to a CSV file:
●● App protection report: iOS, Android
●● App protection report: WIP without enrollment
●● App protection report: WIP via MDM
●● App configuration report
Add
The first step in app deployment is to identify the apps you want to manage and
assign, and add them to Intune. Although you can work with many different app
types, the basic procedures are the same. With Intune you can add apps written
in-house (line-of-business), apps from the store, apps that are built-in, and
apps on the web.
Deploy
After you've added the app to Intune, you can then assign it to users and
devices that you manage. Intune makes this process easy, and after the app is
deployed, you can monitor the success of the deployment from Intune within the
Azure portal. Additionally, in some app stores, such as the Apple and Windows
app stores, you can purchase app licenses in bulk for your company. Intune can
synchronize data with these stores so that you can deploy and track license
usage for these types of apps right from the Intune administration console.
Configure
As part of the app lifecycle, new versions of apps are regularly released.
Intune provides tools to easily update apps that you have deployed to a newer
version. Additionally, you can configure extra functionality for some apps, for
example:
●● iOS app configuration policies supply settings for compatible iOS apps that are used when the app is
run. For example, an app might require specific branding settings or the name of a server to which it
must connect.
●● Managed browser policies help you to configure settings for the Intune managed browser, which
replaces the default device browser and lets you restrict the websites that your users can visit.
Protect
Intune gives you many ways to help protect the data in your apps. The main
methods are:
●● Conditional access, which controls access to email and other services based on conditions that you
specify. Conditions include device type or compliance with a device compliance policy that you
deployed.
●● App protection policies that work with individual apps to help protect the company data that they
use. For example, you can restrict copying data between unmanaged apps and managed apps, or you
can prevent apps from running on devices that have been jailbroken or rooted.
Retire
Eventually, the apps that you deployed will likely become outdated and need to
be removed. Intune makes it easy to retire apps from service.
●● Built-in app. The built-in app type makes it easy for you to assign curated managed apps, such as
Office 365 apps, to iOS and Android devices. You can assign specific apps for this app type, such as
Excel, OneDrive, Outlook, Skype, and others. After you add an app, the app type is displayed as either
Built-in iOS app or Built-in Android app. By using the built-in app type, you can choose which of these
apps to publish to device users. For more information refer to Add built-in apps to Microsoft
Intune13.
●● Line-of-business (LOB) app. An LOB app is one that you add from an app installation file. For
example, to install an iOS LOB app, you add the application by selecting Line-of-business app as the
App type in the Add app pane. You then select the app package file (extension .ipa), which is
uploaded to Intune. LOB app supports apps for Windows 10, Android and iOS. The following extensions
are supported:
●● Windows 10: .msi, .appx, .appxbundle, .msix and .msixbundle
●● Android: .apk
●● iOS: .ipa and .intunemac
●● Windows app (Win32) – preview. Building upon the existing support for line-of-business (LOB) apps
and Microsoft Store for Business apps, administrators can use Intune to deploy most of their
organization’s existing Win32 line-of-business (LOB) applications to end users on Windows 10 devices.
Administrators can add, install, and uninstall applications for Windows 10 users in a variety of formats,
such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before downloading and
installing, notifying end users of the status or reboot requirements using the Windows 10 Action
Center. This feature is currently in public preview and we expect to add significant new capabilities to
the feature over the next few months. For more information refer to Intune Standalone - Win32 app
management (Public Preview)14.
13 https://docs.microsoft.com/da-dk/intune/apps-add-built-in
14 https://docs.microsoft.com/en-us/intune/apps-win32-app-management
You can use Group Policy to manage all phases except the preparation. You can
apply Group Policy settings to users or computers in a site, domain, or
organizational unit (OU) to install, upgrade, or remove software automatically.
By applying Group Policy settings to software, you can manage the phases of
software deployment without deploying software on each computer individually.
Using Group Policy to manage the software lifecycle has some advantages and some
disadvantages that are important to consider. The advantages of using Group
Policy to manage the software lifecycle are:
●● Group Policy software distribution is available as part of Group Policy
and AD DS. Thus, using Group Policy does not incur any additional costs
for your organization, and is always available to implement because it’s
already installed and ready for use.
●● Group Policy software distribution does not require client software, agent
software, or additional management software. IT administrators can use
familiar tools to manage the software lifecycle.
●● Group Policy software distribution is quick and easy to use. This allows
for both faster software distribution and reduced IT training costs.
The disadvantages of using Group Policy to manage the software lifecycle are:
●● Group Policy software distribution has a minimal feature set. This
minimal feature set limits the ability to control aspects of the
distribution such as the day and time of installation, the order of
installation when deploying multiple applications, and the reboot process,
such as reboot suppression or reboot windows.
●● Group Policy software distribution does not have any reporting. Thus,
you cannot easily gather information such as how many computers have the
distributed software, which computers an installation failed on, or which
computers do not have the distributed software. This could lead to a
scenario in which you deploy an update to an application and the update
attempts to install on computers that no longer have the application to be
updated.
●● Group Policy software distribution is limited to deployment of Windows
Installer packages. IT administrators have to convert non-MSI installation
programs into MSI packages before being able to deploy the software by using
Group Policy.
For larger organizations, especially organizations that have more than 500
computers, and for any organizations with specific software distribution
requirements, System Center Configuration Manager provides enterprise-level
features and control. These enterprise-level features and control eliminate the
disadvantages found in Group Policy software distribution.
How Windows Installer enhances software distribution
To enable Group Policy to deploy and manage software, Windows Server 2016 or
later uses the Windows Installer service. This component automates the
installation and removal of applications by applying a set of centrally-defined
setup rules during the installation process. The Windows Installer service
installs the .msi package files. .msi files contain a database that stores all
the instructions required to install the application. Small applications may be
entirely stored as .msi files, whereas other larger applications will have many
associated source files that the MSI references. Many software vendors provide
.msi files for their applications.
The Windows Installer service has the following characteristics:
●● This service runs with elevated privileges, so that the Windows Installer
service can install software regardless of which user is signed into the
system. Users only require read access to the software distribution point.
●● Applications are resilient. If an application becomes corrupted, the
installer will detect and reinstall or repair the application.
●● Windows Installer cannot install .exe files. To distribute a software
package that installs with an .exe file, you must first convert the .exe
file to an .msi file by using a third-party utility.
and then use the Upgrades tab to upgrade a package. When you perform upgrades by
using Group Policy, you’ll notice the following characteristics:
●● You can redeploy a package if the original Windows Installer file has been
modified.
●● Upgrades will often remove the old version of an application and install a
newer version. These upgrades usually maintain application settings.
●● You can remove software packages if they were delivered originally by using
Group Policy. This is useful if you’re replacing a line-of-business (LOB)
application with a different application. Removal can be mandatory or
optional.
●● For more information about how to use Group Policy to remotely install
software in Windows, refer to Using group policy to remotely install software in Windows
server.15
15 https://support.microsoft.com/en-us/help/816102/how-to-use-group-policy-to-remotely-install-software-in-windows-server
computers. This is a common situation when dealing with agent software, such
as monitoring agents, security-related agents, or management agents.
Publishing Software
Publishing software has the following characteristics:
●● The Programs>Programs and Features shortcut in Control Panel advertises a
published application to the user. Users can install the application by
using the Install a program from the network shortcut, or extension
activation can install the application. Extension activation will initiate
the program installation when a user clicks on a file type that is
associated with the program.
●● Control Panel does not advertise applications to users who do not have
permission to install them.
●● Applications cannot be published to computers.
Microsoft Store for Business is a cloud service, which means that it’s scalable
and available from anywhere, if you have internet connectivity. Company
employees authenticate in Microsoft Store for Business with an Azure AD account,
and you can delegate store permissions to any organizational user. You manage
Microsoft Store for Business in a web browser, and employees can access it from
the Microsoft Store app on Windows 10, or by using a web browser.
Microsoft Store for Business is available for free and provides organizations
with the following benefits and features:
●● Scalable to fit any size organization. For smaller organizations, you
can quickly have an end-to-end process to acquire and distribute apps.
Larger organizations can integrate Microsoft Store for Business with a
management tool such as Microsoft Intune or Microsoft System Center
Configuration Manager (Current Branch) for greater control over app
deployments and updates.
●● Use of familiar infrastructure. Because Microsoft Store for Business is
a cloud service, it’s available around the world, and it has practically
unlimited resources. It uses Azure AD for authentication, which means that
organizations that are already using Azure AD authentication can easily
implement it. If an organization doesn’t have Azure AD, it can create an
Azure AD tenant automatically when it signs up for Microsoft Store for
Business.
●● Private store. Microsoft Store for Business includes a private store,
which is available to all company employees after they authenticate with an
Azure AD account. You can add purchased modern Windows 10 apps to a private
store, and company employees can access them by using the Microsoft Store
app from any Windows 10 device.
●● Bulk app acquisition. Organizations can acquire and pay for apps in
volume from Microsoft Store for Business.
●● Centralized management. You can use Microsoft Store for Business as a
central location for tracking available and installed apps, billing, and
order history. You can also delegate permission for various aspects of
Microsoft Store for Business management to company employees.
●● App license tracking and management. In Microsoft Store for Business,
you can view who installed apps and who has a license to run an app. You can
also reclaim an app license from a user, which prevents them from using the
app, and assign a license to another user. Online and offline licenses allow
you to customize how you deploy apps.
●● Flexible distribution options. Three options are available for
distributing apps in Microsoft Store for Business. You can:
●● Distribute apps through Microsoft Store for Business by assigning apps
to company employees or by making apps available to all employees in the
private store.
●● Connect Microsoft Store for Business with Intune, Configuration Manager,
or another management tool, and use the management tool’s advanced
deployment options to deploy apps from Microsoft Store for Business.
If all prerequisites are met, users can access, browse, and install the apps
from Microsoft Store for Business. You can also assign apps to them, in which case
users receive an email notification and can install the apps.
If your organization is using a management tool such as Intune or Configuration
Manager to distribute and manage apps, you can integrate it with Microsoft Store
for Business. Using a management tool provides additional control and reporting
in app deployments.
After signing up for Microsoft Store for Business, you can start managing it.
The user account that you used to sign up for Microsoft Store for Business is
already a global administrator in your Azure AD tenant, and this user has all
permissions. Other Azure AD tenant users can browse Microsoft Store for Business
and install available apps, but they can’t manage it. If necessary, a global
administrator can delegate permissions for Microsoft Store for Business tasks by
assigning store roles to other company employees; for example, to acquire and
distribute apps. You can assign roles only to Azure AD user accounts and not to
groups.
You can assign four user roles to manage access to apps and to perform other
tasks in Microsoft Store for Business:
●● Admin. Users in this role can perform all tasks and assign roles to
others.
●● Purchaser. Users in this role can acquire apps, add them to the private
store, and distribute apps to company users.
●● Basic purchaser. Users in this role can acquire apps they own, add them
to the private store, and distribute apps to company users.
●● Windows Defender Device Guard signer. Users in this role can manage
Windows Defender Device Guard settings.
When you sign up for Microsoft Store for Business, the following five apps
automatically add to the private store: Microsoft Word Mobile, Microsoft Excel
Online licensing
Online licensing is the default licensing model in Microsoft Store for Business,
and any app in the store supports this licensing model. Online licensing
requires users to authenticate and connect to Microsoft Store for Business
before they can install an app and its license. You can install online-licensed
apps from the private store and assign them to users or distribute them by using
a management tool such as Intune or Configuration Manager. Users who don’t have
an Azure AD account or who can’t connect to Microsoft Store for Business can’t
install online-licensed apps.
License management for online-licensed apps is enforced and based on a user’s
Azure AD identity. Microsoft Store for Business handles license management, and
Windows Update performs app updates. Online licensing is the only option that is
available for apps in the public Microsoft Store.
Offline licensing
The offline-licensing option is available only for certain apps in Microsoft
Store for Business. With offline licenses, an organization can purchase multiple
copies of an app for its employees, download the app package and its license,
and deploy it on the organizational network. For example, you can include
offline-licensed apps in the computer image and sideload or deploy them by using
a management tool such as Intune or Configuration Manager.
Offline licensing is available only for apps for which developers specify this
licensing option when they submit the app to the Windows Dev Center.
Administrators can download and install apps that use the offline-licensing
model for users who don’t connect to Microsoft Store for Business or who don’t
have an Azure AD account. License management isn’t enforced, and the
organization that purchases the app manages the licenses. As with online
licensing, Windows Update performs app updates. Users in the Admin role control
whether offline-licensed apps are available in Microsoft Store for Business by
configuring the offline app visibility setting.
You can configure offline app visibility by performing the following steps:
1. Sign in to Microsoft Store for Business.
2. Click Manage, and then click Settings.
3. On the Shop tab, in the Shopping experience section, turn the Show
offline apps setting On.
employees to open the Microsoft Store app, browse the private store, and
manually install the apps they need from a private store.
You can assign apps to employees in Microsoft Store for Business, and they will
receive an email notification with instructions and a link to install the apps.
Users just need to select the link, authenticate, and the app will install
without any user interaction. The third method is more advanced and requires a
management tool. You can integrate a mobile device management tool with
Microsoft Store for Business, sync the list of available apps, and use the
mobile device management tool to deploy the apps. If an app is licensed for
offline use, the administrator can download the app package from Microsoft Store
for Business and deploy it as any other modern Windows app; for example, by
using imaging, sideloading, or by using an app deployment tool such as Intune or
Configuration Manager.
Distribute apps by using a private store
Private store is a Microsoft Store for Business feature. Administrators can add
apps from Microsoft Store for Business to a private store and make them
available to company employees. Administrators can also invite developers to
submit LOB apps, accept submitted apps, and add LOB apps to a private store.
Only online-licensed apps can be added to a private store. When an app is in a
private store, all company employees can view and install the app if sufficient
licenses are available. If an app has free licenses, all company employees can
install it regardless of the number of employees. For purchasable apps, any user
with the Admin or Purchaser roles can buy a certain number of copies, and only
that number of employees can install the app. Although the app isn’t free,
employees don’t need to pay for it. The purchaser must buy a certain number of
copies before an app can be added to a private store.
Note: After you add an app to a private store, it can take up to 36 hours
for the app to become visible in the private store.
To acquire an app and make it available in a private store, perform the
following steps:
1. Sign in to Microsoft Store for Business and click Shop for my group.
2. Search for the app that you want to add to the private store.
3. Select an app, choose the license type (if the app supports offline
licensing), select Get the app, and then select Close.
4. Select the ellipsis (…), and then Manage.
5. Click the Private store availability tab, and select one of the following
options:
●● No one
●● Everyone
●● Specific groups
6. Alternatively, instead of selecting the ellipsis (…), you can select
Manage on the toolbar below Microsoft Store for Business, in the
navigation pane, select Products & services, and then view all the
acquired apps. From the list, select the app that you want to add to the
private store, and follow step 5 to add the app to the private store.
Company employees can install an app from a private store by using the Microsoft
Store app or by using a web browser. In both cases, they must authenticate by
using an Azure AD account. The Microsoft Store app automatically connects to the
public Microsoft Store, and employees must select the tab for the private store
(the admin can specify a name for a private store by selecting the Settings
option, selecting the Distribute tab, and then changing the name there). In
a web browser, employees browse to https://www.microsoft.com/business-store,
and after authentication, they can view available apps in the private store.
3. In the navigation pane, click Settings and then in the details pane,
click the Distribute tab.
4. Switch to the Azure portal and in the navigation pane, click Intune.
5. In the Microsoft Intune blade, click Client Apps.
6. On the Client apps blade, click Microsoft Store for Business under
setup.
7. Click Enable and choose the Language for the store.
8. Click Save and then click Sync. This syncs all the apps that you added in
Microsoft Store for Business to Intune. The synchronization
can take a few hours depending on the number of apps.
Distributing online-licensed apps
To distribute online-licensed apps by using a mobile device management tool, you
must first register and configure the tool to sync with Microsoft Store for
Business. You must register the management tool in the same Azure AD tenant as
Microsoft Store for Business, and you must activate the mobile device management
tool in Microsoft Store for Business.
Distributing offline-licensed apps
You can also install offline-licensed apps on devices that don’t have internet
connectivity and for users who don’t have an Azure AD account. Only some apps in
Microsoft Store for Business support offline licensing; offline licensing allows
you to download an app package, app license, and frameworks that the app from
the store requires, and you then can deploy them in a way that is most
appropriate for your environment.
While Microsoft Store for Business tracks and enforces licensing for
online-licensed apps, you are responsible for tracking licenses for
offline-licensed apps.
You can distribute offline-licensed apps in several ways, including:
●● Imaging. After you download an offline-licensed app package, you can
include it in an image for new devices. The image can be in .wim, .vhd, or
.vhdx format, and you can include the app package by using the Dism.exe tool
or by using cmdlets in the Windows PowerShell command-line interface. When
you deploy the image to new devices, those devices will include the app.
●● Sideloading. Sideloading is similar to imaging, but you perform it on
previously deployed devices. By using sideloading, you inject an
offline-licensed app into a running Windows 10 system. You can sideload an
app package by using the Dism.exe tool or Windows PowerShell cmdlets.
●● Provisioning packages. You can create a provisioning package that
includes offline-licensed apps by using Configuration Manager, which is part
of the Windows Assessment and Deployment Kit (Windows ADK). A provisioning
package is in .ppkg format, and it includes changes that should be performed
on a Windows 10 device. You can apply a provisioning package by running the
.ppkg file or by adding a provisioning package by using the Settings app.
●● Mobile device management tool. You can deploy an offline-licensed app in
the same way as any other app for which you have installation files. Mobile
device management tools provide many options for deploying apps, such as to
groups or to devices.
To download an offline-licensed app package, perform the following steps:
1. Sign in to Microsoft Store for Business. Offline-licensed apps must have
been previously acquired.
2. On the toolbar below Microsoft Store for Business, select Manage.
3. In the navigation pane, select Products & services.
4. In the details pane, in the License type drop-down list, select
Offline to view only offline-licensed apps.
5. In the details pane, select the app that you want to download.
6. On the apps page, you can download an app package for offline use, which
includes app metadata, the app package, the app license, and the required
app frameworks.
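As an added example (not code from the course or from Microsoft), the following PowerShell script provisions a downloaded offline-licensed package together with its license file and framework dependencies, either into the running Windows 10 system (sideloading) or into a mounted .wim (imaging), using the DISM cmdlets the lesson refers to. The package, license, dependency and mount paths are placeholders you pass in, and the Authenticode check before provisioning is a safeguard added by this example, not a Store for Business requirement.

```powershell
# Added example: provision an offline-licensed Microsoft Store for Business app.
# Inputs are the files downloaded from Manage > Products & services (placeholders).
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # App package (.appx/.appxbundle/.msix) downloaded from Store for Business
    [Parameter(Mandatory)] [string] $PackagePath,
    # Offline license file (.xml) downloaded alongside the package
    [Parameter(Mandatory)] [string] $LicensePath,
    # Folder that holds the framework dependencies downloaded with the app
    [string] $DependencyFolder,
    # Optional: a .wim to service instead of the running system (imaging scenario)
    [string] $ImagePath,
    [int]    $ImageIndex = 1,
    [string] $MountDir   = 'C:\Mount'   # placeholder mount directory
)

Import-Module Dism -ErrorAction Stop

# Refuse any package whose signature does not validate. The package is trusted
# only because it arrived signed from the Store; a tampered copy must not be staged.
function Assert-SignedPackage {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for '$Path': $($sig.Status)"
    }
}

Assert-SignedPackage -Path $PackagePath

# Collect and verify the framework packages the app depends on (if any).
$deps = @()
if ($DependencyFolder) {
    $deps = @(Get-ChildItem -Path $DependencyFolder -Recurse -Include *.appx, *.appxbundle, *.msix |
              Select-Object -ExpandProperty FullName)
    foreach ($dep in $deps) { Assert-SignedPackage -Path $dep }
}

# Shared arguments: -LicensePath stages the offline license with the package, so
# the device never has to contact Store for Business to license the app.
$common = @{ PackagePath = $PackagePath; LicensePath = $LicensePath }
if ($deps.Count -gt 0) { $common['DependencyPackagePath'] = $deps }

if ($ImagePath) {
    # Imaging: mount the .wim, inject the package, then commit or roll back.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $ImageIndex -Path $MountDir | Out-Null
    $committed = $false
    try {
        Add-AppxProvisionedPackage -Path $MountDir @common | Out-Null
        $committed = $true
    }
    finally {
        # Save only if provisioning succeeded; otherwise discard the partial change.
        if ($committed) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
        else            { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}
else {
    # Sideloading: inject into the running system. A provisioned package is
    # installed for every user who signs in afterwards.
    Add-AppxProvisionedPackage -Online @common | Out-Null

    # List what is now provisioned so the admin can reconcile the deployment
    # against the license count purchased (offline licenses are not enforced).
    Get-AppxProvisionedPackage -Online |
        Sort-Object DisplayName |
        Select-Object DisplayName, Version, PackageName
}
```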
16 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_2_deployingappstutorial.html
Administering applications
Lesson Introduction
In this lesson, you will be introduced to managing apps on Intune managed
devices. You will then learn how to manage apps on non-enrolled devices. You
will be introduced to the various options you have when deploying Office 365
ProPlus, such as Intune, Configuration Manager, and manual installation.
The lesson will then conclude with an overview of how to use Enterprise Mode
with Internet Explorer and Microsoft Edge. Lastly, you will learn how to track
your installed applications, licenses, and assigned apps using Intune.
After this lesson, you should be able to:
●● Explain how to manage apps in Intune.
●● Understand how to manage apps on non-enrolled devices.
●● Understand how to deploy Office 365 ProPlus using Intune.
●● Learn how to configure and manage Enterprise Site mode in Internet Explorer.
●● Learn about app inventory options in Intune.
A managed app is an app for which Intune manages the whole lifecycle, including:
●● Deploy the app
●● Manage app updates
●● Monitor app installation
●● Selectively wipe the entire app
Intune also supports deploying apps to unenrolled devices. Currently, you can
assign iOS and Android apps and iOS and Android built-in apps to devices that
aren't enrolled in Intune.
Updates for unenrolled devices
To receive app updates on devices that aren't enrolled with Intune, device users
must go to their organization's Company Portal and manually install app updates.
Users can then use either the Company Portal app or go to the Intune Company
Portal website at https://portal.manage.microsoft.com on any of their devices
and install the application without needing the device to be enrolled in Intune.
The Company Portal app will not prompt users to enroll their devices if the app
is configured to not require enrollment.
Deploy apps to unenrolled devices
To deploy an app to an unenrolled device, perform the following steps:
1. In the Azure portal, in the navigation pane, click Intune.
2. In the Microsoft Intune blade, click Client Apps.
3. On the Client apps blade, click an existing application that supports
assignment to unenrolled devices.
4. In the apps blade, click Assignments and then click Add group.
5. In the Add group blade, under Assignment type, select Available with or
without enrollment.
6. Click Included Groups. In the Assign blade, you can choose whether to
make the app available to all users, regardless of whether their devices are
enrolled in Intune; this assigns the app to all users in Intune. If you want
to assign it only to specific groups, select No.
7. Click Select groups to include and select the groups to which you want
to assign the app. You must choose a group which only contains users when
assigning apps to unenrolled devices.
8. Click OK twice and then click Save.
You can easily make apps available on devices that cannot be enrolled in Intune
and use app protection policies (MAM) to manage the apps after they have been
installed. Even though this can be helpful in BYOD scenarios, we recommend
that you enroll your devices in Intune whenever possible, because this gives
you all of Intune’s management functionality.
assign Office 365 apps to devices you manage that run Windows 10 or macOS. You
don’t need to download the installation files as they are already present in
Intune. You can also install apps for the Microsoft Project Online desktop
client and Microsoft Visio Pro for Office 365, if you own licenses for them. The
apps that you want are displayed as a single entry in the list of apps on the
Intune console.
Be aware of the following limitations and caveats:
●● If any Office apps are open when Intune installs the app suite, the
installation might fail, and users might lose data from unsaved files.
●● Intune does not support installing Office 365 desktop apps from the
Microsoft Store (known as Office Centennial apps) on a device to which you
have already deployed Office 365 apps with Intune. If you install this
configuration, it might cause data loss or corruption.
●● Multiple required or available app assignments are not additive. A later app
assignment will overwrite pre-existing installed app assignments. For
example, if the first set of Office apps contains Word, and the later one
does not, Word will be uninstalled. This condition does not apply to any
Visio or Project applications.
Deploy Office 365 ProPlus with Intune
1. Sign in to the Azure portal.
2. In the Azure portal, in the navigation pane, click Intune.
3. In the Microsoft Intune blade, click Client apps.
4. In the Client apps blade, under Manage, click Apps and then
click + Add.
5. In the Add app blade, in the App type list, under Office 365
Suite, select Windows 10.
6. In the Add app blade, you can configure three types of settings:
Configure App Suite, App Suite Information and App Suite
Settings.
7. In the Configure App Suite blade, you can select the following Office
365 apps:
●● Access
●● Excel
●● OneDrive (Groove)
●● OneDrive Desktop
●● OneNote
●● Outlook
●● PowerPoint
●● Publisher
●● Skype for Business
●● Word
●● Monthly
●● Monthly (Targeted)
●● Semi-Annual
●● Semi-Annual (Targeted)
For more information, refer to Deploy Office 365 ProPlus with System Center
Configuration Manager (Current Branch)17.
Using the Office Deployment Tool
For organizations that don't have Configuration Manager but still want to manage
their deployment, the Office Deployment Tool (ODT) can be used. You can use the
ODT as a standalone tool or you can use it to download installation files that
can be deployed using Intune or a third-party software deployment tool. In
either case, the ODT provides rich control over installation, updates, and
settings.
For more information, refer to An overview of the Office Deployment Tool18.
Using the Office Customization Tool
Another option is to use the Office Customization Tool. With this new web-based
tool you can easily customize the deployment of Office 365 ProPlus and other
Click-to-Run managed Office products using a simple, intuitive, and web-based
interface. The tool is an Azure-based cloud service which allows you to create
XML configuration files that are used with the Office Deployment Tool. In the
past, you needed to create the configuration files in Notepad or another text
editor. The Office Customization Tool makes this part of the deployment process
easier and less likely to introduce errors.
This tool provides a simple experience which allows you to create a
configuration file for use with the Office Deployment Tool, for scenarios where
you need to customize the installation of Office 365 ProPlus. Common scenarios
include:
●● Initial installation of Office 365 ProPlus or Office 365 Business suites as
well as Office 2019 suites, with the ability to include standalone products
such as Visio and Project and various language packs.
●● Adding additional products after the initial installation of the Office
suite.
●● Adding additional language packs by configuring a ‘Language Only’
configuration after the installation of the Office suite or standalone
products.
●● Standalone installation of Office 365 Access Runtime.
●● Installation of volume licensed products with automatic KMS and MAK
activation.
●● Automatic removal of previous MSI based Office products.
You can also use the Office Customization Tool to make changes to existing configuration files, which is
very useful when you need to modify the configuration of Office on devices that are already installed and
configured or if you’re creating a second or third configuration and you want to use your own baseline.
Simply use the Import option and select the configuration file you wish to modify, make the desired
changes, and use the Export option to generate a new configuration file.
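The following PowerShell script, added here as an example rather than taken from the course or from Microsoft, covers both the Office Deployment Tool and the Office Customization Tool passages above: it generates a configuration.xml of the kind the Office Customization Tool exports (suite plus a standalone product, language packs, an excluded app, the update channel, and removal of MSI-based Office) and then runs the ODT's download and configure phases with it. It assumes the ODT's setup.exe is in C:\ODT and that \\fileserver\Office is a share the clients can read; both are placeholders.

```powershell
# Added example: build an ODT configuration file and run setup.exe with it.
#Requires -RunAsAdministrator
param(
    [string] $OdtFolder  = 'C:\ODT',              # placeholder: folder containing the ODT setup.exe
    [string] $SourcePath = '\\fileserver\Office'  # placeholder: share used for /download and /configure
)

# Update channel as the ODT names it: 'Broad' is the Semi-Annual Channel,
# 'Targeted' is Semi-Annual (Targeted), 'Monthly' is the Monthly Channel.
$channel   = 'Broad'
$languages = @('en-us', 'de-de')        # language packs to install with the suite
$excluded  = @('Access', 'Publisher')   # apps left out of the suite on these devices

# Turn the arrays into the <Language> and <ExcludeApp> elements the ODT expects.
$langXml = ($languages | ForEach-Object { "      <Language ID=`"$_`" />" }) -join "`n"
$exclXml = ($excluded  | ForEach-Object { "      <ExcludeApp ID=`"$_`" />" }) -join "`n"

$configXml = @"
<Configuration>
  <!-- SourcePath: /download stores the files here and /configure installs from here -->
  <Add OfficeClientEdition="64" Channel="$channel" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
$langXml
$exclXml
    </Product>
    <!-- Standalone product deployed alongside the suite (requires a Visio license) -->
    <Product ID="VisioProRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Automatic removal of previous MSI-based Office products -->
  <RemoveMSI />
  <!-- Keep Click-to-Run updates on; the channel decides how often features arrive -->
  <Updates Enabled="TRUE" Channel="$channel" />
  <!-- Silent installation with no EULA prompt for the user -->
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

$configPath = Join-Path $OdtFolder 'configuration.xml'
Set-Content -Path $configPath -Value $configXml -Encoding UTF8

# Parse the file back before handing it to setup.exe, so a malformed
# configuration fails here rather than halfway through a deployment.
[xml] $parsed = Get-Content -Path $configPath -Raw
if (-not $parsed.Configuration.Add.Product) {
    throw "$configPath contains no <Product> element"
}

$setup = Join-Path $OdtFolder 'setup.exe'
if (-not (Test-Path $setup)) { throw "ODT setup.exe not found at $setup" }

# Phase 1 (run once, from a machine with internet access): stage the
# installation files on the share.
& $setup /download $configPath

# Phase 2 (run on each client, or packaged for Intune or a third-party tool):
# install from the share using the same configuration.
& $setup /configure $configPath
```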
End-user installation
You can have your users install Office 365 on their client devices directly from the Office 365 portal. This
method requires the least amount of administrative setup, but gives you less control over the deployment.
You can, however, still define how frequently your users receive feature updates. This option
requires that your users have local administrative rights on their client devices.
For more information, refer to Manage software download settings in Office 36519.
17 https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-manager
18 https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
19 https://docs.microsoft.com/da-dk/DeployOffice/manage-software-download-settings-office-365
Portal. For more information about the Enterprise Site List Portal and how to
download it, visit the Enterprise Mode Site List Portal20.
20 https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal
which version of a given app that you have deployed. The following blades
provide that information:
●● Client apps – Apps blade
●● List of all apps in Intune and assignment status. You can click an app
to get detailed information about the assignments and install status.
You can export this information to a CSV file by clicking Export and
import into Excel for further processing.
●● Client apps - App licenses blade
●● Lists apps from Microsoft Store for Business. License information for
the apps is shown in the list. You can click an app to get detailed
information about the assignments and install status. You can export
this information to a CSV file by clicking Export and import into
Excel for further processing.
●● Client apps - Discovered apps blade
●● Lists all apps discovered by Intune at the last Hardware Inventory time.
For devices with Device Ownership marked as Corporate this will be all
apps installed on the device. For devices with Device Ownership marked
as Personal this will be all apps installed via the Intune Company
Portal or apps installed in a Required deployment. The number of devices
that a given app is installed on is shown in the list. You can click an
app to list the devices the app is installed on. You can export this
information to a CSV file by clicking Export and import into Excel
for further processing.
●● Client apps - App install status blade
●● Lists all apps in Intune with user and device failures listed next to each
app. You can click an app to get detailed information about the
assignments and install status. You can export this information to a CSV
file by clicking Export and import into Excel for further
processing.
●● Managed Apps – Preview blade
●● In the Managed Apps – preview blade for a device, you can see all apps
assigned to a device together with information about assignment
(Available or Required) and installation status. You can click an app in
the list and you will see a workflow of the app’s entire lifecycle. You
can find this information at: Microsoft Intune -> Devices - All
devices -> <DeviceName> - Managed Apps – Preview. You can
export this information to a CSV file by clicking Export and import
into Excel for further processing.
Client apps – Apps blade
To see the Client apps blade, perform the following steps:
1. In the Azure portal, in the navigation pane, click Intune.
2. In the Microsoft Intune blade, click Client Apps.
3. On the Client apps blade, you can see all the apps that have been added
to Intune and their assignment status. You can export this information to a
CSV file by clicking Export and import into Excel for further
processing. In this export you will also get additional information about
the apps.
4. You can click an app in the list to get more detailed information about
device install status and user install status.
5. You can then click Assignment under Manage to get a list of all Azure AD
groups to which the application is assigned.
Client apps - App licenses
To see the Client apps – App licenses blade, click App licenses in the Client Apps blade.
On the Client apps blade, you can see all the apps that have been added to
Intune and their assignment status. You can export this information to a CSV
file by clicking the Export button and import into Excel for further processing. In
this export you will also get additional information about the apps.
Client apps - Discovered apps blade
To see the Client apps – Discovered apps blade, click Discovered apps in the Client Apps blade.
To see the App install status blade, click App install status in the Client Apps blade.
21 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_3_administeringappstutorial.html