
MCT USE ONLY. STUDENT USE PROHIBITED


Microsoft Official Course

MD-101T02
Managing Modern Desktops and Devices

Contents

■■ Module 0 Welcome  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1
Welcome to Managing Modern Desktops and Devices  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1
■■ Module 1 Device Enrollment  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
Device management options  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
Manage Intune device enrollment and inventory  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  12
■■ Module 2 Configuring Profiles  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  33
Configuring device profiles  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  33
Managing user profiles  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46
Monitoring devices  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  57
■■ Module 3 Application Management  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  67
Implement Mobile Application Management (MAM)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  67
Deploying and updating applications  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  83
Administering applications  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  101
Module 0 Welcome

Welcome to Managing Modern Desktops and Devices

Course Introduction
The Modern Desktop enables simplified management of your desktops, devices, cloud services and
compliance. It gives your users more flexibility in how they work, while keeping organizational data
safe. These courses will help you, as the Modern Desktop Administrator, learn about these technologies
and how to use them. With new cloud technologies and Microsoft 365, there are new methods and
approaches to common challenges in deployment and management. Whether you are new to a Desktop
Administrator role or have several years' experience, you will find new information in these courses.
In this series, you will learn how to:
●● Plan and execute an effective deployment of Windows 10
●● Keep and ensure devices are current with the latest OS and application updates
●● Deploy and manage configurations and apps to organizational and user-owned devices
●● Deploy and manage policies to ensure device compliance
The Modern Desktop learning track helps prepare you for the Microsoft 365 Certified: Modern Desktop
Administrator Associate certification (exam MD-101) and is composed of the following courses:
●● MD-101.1 Deploying the Modern Desktop
●● MD-101.2 Managing Modern Desktops and Devices
●● MD-101.3 Protecting Modern Desktops and Devices
Students taking this course should have experience with installing and managing Windows desktops and
apps. Students should also have at least a basic knowledge of:
●● Authorization and authentication.
●● Computer networks and cloud-based concepts.
●● Understanding of OS images and group policy objects.
●● Understanding of managing mobile devices.
It is recommended that students complete the Windows 10 course series (MD-100) prior to taking the
Modern Desktop Administrator courses.

Video: Course Introduction

As organizations need their workforces to be more mobile, a desktop administrator's role is no longer
just "desktop" management. With BYOD becoming commonplace and employees needing to access
line-of-business apps on personal devices, the scope of desktop administration must include both
desktop and mobile devices, regardless of ownership. During this course, you'll be introduced to key
components of modern management and co-management strategies. You'll examine what it takes to
incorporate Microsoft Intune into your organization and how to use it to manage modern desktops and
devices. You'll also learn about methods for deploying and managing apps and browser-based
applications.
This course was designed for IT professionals who manage and deploy desktop operating systems in
their organization.
In this course, you will learn how to:
●● Understand the benefits and methods of co-management strategies.
●● Configure Intune.
●● Enroll devices in Intune and configure device policies.
●● Manage user profiles and folder redirection.
●● Plan a mobile application management strategy.
●● Manage and deploy apps, including Office 365 ProPlus and Internet Explorer settings.
This is the second in a series of three courses for the Modern Desktop Administrator.
Module 1 Device Enrollment

Device management options

Lesson Introduction
This module introduces you to modern device management options. You will be
introduced to co-management, which is the first step in the journey to modern
management. You will examine the benefits and prerequisites for co-management
and learn how to plan for it. You will then be introduced to migrating Group
Policy to Mobile Device Management (MDM), and learn how to assess Group Policy
settings for migration using the MDM Migration Analysis Tool (MMAT).
After this lesson, you should be able to:
●● Define and describe co-management.
●● Plan for co-management.
●● Explain the options and prerequisites for co-management.
●● Explain how to migrate Group Policy settings to MDM.
●● Use the MDM Migration Analysis Tool.

Benefits of Modern Management


Until recently, managing an organization's technology infrastructure and PCs
required IT professionals to do a lot of hands-on, manual, time-consuming
tasks. New device form factors, new approaches to Windows 10 management,
advances in cloud technology, and bring your own device (BYOD) trends have made
the move toward modern management more compelling for many organizations, not
only for mobile devices but also for PCs.
Modern management is an approach to managing Windows 10 that resembles how
mobile devices are managed by Enterprise Mobility Management (EMM) solutions.
This approach lets you simplify deployment and management, improve security,
provide better end-user experiences, and lower costs for your Windows devices.
With modern management, you can manage Windows 10 devices of all kinds, from
desktop PCs to HoloLens and Surface Hubs, company-owned or employee-owned, as
well as mobile devices, from one management platform. Let's examine why you
should consider implementing a modern management approach for Windows devices
in your organization.

The pillars of modern management


Easy to deploy and manage
Traditional operating system deployment (OSD), while powerful, is typically
complex and time consuming. There is now a simpler way to provision new Windows
10 devices. Windows Autopilot, which is deeply integrated with Azure Active
Directory (Azure AD) and Intune, simplifies and personalizes the out-of-box
experience (OOBE) for users, joins the device to Azure AD, and enrolls it in
Intune. Users' email, apps, files and preferences, as well as the organization's
security settings, are then applied automatically by Intune without the need to
create custom OS images.
Always up to date
Keeping up with emerging security threats and increasing user productivity
requires a shift in how often Windows 10 and Office 365 ProPlus are updated.
With aligned Windows 10 and Office 365 ProPlus update cadences, insights driven
by cloud intelligence, and a modern management approach with EMS, devices can be
kept up to date without the complexity of maintaining an on-premises update
infrastructure.
Intelligent security, built-in
Attackers are becoming more sophisticated, and Microsoft 365 was designed with
security in mind. Many new and evolving security features are built directly
into the Microsoft 365 platform, including Windows Hello, Windows Defender
Advanced Threat Protection (ATP), Windows Information Protection, Office 365
ATP, Azure AD Identity Protection, Conditional Access, and more. These features
are powered by the Microsoft Intelligent Security Graph, which combines billions
of signals, continually improving machine learning algorithms, and human
expertise to help you protect company data and respond to sophisticated attacks.
Proactive insights
With rich telemetry and cloud intelligence, you can proactively discover device
and app issues before they affect end users, apply OS updates with more
confidence, discover security issues, and more. The combination of machine
intelligence and human expertise is a powerful partnership.

Planning Co-management
By bringing your devices to Azure AD, you maximize your users' productivity
through single sign-on (SSO) across your cloud and on-premises resources. At the
same time, you can secure access to your cloud and on-premises resources with
conditional access.
If you have an on-premises Active Directory environment and you want to join
your domain-joined devices to Azure AD, you can accomplish this by configuring
hybrid Azure AD joined devices.

Usage scenarios for Azure AD Join

Scenario 1: Businesses largely in the cloud


Azure Active Directory join (Azure AD join) can benefit you if you currently
operate and manage identities for your business in the cloud or are moving to
the cloud soon. You can use an account that you have created in Azure AD to sign
in to Windows 10. Through the first run experience (FRX) process, or by joining
Azure AD from the settings menu, your users can join their machines to Azure AD.
Your users can also enjoy single sign-on (SSO) access to cloud resources like
Office 365, either in their browsers or in Office applications.

Scenario 2: Educational institutions


Educational institutions usually have two user types: faculty and students.
Faculty members are considered longer-term members of the organization. Creating
on-premises accounts for them is desirable. But students are shorter-term
members of the organization and their accounts can be managed in Azure AD. This
means that directory scale can be pushed to the cloud instead of being stored
on-premises. It also means that students will be able to sign in to Windows with
their Azure AD accounts and get access to Office 365 resources in Office
applications.
Additional scenarios for using Azure AD join:
●● You want to transition to cloud-based infrastructure using Azure AD and an
MDM such as Intune.
●● On-premises domain join is not a good option, for example if you need to
get mobile devices such as tablets and phones under control.
●● Your users primarily need to access Office 365 or other SaaS apps integrated
with Azure AD.
●● You want to manage a group of users in Azure AD instead of in Active
Directory. This can apply, for example, to seasonal workers, contractors, or
students.
●● You want to provide joining capabilities to workers in remote branch offices
with limited on-premises infrastructure.
Reasons to use hybrid Azure AD join:
●● You have Win32 apps deployed to these devices that rely on Active Directory
machine authentication.
●● You require Group Policy to manage some of your devices.
●● You want to continue to use imaging solutions to configure devices for your
employees.

Transitioning Workloads to Intune


When you have prepared Intune and your Windows 10 devices for co-management, you
are ready to decide which specific workloads you are going to switch to Intune.
Before you switch any workloads, make sure the corresponding workload in Intune
has been properly configured and deployed. Doing so ensures that workloads are
always managed by one of the management tools for your devices.
The following list is an example of workloads that you can transition to Intune:
1. Resource access policies
●● Email profile
●● Wi-Fi profile
●● VPN profile
●● Certificate profile
2. Windows Update policies
3. Endpoint Protection
●● Windows Defender Application Guard
●● Windows Defender Firewall
●● Windows Defender SmartScreen
●● Windows Encryption
●● Windows Defender Exploit Guard
●● Windows Defender Application Control
●● Windows Defender Security Center
●● Windows Defender Advanced Threat Protection
●● Windows Information Protection
4. Device Configuration
●● These are essentially the settings you configure today using Group Policy.
5. Office 365 Click-to-Run apps
●● After moving the workload, the app shows up in the Company Portal on the
device.
You would normally identify the workloads with the least complex configuration
and move those to Intune first. These are typically Endpoint Protection, Windows
Update policies, software deployment, and device configuration policies that
mirror the Group Policy settings already in place.

Prerequisites for Co-management


To enable co-management for your on-premises Active Directory devices, you must
configure your devices as hybrid Azure AD joined devices.

Before you start enabling hybrid Azure AD joined devices in your organization,
you need to make sure that:
●● You are running an up-to-date version of Azure AD Connect. Beginning with
version 1.1.819.0, Azure AD Connect provides a wizard to configure hybrid
Azure AD join.
●● Azure AD Connect has synchronized the computer objects of the devices you
want to be hybrid Azure AD joined to Azure AD. If the computer objects belong
to specific organizational units (OUs), those OUs need to be configured for
synchronization in Azure AD Connect as well.
●● Intune MDM is set up and configured for automatic enrollment.
●● You have a Microsoft Enterprise Mobility + Security (EMS) or Intune license
for all users.
●● Active Directory joined devices are running Windows 10 version 1709 or later.
We recommend that you always use the latest version of Windows 10 so that
you get the newest advances in security, Azure AD and Intune features.
●● Azure AD automatic enrollment is enabled.
Hybrid Azure AD join is a process meant to automatically register your
on-premises domain-joined devices with Azure AD. There are cases, though, where
you don't want all your devices to register automatically, for example during
the initial pilot, when you want to verify that everything works as expected.
All current Windows devices automatically register with Azure AD at device start
or user sign-in. You can control this behavior either with a Group Policy Object
(GPO) or with System Center Configuration Manager.
To control current Windows devices:
●● For all devices: disable automatic device registration.
●● For selected devices: enable automatic device registration.
You control the device registration behavior of your devices by deploying the
following GPO setting: Register domain-joined computers as devices.
1. In the Group Policy Management Console, create two new GPOs and then go to
Computer Configuration > Policies > Administrative Templates > Windows
Components > Device Registration.
2. In the first GPO, apply the Disabled setting to prevent automatic device
registration. In the second GPO, apply the Enabled setting to allow
automatic device registration.
3. Link the first GPO to all devices in your environment and then link the
second GPO only to the OU containing your pilot devices. Because the OU link
is processed after the domain link, the pilot GPO wins for those devices.
Alternatively, you can use Group Policy security filtering and a security
group to control which devices can automatically register with Azure AD.
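The same two-GPO layout can be scripted with the GroupPolicy RSAT module, which makes it repeatable
in a lab domain before it is applied in production. The following is an added example for this
page, not code from the course or from Microsoft; the GPO names, the domain DN and the pilot OU DN
are assumptions to replace with your own. It writes the registry value that the "Register
domain-joined computers as devices" policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin,
value autoWorkplaceJoin, 1 for Enabled and 0 for Disabled).

```powershell
# Added example: create the "block all" and "allow pilot" GPOs that control hybrid
# Azure AD join device registration, and link them. Run on a domain-joined admin
# workstation with the GroupPolicy (RSAT) module installed.
Import-Module GroupPolicy

# Registry value behind "Register domain-joined computers as devices"
# (Computer Configuration > Policies > Administrative Templates > Windows Components
# > Device Registration). 1 = Enabled, 0 = Disabled.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName = 'autoWorkplaceJoin'

function Set-DeviceRegistrationGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State,
        [Parameter(Mandatory)] [string] $LinkTarget   # DN of the domain or OU to link to
    )

    # Create the GPO only if it does not exist yet, so the script is safe to rerun.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment "Hybrid Azure AD join: device registration $State"
    }

    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $ValueName `
        -Type DWord -Value $data | Out-Null

    # Link it to the target unless it is already linked there.
    $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }

    # Return what actually landed in the GPO so the caller can check it.
    Get-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $ValueName
}

# Assumed names: replace with your domain DN and the OU that holds the pilot devices.
$DomainDn = 'DC=contoso,DC=com'
$PilotOu  = 'OU=HybridJoinPilot,OU=Workstations,DC=contoso,DC=com'

# 1. Domain-wide GPO: registration Disabled (value 0) for every device.
Set-DeviceRegistrationGpo -Name 'Device Registration - Block All' -State Disabled -LinkTarget $DomainDn

# 2. Pilot-OU GPO: registration Enabled (value 1). The OU link is processed after the
#    domain link, so it wins and only devices in the pilot OU register.
Set-DeviceRegistrationGpo -Name 'Device Registration - Allow Pilot' -State Enabled -LinkTarget $PilotOu

# Alternative to a separate OU: scope the pilot GPO with security filtering. Keep Read
# for Authenticated Users (Group Policy processing still needs it after MS16-072) and
# give Apply only to a device group (assumed name 'HybridJoinPilotDevices').
# Set-GPPermission -Name 'Device Registration - Allow Pilot' -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
# Set-GPPermission -Name 'Device Registration - Allow Pilot' -TargetName 'HybridJoinPilotDevices' `
#     -TargetType Group -PermissionLevel GpoApply
```

After `gpupdate /force` on a pilot device, `dsregcmd /status` should report AzureAdJoined : YES
following the next sign-in, while a device outside the pilot OU stays at NO. If the pilot device
still does not register, check that its computer object is in an OU that Azure AD Connect
synchronizes, as listed in the prerequisites above.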

Migrating Group Policy management to MDM


Use of personal devices for work, as well as employees working outside the
office, is changing how organizations manage devices. While certain parts of
some organizations might require deep, granular control over devices, other
organizations are embracing lighter, scenario-based management that empowers the
modern workforce. Windows 10 continues the tradition of Windows delivering the
best-managed operating system for organizations. Windows provides support for
deep manageability and security through technologies like Group Policy, Active
Directory, and System Center Configuration Manager. It also delivers a
"mobile-first, cloud-first" approach of simplified, modern management using
cloud-based device management solutions such as Microsoft Enterprise Mobility +
Security (EMS).
The level of management needed, the devices and data managed, and industry
requirements can all define configuration requirements. Meanwhile, employees are
frequently concerned about IT applying strict policies to their personal
devices, but they still want access to corporate email and documents. Windows 10
provides a consistent set of configurations across PCs, tablets, and phones
through a common MDM layer. The MDM approach calls for settings that achieve the
admin's intent without exposing every possible setting. In contrast, Group
Policy exposes fine-grained settings that the admin controls individually. One
benefit of MDM is that it enables admins to apply broader privacy, security, and
application management settings through lighter and more efficient tools. This
makes MDM a good choice for devices that don't require the granular
management offered by Group Policy and Configuration Manager.
Consider the following scenarios, where MDM should be considered over on-premises
management:
●● A company has a large development department. They want to be able to
manage the developers' devices and implement some form of management: they
want to require BitLocker encryption and make some apps available, but they
don't need all the configuration offered by Group Policy or the management
offered by Configuration Manager. Furthermore, they can let the developers be
local administrators on their devices and keep those devices separated from
the rest of the on-premises environment.
●● A company needs devices in its reception area, where visitors can sign in
or use a browser to access information.
●● Sales representatives need a device on which they can use Outlook, a browser,
and a sales app for registering orders.
Many organizations still need to manage domain joined computers at a granular
level such as Internet Explorer’s many Group Policy settings due to support for
a specific app or very specific Windows Firewall rules to meet security policy.
In these cases, Group Policy and System Center Configuration Manager continue to
be excellent management choices. Group Policy is the best way to granularly
configure domain joined Windows PCs and tablets connected to the corporate
network using Windows-based tools. Microsoft continues to add Group Policy
settings with each new version of Windows. For granular configuration with
robust software deployment, Windows updates, and OS deployment, Configuration
Manager remains the recommended solution.
Review the roles in your organization. Identify users or devices that require
domain join, and consider switching others to Azure AD. Below is a model of a
generalized decision tree. Exceptions will apply in some cases, of course.

Are there groups of devices that could benefit from lighter, simplified
management? BYOD devices, for example, are natural candidates for cloud
management. Users or devices handling more highly regulated data might require
on-premises AD domain join for authentication. Configuration Manager and EMS
give you the flexibility to stage implementation of modern management
scenarios while targeting different devices the way that best suits your
business needs. The choice is yours.


What is the MDM Migration Analysis Tool?


Increasingly, organizations are moving to MDM to manage their devices. Microsoft
is adding functionality to the Windows 10 operating system itself to make
the transition to MDM easier.
Transitioning from Group Policy to MDM can be challenging. Some organizations
have Group Policies that have been in place for over a decade and that may not
be fully inventoried, let alone understood. Furthermore, MDM does not have a
one-to-one mapping for every legacy Group Policy setting. While it's possible
for an IT administrator to manually inventory Group Policy and cross-reference
the MDM documentation on MSDN to determine the support level, this would be
labor intensive and error prone.
For this reason, Microsoft created the MDM Migration Analysis Tool (MMAT). MMAT
determines which Group Policies have been set for a target user or computer and
cross-references them against its built-in list of supported MDM policies. MMAT
then generates both XML and HTML reports indicating the level of support for
each Group Policy setting in terms of MDM equivalents.
If you have a Group Policy setting for Minimum Password Length, for instance,
MMAT will detect it and tell you that MDM also supports that policy. If you're
using startup scripts, MMAT will report which ones you're using and indicate
that they are not supported by MDM.
The easiest way to learn MMAT is to use it: install MMAT's prerequisites, run
it against a representative user and computer, and then examine the HTML
report. With MMAT you can greatly speed your migration to MDM-managed devices.

Review Activity - Device Management Options

Test your knowledge of device management options with the interactive review
activity for this lesson, available at:
https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_1_devicemgmttutorial.html

Manage Intune device enrollment and inventory

Lesson Introduction
In this lesson, you will be introduced to managing devices using Intune. You
will learn how to configure and set up Intune so you can more easily manage
Windows 10, Android and iOS devices. You will examine how to enroll devices in
Intune, and you will be introduced to Multi-Factor Authentication (MFA). The
lesson concludes with an overview of verifying device inventory in Intune
using the Graph API and Power BI.
After this lesson, you should be able to:
●● Prepare Microsoft Intune for device enrollment.
●● Configure Microsoft Intune for automatic enrollment.
●● Explain how to enroll Windows 10, Android and iOS devices in Intune.
●● Explain when and how to use a device enrollment manager account.
●● Describe how to inventory Intune-enrolled devices using the Graph API and
Power BI.

Activating and Deploying MDM services


Intune lets you manage your workforce’s devices and apps and how they access
your company data. To use this Mobile Device Management (MDM), the devices must
first be enrolled in the Intune service. When a device is enrolled, it’s issued
an MDM certificate. This certificate is used to communicate with the Intune
service.
Several methods exist to enroll your workforce’s devices. Each method depends on
the device's ownership (personal or corporate), device type (iOS, Windows,
Android), and management requirements (resets, affinity, locking).
By default, devices for all platforms can enroll in Intune. However, you can
restrict devices by platform.

Prerequisites for iOS enrollment


Before you can enroll iOS devices, complete the following steps:
●● Set up Intune - These steps set up your Intune infrastructure. In
particular, device enrollment requires that you set your MDM authority. You
set this item only once, when you are first setting up Intune for mobile
device management.
●● Get an Apple MDM Push certificate - Apple requires a certificate to enable
management of iOS and macOS devices.
●● Sign up for Apple Business Manager (or Apple School Manager) if you intend
to use Apple's Device Enrollment Program (DEP).

iOS enrollment methods


User-owned iOS devices (BYOD)
You can let users enroll their personal devices for Intune management, known as
“bring your own device” or BYOD. Once you've completed the prerequisites and
assigned users licenses, they can download the Intune Company Portal app from
the App Store, and follow enrollment instructions in the app.
Company-owned iOS devices
For organizations that buy devices for their users, Intune supports the
following iOS company-owned device enrollment methods:
●● Apple's Device Enrollment Program (DEP)
●● Apple School Manager
●● Apple Configurator Setup Assistant enrollment
●● Apple Configurator direct enrollment
You can also enroll company-owned iOS devices with a device enrollment manager
account.
Device Enrollment Program
Organizations can purchase iOS devices through Apple's Device Enrollment
Program (DEP). DEP lets you deploy an enrollment profile "over the air" to
bring devices into management.
You can enable DEP enrollment for large numbers of devices without ever
touching them. You can ship devices like iPhones and iPads directly to users.
When the user turns on the device, Setup Assistant runs with preconfigured
settings and the device enrolls into management.
To enable DEP enrollment, you use both the Intune and Apple DEP portals. A
list of serial numbers or a purchase order number is required so you can
assign devices to Intune for management. You create DEP enrollment profiles
containing settings that are applied to devices during enrollment.
Supervised mode
An iOS device in supervised mode can be managed with more controls. As such,
it's especially useful for corporate-owned devices. Intune supports configuring
devices for supervised mode as part of DEP. We recommend that you use
supervised mode even though it requires more configuration than other iOS
enrollment methods. It gives you access to many policy settings in Intune that
are otherwise unavailable.
For more information, see: Automatically enroll iOS devices with Apple's Device
Enrollment Program (https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios).

Prerequisites for Android enrollment


Before you enroll Android devices, complete the following steps:
●● Set up Intune - These steps set up your Intune infrastructure. In
particular, device enrollment requires that you set your MDM authority. You
set this item only once, when you are first setting up Intune for mobile
device management.
●● By default, Intune is configured to allow enrollment of Android and Samsung
Knox Standard devices. Admins merely need to tell their users how to enroll
their devices.
●● After a user has enrolled, you can begin managing their devices in Intune,
including assigning compliance policies, managing apps, and more.

Android enrollment methods


User-owned Android devices (BYOD)
You can let users enroll their personal devices for Intune management (BYOD).
Once you've completed the prerequisites and assigned users licenses, they can
download the Intune Company Portal app from the Google Play Store, and follow
enrollment instructions in the app.
Android work profile
Intune helps you deploy apps and settings to Android work profile devices to
ensure work and personal information are separate.
To set up Android work profile management, you must connect your Intune tenant
account to your Android enterprise account. Android enterprise is a set of
features and services that separate personal apps and data from work apps and
data. Android enterprise provides additional management capabilities and privacy
when people use their Android devices for work. Android work profiles are
supported only on certain Android devices. Any device that supports Android work
profiles also supports conventional Android management.
If you want to enroll devices in Android work profiles, but those devices were
already enrolled as regular Android devices, those devices must first unenroll
and then re-enroll.
When you manage an Android work profile device with Intune, you don’t manage the
entire device. Management capabilities only affect the work profile that is
created on the device during enrollment. Any apps deployed to the device with
Intune get installed in the work profile. App icons in the work profile are
differentiated from personal apps on the device. All Android apps and data
outside the Android enterprise portion of the device remain personal and under
the control of the end user. Users can install any app they choose to the
personal side of the device. Administrators can manage and monitor apps and
actions scoped to the work profile.

Managing Corporate Enrollment Policy


When your organization signs up for a Microsoft cloud-based service like Intune,
you're given an initial domain name hosted in Azure AD that follows this model:
your-domain.onmicrosoft.com. In this example, your-domain is the domain
name that you chose when you signed up. onmicrosoft.com is the suffix
assigned to the accounts you add to your subscription. You can configure your
organization's custom domain to access Intune instead of the domain name
provided with your subscription.

Before you create user accounts or synchronize your on-premises Active
Directory, we strongly recommend that you add one or more of your custom domain
names. This simplifies user management and lets users sign in with the
credentials they use to access other domain resources.
You can decide to use only the .onmicrosoft.com domain if you want to, but
it should really only be used for the initial setup or for testing. You
cannot rename or remove the initial onmicrosoft.com domain name. You can
add, verify or remove custom domain names used with Intune to keep your business
identity clear.

To add and verify your custom domain


1. Go to the Office 365 management portal and sign in with your administrator
account.
2. In the navigation pane, choose Setup > Domains.
3. Choose Add domain, type your custom domain name, and click Next.
4. The Verify domain dialog box opens, giving you the values to create the
TXT record at your DNS hosting provider.
●● GoDaddy users: the Office 365 management portal redirects you to GoDaddy's
login page. After you enter your credentials and accept the domain
change permission agreement, the TXT record is created automatically.
Alternatively, you can create the TXT record yourself.
●● Register.com users: follow the step-by-step instructions to create the
TXT record.
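Before you click Verify, you can confirm from a command line that the TXT record is already visible
on the public Internet; the portal's check fails if the record has not propagated yet. The following
is an added PowerShell example, not part of the course text or of Microsoft's tooling. The domain
name and the MS=... token are placeholders for the values shown in your own Verify domain dialog,
and using a public resolver is an assumption made so that the answer is not served from an internal
DNS cache.

```powershell
# Added example: check that the Office 365 domain-verification TXT record is published.
# Queries a public resolver directly (-DnsOnly skips the local cache and hosts file) so
# the result reflects what Microsoft's verification service will see.
function Test-DomainVerificationTxt {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ExpectedValue,   # the TXT value from the Verify domain dialog
        [string] $Resolver = '8.8.8.8'                    # assumption: any public recursive resolver
    )

    try {
        $answers = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver -DnsOnly -ErrorAction Stop
    } catch {
        # NXDOMAIN, timeout or no TXT records at all end up here.
        return [pscustomobject]@{
            Domain = $DomainName; Published = $false; TxtValues = @(); Detail = $_.Exception.Message
        }
    }

    # A single TXT record can be split into several quoted strings; join them before comparing.
    $values = @($answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })
    $found  = $values -contains $ExpectedValue

    [pscustomobject]@{
        Domain    = $DomainName
        Published = $found
        TxtValues = $values
        Detail    = if ($found) { 'Record visible on the public resolver; safe to click Verify.' }
                    else { 'Record not visible yet; wait for the zone TTL to expire before verifying.' }
    }
}

# Placeholder domain and token; use your own domain and the exact value from the portal.
Test-DomainVerificationTxt -DomainName 'contoso.com' -ExpectedValue 'MS=ms12345678'
```

The TxtValues property also lists the other TXT records at the zone apex (SPF, other vendors'
verification tokens), which is a quick way to spot a record that was added to the wrong host name.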
Once you've set up Intune, users enroll Windows devices by signing in with their
work or school account.
As an Intune admin, you can simplify enrollment in the following ways:
●● Enable automatic enrollment (Azure AD Premium required)
●● CNAME registration
●● Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer
required)

Configure automatic MDM enrollment


Automatic enrollment lets users enroll their Windows 10 devices in Intune. To
enroll, users add their work account to their personally owned devices or join
corporate-owned devices to Azure Active Directory. In the background, the device
registers and joins Azure Active Directory. Once registered, the device is
managed with Intune.
1. Sign in to the Azure portal and select Azure Active Directory.
2. Select Mobility (MDM and MAM).
3. Select Microsoft Intune.
4. Configure the MDM User scope. Specify which users’ devices should be managed
by Microsoft Intune. These Windows 10 devices can automatically enroll in
Microsoft Intune.
●● None - MDM automatic enrollment is disabled
●● Some - Select the Groups that can automatically enroll their Windows
10 devices
●● All - All users can automatically enroll their Windows 10 devices
5. Use the default values for the following URLs:
●● MDM Terms of use URL
●● MDM Discovery URL
●● MDM Compliance URL
6. Click Save.

Azure Multi-Factor Authentication


When it comes to protecting your accounts, two-step verification should be
standard across your organization. This feature is especially important for
accounts that have privileged access to resources. For this reason, Microsoft
offers basic two-step verification features to Office 365 and Azure Active
Directory (Azure AD) administrators for no extra cost. If you want to upgrade
the features for your admins or extend two-step verification to the rest of your
users, you can purchase Azure Multi-Factor Authentication (MFA) in several ways.
By default, two-factor authentication is not enabled for the service. However,
two-factor authentication is recommended when registering a device. To enable
two-factor authentication, configure a two-factor authentication provider in
Azure AD and configure your user accounts for multi-factor authentication.
You can take one of two approaches for requiring two-step verification. The
first option is to enable each user for Azure MFA. When users are enabled
individually, they perform two-step verification each time they sign in (with
some exceptions, such as when they sign in from trusted IP addresses or when the
remembered devices feature is turned on). The second option is to set up a
conditional access policy that requires two-step verification under certain
conditions.
Choose one of these methods to require two-step verification, not both. Enabling
a user for Azure MFA overrides any conditional access policies.
●● Enabled by changing user state - This is the traditional method for
requiring two-step verification. It works with both Azure MFA in the cloud
and Azure MFA Server. Using this method requires users to perform two-step
verification every time they sign in and overrides conditional access
policies.
●● Enabled by conditional access policy - This is the most flexible means to
enable two-step verification for your users. Enabling using conditional
access policy only works for Azure MFA in the cloud and is a premium feature
of Azure AD.
●● Enabled by Azure AD Identity Protection - This method uses the Azure AD
Identity Protection risk policy to require two-step verification based only
on sign-in risk for all cloud applications. This method requires Azure
Active Directory P2 licensing.
For more information about licensing requirements and how to get Azure
Multi-Factor Authentication, refer to: How to get Azure Multi-Factor
Authentication3.

Enable MFA for a single Azure AD user


1. Sign in to the Azure portal as an administrator.
2. Go to Azure Active Directory > Users and groups > All users.
3. Select Multi-Factor Authentication.
4. A new page that displays the user states appears.
5. Find the user you want to enable for Azure MFA. You might need to change the
view at the top.
6. Select the checkbox for each user’s name.
7. On the right, under Quick Steps, select Enable or Disable.
8. Confirm your selection in the pop-up window that appears.
After you enable users, notify them via email. Tell them that they'll be asked
to register the next time they sign in. Also, if your organization uses
non-browser apps that don't support modern authentication, they need to create
app passwords. You can also include a link to the Azure MFA end-user guide to
help them get started.
For more information, go to: What does Azure Multi-Factor Authentication mean
for me4.
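The per-user state change in the procedure above can also be scripted, which is useful when you need to enable and then audit many accounts. The following PowerShell is an added example and not part of the course; it uses the MSOnline module's Set-MsolUser and Get-MsolUser cmdlets, and the user principal name shown is a placeholder. Keep in mind the caveat from the text: enabling a user this way prompts for two-step verification at every sign-in and overrides conditional access policies, so do not combine it with a conditional access approach.

```powershell
# Added example, not part of the course: enable, enforce or disable per-user
# Azure MFA with the MSOnline module and read the state back afterwards.
# Assumes the MSOnline module is installed and that the signed-in admin may
# change user authentication settings. The UPN used below is a placeholder.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as an administrator

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State = 'Enabled'
    )

    if ($State -eq 'Disabled') {
        # An empty requirements collection switches per-user MFA off again.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    }
    else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'      # apply to every relying party (application)
        $req.State        = $State   # Enabled: user registers at next sign-in; Enforced: already registered
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    }

    # Verify by reading the user back instead of trusting the write.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $current = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State
    } else { 'Disabled' }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        RequestedState    = $State
        CurrentState      = $current
        # Methods appear here only once the user has completed registration.
        RegisteredMethods = ($user.StrongAuthenticationMethods |
                             Select-Object -ExpandProperty MethodType) -join ','
    }
}

# Enable one user (placeholder UPN) and show the verified state.
Set-PerUserMfaState -UserPrincipalName 'adele.vance@contoso.com' -State 'Enabled'

# Audit: licensed users who still have no per-user MFA requirement at all.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName
```

The RegisteredMethods column stays empty until the user has actually completed registration at their next sign-in, which is the signal to watch for after the notification email described above; the final audit query is the quickest way to find licensed accounts that were never enabled.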

Simplify Windows enrollment without Azure AD Premium


To simplify enrollment, create a Domain Name System (DNS) alias (a CNAME
record) that redirects enrollment requests to the Intune servers. The record is
optional, but if no CNAME record is found, users are prompted to enter the MDM
server name, enrollment.manage.microsoft.com, manually.
Step 1: Create CNAME records (optional)
Create CNAME DNS resource records for your company’s domain. For example, if
your company’s website is contoso.com, you would create a CNAME in DNS that
redirects EnterpriseEnrollment.contoso.com to
enterpriseenrollment-s.manage.microsoft.com.
Azure Active Directory uses a different CNAME for device registration of iOS,
Android, and Windows devices. If you plan to use conditional access, you should
also configure the EnterpriseRegistration CNAME for each domain name you own.

3 https://docs.microsoft.com/da-dk/azure/active-directory/authentication/concept-mfa-licensing
4 https://docs.microsoft.com/da-dk/azure/active-directory/user-help/multi-factor-authentication-end-user
We recommend that you create both CNAME records for all DNS names that you own.

Type   Host name                            Points to                                      TTL (Time-To-Live)
CNAME  EnterpriseEnrollment.contoso.com     EnterpriseEnrollment-s.manage.microsoft.com    1 hour
CNAME  EnterpriseRegistration.contoso.com   EnterpriseRegistration.windows.net             1 hour
If the company uses more than one UPN suffix, you need to create two CNAME
records for each domain name and point each one to
EnterpriseEnrollment-s.manage.microsoft.com and
EnterpriseRegistration.windows.net respectively.
Step 2: Verify CNAME (optional)
1. In Intune in the Azure portal, select Device enrollment > Windows
enrollment > CNAME Validation.
2. In the Domain box, enter the company website and then select Test.
Changes to DNS records might take up to 72 hours to propagate. You can't verify
the DNS change in Intune until the DNS record propagates.
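Because DNS changes can take up to 72 hours to propagate, it helps to check the records yourself before running the CNAME Validation test in the portal. The following PowerShell is an added example, not part of the course; it uses the DnsClient cmdlet Resolve-DnsName to confirm that both records exist for every UPN suffix and point at the documented targets. The domain list is a placeholder for your own verified domains.

```powershell
# Added example (not from the course): check the Intune enrollment CNAMEs
# for every UPN suffix you own, using the DnsClient cmdlet Resolve-DnsName.
# The domain list is a placeholder; substitute your own verified domains.
$Domains = @('contoso.com', 'fabrikam.com')

# Expected targets, as documented for Windows enrollment and Azure AD
# device registration.
$Expected = @{
    'EnterpriseEnrollment'   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    'EnterpriseRegistration' = 'EnterpriseRegistration.windows.net'
}

function Test-IntuneEnrollmentCname {
    param([Parameter(Mandatory)] [string] $Domain)

    foreach ($label in $Expected.Keys) {
        $name   = "$label.$Domain"
        $target = $Expected[$label]
        try {
            # -DnsOnly bypasses the local cache and hosts file so you see what
            # a client on the Internet would see.
            $records = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop
            $cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $actual  = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
        }
        catch {
            $actual = $null   # NXDOMAIN, or no CNAME at this name
        }

        [pscustomobject]@{
            Record   = $name
            Expected = $target
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ($actual -ieq $target)
        }
    }
}

$results = foreach ($d in $Domains) { Test-IntuneEnrollmentCname -Domain $d }
$results | Format-Table -AutoSize

# Non-zero exit so the check can run as a scheduled job or pipeline step.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it from any Windows machine with Internet DNS access; the -DnsOnly switch skips the local resolver cache so a stale cached answer does not mask a missing record, and a record that resolves to an A record instead of the expected CNAME is reported as a failure rather than silently accepted.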

Enrolling Windows 10 devices


There are many ways to enroll Windows 10 devices into Microsoft Intune for
device management. Some are user-driven and some are controlled by IT
administrators. Some exist to support BYOD programs and others to streamline
modern provisioning scenarios and management for corporate-owned devices. Each
enrollment method can have different setup requirements and behaviors. The
methods that can be used to enroll in Intune are:
●● Method 1: Add work or school account
●● Method 2: Enroll in MDM only (user driven)
●● Method 3: Azure AD join (OOBE)
●● Method 4: Azure AD join (autopilot – user-driven deployment mode)
●● Method 5: Azure AD join (autopilot self-deploying mode)
●● Method 6: Enroll in MDM only (Device Enrollment Manager)
●● Method 7: System Center Configuration Manager co-management
●● Method 8: Azure AD join (bulk enrollment)
Method 1: Add work or school account
This enrollment method will Azure AD join the device. If you have Azure AD
Premium licenses and your Azure AD tenant has auto-enrollment for Intune
configured, your device will also be enrolled into Intune. This method is
preferred when Autopilot is not used in the environment. You would normally
provide users with instructions on how to set up a work or school account from
the Settings app.
<img src="../..\Linked_Image_Files\MD101.3_01_02_03_image1.png" alt="Screenshot of the “Set up a
work or school account” window which appears after clicking "Connect" from the Access work or school"
page." title="">
Method 2: Enroll only in device management (user driven)


This enrollment method will only enroll the device in Intune and not Azure AD
join the device. You will only use this form of enrollment in environments that
do not have Azure AD Premium licenses that are required to enable
auto-enrollment of devices into Intune.

Method 3: Azure AD join (OOBE)


This enrollment method does the same as method 1, with one exception: the
device is enrolled during the Out of Box Experience (OOBE) and not from within
the Settings app. By choosing Set up for an organization and signing in with a
work account, the device is Azure AD joined. If you have Azure AD Premium
licenses and your Azure AD tenant has auto-enrollment for Intune configured,
the device is also enrolled into Intune. This method is typically used where
you do not have direct access to your users and their devices, for example a
remote office where the devices are delivered directly with Windows 10
pre-installed, typically Windows 10 Pro. The user powers on the machine and
joins Azure AD during OOBE. The device is enrolled in Intune and receives apps
and configuration from Intune. The Windows 10 edition is typically uplifted to
Windows 10 Enterprise using an Intune profile setting.
Method 4: Azure AD join (autopilot – user-driven deployment mode)


This enrollment method does the same as method 3 (Azure AD join during OOBE),
with a few exceptions. The OOBE is customized, and many of its screens can be
skipped to give end users a smoother setup experience. If configured, the
desktop is first shown to the user only after software has been installed and
policies have been applied.
This is the preferred method for enrolling devices in Intune, but it requires
Azure AD Premium licenses and an Azure AD tenant with auto-enrollment for
Intune configured.
Method 5: Azure AD join (autopilot self-deploying mode)


This enrollment method basically does the same as method 4, with one exception.
It allows all OOBE screens to be skipped after the device is first powered on.
The Azure AD join and Intune enrollment are fully automated without any user
interaction. It's currently in preview and can be configured by choosing these
options in your autopilot profile in the Intune console.
This type of enrollment is primarily for user-less devices such as kiosks, but
it can be used for normal users as well. You can pre-assign a user to a device
so all the user has to supply is a password. This setup experience is the most
streamlined compared to the other methods.
Method 6: Enroll in MDM only (Device Enrollment Manager)


This method of enrollment is very similar to method 2 (MDM-only enrollment
from the Settings app), except that it is performed by IT admins using a special
type of account, a Device Enrollment Manager (DEM) account. A DEM account is
useful for scenarios where devices are enrolled and prepared before they are
handed out to their users. The DEM enrolls the device, signs in to the Company
Portal and installs the apps required by the user. One DEM account can enroll up
to 1,000 devices into Intune. The IT administrator who performs the enrollment
must have local administrator credentials to complete the enrollment from the
Settings app. For more information about DEM, refer to the topic Enrollment
Rules later in this lesson.
Method 7: System Center Configuration Manager co-management


Co-management enables you to concurrently manage Windows 10 devices by using
both Configuration Manager and Intune. It’s a solution that provides a bridge
from traditional to modern management and gives you a path to make the
transition using a phased approach. Co-management is the preferred way to enroll
existing devices, that are already being managed by System Center Configuration
Manager (SCCM). Once enabled, the device can be managed by SCCM and Intune,
leveraging the best features of both.
Method 8: Azure AD join (bulk enrollment)
Bulk enrollment is an efficient way to set up a large number of devices to be
managed by Intune without the need to re-image them. You enable bulk enrollment
by creating a provisioning package with the Windows Configuration Designer app
from the Store. You then apply this package either during OOBE or by running it
from the Settings app. This method can be used instead of method 1 if you want
the enrollment process to be as easy as possible for your users: you do not
have to provide instructions on how to set up a work or school account from the
Settings app. You simply supply the provisioning package, and all the user has
to do is run it to enroll the device in Azure AD and Intune.
Enrolling Android Devices


To enroll an Android device using the Company Portal, perform the following
steps:
1. Install the free Intune Company Portal app from Google Play.
2. Open the Company Portal app.
3. On the Company Portal Welcome screen, tap Sign in, and then sign in with
your work or school account.
4. Follow the instructions given in the Company Portal. The end-user experience
can vary based on the policies assigned to the user and/or device.
For a walk-through of enrolling an Android device using the Company Portal,
watch the Enrolling your Android device video:

Enrolling your Android device

Enrolling iOS Devices


Enroll your iOS device using Company Portal
1. Download and install the Intune Company Portal from Apple app store.
2. Open the Company Portal app.
3. On the Company Portal Welcome screen, tap Sign in, and then sign in with
your work or school account.
4. Follow the instructions given in the Company Portal. The end-user experience
can vary based on the policies assigned to the user and/or device.
Enrolling an iOS device configured for the Device Enrollment Program (DEP)
1. Turn on your iOS device.
2. After you select your language, connect your device to Wi-Fi.
3. On the Set up iOS device screen, choose whether you want to:
●● Set up as new device
●● Restore from iCloud backup
●● Restore from iTunes backup
4. Once you’ve connected to Wi-Fi, the Configuration screen will appear. A
message will say that:
●● [Your Company] will automatically configure your device.
●● Configuration allows [Your Company] to manage this device over the air.
An administrator can help you set up email and network accounts, install
and configure apps, and manage settings remotely. An administrator may
disable features, install and remove apps, monitor and restrict your
Internet traffic and remotely erase this device.
●● Configuration is provided by: [Your Company's] iOS Team [Address]
5. Log in with your Apple ID. Logging in lets you install the Company Portal
app and install the management profile that will let your company give you
access to their resources, like email and apps.
6. Agree to the Terms and Conditions and decide whether you want to send
diagnostic information to Apple.
7. Once you complete your enrollment, your device may prompt you to take more
actions. Some of these steps might be entering your password for email
access or setting up a passcode.
For a walk-through of enrolling an iOS device using the Company Portal, watch
the Enroll your mobile device in Microsoft Intune for corporate access video:

Enrollment Rules
Organizations can use Intune to manage large numbers of mobile devices with a
single user account. The device enrollment manager (DEM) account is a special
user account that can enroll up to 1,000 devices. You add existing users to the
DEM account to give them the special DEM options. Each enrolled device uses a
single license. A DEM account is useful for scenarios where devices are enrolled
and prepared before handing them out to the users of the devices. The DEM would
enroll the device, log on to the company portal and install the apps required by
the user. If the user requires individual configuration such as e-mail profiles
then the user should enroll the device themselves and DEM should not be used.
Users must exist in the Azure portal to be added as device enrollment managers.
For optimal security, the DEM user shouldn't also be an Intune admin. The DEM
enrollment method can't be used with these other enrollment methods: Apple
Configurator with Setup Assistant, Apple Configurator with direct enrollment,
Apple School Manager (ASM), or Device Enrollment Program (DEP).

Example of a device enrollment manager scenario


A restaurant wants to provide 50 point-of-sale tablets for its wait staff, and
order monitors for its kitchen staff. The employees never need to access company
data or sign in as users. The Intune admin creates a new device enrollment
manager account for the restaurant supervisor. This account is separate from the
supervisor's primary account and is used only for enrolling shared devices with
Intune. The supervisor can now enroll the 50 tablets devices by using the DEM
credentials.

What can a device enrollment manager do?


Only users in Azure AD can be added as a device enrollment manager.
The DEM user can:
●● Enroll up to 1000 devices in Intune
●● Sign in to the Company Portal to get company apps
●● Configure access to company data by deploying role-specific apps to the
tablets

Limitations of devices that are enrolled with a DEM account

Devices that are enrolled with a device enrollment manager account have the
following limitations:
●● No per-user access. Because devices don't have an assigned user, the device
has no email or company data access. VPN configurations, for example, could
still be used to provide device apps with access to data.
●● The DEM user can't unenroll DEM-enrolled devices on the device itself by
using the Company Portal. The Intune admin can unenroll.
●● Only the local device appears in the Company Portal app or website.
●● Users can’t use Apple Volume Purchase Program (VPP) apps with user licenses
because of per-user Apple ID requirements for app management.
●● (iOS only) If you use DEM to enroll iOS devices, you can't use the Apple
Configurator, Apple Device Enrollment Program (DEP), or Apple School Manager
(ASM) to enroll devices. This means that you can't put the device in
supervised mode and thus won't have access to some configuration options.
●● (Android only) There's a limit to the number of Android work profile devices
that can be enrolled with a single DEM account. Up to 10 Android work
profile devices may be enrolled per DEM account. This limitation doesn't
apply to legacy Android enrollment.
●● Devices can install VPP apps if they have device licenses.
●● An Intune device license isn't required to use DEM.

Add a device enrollment manager


1. In Intune in the Azure portal, select Device enrollment > Device enrollment
managers.
2. Select Add.
3. On the Add User blade, enter a user principal name for the DEM user, and
select Add. The DEM user is added to the list of DEM users.

Permissions for DEM


Global or Intune Service Administrator Azure AD roles are required to:
●● Complete tasks that are related to DEM enrollment in the Admin Portal
●● Access all DEM users despite role-based access control (RBAC) permissions
being listed and available under the custom User role
A user without the Global Administrator or Intune Service Administrator role
assigned, but who has read permissions for the Device Enrollment Managers role,
can access only the DEM users they created. RBAC role support for these features
will be announced in the future.

Intune for Education reporting


Microsoft Intune does not include any preconfigured report that you can run
out of the box. Some report functionality is included in Microsoft Intune for
Education, a lightweight version of Microsoft Intune designed specifically for
education. It lets you manage Windows 10 and iOS devices using the full MDM
capabilities available in Intune.
In Intune for Education you can download the following reports:
●● Device inventory report
●● Application inventory report
●● Settings error report
●● Windows Defender report
To access reports in Intune for Education, do the following:
1. From the Intune for Education dashboard, click Reports.
2. Select the report you want to view.
3. Use the search boxes to find specific devices, applications, and settings.
4. To download a report, click Download report. Intune for Education will
download a report to your computer, as a comma-separated value (.csv) file.
5. View and modify the file in Microsoft Excel.

Device and application reporting


Even though Microsoft Intune doesn't include a reports node for accessing and
downloading reports, you can still report on all your devices and applications
in the same way as you would in Intune for Education.
Device reporting
To create and download a report for all your devices, in the Azure Portal, do
the following:
1. Click the Intune blade
2. Click Devices and then under Manage, click All devices.
3. In the All devices blade, click Export.
4. Click yes and a report containing all your devices with hardware
inventory will be downloaded to your computer, as a comma-separated value
(.csv) file.
5. You can now view or modify the report in Excel.
Application reporting
To create and download a report for all your applications, in the Azure Portal,
do the following:
1. Click the Intune blade.
2. Click Client apps and then under Manage, click Apps.
3. In the Apps blade, click Export.
4. Click yes and a report containing all your applications will be
downloaded to your computer, as a comma-separated value (.csv) file.
5. You can now view or modify the report in Excel.
You can also download Audit logs from Intune, which provides you with a record
of activities that generate a change in Microsoft Intune. Create, Update (edit),
Delete, and Assign actions, or remote tasks, generate audit events that you can
review. You can review audit logs for most Intune workloads. Auditing is enabled
by default for all customers and can't be disabled.
For more information, refer to: Audit logs for Intune
activities5.

5 https://docs.microsoft.com/en-us/intune/monitor-audit-logs
Building Custom Intune Inventory Reports


You can use the Intune Data Warehouse to build professional looking reports that
provide insight into your enterprise mobile environment. For example, some of
the reports include:
●● Trend of users enrolling in Intune so you can optimize your license
purchases
●● App and OS version breakdowns so you can review the status of devices
●● Enrollment and device compliance trends so you can smoothly roll out policy
updates
The Data Warehouse provides you access to more information about your Intune
environment than the Azure portal. With the Intune Data Warehouse you can
access:
●● Historical Intune data
●● Data refreshed on a daily cadence
●● A data model using the OData standard
Requirements for accessing the Intune Data Warehouse (including the API) are:
●● User must be one of:
●● Azure AD global administrator
●● An Intune service administrator
●● User with role-based access to Intune data warehouse resources
●● User-less authentication using application-only authentication
●● Install the latest version of Power BI Desktop. You can download Power BI
Desktop from: PowerBI.microsoft.com
When accessing data in the Data Warehouse with Power BI, you have two options:
●● Load the data using the Power BI file
●● Load the data in Power BI using the OData link
You can download a file for use with Microsoft Power BI that allows you to load
interactive, dynamically generated reports for your Intune tenant. The Data
Warehouse Power BI file (pbix) contains connection settings to your tenant, as
well as the following sample reports and charts:
●● Devices
●● Enrollment
●● App protection policy
●● Compliance policy
●● Device configuration profiles
●● Software updates
●● Device inventory logs
There are also trends highlighted for the enrollment, compliance, device
configuration profile, and software updates. Sample charts and reports apply
user-friendly filters to the canvas. To use advanced filters, check out the
Filter pane in Power BI Desktop.
Load the data using the Power BI file
1. Sign in to the Azure portal and click Intune.
2. Open the Microsoft Intune Data Warehouse API (Preview) blade.
3. Select Download PowerBI file. The file with a (pbix) extension downloads
to the location you specified.
4. Open the file with Power BI. The Intune Data Warehouse Reports loads, but
may take a moment to get your tenant data.
5. Select Refresh to load your tenant data and review the reports.
6. If Power BI has not authenticated with your Azure Active Directory
credentials, Power BI prompts you to provide your credentials. When
selecting your credentials, choose Organizational account as your
authentication method.
Load the data in Power BI using the OData link
With a client authenticated to Azure AD, the OData URL connects to the RESTful
endpoint in the Data Warehouse API that exposes the data model to your reporting
client. Follow these instructions to use Power BI Desktop to connect and create
your own reports. You’re not limited to Power BI Desktop, but can use your
favorite analytic tool with the OData URL provided the client supports OAUTH2.0
authentication and the OData v4.0 standard.
1. Sign in to the Azure portal and choose Monitoring + Management >
Intune. You can also search resources for Intune.
2. Open the Microsoft Intune Data Warehouse API (Preview) blade.
3. Retrieve the custom feed URL from the reporting blade, for example
[code]https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService/
dates?api-version=beta[/code]
4. Open Power BI Desktop.
5. Choose Home > Get Data. Select OData feed.
6. Choose Basic.
7. Type or paste the OData URL into the URL box.
8. Select OK.
9. If you have not authenticated to Azure AD for your tenant from the Power BI
desktop client, type your credentials. To gain access to your data, you must
authorize with Azure AD using OAuth 2.0.
●● Select Organizational account.
●● Type your username and password.
●● Select Sign In.
●● Select Connect.
10. Select Load.
Accessing Intune using Microsoft Graph API


The Microsoft Graph API for Intune enables programmatic access to Intune
information for your tenant; the API performs the same Intune operations as
those available through the Azure portal. Microsoft Graph is primarily used for
programmatic access to your data in the cloud, and thus for building automation
scripts, but you can also use it to extract data from Intune and manipulate
that data further in your preferred analysis or reporting tool. With Microsoft
Graph you have access to all data in Intune, but it is more complex to work
with than, for example, Power BI and the Intune Data Warehouse.
<img src="../..\Linked_Image_Files\MD101.3_01_02_05_image1.png" alt="Illustration titled, “Intune APIs in
Microsoft Graph: automation, integration & advanced analytics -” " title="">
For mobile device management (MDM) scenarios, the Graph API for Intune supports
standalone deployments. Intune provides data into the Microsoft Graph in the
same way as other cloud services do, with rich entity information and
relationship navigation. Use Microsoft Graph to combine information from other
services and Intune to build rich cross-service applications for IT
professionals or end users.
Here’s an example of how you can determine whether an application is installed
on a user's device:
1. From Azure AD, get a list of devices registered to a user:
[code]https://graph.microsoft.com/beta/users/{user}/ownedDevices[/code]
2. Then view the list of applications for your tenant:
[code]https://graph.microsoft.com/beta/deviceAppManagement/mobileApps[/code]
3. Take the ID from the application and determine the installation state for
the application (and therefore user):
[code]https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{id}/deviceStatuses/[/code]
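The three requests above can be chained into a script. The following PowerShell is an added example; it is not from the course or from the powershell-intune-samples repository. It calls the same three beta endpoints with Invoke-RestMethod, follows @odata.nextLink paging, and reuses the same paging helper to pull an entity from the Data Warehouse OData feed described in the previous topic into a CSV file. It assumes two bearer tokens obtained beforehand (for example with the MSAL.PS module): $GraphToken for https://graph.microsoft.com with the DeviceManagementApps.Read.All and Directory.Read.All scopes consented, and $DwToken for the Data Warehouse resource https://api.manage.microsoft.com/. The device filter joins Azure AD device objects to Intune install status on device display name, which is a simplification noted in the code; the user and app names are placeholders.

```powershell
# Added example (not from the course or the powershell-intune-samples repo):
# chain the three Graph calls from the text, with @odata.nextLink paging, and
# reuse the same helper to export a Data Warehouse entity over OData.
# Assumptions: $GraphToken is a bearer token for https://graph.microsoft.com
# (DeviceManagementApps.Read.All and Directory.Read.All consented); $DwToken
# is a bearer token for the Data Warehouse resource
# https://api.manage.microsoft.com/. Both are obtained beforehand, e.g. with
# MSAL.PS Get-MsalToken.

function Get-ODataPages {
    # Follow @odata.nextLink until the feed is exhausted; return every value.
    param([Parameter(Mandatory)] [string] $Uri, [Parameter(Mandatory)] [string] $Token)
    $headers = @{ Authorization = "Bearer $Token" }
    $out = New-Object System.Collections.Generic.List[object]
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        foreach ($v in $page.value) { $out.Add($v) }
        $Uri = $page.'@odata.nextLink'
    }
    return $out
}

function Get-AppInstallStateForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $Token
    )
    $g   = 'https://graph.microsoft.com/beta'
    $upn = [uri]::EscapeDataString($UserPrincipalName)

    # 1. Devices registered to the user (Azure AD directory objects).
    $devices     = Get-ODataPages -Uri "$g/users/$upn/ownedDevices" -Token $Token
    $deviceNames = $devices | ForEach-Object { $_.displayName }

    # 2. Find the app by display name; double the quote to escape it for OData.
    $filter = "displayName eq '" + ($AppDisplayName -replace "'", "''") + "'"
    $apps   = Get-ODataPages -Uri "$g/deviceAppManagement/mobileApps?`$filter=$([uri]::EscapeDataString($filter))" -Token $Token
    if (-not $apps) { throw "No app named '$AppDisplayName' in this tenant." }

    # 3. Per-device install status for that app, narrowed to the user's devices.
    #    Simplification: the join is on device display name. Azure AD and
    #    Intune use different device identifiers, so names are the only field
    #    both responses share here.
    foreach ($app in $apps) {
        $statuses = Get-ODataPages -Uri "$g/deviceAppManagement/mobileApps/$($app.id)/deviceStatuses" -Token $Token
        foreach ($s in $statuses | Where-Object { $deviceNames -contains $_.deviceName }) {
            [pscustomobject]@{
                App          = $app.displayName
                Device       = $s.deviceName
                InstallState = $s.installState   # e.g. installed, failed, notInstalled
                User         = $s.userPrincipalName
            }
        }
    }
}

function Export-DataWarehouseEntity {
    # Pull one Data Warehouse collection (e.g. 'devices') to CSV for tools that
    # do not speak OData. $FeedBase is the custom feed URL from the Data
    # Warehouse blade, up to and including '/DataWarehouseFEService'.
    param(
        [Parameter(Mandatory)] [string] $FeedBase,
        [Parameter(Mandatory)] [string] $Entity,
        [Parameter(Mandatory)] [string] $Token,
        [string] $Path = ".\intune-dw-$Entity.csv"
    )
    $rows = Get-ODataPages -Uri "$FeedBase/$($Entity)?api-version=beta" -Token $Token
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return @($rows).Count
}

# Usage (placeholders): which of a user's devices have Company Portal installed?
Get-AppInstallStateForUser -UserPrincipalName 'adele.vance@contoso.com' `
    -AppDisplayName 'Company Portal' -Token $GraphToken | Format-Table -AutoSize

# Data Warehouse export; take the feed base from the blade's custom feed URL,
# e.g. https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService
# Export-DataWarehouseEntity -FeedBase $feedBase -Entity 'devices' -Token $DwToken
```

For a production script, join on the Intune managedDevice's azureADDeviceId rather than on display name, since ownedDevices returns Azure AD directory objects while deviceStatuses reports Intune's own device records; names can collide or drift. Paging is not optional either: a tenant with more than one page of apps or install statuses would otherwise silently report only the first page.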
Using Microsoft Graph Explorer
You could use the Microsoft Graph Explorer, which is a tool that lets you make
requests and receive responses against the Microsoft Graph. Doing so should make
it easier to find out how you would build your queries against Graph for Intune.
You can find the Microsoft Graph Explorer at: Graph Explorer6. For examples of
scripts used to access and manipulate data in Intune using Microsoft Graph,
refer to the Graph API PowerShell-Intune-Sample script at: Microsoft Graph
Powershell Intune Samples7.
Before you can use Microsoft Graph Explorer or run scripts against Microsoft
Graph API you need to assign permission in Azure AD to the user running the
tool. Microsoft Graph controls access to resources using permission scopes. As a
developer, you must specify the permission scopes you need to access Intune
resources. Typically, you specify the permission scopes you need in the Azure AD
portal. It is also possible to assign the required permission in Microsoft Graph
Explorer if you are logged on as a Global Administrator. For more information,
go to: Microsoft Graph permissions reference8.

6 https://developer.microsoft.com/en-us/graph/graph-explorer
7 https://github.com/microsoftgraph/powershell-intune-samples

Review Activity - Manage Intune device enrollment and inventory

REVIEW ACTIVITY – Intune Device Enrollment

Let's play a quick game to test your knowledge of Intune device enrollment. Click
on the button below to open this review activity full screen.
LAUNCH ACTIVITY9

8 https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
9 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_1_2_deviceenrollmenttutorial.html
Module 2 Configuring Profiles

Configuring device profiles


Lesson Introduction
This lesson introduces you to Intune device profiles. You will learn about the
various types of device profiles and also be introduced to managing PowerShell
scripts in Intune for Windows 10 devices. You will examine custom device
profiles and learn how to create, manage and monitor them for Windows, Android
and iOS.
After this lesson, you should be able to:
●● Describe the various types of device profiles in Intune
●● Manage PowerShell scripts in Intune
●● Explain the difference between built-in and custom profiles
●● Create, manage and monitor profiles

What are Intune device profiles


Microsoft Intune includes settings and features that you can enable or disable
on different devices within your organization. These settings and features are
managed using profiles. Some profile examples include:
●● A Wi-Fi profile that gives different devices access to your corporate Wi-Fi.
●● A VPN profile that gives different devices access to your VPN server within
your corporate network.

Types of device profiles


The following profiles are available in Intune at the time of this writing:
●● Device features - iOS and macOS. Device features control features on iOS
and macOS devices, such as AirPrint, notifications, and shared device
configurations.
●● Device restrictions. Device restrictions control security, hardware,
data sharing, and more settings on the devices. For example, create a device
restriction profile that prevents iOS device users from using the device
camera.
●● Endpoint protection. Endpoint protection settings for Windows 10
configure BitLocker and Windows Defender settings for Windows 10 devices.
●● Identity protection. Identity protection controls the Windows Hello for
Business experience on Windows 10 and Windows 10 Mobile devices. Configure
these settings to make Windows Hello for Business available to users and
devices, and to specify requirements for device PINs and gestures.
●● Kiosk. The kiosk settings profile configures a device to run one app or
run multiple apps. You can also customize other features on your kiosk,
including a start menu and a web browser.
●● Email. The email settings profile creates, assigns, and monitors
Exchange ActiveSync email settings on the devices. Email profiles help
ensure consistency, reduce support calls, and let end-users access company
email on their personal devices, without any required setup on their part.
●● VPN. VPN settings assign VPN profiles to users and devices in your
organization, so they can easily and securely connect to the network.
Virtual private networks (VPNs) give users secure remote access to your
company network. Devices use a VPN connection profile to start a connection
with your VPN server.
●● Wi-Fi. Wi-Fi settings assign wireless network settings to users and
devices. When you assign a Wi-Fi profile, users get access to your corporate
Wi-Fi without having to configure it themselves.
●● eSIM cellular - Public preview. eSIM cellular profiles provide the
ability to configure cellular data plans on your managed devices for
internet and data access. After getting activation codes from your mobile
operator, you can use Intune to import these activation codes, and then
assign to your eSIM capable devices.
●● Education
●● Education settings - Windows 10: configure options for the Windows Take
a Test app. When you configure these options, no other apps can run on
the device until the test is complete.
●● Education settings – iOS: uses the iOS Classroom app to guide learning
and control student devices in the classroom. You can configure iPad
devices so that multiple students can share a single device.
●● Edition upgrade. Windows 10 edition upgrades automatically upgrade
devices that run some versions of Windows 10 to a newer edition.

●● Update policies. iOS update policies show you how to create and assign
iOS policies to install software updates on your iOS devices. You can also
review the installation status.
●● Certificates. Certificate profiles configure trusted root, Simple
Certificate Enrollment Protocol (SCEP), and Public Key Cryptography Standards
(PKCS) certificates that can be assigned to devices and used to authenticate
Wi-Fi, VPN, and email profiles.
●● Windows Information Protection profile. Windows Information Protection
helps protect against data leakage without interfering with the employee
experience. It also helps to protect enterprise apps and data against
accidental data leaks on enterprise-owned devices and personal devices that
employees use at work. It does this without requiring changes to your
environment or other apps.
●● Custom profile. Custom settings include the ability to assign device
settings that are not built into Intune. For example, on Android devices, you
can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For
iOS devices, you can import a configuration file you created in the Apple
Configurator. Custom profiles will be explained in detail in a later topic.

Creating device profiles


1. In the Azure portal, select All Services, and search for Microsoft
Intune.
2. In Microsoft Intune, select Device configuration, and select
Profiles. Then select Create Profile.
3. Enter the following properties:
●● Name: Enter a descriptive name for the new profile.
●● Description: Enter a description for the profile. (This is optional
but recommended.)
●● Platform: Select the platform type:
●● Android
●● Android work profiles
●● iOS
●● macOS
●● Windows Phone 8.1
●● Windows 8.1 and later
●● Windows 10 and later
●● Profile type: Select the type you want to create.
●● Settings: Lists all the profile types. The list depends on the
platform you choose.

4. Select Create when finished.
5. The profile is created and appears in the list.

Manage PowerShell scripts in Intune for Windows 10 devices
The Intune management extension lets you upload PowerShell scripts in Intune to
run on Windows 10 devices. The management extension supplements Windows 10
mobile device management (MDM) capabilities and makes it easier for you to move
to modern management.
You can create PowerShell scripts to run on the Windows 10 devices that provide
the capabilities you need. For example, you can create a PowerShell script that
installs a legacy Win32 app on your Windows 10 devices, upload the script to
Intune, assign the script to an Azure Active Directory (Azure AD) group, and run

the script on Windows 10 devices. You can then monitor the run status of the
script on Windows 10 devices from start to finish.
The Intune management extension has the following prerequisites:
●● Devices must be joined to Azure AD. This does not include Hybrid AD joined
devices.
●● Devices must run Windows 10, version 1607 or later.
●● Automatic MDM enrollment must be enabled in Azure AD, and devices must be
auto-enrolled to Intune.
Create a PowerShell script policy
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Device configuration > PowerShell scripts > Add.
4. Enter a Name and Description for the PowerShell script. For Script location,
browse to the PowerShell script. The script must be less than 200KB (ASCII)
or 100KB (Unicode) in size.
5. Choose Configure. Then choose to run the script with either the user's
credentials on the device (by selecting Yes), or in the system context
(by selecting No). By default, the script runs in the system context.
Select Yes unless the script is required to run in the system context.
6. Choose if the script must be signed by a trusted publisher. By default,
there is no requirement for the script to be signed.
7. Select OK, and then Create to save the script.

Creating a custom device profile


Intune may not have all the built-in settings you need or want. Or you may want
to use a setting available in other device profiles. To add these settings,
create a device profile, and configure the profile with custom device settings.
If you're looking for a specific setting, remember that the Windows 10 device
restriction profile contains many settings that are built into Intune, and don't
require custom values. Furthermore, new functionality is added to Intune
frequently so you should always check to see if the setting you need is
available as a native Intune setting.
For more information, refer to What's new in Microsoft Intune1.
Custom settings on different platforms
Custom settings are configured differently for each platform. For example, to
control features on Android and Windows devices, you can enter Open Mobile
Alliance Uniform Resource Identifier (OMA-URI) values. For Apple devices, you
can import a file you created with the Apple Configurator.
Creating a custom profile
1. Sign in to the Azure portal.

1 https://docs.microsoft.com/en-us/intune/whats-new

2. Select All services, filter on Intune, and select Microsoft Intune.


3. Select Device configuration, select Profiles, and then choose
Create profile.
4. Enter a Name and Description for the custom profile.
5. From the Platform drop-down list, select the device platform to apply the
custom settings.
6. Depending on the platform you choose, the settings you can configure are
different. The following links provide more details on the custom settings
for each platform:
●● Android settings2
●● iOS settings3
●● macOS settings4
●● Windows Phone 8.1 settings5
●● Windows 10 settings6
●● Windows Holographic for Business settings7
●● Android work profile settings8
7. When you're done, select Create.
The profile is created and appears on the profiles list.

Creating a custom profile for Windows 10 devices


Use the Microsoft Intune custom profile for Windows 10 and Windows 10 Mobile to
deploy OMA-URI settings. These settings are used to control features on devices.
Windows 10 makes many Configuration Service Provider (CSP) settings available,
such as Policy CSP.
1. Create a new configuration profile using the steps in Creating a custom
profile above.
2. In Custom OMA-URI Settings, select Add to create a new setting. You can
also click Export to create a list of all the values you configured in a
comma-separated values (.csv) file.

2 https://docs.microsoft.com/en-us/intune/custom-settings-android
3 https://docs.microsoft.com/en-us/intune/custom-settings-ios
4 https://docs.microsoft.com/en-us/intune/custom-settings-macos
5 https://docs.microsoft.com/en-us/intune/custom-settings-windows-phone-8-1
6 https://docs.microsoft.com/en-us/intune/custom-settings-windows-10
7 https://docs.microsoft.com/en-us/intune/custom-settings-windows-holographic
8 https://docs.microsoft.com/en-us/intune/custom-settings-android-for-work

3. For each OMA-URI setting you want to add, enter the following information:
●● Name: Enter a unique name for the OMA-URI setting to help you
identify it in the list of settings.
●● Description: Optionally, enter a description for the setting.
●● OMA-URI (case sensitive): Enter the OMA-URI for which you want to
supply a setting.
●● Data type: Choose from:
●● String
●● String (XML)
●● Date and time
●● Integer
●● Floating point
●● Boolean
●● Base64
●● Value: Enter the value or file to associate with the OMA-URI you
entered.
4. When you're done, select OK. In Create profile, select Create. The
profile is created, and is shown in the profiles list.
Example
In the following example, the Connectivity/AllowVPNOverCellular setting is
enabled. This setting allows a Windows 10 device to open a VPN connection when
on a cellular network.
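The following PowerShell is an added example, not code from the course or from the powershell-intune-samples repository. It creates, through the Microsoft Graph beta endpoints, the two objects this lesson describes: the custom Windows 10 profile that enables Connectivity/AllowVPNOverCellular, and a PowerShell script policy for the Intune management extension with the size limit, run context and signature options from the earlier section. It assumes an access token in $AccessToken that carries the DeviceManagementConfiguration.ReadWrite.All permission; the resource paths, @odata.type names and property names are the Graph beta schema as I know it.

```powershell
# Added example (not from the course). Assumes $AccessToken holds a valid Graph token.
function Invoke-IntuneGraphPost {
    param(
        [Parameter(Mandatory)] [string]    $AccessToken,
        [Parameter(Mandatory)] [string]    $Resource,   # e.g. deviceManagement/deviceConfigurations
        [Parameter(Mandatory)] [hashtable] $Body
    )
    $uri     = "https://graph.microsoft.com/beta/$Resource"
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body ($Body | ConvertTo-Json -Depth 10)
}

# 1. Custom Windows 10 profile that enables Connectivity/AllowVPNOverCellular.
#    Policy CSP OMA-URIs are case sensitive; the integer 1 means allowed, 0 means not allowed.
function New-AllowVpnOverCellularProfile {
    param([Parameter(Mandatory)] [string] $AccessToken)
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'Allow VPN over cellular'
        description   = 'Enables Connectivity/AllowVPNOverCellular through a custom OMA-URI setting'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'AllowVPNOverCellular'
                description   = 'Policy CSP: Connectivity/AllowVPNOverCellular'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular'
                value         = 1
            }
        )
    }
    Invoke-IntuneGraphPost -AccessToken $AccessToken -Resource 'deviceManagement/deviceConfigurations' -Body $body
}

# 2. PowerShell script policy for the management extension. Checks the course's size limits
#    (less than 200 KB for ASCII, 100 KB for Unicode) before uploading the script.
function New-IntuneScriptPolicy {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $DisplayName = [System.IO.Path]::GetFileNameWithoutExtension($ScriptPath),
        [switch] $RunAsUser,          # default is the system context
        [switch] $RequireSignature    # default: no trusted-publisher signature required
    )
    $bytes = [System.IO.File]::ReadAllBytes($ScriptPath)
    # A UTF-16 (Unicode) file begins with the byte-order mark FF FE.
    $isUnicode = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)
    $limit = if ($isUnicode) { 100KB } else { 200KB }
    if ($bytes.Length -ge $limit) {
        throw "Script is $($bytes.Length) bytes; the Intune limit for this encoding is less than $limit bytes."
    }
    $runAs = if ($RunAsUser) { 'user' } else { 'system' }
    $body = @{
        '@odata.type'         = '#microsoft.graph.deviceManagementScript'
        displayName           = $DisplayName
        description           = "Uploaded from $ScriptPath"
        fileName              = [System.IO.Path]::GetFileName($ScriptPath)
        scriptContent         = [Convert]::ToBase64String($bytes)
        runAsAccount          = $runAs
        enforceSignatureCheck = [bool] $RequireSignature
    }
    Invoke-IntuneGraphPost -AccessToken $AccessToken -Resource 'deviceManagement/deviceManagementScripts' -Body $body
}

# Usage (both calls return the created Graph objects, including their ids):
# New-AllowVpnOverCellularProfile -AccessToken $AccessToken
# New-IntuneScriptPolicy -AccessToken $AccessToken -ScriptPath 'C:\Scripts\Install-LegacyApp.ps1' -RequireSignature
```

Neither object is assigned to a group by these calls; assignment is a separate step, as the lesson on assigning profiles describes.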

Find the policies you can configure


For a complete list of all CSPs that Windows 10 supports, refer to
Configuration service provider reference9.
Not all settings are compatible with all Windows 10 versions. The configuration
service provider reference tells you which versions are supported for each CSP.
Additionally, Intune doesn't support all the settings listed. To find out if
Intune supports the setting you want, open the article for that setting. Each

9 https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference

setting page shows its supported operation. To work with Intune, the setting
must support the Add or Replace operations.

Creating a custom profile for Android devices


Custom profiles use OMA-URI settings to configure different features on Android
devices. These settings are typically used by mobile device manufacturers to
control features on the device.
Using a custom profile, you can configure and assign the following Android
settings. These settings aren't built into the Intune policies:
●● Create a Wi-Fi profile with a pre-shared key
●● For more information about how to create this profile, refer to Use a
custom device profile to create a WiFi profile with a pre-shared key –
Intune10.
●● Create a per-app VPN profile
●● For more information about how to create this profile, refer to Use a
Microsoft Intune custom profile to create a per-app VPN profile for Android
devices11.
●● Allow and block apps for Samsung Knox Standard devices
●● For more information about how to create this profile, refer to Use custom
policies in Microsoft Intune to allow and block apps for Samsung Knox Standard
devices12.
Only the settings listed can be configured by this profile type. Android devices
don't expose a complete list of OMA-URI settings you can configure.
1. Create a custom profile for the Android platform using the steps in
Creating a custom profile above.
2. In Custom OMA-URI Settings, select Add, and then select Add Row.
3. Enter the following properties:
●● Name: Enter a unique name for the OMA-URI setting so you can easily
find it.
●● Description: Enter a description that gives an overview of the
setting, and any other important details.
●● Data type: Enter the data type you use for this OMA-URI setting.
Choose from String, String (XML), Date and time, Integer, Floating
point, or Boolean.
●● OMA-URI: Enter the OMA-URI you want.
●● Value: Enter the value you want to associate with the OMA-URI you
entered.
4. Select OK to save your changes. Continue to add more settings as needed.

10 https://docs.microsoft.com/en-us/intune/wi-fi-profile-shared-key
11 https://docs.microsoft.com/en-us/intune/android-pulse-secure-per-app-vpn
12 https://docs.microsoft.com/en-us/intune/samsung-knox-apps-allow-block

When you complete the settings, the profile is created, and appears in the list.

Creating a custom profile for iOS devices


Use the Microsoft Intune iOS custom profile to assign settings that you created
by using the Apple Configurator tool to iOS devices. This tool lets you create
many settings that control the operation of these devices and export them to a
configuration profile. You can then import this configuration profile into an
Intune iOS custom profile and assign the settings to users and devices in your
organization.
This capability allows you to assign iOS settings that are not configurable with
other Intune profile types.
1. Use the instructions in Creating a custom profile above.
2. On the Custom Configuration Profile pane, configure each of the following
settings:
●● Custom configuration profile name: Provide a name for the policy as
displayed on the device, and in Intune status.
●● Configuration profile file: Browse to the configuration profile that
you created by using the Apple Configurator. Ensure that the settings
you export from the Apple Configurator tool are compatible with the
version of iOS on the devices to which you assign the iOS custom policy.
For information about how incompatible settings are resolved, search for
Configuration Profile Reference and Mobile Device Management Protocol
Reference on the Apple Developer website.
The file you import is displayed in the File contents area of the pane.

Assigning and monitoring device profiles


After you create a profile, you can assign the profile to the following Azure AD
groups:
●● Selected Groups
●● All Users & All Devices
●● All Devices
●● All Users

Assign a device profile


1. In the Azure portal, select All Services, and search for Microsoft
Intune.
2. In Microsoft Intune, select Device configuration, and select
Profiles.
3. In the list of profiles, select the profile you want to assign, and then
select Assignments.
4. Choose to Include groups or Exclude groups, and then select the applicable
groups.
5. When you select your groups, you're choosing an Azure AD group. To select
multiple groups, hold down the CTRL key.
6. When you are done, select Save.
Exclude groups from a profile assignment
Intune device configuration profiles let you exclude groups from policy
assignment. For example, you can assign a device profile to the All sales users
group, but exclude any members of the Sales Managers group.
When you exclude groups from an assignment, exclude only user groups or only
device groups (not a mixture), because Intune doesn't consider any
user-to-device relationship. Including user groups while excluding device groups
might not create the results you expect. When mixed groups are used, or if there
are other conflicts, inclusion takes precedence over exclusion.
For example, you want to assign a device profile to all devices in your
organization, except kiosk devices. You include the All Users group, but exclude
the All Devices group. In this case, all your users and their devices get the
policy, even if the user’s device is part of the All Devices group.
Exclusion only looks at the direct members of the groups, and doesn't include
devices that are associated with a user. However, devices that don't have a user
don't get the policy. This occurs because those devices have no relationship to
the All Users group.
If you include All Devices, and exclude All Users, then all the devices receive
the policy. In this scenario, the intent is to exclude devices that have an
associated user from this policy. However, it doesn't exclude the devices
because the exclusion only compares direct group members.
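The script below is an added example, not course material and not Intune's implementation: a simplified model of the three rules stated above (exclusion compares direct members only, no user-to-device inference, inclusion wins when the included and excluded groups are of different kinds). Run against a constructed tenant, it reproduces the three outcomes the text describes.

```powershell
# Added example (not from the course): a simplified model of Intune's include/exclude
# evaluation, written to match the rules described in the lesson text.
function Test-ProfileApplies {
    param(
        [Parameter(Mandatory)] [string]    $Device,
        [string]                           $User,     # empty for a kiosk or other user-less device
        [Parameter(Mandatory)] [hashtable] $Groups,   # name -> @{ Kind = 'user'|'device'; Members = @(...) }
        [string[]] $Include = @(),
        [string[]] $Exclude = @()
    )
    # Direct membership only: the device itself for device groups, the device's
    # primary user for user groups. A device is never a direct member of a user group.
    function Test-DirectMember([string] $GroupName) {
        $g = $Groups[$GroupName]
        if ($g.Kind -eq 'device') { return ($g.Members -contains $Device) }
        return ([bool] $User -and ($g.Members -contains $User))
    }
    $includedKinds = @($Include | Where-Object { Test-DirectMember $_ } | ForEach-Object { $Groups[$_].Kind })
    if ($includedKinds.Count -eq 0) { return $false }   # not included anywhere: no policy
    # Mixed kinds (include a user group, exclude a device group, or the reverse): inclusion
    # takes precedence, so only exclusions of the same kind as an inclusion are honoured.
    $honoured = @($Exclude | Where-Object { ($includedKinds -contains $Groups[$_].Kind) -and (Test-DirectMember $_) })
    return ($honoured.Count -eq 0)
}

# Constructed sample tenant: two ordinary user devices, a sales manager's device, a user-less kiosk.
$groups = @{
    'All Users'       = @{ Kind = 'user';   Members = @('alice', 'bob', 'carol') }
    'All Devices'     = @{ Kind = 'device'; Members = @('PC-ALICE', 'PC-BOB', 'PC-CAROL', 'KIOSK-01') }
    'All sales users' = @{ Kind = 'user';   Members = @('alice', 'bob', 'carol') }
    'Sales Managers'  = @{ Kind = 'user';   Members = @('carol') }
}
$devices = @(
    @{ Device = 'PC-ALICE'; User = 'alice' }
    @{ Device = 'PC-CAROL'; User = 'carol' }
    @{ Device = 'KIOSK-01'; User = '' }
)
$scenarios = @(
    @{ Name = 'Include All Users, exclude All Devices';          Include = @('All Users');       Exclude = @('All Devices') }
    @{ Name = 'Include All Devices, exclude All Users';          Include = @('All Devices');     Exclude = @('All Users') }
    @{ Name = 'Include All sales users, exclude Sales Managers'; Include = @('All sales users'); Exclude = @('Sales Managers') }
)
foreach ($s in $scenarios) {
    Write-Output "== $($s.Name)"
    foreach ($d in $devices) {
        $applies = Test-ProfileApplies -Device $d.Device -User $d.User -Groups $groups -Include $s.Include -Exclude $s.Exclude
        $who = if ($d.User) { $d.User } else { '(no user)' }
        Write-Output ("  {0,-9} {1,-10} applies={2}" -f $d.Device, $who, $applies)
    }
}
```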

Monitor device profiles in Microsoft Intune


Intune includes some features in the Azure portal to help monitor and manage
your device configuration profiles. For example, you can check the status of a
profile, see which devices are assigned, and update the properties of a profile.
View existing profiles
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Device configuration > Profiles.

All your existing profiles are listed, which includes details such as the
platform, and shows if the profile is assigned to any devices.
View details on a profile
After you create your device profile, Intune provides graphical charts. These
charts display the status of a profile, such as it being successfully assigned
to devices, or if the profile shows a conflict.
1. Select an existing profile. For example, select Windows 10 profile.
2. Select the Overview tab.
The top graphical chart shows the number of devices assigned to the specific
device profile. For example, if the configuration device profile applies to
Windows 10 and later devices, the chart lists the count of the Windows 10
and later devices.
It also shows the number of devices for other platforms that are assigned
the same device profile. For example, it shows the count of the non-Windows
10 and later devices.

The bottom graphical chart shows the number of users assigned to the specific
device profile. For example, if the configuration device profile applies to
Windows 10 and later users, the chart lists the count of the Windows 10 and
later users.
3. Select the circle in the top graphical chart. The Device status opens.
4. The devices assigned to the profile are listed, and it shows if the profile
is successfully deployed. Also note that it only lists the devices with the
specific platform (for example, Windows 10 and later devices).
5. Close the Device status details.
6. Select the circle in the bottom graphical chart. The User status opens.
7. The users assigned to the profile are listed, and it shows if the profile is
successfully deployed. Also note that it only lists the users with the
specific platform (for example, Windows 10 and later devices).
8. Close the User status details.
9. Back in the Profiles list, select a specific profile. You can also change
existing properties:
●● Properties: Change the name or update any existing settings.
●● Assignments: Include or exclude devices that the policy should
apply. Choose Selected Groups to choose specific groups.
●● Device status: The devices assigned to the profile are listed, and
it shows if the profile is successfully deployed. You can select a
specific device to get even more details, including the installed apps.
●● User status: Lists the user names with devices impacted by this
profile, and if the profile successfully deployed. You can select a
specific user to get even more details.
●● Per-setting status: Filters the output by showing the individual
settings within the profile and shows if the setting is successfully
applied.
View conflicts
In Devices > All devices, you can see any settings that are causing a
conflict. When there's a conflict, you are also shown all the configuration
profiles that contain this setting. Administrators can use this feature to help
troubleshoot, and fix any discrepancies with the profiles.
1. In Intune, select Devices > All Devices > select an existing
device in the list. An end user can get the device name from their Company
Portal app.
2. Select Device configuration. All configuration policies that apply to
the device are listed.
3. Select the policy. It shows you all the settings in that policy that apply
to the device. If a device has a Conflict state, select that row. In the new
window, you see all the profiles, and the profile names that have the
setting causing the conflict.
Now that you know the conflicting setting, and the policies that include that
setting, it should be easier to resolve the conflict.

Review Activity - Configuring profiles

REVIEW ACTIVITY – Configure Intune Profiles


Let's play a quick game to test your knowledge of configuring Intune profiles. Click on the button below
to open this review activity full screen.
LAUNCH ACTIVITY13

13 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_1_configuringprofilestutorial.html

Managing user profiles


Lesson Introduction
In this lesson, you will be introduced to the various user profile types that
exist in Windows for on-premises devices. You will learn about the benefits of
various profiles and how to switch between types of profiles. You will examine
how Folder Redirection works and how to set it up. The lesson will then conclude
with an overview of Enterprise State roaming and how to configure it for Azure
AD devices.
After this lesson, you should be able to:
●● Explain the various user profile types that exist in Windows.
●● Describe how a user profile works.
●● Configure user profiles to conserve space
●● Explain how to deploy and configure Folder Redirection.
●● Explain what Enterprise State Roaming is.
●● Configure Enterprise State Roaming for Azure AD devices.

User Profile Types


The Windows 10 operating system requires each user to have a user profile. User
profiles are created during a user’s first sign-in, and they are stored in the
Users folder. User profiles are created based on the content in the Default
profile in the Users folder. The types of user profiles are:
●● Local. This type is available on a single computer only.
●● Roaming. This type can roam between computers that are domain members.
●● Mandatory. This is a special type of preconfigured user profile that
does not store user changes between sign-ins.
●● Temporary User Profiles. A temporary profile is issued each time that an
error condition prevents the user's profile from loading.
Local user profiles
When a user signs in for the first time, the Windows operating system
automatically creates a local user profile for all subsequent sign-ins to the
same computer. A local user profile is used only when a user signs in to the
computer where the profile was created, and it’s useful when a user is using a
single computer. If a user roams between multiple computers, then by default,
separate local user profiles will be created on each computer. This means that
modifications and documents that a user creates on one computer will not be
available on other computers. Therefore, administrators should avoid local
profiles if users sign in to multiple devices.
Roaming user profiles
In a domain environment, administrators can configure a user with a roaming user
profile by configuring his or her profile path. With roaming user profiles, user
settings and data are stored on a network location and locally on the computer

where a user signs in. When a user signs in, the local copy of the user profile
is compared to the copy that is stored on the network location, and only newer
files are copied locally. The user can change settings and create data files,
which are stored in the local user profile copy. These changes copy to the
network location when the user signs out. If users roam between multiple
computers, their documents and settings follow them. If a user profile contains
a lot of data, or if a user stores large files on the desktop, then signing in
to the computer might take a long time. If a user signs in to multiple computers
at the same time, changes performed on one computer override changes performed
on a second computer because user profile changes copy to the network location
only when the user signs out. Some parts of a user profile, such as Temporary
Internet Files or AppData\Local, never copy to the network location even if
roaming user profiles are used. You should be aware that roaming user profiles
are incompatible between different versions of Windows operating systems.
Mandatory user profiles
A mandatory user profile is a type of roaming user profile that administrators
can configure. With mandatory user profiles, user changes are stored in the
local copy of a user profile but are not preserved after a user signs out from
the computer. When the user signs in again, the mandatory user profile downloads
from the network location, and it overrides the local user profile copy. The two
types of mandatory user profiles are normal mandatory profiles and
super-mandatory profiles. Administrators can configure users with mandatory user
profiles first by configuring them with roaming user profiles and then by
renaming the Ntuser.dat file in their profiles to Ntuser.man. The .man extension
causes user modifications to the profile to be discarded at the next sign-in and
user profiles to behave as read-only.
Super-mandatory user profiles
User profiles become super-mandatory when an administrator adds the .man
extension to a user’s roaming user profile folder name. For example, if a
roaming user profile is stored in the \\Server\Profiles\User1.V5 folder, the
administrator can add the .man extension to the folder and store the roaming
user profile at \\Server\Profiles\User1.man.V5. Mandatory and
super-mandatory user profiles behave similarly; both do not preserve user
modifications. If users are configured with a super-mandatory profile, they will
not be able to sign in if the network copy of their profile is not available. In
such cases, they will see a message that the user profile service failed the
sign-in and that the user profile cannot be loaded. In a similar situation,
users with a normal mandatory profile would still be able to sign in, and they
would get temporary profiles, which might be against organizational policy.
Note: If a user named User1 is configured with the \\Server\Profiles\User1
profile path location, Windows 10 automatically adds the .V5 extension to the
roaming user profile folder. In this case, it creates a folder named User1.V5 in
the \\Server\Profiles share.
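As an added example (not from the course), the function below performs the two renames described above on an existing roaming profile share: NTUSER.DAT to NTUSER.MAN for a mandatory profile, and the folder to User1.man.V<n> for a super-mandatory one. It assumes the share layout \\Server\Profiles\<User>.V<n> that Windows creates, and supports -WhatIf so the renames can be reviewed first.

```powershell
# Added example (not from the course). Converts a roaming profile into a mandatory or
# super-mandatory profile using the renames the lesson describes.
function ConvertTo-MandatoryProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ProfileRoot,   # e.g. \\Server\Profiles
        [Parameter(Mandatory)] [string] $UserName,      # e.g. User1
        [switch] $SuperMandatory                        # also rename the folder to <User>.man.V<n>
    )
    # Windows appends a version suffix to the profile folder (.V5 for Windows 10 1507/1511, .V6 for 1607 and later),
    # so locate the one folder that matches this user and keep its suffix.
    $folders = @(Get-ChildItem -Path $ProfileRoot -Directory -Filter "$UserName.V*")
    if ($folders.Count -ne 1) {
        throw "Expected exactly one '$UserName.V<n>' folder under $ProfileRoot, found $($folders.Count)."
    }
    $folder  = $folders[0]
    $version = $folder.Name.Substring($UserName.Length + 1)   # e.g. 'V5'
    $hive    = Join-Path $folder.FullName 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hive)) {
        throw "No NTUSER.DAT in $($folder.FullName); this does not look like a roaming profile."
    }
    # Mandatory: a .man hive is treated as read-only and user changes are discarded at the next sign-in.
    if ($PSCmdlet.ShouldProcess($hive, 'Rename NTUSER.DAT to NTUSER.MAN')) {
        Rename-Item -LiteralPath $hive -NewName 'NTUSER.MAN'
    }
    # Super-mandatory: with the .man folder suffix, sign-in is refused when the network copy is unavailable
    # instead of falling back to a temporary profile. The user's profile path must then point at
    # \\Server\Profiles\<User>.man (Windows appends the .V<n> part itself).
    if ($SuperMandatory) {
        $newName = "$UserName.man.$version"
        if ($PSCmdlet.ShouldProcess($folder.FullName, "Rename folder to $newName")) {
            Rename-Item -LiteralPath $folder.FullName -NewName $newName
        }
    }
}

# Usage: preview the renames first, then run without -WhatIf.
# ConvertTo-MandatoryProfile -ProfileRoot '\\Server\Profiles' -UserName 'User1' -SuperMandatory -WhatIf
```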
Temporary User Profiles
A temporary profile is issued each time that an error condition prevents the
user's profile from loading. Temporary profiles are deleted at the end of each

session, and changes made by the user to desktop settings and files are lost
when the user logs off.

Profile extension for each Windows version


The name of the folder in which you store the profile must use the correct
extension for the operating system it will be applied to. The following table
lists the correct extension for each operating system version.

Client operating system version                      Server operating system version                Profile extension
Windows XP                                           Windows Server 2003, Windows Server 2003 R2    none
Windows Vista, Windows 7                             Windows Server 2008, Windows Server 2008 R2    V2
Windows 8                                            Windows Server 2012                            V3
Windows 8.1                                          Windows Server 2012 R2                         V4
Windows 10, version 1507 and 1511                    N/A                                            V5
Windows 10, version 1607, 1703, 1709, 1803 and 1809  Windows Server 2016                            V6
A user profile consists of the following elements:
●● A registry hive. The registry hive is the file NTuser.dat. The hive is
loaded by the system at user logon, and it’s mapped to the HKEY_CURRENT_USER
registry key. The user's registry hive maintains the user's registry-based
preferences and configuration.
●● A set of profile folders stored in the file system. User-profile files
are stored in the Profiles directory, on a folder per-user basis. The
user-profile folder is a container for applications and other system
components to populate with sub-folders, and per-user data such as documents
and configuration files. Windows Explorer uses the user-profile folders
extensively for such items as the user's Desktop, Start menu and Documents
folder.
User profiles provide the following advantages:
●● When the user logs on to a computer, the system uses the same settings that
were in use when the user last logged off.
●● When sharing a computer with other users, each user receives their
customized desktop after logging on.
●● Settings in the user profile are unique to each user. The settings cannot be
accessed by other users. Changes made to one user's profile do not affect other
users or other users' profiles.

How does a user profile maintain user state


In Windows 10, a user profile contains a user state. A user profile is a set of
files and folders. It is personal to each user who has signed in to the
computer, and it’s stored in the Users folder. Windows 10 requires each user who

signs in to have a user profile. The Windows operating system creates a user
profile when a user signs in for the first time. The initial user profile is
based on the default user profile and is used for all subsequent sign-ins. User
profiles contain details about the user environment, such as Start menu
settings, desktop settings, user documents, and the user hive of the registry.
By default, a user profile is stored on the same drive as the Windows operating
system, in the C:\Users folder. The user profile is used only when a user signs
in to the same computer, but you can change the user profile type if you want to
use it from multiple computers.

Elements in a user profile


A user profile contains the following elements:
●● A user part of the registry. User profiles contain the Ntuser.dat file,
which is the user part of the registry. When a user signs in, the system
loads this file and maps it to the HKEY_CURRENT_USER registry subtree.
Ntuser.dat contains user settings, such as desktop background and screen
saver.
●● A set of folders. For each user who signs in, the Windows operating
system creates a separate subfolder with his or her name in the Users
folder. This folder is a container for user settings, application settings,
and user data. Content is organized in various subfolders such as AppData,
Desktop, Downloads, and Documents.
The Windows 10 operating system stores all user settings modifications in a user
profile, either in Ntuser.dat if changes are written to the registry, or in one
of the configuration files. Applications should also store all of their settings
in a user profile—for example, if a user modifies the font size in Notepad or
the default file format in Word 2013, that setting is stored in the user’s
profile. Other users who sign in to the same Windows 10 computer can have
different settings for the same applications, which are stored in their own user
profiles.
The same is true for data. Many applications, such as Microsoft Word 2016, store
user data in the Documents folder by default, which is a folder inside of the
user profile. Users can change this location and store their data in any other
folder to which they have Write permissions. However, by default, user data is
stored in the individual user profile. User profiles are stored on the same
volume where the operating system is installed, in the C:\Users folder.
Although you can move this folder to a different volume, you should not do that
in a production environment.

Options for minimizing user profile size


Because user profiles contain user state and users can modify their state, users
must have Write permissions to their user profiles. As long as users have Write
permissions, they can write as much data as they want if there is available free
disk space, unless an administrator limits them. Because user profiles contain
user data and user data can increase rapidly—for example, if users store large
graphic or multimedia files in their Documents folder, which is in their
profile—an administrator often limits the space for storing user profiles.
Administrators can do this in several ways:


●● Use quotas to limit the space that is available to a user on a volume or on
a shared folder where the roaming user profile is stored.
●● Redirect folders that typically contain large user files and are stored in
the user profile by default, for example, the Documents folder, outside of
the user profile.
●● Use the Group Policy setting to limit user profile sizes. You can limit the
size of local or roaming user profiles by configuring settings in the user
part of Group Policy.

Using quotas
An option to limit user profile sizes is to use quotas. You can use the same
approach to limit the disk space that a user consumes in general, and it applies
to limiting user profile sizes. You can set a disk quota on a local Windows 10
volume by using volume properties. By using File Server Resource Manager in
Windows Server 2016, you can set a quota on a shared folder on the file server
where roaming user profiles or redirected folders are stored. If you set a disk
quota on a local volume, users will not be able to write additional data when
they reach their disk quota. If a quota is set on a shared folder, the local
copy of a roaming user profile will not synchronize with the network share, and
changes to the user profile will not copy to the file server until the user
deletes some data and the local copy of the roaming user profile is smaller than
the quota limit. In such cases, users will see a message during sign-out that
their roaming user profiles did not completely synchronize, and an entry will be
added to Event Viewer.
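The share-side quota described above, as an added example that is not part of the course: it uses the File Server Resource Manager PowerShell module on the Windows Server 2016 file server that hosts the roaming profile share. The local path D:\Profiles, the 2 GB limit and the 85 % warning threshold are assumed values to adapt to your environment.

```powershell
# Added example (not from the course): apply a hard quota to every per-user
# roaming profile folder under the profile share with FSRM.
# Assumes the FSRM role service is installed and D:\Profiles is the local path
# behind the profile share (placeholder values).
Import-Module FileServerResourceManager

$profileRoot = 'D:\Profiles'   # local path behind \\server\Profiles$ (assumed)
$limit       = 2GB             # hard limit per user profile folder (assumed)

# Log a warning event at 85 % so the help desk sees it before the profile
# stops synchronizing. [Source Io Owner] and [Quota Path] are FSRM macros
# that FSRM fills in when the action runs.
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has reached 85% of the profile quota on [Quota Path].'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn

# A template keeps the limit in one place so it can be changed later.
$template = New-FsrmQuotaTemplate -Name 'Roaming profile 2GB' `
    -Size $limit -Threshold $threshold

# An auto quota applies the template to every existing and future subfolder
# of the share root, so new users are covered automatically.
New-FsrmAutoQuota -Path $profileRoot -Template $template.Name

# Verify: list the per-user quotas that were created and how full each one is.
Get-FsrmQuota -Path "$profileRoot\*" |
    Select-Object Path,
        @{ n = 'LimitGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'UsedPct'; e = { [math]::Round(100 * $_.Usage / $_.Size, 1) } }
```

A hard quota (the default) reproduces the behaviour described in the text: once the limit is reached, the local copy of the roaming profile cannot synchronize to the share until the user frees space.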

Redirecting folders out of user profiles


You can make user profiles smaller by redirecting folders that typically consume
a lot of space out of the user profiles. When you do that, the redirected
folders are available from any computer in AD DS even if the user is configured
with a local user profile. You can configure Folder Redirection by using Group
Policy, and several settings are available for each redirected folder. Even if
you use Folder Redirection, you can also use quotas to limit the size of
redirected folders.

Using Group Policy to limit user profile sizes


You can limit local or roaming user profile sizes by enabling the Limit profile
size setting in the user part of Group Policy. When you enable this setting, you
can configure the maximum profile size and custom message that users see
periodically when their profiles exceed the allowed size. You can limit profile
size to up to 30,000,000 kilobytes (KBs). With local user profiles, users can be
periodically reminded that their user profile exceeds the allowed size, but they
can still write data to their profiles and sign out. If users are configured
with roaming user profiles, they can also sign out, but changes to the local
copy of the roaming user profile will not synchronize with the network share.
This means that changes to their local copy of the user profile will not copy to
the file server until the users delete some data and their local copy of the
roaming user profile is smaller than the maximum profile size that is configured
in Group Policy.
Users can have smaller user profiles if they store data files outside of their
user profiles, for example, in a dedicated shared folder or in the home folder.

Deploying and configuring Folder Redirection


Folder Redirection is a Group Policy setting that is most often used for
configuring user profiles. Administrators can use Folder Redirection to redirect
individual folders from a user profile to a new location. For example, an
administrator can redirect the Documents folder from a local or roaming user
profile to a separate network location. Redirected folder content is available
from any computer on a network, and it does not copy to the computer on which a
user signs in, as with roaming user profiles. Folder Redirection also provides
users with access to the same data from multiple domain computers without
copying data locally, as is the case with roaming user profiles. You can
configure Folder Redirection by modifying Policies\Windows Settings\Folder
Redirection settings in the User Configuration part of Group Policy.
Redirected folders are stored on a network share only, and users access them
transparently in the same way as when they are stored in a local user profile.
The Offline Files feature, which is enabled by default when redirected folders
are used, provides users with access to content in redirected folders even
without network connectivity.
Administrators configure Folder Redirection by using user settings in Group
Policy, and by doing so, can redirect individual folders in a user profile. In
Windows 10, an administrator can redirect 13 folders in user profiles, including
Desktop, Start Menu, and Documents. Administrators can redirect predefined
folders and folders in a user profile only. For each user with redirected
folders, Windows 10 creates a new subfolder with the user’s sign-in name, and
folders can be redirected to the same location or to a different location based
on user group membership.
When you configure Folder Redirection, you can configure what happens if Folder
Redirection is no longer effective. The options are to leave the redirected
content on the network location or to move the content to the original location
to a user’s profile. Folder Redirection can redirect many parts of a user
profile, but settings that are stored in Ntuser.dat cannot be redirected.
Because of this, some administrators use roaming user profiles with Folder
Redirection.
Folder Redirection provides several advantages:
●● Redirected folder content is available from any computer in the domain.
●● Redirected folder content does not copy to local computers, which minimizes
network traffic during user sign-in.
●● Administrators can set quotas (limiting disk space) and permissions on
redirected folders. By doing so, administrators can control how much space a
user can utilize and whether the user can modify contents of that part of
the folder—for example, Desktop.
●● Redirected folders are stored on network locations (network shares) and not
on local computers. If a local hard drive fails, users can still access data
in redirected folders from a different computer.
●● Redirected folder content can be backed up centrally because it is not
stored locally on user computers. If Shadow Copies for Shared Folders is
configured on a network location, users can access previous versions of
their redirected files.
For more about Folder Redirection, refer to Folder Redirection
Overview14.

Overview of Folder Redirection deployment


The following steps give you an overview of how to configure and test Folder
Redirection. These steps contain mock details for the purposes of demonstration.
You can change the details to fit your organization’s environment.
1. On a client, verify that the location of the user’s Desktop folder is
C:\Users\username.
2. Verify that the location of the user’s Documents folder is
C:\Users\username.
3. Create a Group Policy that redirects the Documents folder for the user
to a network folder.
4. Verify that the network folder is empty.
5. On the client, run gpupdate /force, and then sign out.
6. Sign in to the client as a user that will be affected by the Group Policy.
7. On the client, verify that the location of user’s Desktop folder is still
C:\Users\username, as you did not redirect it.
8. Verify that the location of user’s Documents folder is now redirected to
the network folder.
9. In Notepad, create a file named Demo Document in which you type your
name, and then save it in the Documents folder.
10. Verify that the network folder is no longer empty and that it has a
subfolder named username.
11. Sign in to another client as the same user.
12. On the other client, verify that the location of user’s Desktop folder
is still C:\Users\username, as you did not redirect it.
13. Verify that the location of the user’s Documents folder is the network
folder.
14. View the content of the Demo Document file, and then verify that it has
the same content that you typed on the first client.
For a detailed description on how to configure and deploy Folder Redirection, refer to Deploy Folder
Redirection with Offline Files.
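A script version of the verification steps above (steps 1, 2, 7, 8, 9 and 10), added here as an example and not part of the course: it reads the per-user User Shell Folders registry key that Folder Redirection rewrites, reports whether Documents is redirected and Desktop is still local, and creates the Demo Document file. The share path \\FileServer\Redirected$ and the file extension .txt are assumptions; run it on the client while signed in as the affected user.

```powershell
# Added example (not from the course): verify the Folder Redirection walkthrough.
# Assumption: Documents is redirected to \\FileServer\Redirected$\<username>\...
# (placeholder share); Desktop is not redirected.
$expectedShare = '\\FileServer\Redirected$'

# Folder Redirection changes these per-user values; 'Personal' is Documents.
$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$folders = @{ Documents = 'Personal'; Desktop = 'Desktop' }

function Get-RedirectionState {
    # One object per folder: where it points and whether that matches the
    # state the walkthrough expects after the Group Policy is applied.
    foreach ($name in $folders.Keys) {
        $raw = (Get-ItemProperty -Path $shellFolders).($folders[$name])
        # Values are REG_EXPAND_SZ and may still contain %USERPROFILE%.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $isLocal = $path -like "$env:USERPROFILE\*"
        $expected = if ($name -eq 'Documents') {
            # Steps 2 and 8: Documents must now live on the expected share,
            # not on some other UNC path (a sign of a misapplied policy).
            $path.StartsWith($expectedShare, 'OrdinalIgnoreCase')
        } else {
            $isLocal   # steps 1 and 7: Desktop stays under C:\Users\username
        }
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = $path.StartsWith('\\')
            AsExpected = $expected
        }
    }
}

$state = Get-RedirectionState
$state | Format-Table -AutoSize
if ($state.AsExpected -contains $false) {
    Write-Warning 'Folder Redirection is not in the expected state; run gpupdate /force and sign in again.'
}

# Step 9: create the Demo Document in the (now redirected) Documents folder.
$docs = [Environment]::GetFolderPath('MyDocuments')
Set-Content -Path (Join-Path $docs 'Demo Document.txt') -Value $env:USERNAME

# Step 10: the network folder should now contain a subfolder named after the user.
$userFolder = Join-Path $expectedShare $env:USERNAME
"Subfolder '$userFolder' exists: $(Test-Path $userFolder)"
```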

14 http://go.microsoft.com/fwlink/?LinkId=378224
Enterprise State Roaming overview


With Windows 10, Azure AD users gain the ability to securely synchronize their
user settings and application settings data to the cloud. Enterprise State
Roaming is available to any organization with an Azure AD Premium or Enterprise
Mobility + Security (EMS) license.
Enterprise State Roaming provides users with a unified experience across their
Windows devices and reduces the time needed for configuring a new device.
Enterprise State Roaming operates like the standard consumer settings sync that
was first introduced in Windows 8.
Additionally, Enterprise State Roaming offers:
●● Separation of corporate and consumer data – Organizations are in control
of their data, and there is no mixing of corporate data in a consumer cloud
account or consumer data in an enterprise cloud account.
●● Enhanced security – Data is automatically encrypted before leaving the
user’s Windows 10 device by using Azure Rights Management (Azure RMS), and
data stays encrypted at rest in the cloud. All content stays encrypted at
rest in the cloud, except for the namespaces, like settings names and
Windows app names.
●● Better management and monitoring – Provides control and visibility over
who syncs settings in your organization and on which devices through the
Azure AD portal integration.

What data roams?


Windows settings: the PC settings that are built into the Windows operating
system. Generally, these are settings that personalize your PC, and they include
the following broad categories:
●● Theme, which includes features such as desktop theme and taskbar settings.
●● Internet Explorer settings, including recently opened tabs and favorites.
●● Edge browser settings, such as favorites and reading list.
●● Passwords, including Internet passwords, Wi-Fi profiles, and others.
●● Language preferences, which includes settings for keyboard layouts, system
language, date and time, and more.
●● Ease of access features, such as high-contrast theme, Narrator, and
Magnifier.
●● Other Windows settings, such as mouse settings.
Application data: Universal Windows apps can write settings data to a
roaming folder, and any data written to this folder will automatically be
synced. It’s up to the individual app developer to design an app to take
advantage of this capability.
Configuring Enterprise State Roaming in Azure


When you enable Enterprise State Roaming, your organization is automatically
granted a free, limited-use license for Azure Rights Management protection from
Azure Information Protection. This free subscription is limited to encrypting
and decrypting enterprise settings and application data synced by Enterprise
State Roaming. You must have a paid subscription to use the full capabilities of
the Azure Rights Management service.
To enable Enterprise State Roaming
1. Sign in to the Azure portal.
2. Select Azure Active Directory > Devices > Enterprise State
Roaming.
3. Select either All or Selected next to Users may sync settings and
app data across devices.

For a Windows 10 device to use the Enterprise State Roaming service, the device
must authenticate using an Azure AD identity. For devices that are joined to
Azure AD, the user’s primary sign-in identity is their Azure AD identity, so no
additional configuration is required. For devices that use on-premises Active
Directory, the IT admin must Configure Hybrid Azure Active Directory joined
devices.
Data storage
Enterprise State Roaming data is hosted in one or more Azure regions that best
align with the country/region value set in the Azure Active Directory instance.
Enterprise State Roaming data is partitioned based on three major geographic
regions: North America, EMEA, and APAC. Enterprise State Roaming data for the
tenant is locally located with the geographical region and is not replicated
across regions.
The country/region value is set as part of the Azure AD directory creation
process and cannot be subsequently modified.
View per-user device sync status
Follow these steps to view a per-user device sync status report.
1. Sign in to the Azure portal.
2. Select Azure Active Directory > Users > All users.
3. Select the user, and then select Devices.
4. Under Show, select Devices syncing settings and app data to show
sync status.
5. If there are devices syncing for this user, you see the devices shown here.
Data retention
Data synced to the Microsoft cloud using Enterprise State Roaming is retained
until it’s manually deleted or until the data in question is determined to be
stale.
Explicit deletion
Explicit deletion is when an Azure admin deletes a user or a directory or
otherwise requests explicitly that data is to be deleted.
●● User deletion: When a user is deleted in Azure AD, the user account
roaming data is deleted after 90 to 180 days.
●● Directory deletion: Deleting an entire directory in Azure AD is an
immediate operation. All the settings data associated with that directory is
deleted after 90 to 180 days.
●● On request deletion: If the Azure AD admin wants to manually delete a
specific user’s data or settings data, the admin can file a ticket with
Azure support.
Stale data deletion
Data that has not been accessed for one year (“the retention period”) will be
treated as stale and may be deleted from the Microsoft cloud. The retention
period is subject to change but will not be less than 90 days. The stale data
may be a specific set of Windows/application settings or all settings for a
user. For example:
●● If no devices access a particular settings collection (for example, an
application is removed from the device, or a settings group such as “Theme”
is disabled for all of a user’s devices), then that collection becomes stale
after the retention period and may be deleted.
●● If a user has turned off settings sync on all his/her devices, then none of
the settings data will be accessed, and all the settings data for that user
will become stale and may be deleted after the retention period.
●● If the Azure AD directory admin turns off Enterprise State Roaming for the
entire directory, then all users in that directory will stop syncing
settings, and all settings data for all users will become stale and may be
deleted after the retention period.
Deleted data recovery
The data retention policy is not configurable. Once the data is permanently
deleted, it’s not recoverable. However, the settings data is deleted only from
the Microsoft cloud, not from the end-user device. If any device later
reconnects to the Enterprise State Roaming service, the settings are again
synced and stored in the Microsoft cloud.

Review Activity - Manage user profiles

REVIEW ACTIVITY – Manage User Profiles


Let's play a quick game to test your knowledge of managing user profiles. Click on the button below to
open this review activity full screen.
LAUNCH ACTIVITY15

15 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_2_userprofilestutorial.html
Monitoring devices
Lesson Introduction
In this lesson, you will be introduced to managing and monitoring devices
enrolled in Intune. You will learn how to work with your devices in the Intune
console, such as verifying hardware inventory and configuration, and how to
synchronize devices to get the latest policies. You will also learn about
Intune's automatic policy and profile synchronization.
The module will then conclude with an overview of Windows Analytics, which is a
collection of cloud-based services for monitoring and automating your
on-premises and cloud environments. You will learn about Device Health, Update
Compliance and Upgrade Readiness. Lastly, you will learn how to enroll devices
in Windows Analytics.
After this lesson, you should be able to:
●● Explain how to manage and monitor devices in Intune.
●● Describe how to run actions against your Intune devices.
●● Describe what Windows Analytics is and how to start using it.

Monitor devices enrolled to Intune


As an Intune administrator, you must ensure that managed devices are providing
the resources that your users need to do their work, while protecting that data
from risk.
The Devices workload gives you insights into the devices you manage, and lets
you perform remote tasks on those devices.
Get to your devices
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Devices. This view shows detailed information about the
individual devices, and what you can do with them, including:
●● Overview shows a visual snapshot of the enrolled devices, and also
shows how many devices are using the different platforms, including
Android, iOS, and more.
●● All devices shows a list of the enrolled devices you manage.

●● Use the Export feature to create a .csv list of all the devices, in
increments of 10,000 (Internet Explorer) or 30,000 (Edge, Chrome).
●● Select any device to view additional details about that device,
including hardware details, installed apps, its compliance policy
status, and more.
●● Azure AD devices shows a list of the devices registered or joined
with Azure Active Directory (Azure AD).
●● Device actions includes a history of the remote actions that were
run on different devices, including the action, its status, who
initiated the action, and the time.
●● Audit logs is a record of activities that generate a change in
Intune.
●● TeamViewer Connector is a service that allows users of
Intune-managed Android devices to get remote assistance from their IT
administrator.
●● Help and Support provides shortcuts to troubleshooting tips, requesting
support, and checking the status of Intune.
See device details in Intune
The Devices feature provides additional details about the devices you manage,
including their hardware and the apps installed. To view all your devices and
their properties in the Azure portal, do the following:
1. Sign in to the Azure portal.
2. Select All services, filter on Intune, and select Microsoft Intune.
3. Select Devices > All devices > select one of your listed devices
to open its details:
●● Overview shows the device name, and lists some key properties of the
device, including whether it's a bring-your-own-device (BYOD) device, when
it checked in, and more. The actions available depend on the device
platform, and the configuration of the device. You can perform the following
actions on the device:
●● View device inventory
●● Run the remote device actions:
●● Retire
●● Wipe
●● Delete
●● Remote lock
●● Reset passcode
●● Bypass Activation Lock (iOS only)
●● Fresh Start (Windows only)
●● Lost mode (iOS only)
●● Locate device (iOS only)
●● Restart (Windows only)
●● Windows 10 PIN reset
●● Remote control for Android
●● Sync (Synchronize device policy)
●● AutoPilot Reset
●● Quick scan
●● Full scan
●● Update Windows Defender Signatures

●● Use Properties to assign a device category you create and change
ownership of the device to a personal device, or a corporate device.
●● Hardware includes many details about the device, including the device
ID, the operating system and version, storage space, the model and
manufacturer, conditional access settings, and more details.
●● Discovered apps lists all the apps that Intune found installed on the
device, and the app versions. You can also Export the app list into a .csv
file.
●● Device compliance lists all assigned compliance policies, and if the
device is compliant or not compliant.
●● Device configuration shows all device configuration policies assigned to
the device, and if the policy succeeded or failed.
Intune collects an app list only on corporate-owned devices. Apps aren't checked
on personal devices. For Windows 10 PCs, only modern apps are listed for
corporate-owned devices. Intune doesn't collect information about Win32 apps on
the device. Depending on the carrier used by the devices, not all apps may be
collected.

Manage devices enrolled in Intune


You must sync your devices with Intune to update them with the latest policies
and actions. The Sync device action forces the selected device to
immediately check in with Intune. When a device checks in, it immediately
receives any pending actions or policies that have been assigned to it. This
feature can help you immediately validate and troubleshoot policies you’ve
assigned, without waiting for the next scheduled check-in.
Sync a device
1. Sign in to the Azure portal.
2. Select All services, filter for Intune, and then select Microsoft
Intune.
3. In Intune, select Devices > All devices.
4. In the list of devices you manage, select a device, select More, and
then select Sync.
5. To confirm, select Yes.
6. To see the status of the sync action, choose Devices > Device
actions.

Manage settings and features on your devices with Intune policies

Microsoft Intune policies are groups of settings that control features on mobile
devices and computers. You create policies by using templates that include
recommended or custom settings. Then, you deploy them to device or user groups.
Intune policies fall into the following categories. The category that you use
affects how you create and deploy the policy.
●● Configuration policies: Commonly used to manage security settings and
features on your devices, including access to company resources. Get started
at Intune device profiles.
●● Device compliance policies: Define the rules and settings that a device
must comply with to be considered compliant by conditional access policies.
You can also use compliance policies to monitor and remediate the compliance
of devices independent of conditional access.
●● Conditional access policies: Help secure email and other services,
depending on conditions that you enter.
●● Corporate device enrollment policies: Intune supports the enrollment of
corporate-owned iOS devices using the Apple Device Enrollment Program (DEP)
or the Apple Configurator tool running on a Mac computer.
When a policy or an app is deployed, Intune immediately begins notifying the
device to check in with the Intune service. This step typically takes less than
five minutes.
If a device doesn't check in to get the policy after the first notification is
sent, Intune makes three more attempts. If the device is offline (such as being
turned off, or not connected to a network), it might not receive the
notifications. In this case, the device gets the policy on its next scheduled
check-in with the Intune service, as follows:

Platform                            Check-in frequency
iOS                                 Every 6 hours
Mac OS X                            Every 6 hours
Android                             Every 8 hours
Windows 10 (enrolled as devices)    Every 8 hours
Windows 8.1                         Every 8 hours
If the device recently enrolled, the check-in frequency is more frequent, as
follows:

Platform                            Check-in frequency
iOS                                 Every 15 minutes for 6 hours, and then every 6 hours
Mac OS X                            Every 15 minutes for 6 hours, and then every 6 hours
Android                             Every 3 minutes for 15 minutes, then every 15 minutes
                                    for 2 hours, and then every 8 hours
Windows PCs (enrolled as devices)   Every 3 minutes for 30 minutes, and then every 8 hours
Users can also open the Company Portal app and sync the device to immediately
check for the policy anytime.

Windows Analytics Overview


Windows Analytics is a set of solutions for Azure Log Analytics (formerly known
as Microsoft Operations Management Suite (OMS)), a collection of cloud-based
services for monitoring and automating your on-premises and cloud environments.
It provides you with extensive data about the state of devices in your
deployment. Windows Analytics is a free solution: all data ingestion, storage,
and processing are exempt from billing. An Azure subscription is required to use
the service, but you will not be charged for it.
The OMS portal has been deprecated and you should start using the Azure portal
instead as soon as possible. Many experiences are the same in the two portals,
but there are some key differences, which this topic will explain.
For more information refer to OMS portal moving to Azure16.
There are currently three solutions which you can use singly or in any
combination:
Device Health
Device Health provides the following:
●● Identification of devices that crash frequently, and therefore might need to
be rebuilt or replaced.
●● Identification of device drivers that are causing device crashes, with
suggestions of alternative versions of those drivers that might reduce the
number of crashes.
●● Notification of Windows Information Protection misconfigurations that send
prompts to end users.
Device Health requires one of the following licenses:
●● Windows 10 Enterprise or Windows 10 Education per-device with active
Software Assurance
●● Windows 10 Enterprise E3 or E5 per-device or per-user subscription
(including Microsoft 365 F1, E3, or E5)
●● Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
●● Windows VDA E3 or E5 per-device or per-user subscription
Update Compliance
Update Compliance shows you the state of your devices with respect to the
Windows updates so that you can ensure that they are on the most current updates
as appropriate. In addition, Update Compliance provides the following:
●● Dedicated drill-downs for devices that might need attention
●● An inventory of devices, including the version of Windows they are running
and their update status
●● The ability to track protection and threat status for Windows Defender
Antivirus-enabled devices
●● An overview of Windows Update for Business deferral configurations (Windows
10, version 1607 and later)
●● Powerful built-in log analytics to create useful custom queries
●● Cloud-connected access utilizing Windows 10 diagnostic data means no need
for new complex, customized infrastructure
●● Free of use
Upgrade Readiness
Upgrade Readiness offers a set of tools to plan and manage the upgrade process
end to end, allowing you to adopt new Windows releases more quickly. With new
Windows versions being released multiple times a year, ensuring application and
driver compatibility on an ongoing basis is key to adopting new Windows versions

as they are released. Upgrade Readiness not only supports upgrade management
from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in
the Windows as a Service model.

16 https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-portal-transition
Use Upgrade Readiness to get:
●● A visual workflow that guides you from pilot to production
●● Detailed computer and application inventory
●● Powerful computer-level search and drill-downs
●● Guidance and insights into application and driver compatibility issues, with
suggested fixes
●● Data-driven application rationalization tools
●● Application usage information, allowing targeted validation; workflow to
track validation progress and decisions
●● Data export to commonly used software deployment tools, including System
Center Configuration Manager
●● Free of use
The following video provides additional information on using Windows Analytics
to help improve your Windows experience.

Device Health in Windows Analytics


Device Health is offered as a solution where you link to a new or existing Azure
Log Analytics workspace within your Azure subscription. To configure this,
follow these steps:
1. Sign in to the Azure Portal with your work or school account or a Microsoft
account. If you don't already have an Azure subscription you can create one
(including free trial options) through the portal.
2. In the Azure portal select Create a resource, search for “Device
Health”, and then select Create on the Device Health solution.
3. Choose an existing workspace or create a new workspace to host the Device
Health solution.
●● If you’re using other Windows Analytics solutions (Upgrade Readiness or
Update Compliance) you should add Device Health to the same workspace.
●● If you’re creating a new workspace, and your organization does not have
policies governing naming conventions and structure, consider the
following workspace settings to get started:
●● Choose a workspace name which reflects the scope of planned usage in
your organization, for example PC-Analytics.
●● For the resource group setting select Create new and use the
same name you chose for your new workspace.
●● For the location setting, choose the Azure region where you would
prefer the data to be stored.
●● For the pricing tier select Free.
4. Now that you have selected a workspace, you can go back to the Device Health
blade and select Create.
5. Watch for a Notification (in the Azure portal) that “Deployment
‘Microsoft.DeviceHealth’ to resource group 'YourResourceGroupName' was
successful.” and then select Go to resource. This might take several
minutes to appear.
●● Suggestion: Choose the Pin to Dashboard option to make it easy to
navigate to your newly added Device Health solution.
●● Suggestion: If a “resource unavailable” error occurs when navigating to
the solution, try again after one hour.

Enroll devices in Windows Analytics


Once you've added Device Health to a workspace in your Azure subscription, you
can start enrolling the devices in your organization. For Device Health there
are two key steps for enrollment:
1. Deploy your CommercialID (from Device Health Settings page) to your Windows
10 devices (typically using Intune or Group Policy).
2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced
or Full (typically using Intune or Group Policy). Note that the Limit
Enhanced policy can substantially reduce the amount of diagnostic data
shared with Microsoft while still allowing Device Health to function.
After enrolling your devices (by deploying your CommercialID and Windows
Diagnostic Data settings), it may take 48-72 hours for the first data to appear
in the solution. Until then, the Device Health tile will show “Performing
Assessment.”
For full instructions and troubleshooting refer to Enrolling devices in Windows
Analytics17.

17 https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started
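The two enrollment steps above are normally pushed by Group Policy or Intune, but you will often want to confirm on a device that the settings actually landed before waiting 48-72 hours for data. The following PowerShell is an added example, not part of the course material: it reads (and can set) the same policy registry values that the Group Policy and Intune settings write. The Commercial ID used in the usage line is a constructed placeholder; the DiagTrack service check is included because that is the service that uploads diagnostic data.

```powershell
# Added example (not from the course): check, and optionally set, the two
# Device Health enrollment prerequisites on a Windows 10 device.
# Policy-managed values live here (written by Group Policy / Intune):
#   CommercialId   (REG_SZ)    your workspace's Commercial ID, a GUID
#   AllowTelemetry (REG_DWORD) 0=Security 1=Basic 2=Enhanced 3=Full
#   LimitEnhancedDiagnosticDataWindowsAnalytics (REG_DWORD) 1 = "Limit Enhanced"
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

function Test-DeviceHealthEnrollment {
    # Returns one object describing whether this device meets the Device Health requirements.
    $values       = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $commercialId = $values.CommercialId
    $allow        = $values.AllowTelemetry
    $limit        = $values.LimitEnhancedDiagnosticDataWindowsAnalytics

    # The Commercial ID must be a GUID; a missing or malformed value means the
    # device uploads data that is never attributed to your workspace.
    $parsed = [guid]::Empty
    $idOk   = (-not [string]::IsNullOrWhiteSpace($commercialId)) -and
              [guid]::TryParse($commercialId, [ref]$parsed)

    # Device Health needs Enhanced (2) or Full (3); Basic/Security yield no health data.
    $levelOk = ($null -ne $allow) -and ([int]$allow -ge 2)

    # "Connected User Experiences and Telemetry" (DiagTrack) performs the upload.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $svcOk = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CommercialId      = $commercialId
        CommercialIdValid = $idOk
        AllowTelemetry    = $allow
        DiagnosticLevelOk = $levelOk
        LimitEnhancedSet  = ($limit -eq 1)
        DiagTrackRunning  = $svcOk
        Enrolled          = ($idOk -and $levelOk -and $svcOk)
    }
}

function Set-DeviceHealthEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$CommercialId,
        [ValidateSet('Enhanced', 'Full')][string]$Level = 'Enhanced',
        [switch]$LimitEnhanced   # reduce Enhanced data to what Windows Analytics needs
    )
    $allow = if ($Level -eq 'Full') { 3 } else { 2 }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set CommercialId and AllowTelemetry=$allow")) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name CommercialId   -Value $CommercialId.Guid -Type String
        Set-ItemProperty -Path $PolicyKey -Name AllowTelemetry -Value $allow             -Type DWord
        if ($LimitEnhanced) {
            Set-ItemProperty -Path $PolicyKey -Name LimitEnhancedDiagnosticDataWindowsAnalytics -Value 1 -Type DWord
        } else {
            Remove-ItemProperty -Path $PolicyKey -Name LimitEnhancedDiagnosticDataWindowsAnalytics -ErrorAction SilentlyContinue
        }
    }
}

# Usage (run elevated). The GUID below is a constructed placeholder, not a real Commercial ID.
# Set-DeviceHealthEnrollment -CommercialId '11111111-2222-3333-4444-555555555555' -Level Enhanced -LimitEnhanced
# Test-DeviceHealthEnrollment | Format-List
```

Run `Test-DeviceHealthEnrollment` first on a pilot device; if `Enrolled` is `False` the row tells you which of the three prerequisites is missing. Note that if the values are delivered by Group Policy or an Intune configuration profile, anything you set locally with `Set-DeviceHealthEnrollment` is overwritten at the next policy refresh, so the local cmdlet is for lab or troubleshooting use rather than production rollout.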
Review Activity - Configure Windows Analytics


Let's play a quick game to test your knowledge of configuring Windows analytics. Click on the button
below to open this review activity full screen.
LAUNCH ACTIVITY18

18 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_2_3_configanalyticstutorial.
html
Module 3 Application Management

Implement Mobile Application Management (MAM)
Lesson Introduction
This lesson is intended to introduce Mobile Application Management. You will
learn about considerations for implementing MAM and you will be introduced to
the management of MAM in Configuration Manager. You will also learn about how to
use Intune for MAM and how to implement and manage MAM policies in Intune.
After this lesson, you should be able to:
●● Explain Mobile Application Management
●● Understand application considerations in MAM
●● Explain how to use Configuration Manager for MAM
●● Use Intune for MAM
●● Implement and manage MAM policies

Overview of Mobile Application Management


Intune Mobile Application Management (MAM) refers to the suite of Intune
management features you can use to publish, push, configure, secure, monitor,
and update mobile apps for your users. MAM protects an organization's data
within an application by using Microsoft Intune app protection policies that
help protect your company data and prevent data loss.
If you use MAM without enrollment (MAM-WE), a work or school-related app that
contains sensitive data can be managed on almost any device, including personal
devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such
as the Microsoft Office apps, can be managed by Intune MAM.
Your employees use mobile devices for both personal and work tasks. While making
sure your employees can be productive, you want to prevent data loss,
intentional and unintentional. You'll also want to protect company data that is
accessed from devices that are not managed by you. You can use Intune app
protection policies independent of any mobile-device management (MDM) solution.
This independence helps you protect your company’s data with or without
enrolling devices in a device management solution. By implementing app-level
policies, you can restrict access to company resources and keep data within the
purview of your IT department.
Intune MAM supports two configurations:
●● Intune MDM + MAM: IT administrators manage apps using MAM and app
protection policies only on devices that are enrolled with Intune MDM. To
manage apps using MDM + MAM, use the Intune console in the Azure portal at
https://portal.azure.com.
●● MAM without device enrollment: MAM without device enrollment (MAM-WE)
allows IT administrators to manage apps using MAM and app protection
policies on devices that are not enrolled with Intune MDM. This includes
devices enrolled with third-party Enterprise Mobility Management (EMM)
providers and devices that are not enrolled with any MDM at all. To manage
apps using MAM-WE, you use the same Intune console in the Azure portal at
https://portal.azure.com.
You can create mobile app management policies for Office mobile apps that
connect to Office 365 services. You can also protect access to Exchange
on-premises mailboxes by creating Intune app protection policies for devices
with Outlook for iOS and Android-enabled devices with hybrid Modern
Authentication. Before using this feature, make sure you meet the Outlook for
iOS and Android requirements. App protection policies are not supported for
other apps that connect to on-premises Exchange or SharePoint services.
The important benefits of using app protection policies are:
●● Protecting your company data at the app level. Because mobile app
management doesn't require device management, you can protect company data
on both managed and unmanaged devices. The management is centered on the
user identity, which removes the requirement for device management.
●● End-user productivity isn't affected, and policies don't apply when using
the app in a personal context. The policies are applied only in a work
context, which gives you the ability to protect company data without
touching personal data.
There are additional benefits to using MDM with app protection policies, and
companies can use app protection policies with and without MDM at the same time.
For example, consider an employee that uses both a phone issued by the company,
and their own personal tablet. The company phone is enrolled in MDM and
protected by app protection policies while the personal device is protected by
app protection policies only. MDM makes sure that the device is protected. Some
examples:
●● You can require a PIN to access the device, or you can deploy managed apps
to the device. You can also deploy apps to devices through your MDM
solution, to give you more control over app management.
●● App protection policies makes sure that the app-layer protections are in
place. For example, you can:
●● Require a PIN to open an app in a work context
●● Control the sharing of data between apps
●● Prevent the saving of company app data to a personal storage location
Supported platforms for app protection policies
App protection policies are only supported by Android and iOS, and Windows
devices are currently not supported. However, when you enroll Windows 10 devices
with Intune, you can use Windows Information Protection, which offers similar
functionality.

Application Considerations in MAM


Intune-managed apps are enabled with a rich set of mobile application protection
policies and allow you to:
●● Restrict copy-and-paste and save-as functions
●● Configure web links to open inside the Intune Managed Browser app
●● Enable multi-identity use and app-level conditional access
Intune-managed apps can also enable app protection without requiring enrollment,
giving you the choice to apply data loss prevention policies without managing
the user's device. One challenge many Intune admins face is keeping on top of
which apps do or don’t support MAM policies.
Microsoft Intune Apps portal
You can use the new Microsoft Intune Apps portal that displays all the MAM
enabled apps and what MAM features they support. For more information go to
Microsoft Intune
Apps1 and
scroll down to find supported Microsoft apps in the Find the right Microsoft
app for your scenario section.

1 https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps
Clicking an app's icon displays the MAM scenarios it supports (MDM with MAM
or MAM without enrollment), the platforms it supports, and whether or not it
is multi-identity capable. You can also find links to view the specific apps
in the Apple or Google app stores.
In the Find the right partner app for your scenario section, you will see a
list of currently supported third-party apps.

Intune App SDK and App Wrapping Tool


Incorporate mobile app management in your mobile and line-of-business apps using
the Intune App Software Development Kit (SDK) and the Intune App Wrapping Tool.
Multi-identity
Apps that support multi-identity let you use different accounts (work and
personal) to access the same apps, while app protection policies apply only when
the apps are used in the work context.
For example, consider a user who starts the OneDrive app by using their work
account. In the work context, they can't move files to a personal storage
location. Later, when they use OneDrive with their personal account, they can
copy and move data from their personal OneDrive without restrictions.
For information about apps that support MAM and multi-identity with Intune,
refer to how to use apps with multi-identity support.2

Prepare line-of-business apps for app protection policies
You can enable your apps to use app protection policies by using either the
Intune App Wrapping Tool or the Intune App SDK.
Intune App Wrapping Tool
The App Wrapping Tool is used primarily for internal line-of-business (LOB)
apps. The tool is a command-line application that creates a wrapper around the
app, which then allows the app to be managed by an Intune app protection policy.
When protecting an app provided by an independent software vendor (ISV) it's
important to clarify if the ISV will still support the wrapped app. You don't
need the source code to use the tool, but you do need signing credentials.
For more information about how to use the Android App Wrapping Tool, refer to
Prepare Android apps for app protection policies with the Intune App Wrapping
Tool3 and for more information about how to use the iOS App Wrapping Tool, refer
to Prepare iOS apps for app protection policies with the Intune App Wrapping
Tool4.
Note: The App Wrapping Tool does not support apps in the Apple App Store or
Google Play Store. It also doesn't support certain features that require
developer integration.
Reasons to use the App Wrapping Tool:
●● Your app does not have built-in data protection features
●● Your app is simple
●● Your app is deployed internally
●● You don't have access to the app's source code
●● You didn't develop the app
●● Your app has minimal user authentication experiences
Intune App SDK

2 https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/fasttrack-how-to-use-apps-with-multi-identity-support
3 https://docs.microsoft.com/en-us/intune/app-wrapper-prepare-android
4 https://docs.microsoft.com/en-us/intune/app-wrapper-prepare-ios
The Intune App SDK is designed mainly for customers who have apps in the Apple
App Store or Google Play Store, and want to be able to manage the apps with
Intune. However, any app can take advantage of integrating the SDK, even
line-of-business apps.
Reasons to use the SDK:
●● Your app does not have built-in data protection features
●● Your app is complex and contains many experiences
●● Your app is deployed on a public app store such as Google Play or Apple's
App Store
●● You are an app developer and have the technical background to use the SDK
●● Your app has other SDK integrations
●● Your app is frequently updated
Apps without app protection policies
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or
transferred to apps beyond your purview and result in data loss. The arrows in
the preceding diagram show unrestricted data movement between both corporate and
personal apps, and to storage locations.
You can use app protection policies to prevent company data from saving to the
local storage of the device. You can also restrict data movement to other apps
that aren't protected by app protection policies. App protection policy settings
include:
●● Data relocation policies like Prevent Save As, and Restrict cut, copy, and paste.
●● Access policy settings like Require simple PIN for access, and Block managed apps from running on
jailbroken or rooted devices.
Data protection with app protection policies
The preceding illustration shows the layers of protection that MDM and app
protection policies offer together.
The MDM solution:
●● Enrolls the device
●● Deploys the apps to the device
●● Provides ongoing device compliance and management
App protection policies add value by:
●● Helping protect company data from leaking to consumer apps and services
●● Applying restrictions like save-as, clipboard, or PIN, to client apps
●● Wiping company data from apps without removing those apps from the device
Data protection with app protection policies on devices managed by a Mobile
Device Management solution
The preceding diagram illustrates how the data protection policies work at the
app level without MDM.
For BYOD devices not enrolled in any MDM solution, App protection policies can
help protect company data at the app level. However, there are some limitations
to be aware of:
●● You can't deploy apps to the device. The end user has to get the apps from the store.
●● You can't provision certificate profiles on these devices.
●● You can't provision company Wi-Fi and VPN settings on these devices.
Data protection with app protection policies for devices without enrollment
Implementing MAM policies in Intune


App protection policies can be applied to apps running on devices that may or
may not be managed by Intune. In many organizations it’s common to allow end
users to use both Intune MDM managed devices, such as corporate owned devices,
and un-managed devices protected with only Intune app protection policies, such
as bring your own devices (BYOD).
Because Intune app protection policies are targeted to a user’s identity, the
protection settings for a user typically apply to both enrolled (MDM managed)
and non-enrolled devices (no MDM). Therefore, you can target an Intune app
protection policy to either Intune enrolled or un-enrolled iOS and Android
devices. You can create one protection policy for un-managed devices in which
strict data loss prevention (DLP) controls are in place, and a separate
protection policy for MDM managed devices, where the DLP controls may be a
little more relaxed.

Create and assign app protection policies


Use the following steps to create an app protection policy:
1. In the Azure Portal, in the navigation pane, click Intune.
2. Click Client apps and then from the Manage section, click App protection policies.
3. Click + Create Policy and type a name for the policy, add a brief description, and select the platform
type for your policy.
4. Select if you want to Target to all app types. If you leave it at
Yes, both Apps on unmanaged devices and Apps on Intune managed devices will be targeted. If
you select No you can choose between unmanaged and Intune managed devices.
5. Choose Apps to open the Apps blade, where a list of available apps is displayed. Select one or more
apps from the list that you want to associate with the policy that you're creating. You must select at
least one app to create a policy.
6. Click Select to save your selection.
7. On the Add a policy blade choose Configure required settings to open settings.
8. There are three categories of policy settings, Data relocation, Access requirements and Conditional
launch. Data relocation policies are applicable to data movement in and out of the apps. The access
policies determine how the end user accesses the apps in a work context. The conditional launch
settings control the sign-in security requirements for your access protection policy. The policies
settings all have default values and if the default values meet your requirements, you don't need to
make any changes.
Note: These policy settings are enforced only when using apps in the
work context. When end users use the app to do a personal task, they aren't
affected by these policies. Note that when you create a new file it’s
considered a personal file.
9. Choose OK to save this configuration. You're now back in the Add a policy blade.
10. Choose Create to create the policy and save your settings.
When you have created one or more app protection policies, they must be assigned
users in order to have any effect. To assign an app protection policy, perform
the following steps:
1. In the Client apps - App protection policies blade, click the policy you want to assign.
2. In the Intune App Protection blade, click Assignments, and then click Select groups to include.
3. A list of user groups is displayed on the Select groups to include blade. This list shows all the
security groups in your Azure Active Directory (Azure AD) that contain only users. Click the user groups
you want this policy to apply to, and then click Select. Click Select again. The app protection policy is
now assigned to the users in the selected groups.
4. Only users with assigned Microsoft Intune licenses are affected by the policy. Users in the selected
security group that don’t have an assigned Intune license aren't affected.
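The portal steps above map onto three calls to the Microsoft Graph API, which is how you would script this when you need the same policy in several tenants or want it under source control. The PowerShell below is an added example, not part of the course or of Microsoft's documentation: it creates the kind of strict data loss prevention policy the text suggests for unmanaged devices, targets it at Outlook and OneDrive, and assigns it to a user group. It assumes `$Token` already holds an OAuth 2.0 bearer token with the `DeviceManagementApps.ReadWrite.All` permission and that `$GroupId` is the object ID of an Azure AD security group of users; both are placeholders you supply.

```powershell
# Added example (not from the course): create, target and assign an iOS app
# protection policy through Microsoft Graph instead of the Azure portal.
# Assumptions: $Token is a bearer token with DeviceManagementApps.ReadWrite.All;
# $GroupId is the object ID of an Azure AD security group containing users.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

function New-StrictIosAppProtectionPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupId,
        # iOS bundle IDs of the apps to protect: Outlook and OneDrive by default
        [string[]]$BundleIds = @('com.microsoft.Office.Outlook', 'com.microsoft.skydrive')
    )

    # 1. Create the policy. Settings fall into the three categories the text
    #    describes: data relocation, access requirements, conditional launch.
    $policy = @{
        '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
        displayName   = $Name
        description   = 'Strict DLP for unmanaged (MAM-WE) devices'
        # Data relocation: keep company data inside managed apps and corporate storage
        saveAsBlocked                           = $true
        allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
        allowedInboundDataTransferSources       = 'managedApps'
        allowedOutboundDataTransferDestinations = 'managedApps'
        allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
        dataBackupBlocked                       = $true
        printBlocked                            = $true
        contactSyncBlocked                      = $true
        managedBrowserToOpenLinksRequired       = $true
        # Access requirements: app PIN in the work context only
        pinRequired                       = $true
        minimumPinLength                  = 6
        pinCharacterSet                   = 'numeric'
        simplePinBlocked                  = $true
        maximumPinRetries                 = 5
        periodOnlineBeforeAccessCheck     = 'PT30M'   # ISO 8601 durations
        periodOfflineBeforeAccessCheck    = 'PT12H'
        periodOfflineBeforeWipeIsEnforced = 'P90D'
        # Conditional launch: block jailbroken/rooted devices
        deviceComplianceRequired = $true
    }
    $created = Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$Graph/deviceAppManagement/iosManagedAppProtections" `
        -Body ($policy | ConvertTo-Json -Depth 5)

    # 2. Target apps. A policy with no apps selected protects nothing, which is
    #    why the portal refuses to create one without at least one app.
    $apps = @{ apps = @(
        foreach ($id in $BundleIds) {
            @{
                '@odata.type'       = '#microsoft.graph.managedMobileApp'
                mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = $id }
            }
        }
    ) }
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$Graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
        -Body ($apps | ConvertTo-Json -Depth 5) | Out-Null

    # 3. Assign to a user group. Only Intune-licensed members are affected.
    $assign = @{ assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    ) }
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$Graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) | Out-Null

    return $created   # the policy object, including its id, for later edits
}

# Usage: $GroupId is a placeholder object ID from your tenant.
# New-StrictIosAppProtectionPolicy -Name 'iOS - BYOD strict DLP' -GroupId $GroupId
```

Because the policy is targeted to the user's identity, the same three calls with a second, more relaxed `$policy` body give you the separate policy for MDM-managed devices that the text recommends. The Android equivalent uses `androidManagedAppProtections` with `androidMobileAppIdentifier` and `packageId` in place of the iOS types, though several setting names differ between the two platforms, as the linked Android and iOS settings references describe.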

Edit existing policies


You can edit an existing policy and apply it to the targeted users. However,
when you change existing policies, users who are already signed in to the apps
won’t see the changes for an 8-hour period. To see the effect of the changes
immediately, the end user must log out of the app, and sign back in.
Even though the steps for creating an app protection policy for either Android
or iOS are similar, there are differences in the various settings that can be
chosen. For more information, refer to Android app protection policy settings in Microsoft Intune5, or
iOS app protection policy settings6.

Managing MAM policies in Intune


You can monitor the compliance status of the MAM policies that you've applied to
users at the Intune app protection pane in the Azure portal. You can find
information about the users affected by the MAM policies, its compliance status,
and any issues that your users might be experiencing.
There are three different places to monitor the compliance status:
●● Summary view
●● Detailed view
●● Reporting view
Summary view
1. Sign into the Azure portal and in the navigation pane, click Intune.

5 https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-android
6 https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.

●● Users: The total number of users in your company who are using an app which is associated with a
policy in a work context.
●● Managed by policy: The number of users who have used an app who have a policy assigned to them
in a work context.
●● No policy: The number of users who are using an app that is not targeted by any policy in a work
context. You might consider adding these users to the policy.
Detailed view
You can get to the detailed view from the summary view by choosing the User
status tile (based on device OS platform), and the Flagged users tile.
User status
You can search for a single user and check the compliance status for that user.
The App reporting pane shows the following information for a selected user:
●● Devices that are associated with the user account
●● Apps with a MAM policy on the device
●● Status:
●● Checked in: The policy was deployed to the user, and the app was
used in the work context at least once.
●● Not checked in: The policy was deployed to the user, but the app has not been used in the work
context since then.
To see a detailed report for a user, follow these steps:
1. Sign into the Azure portal and in the navigation pane, click Intune.
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.
3. Click either the User status for iOS tile or the User status for Android tile.
4. On the App reporting blade, click Select user to search for an Azure AD user.
5. Select a user from the list (for example, Debra Berger) and then click Select. You can see the user
name, whether the user has a license for Intune, and details of the compliance status for that user:

Reporting view
You can find the same reports from the Detailed view, and additional reports to
help you with the MAM policy compliance status.
To access the reports, perform the following steps:
1. Sign into the Azure portal and in the navigation pane, click Intune.
2. On the Intune blade, click Client apps and then click App protection status to see the summary
view.
3. On the Client apps – App protection status blade, click Reports in the details pane. Notice that you
can also export the following information to a CSV file:
●● App protection report: iOS, Android
●● App protection report: WIP without enrollment
●● App protection report: WIP via MDM
●● App configuration report
4. On the Reports blade, you can run the following reports:


●● Users report
●● App report
●● User configuration report
●● App configuration report
●● App learning report for Windows Information Protection
●● Website learning for Windows Information Protection
Note: Microsoft recommends using Intune for managing MAM policies. Managing
MAM policies with ConfigMgr using the hybrid MDM model is deprecated. On
September 1, 2019, Microsoft will retire the hybrid MDM service offering, and
any remaining hybrid MDM devices will no longer receive policy, apps, or
security updates. Start planning your migration for MDM from the ConfigMgr
console to Azure.
Deploying and updating applications


Lesson Introduction
In this lesson, you will be introduced to application deployment in Intune. You
will learn about deploying software using Group Policy and get an overview of
Windows Store for Business. You will examine how to configure Windows Store for
Business and how to integrate it with Intune. The lesson will then conclude with
information about how to use Windows Store for Business.
After this lesson, you should be able to:
●● Explain how to deploy applications using Intune
●● Learn how to deploy applications using Group Policy
●● Understand Microsoft Store for Business
●● Learn how to configure Microsoft Store for Business
●● Explain how to use Microsoft Store for Business

Deploying applications with Intune


As an IT admin, you can use Microsoft Intune to manage the client apps that your
company's workforce uses. This functionality is in addition to managing devices
and protecting data. One of an admin's priorities is to ensure that end users
have access to the apps they need to do their work. This goal can be a challenge
because:
●● There are a wide range of device platforms and app types.
●● You might need to manage apps on both company devices and users' personal
devices.
●● You must ensure that your network and your data remain secure.
Additionally, you might want to assign and manage apps on devices that are not
enrolled with Intune. Intune offers a range of capabilities to help you get the
apps you need on the devices you want to run them on.
For more information about the App management capabilities by platform, refer to
What is Microsoft Intune app management?7

Microsoft Intune app lifecycle


The Microsoft Intune app lifecycle begins when an app is added and progresses
through additional phases until you remove the app. By understanding these
phases, you'll have the details you need to get started with app management in
Intune.

7 https://docs.microsoft.com/en-us/intune/app-management
Add
The first step in app deployment is to identify the apps you want to manage and
assign, and add them to Intune. You can work with many different app types, the
basic procedures are the same. With Intune you can add apps written in-house
(line-of-business), apps from the store, apps that are built-in, and apps on the
web.
Deploy
After you've added the app to Intune, you can then assign it to users and
devices that you manage. Intune makes this process easy, and after the app is
deployed, you can monitor the success of the deployment from Intune within the
Azure portal. Additionally, in some app stores, such as the Apple and Windows
app stores, you can purchase app licenses in bulk for your company. Intune can
synchronize data with these stores so that you can deploy and track license
usage for these types of apps right from the Intune administration console.
Configure
As part of the app lifecycle, new versions of apps are regularly released.
Intune provides tools to easily update apps that you have deployed to a newer
version. Additionally, you can configure extra functionality for some apps, for
example:
●● iOS app configuration policies supply settings for compatible iOS apps that are used when the app is
run. For example, an app might require specific branding settings or the name of a server to which it
must connect.
●● Managed browser policies help you to configure settings for the Intune managed browser, which
replaces the default device browser and lets you restrict the websites that your users can visit.
Protect
Intune gives you many ways to help protect the data in your apps. The main
methods are:
●● Conditional access, which controls access to email and other services based on conditions that you
specify. Conditions include the device type, or compliance with a device compliance policy that you
deployed.
●● App protection policies that work with individual apps to help protect the company data that they
use. For example, you can restrict copying data between unmanaged apps and managed apps, or you
can prevent apps from running on devices that have been jailbroken or rooted.
Retire
Eventually, the apps that you deployed will likely become outdated and need to
be removed. Intune makes it easy to retire apps from service.

Adding apps to Intune


Before you can assign, monitor, configure, or protect apps, you must add them to
Microsoft Intune. The users of apps and devices at your company (your company's workforce) might have
several app requirements. Before adding apps to Intune and
making them available to your workforce, you must assess and understand a few
app fundamentals. You must understand the various types of apps that are
available for Intune. You must assess the app requirements, such as the
platforms and capabilities that your workforce needs. You must determine whether
to use Intune to manage the devices (including apps) or have Intune manage the
apps without managing the devices. Finally, you must determine the apps and
capabilities that your workforce needs, and who needs them.
You can add the following app types in Intune:
Store app
Apps that have been uploaded to either the Microsoft store, the iOS store, or the Android store are store
apps. The provider of a store app maintains and provides updates to the app. You select the app in the
store list and add it by using Intune as an available app for your users. For more information, refer to:
●● Add Android store apps to Microsoft Intune8
●● Add iOS store apps to Microsoft Intune9
●● Add Microsoft Store apps to Microsoft Intune10
Office 365 Suite
This app type makes it easy for you to assign Office 365 apps to devices you manage that run Windows
10 or macOS. You can also install apps for the Microsoft Project Online desktop client and Microsoft Visio
Pro for Office 365, if you own licenses for them. The apps that you want are displayed as a single entry in
the list of apps on the Intune console. For more information, refer to:
●● Assign Office 365 apps to Windows 10 devices with Microsoft Intune11
●● Assign Office 365 apps to macOS devices with Microsoft Intune12
Other
●● Web link. A web app is a client-server application. The server provides the web app, which includes
the UI, content, and functionality. Additionally, modern web-hosting platforms commonly offer
security, load balancing, and other benefits. A web app is separately maintained on the web. You use
Microsoft Intune to point to this app type. You also assign the groups of users that can access this
app. For more information refer to Add web apps to Microsoft Intune.

8 https://docs.microsoft.com/en-us/intune/store-apps-android
9 https://docs.microsoft.com/en-us/intune/store-apps-ios
10 https://docs.microsoft.com/en-us/intune/store-apps-windows
11 https://docs.microsoft.com/da-dk/intune/apps-add-office365
12 https://docs.microsoft.com/da-dk/intune/apps-add-office365-macos
●● Built-in app. The built-in app type makes it easy for you to assign curated managed apps, such as
Office 365 apps, to iOS and Android devices. You can assign specific apps for this app type, such as
Excel, OneDrive, Outlook, Skype, and others. After you add an app, the app type is displayed as either
Built-in iOS app or Built-in Android app. By using the built-in app type, you can choose which of these
apps to publish to device users. For more information refer to Add built-in apps to Microsoft
Intune13.
●● Line-of-business (LOB) app. An LOB app is one that you add from an app installation file. For
example, to install an iOS LOB app, you add the application by selecting Line-of-business app as the
App type in the Add app pane. You then select the app package file (extension .ipa), which is uploaded
to Intune. The LOB app type supports apps for Windows 10, Android, iOS, and macOS. The following
extensions are supported:
●● Windows 10: .msi, .appx, .appxbundle, .msix and .msixbundle
●● Android: .apk
●● iOS: .ipa
●● macOS: .intunemac (produced from an app bundle by the Intune App Wrapping Tool for Mac)
●● Windows app (Win32) – preview. Building upon the existing support for line-of-business (LOB) apps
and Microsoft Store for Business apps, administrators can use Intune to deploy most of their organi-
zation’s existing Win32 line-of-business (LOB) applications to end users on Windows 10 devices.
Administrators can add, install, and uninstall applications for Windows 10 users in a variety of formats,
such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before downloading and
installing, notifying end users of the status or reboot requirements using the Windows 10 Action
Center. This feature is currently in public preview and we expect to add significant new capabilities to
the feature over the next few months. For more information refer to Intune Standalone - Win32 app
management (Public Preview)14.
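Win32 app deployment only works as well as the rules Intune evaluates on the device. As an added example, not from the course or Microsoft's own samples, the script below is the shape of a custom detection script for a Win32 app: it looks the product up in both the 64-bit and 32-bit Uninstall registry hives and compares the installed version against a minimum. The contract it assumes is the one Intune applies to custom detection scripts: exit code 0 together with text on STDOUT means "detected", exit code 0 with no output means "not detected". The product name and version are placeholders.

```powershell
# Added example (not from the course): a Win32 app detection script for Intune.
# Assumed contract: exit 0 + STDOUT output = detected; exit 0 + no output = not detected.
# Product name and version are placeholders for illustration.
param(
    [string]$DisplayName     = 'Contoso Expense Client',   # placeholder
    [version]$MinimumVersion = '3.2.0'
)

function Get-InstalledProduct {
    param([Parameter(Mandatory)][string]$Name)
    # 64-bit, 32-bit (WOW6432Node) and per-user Uninstall hives. Intune runs the
    # script as SYSTEM by default, so HKCU usually reflects no real user here.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name } |
        ForEach-Object {
            # DisplayVersion is free text written by the installer; parse it
            # defensively and treat an unparseable value as 0.0 (always too old).
            $parsed = $null
            if (-not [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
                $parsed = [version]'0.0'
            }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $parsed
                UninstallString = $_.UninstallString
            }
        }
}

function Test-AppDetected {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][version]$Minimum)
    # If several entries exist (side-by-side or leftover keys), judge by the newest.
    $newest = Get-InstalledProduct -Name $Name |
              Sort-Object -Property Version -Descending |
              Select-Object -First 1
    if ($null -eq $newest) { return $false }
    return ($newest.Version -ge $Minimum)
}

if (Test-AppDetected -Name $DisplayName -Minimum $MinimumVersion) {
    # Any STDOUT text with exit code 0 tells Intune the app is installed.
    Write-Output "Detected $DisplayName version >= $MinimumVersion"
    exit 0
}
# No output and exit 0: not detected, so Intune proceeds with (re)installation.
exit 0
```

Comparing on `[version]` rather than on the string avoids the classic failure where "3.10.0" sorts below "3.9.0", and checking both registry views matters because a 32-bit installer on 64-bit Windows writes under WOW6432Node. The same lookup can serve as a requirement rule by emitting the version string on STDOUT for Intune to compare against.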

Deploying applications with Group Policy


Windows Server 2016 and later includes a feature called Software Installation
and Maintenance that Active Directory Domain Services (AD DS), Group Policy, and
the Windows Installer service use to install, maintain, and remove software from
your organization’s computers.

Using Group Policy to manage the software lifecycle


The software lifecycle consists of four phases: preparation, deployment,
maintenance, and removal.

[13] https://docs.microsoft.com/da-dk/intune/apps-add-built-in
[14] https://docs.microsoft.com/en-us/intune/apps-win32-app-management

You can use Group Policy to manage all phases except the preparation. You can
apply Group Policy settings to users or computers in a site, domain, or
organizational unit (OU) to install, upgrade, or remove software automatically.
By applying Group Policy settings to software, you can manage the phases of
software deployment without deploying software on each computer individually.
Using Group Policy to manage the software lifecycle has some advantages and some
disadvantages that are important to consider. The advantages of using Group
Policy to manage the software lifecycle are:
●● Group Policy software distribution is available as part of Group Policy
and AD DS. Thus, using Group Policy does not incur any additional costs
for your organization, and is always available to implement because it’s
already installed and ready for use.
●● Group Policy software distribution does not require client software, agent
software, or additional management software. IT administrators can use
familiar tools to manage the software lifecycle.
●● Group Policy software distribution is quick and easy to use. This allows
for both faster software distribution and reduced IT training costs.
The disadvantages of using Group Policy to manage the software lifecycle are:
●● Group Policy software distribution has a minimal feature set. This
minimal feature set limits the ability to control aspects of the
distribution such as the day and time of installation, the order of
installation when deploying multiple applications, and the reboot process,
such as reboot suppression or reboot windows.
●● Group Policy software distribution does not have any reporting. Thus,
you cannot easily gather information such as how many computers have the
distributed software, which computers an installation failed on, or which
computers do not have the distributed software. This could lead to a
scenario in which you deploy an update to an application and the update
attempts to install on computers that no longer have the application to be
updated.
●● Group Policy software distribution is limited to deployment of Windows
Installer packages. IT administrators have to convert non-MSI installation
programs into MSI packages before being able to deploy the software by using
Group Policy.
For larger organizations, especially organizations that have more than 500
computers, and for any organizations with specific software distribution
requirements, System Center Configuration Manager provides enterprise-level
features and control. These enterprise-level features and control eliminate the
disadvantages found in Group Policy software distribution.
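The reporting gap described above can be closed with a short script. The following Windows PowerShell example is added here and is not part of the course or of any Microsoft tool: it lists every package that Group Policy Software Installation deploys in the domain, then checks whether each target computer actually has the product installed. It assumes the RSAT GroupPolicy module, WinRM access to the computers, that the package name in the GPO matches the product's DisplayName in the Uninstall registry key, and the MsiApplication/Name/Path/DeploymentType element names of the XML report; the computer names are placeholders.

```powershell
# Added example, not from the course: fill the reporting gap in Group Policy Software
# Installation (GPSI) by comparing the packages defined in GPOs with what is actually
# installed on a set of computers.
# Assumptions: RSAT GroupPolicy module is installed, WinRM is allowed to the targets, and
# the GPSI package name equals the product's DisplayName in the Uninstall registry key.
#Requires -Modules GroupPolicy

function Get-GpsiPackage {
    # Every GPO's XML report contains one MsiApplication element per GPSI package
    # (element names assumed from the Software Installation extension's report schema).
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        foreach ($app in $report.SelectNodes("//*[local-name()='MsiApplication']")) {
            [pscustomobject]@{
                Gpo            = $gpo.DisplayName
                Name           = $app.SelectSingleNode("*[local-name()='Name']").InnerText
                Path           = $app.SelectSingleNode("*[local-name()='Path']").InnerText
                DeploymentType = $app.SelectSingleNode("*[local-name()='DeploymentType']").InnerText
            }
        }
    }
}

function Get-InstalledProduct {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Read the per-machine Uninstall keys (64-bit and 32-bit views) on each computer.
    # This is faster and safer than Win32_Product, which triggers MSI consistency checks.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion
    }
}

function Get-GpsiDeploymentReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $packages  = Get-GpsiPackage
    $installed = Get-InstalledProduct -ComputerName $ComputerName
    foreach ($pkg in $packages) {
        foreach ($computer in $ComputerName) {
            # PSComputerName is added by Invoke-Command to every returned object.
            $match = $installed | Where-Object {
                $_.PSComputerName -eq $computer -and $_.DisplayName -eq $pkg.Name
            }
            [pscustomobject]@{
                Computer       = $computer
                Gpo            = $pkg.Gpo
                Package        = $pkg.Name
                DeploymentType = $pkg.DeploymentType
                Installed      = [bool]$match
            }
        }
    }
}

# Placeholder computer names; replace with the computers in scope of the GPOs.
Get-GpsiDeploymentReport -ComputerName 'PC01', 'PC02' |
    Sort-Object Package, Computer |
    Format-Table -AutoSize
```

Rows with Installed = False for an assigned package are the computers on which the installation failed or has not yet run; rows for a package that no longer exists in any GPO but is still installed are the ones that the update-to-a-removed-application scenario above would hit.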
How Windows Installer enhances software distribution
To enable Group Policy to deploy and manage software, Windows Server 2016 or
later uses the Windows Installer service. This component automates the
installation and removal of applications by applying a set of centrally-defined
setup rules during the installation process. The Windows Installer service
installs the .msi package files. .msi files contain a database that stores all
the instructions required to install the application. Small applications may be
entirely stored as .msi files, whereas other larger applications will have many
associated source files that the MSI references. Many software vendors provide
.msi files for their applications.
The Windows Installer service has the following characteristics:
●● This service runs with elevated privileges, so that the Windows Installer
service can install software regardless of which user is signed into the
system. Users only require read access to the software distribution point.
●● Applications are resilient. If an application becomes corrupted, the
installer will detect and reinstall or repair the application.
●● Windows Installer cannot install .exe files. To distribute a software
package that installs with an .exe file, you must convert the .exe file
to an .msi file by using a third-party utility.
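Because the .msi database carries everything the installer will do with elevated privileges, it is worth reading the package before it is placed on the distribution point. The following Windows PowerShell example is added here and is not part of the course: it opens the package database read-only through the WindowsInstaller.Installer COM object, reads the Property table, and checks the file's Authenticode signature. The package path is a placeholder.

```powershell
# Added example, not from the course: inspect an .msi package before adding it to a
# Group Policy Software Installation GPO. Reads the Property table inside the package
# database through the WindowsInstaller.Installer COM object and checks the Authenticode
# signature of the file. The package path is a placeholder.

function Get-MsiProperty {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase mode 0 = read-only; the COM interface is late-bound, hence InvokeMember.
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT Property, Value FROM Property'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props = @{}
    while ($true) {
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $record) { break }
        $name  = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
        $value = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    [System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer) | Out-Null
    return $props
}

function Test-MsiPackage {
    param([Parameter(Mandatory)][string]$Path)
    $props = Get-MsiProperty -Path $Path
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File            = $Path
        ProductName     = $props['ProductName']
        ProductVersion  = $props['ProductVersion']
        ProductCode     = $props['ProductCode']   # identifies this exact version; changes on upgrade
        UpgradeCode     = $props['UpgradeCode']   # stable across versions; relates an upgrade to the package it replaces
        Manufacturer    = $props['Manufacturer']
        SignatureStatus = $sig.Status             # 'Valid' is what you want to see before deploying
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Placeholder path on the software distribution point (users need only read access, as the text notes).
Test-MsiPackage -Path '\\fileserver\Software\ContosoApp.msi' | Format-List
```

Record the ProductCode and UpgradeCode of each package you deploy; they are what you will need when you later redeploy, upgrade, or remove the package through the GPO.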

Managing software upgrades by using Group Policy


Software vendors occasionally release software updates. These usually address
minor issues, such as a performance update or a feature enhancement that does
not warrant a complete application reinstallation. Microsoft releases some
software patches as .msp files. Major updates that provide new functionality
require users to upgrade a software package to a newer version. You can open the
GPO that deploys a software package, modify the software installation settings,
and then use the Upgrades tab to upgrade a package. When you perform upgrades by
using Group Policy, you’ll notice the following characteristics:
●● You can redeploy a package if the original Windows Installer file has been
modified.
●● Upgrades will often remove the old version of an application and install a
newer version. These upgrades usually maintain application settings.
●● You can remove software packages if they were delivered originally by using
Group Policy. This is useful if you’re replacing a line-of-business (LOB)
application with a different application. Removal can be mandatory or
optional.
●● For more information about how to use Group Policy to remotely install
software in Windows, refer to Using group policy to remotely install software in Windows
server [15].

Assigning and publishing software


Two deployment types are available for delivering software to clients.
Administrators can either install software for users or computers in advance by
assigning the software, or give users the option to install the software when
they require it by publishing the software in AD DS. Both user and computer
configuration sections of a GPO have a Software Settings section. You can add
software to a GPO by adding a new package to the Software Installation node and
then specifying whether to assign or publish it.
You also can choose advanced deployment of a package. Use this option to apply a
customization file to a package for custom deployment. For example, if you use
the Office Customization tool to create a setup customization file to deploy
Microsoft Office.
Assigning software
Assigning software has the following characteristics:
●● When you assign software to a user, the user’s Start menu advertises the
software when the user logs on. Installation does not begin until the user
double-clicks the application's icon or a file that is associated with the
application.
●● Users don’t share deployed applications. When you assign software to a
user, an application that you install for one user through Group Policy may
not be available to other users. Assigning software to a user is preferred
when the software is used by a subset of users, or when the software has
licensing costs associated with it and you don’t want to purchase licenses
that will not be used.
●● When you assign an application to a computer, the application is installed
the next time that the computer starts. The application will be available
to all users of the computer. Assigning software to a computer is preferred
when you need to have the software installed on a specific set of computers
or on all computers in an environment, regardless of which users use the
computers. This is a common situation when dealing with agent software, such
as monitoring agents, security-related agents, or management agents.

[15] https://support.microsoft.com/en-us/help/816102/how-to-use-group-policy-to-remotely-install-software-in-windows-server

Publishing Software
Publishing software has the following characteristics:
●● The Programs > Programs and Features shortcut in Control Panel advertises a
published application to the user. Users can install the application by
using the Install a program from the network shortcut, or extension
activation can install the application. Extension activation will initiate
the program installation when a user clicks on a file type that is
associated with the program.
●● Control Panel does not advertise applications to users who do not have
permission to install them.
●● Applications cannot be published to computers.

Microsoft Store for Business Overview


Organizations use Microsoft Store for Business, not individual customers. In the
Windows 10 operating system, Microsoft introduced Microsoft Store for Business,
which is meant for organizations of all sizes. Organizations can sign up for
Microsoft Store for Business for free; the only requirement is that the
organization must have Azure AD. If an organization doesn’t yet have Azure AD,
it can create an Azure AD tenant during the sign-up process. Then, the
organization can purchase modern apps and make them available to company
employees in a private store. Employees can access the private store by using
the Microsoft Store app, which Windows 10 includes, and then install apps from
the private store.
You can sign up and manage Microsoft Store for Business by using a web browser.
However, before you can access it, you must authenticate with your Azure AD
account. Microsoft Store for Business supports two types of licensing: online
and offline. All apps support online licensing, while offline licensing is
available only for apps for which the developer selected this option. Microsoft
Store for Business includes basic deployment capabilities that enable you to
assign apps to company employees. Employees will receive email notifications,
and they can select the link in the email message to install the app.

Features and benefits of Microsoft Store for Business


Different vendors have different ways to distribute apps for their devices.
Modern Windows apps are available through Microsoft Store, where anyone can
purchase an app and install it on their Windows-based device. Microsoft Store
for Business enables organizations to set up a private store and add modern
Windows apps to that private store. An organization’s private store is available
only to company employees. The private store can include publicly available,
business-related apps that the organization purchased from Microsoft Store for
Business. The private store can also include modern Windows apps that were
developed for the organization and that must be available only to company
employees.
Microsoft Store for Business is a cloud service, which means that it’s scalable
and available from anywhere, if you have internet connectivity. Company
employees authenticate in Microsoft Store for Business with an Azure AD account,
and you can delegate store permissions to any organizational user. You manage
Microsoft Store for Business in a web browser, and employees can access it from
the Microsoft Store app on Windows 10, or by using a web browser.
Microsoft Store for Business is available for free and provides organizations
with the following benefits and features:
●● Scalable to fit any size organization. For smaller organizations, you
can quickly have an end-to-end process to acquire and distribute apps.
Larger organizations can integrate Microsoft Store for Business with a
management tool such as Microsoft Intune or Microsoft System Center
Configuration Manager (Current Branch) for greater control over app
deployments and updates.
●● Use of familiar infrastructure. Because Microsoft Store for Business is
a cloud service, it’s available around the world, and it has practically
unlimited resources. It uses Azure AD for authentication, which means that
organizations that are already using Azure AD authentication can easily
implement it. If an organization doesn’t have Azure AD, it can create an
Azure AD tenant automatically when it signs up for Microsoft Store for
Business.
●● Private store. Microsoft Store for Business includes a private store,
which is available to all company employees after they authenticate with an
Azure AD account. You can add purchased modern Windows 10 apps to a private
store, and company employees can access them by using the Microsoft Store
app from any Windows 10 device.
●● Bulk app acquisition. Organizations can acquire and pay for apps in
volume from Microsoft Store for Business.
●● Centralized management. You can use Microsoft Store for Business as a
central location for tracking available and installed apps, billing, and
order history. You can also delegate permission for various aspects of
Microsoft Store for Business management to company employees.
●● App license tracking and management. In Microsoft Store for Business,
you can view who installed apps and who has a license to run an app. You can
also reclaim an app license from a user, which prevents them from using the
app, and assign a license to another user. Online and offline licenses allow
you to customize how you deploy apps.
●● Flexible distribution options. Three options are available for
distributing apps in Microsoft Store for Business. You can:
●● Distribute apps through Microsoft Store for Business by assigning apps
to company employees or by making apps available to all employees in the
private store.
●● Connect Microsoft Store for Business with Intune, Configuration Manager,
or another management tool, and use the management tool’s advanced
deployment options to deploy apps from Microsoft Store for Business.
●● Use the offline-licensing model to distribute apps without connecting to
Microsoft Store for Business.
●● Support for LOB apps. An organization can submit and deploy LOB apps in
Microsoft Store for Business. Developers can create LOB apps for an
organization and make them available only to employees of that organization.
●● Up-to-date apps. For apps with online licenses, Microsoft Store for
Business can automatically update apps. Microsoft Store for Business apps
also uninstall cleanly, without leaving behind extra files.

Microsoft Store for Business Prerequisites


Microsoft Store for Business is a cloud service. To access and administer
Microsoft Store for Business, and for users to be able to browse and obtain apps
from it, internet connectivity is necessary. Users who want to access Microsoft
Store for Business must also have a suitable web browser and an Azure AD
account—their identities exist in Azure AD. This is already the case if they
have an Azure subscription or if they are using cloud services such as Microsoft
Office 365 or Intune.
To use Microsoft Store for Business, you must meet the following prerequisites:
●● Internet connectivity. The public cloud hosts Microsoft Store for
Business. A device must have internet connectivity to browse Microsoft Store
for Business and to administer it. If your company restricts access to the
internet, you need to provide access to a set of URLs that must be
accessible for devices to use Microsoft Store for Business.
●● Windows 10 devices. You can browse Microsoft Store for Business only
from Windows 10 devices. Windows 10 includes the Microsoft Store app, which
you can use to access the public Microsoft Store and Microsoft Store for
Business.
●● Windows Update service. Microsoft Store requires the Windows Update
service to be enabled on the device. The Windows Update service is for
detecting, downloading, and installing updates for Windows operating systems
and other apps, such as apps from Microsoft Store for Business. You can’t
install apps from Microsoft Store for Business if the Windows Update service
is disabled.
●● Supported web browser for administering Microsoft Store for Business.
Although Microsoft Store for Business users don’t need a web browser for
browsing and installing apps, administrators need a web browser for managing
Microsoft Store for Business. You can manage Microsoft Store for Business in
Internet Explorer 11, Microsoft Edge, or current versions of Google Chrome
or Mozilla Firefox. In the web browser, you must enable JavaScript support.
●● Azure AD account. If you want to manage or browse Microsoft Store for
Business, you must first sign in to Microsoft Store for Business with an
Azure AD account. If you use a management tool for deploying online-licensed
apps, the users to whom you deploy apps must also have Azure AD accounts. If
an app from Microsoft Store for Business supports offline licensing, an
administrator can obtain and deploy it to users even if they don’t have an
Azure AD account; however, the administrator must have an Azure AD account
to obtain the app.
If all prerequisites are met, users can access, browse, and install the apps
from Microsoft Store for Business. You can also assign them apps, in which case,
users will receive notifications by email and will be able to install the apps.
If your organization is using a management tool such as Intune or Configuration
Manager to distribute and manage apps, you can integrate it with Microsoft Store
for Business. Using a management tool provides additional control and reporting
in app deployments.

Implementing Microsoft Store for Business


For organizations that use Azure AD, Microsoft Store for Business is available
without any additional fee. If an organization already has Azure AD, for example
as part of an Azure or Office 365 subscription, it can sign up with its Azure AD
account and start using Microsoft Store for Business. If an organization doesn’t
yet have Azure AD, it can create an Azure AD tenant as part of the Microsoft
Store for Business sign-up process. Users who sign up for and create a Microsoft
Store for Business account must be a global administrator in Azure AD.
Before you can start using Microsoft Store for Business, you must first sign up.
The sign-up process is fast, straightforward, and similar to signing up for
other cloud services:
1. In your browser, go to https://www.microsoft.com/business-store, sign in
with your Azure AD global administrator account.
2. When you are signed in, click Manage and then accept the licensing
agreement.
3. You are now signed up for Microsoft Store for Business.
After signing up for Microsoft Store for Business, you can start managing it.
The user account that you used to sign up for Microsoft Store for Business is
already a global administrator in your Azure AD tenant, and this user has all
permissions. Other Azure AD tenant users can browse Microsoft Store for Business
and install available apps, but they can’t manage it. If necessary, a global
administrator can delegate permissions for Microsoft Store for Business tasks by
assigning store roles to other company employees; for example, to acquire and
distribute apps. You can assign roles only to Azure AD user accounts and not to
groups.
You can assign four user roles to manage access to apps and to perform other
tasks in Microsoft Store for Business:
●● Admin. Users in this role can perform all tasks and assign roles to
others.
●● Purchaser. Users in this role can acquire apps, add them to the private
store, and distribute apps to company users.
●● Basic purchaser. Users in this role can acquire apps they own, add them
to the private store, and distribute apps to company users.
●● Windows Defender Device Guard signer. Users in this role can manage
Windows Defender Device Guard settings.
When you sign up for Microsoft Store for Business, the following five apps
are automatically added to the private store: Microsoft Word Mobile, Microsoft Excel
Mobile, Microsoft PowerPoint Mobile, Microsoft OneNote and Microsoft Sway. It
can take up to 36 hours for the apps to become visible in the private store. If
a user is in the Admin role, they can add additional apps to the private store.
Users in the Purchaser or Basic purchaser role can purchase apps, but they can’t
add them to the private store. Users in the Basic purchaser role also can’t
license apps for offline use. Users in the Admin or Global Admin roles can add
Microsoft Store for Business apps and LOB apps to a private store.
A user in the Admin role can manage the following settings in Microsoft Store
for Business:
●● Account information and payment options. You can modify organizational
information, such as the address and value-added tax number, and you can add
or modify payment options, such as credit card details.
●● Private store name. You can modify the name of a private store.
●● Offline licensing. If apps can be offline-licensed, download the app
package and distribute it to users even if they don’t connect to Microsoft
Store for Business and even if they don’t have an Azure AD account.
Additionally, the user with the Admin role can configure this setting if
offline-licensed apps display in Microsoft Store for Business.
●● Management tools. You can add a management tool such as Intune or
Configuration Manager to Microsoft Store for Business. Management tools can
sync with Microsoft Store for Business, and you can use them to distribute
apps from Microsoft Store for Business to company users.
●● Device Guard signing. Apps that install from Microsoft Store for
Business can be signed automatically and added to the code integrity policy.
If you configure this option, employees can install apps from Microsoft
Store for Business and run them on a device that is protected by Windows
Defender Device Guard.
●● Permissions. You can delegate permissions for Microsoft Store for
Business and allow company users to perform certain management tasks in
Microsoft Store for Business.
●● LOB publishers. You can invite company developers or third-party vendors
to submit their LOB apps to Microsoft Store for Business. These LOB apps can
be available only in your organization’s private store and not in the public
Microsoft Store.

Obtaining apps based on your licensing model


How you obtain apps from Microsoft Store for Business and install them on a
device is determined by your licensing model. Microsoft Store for Business
supports two licensing models to license apps from the store: online and
offline.

Online licensing
Online licensing is the default licensing model in Microsoft Store for Business,
and any app in the store supports this licensing model. Online licensing
requires users to authenticate and connect to Microsoft Store for Business
before they can install an app and its license. You can install online-licensed
apps from the private store and assign them to users or distribute them by using
a management tool such as Intune or Configuration Manager. Users who don’t have
an Azure AD account or who can’t connect to Microsoft Store for Business can’t
install online-licensed apps.
License management for online-licensed apps is enforced and based on a user’s
Azure AD identity. Microsoft Store for Business handles license management, and
Windows Update performs app updates. Online licensing is the only option that is
available for apps in the public Microsoft Store.

Offline licensing
The offline-licensing option is available only for certain apps in Microsoft
Store for Business. With offline licenses, an organization can purchase multiple
copies of an app for its employees, download the app package and its license,
and deploy it on the organizational network. For example, you can include
offline-licensed apps in the computer image and sideload or deploy them by using
a management tool such as Intune or Configuration Manager.
Offline licensing is available only for apps for which developers specify this
licensing option when they submit the app to the Windows Dev Center.
Administrators can download and install apps that use the offline-licensing
model for users who don’t connect to Microsoft Store for Business or who don’t
have an Azure AD account. License management isn’t enforced, and the
organization that purchases the app manages the licenses. As with online
licensing, Windows Update performs app updates. Users in the Admin role control
if offline-licensed apps are available in Microsoft Store for Business by
configuring the offline app visibility setting.
You can configure offline app visibility by performing the following steps:
1. Sign in to Microsoft Store for Business.
2. Click Manage, and then click Settings.
3. On the Shop tab, in the Shopping experience section, turn the Show
offline apps setting On.

Using Microsoft Store for Business


After you set up Microsoft Store for Business, you can access the apps and add
them to a private store. You can also invite company developers or independent
software vendors to submit LOB apps. After you accept a submitted LOB app, you
can add the app to the private store and distribute it in the same way as any
other store app. Apps in Microsoft Store for Business only work on Windows
10–based devices and must be of the following types:
●● Universal Windows Platform apps
●● Universal Windows apps, by device: phone, Microsoft Surface Hub, Internet of
Things (IoT), and Microsoft HoloLens
Deploying and managing Microsoft Store for Business apps
After you add apps to your private store in Microsoft Store for Business, you
can distribute them to company employees in several ways. You can instruct
employees to open the Microsoft Store app, browse the private store, and
manually install the apps they need from a private store.
You can assign apps to employees in Microsoft Store for Business, and they will
receive an email notification with instructions and a link to install the apps.
Users just need to select the link, authenticate, and the app will install
without any user interaction. The third method is more advanced and requires a
management tool. You can integrate a mobile device management tool with
Microsoft Store for Business, sync the list of available apps, and use the
mobile device management tool to deploy the apps. If an app is licensed for
offline use, the administrator can download the app package from Microsoft Store
for Business and deploy it as any other modern Windows app; for example, by
using imaging, sideloading, or by using an app deployment tool such as Intune or
Configuration Manager.
Distribute apps by using a private store
Private store is a Microsoft Store for Business feature. Administrators can add
apps from Microsoft Store for Business to a private store and make them
available to company employees. Administrators can also invite developers to
submit LOB apps, accept submitted apps, and add LOB apps to a private store.
Only online-licensed apps can be added to a private store. When an app is in a
private store, all company employees can view and install the app if sufficient
licenses are available. If an app has free licenses, all company employees can
install it regardless of the number of employees. For purchasable apps, any user
with the Admin or Purchaser roles can buy a certain number of copies, and only
that number of employees can install the app. Although the app isn’t free,
employees don’t need to pay for it. The purchaser must buy a certain number of
copies before an app can be added to a private store.
Note: After you add an app to a private store, it can take up to 36 hours
for the app to become visible in the private store.
To acquire an app and make it available in a private store, perform the
following steps:
1. Sign in to Microsoft Store for Business and click Shop for my group.
2. Search for the app that you want to add to the private store.
3. Select an app, choose the license type if the app supports offline
licensing, select Get the app, and then select Close.
4. Select the ellipsis (…), and then Manage.
5. Click the Private store availability tab, and select one of the following
options:
●● No one
●● Everyone
●● Specific groups
6. Alternatively, instead of selecting the ellipsis (…), you can select
Manage on the toolbar below Microsoft Store for Business, in the
navigation pane, select Products & services, and then view all the
acquired apps. From the list, select the app that you want to add to the
private store, and follow step 5 to add the app to the private store.
Company employees can install an app from a private store by using the Microsoft
Store app or by using a web browser. In both cases, they must authenticate by
using an Azure AD account. The Microsoft Store app automatically connects to the
public Microsoft Store, and employees must select the tab for the private store
(the admin can specify a name for a private store by selecting the Settings
option, selecting the Distribute tab, and then changing the name there). In
a web browser, employees browse to https://www.microsoft.com/business-store,
and after authentication, they can view available apps in the private store.

Assigning apps to company employees


After you purchase an app in Microsoft Store for Business, you can add it to the
private store or assign it to company employees. Apps that you add to the
private store are available to all company employees, but users must visit the
private store and install apps from there. If you assign an app to a user, the
user will receive an email notification, and they can install the app by
selecting the link in the email and authenticating in Microsoft Store for Business
with their Azure AD account. You can assign any online-licensed app from
Microsoft Store for Business regardless of whether the app is on the private
store.
To assign an app to company employees, perform the following steps:
1. Sign in to Microsoft Store for Business. Apps that you want to assign
must already have been acquired.
2. On the toolbar below Microsoft Store for Business, select Manage.
3. In the navigation pane, select Products & services, and then in the
details pane, view all the acquired apps.
4. In the details pane, select the app that you want to assign. Select the
Assign to Users link, and then specify the employees to whom you want to
assign the app. Employees will receive an email notification to install the
app.
You can assign apps from Microsoft Store for Business only to company users; you
can’t assign them to groups or devices. If a user to whom you assign an app no
longer needs the app, you can reclaim the license from that user.
Distributing apps with a management tool
Using a management tool to distribute apps that are in Microsoft Store for
Business will provide the most flexibility. For example, you can distribute apps
to users based on group membership or the configuration of their Windows 10
devices. You can use management tools for distributing apps regardless of their
license type; they can distribute both online and offline-licensed apps. For
online-licensed apps, Microsoft Store for Business tracks and manages app
licenses. For offline-licensed apps, the management tool tracks licenses. You
can use tools such as Intune or System Center Configuration Manager to
distribute apps from Microsoft Store for Business.
To integrate Microsoft Store for Business with Intune, perform the following steps:
1. Sign in to Microsoft Store for Business.
2. On the toolbar below Microsoft Store for Business, select Manage.
3. In the navigation pane, click Settings and then in the details pane,
click the Distribute tab.
4. Switch to the Azure portal and in the navigation pane, click Intune.
5. In the Microsoft Intune blade, click Client Apps.
6. On the Client apps blade, click Microsoft Store for Business under
setup.
7. Click Enable and choose the Language for the store.
8. Click Save and then click Sync. That will sync all the apps from
Microsoft Store for Business that you added, to Intune. The synchronization
can take a few hours depending on the number of apps.
Distributing online-licensed apps
To distribute online-licensed apps by using a mobile device management tool, you
must first register and configure the tool to sync with Microsoft Store for
Business. You must register the management tool in the same Azure AD tenant as
Microsoft Store for Business, and you must activate the mobile device management
tool in Microsoft Store for Business.
Distributing offline-licensed apps
You can also install offline-licensed apps on devices that don’t have internet
connectivity and for users who don’t have an Azure AD account. Only some apps in
Microsoft Store for Business support offline licensing; offline licensing allows
you to download an app package, app license, and frameworks that the app from
the store requires, and you then can deploy them in a way that is most
appropriate for your environment.
While Microsoft Store for Business tracks and enforces licensing for
online-licensed apps, you are responsible for tracking licenses for
offline-licensed apps.
You can distribute offline-licensed apps in several ways, including:
●● Imaging. After you download an offline-licensed app package, you can
include it in an image for new devices. The image can be in .wim, .vhd, or
.vhdx format, and you can include the app package by using the Dism.exe tool
or by using cmdlets in the Windows PowerShell command-line interface. When
you deploy the image to new devices, those devices will include the app.
●● Sideloading. Sideloading is similar to imaging, but you perform it on
previously deployed devices. By using sideloading, you inject an
offline-licensed app into a running Windows 10 system. You can sideload an
app package by using the Dism.exe tool or Windows PowerShell cmdlets.
●● Provisioning packages. You can create a provisioning package that
includes offline-licensed apps by using Configuration Manager, which is part
of the Windows Assessment and Deployment Kit (Windows ADK). A provisioning
package is in .ppkg format, and it includes changes that should be performed
on a Windows 10 device. You can apply a provisioning package by running the
.ppkg file or by adding a provisioning package by using the Settings app.
●● Mobile device management tool. You can deploy an offline-licensed app in
the same way as any other app for which you have installation files. Mobile
device management tools provide many options for deploying apps, such as to
groups or to devices.
To download an offline-licensed app package, perform the following steps:
1. Sign in to Microsoft Store for Business. Offline-licensed apps must have
been previously acquired.
2. On the toolbar below Microsoft Store for Business, select Manage.
3. In the navigation pane, select Products & services.
4. In the details pane, in the License type drop-down list, select
Offline to view only offline-licensed apps.
5. In the details pane, select the app that you want to download.
6. On the apps page, you can download an app package for offline use, which
includes app metadata, the app package, the app license, and the required
app frameworks.
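The imaging and sideloading options described above can be scripted with the DISM PowerShell cmdlets the text mentions. The following is an added example, not code from the course or from Microsoft; the package, license, framework and image file names are assumptions standing in for the files you download from the offline-licensed app page, and the script must run in an elevated session:

```powershell
# Added example (not part of the course material): deploying an offline-licensed
# Microsoft Store for Business app package with the DISM PowerShell cmdlets.
# All file names below are assumptions; substitute the package, license and
# framework files you downloaded from the app's offline-licensing page.
#Requires -RunAsAdministrator

$PackageRoot  = 'C:\OfflineApps\ContosoExpenses'                      # assumed
$Package      = Join-Path $PackageRoot 'ContosoExpenses.appxbundle'   # assumed
$License      = Join-Path $PackageRoot 'ContosoExpenses_License.xml'  # assumed
$FrameworkDir = Join-Path $PackageRoot 'Frameworks'                   # assumed

# Frameworks (dependencies) are optional; only pass the parameter when present.
$Frameworks = @()
if (Test-Path $FrameworkDir) {
    $Frameworks = @(Get-ChildItem -Path $FrameworkDir -Filter '*.appx' | ForEach-Object FullName)
}
$provArgs = @{ PackagePath = $Package; LicensePath = $License }
if ($Frameworks.Count -gt 0) { $provArgs.DependencyPackagePath = $Frameworks }

# 1. Imaging: inject the app into an offline .wim so that every device deployed
#    from the image already has the app provisioned.
$ImagePath = 'C:\Images\install.wim'   # assumed
$MountDir  = 'C:\Mount'
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir
$committed = $false
try {
    Add-AppxProvisionedPackage -Path $MountDir @provArgs
    $committed = $true
}
finally {
    # Commit only if provisioning succeeded; otherwise discard the changes so
    # the image is never left in a half-modified state.
    if ($committed) { Dismount-WindowsImage -Path $MountDir -Save }
    else            { Dismount-WindowsImage -Path $MountDir -Discard }
}

# 2. Sideloading: the same cmdlet with -Online provisions the app on the running
#    system, so it is installed for every user who signs in afterwards.
Add-AppxProvisionedPackage -Online @provArgs

# Verification: confirm the provisioned package is present. Because the store
# does not track offline licenses, record where each license file was deployed;
# the number of provisioned devices is your license-usage figure.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -like 'ContosoExpenses*' } |
    Select-Object DisplayName, PackageName, Version
```

The equivalent Dism.exe command line for the sideloading step is `dism /Online /Add-ProvisionedAppxPackage /PackagePath:<package> /LicensePath:<license> /DependencyPackagePath:<framework>`; the cmdlet form is used here because it lets the script guard the mount and the optional dependency list.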

Review Activity - Deploying and updating applications

REVIEW ACTIVITY – Applications in Intune

Let's play a quick game to test your knowledge of deploying applications in Intune. Open the review
activity full screen by using the following link.
LAUNCH ACTIVITY16

16 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_2_deployingappstutorial.html
Administering applications
Lesson Introduction
In this lesson, you will be introduced to managing apps on Intune managed
devices. You will then learn how to manage apps on non-enrolled devices. You
will be introduced to the various options you have when deploying Office 365
ProPlus, such as Intune, Configuration Manager, and manual installation.
The lesson will then conclude with an overview of how to use Enterprise Mode
with Internet Explorer and Microsoft Edge. Lastly, you will learn how to track
your installed applications, licenses, and assigned apps using Intune.
After this lesson, you should be able to:
●● Explain how to manage apps in Intune.
●● Understand how to manage apps on non-enrolled devices.
●● Understand how to deploy Office 365 ProPlus using Intune.
●● Learn how to configure and manage Enterprise Site mode in Internet Explorer.
●● Learn about app inventory options in Intune.

Managing apps with Intune


Intune application deployment procedures entail several considerations and
settings to ensure that a deployment is successful. No matter what type of app
you are deploying with Intune, the overall process is the same.

To deploy an app from Intune, perform the following steps:

1. Ensure that Intune supports the app. Make sure that Intune supports the
application installation type and that the application can be installed
without user intervention.
2. Create Azure AD groups for either users or devices. In Intune, you
create user-based or device-based groups to help you target software
management tasks to specific users or devices. If you have a specific group
of users that requires an application, create a user or device group for the
app deployment. If you’re planning to deploy available installations, you
also should link managed users to their computers to ensure that external
links and company portal apps are available.
3. Add the app to Intune. You must upload LOB apps to Intune cloud storage,
specify a URL for web apps, or link a store app to Intune. For LOB apps, you
must configure installation requirements, detection rules, command-line
arguments, and provide general information about the app. Adding the app
makes it available for deployment from the Client apps blade in the Intune
console.
4. Assign the app to user or device groups. After you add an
application, you can assign the app to a set of users or devices. Once
assigned, the app can either be installed by the user or, if the device is
managed with Intune, the app can be automatically installed.
5. Configure policies. You can manage application features and protect data
by deploying app configuration and app protection policies.
6. Monitor the results of the app deployment. You can monitor the status of
app deployments and installations from the Intune console by viewing the
details for any app that appears in the list of apps in your Client Apps
blade. You can view the installation status for the app either by device or
by user.
App categories
A common setting across app types is Category. When you add more than just a
few apps, organizing apps in the Company Portal into groups is helpful for your
users. Creating categories allows you to do this in a way that makes the most
sense for your organization. There are already nine categories created for you
in Intune. You can assign apps to one category, multiple categories, or no
categories.
To create your own app categories in Intune, perform the following steps:
1. In the Client apps blade, click App categories under Setup.
2. Click Add, enter a name for the category in the Default name field,
and then click Create.
Assigning apps
After you add an app to Intune, you can assign the app to users and devices.
Assigning apps makes them available for users to install or can cause the app to
be installed automatically. You assign the apps to Azure AD groups, which can be
either user groups or device groups; for each group, you choose an assignment
type. The available assignment types differ depending on the app type you
choose to assign.
When you assign apps by using Intune, you have the following options for the
assignment TYPE column:
●● Available. The app is available in the Company Portal, and users can
install the app.
●● Not Applicable. The app does not install and does not appear in the
Company Portal.
●● Required. The app installs automatically on a device in the selected
group.
●● Uninstall. The app uninstalls automatically from a device in the
selected group.
●● Available for enrolled devices. The app is available to users who have
devices enrolled in Intune.
●● Available with or without enrollment. The app is available to users who
do not have devices enrolled in Intune.
Although you assign apps to either devices or to users, the options for how you
can assign them will depend on the enrollment status of the devices with Intune.
The following table shows you the assignment options when a device is enrolled
in Intune and when it is not enrolled. It also shows the options users have
depending on the device enrollment.

Options                                                  Device enrolled in Intune   Device not enrolled in Intune
Assign an app to a user                                  Yes                         Yes
Assign an app to a device                                Yes                         No
Assign an app using the Intune SDK                       Yes                         Yes
Assign an app as Available                               Yes                         Yes
Assign an app as Required                                Yes                         No
Uninstall an app                                         Yes                         No
User install of an app from the Company Portal app       Yes                         No
User install of an app from the Company Portal website   Yes                         Yes

Managing apps on non-enrolled devices


There are many different ways that applications can be made available to your
users today. They can be deployed from Intune either as Required or Available or
users can directly install apps from public stores.
Apps that are installed directly from public stores are considered to be
unmanaged, and apps that are deployed by Intune are considered managed. For managed
apps, IT has direct control over deployment, ongoing management (such as
inventory or updates), and selective wipe of the apps and their associated data.
Most mobile devices have OS level controls in place to limit (containerize) the
movement of data. Intune supports an additional level of management for managed
apps that are integrated with the Intune App SDK or the Intune App Wrapping
Tool. For these MAM protected apps, additional controls such as per-app PIN,
jailbreak detection, and granular control over data flow can be added. Depending
on the specific DLP requirements of your organization, you can choose the right
mix of unmanaged, managed and MAM-protected applications for your users.
An unmanaged app is any app available on Windows, Android and iOS. Intune
doesn’t have any control over the distribution, management, or selective wipe of
these apps. Intune MAM provides additional capabilities to protect managed apps
by offering an additional layer of data protection.
A managed app is an app for which Intune manages the whole lifecycle such as:
●● Deploy the app
●● Manage app updates
●● Monitor app installation
●● Selectively wipe the entire app
Intune also supports deploying apps to unenrolled devices. Currently, you can
assign iOS and Android apps and iOS and Android built-in apps to devices that
aren't enrolled in Intune.
Updates for unenrolled devices
To receive app updates on devices that aren't enrolled with Intune, device users
must go to their organization's Company Portal and manually install app updates.
Users can then use either the Company Portal app or go to the Intune Company
Portal website at https://portal.manage.microsoft.com on any of their devices
and install the application without needing the device to be enrolled in Intune.
The Company Portal app will not prompt users to enroll their devices if the app
is configured to not require enrollment.
Deploy apps to unenrolled devices
To deploy an app to an unenrolled device, perform the following steps:
1. In the Azure portal, in the navigation pane, click Intune.
2. In the Microsoft Intune blade, click Client Apps.
3. On the Client apps blade, click an existing application that supports
assignment to unenrolled devices.
4. In the apps blade, click Assignments and then click Add group.
5. In the Add group blade, under Assignment type, select Available with or
without enrollment.
6. Click Included Groups. In the Assign blade, choose Yes to make the app
available to all users, regardless of whether their devices are enrolled in
Intune; this assigns the app to every user in Intune. If you want to assign
it only to specific groups, select No.
7. Click Select groups to include and select the groups to which you want
to assign the app. You must choose a group which only contains users when
assigning apps to unenrolled devices.
8. Click OK twice and then click Save.
You can easily make apps available on devices that cannot be enrolled in Intune
and use app protection policies (MAM) to manage the apps after they have been
installed. Even though this can be helpful in BYOD scenarios, we recommend
that you always enroll your devices in Intune whenever possible, because
enrollment gives you all of Intune's management functionality.

Deploying Office 365 ProPlus with Intune


You have the option of installing Office 365 ProPlus from Intune using the
Office 365 Suite app type. This app type makes it easy and convenient for you to
assign Office 365 apps to devices you manage that run Windows 10 or macOS. You
don’t need to download the installation files as they are already present in
Intune. You can also install apps for the Microsoft Project Online desktop
client and Microsoft Visio Pro for Office 365, if you own licenses for them. The
apps that you want are displayed as a single entry in the list of apps on the
Intune console.
Be aware of the following limitations and caveats:
●● If any Office apps are open when Intune installs the app suite, the
installation might fail, and users might lose data from unsaved files.
●● Intune does not support installing Office 365 desktop apps from the
Microsoft Store (known as Office Centennial apps) on a device to which you
have already deployed Office 365 apps with Intune. If you install this
configuration, it might cause data loss or corruption.
●● Multiple required or available app assignments are not additive. A later app
assignment will overwrite pre-existing installed app assignments. For
example, if the first set of Office apps contains Word, and the later one
does not, Word will be uninstalled. This condition does not apply to any
Visio or Project applications.
Deploy Office 365 ProPlus with Intune
1. Sign in to the Azure portal.
2. In the Azure portal, in the navigation pane, click Intune.
3. In the Microsoft Intune blade, click Client apps.
4. In the Client apps blade, under Manage, click Apps and then
click + Add.
5. In the Add app blade, in the App type list, under Office 365
Suite, select Windows 10.
6. In the Add app blade, you can configure three types of settings:
Configure App Suite, App Suite Information, and App Suite
Settings.
7. In the Configure App Suite blade, you can select the following Office
365 apps:
●● Access
●● Excel
●● OneDrive (Groove)
●● OneDrive Desktop
●● OneNote
●● Outlook
●● PowerPoint
●● Publisher
●● Skype for Business
●● Word
●● Project Online Desktop Client (Additional Office apps)
●● Visio Pro for Office 365 (Additional Office apps)
8. In the App Suite Information blade, you can configure the following:
●● Suite Name: Enter the name of the app suite as it’s displayed in the
company portal. Make sure that all suite names that you use are unique. If
the same app suite name exists twice, only one of the apps is displayed to
users in the company portal.
●● Suite Description: Enter a description for the app suite. For example,
you could list the apps you've selected to include.
●● Publisher: Microsoft appears as the publisher.
●● Category: Optionally, select one or more of the built-in app categories
or a category that you created. This setting makes it easier for users to
find the app suite when they browse the company portal.
●● Display this as a featured app in the Company Portal: Select this option
to display the app suite prominently on the main page of the company portal
when users browse for apps.
●● Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
●● Privacy URL: Optionally, enter the URL of a website that contains
privacy information for this app. The URL is displayed to users in the
company portal.
●● Developer: Microsoft appears as the developer.
●● Owner: Microsoft appears as the owner.
●● Notes: Enter any notes that you want to associate with this app.
●● Logo: The Office 365 logo is displayed with the app when users browse
the company portal.
9. In the App Suite Settings pane, you can configure the following:
●● Office version: Choose whether you want to assign the 32-bit or
64-bit version of Office. You can install the 32-bit version on both
32-bit and 64-bit devices, but you can install the 64-bit version on 64-bit
devices only.
●● Update Channel: Choose how Office is updated on devices. You can choose
from:

●● Monthly
●● Monthly (Targeted)
●● Semi-Annual
●● Semi-Annual (Targeted)
After you choose a channel, you can optionally select Specific to install a
specific version of Office for the selected channel on end user devices. Then,
select the Specific version of Office to use. If you leave it at Latest, you
will install the latest version of Office 365 ProPlus.
●● Remove other versions of Office (MSI) from end user devices: Choose
whether you want to remove pre-existing Office .MSI apps from end-user
devices. The installation won’t succeed if there are pre-existing .MSI apps
on end-user devices. The apps to be uninstalled are not limited to the apps
selected for installation in Configure App Suite, as it will remove all
Office (MSI) apps from the end user device. When Intune reinstalls Office on
your end user's machines, end users will automatically get the same language
packs that they had with previous .MSI Office installations.
●● Automatically accept the app end user license agreement: Select this
option if you don't require end users to accept the license agreement.
Intune then automatically accepts the agreement.
●● Use shared computer activation: Select this option when multiple users
share a computer.
●● Languages: Office is automatically installed in any of the supported
languages that are installed with Windows on the end-user's device. Select
this option if you want to install additional languages with the app suite.
You can deploy additional languages for Office 365 ProPlus apps managed
through Intune. The list of available languages includes the Type of
language pack (core, partial, and proofing).
After you have created and configured the Office 365 ProPlus app suite, you must
assign it to one or more Azure AD groups for it to be deployed. The groups can
consist of either Windows 10 devices or Azure AD users.

Additional Office 365 ProPlus Deployment Tools


Even though Intune offers a simple and easy approach for installing Office 365
on Windows and macOS devices, other deployment options may be needed depending on
your requirements.
If you need complete control of the Office 365 ProPlus deployment, you can
choose what deployment tool to use and whether to install the Office files
directly from the cloud or from a local source on your network. You have the
following options for preparing and deploying Office 365:
●● System Center Configuration Manager
●● The Office Deployment Tool
●● The Office Customization Tool
●● End-user installation
System Center Configuration Manager
System Center Configuration Manager is usually a good choice for organizations
that already use it to distribute and manage software. Configuration Manager
scales for large environments; enables extensive control over installation,
updates, and settings; and has built-in features for deploying and managing
Office.
For more information, refer to Deploy Office 365 ProPlus with System Center
Configuration Manager (Current Branch)17.
Using the Office Deployment Tool
For organizations that don't have Configuration Manager but still want to manage
their deployment, the Office Deployment Tool (ODT) can be used. You can use the
ODT as a standalone tool or you can use it to download installation files that
can be deployed using Intune or a third-party software deployment tool. In
either case, the ODT provides rich control over installation, updates, and
settings.
For more information, refer to An overview of the Office Deployment Tool18.
Using the Office Customization Tool
Another option is to use the Office Customization Tool. With this new web-based
tool you can easily customize the deployment of Office 365 ProPlus and other
Click-to-Run managed Office products using a simple, intuitive, and web-based
interface. The tool is an Azure-based cloud service which allows you to create
XML configuration files that are used with the Office Deployment Tool. In the
past, you needed to create the configuration files in Notepad or another text
editor. The Office Customization Tool makes this part of the deployment process
easier and less likely to introduce errors.
This tool provides a simple experience which allows you to create a
configuration file for use with the Office Deployment Tool, for scenarios where
you need to customize the installation of Office 365 ProPlus. Common scenarios
include:
●● Initial installation of Office 365 ProPlus or Office 365 Business suites as
well as Office 2019 suites, with the ability to include standalone products
such as Visio and Project and various language packs.
●● Adding additional products after the initial installation of the Office
suite.
●● Adding additional language packs by configuring a ‘Language Only’
configuration after the installation of the Office suite or standalone
products
●● Standalone installation of Office 365 Access Runtime.
●● Installation of volume licensed products with automatic KMS and MAK
activation.
●● Automatic removal of previous MSI based Office products.
You can also use the Office Customization Tool to make changes to existing configuration files, which is
very useful when you need to modify the configuration of Office on devices that are already installed and
configured or if you’re creating a second or third configuration and you want to use your own baseline.
Simply use the Import option and select the configuration file you wish to modify, make the desired
changes, and use the Export option to generate a new configuration file.
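The App Suite Settings offered by the Intune Office 365 Suite app type (Office version, update channel, removal of MSI versions, EULA acceptance, shared computer activation, languages) correspond to elements of the configuration file that the Office Customization Tool generates for the Office Deployment Tool. The following added example, which is not code from the course or from Microsoft, builds such a configuration in PowerShell, checks that it is well-formed, and runs the ODT with it; the ODT folder, the network share used as the local source, and the language choices are assumptions:

```powershell
# Added example (not part of the course material): an Office Deployment Tool
# configuration expressing the same choices as the Intune App Suite settings.
# $OdtRoot and $Source are assumptions; setup.exe is the ODT executable.
$OdtRoot = 'C:\ODT'                          # assumed folder holding setup.exe
$Setup   = Join-Path $OdtRoot 'setup.exe'
$Config  = Join-Path $OdtRoot 'configuration.xml'
$Source  = '\\fileserver\office\source'      # assumed local source on the network

$xml = @"
<Configuration>
  <!-- 64-bit Office 365 ProPlus from the Semi-Annual channel. SourcePath makes
       clients install from the network share instead of directly from the cloud.
       Groove (the legacy OneDrive for Business sync client) is excluded. -->
  <Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="$Source">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <!-- Keep updates on the same channel that was installed. -->
  <Updates Enabled="TRUE" Channel="SemiAnnual" />
  <!-- Same effect as "Remove other versions of Office (MSI) from end user devices". -->
  <RemoveMSI />
  <!-- Same effect as "Use shared computer activation". -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <!-- Silent install with the license agreement accepted on the user's behalf,
       the equivalent of "Automatically accept the app end user license agreement". -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

# Parse the text before handing it to setup.exe: a malformed configuration file
# is a common reason for a Click-to-Run installation to fail.
[xml]$parsed = $xml
if ($parsed.Configuration.Add.Product.ID -ne 'O365ProPlusRetail') {
    throw 'Unexpected product ID in the generated configuration'
}
Set-Content -Path $Config -Value $xml -Encoding UTF8

# Stage the installation files on the share once, from a machine with internet
# access, then run the install on each client from that share.
& $Setup /download $Config
& $Setup /configure $Config
```

The same configuration file can be imported into the Office Customization Tool with its Import option and edited there, which is the workflow the text describes for creating a second configuration from an existing baseline.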
End-user installation
You can have your users install Office 365 on their client devices directly from the Office 365 portal. This
method requires the least amount of administrative setup, but gives you less control over the deployment.
You can, however, still define how frequently your users receive feature updates. This option
requires that your users have local administrative rights on their client devices.
For more information, refer to Manage software download settings in Office 36519.

17 https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-manager
18 https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool

Configuring and managing Internet Explorer


For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser
experience. However, Microsoft Edge lets you continue to use Internet Explorer
11 for sites that are on your corporate intranet or included on your Enterprise
Mode site list. Using Enterprise Mode means that you can continue to use
Microsoft Edge as your default browser, while also ensuring that your apps
continue working on Internet Explorer 11.
If you have specific websites and apps that you know have compatibility problems
with Microsoft Edge, you can use the Enterprise Mode site list so that the
websites automatically open using Internet Explorer 11. Additionally, if you
know that your intranet sites aren't going to work correctly with Microsoft
Edge, you can set all intranet sites to open using Internet Explorer 11
automatically. Internet Explorer and Microsoft Edge can work together to support
your legacy web apps, while still defaulting to the higher bar for security and
modern experiences enabled by Microsoft Edge.

What is Enterprise Mode


Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on
Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a
modified browser configuration that’s designed to emulate either Windows
Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps
to avoid many of the common compatibility problems associated with web apps
written and tested on older versions of Internet Explorer.
Many companies identify web app compatibility as a significant cost to upgrading
because web apps need to be tested and upgraded before adopting a new browser.
The improved compatibility provided by Enterprise Mode can help organizations to
upgrade to Internet Explorer 11, letting organizations benefit from modern web
standards, increased performance, improved security, and better reliability.
Enterprise Mode features
Enterprise Mode includes the following features:
●● Improved web app and website compatibility. Through improved emulation,
Enterprise Mode lets many legacy web apps run unmodified on Internet
Explorer 11, supporting several site patterns that aren’t currently
supported by existing document modes.
●● Tool-based management for website lists. Use the Enterprise Mode Site
List Manager to add website domains and domain paths and to specify whether
a site renders using Enterprise Mode. Download the Enterprise Mode Site List
Manager (schema v.2) or the Enterprise Mode Site List Manager (schema v.1),
based on your operating system and schema.

19 https://docs.microsoft.com/da-dk/DeployOffice/manage-software-download-settings-office-365
●● Centralized control. You can specify the websites or web apps to
interpret using Enterprise Mode, through an XML file on a website or stored
locally. Domains and paths within those domains can be treated differently,
allowing granular control. Use Group Policy to let users turn Enterprise
Mode on or off from the Tools menu and to decide whether the Enterprise
browser profile appears on the Emulation tab of the F12 developer tools.
●● Integrated browsing. When Enterprise Mode is set up, users can browse
the web normally, letting the browser change modes automatically to
accommodate Enterprise Mode sites.
●● Data gathering. You can configure Enterprise Mode to collect local
override data, posting back to a named server. This lets you “crowd source”
compatibility testing from key users; gathering their findings to add to
your central site list.
Enterprise Mode Site List Manager
Before you can start using Enterprise mode, you must create an Enterprise Mode
site list and add the individual website domains and domain paths and specify
whether the site renders using Enterprise Mode or the default mode.
This tool helps you create error-free XML documents with simple n+1 versioning
and URL verification. We recommend using this tool if your site list is
relatively small. There are two versions of this tool, both supported on Windows
7, Windows 8.1, and Windows 10. We recommend that you only use Enterprise Mode
Site List Manager (schema v.2) because the Enterprise Mode schema has been
updated to v.2 to be easier to read and to provide a better foundation for
future capabilities.
You can download version 2 of the tool from here:
https://www.microsoft.com/en-us/download/details.aspx?id=49974.
Enterprise Mode Site List Portal
The Enterprise Mode Site List Portal is an open-source web tool on GitHub that
allows you to manage your Enterprise Mode site list, hosted by the app, with
multiple users. The portal is designed to use IIS and a SQL Server backend,
leveraging Active Directory (AD) for employee management.
In addition to all the functionality of the Enterprise Mode Site List Manager
tool, the Enterprise Mode Site List Portal helps you:
●● Manage site lists from any device supporting Windows 7 or greater.
●● Submit change requests.
●● Operate offline through an on-premises solution.
●● Provide role-based governance.
●● Test configuration settings before releasing to a live environment.
Updates to your site list are made by submitting new change requests, which are
then approved by a designated group of people, put into a pre-production
environment for testing, and then deployed immediately, or scheduled for
deployment later.
If your list is too large to add individual sites, or if you have more than one
person managing the site list, we recommend using the Enterprise Site List
Portal. For more information about the Enterprise Site List Portal and how to
download it, visit the Enterprise Mode Site List Portal20.

Enabling Enterprise Site Mode


After you have created the Enterprise Mode site list, you need to turn the
functionality on and set up the system for centralized control. By allowing
centralized control, you can create one global list of websites that render
using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11
starts, it looks for a properly formatted site list. If a new site list is
found, with a different version number than the active list, Internet Explorer
11 loads and uses the newer version. After the initial check, Internet Explorer
11 won’t look for an updated list again until you restart the browser. Microsoft
recommends that you store and download your website list from a secure web
server (https://), to help protect against data tampering. After the list is
downloaded, it's stored locally on your employees' computers so if the
centralized file location is unavailable, they can still use Enterprise Mode.
To turn on Enterprise Mode using Group Policy
1. Open your Group Policy Management console and create a new Group Policy
object.
2. Go to Computer Configuration/Administrative Templates/Windows
Components/Microsoft Edge or User Configuration/Administrative
Templates/Windows Components/Microsoft Edge and open the setting
Configure the Enterprise Mode Site List. Turning this setting on also
requires you to create and store a site list.
3. Click Enabled, and then in the Options area, type the location of
your site list, using one of the following forms:
●● HTTPS location: https://localhost:8080/ESMlist.xml
●● Local network: \\network\shares\ESMlist.xml
●● Local file: C:\Windows\ESMlist.xml
You can use Group Policy Preferences to copy the Enterprise Mode site list
locally to the device. You just have to make sure that you use the copy
location as the local file location when configuring the Group Policy
setting.
When using either an HTTPS or a local network location, make sure all of
your managed devices have access to this location if you want them to be
able to access and use Enterprise Mode and your site list.
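As an added example covering both the site list described under Enterprise Mode Site List Manager and the location setting in the Group Policy steps above (this is not code from the course, from the Site List Manager tool, or from Microsoft), the following PowerShell script writes a schema v.2 site list with the n+1 version numbering that Internet Explorer 11 relies on to recognise a new list, and checks that a candidate location string is one of the three forms the policy accepts, warning on plain http:// because the text recommends an HTTPS server to protect against tampering. The site names are constructed, the compat-mode and open-in values are the schema v.2 values as I know them, and the file path is the local file location used in the steps above:

```powershell
# Added example (not part of the course material): build a schema v.2 Enterprise
# Mode site list with n+1 versioning and check the site list location string.
# Site names are constructed; the path matches the course's local file example
# and requires an elevated session because it is under C:\Windows.
$ListPath = 'C:\Windows\ESMlist.xml'

# Constructed sample entries. compat-mode IE8Enterprise / IE7Enterprise render
# the site in Enterprise Mode; "default" leaves the document mode alone.
# open-in IE11 sends the site from Microsoft Edge to Internet Explorer 11.
$Sites = @(
    @{ Url = 'intranet.contoso.com';      CompatMode = 'IE8Enterprise'; OpenIn = 'IE11' }
    @{ Url = 'legacy.contoso.com/erp';    CompatMode = 'IE7Enterprise'; OpenIn = 'IE11' }
    @{ Url = 'portal.contoso.com/modern'; CompatMode = 'default';       OpenIn = 'MSEdge' }
)

function Get-NextSiteListVersion {
    # IE11 only loads a list whose version differs from the active one, so each
    # published list must carry a new number: read the old one and add 1.
    param([string]$Path)
    if (Test-Path $Path) {
        [xml]$existing = Get-Content -Path $Path -Raw
        return ([int]$existing.'site-list'.version) + 1
    }
    return 1
}

function New-EnterpriseModeSiteList {
    # Emits <site-list version="n"><site url="..."><compat-mode/><open-in/></site>...
    param([hashtable[]]$Entries, [int]$Version)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.CreateElement('site-list')
    $root.SetAttribute('version', [string]$Version)
    $doc.AppendChild($root) | Out-Null
    foreach ($e in $Entries) {
        $site = $doc.CreateElement('site')
        $site.SetAttribute('url', $e.Url)
        $mode = $doc.CreateElement('compat-mode'); $mode.InnerText = $e.CompatMode
        $open = $doc.CreateElement('open-in');     $open.InnerText = $e.OpenIn
        $site.AppendChild($mode) | Out-Null
        $site.AppendChild($open) | Out-Null
        $root.AppendChild($site) | Out-Null
    }
    return $doc
}

function Test-SiteListLocation {
    # Accepts the three forms the policy supports and flags plain http://,
    # where the list could be altered in transit before IE11 reads it.
    param([string]$Location)
    switch -Regex ($Location) {
        '^https://'     { return 'ok: HTTPS web server' }
        '^http://'      { return 'warning: unencrypted HTTP, use an https:// location' }
        '^\\\\[^\\]+\\' { return 'ok: network share (every managed device must reach it)' }
        '^[A-Za-z]:\\'  { return 'ok: local file (copy it with Group Policy Preferences)' }
        default         { return 'error: unrecognised location format' }
    }
}

$version = Get-NextSiteListVersion -Path $ListPath
$list    = New-EnterpriseModeSiteList -Entries $Sites -Version $version
$list.Save($ListPath)
"Published site list version $version to $ListPath"
Test-SiteListLocation -Location $ListPath
Test-SiteListLocation -Location 'https://localhost:8080/ESMlist.xml'
Test-SiteListLocation -Location 'http://intranet.contoso.com/ESMlist.xml'
```

Running the script a second time produces version 2, which is what makes IE11 pick up the changed list at its next start; the location check is a pre-flight step to run before pasting the string into the Configure the Enterprise Mode Site List policy.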

20 https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal

App inventory review


Intune provides several ways to monitor the compliance status of the apps that
you have assigned to users or devices in the Client apps blade in the Azure
portal. You can also find information about all assigned apps and determine
which version of a given app you have deployed. The following blades
provide that information:
●● Client apps – Apps blade
●● List of all apps in Intune and assignment status. You can click an app
to get detailed information about the assignments and install status.
You can export this information to a CSV file by clicking Export and
import into Excel for further processing.
●● Client apps - App licenses blade
●● Lists apps from the Microsoft Store for Business. License information for
the apps is shown in the list. You can click an app to get detailed
information about the assignments and install status. You can export
this information to a CSV file by clicking Export and import into
Excel for further processing.
●● Client apps - Discovered apps blade
●● Lists all apps discovered by Intune at the last Hardware Inventory time.
For devices with Device Ownership marked as Corporate this will be all
apps installed on the device. For devices with Device Ownership marked
as Personal this will be all apps installed via the Intune Company
Portal or apps installed in a Required deployment. The number of devices
that a given app is installed on is shown in the list. You can click an
app to list the devices the app is installed on. You can export this
information to a CSV file by clicking Export and import into Excel
for further processing.
●● Client apps - App install status blade
●● Lists all apps in Intune with user and device failures listed next to
app. You can click an app to get detailed information about the
assignments and install status. You can export this information to a CSV
file by clicking Export and import into Excel for further
processing.
●● Managed Apps – Preview blade
●● In the Managed Apps – preview blade for a device, you can see all apps
assigned to a device together with information about assignment
(Available or Required) and installation status. You can click an app in
the list and you will see a workflow of the app’s entire lifecycle. You
can find this information at: Microsoft Intune -> Devices - All
devices -> <DeviceName> - Managed Apps – Preview. You can
export this information to a CSV file by clicking Export and import
into Excel for further processing.
Client apps – Apps blade
To see the Client apps blade, perform the following steps:
1. In the Azure portal, in the navigation pane, click Intune.
2. In the Microsoft Intune blade, click Client Apps.
3. On the Client apps blade, you can see all the apps that have been added
to Intune and their assignment status. You can export this information to a
CSV file by clicking Export and import into Excel for further
processing. In this export you will also get additional information about
the apps.
4. You can click an app in the list to get more detailed information about
device install status and user install status.
5. You can then click Assignment under Manage to get a list of all Azure AD
groups to which the application is assigned.
Client apps - App licenses
To see the Client apps – App licenses blade, click App licenses in the Client Apps blade.

On the Client apps blade, you can see all the apps that have been added to
Intune and their assignment status. You can export this information to a CSV
file by clicking the Export button and import into Excel for further processing. In
this export you will also get additional information about the apps.
Client apps - Discovered apps blade
To see the Client apps – Discovered apps blade, click Discovered apps in the Client Apps blade.

App install status blade

To see the App install status blade, click App install status in the Client Apps blade.

Managed Apps – Preview


To see the Managed Apps - Preview blade, perform the following steps:
1. In the Azure portal, in the navigation pane, click Intune.
2. In the Microsoft Intune blade, click Devices and then click All
devices.
3. In the All devices blade, click a device in the details pane, for
example LON-CL1.
4. In the LON-CL1 blade, click Managed Apps – Preview.
5. In the LON-CL1 – Managed Apps – Preview blade, click an application in
the details pane, for example Office 365 ProPlus.
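Every blade above ends with "export to CSV and import into Excel". The PowerShell below is an added example, not part of the MD-101 course material, showing the two questions this section is about being answered directly from such exports: which assigned apps are failing to install, and which version of an app is really deployed across devices. The two CSV samples are constructed, and their column names (AppName, Assignment, DeviceInstallFailures, DeviceName and so on) are assumptions for the sample; map them to the headers in your own export before use.

```powershell
# Added example (not part of the MD-101 course material): work with the CSV you get from
# the Export button on the Client apps blades in PowerShell instead of Excel. The column
# names below are constructed for the sample; map them to the headers in your own export.

# Constructed sample of an App install status export
$installStatusCsv = @'
AppName,Version,Assignment,DeviceInstallFailures,UserInstallFailures,DevicesInstalled
Office 365 ProPlus,16.0.11328,Required,3,1,120
Contoso LOB App,2.1.0,Available,0,0,45
Adobe Acrobat Reader DC,19.010,Required,7,2,98
7-Zip,19.00,Available,0,0,30
'@

# Constructed sample of a Discovered apps export (one row per device and app)
$discoveredCsv = @'
DeviceName,AppName,Version
LON-CL1,Contoso LOB App,2.1.0
LON-CL2,Contoso LOB App,2.0.4
LON-CL3,Contoso LOB App,2.1.0
LON-CL1,7-Zip,19.00
LON-CL2,7-Zip,19.00
'@

function Get-AppInstallFailures {
    # Apps with at least one failed device or user install, worst first.
    param([Parameter(Mandatory)][string]$CsvText)
    $CsvText | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            AppName    = $_.AppName
            Version    = $_.Version
            Assignment = $_.Assignment
            Failures   = [int]$_.DeviceInstallFailures + [int]$_.UserInstallFailures
            Installed  = [int]$_.DevicesInstalled
        }
    } | Where-Object { $_.Failures -gt 0 } | Sort-Object Failures -Descending
}

function Get-AppVersionDrift {
    # Apps present in more than one version across the estate, with the devices still on
    # each version, so you can see which version of an app you have really deployed.
    param([Parameter(Mandatory)][string]$CsvText)
    $CsvText | ConvertFrom-Csv | Group-Object AppName | ForEach-Object {
        $versions = $_.Group | Group-Object Version
        if ($versions.Count -gt 1) {
            [pscustomobject]@{
                AppName  = $_.Name
                Versions = ($versions | ForEach-Object { "$($_.Name) on $($_.Group.DeviceName -join ',')" }) -join '; '
            }
        }
    }
}

# Required apps that fail to install are compliance gaps; start there.
Get-AppInstallFailures -CsvText $installStatusCsv | Where-Object Assignment -eq 'Required' | Format-Table -AutoSize
Get-AppVersionDrift -CsvText $discoveredCsv | Format-Table -AutoSize -Wrap
```

For a real export, replace the here-strings with Get-Content -Raw on the downloaded file (or pipe Import-Csv straight into the functions after removing the ConvertFrom-Csv step). Devices still on an older version of a Required app, as the drift report shows for LON-CL2 in the sample, are usually also the ones appearing in the install-failure list.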

Review Activity - Administering applications



Let's play a quick game to test your knowledge of administering applications. Click on the button below
to open this review activity full screen.
LAUNCH ACTIVITY21

21 https://edxinteractivepage.blob.core.windows.net/miltstatic/MD-101.2/20190117-041531079/static/MD101-2_3_3_administeringappstutorial.html
