Learning Microsoft Endpoint Manager: Unified Endpoint Management with Intune and the Enterprise Mobility + Security Suite
By Scott Duffey
About this ebook
The first-ever book on Microsoft Endpoint Manager (MEM), written by Microsoft Program Manager Scott Duffey!
Microsoft Endpoint Manager (MEM) has rapidly become one of the leading products for mobile device and PC management. Organizations around the world are using it to manage settings, security, an
Learning Microsoft Endpoint Manager - Scott Duffey
Copyright © 2021 Scott Duffey
All rights reserved.
Contents
About the author
Acknowledgments
Chapter 1 - Introduction
Things you will need
Chapter 2 - Getting started with Microsoft Endpoint Manager
What is Microsoft Endpoint Manager (MEM)?
Subscriptions and licensing
Do it – Create a new trial account
A quick tour of the MEM admin center
Do it – Take a tour of MEM
Azure Active Directory (Azure AD)
Creating cloud-only users
Do it – Create a new Azure AD user and assign licenses
Creating Azure AD groups
Do it – Create a user group
Do it – Create a dynamic user group
Management choices – Mobile Device Management (MDM) and Mobile Application Management (MAM)
Mobile Device Management (MDM)
An overview of Mobile Application Management (MAM)
Chapter 3 - Enrolling Devices into Management
Introduction to enrollment
Getting started with Apple enrollment
Do it – Set up Apple Push Certificate
Apple enrollment for personal devices
Do it – Enroll an iOS device into MDM
Apple enrollment for corporate devices
Do it – Set up and enroll devices with ADE
Do it – Manually register iOS devices into ABM with Apple Configurator 2
Do it – Set up a device using Apple Configurator
Getting started with Android enrollment
Do it – Set up Android Enterprise and connect it to MEM
Android enrollment for personal devices
Do it – Enroll into Android Enterprise work profile
Android enrollment for corporate devices
Do it – Try out Android Enterprise corporate enrollment with a QR code
Getting started with Windows 10 enrollment
Windows 10 enrollment for personal devices
Do it – Try out Windows 10 personal device enrollment
Windows 10 enrollment methods for (new) corporate devices
Do it – Try out Windows 10 enrollment: User-driven Azure AD Join
Do it – Try out Windows 10 enrollment: Autopilot user-driven mode
Do it – Try out Windows 10 enrollment with a bulk enrollment token
Windows 10 enrollment for existing corporate devices
Advanced enrollment concepts – DEM, enrollment restrictions and customization
Company Portal customization and branding
Do it – Try out customization and branding
Chapter 4 - Remote Device Actions
Admin device actions
Do it – Try out device actions
Bulk device actions
Do it – Try out bulk device actions
Do it – Try out self-service device actions
Chapter 5 - Configuring Device Settings
Device restriction profiles
Do it – Build your own device restriction profile
Device features
Resource access (Wi-Fi, wired, VPN and certificates)
Windows 10-specific profiles
Administrative templates
Group Policy analytics
Custom
Do it – Create a custom profile for Windows 10
OEMConfig
Do it – Create an OEMConfig profile
Windows update policies
Chapter 6 - Configuring Compliance Profiles and Settings
Compliance policies
Do it – Create a compliance policy for each platform
Device Health Attestation (DHA) for Windows 10 devices
Configuration Manager compliance for Windows 10
Global compliance settings
Notifications and actions for non-compliant devices
Do it – Try out compliance notifications
Integrating with Mobile Threat Defense (MTD) services
Compliance policies in the big picture of Conditional Access (CA)
Chapter 7 - Configuring Endpoint Security
Overview of Endpoint Security
Security baselines for Windows 10
Do it – Try out Security baselines
Antivirus policy
Do it – Deploy Antivirus Settings to MDM devices
Disk encryption policy
Do it – Try out encryption settings
Firewall policy
Do it – Try out Firewall settings
Attack Surface Reduction (ASR) for Windows 10
Do it – Try out ASR policies
Account protection policy for Windows 10
Microsoft Defender for Endpoint integration and Endpoint detection and response policy
Do it – Try out MDE integration
Security Tasks
Do it – Try out Security tasks
Chapter 8 - Deploying Apps
Overview of app types
Assigning apps to users and devices
Do it – Create and assign a required store app for iOS
Do it – Create and assign a required Win32 app for Windows 10
Do it – Create and assign an Office App package for macOS
Managed app stores – VPP, MSFB and MGP
Do it – Set up Apple VPP
Do it – Set up MSFB
Do it – Set up Managed Google Play
End-user app stores for Available apps
Chapter 9 - App Protection Policies
App protection policy targeting options
Do it – Try out app protection policies
Supported apps and preparing your own
Windows Information Protection (WIP) for Windows 10
Chapter 10 - App Configuration Policies
App configuration policies for managed devices
Do it – Try out app configuration policies for managed devices
App configuration policies for managed apps
Do it – Try out app configuration policies for managed apps
Chapter 11 - Conditional Access
Device CA – Require compliant devices
APP-CA and MAM-CA – Require approved apps and app protection policy
CA user experiences and broker apps
Do it – Try out device CA
Session-based controls for CA
Do it – Try out session controls for CA
Chapter 12 - Configuration Manager, Co-management and Tenant Attach
Configuration Manager device management in the MEM admin center
Do it – Try out tenant attach
Do it – Enable Hybrid Azure AD Join for on-prem Active Directory devices
Do it – Turn on co-management for existing on-prem devices
Chapter 13 - Endpoint Analytics
Do it – Try out Endpoint Analytics
Chapter 14 - Troubleshooting
Troubleshooting and support experiences
Do it – Try out the Troubleshooting + support page
Resource reports
Do it – Try out resource reports
Client logs
Audit logs
Getting help from Microsoft
Chapter 15 - Advanced Usage and Resources to Learn More
Grouping and targeting – Exclude groups
Role-based access control (RBAC) and Scope tags
Graph API
Do it – Try out Microsoft Graph Explorer
Do it – Try out browser developer tools to see Graph API calls
Do it – Try out PowerShell for MEM
Advanced reporting and automation
Do it – Try out Data Warehouse
Tips for staying up to date
Additional learning – videos, blogs, books and the MEM community
Final thoughts
About the author
I am a Program Manager at Microsoft and I work on Microsoft Endpoint Manager features. My passion for the product started in the early days when it had a lot of wrinkles and was branded Windows Intune. I am especially proud to witness its transition to awesomeness and ascension to the top-right of the Gartner Magic Quadrant (in case you don’t follow industry analyst reports, this just means it’s one of the best UEM products in market). In my first years at Microsoft, I worked in a customer-support type role as a Premier Field Engineer (PFE). I worked with a new customer each week – helping IT folks tweak their Windows desktop configurations through Group Policy or Configuration Manager to improve performance, security or end-user experiences. I jumped on the Intune train early because it seemed new and interesting, and I thought I could make this my new special skill. My managers at the time were all about something called a T-shape, referring to a popular metaphor at the time for one’s breadth and depth knowledge. The top of the T-shape represents your breadth skills and the lower portion represents depth. The idea was that you should have broad technical knowledge in some areas and deep knowledge in others. I was inspired to go deep on Intune, so I learned as much as I could and started teaching the customers I worked with, doing workshops and setting up proofs-of-concept with them. At this stage, there was very little enterprise use or interest in Intune, and it was really all about mobile phones (including Windows Phone), not PCs. When Windows 8.1 came out there was a new cloud management stack on it and a lot of buzz around Modern Management, where admins were encouraged to throw out all the management tools they knew and loved (Group Policy and Configuration Manager), forget all the skills they had learned and earned their living on over the last ten years and move to this new, shiny, simple thing in the cloud. That message did not go down well at all.
After about a year or so of Intune deployment with customers, I had an opportunity to move from the field into the Intune product group, in a new team called the Customer Acceleration Team (CAT). The idea behind this team was that Microsoft product groups could be directly engaged with large enterprise customers who were actively deploying Intune so that the engineering teams would gain a deep understanding of customer blockers and issues. Knowing about them sooner could fast-track important product development and prioritization. It was my job to work directly with a few special and large customers in the Asia region, understand their concerns and summarize the impact to the rest of the product team. I also helped those clients rapidly get Intune from proof-of-concept to fully deployed in their environments. There were perks to this job: the travel was fun and interesting, and I was no longer tied to an office. I worked from home 80 percent of the time and spent the rest travelling. Since I was covering the Asia region, I spent time onsite with customers from India to Japan and many across Australia. I also traveled to Microsoft headquarters in Seattle a couple of times a year to meet with the rest of my team, fill up the knowledge-tank on upcoming features and innovations and tap feature PMs on the shoulder for updates on blockers that were affecting my customers. I really enjoyed the CAT team but realized that I wanted to have a bigger role in the direction of the product and its features. On one of my trips to head office, I put out feelers and told a few folks that being a feature PM in Intune would be my dream job. Next thing I knew, I was boarding my family on a plane from Australia to start a new adventure at Microsoft head office in Redmond, Washington.
I have always had a passion for writing. I have blogged, written, and rewritten product documentation and too many product specifications to count – but never a book. When the COVID-19 pandemic broke out in March 2020, Microsoft was one of the first companies to close offices and send people home to work. I needed a creative outlet and writing this book helped me scratch that itch. It motivated me to get out of bed at 5am each morning in the dark cold in front of my computer, headphones on, cup of coffee in hand and a smile on my face. I was also motivated by the fact that there were no other Microsoft Endpoint Manager books yet. I knew admins around the world were struggling with the learning curve and I could help.
This book contains knowledge I have picked up over the years that I would gladly share with any MEM customers I meet or even new members of the MEM product development team who need to ramp up quickly. Thank you for reading it!
Acknowledgments
So many people were involved in bringing this book to you – I am thankful to the people that contributed directly but also to the people in my personal and work life that gave me a leg-up at some point so that I could eventually write this book:
• Roger Southgate – my good friend and mentor. Thank you for your contribution as Chief Technical Reviewer for this book.
• Leaders and mentors – Callan Tenabel, my first hiring manager at Microsoft who took a chance when he hired me based on potential rather than experience. Ben Francis, Martin Morrison, Ian Bartlett, Bryan Keller and Heidi Cheng too – all Microsoft managers who pointed me in the right direction.
• My brother, Chad, for being a great role model in tech and one of the most generous people I know. I won’t forget the things you do for me.
• My Microsoft colleagues and teammates, both developers and PMs, for patiently teaching me things I now can teach to others.
Lastly, my wife, Mandy, for giving me the time and space to work on projects like this. Thank you.
Chapter 1
Introduction
Did you just land an IT job only to learn your new employer is using Microsoft Endpoint Manager (MEM) for device management? Perhaps you stretched the truth on your resume and suggested you knew it already? Maybe you are an old-hat, know-your-stuff device management pro for another product but your boss just told you the company is migrating? Whatever the case, this book will be your zero-to-hero ramp-up guide.
In authoring this book, I promise you a few things – firstly, I promise an easy but content-rich read. MEM is complicated enough without acronyms and tech-speak. I will keep it simple and articulate, and I’ll take the time to explain industry terminology. Second, I learn by doing stuff (and breaking stuff) and so do most of the IT admins I know. To maximize learning, I will get you ‘doing stuff’ as much as possible. Exercises will not have fine-grained, explicit steps; instead, I will guide you through the flow and prevent you from getting stuck or breaking too much stuff. The book is structured to start out simple, adding building blocks as you go until you reach a point where you can fish for yourself. I recommend that you go beyond the basic steps provided and take regular detours to explore additional configurations, settings and features along the way. At the end of this book, you should be comfortable building-out full scenarios in lab or production environments and be ready to show your boss how awesome you are.
There is one promise I cannot make. MEM is a cloud service; it gets updated super-frequently (once a month, sometimes more), so frequently that some content in this book will get stale. Features and entire products get renamed, new features get added or just annoyingly moved around the UX! You will be fine, though – I will teach you the broad stuff, the concepts and administration patterns, and give you all the resources you need to stay up to date and handle the inevitable product changes, so you can be your company’s go-to MEM ninja for years to come.
Intune vs Endpoint Manager? What do we call this thing?
The first thing you need to know if you are new to this space