Mastering Microsoft Endpoint Manager - Christiaan Brinkhoff - E-Book

Mastering Microsoft Endpoint Manager E-Book

Christiaan Brinkhoff

Description

Microsoft Modern Workplace solutions can simplify the management layer of your environment remarkably if you take the time to understand and implement them. With this book, you’ll learn everything you need to know to make the shift to Modern Workplace, running Windows 10, Windows 11, or Windows 365.
Mastering Microsoft Endpoint Manager explains various concepts in detail to give you the clarity to plan how to use Microsoft Endpoint Manager (MEM) and eliminate potential migration challenges beforehand. You'll get to grips with using new services such as Windows 365 Cloud PC, Windows Autopilot, profile management, monitoring and analytics, and Universal Print. The book will take you through the latest features and new Microsoft cloud services to help you to get to grips with the fundamentals of MEM and understand which services you can manage. Whether you are talking about physical or cloud endpoints—it’s all covered.
By the end of the book, you'll be able to set up MEM and use it to run Windows 10, Windows 11, and Windows 365 efficiently.

You can read the e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 448

Publication year: 2021




Mastering Microsoft Endpoint Manager

Deploy and manage Windows 10, Windows 11, and Windows 365 on both physical and cloud PCs

Christiaan Brinkhoff

Per Larsen

BIRMINGHAM—MUMBAI

Mastering Microsoft Endpoint Manager

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Rahul Nair

Publishing Product Manager: Preet Ahuja

Senior Editor: Athikho Sapuni Rishana

Content Development Editor: Nihar Kapadia

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Language Support Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Shankar Kalbhor

First published: October 2021

Production reference: 2121021

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-899-3

www.packt.com

"If you want to go fast, go alone. If you want to go far, go together."

– African proverb

"With Windows 365, we are making Windows available not just on Windows devices, but any device, harnessing the power of the cloud."

– Satya Nadella

"Community is important for everyone: please consider sharing your knowledge to help others! Working together will help everyone get to a much higher level!"

– Christiaan Brinkhoff

"The way I measure my life is 'Am I better than I was last year?'"

– Satya Nadella

"You renew yourself every day. Sometimes you're successful, sometimes you're not, but it's the average that counts."

– Satya Nadella

Foreword

The history behind Microsoft Endpoint Manager

I started at Microsoft as a developer right out of college in the early 90s. My first coding assignment was on Project Hermes, building an inventory and application delivery tool for the new operating system that Microsoft was about to release – Windows NT. Project Hermes later became Systems Management Server (SMS) 1.0. I stayed on the project and eventually became the product and engineering owner responsible for building and releasing Configuration Manager 2007 and 2012. Right after releasing Configuration Manager 2012, I went to lead the engineering team for Intune/MEM and re-architected Intune to become the industry-leading cloud-based device management service. At the start of 2020, I was asked whether I was interested in leading the product and engineering effort for a new startup project called Cloud PC; I remember saying "sign me up" because I saw it as the last piece of the puzzle to complete the full circle for device management.

When I joined Microsoft, device management as an industry didn't exist. With the introduction of SMS 1.0 and through Configuration Manager 2012, Microsoft created a new IT function – device management. With Intune/MEM, we expanded device management from Windows devices to all devices and we brought device management to the cloud. Virtual Desktop Infrastructure (VDI) has existed for decades, but it has always been costly to set up and run and is difficult to adapt to changing business needs. With Windows 365 Cloud PC, we set out to democratize VDI. We want cloud PCs to be easy to provision and manage, just like how IT manages their physical devices today, and in addition, we wanted to remove much of the complexity and cost associated with VDI.

In the last year and a half, we built a brand-new Azure-based service to enable every MEM admin to provision and manage cloud PCs as easily as they can with their physical Windows PCs, or iOS/Android devices. With the full elasticity of Azure, the predictable pricing, and the ability to instantly purchase, provision, and resize cloud PCs, we are creating many new use cases for running a Windows PC in the cloud that cannot be easily achieved by traditional VDI or physical PCs.

On behalf of the hundreds of engineers and product managers that worked tirelessly in the middle of the COVID pandemic building the Windows 365 service, and to all the IT heroes everywhere managing and securing devices, we want to introduce to you a new category of PC – Cloud PC. This book will help you to adopt Windows 365 quickly and gain new superpowers in device management.

Enjoy your newfound power.

Ken Pan

CVP Windows 365 & MMD at Microsoft

The history behind Cloud PC

I joined Microsoft in 2001 as a Hardware Technical Evangelist and Lead Program Manager for Networking. I worked with hardware partners to improve user experiences and expand the market for consumer networking products. During this time of my career, I created several patents around wireless setup, network discovery, and media streaming technologies. The culmination of this work led to the development and standardization of Wi-Fi Protected Setup and the adoption of a number of Microsoft networking technologies in common industry products. Working with partners to bring new value to customers was ingrained in my DNA and is something I have carried forward in my career.

During the Windows 7 era, I transitioned to media streaming and led the product team implementing video in HTML5, DRM, Media CODECs, and media streaming. My team delivered a number of new end user experiences including PlayTo and remote media access to Windows Media Player. From there I moved to the Xbox team to deliver SmartGlass for Xbox One.

About 10 years into my career at Microsoft, my interests led me to virtualization, which was a culmination of all the technologies I had worked on, such as home networking, audio and video encoding, DRM, media streaming, and device redirection. At that time, Microsoft's first-party virtualization offering (RDS) had a very limited feature set and scalability. Though the technology was heavily used by the tech community for accessing personal desktops, adoption was relatively small in the enterprise space (this was largely led by Citrix).

The RDS team was rife with talented engineers who had focused their entire careers on virtualization, and the partner ecosystem was clamoring for opportunities to engage with Microsoft to deliver value-added services. This combination of a large talent pool, ready and willing partners, and continued growth of virtualization use cases created just the right environment to develop a new virtualization platform that could reach a broader audience.

RDMi, or Remote Desktop Modern Infrastructure, was born from this environment of talent and opportunity. RDMi was a transformational virtualization technology built on the Azure App Service platform to provide a Platform as a Service (PaaS) virtualization solution. Not long after we introduced RDMi, through strong customer and partner feedback we pivoted to a centrally managed, globally distributed implementation of RDMi that we later named Windows Virtual Desktop (now called Azure Virtual Desktop). Windows Virtual Desktop was built with partners in mind – partners that extend the capabilities of the core platform, partners who resell the service as is, and partners that bundle the service with other value-added services to deliver end-to-end solutions for customers.

Azure Virtual Desktop delivered on its promise to create a highly flexible platform that offered virtualization solutions that scaled from the smallest deployment to large multi-national enterprise customers. The partner value-added market has flourished and almost every major virtualization technology company has built solutions that interop with the service. Though Azure Virtual Desktop delivered on its promise to create a flexible platform for partners and customers, there was a large untapped market yet to embrace virtualization. Even PaaS virtualization offerings require a deep understanding of virtualization technologies and management of these types of virtualization environments is quite different from how physical devices are managed.

A new opportunity arose to create a virtualization solution for everyone else, from small businesses with no admin staff to large enterprises looking to increase their security and agility and consolidate their endpoint management. A draft whitepaper I called 1DV (an acronym to represent the development of a first-party desktop virtualization solution) was developed by me and my team and was circulated across the leadership team. This paper and strong signals from our customers led to the formation of the Windows 365 team in Microsoft. Ken Pan and I were tapped to lead this team – a pairing that has proven to be as genius as the technology we have developed together.

Ken and I shared a vision that to truly develop something different, something that Microsoft and the rest of the industry would view as a new category of virtualization, we needed to eliminate the complexities that exist in traditional virtualization solutions and build on the skillsets that customers have in deploying and maintaining physical Windows devices. We started with a set of principles that would guide us through the development of the product and retain our vision for a solution that would resonate with the most virtualization-averse customers:

No understanding of virtualization infrastructure required.
Scale from very small businesses to the largest enterprise customers.
Meet customers where they are and support migrations to fully modern environments.
Create an end user experience that is consistent with physical Windows devices.
Provide a seamless experience to scale up and out as the needs of our customers evolve.
Predictable fixed monthly pricing options that enable customers to manage their budgets.
No global admin required; administration is properly distributed to the right admins in familiar portals.

Right around the time we finalized our principles, the world was hit with a global pandemic that would forever change the way we work. The team was only a few months old when COVID hit, and we had just started building out the new team when the world went into lockdown. Seeing as we were developing a new service that would empower users to be productive anywhere in the world, we took on the challenge of putting together a globally distributed team and developing the service using Teams, SharePoint, Azure DevOps, and other tools to keep the team in sync. 8 months later we started our private preview of the service and 8 months after that we went live.

The world will forever be changed by the effects of COVID. Organizations are creating more opportunities for remote workers, and they are migrating their workloads to the cloud to expand their reach to provide corporate resources to a globally distributed workforce. Windows 365 was cast from this new environment and is just the right product to empower organizations to provide secure and elastic Windows Desktops to their globally distributed workforce.

Scott Manchester

Director of Product Management at Microsoft

Contributors

About the authors

Christiaan Brinkhoff works as a Principal Program Manager and Community Lead for the Windows 365 Engineering team at Microsoft, driving new features such as Windows 11 integration and lots of different new community initiatives while bringing his expertise to help customers imagine new virtualization experiences. Christiaan joined Microsoft in 2018 as part of the FSLogix acquisition.

He has also been awarded the Microsoft MVP, Citrix CTP, and VMware vExpert community achievements.

Writing a book demands huge dedication and constant energy, especially when you've relocated to Redmond, USA, and your family's growing. I'd like to thank my wife for always supporting me and allowing me to dedicate so much private time to finalizing this book!

Per Larsen works as a Senior Program Manager for Microsoft Endpoint Manager - Customer Acceleration Team - Commercial Management Experiences (CMX) Engineering, where he takes learnings from Microsoft's largest and most strategic customers back into the rest of engineering to drive improvements for the service so that customers have a continuously improving product experience. He also helps deploy and adopt Microsoft Endpoint Manager - Microsoft Intune. Per mainly focuses on the management of Windows and special devices such as HoloLens 2, Surface Hub, and Microsoft Teams Room System.

Per was also an MVP in Enterprise Mobility, from 1st July 2016 to when he joined Microsoft on 1st April 2018.

Writing a book during the pandemic and being at home all the time requires dedication and constant energy. I'd like to thank my kids for always supporting me and allowing me to dedicate so much private time to writing this book!

About the reviewers

Seif Bassem is a senior customer engineer in the global technical team at Microsoft, focusing on Azure apps and infrastructure. He has also worked in FastTrack within Microsoft, helping customers to modernize how they provision, manage, and secure their devices using Microsoft Endpoint Manager.

Prior to joining Microsoft, Seif had 10 years of experience in the IT industry leading a team of engineers who were managing and deploying various Microsoft solutions and projects in the financial services sector.

He is a certified Azure solutions architect, administrator, security engineer, and Microsoft 365 Certified Modern Desktop Administrator. He also participated as a CompTIA subject matter expert for the IT Fundamentals Certifications exam preparation.

Peter Cashen is a UK-based technology consultant working through his own company, Kloud 365 Ltd, who has specialized in end user computing since the late 1990s. He has been involved with Microsoft technologies for over 20 years, including SMS, System Center Configuration Manager, Endpoint Manager, and other related tools. Peter's clients come from many sectors, including retail, banking, emergency services, secure government, pharmaceutical, legal, and engineering, and he has also had a stint at Microsoft.

Peter is currently helping clients with large Azure Active Directory-only implementations across the globe to enable them to reduce (or eliminate) their on-premises footprint.

It's hard work and challenging – but I thrive on challenges!

Paul Winstanley is a five-time Enterprise Mobility MVP who has over 25 years of IT experience. He's spent the last decade specializing in endpoint management via Microsoft Endpoint Manager, Configuration Manager, and Intune.

Paul is an independent consultant with his own endpoint management company, SCCM Solutions, which was formed in 2013.

He blogs on his SCCMentor website, sharing his knowledge of Configuration Manager, Intune, Windows 10, and MDM, and is active on Twitter @sccmentor.

Originally from Yorkshire, in the North of England, he's lived in London for the past 25 years with his wife, four children, and brother-in-law.

I'd like to thank Sheila, my wife, all the kids, Joseph, Miles, James, and Beth, and my brother-in-law, Paul, for allowing me to pour time into what I do. Also, thanks to the community for sharing ideas and solutions and communicating in a friendly way, which has helped build up great friendships, fix tricky problems, and generally makes my life easier on a day-to-day basis.

Neil McLoughlin is based out of Manchester in the UK. He has worked in the IT industry for over 20 years, working across many different sectors and roles. He spent around 10 years providing Citrix consultancy for large enterprise customers.

Around 5 years ago, Neil discovered the cloud and DaaS and since then has specialized in cloud-based desktop solutions, mainly Azure Virtual Desktop and Microsoft 365.

Neil is passionate about community work and runs the UK Citrix Azure Virtual Desktop User Group and the WVD Community, which is a worldwide community of people interested in Azure Virtual Desktop.

He is currently employed as the UK field CTO for Nerdio but has previously worked for New Signature, Computacenter, and Cap Gemini as a senior consultant.

I would like to thank my wife for giving me the time needed to spend many evenings and weekends locked away in my office reviewing this book, and also Christiaan Brinkhoff, who has been instrumental in giving a helping hand when needed. Thanks, Christiaan, really appreciate all the help and advice!

Marcel Meurer is responsible for the professional IT services business unit at sepago GmbH in Cologne and is the founder of the development company ITProCloud GmbH. In this role, he leads a team of consultants who provide their expertise in Microsoft and Citrix Technologies for customers and partners. His technical focuses are Microsoft Azure platform services, and he has been a Microsoft Azure MVP since 2016.

He loves working in the community. Besides his blog, he publishes tools that simplify working with Azure Cloud - especially in the context of Azure Virtual Desktop (AVD). His well-known tools include WVDAdmin and Hydra for AVD.

Marcel Meurer graduated as an engineer in electrical engineering from the University of Applied Science Aachen.

Table of Contents

Preface

Section 1: Understanding the Basics

Chapter 1: Introduction to Microsoft 365

An introduction to Microsoft 365

What do the services achieve?

Microsoft Endpoint Manager

Azure Virtual Desktop

AVD and Windows 365 Cloud PC – shared responsibility model 1

AVD and Windows 365 Cloud PC – shared responsibility model 2

Productivity Score

OneDrive for Business (part of Microsoft 365 Apps)

Microsoft Defender for Endpoint (formerly MDATP)

Summary

Questions

Answers

Further reading

Chapter 2: What Is Unified Endpoint Management?

Paths to modern management

Microsoft Endpoint Manager and Intune

Endpoint Manager admin center portal

Microsoft 365 admin center portal

Cloud PC/Windows 365

Azure Active Directory (Azure AD)

Cloud management gateway (CMG)

Desktop Analytics

Microsoft Endpoint Manager – from on-premises to the cloud

Exploring Windows 10 Enterprise in detail

Using Windows via a Windows 365 cloud PC

Azure KMS – cloud PC/Windows 365/AVD

WUfB is the new way of managing Windows servicing

Bring your own device

What is zero trust?

Verifying identity

Verifying devices

Summary

Questions

Answers

Further reading

Section 2: Windows 365

Chapter 3: Introducing Windows 365

What is Windows 365?

Removing the complexity of traditional VDI deployments

Why virtualize Windows in the cloud?

Comparing Windows 365 Enterprise and Business

Microsoft Endpoint Manager

High-level architecture components and responsibilities

Microsoft Endpoint Configuration Manager support

Co-management and Windows 365

Sizes and performance of fixed-price licenses

On-premises connections

Provisioning policies

Windows 365 – gallery images

Custom images

Roles and delegation

The Watchdog service

Optimized Teams on Windows 365

Microsoft Edge

Sleeping tabs

Startup boost

Screen capture protection

Summary

Questions

Answers

Further reading

Chapter 4: Deploying Windows 365

Technical requirements for deploying Windows 365

Azure subscription

Azure VNet

Azure VNet – required related URLs and ports

Microsoft Endpoint Manager and AVD – service URLs

Remote Desktop Protocol requirements

Hybrid Azure AD joined

Purchasing and assigning cloud PC licenses via the Microsoft 365 admin center portal

On-premises network connections

Provisioning a cloud PC

User settings – self-service

Self-service capabilities – IT admin

Reprovisioning the cloud PC

Local administrator

VM SKU upgrades (preview feature)

Image management – creating a custom image (optional)

Supported endpoints

Information Worker Portal (IWP)

Azure AD – MyApps unified (workspace) portal

Multi-factor authentication and conditional access

Security baselines for a cloud PC

Distributing the Remote Desktop client via Microsoft Endpoint Manager – Intune to your physical endpoints

Auto-subscribing users in the Remote Desktop client

Autopilot and cloud PCs – lightweight thin client (Kiosk)

Monitoring and analytics

Shadow users with Quick Assist

Windows 11

Microsoft Managed Desktop

Summary

Questions

Answers

Further reading

Section 3: Mastering Microsoft Endpoint Manager

Chapter 5: Requirements for Microsoft Endpoint Manager

Endpoint scenarios

Identity roles and privileges for Microsoft Intune

Compliance Administrator

Compliance Data Administrator

Intune Administrator

Message Center Reader

Security Administrator

Security Operator

Security Reader

Identity roles and privileges for a Windows 365 cloud PC

Azure Subscription Owner

Intune Administrator

Domain Administrator

Identity roles and privileges for Universal Print

Printer Administrator

Printer Technician

Licensing requirements

Supported OSes

Required web browser versions

Windows 11 requirements

How do you get Windows 11?

Administrator licensing

Azure AD group-based licensing

Setting the mobile device management authority

Enabling Windows automatic enrollment

Using Azure Virtual Desktop with Intune

Microsoft Intune enrollment restriction for Windows

Microsoft Intune device restrictions for Windows

Blocking personal Windows devices

Microsoft Intune device limit restrictions for Windows

Customizing Intune company portal apps, the company portal website, and the Intune app

Associating your Microsoft Store for Business account with Intune

MEM – network URL firewall requirements

Access for managed devices

Windows 365 endpoint URLs

Network URL requirements for PowerShell scripts and Win32 apps

Windows Push Notification Services – required URLs

Windows 365 and Azure Virtual Desktop – required URLs

Universal Print – required URLs

Delivery Optimization

Summary

Questions

Answers

Further reading

Chapter 6: Windows Deployment and Management

Deploying existing Windows devices into Microsoft Endpoint Manager

Enrolling devices – Windows enrollment

When to use what solution

Windows Update for Business

Types of updates managed by Windows Update for Business

Enforcing compliance deadlines for updates

How to handle conflicting or legacy policies

How to set up and configure Windows Update for Business

Safeguard holds

Expediting a Windows patch

The Windows Insider Program for Business

Summary

Questions

Answers

Further reading

Chapter 7: Managing Windows Autopilot

Technical requirements

Windows Autopilot overview

Uploading the hardware ID to Windows Autopilot

Windows Autopilot for existing devices

Windows updates during the Out-of-Box Experience (OOBE)

Auto-assigning Windows Autopilot profiles in Intune

Signing in to Graph Explorer

Enrollment Status Page (ESP)

ESP implementation Windows CSP

Autopilot reporting and diagnostics

Company Portal

Configuring automatic BitLocker encryption for Autopilot devices

Cloud configuration scenario

Deploying essentials that users might need to access work or school resources

Edge kiosk self-deployment scenario

Creating a specific ESP for the Edge kiosk

Creating a Windows Autopilot profile

Self-Deploying (preview)

Autopilot Reset

Wiping and resetting your devices

Fresh start

Windows Recovery Environment

Summary

Questions

Answers

Further reading

Chapter 8: Application Management and Delivery

Application delivery via Microsoft Endpoint Manager

Different application types you can deploy

LOB applications

Supersedence mode

Community tool – Win32App Migration Tool

Deploying Microsoft 365 apps

Update channels

Office Customization Tool

Microsoft 365 Apps admin center

Microsoft 365 apps – customization

Deploying Microsoft Teams

OneDrive

Deploying Microsoft Edge

What is MSIX?

AppxManifest.xml

AppxBlockMap.xml

AppxSignature.p7x

How to create MSIX packages

Pushing the MSIX package application to your endpoints

Summary

Questions

Answers

Further reading

Chapter 9: Understanding Policy Management

Policy management

What is a CSP policy?

Windows Push Notification Services (WNS)

Policy management within Microsoft Endpoint Manager

Migrating existing policies from AD – Group Policy management (preview)

Summary

Questions

Answers

Further reading

Chapter 10: Advanced Policy Management

Policy management

Configuring a policy from the Endpoint Manager Security blade

Configuring your Endpoint security profile

Windows 10 unhealthy endpoints

Attack surface reduction

Configuring a policy from the Settings catalog

Configuring administrative templates

URL reputation

OneDrive Known Folder Move configuration

OneDrive – block syncing specific file extensions

Configure device configuration (template)

Leveraging a custom policy as a last resort

Pushing PowerShell scripts – scripted actions to endpoints

Compliance policies

Windows

Organizational compliance report

Summary

Questions

Answers

Further reading

Chapter 11: Office Policy Management

The Office cloud policy service

Creating a policy configuration with the OCP service

Configuring policies

Tips and tricks in the OCP service

How are Office cloud policies applied?

Security Policy Advisor

Summary

Questions

Answers

Further reading

Chapter 12: User Profile Management

Windows profiles

Modern profile management

Enterprise State Roaming

Microsoft Office's roaming settings

Outlook's signature cloud settings

OneDrive for Business Known Folder Move

Windows 10 Storage Sense

OneDrive and Storage Sense

Microsoft Edge

ESR + OneDrive + Edge + Office

Migrating from legacy to modern profile management

Summary

Questions

Answers

Further reading

Chapter 13: Identity and Security Management

Microsoft Identity

AAD

AAD users

AAD guest users

AAD group types

AAD membership types

Hybrid AAD

Conditional Access

Users and groups

Cloud apps

Conditions

Grant

Preventing users from carrying out AAD device registration

Self-service password reset

AAD password protection

Password-less authentication

Enabling password-less authentication

What is and isn't supported in each password-less scenario

BitLocker disk encryption

BitLocker recovery keys

Microsoft Defender for Endpoint

Integration with MEM

Security baselines

Compliance policies

Windows 365 security baselines

Requirements for Defender for Endpoint

Connecting to Intune – MEM integration

Alerts and security assessments

Security recommendations

Summary

Questions

Answers

Further reading

Chapter 14: Monitoring and Endpoint Analytics

Monitoring and analytics

Monitoring your physical and virtual cloud endpoints

Endpoint analytics – advanced monitoring

Startup performance – logon duration

Performance score breakdown

Top 10 impacting startup processes

OS restart history

Resource performance

Insights and recommendations – score trends

Application reliability

Windows 365-specific metrics

Insights and recommendations

Configuration Manager data collection

Customizing your baselines

Proactive remediations

Azure Monitor integration

Productivity Score

Service health

Summary

Questions

Answers

Further reading

Chapter 15: Universal Print

What is Universal Print?

Universal Print – architecture explained

The print connector

Where does my printed data go?

Printer defaults

Universal Print – service requirements

Network requirements

Learning how to deploy Universal Print

Delegating printer access – custom roles

Connecting your existing printer to Universal Print

Configuring Universal Print

Enabling hybrid AD configuration – via the Universal Print connector

Registering your own custom printers with Universal Print

Sharing your printers with your users

Assigning permissions to use a printer(s)

Testing your Universal Print connected printer

Assigning and deploying cloud printers with Microsoft Endpoint Manager

Summary

Questions

Answers

Further reading

Section 4: Tips and Tricks from the Field

Chapter 16: Troubleshooting Microsoft Endpoint Manager

Troubleshooting MEM

Service health and message center

Troubleshoot blade in MEM

Troubleshooting Windows 10 MEM enrollment

BitLocker failures

Windows 10 device diagnostics

Client requirements

Troubleshooting application delivery

Win32

LOB

Microsoft Store apps

Troubleshooting Autopilot

Windows 11 Autopilot diagnostics page

Troubleshooting locating a Windows device

Troubleshooting Microsoft Edge

Summary

Questions

Answers

Further reading

Chapter 17: Troubleshooting Windows 365

Troubleshooting yourself and Microsoft Support

Windows 365 provisioning errors

Cloud PC – device-based filtering

Summary

Questions

Further reading

Chapter 18: Community Help

Join the new W365 Community!

Microsoft Tech Community and MS Learn

Other community blogs, Microsoft MVPs, and more…

Summary

Other Books You May Enjoy

Preface

One of the main reasons for the slow adoption of Modern Workplace solutions designed to simplify the management layer of your environment is the lack of understanding and knowledge of the product. With this book, you'll learn everything you need to know to make the shift to the Modern Workplace, running Windows 10, Windows 11, or Windows 365.

Mastering Microsoft Endpoint Manager explains various concepts in detail to give you the clarity to plan how to use Microsoft Endpoint Manager (MEM) and eliminate potential migration challenges beforehand. You'll get to grips with using new services such as Windows 365 Cloud PC, Windows Autopilot, profile management, monitoring and analytics, Universal Print, and much more. The book will take you through the latest features and new Microsoft cloud services to help you to get to grips with the fundamentals of MEM and understand which services you can manage. Whether you are talking about physical or cloud endpoints, it's all covered.

By the end of the book, you'll be able to set up MEM and use it to run Windows 10, Windows 11, and Windows 365 efficiently.

What you will learn:

- Simplify the deployment of Windows in the cloud with Windows 365 Cloud PC.
- Configure advanced policy management within MEM.
- Discover modern profile management and migration options for physical and cloud PCs.
- Harden security with baseline settings and other security best practices.
- Find troubleshooting tips and tricks for MEM, Windows 365 Cloud PC, and more.
- Discover deployment best practices for physical and cloud-managed endpoints.
- Keep up with the Microsoft community and discover a list of MVPs to follow.

Who this book is for

If you are an IT professional, enterprise mobility administrator, architect, or consultant looking to learn about managing Windows on both physical and cloud endpoints for remote working via MEM, this book is for you.

What this book covers

Chapter 1, Introduction to Microsoft 365, teaches you about keeping your resources secure while leveraging other services within Microsoft 365's broader product suite. Understanding the fundamentals of a product is the most important factor for a successful deployment.

Chapter 2, What Is Unified Endpoint Management?, acknowledges that the basics of modern management are sometimes complicated to understand. You will learn about the concept of modern management and zero trust with MEM (Intune), its history, and the architectural concept, so that you get a clear understanding of how physical, virtual, and mobile devices all come together in one management console.

Chapter 3, Introducing Windows 365, teaches you everything to get started with this new Microsoft cloud service that simplifies deployment as well as your cloud PC maintenance with MEM.

Chapter 4, Deploying Windows 365, teaches you everything you need to know about how to deploy Windows 365, what the requirements are, and tips and tricks.

Chapter 5, Requirements for Microsoft Endpoint Manager, provides a clear understanding of the different requirements for MEM, from OS versions and URL firewall allow-listing to the required licenses and privileges.

Chapter 6, Windows Deployment and Management, teaches you about deploying Windows 10 Enterprise with MEM – Intune.

Chapter 7, Managing Windows Autopilot, teaches you how and when to use Autopilot to enroll Windows 10 on your physical endpoint devices. What are the recommended approaches and decisions to make beforehand? You will get to know all of this in this chapter.

Chapter 8, Application Management and Delivery, teaches best practices to deploy and manage your Microsoft 365 and line-of-business applications on your Windows 10 endpoints.

Chapter 9, Understanding Policy Management, teaches you about the different policy types, what modern policy management means, and how it works on Windows 10/11 clients compared to Group Policy.

Chapter 10, Advanced Policy Management, teaches you about the different policy options to customize and secure your Windows 10 Enterprise desktops in your environment.

Chapter 11, Office Policy Management, teaches you about the policy options to customize and secure Microsoft 365 Apps (Office) on your Windows 10 Enterprise desktops in your environment.

Chapter 12, User Profile Management, discusses how profile management is a very important factor to ensure a good user experience. You will learn about the different Windows profile types and differences in services to offer similar experiences on different endpoint devices, for example, physical and cloud endpoints with Enterprise State Roaming and Microsoft Edge.

Chapter 13, Identity and Security Management, teaches you how to configure Azure Active Directory in the most secure way possible for your end users and IT department. You will learn what the different options to enable Azure MFA are, about BitLocker, and how to configure Microsoft Defender for Endpoint with end-to-end security-level integration in MEM – Intune.

Chapter 14, Monitoring and Endpoint Analytics, looks at how, after deploying your desktops, it's important to ensure the performance, logon duration segmentation, and quality level of Windows and applications. You will learn in this chapter how you can achieve this with Endpoint Analytics, Productivity Score, and other monitoring capabilities of MEM.

Chapter 15, Universal Print, looks at Universal Print and how, despite businesses doing more and more things in a digital way, printing on physical paper remains important. Universal Print is a relatively new platform service on Azure that can simplify the whole printing configuration and maintenance process compared to a traditional print server environment.

Chapter 16, Troubleshooting Microsoft Endpoint Manager, covers the most common causes of and fixes for problems when deploying Windows 10 Enterprise, plus other tips and tricks to keep deployments running smoothly. Both writers have over two decades of field experience in deploying Windows in many forms, which they share in this section.

Chapter 17, Troubleshooting Windows 365, teaches you about all the different troubleshooting errors of Windows 365 Cloud PC to prepare you to respond proactively to any errors that could occur while deploying cloud PCs in your environment.

Chapter 18, Community Help, shares some of the best community blogs out there, as the writers have a strong community background; some are written by beginners, while others are by Microsoft MVPs.

To get the most out of this book

In order to get the most out of this book, it's good to have a base-level understanding of MEM, Azure, Microsoft 365 cloud services, and such. This is not required, however, as you'll learn all you need to know in this book!

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801078993_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Enter Device type restriction – HR as the name."

A block of code is set as follows:

<?xml version="1.0"?>
<HardwareReport>
    <HardwareInventory>
         <p n="ToolVersion" v="3" />
         <p n="HardwareInventoryVersion" v="131" />

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

msiexec /i "RemoteDesktop_1.2.1755.0_x64.msi" /qn ALLUSERS=2 MSIINSTALLPERUSER=1

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "Go to Tenant admin | Roles | Administrator Licensing."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Mastering Microsoft Endpoint Manager, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Understanding the Basics

Learn about all the fundamentals of the different Microsoft 365 services, what the benefits are, and how they are different in comparison to other technologies and services on the market.

This part of the book comprises the following chapters:

Chapter 1, Introduction to Microsoft 365
Chapter 2, What Is Unified Endpoint Management?

Chapter 1: Introduction to Microsoft 365

Understanding the fundamentals of a product is the most important thing for a successful deployment. Keeping your resources secure while leveraging other services within the Microsoft 365 product suite is what you will learn about in this chapter.

In this chapter, we'll go through the following topics:

- Microsoft 365 services
- Azure Virtual Desktop and Windows 365
- Windows 10 and Windows 11

An introduction to Microsoft 365

Microsoft 365 includes many services that you might use in your day job, whether as an IT professional or a non-technical user. The services help you to become more productive by simplifying tasks that would require a lot of work in on-premises environments. A great example would be the shift we've made from Exchange Server to Exchange Online.

What do the services achieve?

In this introductory section of the book, we will briefly explain the Microsoft 365 core services and features that are relevant to the subject of this book, just to get a good baseline understanding of the differences between the various services. You'll also learn about the purpose and benefits of each service.

Microsoft Endpoint Manager

Microsoft Endpoint Manager (MEM) is the consolidation of Microsoft Intune and Microsoft Endpoint Configuration Manager (MECM). It provides one holistic management experience while adding new functionality and intelligent actions without any complex migration or disruption of productivity.

It provides a number of assets to aid your transition to modern management while also increasing customers' security and helping them move to the cloud. MEM now also includes management capabilities for different endpoints:

Figure 1.1 – MEM – service portfolio

MEM helps you manage physical and virtual desktops, laptops, tablets, and other mobile devices, including iOS, Android, and macOS devices.

MEM uses Azure Active Directory (Azure AD) as its primary identity and directory store. Azure AD is a cloud identity service rather than a drop-in replacement for on-premises Active Directory Domain Services: with hybrid identity (accounts synchronized from AD DS to Azure AD), the two coexist, and the on-premises management infrastructure, Configuration Manager, integrates with Intune through co-management and tenant attach.

Intune is extremely helpful for devices that are beyond the management scope of Group Policy, such as mobile phones, devices that are not Active Directory Domain Services (AD DS) domain members, or Windows 10 devices that are joined to Azure AD:

Figure 1.2 – MEM – management console

With MEM, you can achieve the following:

- Let your organization's employees use their personal physical and virtual endpoint devices to access organizational data (commonly known as bring your own device (BYOD)).
- Manage organization-owned phones.
- Control access to Microsoft 365 from unmanaged devices, such as public kiosks and mobile devices.
- Help ensure that devices and apps that do connect to corporate data comply with security policies.

For example, when a user attempts to open one of their line-of-business (LOB) apps on their phone or Windows 10 endpoint, Microsoft 365 checks with Azure AD to authenticate the user and verify whether that user can access the data from that app on that device. The granting of access depends on the following:

- Conditional Access policies defined within Azure AD
- Whether the app on that device complies with app configuration and data protection policies (Intune will confirm this for Azure AD)

If the device and app are both compliant with all policies, Azure AD notifies Microsoft 365 that the data can be accessed.
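To make the flow above concrete, here is an added example, not taken from the book, of creating the kind of Conditional Access policy described: it requires a device that Intune reports as compliant (or a hybrid Azure AD-joined device) before Office 365 data can be accessed. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the admin signing in can consent to the Policy.ReadWrite.ConditionalAccess permission, and that you replace the placeholder group ID with the object ID of your emergency-access (break-glass) group; the policy name is made up.

```powershell
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group holding your emergency-access ("break-glass") accounts.
# Always exclude it; otherwise an outage of the compliance evaluation can lock every admin out.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA01 - Require compliant device for Office 365"
    # Start in report-only mode; the Azure AD sign-in log then shows what the policy would have done.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        # "Office365" is the built-in app group covering Exchange Online, SharePoint Online, Teams, etc.
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice: Intune has marked the device compliant and told Azure AD so.
        # domainJoinedDevice: the device is hybrid Azure AD joined.
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what Azure AD stored before switching state to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

Leave the policy in report-only mode until the sign-in log shows no unexpected "would have blocked" results for your pilot users; only then change the state to enabled. The break-glass exclusion is deliberate: a Conditional Access policy that depends on Intune compliance signals must never be the only thing standing between you and a locked-out tenant.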

Azure Virtual Desktop

Azure Virtual Desktop, or AVD for short, is a Microsoft-managed platform-as-a-service offering on top of the Microsoft Azure cloud. Unlike traditional virtual desktop infrastructure (VDI) deployments, all the infrastructure services, such as brokering, web access, load balancing, management, and monitoring, are all set up for you as part of a control plane offering.

Windows 365 Cloud PC

A new way of experiencing Windows, on any device – that's the best way to describe the new Microsoft cloud service Windows 365 Cloud PC. Microsoft's vision is to have people use Windows 365 the same way as they would manage a physical endpoint but with the flexibility of the cloud.

Windows 365 is everything you need if you are looking for a simple way of running your Windows desktops in the cloud. You can decrease the costs and complexity of your environment by deploying and managing virtual endpoints in MEM; no additional VDI expertise or resources are needed. More about this will be explained later in this chapter.

AVD and Windows 365 Cloud PC – shared responsibility model 1

As with many cloud services, there is a shared set of security responsibilities. You have control and flexibility, and with that comes responsibility. If you are adopting Windows 365 Cloud PC, it's important to understand that while some components come already secured for your environment, there are other areas where you will need to configure things to fit your organization's security needs:

Table 1.1 – Shared responsibility model 1

AVD and Windows 365 Cloud PC – shared responsibility model 2

The following table is an extension of the previous one, but it goes a bit deeper in terms of the differences in management experience:

Table 1.2 – Shared responsibility model 2

Windows 10 Enterprise

Windows 10 Enterprise is one of the primary components of your Microsoft 365 subscription. Windows 10 meets the needs of large and midsize organizations, providing users and organizations with the tools, services, and support to enhance their personal and organizational productivity.

Windows 10 also supports collaboration through Microsoft 365 apps, Microsoft Teams, Microsoft Whiteboard, and OneNote.

Windows 10 helps improve productivity by providing faster, safer ways to get work done across all your users' devices. Users can find apps, settings, documents, and messages by using enterprise search and Cortana, and use Timeline to see a chronological view of their activities and documents. Windows 10 has hardware options ranging from Surface Hub to the new always-connected PCs. These options support users wherever they need or prefer to work. Users can move from one device to another with Continue on PC in Microsoft Edge or take notes directly on a web page with Windows Ink. Windows 10 also comes with a robust set of accessibility features, such as Narrator, word prediction, and eye control.

Windows 10 includes tools to help you customize device setup, manage all your devices, and control corporate identities, data, and apps on personal devices without impacting personal data. Maximize security and productivity by staying current with Windows 10. The way to update Windows has changed completely. Major upgrades that previously happened every few years have now changed to updates that happen twice a year. Windows-as-a-Service, the model for Windows 10, provides the flexibility and control needed to manage and distribute updates using your current method or by using Microsoft's infrastructure.

Windows 10 protects, detects, and automatically responds to the most advanced malware and hacking threats, while protecting user identities, devices, and your organization's information. Windows 10 investigates threats as they evolve and automates remediation to make response times faster, thanks to Intelligent Security Graph (which uses security intelligence, machine learning, and behavioral analytics). These security solutions are built in and provide you with full security life cycle management for endpoint protection (EPP) and endpoint detection and response (EDR).

It also integrates with other Microsoft 365 services, which cover even the most complex multi-platform environments:

- Threat protection: Windows 10 threat protection includes next-generation malware and hacking defense to help protect against threats, including zero-day attacks. It provides a hardened platform that can help prevent encounters, isolate threats, and prevent the execution of malicious apps and content. Windows 10 can detect and respond to the most advanced threats and automatically remediate them.
- Identity access: Windows 10 protects user identities against pass-the-hash and pass-the-ticket attacks by helping you move to a world without passwords. Windows Hello is a biometric authentication tool that strengthens authentication and helps guard against potential spoofing.
- Information Protection: Windows 10 makes it easy to protect data – whether that data is at rest or in use. Windows Information Protection helps protect sensitive information against leaks. When you combine Windows 10 with Azure Information Protection and Microsoft 365, you get a sophisticated solution that meets the highest requirements for data loss prevention with minimal input.

Windows 11 Enterprise

Windows 11 is the next evolutionary phase of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers a lot of innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment and is intended to be the most secure, reliable, connected, and performant Windows operating system ever.

Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward.

Windows 11 is Zero Trust ready and secure by design, with new built-in security technologies that will add protection from the chip to the cloud, while enabling productivity and new experiences. Key security features such as encryption, hardware-based isolation, and malware prevention are turned on by default. Going passwordless has also been made easier by simplifying the steps to deploy Windows Hello for Business.

To address the need for hybrid working in the market right now, location shouldn't matter. Addressing the new how, when, and where we work demands simplicity and security changes in the Windows operating system as well as the delivery of Windows in a simpler way – from the cloud with Windows 365:

Figure 1.3 – Windows 11

You can have a highly secure and consistent experience for users, with all the necessary IT controls, that delivers updates in a non-disruptive way, combined with a new, modern look and feel – that's the best way to describe what Windows 11 offers in a nutshell.

We will explain more about Windows 11 in Chapter 6, Windows Deployment and Management.

Productivity Score

The journey to digital transformation is supported by Productivity Score, which provides insights into how your organization uses Microsoft 365 and the technology experiences that support it. Your organization's score reflects the effectiveness of your people's work and technology and can be compared to benchmarks from organizations similar in size to yours.

Productivity Score provides the following:

- Metrics to help you see where you are on your digital transformation journey
- Insights about your data to help you identify opportunities to improve productivity and satisfaction in your organization
- Actions you can take to help your organization use Microsoft 365 products efficiently

The following Productivity Score screenshot shows you the level of insights you get based on scoring metrics in the Microsoft 365 admin portal:

Figure 1.4 – Productivity Score

Your Productivity Score is the sum of the scores for the people experiences and technology experiences categories. Each of the eight categories is weighted equally and is worth up to 100 points, so the highest possible Productivity Score is 800.

Endpoint Analytics

Endpoint Analytics is a service that is used to ensure the consistent performance of your MEM deployment and is part of Productivity Score. Everything that is collected comes from measurements of how your business is working. For example, Endpoint Analytics gives you insights into the boot time of your physical device, logon duration, and application startup time.

The insights enable IT admins to reduce support costs by proactively solving issues in their environment. Once a remediation script package (a detection script paired with a remediation script) has been deployed from MEM, devices run the detection on a schedule and remediate themselves without per-device involvement of the IT admin:

Figure 1.5 – Endpoint Analytics

Your end-to-end experience can be dramatically improved by Endpoint Analytics and the benefits it brings. Another huge benefit is that all service costs are included; unlike the case with Azure Monitor, there is no need to pay for storage retention!

Desktop Analytics

Desktop Analytics is an important part of the full MEM service; it is cloud-based and integrates with Configuration Manager. The service also provides different levels of insights and intelligence for IT administrators to make proactive decisions about the update readiness of your Windows 10 endpoints. The service combines data from your business with data aggregated from millions of devices connected to Microsoft cloud services.

Here is a list of the different benefits of Desktop Analytics with Configuration Manager:

- Create an inventory of apps running in your organization.
- Assess app compatibility with the latest Windows 10 feature updates.
- Identify compatibility issues and receive mitigation suggestions based on cloud-enabled data insights.
- Create pilot groups that represent the entire application and driver estate across a minimal set of devices.
- Deploy Windows 10 to pilot and production-managed devices.

Here is an example screenshot of how security and feature updates come together in a single, unified experience in Desktop Analytics:

Figure 1.6 – Desktop Analytics – management console

Now that we have talked about all the different enhancements to monitor and analyze your endpoints, we're going to talk about the different Microsoft 365 services that you can use within your physical and cloud-managed desktops.

Microsoft 365 Apps (for Enterprise)

Microsoft 365 Apps for Enterprise includes the Microsoft productivity suite of applications, such as Word, Excel, PowerPoint, Outlook, and Teams, for both Windows and Mac devices. Microsoft 365 Apps isn't a web-based version of Office – instead, it's a full version of Office that your users install and run on their devices. You can use the Office applications that come with Microsoft 365 Apps with the on-premises or online versions of Exchange, SharePoint, or Skype for Business.

You can install Microsoft 365 Apps from a network share or directly from the internet. After it's installed, you don't have to be connected to the internet to use it. However, you'll need to connect at least once every 30 days to ensure that your license is still active.

Microsoft 365 Apps is updated either monthly or semi-annually with new features, security updates, and other quality updates from Microsoft. You can choose which frequency works best for your organization by selecting specific update channels.

Office Professional Plus 2019 has a few benefits over Microsoft 365 Apps, such as support for air-gapped devices (there is no 30-day online license check) and device-based activation, and organizations interested in Office 2019 should contact Microsoft for more information.

OneDrive for Business (part of Microsoft 365 Apps)

Microsoft OneDrive is an enterprise file sharing service that allows you to easily store and securely access your files from all your physical, virtual, and mobile devices. You can work together with people from any location, regardless of whether they're inside or outside your organization, while also exploiting comprehensive security capabilities to, for example, only allow data sharing based on several security baseline conditions. All your data in OneDrive is protected through advanced encryption while in transit and at rest in data centers.

OneDrive enhances collaboration capabilities within Microsoft 365 apps by connecting you to your personal and shared files in Microsoft 365. With OneDrive on the web, desktop, or mobile, you can access all your personal files and any files shared with you by other people or teams, including files from Microsoft Teams and SharePoint.

Another great feature is OneDrive cloud backup – also known as OneDrive folder backup (previously Known Folder Move). This service automatically syncs your Desktop, Documents, and Pictures folders on your physical or virtual endpoints to your OneDrive cloud storage. Your files and folders stay protected and are available from any device!
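The Endpoint Analytics section above describes remediation script packages that detect and fix issues on devices without per-device admin work, and the paragraph just above describes OneDrive folder backup (Known Folder Move). The following added example, which is not from the book, ties the two together: a detection/remediation pair that makes sure every managed Windows device silently redirects its Desktop, Documents, and Pictures folders into OneDrive for your tenant, so a lost or ransomware-hit device does not take the user's files with it. It assumes the scripts run in the SYSTEM context (the default for these packages), that the two parts are uploaded as two separate .ps1 files, and that you replace the placeholder tenant ID with your Azure AD tenant ID. The registry values used (KFMSilentOptIn and KFMBlockOptOut under the OneDrive policy key) are the documented OneDrive sync client policies.

```powershell
# ---- Detect-OneDriveKFM.ps1 (detection script: exit 0 = compliant, exit 1 = needs remediation) ----
# Assumption: runs as SYSTEM, so HKLM is readable/writable. Output is shown in the MEM report.
$TenantId   = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with your Azure AD tenant ID
$PolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"

try {
    # Throws if either the key or the value is missing, which is also a "not compliant" result.
    $kfm = Get-ItemProperty -Path $PolicyPath -Name "KFMSilentOptIn" -ErrorAction Stop
    if ($kfm.KFMSilentOptIn -eq $TenantId) {
        Write-Output "KFM silent opt-in already points at tenant $TenantId"
        exit 0
    }
    Write-Output "KFMSilentOptIn is '$($kfm.KFMSilentOptIn)', expected '$TenantId'"
    exit 1
}
catch {
    Write-Output "KFMSilentOptIn not configured: $($_.Exception.Message)"
    exit 1
}

# ---- Remediate-OneDriveKFM.ps1 (remediation script: runs only when detection exited 1) ----
$TenantId   = "00000000-0000-0000-0000-000000000000"   # same placeholder tenant ID as in the detection script
$PolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"

try {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # Silently move Desktop, Documents, and Pictures into OneDrive for this tenant...
    New-ItemProperty -Path $PolicyPath -Name "KFMSilentOptIn" -Value $TenantId `
        -PropertyType String -Force | Out-Null
    # ...and stop users from moving the known folders back out of OneDrive.
    New-ItemProperty -Path $PolicyPath -Name "KFMBlockOptOut" -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Output "Configured KFMSilentOptIn for tenant $TenantId and blocked opt-out"
    exit 0
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The detection script is deliberately read-only and reports the current value, so the pre-remediation output in the MEM report tells you what the device had before the fix; the remediation only runs on devices where detection returned 1, and the next scheduled detection confirms the change stuck.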

Microsoft Teams

Microsoft Teams is a unified communications collaboration tool that brings different services together to modernize the way you work with colleagues and external businesses. Teams allows you to implement a chat-based workspace as part of your Windows 10 physical and virtual PCs but also as a mobile app on various platforms, which helps you stay up to date both in the office and on the go.

Teams keeps your team in sync by sharing OneDrive and SharePoint documents, insights, and status updates while being able to manage important projects and easily locate people – from anywhere and on any device!

With Microsoft Teams, you can do the following:

- Communicate through chat, meetings, and calls: Host audio, video, and web conferences, and chat with anyone inside or outside of your organization.
- Collaborate with integrated Microsoft 365 apps: Teams makes teamwork easy by allowing users to co-author and share files with popular Microsoft 365 apps – from Microsoft Word to Microsoft Power BI.
- Customize your workplace and achieve more: Using Teams, you can integrate apps from Microsoft and third-party partner services to meet your organization's unique needs.
- Connect across devices: Teams and Teams devices work well together for intelligent meeting and calling experiences. Find the right devices for your needs and bring your best ideas to life.

Microsoft Edge

Microsoft Edge was first released in 2015 as the modern successor to Internet Explorer. Five years later, a new version of Edge was released, built on top of the open source Chromium project, so it uses the same core engine as the Google Chrome browser.

Microsoft Edge has proven to be very fast. Its alignment with other Microsoft services such as MEM to set policies, as well as the cross-platform support for the app to sync data such as personal history and favorites settings, has been well received. This has resulted in Edge being the default browser for Windows 10 to date.

Microsoft Edge is available on Windows, macOS, iOS, Android, and Linux. You can choose what device you want to use with the same native Edge experience across different platforms.

Universal Print

You might remember the following workflow – or still do it to this day: spin up a Windows Server environment, add the print server role, and start adding your printers and designated drivers to the server. Not very modern or efficient, is it? Universal Print offers the same, and more, features while also eliminating the need for on-premises infrastructure. It enables you to manage printers directly through a centralized portal in Microsoft Azure. Say goodbye to installing (and maintaining) printer drivers on devices and/or golden images. As a bonus, everything works with Azure AD. This means that users can use the same set of credentials they use for other Microsoft services, whether they log on to a physical desktop or a virtual desktop running in the cloud.

Microsoft Defender for Endpoint (formerly MDATP)

Microsoft Defender for Endpoint is the enterprise version of Microsoft Defender, which is enabled by default in Windows 10 Enterprise and Windows 11 Enterprise. It's a cloud security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

The service is integrated end to end into the MEM console and therefore aligns easily with other compliance and security settings and roles as part of your security baselines.

One of the great features of integrating Defender for Endpoint with MEM is that onboarding is handled for you: once the connector is enabled and an onboarding configuration profile is assigned, every physical and/or cloud PC that enrolls is onboarded automatically, so you never have to run the onboarding package by hand on individual devices:

Figure 1.7 – Defender for Endpoint – management console

The