Mastering Microsoft Intune - Christiaan Brinkhoff - E-Book

Mastering Microsoft Intune E-Book

Christiaan Brinkhoff

Description

Microsoft Intune is the leading management solution to manage your Windows environment from every angle. While it offers powerful capabilities to simplify management and migration processes, many organizations struggle with implementation and adoption. This book will provide you with all the information you need to successfully transition to Microsoft Intune.
Written by Microsoft experts Christiaan Brinkhoff and Per Larsen, Mastering Microsoft Intune, Second Edition delivers in-depth insights into using Microsoft Intune efficiently. You'll learn how management and AI come together with the latest Intune Suite capabilities to secure your endpoints and maximize security for both physical and Cloud PCs.
This book will help you deploy Windows 11 and Windows 365, implement Windows Autopilot, manage applications, configure advanced policies, and leverage new innovations like Windows Copilot and Security Copilot. Drawing on the authors' decades of field experience, you'll master everything from identity and security management to monitoring and analytics, including Universal Print via the Cloud.
By the end of this book, you'll be able to set up Intune and use it to run Windows 11 and Windows 365 efficiently with the latest innovations such as Intune Suite and AI (Copilot) from Microsoft included!

You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 631

Year of publication: 2024




Mastering Microsoft Intune

Second Edition

Deploy Windows 11, Windows 365 via Microsoft Intune, Copilot and advanced management via Intune Suite

Christiaan Brinkhoff

Per Larsen

BIRMINGHAM—MUMBAI

Mastering Microsoft Intune

Second Edition

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Senior Publishing Product Manager: Reshma Raman

Acquisition Editor – Peer Reviews: Gaurav Gavas

Project Editor: Amisha Vathare

Content Development Editor: Soham Amburle

Copy Editor: Safis Editing

Technical Editor: Anjitha Murali

Proofreader: Safis Editing

Indexer: Subhalakshmi Govindhan

Presentation Designer: Ganesh Bhadwalkar

Developer Relations Marketing Executive: Meghal Patel

First published: October 2021

Second edition: March 2024

Production reference: 1110324

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83546-851-7

www.packt.com

Forewords

By Steve Dispensa, Corporate Vice President, Microsoft Intune

Microsoft Intune

Since Christiaan and Per’s first edition of Mastering Microsoft Endpoint Manager, a lot has changed, in the world and in the product. To begin with, MEM has gained its rightful name, Intune, and thus the title of this second edition no longer matches the first edition. (And note the lower-case “t” in “Intune” – Microsoft lore has it that every time someone writes “InTune” a unicorn dies.) We’ve moved from pandemic recovery to a world of hybrid work, however much some organizations insist employees come to the office every day. Geopolitical conflicts have fueled a rise in nation-state attacks on IT infrastructure – a rise that is likely to be permanent. And, unless you’ve been living under a rock the last year (and even if you have), you will have felt the effects of AI’s coming of age.

Intune has changed too, and more than just in name. It is now the largest endpoint management solution in the world, larger than all other products in this space combined. The move to the cloud is proceeding apace, with almost two-thirds of the managed Windows PC population now managed in the cloud. Intune has gotten much richer support for macOS, and as of last year, it now supports Linux. It is also broadening its reach from its traditional focus on information workers, with new capabilities for frontline workers and their devices. ConfigMgr is still going strong, of course, but with these improvements in Intune’s cloud-native reach, more customers than ever are choosing to move their endpoint management to the cloud.

As Intune has grown, customers have asked for help in solving problems that are adjacent to our core endpoint management mission. In response, we have released the Intune Suite, a set of six solutions that allow customers to unify and simplify their infrastructure, driving down complexity, reducing cost, and improving security. These new offerings are scenarios where Intune has a unique value proposition to offer. For example, Microsoft Cloud PKI is directly integrated into Intune and Entra and allows the direct replacement of legacy CA infrastructures with Microsoft’s cloud-based scale, availability, and security.

The rise of AI may be the most profound change of all, not only since the last edition of this book, but since the dawn of the Internet itself. Generative AI has already revolutionized the way knowledge workers get their jobs done, the way students learn, and the way coders write software.

Soon, we will bring the power of generative AI to Copilot for Security and Copilot for Admins, which will be force multipliers for security and IT pros to help them scale their impact. Intune will be fully Copilot-enabled, making life easier for hundreds of thousands of end-user computing professionals around the globe.

Yes, the world has changed dramatically since 2021, and now, it’s changing again as we create an AI-powered future. Every company, school, and individual in the world stands to benefit. These advances will be driven via the cloud, which hosts the enormous amounts of compute power and storage needed to deliver these new capabilities. And that brings us back to Intune. There has never been a better time or a more important reason to go cloud-native in your organization, and Christiaan and Per have written exactly the book to help you on your journey.

By Scott Manchester, Vice President, Windows 365 + AVD

The innovation engine that drives Windows in the cloud experience

Innovation can take many forms; as technology providers and product people, it’s often difficult to put what we’re building in context. And for many of us, we have a clear preference for the kinds of product areas we work on. When we develop products to meet the diverse needs of our customers, we are thoughtful in how we innovate. Consider there are three core types of innovation: Disruptive, Evolutionary, and Revolutionary. Let’s walk through some examples of these types of innovation.

Consider the case of innovation on televisions; while the act of watching screen-based entertainment remained the same, LCD televisions built on existing technological frameworks and material advancements to deliver a new device type that made the act of consuming new content better than on traditional CRT-based TVs. This is a great example of an evolutionary advancement in televisions.

The Internet would be an example of a revolutionary advancement. It’s changed how we buy, learn, and fundamentally communicate with each other. It has created new markets and significantly expanded others. The modern electrical vehicle is a disruptive technology. Consider 15 years ago the three leading US-based automakers were Chrysler, Ford, and Chevy. As of the time of writing, Tesla’s market capitalization is around four times the size of all of these manufacturers combined. Tesla disrupted the market by offering new value, direct-to-consumer sales, and the ability to attach services to the sale after the initial purchase.

Let’s discuss the forces that are shaping the innovation happening in the cloud virtualization world. The shift to hybrid work created new opportunities, but it also created new challenges. Things look different when the IT team isn’t down the hall from employees who need help. New employees need to be onboarded, distributed teams need to be connected, specialized workloads need to be enabled, and new projects need to be scaled up. IT needs to on-ramp employees, but they also need to be prepared to respond to rapidly changing environments, while still maintaining business continuity. And, while managing this, IT also needs to ensure they are keeping their estate secure and meeting ever-changing regulatory requirements.

It is a challenge to address these needs with agility without overburdening IT, letting costs get out of control, sacrificing productivity, or compromising security. The changing nature of work is creating a tremendous opportunity for all of us in the virtualization market. Today Microsoft can deliver Windows to users in 3 ways: on a physical device, through Azure Virtual Desktop, and through Windows 365. When you think about the innovation framework we discussed earlier, we can talk about our approach to delivering a Windows cloud experience that innovates in response to the changing nature of work.

Azure Virtual Desktop is a cloud VDI product that was a natural evolution from traditional on-prem VDI. Cloud VDI provides a PaaS-based management plane and the ultimate flexibility in computing, storage, density, and location. We think about Azure Virtual Desktop as our “any” offering – any compute and storage combination, any location, and any supported OS. Admins that are familiar with deploying and managing traditional VDI will find Azure Virtual Desktop a huge step forward that brings the reach and capabilities of Azure to bear in addressing their virtualization needs.

Windows 365 is a truly revolutionary innovation: the cloud PC allows us to create a Software as a Service, or SaaS, offering that redefines the end-user experience and can be managed by an endpoint administrator using the same tools, baselines, and processes as a traditional PC. A cloud PC can be provisioned with Zero Touch, the security principles are based on Zero Trust, and end-users can immediately be productive with Zero Ramp. We affectionately refer to Windows 365 as the “zero” offering.

Thank you, Microsoft!

We also want to say a huge thank you to the following people at Microsoft who helped contribute to this book.

Steve Dispensa and Scott Manchester for writing our forewords.

Phil Gerity and Justin Zarb, our managers, for the support along the way!

Saurabh Bansal and Issa Khoury from the Universal Print team

Lavanya Lakshman from the AI – Copilot for Security team

Adam Nichols from the Windows Autopatch/Windows Servicing and Delivery team

Matt Call from the Microsoft Intune – Security team

We are also grateful to work at Microsoft, which supported us while writing this book. #CommunityLove

Contributors

About the authors

Christiaan Brinkhoff works as a Principal Program Manager and Community Director for Windows 365 and AVD at Microsoft. In his role at Microsoft, he works on features such as the Windows 365 app, Switch, and Boot, and lately he has also worked on Offline mode and the new Windows 10 ESU offering for Windows 365. Christiaan is also the author of 4 books and an inventor (with 4 patents). His mission is to drive innovation while bringing Windows 365, Windows, and Microsoft Intune closer together, and also drive community efforts around virtualization to empower Microsoft customers in leveraging new cloud virtualization scenarios. Christiaan joined Microsoft in 2018 as part of the FSLogix acquisition. He has also been awarded the Microsoft MVP, Citrix CTP, and VMware Expert community achievements for his continued support in the EUC community.

Per Larsen works as a Senior Product Manager in Customer Experience Engineering (CxE) – Microsoft Security Engineering. He plays a very crucial role in Microsoft in shaping and enhancing the product experience for customers. Per’s focus is on driving strategy and roadmap conversations with Microsoft’s most strategic customers. He also focuses heavily on driving insights and analyzing customer needs relating to security admin experience and Intune Suite product feedback.

Per is a frequent speaker at public events, conferences, and user groups on cloud-native Windows management.

He has also authored the book Mastering Microsoft Endpoint Manager: Deploy and manage Windows 10, Windows 11, and Windows 365 on both physical and cloud PCs.

Per joined Microsoft in 2019 working directly with the Intune engineering team. Prior to joining Microsoft, Per had more than 20 years of experience with device management. He has also been awarded Microsoft MVP thrice for all the exceptional community work he has done.

About the reviewers

Niall Brady is a blogger and an occasional speaker who focuses on step-by-step guides and videos for Windows 365, Intune, ConfigMgr, and more.

Niall is a 13-times Microsoft MVP (Enterprise Mobility, Windows, and Devices) based in Sweden but originally from Ireland. Niall has contributed toward several books on Configuration Manager and Intune and has even had his own book published (The Windows-noob OSD Guides for Configuration Manager 2012 R2).

Paul Winstanley is a 7-times Enterprise Mobility MVP who has 30 years of IT experience. He’s spent the last 15 years specializing in endpoint management via Microsoft Configuration Manager and Microsoft Intune.

Paul is an independent consultant with his own endpoint management company, SCCM Solutions Ltd, which celebrated its tenth-anniversary last year, and works with customers all over the globe.

He blogs on his SCCMentor website, sharing his knowledge of Intune, Configuration Manager, Windows, MDM, and security, and is active on X, formerly known as Twitter, as @sccmentor.

Originally from Barnsley, in the North of England, he’s lived in London for the past 30 years with his wife, four children, and brother-in-law.

Peter Daalmans is a Principal Workplace Architect and a Microsoft Certified Trainer at Daalmans Consulting B.V. with a primary focus on the modern management of Windows and mobile devices. He has been awarded Microsoft Security MVP (Configuration Manager/Microsoft Intune) every year since 2012.

He also writes blogs to share his knowledge on MSIntune.blog. Peter is also one of the founders and leads of the Workplace Ninja User Group, Netherlands. Along with that, he is also a part of the organizing team and the speaker manager of the Workplace Ninja Summit.

He has authored several books on Microsoft Configuration Manager and Microsoft Intune.

Peter speaks at local and international events, conferences like Microsoft Ignite, Microsoft TechEd (Australia/New Zealand), IT/Dev Connections, TechMentor, Techorama Belgium, Midwest Management Summit (MMS), BriForum (London, Denver, and Boston), TechDays Netherlands, and Experts Live Netherlands.

Learn more on Discord

To join the Discord community for this book – where you can share feedback, ask questions to the author, and learn about new releases – follow the QR code below:

https://packt.link/SecNet

Contents

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Understanding the Basics

Introduction to Microsoft 365

Microsoft 365 cloud services

What do these services achieve?

Microsoft Intune

Intune Suite

AVD

Windows 365

AVD and Windows 365 – what are the differences?

Components that Microsoft manages and the customer manages

Windows 11

Windows Copilot

Security Copilot

Intune Copilot

Productivity Score

Endpoint analytics

Microsoft 365 Apps (for Enterprise)

OneDrive for Business (part of Microsoft 365 Apps)

Microsoft Teams

Microsoft Edge

Universal Print

Microsoft Defender for Endpoint

Exchange Online

SharePoint Online

Summary

Questions

Answers

Further reading

Cloud-Native Endpoints

Paths to cloud native

Microsoft Intune

Intune admin center portal

Microsoft 365 admin center portal

Intune Partner portals

Surface Management Portal

HP Connect

Windows 365

Microsoft Entra ID

Cloud Management Gateway

Compliance policies

Windows Update policies

Resource access policies

Endpoint protection

Device configuration

Office Click-to-Run apps

Client apps

Microsoft Intune – from on-premises to the cloud

Exploring Windows 11 Enterprise in detail

Windows subscription activation

Windows Autopatch

Windows as a Service – update release cycle

WUfB

Who should use WUfB (now Autopatch)?

Why do you want to leverage WUfB?

What does WUfB allow me to configure?

What is the WUfB deployment service?

BYOD

What is zero trust?

Verifying identity

Verifying devices

Windows 365 for non-managed endpoints

Summary

Questions

Answers

Further reading

Requirements for Microsoft Intune

Endpoint scenarios

Identity roles and privileges for Microsoft Intune

Using Intune filters when assigning

Compliance Administrator

Compliance Data Administrator

Intune Administrator

Message Center Reader

Security Administrator

Security Operator

Security Reader

Identity roles and privileges for a Windows 365 Cloud PC

Azure Subscription Owner

Domain Administrator

Identity roles and privileges for Universal Print

Licensing requirements

Supported OSes

Required web browser versions

Windows 11 hardware requirements

How do you get Windows 11?

Intune Administrator Licensing

Entra group-based licensing

Setting the mobile device management authority

Enabling Windows automatic enrollment

Using Azure Virtual Desktop with Microsoft Intune

Microsoft Intune device restrictions for Windows

Blocking personal Windows devices

Microsoft Intune device limit restrictions for Windows

Customizing Intune Company Portal apps, the Company Portal website, and the Intune app

Microsoft Intune – network URL firewall requirements

Access for managed devices

Network requirements for PowerShell scripts and Win32 apps

Microsoft Store endpoint URLs

Windows 365 endpoint URLs

Windows Push Notification Services – required URLs

Windows 365 and Azure Virtual Desktop – required URLs

Universal Print – required URLs

Delivery Optimization

Summary

Questions

Answers

Further reading

Windows 365

What Is Windows 365?

What is Windows 365?

Removing the complexity of traditional VDI deployments

What to think about as a VDI administrator

Removing complexity while increasing security

Low costs as a fixed-price model

The transition to modern management with Microsoft Intune

Windows 10 ESUs

Comparing Windows 365 Enterprise and Business

What is Windows 365 Frontline?

What is Windows 365 Government?

Microsoft Intune

High-level architecture components and responsibilities

Configuration Manager support

Co-management and Windows 365

Disaster recovery

Sizes and performance of fixed-price licenses

GPU-Enhanced Cloud PCs

Connect to your on-premises network

Provisioning policies

Windows 365 – gallery images

Custom images

Windows Updates via Autopatch

Roles and delegation

The Watchdog service

Optimized Teams on Windows 365

Screen capture protection and watermarking

Migrate GPOs to a Settings Catalog policy

Summary

Questions

Answers

Further reading

Deploying Windows 365

Technical requirements for deploying Windows 365

Required URLs

RDP requirements and optimizations

Connect to on-premises networks (optional)

Purchasing and assigning Cloud PC licenses

Provision a Cloud PC

Image management – creating a custom image (optional)

Reprovisioning a Cloud PC

Local administrator permissions

Security baselines for a Cloud PC

Zero Trust: Conditional Access management for Cloud PCs

Connecting to your Cloud PC

Windows App

Deploy Windows App via Intune

Windows App – User Actions

Bulk User Actions via Intune

Supported redirections per endpoint platform

Windows 365 Boot shared mode

Windows 365 Boot dedicated mode

What if you have multiple Cloud PCs?

Battery status redirection

Windows 365 Switch

Resize Cloud PCs

Bulk device actions

Monitoring and analytics

Intune Suite – Endpoint Privilege Management

Intune Suite – Enterprise App Management

Intune Suite – Remote Help

Want to dive deeper into Windows 365?

Summary

Questions

Answers

Further reading

Mastering Microsoft Intune

Windows Deployment and Management

Deploying existing Windows devices into Microsoft Intune

Enrolling devices – Windows enrollment

Automatic enrollment

Testing company domain CNAME registration for Windows enrollment

Enrollment Status Page

Enrollment notifications

Windows Autopilot

What about existing infrastructure?

Co-management and tenant attach

Co-management settings

Windows Update for Business

Types of updates managed by Windows Update for Business

Enforcing compliance deadlines for updates

How to handle conflicting or legacy policies

How to set up and configure Windows Update for Business

Safeguard holds

Feature updates for Windows 10 and later

Opting out of safeguard holds

Expediting a Windows patch

The Windows Insider Program for Business

Updating Microsoft 365 apps

Windows Autopatch

Windows Autopatch requirements

How to enable Windows Autopatch

Optimizing Windows Update rings

Enabling Windows Autopatch for Cloud PCs

Summary

Questions

Answers

Further reading

Windows Autopilot

Technical requirements

Windows Autopilot overview

Uploading the hardware ID to Windows Autopilot

Where is Windows Autopilot device information stored?

Windows Autopilot for existing devices

Windows updates during the OOBE

Auto-assigning Windows Autopilot profiles in Intune

Signing in to Graph Explorer

Enrollment Status Page (ESP)

ESP implementation – Windows CSP

Autopilot reporting and diagnostics

Company Portal

Configuring automatic BitLocker encryption for Autopilot devices

Troubleshooting automatic BitLocker encryption on a VM

Windows Hello for Business

Cloud configuration scenario

Introduction

What you will need to continue

Basics

Resources to be created

Apps

Assignments

Deploying

Deploying essentials that users might need to access work or school resources

Monitoring your cloud configuration devices

SharedPC self-deployment scenario

Creating a specific ESP for the SharedPC device

Creating a Windows Autopilot profile

Self-Deploying (preview)

Creating a custom Windows profile to disable user ESP

Creating a custom Windows 10 profile to disable FirstLogonAnimation

Creating a Windows template SharedPC profile

SharedPC technical reference

Troubleshooting SharedPC

Windows Autopilot Reset

Wiping and resetting your devices

Fresh Start

Windows Recovery Environment

Summary

Questions

Answers

Further reading

Application Management and Delivery

Application delivery via Microsoft Intune

Different application types you can deploy

LOB applications

MSI – via the LOB app

MSIX – via the LOB app

AppX – via the LOB app

IntuneWin – via the Windows app (Win32)

Supersedence mode

Deploying Microsoft 365 apps

Update channels

Office Customization Tool

Microsoft 365 Apps admin center

Getting started

Device selection criteria

Update exclusion dates

Update deadline

Microsoft 365 app customization

Deploying Microsoft Teams

Deploying OneDrive

Deploying Microsoft Edge

What is WinGet?

What is MSIX?

AppxManifest.xml

AppxBlockMap.xml

AppxSignature.p7x

How to create MSIX packages

Pushing the MSIX package application to your endpoints

Summary

Questions

Answers

Further reading

Understanding Policy Management

Policy management

What is a CSP policy?

Windows Push Notification Service (WNS)

Getting started with policy design

Migrating existing policies from AD – Group Policy management

Summary

Questions

Answers

Further reading

Advanced Policy Management

Policy management

Configuring a policy from the Microsoft Intune Security blade

Configuring your Endpoint Security profile

Microsoft Defender policy

Antivirus reporting in Endpoint security

Unhealthy endpoints

Attack surface reduction

Configuring a policy from the Settings catalog

How do they work?

Importing ADMX

Configuring administrative templates

OneDrive Known Folder Move configuration

OneDrive – block syncing specific file extensions

Configure device configuration (template)

Leveraging a custom policy as a last resort

Config Refresh

Pushing PowerShell scripts – scripted actions to endpoints

Multi admin approval

Compliance policies

Windows compliance policy

Organizational compliance report

Device compliance trends

Device diagnostics settings

Summary

Questions

Answers

Further reading

Intune Suite

What is Intune Suite?

Prerequisites

How to get started with Intune Suite

Specialty Device Management

Endpoint Privileged Management

How to configure EPM

How to onboard devices to EPM

Reusable settings

Creating an EPM elevation rules policy

Monitoring EPM events

Elevation report

Managed elevation report

Elevation report by applications

Elevation report by Publisher

Elevation report by User

EPM Agent

How do you get your users’ account type to Standard?

Configure policy for standard user

End user process

Enterprise App Management

Installing applications via Enterprise App Management

What about enhanced application updates?

Cloud certificate management (Cloud PKI)

How does the process work?

Two-tier PKI hierarchy

Certificate Revocation

Ensuring trust and authentication:

Reasons for certificate revocation:

Practical scenarios:

Remote Help for Windows

How to enable Remote Help

Configuring Remote Help in Intune

How does Remote Help look from an end user’s perspective?

How do you remotely access a managed device?

Remote Help Windows Firewall setup

Conditional Access for Remote Help

How to use Remote Help as an end user and as a ServiceDesk user

Advanced Endpoint Analytics

Device query

Battery health

Why Windows 365 and Intune Suite are a great combination

Summary

Questions

Answers

Further reading

Copilot/AI

The future of AI in Windows and Intune

Copilot in Windows

What can you use Windows Copilot for?

Direct instructions

Questions

Security Copilot (Device Management)

Intune policy generation via Security Copilot

Copilot assistant for Intune device queries

Troubleshooting Intune via Security Copilot

Troubleshooting

Summary

Questions

Answers

Further reading

Identity and Security Management

Microsoft Identity

Entra ID

Entra ID join

Hybrid Entra ID join

Entra ID users

Entra ID guest users

Entra ID group types

Entra ID group membership types

Conditional Access

What is it?

What are the common signals?

What are the common decisions?

Users and groups

Cloud apps

Conditions

Grant

Preventing users from carrying out Entra ID device registration

Self-service Password Reset

Entra ID password protection

Passwordless authentication

Enabling passwordless authentication

What is and isn’t supported in each passwordless scenario

Passkeys

How do passkeys work?

How does it relate to passwords?

How to enable passkeys

Manage your passkeys

Web sign-in

BitLocker disk encryption

BitLocker recovery keys

Personal Data Encryption

Windows Local Administrator Password Solution

Application Control for Business

Microsoft Defender for Endpoint

Integration with Microsoft Intune

Security baselines

Compliance policies

Windows 365 security baselines

Microsoft Defender for Endpoint

Connecting to Intune – Microsoft Intune integration

Alerts and security assessments

Security recommendations

Defender keylogger protection

Windows 365: customer-managed keys support for data encryption

Screen capture protection and watermarking

Summary

Questions

Answers

Further reading

Monitoring and Endpoint Analytics

Endpoint analytics

Cloud PC overview

Cloud attached devices (preview)

Endpoint analytics – Advanced Monitoring

Startup performance – logon duration

Performance score breakdown

Resize cloud PCs

Top 10 processes impacting Startup performance

OS restart history

Resource performance

Insights and recommendations – score trends

Application reliability

Windows 365-specific metrics

Insights and recommendations

Configuration Manager data collection

Customizing your baselines

Remediations

Windows 365 Frontline

Azure Monitor integration

System alerts and email notifications

Configure notifications for failed provisioning of cloud PCs

Service health

Advanced Endpoint analytics

ControlUp Enrich

Summary

Questions

Answers

Further reading

Universal Print

What is Universal Print?

Universal Print – architecture overview

Print clients – Universal Print for Windows

Print clients – Universal Print for Mac

Print clients – Web applications and print APIs

Printers – Universal Print ready printers

Printers – Universal Print connector

Printer shares

Printer defaults

Is Universal Print secure and where does my printed data go?

Data Residency

Data security

Compliance and certifications

Printer share access check

Secure release

Universal Print – requirements

End user requirements

Admin requirements for managing Universal Print

Managing print requirements

Universal Print – requirements

Network requirements

Commercial cloud

US government GCC cloud

US government GCC-High cloud

Network isolation and zero-trust

Learning how to deploy Universal Print

Printer management – custom roles

Connecting your existing printer to Universal Print

Configuring Universal Print

Log in to the Universal Print admin portal

Register a Universal Print ready printer

Register printer(s) with the Universal Print connector

Enable hybrid Entra ID configuration via the Universal Print connector

Create a printer share for the printer

Test your Universal Print printer and printer share

Assigning and deploying cloud printers with Microsoft Intune

Summary

Questions

Answers

Further reading

Troubleshooting and Community

Troubleshooting Microsoft Intune

Troubleshooting Windows 365

Community Help

Community hall of fame

CAUTION!

Community events to participate in!

MMS – Minnesota and Fort Lauderdale

MEM Summit – Paris

Workplace Ninja Summit – Europe

Windows 365 Community

Windows in the Cloud – video webcast

Summary

Other Books You May Enjoy

Index


Preface

The slow adoption of modern work solutions, which are designed to streamline the management of your environment, can often be attributed to a lack of understanding and familiarity with the product. This book will provide you with all the information you need to successfully transition to Microsoft Intune.

Mastering Microsoft Intune explains various concepts in detail to give you the clarity to plan how to use Microsoft Intune and eliminate potential migration challenges beforehand. You’ll get to master Cloud Computing services such as Windows 365 Cloud PC, the Intune Suite, Windows Autopatch, Windows Autopilot, Profile Management, Monitoring and Analytics, Universal Print, and much more!

The book will take you through the latest features and new Microsoft cloud services to help you to get to grips with the fundamentals of Intune and understand which services you can manage. Whether you need familiarity with physical or cloud endpoints, it’s all covered.

By the end of the book, you’ll be able to set up Intune and use it to run Windows and Windows 365 efficiently via Intune with all the latest features included!

What you will learn:

Simplify the deployment of Windows in the cloud with Windows 365 Cloud PC.

Deliver next-generation security features with the Intune Suite.

Simplify Windows updates with Windows Autopatch.

Configure advanced policy management within Intune.

Discover modern profile management and migration options for physical and cloud PCs.

Harden security with baseline settings and other security best practices.

Find troubleshooting tips and tricks for Intune, Windows 365 Cloud PC, and more.

Discover deployment best practices for physical and cloud-managed endpoints.

Keep up with the Microsoft community and discover a list of MVPs to follow.

Who this book is for

If you are an IT professional, enterprise mobility administrator, architect, or consultant looking to learn about managing Windows on both physical and cloud endpoints for remote working via Intune, this book is for you.

What this book covers

Chapter 1, Introduction to Microsoft 365, teaches you about keeping your resources secure while leveraging other services within Microsoft 365’s broader product suite. Understanding the fundamentals of a product is the most important factor for a successful deployment.

Chapter 2, Cloud-Native Endpoints, acknowledges that the basics of modern management are sometimes complicated to understand. You will learn about the concept of modern management and zero trust with Intune, its history, and the architectural concept, to get a clear understanding of how all devices, whether physical, virtual, or mobile, come together in one management console.

Chapter 3, Requirements for Microsoft Intune, provides a clear understanding of the different requirements for Intune, from OS versions and URL firewall allow-listing to the required licenses and privileges.

Chapter 4, What is Windows 365?, teaches you everything you need to know to get started with this Microsoft cloud service and its latest new features such as Windows 365 Boot and Switch, which simplify deployment as well as your cloud PC maintenance with Intune.

Chapter 5, Deploying Windows 365, teaches you everything you need to know about how to deploy Windows 365, what the requirements are, and tips and tricks.

Chapter 6, Windows Deployment and Management, teaches you about deploying Windows Enterprise with Intune.

Chapter 7, Windows Autopilot, teaches you how and when to use Autopilot to enroll Windows on your physical endpoint devices. What are the recommended approaches and decisions to make beforehand? You will get to know all of this in this chapter.

Chapter 8, Application Management and Delivery, teaches you best practices to deploy and manage your Microsoft 365 and line-of-business applications on your Windows 10 endpoints.

Chapter 9, Understanding Policy Management, teaches you about the different policy types, what modern policy management means, and how it works on Windows 10/11 clients compared to Group Policy.

Chapter 10, Advanced Policy Management, in extension to the previous chapter, will take a deeper look at policy management for Windows 10/11 and share the nuts and bolts of managing Windows and other tips and tricks.

Chapter 11, Intune Suite, teaches you about the new Intune Suite products in depth and what all the modules such as Endpoint Privilege Management (EPM), Enterprise App Management, Advanced Analytics, and Remote Help mean for you from both a business and technical perspective.

Chapter 12, Copilot/AI, teaches you about Microsoft’s latest new generative AI functionalities for both Windows and Microsoft Intune via the Windows and Security Copilot integrations.

Chapter 13, Identity and Security Management, teaches you how to configure Azure Active Directory in the most secure way possible for your end users and IT department. You will learn what the different options to enable Azure MFA are, about BitLocker, and how to configure Microsoft Defender for Endpoint with end-to-end security-level integration in Intune.

Chapter 14, Monitoring and Endpoint Analytics, looks at how, after deploying your desktops, it’s important to ensure the performance, logon duration segmentation, and quality level of Windows and applications. You will learn, in this chapter, how you can achieve this with Endpoint Analytics, Productivity Score, and other monitoring capabilities of Intune.

Chapter 15, Universal Print, looks at Universal Print and how, despite businesses doing more and more things in a digital way, printing on physical paper remains important. Universal Print is a relatively new platform service on Azure that can simplify the whole printing configuration and maintenance process compared to a traditional print server environment.

Chapter 16, Troubleshooting Microsoft Intune (Bonus Chapter – Online Content), teaches the most common causes of, and fixes for, problems when deploying Windows 10 Enterprise, along with other tips and tricks to help deployments go smoothly. Both writers have over 2 decades of field experience in deploying Windows in many forms, which they share in this section.

Chapter 17, Troubleshooting Windows 365 (Bonus Chapter – Online Content), teaches you about all the different troubleshooting errors of Windows 365 Cloud PC to prepare you to respond proactively to any errors that could occur while deploying cloud PCs in your environment.

Chapter 18, Community Help, draws on the writers' strong community background to share some of the best community events with Microsoft MVPs and some of the best community blogs out there; some are written by beginners, while some are by Microsoft MVPs.

To get the most out of this book

In order to get the most out of this book, it would be good to have a base-level understanding of Intune, Azure, Microsoft 365 cloud services, and so on. This is not required, however, as you’ll learn all you need to know in this book!

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/gbp/9781835468517.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Enter Device type restriction – HR as the name.”

A block of code is set as follows:

<?xml version="1.0"?><HardwareReport><HardwareInventory><p n="ToolVersion" v="3" /><p n="HardwareInventoryVersion" v="131" />

Any command-line input or output is written as follows and is indicated as a command-line command in the main body of the text:

msiexec /i "RemoteDesktop_1.2.1755.0_x64.msi" /qn ALLUSERS=2 MSIINSTALLPERUSER=1

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Go to Tenant admin | Roles | Administrator Licensing.”

Warnings or important notes appear like this.

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at customercare@packtpub.com and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you’ve read Mastering Microsoft Intune, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781835468517

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Section I

Understanding the Basics

In this section, you will learn the fundamentals of the different Microsoft 365 services, what the benefits are, and how they are different in comparison to other technologies and services on the market.

This part of the book comprises the following chapters:

Chapter 1, Introduction to Microsoft 365

Chapter 2, Cloud-Native Endpoints

Chapter 3, Requirements for Microsoft Intune

1

Introduction to Microsoft 365

Understanding the fundamentals of a product is the most important thing for a successful deployment. Keeping your resources secure while leveraging other services within the Microsoft 365 product suite is what you will learn about in this chapter.

In this chapter, we’ll go through the following topics:

Microsoft 365 cloud services

Microsoft Intune

Intune Suite

Azure Virtual Desktop (AVD) and Windows 365

Windows 11

Windows Copilot

Security Copilot

Endpoint analytics

Productivity Score

Universal Print

Microsoft Defender for Endpoint

Microsoft Teams

Edge

Exchange Online

SharePoint Online

Microsoft 365 cloud services

Microsoft 365 cloud services (hereafter referred to as Microsoft 365) includes many services that you might use in your day job, whether as an IT professional or a non-technical user. These services help you to become more productive by simplifying tasks that would require a lot of work in on-premises environments.

A great example would be the shift we’ve made from Exchange Server to Exchange Online and of course now the shift of Windows to Windows 365, which is Microsoft’s latest cloud service that allows enterprises and small businesses to leverage the power of Azure computing in Windows to improve the performance, scalability, and productivity of users across any device, any platform!

What do these services achieve?

In this introductory section of the book, we will briefly explain the core Microsoft 365 services and features that are relevant to the subject of this book, just to get a good baseline understanding of the differences between the various services. You’ll also learn about the purpose and benefits of each service.

Microsoft Intune

Microsoft Intune is a family of products and services that helps businesses manage and maintain all their devices, regardless of whether it’s a physical device, or a cloud-connected device endpoint.

The Intune family includes:

Microsoft Intune

Configuration Manager and co-management

Endpoint analytics

Windows Autopilot

Intune admin center

Intune Suite

Microsoft Intune provides a holistic management experience while adding new functionality and intelligent actions, such as anomaly detection in Advanced Endpoint Analytics and remediation scripts that can proactively resolve end user issues before they see an issue – without any complex migration or disruption of productivity.

It provides several assets to aid your transition to modern management while also increasing customers’ security and helping them move to the cloud. Microsoft Intune also includes management capabilities for different endpoints. To summarize:

Windows

Android

Linux

macOS

iPadOS

The figure below explains all the management features Microsoft Intune delivers:

Figure 1.1: Microsoft Intune – service portfolio

Microsoft Intune helps you manage physical and Cloud PC endpoints, laptops, tablets, and other mobile devices, including iOS, Android, and macOS devices.

Microsoft Intune is built on Entra ID (formerly known as Azure Active Directory) as the identity store for users and user/device groups; this also means that Intune relies 100% on Entra ID. It replaces the traditional Active Directory, includes hybrid identity capabilities, and can also integrate with local management infrastructures such as Configuration Manager via Kerberos.

Intune is applicable for devices that don’t fall in the management scope of Group Policy, such as mobile phones, devices that are not Active Directory Domain Services (AD DS) domain members, or Windows 11 devices that are joined to Entra ID:

Figure 1.2: Microsoft Intune – admin center

With Microsoft Intune, you can achieve the following:

Let your organization’s employees use their physical and Cloud PC endpoint devices to access organizational data (commonly known as Bring Your Own Device (BYOD)).

Manage organization-owned phones.

Control access to Microsoft 365 from unmanaged devices, such as public kiosks and mobile devices.

Help ensure that devices and apps that do connect to corporate data comply with security policies.

For example, when a user attempts to open one of their Line-of-Business (LOB) apps on their phone or Windows endpoint, Microsoft 365 checks with Entra ID to authenticate the user and verify whether that user can access the data from that app on that device. The granting of access depends on the following:

Conditional Access policies defined within Entra ID

Whether the app on that device complies with app configuration and data protection policies (Intune will confirm this for Entra ID)

If the device and app are both compliant with all applicable policies, Entra ID tells Microsoft 365 that the data can be accessed.

This concludes the Intune section; next, we will go into the new Microsoft Intune Suite.

Intune Suite

The Microsoft Intune Suite is a comprehensive new add-on platform to the Intune core service that consolidates critical advanced endpoint management and security solutions. Its design aims to streamline the customer’s experience in managing endpoints, enhance their security stance, and deliver superior user experiences.

The Microsoft Intune Suite offers several key features:

It deeply integrates with Microsoft Security and Microsoft 365.

It equips IT and security teams with data science and AI tools to boost automation.

It addresses challenges related to endpoint management, such as application packaging and certificate management, and security issues such as end users being local administrators.

The suite’s functionalities are integrated with Microsoft 365 and Microsoft Security across endpoint platforms, catering to both cloud and on-premises co-managed devices. The Intune Suite encompasses Remote Help (standalone) and all features included in Intune Plan 2.

AVD

AVD is a Microsoft-managed platform-as-a-service offering on top of the Microsoft Azure cloud. Unlike traditional Virtual Desktop Infrastructure (VDI) deployments, all hardware and all the infrastructure services, such as brokering, web access, load balancing, management, and monitoring, are all set up for you as part of a control plane offering. However, you would still need to configure them yourself on Azure, which means that there is a need for both Azure and VDI expertise in your business. This is where Windows 365 is different, as every Modern Desktop IT admin would be able to manage and maintain Cloud PCs – without the need for VDI and Azure expertise.

This concludes the section on AVD. In the next section, we will cover Windows 365.

Windows 365

Windows 365 is the world’s first Cloud PC service that’s designed for your hybrid work needs. Windows 365 is a new cloud service from Microsoft that securely streams your personalized Windows desktop, apps, and content from the Microsoft cloud (Microsoft Azure) to any device, anywhere. Windows 365 uses all the familiar security features implemented for physical Windows PCs to Cloud PCs to ensure safe and secure streaming. It is a revolutionary technology where both the IT admin and end user experiences are fundamentally different from traditional VDI and Cloud VDI. It combines the best of Windows, Azure, and Microsoft 365 to deliver simplified IT and modern end user experiences – providing an easy onramp for both existing and new customers.

A Cloud PC is the end user’s own personal computer in the cloud that’s optimized, scalable, and has high availability, all with a familiar Windows desktop experience. It’s hosted in the Windows 365 service and is accessible from anywhere, on any device. A Cloud PC signifies the transformation of Windows from a device-centric Operating System (OS) to a hybrid personalized computing platform.

This means that you can burst your resources to the cloud via our Azure compute backend data centers without the need to configure it yourself! This shift of Windows into a blend of local and cloud OS opens up new opportunities for organizations of all scales via the CPU, GPU, and NPU for Artificial Intelligence (AI)-based workloads. With Windows 365, Windows becomes a dual local and cloud OS. Organizations have the liberty to decide whether a traditional PC with a locally installed OS or a Cloud PC with a cloud-based OS is more suitable for a specific user or role. In certain scenarios, a user might find it advantageous to have both a local and cloud OS, selecting the appropriate one for the task at hand.

Windows 365 is suitable for organizations of all sizes that need highly secure and agile hybrid work solutions. These are valuable for elastic workforces, distributed employees, and specialized workloads that require versatile compute and storage capabilities, accessible on any device. IT administrators can swiftly scale and resize Cloud PCs to meet the changing needs of their users and have the compute power and storage they need, with predictable costs. As an example, if a user in finance gets a new application that needs more compute power (CPU), then the IT admin can resize the Cloud PC for the user. Hybrid work use cases that can be supported effectively with Windows 365 include:

Data access and security across devices, locations

High-capacity computing

Bring Your Own PC (BYOPC) environments

Disaster preparedness and recovery

Temporary workforces

Mergers and acquisitions

AVD and Windows 365 – what are the differences?

Windows 365 is engineered for ease of use, enabling customers to enjoy the advantages of personalized Cloud PCs without the need for VDI or Azure expertise. It offers a predictable pricing model based on per-user and per-month charges, simplifying cost management. Windows 365 is ideal for customers who are not heavily invested in VDI or lack virtualization expertise/resources, or for those who want to simplify their VDI infrastructure and prefer a fixed-cost, as-a-service model.

On the other hand, AVD is built for optimal flexibility. It offers a highly adaptable option for organizations with virtualization experience. Its usage-based pricing model is well suited for low-usage scenarios where customers can minimize costs by only paying for what they use. It also supports remote app streaming, multi-session virtual machines, and extensive customization.

| Cloud PC – Windows 365 | Cloud VDI – AVD |
| --- | --- |
| Optimized for experience | Optimized for flexibility |
| Windows 10 or Windows 11 personalized desktop | Windows 10, Windows 11, or Windows Server multi-session or personal desktops |
| Complete end-to-end Microsoft service | Remote app streaming |
| Windows 365 Boot and Switch | Not available |
| Requires Modern Desktop knowledge | Requires VDI and Azure infra knowledge |
| One-stop administration in Microsoft Intune (Enterprise edition) | Full control over configuration and management via Azure portal |
| Direct self-service model (Business edition) | Citrix and VMware support |
| Predictable per-user pricing | Pay for what you use |

Table 1.1: Windows 365 and AVD differences

Components that Microsoft manages and the customer manages

Microsoft has done a great job with Windows 365 by simplifying the creation of Cloud PCs for users. Both the IT management and end user experience are very simple to learn and use. Getting started deploying Cloud PCs can be achieved in just a few clicks and the scalability is very powerful. Even though the Windows 365 service is almost a Plug and Play solution, there are a few things you as an organization must manage yourself; you still need to manage applications, settings, and security policies on your Windows 365 devices.

Depending on your domain and network configuration, you can either go full cloud with Entra ID (formerly known as Azure AD) together with hosted networks or go for hybrid Entra ID. The table below helps you clarify the level of responsibility per service component. We also added AVD as a comparison on the right side to help reflect the differences.

Figure 1.3: Service responsibilities

This concludes the section on Windows 365 and AVD. In the next section, we will cover Windows 11 Enterprise.

Windows 11

Windows 11 Enterprise is one of the primary components of your Microsoft 365 subscription. Windows 11 meets the needs of large and midsize organizations, providing users and organizations with the tools, services, and support to enhance their personal and organizational productivity.

Windows 11 also supports collaboration through Microsoft 365 apps, Microsoft Teams, Microsoft Whiteboard, and OneNote.

Windows 11 helps improve productivity by providing faster, safer ways to get work done across all your users’ devices, by having some security feature defaults turned on, like Credential Guard. Windows 11 has hardware options ranging from Surface Hub to the new always-connected PCs. These options support users wherever they need or prefer to work. Users can move from one device to another with Continue on PC in Microsoft Edge or take notes directly on a web page with Microsoft Ink. Windows 11 also comes with a robust set of accessibility features, such as a narrator, word prediction, and eye control.

Windows 11 includes tools to help you customize device setup, manage all your devices, and control corporate identities, data, and apps on personal devices without impacting personal data. You can maximize security and productivity by staying current with Windows 11. The way to update Windows has changed completely. Major upgrades that previously happened every few years have now changed to updates that happen twice a year. Windows as a service, the model for Windows 11, provides the flexibility and control needed to manage and distribute updates using your current method or by using Microsoft’s infrastructure.

Windows 11 protects, detects, and automatically responds to the most advanced malware and hacking threats while protecting user identities, devices, and your organization’s information. Windows 11 investigates threats as they evolve and automates remediation to make response times faster, thanks to Intelligent Security Graph (which uses security intelligence, machine learning, and behavioral analytics). These security solutions are built-in and provide you with full security life cycle management for Endpoint Protection (EP) and Endpoint Detection and Response (EDR).

It also integrates with other Microsoft 365 services, which cover even the most complex multi-platform environments:

Threat protection: Windows 11 threat protection includes next-generation malware and hacking defense to help protect against threats, including zero-day attacks. It provides a hardened platform that can help prevent encounters, isolate threats, and prevent the execution of malicious apps and content. Windows 11 can detect and respond to the most advanced threats and automatically remediate them.

Identity access: Windows 11 protects user identities against pass-the-hash and pass-the-ticket attacks by helping you move to a world without passwords. Windows Hello For Business is a biometric authentication tool that strengthens authentication and helps guard against potential spoofing.

Information Protection: Windows 11 makes it easy to protect data – whether that data is at rest or in use. Windows Information Protection helps protect sensitive information against leaks. When you combine Windows 11 with Microsoft Purview Information Protection and Microsoft 365, you get a sophisticated solution that meets the highest requirements for data loss prevention with minimal input.

Windows 11 is the next evolutionary phase of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers a lot of innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today’s hybrid work environment and is intended to be the most secure, reliable, connected, and performant Windows operating system ever.

Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. But Windows 11 has some new hardware requirements: the device needs system firmware that runs Unified Extensible Firmware Interface (UEFI), Secure Boot, and a Trusted Platform Module (TPM) 2.0, which is also recommended on Windows 10 to enable many built-in Windows security features.

Windows 11 also provides unique hybrid remote work capabilities with Windows 365, such as the new Windows 365 Boot and Switch features that allow a user to connect to their Cloud PC from either the Windows 11 logon screen or via the Windows 11 Task View feature; more about that later in the book.

Windows 11 is Zero Trust ready and secure by design, with new built-in security technologies that will add protection from the chip to the cloud, while enabling productivity and new experiences. Key security features such as encryption, hardware-based isolation, and malware prevention are turned on by default. Going passwordless has also been made easier by simplifying the steps to deploy Windows Hello for Business.

Windows 11 Enterprise is secure by default, with advanced protection against modern security threats. It also includes virtualization-based security and hypervisor-protected code integrity, which is turned on by default (on newly installed Windows 11 devices).

To address the need for hybrid working in the market right now, location shouldn’t matter. Addressing the new how, when, and where we work demands simplicity and security changes in the Windows operating system as well as the delivery of Windows in a simpler way – from the cloud with Windows 365:

Figure 1.4: Windows 11

You can have a highly secure and consistent experience for users, with all the necessary IT controls, that delivers updates in a non-disruptive way, combined with a new, modern look and feel – that’s the best way to describe what Windows 11 offers in a nutshell.

We will explain more about Windows 11 in Chapter 6, Windows Deployment and Management.

This concludes the section on Windows 11. In the next section, we will provide you with an overview of Windows Copilot.

Windows Copilot

Windows Copilot is your new assistant in Windows. It’s an AI assistant integrated into Windows 11 (and Windows 10). It aims to enhance productivity and creativity by providing real answers, inspiration, and solutions.

Here are the key features of Copilot:

Assistance and focus:

  Stay focused: Copilot helps you stay on track while performing tasks. It adjusts PC settings and organizes windows using Snap Assist, saving you time and improving efficiency.

  Task-oriented: Whether you’re adjusting settings or working online, Copilot assists you when needed.

  State-of-the-art tools: You can set Copilot aside when not required or launch it with a keystroke to access its powerful tools.

Answers and inspiration:

  Quick answers: Copilot provides relevant answers promptly and allows follow-up questions.

  Creative spark: Start your next project with ideas and information generated by Copilot. It can even create images from your concepts.

Other AI-powered features in Windows 11:

  Paint: Enhanced tools for photo editing and art creation.

  Photos app: Crop, erase, and adjust colors with ease.

  Photo Movie Editor: AI in Snipping Tool simplifies text copying and redaction from screenshots.

  Clipchamp: AI assists in editing footage for faster publishing.

  Smart App Control: Predicts safe app downloads.

  Windows Security: AI-powered tools for figuring things out and quick searches.

Windows Copilot combines seamlessly with Bing Chat and ChatGPT plugins, allowing you to stay in your flow without switching between apps. It’s like having a smart, helpful companion right within your Windows environment!

Figure 1.5: Windows Copilot with Bing Chat

This concludes the section on Windows Copilot. In the next section, we will give you an overview of Security Copilot.

Security Copilot

Security Copilot, a novel tool powered by OpenAI GPT, is offered as a cloud-based service to enhance the security of your Microsoft Security cloud services, including Microsoft Intune.

Security Copilot is designed to work with all Microsoft Security services. This encompasses Security Operations, Device Management, Identity Management, Data Protection and Compliance, and Cloud Security. In this book, we will concentrate on the application of Security Copilot for Device Management via Microsoft Intune. Learn more about it in Chapter 12, Copilot/AI!

Intune Copilot

Intune Copilot is a new OpenAI GPT-based tool offered as a cloud-based service to bolster the security of your Microsoft Security cloud services. Microsoft Copilot addresses this security-related query and illustrates how to utilize this innovative AI tool. It employs real-world examples to delve into how Security Copilot aims to disrupt conventional methods across diverse cybersecurity domains. You will learn more about Security Copilot in Chapter 11.

Figure 1.6: Security Copilot

This concludes the section on Copilot. In the next section, we will give you an overview of Productivity Score.

Productivity Score

The journey to digital transformation is supported by Productivity Score, which provides insights into how your organization uses Microsoft 365 and the technology experiences that support it. Your organization’s score reflects the effectiveness of your people’s work and technology and can be compared to benchmarks from organizations similar in size to yours.

Productivity Score provides the following:

Measurements that provide a clear picture of your progress on your digital transformation path

Data-driven insights that highlight opportunities to boost productivity and satisfaction within your organization

Steps you can implement to ensure efficient utilization of Microsoft 365 products in your organization

The following Productivity Score screenshot shows you the level of insights you get based on scoring metrics in the Microsoft 365 admin portal:

Figure 1.7: Adoption Score

Your Productivity Score is calculated from the aggregate scores of your people and technology experiences categories. Each category carries equal weight, contributing to a total of 100 points. The maximum achievable Productivity Score is 800.

Adoption Score incorporates Endpoint analytics as well. Your Endpoint analytics score evaluates the caliber of the technology experience you’re providing for your users and suggests ways to enhance it.

Figure 1.8: Endpoint analytics

This concludes the section on Productivity Score with the integration of Endpoint analytics, which you will get an overview of in the next section.

Endpoint analytics

Endpoint analytics is a service in your Intune tenant that provides you with data on the performance of your Windows devices that are managed by Microsoft Intune; this data is part of Productivity Score. Everything that is collected comes from measurements of how your business is working. For example, Endpoint analytics gives you insights into the boot time of your physical device, logon duration, and application startup time.


