MDM - Jeremy Moskowitz - E-Book


Jeremy Moskowitz

Description

The first major book on MDM, written by Group Policy and Enterprise Mobility MVP and renowned expert Jeremy Moskowitz! With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop (PCs, tablets, and phones) through the common Mobile Device Management (MDM) layer. MDM gives organizations a way to configure settings that achieve their administrative intent without exposing every possible setting. One benefit of MDM is that it enables organizations to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also lets organizations target Internet-connected devices and manage policy without Group Policy (GP), which requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go. With Microsoft making this shift to Mobile Device Management (MDM), a cloud-based policy-management system, IT professionals need to know how to do the tasks they do today with Group Policy using MDM instead, with its differences and pitfalls.

* What is MDM (and how is it different from GP)
* Set up Azure AD and MDM auto-enrollment
* New PC rollouts and remote refreshes: Autopilot and Configuration Designer
* Enterprise State Roaming and OneDrive Documents Roaming

Renowned expert and Microsoft Group Policy and Enterprise Mobility MVP Jeremy Moskowitz teaches you MDM fundamentals, essential troubleshooting techniques, and how to manage your enterprise desktops.

Page count: 623

Year of publication: 2019




MDM: Fundamentals, Security, and the Modern Desktop: Using Intune, Autopilot, and Azure to Manage, Deploy, and Secure Windows® 10

Jeremy Moskowitz

Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-56432-4
ISBN: 978-1-119-56434-8 (ebk.)
ISBN: 978-1-119-56427-0 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019943877

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows is a registered trademark of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

For all the strong women in my life.

Acknowledgments

I want to start out by thanking Cathy Moya from Microsoft, without whom this book would not be possible. Thank you so much for reaching out to help find the right people to help answer the tough questions and help me believe that this book was necessary and possible. Seriously, this book wouldn’t have existed without your help.

My next big thanks goes to Panu Saukko, Enterprise Mobility MVP, who did the very un-glamorous job as my Technical Editor and made sure I didn’t “make stuff up,” called me on all my crunchy areas, and added his own deep wisdom on the subject. You’re a strong, wise man, and I’m honored to have you by my side as my technical editor on this book. An additional tip of the hat goes to Yinghua (Sandy) Zeng, Enterprise Mobility MVP, who helped double-fact-check various items and helped me find the light in the dark on more than a few subjects. I cannot believe how much information and knowledge the two of you have in your heads.

Additional thanks to Stephen Rose for graciously providing the Foreword and reviewing the OneDrive content.

Thanks to full chapter reviewers and question answerers from Microsoft: Michael Niehaus, Mahyar Ghadiali, Ken Revels, Christian Refvik, Craig Marl, Aisha Wang, Dilip Radhakrishnan, Riki June, Peter Kaufman, Chris Hopkins, Jan Ketil Skanke, Joe Kim, Sreekar Mankala, and other friends and reviewers at Microsoft. Just … wow. Thank you so, so much for taking time out of your busy workdays to help me and make this book the best it could be.

Thanks to my “dream team” at Sybex: Elizabeth Campbell, Judy Flynn, Christine O’Connor, Kenyon Brown, and Pete Gaughan. You guys are the reason why quality wins out in the end.

Thanks to my wife and family for putting up with me missing some nights and weekends. And thanks to my awesome team at PolicyPak and MDMandGPanswers.com for bringing your A game every single day. I simply adore working with all of you.

Finally, if you’re holding this book (or reading it online), I want to thank you for taking a chance on learning something new, stretching to a new place, and putting your trust in me.

Thank you for buying the book, joining me at my live events and at MDMandGPanswers.com, and for using my PolicyPak software.

Meeting you in person is my favorite part of the job, and I look forward to hearing how this book has helped you out.

About the Author

Since becoming one of the world’s first MCSEs, Jeremy Moskowitz has performed Active Directory, Group Policy, and MDM planning and implementations for some of the nation’s largest organizations.

He is a 15-Year Microsoft MVP Awardee, first in Group Policy and Desktop Management, and now in Enterprise Mobility with an emphasis in Intune.

Jeremy is the founder of MDMandGPanswers.com and PolicyPak Software. Computerworld magazine ranked MDMandGPanswers.com as one of the 20 most useful Microsoft sites for IT professionals. EnterpriseMobilityExchange.com placed Jeremy (@jeremymoskowitz) on its list of the “7 Endpoint Management Voices on Twitter” for IT pros to follow on social media.

His other book from Sybex is Group Policy Fundamentals, Security, and Troubleshooting, Third Edition, which is on the desktops of admins everywhere.

Get signed copies of his books, and learn more about Jeremy’s Group Policy and MDM Master Class training at www.MDMandGPanswers.com. Learn more about how to secure your Desktop and applications, manage all areas of Windows 10, and deploy all Group Policy settings through your MDM service at www.policypak.com.

CONTENTS

Cover

Acknowledgments

About the Author

Foreword

Introduction

EMM and MDM Redefined

Terminology

What You’ll Need to Get Started with This Book

What I Won’t Be Covering in This Book

How Do You Know This Book Won’t Be Out-of-Date 80 Seconds after You Buy It?

A Final Note about Group Policy vs. MDM

A Little about Me, This Book, PolicyPak, and Beyond

Chapter 1 Enterprise Mobility and MDM Essentials

Getting Ready to Use This Book

Why the Need for MDM

Group Policy and MDM Compared

MDM: Guts, Protocols, and Moving Parts

Final Thoughts

Chapter 2 Set Up Azure AD and MDM

Comparative Analysis of Different MDM Services

Setting Up Auto-Enrollment and Enrolling Your First Machines

Optional Steps: Custom Domain Names and AD to AAD Synchronization

Final Thoughts

Chapter 3 MDM Profiles, Policies, and Groups

MDM Policies and the Policy CSP

Creating and Using Groups

Final Thoughts

Chapter 4 Co-Management and Co-Policy Management

Co-Management of SCCM and Intune

Co-Policy Management: Group Policy and Your MDM Service

Final Thoughts

Chapter 5 MDM Migration and MDM Troubleshooting

MMAT: Microsoft MDM Migration and Analysis Tool

Troubleshooting MDM

Final Thoughts

Chapter 6 Deploying Software and Scripts

Preparing for the Remainder of the Chapter

Deploying MSI Applications with MDM

Deploying AppX Apps via the Microsoft Store for Business

Deploying MSIX with MDM

Deploying Office 365 ProPlus with MDM

Deploying Win32 Apps with MDM

Deploying Scripts with Your MDM Service

Delivering Other Software and Files with MDM (Using PolicyPak File Delivery Manager)

Final Thoughts

Chapter 7 Enterprise State Roaming and OneDrive for Business

Pregame Setup for This Chapter

Enterprise State Roaming

OneDrive for Business

Final Thoughts

Chapter 8 Rollouts and Refreshes with Configuration Designer and Autopilot

Windows Configuration Designer

Autopilot

Scenario #2: Using a Tool, Like SCCM, to Migrate from Windows 7 to 10, then Triggering Autopilot via Configuration File

Chapter 9 Windows 10 Health and Happiness: Servicing, Readiness, Analytics, and Compliance

Windows, Office, and OneDrive as a Service

Office and Application Readiness

Desktop Analytics

Device Compliance and Health Attestation

Final Thoughts on Windows Health and Happiness

Chapter 10 Security with Baselines, BitLocker, AppLocker, and Conditional Access

Security Baselines

BitLocker: Full Disk Encryption

Application Whitelisting with AppLocker or PolicyPak Least Privilege Manager

Conditional Access

Final Thoughts on Security

Chapter 11 MDM Add-On Tools: Free and Pay

Company Portal App

Microsoft Graph and the Graph Explorer

PolicyPak On-Prem & MDM Edition

Interesting Things I Found on the Internet

Final Thoughts (on This Chapter, and about the Book!)

Index

End User License Agreement

List of Tables

Chapter 1

Table 1.1

Chapter 6

Table 6.1

Chapter 8

Table 8.1

Chapter 9

Table 9.1

Table 9.2

List of Illustrations

Chapter 2

Figure 2.1 Features and options with E3 vs. E5

Figure 2.2 Office 365’s built-in MDM

Figure 2.3 The signup page for EMS E5

Figure 2.4 Create your first user and company name.

Figure 2.5 EMS E5 trial success message

Figure 2.6 Log on using your onmicrosoft.com account.

Figure 2.7 Click to open Azure Active Directory.

Figure 2.8 This is where you click to turn on Intune.

Figure 2.9 Turn on MDM and, optionally, MAM for all users.

Figure 2.10 Turn on MDM for Intune Enrollment.

Figure 2.11 If you ever get lost in the Azure portal, just search for Intune.

Figure 2.12 In Intune, use “Device enrollment” to specify the MDM authority.

Figure 2.13 Choose Intune MDM Authority to manage devices.

Figure 2.14 Adding a user by hand to Azure Active Directory

Figure 2.15 Create your first user in Azure AD.

Figure 2.16 Each user needs a license.

Figure 2.17 You can give someone a username and password to enroll a machine “out of the bo…

Figure 2.18 Using Windows search to look for MDM settings

Figure 2.19 Use the Settings app

Figure 2.20 The “Set up a work or school account” dialog box. Just waiting to eat your end …

Figure 2.21 As the connection to Azure AD occurs, you’ll see something like this.

Figure 2.22 The Windows icon after enrollment means you’re “Workplace joined” and not reall…

Figure 2.23 You don’t want to be Workplace joined. You want to be MDM enrolled, which is …

Figure 2.24 Just click “Join this device to Azure Active Directory” for MDM enrollment.

Figure 2.25 The pre-confirmation for MDM enrollment

Figure 2.26 Explanation that you can now use the onmicrosoft.com account to log on direct…

Figure 2.27 The briefcase icon means you are successfully enrolled in MDM.

Figure 2.28 Now you can sign on with your Azure AD credentials to this machine.

Figure 2.29 Using the special syntax in a browser will open the correct MDM enrollment dial…

Figure 2.30 Using MDM deep links to pre-fill in user information

Figure 2.31 When you specify both the username and server in the deep link, then both are s…

Figure 2.32 Use Azure AD to see and add custom domain names.

Figure 2.33 Adding a custom domain name into Azure AD

Figure 2.34 The parameters you’ll need to inject into your domain registrar about your cust…

Figure 2.35 Using GoDaddy to place your Azure AD custom information

Figure 2.36 Adding the CNAME records for smooth auto-enrollment

Figure 2.37 Testing the CNAME before continuing

Figure 2.38 The goal is to validate the domain first (left). Then change the default primar…

Figure 2.39 The user name field will not permit you to add a domain you don’t own. You’ll s…

Figure 2.40 You can see your new user with the custom domain name.

Figure 2.41 Assign your new user a license.

Figure 2.42 Now you can have local Windows admins enroll users using your custom domain nam…

Figure 2.43 You need to add the name of your verified Azure AD domain here in on-prem AD Do…

Figure 2.44 Use Express Settings to connect your (simple) on-prem AD to Azure AD.

Figure 2.45 Give it the credentials you used when setting up your E5 account.

Figure 2.46 Provide the on-prem AD domain administrator credentials.

Figure 2.47 Be sure your UPN and Azure names match as Verified.

Figure 2.48 The AD Connect sync wizard is complete.

Figure 2.49 Refresh the page to see the newly synced users. Note new users are coming from …

Figure 2.50 Each user needs to have the correct suffix in on-prem AD for it to be synchroni…

Figure 2.51 Launching the Synchronization Service

Figure 2.52 Using PowerShell to force an AD to AAD sync

Figure 2.53 See that your one user has successfully come over from on-prem AD to Azure AD. …

Figure 2.54 After the on-prem AD PowerShell command, then a sync to Azure AD, all accounts …

Figure 2.55 How to nuke a user who is synchronized from on-prem AD

Figure 2.56 Use the “Register domain-joined computers as devices” policy to prevent Window…

Figure 2.57 You need to specifically set up Azure AD to also sync Windows 10 computers.

Figure 2.58 How to see Hybrid Azure AD joined machines

Figure 2.59 Before a machine is automatically Azure AD joined

Figure 2.60 After a machine is automatically Azure AD joined

Figure 2.61 You can see computers joined to Azure AD through the get-msoldevice PowerShel…

Chapter 3

Figure 3.1 After you enroll a device, you get a success message.

Figure 3.2 The Info button within Access Work or school. Local Admins see what’s on the le…

Figure 3.3 The Sync button is like GPUpdate for MDM.

Figure 3.4 Click a profile type to see policies’ types within that profile type.

Figure 3.5 Making your first Device restriction policy to manage Microsoft Edge Browser

Figure 3.6 Use the Assignments blade to assign your policy to All Devices.

Figure 3.7 Your first MDM policy sets the Windows Edge home page to the value of your choi…

Figure 3.8 Use the MDM Advanced Diagnostic Report to see your settings.

Figure 3.9 Don’t be fooled: Not every CSP with familiar names will work as expected on Win…

Figure 3.10 Some MDM policies will work for both User and Device.

Figure 3.11 Getting to know a setting before deploying and testing it

Figure 3.12 Using Microsoft Intune to block Cortana

Figure 3.13 See MDM setting AllowCortana in the PolicyManager section of the Registry.

Figure 3.14 When the MDM profile is removed AllowCortana returns to 1 (Enabled).

Figure 3.15 The preview of Administrative Templates node in Intune

Figure 3.16 The list of curated ADMX settings in a flat list in Intune

Figure 3.17 Searching for relevant ADMX settings

Figure 3.18 An example ADMX-backed setting

Figure 3.19 Adobe Flash enabled by default within IE

Figure 3.20 The Group Policy setting we’re going to set, but using MDM

Figure 3.21 Create a Custom profile type for ADMX-backed policies with no GUI.

Figure 3.22 Creating a custom OMA-URI setting

Figure 3.23 Flash should stop functioning in IE now.

Figure 3.24 No Group Policy involved, yet the Policies keys are manipulated.

Figure 3.25 Foxit Reader’s default update behavior

Figure 3.26 How you would use Group Policy to set Foxit Reader to stop automatic updates

Figure 3.27 Create a profile for Foxit policies with the Custom type.

Figure 3.28 Adding an ADMX file as a custom OMA-URI. The whole ADMX file gets downloaded to…

Figure 3.29 Find the policy setting within the ADMX you want to deliver.

Figure 3.30 Add the value to disable Foxit Updater. You can deliver the value to Device (le…

Figure 3.31 You can see the ingested custom ADMX policies in the MDM sync (after you close …

Figure 3.32 Successful lockout of Foxit reader with ingested ADMX file

Figure 3.33 The entire ADMX downloaded into the Registry

Figure 3.34 The Group Policy location is written to by the ADMX.

Figure 3.35 How to start to create groups in Intune

Figure 3.36 Creating Assigned groups (containing users)

Figure 3.37 Creating a Dynamic computer or user group

Figure 3.38 See the number of devices or users in a Dynamic group and/or click Members to s…

Figure 3.39 Advanced rules utilize a query language, and you can learn more about the query…

Figure 3.40 Use this query to find only Windows 1809 machines.

Figure 3.41 The full list of fields you can use for Dynamic groups

Figure 3.42 You can see the “Membership last updated” value for your Dynamic group.

Figure 3.43 You can select groups which will accept settings.

Chapter 4

Figure 4.1 The old Microsoft Intune and SCCM hybrid design with the Intune Connector

Figure 4.2 Simplified version of on-prem and cloud co-management

Figure 4.3 Microsoft SCCM co-management screen to decide which technology will handle what…

Figure 4.4 Co-management with all of its moving parts

Figure 4.5 The dsregcmd /status command can tell you if your Windows 10 machine is Azure…

Figure 4.6 Use the Auto MDM Enrollment with AAD Token policy to bootstrap a mass MDM enrol…

Figure 4.7 The scheduled tasks created by the Auto MDM Enrollment with AAD Token policy

Figure 4.8 The scheduled task showing that deviceenroller.exe is what does the lifting…

Figure 4.9 The on-prem AD now has an Info button.

Figure 4.10 Event ID 2220 shows who wins, Group Policy vs. MDM.

Figure 4.11 Create a new profile to house the new MDM policy.

Figure 4.12 The custom values to set MDM to win over Group Policy

Figure 4.13 How to know you’ve turned on MDM to win over Group Policy

Chapter 5

Figure 5.1 Download MMAT from GitHub.

Figure 5.2 Run MMAT with these PowerShell commands.

Figure 5.3 The PowerShell of MMAT completes.

Figure 5.4 Example MMAT output

Figure 5.5 Looking inside a report for Last Status Update

Figure 5.6 Using the Advanced MDM report to see set values

Figure 5.7 You can see which Group Policy settings are being overridden by MDM.

Figure 5.8 The “Unmanaged policies” section

Figure 5.9 Two profiles can have different settings and target the same user or device.

Figure 5.10 Any given device might have profile conflicts.

Figure 5.11 Click “Device configuration” first (before you get to see the various profiles …

Figure 5.12 All the profiles and any conflicts can be seen on the device.

Figure 5.13 Competing source profiles are illuminated.

Chapter 6

Figure 6.1 Windows Intune Client Apps and Apps panes

Figure 6.2 Adding application types for deployment

Figure 6.3 Only Description and Publisher are required fields for MSI applications.

Figure 6.4 Select Yes for the “Make this app required on all devices” option.

Figure 6.5 See that your application is required for all devices and installing in device …

Figure 6.6 See 7-Zip install to the Start Menu and appear in the basic MDM report.

Figure 6.7 Replace an existing MSI with an upgrade package.

Figure 6.8 Update the app Information or else you will see incorrect information in the MD…

Figure 6.9 You need to specify which users or devices will have the application uninstalle…

Figure 6.10 Cracking open the keys used in an MSI deployment

Figure 6.11 How to enable the Microsoft Store for Business within Intune

Figure 6.12 You must activate (at least) Microsoft Intune Enrollment, preferably both.

Figure 6.13 The VLC app in the Microsoft Store (and getting it ready for Microsoft Store fo…

Figure 6.14 The Company Portal app in the Microsoft Store (and getting it ready for Microso…

Figure 6.15 You now have the application available for use within your company store.

Figure 6.16 Seeing all the apps in the store, even though they are not ready yet in your pr…

Figure 6.17 Each application needs to be accepted into your company collection.

Figure 6.18 See your Microsoft Store for Business apps available for delivery.

Figure 6.19 Applications delivered from the Windows Store for Business

Figure 6.20 MSIX format enables you to take multiple package types, wrap them up, and then …

Figure 6.21 Downloading the MSIX Packaging Tool

Figure 6.22 Creating a self-signed PFX certificate for testing

Figure 6.23 Create your MSIX package by clicking on “Application package.”

Figure 6.24 Create a new package by providing an existing application and certificate.

Figure 6.25 Enter the details of the package.

Figure 6.26 The MSIX Packaging Tool installs a driver and makes recommendations for the saf…

Figure 6.27 Run the application and deploy it to the target location.

Figure 6.28 See the entrypoints of your application.

Figure 6.29 Success when creating an MSIX package

Figure 6.30 MSIX Installation fails because your computer doesn’t trust the certificate tha…

Figure 6.31 Starting the Certificate Import Wizard

Figure 6.32 Import the certificate into the Trusted Root Certification Authorities.

Figure 6.33 See your MSIX package install.

Figure 6.34 Notepad++ MSIX package can be seen in “Apps & features” but will appear as miss…

Figure 6.35 Importing your MSIX into Intune

Figure 6.36 Making the application required for all devices

Figure 6.37 Your AppX package in the application list in Intune

Figure 6.38 Result on Windows 10 deploying an MSIX app

Figure 6.39 Your MSIX application appears in the basic MDM report.

Figure 6.40 Selecting Office 365 Suite for Windows 10

Figure 6.41 Preparing to configure an Office deployment

Figure 6.42 Selecting which Office apps you want to deploy

Figure 6.43 App suite Information

Figure 6.44 Office App Suite Settings blade

Figure 6.45 After you’ve synced, sometime later, Office is installed according to your spec…

Figure 6.46 Downloading the Microsoft Intune Win32 Content Prep Tool

Figure 6.47 Have your setup and your install command in the same folder.

Figure 6.48 Seeing Firefox installed and getting its file version

Figure 6.49 Pretest the uninstall routine of your app.

Figure 6.50 Running the Win32 Content Prep Tool

Figure 6.51 The Win32 Content Prep Tool finishes.

Figure 6.52 Final result of the Win32 Content Prep Tool

Figure 6.53 Select Windows app (Win32) to deploy Win32 apps.

Figure 6.54 The categories of items you need to configure for Win32 apps

Figure 6.55 Specify the CMD file you created earlier to install, and the string you discove…

Figure 6.56 Minimum requirements are “Operating system architecture” and “Minimum operating…

Figure 6.57 Enter information that is guaranteed to detect your application.

Figure 6.58 Return codes

Figure 6.59 The Microsoft Intune Management Extension and Firefox were installed.

Figure 6.60 The (now installed) Microsoft Intune Management Extension, which is in charge o…

Figure 6.61 How to install and uninstall the AcroReader .EXE

Figure 6.62 The IntuneManagementExtension.log in CMTrace and Notepad

Figure 6.63 Uploading and configuring the Chrome evergreen download script

Figure 6.64 See the applications installed after Intune deploys the PowerShell scripts.

Figure 6.65 PolicyPak Scripts lets you deploy batch, PowerShell, VB Script, or JavaScript t…

Figure 6.66 You can decide what script to run when a policy no longer applies.

Figure 6.67 When to apply or reapply scripts with PolicyPak Scripts Manager

Figure 6.68 PolicyPak File Delivery Manager

Figure 6.69 Performing a PolicyPak File Delivery Manager Post-Copy action

Figure 6.70 Revert action for PolicyPak File Delivery Manager

Figure 6.71 Staging a ZIP file on Amazon S3 for later downloading and unpacking

Figure 6.72 Selecting how to overwrite or replace existing files

Chapter 7

Figure 7.1 Getting the Azure Tenant/Directory ID

Figure 7.2 Putting your OneDrive.admx and OneDrive.adml (not shown) in the Central Sto…

Figure 7.3 Jack is now licensed for Office 365 and SharePoint (not shown), which means he …

Figure 7.4 Consumer sync settings for Windows

Figure 7.5 Using the Consumer Microsoft Store to add a personal account

Figure 7.6 Turning on Enterprise State Roaming

Figure 7.7 Changing your background picture

Figure 7.8 Locating OneDrive admin center

Figure 7.9 The per-user OneDrive settings

Figure 7.10 Add a new library before you continue.

Figure 7.11 The download of the SharePoint Migration Tool

Figure 7.12 Using the SharePoint Migration Tool with Frank’s credentials

Figure 7.13 Using the SharePoint Migration Tool for a whole file share

Figure 7.14 Selecting your on-prem share

Figure 7.15 Selecting the SharePoint Online site and document library

Figure 7.16 The SharePoint Migration Tool scans, then copies the files from the source to t…

Figure 7.17 On-Prem file share to SharePoint migration completed

Figure 7.18 Your files have been migrated up using the SharePoint Migration Tool. The Sync …

Figure 7.19 Right-click over your library and select Settings to set permissions.

Figure 7.20 Use the Configure team site libraries to sync automatically policy setting to s…

Figure 7.21 Grabbing the library ID

Figure 7.22 The Registry item that is created for each Team Site Automounted library

Figure 7.23 The Intune Administrative Template settings for OneDrive

Figure 7.24 The OneDrive sync client page expressing the rings

Figure 7.25 User-side Group Policy OneDrive settings

Figure 7.26 Manually logging onto OneDrive

Figure 7.27 Computer-side Group Policy settings for OneDrive

Figure 7.28 Using Policy to enforce Files On-Demand

Figure 7.29 How to manually start syncing a SharePoint site

Figure 7.30 OneDrive Client sync shows files on the device and on demand.

Figure 7.31 Files On-Demand take zero bytes on disk.

Figure 7.32 This is how an end user could manually initiate a Known Folder Move.

Figure 7.33 Manually kicking off a Known Folder Move

Figure 7.34 To perform a prompted Known Folder Move, drop your tenant ID into this policy s…

Figure 7.35 To perform a silent Known Folder Move, drop your tenant ID into this policy set…

Figure 7.36 Silent Known Folder Move working

Figure 7.37 Items on the Desktop are silently moved to OneDrive.

Figure 7.38 Use the Prevent users from redirecting their Windows known folders to their PC …

Figure 7.39 How a user can manually restore their own OneDrive

Figure 7.40 Pick a day ago or a custom date to restore to.

Chapter 8

Figure 8.1 Getting the Windows Store version of the WCD

Figure 8.2 WCD main screen enabling you to perform provisioning tasks

Figure 8.3 The WCD navigation for “Provision desktop devices”

Figure 8.4 The “Set up device” page of WCD

Figure 8.5 Result of supplying credentials and creating a bulk token

Figure 8.6 Adding applications through the WCD

Figure 8.7 The PPKG file can contain certificates.

Figure 8.8 WCD advanced configuration options

Figure 8.9 Exporting packages in the Advanced view requires you to specify that you’re an …

Figure 8.10 The .PPKG file is consumed during OOBE.

Figure 8.11 Selecting the .PPKG file after Windows is running

Figure 8.12 PuTTY is installed via the .PPKG file, before the rest of the items come down f…

Figure 8.13 The Autopilot infrastructure

Figure 8.14 The Autopilot section within Windows Intune

Figure 8.15 Running the Get-WindowsAutopilotInfo PowerShell script

Figure 8.16 Examining an Autopilot hardware ID

Figure 8.17 Feed Autopilot your CSV file.

Figure 8.18 Your device shows up as registered in Autopilot.

Figure 8.19 You can make a direct assignment to Autopilot serial numbers.

Figure 8.20 Creating a dynamic group for all Autopilot devices

Figure 8.21 The “Create profile” and “Out-of-box experience (OOBE)” blades

Figure 8.22 Make the Autopilot profile assignment to an Azure AD group.

Figure 8.23 See which devices will get the Autopilot profile you created.

Figure 8.24 The default “All users and all devices” settings, which I recommend you use in …

Figure 8.25 Additional enrollment options (which I don’t recommend for the chapter, but use…

Figure 8.26 Configuring Azure AD branding, which you’ll see in Autopilot

Figure 8.27 Using Sysprep to get back to the OOBE

Figure 8.28 Click “Get started” to reset this PC and provide admin credentials; then follow…

Figure 8.29 You can see Autopilot is working when you see your company’s custom welcome.

Figure 8.30 Waiting for Autopilot to finish configuring the machine

Figure 8.31 Autopilot details expanded

Figure 8.32 Seeing your existing dynamic group

Figure 8.33 Assigning Autopilot to the “Computers with ‘Computer’ in the Name” group

Figure 8.34 Converting targeting devices for Autopilot.

Figure 8.35 Seeing newly imported devices in Autopilot

Figure 8.36 Use Windows+Ctrl+R at the login screen to start a reset there.

Figure 8.37 The different kinds of wipes and resets in Intune

Figure 8.38 How to marry a user to a specific hardware ID

Figure 8.39 The result when a machine starts up with Autopilot and a user is married to a h…

Figure 8.40 Autopilot self-deploying mode requires a TPM 2.0 chip which is capable of attes…

Figure 8.41 The OrderID is seen in the Deployment Group field in Autopilot.

Figure 8.42 Creating a dynamic group to capture a specific OrderID (ORDER1 in this case)

Figure 8.43 Select Self-Deploying as the deployment mode within the profile.

Figure 8.44 Pre-answering the OOBE questions for self-deploying devices

Figure 8.45 Specifying the dynamic group to which the Autopilot profile will apply

Figure 8.46 Specifically excluding the self-deploy devices from the user-driven devices

Figure 8.47 Autopilot asks no questions to self-deploy machines when Ethernet is used.

Figure 8.48 Flow diagram of Hybrid Azure AD Join

Figure 8.49 Creating and inspecting an Offline Domain Join (ODJ) blob

Figure 8.50 Performing a by-hand domain-join with an ODJ blob

Figure 8.51 Delegate Control over your known default location. If it’s not the Computers fo…

Figure 8.52 Enable Computers as an Object Type.

Figure 8.53 Specify the computer where you plan to install the Intune Connector for Active …

Figure 8.54 Specify that the computer can perform the selected delegated items.

Figure 8.55 Select Full Control on the Permission page.

Figure 8.56 Downloading the Intune Connector for Active Directory

Figure 8.57 Installing the Intune Connector for Active Directory

Figure 8.58 After you give the Global Admin’s credentials, you will get a success message f…

Figure 8.59 Inspecting the Intune ODJConnector Service

Figure 8.60 Finding the ODJ Service event log

Figure 8.61 An event log item from the ODJ Connector Service

Figure 8.62 The Intune Connector should show you the connection, if it’s active, and last s…

Figure 8.63 You can select User-Driven and “Hybrid Azure AD joined” to enroll in both MDM a…

Figure 8.64 Create a Domain Join profile to tell the machine how to connect to your Active …

Figure 8.65 The Domain Join settings for the device configuration profile

Figure 8.66 You can see that you’ve joined Active Directory here.

Figure 8.67 With Hybrid joined Windows 10 machines, you must log on with an on-prem Active …

Figure 8.68 Computers appear in the Computers folder after they join Active Directory.

Figure 8.69 The 80070774 message means the computer cannot complete the ODJ handshake with …

Figure 8.70 Error message when the computer is already MDM enrolled

Figure 8.71 Autopilot provisioning after OOBE starts and the Windows key is pressed five ti…

Chapter 9

Figure 9.1 How both traditional and modern devices use the same Windows Update Service.

Figure 9.2 Setting up WUfB policies in Intune

Figure 9.3 Assigning a Windows 10 update ring to a group of computers

Figure 9.4 The Office Update Channel Group Policy setting

Figure 9.5 The Intune Administrative Template setting

Figure 9.6 Running the Office Readiness Toolkit

Figure 9.7 Choosing your report location and some other options

Figure 9.8 Advanced reports send data to Microsoft to evaluate your machine’s data.

Figure 9.9 The Readiness Toolkit starts to create the report.

Figure 9.10 Click Enable Content to display your report.

Figure 9.11 The add-in readiness report

Figure 9.12 Using App Health Analyzer on one machine in interactive mode

Figure 9.13 The “Device compliance” section is on the left, but Intune’s default Status val…

Figure 9.14 Creating a device compliance policy

Figure 9.15 Setting Require BitLocker to Require as a compliance setting

Figure 9.16 Creating a device compliance policy to check for the Windows Firewall to be on….

Figure 9.17 Seeing your two policies (and having only one enabled).

Figure 9.18 Selecting one or many actions for noncompliance

Figure 9.19 Example email that a user gets if you select to deliver an email template

Figure 9.20 The end user’s view of the problem while using the Company Portal app

Figure 9.21 A tale of two computers: COMPUTER2867 and COMPUTER10

Figure 9.22 Checking device compliance status

Chapter 10

Figure 10.1 Finding “Security baselines” in the Microsoft Intune navigation menu

Figure 10.2 New MDM Security baselines are born with each new Windows 10.

Figure 10.3 Creating your baseline and giving it a name and optional description

Figure 10.4 You can keep all or change any baseline setting, as seen here.

Figure 10.5 Assigning a security baseline to a group

Figure 10.6 See the computers lined up to get the baseline.

Figure 10.7 After you Sync with MDM, which delivers a baseline

Figure 10.8 See that Edge has been configured to honor SmartScreen via the security baselin…

Figure 10.9 The Monitor section within a baseline

Figure 10.10 Using Azure AD to see the device owner

Figure 10.11 How to turn on BitLocker for a device

Figure 10.12 Enabling BitLocker encryption for the main drive and enabling standard users to…

Figure 10.13 Forcing BitLocker encryption for removable drives and storing the recovery info…

Figure 10.14 No indication BitLocker has started for a Standard User, but the drive begins e…

Figure 10.15 For hardware with HTSI/InstantGo, do not select to perform encryption; that hap…

Figure 10.16 How a user recovers his BitLocker keys

Figure 10.17 Using Azure AD to discover the BitLocker recovery key

Figure 10.18 Using PolicyPak Least Privilege Manager to make a rule to enable standard users…

Figure 10.19 Standard users cannot back up their own BitLocker keys. But using PolicyPak MDM…

Figure 10.20 Don’t leave a DVD in the drive or BitLocker will fail to start.

Figure 10.21 Using AppLocker to dictate what item types to block

Figure 10.22 Create the AppLocker default rules.

Figure 10.23 Exporting the AppLocker policy

Figure 10.24 Preventing applications that are not sanctioned via AppLocker. Note that the Ap…

Figure 10.25 Isolating the parts of AppLocker to use with Intune

Figure 10.26 Creating a Custom profile type

Figure 10.27 Paste in your trimmed AppLocker snippet into the Value field. The highlighted s…

Figure 10.28 Result of AppLocker getting directions via Intune. Note how the Application Ide…

Figure 10.29 Using PolicyPak Least Privilege Manager SecureRun™ to perform whitelisting

Figure 10.30 Windows 10 with internal and external security components

Figure 10.31 Kicking off Azure conditional access

Figure 10.32 Creating a conditional access Policy

Figure 10.33 Use Jack Tors as your single user to have the policy apply to.

Figure 10.34 Picking the cloud apps to block when noncompliance is detected

Figure 10.35 Expressing which client apps will adhere to this policy

Figure 10.36 Specifying why a machine should be considered for blocking

Figure 10.37 Your Azure conditional access policy

Figure 10.38 Verifying that the machine is out of compliance

Figure 10.39 What the user sees when conditional access blocks resources

Figure 10.40 Use the IT Roadmap to help you plan out future ways to get more secure.

Chapter 11

Figure 11.1 Setting up the Company Portal branding

Figure 11.2 Seeing your company branding, some warnings, and how users can get around

Figure 11.3 Seeing your help and support branding

Figure 11.4 An end user can see what problem is triggering conditional access via the Compa…

Figure 11.5 Getting started with device enrollment/re-enrollment

Figure 11.6 Adding a user’s account to the device

Figure 11.7 Using the Company Portal app to enable users to change their own passwords

Figure 11.8 Users can see the available applications (which are not forcefully required).

Figure 11.9 Making an application available for enrolled devices (without forcefully requir…

Figure 11.10 How to lock or reset a phone using the Company Portal

Figure 11.11 Right-clicking over another device the user has access to enables them to check…

Figure 11.12 Sending the command to reset a device

Figure 11.13 Getting started with the Microsoft Graph Explorer

Figure 11.14 Results of clicking on the “My profile” sample query

Figure 11.15 Selecting the permission(s) you need to perform the work

Figure 11.16 Install the PolicyPak Client-Side Extension MSI to the endpoints, and install t…

Figure 11.17 PolicyPak hooks right into the Group Policy editor you already know.

Figure 11.18 Using PolicyPak Admin Templates Manager to create and then export Group Policy …

Figure 11.19 Exporting Group Policy Preferences settings as XML files

Figure 11.20 Exporting Group Policy Security settings as XMLs

Figure 11.21 Running applications that require UAC prompts

Figure 11.22 Overcoming UAC prompts with PolicyPak Least Privilege Manager

Figure 11.23 The PolicyPak Least Privilege Manager Request/Response code dialog box

Figure 11.24 Using PolicyPak Application Settings Manager to manage your browsers’ and deskt…

Figure 11.25 Use PolicyPak Browser Router to define which browser is best for what website o…

Figure 11.26 Map a specific website to a specific version of Java using PolicyPak Java Rules…

Figure 11.27 Installing or uninstalling features and optional features

Figure 11.28 Upload and target the PolicyPak Client-Side Extension, PolicyPak license file, …

Figure 11.29 Preinstalling Microsoft.Graph.Intune and then running Yodamiitti

Figure 11.30 Connecting to your Intune

Figure 11.31 Yodamiitti navigation and content

Figure 11.32 You can multi-select devices in Yodamiitti and perform actions upon them.

Foreword

Shortly after starting with the Windows team in 2009, I met Jeremy at an MVP mixer in Redmond. Within minutes he had me backed into a corner and was inundating me with questions on Group Policy settings for the new Windows 7 beta that we had just delivered.

I was thinking, “Who is this guy?” and more so, “How could any one person be so passionate about Group Policy and desktop management?” What is most amazing is that, after all these years, his passion around helping IT pros to manage their Windows desktops is just as strong as it was back in 2009!

Over the years I have been able to see the amazing impact that Jeremy has made. First upon how IT organizations look to manage the fundamentals, security, and troubleshooting of Group Policy. But Jeremy has also impacted how our own Microsoft engineering teams now look at problem sets based on his guidance with his audiences.

If you don’t believe me, ask anyone who has sat in one of his sessions at TechEd/Ignite. They are the stuff of geek legend. Packed to the gills with 400-level uber-admins with a plethora of questions for him.

In the past few years, he has moved from not just being the GPO guru, but now onward as the go-to guy for Intune and MDM. In this book, Jeremy provides industry standard guidance on how to best co-exist and/or transition from GPOs to MDM tools but continue to manage and secure your desktops.

As a reviewer on Amazon stated of one of his earlier books, “The difference between the good system engineer and the great system engineer is that the great system engineer reads the right book. This is the right book.”

I can honestly say he’s right. This is the right book. Enjoy!

Stephen L. Rose

Microsoft, @stephenlrose

Introduction

If you’re picking up this book, it could be for several reasons:

You keep hearing Microsoft talk about “Switching to a modern, managed desktop” at a conference, online, or in someone’s speech.

You have no idea what EMM and/or MDM is, but thought, “Hmm…interesting looking cover. Let me see what’s inside it.”

You already subscribe to an MDM service, like Intune, Workspace ONE, or MobileIron, and you use it for phones and want to get started using it for Windows 10.

You know what EMM and/or MDM is, see it on the potential horizon for your company, and are looking to get a handle on it.

You purchased my “moderately famous” big, green Group Policy book, maybe even the first edition of Group Policy, Profiles, and IntelliMirror back in 2001, or maybe one of the more recent editions like Group Policy: Fundamentals, Security, and the Managed Desktop, Third Edition.

Maybe the boss walked into your office and dropped this book on your desk and said, “Learn this EMM/MDM/Modern Management whatever-it-is and see if we should ‘do this thing.’”

Maybe your “boss’ boss” struck a deal on the golf course, and now it’s your job to learn MDM.

So what is EMM/MDM and Modern Management? And how is it different than on-prem, traditional management?

Let’s define some terms so we can map our course and get on the road:

EMM is Enterprise Mobility Management. It’s a fancy term for “managing settings and applications and stuff over the Internet.”

MDM stands for two things. Officially, MDM is Mobile Device Management. It’s more or less the guts, protocol, and moving parts that the concept of EMM uses to perform the work.

Modern management is a collection of overall features, concepts, how-tos, and step-by-steps of, well, rolling out, then managing a Windows Desktop (exclusively Windows 10) in a new way that opens up new opportunities and capabilities. Usually modern management also means managing (mostly) over the Internet; that is, by the cloud.

So, unofficially, MDM stands for Modern Device Management. You can see Microsoft really pushing the word modern into the conversation. So even though MDM originally had one meaning, it’s really taken on two meanings at the same time.

To be clear, the lines are a little blurry here. And EMM and MDM (the official and unofficial definitions) mean so many different things to different people. As of this writing, here’s what Wikipedia says:

“Enterprise mobility management (EMM) is the set of people, processes and technology focused on managing mobile devices, wireless networks, and other mobile computing services in a business context.”

And if you want to read Microsoft’s definition of MDM, it can be found at https://docs.microsoft.com/en-us/windows/client-management/mdm/. But here’s the important bit and opening sentence on the definition of MDM from Microsoft:

“Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices.”

It’s not super easy to find a unified definition of Modern Management anywhere. Maybe by the time you read this, some unified definition will be everywhere. But here’s a quote from Microsoft’s corporate vice president of management at Ignite 2018 that resonates with me reasonably well:

“The modern desktop is a paradigm shift which takes things to a whole different level. In the modern desktop, everything, and I mean literally everything, is connected to the cloud: Windows, Office, management, security, it’s all connected to the cloud.

And that cloud connection makes your users more productive, gives you in IT security superior insights and control. Because it gives the full power of the Microsoft Intelligent Cloud behind you.

As you cloud connect everything you have, you can take advantage of simplified management of your desktop devices, as well as compliance updates, updates which enhance your security, advanced data protection, and finally those cloud capabilities make your users far more productive.”

Another place to go for understanding Microsoft’s vision for a modern desktop can be found at:

https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/

So, Modern Management is not just a shift from the traditional on-prem tooling of Active Directory, Group Policy, and SCCM toward something cloud-y. It’s also a shift in mindset toward making Windows management more proactive and automated. Think “Drop a new system out of the box on someone’s front door, and…bingo. They’re all set up, and nicely managed, and the end user didn’t have to lift a finger except for pressing the On button.” That’s the dream, anyway, of modern management.

Beyond that, the promise of modern management, in theory anyway, is that it should be simpler than traditional management with Active Directory, Group Policy, and/or SCCM. Why is that? Well, if you have zero on-prem infrastructure to babysit, that’s going to be a plus. And all the management options are in one place: the MDM system you choose. So instead of 80 different ways to manage a device, using Group Policy, scripts, and so on, at least you have it all reasonably centralized in one management tool and portal.

Now, for me, I’m interested in this new modernly managed desktop world because EMM and MDM don’t replace Group Policy; they open up new opportunities and augment management in places where Group Policy cannot go.

So, for me, I see a few categories of organizations. Maybe you fit into one of these categories right now, or your perspective might change over time:

Maybe you’ll stay exactly where you are; keep using on-prem Active Directory with domain-joined machines and keep using Group Policy to manage those machines. (In this case, this book might be interesting, if only to see where you could maybe stretch into the future.)

Maybe you’ll use EMM/MDM to augment your current world so you can do and accomplish new, interesting things (that you couldn’t do before with Group Policy alone). Maybe you’ll keep your traditionally managed machines for your headquarters but create a “Modern Managed parallel universe” for your non-domain-joined or far-flung machines where you have intermittent connectivity. In other words, you’ll keep doing some (or many) traditional things in the original universe and spin up a parallel universe for some of the new scenarios we’ll explore. (I foresee this scenario for many, many companies, by the way.)

Maybe you’ll completely walk away from traditional management and rip and replace on-prem Active Directory and Group Policy and/or SCCM management. Then jump into EMM/MDM with both feet. (I call this the “Big Band-Aid rip.”)

Maybe you have zero on-prem infrastructure today and see that some of the world is heading toward a “let’s put everything in the cloud” model. So, because you’re starting with no on-prem infrastructure already, maybe it doesn’t make sense to spin up a new on-prem Active Directory and/or SCCM. You’re already all in on being a cloud-based company and this Modern Managed world would be a natural extension for your company.

So if you’ve already decided to go toward Modern Management, or are still dabbling with the decision to open up some new doors that Traditional Management cannot, then this is the book for you. It could also be the book for you even if you are in the first camp; that is, you have no direct intention of walking away from Traditional Management (like on-prem Active Directory with Group Policy) but want to get a feel for what EMM/MDM and Modern Management can do for you and start to get a handle on it.

In this book, I’m going to simply assume you’re already familiar with existing traditional, on-prem paradigms, like Active Directory, Group Policy, and maybe a little SCCM. I’m not saying you need to have “wizard level” understanding of these items, but in looking forward to MDM and Modern Management, I will often refer backward to how things are done in a traditional sense and explain how they’re different.

As such, if you haven’t got a copy of my Group Policy book and think you might need a copy, head over to www.MDMandGPanswers.com/book and get your own “author signed” copy of the big green Group Policy book as this book’s companion.

EMM and MDM Redefined

So EMM is Enterprise Mobility Management. It just means all the tools and people and stuff you need to manage your mobile devices in a modern way. So in short, EMM is the “concept.”

And, MDM stands for Mobile Device Management.

Ask some people and they will say it stands for “Modern Device Management” or “Modern Desktop Management,” which also kind of works.

I will always abbreviate it as simply MDM. MDM is a “cousin” to Group Policy. A newer cousin, with somewhat different goals, different parents, different upbringing, and so on. So, “cousin” is really the best analogy here. In short, MDM is the “worker bee.”

You can also think of MDM like it’s the moving part, or the transport for the ideas of EMM.

Like Group Policy, MDM has a moving part, or policy processing engine, inside the Windows 10 operating system. And actually, here’s the thing: MDM isn’t just inside Windows 10; that similar moving part is already embedded and inside mobile phones, tablets, and so on.

So if it’s the similar moving part in both Windows and mobile devices, a new interesting opportunity opens up: use one management system, and leverage the in-box MDM engine (in Windows and also phones, etc.) as the moving part to receive “directives” (or policies) and have “one tool to rule them all.”

Taking a step back, when you used Group Policy to manage your systems, Microsoft sold you everything, all at once, and it was all included in the box and worked “forever.” Here were the general steps:

You created an on-prem Active Directory and made a domain.

You joined machines to the domain.

You used a Microsoft MMC snap-in called the GPMC to make Group Policy Objects.

Those GPOs contained policies.

Those policies were downloaded through Ethernet or VPN.

Those policies were processed by the Group Policy engine.

Now, with EMM, the deal is a little different:

The expectation is that you walk away from or don’t need your on-prem Active Directory anymore, but you might have Azure Active Directory for Office 365, for example.

Machines are domain joined (maybe) because you had them historically joined. But the new idea is that you don’t need to have them domain joined anymore but it’s okay if they are.

If you want to, you can get a bonus by “cloud attaching” your on-prem Active Directory and/or SCCM infrastructure to the cloud and gain additional benefits by leaning on the cloud.

You purchase or otherwise acquire an MDM solution. Yes, you read that right: You have to buy something to make your EMM dreams a reality and purchase something to command the MDM moving part on your Windows and phones to perform actual work. And, if you opt for a cloud-based MDM service, you need to keep paying to keep your MDM service working.

You make policies in your MDM service to deliver software and/or lock down settings.

Those policies are downloaded through the Internet.

Those policies are processed by the MDM engine.

So, some things are kind of the same, and some things are different.

But the gist of MDM is the same as Group Policy: You have users and devices. You make “wishes” and store those wishes somewhere centrally, and endpoints download and process those wishes. What’s majorly different is that Group Policy needs domain-joined machines to work, whereas MDM works with zero on-prem infrastructure.

Group Policy and MDM have different goals and different upbringing, but we’ll dig into that in Chapter 1.

Terminology

In this book, I’ll be writing the letters (and terms) EMM, MDM, and Modern Management a lot.

I might say, “In your EMM environment” to talk about your business, or world at large.

I might refer to “an MDM system,” “an MDM solution,” or “your MDM.” That’s the thing, well, a service really, you purchase and maintain to perform the work of modern desktop management.