Learning Microsoft Endpoint Manager: Unified Endpoint Management with Intune and the Enterprise Mobility + Security Suite
By Scott Duffey
About this ebook
The first-ever book on Microsoft Endpoint Manager (MEM), written by Microsoft Program Manager Scott Duffey!
Microsoft Endpoint Manager (MEM) has rapidly become one of the leading products for mobile device and PC management. Organizations around the world are using it to manage settings, security, an
Learning Microsoft Endpoint Manager - Scott Duffey
Copyright © 2021 Scott Duffey
All rights reserved.
Contents
About the author
Acknowledgments
Chapter 1 - Introduction
Things you will need
Chapter 2 - Getting started with Microsoft Endpoint Manager
What is Microsoft Endpoint Manager (MEM)?
Subscriptions and licensing
Do it – Create a new trial account
A quick tour of the MEM admin center
Do it – Take a tour of MEM
Azure Active Directory (Azure AD)
Creating cloud-only users
Do it – Create a new Azure AD user and assign licenses
Creating Azure AD groups
Do it – Create a user group
Do it – Create a dynamic user group
Management choices – Mobile Device Management (MDM) and Mobile Application Management (MAM)
Mobile Device Management (MDM)
An overview of Mobile Application Management (MAM)
Chapter 3 - Enrolling Devices into Management
Introduction to enrollment
Getting started with Apple enrollment
Do it – Set up Apple Push Certificate
Apple enrollment for personal devices
Do it – Enroll an iOS device into MDM
Apple enrollment for corporate devices
Do it – Set up and enroll devices with ADE
Do it – Manually register iOS devices into ABM with Apple Configurator 2
Do it – Set up a device using Apple Configurator
Getting started with Android enrollment
Do it – Set up Android Enterprise and connect it to MEM
Android enrollment for personal devices
Do it – Enroll into Android Enterprise work profile
Android enrollment for corporate devices
Do it – Try out Android Enterprise corporate enrollment with a QR code
Getting started with Windows 10 enrollment
Windows 10 enrollment for personal devices
Do it – Try out Windows 10 personal device enrollment
Windows 10 enrollment methods for (new) corporate devices
Do it – Try out Windows 10 enrollment: User-driven Azure AD Join
Do it – Try out Windows 10 enrollment: Autopilot user-driven mode
Do it – Try out Windows 10 enrollment with a bulk enrollment token
Windows 10 enrollment for existing corporate devices
Advanced enrollment concepts – DEM, enrollment restrictions and customization
Company Portal customization and branding
Do it – Try out customization and branding
Chapter 4 - Remote Device Actions
Admin device actions
Do it – Try out device actions
Bulk device actions
Do it – Try out bulk device actions
Do it – Try out self-service device actions
Chapter 5 - Configuring Device Settings
Device restriction profiles
Do it – Build your own device restriction profile
Device features
Resource access (Wi-Fi, wired, VPN and certificates)
Windows 10-specific profiles
Administrative templates
Group Policy analytics
Custom
Do it – Create a custom profile for Windows 10
OEMConfig
Do it – Create an OEMConfig profile
Windows update policies
Chapter 6 - Configuring Compliance Profiles and Settings
Compliance policies
Do it – Create a compliance policy for each platform
Device Health Attestation (DHA) for Windows 10 devices
Configuration Manager compliance for Windows 10
Global compliance settings
Notifications and actions for non-compliant devices
Do it – Try out compliance notifications
Integrating with Mobile Threat Defense (MTD) services
Compliance policies in the big picture of Conditional Access (CA)
Chapter 7 - Configuring Endpoint Security
Overview of Endpoint Security
Security baselines for Windows 10
Do it – Try out Security baselines
Antivirus policy
Do it – Deploy Antivirus Settings to MDM devices
Disk encryption policy
Do it – Try out encryption settings
Firewall policy
Do it – Try out Firewall settings
Attack Surface Reduction (ASR) for Windows 10
Do it – Try out ASR policies
Account protection policy for Windows 10
Microsoft Defender for Endpoint integration and Endpoint detection and response policy
Do it – Try out MDE integration
Security Tasks
Do it – Try out Security tasks
Chapter 8 - Deploying Apps
Overview of app types
Assigning apps to users and devices
Do it – Create and assign a required store app for iOS
Do it – Create and assign a required Win32 app for Windows 10
Do it – Create and assign an Office App package for macOS
Managed app stores – VPP, MSFB and MGP
Do it – Set up Apple VPP
Do it – Set up MSFB
Do it – Set up Managed Google Play
End-user app stores for Available apps
Chapter 9 - App Protection Policies
App protection policy targeting options
Do it – Try out app protection policies
Supported apps and preparing your own
Windows Information Protection (WIP) for Windows 10
Chapter 10 - App Configuration Policies
App configuration policies for managed devices
Do it – Try out app configuration policies for managed devices
App configuration policies for managed apps
Do it – Try out app configuration policies for managed apps
Chapter 11 - Conditional Access
Device CA – Require compliant devices
APP-CA and MAM-CA – Require approved apps and app protection policy
CA user experiences and broker apps
Do it – Try out device CA
Session-based controls for CA
Do it – Try out session controls for CA
Chapter 12 - Configuration Manager, Co-management and Tenant Attach
Configuration Manager device management in the MEM admin center
Do it – Try out tenant attach
Do it – Enable Hybrid Azure AD Join for on-prem Active Directory devices
Do it – Turn on co-management for existing on-prem devices
Chapter 13 - Endpoint Analytics
Do it – Try out Endpoint Analytics
Chapter 14 - Troubleshooting
Troubleshooting and support experiences
Do it – Try out the Troubleshooting + support page
Resource reports
Do it – Try out resource reports
Client logs
Audit logs
Getting help from Microsoft
Chapter 15 - Advanced Usage and Resources to Learn More
Grouping and targeting – Exclude groups
Role-based access control (RBAC) and Scope tags
Graph API
Do it – Try out Microsoft Graph Explorer
Do it – Try out browser developer tools to see Graph API calls
Do it – Try out PowerShell for MEM
Advanced reporting and automation
Do it – Try out Data Warehouse
Tips for staying up to date
Additional learning – videos, blogs, books and the MEM community
Final thoughts
About the author
I am a Program Manager at Microsoft and I work on Microsoft Endpoint Manager features. My passion for the product started in the early days when it had a lot of wrinkles and was branded Windows Intune. I am especially proud to witness its transition to awesomeness and ascension to the top-right of the Gartner Magic Quadrant (in case you don’t follow industry analyst reports, this just means it’s one of the best UEM products in the market). In my first years at Microsoft, I worked in a customer-support type role as a Premier Field Engineer (PFE). I worked with a new customer each week – helping IT folks tweak their Windows desktop configurations through Group Policy or Configuration Manager to improve performance, security or end-user experiences. I jumped on the Intune train early because it seemed new and interesting, and I thought I could make this my new special skill. My managers at the time were all about something called a T-shape, referring to a popular metaphor at the time for one’s breadth and depth of knowledge. The top of the T-shape represents your breadth skills and the lower portion represents depth. The idea was that you should have broad technical knowledge in some areas and deep knowledge in others. I was inspired to go deep on Intune, so I learned as much as I could and started teaching the customers I worked with, doing workshops and setting up proofs of concept with them. At this stage, there was very little enterprise use or interest in Intune, and it was really all about mobile phones (including Windows Phone), not PCs. When Windows 8.1 came out there was a new cloud management stack on it and a lot of buzz around Modern Management, where admins were encouraged to throw out all the management tools they knew and loved (Group Policy and Configuration Manager), forget all the skills they had learned and earned their living on over the last ten years and move to this new, shiny, simple thing in the cloud. That message did not go down well at all.
After about a year or so of Intune deployment with customers, I had an opportunity to move from the field into the Intune product group, in a new team called the Customer Acceleration Team (CAT). The idea behind this team was that Microsoft product groups could be directly engaged with large enterprise customers who were actively deploying Intune so that the engineering teams would gain a deep understanding of customer blockers and issues. Knowing about them sooner could fast-track important product development and prioritization. It was my job to work directly with a few special and large customers in the Asia region, understand their concerns and summarize the impact to the rest of the product team. I also helped those clients rapidly get Intune from proof-of-concept to fully deployed in their environments. There were perks to this job: the travel was fun and interesting, and I was no longer tied to an office. I worked from home 80 percent of the time and spent the rest travelling. Since I was covering the Asia region, I spent time onsite with customers from India to Japan and many across Australia. I also traveled to Microsoft headquarters in Seattle a couple of times a year to meet with the rest of my team, fill up the knowledge-tank on upcoming features and innovations and tap feature PMs on the shoulder for updates on blockers that were affecting my customers. I really enjoyed the CAT team but realized that I wanted to have a bigger role in the direction of the product and its features. On one of my trips to head office, I put out feelers and told a few folks that being a feature PM in Intune would be my dream job. Next thing I knew, I was boarding my family on a plane from Australia to start a new adventure at Microsoft head office in Redmond, Washington.
I have always had a passion for writing. I have blogged, written, and rewritten product documentation and too many product specifications to count – but never a book. When the COVID-19 pandemic broke out in March 2020, Microsoft was one of the first companies to close offices and send people home to work. I needed a creative outlet and writing this book helped me scratch that itch. It motivated me to get out of bed at 5am each morning in the dark cold in front of my computer, headphones on, cup of coffee in hand and a smile on my face. I was also motivated by the fact that there were no other Microsoft Endpoint Manager books yet. I knew admins around the world were struggling with the learning curve and I could help.
This book contains knowledge I have picked up over the years that I would gladly share with any MEM customers I meet or even new members of the MEM product development team who need to ramp up quickly. Thank you for reading it!
Acknowledgments
So many people were involved in bringing this book to you – I am thankful to the people that contributed directly but also to the people in my personal and work life that gave me a leg-up at some point so that I could eventually write this book:
• Roger Southgate – my good friend and mentor. Thank you for your contribution as Chief Technical Reviewer for this book.
• Leaders and mentors – Callan Tenabel, my first hiring manager at Microsoft who took a chance when he hired me based on potential rather than experience. Ben Francis, Martin Morrison, Ian Bartlett, Bryan Keller and Heidi Cheng too – all Microsoft managers who pointed me in the right direction.
• My brother, Chad, for being a great role model in tech and one of the most generous people I know. I won’t forget the things you do for me.
• My Microsoft colleagues and teammates, both developers and PMs, for patiently teaching me things I now can teach to others.
Lastly my wife, Mandy, for giving me the time and space to work on projects like this. Thank you.
Chapter 1
Introduction
Did you just land an IT job only to learn your new employer is using Microsoft Endpoint Manager (MEM) for device management? Perhaps you stretched the truth on your resume and suggested you knew it already? Maybe you are an old-hat, know-your-stuff device management pro for another product but your boss just told you the company is migrating? Whatever the case, this book will be your zero-to-hero ramp-up guide.
In authoring this book, I promise you a few things. First, I promise an easy but content-rich read. MEM is complicated enough without acronyms and tech-speak, so I will keep it simple and articulate, and I’ll take the time to explain industry terminology. Second, I learn by doing stuff (and breaking stuff) and so do most of the IT admins I know. To maximize learning, I will get you ‘doing stuff’ as much as possible. Exercises will not have fine-grained, explicit steps; instead, I will guide you through the flow and prevent you from getting stuck or breaking too much stuff. The book is structured to start out simple, adding building blocks as you go until you reach a point where you can fish for yourself. I recommend that you go beyond the basic steps provided and take regular detours to explore additional configurations, settings and features along the way. At the end of this book, you should be comfortable building out full scenarios in lab or production environments and be ready to show your boss how awesome you are.
There is one promise I cannot make. MEM is a cloud service; it gets updated very frequently (once a month, sometimes more), so frequently that some of this content will go stale. Features and entire products get renamed, new features get added, and existing ones get moved around the UX. You will be fine, though. I will teach you the broad stuff, the concepts and administration patterns, and give you all the resources you need to stay up to date and handle the inevitable product changes, so you can be your company’s go-to MEM ninja for years to come.
Intune vs Endpoint Manager? What do we call this thing?
The first thing you need to know if you are new to this space