The first major book on MDM written by Group Policy and Enterprise Mobility MVP and renowned expert, Jeremy Moskowitz!
With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop - for PCs, tablets, and phones - through the common Mobile Device Management (MDM) layer. MDM gives organizations a way to configure settings that achieve their administrative intent without exposing every possible setting. One benefit of MDM is that it enables organizations to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows organizations to target Internet-connected devices and manage policies without using Group Policy (GP), which requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
With Microsoft making this shift to Mobile Device Management (MDM), a cloud-based policy-management system, IT professionals need to know how to perform the tasks they currently do with Group Policy using MDM instead, and to understand its differences and pitfalls.
- What is MDM (and how is it different from GP)
- Set up Azure AD and MDM Auto-Enrollment
- New PC Rollouts and Remote Refreshes: Autopilot and Configuration Designer
- Enterprise State Roaming and OneDrive Documents Roaming
Renowned expert and Microsoft Group Policy and Enterprise Mobility MVP Jeremy Moskowitz teaches you MDM fundamentals, essential troubleshooting techniques, and how to manage your enterprise desktops.
Table of Contents
Foreword xix
Introduction xxi
Chapter 1 Enterprise Mobility and MDM Essentials 1
Getting Ready to Use This Book 2
Why the Need for MDM 3
Group Policy and MDM Compared 6
MDM: Guts, Protocols, and Moving Parts 9
OMA-DM: The Protocol 9
CSPs: Configuration Service Providers 9
MDM Service 11
Extending Your MDM Services with Third-Party Tools 12
Final Thoughts 13
Chapter 2 Set Up Azure AD and MDM 15
Comparative Analysis of Different MDM Services 15
Azure AD Premium, Enterprise Mobility + Security, and Microsoft 365 16
Office 365’s Built-In MDM Management 18
Microsoft Intune 20
VMware Workspace ONE 24
MobileIron 25
Setting Up Auto-Enrollment and Enrolling Your First Machines 25
Turning On MDM Enrollment 26
Add Your First User to Azure AD 33
Enroll Your First Windows 10 Machine into MDM 34
Optional Steps: Custom Domain Names and AD to AAD Synchronization 50
Custom Domain Names: Goodbye to “onmicrosoft.com” Names 50
Syncing Your On-Prem AD to Azure AD Automatically 58
Final Thoughts 73
Chapter 3 MDM Profiles, Policies, and Groups 75
MDM Policies and the Policy CSP 75
MDM: Getting Started with Policies 76
Profiles and Policies 77
What Makes an MDM Policy? 82
ADMX-Backed Policies 87
Ingesting Third-Party ADMX Files 96
Creating and Using Groups 108
Creating Assigned Groups 109
Creating Dynamic Groups 109
Advanced Dynamic Rules 111
Utilizing Groups in Intune 114
Final Thoughts 114
Chapter 4 Co-Management and Co-Policy Management 117
Co-Management of SCCM and Intune 117
Co-Policy Management: Group Policy and Your MDM Service 122
Auto-Enroll in Your MDM Service Using Group Policy 122
Co-Policy Management…Who Wins: MDM or Group Policy? 127
Final Thoughts 133
Chapter 5 MDM Migration and MDM Troubleshooting 135
MMAT: Microsoft MDM Migration and Analysis Tool 135
Troubleshooting MDM 139
MDM Service Reports, Diagnostic Logs, and Event Logs 139
Delivery Reports from Your MDM Service 140
Advanced Diagnostic Reports and Resolving Conflicts 141
Final Thoughts about the Advanced MDM Settings Report 143
Resolving Conflicts 144
Investigating Event Logs 148
Remotely Collecting Logs from Windows 10 149
Remember MdmWinsOverGP Setting and Gotchas 149
Other Miscellaneous Notes, Traps, and Gotchas 149
Final Thoughts 152
Chapter 6 Deploying Software and Scripts 153
Preparing for the Remainder of the Chapter 155
What to Download to Get Settled in for This Chapter 155
How to (Generally) Deploy Applications with Intune 157
Deploying MSI Applications with MDM 161
Deploying Your First MSI Application 161
Deploying AppX Apps via the Microsoft Store for Business 170
Getting Started with and Activating the Microsoft Store for Business 170
Acquiring AppX Packages to Distribute Using Microsoft Store for Business 172
Deploying MSIX with MDM 178
Repackaging an App with the MSIX Packaging Tool 181
Deploying Office 365 ProPlus with MDM 196
Deploying Win32 Apps with MDM 206
Microsoft Intune Win32 Content Prep Tool 207
Gathering All the Needed Items in One Place 208
Preparing the Win32 Application Contents 210
Add the .intunewin File to Intune 211
Assign the App and See Results 216
Other Win32 Deployment Examples, Troubleshooting, and Final Thoughts 217
Deploying Scripts with Your MDM Service 219
Deploying Scripts (That Deploy Software) with Intune 220
Delivering Other Software and Files with MDM (Using PolicyPak File Delivery Manager) 226
Downloading Unusual File Types 227
Downloading .EXEs, .MSIs, or Unusual Software, Then Running a Script (and Cleaning Up When You’re Done) 228
Downloading a ZIP and Automatically Unpacking Its Contents 229
Final Thoughts 231
Chapter 7 Enterprise State Roaming and OneDrive for Business 233
Pregame Setup for This Chapter 235
Get Your Azure Tenant ID 235
Enterprise State Roaming 239
Setting Up Enterprise State Roaming 241
OneDrive for Business 244
Managing the OneDrive Tenant 246
SharePoint and SharePoint Migration Tool 248
OneDrive Sync Client 257
OneDrive’s Magic Trick: Known Folder Move 268
Files Restore (from Malware or User Error) 276
Final Thoughts 279
Chapter 8 Rollouts and Refreshes with Configuration Designer and Autopilot 281
Windows Configuration Designer 282
Get WCD from the Windows Store 283
What Can You Do with WCD? (And What Shouldn’t You Do with WCD?) 284
WCD Example 284
Implementing the .PPKG File 290
Results from Using a .PPKG File 292
Final Thoughts about WCD 292
Autopilot 293
Getting Devices Registered into Autopilot 296
Creating Groups for Your Autopilot Machines 303
Setting Up Your Autopilot Deployment Profile 306
Automatically Harvesting Hardware IDs into Autopilot 317
Autopilot: Resets, Retire, Wipes, and Fresh Starts 324
Linking a Specific User to a Specific Hardware ID 329
Autopilot Self-Deploying Mode 330
Autopilot Hybrid Azure AD Join 339
Autopilot White Glove 356
Final Autopilot Resources 358
Chapter 9 Windows 10 Health and Happiness: Servicing, Readiness, Analytics, and Compliance 359
Windows, Office, and OneDrive as a Service 359
Servicing Windows 360
Servicing Office 365
Servicing OneDrive (Revisited) 367
Making Your Own Rings for Windows, Office, and OneDrive 367
Office and Application Readiness 375
Office 365 Readiness Toolkit 376
App Health Analyzer 380
Desktop Analytics 381
Introduction to Desktop Analytics 382
Prepare, Pilot, and Deploy Phases 383
Final Thoughts on Desktop Analytics 383
Device Compliance and Health Attestation 384
Getting Started with Compliance Policy 385
Final Thoughts on Windows Health and Happiness 393
Chapter 10 Security with Baselines, BitLocker, AppLocker, and Conditional Access 395
Security Baselines 396
Creating Your Security Baselines in Intune 397
Assigning Your Security Baseline to a Group 399
Syncing Your Client to Get the Baseline 400
Testing Your Baseline 401
Reporting and Monitoring Baselines 402
BitLocker: Full Disk Encryption 404
Enabling BitLocker Using Intune 404
BitLocker Key Recovery and Management 412
BitLocker Final Thoughts and Additional Resources 416
Application Whitelisting with AppLocker or PolicyPak Least Privilege Manager 417
Using AppLocker for Whitelisting 417
Using Your AppLocker Rule with Intune 420
PolicyPak Least Privilege Manager for Whitelisting 423
Conditional Access 426
Setting Up Azure Conditional Access 427
Final Thoughts on Security 434
Chapter 11 MDM Add-On Tools: Free and Pay 439
Company Portal App 439
Setting Up Company Portal Branding 440
Users Interacting with the Company Portal App 441
Microsoft Graph and the Graph Explorer 448
PolicyPak On-Prem & MDM Edition 455
Getting Started with PolicyPak 456
Using PolicyPak to Export Existing Group Policy to MDM 458
Using PolicyPak to Overcome UAC Prompts 461
Using PolicyPak to Block and Allow UWP Applications 463
Using PolicyPak to Manage Application, Browser, and Java Settings 463
Using PolicyPak to Manage Windows Features (and Optional Features) 466
PolicyPak Deployment with Intune (or Any MDM) 466
Interesting Things I Found on the Internet 467
Untested, but Seemingly Useful Scripts 467
Yodamiitti Intune Management GUI 468
Final Thoughts (on This Chapter, and about the Book!) 470
Index 473