MDM: Fundamentals, Security, and the Modern Desktop

Using Intune, Autopilot, and Azure to Manage, Deploy, and Secure Windows 10

The first major book on MDM written by Group Policy and Enterprise Mobility MVP and renowned expert, Jeremy Moskowitz!

With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop-for PCs, tablets, and phones-through the common Mobile Device Management (MDM) layer. Les mer
Vår pris

(Paperback) Fri frakt!
Leveringstid: Sendes innen 21 dager
På grunn av Brexit-tilpasninger og tiltak for å begrense covid-19 kan det dessverre oppstå forsinket levering.

Legg i
Legg i
Vår pris: 641,-

(Paperback) Fri frakt!
Leveringstid: Sendes innen 21 dager
På grunn av Brexit-tilpasninger og tiltak for å begrense covid-19 kan det dessverre oppstå forsinket levering.

Om boka

The first major book on MDM written by Group Policy and Enterprise Mobility MVP and renowned expert, Jeremy Moskowitz!

With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop-for PCs, tablets, and phones-through the common Mobile Device Management (MDM) layer. MDM gives organizations a way to configure settings that achieve their administrative intent without exposing every possible setting. One benefit of MDM is that it enables organizations to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows organizations to target Internet-connected devices to manage policies without using Group Policy (GP) that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.

With Microsoft making this shift to using Mobile Device Management (MDM), a cloud-based policy-management system, IT professionals need to know how to do similar tasks they do with Group Policy, but now using MDM, with its differences and pitfalls.

* What is MDM (and how is it different than GP)

* Setup Azure AD and MDM Auto-Enrollment

* New PC Rollouts and Remote Refreshes: Autopilot and Configuration Designer

* Enterprise State Roaming and OneDrive Documents Roaming

Renowned expert and Microsoft Group Policy and Enterprise Mobility MVP Jeremy Moskowitz teaches you MDM fundamentals, essential troubleshooting techniques, and how to manage your enterprise desktops.



Foreword xix

Introduction xxi

Chapter 1 Enterprise Mobility and MDM Essentials 1

Getting Ready to Use This Book 2

Why the Need for MDM 3

Group Policy and MDM Compared 6

MDM: Guts, Protocols, and Moving Parts 9

OMA-DM: The Protocol 9

CSPs: Configuration Service Providers 9

MDM Service 11

Extending Your MDM Services with Third-Party Tools 12

Final Thoughts 13

Chapter 2 Set Up Azure AD and MDM 15

Comparative Analysis of Different MDM Services 15

Azure AD Premium, Enterprise Mobility + Security, and Microsoft 365 16

Office 365's Built-In MDM Management 18

Microsoft Intune 20

VMware Workspace ONE 24

MobileIron 25

Setting Up Auto-Enrollment and Enrolling Your First Machines 25

Turning On MDM Enrollment 26

Add Your First User to Azure AD 33

Enroll Your First Windows 10 Machine into MDM 34

Optional Steps: Custom Domain Names and AD to AAD Synchronization 50

Custom Domain Names: Goodbye to "" Names 50

Syncing Your On-Prem AD to Azure AD Automatically 58

Final Thoughts 73

Chapter 3 MDM Profiles, Policies, and Groups 75

MDM Policies and the Policy CSP 75

MDM: Getting Started with Policies 76

Profiles and Policies 77

What Makes an MDM Policy? 82

ADMX-Backed Policies 87

Ingesting Third-Party ADMX Files 96

Creating and Using Groups 108

Creating Assigned Groups 109

Creating Dynamic Groups 109

Advanced Dynamic Rules 111

Utilizing Groups in Intune 114

Final Thoughts 114

Chapter 4 Co-Management and Co-Policy Management 117

Co-Management of SCCM and Intune 117

Co-Policy Management: Group Policy and Your MDM Service 122

Auto-Enroll in Your MDM Service Using Group Policy 122

Co-Policy Management...Who Wins: MDM or Group Policy? 127

Final Thoughts 133

Chapter 5 MDM Migration and MDM Troubleshooting 135

MMAT: Microsoft MDM Migration and Analysis Tool 135

Troubleshooting MDM 139

MDM Service Reports, Diagnostic Logs, and Event Logs 139

Delivery Reports from Your MDM Service 140

Advanced Diagnostic Reports and Resolving Conflicts 141

Final Thoughts about the Advanced MDM Settings Report 143

Resolving Conflicts 144

Investigating Event Logs 148

Remotely Collecting Logs from Windows 10 149

Remember MdmWinsOverGP Setting and Gotchas 149

Other Miscellaneous Notes, Traps, and Gotchas 149

Final Thoughts 152

Chapter 6 Deploying Software and Scripts 153

Preparing for the Remainder of the Chapter 155

What to Download to Get Settled in for This Chapter 155

How to (Generally) Deploy Applications with Intune 157

Deploying MSI Applications with MDM 161

Deploying Your First MSI Application 161

Deploying AppX Apps via the Microsoft Store for Business 170

Getting Started with and Activating the Microsoft Store for Business 170

Acquiring AppX Packages to Distribute Using Microsoft Store for Business 172

Deploying MSIX with MDM 178

Repackaging an App with the MSIX Packaging Tool 181

Deploying Office 365 ProPlus with MDM 196

Deploying Win32 Apps with MDM 206

Microsoft Intune Win32 Content Prep Tool 207

Gathering All the Needed Items in One Place 208

Preparing the Win32 Application Contents 210

Add the .intunewin File to Intune 211

Assign the App and See Results 216

Other Win32 Deployment Examples, Troubleshooting, and Final Thoughts 217

Deploying Scripts with Your MDM Service 219

Deploying Scripts (That Deploy Software) with Intune 220

Delivering Other Software and Files with MDM (Using PolicyPak File Delivery Manager) 226

Downloading Unusual File Types 227

Downloading .EXEs, .MSIs, or Unusual Software, Then Running a Script (and Cleaning Up When You're Done) 228

Downloading a ZIP and Automatically Unpacking Its Contents 229

Final Thoughts 231

Chapter 7 Enterprise State Roaming and OneDrive for Business 233

Pregame Setup for This Chapter 235

Get Your Azure Tennant ID 235

Enterprise State Roaming 239

Setting Up Enterprise State Roaming 241

OneDrive for Business 244

Managing the OneDrive Tenant 246

SharePoint and SharePoint Migration Tool 248

OneDrive Sync Client 257

OneDrive's Magic Trick: Known Folder Move 268

Files Restore (from Malware or User Error) 276

Final Thoughts 279

Chapter 8 Rollouts and Refreshes with Configuration Designer and Autopilot 281

Windows Configuration Designer 282

Get WCD from the Windows Store 283

What Can You Do with WCD? (And What Shouldn't You Do with WCD?) 284

WCD Example 284

Implementing the .PPKG File 290

Results from Using a .PPKG File 292

Final Thoughts about WCD 292

Autopilot 293

Getting Devices Registered into Autopilot 296

Creating Groups for Your Autopilot Machines 303

Setting Up Your Autopilot Deployment Profile 306

Automatically Harvesting Hardware IDs into Autopilot 317

Autopilot: Resets, Retire, Wipes, and Fresh Starts 324

Linking a Specific User to a Specific Hardware ID 329

Autopilot Self-Deploying Mode 330

Autopilot Hybrid Azure AD Join 339

Autopilot White Glove 356

Final Autopilot Resources 358

Chapter 9 Windows 10 Health and Happiness: Servicing, Readiness, Analytics, and Compliance 359

Windows, Office, and OneDrive as a Service 359

Servicing Windows 360

Servicing Office 365

Servicing OneDrive (Revisited) 367

Making Your Own Rings for Windows, Office, and OneDrive 367

Office and Application Readiness 375

Office 365 Readiness Toolkit 376

App Health Analyzer 380

Desktop Analytics 381

Introduction to Desktop Analytics 382

Prepare, Pilot, and Deploy Phases 383

Final Thoughts on Desktop Analytics 383

Device Compliance and Health Attestation 384

Getting Started with Compliance Policy 385

Final Thoughts on Windows Health and Happiness 393

Chapter 10 Security with Baselines, BitLocker, AppLocker, and Conditional Access 395

Security Baselines 396

Creating Your Security Baselines in Intune 397

Assigning Your Security Baseline to a Group 399

Syncing Your Client to Get the Baseline 400

Testing Your Baseline 401

Reporting and Monitoring Baselines 402

BitLocker: Full Disk Encryption 404

Enabling BitLocker Using Intune 404

BitLocker Key Recovery and Management 412

BitLocker Final Thoughts and Additional Resources 416

Application Whitelisting with AppLocker or PolicyPak Least Privilege Manager 417

Using AppLocker for Whitelisting 417

Using Your AppLocker Rule with Intune 420

PolicyPak Least Privilege Manager for Whitelisting 423

Conditional Access 426

Setting Up Azure Conditional Access 427

Final Thoughts on Security 434

Chapter 11 MDM Add-On Tools: Free and Pay 439

Company Portal App 439

Setting Up Company Portal Branding 440

Users Interacting with the Company Portal App 441

Microsoft Graph and the Graph Explorer 448

PolicyPak On-Prem & MDM Edition 455

Getting Started with PolicyPak 456

Using PolicyPak to Export Existing Group Policy to MDM 458

Using PolicyPak to Overcome UAC Prompts 461

Using PolicyPak to Block and Allow UWP Applications 463

Using PolicyPak to Manage Application, Browser, and Java Settings 463

Using PolicyPak to Manage Windows Features (and Optional Features) 466

PolicyPak Deployment with Intune (or Any MDM) 466

Interesting Things I Found on the Internet 467

Untested, but Seemingly Useful Scripts 467

Yodamiitti Intune Management GUI 468

Final Thoughts (on This Chapter, and about the Book!) 470

Index 473

Om forfatteren

JEREMY MOSKOWITZ, is a 15-year Microsoft MVP awardee and is founder of and CTO of PolicyPak Software. Since becoming one of the world's first MCSEs, he has performed Active Directory, Group Policy and MDM planning and implementations for some of the nation's largest organizations. His best-selling book Group Policy Fundamentals, Security, and Troubleshooting, Third Edition is on desks of administrators everywhere.