Mastering Microsoft Endpoint Manager

Book description

Design and implement a secure end-to-end desktop management solution with Microsoft Endpoint Manager

Key Features

  • Learn everything you need to know about deploying and managing Windows on physical and cloud PCs
  • Simplify remote working for cloud-managed cloud PCs via the new Windows 365 service
  • Benefit from the authors' experience of managing physical endpoints and traditional virtual desktop infrastructures (VDI)

Book Description

Microsoft Modern Workplace solutions can simplify the management layer of your environment remarkably if you take the time to understand and implement them. With this book, you’ll learn everything you need to know to make the shift to Modern Workplace, running Windows 10, Windows 11, or Windows 365.

Mastering Microsoft Endpoint Manager explains various concepts in detail to give you the clarity to plan how to use Microsoft Endpoint Manager (MEM) and eliminate potential migration challenges beforehand. You'll get to grips with using new services such as Windows 365 Cloud PC, Windows Autopilot, profile management, monitoring and analytics, and Universal Print. The book will take you through the latest features and new Microsoft cloud services to help you to get to grips with the fundamentals of MEM and understand which services you can manage. Whether you are talking about physical or cloud endpoints—it’s all covered.

By the end of the book, you'll be able to set up MEM and use it to run Windows 10, Windows 11, and Windows 365 efficiently.

What you will learn

  • Understand how Windows 365 Cloud PC makes the deployment of Windows in the cloud easy
  • Configure advanced policy management within MEM
  • Discover modern profile management and migration options for physical and cloud PCs
  • Harden security with baseline settings and other security best practices
  • Find troubleshooting tips and tricks for MEM, Windows 365 Cloud PC, and more
  • Discover deployment best practices for physical and cloud-managed endpoints
  • Keep up with the Microsoft community and discover a list of MVPs to follow

Who this book is for

If you are an IT professional, enterprise mobility administrator, architect, or consultant looking to learn about managing Windows on both physical and cloud endpoints using Microsoft Endpoint Manager, then this book is for you.

Table of contents

  1. Mastering Microsoft Endpoint Manager
  2. Foreword
  3. Contributors
  4. About the authors
  5. About the reviewers
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
  7. Section 1: Understanding the Basics
  8. Chapter 1: Introduction to Microsoft 365
    1. An introduction to Microsoft 365
      1. What do the services achieve?
      2. Microsoft Endpoint Manager
      3. Azure Virtual Desktop
      4. AVD and Windows 365 Cloud PC – shared responsibility model 1
      5. AVD and Windows 365 Cloud PC – shared responsibility model 2
      6. Productivity Score
      7. OneDrive for Business (part of Microsoft 365 Apps)
      8. Microsoft Defender for Endpoint (formerly MDATP)
    2. Summary
    3. Questions
    4. Answers
    5. Further reading
  9. Chapter 2: What Is Unified Endpoint Management?
    1. Paths to modern management
    2. Microsoft Endpoint Manager and Intune
      1. Endpoint Manager admin center portal
      2. Microsoft 365 admin center portal
      3. Cloud PC/Windows 365
      4. Azure Active Directory (Azure AD)
      5. Cloud management gateway (CMG)
      6. Desktop Analytics
      7. Microsoft Endpoint Manager – from on-premises to the cloud
    3. Exploring Windows 10 Enterprise in detail
      1. Using Windows via a Windows 365 cloud PC
      2. Azure KMS – cloud PC/Windows 365/AVD
      3. WUfB is the new way of managing Windows servicing
    4. Bring your own device
    5. What is zero trust?
      1. Verifying identity
      2. Verifying devices
    6. Summary
    7. Questions
    8. Answers
    9. Further reading
  10. Section 2: Windows 365
  11. Chapter 3: Introducing Windows 365
    1. What is Windows 365?
      1. Removing the complexity of traditional VDI deployments
      2. Why virtualize Windows in the cloud?
      3. Comparing Windows 365 Enterprise and Business
      4. Microsoft Endpoint Manager
      5. High-level architecture components and responsibilities
    2. Microsoft Endpoint Configuration Manager support
      1. Co-management and Windows 365
      2. Sizes and performance of fixed-price licenses
    3. On-premises connections
      1. Provisioning policies
      2. Windows 365 – gallery images
      3. Custom images
      4. Roles and delegation
      5. The Watchdog service
      6. Optimized Teams on Windows 365
      7. Microsoft Edge
      8. Sleeping tabs
      9. Startup boost
      10. Screen capture protection
    4. Summary
    5. Questions
    6. Answers
    7. Further reading
  12. Chapter 4: Deploying Windows 365
    1. Technical requirements for deploying Windows 365
      1. Azure subscription
      2. Azure VNet
      3. Azure VNet – required related URLs and ports
      4. Microsoft Endpoint Manager and AVD – service URLs
      5. Remote Desktop Protocol requirements
      6. Hybrid Azure AD joined
      7. Purchasing and assigning cloud PC licenses via the Microsoft 365 admin center portal
      8. On-premises network connections
      9. Provisioning a cloud PC
      10. User settings – self-service
    2. Self-service capabilities – IT admin
      1. Reprovisioning the cloud PC
      2. Local administrator
      3. VM SKU upgrades (preview feature)
      4. Image management – creating a custom image (optional)
      5. Supported endpoints
      6. Information Worker Portal (IWP)
    3. Azure AD – MyApps unified (workspace) portal
      1. Multi-factor authentication and conditional access
      2. Security baselines for a cloud PC
      3. Distributing the Remote Desktop client via Microsoft Endpoint Manager – Intune to your physical endpoints
    4. Auto-subscribing users in the Remote Desktop client
    5. Autopilot and cloud PCs – lightweight thin client (Kiosk)
    6. Monitoring and analytics
    7. Shadow users with Quick Assist
    8. Windows 11
    9. Microsoft Managed Desktop
    10. Summary
    11. Questions
    12. Answers
    13. Further reading
  13. Section 3: Mastering Microsoft Endpoint Manager
  14. Chapter 5: Requirements for Microsoft Endpoint Manager
    1. Endpoint scenarios
    2. Identity roles and privileges for Microsoft Intune
      1. Compliance Administrator
      2. Compliance Data Administrator
      3. Intune Administrator
      4. Message Center Reader
      5. Security Administrator
      6. Security Operator
      7. Security Reader
    3. Identity roles and privileges for a Windows 365 cloud PC
      1. Azure Subscription Owner
      2. Intune Administrator
      3. Domain Administrator
    4. Identity roles and privileges for Universal Print
      1. Printer Administrator
      2. Printer Technician
    5. Licensing requirements
    6. Supported OSes
      1. Required web browser versions
    7. Windows 11 requirements
      1. How do you get Windows 11?
    8. Administrator licensing
      1. Azure AD group-based licensing
      2. Setting the mobile device management authority
      3. Enabling Windows automatic enrollment
      4. Using Azure Virtual Desktop with Intune
      5. Microsoft Intune enrollment restriction for Windows
      6. Microsoft Intune device restrictions for Windows
      7. Blocking personal Windows devices
      8. Microsoft Intune device limit restrictions for Windows
      9. Customizing Intune company portal apps, the company portal website, and the Intune app
      10. Associating your Microsoft Store for Business account with Intune
    9. MEM – network URL firewall requirements
      1. Access for managed devices
      2. Windows 365 endpoint URLs
      3. Network URL requirements for PowerShell scripts and Win32 apps
      4. Windows Push Notification Services – required URLs
      5. Windows 365 and Azure Virtual Desktop – required URLs
    10. Universal Print – required URLs
      1. Delivery Optimization
    11. Summary
    12. Questions
    13. Answers
    14. Further reading
  15. Chapter 6: Windows Deployment and Management
    1. Deploying existing Windows devices into Microsoft Endpoint Manager
      1. Enrolling devices – Windows enrollment
      2. When to use what solution
    2. Windows Update for Business
      1. Types of updates managed by Windows Update for Business
      2. Enforcing compliance deadlines for updates
      3. How to handle conflicting or legacy policies
      4. How to set up and configure Windows Update for Business
      5. Safeguard holds
      6. Expediting a Windows patch
      7. The Windows Insider Program for Business
    3. Summary
    4. Questions
    5. Answers
    6. Further reading
  16. Chapter 7: Manager Windows Autopilot
    1. Technical requirements
    2. Windows Autopilot overview
    3. Uploading the hardware ID to Windows Autopilot
    4. Windows Autopilot for existing devices
    5. Windows updates during the Out-of-Box Experience (OOBE)
      1. Auto-assigning Windows Autopilot profiles in Intune
      2. Signing in to Graph Explorer
    6. Enrollment Status Page (ESP)
      1. ESP implementation Windows CSP
    7. Autopilot reporting and diagnostics
      1. Company Portal
      2. Configuring automatic BitLocker encryption for Autopilot devices
    8. Cloud configuration scenario
      1. Deploying essentials that users might need to access work or school resources
    9. Edge kiosk self-deployment scenario
      1. Creating a specific ESP for the Edge kiosk
      2. Creating a Windows Autopilot profile
      3. Self-Deploying (preview)
      4. Autopilot Reset
    10. Wiping and resetting your devices
    11. Fresh start
      1. Windows Recovery Environment
    12. Summary
    13. Questions
    14. Answers
    15. Further reading
  17. Chapter 8: Application Management and Delivery
    1. Application delivery via Microsoft Endpoint Manager
    2. Different application types you can deploy
      1. LOB applications
      2. Supersedence mode
    3. Community tool – Win32App Migration Tool
    4. Deploying Microsoft 365 apps
      1. Update channels
      2. Office Customization Tool
    5. Microsoft 365 Apps admin center
      1. Microsoft 365 apps – customization
    6. Deploying Microsoft Teams
    7. OneDrive
      1. Deploying Microsoft Edge
    8. What is MSIX?
      1. AppxManifest.xml
      2. AppxBlockMap.xml
      3. AppxSignature.p7x
      4. How to create MSIX packages
      5. Pushing the MSIX package application to your endpoints
    9. Summary
    10. Questions
    11. Answers
    12. Further reading
  18. Chapter 9: Understanding Policy Management
    1. Policy management
    2. What is a CSP policy?
    3. Windows Push Notification Services (WNS)
    4. Policy management within Microsoft Endpoint Manager
    5. Migrating existing policies from AD – Group Policy management (preview)
    6. Summary
    7. Questions
    8. Answers
    9. Further reading
  19. Chapter 10: Advanced Policy Management
    1. Policy management
      1. Configuring a policy from the Endpoint Manager Security blade
      2. Configuring your Endpoint security profile
      3. Windows 10 unhealthy endpoints
      4. Attack surface reduction
      5. Configuring a policy from the Settings catalog
    2. Configuring administrative templates
      1. URL reputation
      2. OneDrive Known Folder Move configuration
    3. OneDrive – block syncing specific file extensions
    4. Configure device configuration (template)
      1. Leveraging a custom policy as a last resort
    5. Pushing PowerShell scripts – scripted actions to endpoints
    6. Compliance policies
      1. Windows
      2. Organizational compliance report
    7. Summary
    8. Questions
    9. Answers
    10. Further reading
  20. Chapter 11: Office Policy Management
    1. The Office cloud policy service
    2. Creating a policy configuration with the OCP service
      1. Configuring policies
      2. Tips and tricks in the OCP service
      3. How are Office cloud policies applied?
    3. Security Policy Advisor
    4. Summary
    5. Questions
    6. Answers
    7. Further reading
  21. Chapter 12: User Profile Management
    1. Windows profiles
      1. Modern profile management
      2. Enterprise State Roaming
    2. Microsoft Office's roaming settings
      1. Outlook's signature cloud settings
    3. OneDrive for Business Known Folder Move
      1. Windows 10 Storage Sense
      2. OneDrive and Storage Sense
    4. Microsoft Edge
    5. ESR + OneDrive + Edge + Office
      1. Migrating from legacy to modern profile management
    6. Summary
    7. Questions
    8. Answers
    9. Further reading
  22. Chapter 13: Identity and Security Management
    1. Microsoft Identity
    2. AAD
      1. AAD users
      2. AAD guest users
      3. AAD group types
      4. AAD membership types
      5. Hybrid AAD
    3. Conditional Access
      1. Users and groups
    4. Cloud apps
      1. Conditions
    5. Grant
    6. Preventing users from carrying out AAD device registration
    7. Self-service password reset
    8. AAD password protection
    9. Password-less authentication
    10. Enabling password-less authentication
      1. What is and isn't supported in each password-less scenario
    11. BitLocker disk encryption
    12. BitLocker recovery keys
    13. Microsoft Defender for Endpoint
      1. Integration with MEM
    14. Security baselines
    15. Compliance policies
    16. Windows 365 security baselines
      1. Requirements for Defender for Endpoint
    17. Connecting to Intune – MEM integration
    18. Alerts and security assessments
      1. Security recommendations
    19. Summary
    20. Questions
    21. Answers
    22. Further reading
  23. Chapter 14: Monitoring and Endpoint Analytics
    1. Monitoring and analytics
    2. Monitoring your physical and virtual cloud endpoints
    3. Endpoint analytics – advanced monitoring
      1. Start up performance – logon duration
      2. Performance score breakdown
    4. Top 10 impacting start up processes
    5. OS restart history
    6. Resource performance
    7. Insights and recommendations – score trends
    8. Application reliability
    9. Windows 365-specific metrics
    10. Insights and recommendations
      1. Configuration Manager data collection
    11. Customizing your baselines
      1. Proactive remediations
      2. Azure Monitor integration
    12. Productivity Score
    13. Service health
    14. Summary
    15. Questions
    16. Answers
    17. Further reading
  24. Chapter 15: Universal Print
    1. What is Universal Print?
      1. Universal Print – architecture explained
      2. The print connector
      3. Where does my printed data go?
      4. Printer defaults
      5. Universal Print – service requirements
      6. Network requirements
      7. Learning how to deploy Universal Print
      8. Delegating printer access – custom roles
      9. Connecting your existing printer to Universal Print
    2. Configuring Universal Print
      1. Enabling Hybrid AD configuration – via the Universal Print connector
      2. Registering your own custom printers with Universal Print
      3. Sharing your printers with your users
      4. Assigning permissions to use a printer(s)
      5. Testing your Universal Print connected printer
    3. Assigning and deploying cloud printers with Microsoft Endpoint Manager
    4. Summary
    5. Questions
    6. Answers
    7. Further reading
  25. Section 4: Tips and Tricks from the Field
  26. Chapter 16: Troubleshooting Microsoft Endpoint Manager
    1. Troubleshooting MEM
    2. Service health and message center
    3. Troubleshoot blade in MEM
    4. Troubleshooting Windows 10 MEM enrollment
      1. BitLocker failures
    5. Windows 10 device diagnostics
      1. Client requirements
    6. Troubleshooting application delivery
      1. Win32
      2. LOB
      3. Microsoft Store apps
    7. Troubleshooting Autopilot
    8. Windows 11 Autopilot diagnostics page
    9. Troubleshooting locating a Windows device
    10. Troubleshooting Microsoft Edge
    11. Summary
    12. Questions
    13. Answers
    14. Further reading
  27. Chapter 17: Troubleshooting Windows 365
    1. Troubleshooting yourself and Microsoft Support
      1. Windows 365 provisioning errors
      2. Cloud PC – device-based filtering
    2. Summary
    3. Questions
    4. Further reading
  28. Chapter 18: Community Help
    1. Join the new W365 Community!
    2. Microsoft Tech Community and MS Learn
    3. Other community blogs, Microsoft MVPs, and more…
    4. Summary
    5. Why subscribe?
  29. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Mastering Microsoft Endpoint Manager
  • Author(s): Christiaan Brinkhoff, Per Larsen
  • Release date: October 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781801078993