Intune Basics for SCCM Admins | Start Learning Intune with How to Manage Devices #HTMD #MSIntune

Captions
let's let's get started so I didn't experience so the above - associate console right or a meme Amy MCM control right why does ME ME MCM right that is Microsoft endpoint manager manager that is Amy MCM right that is the new name of a cesium okay so new brand name of a cesium I would say right the actual name of the cesium is still configuration manager right it was System Center Configuration Manager that is why because before it does a cesium but now it's changed to Microsoft point manager configuration manager so it's bit long I know that and I I don't know how to pronounce it properly so yeah I always get confused and that is why I still use that is my kind of favorite code still now okay I try to change it to contribution manager but it's still difficult for me so I'm still sticking it sticking with a cesium sometime so bear with me on that but right so so this is admin experience right first when is a cesium and the pillow - you know Microsoft endpoint manager admin cinder right so let's move to the next slide so this is this I already mentioned and basically from an architecture perspective you know you all know SVM architecture right you need to you need to build servers on Prem servers or private cloud servers and you need to you need to configure management points called distribution points all on the bird managing at an organization if you are managing your devices in a global organization you need to have distribution points and many to mean points and software update points all around the world as I show in the picture right to add to add that complexity like now be my something like it's loud management we took the session yesterday management we can connect a system in tune to manage devices in a calm and aged way right so so these these this is basically the SCC of Architecture from a high level perspective right do you know in tune architecture have you ever noticed this picture right I have I have taken this from a branch post so he posted into 
Intune architecture right within within the road so this is the architecture of impune basically right so from our perspective we don't have to do anything we just need to subscribe to in tune we need to get a license from Microsoft and Microsoft with automatic these are within premises right so be so this sorry for the interruption this is not question enough rather we are losing you in between now your audio is poor Oh yours is breaking thank you for that is it okay now or how is it better now look okay thank you so let me let me know let me know if I if my voice is not very good so probably I can speak up a bit or probably I need to adjust my mic or something or my internet connection is not good or something so please let me know right if if my voice is breaking in between right thank you thank you for that okay so I forgot where where was I okay anyways like so in tune architecture right so that is that is the in tune architecture so probably I don't know much about this architecture i if you want to know more about in tune architecture I would recommend to read the posts from Brad right I I can share the links with you okay and there are like I think five posts or something so all the details are there right how how we build how Microsoft built in tune architecture and what are the technologies they use K for the redundancy and all the other stuff right so that is really interesting right okay cool so so from a admin perspective right into NAT min perspective we don't need to really worry about the architecture of in tune right at least from the server side right so I I didn't mean we don't we don't have any jobs like if your architecture we don't have any job in in tune that's that's that's not the point I was making from a server perspective right server placement perspective for if you can see yes SEM server placement we need to decide where to put the servers and where to put TPS mp's and all right but in in tune we don't need to decide that kind of a 
architecture right and we don't need to work with SS a network team to decide like why does the firewall ports we need to open between these management points and is over or chaos over right okay I'm looking into chat I'm better I'm getting disturbed there so better I will close the chat okay so anyways like let's move to the next slide okay so in in sec immuno like we need to we need to have sequel database and do you know what is what is the database used in in tune so so as for as per Brad's post it it is no sequel I don't know like whether you are able to see the screen or and it's it's very clear or not but it's mentioned over there that no sequel is the database used in used for in tune that is what I got the information from Brad's post right so that that was one of the interesting interesting signal your interesting information for me so though so I thought like I will share this same with you all right so as you as you as you have seen this is this is the this is the thing Microsoft developed right so in Tunis be a based on service fabric cluster okay a solution in a Joel so all the in tune servers right all services are hosted within these these technology right that is called service fabrics cluster right I don't know much about this how how this works and all the other details but this is this is the technology Microsoft is using within within the within in tune service right let me let me go yeah okay so basically if you want to get a full picture of it and so this is again taken from Brad's Brad's post so as you can see there are like three three regions right in each region in tune has its own services hosted right - North America and the other one is Europe and then the - asia-pacific right so there are three three regions in tune has services offering right so when you when you take a subscription of impune or as your ad or office 365 it is it is important to select the region which which your businesses are in that is that is an important 
architectural decision you need to take write a yesterday rajul also explained about borders right this is to reduce the latency between the between your clients and your Intune services etc right so let me go back okay I didn't explain the service fabric bit right so so this is the service fabrics architecture or in tune architecture this is also taken from Brad's post right so this is where clients are getting connected and you can see all the service fabric ring and it is getting connected to friend end and I think there are there are two two things over here right a friend 10 machines and friends and machines are basically as you're as you're a for templates right they they are a for template servers so these these friends and missions are hosted in as array for template if I understand correctly right and a middle tier mission site so these missions are created with as your a7 templates right so if you don't know about as your a 7a for kind of templates so these are VM configurations basically right for example like 100 hundred gigabytes of RAM and 1 TB of like hard disk and 18 core processes or those kind of stuff right so that is a template if I understand it bellick correctly right okay so and as you can see over here in this in this diagram there are stateless server service process and state full service processes night in in tune right some of the services are stateless right once you close and close the console probably that will get closed right that will that will that that I will get removed right that is what my understanding is right so the as I mentioned I have not it more R&D in this so probably it is but if you are interested to model learn more about this architecture in tune architecture basically I would strongly recommend to Peru brats okay I'm sorry I'm muted someone okay so so if you are really interested to learn more about in tune architecture I think you need to go through those five hosts from Brad so I think you need to spend I 
probably like one day in their day in those posts to understand it better right so I'm not I'm not going to trying to explain it over here because I don't know to be honest I'd I don't know exact like 100 percentage about this architecture at all right I'm not come for comfortable explaining it right to be honest so so let's go back if I can go back okay so if you have any questions about architecture you can come off mute and ask this is the time to ask questions you you need to have only one tin and countenance of with one tenant that can be nice for the children yeah Mike you know that so if you look at services in a zoo right so there are like it's so independent services right I some some services like office 365 and other services right so Microsoft will take care of those services by by default so you don't have to worry about replicating it yourself or you need to you need to you don't need to do that if I understand it correctly thank you if we use hello yeah they good yeah so if you use thank you so we have to use any VM for that or we can use the Azure services so you know so that will be good or I I confused you all with the VM templates and all right yeah so that is Microsoft architecture in their data center so we don't have to do anything with that architecture so we don't have to define anything so that is automatically ready for you to use you don't see that architecture right anywhere so this is a virtual representation or picture pictorial representation of that architectural so I thought of sharing that because it will give you idea white as the background architecture of in tune in in as your data center right so we don't need to do anything from from a sin to admin perspective we just need to use in tune console or in console so again I am going to a cesium whirs right into in Portal and we need to configure our settings from acute portal so it means this a sad sorry such model yeah it's it's entirely a SAS model okay okay thank you let's live 
I don't know if you could provide the branch lengths of branch post yeah I will do that after the presentation I know thank you yeah I know this is COBOL here so uh nope you know if you know any customers running like a beer system already in the infra so if they want to migrate to in tune so they need to purchase a license for them yeah if you are if you are office 365 as summer right you you might already have a subscription right so you need to budgets you need to purchase licenses and Intune licenses or EMS III or e5 licenses or Microsoft 365 licenses right that that will make make into work that that is that is the licenses you require for that but again I am NOT a licensing expert so I don't know like what is the exact requirement for your organization and what is like it's better to contact your time or somebody from Microsoft licensing team to get more details about that so they will have some appropriate licensing materials which you can go through and they will they will give you some boys and all right it's not here okay yeah thank you so you have a license you don't need a interview license for all the devices if you're going to manage only with via KHOU management so the existing assistant license will be converted into into licenses just to manage the devices from into for Windows 10 only and that is why a co management that and in that case you need one license just to activate your Intune tenant but otherwise you are pretty much sorted and that's what is the wall to marriage mobile then you need additional licenses are fully included in to e5 or e3 there is a kites over there do you know so what about the Hazzard p1 licenses right so we need for p1 licenses if we want to manage as your ad join devices or as your hybrid as your ad join devices right that is not covered as part of its ECM like yeah this is kind of complex scenarios so that I don't want to commit anything or commit anything new license so yeah I mean that I mean the statement is 
partially correct that if you have a CCM license and if you don't have any entomb license it can still work yes it will still work but the user device Association will not happen so what happens is if you check the co-management handler log in the co-management analog you can actually see that the SEM client actually checks for about 24 hours whether the logged in user has an Indian license or not if the user does not have an Indian license then by default it gets it enrolled to in tune but the device is not attributed to the user in a way it becomes a device enrolled without user affinity so that's something you might wanna keep in mind is yep thank you thank you yep thank you thank you sir over here nope yeah if you have like you know I'm in with the new M ECM 2003 in tune and secm are combined right still you need a license for in tune or does that cover under the newer licensing model so that's that's what we were talking about so we honestly right I am NOT is this a licensing expert right I don't know much about it but what I know is basically if you are using Co management as Jodi mentioned you will get a free lies in tune license for those windows devices but there is a catch over there we need to think about as or p1 licenses right as your active directory p1 licenses and as as Sordo mentioned there is another catch also over there so I don't want to comment anything on that which is wrong probably that is going to be wrong so it's better to contact the licensing team from Microsoft all time for your account and get more clarity on this part right yeah make sense thank you I miss the other conversation Thanks so let's let's move on so this is this is basically as I mentioned before right so in in SCM I'm trying to compare a cesium and in tune right to to give you a better understanding okay so you can see there is a sec I'm over there and you can see a cesium console and SSE M as your Active Directory discovery and alright so in a cesium world when we 
implement an SCM for example for example if you are implementing a new SCM infrastructure right you need to you need to build a cesium servers then you need to connect that with Active Directory and you need discover the objects from Active Directory right Active Directory users active era cream computers active directly elect as your Active Directory groups as well right so it won't automatically come so you need to go in into in tune and you need to call a sorry again in tune and mixing in tune and a system so you need to go into a cesium console configure all these active directory discovery methods right so this is our a cesium experience right so as I mentioned over here you need to first of all extend the schema right so that is first part right in in in your a cesium infrastructure in your office and grown-man daily enrollment if you have not an ad schema extension and you are trying to install a cesium as a first there is no other a cesium infrastructure in your environment then in that case you need to extend ad schema right so there are some posts available how to extend ad schema exit ramp right so so to enable all a cesium capabilities you need to enable ad schema and all right for the forest right if you if you have enabled ad schema for some of your poorest and then you don't need to do it for domains below like child domains and so many other domain controllers right within your organization so this is per forest schema extension in if in an ACC of Romanticism perspective right so if I if I go PI so I will cover this ad user and group deployment by a collection in a different slide right so we can we can skip that for now so from an Indian perspective right there is nothing like ad discovery active directory discovery okay so in Tunis basically a service which is tightly integrated with Azure ad right so there is nothing called active directory discovery user discovery system discovery or anything calls like that in in tune right so that is that is 
automatically integrated so when you go to cons boat'll in tune portal you can see the users groups automatically there okay so so that is a different experience which you get in in tune yeah okay no need to contribute to group already do you think yeah so so I will cover the targeting in a different slide yeah and the the last point over here is seamless client server authentication right so that is that is also an interesting stuff right so we have lot of complex scenarios in a cesium like with different forests and untwisted for a scenario how the client will communicate if the cesium server is in a in a different forest and the client is interested a forest or something right so that kind of scene scenario is not there at the moment in in tune right because it's it's all done through as your ad and that is part of your tenon right but if you have to friend as your ad subscriptions for your different or different departments within your organization then that is going to make things worst I would say okay at the moment but Microsoft I think Microsoft is working on those kind of scenarios over as well any questions on this topic for improve you need any client or a sim we have a claim that there's a slide over this is Gopal here as I said that it's in a system infer that maybe it's already extended for as you info and if we are moving to like in two of the ejido your ad so in that case in extending there is nothing called extension schema extension or something so that is why I mentioned in those kind of stuff but that is a different so-called took that right but the schema extension in a tune world or as break evolve okay yeah he can if you can if I don't so your voice is getting good how is it no yeah yeah is it better but there is gotta you not so there is lot of you know background noise it's okay no please go unleash yeah yeah yeah perfect okay so basically I was saying like there are a lot of complex scenarios right I don't I I don't want to cover all those 
in this kind of session because there's nothing called extension of ad schema in Azure ad right there's nothing called nothing called like that but there are options or in Azure ad kinase re ad connect right and Ald Connect is the tool which we use basically for replicating the users on from ad users groups and to to Azure ad right so that is a different topic altogether but you don't need to go into that at this point of time right so you just need to understand that in Tunis tightly integrated with Azure ad and in Tunis into an authentication system is based out of Azure ad right so you don't need to do any special configuration apart from some configuration which are which I am going to show in the demo right about one configuration I would say okay any other questions Anoop so like in SEM we have like before installing or configuring the system we have to create the system management container so that the SSM will dump the data on system management container and a ad will use that data so is the same procedure that we have to do in in tune whether in your area or any separate container will get created no so so basically container rate system management container is part of container creation is part of extension process right it is scheme extinction process if you don't need to do ad schema extension and if you are not using that container then there is no no option like that or there is for need to do container creation in in tune at the moment okay thank you okay no other questions so let's move forward [Music] climb right so in this slide we are going to talk about climb right so there was a question before is there any client for in tune okay that's a that's a that's a really key question because the answer is yes at no okay so we will look into it in details during the demo as well right so in this slide what we are going to see is basically I'm trying to explain like a is from a system perspective right we support only like Windows and Mac devices at the 
moment right we don't support Android iOS iPad OS okay or next right so Linux unique support is already out of out of support I think right we don't support the latest versions of Asus eum's the cesium doesn't support Linux and unique sois so the only supported OS from a client perspective is Windows and Mac OS okay and you need to install clients from HCM right ACM console basically right so you need to configure the client installation options like client push or some other some other method right as part of our sequence you can install client or you can deploy a package if you already have a molder versions of a CCM client or you can use a group policy to install sem client so that is the associate light installation method so first first we talked about the discovery rate so that is a that is one of the step which we need to both go through when you are setting up a new a cesium in France and then you need to install clients then you basically you need to configure the boundaries as well right so there is nothing called boundaries in in in tune right I don't know like I probably I will cover that topic in the in the coming slide right about the boundaries and all okay oh it's there it's there already okay so client management within a network boundary right so we don't associate clients should be in an boundary you know right so there are there are something called boundaries and boundary grooves right so boundaries should be part of boundary grooves then only you your client will get the content and site assignments policies etc right so so that is that is typical settings for SCMS SCC I might mean we will be it me admins we will be thinking oh what is that what is what is the point of similar point in in tune right so so that that is what we are going to cover in this in this in the below points right so I will come to that in a minute the client is independent of Windows operating system so SCCM client is independent of Windows operating system right so it's 
a different client and you have a exe or MSI to install SCM client if you want to manually do that that is that is not part of Windows operating system right okay so if you if you come to in tune right so basically in tune can support Android iOS iPad or is Mac and Windows 10 and Windows 8 as well IP okay so I don't know how many of you are still using Windows 8 okay anyways so this there are Lord large support scenario over here right you can support you can have an Android Android devices iOS devices iPad OS devices Mac OS devices managed through in tune okay and in tune uses Windows 10 MDM component right so if you if you ask me is there any is there any special in tune client for managing managing the devices for example if I am planning to use in tune for my Windows 10 devices do I need to install in tune client or do I need to configure something like client push ok for the initial installation so the answer is no ok there is no need to install in tune client using some client push method or group policy or something like that right but the client in tune is using is called MDM component though so there is a catch in that I will come to that okay so MDM it's part of Windows 10 operating system right and it is part of it is called MPM component ok sorry yeah MDM component right and in tune is using that MDM to manage your Windows 10 devices right so here I am talking about only Windows 10 devices right so if you are if you if you ask me like about iOS Android and all the other devices right how do how do you manage those devices from in tune so basically for that you need to have something called in tune my what is that I forgot there's a there's a client which you can install client app company portal server thank you it's all that from you are your app store right from wherever like if it's a Android device you can go to Google store and download that or it depends on the scenario right so the different scenarios I enrollment scenarios right so when you have 
for Freight own devices you have a BYOD bring your own devices depending on that scenario you will install the clients based on that scenario some Samsonite will get automatically installed or it will get automatically pushed one example is the P right so so those things you need to take care so in this session I am going to cover only Windows right specifically Windows scenarios so for Windows 10 as I mentioned the the main client component is inbuilt in Windows 10 operating system and that is MPM component right so unlike a cesium you don't need to install any particular client too many initially manage the devices okay so that's that's one important point you just you need to understand and there is this third point I mentioned over here that is something called in tune management extension okay so if you want to have some additional capabilities for managing in tune okay for example if you want to if you want to deploy PowerShell script okay to in tune manage devices this mbm component doesn't have the capability to do that at the moment okay so what Microsoft 8 is basically they they build a new client lightweight client ok that is called impune management extension ok so that lightweight lines will help us to deploy powershell scripts if you want okay so so that that is why i may i mentioned before if you ask me like whether there is any client for in tune the answer is yes and no because this is lightweight client for deploying PowerShell it's not only PowerShell right it's there are other scenarios as well right if you want deploy a complex application like for example I don't know how many of you heard about into Nguyen format right so basically from my perspective that is kind of a into application model right similarly if I compare it with a cm application model there is a application model in in tune and that is capable to capture many scenarios of a cesium application model no 100 percentage but like the super Siddons and those kind of features are not 
available in in tuned application model using in tune management extension okay so in tune management the extension is there to provide these additional capabilities for managing the clients ok this is that clear ok anyways I will give you opportunity to ask questions during in in a tomb in two minutes or three minutes okay and the other point is right into management extension is this automatically deployed automatically deployed and Reigate will get installed on your Windows 10 in tune managed device okay for example if you are if you are deploying a PowerShell script to an to a Windows 10 device so first process would be basically it will automatically install the in tune management and extension you don't need to configure anything from in tune portal to install this okay so in tune is intelligent enough to understand if administer plying PowerShell script it it cannot deploy it through MDM component so it it as a prerequisite it will automatically deploy into management extension to your Windows 10 device then it it will be either powershell script right as per your deployment right if you can deploy same thing is applicated applicable for application management scenarios also right application model scenarios as also as I mentioned before okay so then you will ask like what is the update mechanism of that in tune management extension as you can see over here I have I have put a screenshot of that service right so that is a service different service running running on your Windows 10 into managed device so what it mechanism of this this component or this lightweight line okay so basically this is also automatically managed from a Microsoft side or from a Intune side we don't need to do anything I am not aware of any scenarios where we need to kind of manage or we need to kind of you land update for this this is kind of automatically managed right okay so what is the last point okay so I already mentioned company portal or in the slide and I was struggling to 
okay so yeah any any questions on this topic so what about servers servers in Troy into so there is no support for that yeah that's really a good question what was that Karthik yes this at the moment there is no support for servers you cannot manage servers within tune so from Microsoft perspective right so there are there are some other methods you can use to manage servers if I understand correctly so so I don't I don't know exactly what are those methods so probably it's a different discussion altogether but at the moment servers are not managed through in doing okay so what is the procedure in tune for the patching let's say it's in case of an SEM we do patching there is in sync manager car comes up comes in a picture and B we get a synchronization of the patches and we get the report how many passes are available or required in a system but but what about the case of in tune how do we manage exact number of patches what are required in case of in tune is this same component you are mentioning over here or it's all together something different thing it's so I I don't know whether I'm going to cover that in the future slides or not but I don't remember exactly but anyways like give you a straight answer right so basically if you go back and discuss about a cm patch in vs. 
in tune patching right you all know SEM patching is not done by associate line right yeah so so same thing right so Windows Windows Update is a Windows Update agent as the component which is doing fetching for SCCM clients right a cesium clients are just coordinating right so they will deliver the policies and they will help to get the distribution for a fan 10 etc right but say so my question my question is not regarding how we deploy or how we do something my question is just regarding the synchronization we get the data before coming to that so so to give you give you all a context that is why I went back to that discussion right Windows Update agent associate line is kind of providing the policies and then handing it over to Windows Update agent and Windows Update edge and this basically installing patches on your Windows 10 machines right okay so in in impune perspective right from any impune perspective we are just corn triggering the policies for matching for when I say configuring the policies so there are there there is there's a certain difference over here right in in a cesium world we use double users right double users to get the patches from windows 8 services in the cloud right and we will we will we will integrate up useful with SCM and that is why you can see all the patches in ACM console ok but in in tune case we are not using W source ok so we use something called Windows Update for business right so Windows updates for business is basically a cloud service ok and that will provide content our patches etc right from in tune what we are doing is basically we want recurring policies similar to two policies right so we say like ok this is this is this is the details you need to go through this is the end-user experience you should have those kind of policies want her they need to important does that is that answered your question ok and this this arise my one more question let's say B we are just configuring the policies now we need to do it one 
time only then yeah the really yeah we do not need to deploy before every patch then how we will be restricting the patches that say some patches get on break I'll go do my environment then how will be restricting those patches so I know I know I always get this question right so for example you are let let's go back a bit rate one point so you are your again going back to a system console and selecting like one or two patches from like 10 patches and deploying that ok so that kind of option is not there in in tune at the moment right so you cannot select a particular patch and deploy it so there is no option like that at the moment probably might come up with that kind of an option in future I don't know ok III don't know that there is any user voice requests for the same if there is no user voice request I would recommend you to put that in user bonus item right sure sure I'll do that thank you it's a very very valid point I mean yeah I mean this is one of the most common questions that we get that I mean I mean the way we are deploying patches from SCCM it's giving us such a grand main control that we can decide which patch would go and when if we compare that but in pure unlikely sir said that what we can do in in Tunis we have our ability of making a policy which is referred to as the Windows Update ring and in that policy you can only customize what the device's behavior is going to be when it gets the patches so when it gets the patches from the cloud so you can make a policy of being Windows operating policy in that you can customize as in what is going to be your maintenance window whether the device is going to reboot after the patches are in after the passes are installed or not and whatnot but you cannot select which patches will be deployed and which will not be deployed because as likely said the patches are not cached in the engine console to begin with but then that brings a very valid point that let's just say that there is a patch that you are 
already aware is going to break your infrastructure and you don't want to deploy it to the devices. So if you already know that, then what is the precaution that you can probably take? We get that question a lot from the customers, and the answer to that is you can probably use a workaround using a PowerShell script. So you can first deploy a PowerShell script which is going to configure the device in a way that it is not going to reach out to the cloud and download a specific patch; once that PowerShell script has been deployed, then probably the Windows Update ring can be deployed as well. So probably a little more customization, probably that is something you can do by deploying a PowerShell script. But yeah, I mean, if you are comparing it with how it worked with SCCM, then obviously, as mentioned earlier, as Intune is not caching the patches, you don't have the ability of picking and choosing which patch will go and which patch won't go; you only have the option of determining how the device is going to behave once it gets the patch. And to add one more point, as far as I have read in the docs, this is where Microsoft is heading towards as well: we don't want to patch it KB by KB. Therefore, I think there are a couple of UserVoice items regarding this, but I'm quite sure that those were closed. What I'm trying to say is, this would probably be the way forward as far as patching via Intune is concerned: we don't want to give the ability of patching KB-wise and deploying the KB, rather than getting it pushed over the cloud. Does that make sense? Yeah, that exactly makes sense, but going into the patching completely, I am having a lot of questions; I don't think that's valid for the Intune case as of now because, you know, it is not that mature. Wow, I totally agree with you, and I've also read in the
doc that they are heading towards it; now they are including something (SSK, I guess) by which, if it is installed, we won't be able to uninstall it, and these kinds of things Microsoft is coming up with. So I'm okay, thank you. Thanks for watching, thank you, thank you. Hi, so I see, like, we are talking about the patches; there is a policy called device compliance. So is that the one where we will come to know that all patches are compliant on that specific device, or is it something different, a different method of just managing in Intune? So compliance policies are a different thing, not directly linked to patching, right? But you can configure a compliance policy; I don't know the latest one, but there is an option you can set in the compliance policies to have some patch levels, right? But I have not looked into that in detail; it's not directly linked to patching. Okay, yeah, thank you. Thank you for this presentation. I just have a question about the Intune Management Extension, especially deploying PowerShell scripts: is it required to sign the scripts before deploying them with Intune, or is there some policy, like the SCCM execution policy for scripts or something like this? So you have both options right now, if I understand correctly: you can sign the script, and there is an option checkmark over there in the Intune portal itself, if I am not wrong. So it's your choice; you have both options. Okay, so I can run unsigned scripts, right? Okay, thank you. So is it on a daily, weekly or monthly basis? Because we have patching usually in terms of SCCM: we have Patch Tuesday, and we use the ADR and we target that ADR to different collections, and we make Patch Tuesday for patching. Does Intune do the same, on a daily basis or weekly basis or monthly basis? I can show you that in the console, and
that will be more clear for you in the demo session. Is that okay with you? Yes, thank you. Hi, this is Denisha. Can you let us know, is there any report available for the patch management, like which patches have been installed and which are not installed, in Intune? Yeah, that's really a good question. A lot of organizations are kind of confused about this kind of reporting. Yeah, you are comparing this again with SCCM reports and you want to have the same or similar kind of reports in Intune, but probably what you can do is use something called telemetry data and all the other things; you need to send that telemetry data up to, what is that called, I forgot, the cloud service which collects all the telemetry data and produces nice reports. So I think if you want to go that way, probably that would be the option. One other option might be, a simpler option, not the best option but a simpler option, might be just deploying a PowerShell script where you just need to put in Get-HotFix, which is going to give you a list of all the KB articles; just export it to a CSV file. Then you can deploy another PowerShell script which is just going to collate all the CSV files to one central location, and then probably leverage that with something like Power BI, which is going to display that in a graphical or tabular format. But by default, to answer the question, if you are enrolling a device into Intune, just like if you enroll a device to SCCM: SCCM shows you the OS as well as the patches installed; Intune would just show you the operating system and the build version, and not the patches installed, only the patches deployed to the device via the Intune Windows Update ring policy. So yeah, the other way might be leveraging something like PowerShell, which would be just a two-liner. Okay, thank you. So you know,
but I have one more thing here. In SCCM we are getting software inventory and we are getting hardware inventory; so is there any specific report or anything there in Intune? At the moment I think you are talking about where you can see all the applications installed, like whether a user installed some application, or do you want to take the inventory? There are no out-of-the-box reports available, and I think, just one thing on this: so for Intune, whether we are talking about Windows 10 or maybe an Android or iOS device, we can get a list of all the applications that the user has installed on the device via Intune. So that is possible. Once the device is enrolled, we just have to click on the device, and it has two sections: one is hardware and one is software. If you click on hardware, Intune collects a lot of hardware inventory from the device, so you will be able to see what is the name of the device, what is the OS version, the build version, the C drive and D drive space available, free space available, all the information as far as hardware is concerned. As far as software is concerned, it contains some information and it doesn't contain some; so then we need to understand what it contains and what it does not contain. For all the software that is deployed via Intune, that list you can get; for the software that is not deployed via Intune, a partial list of those you can get as well. I believe there is a good post by Joy on that. So actually what happens is Intune queries a specific WMI class in the operating system, and whatever list of applications it gets in that WMI class, that involves the applications deployed via Intune as well as some of the applications which are, let's just say, not deployed by Intune, so you will be getting a list of all those applications. So to your question: as far as the hardware inventory is concerned, very verbose
hardware inventory is collected by Intune anyway. As far as software inventory is concerned, any application deployed via Intune and installed on the device will be collected; in addition to that we'll be getting a list of other applications as well. I don't exactly remember the WMI class it queries, but yeah, there is good documentation around that. In addition to that, if it is a Windows device and you still are not getting the software that you wished to get in the report, then the fallback mechanism is always making use of the PowerShell script. Yeah, thank you, thank you for that. Just to come back to that point: basically if you are looking for a report, or if you are looking for something like, from an SCCM admin's perspective, you can right-click on a device and go to Resource Explorer and see all the applications or all the hardware inventory part; that kind of experience is still not there in Intune. But as mentioned, this is the cloud world, and Microsoft is kind of working to get a better user experience day by day, so we will be there probably in the near future, like most of the reports will be available in the Intune portal itself; you don't have to use anything like PowerShell or anything else to get these details. So we are reaching there; we are not yet there, to be honest; that's what Microsoft is saying. So that's basically it for the management scenario you are talking about. So it depends on your organization also, their strategy also: if they want to go cloud and they want to start everything from scratch from the cloud, they can do that also; Microsoft is fully supporting that scenario. In my experience, my organization is starting everything from scratch from the cloud, so we are not going ahead with co-management; we are not planning to manage devices with a co-
management scenario. So we are using a greenfield kind of approach, so we will be moving from SCCM to Intune in bits and pieces. So that is your organization's scenario. Just to give you a context: there are two entry points into co-management, okay? One entry point is basically from SCCM to Intune: if you are an SCCM shop and you want to move some workloads to the cloud, then that is the first scenario, where you can integrate SCCM with Intune and do co-management. The second entry point is basically if you are a cloud kind of organization: you don't have any SCCM, then you can directly go to Intune, and if there is any requirement you can attach your Intune and build SCCM. I don't recommend that, but that is the second entry point from a co-management perspective. Okay, let's take the next question. Yeah, okay. First of all I do want to thank you; I'm a really big fan of you. So I have two doubts. Actually I already enabled co-management, and a few of the devices I added in that SCCM group, that Autopilot group. So the first thing I want to check... Sorry, so thank you for the compliments, okay, thank you for that. And when you say you added devices to the Autopilot group, what does that mean? Yeah, it means I configured the co-management; there I configured the collections, so in that collection I added some of the devices, and those devices are registered with Azure AD, and even hybrid AD joined. So those devices are showing already in Intune, and after that I created a Windows Update ring and I added those devices, but I am not getting any of the updates for those devices. So what I thought, I just went a little bit inside and there I saw there are so
many servicing channels, so I selected semi-annual, and I just want to confirm, just want to check with you: the semi-annual, yeah, it says that the update will come once in six months. So basically that's a good question; probably we can cover this in the demo, that will clear your doubt, but anyway, to give you some overview: there are two kinds of updates in the Windows 10 world, right? Feature updates, that is basically upgrading the Windows 10 OS itself, for example, I don't know, 1999, sorry, 1809 to 1909, or, I don't know whether 1909 is there or not, 1903, or 1803 to 1903. So that is a feature update, and that feature update is basically the semi-annual channel, so that is only applicable for feature updates, okay? So if you are planning to deploy patches, then that is something called quality updates. In quality updates you don't see that semi-annual channel etc., but I know where you are coming from: in the same policy you can see the semi-annual channel option also. Yeah, that is, like, Windows Insider Fast, Windows Insider Slow, and, again, four or five options are there. So if I want to get a monthly update, once Microsoft releases each month's patches, those kinds of updates I want to get for those devices which I added in my pilot group, do I have to select that Windows Insider Fast or Windows Insider Slow? No, basically the better option is to select the semi-annual channel. So that is the best option, but I will come to that in the demo session so it will be clearer for you. But it is different from the quality updates or monthly patches, so you don't need to worry about the feature updates in that particular policy at the moment; that is for a different purpose
altogether. And one more question: when I created a separate collection for co-management and I added that collection also, the next day I saw that the co-management policy which was created was also applied to my SCCM All Systems collection. So is this like the default, that the compliance policy will apply to all systems, or no? It's not default, I think. There are different options while configuring co-management: there are pilot options, there are options like All Systems; I don't remember exactly what the options are at the moment, off the top of my head, but if you select pilot you will get an option to select a specific collection, so in that case it won't go to all the devices. Yeah, I am seeing that in the pilot collection I created, the co-management policy is already applied, but apart from that I am seeing one more thing, like it is also applied completely. I don't know about that scenario, to be honest. Yeah, that's the default one that goes with co-management; it goes by something called the co-management prod configuration item that you would see in the system's CM properties. So you mean to say, even if you select pilot in the co-management settings, while going through the co-management wizard, even if you select pilot, then also it will get deployed to all devices? Yeah, so basically there are two configuration items that you would see inside your client properties and configurations: one would be the prod that goes to all systems, but the one that brings your devices to Configuration Manager... there would actually be two settings; the second one, I forgot the name, but that would actually be responsible to bring your
client to SCCM, and Intune even has a co-management device. But we are here talking about a scenario where he has an SCCM client, he has a lot of SCCM clients, and he selected only a particular collection for co-management, right? And yeah, but he can see all his devices having this compliance policy sitting somehow; so I don't know about that. I believe I might know this one. So with the advent of, I believe it is SCCM either 1902 or 1906, with one of these SCCM versions, what we did was, because of the public demand, earlier what you could do was set the workload to either pilot or to Intune; if you are setting it to pilot then all the devices in the pilot collection will get the policy from Intune and all the other devices will be getting the policy from SCCM. Now with the 1902 or 1906 SCCM version, depending upon the public demand, what we did was there are two things that we can configure: one is, obviously, if I am moving it to pilot then all the devices in the pilot collection will be co-managed, but then let's just say that we have got five workloads; I have the option of moving the workload differently for each collection. What it means is I can move the workload for compliance to Intune for a specific collection and I can move the workload for configuration to pilot Intune for a different collection. Does that make sense? Yes. So we have an option of choosing the collection for which the workload is going to be moved; earlier we did not have this, but from 1902 or from 1906, for each workload that you move, at the right-hand side you have an option of browsing to a collection so that workload is applicable for that collection only. But before 1902 it was only applicable for one collection and we could not attach each workload with one. So what I believe is happening in this case is for the compliance policy the workload might have been moved to pilot Intune, and in that case the
collection might have been selected as All Systems. Does that make sense? So yes, all of that is there in 1906, and right now my system is in 1902. So I read in that Microsoft article that this feature is available after 1906, but my version is 1902. Yeah, probably we understand that scenario; I think this is taking so much time, so probably we need to take this offline or some other way; you can contact me offline, probably we can have a discussion if you want. Thank you. So let's proceed; we already reached 3 o'clock and we only have half an hour. Okay, I spoke a lot, I think. Okay, so this is targeting. From Intune and SCCM, I'm trying to compare Intune targeting versus SCCM targeting. When I say targeting, it is basically how do we target applications, application deployments, device policy deployments, script deployments, etcetera, in both worlds. So as you know, in SCCM we need to use... okay, there is some exception, I know: you can deploy some applications directly to the device now with the latest version, and you can deploy scripts directly to the devices, so you don't need to use collections in some scenarios, but for 99 percent of the deployment scenarios you need to use collections. So you need to create collections or you can use the existing collections, and you can deploy the policies and applications to those collections in the SCCM world. But in the Intune world there is nothing called collections at the moment. Just to confuse you, if you want to get confused: there was a collection kind of scenario in the Intune world when Microsoft started Intune, in the early years, so there was something called collections in Intune also; it was in the Silverlight portal. I don't know how many of you have seen that Silverlight portal or not. Anyway, at the moment, if
I come back to the latest scenario or current scenario, there is nothing called collections in Intune. We are deploying, or we can deploy, all the applications and policies directly to Azure AD groups, okay? So there is no need to create collections for deployments. In the SCCM world what we do is basically we query Active Directory devices or we add Active Directory groups inside the collection and then we use those Active Directory groups to target applications and the deployments. So in the Intune world we are eliminating that collection scenario, if I can say like that; we are directly deploying applications and policies to Azure AD groups. Does that make sense? So the other two points which I wanted to highlight over here: you are very familiar with collection update and collection refresh, dynamic collections, and in dynamic collections you can have WQL queries, right? So in Intune also, in Azure Active Directory, there are dynamic queries; we will see that in a bit in the demo. And in the SCCM world you have update collections, and you can schedule the update of collections; there is a custom option in SCCM collections to update the collections automatically, every seven hours or so; some people normally keep it as, like, whenever, or I have seen update collection configuration scheduled like every 10 minutes or 15 minutes etc. That is very dangerous: if you have some collection update configuration or schedule like that, that is very dangerous for your SCCM infrastructure. But if I come back to the Intune part, there is no custom update scheduling option available for dynamic Azure AD groups; this is all managed from the Microsoft side; this will automatically get updated whenever there is a schedule in the backend. So from an admin perspective, we don't have any option to have this custom update schedule in Intune,
okay. Any other point I missed over here? No, I think we are fine with this slide. Let me skip this question; probably I can take two questions on this because I want to finish in time. So any questions? Are there any limitations in Intune, like accessing computers... you can limit the collection with another collection in SCCM; is that what you are asking? No, no, what I want to ask is: is there any limitation on how many computers and users can be connected to one Intune server? Oh, you're asking about the capacity of Intune, right? If you have like 100K clients or devices, if you want to manage 100K devices or 500K devices, whether Intune is capable of managing that kind of scale; are you asking that kind of question? Yes, yes, exactly. So that's really an interesting question, and Intune doesn't have a problem with scaling at all. Whenever you ask this kind of question to Microsoft, they will say if you have a valid business requirement and you want to have support for 500K clients, Intune is going to support that; there's no issue from a capacity perspective. So you need to work with your Microsoft contacts within your organization, probably the TAM, and you need to discuss this with the Microsoft support team, and from that perspective it is fully supported. My second question is: is there any database connectivity required in Intune, like in SCCM, like SQL Server Reporting Services required? It's all managed by Microsoft; you don't need to worry about the database connectivity. I don't know whether you have seen the initial slides, in which I have mentioned the database and the server infrastructure which Microsoft has for Intune; that is already managed by Microsoft, so you don't need to worry about SQL connectivity and opening firewall ports between your console and database etc. in the Intune world. Okay, thank you. I think we don't have a
collection here, and how are we going to include and exclude? Is that going to work here in Intune? That's really a good question. So there are include and exclude options available in Intune deployment, okay? When you do a deployment, you can include and exclude some Azure Active Directory groups, whether it's a user group or a device group. So probably it's better to show it in a demo so you will understand it in a better way. Yeah, I wanted to know: BYOD goes on the user-based registration of the device, and the hybrid Autopilot or anything we do is device registration directly, right? So any conflict you found because of this, and any challenges we found with BYOD in...? So, are you talking about... so I am an SCCM admin, right? I always think from a Windows perspective, so whenever I talk to somebody like the other speakers, they always come from a different perspective, like managing Android devices, iOS devices, Mac devices, and then Windows devices. So in this question, which scenario are you talking about, Windows or others? Windows. Okay, so is that again a security-related question or an enrollment-related question? It's an enrollment policy in my environment where I have a BYOD and I tried to make it a hybrid AAD joined device, and the policies were getting conflicted because of user policies, the device-based policies, conditional policies. So I just want to know... sorry, I didn't catch your last part. When a user is a part of BYOD also and he has a hybrid machine... let's go back to one point over there. Let's understand what you mean by BYOD; let me explain what is my understanding of BYOD. So BYO in the Windows perspective is basically Azure AD registered devices: it's your personal Windows 10 device and you are logging in to that device with a local account or with your outlook.com account or your hotmail account
or your Live account, right? So that is the BYO scenario for me, from my perspective, and in that BYO scenario, once you log into the device with your personal ID, then you are registering to Azure Active Directory; registering, I said registering, it's not Azure AD join, that is a different scenario. So Azure Active Directory registration and Intune enrollment, manual Intune enrollment or whatever it may be; so that is the BYO scenario for me. But from your explanation I feel like you are talking about some different scenario, or am I wrong? Just a Windows device, personal computer, joined to Azure AD or Intune as a part of the user registration himself, since the device is a personal device. So in that you are getting some conflict in the conditional access policies, or from the patching point of view? Mainly conditional policies, I can see where they were conflicting, because the policies are applied to the user. It's probably a particular scenario we may need to look into in detail, because I cannot at least comment on that at the moment, I am sorry for that, because it's all about the deployment of compliance policies in your organization: how do you deploy compliance policies? Because compliance policies are generally deployed to the users, and probably you have an option to deploy to the devices as well in particular scenarios. So that's a different kind of discussion; probably we need to take it offline if you want to discuss that. Okay, thank you. Okay, let me go ahead with the presentation to the demo. Okay, it's demo time; let me share my screen. There is mic interference; if you are not speaking, can you please mute yourself? Okay, thank you. Okay, so first thing, I don't know how many of you joined us when we started the conversation; so we started with Azure AD and Intune architecture and I have shown you some slides from Brad's post,
right? So we talked about Service Fabric clusters; so this is the base of Intune architecture. I just wanted to show you this piece: this is what a Service Fabric cluster is. Intune, if I understand it correctly, is built on top of this particular stuff. I don't know much about that at the moment, so if you want to create one you can create one. I have seen in that post Brad mentioned that Intune was, or still is, some kind of sample scenario: some other vendors are trying to move their things to the cloud. For example, if you are a BeyondTrust kind of solution, you know BeyondTrust is a privileged access management kind of solution, and they have an on-prem solution at the moment, and if they are planning to move their on-prem solution to a SaaS solution, then they are taking the similar approach which Microsoft took for Intune; so they are basically building their servers using this Service Fabric cluster. As I mentioned, I don't know much about this; so if you are interested to learn more about this, read the posts from Brad: there are five posts, with super interesting graphics and super interesting information about Intune back-end architecture in those posts. So as an Intune admin you don't need to worry about this back-end architecture at all; this is a SaaS solution, software as a service; you just need to subscribe and get a license and start working, start configuring. So that is it from an Intune admin's perspective. Okay, so I just wanted to show that. And as I have mentioned in one of my first slides, there is an option in Azure Active Directory, something called, where is it, MDM, over here. So this is kind of, from my perspective, I always want to refer to this as integration of your Intune services with your Azure Active Directory services; so from an SCCM perspective,
if I want to compare it, this is something like an AD schema extension, if you want to say; that is not a correct technology, not a correct sentence, but I just wanted to explain it in that way so that you understand it better. So there is nothing called AD schema extension, or there is nothing called the System Management container, in the Azure Active Directory world with Intune; you just need to configure this kind of stuff to have that seamless authentication experience with Intune and Azure Active Directory. So for example, this is applicable for all other MDM solutions: if you want to integrate your AirWatch solution with Azure Active Directory, you can click on Add application and you can add your AirWatch; the same is applicable for IBM and other MDMs. So this is kind of integration with Intune and Azure Active Directory. If I go over here you can see some options like auto enrollment. So for example, in a CYOD scenario, when I say CYOD it's a corporate-owned device: in that scenario, if a device is joined to Azure Active Directory, it's join, it's not registration; so it's similar to the AD join, domain join scenario, but it's not the same, okay? AD join and Azure Active Directory join are similar but not the same; that's a different topic altogether which I am not going to cover in this; we don't have time, we have only ten minutes, but anyway, I think we can extend it for another ten minutes if you don't mind. Okay, so this is MDM auto enrollment. So for example, if you have a Windows 10 device and that device is joined to Azure Active Directory, then in this configuration, in these settings, you can say that all the Azure Active Directory joined devices will automatically get enrolled to Intune for MDM or device management. So this is something like group policy settings in our old domain-joined and SCCM-managed scenario: if you have
hundreds of devices in SCCM and those devices are joined to your domain, and you set the group policy to install SCCM clients on those devices; so this is kind of a similar scenario, but it's not the same, okay? For easy understanding I'm trying to explain it that way. So in the Intune world, or in the cloud device management world, we call it MDM auto-enrollment. So as I mentioned, whenever you join a Windows 10 device to Azure AD, this configuration will automatically take care of MDM or Intune enrollment of those devices. I hope that was clear. So this is the only setting which you need to take care of in Intune integration with Azure AD, if I understand it correctly. Okay, so let's go back to the Intune console. So this is the Intune console, the Intune portal. Basically, if I want to be 100 percent correct, then it is the Microsoft Endpoint Manager admin center; this is what we call the Intune portal; this is the new product name, and this is what Intune is. If you check the URL, the URL over here is endpoint.microsoft.com; so that is the newest URL for Intune. You can also access it from the Azure portal as well as from, I think, devicemanagement.microsoft.com, but this is the newest portal. So over here you can see this is the homepage, basically the dashboard, and in the dashboard you can see the overall status of your tenant, Intune details; you can see what is healthy over here and what is not healthy, and how many devices have compliance policy issues: four devices are not in compliance, and two devices have profile errors, and client installation failures etc. So you will be wondering why there is that client installation failure; so in Intune we have a client to provide some advanced deployment features. So if
I can go back to the dashboard, in the dashboard you can get an overall view. You can see Windows devices, how many Windows devices I am managing here: Windows 10, 13 Windows devices. As I mentioned, as an SCCM admin I don't, fortunately or unfortunately, have any Android, macOS or iOS devices at the moment in this tenant, so that is why I always think from a Windows admin perspective. But Intune is capable of managing Android devices, iOS devices, macOS devices; not Linux, not servers at the moment. So this is the dashboard, and if I go to All services, that will give you a shortcut to all the things over here. But before going anywhere else I am going to go to Tenant administration. In Tenant administration, this is one of the important things you need to make sure of: whenever you have an Intune subscription, as I mentioned in the initial slide, Microsoft Intune services are in three regions. I forgot; one is somewhere in the US, the other one is Europe, and the other one is Asia Pacific. So obviously my tenant is in Asia Pacific. And this is another number which you need to take care of, or it would be interesting for you. You know SCCM versions, 1902 and 1910; you know what that means: 19 is the year and 02 or 10 is the month in which it normally gets released. So over here, from an Intune perspective, 2003 is the service release version of my tenant, so what does that mean? This is the March release of 2020: 03 is the month and 20 is the year. So these are the two things which you have to look into from the Tenant administration node over here. You can see the tenant name, you can see all the other things over here, and you can see the connector status, all right? So if you have connectors and all, they will come up over here. Okay, so that is what I wanted to show,
and there is an RBAC option available in Intune, that is over here. I have not covered that in the slide, but you can create RBAC roles in Intune over here, similar to SCCM RBAC. So that is pretty interesting; I said similar, it's not the same. And you can even see scope tags over here; this is similar to scopes in SCCM, but again it's not the same. So from my perspective, if you are an SCCM admin, learning Intune would be much easier for you, but it's not like two weeks' work, and it's not pretty easy. You have lots of other things coming along in Intune, like Android device management and iOS and all the other compliance policy stuff and integration; it's a new learning, and it's very interesting learning. I would recommend you start learning Intune. The other thing which I wanted to show is devices. If I want to see the devices, this is a placeholder for all the devices; basically you can think of this as a collection, the All Devices collection or something similar to that. But you don't have any other collections and you cannot create any other device groups over here; all the devices are directly shown over here. This is just for viewing purposes. So if I want to take some device, let's click on one device and see what the options are over here. You can see the primary user, which is my email, over here, and you can see options like the device name over here, and you have an option to copy it. The management name is different, and ownership is corporate, because these are already joined devices. So if you have something like an Azure BYOD scenario, bring your own device, then the ownership will show as personal over here. On the compliance policies, whether the device is compliant or not, those things you can see over here. And in
over here you can see some right-click options. If you are an SCCM admin you are very familiar with right-click options in the console. So this is that, from a cloud management or Intune perspective: you can retire, you can wipe, you have an option to delete, you have an option to sync, restart, etc. So that is one thing I wanted to show. And somebody, I think, asked about the hardware inventory. This is the hardware inventory from an Intune perspective: if you are looking for a Resource Explorer kind of experience from an SCCM admin perspective, this is the place for hardware inventory. As you can see, I'm using the Enterprise version, and you can see all the other details; my email is using this. This is a virtual machine; all those things you can see in the hardware part. So I made a mistake over here: in the SCCM world, hardware inventory is not really hardware inventory, it's software inventory, but this is hardware details. So anyways, Discovered apps: these are the discovered apps which my Intune is able to discover from that Windows 10 device. If you see, these are basic Microsoft applications. Yeah, it's up to you to decide whether this kind of information is useful from an SCCM perspective, or you need more granular information like software inventory, not hardware inventory. That is going to come in future, probably; I don't know. But yeah, device configuration, compliance policy: as you can see there are some errors in the compliance policy, and you can look into those errors over here, as the compliance policies are saying not applicable, those kind of things. I don't want to go into those details at the moment; we are running out of time and I want to give some time to
ask questions. Application configuration; Endpoint security, this is another addition which is included in Intune. This is basically for SCEP in the SCCM world, so you can manage those kinds of policies, antivirus, similar kinds of policies; it's not called antivirus at the moment in the modern world. And this is Recovery keys, basically for BitLocker and all the other stuff. And Managed apps is where you can see what applications are installed on that particular device. There are available applications as well as mandatory applications in Intune, so you can see some of the applications, like seven of them, are available applications; you can go to Company Portal and install them. And the other ones are the required applications. So that is giving us a segue to go to policies. Let me show you some of the Windows policy side quickly before we run out of time; sorry for keeping you late. Create profiles: in Create profiles you can create policies. In Windows 10 you will get lots of policies over here. Administrative templates, this is an interesting topic; Administrative templates is similar to group policies. Let me show you. [Attendee:] You're saying policy, but here it shows profile, create a profile? [Speaker:] Yeah, yeah, that's correct. Unfortunately I muted myself, I don't know why. Anyways, let's continue. So these are basically policies, but they are called profiles; I don't know what the reason is, probably there could be a good reason which I don't understand at the moment. So basically this is a kind of group policy template. If I go over here and I type "test" over here, and if I say Next, then I can see lots of policies coming up here, like Computer Configuration policies. If you want to control something
similar to Control Panel, if you want to configure that, you can click on it and enable it. You can enable it and say yes, I want to enable this: prevent enabling lock screen camera. So I want to deploy this particular policy to a device or to a group of devices; I can do that. This is scope tagging; I'm not going to cover that. This is similar to SCCM, as I mentioned, but it's not the same. If you click on scopes you can see this is a test or default; you can select a scope and then the admin can see only these test scopes, if you have defined RBAC policies correctly. So that's a bigger topic. Next, if I click Next, this is the part over here: there are different assignment options, or targeting options. Assignments are nothing but targets, targeting options in Intune words. Basically you have an option to deploy these policies directly to all users, all devices, or both all users and devices. So this is the option where, if you want to deploy to all the users or all the devices... and you have an option to select an Azure Active Directory group over here. So if I say, I have a group called "device group"; if I want to select a group, this group list is coming from Azure Active Directory directly. And we are deploying this policy to this particular group in Azure Active Directory; this is my dynamic device group in Azure Active Directory. So click OK and you can see that group is added. And somebody asked me, is there any option to exclude a group? So there is an option to exclude a group over here, as you can see. If I click on groups and say, I don't know whether I have any group over here, "device group", so I excluded a group and I included a group, so it will get deployed; this is the exclusion and inclusion logic in Azure Active Directory and the Intune world. If I
click Yes and if I click Create, then it will create and automatically deploy that particular policy to those devices in that particular group. So that is quickly an overview of policies; basically they are called configuration profiles, but they are policies. Now let's go back to applications quickly. In applications you can see a lot of applications are automatically created, and application types are over there. In the application types, whenever you see a Win32 application, this application type is basically an Intune Management Extension application. This is the extra client which I talked about. If you want to deploy this kind of application, then Intune will automatically deploy an extra client, a lightweight Intune Management Extension client, to that particular device, and then it will install this particular application. So that is Win32 application. Next you can see MSI application: the MDM component which is in the Windows 10 operating system can handle MSI application deployments. If you have only one MSI file and you want to deploy that MSI file, then you can use this kind of deployment method to deploy that particular application. For example, if you have to deploy, I don't know, I am not getting any simple MSI application; anyway, you can guess any of the simple MSIs you want to deploy. So these are the two applications from a Windows perspective I wanted to cover. If you want to see what the application addition method is, you can see over here: click on the Add button and click on the options over here. You can deploy Windows 10, sorry, Office 365 suite, or if you want to deploy Microsoft Edge you can do that from here. I'm not going to cover that. Line-of-business applications: if you want to do that you can do that from here. It's mentioned that you can
deploy MSI, APPX or MSIX applications from here, line-of-business application. For this type of application you don't need the Intune Management Extension, that extra client. If you go to Windows apps, Win32 apps, you can see that that is deployed using a different format, called the .intunewin format. That is deployed using the Intune Management Extension agent which I mentioned in the presentation. I'm not going to cover that; probably in the Intune sessions which we are going to start from tomorrow we can cover all these topics. So I'm not going to cover all these in this, but I just wanted to show you the client side of it, quickly the client side; I will come to questions in a minute, please wait. Okay, so Company Portal, the Company Portal application: this is the Company Portal application, which, if we want, we can manually install from the Windows Store or Microsoft Store, otherwise you can deploy it through Intune, but this is not necessary. From an Intune perspective, when we say Intune enrollment, Intune enrollment will happen from Settings. If you go to Settings and if you go to Accounts you can see something called Access work or school. We talked about MDM auto-enrollment in the Azure AD settings; so when your Windows 10 devices join Azure AD, this is my Azure AD joined device, so this is my Azure AD, it will automatically get enrolled to MDM. So this is that MDM setting, this is basically the Intune setting. If I click on this and if I click on Info, you can see the policies deployed from Intune, and you have an option to sync the Intune policies; if you want to initiate a manual sync from a system admin perspective, you can do that from here. And for troubleshooting purposes you can create reports from here, the advanced diagnostic reports. And the other troubleshooting tip which I wanted to give is
the event log. That's the biggest change for SCCM admins: we don't have Intune logs for the MDM component. Let me be clear: for the MDM component. If you are using the Intune Management Extension, there are logs available to check Intune Management Extension activities, but for the MDM component we don't have logs; we have to use event logs. In event logs, if you go to Applications and Services, and Microsoft, you can see Windows over here, and in Windows you can see something called Device, if you go down to DeviceManagement-Enterprise-Diagnostics-Provider. This is the MDM event log for Intune management. You can see I have got some CSP errors over here. So this is one tip I wanted to quickly provide before I finish, and I will give you the opportunity to ask questions; if you are not speaking please mute yourself. I will give you time to ask questions, give me a sec please. Okay, so the other option: I talked about the Intune Management Extension and service. This is, if I can search it correctly, Microsoft Intune Management Extension; this is the service for that extra agent, the lightweight agent which we talked about, if you want to deploy a PowerShell script or if you want to deploy a Win32 application. So this is what I wanted to share in this session. If you have any questions you can ask; I'll keep this open for another probably 20 minutes or so, not 20 minutes, probably 15 minutes. Okay, go ahead.

[Attendee:] Hi, the first question is that, you know, whenever we add any application in SCCM we know where that application is getting stored in a system. The same case for Intune: if we are adding any application in Intune, where does the file get stored? And the second question is, if you can show a little bit of that update ring, the Windows Update ring, like the servicing channel option, that will be really helpful.

[Speaker:] Okay, so I don't know whether you have seen my first
slides, Prasad. In those I have mentioned that from tomorrow onwards we are having a half-an-hour session daily, 12:30 to, I don't know what time I have shown there, I think it's 12:30 to 1:00. Thank you GTSH, 12:30 to 1:00 o'clock India time. Let me complete, let me quickly complete. [Attendee:] No no, a question regarding the timing itself: can you move it ahead by one hour if possible, because after that we are having a meeting. [Speaker:] I don't think I can move it ahead because I also have conflicts, because I am also working; sorry about that. Okay. So coming back to your question, the first question I can answer. There are two points over there: the server side and the client side. Are you talking about, while creating an application in Intune, where those source files are getting stored? Okay, so in that scenario it will be stored in Azure Blob Storage; there's something called Azure Storage, Blob Storage. So you don't have to manage it like SCCM; in SCCM you need to create a folder or you need to have a file share or you need to have something else to store those source files. In the Intune world you need to have the source files with you in some file share, but from a package source perspective you don't need to worry; that is managed by something called Azure Blob Storage. Whenever you create an application, you will have to browse and select that MSI file, then during the application creation process it will automatically upload those particular source files to Azure Blob Storage. [Attendee:] Okay, and I think that storage is unlimited, I guess, or is there a limit, like only that many GB we can have? [Speaker:] I don't think there is a limit at the moment; we had a great discussion about this in
our WhatsApp groups with Saurabh and Joy, I think a couple of weeks back or one month back. So I don't think there is any limit; you just need to have a subscription. But if you are using, what do you call it, I forgot the word, the trial version of Intune, then there is a limit. So if you are not using the trial version and you have a production subscription of Intune and you have the proper license, then there is no limit.

[Attendee:] Is it that only the devices enrolled into Intune are showing in the Endpoint Manager, I mean the Intune portal? So if I want to add any other device which is already hybrid joined, what I usually do is I go to the main Azure portal, under Devices, and from there I add that device to the particular group, and once that device gets enrolled, only then will it show in the Intune portal. So my question is that the device is not showing in the Intune portal, that's why I have to go to the Azure portal and add that device to a certain group. So is this a known thing, or is there any better way where I can add those devices to a certain group without going into the Azure portal? [Speaker:] I didn't understand your scenario, to be honest; are you talking about the hybrid Azure AD join scenario? [Attendee:] Yeah, yeah, I mean most of the devices are already hybrid AD joined, and if I want to add those devices to a certain group, what I usually do is I go to the Azure portal, from there I choose that device and I add it to that group. Until I add those devices to that group, that device will not show in the Intune portal, the Endpoint portal. [Speaker:] So this one, I don't know what the reason is for that, but probably, sorry,
somebody else can comment on that, but from my perspective, I don't know whether it's related to scoping over here. I don't know what your configuration is over here; if you select Some over here instead of All, then you need to select groups over here, and then only those devices will be auto-enrolled into Intune. So over here you need to select an Azure AD group. If your organization setting is like that, then probably that is the reason you need to add devices to that particular group. [Attendee:] Okay, okay, I can close this question. [Speaker:] Yeah, please.

[Attendee:] Okay, so most of the customers over here know that I have about 300-400 applications and packages from their SCCM world. Have you come across any type of third-party tool or some kind of migration tool to technically move these applications from the SCCM world to the Intune world? You mentioned MSI, going through manually; you know, a lot of customers have three hundred, seven hundred applications in SCCM. Based on experience, I wanted to see if there is any type of tool or something that we can buy, versus doing it manually. [Speaker:] Yeah, that's a great question. I don't know; I will let you comment on that, but before that probably I can give my perspective. So basically this is an interesting question and this is the scenario lots of enterprises are going through at the moment. But apart from using some Graph API and some PowerShell, I have not seen any particular tools to do this kind of migration. But I don't know whether anybody else from the community has some other comments or useful scenarios which can help over here. Saurabh or Joy, I don't know who is available now. [Co-host:] Correct, sir, I mean we don't have any third-party tool or Microsoft tool which would help us. I mean, let's just say we have packages and applications in SCCM and now the plan is, I mean, then again there would be
two points to it. Let's just say that you have a device and right now the device is managed by SCCM, and now you are getting the device managed via Intune. So the first phase would be getting the device co-managed, wherein the device can be managed by SCCM and Intune both at the same point of time, and if the workload for app distribution is still set to SCCM, your app packages which are in the SCCM console will come down to the device. Now talking about a scenario wherein, let's just say, you're phasing out SCCM and you just want Intune: in that case obviously you will have to redeploy those applications from Intune as well. This means that you will have to go to Intune, go to Client apps, then upload those packages. So yeah, as of this moment there is no third-party or Microsoft-provided tool present which would help you migrate those packages from SCCM to Intune. Now the packages can't be migrated, but yes, you can make use of something like the Graph API wherein you can do this thing manually, I mean do this thing automatically. So the way you'll have to do it is you'll have to store that package file in a location, and then in a PowerShell script or in a Graph API call, you can use what we call Microsoft Graph Explorer; you can use the RESTful APIs, which will create that policy for you automatically. But I mean that might be a little complicated. To answer your question, long story short, there is no third-party or Microsoft tool as of this moment which will migrate your app deployments from SCCM to Intune; that is something that you have to... [Attendee:] Oh, thank you, that's good information, because we have a team and they have pretty much 10-15 years of packaging experience actually. I can give them a direction or roadmap to use the Graph API tools so they can look into it. At this point, we have been on co-management for about a year and we had this plan to decommission and get rid of this overhead completely, and we have almost
400 applications and packages, but these guys have put years of effort into creating those actually complicated applications, and now they don't want to drop the ball on that. But I'll tell them, I'll let them know that they should look into the Graph API, spend some time exploring that area and maybe they can get a solution. Thanks.

[Attendee:] I have subscriptions ready, so we have been managing only iOS devices in Intune so far. Moving to Windows 10 devices, we would like to set up the QA environment; you know, in the SCCM world we used to have QA. So is it possible to have the QA tenant or subscription created within the production environment, or should we need to put in a new license? [Speaker:] My recommendation would be to have a different subscription. Going back to SCCM infra, it's always recommended to have a pre-prod or QA environment, a separate one, so that if there is any tenant-level configuration or subscription-level configuration you can test all those things in a different subscription altogether rather than impacting your production subscription. So my recommendation, from my experience until now, is to have a different subscription, but I will let others comment on that point. But before that, in my organization we have, for example, three kinds of subscriptions: one for development, one for pre-prod and one for production. Pre-prod and prod should have kind of the same configuration, so that we can test and we can reproduce the issues if you have something in production. If you have an issue in production then we can reproduce it easily in pre-prod, if you maintain the same versioning and all the other configurations. All right. [Attendee:] Yeah, thank you. So I think it would be best to have a new subscription to build the QA. I recommend that, thanks.

[Attendee:] Hi, team, this is Gopal here. I have one question regarding the deployments
for the Intune-compliant devices. You know, in SCCM we know that the software gets cached in SCCM, in the cache folder, so in the Intune case how do the applications, the software, get cached in Intune? [Speaker:] That's really a good question; I will let Saurabh... [Co-host:] This is the point where I'm missing, Joy; sorry, wrong information, I'm really sorry, I'll have to look this one up, where exactly it gets downloaded, the standard cache location. So yeah, okay, there are only two kinds of logs, or rather three kinds of logs, in Intune from a device that you can possibly get: one is the MDM diagnostic log which he was showing, the second is the Event Viewer log under the DeviceManagement provider which he was showing, and the third is the IME log if you are talking about any Win32 app deployment or a PowerShell script deployment. So these are the only three logs that we can get from a Windows 10 client machine as far as Intune is concerned. But yeah, your question is very valid; I mean, it obviously has to be cached somewhere, it is just that I don't have it at the top of my mind, but yeah, that is something that we can definitely get, that information. [Attendee:] So, sorry, what is the largest file that we can deploy with the help of Intune? [Co-host:] Let's say there is no... I have seen applications up to 2.5 GB, but then I'm not saying that is the limit; I mean, we don't have any limitations. [Speaker:] Just to add on that, for the Intune Management Extension I have seen in the documentation 8 GB. [Attendee:] 8 GB. And what's the mention for a 2.5 GB download of an application, is there no cost associated? [Speaker:] There is no cost associated, it's part of the license; it's not like other solutions. I know where you are coming from: basically, if you have storage in Blob Storage, if you download something you will get some cost, and for CMG also you will get some cost. So that is not the case for Intune; that's part
of the license, if I understand correctly. [Attendee:] Yes. So do we need any DP kind of setup, you know, if I am pushing an application from a CMG, or, you know, I have a CMG and an old environment, and how can I integrate that with Intune? [Speaker:] So basically that's a good question. You don't have any DP kind of things in Intune per se, but obviously there are some content stores available across Azure, so that is all managed by Microsoft. You don't need to distribute applications to DPs in the Intune world. When you upload an application, when you create an application in Intune, all the other things will automatically be taken care of by Microsoft, so you don't need to worry about that. [Attendee:] Okay. Can I add any application, you know, any MSI or app application? [Speaker:] Yeah, so as I mentioned, I don't know whether you were there at that point or not; there are two or more kinds of applications in Intune. One is Win32 application, and Win32 application runs with the help of the Intune Management Extension agent, and in the Win32 application world you can deploy all types of applications, so that's one scenario. And there is another scenario, that is MSI application, that we can deploy through the MDM channel. So these are the two scenarios. [Attendee:] If I added any server, I mean, I created a co-management settings policy and I just chose one collection; just asking, in that collection if I added any server, like Server 2012 or Server 2016, will that device show in Intune? [Speaker:] Server support is not there, right? [Attendee:] No, I think, if I added it, what will happen, by mistake if someone added it, or just for staging purposes also, if I added it in that collection? [Speaker:] I don't know, I have never tested that yet. [Co-host:] So in Intune you will only see the devices which are enrolled, so in Intune you see a device after it is enrolled. Since a
server cannot be enrolled into Intune, you will never be seeing a server in the Intune All devices section. Now let's just talk about a scenario wherein, let's just say, we have a collection and we did add a server, and if that server did have an SCCM client on it, then the SCCM client is going to get a policy from SCCM which is going to trigger an enrollment. It is going to try to trigger an enrollment, which you will be able to see in the CoManagementHandler log, but obviously when it runs it checks, and it finds out that this is an operating system which Intune does not support; therefore the enrollment never goes through, and the Azure AD registration before the enrollment also does not. So to answer your question, the device comes up in the Intune portal after it gets enrolled and it becomes co-managed, so it will never show up in the portal. [Attendee:] Okay, so in that case, CMG, from the MDM, the package, like for example we are deploying a package, say we have the same scenario, enrolled and like environment, so do we need an MP or DP for that? For example I have one more system set up, so how will the traffic go? [Speaker:] Yeah, okay, so I don't know, probably I am getting confused or you are getting confused, okay, let me explain. So CMG and Intune, there is no connection, okay? CMG, co-management, yes. I don't know from where... it's a big topic, I don't know from where you want to start and what your exact scenario is. If you are deploying an application from SCCM to an SCCM-managed or co-managed client, if you are deploying an SCCM application from the SCCM console to a co-managed Windows 10 client and your workload for client apps is set to SCCM, then you need to have a cloud DP, CMG, MP, all the SCCM components; Intune is not going to interfere in that process at all. Is that clear? [Attendee:] Yeah, no, my question is, if we are deploying
Android apps or iOS apps, do we need Intune Management Extension services? [Speaker:] No, this is only for Windows. [Attendee:] Okay, thank you.

[Attendee:] I have a question regarding the infrastructure. Let's say I have my Endpoint Manager portal in APAC and some of the devices are present in, you know, the US; will I be able to manage them, or do I need another portal situated in the Europe zone or in the America zone? [Speaker:] You don't need to create different subscriptions for different regions; I think one subscription would be enough. Probably Saurabh, if you want to comment on something. [Co-host:] I mean, whichever region you are selecting while setting up the Intune portal for the very first time, by setting up the Intune subscription, you can enroll your devices and manage your devices all across the globe, because it's working over the internet. So irrespective of whether you created it in APAC and the device is in, let's say, the US, the management and the device enrollment functionality is supported. [Attendee:] Yeah, okay. Now this brings a second question to my previous one: my device is in America and my Intune tenant is in the Asia-Pacific region, and I'm managing the client from the America region, so how will my content flow? Is it just the blob, Microsoft will take care of transferring the content to that particular system, or do I need a certain kind of configuration, like Azure replication? [Co-host:] Okay, so first of all, when you are taking an Intune subscription and when you are creating a tenant, you choose a location. Let's just say that you are choosing an APAC location, which means that, obviously, your tenant is... what is your tenant? Your tenant is like a domain, right? So the domain is on your domain controller, right? So similarly your tenant is on the server, and that server has to be in some data center, right? So when you are selecting APAC while creating your tenant, that means that the physical location
most probably will be in the APAC location but then you get all your things yes when you enroll advise the device irrespective of this location the device is irrespective of the other devices in India or the devices in the US the device can always talk back to the Indian service or the azure service which is there in the open Internet because you can go to portal but I do not come from us as well as from India right so and the devices not that that's what that scenario is correct that scenarios unclear about I'm just asking about the pendant which will which let's say because if I am in Europe region and then I'm constrained for gdpr I cannot move something from Europe to get the information to my Indian portal which is there in a specific region so I'm looking towards the net net data flow how it will be going to manage is the Microsoft will going to manage it or do I need to define some things in my this is something that happens all under the and this infrastructure is managed by Microsoft so all you will need to do at your end is create the in tool port I mean create the into tenant and just select the location for the very first time and the only time when you're setting it up other than that there is no other I mean replication or firewall ports or anything that you need to take care of or that you will be able to see I mean that is something that is managed by Microsoft and working behind the hood okay thank you thank you Sarah for that and probably we can take class thank you last two questions if you have any other questions okay no questions that's great one one question so it's like is the reverse is possible means if twice is already enrolled with the Intune after that if after that I want to you know get back that device from the in tune and again manage to the a cesium is that possible that's possible that is what like I mentioned about two entry points for for management right so first entry point is if you are an ASA cm shop when I say cesium shop 
it is you already have an associate infrastructure right and you want to move to in tune slowly then you can use the first entry point that is moving some workloads you to in tune right the other entry point is if you have some scenario you want to have some I don't know third party products which you are using and that that scenario is are already moving away with n n that is kind of a scenario right so but it's technically possible okay okay yeah nope hi this is a Irfan here a quick question could a different topic different question I think a week ago two weeks ago you guys did a power bi workshop or presentation I completely missed it I mean New Jersey and your timing-wise I'm over here 7 a.m. 8 a.m. so I think I overslept and put in joint you guys at all is there any way any chance you guys will post the actual recording for the power bi session yeah we are planning to post that as soon as possible probably tomorrow or day after ok perfect I just I wanted to know so the public go back later in item elevator so so I know all these recordings are you're posted on the same URL or somewhere else so if you are part of our community right we publish everywhere right so so if you don't team channel we publish over there if you are part of what's up you telegrams over there is no part of ways you can get wherever you want okay thank you I have only one question I was waiting to end it up so I was waiting for my chance if I can contact whatsapp yeah please go ahead I don't know is it correct vision or not just I am curious about this in tune so if in tune is allowing machines on and rolling them or is it picking up the users from a aad so I'm just confused is it working both ways or is it working only by enrolling the window system so basically in tune as in tune is similar to SCM right so this is device management technology right so it's basically for managing the devices right so I didn't understand your question sorry about that probably it's my mistake but when 
you say like it's picking up from user I didn't understand that part what does that mean so such a discovery on user or is it a discovery of machines so there is no discovery over here right so in in human world right there is no discovery right so so it's automatically in the in Tunis automatically integrated with Azure ad for example there are a couple of ways it will oh it will come so you are worried about like how the devices or users are coming to Azure Active Directory right is that your question okay so so there are there are many ways right so if you if you are a kind of a hybrid customer right so if you are trying to move to cloud then or if you are an office 365 customer there are some options like as your ad connect right that is called ad Connect so what that that connector will do is basically sync all your users right and if you if if you allow them to sync the password hash of the password then they will sink that also and in some scenarios they will sync the devices on Prem devices also right into cloud using Azure ad Connect connector I think connector I think okay ad connect ad connector or ad Connect right that is the tool that is the tool which can be installed on one of your on-premise servers near to your domain controller and you can sync up all your user identities and password hash and device identities in some scenarios to Azure Active Directory right so that is the one scenario where all the devices users from your aunt remedy will get sync to as the other scenario is something like as your ad join right so as I have shown you as your ad join scenarios so in Azure ad join scenario you can have autopilot devices right you you have a autopilot profile Windows autopilot I don't know whether you are with that or not but I'm if you are then you and you will understand like if in autopilot process you will join a device automatically - as ready so once you join their device to as your active directory then then it is like domain join right so 
when you do a domain join of a device the device object will automatically get populated in on from ad right similar to that when you do as your ad join it will the device record will automatically get populated - as your ad okay and the same same case for BYO scenarios in BYO scenario when you do as soon as per ad registration of the device right then the device record will automatically get populated - as your ad or automatically get created in as your ad does that answer your question yes no thanks thank you all for joining and hope this was helpful and as I mentioned from tomorrow onwards we are having a half an hour session on in tune that is fully freeze we don't charge anything right so for the community built by the community thank you all
Info
Channel: Anoop C Nair
Views: 5,193
Keywords: Intune Basics for SCCM Admins, Intune Basics for ConfigMgr Admins, Learn Intune from SCCM Technologies, Use SCCM Skills to Learn Intune
Id: CgLS1N_iGT8
Length: 150min 46sec (9046 seconds)
Published: Thu Apr 23 2020