Microsoft Intune From Zero to Hero

Captions
If you're responsible for administering and managing Microsoft Intune, then this is the ultimate getting-started guide that you will find invaluable. Are you ready to learn? [Music]

Greetings, my fellow YouTubers, nice to see you, and I really do appreciate you visiting my channel. In today's episode... I've had a number of requests for "Andy, can you go through some of the basics of getting started in Microsoft Intune?" Well, I thought, you know, that's a really good idea. Now over the last couple of years Intune continues to go from strength to strength, but along with that it becomes more and more sophisticated and perhaps a little tricky to understand. So I wanted this to be the ultimate guide to take you through Intune, administering Intune anyway, step by step. So if you haven't subscribed to the channel, I would really appreciate it if you would click the Subscribe button and ring that bell, and if you've got comments and questions, as always, get them down below. Now I want to put my heart out to all of you and say a huge thank you for nominating me for the UK Community best YouTube channel of 2023. I really do appreciate it. If you'd like to vote for me, then I'll put the link there below; please go ahead and do that.

Okay, so I think without any further ado, let's jump in and let's take a look at administering Microsoft Intune from scratch. So the first thing that we need to discuss about Intune is the license. I have a user here; I'm a huge Trekkie, as many of you know. I'm going to go into Jean-Luc's account here. I'm just going to copy Jean-Luc here, just take a note of his address. First thing then is I'm going to come into Licenses, and you need to make sure that the user is licensed. Now in this example I'm using an E5 and what we call Enterprise Mobility and Security, or EMS, and you can see there are two versions of EMS. If you've got an E5 subscription, you can bolt on the Enterprise Mobility and Security. Please note if you've got an E3, there's also an EMS version for E3, and also in Business Premium you also get EMS as well; well, you get a version of it, okay, so you get the mobility features in Business Premium. And ultimately, though, if you don't have these plans, you could always bolt them on, so Intune comes as a standalone license, which is fairly low cost, if I have to be honest with you. So I'm going to just go ahead and save my changes here.

Now the next thing that I want to talk about is machine states, so let's just have a quick look at that. So to understand device states we really need to talk about three different options here. Now in the slide of course it's referring to Azure AD; do remember that I am talking about Entra ID, as it was recently renamed. So Azure AD registered: basically, if it's allowed, users can join their own devices. Typically this is used through BYOD, bring your own device, and elements like that. Now it doesn't necessarily mean that the tenant administrator or Intune administrator will be able to fully manage this device, but it can take advantage of things like applications and also things like security features like conditional access. Azure AD joined is the full one, essentially: full single sign-on into Azure Active Directory, and you can also manage this, so you can extend that and manage this device in Intune, which includes the full deployment of the device, applications and security. The third option is a hybrid Azure AD joined device, and this is ultimately where the device is joined to Active Directory, and it's Active Directory that has sole responsibility for not just provisioning the users but also managing the device properties in terms of features like Group Policy and security settings.

To understand Intune you need to understand not only what it is but also what it can do. So it's a multi-management platform that allows administrators to manage both mobile devices, PCs, Macs as well as other platforms. These devices can be connected either directly, Azure AD joined, which I'll give you a demo of in a second, or they can be what we call hybrid Azure AD joined. So hybrid means that they're connected via Active Directory, which is the local directory service that many companies still use, which is stored of course on Windows Server. So once the devices are inside Intune, are ingested into Intune, administrators can then secure them with various security and compliance policies, as well as being able to deploy updates, software patching, as well as of course keep up to date with things like applications.

So I'm currently logged in at this workstation as a regular administrator, and one of the first things we're going to want to do of course is join this machine to Azure Active Directory, AKA Entra ID. So I'm simply going to come on to the Settings here. I am going to just scroll down and we have this Accounts option here, and all we need to do is just scroll down, and it says "do you want to access your work or school?" So I absolutely do, so I'm going to click in here, and I have a user here called Jean-Luc Picard. Now just a couple of things here: if you just set up a work or school account here, this would just register the device, okay? So this means it's registered in the directory but you can't really manage it, okay, and often you might do this if it's, say, a bring-your-own-device device or something like that. But the main things that we do have here are these two here, so you can join this device to Azure Active Directory, and this means that it could be fully managed in Azure AD, and on top of that, if you have the Intune license, you can also manage it in Intune and all of the features, for example deploying software, managing security and so on. If, however, you have the device connected to a local Active Directory domain, this is more the traditional client-server type model where the server is on premises, and this machine would be deployed, managed and administered by your domain administrator, okay? Now it can be one or the other; you can't have both, and just a word of warning: if you wanted to change this, you would need to reset the machine, okay?

So what I'm going to do is I am going to just come in here and join this device. I'm going to say I want to join it to Azure Active Directory, so first of all of course we need a username. So I've got my username here, and this is Picard, so again I've checked that he's licensed, so he's fully licensed, and I'm now just going to put in his password here. So off it goes, and I'm now going to do an Azure domain join, okay? So it takes a couple of minutes, and it just says "are you sure this is the organization that you want to join?" So I said yep, absolutely, I'm going to do that. Okay, so we're all set. So now, all I need to do... you can see it's now connected to the organization; it's also showing me the username as a UPN, or user principal name. So what I'm going to do is I'm going to just restart this machine and then we'll come back to it in a moment.

Okay, so you can see I've put my password in, I'm logging back on as Jean-Luc, and let's have a look at what's happened. Well, first of all I'm going to click back into the Start button, I'm going to come back into those Settings, and let's now have a look. So again I'm just scrolling right down, I'm going to go back into the user accounts, and here you can see that Jean-Luc is in here. If I go back into Access work or school, you can see that he's connected, so it's an agent; the agent is connected. I can have a look and it tells me all about the account, and if the user was offline for some reason, this would sync any updates; it would also sync any applications and data and so on. So of course one of the big benefits of this is the fact that you get full single sign-on, so for example if I just go to, let's say, office.com here, you can see instantly the user gets signed in, and thus a lot more productive. So I don't need to sign in and do any kind of configuration, so from the end-user perspective this is absolutely fantastic.

Now, so what we've talked about there is what Intune is, we've talked about licensing, and we've also done here an Azure AD join. Now what we're going to do is let's have a look now at how you configure Microsoft Intune. So coming into the Microsoft 365 portal, there's just a little flag here that just says, you know, you've got five global admins. If you're going to have an Intune administrator, you might want to consider having a dedicated Intune administrator. This is all part of Microsoft's zero trust strategy: only give users and admins the rights that they actually need to perform the task, okay? So that aside, what I'm going to do is I'm going to scroll down here, I'm going to come into Endpoint Manager, and this brings us into the Microsoft Intune admin center. So let's have a look at what we can see. So Intune is actually, I suppose, a combination of different products. So by default you get the home screen here, and you can see it gives us a nice overview of everything you can bring on. You've also got this dashboard here as well, and again you can see I get a nice kind of helicopter overview that everything is now up to date. So Intune itself is a combination of different products and features. So we can manage devices in Intune, we can also manage applications, and of course very importantly we can also manage security on those devices. From that we can then produce reports, and these are essentially just shortcuts into the user settings in Microsoft 365 and also Entra ID. We also have tenant administration here as well, which covers the entire tenant.

So I suppose the first place that we should start is the devices, so let's have a look at this. So first of all we can see that we have a number of devices already enrolled, and one of the really cool things about this mobile device management platform is the fact that we've got Windows, we can bring in Windows devices, iOS and iPads, macOS, Android, Chrome OS actually, which is really gaining in popularity now, as well as various iterations of Linux as well. Now in order to get started and say "okay, I want to manage my Microsoft 365", the first place that we really need to come into, though, is we need to come into Identity, and when we talk about identity of course we're talking about the Entra ID admin center. And initially what I'm going to do is I'm going to come down here into Devices, and if I click into Overview here, you can see here that I have a number of devices, and I've already gone ahead and added in these devices, and you can see that some of these devices... they're all running Windows, but some of them are hybrid Azure AD joined, whereas some of them are Azure AD joined like I just demonstrated. So here we have our WS3, so here's our Seattle WS3 machine here, and you can see that this has been joined by Jean-Luc Picard. So I'm often asked, "Andy, what's the difference with a hybrid Azure AD join?" So this is a traditional machine that's traditionally joined to Active Directory, and if I click into the properties of this, you can see that I can get a few details of the machine, but the thing is you can't manage this machine, yes? So you can only manage the machine if it's actually within Intune itself, so you have got limited functionality here. In other words, the authority for this machine lies with Active Directory and tools like Group Policy and so on. All right, now things that you can do with it: you can add it to an administrative unit, and you can take advantage of the Local Administrator Password Solution, or LAPS, which is quite good, but in terms of management it's pretty limited, and you can use of course System Center or Group Policy, as I've just mentioned. All right, so that's that, and now if I come back to the machine that I just added, though, this is my WS3 machine, this is Jean-Luc's machine, you can see that I now get the full inventory of hardware, who the user is; I can also manage this machine as well. You can disable it, you can delete it; there are some functions here, by the way, that require an Intune Suite license, but in terms of the management I can click in, and you can see that this actually takes me... this is kind of a window into Intune here, so I can do things like I can retire this device, I can do a remote wipe of the device as well, I can delete the device, I can do that sync feature, you can restart it, and you can also of course perform antivirus scans and rename. So again, quite a lot of functionality. In addition, you also get the hardware features here, you get a list of any discovered applications on this device, which can be useful (there's nothing on it at the moment), and of course you can also see the device compliance and configuration that I'm going to talk about in a moment. So the key thing here is you have full control of this device. All right.

So heading back then, going back into Azure Active Directory, or Entra ID of course as it's now known, how do we switch on this feature? So what I'm going to do is I'm going to come back into my Identity, so just come back into the Entra admin center, and I'm going to scroll down, I'm just going to show more, and we have a Settings area here, and I'm going to click into this area here; it says Mobility, okay? So in here we have a couple of really important features, and the first one here is: do you want to add mobile device management and mobile application management? So MDM. Now do I have to use Intune? Of course not, no, you don't; you can use AirWatch or any of these others, but the fact is I've got a license for it, so this is the one that I'm going to use. So I'm clicking into Intune here, and first of all mobile device management: do you want your users to be able to use mobile device management? So in other words, you can have your users join it. I'm going to say yes, I want all of my users here, and you can see how do they discover... if they want to either join the device as a corporate device or as a registered device, you can provide them with the discovery URL here. Likewise mobile application management: so you can deploy applications to both managed as well as unmanaged devices, so for example guest access and so on. Just a point about mobile device management, by the way: every Microsoft platform, if you will, has access to mobile device management in one form or another, so in its most basic form you can manage mobile devices, phones, but if you want to manage PCs and Macs you really do need this Microsoft Intune add-on here, so just be aware of that, okay?

So the other thing that I'm going to do is I'm going to pop into my Devices, All devices here, and you can see that you have all your devices. Now you can see here that although we have a number of devices here in Entra ID, AKA Azure Active Directory, if I go into Devices in Intune we don't have as many devices here. That's because only these devices are actually not just Azure AD joined but they're also managed in Intune as well. So however, here there are some really important settings, so I can go into the Device settings here, and then we've got some options: users may join their devices, so you may only want certain users, for example, to be able to join their devices; users can register their devices; and also, are you going to require multi-factor authentication? I mentioned the Local Administrator Password Solution, or LAPS, service, which is currently in preview, and you can see that this is all at the moment, and you can also restrict users from recovering BitLocker, so that's the encryption keys. We also have a really important feature now. You know, in Windows every user has a user policy and a computer policy, so for example, you know, it stores your desktop settings, or when you click on My Documents it might go to your OneDrive for Business, for example. So in Enterprise State Roaming, what this does is it copies all your profiles, your user profiles, and it stores those in Microsoft Azure, which absolutely rocks, by the way.

So let's pop back then into Intune and see what we can do in Intune. So first of all you're going to want to enroll your devices, and you can enroll in a couple of things. So you can do automatic enrollment, so if you want to allow your users to automatically enroll into Intune, not MDM but Intune, you're going to need to come into here, and again you can see I've configured All, and again All here. So that's the first thing: I've configured automatic enrollment. Now in addition, you can also configure things like co-management, so if you're using Configuration Manager to manage both cloud and on-premises solutions, you've got that tool here, and in addition you can also take advantage of Microsoft's Autopilot deployment program, and if you've not seen my video on this, definitely go and check it out, and I'll put the link in the description below. Now, other types of enrollment of course, as well as Windows enrollment: you can also deploy things like Windows Hello for Business, and so if you're using biometrics, facial recognition and so on, you can deploy that here. And one of my favorite ones, though, is "Andy, what if I want to deploy Apple devices in my organization?" Well, this is really simple. What you're going to need to get, though, is an MDM push certificate from Apple, so basically just follow the instructions here: you go to the Apple website and you will be issued with an Apple push certificate, so all you do is import that certificate here. The advantage of that is everything then lights up, and I can then start creating... if I go back into Devices here, for example, once your devices are enrolled, then we can start configuring policies, so primarily things like configuration settings; you've also got compliance policies, and maybe you want to run some scripts and so on. But the fact is that for those mobile devices, those Apple devices, typically what you would do is you would create, let's say, a configuration profile, and a configuration profile here, I'll give you a little demo of it.

So I'm going to create a config profile, and in fact you can see here's one I created just recently, actually, so I'll just pop into this profile, and in fact I'll just edit this profile, and let me just edit it here. So first of all, what are the properties of the profile? So you can put in the name and so on. You can then say, okay, who am I going to assign this profile to? So in this case you can see I've assigned this to my Oslo devices, and I'll show you that in a moment. So I've created a group and I've added those devices in. You can also of course deploy it to all users as well, so for example if you were in a school or something like that; you can also include and exclude users as well if you want to. Then the next step is of course configuring the device, so what features and functionality do you want to enable for that device? And there are literally loads of settings that you can configure, and you would take your time typically going through this. Now the nice thing about this of course is this is all the configuration settings for the devices, and this can include, you know, for example I've switched off gaming, and you might want to block in-app purchases. So if you're in a school, essentially you create the profile, you deploy that profile to those devices, or let's say the year five students, and essentially what happens is you go on to your phone, you dial up your Apple vendor and you go "hello, I'd like a thousand devices please", and they would go "absolutely no problem, are you a member of the DEP program, the Device Enrollment Program?" and you go "I am, here is my number", and they will then ship those thousand devices to the school, and the kids will receive them shrink-wrapped. There's nothing that you need to do, and when they unwrap them and connect to the internet, it immediately goes "hang on, that is managed by this organization", and it will then deploy the profile of course. So you deploy the profile; you can also deploy apps as well, so again you have got iOS and iPad apps, you can just simply add these in and deploy them. So a thousand iPads just like that; absolutely superb it is, okay? So a configuration profile, as I've said, I can create a configuration profile here, and essentially you choose the platform. So is this for Android (so depending on the Android platform that you're using), iPad, iOS, macOS, Windows of course, or even Windows 8.1 and lower? So again, that's what you do, and you walk through those steps that I've just done.

Now as well as configuration profiles, compliance should be at the forefront of your mind; security is so important. So what I'm going to do is I'm going to create a new compliance policy, and I'm going to create this for my iPad and iOS devices. I'm going to click Next, and we'll just call this my Oslo compliance for, let's say, iOS, okay? I'll click Next, and again you can go through: do you want email on the device? What's the device health? You might want to block things like jailbroken devices, so I can say yes. What's the device properties: are you going to support a minimum and maximum OS version, a build version, you know, so if you're supporting these devices you don't want, like, really old devices. Things like device properties... sorry, if you're using Defender for Endpoint and you want to integrate that. And then you've got things like system security as well, so do you want to require a password, block simple passwords; you can force the password expiration after a number of days, and check it out, you can even restrict certain apps on the device as well, which is really nice. So you get the idea. So you can enforce things like biometrics, so fingerprint, facial recognition, as part of that policy. And you can then say, okay, well what happens if the device is non-compliant? Well, you can in the first instance send an email to the user, and then you can add in another one, and so in the second instance set a notification, and then if they still don't respond you can of course remotely lock the non-compliant device, and then ultimately, if they've not responded after a number of days, you could essentially retire that device, and again these are really nice options. So again I'm going to assign this to a group of users, so again I could say I'm going to bring this to my Oslo IT devices, and I'm going to select Next, and you can see I have now created my compliance policy. How cool is that? So now of course, once my users are onboarded, I will be able to see regular reports.

Now in terms of applications, I can also come into the applications, and you can see that I have a number of platforms here. I can say, hey, I want to deploy a particular app, so no problem, I can go to the App Store; in this case I can go to the Microsoft Store here, okay? So we now have the Zoom player; it gives me all the publisher information, and do I want to show the app in the Company Portal? Yeah, I'll make it available, and also you can bring in other information in here as well, for example if you've got a logo, so I can bring in a logo for this particular app if I wanted to. So again I'm going to click on Next, and again I can say, hey, do you want to assign this to a group of users, or do I want to make it available for any enrolled devices? So enrolled means that you've enrolled the device onto the machine, but it's optional whether the user wants to install it, and you can also... this is the cool thing about this, is you can uninstall this on the fly as well. So again I can simply click on Add, and I'm going to add in my Oslo group again, and I bring in my Oslo devices, and I'll click Next, and I get a nice overview, and Finish. So once the users start downloading that app, this will then start to wake up, you see. So there we go, so you've got your apps.

What else have we got here? Well, we talked about device compliance; what about applications? So you might want to create what we call a protection policy, you might want to configure the application. Again, in this video I'm only doing a demo, but hopefully it'll get you started. So as well as configuration policies, we've also got things like protection policies, and this is really nice. So here's one I made earlier; I can go in, I can look at the properties, let's have a quick look here at this, and I can target, let's say, specific apps. So if I click onto the app, I've targeted that Zoom app here, and if I go into the policy I can say, okay, what do I want the policy to do? Am I targeting all apps, Microsoft apps, or any kind of core Microsoft apps? Well, in this case I'm just selecting the Zoom for Intune app here, so that's the app that I'm targeting, so I'll click on Next, okay, and I'm going to just close that down. So going back into the properties, I can now say, okay, this is the app that I want to monitor, so now I can say, right, data protection: am I going to allow iTunes to back up the data on this? So I can block it or I can allow it. I can set some exemptions on the apps, for example you might block the app from sending information, from blocking document types, cut, copy and paste. I can encrypt the app as well, I can restrict the functionality: I don't want the user to be able to print, so you can choose whether to print or not; am I going to allow to transfer data from one device to another, and so on. Do you get the idea? So you can see here that the protection policies are absolutely so powerful, so you could prevent printing, downloading and so on. So again, another way that you can protect not only the users but also the behavior of the device as well.

So again, what we've looked at: we've seen the devices by the platform, I've talked about enrolling the devices, and also a number of these profiles and policies. In terms of conditional access, I've run a number of sessions previously, videos; you can check those out in my Identity playlist, so check out that. The other thing that you can do of course is you can also manage updates as well, so typically we can create what we call update rings. So an update ring is essentially... here we can basically... I'll just edit this one, by the way, so if I just go into the properties of this update ring, Settings. So what do we mean by an update ring? Well, Microsoft basically has two types of download updates, so product updates and also things like Windows drivers and so on. So we have core Windows updates, and you can say, hey, you know, we've got quality updates, which are critical, and they can also include things like security features, and you've also got feature updates. And feature updates, you know, those things that are nice to have but not absolutely essential, but you can defer them for a period of time. So quality updates you can defer them for up to 30 days, and feature updates you can defer them for up to 180 days, or six months actually, and this is great if you've got a very large environment. So as well as those update rings, you can create the update rings, you can also decide how do you want to deploy those quality and feature updates as well. So for example, you might choose to say, hey, I want to deploy quality updates within seven days and feature updates within 14 days, and you can see you can also control the other platform updates there as well.

Now in addition, we also have Endpoint security here as well in Intune, and here you can control the security features, mostly Windows devices as well as other platforms as well. So you have... we've got some things like, you know, firewall settings; if you want to configure things like disk encryption; you've got things like App Control for Business, and this is currently in public preview; you've also got some awesome features like things like attack surface reduction, so removing unwanted software, shutting down certain services, closing certain ports, and essentially what we're doing is we're making it less attractive to potential hackers; and you can also do account protection, so it protects user accounts on those devices. In addition, you've also got things like reporting, so you have got a whole bunch of different reports that you can look at.

Microsoft Intune: definitely check it out, and I hope that this video has given you a little bit of an eye-opener. So there you have it, administering Microsoft Intune, very, very cool. So there you go, Microsoft Intune from scratch. I really hope that you find that useful; if you did, bump the like button up there, it does make a difference to the channel. Now, if you want to go and take your skills even further, why not consider signing up to my Patreon site? Patrons get a whole host of extras, including full-length course materials; check it out with the link below there. That's it for this time, I'll see you next time, thanks very much. Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here, go ahead, click on the Subscribe button and you won't miss out. [Music]
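The iOS compliance policy walked through in the captions above (block jailbroken devices, set a minimum OS version, require a non-simple passcode that expires, then escalate from a notification to a remote lock and finally a retire) can also be created and assigned with Microsoft Graph PowerShell instead of clicking through the admin center. The block below is an added example, not code from the video or from Microsoft; the policy name, the minimum OS version, the grace periods, the target group ID and the notification template ID are assumptions you must replace with values from your own tenant.

```powershell
# Added example (not the video's own code): create the iOS compliance policy
# from the captions with Microsoft Graph, then assign it to a device group.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph).

# Least-privilege scope for creating and assigning compliance policies.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

# ---- assumptions: replace for your tenant ----------------------------------
$minimumOs              = "16.0"                                  # oldest iOS build you still support
$groupId                = "00000000-0000-0000-0000-000000000000"  # Entra ID group of the Oslo devices
$notificationTemplateId = "00000000-0000-0000-0000-000000000000"  # Tenant admin > Notifications template
# ---------------------------------------------------------------------------

# Policy body: property names are those of microsoft.graph.iosCompliancePolicy.
$policy = @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "Oslo compliance for iOS"
    description                    = "Created with Microsoft Graph PowerShell"
    securityBlockJailbrokenDevices = $true        # device health: block jailbroken devices
    osMinimumVersion               = $minimumOs   # device properties: minimum OS version
    passcodeRequired               = $true        # system security: require a passcode
    passcodeBlockSimple            = $true        # ... and block simple passcodes (1234, 0000)
    passcodeMinimumLength          = 6
    passcodeRequiredType           = "numeric"    # enum: deviceDefault | alphanumeric | numeric
    passcodeExpirationDays         = 90           # force expiration after a number of days
    # Actions for noncompliance, in escalating order. Grace periods are assumptions.
    scheduledActionsForRule        = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";        gracePeriodHours = 0 }    # mark noncompliant immediately
                @{ actionType = "notification"; gracePeriodHours = 0
                   notificationTemplateId = $notificationTemplateId
                   notificationMessageCCList = @() }                      # first instance: email the user
                @{ actionType = "remoteLock";   gracePeriodHours = 72 }   # still noncompliant after 3 days
                @{ actionType = "retire";       gracePeriodHours = 336 }  # still noncompliant after 14 days
            )
        }
    )
}

$baseUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

# 1. Create the policy. Intune rejects a policy without scheduledActionsForRule,
#    which is why the escalation block is part of the create request.
$created = Invoke-MgGraphRequest -Method POST -Uri $baseUri `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.displayName) with id $($created.id)"

# 2. Assign it to the device group (the "Oslo IT devices" step in the video).
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 3. Read the policy back with its assignments to confirm both calls took effect.
$check = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($created.id)?`$expand=assignments"
[pscustomobject]@{
    Name            = $check.displayName
    BlockJailbroken = $check.securityBlockJailbrokenDevices
    MinimumOs       = $check.osMinimumVersion
    PasscodeSimple  = $check.passcodeBlockSimple
    AssignedGroups  = ($check.assignments | ForEach-Object { $_.target.groupId }) -join ","
} | Format-List
```

Run it from an account holding the Intune Administrator role rather than Global Administrator, in line with the least-privilege point made in the captions. The `notification` action needs an existing notification message template; if you do not have one yet, drop that entry and the policy still creates with the block, lock and retire actions.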
Info
Channel: Andy Malone MVP
Views: 173,979
Keywords: Learn Microsoft Intune, Microsoft Intune for Beginers, Get started with Microsoft Intune, Andy Malone MVP, MVPBuzz
Id: 56Ihv5MF4_U
Length: 39min 5sec (2345 seconds)
Published: Thu Sep 07 2023