Microsoft Intune Suite The Essential Beginners Guide

Video Statistics and Information

You know, configuring devices and Microsoft 365 can be a tricky affair, so in this episode I'm going to take you through everything you need to know in order to get you up and running as quickly as possible. Stay tuned, you're going to learn something.

Greetings, my fellow YouTubers, so nice to see you, and a very warm welcome to my channel, especially if this is your first visit. You know, configuration of devices and users in the mobile space is quite confusing and it's becoming quite busy, and with Microsoft Intune getting ever more complicated, it's super important that you know what you're doing. Now, Microsoft have also got a new course out, MD-102, configuring Microsoft Intune, so if you're looking to get certified in this then this is definitely the course that you want to head for. Now, in this episode we're going to take you through everything that you need to know in order to get up and running, so we're going to look at not only configuring devices but also what are the different components and Intune and how they all come together.

Now, if you've got questions about this, or in fact any of my sessions, as always just get those down below and I'll always do my best for you. And if you've not subscribed, it would be great to have you on board, so bump the Subscribe button up there, ring that bell, and you'll be notified of any new postings and videos. So without any more jibber-jabber, let's jump in and take a look at these demos. You enjoy.

So here I am in Azure Active Directory, and I just want to pop into Users and All users here, and I just want to mention just where I'm starting this demo. I've gone ahead and deployed Azure AD Connect, my users have synced in, and at the moment I've just gone ahead and licensed this user, Aaron Nichols, with an E5 and an EMS license. Common question is, "Andy, do I need to have that for Intune?" Absolutely not, no. You can have either Business Premium, you can have an E3 license, but you do need the Enterprise Mobility and Security, or you can
purchase just a standalone Intune license for the user. All right, now in terms of the numbers of devices, it's really, it's not based on the devices, it's really based on the user license, so you can have up to five physical devices, so PCs and Macs, as well as a number of mobile devices, for example iPhones, iPads and so on.

So once you've done that, I've gone ahead and configured that, the next thing that I want to do is I'm going to just pop over into Devices and I'm going to come in here into All devices. Now again, I've not done anything with this demo, all I've done is deployed Azure AD Connect, and you see that dc1 has come in. It's a Windows machine, but it's in hybrid mode, and what that means is it's not currently being managed by any mobile device management. You see there's no manage option, but you can see it in Azure Active Directory. Now the benefit of this is if you do have hybrid devices, then you can manage them a little bit with things like conditional access, so that's quite useful. However, if you want to get full benefit, of course, then you really do need to switch a few settings on.

So for first up, those settings are here. So I'm going to come into my device settings, and in my device settings you can see Azure AD join and registration settings. So users can join their devices, and I've just gone ahead and said all users can join, but of course you can do it where it's just selected users as well. Users may also register their devices. This is grayed out because you can go ahead and you can join the devices. Again, we'll talk about devices in Intune in a moment. And you'll see that, um, require multi-factor authentication, um, when you do, when you join or register those devices. Now, um, by default here it's just switched off, but in reality, my friends, you would probably want to go ahead and actually enable that for an additional layer of security. Now it says how much, what's the maximum number of devices per user. 50 is way too many, so I would probably keep that about 20, keep it
manageable and easy to manage. Um, we also have LAPS, which is the new local administrator password service, and this is currently in preview, so I can go ahead and I can enable that on, uh, there as well. And again, restricting users from recovering BitLocker keys on mobile devices. Again, you might not want users to do that, you might want it to be an admin function. So I'm going to go ahead, I'm going to click on Save, and that's the first part.

Now a common question is, "Andy, why is it called Endpoint Manager and Intune here?" Well, Endpoint Manager really relates to the security components, so really here what we're looking at are a number of different tools. So basically we've got devices and apps, this is Microsoft Intune, and then of course you've got the security component, this is the endpoint.

Now first of all, to enable users to register devices in Intune, what we need to do is we need to come into Devices here, and again you can choose your device, so for example it might be Windows, iOS, iPads, macOS, Android, Chrome OS, or now even Linux as well. Um, just a common question that I always get is, uh, "Andy, um, do I need to have any kind of special software or special settings?" The only thing you need, and if you're deploying iOS and macOS, then you will need to basically, if you go into Enroll devices here, so it's super simple to do. With Apple enrollment, essentially you go in and you need to basically register for what we call an MDM certificate, and you just go through the process here and you put in your Apple ID, and once you get your MDM certificate, which is valid for one year by the way, you can then go off and you can start configuring devices. I'm going to do a separate video on this, so definitely watch out for that in the not too distant future.

All right, so again I'm going to come down into Devices here, I'm going to come into enrolled devices, and the first thing that we've got here is something called automatic enrollment. So in here you're basically giving your users the
authorization to go ahead and join their devices, typically mobile devices, into Microsoft Intune, and you can say no users, some users, and you can specify who those users are, or you can just go ahead and do a blanket join, and in this case that's what I'm going to do. Now MDM of course means mobile device management, and the other one of course here is mobile application management, so if you want to deploy applications to mobile devices, again you can choose those here. And there are a number of pages that you can configure, so there's a discovery page, there's a terms of use page, and there's also a compliance page that you can configure as well. So once you've done that, simply click on Save and we're basically ready to go.

So now that we've granted access to the MDM, or mobile device management, the next thing is we're going to just flip over here into Settings. I'm going to go into Accounts and scroll down, and now what we want to do is we want to do an Azure AD join. Now when we do an Azure AD join, I'm just going to click on Connect here, and the first thing that you need to know is, do you want to join this device to Azure Active Directory or Active Directory? So a lot, so if you're using a local domain using Windows Server, it, this is one or the other, and it's basically who has authority over the account. So I'm going to go ahead and choose Azure Active Directory in this case, and again the reason I'm doing that is because I'm joining the workstation to Azure Active Directory. So I'm going to go ahead, I'm going to put in Aaron's credential and click on OK, and I'm going to put in his password here, and again just sign in. Now that can take a few moments just to register that machine.

Okay, so now that Aaron is logged in, what are the main benefits here? So I'm going to just open up a browser here and I'm just going to go to and just to show you that one of the real benefits, of course, is that you'll notice it didn't even prompt me for any kind of, uh, authentication here, so the user
didn't need to log in, and the reason is of course because Aaron is already authenticated into Azure Active Directory. How cool is that? That is such a great thing. So he has got pure single sign-on. Now although Aaron's account is actually sitting in Active Directory, he can have a device in Azure Active Directory and he gets all the benefits of being still, if you want to maintain his user account on premises, but the device is all managed in Intune.

All right, so now what you can do with that? Well, what I'm going to do is, now that we've logged on to Intune, let's take a look at it from the management perspective. So here I am back in my portal, and I'm just gonna go back to the home page here and I'm going to flip down into Devices. So if I click into Windows devices here, you can now see, sure enough, that Aaron's machine is now logged in to Intune, and more than that, is detecting that it's a corporate machine, it's compliant, it's running Windows, and you can see the name of the user here.

Now the big difference between this and the Azure hybrid join machine is that we can now completely manage this machine. So now you can see the properties, you can view the hardware of this machine, what apps are actually on the device, and whether the device is compliant, and I'll talk about that in a moment, and we'll talk about whether the device has a configuration policy, and out of the box you can see that there's nothing configured at the moment. So do we have a number of configuration options that we can do: we can deploy a configuration profile for the device, we can deploy a compliance profile for the device, we can also manage things like apps as well, so app configurations, and again things like BitLocker, the local admin password, so if you want to, for example, back up the local admin password, this is the new LAPS feature which is now available, and also you can configure things like the user experience, and then you've got some kind of management and reporting options down at the bottom here.
So what I'm going to do is I'm just going to head back into my device. So here in my ws1 device, what options do I have? Well, from a management perspective I can now retire this device, so if I no longer want this device to be in our organization I can get rid of it. If you think about, hey, you know, Aaron's leaving the company, I maybe want to do a remote wipe, or indeed if the device has been stolen or lost, this could be an invaluable function. If you want to delete the, uh, if you want to delete the device completely, again you can do that.

We also have some new features which are available in premium, so things like remote lock, you can do that, but you do need a premium license for that. Um, you can sync, so if you make any changes to the configuration, this will force the device to synchronize. Likewise passcode, you can reset that. Again, some of these are premium, and in fact if you're using things like multi-factor authentication, some of these you may want to consider using that instead. You can also restart the device. You've got other features here, so for example doing quick antivirus scans here, they're always quite useful, and we also have a new remote assistance feature, which again is a premium feature, so you can pay a little bit more for that, but again some of these are absolutely awesome. So that's managing the device.

Right, so next what we'll do is let's now take a look at configuring the device then for Intune. So now we deploy the device, we know how to manage the device, the next thing is how can we configure the device. Now traditionally in Windows, of course, you'll be familiar with the fact that you can have things like group policies, so for example, um, in a traditional domain environment. So for example, here I'm on my domain controller, and if I scroll down, of course we have something called Group Policy Management. So this is essentially allows you, so if I just come in here, and you can see that I'm just going to come into my domain called Contoso, and what I'm going to do is
I'm going to come in here and into Contoso here, and let me just expand this out. I've got my default domain policy. Now your default domain policy essentially contains your computer configuration and your user configuration settings, so anything that you configure at the computer configuration will essentially affect every user who logs on at that device. User configuration, it will affect the user irrelevant of the device that they log into, and that's typically a domain, what we call group policies.

So how do we accomplish this then in Azure Active Directory? So it's actually quite simple, and again it's not kind of rocket science. And so for this, what I'm going to do is I'm going to come into Devices here, and now we've already talked about enrolling the devices, so the next thing then is obviously configuring the devices. So I'm going to scroll down, and we have a number of what we call policies that you can now apply. So the first one that I want to take a look at then is a configuration policy. Now a configuration policy, as you can see, um, I, it basically is a profile. Now you can actually import your group policy settings, so you can export a group policy as an, what we call an ADMX template, and you can import those into Group Policy if you want to, um, or I can just go ahead and actually create a profile of my own.

So again, I simply choose the platform, so what platform am I choosing for here? So in this case I'm choosing for a Windows 10 or later. And am I looking for the settings or just certain templates? Let's go for the templates. So we have a number of different templates here, and again if you're familiar with Group Policy, many of these are going to look very kind of familiar to you. So again, I can scroll through this, you can see this Wi-Fi settings, how self-monitoring wireless settings and so on. I'm going to choose admin templates, I'm going to go ahead and click on Create, and again here you can see it's now asking me for a name, so I'm just going to call this my Oslo office, let's
say we'll call this my Oslo office template. I'm going to click on Next and, uh, you can see now it's got all the settings for me. So check it out, if I want to, let's say, configure things like Google, the local administrator password service, um, Microsoft Edge, the browser, again these are just some examples, um, things like OneDrive settings, your system settings, there are literally hundreds of settings here that you can go through. So I can go through to the control panel here, I can go into, let's say, things like do I want to personalize it, if I want to block a certain setting and control panel, for example force a specific start background color or a menu option here, prevent changes to the start background, and you provide, prevent users from enabling the lock screen camera, for example. So again, I could just go ahead, I can click onto that, and that will essentially write that into the registry.

Um, so there we go, I can then click on Next, and then it says, okay, um, do you want to, uh, who's the scope for, who is this for? If you're using tagging, and this can be quite useful, you can add that in. Um, and then of course I can assign it to a user or a group, so I can go ahead, I can add all users here if I want to, or I can go ahead and add all managed devices. So you can see here that I've now added my, and I've only got one device here as an example, but you can now see I've gone ahead and I've, I can include, I can exclude and so on. Again, I'm going to go ahead, I'm going to create that policy, and there you go, you can see it just takes a moment just to come in, and I will just refresh this page and in a second you'll see that this policy has actually been created, so just give it a moment. Okay, there you go, and that's how you create policies, or profiles. So as I said, these are device profiles, so any devices that I'm, are managed would then be enforced by this.

Now another technology that you definitely want to probably take a look at are compliance policies. So for example, with compliance policies, again
with compliance policies I can create different types of policies. So I mentioned earlier that, for example, if I've got, let's say, Android, or let's do iOS for example, so if I've got users bringing in iOS devices onto my network. So I can call this my Oslo compliance policy. Okay, foreign policy, so I'll click on Next. And again in here, this, now compliance is such an important area. So for example, do you want to have your users required to use email, and this is a particularly important one, jailbroken, especially on multiple devices, so you definitely want to block jailbroken devices, and require the device to be under a certain security level, you can do that. Then you've got things like device properties, so you know, within your organization if you want to support a minimum or a maximum iOS version or operating system version or a build for support purposes, you can put that in. And things like, do you want to enforce things like Defender for Endpoint in terms of system security, do you want to allow things like biometrics, so enforcing passwords, biometrics, you can, as I said, you can configure all of these. So again, require a password to unlock, and then of course you can then start configuring all these other features.

This is also really useful, remember this is all about compliance, I can actually go through and restrict certain apps on these devices, and you can see that you get the app name. I'm often asked, where do you get the app bundle ID? So when you install an app into our Azure Active Directory these days, so basically if you come up here and if I go into Applications, so just expand this menu a little bit here, so if I come into Applications here and Enterprise applications, because Azure Active Directory is a database, every single thing, everything essentially has an ID. So all you need to do is, once you've installed the app, every single app will have an app ID, now irrelevant of the store that you're bringing that device or that app in. So all you would then do is put in the name of
the app, paste in the ID, and then you're pretty good to go.

So now that I've created that, again I can now create some rules, so what are the actions for non-compliance? So do you want to just send a user an email and just say, look, you know, maybe your device is out of date, maybe you want to consider updating your device, and you can have multiple attempts, so ultimately of course if they just simply do not respond then you can essentially block that device there. So I'm gonna click on that. The next thing, again I can add this to a group, I can add it to all users, and again I can add it to all devices as well. Just click on Next, and there we go, I now go ahead and create my compliance policy, and you can see here once that policy has been deployed you'll then get an overview of exactly if there are any devices that are non-compliant. Perhaps the user's having an issue, you can then go in and of course help the user out. All right, so that is that.

So in terms of devices, the other things that we've got, you can also do conditional access rules on the devices, so for example the user is only allowed to use this device from a specific location, um, and so on, other specific app on this device. Check out my Microsoft Entra identity playlist, I've done a number of videos on conditional access that give you complete step-by-step guides, so definitely check those out.

Um, so in addition to configuration and compliance, I can also deploy scripts, so if you've got a PowerShell script you want to deploy then you can go ahead and you can do that. You can also deploy updates of course, and again I'll cover these in previous, in future sessions. Um, a quick tip by the way is, if you don't want to deploy, um, policies one by one, check it out, you can create these things called policy sets, and with a policy set it's essentially, you can create bundles of rules, so it includes not just devices but also app policies as well, um, which takes me of course to apps. So one of the really cool things about Intune is
that you can deploy and manage apps for any of the managed devices that you have, and more than that, once you've enrolled those, um, so again you just basically install the app and connect it to the App Store, and you can then enforce kind of policies on those particular apps as well. So, and again I'm going to cover this in a future video, so things like app protection policies. App protection policies, for example, if a user's out of the office and they've got OneDrive, you might not want the user downloading files onto personal devices. You've got things like, again, app configuration policies, so again configuring those applications. Um, you've also got some, a number of kind of dedicated policy.

Oh, and by the way, of course, unlike days of old, you don't actually need to download, physically download, um, Microsoft Office, because users can download it themselves, but what you can do of course is you can create app policies for Office. So I can, again I'll just call this office one, but again I can go in here now and I can create configuration policies from Microsoft Office, and I can specify is it selected groups of users or selected devices. Again, I can just go ahead and do a configuration, so if there was a setting in Microsoft Office that you wanted to configure, again you can do that. Now there are literally, as you can see, thousands of policies here, so a good tip is to come in and you can actually search for the product that you want to search for, and again you can then go down and you can then configure this as you wish or as you see fit.

Now of course one of the cool things that's coming into Microsoft 365 is the Microsoft Copilot service, and you can bet that this is a service that is really going to make a difference here in the not too distant future, so watch out for that.

All right, now the final component, just kind of giving you this walk through, of course is endpoint security. So the second part of Endpoint Manager is really endpoint security, and again this really comes into its
own, because you can configure things like, uh, antivirus policies. So of course every Windows device has got Windows Defender on it, so you can come in here and you can create a policy that will basically make sure that things like Windows Defender is up to date. You can also enable things like disk encryption, so things like BitLocker, and what this does is it backs up the user's BitLocker keys into Azure Active Directory in case of disaster. You can also configure things like firewall rules, so of course we're talking endpoint firewall here as well. Again, you've also got other useful features which are incorporated into Defender for Endpoint, such as things like attack surface reduction, things like a user account protection, and again device compliance, conditional access, these are just shortcuts to what I showed you earlier.

So you can see that there is so much in Microsoft Intune, and just by spending a little bit of time, um, again, "How do I get a chance to play with this, Andy?" Definitely take out a Microsoft E5 or an EMS subscription. Um, you can try it for 30 days, just Google and just say, you know, I want to try a Microsoft 365 E5 trial for 30 days, and you'll get one, and it's absolutely free, you don't need a credit card, so definitely check it out and you'll definitely learn a lot.

So there you have it, Microsoft Intune in a nutshell. I hope you're a little bit wiser about what this fantastic piece of software does. Hey listen, if you enjoyed it, pump the like button, it does make a difference, and if you've not subscribed, as always click that Subscribe button, ring the bell and come on board and join our learning community. And if you've got questions, then as always just get those down below and I'll do my best for you. So that's it for this time, I'll see you next time. Stay safe, see you soon, thank you.

Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here, go ahead, click on the Subscribe button and you won't miss out.
Channel: Andy Malone MVP
Views: 30,600
Id: CbZHIn40jX4
Length: 30min 45sec (1845 seconds)
Published: Mon Jun 19 2023