
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

Managing Windows 10 Devices with Microsoft Intune and Autopilot

Module 01 - Overview and Lab Setup

Introduction

During this lab, you will learn how to set up the lab environment and the subscriptions for the Managing
Windows 10 Devices with Microsoft Intune and Autopilot workshop.

Estimated Time

90 minutes

Objectives

At the end of this lab, you will be able to:

Complete the lab setup

Generate and install the required virtual machines

Logon Information

Use the following credentials to log in to the Lab on Demand virtual environment on MMWS_Host.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!

https://labondemand.com/LabProfile/Instructions/85497 1/352

Table of Contents

Lab 1: Setup Windows Machines in your Lab on Demand Environment

Exercise 1: Host machine (MMWS_HOST) housekeeping

Exercise 2: Create virtual machines (Client1)

Exercise 3: Create Client 2

Exercise 4: Create Client 3

Lab 2: Verify Cloud Subscriptions for Modern PC Management

Exercise 1: Sign into your pre-created Office 365 subscription

Exercise 2: Sign into your pre-created Enterprise Mobility + Security E5 subscription


Lab 1: Setup Windows Machines in your Lab on Demand Environment

During this lab, you will create 3 Windows machines within the LOD environment.

| Client 1 | Client 2 | Client 3 |
|---|---|---|
| Work or School Account Scenario | Azure AD Join Scenario | Azure AD Join Scenario for Autopilot |
| Local user account | Azure AD user account | Local user account for harvesting hardware ID. Later Azure AD user account |
| Azure AD registered device | Azure AD joined device | After Autopilot Azure AD joined device |

Module 3 Autopilot deployment

Module 8 Autopilot reset

Exercise 1: Host machine (MMWS_HOST) housekeeping

This exercise shows how to change your keyboard layout on your host machine.

Logon to your Host

Log on to your MMWS_HOST in your LOD environment. To autotype, you may click on the T to get your account/password.

Adjust keyboard layout

Open Settings.

Click on Time & Language.

Click on Language.

Click on Add a language.

Search for the desired language and click Next.

Remove all checkboxes and click Install.

Click on keyboard.

Select the desired keyboard layout.

Close the settings app.

Verify your configured layout in the taskbar.

Check for pending updates

Optional - set your corresponding timezone

Make sure your host machine has no pending reboots due to updates. We have experienced
some issues with pending reboots and the Hyper-V guests.

Please reboot if needed.
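
The pending-reboot check in the step above can be scripted. This is an added example, not part of the lab material: it reads the registry locations Windows commonly uses to flag a required restart, and the function name Test-PendingReboot is made up for the example.

```powershell
# Added example (not from the lab scripts). Run in an elevated PowerShell session on MMWS_HOST.
# Test-PendingReboot is a name chosen for this example.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $reasons = New-Object System.Collections.Generic.List[string]

    # The servicing stack (CBS) creates this key when an installed package needs a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path -Path $cbs) { $reasons.Add('Component Based Servicing') }

    # Windows Update creates this key after installing updates that need a restart.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path -Path $wu) { $reasons.Add('Windows Update') }

    # Files queued for replacement or deletion at the next boot. Some software leaves
    # entries here permanently, so on its own this is the weakest of the signals.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons.Add('Pending file rename operations') }

    # A computer rename that has not been applied yet shows up as two different names.
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $active  = (Get-ItemProperty -Path "$base\ActiveComputerName").ComputerName
    $pending = (Get-ItemProperty -Path "$base\ComputerName").ComputerName
    if ($active -ne $pending) { $reasons.Add("Computer rename ($active -> $pending)") }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons -join '; '
    }
}

$state = Test-PendingReboot
$state | Format-List

if ($state.RebootPending) {
    # List running guests first so they can be shut down cleanly before the host restarts.
    Get-VM | Where-Object State -eq 'Running' | Select-Object Name, State, Uptime
    Write-Warning 'Restart MMWS_HOST before creating or starting the lab VMs.'
}
```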

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Create virtual machines (Client1)

This exercise shows how to create the virtual machines on the Hyper-V host.

The machines are not pre-provisioned since Autopilot needs a unique Client ID to work.

Create the Windows 10 machines on your Hyper-V Host

Log on to your MMWS_HOST in your LOD Environment.

Open PowerShell (ISE) as Administrator.

Navigate to the scripts directory with cd C:\LAB_SOURCE\VMCreation

Run in PowerShell:

    Set-ExecutionPolicy Unrestricted -Force

Run in PowerShell:

    .\CreateVM.ps1

This step will provision three sysprepped virtual machines running Windows 10 Professional.

Open the Hyper-V Console on MMWS_Host and finish installing Windows 10 on Client1.

Wait until the Windows Out of Box Experience (OOBE) screen appears.

Select your region.

Select the keyboard layout.

Skip the second keyboard.

Accept the Windows 10 License Agreement.

Select Set up for personal use.

Choose Offline Account.

Select Limited Experience when asked to use a Microsoft Sign in instead.

Type the local account name Admin when asked who is using the PC.

You may want to use the type fields in the LOD platform.

Type Intune123!! as password.

Answer the 3 security questions.

Click Accept on the Choose privacy settings page.

On the Let Cortana help you get things done page, click Not now.

When finished, restart CLIENT1 to activate the Enhanced Session Mode for Hyper-V.

This lets you use the machine like an RDP connection and makes it easier to copy/paste content.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.
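
For the Set-ExecutionPolicy step in Exercise 2: without -Scope, the command writes the LocalMachine policy, so Unrestricted stays in effect on the host after the lab. The following added example (not part of the lab scripts) runs CreateVM.ps1 with the policy change limited to the current PowerShell process and then confirms that the persisted scopes are unchanged. It assumes the same elevated session and the script path used in that exercise.

```powershell
# Added example, not part of the lab material.
$scriptDir = 'C:\LAB_SOURCE\VMCreation'      # directory from the lab step
$script    = Join-Path $scriptDir 'CreateVM.ps1'

# 1. Snapshot the policy of every scope before changing anything.
$before = Get-ExecutionPolicy -List

# 2. Inspect what is about to run: Authenticode status, download marker and hash.
$sig  = Get-AuthenticodeSignature -FilePath $script
$motw = Get-Item -LiteralPath $script -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
[pscustomobject]@{
    Script          = $script
    SignatureStatus = $sig.Status          # NotSigned is what an unsigned script reports
    HasZoneId       = [bool]$motw          # True if the file carries a mark-of-the-web stream
    SHA256          = (Get-FileHash -Path $script -Algorithm SHA256).Hash
} | Format-List

# 3. Relax the policy for this process only. Nothing is written to the registry,
#    and the setting is gone when this PowerShell session is closed.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# 4. Run the lab script from its own directory, as the lab step does.
Push-Location $scriptDir
try     { .\CreateVM.ps1 }
finally { Pop-Location }

# 5. Compare the persisted scopes with the snapshot; no output means nothing changed.
$after = Get-ExecutionPolicy -List
Compare-Object -ReferenceObject  ($before | Where-Object Scope -ne 'Process') `
               -DifferenceObject ($after  | Where-Object Scope -ne 'Process') `
               -Property Scope, ExecutionPolicy
```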


Exercise 3: Create Client 2

In this exercise you will create a Windows 10 Professional machine for Azure Active Directory join on the
Host in Hyper-V.

The machines are not pre-provisioned since Autopilot needs a unique Client ID to work.

Open the Hyper-V Console on MMWS_HOST and prepare installing Windows 10 on Client2.

Wait until the Windows Out of Box Experience (OOBE) screen appears.

Select your region.

Select the keyboard layout.

Skip the second keyboard.

Accept the Windows 10 License Agreement.

On the screen How would you like to set up?, select Set up for an organization.

Leave the machine running at the sign-in page.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Create Client 3

This exercise shows how to create a Windows 10 Professional machine on the Host in Hyper-V. We will
install a full Windows 10 on this machine to prepare it for Autopilot.

Open the Hyper-V Console on MMWS_HOST and finish installing Windows 10 on Client3.

Wait until the Windows Out of Box Experience (OOBE) screen appears.

Select your region.

Select the keyboard layout.

Skip the second keyboard.

Accept the Windows 10 License Agreement.

Select Set up for personal use.

Choose Offline Account.

Select Limited Experience when asked to use a Microsoft Sign in instead.

Type the local account name Admin when asked who is using the PC.

You may want to use the type fields in the LOD platform.

Type Intune123!! as password.

Answer the 3 security questions.

Click Accept on the Choose privacy settings page.

On the Let Cortana help you get things done page, click Not now.

When finished, restart CLIENT3 to activate the Enhanced Session Mode for Hyper-V.

This lets you use the machine like an RDP connection and makes it easier to copy/paste content.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 2: Verify Cloud Subscriptions for Modern PC Management

During this lab, you will verify the access to your subscriptions.

Exercise 1: Sign into your pre-created Office 365 subscription

This exercise shows how to log on to the Office 365 admin portal with the pre-created subscription
admin account.

Connect to the Lab on Demand virtual environment on MMWS_HOST.

Open a browser and sign in at http://admin.microsoft.com

The Lab on Demand platform provides the necessary subscriptions.

Connect with the credentials of the Office 365 subscription provided.

Username: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Username
Password: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password

Click on Billing > Your Products to see when your licenses expire.

Optional: If you want to change the branding go to

Select custom themes.

Either remove the current branding or select the new branding logo.

The files for the company branding are located on your MMWS_Host: Banner Logo:
C:\LAB_SOURCE\Labs\Company Branding\FC-Banner365.png

Save and review your logo at the Office portal http://portal.office.com

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 2: Sign into your pre-created Enterprise Mobility + Security E5 subscription

This exercise shows how to log on to the Azure admin portal with the pre-created subscription admin
account.

Logon with your tenant credentials

Open a browser session and navigate to https://portal.azure.com. Sign in with your credentials:

Username: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Username
Password: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password

Start a tour if you have never used Microsoft Azure.

Click the Hamburger Menu to show the portal Menu.

Select Azure Active Directory in the Services selection on the left.

Navigate to Licenses.

Verify that Enterprise Mobility + Security E5, Microsoft 365 E5 Compliance, Office 365
E3/E5 and Windows 10 Enterprise E3 are listed as subscriptions.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 02 - Azure Active Directory

Introduction

During this lab, you will learn how to configure your Azure Active Directory and Intune environment.

Estimated Time

90 minutes

Objectives

At the end of this lab, you will be able to:

Use the Microsoft Endpoint Manager admin center and the Azure portal

Create users and groups

Deploy licenses

Configure Azure and Company Portal branding

Configure clients for Azure AD join and Azure AD register

Logon Information

Use the following credentials to log in to the Lab on Demand virtual environment on MMWS_Host.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Lab 1: Explore the Azure portal and the Microsoft Endpoint Manager admin center and configure
administrative roles

Exercise 1: Create additional administrative user account

Exercise 2: Deploy Windows licenses

Exercise 3: Configure automatic MDM registration

Exercise 4: Disable Windows Hello for Business

Exercise 5: Prepare branding for the Company Portal

Exercise 6: Prepare company branding for Windows Autopilot

Exercise 7: Add additional users to the local "Administrators"

Exercise 8: Deploy Windows 10 Work or school account

Exercise 9: Deploy Windows 10 AAD joined machine

Exercise 10: Enable Endpoint Analytics

Lab 1: Explore the Azure portal and the Microsoft Endpoint Manager admin center and configure administrative roles

During this lab, you will learn how to create users, groups and administrative roles.

Exercise 1: Create additional administrative user account with the role of an Intune Administrator

This exercise shows how to create the required user accounts.

Use the Edge Browser on your HOST machine.

Open the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com, navigate to
Users and select New user.

Select New user again and create
IN-Admin1@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName with the role of an
Intune Administrator.

Configure User name and Name attributes.

Select Show Password and note the user's password in the text box below.

Select Roles and add Intune administrator as selected role.

Change the Usage location to match your country and save the settings. In this example we used
United States.

Finally click Create to complete the creation of IN-Admin1.

Admins no longer require an Intune license to access the Microsoft Endpoint Manager admin
console

You can now set a tenant-wide toggle that removes the Intune license requirement for admins to
access the MEM admin console and query graph APIs.

Once you remove the license requirement, you can never reinstate it.

Change the password for IN-Admin1.

Use a private browser session to log on with
IN-Admin1@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName with a
password of <in-admin1-password> to the Microsoft Endpoint Management admin center
http://endpoint.microsoft.com. Reset the password during first logon to Intune123!!. Test
access to the Intune administrative features. It is considered successful if you can view the
portal content. Close the in-private session.

Select a user for the labs and verify the licenses of this user

In this section you choose a preprovisioned working user for this lab. The lab will use Adele
Vance, but if you choose to use a different user, feel free to do so and select the relevant user for
the group memberships in later modules.

Verify the assigned license of your user.

Change the password of the user for easier handling.

Open the MyAccount Portal http://myaccount.microsoft.com and click on Password.

Change the password from
@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password to Intune123!!


Exercise 2: Deploy Windows licenses

This exercise shows how to assign licenses to an Azure Active Directory group.

Create an Azure Active Directory group and deploy licenses to this group.

Use the Edge Browser on your HOST machine.

Open the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com, navigate to
Groups and select New group.

Create a group GL-License1 with the group type Security and Adele Vance as a member.

Click Create to complete the group creation.

Assign licenses to the group

Open the group settings page and navigate to Licenses. Click on + Assignments.

Assign Windows 10 Enterprise E3 licenses to this group.

Click Save to finish the license assignment.

You can check in the Users properties that the licenses will appear as Inherited (click
Reprocess and Refresh to speed up the assignment).


Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Configure automatic MDM registration

This exercise shows how to configure automatic MDM registration for Azure AD joined devices.

Configure automatic MDM registration

Use the Edge Browser on your HOST machine.

Use your admin@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName
browser session and navigate to Devices > Windows > Windows enrollment > Automatic
Enrollment.

Click on Automatic Enrollment.

Configure the MDM user scope to All and Save the configuration.


Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Disable Windows Hello for Business

Since Hello for Business is not part of this module, disable it. We will come back to it later.

Disable Windows Hello for Business.

Navigate to Devices > Windows > Windows enrollment > Windows Hello for Business.

Select Windows Hello for Business and configure Windows Hello for Business to Disabled.

Click Save.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 5: Prepare branding for the Company Portal

The company portal app is the main user interface for the logged-on user. It can be customized to
reflect the company's corporate identity.

Configure company portal branding.

Navigate to Tenant administration > Customization.

Edit the Default Policy and enter some basic support information and graphics as you desire. This
will be reflected in the Company Portal app which you will deploy later.

The files for the company branding are located on your MMWS_Host: Banner Logo:
C:\LAB_SOURCE\Labs\Company Branding\FC-Banner.JPG

Scroll further down and Add the required Privacy statement URL.

Click Review + Save.

Save the settings.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 6: Prepare company branding for Windows Autopilot

This exercise shows how to configure several "Company branding" options in preparation for the
Windows Autopilot module.

Configure Azure company name.

For this exercise, use the Azure Portal http://portal.azure.com.

Navigate to Azure Active Directory > Properties.

Save the name.

Configure company branding.

Navigate to Azure Active Directory > Company branding.

Click Default to edit the branding configuration object.

The files for the company branding are located on your MMWS_Host:

Background Image: C:\LAB_SOURCE\Labs\Company Branding\FC-Background.JPG
Banner Logo: C:\LAB_SOURCE\Labs\Company Branding\FC-Banner.JPG
Square Logo: C:\LAB_SOURCE\Labs\Company Branding\FC-Logo.JPG

Edit the branding configuration according to this screenshot.

Click Save.

The banner logo has no effect on the Autopilot branding, only on the Azure apps website
http://myapps.microsoft.com and the logon page. Feel free to change the Sign-in page logo. The
background image size of 1920x1080px and file size of <300kb must be respected.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 7: Add additional users to the local "Administrators"

This exercise shows how to add an Azure AD user account to the local group "Administrators".

Add the Intune administrator user to local administrator group

Continue using the Azure Portal http://portal.azure.com.

Navigate to Azure Active Directory > Devices section in the Azure portal and select Device
settings.

Click on Manage Additional local Administrators on all Azure AD joined devices.

Configure the following settings and add IN-Admin1 as an additional local administrator for
Azure AD joined devices.

Click Ok and Save.

This operation only takes place during the Azure AD join process. It is not possible to deploy
group memberships with this option after that.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 8: Deploy Windows 10 Work or school account

This exercise shows how to install Windows 10 for the Work or School Account "BYOD" scenario.

Logon to the lab environment

Connect to the CLIENT1 machine with the Hyper-V admin console.

Log on to the CLIENT1 machine with the local user.

Username: Admin
Password: Intune123!!

Register your Work or school account

Open Settings > Accounts > Access work or school and click on Connect.

Select your workshop test user
AdeleV@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName, enter the
password Intune123!! and click Next.

You will see your Company Branding in action for the first time during authentication to Azure AD.

Press Next to continue.

Click Sign in.

Your device will be registered. Verify that success is reported.

If the registration fails, verify this machine has no pending reboots due to updates.

You should see the following notification.

Finally click Done to complete the process.

Check the device join type.

Open the Azure Portal http://portal.azure.com and switch to Azure Active Directory > Devices
> All devices. You will see your registered device with a join type of Azure AD registered.

Open the Endpoint Manager portal http://endpoint.microsoft.com and verify the Intune state of
the device by navigating to Devices > All devices. It should be automatically enrolled in Intune
with an Ownership type of Personal.

Test single sign-on to the Office Portal

Switch back to Client1.

Open Microsoft Edge and configure the initial browser settings. Make Microsoft Edge the default
browser.

Sign in to sync data and generate a user profile in Edge.

Select AdeleV as the user.

No password is asked for due to single sign-on.

Configure the browser to sync data.

Open a browser session and navigate to the Office 365 portal http://portal.office.com. The
browser session should single sign on to the portal.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 9: Deploy Windows 10 AAD joined machine

This exercise shows how to install Windows 10 with the AAD joined scenario.

Logon to the lab environment

Connect to the CLIENT2 machine with the Hyper-V admin console. The machine should be in the
following state.

Enter your Azure AD credentials,
adelev@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName.

Click Next and enter the user's password Intune123!!.

Accept the privacy settings as desired.

You have now successfully deployed an Azure AD joined machine.

Verify the device state in the Azure portal

Open the Azure Portal http://portal.azure.com and switch to Azure Active Directory > Devices
> All devices. You will see your registered device with a join type of Azure AD joined.

Verify the Intune state of the device

Open the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com and
navigate to Devices > All devices. You will see all your devices from an Intune perspective,
including attributes like Ownership and Compliance state.

The AAD joined device is classified as Corporate, the private device (work or school account) is
classified as Personal.

Your client has changed from a Windows 10 Professional to a Windows 10 Enterprise version.
Use the command winver to display the versioning information.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 10: Enable Endpoint Analytics

This exercise shows how to enable the Endpoint Analytics feature. We will discuss this topic on the last
workshop day but we need some reported data. This process will last around 24 hours.

Logon to the lab environment

Use the Edge Browser on your HOST machine.

Open the Microsoft Endpoint Manager admin center http://endpoint.microsoft.com.

Navigate to Reports > Endpoint Analytics.

Let data collect from All cloud-managed devices and click Start to enable the feature.

Further details will be discussed in a later module.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 03 - Windows Autopilot

Introduction

During this lab, you will learn how to set up devices using Windows Autopilot.

Estimated Time

60 minutes

Objectives

At the end of this lab, you will be able to:

Gather the hardware hash of a Windows 10 machine

Create Autopilot profiles and import devices

Drive the Autopilot process

Do basic Autopilot troubleshooting

Login Information

Use the following credentials to log in to the virtual environment.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Lab 1: Get ready for Autopilot 3

Exercise 1: Create a Deployment Group

Exercise 2: Configure Microsoft Intune Device Enrollment

Exercise 3: Configure an Enrollment Status Page

Exercise 4: Gather Hardware Information from a device

Exercise 5: Import device for Windows Autopilot

Exercise 6: Experience Windows Autopilot

Lab 2: Troubleshooting Autopilot

Exercise 1: Run MDMDiagnostic


Lab 1: Get ready for Autopilot on CLIENT3

During this lab, you will learn how to gather the information from the device that is needed to enroll it for
Autopilot.

Exercise 1: Create a Deployment Group


This exercise shows how to create a deployment group for Autopilot for all registered devices.

Create an Azure Active Directory dynamic group based on an imported value.

Open the Microsoft Endpoint Manager admin center.

Navigate to Groups and create a new group.

Create a new Azure Active Directory group

Select group type Security.

Give the group the name Enrollment profile Windows Autopilot Demo

Select Dynamic Device as Membership type.

Click on Add dynamic query, then use Edit to add the following query:

    (device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Click Ok and Save.

Click on Create to create the group.

This query matches all Autopilot registered devices. You can also extend the CSV with the
additional field GroupTag. With that you can create a dynamic device rule to select devices with
this tag. Use (device.devicePhysicalIds -eq "[OrderID]:<Value of Group Tag>") as query.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Configure Microsoft Intune Device Enrollment

This exercise shows how to prepare Intune for Autopilot.

Sign in to the Microsoft Endpoint Manager admin center

- Navigate to Devices > Windows enrollment and then click Deployment Profiles.

Create a deployment profile

- Delete all existing Autopilot deployment profiles.

- Click Create profile.

- Choose Windows PC.

- In step 1 (Basics) specify the profile name Windows Autopilot Demo 1

- Enable Convert all targeted Devices to Autopilot.

- Click Next.

- In step 2 (OOBE) choose User-Driven for the Deployment mode.

- For Join to Azure AD as, specify Azure AD joined.

- Hiding the Privacy Settings and EULA is recommended. Select Hide change account options. Set the user account type to Administrator. Deploy Region Settings at your choice.

- Apply the device name template MMWS%RAND:3%

- In step 3 (Assignments) assign the profile to the group Enrollment profile Windows Autopilot Demo.

- Click Next and Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Configure an Enrollment Status Page

This exercise shows how to prepare Intune for using the Enrollment Status Page.

Configure the Enrollment Status Page.

- Navigate to Devices > Windows > Windows enrollment > Enrollment Status Page.

- Select the Default profile.

- Click on All users and devices. In the new blade open the Properties and click on Settings.

- Enable Show app and profile installation progress.

- Configure the settings below.

- Click on Review + Save.

- Click Save.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Gather Hardware Information from a device

In this exercise, you will gather hardware information of an existing device to allow Windows Autopilot
enrollment.

Log on to Virtual Machine Client3

- Log on to Client3 with the local account Admin using Intune123!! as the password. Use the Hyper-V enhanced session.

Install-Script Get-WindowsAutopilotInfo

- Run PowerShell.exe as Administrator.

- Run this command to enable scripts:

```powershell
Set-ExecutionPolicy Bypass -Force
```

- Run this command and answer "Y" to any prompts:

```powershell
Install-Script Get-WindowsAutoPilotInfo
```

Gather hardware information via command Get-WindowsAutoPilotInfo.ps1

- Execute command:

```powershell
Get-WindowsAutoPilotInfo -Outputfile c:\client3.csv
```

- If you would like to upload the CSV file directly to the Intune tenant, execute Get-WindowsAutoPilotInfo -online. This eliminates the need to upload the hash manually, but installs additional components (AzureAD Module and GraphAPI) on the machine. You will also need to consent to Graph API permissions.

Copy Client3.csv to Hyper-V Host

- Copy Client3.csv to your host. You should have the enhanced session enabled, which allows you to copy.

- Copying is easy if Hyper-V Enhanced Session (RDP) is enabled.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.
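
The CSV gathered in this exercise, and the GroupTag column mentioned in Exercise 1, can be checked before the import. The following is an added example, not part of the lab or of Get-WindowsAutoPilotInfo: the function names and the sample row are constructed, and the column headers and the unquoted CSV layout are assumptions about what the script writes. It also shows a session-only execution policy change, since Set-ExecutionPolicy without -Scope changes the policy for the whole machine.

```powershell
# Added example, not part of the lab. Function names and sample data are constructed.

# Session-only alternative to the machine-wide "Set-ExecutionPolicy Bypass -Force":
# the Process scope is discarded when this PowerShell window closes.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Assumption: these are the column headers Get-WindowsAutoPilotInfo writes.
$RequiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    $missing = @($RequiredColumns | Where-Object { $columns -notcontains $_ })
    if ($missing.Count -gt 0) { throw "Missing column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) {
            $problems += 'serial number is empty'
        }
        $hashLength = 0
        try {
            # A hash damaged by copy/paste or a spreadsheet round trip fails to decode.
            $hashLength = [Convert]::FromBase64String($row.'Hardware Hash').Length
            if ($hashLength -eq 0) { $problems += 'hardware hash is empty' }
        } catch {
            $problems += 'hardware hash is not valid Base64'
        }
        [pscustomobject]@{
            SerialNumber = $row.'Device Serial Number'
            HashBytes    = $hashLength
            GroupTag     = $row.'Group Tag'      # $null when the column is absent
            Problems     = $problems -join '; '
            Valid        = ($problems.Count -eq 0)
        }
    }
}

function Add-AutopilotGroupTag {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$GroupTag,
        [Parameter(Mandatory)][string]$OutPath
    )
    if ($GroupTag -match '[",]') { throw 'Group tag must not contain commas or quotes.' }

    $lines = Import-Csv -LiteralPath $Path |
        Select-Object -Property $RequiredColumns |
        Select-Object -Property *, @{ Name = 'Group Tag'; Expression = { $GroupTag } } |
        ConvertTo-Csv -NoTypeInformation

    # Assumption: the import expects unquoted fields, so the quotes ConvertTo-Csv adds are removed.
    $lines -replace '"', '' | Set-Content -LiteralPath $OutPath -Encoding Ascii

    # Dynamic device rule for this tag, in the form given in Exercise 1.
    '(device.devicePhysicalIds -eq "[OrderID]:{0}")' -f $GroupTag
}

# Constructed sample standing in for c:\client3.csv (serial number and hash are made up).
$sample   = Join-Path $env:TEMP 'client3-sample.csv'
$tagged   = Join-Path $env:TEMP 'client3-tagged.csv'
$fakeHash = [Convert]::ToBase64String([byte[]](1..64))
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    "0000-CONSTRUCTED-0001,,$fakeHash"
) | Set-Content -LiteralPath $sample -Encoding Ascii

Test-AutopilotCsv -Path $sample | Format-List
$rule = Add-AutopilotGroupTag -Path $sample -GroupTag 'LabDemo' -OutPath $tagged
Test-AutopilotCsv -Path $tagged | Format-List
"Dynamic device rule: $rule"
```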


Exercise 5: Import device for Windows Autopilot

In this exercise, you will register the device for Windows Autopilot.

Import the device to Autopilot

- Navigate to Devices > Windows > Windows enrollment.

- Click on Devices.

- Add a new device by uploading the CSV.

- Choose Import.

- Then browse to the previously created CSV file and select it.

- Click Import.

- When your notification shows that the import was successful, verify that this is reflected in your group.

Observe the Autopilot profile assignment

- Observe the import. This can take some time.

- After the import has succeeded, manually sync with the Autopilot service.

- You will experience the Updating phase.

- DO NOT CONTINUE before your device is showing as Assigned in the Intune Portal. You may need to hit refresh to reflect the current status.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 6: Experience Windows Autopilot

In this exercise, you will run through the end user experience of Windows Autopilot.

Prepare the Client3 VM

- Apply the OOBE checkpoint which was created during machine creation. Do not create additional checkpoints.

- Start the Client3 VM.

Run through the Autopilot experience

- When the VM is booting up, it will check with the Autopilot service whether a profile is assigned. After the reboot the VM will show the Autopilot setup screen.

- You do not have to accept the EULA since this is an Autopilot setting.

- A customized sign-in screen will be presented showing the company branding.

- Type in the username, adelev@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName and then click Next.

- Type in your user's password Intune123!! and then click Next.

Preparation is running…

- The user's desktop is not accessible before the application of profiles and settings is complete. You may click on Show details to get more detailed information.

Device is ready to use

- Once the first logon tasks are completed, it may take a while longer for the configuration of the device to complete.

- In the Settings app, navigate to Accounts > Access work or school.

- You will see that the device is joined to Azure AD.

- Click on Connected to … followed by Info to see some settings applied by Intune.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 2: Troubleshooting Autopilot

During this lab, you will learn how to find logs and troubleshooting information regarding Autopilot.

Exercise 1: Run MDMDiagnostic

This exercise shows how to run the MDMDiagnosticsTool on an Autopilot device.

Connect to Client 3

- Open a Command Prompt with Administrative rights.

- Create a directory: md c:\temp

- Open a command line session, type MDMDiagnosticsTool.exe -area Autopilot -cab c:\temp\ap.cab and monitor the execution.

Navigate and review the output

- You will find the compressed archive of logfiles in the c:\Temp directory. Extract the cab file.

- These are some example files to review:

microsoft-windows-user device registration-admin.evtx. This event log contains admin information (and errors) regarding the device registration (status).

- You will see that Windows Hello provisioning is being disabled.

DeviceHash_xyz.csv. This CSV file contains the device hash information of the device.

- You might want to compare it with the Client3.csv created earlier.

MDMDiagReport.html. This is the same report that can be generated by using the settings panel and generating the Advanced Diagnostics Report. That report shows the applied configuration state of the device, including Policy CSP settings, certificates, configuration sources, and resource information.

- Full diagnostic report.

TpmHliInfo_Output.txt. This file contains information about the support of TPM 2.0 for the TPM of the device.

- Find information about the TPM Chipset.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 04 - Application Management

Introduction

During this lab, you will learn how to create and deploy applications.

Estimated Time

120 minutes

Objectives

At the end of this lab, you will be able to:

Deploy different applications, like Microsoft 365 Apps, Microsoft Edge

Create Win32 and MSIX packages

Troubleshoot and monitor app deployments

Logon Information

Use the following credentials to log in to the LOD environment.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!

Table of Contents

Lab 1: Create and deploy applications

Exercise 1: Create a Software Deployment Group

Exercise 2: Create and deploy a Microsoft 365 App

Exercise 3: Setup Microsoft Store for Business

Exercise 4: Create and deploy a mandatory Microsoft Store for Business app

Exercise 5: Remove Microsoft Store for Business app

Exercise 6: Create and deploy an optional public store app

Exercise 7: Create and deploy a MSI installer

Lab 2: Using Win32 App Converter

Exercise 1: Download and convert the application converter

Exercise 2: Create the application in Intune

Exercise 3: Install the application

Exercise 4: Review the Microsoft Intune Management Extension

Lab 3: Using the MSIX Packaging Tool

Exercise 1: Prepare the MSIX Packaging Tool

Exercise 2: Convert an application with the MSIX Packaging Tool

Exercise 3: Deploy the MSIX package

Lab 4: Troubleshooting Deployments

Exercise 1: Troubleshooting app deployment


Lab 1: Create and deploy applications

During this lab, you will learn how to create applications in Intune.

Exercise 1: Create a Software Deployment Group


This exercise shows how to create a group which will be used to assign the applications.

Create new group

- Sign in to http://endpoint.microsoft.com as admin@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName with a password of @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password.

- Navigate to Groups > All Groups.

- Click on New Group.

- Select group type Security. Enter the Group name IN-Software and use Assigned as membership type.

- Click on No members selected and add User adelev to this group.

- Choose Select and Create to create the group.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Create and deploy a Microsoft 365 App

This exercise shows how to create the Microsoft 365 Apps deployment.

Create a Microsoft 365 App deployment

- Navigate to Apps > Windows > Windows Apps and select Add.

- For the app type, select Windows 10 (under the Microsoft 365 Apps category).

- Continue the process by clicking on Select.

- Confirm the App Suite Information page and click Next to continue.

- Select the desired Microsoft 365 Apps on the Configure App Suite page.

- For other Labs we need at least Excel, OneDrive Desktop, Outlook, and Word.

- Select the Current Channel.

- Click Next to continue.

- Add the IN-Software group to the required assignment.

- Click Next to continue.

- Review the settings and click Create to finish the process.

- The app now has the status Assigned = YES.

Verify the app deployment

- Speed up deployment by forcing the policy sync.

- On any client open Windows Settings > Accounts > Access work or school. Click on the connected account.

- Click on Info > Sync.

- You may also use the Endpoint Manager admin center to trigger a remote sync.

- Verify the Microsoft 365 Apps deployment process with Task Manager.

- Search for the Microsoft 365 Apps to verify that the installation completed.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Setup Microsoft Store for Business

Link Microsoft Store for Business to Intune

- Navigate to Tenant Administration > Connectors and tokens > Microsoft Store for Business.

- Select Enable. Then click Save.

Setup Microsoft Store for Business

- Click on Open the Microsoft Store for Business.

- Sign into https://businessstore.microsoft.com using @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Username and @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password as the password.

Associate your Store for Business with Intune.

- In the Microsoft Store for Business, choose Manage > Settings > Distribute > Management tools.

- On the Management tools page, choose Activate for Microsoft Intune.

- An application named Microsoft Intune Enrollment may also show up. Do not activate this application. Leave the page open for the next exercise.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Create and deploy a mandatory Microsoft Store for Business app

This exercise shows how to create and deploy the Company Portal app.

Add Intune Company Portal app to the Business Store.

- In the upper right Search Store textbox search for Company Portal. Click on the app.

- Select Get the app.

- Accept the terms of the Microsoft Store for Business if asked.

- The app has now been added to your inventory. Click Close.

Add the Windows Camera app to the Microsoft Store for Business

- In the upper right Search Store textbox search for Windows Camera. Click on the app.

- Select Get the app.

- The app has now been added to your inventory. Click Close.

- This is a default Windows App which we would like to uninstall from our clients later.

Sync Microsoft Store for Business

- Go back to the Microsoft Endpoint Manager admin center and navigate to Tenant administration > Connectors and tokens > Microsoft Store for Business and click Sync to add new Microsoft Store for Business Apps to Intune.

- Syncing apps can take a few minutes.

- After completing the sync process the app will show under Apps > Windows > Windows apps.

- Select the Company Portal (Online) app. In the next blade select Properties.

- Scroll down to Assignments and click Edit.

- In the Required area click on Add group and add the IN-Software group.

- Click Select and Review + save to finish the process.

Verify the deployment

- Sync the Intune policies of Client1 and/or Client2 and verify the installation of the Company Portal app on your Windows 10 computer.

- You will find the Company Portal app in the start menu.

- Open the Company Portal and explore the features.

- You can now use the Sync this device right-click function of the Company Portal for future sync operations.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 5: Remove Microsoft Store for Business app

This exercise shows how to remove a preinstalled Windows store app.

- Verify that Windows Camera App exists on your Windows installation.

- In the Endpoint Manager portal select Apps > Windows Apps > Windows Camera.

- Select the Windows Camera app. In the next blade select Properties.

- Scroll down to Assignments and click Edit.

- Select Add all users and Add all devices for Uninstall.

- Review and save the settings.

- Sync the Intune policies of Client1 and/or Client2 and verify the removal of the Windows Camera app on your Windows 10 computer.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 6: Create and deploy an optional public store app



This exercise shows how to create and deploy the Power BI Desktop app from the public store.

Search the app store URL

- We need to identify the link to this app in the public Windows Store to create the app in Intune.

- Using the Edge browser go to the Windows Store and find the Power BI Desktop app with this URL: https://www.microsoft.com/en-us/store/apps/windows?icid=CNavAppsWindowsApps

- Search for Power BI desktop.

- Then type Power Bi Desktop App.

- Once the App is displayed, select and copy the URL to the clipboard.

Create the Power Bi Desktop App

- Navigate to Apps > Windows > Windows Apps and select Add. For the app type, select Microsoft store app (under Store App).

- Click Select to continue with the process.

- Add Name and Description to the Add App page in the Microsoft Endpoint Manager admin center.

- When editing the description you can use markdown language to enrich the description. Use the following example.

- Microsoft PowerBI Desktop Power BI Desktop puts visual analytics at your fingertips. With this powerful authoring tool, you can create interactive data visualizations and reports. Power BI Desktop privacy policy http://go.microsoft.com/fwlink/p/?LinkId=282053

- Click OK.

- Add Microsoft as the Publisher.

- Use the URL copied from your browser https://www.microsoft.com/en-us/p/power-bi-desktop/9ntxr16hnw1t (without ?activetab=pivot:overviewtab) for the store URL. You may select a category and configure the app as featured app in the portal. Then click OK.

- Add the Power BI logo to the app.

- A Power BI logo image can be found at C:\LAB_SOURCE\Labs\Application Deployment\PowerBIIcon.png.

- Click Next to continue.

- Select Add all users to the list of available assignments.

- A store app can only be assigned as Available for enrolled devices (not as required).

- Click Next and finally Create to finish the process.

- Verify that the app is shown in the app list as Microsoft Store App. You may need to refresh the list.

Verify the app assignment

- Sync your device and verify the existence of the Power BI Desktop app in your Company Portal app on your Windows 10 computer.

- Click on the app.

- Review Additional Information to find your description.

- View in Microsoft Store redirects you to the Microsoft store. Add the app.

- It is not necessary to register a Microsoft account to install public store apps. Select No, thanks for the Sign in request.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 7: Create and deploy a MSI installer

This exercise shows how to deploy a single file MSI installer. You will use an easy example, the
Configuration Support Center.

Create the MSI Installer package

- Navigate to Apps > Windows > Windows Apps and select Add.

- Select Line-of-business app as app type.

- Click Select to continue with the process.

- Click on Select app package file and browse the lab files for the supportcenterinstaller.msi in the MMWS host lab source directory C:\LAB_SOURCE\Labs\Application Deployment\MSI.

- Click Ok to continue.

- Configure the App information page according to this screenshot.

- Click Next to continue. Assign the app as required for all users.

- Click Next to continue and finally Create to finish the process.

- The upload will take some minutes.

Verify the app deployment process.

- On your clients use the Company Portal to Sync the settings.

- Shortly after the refresh you will see the installed software in the C:\Program Files (x86) directory.

- Also the Start menu is extended with the new apps.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 2: Using Win32 App Converter

During this lab, you will learn how to package and deploy a Win32 Application.

Exercise 1: Download and convert the application converter


This exercise shows the steps for downloading the application converter and converting an application to the intunewin format.

Prepare the application converter by using MMWS_HOST as the packaging machine.

Open the browser and download the App converter.

- Create the folder C:\Intune.

- Download the file IntuneWinAppUtil.exe from https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool and save the zip file.

- Extract the zip file and copy the IntuneWinAppUtil.exe tool to the C:\intune folder.

Copy sources to the relevant folders

- Create the folder C:\Intune\source.

- Copy the file 7z1900-x64.exe from the Lab source directory C:\LAB_SOURCE\Labs\Application Deployment to C:\Intune\source.

- Right-click on C:\Intune\Source\7z1900-x64.exe, select Properties and verify that the file is unblocked.

Open a PowerShell prompt and run the tool

- Create the folder C:\Intune\output.

- Open a PowerShell prompt as administrator by right-clicking on the Start button and selecting Windows PowerShell (Admin).

- You might unblock IntuneWinAppUtil.exe too.

- Type: Cd C:\Intune\source

- Type: Unblock-File .\IntuneWinAppUtil.exe

- Run: .\IntuneWinAppUtil

- When prompted, enter the details as per below:

Source Folder: C:\Intune\Source

Setup file: 7z1900-x64.exe

Output folder: C:\Intune\output

Do you want to specify catalog folder: N

- The tool will create the file C:\Intune\output\7z1900-x64.intunewin.

- The whole content of the source folder will be included in the package.

- Verify that the intunewin file exists in the output folder. It will be uploaded in the next exercise.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.
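
Because the whole content of the source folder ends up in the package, it is worth listing what is in it before running the tool. The following is an added example, not part of the lab or of the Win32 Content Prep Tool: the function name and the demo folder are constructed, and the demo files are dummies standing in for C:\Intune\source.

```powershell
# Added example, not part of the lab. Inventories a packaging source folder:
# hash, Mark of the Web, Authenticode status, and whether each file was expected.
function Get-PackageSourceInventory {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,
        [Parameter(Mandatory)][string]$SetupFile,
        [string[]]$ExpectedFiles = @($SetupFile)
    )
    $root = (Resolve-Path -LiteralPath $SourceFolder).ProviderPath

    Get-ChildItem -LiteralPath $root -File -Recurse -Force | ForEach-Object {
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')

        # The Zone.Identifier stream is what "Unblock" in the Properties dialog
        # and Unblock-File remove.
        $zone = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $signature = Get-AuthenticodeSignature -LiteralPath $_.FullName

        [pscustomobject]@{
            File      = $relative
            Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Blocked   = [bool]$zone
            Signature = $signature.Status
            Signer    = $signature.SignerCertificate.Subject
            Expected  = ($ExpectedFiles -contains $relative)
        }
    }
}

# Constructed demo folder (dummy contents, not a real installer).
$demo = Join-Path $env:TEMP 'intune-source-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$setup = Join-Path $demo '7z1900-x64.exe'
Set-Content -LiteralPath $setup -Value 'dummy installer bytes'
Set-Content -LiteralPath (Join-Path $demo 'notes-left-behind.txt') -Value 'stray file'
# Simulate a file downloaded from the Internet zone.
Set-Content -LiteralPath $setup -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

$inventory = @(Get-PackageSourceInventory -SourceFolder $demo -SetupFile '7z1900-x64.exe')
$inventory | Format-Table File, Blocked, Signature, Expected, Sha256 -AutoSize

$inventory | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "Unexpected file would be packaged: $($_.File)" }
$inventory | Where-Object { $_.Blocked } |
    ForEach-Object { Write-Warning "Still carries Mark of the Web: $($_.File)" }
```

Against the real source folder, a Signature value other than Valid on the installer is a reason to re-check where the file came from before packaging it.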


Exercise 2: Create the application in Intune

This exercise shows how to create a Win32 app.

 Open the Endpoint Manager admin center.

 Navigate to Apps > Windows > Windows Apps.

 In the toolbar, select Add App.

 Select Windows app (Win32).

 Click Select to continue.

https://labondemand.com/LabProfile/Instructions/85497 124/352
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

 Click on Select app package file and add the previously created intunewin file.

 Configure the App information settings according the following screenshot.

https://labondemand.com/LabProfile/Instructions/85497 125/352
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

 Scroll further down and add the app icon.

 You will find the logo in the lab source directory. T C:\LAB_SOURCE\Labs\Application
Deployment\7zip_icon.png

 Click Ok.

Click Next to continue.

https://labondemand.com/LabProfile/Instructions/85497 126/352
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

 Configure the following settings on the Program page.

 Enter the install command as: T 7z1900-x64.exe /S

 Capital S is important

 Enter uninstall command as: T C:\Program Files\7-zip\uninstall.exe

 Set the install behavior to System.

 Choose No specific action as the device restart behavior.

 Click Next to continue.

 Configure the following setting on the Requirements page.

https://labondemand.com/LabProfile/Instructions/85497 127/352
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

 Click Next to continue.

 Configure the following setting on the Detection rules page.

 Select Manually configure detection rules and click on Add.

 Add the rule type File and configure the following settings.

https://labondemand.com/LabProfile/Instructions/85497 128/352
12/4/2020 v2011: Managing Windows 10 Devices with Microsoft Intune and Autopilot

Path T C:\Program Files\7-zip

File or folder T 7z.exe

Detection method File or folder exists

 Click OK and Next to continue.

 Click Next on the Dependencies page.

Assign the Win32 app

 Assign the app as available for all enrolled devices.

 Click Next and finally Create to finish the process.


Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Install the application

This exercise shows how to install the Win32 application.

Sync your client from the Company Portal and install the app

 On your Client2 open the Company Portal and Sync the policies.

 Click on Apps and select 7-Zip and Install.

 You will notice the toast notification.


 Find 7-Zip File Manager in the start menu and open it.

Exercise 4: Review the Microsoft Intune Management Extension

This exercise introduces you to the Intune Management Extension.

 Some deployment types (such as Win32 apps and PowerShell scripts) rely on the Microsoft Intune Management Extension. The Intune Management Extension is installed automatically with the first Win32 app or PowerShell deployment.

 You will find the IntuneManagementExtension running as a Windows service.


 You can find the installation in C:\Program Files (x86)\Microsoft Intune Management Extension

 Logs will be written to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 3: Using the MSIX Packaging Tool

During this lab, you will learn how to create an MSIX app with the MSIX Packaging Tool.

Exercise 1: Prepare the MSIX Packaging Tool


This exercise shows how to install the MSIX Packaging Tool.

Prepare the MSIX Packaging Tool

 Use CLIENT1 as the packaging machine. Logon with the local "admin" user.

 We use CLIENT 1 since the MSIX Packaging tool might require a reboot during setup.

 Open the Windows 10 Store app and search for MSIX. You will find the MSIX Packaging Tool.

 Click on Get to install the tool.

Congratulations!


You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Convert an application with the MSIX Packaging Tool

This exercise shows how to convert an application with the MSIX Packaging Tool to the MSIX format.

Prepare for repackaging.

 Continue using CLIENT1 as the packaging machine. Logon with the local "admin" user.

 Create the directories c:\msix\source and c:\msix\install.

 Copy the source installer file npp.7.8.7.Installer.exe from C:\LAB_SOURCE\Labs\Application Deployment on MMWS_host lab source to the c:\msix\source directory.

 Copy the codesigning certificate MW10D-Codesign.pfx from C:\LAB_SOURCE\Labs\Certificates to the c:\msix\source directory.

Work through the repackaging process.

 Verify whether a reboot is pending. It is best to reboot now, since the MSIX Packaging Tool will check for a pending reboot and force you to do so later.

 Start the MSIX Packaging Tool from the Start Menu. Consent for the required administrative
permissions and Accept the Send diagnostics data prompt. Select Application package.

 Select Create package on this computer and click Next.

 You need to wait until the MSIX Packaging Tool driver is installed. Check the box for "Windows Search is active" to disable it.


 A reboot might be needed in some cases. If this is detected, press cancel, reboot and repeat the
process after the reboot.

 Click Next to continue.

 Browse to the installer file c:\msix\source\npp.7.8.7.Installer.exe.

 Click on Signing preference and choose Sign with certificate (.pfx).

 Browse for the code signing certificate in c:\msix\source. Provide the password Intune123!! for the PFX file.

 Leave the Time Stamp Server URL empty.


 Click Next to continue.

 Configure the MSIX package information.


 Click Next to continue.

 The packaging tool will start the application installation process. Work through this process with the
default settings.


 Leave the Run Notepad checkbox activated and click Finish. The app will start for the first time.

 If the app asks for an updated version click No to ignore it.

 Close the app and continue with the packaging tool.


 Click Next to continue.

 It is recommended to start each detected app so that the packaging tool can record additional
changes. In this case the app has already been started earlier.


 Click Next to continue.

 Select Yes, move on and Next to continue.


 Click Next to continue.

Configure c:\msix\install for the save location. Name your file accordingly.


 Click Create to continue.

 The package was created. Close the MSIX Packaging Tool.

 You will find the resulting MSIX installer package in the directory c:\msix\install.

 Copy the MSIX package to your MMWS_Host machine since we will import it to Intune in the next
step.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Deploy the MSIX package

This exercise shows how to deploy the MSIX package.

Deploy the trusted root certificate which signed the MSIX package

 Navigate to Devices > Windows > Configuration profiles and delete existing profiles.

 Click Create profile.

 Create a new profile for the platform Windows 10 and later with a type of Trusted certificate.


 Click Create to continue.

 Configure the Basics page according to the following screenshot and click Next to continue.

 Configure the Configuration settings page according to the following screenshot and click Next. You will find the trusted root certificate MW10D-Root.cer in the C:\Lab_SOURCE\Labs\Certificates directory.


 Assign the profile to the All devices group and click Next to continue.

 Click Next on the Applicability Rules page.

 Click Create on the final page.


Deploy the MSIX Package

 You already copied the MSIX file from the packaging machine to the MMWS_Host machine.

 Navigate to Apps > Windows > Windows apps and click Add. Select the Line-of-business app.


 Click Select to continue.

 Click Select app package file and add the previously created MSIX application file.


 Configure the App information page according to the following screenshot and click Next to continue.

 You will find the app image in the lab source directory: C:\LAB_SOURCE\Labs\Application Deployment\Notepad++Icon.png

 Assign the app as available for all enrolled devices and click Next to continue.


 Click Create on the final page.


 The status messages are tracking the progress.


Verify the deployment

 Sync your device (CLIENT2 or CLIENT3) and verify with certlm.msc that the trusted root certificate
was delivered to the machine.

 Open the Company Portal and verify the existence of the repackaged MSIX app.

 Click the app icon to start the installation process.


 Start the app from the Start menu.

 Use Task Manager to explore the app characteristics. Select Open file location.


 Notice the installation path.

Congratulations!

You have successfully completed this Exercise. Click Next to advance to the next Exercise.


Lab 4: Troubleshooting Deployments

During this lab, you will learn how to troubleshoot deployments.

Exercise 1: Troubleshooting app deployment


This exercise shows how to troubleshoot an application deployment.

Locate the Troubleshooting + support blade

 Open the Microsoft Endpoint Manager admin center and click on Troubleshooting + support.

Select the user for troubleshooting

 Click Select to select a user to troubleshoot. The Select user pane will be displayed. Select your
user.


 Get an overview about Devices and Client apps and more.

Select the device

 Select the device that you want to troubleshoot from the Devices list.


Select the App

 Select Managed Apps from selected device pane. A list of managed apps is displayed.

 Select an app from the list, e.g. the Configuration Manager Support Center app.

 The app creation and deployment history is documented there.


Win32 app installation troubleshooting (only if app fails)

 Select the Win32 app that was deployed using the Intune management extension (this was 7-Zip
in our case).

 There is a little more troubleshooting possible as we can collect logs from the device.

 The app deployment must have an installation status of failed to be able to collect logs. It is
possible to deploy an app1 with the intent to fail and collect logs for app2 since there is no
restriction for the files that are collected from the device.

 Refer to https://docs.microsoft.com/en-us/intune/troubleshoot-app-install#app-troubleshooting-details for the process.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 05 - Profile Management

Introduction

During this lab, you will learn how to configure and monitor Intune configuration profiles and PowerShell scripts.

Estimated Time

120 minutes

Objectives

At the end of this lab, you will be able to:

Create Device Restriction Profiles

Create Custom Configuration Profiles

Monitor Configuration Profiles

Deploy and monitor PowerShell Scripts

Logon Information

Use the following credentials to log in to the Lab on Demand virtual environment on MMWS_Host.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Lab 1: Device Configuration Profiles

Exercise 1: Allow Company Store only

Exercise 2: Configure Cloud and Storage Settings

Exercise 3: Configure Edge Chromium settings

Exercise 4: Configure OneDrive for Business settings

Exercise 5: Create an E-mail profile

Exercise 6: Enable Reset Password Option

Exercise 7: Add AAD account to local group

Exercise 8: Review Group Policy Analytics

Exercise 9: Monitor the assigned configuration profiles

Lab 2: PowerShell Scripts

Exercise 1: Create PowerShell script


Lab 1: Device Configuration Profiles

During this lab, you will learn how to create and monitor several device configuration profiles.

Exercise 1: Allow Company Store only


In this exercise, you will configure the Windows Store to only show the Windows Store for Business.

Create a group to deploy the profiles.

 Open the browser and navigate to https://endpoint.microsoft.com

 Navigate to Groups and select New Group.

 Create a Security group named IN-Win10-ConfigProfiles with Membership type Assigned, for the purpose of deploying the policy settings. Click No members selected, select adelev, then click Select and Create.

Create a profile for the Windows Store Settings

 Select the Devices node, click on the Windows platform, Configuration profiles and select Create
profile.


 Choose Windows 10 and later as the Platform, choose Device restrictions as Profile type and click
Create.

 In step 1, enter Allow Company Store only as the Name.


 Click Next.

 Select the category App Store and set Use private store only to Allow.

 Click Next.

Assign the profile


 On Assignments click Select groups to include and search for the group IN-Win10-ConfigProfiles.

 Click Select and Next.

 Do not create any Applicability Rules.

 Click Next and Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Configure Cloud and Storage Settings

In this exercise, you will configure Windows to block the use of personal accounts.

Create a Profile for Cloud and Storage Settings

 Select the Devices node, click on the Windows platform, Configuration profiles and select Create
profile.

 Choose Windows 10 and later as the Platform, choose Device restrictions as profile type and click
Create.


 In Step 1, enter Block Personal Accounts as the Name.

 In Step 2 select the category Cloud and Storage and configure the following settings:

 Click Next.

 In Step 3 Assignments click Select groups to include, search and select IN-Win10-ConfigProfiles.


 Click Next.

 Do not create any Applicability Rule.

 Click Next and Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Configure Edge Chromium settings

In this exercise you will configure the default homepage for the Edge Chromium browser with the
Administrative Template feature.

Create a Profile for Edge Chromium Browser Settings

 Select the Devices node, click on the Windows platform, Configuration profiles and select Create
profile.

 Choose Windows 10 and later as the Platform, choose Administrative Templates as profile type.

 In Step 1 enter Edge Chromium Settings in the Name field.

 Click Next.

Configure homepage and home button settings


 In the Computer Configuration folder search for home page and select the marked line.

 Configure the setting to Enabled and enter the homepage URL.

 Search for home button and select the marked line.


 Configure the setting to Enabled.

Configure favorites settings

 Switch to the All settings area, search for favorites bar and select the marked line.

 Device and user settings are displayed together and can be identified in the Settings type
column.


 Configure the setting to Enabled.

 Click Next to continue.

 Do not configure Scope tags. Click Next.

 On the Assignments page assign the profile to the group IN-Win10-ConfigProfiles.

 Click Next and Create to get back to the profile main page.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Configure OneDrive for Business settings

In this exercise you will configure OneDrive for business settings with the Administrative Template
feature.

Create a profile for OneDrive for Business settings

 Select the Devices node, click on the Windows platform, Configuration profiles and select Create
profile.

 Choose Windows 10 and later as the Platform, choose Administrative Templates as profile type.

 In Step 1 enter OneDrive for Business Settings as Name.

 Click Next.

Configure OneDrive for Business settings

 In the All Settings folder search for silent and configure the highlighted line for the Device settings type.


 Configure the setting Silently sign in users to the OneDrive sync client with their Windows credentials according to this screenshot.

 Click Next.

 Do not assign any scope tags.

Assign the OneDrive for Business profile


 Switch to Assignments and assign the profile to the group IN-Win10-ConfigProfiles.

 Click Next and Create.

 The setting Silently move Windows known folders to OneDrive (aka known folder move) is
also a very interesting feature. But it interferes with the Endpoint DLP lab later.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 5: Create an E-mail profile

In this exercise, you will configure the settings for your Windows 10 Mail App.

Create an E-mail profile

 Select the Devices node, click on the Windows platform, Configuration profiles and select
Create profile.

 Choose Windows 10 and later as Platform, choose Email for the profile type.

 Click Create.

 Enter O365 Mail Profile as Name.

 Enter the following information:

 Email server: outlook.office365.com

 Account name: O365MailProfile


 Click Next.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles and select it.

 Do not create any Applicability rules.

 Click Next and Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 6: Enable Reset Password Option

This exercise shows how to enable the reset password option on the Windows logon screen with a
custom profile through the Policy CSP.

Create a custom profile using the Policy CSP. Find the relevant settings
in the documentation.

 The Policy CSP is documented on this site: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

 Note the generally available OMA-URI paths on the page, which we need later in this exercise.

 Scroll down or search for Authentication policies and click on Authentication/AllowAadPasswordReset.

 The following page will open: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-authentication#authentication-allowaadpasswordreset where we will find the information on how to build the custom setting.


To complete the required settings, follow these steps:

 Find the setting needed for allowing the password reset option.

The documentation lists two supported values, 0 for not allowed and 1 for allowed. We will use the integer value 1.

 Find the complete OMA-URI path:

As stated in the documentation, the supported scope is Device and the last part of the URI is Authentication/AllowAadPasswordReset.

The Policy CSP documentation we looked at earlier gives the general form of the complete path:

./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName

So, for our example, the complete OMA-URI is:

./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset

 The OMA-URI is case sensitive!

Use the Microsoft Endpoint Manager admin center.


 Select the Devices node, click on the Windows platform, Configuration profiles and select
Create profile.

 Choose Windows 10 and later as Platform, choose Custom as Profile type.

 Click Create.

 In step 1 use Enable reset password option as Name.

 Click Next.

 On the custom OMA-URI Settings click Add.

 Add the following information:

 The OMA-URI is case sensitive.

Name         Configuration
Name         Enable AAD Password Reset
OMA-URI      ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data type    Integer
Value        1


 Click Save.

 Click Next.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles.

 Click Next.

 Do not create an Applicability rule.

 Click Create.
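
An added example, not part of the lab guide: once the profile has synced to a client, this PowerShell parses a device-scope Policy CSP OMA-URI case-sensitively and checks the value the MDM client recorded under the PolicyManager registry key. The function names are hypothetical, and the registry lookup is this example's assumption about where to verify the result.

```powershell
# Added example: resolve a device-scope Policy CSP OMA-URI and check the value on the client.
# Function names are hypothetical. The PolicyManager key is where the Windows MDM client
# records applied Policy CSP values for device scope.

function ConvertFrom-PolicyOmaUri {
    param([Parameter(Mandatory)][string]$OmaUri)

    $pattern = '^\./(?<Scope>Device|User)/Vendor/MSFT/Policy/Config/(?<Area>[^/]+)/(?<Policy>[^/]+)$'

    # -cmatch compares case-sensitively, mirroring the lab's warning about the OMA-URI.
    if ($OmaUri -cmatch $pattern) {
        return [pscustomobject]@{
            Scope  = $Matches['Scope']
            Area   = $Matches['Area']
            Policy = $Matches['Policy']
        }
    }
    # Same structure but different letter case: report it as a casing mistake.
    if ($OmaUri -imatch $pattern) {
        throw "OMA-URI has the right structure but the wrong letter case: $OmaUri"
    }
    throw "Not a Policy CSP Config path: $OmaUri"
}

function Test-DevicePolicyApplied {
    param(
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][int]$ExpectedValue
    )

    $policy = ConvertFrom-PolicyOmaUri -OmaUri $OmaUri
    if ($policy.Scope -cne 'Device') {
        throw "This example only resolves device-scope policies: $OmaUri"
    }

    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$($policy.Area)"
    $name = $policy.Policy
    # A missing key or value yields no object instead of an error.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    $actual = $null
    if ($item) { $actual = $item.$name }

    [pscustomobject]@{
        OmaUri      = $OmaUri
        RegistryKey = $key
        ValueName   = $name
        Actual      = $actual
        Expected    = $ExpectedValue
        Compliant   = ($null -ne $actual) -and ([int]$actual -eq $ExpectedValue)
    }
}

# The setting configured in this exercise.
Test-DevicePolicyApplied `
    -OmaUri './Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset' `
    -ExpectedValue 1

# Constructed negative case: "device" in lower case is rejected before any lookup.
try {
    ConvertFrom-PolicyOmaUri -OmaUri './device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
} catch {
    Write-Warning $_.Exception.Message
}
```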

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 7: Add AAD account to local group

This exercise shows how to modify the local group membership with the
LocalUsersAndGroups/Configure profile through the Policy CSP.

Create a custom profile using the Policy CSP. Find the relevant settings
in the documentation.

 The Policy CSP is documented on this site: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#localusersandgroups-configure

 Note the XML Syntax and OMA-URI String.

Prepare the local group membership

 Logon to Client2 or Client3.

 Start lusrmgr.msc

 Open the properties of the Remote Desktop Users group.

 Add the following users to the group.

 We will see the reason for this later. But you may think or discuss now what might happen.


Create the profile

 Use the Microsoft Endpoint Manager admin center.

 Select the Devices node, click on the Windows platform, Configuration profiles and select
Create profile.

 Choose Windows 10 and later as Platform, choose Custom as Profile type.

 Click Create.

 In step 1 use Add User to Remote Desktop Users as Name.

 Click Next.

 On the custom OMA-URI Settings click Add.


 Add the following information:

 The OMA-URI is case sensitive. You may need to change the member name.

Profile Settings

Setting        Configuration
Name           LocalUsersAndGroups – ConfigureGroupMembership
Description    empty
OMA-URI        ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Value          settings of type String

 <GroupConfiguration>
<accessgroup desc = "Remote Desktop Users">
<group action = "U" />
<add member = "AzureAD\adelev@@lab.CloudCredential(SSGM3653sharpStakeholder
<remove member = "Guest" />
</accessgroup>
</GroupConfiguration>


 Click Save.

 Click Next.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles.

 Click Next.

 Do not create an Applicability rule.

 Click Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 8: Review Group Policy Analytics

This exercise shows how to monitor and check the applied configuration profiles

Upload a Group policy xml.

 Connect to the Endpoint Manager admin center.

 Navigate to Devices > Group Policy analytics and click on Import

 Import the gpreport.xml from C:\LAB_SOURCE\Labs\Profiles\gpreport.xml

 After the import you will see an overview of the settings and their migration readiness.


 You can sort by any column to get an idea of which Intune configuration type may best fit the GPO setting.


Exercise 9: Monitor the assigned configuration profiles

This exercise shows how to monitor and check the applied configuration profiles

Check if the Settings got applied to the client.

 Connect to Client2.

 Sync the settings with the Company Portal app or with the settings app.

Check the Windows Store setting.

 Open the Windows Store. You should only see the company store with the configured name (in this case FourthCoffee).

Check adding personal accounts settings

 Go to Start > Settings > Accounts > Email & accounts -- click Add an account.

 Select Outlook.com. You should see an error message.


Check the Microsoft Edge browser settings

 Start the Microsoft Edge app and open the settings page edge://settings/profiles

 Verify the briefcase symbol that shows the browser is in a managed state.

 Search for home in the search settings box. Note the settings enforced by the Administrative template.


Check the OneDrive for Business settings.

 Sign out and Sign in again to the PC to activate the OneDrive for Business settings. After a little
while, you will see the following toast notification during the settings activation.

 It can take an additional Sign out/Sign in process if the OneDrive setup phase was not
completed.

 Check the OneDrive explorer view.


 Open the OneDrive settings with a right mouse click on the Cloud symbol in the Windows 10
notification area.

 Verify that the account is configured as displayed in the following screen shot.


Check your Windows Mail Profile.

 Open the Windows Mail app. It should open preconfigured with your Azure user account.

You may need to enter your password the first time. The mail profile is now configured.

Check if the password reset option is enabled.

 In your Virtual Machine Connection Window click on Action - Ctrl+Alt+Delete


 It may be the case that "Ctrl+Alt+Delete" is greyed out. Then you are in the Enhanced Session
Mode. Switch to the Basic Mode to check the password option.

 Lock your screen.

 You should now see the Reset password option.

 This is just to show the client-side settings. We have not enabled the necessary backend feature
in Azure.

 Switch back to the Enhanced Mode.

Verify the membership of the local group Remote Desktop users



 Open lusrmgr.msc from the run command.

 Analyze the members of the Remote Desktop Users group.

 Adelev was added since requested in the configuration.

 Guest was removed since requested in the configuration.

 WDAGUtilityAccount was not touched since it is not referenced in the configuration.

 The built-in Administrator is protected and cannot be modified.

 The Device Management event log shows valuable information about the group membership
operation. Go to Applications and Services Logs > Microsoft > Windows >
DeviceManagement-Enterprise-Diagnostics-Provider.
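
The same verification can be scripted. This is an added example, not part of the lab files; it assumes an elevated PowerShell session on the client, and the event filter pattern is an assumption about what the event messages contain.

```powershell
# Added example: check the Remote Desktop Users membership and pull the related MDM events.
function Get-GroupMemberName {
    param([string]$Group = 'Remote Desktop Users')
    try {
        # Preferred path: the LocalAccounts module.
        Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object { $_.Name }
    }
    catch {
        # Get-LocalGroupMember can fail on Azure AD joined devices when a member
        # cannot be resolved. Fall back to the ADSI WinNT provider in that case.
        $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        foreach ($member in $adsiGroup.Invoke('Members')) {
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            $path -replace '^WinNT://', ''
        }
    }
}

function Test-ExpectedMembership {
    param(
        [string[]]$Members,
        # Account name -> should it be a member? Values taken from the lab text.
        [hashtable]$Expected = @{ 'adelev' = $true; 'Guest' = $false }
    )
    foreach ($account in $Expected.Keys) {
        # Match 'CLIENT2\Guest', 'AzureAD\AdeleV' or 'AzureAD/AdeleV' (case-insensitive).
        $regex = '(^|[\\/])' + [regex]::Escape($account) + '$'
        $present = [bool]($Members | Where-Object { $_ -match $regex })
        [pscustomobject]@{
            Account       = $account
            ShouldBeThere = $Expected[$account]
            IsThere       = $present
            Ok            = ($present -eq $Expected[$account])
        }
    }
}

function Get-MdmGroupEvent {
    param(
        [string]$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
        [int]$Hours = 24,
        # Assumption: events about the group operation mention one of these strings.
        [string]$Pattern = 'Remote Desktop Users|LocalUsersAndGroups|RestrictedGroups'
    )
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$members = @(Get-GroupMemberName)
$members
Test-ExpectedMembership -Members $members | Format-Table -AutoSize
Get-MdmGroupEvent | Format-List
```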


Create Advanced Diagnostics Report

 Go to Start > Settings > Accounts > Access work or school -- click Info on your account.

 Scroll down to Advanced Diagnostic Report and Create Report and Export.

 Go to C:\Users\Public\Public Documents\MDMDiagnostics and open the report MDMDiagReport.html.

 Look for AllowMicrosoftAccountConnection. It was configured to the value 0.

 Optional: Find your other configured settings


Generate management log files for opening a ticket within Feedback Hub

 Go to Start > Settings > Accounts > Access work or school -- click Export your management
log files > Export management log files.

 Click on Export

 The Feedback Hub will open to create a feedback item.


 Cancel Feedback Hub.

 You will find a compressed archive with the troubleshooting logs in
C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.cab.

Check the registry

 Open regedit.

 Go to HKLM\SOFTWARE\Microsoft\PolicyManager\Providers.

 Refer to your personal GUID from the report.

 Select the GUID shown in the MDMDiagReport.html on the previous screen, in this example
879ABBFD-74EE-4597-900A-CF1D89A62E03.

 The complete key: HKLM\SOFTWARE\Microsoft\PolicyManager\Providers\879ABBFD-74EE-4597-900A-CF1D89A62E03\default\device and User SID

 Check your Settings:
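
The registry walk above can also be done from PowerShell. This is an added example, not part of the lab files; it assumes an elevated session on an MDM-enrolled client and only reads below the PolicyManager\Providers key named above.

```powershell
# Added example: list what each MDM provider wrote below PolicyManager\Providers.
# Read-only; nothing is modified.
function Get-MdmProviderPolicy {
    param(
        [string]$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers',
        # Wildcard filter on the setting name, e.g. 'AllowMicrosoftAccountConnection'
        [string]$SettingName = '*'
    )

    if (-not (Test-Path -LiteralPath $ProvidersKey)) {
        Write-Warning "Key not found: $ProvidersKey. The device is probably not MDM enrolled."
        return
    }

    foreach ($provider in Get-ChildItem -LiteralPath $ProvidersKey) {
        $defaultKey = "$($provider.PSPath)\default"
        if (-not (Test-Path -LiteralPath $defaultKey)) { continue }

        # Scopes below 'default': 'device' plus one key per user SID.
        foreach ($scope in Get-ChildItem -LiteralPath $defaultKey) {
            # Below each scope the settings are grouped by policy area.
            foreach ($area in Get-ChildItem -LiteralPath $scope.PSPath) {
                foreach ($name in $area.GetValueNames()) {
                    if ($name -notlike $SettingName) { continue }
                    [pscustomobject]@{
                        Provider = $provider.PSChildName
                        Scope    = $scope.PSChildName
                        Area     = $area.PSChildName
                        Setting  = $name
                        Value    = $area.GetValue($name)
                    }
                }
            }
        }
    }
}

# The setting the lab looks up in MDMDiagReport.html
Get-MdmProviderPolicy -SettingName 'AllowMicrosoftAccountConnection' | Format-Table -AutoSize

# Everything delivered in device scope, sorted by provider GUID
Get-MdmProviderPolicy |
    Where-Object Scope -eq 'device' |
    Sort-Object Provider, Area, Setting |
    Format-Table -AutoSize
```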


Monitor your Profile Assignment Status in Intune

 This can take up to 30 minutes to see the first status information.

 Open the Endpoint Management console

 Click Devices > Monitor > Assignment status to get a quick overview about all success, pending
and error counts

 Click on one specific configuration profile, for example Allow Company Store only, to view the
profile deployment details.


 The device status shows an overview table of the deployment.

 On every status screen you can Export your view to a csv file.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 2: PowerShell Scripts

Exercise 1: Create PowerShell script


This exercise shows how to create and assign a PowerShell script.

 PowerShell scripts are not officially supported on Workplace join (WPJ) devices, but they can be
deployed to WPJ devices. Specifically, device context PowerShell scripts work on WPJ devices, while
user context PowerShell scripts are ignored by design and are not reported to the Microsoft
Endpoint Manager console.

Upload the PowerShell script to Intune

 Open the Endpoint Manager admin center.

 Select the Devices node, click on the Windows platform, PowerShell scripts and select Add.

 Configure Remove Appx Sample as the Name for the script.


 Click Next to continue.

 Upload the PowerShell script Remove-Appx.ps1 from the labfiles directory and configure the
settings according to this screenshot.

 Click Next to continue.

 Add the group IN-WIN10-ConfigProfiles to the Selected groups.


 Click Next to continue and finally Add to complete the process.

Verify script execution

 Log on to any CLIENT (PowerShell execution is now also supported for Azure AD registered devices).

 Open Start menu and check the apps Sticky Notes, Remote Desktop, Photos or Calculator (they
will vanish later).

 Sync the settings.

 You can also restart this service to speed up the PowerShell script execution.

 The management extension writes log files in the
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs directory.


 The Photos app will be deleted by the PowerShell script. Check the Start menu. Other apps like
Sticky Notes, Calculator and Remote Desktop, which may not be pinned to the Start menu, will
also be deleted.

 Open Windows Explorer and switch to the %temp% directory. You will find the output file
remove-appx.log after running the script:

The environment variables of the running PowerShell security context are documented in this file.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 06 - Enterprise Data Control

Introduction

During this lab, you will learn how to control access to company resources.

Estimated Time

90 minutes

Objectives

At the end of this lab, you will be able to:

Configure compliance policy to classify the device compliance

Configure conditional access policy to protect cloud resources

Configure and apply Endpoint Data Loss Prevention

Logon Information

Use the following credentials to login into the Lab on Demand Virtual environment on MMWS_Host

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Lab1: Configure Conditional Access

Exercise 1: Verify modern authentication settings of the tenant

Exercise 2: Verify general compliance settings in the tenant

Exercise 3: Create Compliance notification templates

Exercise 4: Create and deploy compliance policy

Exercise 5: Verify the result of the compliance policy

Exercise 6: Create and assign the conditional access policy

Exercise 7: Proof access to Exchange Online with a browser session

Exercise 8: Set the device in a compliant state

Lab2: Configure Endpoint Data Loss Prevention

Exercise 1: Onboard devices to the Endpoint DLP environment

Exercise 2: Configure the Endpoint DLP settings and policy

Exercise 3: Proof the Endpoint DLP policy application


Lab 1: Configure conditional access

During this lab, you will learn how to configure the prerequisites and settings for conditional access.

Exercise 1: Verify modern authentication settings of the tenant

This exercise shows how to verify the modern authentication settings of the tenant.

Verify modern auth settings.

 For tenants created before August 1, 2017, modern authentication is turned off by default for
Exchange Online and Skype for Business Online.

 Open PowerShell ISE and run the following commands. Use your tenant global admin user
@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Username and
@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password as the password. Add the
following lines:

PowerShell

Set-ExecutionPolicy Unrestricted -Scope Process
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUr
Import-PSSession $Session
Get-OrganizationConfig | Format-Table -Auto Name,OAuth2ClientProfileEnabled

 Provide your tenant admin credentials in the PS Credential prompt:

 This is the expected output.


 If the setting reports False, change it to True with this command.

PowerShell

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Verify general compliance settings in the tenant

This exercise shows how to verify the general compliance settings of your tenant.

Define how a device without compliance policy is handled.

 Navigate to Endpoint Security > Device compliance > Compliance policy settings.

 Configure the setting Mark devices with no compliance policy assigned as to Not compliant.


 Save the settings.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Create Compliance notification templates

This exercise shows how to create a compliance notification template in your tenant.

Define a user notification template

 Navigate to Devices > Compliance policies > Notifications and select + Create notification to
create a new notification.

 Create a message template:

Name: Standard Template

 Click Next to continue.

 Configure the message template according to the following settings.

Subject: ACTION REQUIRED: Your device found Not Compliant with the Company Policy


Message: Please check in the Intune Company Portal for the issue and remediate as soon as
possible

 Select Next and Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Create and deploy compliance policy

This exercise shows how to create and deploy a compliance policy.

Create Azure Active Directory group

 Navigate to Groups > All groups, click New group.

 Create a Security group named IN-ConditionalAccess with membership type Assigned. The
purpose of this group is deploying the compliance and conditional access policy. Assign adelev
to this group.


 Click Create.

Create and assign the device compliance policy

 Navigate to Endpoint security > Device compliance > Policies and create a policy object.


 Select Windows 10 and later as platform.

 Click Create.

 Configure the policy with the following name and setting:

Name: Windows 10 Compliance Policy

 Click Next.

 Click Device Properties, enter 10.0.19042.999 as Minimum OS version.


 The idea is to set the device to a non-compliant state. Adjust the Windows 10 version number
according to the actual release numbers.

 Click Next.

 In Step 3 Actions for noncompliance add Send email to end user.

 On the Message template, select the Standard Template you have created earlier.

 Assign the compliance policy to the group IN-ConditionalAccess and save the assignment.


 Click Next.

 Click Create.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 5: Verify the result of the compliance policy

This exercise shows how to verify the result of the compliance policy locally and with the Azure portal.

Verify compliance state

 Sync the device policies using the settings app or with the Company Portal app on Client2.

 Run the Company portal app. The device will show Can't access company resources.

 The reason for the noncompliant state is documented in the Company Portal app.


 The device reports its state back to Intune. Verify the state in the Microsoft Endpoint Manager
admin center at the compliance policy Device status.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 6: Create and assign the conditional access policy

This exercise shows how to create and assign the conditional access policy based on the device
compliance state. In this scenario, we will block access to Email when the device is not compliant.

Create a basic conditional access policy for Exchange Online access

 Navigate to Devices > Conditional access > Policies, click New policy.

 Ensure that already existing compliance policies are turned off.

 Name the policy CA Policy1


 Select Users and groups and include the group IN-ConditionalAccess.


 Click on Exclude.

 It is a best practice to exclude critical directory roles to prevent lock outs.

 Click on Directory Roles and exclude users with the Global administrator role.


 Select Cloud apps or actions and select the app Office 365.


 Select Conditions > Device platforms. Configure Yes and Enable the Windows platform.


 Click Done.

 Select Conditions > Client apps.

 Configure: Yes, and accept the default settings.


 Click Done.

 Under Access controls select Grant. Configure Require device to be marked as compliant.

 Click Select.

 Finally, Enable the policy.


 Choose Create.
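
The policy built in the portal above can also be expressed through Microsoft Graph, which makes the settings reviewable as code. This is an added example, not part of the lab files; it assumes the Microsoft.Graph PowerShell SDK is installed, that the admin can consent to the listed scopes, and that 'all' stands in for the portal's default client app selection.

```powershell
# Added example: the lab's "CA Policy1" as a Microsoft Graph conditionalAccessPolicy,
# followed by an audit for enabled policies that lack the Global administrator exclusion.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Well-known role template ID of the Global Administrator directory role.
$globalAdminRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function New-LabCompliancePolicyBody {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        # 'enabled' mirrors the lab. 'enabledForReportingButNotEnforced' evaluates the
        # policy and logs the result without blocking any sign-in.
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabled'
    )
    @{
        displayName   = 'CA Policy1'
        state         = $State
        conditions    = @{
            users          = @{
                includeGroups = @($GroupId)
                excludeRoles  = @($globalAdminRoleTemplateId)   # lock-out protection
            }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('all')   # assumption: stands in for the portal defaults
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')
        }
    }
}

function Get-PolicyWithoutAdminExclusion {
    # Enabled policies that would also apply to Global administrators.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object {
            $_.State -eq 'enabled' -and
            $_.Conditions.Users.ExcludeRoles -notcontains $globalAdminRoleTemplateId
        } |
        Select-Object DisplayName, Id, State
}

# Resolve the group created in Exercise 4 and refuse to continue on an ambiguous match.
$group = @(Get-MgGroup -Filter "displayName eq 'IN-ConditionalAccess'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named IN-ConditionalAccess, found $($group.Count)."
}

$body    = New-LabCompliancePolicyBody -GroupId $group[0].Id
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"

# Review what is enforced tenant-wide after the change.
Get-PolicyWithoutAdminExclusion | Format-Table -AutoSize
```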

Congratulations!


You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 7: Proof access to Exchange Online with a browser session

This exercise shows how to verify the effect of the conditional access policy.

Try to access the Office portal

 Log on to any Windows 10 machine. It makes no difference if you use the AAD joined or the BYOD
(Work or school account) machine.

 Open a browser and open http://portal.office.com. The Conditional Access policy will block
access since your device is not compliant.

Congratulations!


You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 8: Set the device in a compliant state

This exercise shows how to set the device back in a compliant state.

 Open the Microsoft Endpoint Manager admin center.

 Get to Devices > Compliance Policies > Policies and select the Windows 10 Compliance Policy.

 Click Properties.

 In Compliance settings click on Edit.

 Open Device Properties and revert the configuration to a lower OS Version number. Type
10.0.19042.0.

 Click Review + Save.

 Click Save.

Update the policies on the Windows 10 machines and verify access to Exchange Online with the browser session


 Log on to the AAD joined Windows 10 machine (CLIENT2).

 Sync the device policies using the settings app or the Company Portal. In the Company Portal
click on your device and Check access.

 Wait until your device is showing the status Can access Contoso resources.

 Open a browser to http://portal.office.com. Access is possible again.

 Also, open your Mailbox with Outlook for the web or the Outlook app and check access to your
emails.

 You should also find your noncompliance notification email.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Lab 2: Configure Endpoint Data Loss Prevention

Exercise 1: Onboard devices to the Endpoint DLP environment

This exercise shows how to onboard your Windows devices to the Endpoint DLP environment. This
feature is only supported on AAD joined or Hybrid AAD joined devices. So you have to use CLIENT2
or CLIENT3 to see the client experience.

Extend users licenses

 Navigate to the Azure AD portal http://aad.portal.azure.com/. Navigate to Users and select your
test user Adelev. Open the licenses area and activate all services in the Microsoft 365 E5
Compliance product.

Prepare for the initial steps

 Open the Microsoft 365 admin center http://admin.microsoft.com.

 Click Show all and navigate to Compliance.


 Click on Settings to continue the process.


 Click on Device onboarding.

 Click on Turn on device onboarding.


 Accept the following message with OK.

 If there were devices already onboarded to Defender for Endpoint it is not necessary to onboard
them for Endpoint DLP again.

 Close the final message.


 The activation will take some minutes. Refresh the browser window to see if the process has completed.
This device list will populate later with the onboarded devices.

Onboard the devices to the Endpoint DLP environment with Intune

 Navigate to the onboarding window. Select the Mobile Device Management / Microsoft Intune
onboarding option.


 Download the onboarding package. Open the downloaded ZIP file and copy the onboarding file
named DeviceCompliance.onboarding to your desktop.

 Switch to the Endpoint Manager admin center http://endpoint.microsoft.com and navigate to
Endpoint security. Create a new policy.


 Select the platform Windows 10 and later. The second option is valid for Configuration Manager
agents which are integrated by the Tenant attach feature.

 Choose the only option Endpoint detection and response (MDM) and click Create.


 Name the profile Endpoint DLP Onboarding and click Next.

 Configure the settings according to the following screenshot and click Next to continue. Do not
assign any Scope tags.


 Assign the profile to All devices.

 Click Next and Create to finish the process.

 Sync your clients and wait until they appear in the devices list in the Microsoft 365 compliance center.
This may take some time. You can continue with the next steps. Please check back from time to
time to see if the devices are listed.


Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Configure the Endpoint DLP settings and policy

This exercise shows how to create and deploy the Endpoint DLP policy. You will configure the restriction
and runtime settings that will take effect on the Windows 10 device.

 Endpoint DLP will be generally available (GA) shortly, and some questions around timing and
functionality are still open. Take this lab as an idea of how it may work. Primarily use the case
studies in the slide set to see the features. If the policy in this exercise does not download or
work, continue with the next module and come back hours or a day later.

Configure general Endpoint DLP settings

 Navigate to the Microsoft 365 compliance center http://compliance.microsoft.com.

 Switch to the Policies area.

 Click on Data loss prevention.


 Switch to Endpoint DLP settings and open the Browser and domain restrictions to sensitive
data area.

 Add Google Chrome to the list of unallowed browsers.


 Click Allow for the Service domains and add your OneDrive for Business URL to the service domain
list. Click the + sign and Add to add the domain for your tenant. Allowing one or more service
domains will automatically deny all other domains.

 Type @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantPrefix-my.sharepoint.com

 Pay attention to the -my part of your OneDrive for Business URL.

 The settings are saved automatically.

Create, configure and deploy the Endpoint DLP policy

 Switch back to Policies and delete all existing policies.


 The policies will go into a Pending deletion state prior to the effective deletion.

 Continue by clicking Create policy.

 Select the Custom policy template and click Next to continue.


 Name your policy EDLP Policy and click Next to continue.

 Disable all locations except Devices. Verify that All users are included and None is excluded. Click
Next to continue.


 Click on Create or customize advanced DLP rules and Next to continue.

 Click Create rule to open the rule editor.

 Name the rule EDLP Policy Rule 1. Click on Add condition and on Content contains.


 Add Sensitive info types to define rules which define protected documents.

 Using sensitivity labels is currently (Nov. 2020) in preview state. That is the reason we use sensitive
info types and not labels. We can also skip the effort of creating a label.


 Select the predefined info type Credit card number and click Add.

 Scroll down to Actions. Click on Add an action and on Audit or restrict activities on Windows
devices.


 Configure the Actions according to the following screenshot.

 Enable user notifications.

 Click Save to close the rule editor and Next to continue with configuring the policy.


 Enable the policy, click Next and Submit to finish the process.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Proof the Endpoint DLP policy application

In this exercise you will prove the effect of the Endpoint DLP policy on your Windows 10 devices. Use
CLIENT2 or CLIENT3 in this exercise.

Validate the existence of the Endpoint DLP Onboarding registry value

 Log on to the device and use regedit to verify this value to see if the DLP onboarding process has
happened.

Proof document protection

 Create a new Word document numbers.docx on the desktop and add all these simulated credit
card numbers in the document.

Content

Visa 4539 1050 1153 9664
Visa 4544 1821 7453 7267
Visa 4716 9147 0653 4228
Visa 4916 5417 1375 7159
Visa 4916 6156 3934 6972
MC 4242 4242 4242 4242
MC 4242 4242 4242 4242
MC 4242 4242 4242 4242
MC 4242 4242 4242 4242

 Remove the checkbox for any automatic label. Select any justification during removal of the label.
Save the document.
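
Microsoft documents the built-in Credit card number info type as requiring candidates to pass a Luhn checksum, so test data that fails the checksum will not trigger the rule. The following added example, not part of the lab files, checks the lab's simulated numbers before you rely on them; the last line of the sample text is a constructed number added to show the failing case.

```powershell
# Added example: find 16-digit card number candidates in text and apply the Luhn checksum.
function Test-Luhn {
    param([Parameter(Mandatory)][string]$Number)

    $digits = $Number -replace '[\s-]', ''
    if ($digits -notmatch '^\d{13,19}$') { return $false }

    $sum = 0
    $double = $false
    # Walk from the rightmost digit; double every second digit.
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardNumberCandidate {
    param([Parameter(Mandatory)][string]$Text)

    # 16 digits with optional single space or dash separators, not embedded in a longer number.
    $pattern = '(?<!\d)(?:\d[ -]?){15}\d(?!\d)'
    foreach ($match in [regex]::Matches($Text, $pattern)) {
        $digits = $match.Value -replace '[\s-]', ''
        [pscustomobject]@{
            # Never echo the full number into logs or reports.
            Masked    = ('*' * 12) + $digits.Substring(12)
            LuhnValid = Test-Luhn -Number $digits
        }
    }
}

# Sample text: the simulated numbers from the lab, plus one constructed failing number.
$sample = @'
Visa 4539 1050 1153 9664
Visa 4544 1821 7453 7267
Visa 4716 9147 0653 4228
Visa 4916 5417 1375 7159
Visa 4916 6156 3934 6972
MC 4242 4242 4242 4242
Constructed 4539 1050 1153 9665
'@

$results = @(Find-CardNumberCandidate -Text $sample)
$results | Format-Table -AutoSize

$valid = @($results | Where-Object LuhnValid)
"Candidates: $($results.Count), passing the checksum: $($valid.Count), " +
"distinct passing numbers: $(@($valid.Masked | Sort-Object -Unique).Count)"
```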


 Open a session to your private OneDrive folder http://onedrive.microsoft.com logged on with
your Microsoft account. Drag the document to OneDrive and expect the warning message. Click
Override to allow copying.

 You can also try with Google Drive, Box or any other storage provider if you like.


Additional optional tests

 Copy some text from the document to the clipboard and try to insert it in a Notepad window.
Inserting will not work and a similar toast will come up to inform the user.

 Install Google Chrome and open a browser session with it to your OneDrive for Business folder. Try
to drag the file to OneDrive for Business. The Endpoint DLP warning toast will show up.

 In Endpoint DLP Settings add wordpad.exe to the list of unallowed applications. Try to open the
document with wordpad.exe. This will be blocked and the Endpoint DLP warning toast will show
up.

 Navigate to the Activity Explorer to track all your events during playing with Endpoint DLP.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 07 - Endpoint Security

Introduction

During this lab, you will learn how to configure and monitor Microsoft Defender, Windows BitLocker,
Hello for Business and Windows Update in Intune.

Estimated Time

75 minutes

Objectives

At the end of this lab, you will be able to:

Configure Microsoft Defender

Configure Windows BitLocker

Configure and enroll to Hello for Business

Configure Windows Update

Logon Information

Use the following credentials to login into the Lab on Demand Virtual environment on MMWS_Host

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Lab1: Configure Windows Security in Intune

Exercise 1: Create a configuration profile with Defender Settings

Exercise 2: Create a configuration profile with BitLocker Settings

Exercise 3: Get and use the BitLocker recovery key

Exercise 4: Configure Hello for Business

Exercise 5: Configure Windows Update


Lab 1: Configure Windows Security in Intune

During this lab, you will learn how to create and monitor Microsoft Defender, Windows BitLocker, and
Windows Updates.

Exercise 1: Create a configuration profile with Defender Settings

In this exercise, you will learn how to configure Microsoft Defender with Intune.

 Connect to the Microsoft Endpoint Manager admin center.

 Navigate to Endpoint Security > Antivirus and Create Policy.

 Create a profile for the platform Windows 10 and later and of the Microsoft Defender Antivirus
type.


 In Step 1 enter Microsoft Defender Settings as Name.

 Click Next.

 Configure the settings according to the following screenshot. Add more settings as you like.

 Click Next twice.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles and select
it.

 Click Next and Create to finish the process.

Verify the profile deployment

 Connect to the CLIENT2 machine with the Hyper-V admin console.

 Sync the policies.

 Go to Start > Settings > Update & Security > Windows Security. Open Windows Security.

 Select Virus & Threat Protection.

 Select Virus & Threat protection settings.

 Confirm that Real-time protection and Cloud-delivered protection are On and that the message
This setting is managed by your administrator is shown.

Create a malware event

 Open a browser session and navigate to https://demo.wd.microsoft.com/.

 Click on the test scenario Cloud-delivered protection.

 Click to download the test file.

 Click on the ellipsis … and click on keep the downloaded file. You have to confirm multiple times
that you want to keep the file. In the end it will still be detected and removed by Defender, and you
will see this notification.

 The alert reporting in Intune is only very basic. Microsoft Defender for Endpoint is the
recommended product to raise the security level.
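
The same verification from PowerShell on CLIENT2, as an added example that is not part of the original lab guide: it reads the Defender state the profile should have set and lists detections from the last hour, which should include the test download. The function names are hypothetical; the cmdlets are the built-in Defender ones and need an elevated session.

```powershell
# Added example: check Defender state and recent detections on the client.

function Get-DefenderPolicyState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced membership.
        CloudDelivered     = ($pref.MAPSReporting -ne 0)
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

function Get-RecentDefenderDetection {
    param([int]$Hours = 1)

    $since = (Get-Date).AddHours(-$Hours)

    # Get-MpThreatDetection only carries a ThreatID; Get-MpThreat maps it to a name.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime |
        ForEach-Object {
            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                Threat        = $names[[string]$_.ThreatID]
                Resources     = ($_.Resources -join '; ')
                ActionSuccess = $_.ActionSuccess
            }
        }
}

$state = Get-DefenderPolicyState
$state | Format-List

if (-not ($state.RealTimeProtection -and $state.CloudDelivered)) {
    Write-Warning 'Real-time or cloud-delivered protection is off: sync the policies and check the profile assignment.'
}

$detections = @(Get-RecentDefenderDetection -Hours 1)
if ($detections.Count -eq 0) {
    Write-Warning 'No detection in the last hour: the test file was not downloaded or not detected.'
} else {
    $detections | Format-Table -AutoSize -Wrap
}
```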

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 2: Create a configuration profile with BitLocker Settings

This exercise shows how to create Windows BitLocker Settings in Intune.

Create a profile with Windows BitLocker Settings

 Navigate to Endpoint Security > Disk encryption and Create Policy.

 Create a profile for the platform Windows 10 and later and of the BitLocker type.

 In Step 1 enter Bitlocker as Name.

 Click Next.

 Configure the settings according to the following screenshots.

 Click Next twice.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles and select
it.

 Click Create to finish the process.

Verify the Bitlocker profile

 Connect to the CLIENT2 machine with the Hyper-V admin console.

 Sync the policies.

 The device should start the encryption process automatically. You can verify this by running the
Get-BitLockerVolume PowerShell cmdlet with administrative permissions.

 Optionally view the Bitlocker Event-log to get further insights.

Check the overall encryption status

 Navigate to Devices > Monitor > Encryption report to get the encryption overview.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 3: Get and use the BitLocker recovery key

In this exercise, you will check how to find your BitLocker recovery keys as a user and as an
administrator.

Get BitLocker recovery keys as administrator

 Navigate to Devices > All devices in the Endpoint Manager admin center.

 Click on your desired Client (CLIENT2) and find the BitLocker recovery key information.

 Copy the recovery key into the clipboard.

Get the BitLocker recovery key information as a user in the user portal

 On CLIENT2 open your browser and navigate to http://myaccount.microsoft.com to connect to
your app portal.

 Click on Devices.

 Click View BitLocker Keys to view your keys.

 Click on Show recovery key.

Force a Bitlocker recovery

 Start a PowerShell session with administrative permissions on your client and enter the following
command to force a recovery at the next boot:

PowerShell

manage-bde -forcerecovery c:

 Reboot the computer. It will stop at the BitLocker recovery screen. Enter the recovery key (use the
Clipboard > Type clipboard text option of the Hyper-V connection tool to enter the key).

 Since you have Bitlocker key rotation enabled, you can see that the device starts the recovery key
rotation process since the old one was used.

 Verify in the event log that the rotation process has started.

 Since we deleted the TPM protector to force recovery, we have to add it back again to return the
device to a normal automatic boot state.

 Use the following command in an administrative PowerShell session:

PowerShell

manage-bde -protectors -add c: -tpm

 Reboot the machine. It should reboot normally without entering the BitLocker recovery step.
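
An added example (not part of the original lab guide) for the verification step in Exercise 2 and for the protector changes in this exercise: it summarises the encryption state and key protectors of C: and lists recent entries from the BitLocker management event log. The function names are hypothetical; run it elevated before and after each reboot and compare the recovery protector IDs to see the rotation.

```powershell
# Added example: inspect BitLocker state, key protectors and recent events.

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus        # e.g. EncryptionInProgress, FullyEncrypted
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectionStatus    = $vol.ProtectionStatus    # On / Off
        ProtectorTypes      = ($types -join ', ')
        HasTpmProtector     = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        # Only the protector ID is returned here, not the 48-digit recovery password.
        # A changed ID after recovery shows that the key was rotated.
        RecoveryProtectorId = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })
    }
}

function Get-RecentBitLockerEvent {
    param([int]$MaxEvents = 20)

    # Management channel of the BitLocker API provider (encryption start,
    # protector changes, recovery key backup and rotation).
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$summary = Get-BitLockerProtectorSummary -MountPoint 'C:'
$summary | Format-List

if (-not $summary.HasRecoveryPassword) {
    Write-Warning 'No recovery password protector: there is no key to escrow or to use at the recovery screen.'
}
if (-not $summary.HasTpmProtector) {
    # This is the state after "manage-bde -forcerecovery c:" and before
    # "manage-bde -protectors -add c: -tpm".
    Write-Warning 'No TPM protector: expect the recovery screen at the next boot.'
}

Get-RecentBitLockerEvent -MaxEvents 20 | Format-Table -AutoSize -Wrap
```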

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 4: Configure Hello for Business

This exercise shows how to configure Hello for Business with the key trust scenario.

 You need a physical mobile phone to complete the lab. You do not need to provide a phone
number as we use the Authenticator app.

Analyze the client state

 Use the Client2 or Client3 device for this lab.

 Disable the Hyper-V enhanced session since Hello for Business will not work within an RDP session.

 Open a PowerShell or cmd session with administrative permissions and use the following
command:

PowerShell

Dsregcmd /status

 NGC stands for Next generation credential and documents the enrollment state for Hello for
Business.

In this case the state is:

No enrollment policy assigned to the device
The session is not an RDP session (ok)
The prerequisites are not fulfilled for an enrollment (because of the missing policy)
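
To read that state without scanning the whole output by eye, the following added example (not part of the original lab guide) parses `dsregcmd /status` and reports which NGC prerequisite is blocking enrollment. The function names are hypothetical and the sample text is constructed to match the state described above; on the client, pass the live output instead.

```powershell
# Added example: turn "dsregcmd /status" output into an NGC readiness report.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $result = [ordered]@{}
    foreach ($line in $Lines) {
        # Data lines look like "   NgcSet : YES". Section banners start with
        # "|" or "+" and are skipped because the key may not contain them.
        if ($line -match '^\s*(?<key>[^:|+]+?)\s+:\s+(?<value>.+?)\s*$') {
            $result[$Matches['key']] = $Matches['value']
        }
    }
    $result
}

function Get-NgcReadiness {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $s = ConvertFrom-DsregStatus -Lines $Lines

    # Fields of the "Ngc Prerequisite Check" section and what a NO means.
    $checks = [ordered]@{
        IsDeviceJoined     = 'Device is not Azure AD joined or hybrid joined'
        IsUserAzureAD      = 'Signed-in user is not an Azure AD user'
        PolicyEnabled      = 'No Hello for Business policy has reached the device'
        DeviceEligible     = 'Device does not meet the hardware requirement'
        SessionIsNotRemote = 'Session is remote (RDP or Hyper-V enhanced session)'
    }

    # The prerequisite section can be absent (for example once NgcSet is YES),
    # so a missing field is not counted as a blocker.
    $blockers = foreach ($key in $checks.Keys) {
        if ($s.Contains($key) -and $s[$key] -eq 'NO') { $checks[$key] }
    }

    [pscustomobject]@{
        NgcSet       = ($s['NgcSet'] -eq 'YES')
        PreReqResult = $s['PreReqResult']
        Blockers     = @($blockers)
    }
}

# Constructed sample: joined device, local console session, no policy yet.
$sample = @'
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision
'@ -split '\r?\n'

Get-NgcReadiness -Lines $sample | Format-List

# On the lab client, use the live output instead:
# Get-NgcReadiness -Lines (dsregcmd /status) | Format-List
```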

Connect to the Microsoft Endpoint Manager admin center

 Click Devices > Windows > Configuration profiles and select Create profile.

 Create a profile for the platform Windows 10 and later and of the Identity protection type and
click Create.

 In Step 1 enter T Windows Hello for Business as Name.

 Click Next.

 Configure the settings according to the following screenshots.

 Click Next.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles and select
it.

 Click Next twice and then Create to complete the process.

Analyze the client state again

 Sync your client.

 Repeat the command, several times if necessary, until you see the profile result.

PowerShell

Dsregcmd /status

 The NGC check will change to this state.

 Switch to your mobile phone and install the Microsoft Authenticator app.

 The Hello for Business provisioning assistant will start after a new sign in. So now sign out and
sign in to the device to continue the process.

The provisioning assistant starts.

 Click on Set up PIN. The provisioning assistant forces multifactor authentication. Click Next to
continue. Enter your password and continue. The process starts provisioning the Authenticator app.

 Click Next to continue on the enrollment screen.

 Start the Authenticator app on the mobile phone and add a new account by selecting Scan a QR code. Scan
the QR code on the screen and click Next on the enrollment screen.

 Verify the account with the Authenticator app and click Next.

 Click Done to complete the process.

 Create the required PIN and click OK to continue. You may use 1122 for the PIN.

 Finally click OK to finish the enrollment process.

 Repeat the following command line:

PowerShell

Dsregcmd /status

 The output shows that a Hello for Business credential was successfully registered.

 Sign out from the machine. Windows will now prefer to use the PIN for logon. Enter the PIN to
sign in.

 On a physical device, the Hello for Business provisioning assistant would also register biometrics
such as fingerprint or face recognition.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 5: Configure Windows Update

This exercise shows how to configure Windows Update in Intune for a pilot update group.

Connect to the Microsoft Endpoint Manager admin center

 Click Devices > Windows > Windows 10 update rings and select Create profile.

Configure a Windows Update Ring for the Semi-Annual Channel

 In Step 1 enter Windows Update Pilot Group as Name.

 Click Next and configure the following settings.

 Click Next.

 On Assignments click Select groups to include, search for IN-Win10-ConfigProfiles and select
it.

 Click Next and Create to complete the process.

Create the Delivery Optimization profile

 Click Devices > Windows > Configuration profiles and select Create profile.

 Create a new profile named Delivery Optimization for the platform Windows 10 and later with
the profile type of Delivery Optimization.

 Select the Download mode HTTP blended with peering behind the same NAT.

 The minimum RAM setting is just for test purposes, since at least 4 GB is required for Delivery
Optimization to work.

 Click Next.

 Assign the profile to the group IN-Win10-ConfigProfiles.

 Click Next two times and finally Create.

Verify the Windows Update settings

 Connect to the CLIENT2 machine with the Hyper-V admin console.

 Sync the policies and verify that the profile was applied under Settings > Accounts > Access work
or school > Info.

Verify the Windows Update settings

 Go to Start > Settings > Update and Security.

 You should see the message Some settings are managed by your organization.

 Also verify the Delivery Optimization Settings.

Analyze Delivery Optimization environment

 Try some PowerShell cmdlets to get insights into your lab environment.

PowerShell

Get-DeliveryOptimizationStatus

PowerShell

Get-DeliveryOptimizationStatus | Out-GridView

PowerShell

Get-DeliveryOptimizationStatus -PeerInfo

 The output will vary according to the state of your lab. You are lucky if you see BytesFromPeers in the
output.

 The activity monitor in the Settings app also gives some insights.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.

Module 08 - Monitoring, Logging and Reporting

Introduction

During this lab, you will learn how to monitor the assignments and how to get an overview with reports.

Estimated Time

45 minutes

Objectives

After completing this lab, you will be able to:

Get detailed device information about inventory and state

Report about app and profile assignment status

Analyze the Intune audit logs

Report compliance with the Endpoint Manager admin center

Prepare the Intune Data Warehouse and the preconfigured report app

Logon Information

Use the following credentials to sign in to the Learn on Demand virtual environment on MMWS_HOST.

Log on to MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!

Table of Contents

Lab1: Live Monitoring

Exercise 1: Viewing details of a device

Exercise 2: Overview of all user assignments and state

Exercise 3: Monitoring assignment status

Exercise 4: Reviewing the App Protection and App Configuration logs and status

Exercise 5: Reviewing the Intune audit logs

Exercise 6: Reviewing Endpoint Analytics

Lab2: Reporting

Exercise 1: Reporting in the Intune portal

Exercise 2: Intune Data Warehouse

Lab3: Accessing Intune data through Graph Explorer

Exercise 1: Using Graph Explorer to retrieve data from your tenant

Exercise 2: Use Graph Explorer to create, modify, and delete a device category for a managed device
from the Intune portal

Lab1: Live Monitoring

During this lab, you will learn how to view hardware inventory and compliance of devices.

Exercise 1: Viewing details of a device

This exercise shows how to view hardware inventory data for mobile devices.

View data of a single device

 Connect to https://endpoint.microsoft.com.

 Navigate to Devices > Devices > Windows devices and click on a specific device.

Review device data

 Review important device overview data, like Serial number, Ownership, Device Compliance, Last
check-in time and so on.

 Review the remaining categories like Hardware, Device configuration and so on.

 Notice the Intune and Azure Device IDs. They are different since each system manages its
own ID for a device. During troubleshooting it is sometimes important to state clearly which ID
is meant.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 2: Overview of all user assignments and state

This exercise shows how to get a quick overview of all assignments targeted to a specific user with
the troubleshoot tool.

Quickly get an overview of the user's status

 Connect to https://endpoint.microsoft.com.

 Navigate to Troubleshooting + support > Troubleshoot and click on Select user to identify your
test user.

 You get an overview of the most important user information like group memberships, licenses,
compliance, assignments, and devices.

 This is the place where troubleshooting in Intune may start.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 3: Monitoring assignment status

This exercise shows how to dynamically evaluate the assignment status per device or user.

Explore the monitoring options

 Connect to https://endpoint.microsoft.com.

 Navigate to Devices > Monitor. Get an overview of the available monitoring sections and click on
Assignment status.

 Check the overall Assignment status.

 Click on one profile in the table to get into the profile overview with a detailed view of the
assignment status.

 Click on Device status to drill into the single devices or users view.

 The same process can be used to monitor the app assignment status.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 4: Reviewing the App Protection and App Configuration logs and status

This exercise shows how to get status information for the application of App Protection and App
Configuration policies.

Explore the App Protection monitoring options.

 Connect to https://endpoint.microsoft.com.

 Navigate to Apps > Monitor > App protection status.

 Download the app protection report for WIP via MDM and check the results in the csv file.

 Most reports focus on iOS and Android app protection policies. There is not much to report for
the Windows platform.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 5: Reviewing the Intune audit logs

This exercise shows how to get deeper insights into administrative tasks in the Intune environment.

Review administrative operations with the audit log.

 Connect to https://endpoint.microsoft.com.

 Navigate to Tenant administration > Audit logs.

 Get an overview of all administrative tasks and details which happened in the tenant.

 Also try the Filter and Export functions.

Exercise 6: Reviewing Endpoint Analytics

This exercise introduces Endpoint analytics. The data collection has been enabled in module 2.

 Data collection and processing might take up to 24 hours.

Review endpoint analytics

 Connect to https://endpoint.microsoft.com.

 Navigate to Reporting > Endpoint analytics. You should see the overview page showing the
Endpoint analytics score.

 Navigate back to Devices > Configuration profiles and review the Intune data collection policy
assignment which has been automatically created when enabling the service.

 Navigate to Reporting > Endpoint analytics > Startup performance. Check the different reports
like Model performance, Device performance and Startup processes.

 Navigate to Proactive remediations and assign a predefined script to a group. You may also
experiment with what it takes to create your own script package.

 Finally, review the Recommended software blade.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Lab2: Reporting

Exercise 1: Reporting in the Intune portal

This exercise shows how to get insights into the compliance state with the Intune portal.

Analyze the overall compliance state

 Connect to https://endpoint.microsoft.com.

 Navigate to Reports > Device compliance > Summary and click on Refresh to prepare the
Device compliance report.

 Analyze the status of your enrolled devices.

 Drill into more details.

 Stay with Device compliance and switch to Reports.

 Click on Generate report or Generate again, depending on your state.

 Analyze your enrolled devices and try searching and filtering the device list.

Get historical information.

 Click on Reports and then on Device compliance trends to view the compliance status progress
in the infrastructure.

 View the historical compliance results.

 Further monitoring tasks require the integration of Azure Log Analytics.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 2: Intune Data Warehouse

This exercise shows how to report with Power BI from the Intune Data Warehouse.

Integrate Power BI with Intune

 Navigate to Reports > Data warehouse and click Get Power BI app.

 Start the installation process on your host machine with a click on Get it now.

 Click on Continue to sign in as administrator.

 Install the app in the Power BI environment.

 Click on the installed app.

 Connect to the data and sign in.

 Click Next and Sign in.

 If asked, specify your reporting account (keep default).

 You will see demo data and need to refresh the data first. Click on the Compliance V1.0 report and
explore the different report pages.

 This is just the beginning of the Power BI report story. There is also the option to build extended
reports with the Power BI Desktop app.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Lab3: Accessing Intune data through Graph Explorer

Exercise 1: Using Graph Explorer to retrieve data from your tenant

This exercise shows how to see your managed devices using Graph Explorer and compare with what is
in the Intune portal.

See your managed applications from the Intune portal by using Microsoft Graph Explorer.

 Open Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Select Sign in to Graph Explorer using your global administrator account.

Username: admin@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName

Password: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password

 Mark the check box and Accept when the Permission request pops up.

 Once signed in, you will notice an access token. Any call made against Microsoft Graph requires
an access token which can only be issued by Azure Active Directory, thus having a tenant is
mandatory.

 If you click on Settings > Select permissions, you will notice that some of them are already
marked. Microsoft Graph exposes granular permissions that control access to resources, like users,
groups, and devices. Grant the necessary permissions to the Graph Explorer application.

 In a new tab, navigate to Microsoft docs:
https://docs.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-list?view=graph-rest-1.0
to get an idea of the commands and URLs used in MS Graph.

 Copy the Request URL from there, go to Graph Explorer and paste the URL into the query line and
click Run Query.

 In the response preview, you will see a failure since we have no permissions to the app information.

 The response will tell us which scope we need access to. Click on Settings > Select permissions.
The permission window will open on top.

 Select DeviceManagementConfiguration.Read.All and DeviceManagementConfiguration.ReadWrite.All.

 Click Consent.

 Then click the Checkbox to consent and Accept at the pop-up.

 Security is particularly important! When the permission is set correctly, the query
https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies shows the
expected output according to your configured compliance policies:

 Those settings reflect the settings of your compliance policies.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.

Exercise 2: Use Graph Explorer to create, modify, and delete a device category for a managed device from the Intune portal

This exercise shows how to create, update, and delete a device category of a managed device using
Graph Explorer and compare it with what is in the Intune portal.

Create a device category of a managed device from the Intune portal by using Microsoft Graph Explorer.

 To create a device category, first check if there are any existing device categories. Navigate to
Devices > Device Categories.

 Go to the Graph API reference site https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
and search for device category.

 Open Graph Explorer and paste in
https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories

 Again we need permissions.

 Give permissions to: DeviceManagementManagedDevices.Read.All,
DeviceManagementManagedDevices.ReadWrite.All

 Now that we have listed the available device categories, we will start creating two device categories
using Graph Explorer.

 To create device categories you will need to use the command from the documentation:
https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-create?view=graph-rest-1.0

 Copy the URL below, paste it into Graph Explorer and change the command to POST instead of
GET using the drop-down arrow.

https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories

 Paste the data below into the Request Body.

{
  "@odata.type": "#microsoft.graph.deviceCategory",
  "displayName": "Restricted Devices",
  "description": "Special Purpose devices"
}

 Click on Run Query.

 This is the expected output.

 Review the category in the Intune Portal.

Update a device category of a managed device from the Intune portal by using Microsoft Graph Explorer.

In this task, we will update the device category we created earlier, called Restricted Devices, using
Graph Explorer. To perform this test, we will first identify the API command that we need for the
update.

 Look up https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-update?view=graph-rest-1.0

 Retrieve the device category ID of the category you want to change using
https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories

 Note the device category ID.

 Copy the URL below and paste it into Graph Explorer, changing the command to PATCH instead of
POST.

https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories/<categoryid>

 Paste the data below into the Request Body:

 {
"displayName": "Restricted Special Purpose Devices",
"description": " Special Purpose devices"
}

 You can go to the Endpoint Manager admin center to confirm that the category has changed.

Delete a device category for a managed device from the Intune portal by Using Microsoft Graph Explorer.

To delete the device category, we will use the command as per doc:

 Look up https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-delete?view=graph-rest-1.0


 Copy the URL below and paste it into Graph explorer changing the command to DELETE instead of
PATCH.

https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories/<categoryid>

 Go to the Endpoint Manager admin center to confirm the category has been removed.
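
The create, update and delete requests from this exercise, issued from a script instead of Graph Explorer, as an added example that is not part of the lab's own material. It assumes the Microsoft.Graph.Intune PowerShell module (Connect-MSGraph, Invoke-MSGraphRequest) and a signed-in account allowed to manage device categories; Get-CategoryByName is a hypothetical helper.

```powershell
# Added example, not lab code. Assumes the Microsoft.Graph.Intune module.
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories'

# Hypothetical helper: resolve a category by display name and refuse to
# continue when the name is missing or matches more than one category.
function Get-CategoryByName {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $all  = (Invoke-MSGraphRequest -HttpMethod GET -Url $base).value
    $hits = @($all | Where-Object { $_.displayName -eq $DisplayName })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one category named '$DisplayName', found $($hits.Count)"
    }
    $hits[0]
}

Connect-MSGraph | Out-Null

# POST: same request body as the lab step
$create = @{
    '@odata.type' = '#microsoft.graph.deviceCategory'
    displayName   = 'Restricted Devices'
    description   = 'Special Purpose devices'
} | ConvertTo-Json
Invoke-MSGraphRequest -HttpMethod POST -Url $base -Content $create | Out-Null

# PATCH: look the id up by name instead of pasting a copied value
$target = Get-CategoryByName -DisplayName 'Restricted Devices'
$update = @{ displayName = 'Restricted Special Purpose Devices' } | ConvertTo-Json
Invoke-MSGraphRequest -HttpMethod PATCH -Url "$base/$($target.id)" -Content $update

# DELETE: resolve by the new name, then confirm the category is gone
$target = Get-CategoryByName -DisplayName 'Restricted Special Purpose Devices'
Invoke-MSGraphRequest -HttpMethod DELETE -Url "$base/$($target.id)"
$left = @((Invoke-MSGraphRequest -HttpMethod GET -Url $base).value |
    Where-Object { $_.id -eq $target.id })
if ($left.Count -ne 0) { throw "Category $($target.id) still present after DELETE" }
```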

Congratulations!

You have successfully completed this Module. To mark the lab as complete, click End.

Congratulations!

You have successfully completed this Module. Click Next to advance to the next Module.


Module 09 - Additional Labs - Optional Module

Introduction

During this lab, you will set up a new device using Windows AutoPilot incorporating all settings from
the workshop. We also give you some hints to use your creativity to achieve some more tasks.

Estimated Time

90+ minutes

Objectives

This lab will give you the opportunity to apply your knowledge and test out a few more scenarios. This
guide will only give you a few tips and minimal guidance. Your trainer will help you if you have any
questions.

Logon information

Use the following credentials to login into the virtual environment

Log on to  MMWS_HOST by pressing Ctrl+Alt+Delete and typing in the following credentials:

Username: Admin

Password: Intune123!!


Table of Contents

Optional Lab 1: End to End Autopilot deployment

Exercise 1: Prepare for an End-to-End Autopilot deployment

Optional Lab 2: Autopilot Reset

Exercise 1: Create policy for Autopilot Reset

Exercise 2: Autopilot Reset in Action

Optional Lab 3: Autopilot deployment options using Graph API

Exercise 1: Install PowerShell modules

Exercise 2: Connect to Intune via Graph API and display existing registered devices

Exercise 3: Connect to Client 1 and extract the Autopilot Information

Exercise 4: Import Client1 in Autopilot using Graph API

Exercise 5: Export Intune device policies


Optional Lab 1: End to End Autopilot deployment

During this lab, you will learn how to gather information from the device needed to enroll it for
Autopilot. This lab will give you just guidance and an overview. If you need more detailed information
refer to the existing labs.

Exercise 1: Prepare for an End-to-End Autopilot deployment

This exercise enables you to prepare Intune for AutoPilot.

 Create a new user or choose an existing one.

 Don't forget to configure a usage location and check licensing.

 Assign the new user to the relevant Azure AD groups.


Use at least the IN-Software and IN-Win10-ConfigProfiles group.

 Alternatively, you might create a new group and assign the settings to this group.

 You may try other client settings than in the lab.

 Ideas might be:


Enrollment Status Page - Block device until required apps have been installed


 Create other device configurations (e.g. Lock Screen Picture and Lock Screen Toast Notification).

 Search the internet for a suitable background picture or use this one:
https://www.bing.com/sa/simg/hpb/LaDigue_EN-CA1115245085_1366x768.jpg


 The lock screen image will be displayed blurred in the enhanced view. Disable the enhanced
view to see the clear picture. It will get blurred again if you select the user to log on.

 Terms of use (optional)

 Require the user to accept Terms of use before first logon. You will find a conditional access
policy for this.


 Add additional Win32 Apps and dependencies (optional)

 Work with Group tags

 Rename Group tag in the console and assign a new profile to a new dynamic AAD Group.


 Assign a user to a device.

 AAD Query:

(device.devicePhysicalIds -any _ -eq "[OrderID]:GroupTag")

 Reset CLIENT3 with the Fresh Start feature and run an additional autopilot session using the new
user.


 This will take around 15 minutes on actual computer hardware. It usually takes much
longer on a virtual machine.

 After provisioning you may run the following PowerShell script to review troubleshooting
information from your enrollment.

PowerShell

Set-ExecutionPolicy bypass
Install-Script Get-AutopilotESPStatus
Get-AutopilotESPStatus


Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Optional Lab 2: Autopilot Reset

During this lab, you will learn how to gather the information from a device that is needed to enroll it
for Autopilot. This lab will only give you guidance and an overview. If you need more detailed
information, refer to the existing labs.

Exercise 1: Create policy for Autopilot Reset

This exercise shows how to use Autopilot Reset.

To enable Autopilot Reset, we need to create a new device profile and assign it to the user group.

 Create a profile with the name Autopilot Reset. Select Device restrictions as profile type and
choose General Category and Autopilot Reset.


 Assign the profile to the IN-Win10-ConfigProfiles AAD Group.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Autopilot Reset in Action

In this exercise you will experience Autopilot Reset.

 Use Client2

 Sync policies and sign out from the machine.

 Disable Hyper-V Enhanced Session

 Use the on-screen keyboard and press CTRL + Windows key + R.


 Log in with in-admin1@@lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).TenantName

 In-Admin1 is a local Administrator on this machine based on the Azure AD additional administrator
settings in Module 2.


 You can start with the next lab while the PC is resetting.

 Sign in with another user from your Azure AD

 The device is now Azure AD joined.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Optional Lab 3: Autopilot deployment options using Graph API

During this lab, you will learn how to gather the information from a device that is needed to enroll it
for AutoPilot. This lab will only give you guidance and an overview. If you need more detailed
information, refer to the existing Labs.

Exercise 1: Install PowerShell modules

This exercise enables you to use Graph API to connect to Autopilot in Intune. We will use MMWS as the
management workstation running PowerShell.

 Connect to your MMWS Workshop host and install the Azure AD and WindowsAutopilotIntune
PowerShell Module.

 Open Windows PowerShell in Administrator context.

PowerShell

Install-Module AzureAD -force

Press Y if prompted.

PowerShell

Install-Module WindowsAutoPilotIntune -force

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 2: Connect to Intune via Graph API and display existing registered devices

This exercise shows how to connect using Graph API to Autopilot in Intune.

On MMWS Connect to Intune via Graph API

 Run in PowerShell:

PowerShell

Connect-MSGraph

 Add the Admin credentials of your tenant.

Username: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Username
Password: @lab.CloudCredential(SSGM3653sharpStakeholderJudDoran).Password

 Accept the permissions.


Review registered Devices in Autopilot

 Run

PowerShell

Get-AutoPilotDevice


Review Autopilot profiles

 Run

PowerShell

Get-AutoPilotProfile

 Leave the PowerShell window open for exercise 4.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 3: Connect to Client 1 and extract the Autopilot Information

This exercise refreshes how to get the Autopilot Information.

Log on Virtual Machine Client1.

 Log on to Client1 with the local account (Admin / Intune123!!) and use the Hyper-V enhanced
session.

Install-Script Get-WindowsAutoPilotInfo

 Run PowerShell.exe as Administrator. Run command:

PowerShell

Set-ExecutionPolicy Bypass -force

 Then run command:

PowerShell

Install-Script Get-WindowsAutoPilotInfo

 Answer "Y" to any prompts.

Gather hardware information via Get-WindowsAutoPilotInfo.ps1

 Execute command:

PowerShell

Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Client1.csv

 Then exit Windows PowerShell.


 Copy Client1.csv to your host. You may use RDP clipboard copy if you have enabled enhanced
session in Hyper-V.

 Open the csv file and add the value ",Group Tag" at the end of the header line. At the end of the
second line add the value ",workshop" without quotation marks and save the file.
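
The CSV edit from the step above, done in PowerShell with checks before import, as an added example that is not part of the lab's own material. It handles any number of device rows; the column names are assumed to match the output of Get-WindowsAutoPilotInfo.ps1, Add-AutopilotGroupTag is a hypothetical helper, and the serial number and hash are constructed sample values.

```powershell
# Added example, not lab code. Sample data is constructed, not a real device.
$csvPath  = Join-Path $env:TEMP 'Client1.csv'
$groupTag = 'workshop'          # value used in this lab step

# Constructed stand-in for the file written by Get-WindowsAutoPilotInfo.ps1
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    '0000-0000-CONSTRUCTED,,Q09OU1RSVUNURUQtSEFTSA=='
) | Set-Content -Path $csvPath -Encoding Ascii

function Add-AutopilotGroupTag {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $GroupTag
    )
    # Column names assumed from the script's CSV output
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($name in $required) {
        if ($columns -notcontains $name) { throw "Missing column '$name'" }
    }
    if ($columns -contains 'Group Tag') { throw "'Group Tag' column already present" }
    if ($GroupTag -match '[,"\r\n]') {
        throw 'Group tag must not contain commas, quotes or line breaks'
    }

    $lines = @(($required + 'Group Tag') -join ',')
    foreach ($row in $rows) {
        # A hardware hash is Base64; reject rows where it is empty or malformed
        if ($row.'Hardware Hash' -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
            throw "Row '$($row.'Device Serial Number')' has an invalid hardware hash"
        }
        $lines += (@($required | ForEach-Object { $row.$_ }) + $GroupTag) -join ','
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

Add-AutopilotGroupTag -Path $csvPath -GroupTag $groupTag
Get-Content -Path $csvPath
```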

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 4: Import Client1 in Autopilot using Graph API

This exercise shows how to import a device using Graph API

 Use MMWS_Host for this

 Open a PowerShell command line in administrative mode.

 Import the Client1.csv via PowerShell into Intune.

 On MMWS_Host run in the PowerShell command window:

PowerShell

Import-AutoPilotCSV -csvFile <link to CSV.csv>

 Wait until the device has been registered.

 Trigger an Autopilot sync.

PowerShell

Invoke-AutopilotSync

 Verify the device in the console and/or via PowerShell:

PowerShell

Get-AutoPilotDevice | Out-GridView


 Assign a user to the Autopilot Device.

 Apply the OOBE checkpoint on Client1 and run the Autopilot deployment.

Congratulations!

You have successfully completed this exercise. Click Next to advance to the next exercise.


Exercise 5: Export Intune device policies

This exercise shows how to export Intune policies using Graph API.

 Use  MMWS_HOST for this exercise.


 Download the latest Device Configuration PowerShell from GitHub

https://github.com/microsoftgraph/powershell-intune-samples

 There is also a copy in C:\LAB_SOURCE\Labs\Lab8_Powershell\Import_Export.

 Export the policies.

 Start PowerShell with administrative permissions.

 Set the execution policy:

PowerShell

set-executionpolicy bypass -force

 Download the Azure AD PowerShell module:

PowerShell

install-module AzureAD

 Switch to the extracted scripts directory .\powershell-intune-samples-master\DeviceConfiguration

 Use DeviceConfiguration_Export.ps1

 Enter an output directory name.


 Delete and reimport

 Delete a policy in Intune and reimport it with DeviceConfiguration_Import_FromJSON.ps1

Congratulations!

You have successfully completed this Module, and Course. To mark the Course as complete and END
THIS LAB INSTANCE click End.
