Windows Insider Lab for Enterprise Date: April 9, 2022 NOTE: This guide is the authoritative source of delivery guidance for the Windows Insider Lab for Enterprise. Where content is absent from this guide, refer to the Windows Insider Lab for Enterprise – Setup Guide. Lab Guide


Page 1: Lab Guide - olympia.windows.com… · Web view Lab Guide. Windows Insider Lab for Enterprise. Date: March 11, 2019. NOTE: This guide is the authoritative source of delivery guidance

Windows Insider Lab for Enterprise

Date: May 15, 2023

NOTE: This guide is the authoritative source of delivery guidance for the Windows Insider Lab for Enterprise. Where content is absent from this guide, refer to the Windows Insider Lab for Enterprise – Setup Guide.

Lab Guide


Table of Contents

1 Introduction (p. 5)
1.1 Lab Objectives (p. 5)

2 Prerequisites (p. 7)
2.1 On-Premises Environment (p. 7)
2.2 Cloud Environment (p. 8)

3 Lab Setup (p. 9)
3.1 On-Premises Environment (p. 9)
3.2 Cloud Environment (p. 10)
3.2.1 Setup Azure and Office 365 (p. 10)
3.2.2 Setup Enterprise Mobility + Security (p. 12)
3.2.3 Enable and Configure Cloud Services (p. 12)
3.3 On-Premises Environment Post Setup Manual Steps (p. 14)
3.3.1 Build a Windows 10 Developer Machine (for Desktop Bridges Scenario only) (p. 14)
3.3.2 Configure Azure AD Connect with Device Sync (p. 16)

4 Deployment & Management (p. 18)
4.1 Modern Device Deployment (p. 18)
4.1.1 AutoPilot (p. 18)
4.2 Modern Device Management with Intune (p. 25)
4.2.1 Mobile Device Management using Microsoft Intune (p. 25)
4.2.2 Dynamic Management with Windows 10 (p. 29)
4.2.3 Mobile App Management for Non-Managed Windows 10 Devices (p. 31)
4.3 Co-Management (p. 34)
4.4 Modern Application Management with Intune (p. 38)
4.4.1 Application Deployment and Management with Microsoft Intune (p. 38)
4.4.2 Application Self-Service with Microsoft Store for Business (p. 40)
4.5 Enterprise State Roaming (p. 43)
4.5.1 Prerequisites (p. 43)
4.5.2 Configure Enterprise State Roaming (p. 43)

5 Security (p. 45)
5.1 Windows Information Protection (p. 45)
5.1.1 Modern Management (p. 45)
5.1.2 Traditional Management (p. 49)
5.2 Windows Defender Advanced Threat Protection (p. 57)
5.2.1 Onboarding Windows 10 Device (p. 58)
5.2.2 Perform Simulation (p. 60)
5.3 Windows Defender Application Guard (p. 60)
5.3.1 Modern Management (p. 61)
5.3.2 Traditional Management (p. 64)
5.4 Windows Defender Exploit Guard (p. 65)
5.4.1 Modern Management (p. 65)
5.4.2 Traditional Management (p. 67)
5.5 Windows Hello (p. 69)
5.5.1 Modern Management (p. 69)
5.5.2 Traditional Management (p. 70)
5.6 Credential Guard (p. 92)
5.6.1 Check Credential Guard Requirements (p. 92)
5.6.2 Modern Management (p. 93)
5.6.3 Traditional Management (p. 95)
5.7 Device Encryption (MBAM) (p. 97)
5.7.1 Modern Management (p. 98)
5.8 Device Guard – User Mode Code Integrity (p. 100)
5.8.1 Modern Management (p. 100)
5.8.2 Traditional Management (p. 101)

6 Compatibility (p. 108)
6.1 Windows Analytics Upgrade Readiness (p. 108)
6.2 Browser Compatibility (p. 108)
6.2.1 Prerequisites (p. 109)
6.2.2 Enterprise Mode (p. 110)
6.2.3 Browser Compatibility Remediation (p. 113)
6.3 Desktop Bridges (p. 123)
6.3.1 Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX) (p. 124)

7 Additional Labs (p. 132)
7.1.1 MDM WINS over GP (p. 132)
7.1.2 MAM FAQ (p. 138)


1 Introduction

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. There are two versions of the lab:

Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest Microsoft 365 enterprise features through access to Olympia Corp, a virtual corporation set up to reflect the IT infrastructure of a real-world business. Customers are invited to join Olympia Corp through our online survey. Qualified customers are then provided with a username and password to access the cloud-based lab.

Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials. Customers can also add the latest Windows 10 Insider Preview Enterprise build to the lab.

This Windows Insider Lab for Enterprise v2 lab guide walks you through Modern and Traditional Desktop scenarios to showcase the latest enterprise features and capabilities.

1.1 Lab Objectives

This guide is designed to provide step-by-step guidance for demonstrating the basic functionality of each feature. It is important that the Prerequisites (Section 2) and Lab Setup (Section 3) sections be completed before proceeding with the lab activities.

Lab Setup
  o On-Premises Environment
  o Cloud Environment
  o On-Premises Environment Post Setup Manual Steps

Servicing
  o Windows Analytics Update Compliance

Deployment & Management
  o Modern Device Deployment
  o Modern Device Management with AutoPilot
  o Co-Management
  o Modern Application Management with Intune
  o Enterprise State Roaming

Security
  o Windows Information Protection
  o Windows Defender Advanced Threat Protection
  o Windows Defender Application Guard
  o Windows Defender Exploit Guard
  o Windows Hello
  o Credential Guard
  o Device Encryption (MBAM)
  o Device Guard – User Mode Code Integrity

Compatibility
  o Windows Analytics Upgrade Readiness
  o Browser Compatibility
  o Desktop Bridges

Additional Labs
  o MDM WINS over GP
  o MAM FAQ


2 Prerequisites

The following requirements for each environment are needed to support the labs.

2.1 On-Premises Environment

Listed below are the requirements for the on-premises environment:

Complete | Task
☐ One (1) physical client or server to host the virtual lab environment. The requirements are listed below:
   Operating System: Windows Server 2016, or 2012 R2, or Windows 10 with Hyper-V installed and fully updated. Administrative rights on the Hyper-V host.
   Memory: At least 32 GB.
   Disk Space: At least 300 GB.
   Disk Subsystem: High throughput/speed.
   Processor: Preferably a high-end processor for faster processing.
   Ethernet: Two (2) or more Gb NICs.
   Network Connections: Internet connection and an External Virtual Switch in the Hyper-V host, bound to the host's external adapter, for Internet connectivity.
☐ One (1) gigabit network lab switch with sufficient ports to connect physical client devices and the lab environment.
☐ Download the latest available 64-bit Windows 10 Insider Preview Enterprise build ISO image: https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewadvanced
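The following pre-flight script is an added example, not part of the lab guide: it checks a prospective Hyper-V host against the section 2.1 requirements (admin rights, OS family, Hyper-V, 32 GB RAM, 300 GB free, two gigabit NICs, an external virtual switch) before the Setup Guide is followed. The `$LabVmRoot` path is an assumption; point it at the volume that will hold the lab VMs.

```powershell
# Added example (not part of the lab guide): checks a prospective Hyper-V host
# against the section 2.1 requirements. Thresholds come from the guide; the
# $LabVmRoot path is an assumption (point it at the volume that will hold the VMs).
param([string]$LabVmRoot = 'C:\VMs')

$results = [ordered]@{}

# Administrative rights on the Hyper-V host
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Administrative rights'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Operating system: Windows 10, Server 2012 R2 or Server 2016 (build shown so the
# "fully updated" requirement can be compared against the current release)
$os = Get-CimInstance Win32_OperatingSystem
$results["OS: $($os.Caption) build $($os.BuildNumber)"] =
    $os.Caption -match 'Windows 10|Server 2012 R2|Server 2016'

# Hyper-V installed: the Virtual Machine Management service exists and is running
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
$results['Hyper-V (vmms service running)'] = ($null -ne $vmms -and $vmms.Status -eq 'Running')

# Memory: at least 32 GB
$memGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$results["Memory: $memGB GB (need 32)"] = $memGB -ge 32

# Disk space: at least 300 GB free on the volume that will hold the lab VMs
$drive  = Split-Path -Qualifier $LabVmRoot          # e.g. 'C:'
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$results["Free space on $drive $freeGB GB (need 300)"] = $freeGB -ge 300

# Ethernet: two or more gigabit NICs that are up (ReceiveLinkSpeed is in bits/s)
$gbNics = @(Get-NetAdapter -Physical |
    Where-Object { $_.Status -eq 'Up' -and $_.ReceiveLinkSpeed -ge 1000000000 })
$results["Gigabit NICs up: $($gbNics.Count) (need 2)"] = $gbNics.Count -ge 2

# External virtual switch for Internet connectivity (the Hyper-V module may be absent
# when Hyper-V is not installed, so probe for the cmdlet first)
$ext = @()
if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
    $ext = @(Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' })
}
$results["External virtual switch: $($ext.Name -join ', ')"] = $ext.Count -ge 1

# Report each requirement and summarise
$failed = 0
foreach ($key in $results.Keys) {
    $ok = [bool]$results[$key]
    if (-not $ok) { $failed++ }
    $tag = if ($ok) { '[PASS]' } else { '[FAIL]' }
    Write-Output "$tag $key"
}
if ($failed -gt 0) {
    Write-Warning "$failed requirement(s) not met; resolve them before following the Setup Guide."
}
```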


2.2 Cloud Environment

Listed below are the requirements for the cloud environment:

Complete | Task
☐ Provide licensed subscriptions or sign up for a trial subscription for the following Microsoft Cloud Services. A trial subscription will only be used if the customer has no existing subscription to these services.
   - Microsoft Azure: https://azure.microsoft.com/en-us/free/
   - Enterprise Mobility + Security: http://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial (configured as part of the Lab Setup)
   - Windows Defender Advanced Threat Protection: http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp (configured as part of the Lab Setup)
   - Operations Management Suite: http://www.microsoft.com/en-us/cloud-platform/operations-management-suite-trial
   - Office 365 Enterprise E5: https://aka.ms/e5trial (configured as part of the Lab Setup)

Note: All trial tenants have an evaluation period. These subscriptions/tenants will expire unless they are extended or the customer purchases the service.

Note: It is possible to use an existing trial subscription if the engagement dates are within the evaluation period.

Note: An appropriate MSDN subscription could be used to activate the Azure Benefit for 30 days.


3 Lab Setup

3.1 Support

If you have any questions or suggestions during lab setup or while executing any scenario in this lab guide, please reach us at [email protected] and mention Olympia V2 in the subject line.

We add or update instructions for the features in the Lab Guide as and when required. Visit https://olympia.windows.com to download the latest lab guide.

3.2 On-Premises Environment

The on-premises environment is configured by using the Windows Insider Lab for Enterprise v2. Follow the Windows Insider Lab for Enterprise – Setup Guide to provision the virtual machines on Hyper-V. When setup is complete, the following virtual machines are configured and the deployment lab system is available for use.

Server Name | Roles & Products
HYD-DC1 | Active Directory Domain Controller, DNS, DHCP, Certificate Services; Windows Server 2016
HYD-CM1 | System Center Configuration Manager Technical Preview Branch – Version 1808 (Note: updated versions from the System Center Configuration Manager Technical Preview Branch are available via an In-Console Upgrade); Windows Deployment Services; Microsoft Deployment Toolkit; Windows 10 ADK; Windows Software Update Services; Microsoft SQL Server 2014; Windows Server 2016
HYD-APP1 | Microsoft BitLocker Administration and Monitoring; Microsoft SQL Server 2014; Windows Server 2016
HYD-GW1 | Remote Access for Internet Connectivity; Windows Server 2016
HYD-CLIENT1 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined
HYD-CLIENT2 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined
HYD-CLIENT3 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup
HYD-CLIENT4 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup

The table below lists the credentials and access type available in the default implementation.

User | Access Type | User Name | Password
Local Administrator | Administrative | Administrator | P@ssw0rd
Domain Administrator | Enterprise Administrator | CORP\LabAdmin | P@ssw0rd

3.3 Cloud Environment

Certain lab scenarios require the cloud environment. Follow the steps below to configure and prepare the required cloud services.

3.3.1 Setup Azure and Office 365

3.3.1.1 New Trial Tenant

In this section, you will create an Azure AD and an Office 365 Trial Tenant used for the later lab environment. Note: if you have already received an Office 365 Trial tenant from the Olympia team, skip this section and proceed to Section 3.3.1.2.

Task | Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Create Azure AD
1. Open an InPrivate Browser session.
2. Navigate to https://portal.azure.com
3. Sign in with the email address associated with your Azure subscription.
4. On the left navigation bar, click Create a resource > Identity > Azure Active Directory.
5. In the Create directory pane fill in the following values:
   ORGANIZATION NAME: <CompanyName>
   INITIAL DOMAIN NAME: <AzureDomainName>
   COUNTRY OR REGION: Choose a region
6. Click Create.
   Note: This may take a couple of minutes to complete.

Create Azure AD Admin User
7. Sign out from the Azure portal and sign back in again.
8. Click your email address on the upper right corner, and click Switch Directory. Select <AzureDomainName>.onmicrosoft.com.
9. On the left navigation bar, click Azure Active Directory.
10. Under Create, click User.
11. In the User pane, fill in the following values:
   NAME: <Admin Name>
   USER NAME: <LabAdmin> (Suggestion: LabAdmin@<AzureDomainName>.onmicrosoft.com)
12. Select Show Password and write down the temporary password <OldLabAdminPassword>.
13. Click on Directory role, select Global administrator then click Ok.
14. Click Create.

3. Resetting the Password
15. Logout from Azure Portal.
16. Login to Azure Portal using the LabAdmin account.
17. Type in the <OldLabAdminPassword> that you wrote down.
18. Type the new password: <NewLabAdminPassword>.
   Note: Use a strong password.
19. Confirm the new password and sign in.

4. Create a Trial Office 365 Tenant
20. Close all browser windows.
21. Start a new InPrivate Internet Explorer session.
22. Using a web browser, navigate to https://aka.ms/e5trial.
23. Click Sign in on the top right hand corner.
24. Sign in using the LabAdmin account.
25. Click Admin from the top left hand corner.
26. Click Billing | Subscriptions and click + Add subscriptions.
27. Select Office 365 Enterprise E5 without Audio Conferencing and click Start free trial.
28. Follow the usual procedure and click Place order.
   Note: You might have to perform Steps 26-28 twice so that the subscription shows Active under Billing | Subscriptions.

5. Create Azure Test Users
29. Navigate to https://portal.azure.com.
30. Sign in with the email address associated with your Azure subscription if required.
31. On the left navigation bar, click Azure Active Directory.
32. On the right side of the page hit the User link under Create.
33. In the User pane, fill in the following values:
   NAME: Test User1
   USER NAME: TU1@<AzureDomainName>.onmicrosoft.com
34. Select Show Password and write down the temporary password.
35. Click Create.
36. Repeat Steps 29 – 35 for a second user as follows:
   NAME: Test User2
   USER NAME: TU2@<AzureDomainName>.onmicrosoft.com

6. Set Password for your New Users using Office 365
37. Close all browser windows.
38. Start Internet Explorer InPrivate mode.
39. Navigate to https://login.microsoftonline.com.
40. Login with the user account created: TU1@<AzureDomainName>.onmicrosoft.com
41. Type in the temporary password that you wrote down.
42. Type the New Password: <newuserpassword>
43. Confirm the new Password: <newuserpassword>
44. Click Sign in.
45. Repeat Steps 37-44 for TU2@<AzureDomainName>.onmicrosoft.com
46. Close all browser windows.

3.3.1.2 Assigned Trial Tenant

In this section, you will set up the Azure AD and Office 365 Trial Tenant assigned to you by the Olympia team. Note: if you do not have a pre-assigned trial tenant, refer to Section 3.3.1.1.

Task | Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Resetting the Password
1. Logout from Azure Portal.
2. Login to Azure Portal using the LabAdmin account provided by the Olympia team.
3. Type in the <OldLabAdminPassword> that you wrote down.
4. Type the new password: <NewLabAdminPassword>.
   Note: Use a strong password.
5. Confirm the new password and sign in.

Create Azure Test Users
6. Navigate to https://portal.azure.com.
7. Sign in with the email address associated with the Azure subscription provided by the Olympia team if required.
8. On the left navigation bar, click Azure Active Directory.
9. On the right side of the page hit the User link under Create.
10. In the User pane, fill in the following values:
   NAME: Test User1
   USER NAME: TU1@<AzureDomainName>.onmicrosoft.com
11. Select Show Password and write down the temporary password.
12. Click Create.
13. Repeat Steps 6 – 12 for a second user as follows:
   NAME: Test User2
   USER NAME: TU2@<AzureDomainName>.onmicrosoft.com

Set Password for your New Users using Office 365
14. Close all browser windows.
15. Start Internet Explorer InPrivate mode.
16. Navigate to https://login.microsoftonline.com.
17. Login with the user account created: TU1@<AzureDomainName>.onmicrosoft.com
18. Type in the temporary password that you wrote down.
19. Type the New Password: <newuserpassword>
20. Confirm the new Password: <newuserpassword>
21. Click Sign in.
22. Repeat Steps 14-21 for TU2@<AzureDomainName>.onmicrosoft.com
23. Close all browser windows.

3.3.2 Setup Enterprise Mobility + Security

In this section, you will create an Intune Trial Tenant that will be used later on in the lab. This tenant will be created using the Azure AD that you created in the previous lab. Note: If you have already received an EMS Trial from the Olympia team, skip this section and proceed to Section 3.3.3.

Task | Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Sign Up for a Trial Microsoft Intune Subscription
1. Start a new Internet Explorer window in private mode.
2. Navigate to https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial and click Sign-up for your free trial and then click Sign in.
3. Sign in with labadmin@<AzureDomainName>.onmicrosoft.com
4. Click Try now to confirm your order.
5. Click Continue.
6. On the left navigation bar, click Billing > Subscriptions and verify that the Enterprise Mobility + Security E5 Trial is Active.

3.3.3 Enable and Configure Cloud Services

In this section, you will assign licenses and configure additional cloud services that will be used in the lab environment.

Task | Detailed Steps

Complete these steps from an Internet-connected Windows 10 computer.

Assign Office 365 and EM+S Licenses
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.office.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com (or the credentials for the trial account provided by the Olympia team). Open the app launcher (top left corner) and click Admin.
4. On the left navigation bar, click Users > Active users.
5. Select all of LabAdmin, Test User1 and Test User2, then click the Edit product licenses action.
6. Select Add to existing product license assignments, then click Next.
7. Select the appropriate Location and then set the slider to On for Enterprise Mobility + Security E5 and Office 365 Enterprise E5 without Audio Conferencing, then click Add.
8. Click Close | Close.
   Note: Ensure that all 3 users have both product licenses assigned.

Enable Device Registration
9. Close all browser windows and open an InPrivate Browser session.
10. Navigate to https://portal.azure.com.
11. Sign in with the email address associated with your Azure subscription.
12. Click your email address on the upper right corner, and click Switch Directory. Select <AzureDomainName>.onmicrosoft.com if required.
13. On the left navigation bar, click Azure Active Directory > Devices > Device settings.
14. In the Users may join devices to Azure AD setting, select All if not selected.
15. In the Additional local administrators on Azure AD joined devices setting, select Selected.
16. Click Add members and select LabAdmin, then click Select. Click OK.
17. In the Users may register their devices with Azure AD setting, select All if not selected.
18. Click Save.

Enable Windows Defender ATP Trial
Note: A trial application should have been started before proceeding with these steps - https://www.microsoft.com/en-us/windowsforbusiness/windows-atp. It can take up to 7 business days for review of your free trial request. Trial subscriptions may not be available at the time of lab setup.
19. Open an InPrivate Browser session.
20. Navigate to https://www.microsoft.com/en-us/windowsforbusiness/windows-atp and click START FREE TRIAL.
21. Check the box next to I accept these terms and conditions and click Next.
22. On the Please enter your details below page, enter your details and click Submit.
23. You will get a message stating that the Windows Defender Advanced Threat Protection Team will review your application and contact you via email within 7 business days. Once your application is approved, you will receive an invitation email with onboarding instructions.
24. Within 7 business days, you will receive an email to activate your trial together with all the onboarding instructions. Click Activate your trial now. Download the setup guide. The setup guide also contains instructions and links for the attack demo.
25. During activation, click Sign in.
26. Sign in with LabAdmin@<AzureDomainName>.onmicrosoft.com
27. Click Try now.
28. Click Continue.
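The script below is an added example, not part of the lab guide: it performs the test-user creation of steps 29-36 in Section 3.3.1.1 and the license assignment of steps 5-8 above with the AzureAD PowerShell module (the module current when this guide was written; Microsoft Graph PowerShell has since succeeded it). Assumptions: the module is installed, you sign in as LabAdmin, the usage location is US, `<AzureDomainName>` and `<TemporaryPassword>` are placeholders, and the two SKU part numbers match the trials in your tenant.

```powershell
# Added example (not part of the lab guide): creates the two test users of
# steps 29-36 in 3.3.1.1 and assigns the two licenses of step 7 in 3.3.3 with
# the AzureAD PowerShell module. Placeholders: <AzureDomainName>, <TemporaryPassword>.
Import-Module AzureAD
Connect-AzureAD    # sign in as LabAdmin@<AzureDomainName>.onmicrosoft.com

$domain    = '<AzureDomainName>.onmicrosoft.com'
$testUsers = @(
    @{ Name = 'Test User1'; Nick = 'TU1' },
    @{ Name = 'Test User2'; Nick = 'TU2' }
)

# Temporary password that must be changed at first sign-in (steps 34 and 40-44):
# the portal's "Show Password" flow is replaced by a forced change on first logon.
$pwdProfile = New-Object Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfile.Password = '<TemporaryPassword>'
$pwdProfile.ForceChangePasswordNextLogin = $true

foreach ($u in $testUsers) {
    $upn = "$($u.Nick)@$domain"
    if (-not (Get-AzureADUser -Filter "userPrincipalName eq '$upn'")) {
        # UsageLocation is the "Location" the portal asks for before licensing (step 7); assumed US
        New-AzureADUser -DisplayName $u.Name -UserPrincipalName $upn -MailNickName $u.Nick `
            -AccountEnabled $true -PasswordProfile $pwdProfile -UsageLocation 'US' | Out-Null
    }
}

# SKU part numbers assumed for "Enterprise Mobility + Security E5" and "Office 365
# E5 without Audio Conferencing"; confirm them with Get-AzureADSubscribedSku.
$wanted = 'EMSPREMIUM', 'ENTERPRISEPREMIUM_NOPSTNCONF'
$skus   = @(Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -in $wanted })
if ($skus.Count -ne 2) {
    throw "Expected 2 trial SKUs, found $($skus.Count); check both subscriptions show Active."
}

$targets = @("LabAdmin@$domain") + ($testUsers | ForEach-Object { "$($_.Nick)@$domain" })
foreach ($upn in $targets) {
    # LabAdmin may not have a usage location yet; the test users got one at creation
    Set-AzureADUser -ObjectId $upn -UsageLocation 'US'
    foreach ($sku in $skus) {
        # AddLicenses is additive, so one call per SKU leaves existing assignments intact
        $lic = New-Object Microsoft.Open.AzureAD.Model.AssignedLicense
        $lic.SkuId = $sku.SkuId
        $assign = New-Object Microsoft.Open.AzureAD.Model.AssignedLicenses
        $assign.AddLicenses = $lic
        Set-AzureADUserLicense -ObjectId $upn -AssignedLicenses $assign
    }
}

# Step 8 check: every one of the 3 users should now list both SKUs
foreach ($upn in $targets) {
    $have = (Get-AzureADUserLicenseDetail -ObjectId $upn).SkuPartNumber
    Write-Output "$upn : $($have -join ', ')"
}
```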

3.4 On-Premises Environment Post Setup Manual Steps

Perform once the on-premises environment provisioning is complete.


3.4.1 Build a Windows 10 Developer Machine (for Desktop Bridges Scenario only)

In this activity, you will build a Windows 10 client virtual machine with developer tools installed. This is required for the Desktop Bridges lab only, because a Windows Insider Preview Desktop App Converter base image matching the build of the Windows 10 Insider Preview Enterprise ISO is not available; the base image and the OS build must be the same for the scenario to work. If you are not running the Desktop Bridges scenario, you can skip this step.

Task Detailed Steps

Complete these steps from the Hyper-V host machine above.

Download Developer VM (if not previously downloaded)

1. Open File Explorer and create the C:\VMs folder.
2. Open Internet Explorer and browse to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
3. Under Windows 10 Enterprise Evaluation download, click Hyper-V.
4. Download WinDev1805Eval.HyperV.zip to C:\VMs.
5. Once the download completes, browse to C:\VMs, right-click WinDev1805Eval.HyperV.zip and select Extract All.
6. In the Select a Destination and Extract Files page, click Extract.

Import VMs

7. Open File Explorer and create the C:\VMs\WIN10DEV folder.
8. Open Hyper-V Manager.
9. In the Actions pane, click Import Virtual Machine.
10. In the Before You Begin page, click Next.
11. In the Locate Folder page, browse to C:\VMs\WinDev1805Eval.HyperV then click Next.
12. In the Select Virtual Machine page, click Next.
13. In the Choose Import Type page, select Copy the virtual machine then click Next.
14. In the Choose Destination page, select Store the virtual machine in a different location, enter the path C:\VMs\WIN10DEV for all folders then click Next.
15. In the Choose Storage Folder page, enter the path C:\VMs\WIN10DEV then click Next.
16. In the Summary page, click Finish.
17. In Hyper-V Manager, right-click WinDev1805Eval, select Rename and enter WIN10DEV.

Complete steps 18-20 from the Hyper-V host (in Hyper-V Manager) for the WIN10DEV virtual machine, then continue inside the WIN10DEV virtual machine from step 21.

Configure Virtual Machine Settings

18. In Hyper-V Manager, right-click WIN10DEV and select Settings.
19. Configure the following then click OK.
   Memory: 8192 MB
   Processor: 4 virtual processors
   Network Adapter: HYD-Corpnet
20. Start the WIN10DEV virtual machine.

Install Windows Updates

21. Go to Start and click Settings.
22. In the Settings app, browse to Update & Security > Windows Update.
23. Click Check for updates.
24. Install all missing updates (restart if needed) until the device is up to date.
Note: This may take at least an hour depending on the Internet speed.

Perform Defender Scan

25. In the Settings app, browse to Update & Security > Windows Security.
26. Click Open Windows Defender Security Center.
27. Click Virus & threat protection.
28. Click Scan now.
29. Once complete, close Windows Defender Security Center and the Settings app.

Create Checkpoint

30. Create a virtual machine checkpoint.
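The import, sizing, network attachment and checkpoint above can also be scripted from the Hyper-V host, which makes rebuilding the developer VM repeatable. The PowerShell below is an added example and is not part of the lab guide; it assumes the zip has already been extracted to C:\VMs\WinDev1805Eval.HyperV (steps 5-6), that the HYD-Corpnet switch exists, and the checkpoint name Clean-Updated-Scanned is my own choice.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example, not from the lab guide: scripted equivalent of steps 7-20 and 30.
# Assumptions: zip already extracted to $ExtractedPath; virtual switch $SwitchName exists.
param(
    [string]$ExtractedPath = 'C:\VMs\WinDev1805Eval.HyperV',
    [string]$Destination   = 'C:\VMs\WIN10DEV',
    [string]$VmName        = 'WIN10DEV',
    [string]$SwitchName    = 'HYD-Corpnet',
    [switch]$Checkpoint    # pass this after the guest is updated and scanned (step 30)
)
$ErrorActionPreference = 'Stop'

if ($Checkpoint) {
    # Step 30: a named checkpoint makes later "revert to latest checkpoint" steps unambiguous.
    Checkpoint-VM -Name $VmName -SnapshotName 'Clean-Updated-Scanned'
    return
}

# Locate the exported VM configuration (.vmcx on current Hyper-V, .xml on older exports).
$config = Get-ChildItem -Path $ExtractedPath -Recurse -Include '*.vmcx', '*.xml' |
    Where-Object { $_.DirectoryName -like '*Virtual Machines*' } |
    Select-Object -First 1
if (-not $config) { throw "No VM configuration found under $ExtractedPath" }

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Steps 13-15: "Copy the virtual machine" with a new ID, all files under $Destination.
# -GenerateNewId avoids an ID clash if the same evaluation image is imported twice.
$vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath $Destination -SnapshotFilePath $Destination `
        -SmartPagingFilePath $Destination -VhdDestinationPath $Destination

# Step 17
Rename-VM -VM $vm -NewName $VmName
$vm = Get-VM -Name $VmName

# Step 19: 8192 MB static memory, 4 vCPUs, attached only to the lab switch
# (keep the evaluation image off the External switch until it is patched and scanned).
Set-VM -VM $vm -StaticMemory -MemoryStartupBytes 8GB -ProcessorCount 4
Get-VMNetworkAdapter -VM $vm | Connect-VMNetworkAdapter -SwitchName $SwitchName

# Step 20
Start-VM -VM $vm
Get-VM -Name $VmName | Select-Object Name, State, ProcessorCount, MemoryStartup
```

Run it once without -Checkpoint to import and start the VM, finish steps 21-29 inside the guest, then run it again with -Checkpoint.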

3.4.2 Configure Azure AD Connect with Device Sync

In this activity, you will configure Azure AD Connect on DC1.

Task Detailed Steps

Configure Azure AD Connect

Complete the following steps on DC1.

1. Download Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594
2. Install and run Azure AD Connect, select I agree to the license terms and privacy notice and click Continue.
3. Select Use express settings.
4. In the Connect to Azure AD prompt, sign in with labadmin@<AzureDomainName>.onmicrosoft.com and click Next.
5. In the Connect to AD DS prompt, enter the below and click Next.
   USERNAME: CORP\LabAdmin
   PASSWORD: P@ssw0rd
   Note: This is a throwaway lab credential. A password printed in a guide must never be reused outside the lab, and the lab environment should be reverted or destroyed when you are done.
6. On the Azure AD sign-in configuration page, select Continue without any verified domains and click Next.
7. On the Ready to configure page, keep the check box checked next to Start the synchronization process when configuration completes and click Install. Click Exit once done.

Configure Device Sync

8. Open Programs and Features and uninstall the Windows Azure Active Directory Module for Windows PowerShell.
9. Open PowerShell as an administrator.
10. Run the cmdlet below and accept any prompts. Note: create a directory in C:\ first, for example C:\MSOnline, and use it as <path>. MSOnline is published in the PowerShell Gallery as a module, so it is saved with Save-Module (Save-Script only handles gallery scripts and would fail here).
   Save-Module -Name MSOnline -Path <path>
11. Run the cmdlet below and accept any prompts.
   Install-Module -Name MSOnline
12. Locate the name of the AAD Connector Account by opening Azure AD Connect, clicking Configure, selecting View current configuration and clicking Next. Click Exit.
13. Run the cmdlets below and, at the credential prompt, provide the Azure AD admin credentials.
   Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\ADPrep\ADSyncPrep.psm1"
   $aadAdminCred = Get-Credential
   Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount <account name> -AzureADCredentials $aadAdminCred

Confirm Devices are Hybrid Azure AD Joined

14. Start Internet Explorer in InPrivate mode.
15. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
16. On the left navigation bar, click Azure Active Directory.
17. Select Devices > All devices.
18. Confirm the devices are registered in Azure AD.
Note: In the virtualized lab, if the devices do not show up, disjoin CLIENT1 and CLIENT2 from the domain and rejoin them. Then, from Azure AD Connect, run Customize synchronization options and then Configure device options > Hybrid Azure AD join.
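The portal check in step 18 shows Azure AD's view of the device; the device's own view comes from dsregcmd /status, which ships with Windows 10 and is the first thing to look at when a client is missing from All devices. The PowerShell below is an added example and is not part of the lab guide: it parses that output into an object and applies the hybrid-join test (DomainJoined and AzureAdJoined both YES, with AzureAdPrt showing that the signed-in user actually obtained a Primary Refresh Token from the join). The sample output, including its device ID and tenant ID, is constructed.

```powershell
# Added example, not from the lab guide: device-side hybrid Azure AD join check
# for CLIENT1/CLIENT2. Field names are the ones dsregcmd.exe /status prints.
function Get-DsRegState {
    param(
        # Output lines of `dsregcmd /status`; defaults to running the tool live.
        [string[]]$StatusText = (& "$env:windir\System32\dsregcmd.exe" /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1].Trim()] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        AzureAdPrt    = $state['AzureAdPrt']    -eq 'YES'
        TenantId      = $state['TenantId']
        DeviceId      = $state['DeviceId']
    }
}

function Test-HybridJoined {
    param([string[]]$StatusText)
    $s = if ($StatusText) { Get-DsRegState -StatusText $StatusText } else { Get-DsRegState }
    # Hybrid join = on-premises domain joined AND Azure AD joined. Without a PRT the
    # device is registered but users cannot satisfy device-based Conditional Access.
    if (-not $s.DomainJoined)  { Write-Warning 'Not domain joined'; return $false }
    if (-not $s.AzureAdJoined) { Write-Warning 'Not Azure AD joined: re-run Configure device options in Azure AD Connect or re-join (see note above)'; return $false }
    if (-not $s.AzureAdPrt)    { Write-Warning 'Joined but no PRT yet: sign out and back in, or wait for the next retry' }
    return $true
}

# Constructed sample output, trimmed to the fields used above (IDs are placeholders):
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '                  DeviceId : 11111111-2222-3333-4444-555555555555',
    '                  TenantId : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    '                AzureAdPrt : YES'
)
Test-HybridJoined -StatusText $sample   # True
Test-HybridJoined                       # live check on the client you are sitting on
```

The DeviceId reported here is the same value shown in the portal's All devices list, which is the quickest way to match a client to its Azure AD object.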


4 Deployment & Management

In this module, you will go through Windows 10 capabilities that can help organizations better deploy and manage Windows devices.

Prerequisite Sections:
a) Windows Insider Lab for Enterprise – Setup Guide
b) Section 3.2 - Cloud Environment
c) Section 3.4.2 - Configure Azure AD Connect with Device Sync

4.1 Modern Device Deployment

With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." AutoPilot transforms new devices into fully-configured, fully-managed devices. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings.

4.1.1 AutoPilot

Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In this section, you will use Microsoft Intune to configure AutoPilot for pre-configuring devices.

4.1.1.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Create a Checkpoint in Hyper-V (if not already created)

Complete the following steps on the HYPER-V host.
1. Open Hyper-V Manager.
2. Right-click HYD-CLIENT4 and select Checkpoint.

Capture Device ID

Complete the following steps on CLIENT4.
3. Open PowerShell as an administrator.
4. Run the commands below and press Y when prompted.
   Install-Script -Name Get-WindowsAutoPilotInfo
   Set-ExecutionPolicy Unrestricted
   Note: Unrestricted is acceptable here only because CLIENT4 is a lab VM that is reverted to its checkpoint afterwards. On a real device, scope the change with -Scope Process so it does not persist.
5. Change the directory to C:\Program Files\WindowsPowerShell\Scripts and run the command below.
   .\Get-WindowsAutoPilotInfo.ps1 -ComputerName CLIENT4 -OutputFile C:\Users\Administrator\Desktop\MyComputers.csv
6. Copy the MyComputers.csv file to the computer that will be used for Microsoft Intune setup.
7. Open Command Prompt as an administrator.
8. From C:\Windows\System32\Sysprep, run:
   Sysprep.exe /OOBE /SHUTDOWN
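Get-WindowsAutoPilotInfo.ps1 is a thin wrapper around one WMI query, and reproducing it shows exactly what leaves the device and why the import file has the shape it does. The PowerShell below is an added example, not the gallery script and not code from the lab guide; it assumes the MDM bridge WMI class MDM_DevDetail_Ext01 is reachable (it is on Windows 10 when run elevated), and the 1000-character minimum in the sanity check is an arbitrary floor of my own, well below the real hash length.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the lab guide: capture the Autopilot hardware hash
# directly and write the CSV in the exact column layout the Intune import expects.
function Get-AutopilotHashRecord {
    # DeviceHardwareData is the hardware hash, exposed by the MDM bridge WMI provider.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash unavailable: run elevated on the device itself (physical or VM)'
    }
    $serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $product = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $product            # often empty on VMs; Intune keys on the hash
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotHash {
    param([Parameter(Mandatory)][string]$Path)
    $record = Get-AutopilotHashRecord
    # -NoTypeInformation keeps the "#TYPE" line out of the file; Intune rejects it.
    $record | Export-Csv -Path $Path -NoTypeInformation -Encoding ASCII

    # Sanity-check before handing the file to Intune: one data row, a non-blank
    # serial, and a hash that is plausibly the full base64 blob (1000 is an assumed floor).
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -ne 1 -or
        [string]::IsNullOrWhiteSpace($rows[0].'Device Serial Number') -or
        $rows[0].'Hardware Hash'.Length -lt 1000) {
        throw "Invalid Autopilot CSV written to $Path"
    }
    return $rows[0]
}

Export-AutopilotHash -Path "$env:USERPROFILE\Desktop\MyComputers.csv"
```

Because the functions are defined in the session rather than loaded from a .ps1 file, the execution policy change in step 4 is not needed for this variant. Treat the resulting CSV as sensitive: the hash uniquely identifies the device and whoever imports it into a tenant controls which deployment profile the device gets at first boot.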

4.1.1.2 Set Intune as Management Authority

After you complete the following tasks, you are ready to manage mobile devices and computers.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Enable Device Management. Set Mobile Device Management Authority

Note: Before you can enroll mobile devices, you must prepare the Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace. The mobile device management authority setting determines whether you manage mobile devices with Intune or System Center Configuration Manager with Intune integration. This guidance assumes Intune is used without System Center Configuration Manager integration so the setting should be set to Microsoft Intune.

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device enrollment.
6. Under Mobile Device Management Authority, select Intune MDM Authority and click Choose.

Create Groups

7. Close all browser windows.
8. Start Internet Explorer in InPrivate mode.
9. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
10. On the left navigation bar, click Azure Active Directory > Groups > All groups.
11. Click New group.
12. In the Group pane, fill in the following values:
   Group type: Office 365
   Group name: Sales
   Membership type: Assigned
   Members: Test User1 and Test User2
13. Click Create.

Customize the Company Portal

14. On the left navigation bar, click All services > Intune.
15. Select Mobile apps > Company Portal branding.
16. Configure the following with settings of your choice for your lab:
   Company name
   IT department contact name
   IT department phone number
   IT department email address
   Additional information
   Company privacy statement URL
   Support website URL (not displayed)
   Website name (displayed to user)
   Theme color, Company logo (PNG/JPG, max. 400x100 px) and background for the Company Portal. It is recommended that you change the default color in your lab so it is easy to tell whether the Company Portal has been updated.
17. Click Save.

Verify the Company Portal Configuration

18. Close all browser windows.
19. Start Internet Explorer in InPrivate mode.
20. Navigate to https://portal.manage.microsoft.com and sign in with TU1@<AzureDomainName>.onmicrosoft.com.
21. Review the Company Portal, browse to Helpdesk and confirm that the customizations have been applied.

4.1.1.3 Enable Auto MDM Enrollment

In this activity, you will configure automatic MDM enrollment into Intune upon joining Azure AD.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Configure Auto MDM Enrollment for Intune

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
5. In the MDM User scope setting, select All.
6. Click Save.

4.1.1.4 Add an App

In this activity, you will add an app to Intune which will automatically download once the device is enrolled into MDM.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Add an App

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Mobile apps > Apps.
6. Click +Add.
7. In the App type dropdown, select Line-of-business app.

Configure App

8. In the Add app pane, click App package file.
9. On the App package file blade, click the browse button and select a Windows installation file with the extension .msi, .appx, or .appxbundle. A sample .msi file can be downloaded from https://www.7-zip.org/download.html
   Note: Whatever you upload here will be installed on every assigned device without user interaction, so check the installer's Authenticode signature (Get-AuthenticodeSignature in PowerShell) against the expected publisher before uploading it, even in a lab.
10. Click OK.
11. In the Add app pane, click App information.
12. Enter the following information and click OK:
   a. Name - Enter the name of the app as it is displayed in the Company Portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users in the Company Portal.
   b. Description - Enter a description for the app, which will be displayed to users in the Company Portal.
   c. Publisher - Enter the name of the publisher of the app.
   d. Category - Select one or more of the built-in app categories, or a category you created. Categorizing apps makes it easier for users to find the app when they browse the Company Portal.
   e. Display this as a featured app in the Company Portal - Display the app prominently on the main page of the Company Portal when users browse for apps.
   f. Information URL - Optionally, enter the URL of a website that contains information about the app, which will be displayed to users in the Company Portal.
   g. Privacy URL - Optionally, enter the URL of a website that contains privacy information for the app. The URL is displayed to users in the Company Portal.
   h. Command-line arguments - Optionally, enter any command-line arguments that you want to apply to the .msi file when it runs, like /q.
   i. Developer - Optionally, enter the name of the app developer.
   j. Owner - Optionally, enter a name for the owner of this app, for example, HR department.
   k. Notes - Enter any notes you would like to associate with this app.
   l. Logo - Upload an icon that is associated with the app. The icon is displayed with the app when users browse the Company Portal.
13. In the Add app pane, click Add to upload the app to Intune.

Deploy App

14. In the <app name> overview pane, click Assignments.
15. Click Add group.
16. Select Required under Assignment type.
17. Under Included Groups | Selected groups, select Sales.
18. Click Select.
19. Click OK.
20. Click OK again.
21. Click Save.

4.1.1.5 Configure AutoPilot

In this activity, you will import the hardware hash captured from CLIENT4, group the device, and create and assign an AutoPilot deployment profile so that the device is Azure AD joined and MDM enrolled during OOBE.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Configure AutoPilot

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Click Device enrollment > Windows enrollment > Devices.
6. Click Import, select the MyComputers.csv file saved earlier and click Import.
7. Once imported, to speed up the process, click Sync and then click Refresh until you see the device.
8. Under the Microsoft Intune pane, click Groups > + New group.
9. Select Group type – Security, Group name – AutoPilot Devices and Membership type – Assigned.
10. Click Members and select the device whose name equals the serial number of the device. Click Select.
11. Click Create.
12. On the Device enrollment > Windows enrollment pane, click Deployment Profiles > + Create profile.
13. In the Name box, type AutoPilot Test Profile.
14. In the Join to Azure AD as dropdown, select Azure AD joined.
15. Click Out-of-box experience (OOBE).
16. Select Hide for the End user license agreement (EULA) option.
17. Select Hide for the Privacy Settings option.
18. Select Standard for the User account type option.
   Note: Standard keeps the enrolling user out of the local Administrators group on the new device; this is the least-privilege choice and the one to keep outside the lab as well.
19. Click Save.
20. Click Create.
21. Click AutoPilot Test Profile, click Assignments, click + Select groups, select the AutoPilot Devices group just created and click Select.
22. Click Save.
23. Wait for the device to show up in Assigned devices under AutoPilot Test Profile. To speed up the process, click Sync and then click Refresh until you see the device there.
24. Open the Devices page by navigating to Device enrollment > Windows enrollment; the PROFILE STATUS should show Assigning and then Assigned.

4.1.1.6 AutoPilot

In this activity, you will walk through the self-service AutoPilot experience during OOBE.


Complete these steps from the CLIENT4 virtual machine.

Perform Azure AD Join

1. Once OOBE has started, in the Let's start with region pane, select United States then click Yes.
2. On the Is this the right keyboard layout? pane, select US then click Yes.
3. On the Want to add a second keyboard layout? pane, click Skip.
4. If you get the Get the latest from Windows pane, click Skip for now.
5. On the Windows 10 License Agreement pane, click Accept.
6. In the Sign in with Microsoft pane, sign in with TU1@<AzureDomainName>.onmicrosoft.com then click Next.
7. In the Enter your password pane, enter the password then click Next.
8. On the Choose privacy settings for your device pane, click Accept.
   Note: The AutoPilot Test Profile hides the EULA and privacy settings pages, so once the profile has been applied to the device, steps 5 and 8 are skipped automatically. Seeing those pages means the device has not yet picked up its profile.
9. Follow the prompts to set up a PIN for Windows Hello.
10. In the All set! pane, click OK.

Validate Azure AD Join and MDM Enrollment

11. Go to Start > Settings.
12. In the Settings app, browse to Accounts > Access work or school.
13. Confirm that Connected to <CompanyName>'s Azure AD is displayed.

Complete these steps from an Internet-connected Windows computer.

Validate Azure AD and MDM Enrollment

14. Close all browser windows.
15. Start Internet Explorer in InPrivate mode.
16. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
17. On the left navigation bar, click Azure Active Directory > Users > All users > Test User1.
18. Click Devices.
19. Confirm that the device is listed and the following settings are shown:
   JOIN TYPE: Azure AD joined
   MDM: Microsoft Intune

Complete these steps from the HYPER-V host.

Revert Virtual Machines

1. Revert HYD-CLIENT4 to the latest checkpoint.

4.2 Modern Device Management with IntuneUse of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.

4.2.1 Mobile Device Management using Microsoft Intune

In this lab, you will enroll a Windows 10 device with Microsoft Intune and manage it.

4.2.1.1 Enroll a Windows 10 Device

This section outlines how to enroll a Windows 10 device into Microsoft Intune for MDM.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine.

Enroll a Windows 10 Device in Intune

1. Log in to the virtual machine as Administrator and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Click Enroll only in device management.
4. The Set up a work or school account dialog box opens, asking for the account to enroll the device with.
5. Provide the TU1@<AzureDomainName>.onmicrosoft.com account and click Next.
6. In the Microsoft Intune Enrollment page, enter the password then click Sign in. Click Got it.
7. In the Settings app, you should see that the device is now connected to the corporate MDM.
8. Select Connected to <CompanyName> MDM then click Info.
9. Click Sync and confirm that the sync was successful.

Complete these steps from an Internet-connected Windows computer.

Check Windows 10 Device Enrollment in Microsoft Intune

Note: In this example, we will look in Microsoft Intune at the device details and see that it already recognizes Windows 10 as an operating system.

10. Start Internet Explorer in InPrivate mode.
11. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
12. On the left navigation bar, click All services > Intune.
13. Select Devices > All devices.
14. Click the Windows 10 device that you enrolled (CLIENT3). Observe the information that has been collected about the device in all the tabs. You might have to refresh the page for a while before the details appear.

4.2.1.2 Configure Policy Settings and Policies based on OMA-URI

This section outlines how to configure policies for Windows 10 in Intune, both those available through the Intune interface and a policy delivered through OMA-URI.

Use the Microsoft Intune Windows Phone OMA-URI policy to deploy OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings that control features on Windows Phone devices. These are standard settings that many mobile device manufacturers use to control device features. This capability is intended to let you deploy Windows 10 settings that are not configurable with an Intune policy. For information about the settings you can configure with these policies, see Configure Security Policy for Mobile Devices in Microsoft Intune. For help creating OMA-URI settings for Windows 10, see the Windows 10 CSP documentation - http://aka.ms/win10csp.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Create an OMA-URI Policy to Disable Cortana

1. Start Internet Explorer in InPrivate mode.
2. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
3. On the left navigation bar, click All services > Intune.
4. Select Device configuration > Profiles > + Create profile.
5. In the Name field, type Windows 10 – Disable Cortana.
6. Under Platform, select Windows 10 and later.
7. Under Profile type, select Custom.
8. In the Custom OMA-URI Settings pane, click Add.
9. In the Name field, enter Windows 10 – Disable Cortana.
10. In the OMA-URI field, enter the following (case sensitive and starting with a period):
   ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
11. For Data type, select Integer.
12. For Value, enter 0 (0 means the setting is not allowed).
13. Click OK | OK.
14. Click Create.
15. In the Windows 10 – Disable Cortana profile pane, select Assignments.
16. Click Select groups to include.
17. In the Select field, type Sales and select it.
18. Click Select.
19. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Confirm the URI Configurations are Applied

20. Log in to the virtual machine as Administrator and go to Start > Settings.
21. In the Settings app, browse to Accounts > Access work or school.
22. Select Connected to <CompanyName> MDM then click Info.
23. Click Sync to force a policy update and confirm that the sync was successful.
24. Note that the Cortana icon in the taskbar has been replaced with a Search icon.
25. In the Settings app, note that the Cortana category has been replaced with Search.

Complete these steps from an Internet-connected Windows computer.

Configure Windows Defender

26. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
27. On the left navigation bar, click All services > Intune.
28. Select Device configuration > Profiles > + Create profile.
29. In the Name field, type Allow Real Time Protection on Win 10 Desktops.
30. Under Platform, select Windows 10 and later.
31. Under Profile type, select Custom.
32. In the Custom OMA-URI Settings pane, click Add.
33. In the Name field, type Allow Real Time Protection on Win 10 Desktops.
34. Under OMA-URI Settings, click Add…
35. In the Name field, enter Allow Real Time Protection.
36. In the OMA-URI field, enter the following (case sensitive and starting with a period):
   ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
37. For Data type, select Integer.
38. For Value, enter 1 (1 means the setting is allowed).
39. Click OK.
40. Click OK.
41. Click Create.
42. In the Allow Real Time Protection on Win 10 Desktops device configuration profile pane, select Assignments.
43. Click Select groups to include.
44. In the Select field, type Sales and select it.
45. Click Select.
46. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Verify Configuration is Applied

47. Log in to the virtual machine as Administrator and go to Start > Settings.
48. In the Settings app, browse to Accounts > Access work or school.
49. Select Connected to <CompanyName> MDM then click Info.
50. Click Sync to force a policy update and confirm that the sync was successful.
51. In the Settings app, go to Update & Security > Windows Security and click Open Windows Defender Security Center.
52. In the Windows Defender Security Center app, navigate to Virus & threat protection and click Virus & threat protection settings.
53. Confirm that the Real-time protection setting is turned On and greyed out, which shows that the policy is enforced.
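Steps 24-25 and 53 verify the two policies by looking at the UI. The PowerShell below is an added example, not from the lab guide, for checking the same thing on CLIENT3 from an elevated prompt: the MDM client records each delivered policy under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, and Get-MpPreference reports what Defender is actually doing. The registry layout is assumed from how the Policy CSP surfaces its settings; the expected values are the ones configured in the two profiles above.

```powershell
# Added example, not from the lab guide: verify on CLIENT3 that both custom
# OMA-URI settings were delivered and are in effect. Assumed registry layout:
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
function Get-MdmPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Area,     # CSP area, e.g. Experience or Defender
        [Parameter(Mandatory)][string]$Setting   # policy name, e.g. AllowCortana
    )
    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $item = Get-ItemProperty -Path $key -Name $Setting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }        # policy not delivered (yet)
    return [int]$item.$Setting
}

function Test-LabOmaUriPolicies {
    # Expected values are the ones set in the two profiles above.
    $expected = @(
        @{ Area = 'Experience'; Setting = 'AllowCortana';            Value = 0 },
        @{ Area = 'Defender';   Setting = 'AllowRealtimeMonitoring'; Value = 1 }
    )
    $ok = $true
    foreach ($e in $expected) {
        $actual = Get-MdmPolicyValue -Area $e.Area -Setting $e.Setting
        if ($null -eq $actual)        { $status = 'MISSING (force a Sync from Access work or school)' }
        elseif ($actual -ne $e.Value) { $status = "WRONG (got $actual)" }
        else                          { $status = 'OK' }
        if ($status -ne 'OK') { $ok = $false }
        Write-Host ('{0}/{1}: expected {2}, {3}' -f $e.Area, $e.Setting, $e.Value, $status)
    }
    # The registry only proves delivery; Get-MpPreference shows Defender's effective state.
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) {
        $ok = $false
        Write-Host 'Defender reports real-time monitoring disabled despite the policy'
    }
    return $ok
}

Test-LabOmaUriPolicies   # True when both policies are present and Defender agrees
```

A MISSING result right after creating the profile usually just means the device has not synced; a WRONG result means another policy source (Group Policy or a second MDM profile) is setting the same value, which is the case to investigate.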

4.2.2 Dynamic Management with Windows 10

In this lab, you will set up and configure dynamic management policies for Windows 10. For a list of available dynamic management policies, visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/dynamicmanagement-csp.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Configure Dynamic Management Policy

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device configuration > Profiles > + Create profile.
6. In the Name field, type DisableCameraInCorporateNetwork.
7. Under Platform, select Windows 10 and later.
8. Under Profile type, select Custom.
9. In the Custom OMA-URI Settings pane, click Add.
10. In the Name field, enter SettingsPack.
11. In the OMA-URI field, enter the following (case sensitive and starting with a period):
   ./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SettingsPack
12. For Data type, select String. For Value, enter:
   <SyncML>
     <SyncBody>
       <Replace>
         <CmdID>1331</CmdID>
         <Item>
           <Target>
             <LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI>
           </Target>
           <Meta>
             <Format xmlns="syncml:metinf">int</Format>
           </Meta>
           <Data>0</Data>
         </Item>
       </Replace>
       <Final/>
     </SyncBody>
   </SyncML>
13. Click OK.
14. In the Custom OMA-URI Settings pane, click Add.
15. In the Name field, enter SignalDefinition.
16. In the OMA-URI field, enter the following (case sensitive and starting with a period):
   ./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SignalDefinition
17. For Data type, select String. For Value, enter:
   <rule schemaVersion="1.0">
     <signal type="ipConfig">
       <ipv4Gateway>10.0.0.254</ipv4Gateway>
     </signal>
   </rule>
18. Click OK.
19. In the Custom OMA-URI Settings pane, click Add.
20. In the Name field, enter NotificationsEnabled2.
21. In the OMA-URI field, enter the following (case sensitive and starting with a period):
   ./Vendor/MSFT/DynamicManagement/NotificationsEnabled
22. For Data type, select Boolean. For Value, select True.
23. Click OK | OK.
24. Click Create.
25. In the DisableCameraInCorporateNetwork device configuration profile pane, select Assignments.
26. Click Select groups to include.
27. In the Select field, type Sales and select it.
28. Click Select.
29. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Verify Policy is Applied

30. Log in to the virtual machine as Administrator and go to Start > Settings.
31. In the Settings app, browse to Accounts > Access work or school.
32. Select Connected to <CompanyName> MDM then click Info.
33. Click Sync to force a policy update and confirm that the sync was successful.
34. On the Hyper-V host, from the Virtual Machine Connection window of the CLIENT3 VM, go to File > Settings.
35. In the Settings window, under Network Adapter, disable the Corpnet Virtual Switch, leaving the VM connected through the External Virtual Switch only.
36. In the Settings app on CLIENT3, go to Privacy > Camera.
Note: The camera is currently turned On and unmanaged because the machine is on the Internet network, whose default gateway does not match the 10.0.0.254 signal defined above.
37. On the Hyper-V host, from the Virtual Machine Connection window of the CLIENT3 VM, go to File > Settings.
38. In the Settings window, under Network Adapter, disable the External Virtual Switch and enable the Corpnet Virtual Switch.
39. In the Settings app, refresh the Privacy > Camera view.
40. Confirm that *Some settings are hidden or managed by your organization is shown.
Note: The camera is turned Off and fully managed because the machine is on the corporate network, whose default gateway matches the 10.0.0.254 signal, so the SettingsPack is in force.
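Typing the SyncML from step 12 and the rule from step 17 into a single-line portal text field is where this lab most often breaks: a malformed SettingsPack is accepted by Intune and then does nothing on the client. The PowerShell below is an added example and not from the lab guide; it generates both payloads, round-trips them through the XML parser before you paste them, and includes a check that reports which side of the 10.0.0.254 gateway signal CLIENT3 is currently on. The External-switch gateway 192.168.137.1 in the last call is a constructed value, not something the guide specifies.

```powershell
# Added example, not from the lab guide: build and validate the DynamicManagement
# payloads from steps 12 and 17, and evaluate the ipConfig signal on the client.
function New-DynamicManagementSettingsPack {
    param(
        [Parameter(Mandatory)][string]$LocUri,   # e.g. ./Vendor/MSFT/Policy/Config/Camera/AllowCamera
        [Parameter(Mandatory)][int]$Value,
        [int]$CmdId = 1331                       # the command ID used in step 12
    )
    $xml = @"
<SyncML><SyncBody><Replace><CmdID>$CmdId</CmdID><Item><Target><LocURI>$LocUri</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>$Value</Data></Item></Replace><Final/></SyncBody></SyncML>
"@
    # Round-trip through the XML parser: throws on malformed markup, and lets us
    # confirm the LocURI is a CSP path before it ever reaches a device.
    $doc = [xml]$xml
    $loc = $doc.SelectSingleNode('/SyncML/SyncBody/Replace/Item/Target/LocURI').InnerText
    if ($loc -notlike './Vendor/MSFT/*') { throw "LocURI '$loc' is not a ./Vendor/MSFT CSP path" }
    return $xml.Trim()
}

function New-IpConfigSignal {
    param([Parameter(Mandatory)][ipaddress]$Ipv4Gateway)
    $xml = "<rule schemaVersion=`"1.0`"><signal type=`"ipConfig`"><ipv4Gateway>$Ipv4Gateway</ipv4Gateway></signal></rule>"
    $null = [xml]$xml   # parse check only
    return $xml
}

function Test-InCorporateContext {
    # True when the device's current default gateway is the one named in the signal,
    # i.e. the SettingsPack (camera off) should be in force right now.
    param(
        [Parameter(Mandatory)][ipaddress]$Ipv4Gateway,
        [string[]]$Gateways = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                               Select-Object -ExpandProperty NextHop)
    )
    return [bool]($Gateways -contains $Ipv4Gateway.IPAddressToString)
}

$pack   = New-DynamicManagementSettingsPack -LocUri './Vendor/MSFT/Policy/Config/Camera/AllowCamera' -Value 0
$signal = New-IpConfigSignal -Ipv4Gateway '10.0.0.254'
# Paste these single-line strings into the Value fields of steps 12 and 17.
$pack
$signal

# Constructed gateway lists standing in for live Get-NetRoute output on CLIENT3:
Test-InCorporateContext -Ipv4Gateway '10.0.0.254' -Gateways @('10.0.0.254')      # True  (Corpnet switch)
Test-InCorporateContext -Ipv4Gateway '10.0.0.254' -Gateways @('192.168.137.1')   # False (External switch)
Test-InCorporateContext -Ipv4Gateway '10.0.0.254'                                # live check on the client
```

A gateway address is a weak signal: any network that hands out 10.0.0.254 as its default gateway will put the device into the corporate context, so this context should only ever relax settings that are also safe to have outside the office, never the other way round. The lab uses it to turn the camera off, which fails safe.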

4.2.3 Mobile App Management for Non-Managed Windows 10 Devices

The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1803.

In this lab, you will set up and configure Mobile App Management for an unmanaged Windows 10 device.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Configure MAM Service

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
5. In the MAM User scope setting, select All.
6. Click Save.

Configure MAM Policy

7. In the Microsoft Azure navigation bar, select All services > Intune App Protection > App protection policies.
8. Click Add a policy.
9. In the Name field, type Windows 10 MAM.
10. In the Platform setting, select Windows 10.
11. Click Protected apps, then click Add apps.
12. In the Add Apps pane, select Microsoft Edge, IE11 and Notepad, then click OK.
13. In the Protected apps pane, confirm that the selected apps are listed, then click OK.
14. Back in the Add a policy pane, click Required settings.
15. Under Windows Information Protection mode, select Block, then click OK.
16. Click Advanced settings.
17. In the Advanced settings pane, click Add network boundary.
18. In the Add network boundary pane, enter the following, then click OK.
BOUNDARY TYPE: Cloud resources
NAME: SharePoint online
VALUE: <AzureDomainName>.sharepoint.com
19. In the Advanced settings pane, under Show the enterprise data protection icon, click On.
20. Click OK.
21. Click Create.

Deploy MAM Policy

22. Select Windows 10 MAM > Assignments.
23. Click + Select groups to include.
24. In the Select groups to include pane, enter Sales, select it and then click Select.

Complete these steps on the CLIENT4 virtual machine.

Create test file

25. Log in to the virtual machine as Administrator.
26. Right-click on the desktop and select New > Text Document.
27. Rename the file to Sample Document.
28. Open Sample Document.txt.
29. In the Notepad window, enter This is a sample corporate file. then click Save.
30. Close the file.
31. Open Internet Explorer and navigate to https://<AzureDomainName>.sharepoint.com.
32. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
33. On the left navigation, click Documents.
34. From the desktop, drag and drop the Sample Document.txt file into the Documents library to upload the file.
35. Once uploaded, delete the Sample Document.txt file from the Desktop.
36. Close all browser windows.

Connect Corporate Account

37. Click Start > Settings.
38. In the Settings app, browse to Accounts > Access work or school.
39. Click Connect.
40. In the Set up a work or school account pane, enter TU2@<AzureDomainName>.onmicrosoft.com, then click Next.
41. Enter the password, then click Sign in.
42. In the Help us protect your account pane, click Set it up now, then configure the verification requirements.

43. In the Create a PIN pane, click Create PIN, then configure the PIN.
Note: Steps 42 and 43 appear only if the account requires additional verification; skip them if they are not shown.
44. Click Next and verify your local administrator account password. Click OK.
45. In the Settings app, browse to Accounts > Access work or school.
46. Select the work or school account, then click Info.
47. Click Sync to force a policy update and confirm that the sync was successful.

Verify MAM Policies

48. Open Internet Explorer and navigate to https://<AzureDomainName>.sharepoint.com.
49. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
Note: <AzureDomainName>.sharepoint.com is inside the policy's network boundary, and both IE11 and Microsoft Edge are protected apps in the policy (both are enlightened apps), so a briefcase icon is shown in the address bar to indicate that the site is protected. When the browser or another tab navigates away from this site, the briefcase icon disappears.
50. On the left navigation, click Documents.
51. Select Sample Document.txt and click Download.
52. Save the file to the Documents folder.
Note: The briefcase icon under File Name indicates that the file is protected.
53. In the taskbar, open File Explorer and browse to the Documents folder.
Note: The briefcase icon on the file icon and the <AzureDomainName> value in the File ownership column indicate that the file is protected.
54. Open the Sample Document.txt file using Notepad. The file should open because Notepad is a protected (managed) app in the policy.
Note: The briefcase icon beside the minimize button indicates that the file is protected.
55. Close Notepad.
56. Open the Sample Document.txt file using WordPad. The file will not open, and a dialog box indicates that access to the file is denied.
Note: WordPad is not a managed app and therefore cannot open protected files.
57. Close WordPad.


58. In the Documents folder, right-click on Sample Document.txt and select File ownership.

Note: The Personal option is currently disabled because the policy is configured to hide overrides. If the policy is configured to allow overrides, users can remove protection from the file by selecting Personal.

4.3 Co-Management

Starting with Configuration Manager version 1802, co-management enables you to concurrently manage Windows 10, version 1803 (also known as the April 2018 Update) devices by using both Configuration Manager and Intune. It is a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach.

After you enable co-management, Configuration Manager continues to manage all workloads. When you decide that you are ready, you can have Intune start managing available workloads. You can have Intune manage the following workloads: Compliance policies, Windows Update for Business policies, Resource Access policies, and Endpoint Protection.

4.3.1.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Configure Azure AD Connect with Device Sync and Install the ConfigMgr Client on CLIENT1

Complete the steps defined in Section 3.4.1. Also, install the ConfigMgr client on CLIENT1 as per the steps below:

1. On the CLIENT1 VM, turn off Windows Firewall. This is acceptable in the lab only; in production, keep the firewall on and allow the File and Printer Sharing and Windows Management Instrumentation (WMI) rules that client push installation requires.
2. On the CM1 VM, launch the Configuration Manager console and navigate to Administration > Hierarchy Configuration > Discovery Methods.
3. Select Active Directory System Discovery and click Run Full Discovery Now. Click Yes on the prompt.
4. Navigate to Assets and Compliance > Devices and ensure that CLIENT1 is showing in the list of devices.
5. Right-click CLIENT1 and click Install Client.
6. On the Install Configuration Manager Client wizard, click Next.
7. Check the box next to Install the client software from a specified site, select the respective site and click Next.
8. Click Next again.
9. Click Close.
10. After a few minutes, the CLIENT1 VM will have the client installed, and the Configuration Manager console will indicate so.

4.3.1.2 Enable Co-Management for Automatic Enrollment

Once co-management is enabled, devices in the Pilot group can automatically enroll into Intune. This requires using a verified domain during the setup process of Azure AD Connect.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.

Create a Device Collection

1. Open the Configuration Manager console, browse to the Assets and Compliance workspace and select Device Collections.
2. Right-click Device Collections and select Create Device Collection.
3. Input the following information:
General
Name – Enter Co-managed Devices
Limiting collection – Select All Desktop and Server Clients and click Next.
Select Use incremental updates for this collection.
Click Next.
Accept the warning.
4. Summary – click Next, click Close.

Add a Device to the Collection

5. In the Assets and Compliance workspace, select Devices and right-click CLIENT1.
6. Select Add Selected Items and then click Add Selected Items to Existing Device Collection.
7. Select Co-managed Devices and click OK.
8. Select Device Collections, right-click Co-managed Devices, and select Update Membership. Click Yes on the warning box to continue.

Enable Co-Management

9. Open the Configuration Manager console, browse to Administration > Cloud Services > Co-management.
10. Right-click Co-management and select Configure co-management.
11. In the Co-management Configuration Wizard, sign in to Intune using labadmin@<AzureDomainName>.onmicrosoft.com. Click Next.
12. Click Next on the Enablement page.
13. Click Next on the Workloads page.
14. On the Staging page, select the Co-managed Devices device collection for the Intune Pilot. Click Next.
15. Click Next on the Summary page. Click Close.

4.3.1.3 Co-Manage Devices with the Configuration Manager Client

For unverified domains, co-management can still be enabled by enrolling the domain-joined device into Intune.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Log in to CLIENT1

1. Log in as CORP\LabAdmin with password [email protected].
2. Open the Settings app, click Accounts > Access work or school, and click + Connect.
3. Log in using TU1@<AzureDomainName>.onmicrosoft.com.

Complete these steps from an Internet-connected Windows computer.

Check Windows 10 Device Enrollment in Microsoft Intune

Note: In this example, we look at the device details in Microsoft Intune and see that the device is already recognized there as running Windows 10.

4. Start Internet Explorer in InPrivate mode.
5. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
6. On the left navigation bar, click All services > Intune.
7. Select Devices > All devices.
8. Click the Windows 10 device that you have enrolled (CLIENT1). Observe the information that has been collected about the device.

Complete these steps on the CM1 virtual machine.

Check Co-Management Portal

9. Open the Configuration Manager Console, browse to Monitoring > Co-management.

10. Confirm 1 device is listed on the Co-managed devices graph. Note: This data will take some time to appear.
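The Intune portal and the ConfigMgr Monitoring node shown above both lag behind the device, so it helps to confirm the three ingredients of co-management (ConfigMgr client, Azure AD join, Intune enrollment) on the client itself. The following PowerShell is an added example, not part of the lab guide; it assumes it is run in an elevated PowerShell window on CLIENT1 after the steps in Section 4.3, and it reads the registry locations Windows uses for MDM enrollment records (the provider ID MS DM Server identifies Intune) and the ConfigMgr client's own WMI namespace and log folder.

```powershell
# Added example (not part of the lab guide): report the local signals that a
# device has become co-managed. Run elevated on CLIENT1.

function Get-CoManagementState {
    # ConfigMgr client: the CcmExec service and the SMS_Client class in root\ccm.
    $ccmService = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $smsClient  = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction SilentlyContinue

    # MDM enrollment: each enrollment is a GUID-named key under Enrollments.
    # ProviderID 'MS DM Server' is the Intune enrollment; UPN is the enrolling user.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    # Azure AD / hybrid join state, parsed from the dsregcmd /status report.
    $dsreg = dsregcmd /status 2>$null
    $azureAdJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')

    # The co-management handler writes this log once the co-management policy arrives.
    $handlerLog = Join-Path $env:SystemRoot 'CCM\Logs\CoManagementHandler.log'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CcmExecRunning       = [bool]($ccmService -and $ccmService.Status -eq 'Running')
        ConfigMgrVersion     = $smsClient.ClientVersion
        DomainJoined         = $domainJoined
        AzureAdJoined        = $azureAdJoined
        IntuneEnrolled       = (@($enrollments).Count -gt 0)
        IntuneEnrolledUpn    = (@($enrollments) | Select-Object -First 1).UPN
        IntuneEnrollmentState = (@($enrollments) | Select-Object -First 1).EnrollmentState
        CoMgmtHandlerLogSeen = Test-Path -LiteralPath $handlerLog
    }
}

$state = Get-CoManagementState
$state | Format-List

# A device counts as co-managed only when all three signals are present.
if ($state.CcmExecRunning -and $state.AzureAdJoined -and $state.IntuneEnrolled) {
    Write-Host 'Device is co-managed: ConfigMgr client + Azure AD join + Intune enrollment.'
} else {
    Write-Warning 'Device is not yet co-managed; check the Intune portal and CoManagementHandler.log.'
}
```

For the hybrid scenario in this lab, DomainJoined and AzureAdJoined should both be YES; IntuneEnrolledUpn should be the account used at step 3 (TU1), and CoMgmtHandlerLogSeen turns true only after the client has received the co-management policy created in Section 4.3.1.2, which is also when the Monitoring > Co-management graph starts counting the device.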

4.4 Modern Application Management with Intune

As an IT admin, you are responsible for making sure that your end users have access to the apps they need to do their work. Intune offers a range of capabilities to help you get the apps you need on the devices you want.

4.4.1 Application Deployment and Management with Microsoft Intune

Note: This section applies only if you have not already completed it in a previous lab.

4.4.1.1 Add Windows line-of-business (LOB) apps to Microsoft Intune

Intune supports Windows line-of-business apps packaged as .msi, .appx or .appxbundle files. Whatever you upload is installed silently on every device or user it is assigned to, so verify the package's origin, hash and Authenticode signature before adding it.
Note: The steps below have been performed in the previous scenarios as well.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Add Line-of-Business App

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services, type Intune, then click Intune.
5. In the navigation pane, select Mobile apps > Apps, and click + Add.
6. In the Add app pane, under App type, select Line-of-business app.

Configure Line-of-Business App

7. In the Add app pane, click App package file.
8. On the App package file blade, click the browse button, and select a Windows installation file with the extension .msi, .appx or .appxbundle. A sample .msi file can be downloaded from https://www.7-zip.org/download.html.
9. Click OK.
10. In the Add app pane, click App information.
11. Enter the following information and click OK:
a. Name - Enter the name of the app as it is displayed in the company portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps is displayed to users in the company portal.
b. Description - Enter a description for the app. The description is displayed to users in the company portal.
c. Publisher - Enter the name of the publisher of the app.
d. Category - Select one or more of the built-in app categories, or a category you created. Categorizing apps makes it easier for users to find the app when they browse the company portal.
e. Display this as a featured app in the Company Portal - Display the app prominently on the main page of the company portal when users browse for apps.
f. Information URL - Optionally, enter the URL of a website that contains information about the app. The URL is displayed to users in the company portal.
g. Privacy URL - Optionally, enter the URL of a website that contains privacy information for the app. The URL is displayed to users in the company portal.
h. Command-line arguments - Optionally, enter any command-line arguments that you want to apply to the .msi file when it runs, like /q.
i. Developer - Optionally, enter the name of the app developer.
j. Owner - Optionally, enter a name for the owner of this app, for example, HR department.
k. Notes - Enter any notes you would like to associate with this app.
l. Logo - Upload an icon that is associated with the app. The icon is displayed with the app when users browse the company portal.
12. In the Add app pane, click Add to upload the app to Intune.
13. Click Select.
14. Click OK.
15. Click OK again.
16. Click Save.
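Before step 8 uploads an installer such as the 7-Zip .msi, a practitioner would vet the file: an Intune LOB package is pushed to every member of the assigned group, so a tampered or wrong download becomes a fleet-wide problem. The PowerShell below is an added example, not part of the lab guide; the path C:\LabFiles\7z-x64.msi and the expected hash are placeholders (take the real SHA-256 from the vendor's download page or from a hash you recorded when you first vetted the file), and the helper name Test-LobPackage is this example's own.

```powershell
# Added example (not part of the lab guide): gate a line-of-business package on
# package type, SHA-256 match and a valid Authenticode signature before it goes
# into Intune. Path and expected hash below are placeholders.

function Test-LobPackage {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,
        [string[]] $AllowedExtensions = @('.msi', '.appx', '.appxbundle')
    )

    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = @()

    # 1. Only the package types Intune accepts as Windows LOB apps.
    if ($file.Extension -notin $AllowedExtensions) {
        $problems += "Unexpected package type '$($file.Extension)'"
    }

    # 2. Integrity: the file must match the hash you vetted (Get-FileHash returns upper-case hex).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems += "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
    }

    # 3. Authenticity: the Authenticode signature must chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status is '$($sig.Status)'"
    }

    # 4. Provenance: the Zone.Identifier stream (Mark of the Web) records where the file came from.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File       = $file.Name
        SizeBytes  = $file.Length
        Sha256     = $actual
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SigStatus  = $sig.Status
        ZoneInfo   = ($zone -join ' ')
        Approved   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage with placeholder values: refuse to upload unless every check passed.
$result = Test-LobPackage -Path 'C:\LabFiles\7z-x64.msi' -ExpectedSha256 '<sha256 from the vendor page>'
$result | Format-List
if (-not $result.Approved) { throw "Package rejected: $($result.Problems -join '; ')" }
```

Record the Signer and Thumbprint values alongside the app in Intune; when the next version of the package arrives, a change of signer is the first thing to question, even if the hash on the vendor page matches the file.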

4.4.1.2 Assign Apps to Groups with Microsoft Intune

In the following section, you will assign the line-of-business app to users and devices.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Locate App

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services, type Intune, then click Intune.
5. In the navigation pane, select Mobile apps > Apps.
6. On the list of apps blade, click the app you want to assign.

Assign and Configure App Assignment

7. On the <app name> overview pane, click Assignments.
8. Click Add group.
9. Select Required under Assignment type.
10. Under Included Groups | Selected Groups, select Sales.
11. Click Select.
12. Click OK.
13. Click OK again.
14. Click Save.

4.4.2 Application Self-Service with Microsoft Store for Business

This section provides guidance on setting up and experiencing the Microsoft Store for Business. The links referenced in this section describe how applications can be discovered, published and managed.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer. Also, log in to https://portal.azure.com and https://www.microsoft.com/en-us/business-store.

Signup for the Microsoft Store for Business

1. Start a new Internet Explorer window in InPrivate mode.
2. Click Sign in in the top right corner. On the Let’s check if you have an account window, enter the credentials LabAdmin@<azuredomain>.onmicrosoft.com, which is the global administrator created previously, and click Next.
3. Once it detects the account and says You have an account with us. You’re using LabAdmin@<azuredomain>.onmicrosoft.com with a Microsoft service already. Sign in with your existing password, click Sign in.
4. Enter the password and click Sign in.
5. On the Microsoft Store for Business and your data screen, check the consent box and click Accept.
6. You have completed the signup for the Microsoft Store for Business.

Roles and Permissions

7. Click Manage and then click Permissions.
8. Notice that LabAdmin is already assigned the Global Admin role. Click Assign roles.
9. In the Assign roles to people window, review the various roles available along with their permissions. In the text box above, type TU1 and click Test User1 in the search results. You can add multiple users in the text box.
10. Once Test User1 is added in the text box above, select the role Purchaser and click Save.
11. The user will then be added with the assigned permissions. At any point you want to remove the user from the list, select the user and click Remove. For now, do not remove.

Note: For more information, refer to https://technet.microsoft.com/library/mt621271(v=vs.85).aspx

Find and Acquire Applications

12. Click Settings. Under Shopping experience, enable Show offline apps: Show offline licensed apps to people shopping in the Microsoft Store.
13. Click Shop for my group and click an app of your choice, for example OneNote.
14. Review the two licensing types: Online and Offline. Select Offline and click Get the app.
15. If this is the first time you are using Microsoft Store for Business, check the boxes for the license and click Accept.
16. It will mention that the app has been purchased and added to your inventory. Click Close. Offline apps can be distributed by using a provisioning package, included as part of imaging a device using Deployment Image Servicing and Management (DISM) or Windows ICD, or distributed through a management tool or server.
Note: You will then be on the page where it asks you to manage or download the package for offline use. You do not have to download the package for offline use for this demo. Just go to the next step.
17. Under Shop for my group, select another app, for example Microsoft Remote Desktop, and select Online. Click Get the app. Click to agree to the terms.
18. It will mention that the app has been purchased and added to your inventory. Click Close.
19. Click the “…” box and click Manage. It will then present two methods of distribution: adding to the private store and assigning to users. (Online apps can be distributed by assigning them to employees as well as by adding them to your private store, allowing employees to download them through a management tool.)
20. If you select to add to the private store, it will start adding the app into your private store, which could take up to twenty-four hours before the app is available in the private store as a separate tab.
21. Under Shop for my group, select another app, for example DocuSign, and click Get the app. Click Close. If you select Assign Users and then, in the text box, type a username, for example TU1, click Test User1 in the search results and click Assign | Close, the app will be directly available to the user in the Store > My Library section. You can add multiple users in the text box. The user can then download and install the app from the store.

Note: For more information, refer to https://technet.microsoft.com/library/mt606944(v=vs.85).aspx

App Inventory Management

22. Click Manage, click Products & services, and then click Apps & software.
23. You can find an app from the Search apps & software text box.
24. You can also refine your search by selecting Refine results based on Product type, Application type, Source and Private store.
25. You will see the list of apps with the following columns: Name, Available quantity, Usage/Total and Date.
26. If you click the (…) for an Online-licensed app, you will see the options View license details, Assign to people, View private store details and View product details.
27. If you click the (…) for an Offline-licensed app, you will see the options Download for offline use and View product details.
28. You can also manage app licenses by viewing, assigning and reclaiming licenses.

Note: You can remove an app from the Private Store. For more information, refer to https://technet.microsoft.com/library/mt633825(v=vs.85).aspx

Distribute Apps with a Management Tool

29. Click Manage, then click Settings and then click Distribute.
30. You should be able to see the available MDM tools.
31. Select the MDM tool you want to synchronize with Store for Business, and then click Activate. Your MDM tool is ready to use with the Store for Business. Consult the documentation for your management tool to learn how to distribute apps from your synchronized inventory.

Note: For more information, refer to https://technet.microsoft.com/en-us/library/mt606939(v=vs.85).aspx

4.5 Enterprise State Roaming

With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similarly to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:

Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.

Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.

Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.

4.5.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Prerequisite Lab

Ensure that both the CLIENT3 and CLIENT4 virtual machines are Azure AD joined using TU1@<AzureDomainName>.onmicrosoft.com and that both have been rebooted at least once.

4.5.2 Configure Enterprise State Roaming

In this lab, you will set up and configure Enterprise State Roaming.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Enable Enterprise State Roaming in the Azure Web Portal

1. Start Internet Explorer in InPrivate mode.
2. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
3. On the left navigation bar, click Azure Active Directory > Devices > Device settings.
4. In the Users may sync settings and app data across devices setting, select Selected.
5. Click Selected below and click + Add members.
6. Type TU1, select Test User1 and click Select.
7. Click OK.
8. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Confirm that Setting Sync is Enabled for the User

9. Log in as TU1@<AzureDomainName>.onmicrosoft.com. If this is the first login, go through the Windows Hello steps.
10. Click Start > Settings > Accounts > Sync your settings.
11. Verify that Sync your settings is on.
12. Verify that the test account is listed in the description of the settings page: “Sync Windows settings to other devices using <testaccount>”.

Personalize Windows Settings on the First Machine

13. Right-click on the taskbar and uncheck Lock the taskbar.
14. Drag the taskbar so that it is positioned to the right of the screen.

Complete these steps on the CLIENT4 virtual machine.

Verify that the Changes have Synced to the Second Machine

Note: It may take a few minutes for the sync on one machine to propagate to the other. If the sync does not complete, try logging in and out of both devices or locking and unlocking the device.

15. Log in as TU1@<AzureDomainName>.onmicrosoft.com. If this is the first login, go through the Windows Hello steps.
16. Verify that the position of the taskbar matches the position that was set on CLIENT3.

5 Security

In this module, you will go through Windows 10 capabilities that can help organizations be more secure. We will cover the following scenarios:

Windows Information Protection
Windows Defender Advanced Threat Protection
Windows Defender Application Guard
Windows Defender Exploit Guard
Windows Hello
Credential Guard
Device Encryption (MBAM)
Device Guard – User Mode Code Integrity

Prerequisite Sections:
a) Windows Insider Lab for Enterprise – Setup Guide
b) Section 3.2 - Cloud Environment
c) Section 4.3.1.1 – Prerequisites - Install the ConfigMgr Client on CLIENT1.
d) In the lab, CLIENT1 and CLIENT2 are mainly used for Traditional Methods and CLIENT3 and CLIENT4 are mainly used for Modern Methods; therefore, you must enroll CLIENT3 and at least CLIENT4 in Microsoft Intune for the labs below. Several labs in Section 4 (Deployment and Management) explain how to enroll a machine in Microsoft Intune.

In Section 5, it is recommended that you complete these steps on a physical machine with the required hardware capabilities.

5.1 Windows Information Protection

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or other apps.

5.1.1 Modern Management

Follow the following sections for managing Windows Information Protection through modern management tools.

5.1.1.1 Configuring and Testing WIP using Intune

In this section you will configure a WIP policy in which Edge and Notepad are managed applications. You will test your policy by copying and pasting between managed and unmanaged applications.

Task Detailed Steps

Create Groups for use with WIP Demo

1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane, fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WIPDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
7. Click Create.

Creating an Intune WIP Policy

8. Close all browser windows.
9. Start Internet Explorer in InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click Intune.
14. Click Mobile apps.
15. Click App protection policies.
16. Click + Add a policy.
17. Fill in the form:
Name: WIP Demo
Description: WIP Demo
Platform: Windows 10
Enrollment state: With enrollment
Protected apps: Click Add apps, select Microsoft Edge and Notepad, and click OK | OK.
Exempt apps: Do not configure.
Configure required settings: Allow Overrides, and click OK.
Advanced settings: Show the enterprise data protection icon - ON, and click OK.
18. Select Create.
19. Select WIP Demo.
20. Select Assignments.
21. Click Select groups to include.
22. Select WIPDemo.
23. Click Select.

Complete these steps on the CLIENT3 virtual machine or a physical machine.

Verify the Policy has been Applied and Working

24. Log in to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com.
25. Start Notepad.
26. Enter www.bing.com in the text field.
27. Select File > Save As.
Note: Notice the lock icon next to where you enter the file name.
28. Use the drop-down and select Work (<Domain name>).
29. Name the file WipTest and click Save.
Note: Notice the new briefcase icon on the title bar.
30. Close Notepad.
31. Open File Explorer.
32. Navigate to the Documents folder.
Note: Notice the new icon for WipTest. This shows it is managed by WIP.
33. Double-click WipTest and open it again in Notepad.
34. Copy the text www.bing.com.
35. Open WordPad (NOT WIP managed).
36. Paste in the text.
Note: Notice you are prompted because you are copying from a managed application to an unmanaged application.
37. Select No.
38. Close WordPad.
39. Open Edge (WIP managed).
40. Paste in the text.
Note: Notice that this worked. Both Edge and Notepad are managed; therefore, copy and paste between them is allowed.
41. Close Edge.
42. Open IE (NOT WIP managed).
43. Paste in the text.
Note: Notice you are prompted because you are copying from a managed application to an unmanaged application. Select No and close all the applications if any are open.

Removing the Policy

44. Close all browser windows.
45. Start Internet Explorer in InPrivate mode.
46. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
47. On the left navigation bar, click All services.
48. Enter “Intune” in search.
49. Click Intune.
50. Click Mobile apps.
51. Click App protection policies.
52. Select the policy and click Delete policy | Yes.
Note: We are deleting the policy in order to use the same applications in other labs without this policy being enforced.
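Both WIP tests on this page, the MAM verification in Section 4.2.3 (Sample Document.txt and its File ownership menu) and the WipTest file above, rely on briefcase icons to tell work files from personal ones. A scripted check is more useful when auditing a folder or a whole profile. The PowerShell below is an added example, not part of the lab guide; it relies on the fact that WIP stores work files with EFS encryption, so the Encrypted file attribute is set on them and not on personal files, and on cipher.exe /c, which prints which keys can decrypt a given encrypted file. The Documents folder default is an assumption; point it at any folder you want to audit.

```powershell
# Added example (not part of the lab guide): list which files in a folder are
# WIP-protected (EFS-encrypted by WIP) and show cipher.exe's key details for them.

function Get-WipFileState {
    param([string] $Folder = (Join-Path $env:USERPROFILE 'Documents'))

    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # WIP marks work files with EFS encryption; the Encrypted attribute bit
            # (FILE_ATTRIBUTE_ENCRYPTED) is the cheapest signal that a file is protected.
            $attrs     = [System.IO.File]::GetAttributes($_.FullName)
            $encrypted = (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                Protected = $encrypted
                Modified  = $_.LastWriteTime
            }
        }
}

function Show-WipFileDetail {
    param([Parameter(Mandatory)] [string] $Path)
    # cipher /c prints the encryption details for the file, including which
    # certificates/keys can decrypt it; for a WIP file that is the enterprise key
    # rather than the user's personal EFS certificate.
    cipher.exe /c $Path
}

$state = Get-WipFileState
$state | Format-Table Name, Protected, Modified -AutoSize

$work = @($state | Where-Object { $_.Protected })
Write-Host "$($work.Count) of $(@($state).Count) files are WIP-protected."
foreach ($f in $work) { Show-WipFileDetail -Path $f.Path }
```

Run it as the enrolled user (TU2 in this lab) before and after step 58 of Section 4.2.3 or step 29 above: a file saved as Work shows Protected = True, and if the policy allows overrides and the user switches File ownership to Personal, the same file flips to False, which is exactly the declassification an audit should be watching for.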

5.1.2 Traditional Management

In this section, you will learn how to configure and deploy WIP policies through System Center Configuration Manager and test different WIP scenarios.
Note: This lab can only be performed if the System Center Configuration Manager environment is on Current Branch (1802) or higher.
Follow the following sections for managing Windows Information Protection through traditional management tools.

5.1.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Install Google Chrome

1. Open Internet Explorer and browse to the URL below.

https://www.google.com/intl/en/chrome/browser/desktop/index.html

2. Click DOWNLOAD CHROME.

3. On the Download Chrome for Windows popup window, click ACCEPT AND INSTALL.

4. Click Run to start ChromeSetup.exe and accept the UAC prompt if it appears.

5. Once completed successfully, close all the windows.

Pin Applications

6. Pin the following applications to Start:

a. Internet Explorer

b. Google Chrome

c. Notepad

d. WordPad

Complete these steps on the CM1 virtual machine.

Create a Collection

7. Open the Configuration Manager Console from the Start Menu.

8. From the Configuration Manager Console, browse to Assets and Compliance.

9. Right-click on Device Collections and select Folder > Create Folder.

10. On the Configuration Manager window, under Folder name enter Windows Information Protection then click OK.

11. From the Configuration Manager Console, expand Device Collections and right-click on Windows Information Protection.

12. Select Create Device Collection.

13. On the General page, enter the following then click Next.

Name: Block
Limiting Collection: All Desktop and Server Clients

14. On the Membership Rules page, click Next.

15. On the warning dialog box, click OK.

16. On the Summary page, click Next.

17. On the Completion page, click Close.

5.1.2.2 Configure Data Recovery Agent (DRA) Certificate

In this activity, you will create and enroll for a Data Recovery Agent certificate, which is a prerequisite for configuring WIP policies through System Center Configuration Manager.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Create a DRA Certificate Template

1. Open the Certification Authority from the Start Menu.

2. On the Certification Authority console, expand corp-DC1-CA, right-click on Certificate Templates and select Manage.

3. On the Certificate Templates Console, right-click on EFS Recovery Agent and select Duplicate Template.

4. On the Properties of New Template window, go to the General tab.

5. On the General tab, under Template display name enter WIP Recovery Agent, select Publish certificate in Active Directory, then go to the Request Handling tab.

6. On the Request Handling tab, verify that under Purpose Encryption is selected and Allow private key to be exported is selected then go to the Security tab.

7. On the Security tab, select LabAdmin and under Allow, select Enroll.

8. On the Properties of New Template window, click Apply then click OK.

9. Close the Certificate Templates Console.

10. On the Certification Authority console, right-click on Certificate Templates and select New > Certificate Template to Issue.

11. On the Enable Certificate Templates window, select WIP Recovery Agent then click OK.

Request a DRA Certificate

12. Right-click on Start and select Run.

13. On the Run window, enter certmgr.msc then click OK.

14. On the Certificates console, right-click on Personal and select All Tasks > Request New Certificate….

15. On the Before You Begin page, click Next.

16. On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy then click Next.

17. On the Request Certificates page, select WIP Recovery Agent then click Enroll.

18. Once enrolled successfully, click Finish.

Export the DRA Certificate

19. On the Certificates console, under Personal > Certificates, right-click on the certificate issued by corp-DC1-CA and select All Tasks > Export…

20. On the Welcome to the Certificate Export Wizard page, click Next.

21. On the Export Private Key page, select Yes, export the private key then click Next.

22. On the Export File Format page, click Next.

23. On the Security page, select Password:, enter P@ssw0rd under Password: and Confirm password:, then click Next.

24. On the File to Export page, click Browse…

25. On the Save As window, browse to the Desktop, click New folder and rename the new folder to DRA.

26. Double-click on the DRA folder.

27. Under File name, enter WIP-DRA-key then click Save.

28. On the File to Export page, click Next.

29. Once complete, click Finish.

30. Click OK on the export successful dialog window.

31. On the Certificates console, under Personal > Certificates, right-click on the certificate issued by corp-DC1-CA and select All Tasks > Export…

32. On the Welcome to the Certificate Export Wizard page, click Next.

33. On the Export Private Key page, select No, do not export the private key then click Next.

34. On the Export File Format page, select Base-64 encoded X.509 (.CER) then click Next.

35. On the File to Export page, click Browse…

36. On the Save As window, browse to the Desktop, under File name, enter WIP-DRA then click Save.

37. On the File to Export page, click Next.

38. Once complete, click Finish.

39. Click OK on the export successful dialog window.

Copy the Certificate

40. From the Desktop, copy the file WIP-DRA.cer to \\CM1\Packages$.
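The enrollment and the two exports above (PFX with the private key, Base-64 .cer without it, copy of the .cer to the share) can be scripted so the steps are repeatable and the exported files are checked before anything leaves DC1. The script below is an added example for this guide, not part of the lab material. It assumes the template created in steps 1-11 has the template (short) name WIPRecoveryAgent, which is the default Windows derives from the display name "WIP Recovery Agent" (Get-Certificate wants the short name, not the display name), that the issuing CA is corp-DC1-CA, and that it is run on DC1 as CORP\LabAdmin.

```powershell
# Added example: scripted equivalent of steps 12-40 (DRA enrollment and export). Not from the lab guide.
# Assumptions: template short name 'WIPRecoveryAgent', issuing CA 'corp-DC1-CA', run as CORP\LabAdmin on DC1.
$TemplateName = 'WIPRecoveryAgent'
$IssuerCn     = 'corp-DC1-CA'
$Desktop      = [Environment]::GetFolderPath('Desktop')
$DraDir       = Join-Path $Desktop 'DRA'
$PfxPath      = Join-Path $DraDir  'WIP-DRA-key.pfx'
$CerPath      = Join-Path $Desktop 'WIP-DRA.cer'
$Share        = '\\CM1\Packages$'

# Steps 12-18: enroll through the Active Directory enrollment policy into the user's Personal store.
$request = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
if ($request.Status -ne 'Issued') { throw "Enrollment did not complete (status: $($request.Status))" }
$dra = $request.Certificate

# Confirm it is the right kind of certificate before exporting a private key.
# 1.3.6.1.4.1.311.10.3.4.1 is the 'File Recovery' EKU that EFS/WIP recovery agent certificates carry.
if ($dra.Issuer -notlike "CN=$IssuerCn*") { throw "Unexpected issuer: $($dra.Issuer)" }
if ($dra.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.4.1.311.10.3.4.1') {
    throw 'Certificate does not carry the File Recovery EKU'
}
if (-not $dra.HasPrivateKey) { throw 'Private key is not present; cannot export the DRA key' }

# Steps 19-30: export certificate + private key as a password-protected PFX into Desktop\DRA.
# The guide uses P@ssw0rd; prompt for it instead so the secret never sits in a script or history file.
New-Item -ItemType Directory -Path $DraDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Password to protect WIP-DRA-key.pfx' -AsSecureString
Export-PfxCertificate -Cert $dra -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Steps 31-39: export the public certificate only, as Base-64 encoded X.509 (.CER).
$der = $dra.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = @(
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    '-----END CERTIFICATE-----'
)
Set-Content -Path $CerPath -Value $pem -Encoding Ascii

# Sanity check: the .cer going to the SCCM share must not contain a private key and must be the same cert.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($public.HasPrivateKey) { throw 'Refusing to copy: .cer unexpectedly contains a private key' }
if ($public.Thumbprint -ne $dra.Thumbprint) { throw 'Exported .cer does not match the enrolled certificate' }

# Step 40: only the public half goes to CM1; the .pfx stays with the lab admin.
Copy-Item -Path $CerPath -Destination $Share
"DRA certificate $($dra.Thumbprint) exported: $PfxPath (private), $CerPath (public, copied to $Share)"
```

The .pfx is the sensitive artifact here: whoever holds it and its password can decrypt every file that the WIP policy protects, exactly like an EFS recovery key. Once the lab is finished, move it off the desktop to offline storage and make sure it was never copied to Packages$; only WIP-DRA.cer belongs on the share.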

5.1.2.3 Windows Information Protection Policies

In this activity, you will create and deploy a WIP configuration item and baseline that will block inappropriate data sharing practices.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.

Create a Block WIP Configuration Baseline

1. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines then click on Create Configuration Baseline from the ribbon bar.

2. On the Create Configuration Baseline window, under Name enter WIP - Block.

3. On the Create Configuration Baseline window, under Configuration data click Add > Configuration Items.

4. On the Add Configuration Items window, select WIP – Block, click Add then click OK.

5. On the Create Configuration Baseline window, click OK.

Deploy the WIP Policies

6. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines.

7. Right-click on WIP – Block then select Deploy.

8. On the Deploy Configuration Baselines window, select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window.

9. On the Deploy Configuration Baselines window, under Collection click Browse…

10. On the Select Collection window, browse to Device Collections > Windows Information Protection, select Block then click OK.

11. On the Deploy Configuration Baselines window, click OK.

5.1.2.4 Validate Policies

In this activity, you will perform various tests to verify the enforcement of the WIP policies in different scenarios.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.

Add Device to Collection

1. From the Configuration Manager Console, browse to Assets and Compliance > Devices.

2. Right-click on the CLIENT1 virtual machine and select Add Selected Items > Add Selected Items to Existing Device Collection.

3. On the Select Collection window, browse to Device Collections > Windows Information Protection, select Block then click OK.

Complete these steps on the CLIENT1 virtual machine.

Refresh Configuration Manager Machine Policy

4. Logon as CORP\LabAdmin and open the Control Panel. Select the Configuration Manager icon.

5. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.

6. On the Configuration Manager Properties window, go to the Configurations tab and confirm that the WIP – Block baseline is listed.

7. Select the WIP – Block baseline and click Evaluate.

8. Click Refresh and confirm that the Compliance State has changed to Compliant.

9. On the Configuration Manager Properties window, click OK.

Encryption through File Explorer

10. Right-click on the Desktop and select New > Bitmap image.

11. Rename the file to Picture1.bmp.

12. Right-click on Picture1.bmp then select File ownership > Work (Olympia.local).

13. Right-click on Picture1.bmp then select Properties.

14. On the Picture1.bmp Properties window, click Advanced…

15. On the Advanced Attributes window, click Details.

16. On the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.

17. Click OK three times.

Note: The briefcase icon indicates that the file is protected.

Encryption through Save on an Enterprise Application

18. Click Start and open Notepad.

19. In the Untitled file, enter This is a protected file.

20. Click File > Save As…

21. On the Save As window, browse to Desktop, select Work (Olympia.local) as the file ownership, under File name enter Protected File1, then click Save.

22. Right-click on Protected File1.txt then select Properties.

23. On the Protected File1 Properties window, click Advanced…

24. On the Advanced Attributes window, click Details.

25. On the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.

26. Click OK three times.

Note: The briefcase icon indicates that the file is protected.

Automatic Encryption on Copy from Trusted Network Shares

27. Right-click on Start and select Run.

28. On the Run window, enter \\CM1\Packages$ and click OK.

29. Open WIN10X64-Settings and copy Unattend.xml to the Desktop.

Note: Before performing this step, on CM1 create a dummy folder called WIN10X64-Settings under Packages$ and, inside it, a blank dummy XML file called Unattend.xml. The file should open by default only in Notepad or Internet Explorer; for this example, Notepad is the default app.

30. Right-click on Unattend.xml then select Properties.

31. On the Unattend Properties window, click Advanced…

32. On the Advanced Attributes window, click Details.

33. On the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.

34. Click OK three times.

Note: The briefcase icon indicates that the file is protected.

Open Encrypted Files on an Enterprise Application

35. On the Desktop, open the Unattend.xml file with Internet Explorer.

Note: The briefcase icon beside the refresh button indicates that the file is protected.

36. Close Internet Explorer.


Open Encrypted Files on a Non-Enterprise Application

37. On the Desktop, open the Unattend.xml file with WordPad.

38. Click OK on the access denied prompt.

Note: WordPad is not configured as an Enterprise Application in the Compliance Item policy created earlier.

Policy Enforcement for Copy-Paste

39. Click Start and open Google Chrome.

40. From the Desktop, drag and drop the Unattend.xml file onto Google Chrome.

41. Click OK on the Can’t use work content here prompt.

42. On the Desktop, open Protected File1.txt with Notepad.

43. Copy the text within the Protected File1.txt file.

44. Click Start and open WordPad.

45. In WordPad, click Paste.

46. Click OK on the Can’t use work content here prompt.

47. Close WordPad.

48. Click Start and open Internet Explorer.

49. In Internet Explorer, browse to www.bing.com.

50. Right-click on the Bing search text field and select Paste.

51. Click OK on the Can’t use work content here prompt.

52. Close Internet Explorer.

Note: Bing is treated as separate application and is not configured as an Enterprise Application in the Compliance Item policy created earlier.

53. Right-click on Start and select Run.

54. On the Run window, enter \\10.0.0.6\MDOP. Click OK.

55. From the Desktop, copy the Unattend.xml file and paste it into the MDOP share.

56. On the Interrupted Action window, click Cancel.

Note: Windows Information Protection blocks actions that violate the configured policy, such as opening enterprise files in a non-enterprise application, and copying the contents of an enterprise file to a non-enterprise application, URL or network share.

Remove Encryption

Complete these steps on the CM1 and CLIENT1 virtual machines.

57. On CM1, in the Configuration Manager Console, navigate to Assets and Compliance | Compliance Settings | Configuration Items. Select WIP – Block and click Properties from the ribbon bar.

58. Click the Compliance Rules tab and double-click on WIP App Management Mode.

59. Scroll down slightly and select Off: Turns off Windows Information Protection, then click OK on the Edit Rules window.

60. Click Apply and OK on the WIP – Block Properties window.

61. On the CLIENT1 virtual machine, open the Control Panel. Select the Configuration Manager icon. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.

62. On the Configuration Manager Properties window, go to the Configurations tab, select the WIP – Block baseline and click Evaluate and Refresh. Click OK.

63. Right-click on Picture1.bmp then select Properties.

Note: The briefcase icon no longer shows on the file.

64. On the Picture1.bmp Properties window, click Advanced…

65. On the Advanced Attributes window, verify that Encrypt contents to secure data is not selected.

66. Click OK two times.

5.2 Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and send this sensor data to your private, isolated, cloud instance of Windows Defender ATP.

Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.

In this section, you will learn how to configure and use Windows Defender ATP to detect and respond to threats.

Note: This lab can only be performed if the customer has already registered for, and been approved for, the Microsoft WDATP Preview/Trial program (Section 3.2.3).

5.2.1 Onboarding Windows 10 Device

In this activity, you onboard your first Windows 10 client to Windows Defender Advanced Threat Protection.

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.

Download the Onboarding Package

1. Log in to the device.

2. Navigate to https://securitycenter.windows.com/

3. Sign in to the portal with labadmin@<AzureDomainName>.onmicrosoft.com

4. On the Getting started page, click Next.

5. On the Set up your preferences page, select the appropriate data storage location and click Next.

6. Select the appropriate data retention policy and click Next.

7. Select your appropriate organization size and click Next.

8. Select your appropriate industry and click Next.

9. Select the appropriate preview experience option and click Next.

10. Click Continue to create a cloud instance. It will start creating your Windows Defender ATP cloud instance.

11. On the Endpoint onboarding page, under the Select your deployment tool dropdown, select Local Script (for up to 10 machines) and click Download package. Once downloaded, click Finish.

12. Click Save as and save the package to C:\.

Execute the Onboarding Package

13. Navigate to C:\, right-click the package and click Extract All…

14. Click Extract.

15. Navigate to the extracted package, right-click on the script file and click Edit.

Note: Note the registry paths the script writes to, and the log and Event ID it creates with eventcreate on success.

16. Close Notepad.

17. Right-click the script file and click Run as administrator. Press Y to confirm and continue. Press any key to continue.

18. After 5-10 minutes the device should start reporting to the portal.

Configure the Sample Collection Setting

19. Click the Start menu and type regedit, right-click and choose Run as administrator.

20. Locate the following registry path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

21. Create a DWORD value AllowSampleCollection and set it to 1.

Note: This allows file samples to be collected from the machine through the portal for deeper investigation. No samples are collected automatically; collection is requested by the administrator.

Verify the Deployment Success

22. Check that the SENSE service is running by opening the Command Prompt and running: sc query sense. The STATE should be 4 RUNNING.

23. Open the Event Viewer (Local) > Windows Logs > Application log and locate the Event ID 20 from the source WDATPOnboarding.

24. Open the Event Viewer (Local) > Application and Services Logs > Microsoft > Windows > SENSE > Operational log. Check for the Event ID 4 to make sure that the SENSE service is reporting successful server connection every 5 minutes. Connection frequency may vary depending on factors like battery state.

25. Go to https://securitycenter.windows.com/ portal, then choose Machines View, on the right locate your machine on the list, its Health State should be Active.
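Steps 19-24 (the sample-collection value, the service state and the two event log entries) can be run as one script from an elevated PowerShell prompt on CLIENT2, which is handier than clicking through regedit and Event Viewer on every onboarded machine. This is an added example for this guide, not part of the onboarding package. Beyond what the steps above check, it reads the Status\OnboardingState value that the onboarding script writes (1 = onboarded), and it also looks for SENSE Event ID 5, which records a failed connection to the service and is the usual sign of a proxy or firewall problem; the roughly five-minute spacing between successful connections is what the lab expects on mains power.

```powershell
# Added example (not from the lab guide): sets AllowSampleCollection (steps 19-21) and verifies onboarding (steps 22-24).
# Run from an elevated PowerShell prompt on CLIENT2 after the onboarding script has completed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Set-SampleCollection {
    # Steps 19-21: 1 = the portal may request file samples; 0 = never. Nothing is collected until an admin asks.
    param([ValidateSet(0, 1)][int]$Allow = 1)
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name AllowSampleCollection -Value $Allow -Type DWord
    (Get-ItemProperty -Path $PolicyKey -Name AllowSampleCollection).AllowSampleCollection
}

function Test-AtpOnboarding {
    $result = [ordered]@{}

    # Step 22: equivalent of "sc query sense" showing STATE 4 RUNNING.
    $sense = Get-Service -Name sense -ErrorAction SilentlyContinue
    $result.SenseRunning = [bool]($sense -and $sense.Status -eq 'Running')

    # Status flag written by WindowsDefenderATPOnboardingScript.cmd: 1 = onboarded.
    $state = Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue
    $result.OnboardingState = $state.OnboardingState

    # Step 23: the script logs Event ID 20, source WDATPOnboarding, in the Application log on success.
    $onb = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding'; Id = 20 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.OnboardingEventSeen = [bool]$onb

    # Step 24: Event ID 4 in the SENSE operational log = successful connection to the cloud service.
    # Event ID 5 in the same log = the sensor could NOT reach the service (proxy/firewall), so surface it too.
    $log  = 'Microsoft-Windows-SENSE/Operational'
    $ok   = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4 } -MaxEvents 6 -ErrorAction SilentlyContinue
    $fail = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastSuccessfulConnection = if ($ok)   { $ok[0].TimeCreated }   else { $null }
    $result.LastFailedConnection     = if ($fail) { $fail[0].TimeCreated } else { $null }
    if ($ok -and $ok.Count -gt 1) {
        # Spacing between consecutive successful connections; expect roughly 5 minutes while on mains power.
        $result.MinutesBetweenConnections = for ($i = 0; $i -lt $ok.Count - 1; $i++) {
            [math]::Round(($ok[$i].TimeCreated - $ok[$i + 1].TimeCreated).TotalMinutes, 1)
        }
    }

    $result.Healthy = $result.SenseRunning -and ($result.OnboardingState -eq 1) -and $result.OnboardingEventSeen -and [bool]$ok
    [pscustomobject]$result
}

Set-SampleCollection -Allow 1 | Out-Null
$status = Test-AtpOnboarding
$status | Format-List
if (-not $status.Healthy) {
    Write-Warning 'Device is not yet reporting. Wait 5-10 minutes after onboarding and run Test-AtpOnboarding again; step 25 should then show Health State Active in the portal.'
}
```

If SenseRunning is true and the onboarding event is present but there is no Event ID 4 and a recent Event ID 5, the machine onboarded correctly and the problem is network egress to the service, not the onboarding package.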

Install Office (If Not Installed)

26. Go to https://portal.office.com and sign in as TU2@<AzureDomainName>.onmicrosoft.com

27. Click Install Office 2016.

28. Click Run.

5.2.2 Perform Simulation

In this activity, you will go step-by-step through a typical attack sequence that you will run yourself.

Note: The setup guide also contains instructions and links for the attack demo.

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.

Follow the Demo Attack Simulation Guidance

1. Click the link to open the WinATP-Intro-Invoice.doc word document from the setup guide.

2. The device has Office 2016 installed, so click Yes and OK on the Office 2016 security prompts.

3. Enter the password to open the word document and click OK. The password is provided in the setup guide.

4. Click Enable Content on the opened word document.

5. Click OK on the prompt.

6. A backdoor will run in a command window. Press any key to close.

7. You will now see that an Active alert has been reported to Windows Defender Advanced Threat Protection by the device. Navigate through the portal for further details on the attack and ways to remediate.

5.3 Windows Defender Application Guard

Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define which web sites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated, Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data.

Note: Windows Defender Application Guard can only be enabled if the hardware requirements are met as stated in https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard

Note: The machine (virtual or physical) should have Hyper-V, TPM and Secure Boot enabled.

5.3.1 Modern Management

The following sections cover managing Windows Defender Application Guard through modern management tools.

5.3.1.1 Configure Windows Defender Application Guard

In the section below you will be configuring WDAG using modern management.

Task Detailed Steps

Create Groups for use

1. Close all browser windows.

2. Start Internet Explorer InPrivate mode.

3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

4. On the left navigation bar, click Azure Active Directory > Groups > All groups.

5. Click + New group.

6. In the Group pane fill in the following values and click Select:

GROUP TYPE: Security
GROUP NAME: WDAGDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2

7. Click Create.

Creating an Intune WDAG Policy

1. Close all browser windows.

2. Start Internet Explorer InPrivate mode.

3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

4. On the left navigation bar, click All services.

5. Enter “Intune” in search.

6. Click on Intune.

7. Click on “Device configuration”.

8. Click on “Profiles”.

9. Click on “+ Create profile”.

10. Fill in the form:

Name: WDAG Demo
Description: WDAG Demo
Platform: Windows 10 and later
Profile type: Endpoint protection

11. Select “Windows Defender Application Guard”.

12. Fill out the form:

Application Guard: Enabled for Edge
Clipboard behavior: Block copy and paste between PC and browser
External content on enterprise sites: Not configured
Print from virtual browser: Allow
Printing type(s): PDF
Collect logs: Not configured
Retain user-generated browser data: Not configured
Graphics acceleration: Not configured
Download files to host file system: Not configured

13. Select OK.

14. Select OK.

15. Select Create.

16. Select Assignments.

17. Select “Select groups to include”.

18. Select “WDAGDemo”. Click Select.

19. Click on Save.


Configure trusted site list

20. Go back to Intune.

21. Click “Client Apps”.

22. Click “App Protection Policies”.

23. Click “Create Policy”.

24. Fill in the form:

a. Name – WDAG Site List

b. Platform – Windows 10

c. Enrollment State – With Enrollment

d. Click Advanced Settings

e. Add network boundary

i. Boundary type – Cloud resources

ii. Name – ECR

iii. Value – provide a list of cloud resources separated by the ‘|’ (pipe) symbol. Ex: powerbi.com|.yammer.com|yammer.com|olympia.windows.com|/*AppCompat*/

iv. Click OK

Note: Add /*AppCompat*/ to your list of cloud resources to enable TLS connections by personal apps that connect directly to a cloud resource through an IP address.

f. Add network boundary

i. Boundary type – Neutral resources

ii. Name – NeutralResources

iii. Value – provide a list of websites separated by ‘,’. The $ sign is used as a wildcard for websites.

iv. Ex: $.o365.com,$.office.com,$.microsoft.com

v. Click OK

25. Click Create.

26. Click on the newly created policy.

27. Click Assignments.

28. Select “Select groups to include”.

29. Select “WDAGDemo”. Click Select.

30. Click on Save.

Complete these steps on a physical machine. (To connect a physical machine to the lab, see Section 3 of the Set Up Guide.)

Verify the Policy has been Applied and Working

31. Login to a machine as TU2@<AzureDomainName>.onmicrosoft.com

32. Select Start.

33. Select Settings.

34. Select Accounts.

35. Select Access work or school.

36. Select Connected to <CompanyName> Azure AD.

37. Click Info.

38. Click Sync to force a policy update and confirm that the sync was successful.

39. Close Settings. Reboot the machine once.

40. Launch Edge.

41. Press Alt-X.

42. Select “New Application Guard window”.

43. A new window should appear.

Note: Notice that in the upper left-hand corner of the window you should see Application Guard and a thin orange line at the top of the window. This indicates you are running in Application Guard mode.

44. Enter the URL www.bing.com.

45. Create a new tab.

46. Copy the URL www.bing.com to the new tab.

Note: Notice that you can do this because both tabs are inside Application Guard.

47. Open IE.

48. Try to copy the URL from the WDAG Edge window to IE.

Note: Notice that you cannot paste. This is because WDAG is configured to not allow copy and paste between the container and the host OS.

49. Enter the URL www.msn.com in IE.

50. Copy this URL from IE and try to paste it in the WDAG Edge window.

Note: Notice that you cannot paste. This is because WDAG is configured to not allow copying from the host OS into the WDAG Edge window.

Verify trusted website behavior

Cloud resources will always open in Host Edge

51. Launch Edge.

52. Press Alt-X.

53. Select “New Application Guard window”.

54. Navigate to Olympia.windows.com or yammer.com (these sites are configured as Cloud resources in step 24).

55. Notice that the website renders in Edge on the host OS.

Neutral sites open in the browser where they are opened

56. Launch Edge.

57. Press Alt-X.

58. Select “New Application Guard window”.

59. Navigate to o365.com or office.com (these sites are configured as Neutral resources).

60. Notice that the website renders in WDAG.

61. Launch Edge.

62. Navigate to o365.com or office.com (these sites are configured as Neutral resources).

63. Notice that the website renders in Host Edge.

Non-trusted sites open in WDAG

64. Launch Edge.

65. Navigate to www.purple.com

66. Notice the website opens in a WDAG window as it is not part of the trusted site list.

5.3.2 Traditional Management

The following sections cover managing Windows Defender Application Guard through traditional management tools.

5.3.2.1 Prerequisites

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Install the Feature

1. Open the Control Panel, click Programs, and then click Turn Windows features on or off.

2. Select the check box next to Windows Defender Application Guard and then click OK.

3. Restart the device.

5.3.2.2 Configure Group Policy Settings

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Turn On Windows Defender Application Guard

1. In the Group Policy Management Console, edit the Default Domain Policy by going to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard.

2. Double-click Turn on Windows Defender Application Guard in Enterprise Mode.

3. Select Enabled and click Apply and OK.

Set Up Network Isolation

4. Go to Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud.

5. Select Enabled and type .microsoft.com into the Enterprise cloud resources box. Click Apply and OK.

6. Go to the Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal setting.

7. Select Enabled and type bing.com into the Neutral resources box. Click Apply and OK.

5.3.2.3 Validate Windows Defender Application Guard

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Test Application Guard

1. Update the group policies by running gpupdate /force from the elevated command prompt. Accept the UAC prompt if required.

2. Start Microsoft Edge and type www.microsoft.com

3. After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.

4. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists, example www.msn.com

5. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
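Before browsing in step 2, it is worth confirming on CLIENT1 that the feature from 5.3.2.1 is installed and that the three Group Policy settings from 5.3.2.2 actually arrived, since a missing or mistyped Network Isolation entry silently changes which sites land in the container. The script below is an added example for this guide, not part of the lab material. It reads the registry locations that back the "Turn on Windows Defender Application Guard in Enterprise Mode" setting (HKLM\SOFTWARE\Policies\Microsoft\AppHVSI, AllowAppHVSI_ProviderSet) and the two Network Isolation settings (HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation, EnterpriseCloudResources and NeutralResources); the expected values are exactly what 5.3.2.2 types in, and the parameters are there to adapt if your lab uses other domains. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the lab guide): checks on CLIENT1 for sections 5.3.2.1-5.3.2.3.
# Registry locations are the backing store of the Group Policy settings configured above.
# Run from an elevated PowerShell prompt.

function Get-WdagState {
    $s = [ordered]@{}

    # 5.3.2.1: the Windows optional feature that hosts the container.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    $s.FeatureState = $feature.State

    # 5.3.2.2 steps 1-3 "Turn on Windows Defender Application Guard in Enterprise Mode":
    # AllowAppHVSI_ProviderSet 1 = Edge, 2 = Office, 3 = both.
    $hvsi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue
    $s.EnterpriseMode = $hvsi.AllowAppHVSI_ProviderSet

    # 5.3.2.2 steps 4-7: Network Isolation lists that decide host vs. container rendering.
    $ni = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' -ErrorAction SilentlyContinue
    $s.EnterpriseCloudResources = $ni.EnterpriseCloudResources
    $s.NeutralResources         = $ni.NeutralResources

    [pscustomobject]$s
}

function Test-WdagLabConfig {
    # Expected values are exactly what 5.3.2.2 types in; change them if your lab uses other domains.
    param(
        [string]$CloudResources = '.microsoft.com',
        [string]$Neutral        = 'bing.com'
    )
    $state = Get-WdagState
    $problems = @()
    if ($state.FeatureState -ne 'Enabled') {
        $problems += 'Application Guard feature is not installed (5.3.2.1)'
    }
    if ($state.EnterpriseMode -ne 1) {
        $problems += "Enterprise Mode for Edge not applied; AllowAppHVSI_ProviderSet = '$($state.EnterpriseMode)'"
    }
    if ($state.EnterpriseCloudResources -ne $CloudResources) {
        $problems += "EnterpriseCloudResources is '$($state.EnterpriseCloudResources)', expected '$CloudResources'"
    }
    if ($state.NeutralResources -ne $Neutral) {
        $problems += "NeutralResources is '$($state.NeutralResources)', expected '$Neutral'"
    }
    [pscustomobject]@{ State = $state; Problems = $problems; Ready = ($problems.Count -eq 0) }
}

# 5.3.2.1: install the feature if the GUI step was skipped (a restart is required afterwards).
if ((Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard').State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart | Out-Null
    Write-Warning 'Feature installed; restart CLIENT1 before continuing.'
}

# 5.3.2.3 step 1: pull the updated Default Domain Policy, then re-read the keys it populates.
gpupdate /force | Out-Null
$check = Test-WdagLabConfig
$check.State | Format-List
if ($check.Ready) {
    'Policy applied. Steps 2-5 expectations: www.microsoft.com renders on the host, www.msn.com renders in the container.'
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```

If Ready is false because the NetworkIsolation values are empty, the Group Policy has not reached the machine yet (check gpresult /r for the Default Domain Policy); if the values are present but differ from what you typed, fix the GPO rather than the registry, since the next refresh would overwrite a local edit.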

5.4 Windows Defender Exploit Guard

Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.

There are four features in Windows Defender EG:

Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps.

Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware.

Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices.

Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.

5.4.1 Modern Management

The following sections cover managing Windows Defender Exploit Guard through modern management tools.

5.4.1.1 Exploit Guard Controlled Folders

In this section we are going to create a group that will be used to assign users an Exploit Guard controlled folder policy. In addition, we will configure the policy and test that it works.

Task Detailed Steps

Create Groups

1. Close all browser windows.

2. Start Internet Explorer InPrivate mode.

3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

4. On the left navigation bar, click Azure Active Directory > Groups > All groups.

5. Click + New group.

6. In the Group pane fill in the following values and click Select:

GROUP TYPE: Security
GROUP NAME: ExploitDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2

7. Click Create.

Configure Windows Defender Exploit Guard

8. On the left navigation bar, click All Services.

9. Enter “Intune” in search.

10. Click on Intune.

11. Under Manage, select “Device configuration”.

12. Under Manage, select “Profiles”.

13. Select “Create profile”.

14. Name the new profile “Exploit Protection Demo”.

15. For Platform select “Windows 10 and later”.

16. For Profile type select “Endpoint protection”.


17. Select “Windows Defender Exploit Guard”.

18. Select “Controlled folder access”.

19. Change Folder protection to “Enable”.

20. Select OK.

21. Select OK.

22. Select OK.

23. Select Create.

24. Select Assignments.

25. Click Select groups to include.

26. Check the “ExploitDemo” group.

27. Select “Select”.

28. Click Save.

Complete these steps on the CLIENT3 virtual machine or a physical machine.

Verify Configuration is Applied

29. Log in to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com.

30. Select Start.

31. Select Settings.

32. Select Accounts.

33. Select Access work or school.

34. Select Connected to <CompanyName> Azure AD.

35. Click Info.

36. Click Sync to force a policy update and confirm that the sync was successful.

37. Open Notepad.exe.

38. Create a simple document.

39. Save it to “Documents”.

Note: Notice that it saved just fine.

40. Open “Windows PowerShell ISE”.

41. Create a simple script “Get-Process”.

42. Save it to “Documents”.

Note: Notice you cannot save to Documents because this is a protected folder. You will get a “File not found” message.

43. Press OK.

Note: You may also notice a message slide in from the right stating it was blocked by Controlled folder access.

44. Click on the notification icon to review this notification.
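To confirm from the command line that the Intune profile actually landed and to pull the block event that step 42 generates, here is an added PowerShell check (not part of this guide). It assumes an elevated session on CLIENT3 and the built-in Defender cmdlets; the allowed-application path at the end is a placeholder.

```powershell
# Added example, not from the lab guide: verify Controlled folder access on the
# client and list the block events behind the "blocked by Controlled folder
# access" notification seen in steps 42-44.

# 1. Policy state. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block),
#    2 = Audit mode. Intune-delivered settings show up here like local ones.
$pref = Get-MpPreference
"Controlled folder access state : $($pref.EnableControlledFolderAccess)"
"Extra protected folders        : $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications           : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Recent Controlled folder access hits from the Defender operational log.
#    Event ID 1123 = change blocked, 1124 = would have been blocked (audit mode).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddHours(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. If a legitimate tool (here a placeholder path) keeps tripping the control,
#    allow that one binary explicitly instead of turning the feature off.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'
```

After step 42 you should see a fresh 1123 event naming powershell_ise.exe and the Documents path; if the state reads 0, the Intune sync from step 36 has not applied yet.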

5.4.2 Traditional Management

Follow the sections below to manage Windows Defender Exploit Guard through traditional management tools.

5.4.2.1 Exploit Protection

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Configure Program-Level Mitigations

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.

2. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection settings at the bottom of the screen.

3. Go to the Program settings section and click Add program to customize.

4. Click on Add by program name and type notepad.exe. Click Add.

5. On the next window, scroll down and on Disable Win32k system calls, select Override system settings and choose On.

6. You will be notified if you need to restart the process or app, or if you need to restart Windows. Click Apply and accept the UAC prompt.


7. Try to open notepad.exe. Notice the error message. Click OK.

Create and Export a Configuration File

8. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.

9. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection settings at the bottom of the screen.

10. At the bottom of the Exploit protection section, click Export settings and then save the configuration file under Documents.

11. Copy the file to DC1 in a shared folder with full permissions.

Complete these steps on the DC1 virtual machine.

Distribute the Configuration File with Group Policy

12. On your Group Policy management machine, open the Group Policy Management Console, right-click Group Policy Objects and create a new GPO named WDEG.

13. Right-click the new Group Policy WDEG and click Edit.

14. In the Group Policy Management Editor, go to Computer Configuration.

15. Click Policies, then Administrative Templates.

16. Expand the tree to Windows Components > Windows Defender Exploit Guard > Exploit Protection.

17. Double-click the Use a common set of exploit protection settings setting and set the option to Enabled.

18. In the Options section, enter the location and filename of the Exploit Protection configuration file that you saved in the previous section, in UNC format including the file name and its extension, and click Apply | OK.
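The same per-program mitigation and export can be done with the ProcessMitigations cmdlets, which is useful when you need to script the CLIENT1 steps or inspect the XML before handing it to the GPO. This is an added example, not code from the guide; it assumes an elevated session on CLIENT1 and the export path shown.

```powershell
# Added example, not from the lab guide: script steps 4-10 of this section with
# the ProcessMitigations module instead of the Security Center UI.

# 1. Apply the override for notepad.exe. As in the lab, "Disable Win32k system
#    calls" makes a GUI app like Notepad fail to start, which is what step 7 shows.
Set-ProcessMitigation -Name notepad.exe -Enable DisableWin32kSystemCalls

# 2. Read back the effective per-program configuration.
Get-ProcessMitigation -Name notepad.exe

# 3. Export every per-program setting to XML. This is the same artifact that
#    "Export settings" produces and that the "Use a common set of exploit
#    protection settings" policy consumes (assumed path under Documents).
$export = Join-Path $env:USERPROFILE 'Documents\ExploitProtectionSettings.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export

# 4. Check the file before copying it to the DC1 share: the Notepad entry should
#    carry SystemCalls DisableWin32kSystemCalls="true".
[xml]$cfg = Get-Content -Path $export
$cfg.MitigationPolicy.AppConfig |
    Where-Object { $_.Executable -eq 'notepad.exe' } |
    ForEach-Object {
        "notepad.exe -> DisableWin32kSystemCalls = $($_.SystemCalls.DisableWin32kSystemCalls)"
    }

# 5. Undo the demo on this machine (removes the override so Notepad starts again).
# Set-ProcessMitigation -Name notepad.exe -Remove -Disable DisableWin32kSystemCalls
```

Keep the exported XML small and deliberate: whatever is in that file becomes the baseline for every computer the WDEG GPO reaches.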

5.4.2.2 Attack Surface Reduction

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Distribute the Configuration File with Group Policy

1. On your Group Policy management machine, open the Group Policy Management Console, and right-click the Group Policy Object WDEG.

2. Click Edit.

3. In the Group Policy Management Editor, go to Computer Configuration.

4. Click Policies, then Administrative Templates.

5. Expand the tree to Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction.

6. Double-click the Configure Attack Surface Reduction rules setting and set the option to Enabled. Click Show... and enter the following rule ID in Value name: D3E037E1-3EB8-44C8-A917-57927947596D

7. Set the Value to 1 and click OK.

8. Right-click the root domain, click Link an Existing GPO, select WDEG and click OK.

Note: The above rule will block JavaScript or VBScript from launching downloaded executable content, as well as blocking notepad.exe from launching. Run gpupdate /force on the CLIENT2 VM.
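To see the rule take effect on CLIENT2 without guessing, the following added PowerShell snippet (not part of the guide) reads the rule's current action with the Defender cmdlets and lists the rule-hit events. It assumes an elevated session and uses the rule ID from step 6; the audit-mode step is an optional preliminary, the GPO value 1 is the enforced mode the lab sets.

```powershell
# Added example, not from the lab guide: verify the Attack Surface Reduction rule
# the WDEG GPO pushes (rule ID taken from step 6 above).
$ruleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'

# 1. Optional, before the GPO is linked: run the rule in audit mode locally so the
#    log shows what it would block. A GPO-delivered action overrides this value.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. After gpupdate /force, read the effective action for this rule.
#    Actions: 0 = Disabled, 1 = Block (the lab's GPO value), 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $ruleId) {
        "Rule $ruleId action = $($pref.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# 3. Rule hits from the Defender operational log.
#    Event ID 1121 = blocked by an ASR rule, 1122 = audit-mode hit.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Switch the local setting to enforcement once the audit entries look clean.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
```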

5.5 Windows Hello

Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. In this lab, you will find all the information to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment.

5.5.1 Modern Management

Follow the sections below to manage Windows Hello for Business through modern management tools.

5.5.1.1 Windows Hello for Business

In this lab we are going to set up Windows Hello for Business in the cloud.

Task Detailed Steps

Complete these steps from a physical machine or an Internet-connected Windows computer.

Configuring Windows Hello for Business

1. Close all browser windows.

2. Start Internet Explorer in InPrivate mode.

3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

4. On the left navigation bar, click All services.

5. Enter “Intune” in search.

6. Click on Intune.

7. Select “Device enrollment”.

8. Select “Windows enrollment”.

9. Select “Windows Hello for Business”.

10. Choose the Default settings.

11. Select “Properties” and review.

12. Select “Settings”.

13. Enable “Windows Hello for Business”.

14. Review possible settings.

15. Select Save.

Setting up your PIN for the First Time

5.5.2 Traditional Management

Follow the sections below to manage Windows Hello for Business through traditional management tools.

5.5.2.1 Validate Active Directory Prerequisites

The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Create the KeyCredential Admins Security Global Group

1. Open Active Directory Users and Computers.

2. Click View and click Advanced Features.

3. Expand the domain node from the navigation pane.

4. Right-click the Users container. Click New > Group.

5. Type KeyCredential Admins in the Group name text box.

6. Click OK.


Create the Windows Hello for Business Users Security Global Group

7. Right-click the Users container. Click New > Group.

8. Type Windows Hello for Business Users in the Group name text box.

9. Click OK.

5.5.2.2 Validate and Configure PKI

Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.

Note: The following instructions may be used to deploy a simple public key infrastructure that is suitable for a lab environment.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Configure a Domain Controller Certificate

1. Open the Certification Authority management console.

2. Right-click Certificate Templates and click Manage.

3. In the Certificate Templates Console, right-click the Kerberos Authentication template in the details pane and click Duplicate Template.

4. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.

5. On the General tab, type Domain Controller Authentication (Kerberos) in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.

Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.

6. On the Subject Name tab, select the Build from this Active Directory information button if it is not already selected. Select None from the Subject name format list. Select DNS name from the Include this information in alternate subject name. Clear all other items.

7. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.

8. Close the console.

Configure an Internal Web Server Certificate Template

9. Right-click Certificate Templates and click Manage.

10. In the Certificate Templates Console, right-click the Web Server template in the details pane and click Duplicate Template.

11. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.

12. On the General tab, type Internal Web Server in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.

Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.

13. On the Request Handling tab, select Allow private key to be exported.

14. On the Subject Name tab, select the Supply in the request button if it is not already selected.

15. On the Security tab, click Add… Type Domain Computers in the Enter the object names to select box. Click Check Names | OK. Select the Allow check box next to the Enroll permission.

16. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.

17. Close the console.

Unpublish Superseded Certificate Templates

18. Click Certificate Templates in the navigation pane.

19. Right-click the Domain Controller certificate template in the content pane and select Delete. Click Yes on the Disable certificate templates window.

20. Repeat Step 19 for the Domain Controller Authentication and Kerberos Authentication certificate templates.

Publish Certificate Templates to the Certification Authority

21. Click Certificate Templates in the navigation pane.

22. Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.

23. In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Click OK to publish the selected certificate templates to the certification authority.

24. Close the console.

Configure and Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object

25. Start the Group Policy Management Console (gpmc.msc).

26. Expand the domain and select the Group Policy Objects node in the navigation pane.

27. Right-click Group Policy Objects and select New.

28. Type Domain Controller Auto Certificate Enrollment in the Name box and click OK.

29. Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and click Edit.

30. In the navigation pane, expand Policies under Computer Configuration.

31. Expand Windows Settings, Security Settings, and click Public Key Policies.

32. In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.

33. Select Enabled from the Configuration Model list.

34. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

35. Select the Update certificates that use certificate templates check box.

36. Click Apply and OK. Close the Group Policy Management Editor.

37. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the Domain Controllers organizational unit and click Link an Existing GPO…

38. In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created and click OK.

5.5.2.3 Prepare and Deploy Windows Server 2016 Active Directory Federation Services

Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Internal Server Authentication Certificate Enrollment

1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.

2. Expand the Personal node in the navigation pane.

3. Right-click Personal. Select All Tasks and Request New Certificate…

4. Click Next on the Before You Begin page.

5. Click Next on the Select Certificate Enrollment Policy page.

6. On the Request Certificates page, select the Internal Web Server check box.

7. Click the More information is required to enroll for this certificate. Click here to configure settings link.

8. Under Subject name, select Common name from the Type list. Type the FQDN of the computer hosting the Active Directory Federation Services role (app1.corp.olympia.local) and then click Add. Under Alternative name, select DNS from the Type list. Type the FQDN of the name you will use for your federation services (fs.corp.olympia.local). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click Add. Click Apply and OK when finished.

9. Click Enroll. Click Finish.

10. A server authentication certificate should appear in the computer’s Personal certificate store.

Deploy the Active Directory Federation Service Role

11. Start Server Manager. Click Local Server in the navigation pane.

12. Click Manage and then click Add Roles and Features.

13. Click Next on the Before you begin page.

14. On the Select installation type page, select Role-based or feature-based installation and click Next.

15. On the Select destination server page, choose Select a server from the server pool. Select the federation server from the Server Pool list. Click Next.

16. On the Select server roles page, select Active Directory Federation Services. Click Next.

17. Click Next on the Select features page.

18. Click Next on the Active Directory Federation Services (AD FS) page.

19. Click Install to start the role installation.

20. Click Close.

Complete these steps on the DC1 virtual machine.

Create KDS Root Key

21. Start an elevated Windows PowerShell console. Accept the UAC prompt if required.

22. Type and execute Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).

Complete these steps on the APP1 virtual machine.

Configure the Active Directory Federation Service Role

23. Start Server Manager.

24. Click the notification flag in the upper right corner. Click Configure the federation service on this server.

25. On the Welcome page, click Create the first federation server in a federation server farm and click Next.

26. Click Next on the Connect to Active Directory Domain Services page.

27. On the Specify Service Properties page, select the recently enrolled or imported certificate from the SSL Certificate (app1.corp.olympia.local) and Federation Service Name (fs.corp.olympia.local) list.

28. Type the Federation Service Display Name (Hello) in the text box. This is the name users see when signing in. Click Next.

29. On the Specify Service Account page, select Create a Group Managed Service Account. In the Account Name box, type adfssvc. Click Next.

30. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and click Next.

31. On the Review Options page, click Next.

32. On the Pre-requisite Checks page, click Configure.

33. When the process completes, click Close.

Complete these steps on the DC1 virtual machine.

Add the AD FS Service Account to the KeyCredential Admin Group and the WHfB Users Group

34. Open Active Directory Users and Computers.

35. Click the Users container in the navigation pane.

36. Right-click KeyCredential Admins in the details pane and click Properties.

37. Click the Members tab and click Add…

38. In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.

39. Click Apply and OK to return to Active Directory Users and Computers.

40. Right-click the Windows Hello for Business Users group and click Properties.

41. Click the Members tab and click Add…

42. In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.

43. Click Apply and OK to return to Active Directory Users and Computers.

44. Switch to the server hosting the AD FS role (APP1) and restart it.

Configure Permissions for Key Registration

45. Open Active Directory Users and Computers.

46. Right-click your domain name in the navigation pane and click Properties.

47. Click Security (NOTE: If the Security tab is missing, turn on Advanced Features from the View menu).

48. Click Advanced. Click Add. Click Select a principal.

49. The Select User, Computer, Service Account, or Group dialog box appears. In the Enter the object name to select text box, type KeyCredential Admins. Click Check Names | OK.

50. In the Applies to list box, select Descendant User objects.


51. Using the scroll bar, scroll to the bottom of the page and click Clear all.

52. In the Properties section, select Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.

53. Then Click OK three times to complete the task.
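Because a wrong "Applies to" scope or a missing Write permission in steps 45-53 only shows up later as a silent provisioning failure, it is worth checking the resulting ACE directly. The following is an added PowerShell check (not part of the guide); it assumes the ActiveDirectory module on DC1 and the KeyCredential Admins group from step 5.

```powershell
# Added example, not from the lab guide: confirm that KeyCredential Admins holds
# Read and Write on msDS-KeyCredentialLink, inherited by descendant user objects,
# on the domain head. Run in an elevated PowerShell session on DC1.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$schema  = $rootDse.schemaNamingContext

# Resolve the two schema GUIDs the ACE is keyed on instead of hard-coding them:
# the attribute (ObjectType) and the user class (InheritedObjectType).
$attrGuid = [guid](Get-ADObject -SearchBase $schema `
    -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schema `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$group = Get-ADGroup -Identity 'KeyCredential Admins'
$acl   = Get-Acl -Path ('AD:\' + $rootDse.defaultNamingContext)

# The GUI may write one ACE carrying both rights or split them; collect all that match.
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$($group.SamAccountName)" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $userGuid
}
$rights = ($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ', '

if ($rights -match 'ReadProperty' -and $rights -match 'WriteProperty') {
    "OK: $($group.Name) can read and write msDS-KeyCredentialLink on descendant user objects."
} else {
    "MISSING: expected ACE not found (got: '$rights'). Re-check steps 45-53, including Applies to = Descendant User objects."
}

# After AD FS has registered a key for a user, the value is visible on the account
# (empty until the user provisions Windows Hello); TU1 is a lab user from section 5.4.1.1.
# Get-ADUser -Identity TU1 -Properties msDS-KeyCredentialLink | Select-Object -ExpandProperty msDS-KeyCredentialLink
```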

Complete these steps on the APP1 virtual machine.

Configure the Device Registration Service

54. Open the AD FS Management console. Accept the UAC prompt.

55. In the navigation pane, expand Service. Click Device Registration.

56. In the details pane, click Configure device registration.

57. In the Configure Device Registration dialog, click OK.

Complete these steps on the DC1 virtual machine.

Configure Registration Authority Template

58. Open the Certification Authority management console.

59. Right-click Certificate Templates and click Manage.

60. In the Certificate Templates Console, right-click the Exchange Enrollment Agent (Offline request) template in the details pane and click Duplicate Template.

61. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.

62. On the General tab, type WHFB Enrollment Agent in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.

63. On the Subject Name tab, select the Supply in the request button if it is not already selected.

Note: The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option, and using it will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.

64. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.

65. On the Security tab, click Add…

66. Click Object Types… Select the Service Accounts check box and click OK.

67. Type adfssvc in the Enter the object names to select text box and click Check Names | OK.

68. Click adfssvc in the Group or user names list. In the Permissions for adfssvc section, select the Allow check box for the Enroll permission. Excluding the adfssvc user, clear the Allow check box for the Enroll and Autoenroll permissions for all other items in the Group or user names list if the check boxes are not already cleared. Click Apply and OK.

69. Close the console.

Configure the WHfB Authentication Certificate Template

70. Right-click Certificate Templates and click Manage.

71. Right-click the Smartcard Logon template and choose Duplicate Template.

72. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.

73. On the General tab, type WHFB Authentication in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.

Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment.

74. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.

75. On the Extensions tab, verify the Application Policies extension includes Smart Card Logon.

76. On the Issuance Requirements tab, select the ‘This number of authorized signatures’ check box. Type ‘1’ in the text box. Select Application policy from the Policy type required in signature. Select Certificate Request Agent from the Application policy list. Select the Valid existing certificate option.

77. On the Subject Name tab, select the Build from this Active Directory information button if it is not already selected. Select Fully distinguished name from the Subject name format list if Fully distinguished name is not already selected. Select the User principal name (UPN) check box under Include this information in alternate subject name.

78. On the Request Handling tab, select the Renew with the same key check box.

79. On the Security tab, click Add… Type Windows Hello for Business Users in the Enter the object names to select text box and click Check Names | OK.

80. Click the Windows Hello for Business Users from the Group or user names list. In the Permissions for Windows Hello for Business Users section, select the Allow check box for the Enroll permission. Excluding the Windows Hello for Business Users group, clear the Allow check box for the Enroll and Autoenroll permissions for all other entries in the Group or user names section if the check boxes are not already cleared. Click Apply and OK.

81. Close the console.

Complete these steps on the APP1 virtual machine.


Mark the Template as the Windows Hello Sign-In Template

82. Open an elevated command prompt. Accept the UAC prompt.

83. Run:

certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

Complete these steps on the DC1 virtual machine.

Publish Enrollment Agent and WHfB Authentication Templates to the Certification Authority

84. Open the Certification Authority management console.

85. Expand the parent node in the navigation pane.

86. Click Certificate Templates in the navigation pane.

87. Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.

88. In the Enable Certificate Templates window, select the WHFB Enrollment Agent template you created in the previous steps. Click OK to publish the selected certificate template to the certification authority.

89. Publish the WHFB Authentication certificate template using Step 88.

90. Close the console.

Complete these steps on the APP1 virtual machine.

Configure the Registration Authority

91. Open an elevated Windows PowerShell prompt. Accept the UAC prompt.

92. Type and execute the following command Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

Complete these steps on the DC1 virtual machine.

Configure DNS for Device Registration

93. Open the DNS management console.

94. In the navigation pane, expand the domain controller name node and Forward Lookup Zones.

95. In the navigation pane, select the node that has the name of your internal Active Directory domain.

96. In the navigation pane, right-click the domain name node and click New Host (A or AAAA)…

97. In the Name box, type the name of the federation service (fs). In the IP address box, type the IP address of your federation server (10.0.0.9). Click Add Host. Click OK | Done.

98. Close the DNS Management console.

Create an Intranet Zone Group Policy

99. Start the Group Policy Management Console (gpmc.msc).

100. Expand the domain and select the Group Policy Objects node in the navigation pane.

101. Right-click Group Policy Objects and select New.

102. Type Intranet Zone Settings in the name box and click OK.

103. In the content pane, right-click the Intranet Zone Settings Group Policy object and click Edit.

104. In the navigation pane, expand Policies under Computer Configuration.

105. Expand Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel, and select Security Page.

106. In the content pane, double-click Site to Zone Assignment List. Click Enabled.

107. Click Show… In the Value name column, type the url of the federation service beginning with https (https://fs.corp.olympia.local). In the Value column, type the number 1. Click OK.

108. Click Apply | OK.

109. Close the Group Policy Management Editor.

Deploy the Intranet Zone Group Policy

110. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click Link an Existing GPO…

111. In the Select GPO dialog box, select Intranet Zone Settings or the name of the Windows Hello for Business Group Policy object you previously created and click OK.

5.5.2.4 Validate and Deploy Multifactor Authentication Services (MFA)

Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Download the MFA Server

1. Sign in to the Azure portal as an administrator.

2. On the left, select Azure Active Directory.

3. Select Users.

4. Select All users.

5. Select More | Multi-Factor Authentication.

6. Under the multi-factor authentication section, select service settings.

7. On the service settings page, at the bottom of the screen click Go to the portal; a new page will open.

8. Click Download; another new page will open.

9. Click the Download link and save the installer.

10. Keep all these pages open, as we will refer to them after running the installer.

Install and Configure the MFA Server

11. Double-click the executable and click Install to install the prerequisites. Follow the prompts until those are installed.

12. Select I Agree and click Next.

13. On the Select Installation Folder screen, make sure that the folder is correct and click Next. Accept the UAC prompt.

14. Once the installation is complete, click Finish.

15. Start the Multi-Factor Authentication Server and accept the UAC prompt.

16. Back on the page that you downloaded the server from, click the Generate link. Copy this information into the Azure MFA Server in the boxes provided and click Activate. Cancel any prompts.

5.5.2.5 Configure and Deploy Multifactor Authentication Services

Standalone MFA Server: The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers host read-only partitions of the configuration database. All production environments should deploy a minimum of two MFA servers.

For this lab, the primary MFA server uses the name mfa or mfa.corp.olympia.local. All secondary servers use the name mfan or mfan.corp.olympia.local, where n is the number of the deployed MFA server.

The primary MFA server is also responsible for synchronizing from Active Directory; therefore, it should be domain joined and fully patched.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Enroll for Server Authentication

1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.

2. Expand the Personal node in the navigation pane.

3. Right-click Personal. Select All Tasks and Request New Certificate…

4. Click Next on the Before You Begin page.

5. Click Next on the Select Certificate Enrollment Policy page.

6. On the Request Certificates page, select the Internal Web Server check box.

7. Click the More information is required to enroll for this certificate. Click here to configure settings link.

8. Under Subject name, select Common Name from the Type list. Type the FQDN of the primary MFA server and then click Add (app1.corp.olympia.local). Click Apply and OK when finished.

9. Click Enroll.

10. Click Finish.

Install the Web Server Role

11. Install the following services if they are not already installed:

Common HTTP Features > Default Document
Common HTTP Features > Directory Browsing
Common HTTP Features > HTTP Errors
Common HTTP Features > Static Content
Health and Diagnostics > HTTP Logging
Performance > Static Content Compression
Security > Request Filtering
Security > Basic Authentication
Management Tools > IIS Management Console
Management Tools > IIS 6 Management Compatibility
Application Development > ASP & ASP.NET <AllVersions>

Update the Server

12. Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.

Configure the IIS Server’s Certificate

13. Start the Internet Information Services (IIS) Manager console.

14. In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.

15. In the Actions pane, click Bindings…

16. In the Site Bindings dialog, click Add…

17. In the Add Site Binding dialog, select https from the Type list. In the SSL certificate list, select the certificate (app1.corp.olympia.local) with the name that matches the FQDN of the computer.

18. Click OK. Click Close. From the Actions pane, click Restart.


Complete these steps on the DC1 virtual machine.

Create Phonefactor Admin Group

19. Open Active Directory Users and Computers.

20. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the Users container, select New, and select Group.

21. In the New Object – Group dialog box, type Phonefactor Admins in Group name.

22. Click OK.

Add Accounts to the Phonefactor Admins Group

23. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.

24. Click the Members tab.

25. Click Add… Click Object Types… In the Object Types dialog box, select Computers and click OK. Enter the following user and/or computer accounts in the Enter the object names to select box and then click Check Names | OK | Apply | OK.

The computer account for the primary MFA Server (APP1).

Group or User account that will manage the User Portal Server (Domain Admins).

User Portal Server:

The User Portal is an Internet Information Services (IIS) web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign-on. Users log in to the User Portal using their normal username and password and then either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user configures their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Enroll for Server Authentication

1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.

2. Expand the Personal node in the navigation pane.

3. Right-click Personal. Select All Tasks and Request New Certificate…

4. Click Next on the Before You Begin page.

5. Click Next on the Select Certificate Enrollment Policy page.

6. On the Request Certificates page, select the Internal Web Server check box.

7. Click the More information is required to enroll for this certificate. Click here to configure settings link.

8. Under Subject name, select Common name from the Type list. Type the FQDN of the primary MFA server and then click Add (app1.corp.olympia.local).

9. Under Alternative name, select DNS from the Type list. Type the FQDN of the name you will use for your User Portal service and then click Add (mfaweb.corp.olympia.local).

10. Click Apply and OK when finished.

11. Click Enroll.

12. Click Finish.

Configure the IIS Server’s Certificate

13. Start the Internet Information Services (IIS) Manager console.

14. In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.

15. In the Actions pane, click Bindings…

16. In the Site Bindings dialog, click Add…

17. In the Add Site Binding dialog, select https from the Type list and select a port other than 443 (for example, 444). In the SSL certificate list, select the certificate (app1.corp.olympia.local) with the name that matches the FQDN of the computer.

18. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create WebServices SDK User Account

19. Open Active Directory Users and Computers.

20. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the Users container, select New, and select User.

21. In the New Object – User dialog box, type PFWSDK_ in the First name and User logon name boxes, which is the name of the primary MFA server running the Web Services SDK. Click Next.

22. Type a strong password and confirm it in the respective boxes. Clear User must change password at next logon. Click Next. Click Finish to create the user account.

Add the MFA SDK User Account to the Phonefactor Admins Group

23. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.

24. Click the Members tab.

25. Click Add… Type the PFWSDK_ user name in the Enter the object names to select box and then click Check Names | OK | Apply | OK. The group membership should now show the following:

The computer account for the primary MFA Server (APP1).

The Web Services SDK user account (PFWSDK_).

Group or User account that will manage the User Portal Server (Domain Admins).

5.5.2.6 Installing Standalone Azure MFA Server

When you install Azure Multi-Factor Authentication Server, you have the following options:

1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS (this option will be used for this LAB).

2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments).


Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Secure Windows Server AD FS with Azure Multi-Factor Authentication Server

1. In the Azure Multi-Factor Authentication Server management console, click the AD FS icon. Select the options Allow user enrollment and Allow users to select method.

2. Click Install AD FS Adapter…

3. If the Active Directory window is displayed, that means two things: your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to automatically complete this configuration, or select the Skip automatic Active Directory configuration and configure settings manually check box to proceed.

4. If the Local Group window is displayed, that means two things: your computer is not joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to automatically complete this configuration, or select the Skip automatic Local Group configuration and configure settings manually check box.

5. In the installation wizard, click Next. Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group.

6. On the Launch Installer page, click Next.

7. In the Multi-Factor Authentication AD FS Adapter installer, click Next.

8. Click Close when the installation is finished.

9. When the adapter has been installed, you must register it with AD FS. Open an elevated Windows PowerShell, accept the UAC prompt and run the following command (the path contains spaces, so it must be quoted and invoked with the call operator):

& "C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1"

10. To use your newly registered adapter, edit the authentication method in AD FS. In the AD FS management console, go to the Authentication Methods node under Service. In the Multi-factor Authentication Methods section, click the Edit link. In the Edit Authentication Methods window, select Azure Multi-Factor Authentication Server as an additional authentication method, and then click Apply | OK. The adapter is registered as Azure Multi-Factor Authentication Server. Restart the AD FS service for the registration to take effect.

11. At this point, Multi-Factor Authentication Server is set up to be an additional authentication provider to use with AD FS.

Configure Company Settings

12. Start the Multi-Factor Authentication Server application. Accept the UAC prompt.

13. Click Company Settings.

14. On the General tab, select Fail Authentication from the When Internet is not accessible list.

15. In User defaults, select Phone call or Text message.

16. Select Enable Global Services if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.

17. Clear the User can change phone check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration.

18. Select Fail Authentication from the When user is disabled list. Users should provision their account through the user portal.

19. Select the appropriate language from the Phone call language, Text message language, Mobile app language, and OATH token language lists.

20. Under Default PIN rules, select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal.

21. Configure the Minimum length for the PIN.

22. Select the Prevent weak PINs check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker; the following are not allowed:

3 sequential digits.

3 repeating digits.

Any 4-digit subset of the user's phone number.

If you clear this box, then there are no restrictions on PIN format. For example: a user tries to reset their PIN to 1235 and is rejected because it's a weak PIN. The user will be prompted to enter a valid PIN.

23. Select the Expiration days check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid.

24. Select the PIN history check box if you want to remember previously used PINs for the user. PIN history stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN history is stored. The default value is 5 and range is 1 to 10.
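As an added illustration (not code from the lab guide or from the MFA Server product), the following PowerShell function applies the three weak-PIN rules from step 22 to a candidate PIN so an administrator can explain why a PIN such as 1235 is rejected. It assumes a constructed phone number, reads "4 digit subset" as any four consecutive PIN digits that also appear in the phone number, and does not contact the MFA Server; the function name Test-WeakPin is my own.

```powershell
function Test-WeakPin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pin,
        [string]$PhoneNumber = '',   # user's phone as stored in AD, any formatting
        [int]$MinimumLength = 4      # mirrors the "Minimum length" company setting
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Basic format checks before the pattern rules
    if ($Pin -notmatch '^\d+$') {
        $reasons.Add('PIN must contain digits only')
        return [pscustomobject]@{ Pin = $Pin; IsWeak = $true; Reasons = $reasons.ToArray() }
    }
    if ($Pin.Length -lt $MinimumLength) {
        $reasons.Add("PIN is shorter than the minimum length of $MinimumLength")
    }

    # Rule 1: 3 sequential digits, ascending (e.g. 123) or descending (e.g. 321)
    # [string] cast first so '1' becomes 1, not the character code 49
    [int[]]$digits = $Pin.ToCharArray() | ForEach-Object { [int][string]$_ }
    for ($i = 0; $i -le $digits.Count - 3; $i++) {
        $step1 = $digits[$i + 1] - $digits[$i]
        $step2 = $digits[$i + 2] - $digits[$i + 1]
        if (($step1 -eq 1 -and $step2 -eq 1) -or ($step1 -eq -1 -and $step2 -eq -1)) {
            $reasons.Add("contains 3 sequential digits ($($Pin.Substring($i, 3)))")
            break
        }
    }

    # Rule 2: 3 repeating digits, e.g. 1117 or 8555
    if ($Pin -match '(\d)\1\1') {
        $reasons.Add("contains 3 repeating digits ($($Matches[0]))")
    }

    # Rule 3: any 4-digit run of the PIN that also appears in the user's phone number
    # (assumption: "4 digit subset" means 4 consecutive digits; only digits are compared)
    $phoneDigits = $PhoneNumber -replace '\D', ''
    if ($phoneDigits.Length -ge 4) {
        for ($i = 0; $i -le $Pin.Length - 4; $i++) {
            $window = $Pin.Substring($i, 4)
            if ($phoneDigits.Contains($window)) {
                $reasons.Add("contains 4 digits of the user's phone number ($window)")
                break
            }
        }
    }

    [pscustomobject]@{
        Pin     = $Pin
        IsWeak  = ($reasons.Count -gt 0)
        Reasons = $reasons.ToArray()
    }
}

# Constructed sample input: the phone number is made up for this example
$phone = '+1 425 555 0198'
foreach ($candidate in '1235', '8555', '5501', '2746') {
    $result = Test-WeakPin -Pin $candidate -PhoneNumber $phone
    if ($result.IsWeak) { "$candidate rejected: $($result.Reasons -join '; ')" }
    else                { "$candidate accepted" }
}
```

With the constructed phone number, 1235, 8555 and 5501 are rejected (one per rule) and 2746 is accepted.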

Configure Directory Integration Settings and Synchronization

25. From the Multi-Factor Authentication Server window, click the Directory Integration icon.

26. Click the Settings tab.

27. Select Use Active Directory.

28. Select Include trusted domains to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance.

Add Test User to WHfB Group

Complete these steps on the DC1 virtual machine.

29. Open Active Directory Users and Computers.

30. Click the CORP | USERS OU in the navigation pane.

31. Right-click TestUser1 and click Properties.

32. Click the Telephones tab and enter a Mobile number including the country code.

33. Click the Member Of tab and click Add…

34. In the Enter the object names to select text box, type Windows Hello for Business Users. Click Check Names | OK.

35. Click Apply | OK to return to Active Directory Users and Computers.

Add a Synchronization Item

Complete these steps on the APP1 virtual machine.

36. Click the Synchronization tab.

37. On the Synchronization tab, click Add…

38. In the Add Synchronization Item dialog, select Security Groups from the View list.

39. Select the group you are using for replication from the list of groups (Windows Hello for Business Users).

40. Select Selected Security Group – Recursive or, if you do not plan to nest groups, select Security Group from the Import list.

41. Select Add new users and Update existing users.

42. Select the attributes appropriate for your environment for Import phone and Backup.

43. Select Enabled and select Only New Users with Phone Number from the list.

44. Click Add | OK | Close.

45. Ensure that the following checkboxes are selected: Enable synchronization with Active Directory, Synchronization interval: minute, and Require administrator approval when disabled or removed users exceed threshold 5.

46. Click Synchronize Now. Click OK.

Install the Web Service SDK

47. From the Multi-Factor Authentication Server window, click the Web Service SDK icon and click Install Web Service SDK…

48. Select the Site as Default Web Site, Virtual directory as MultiFactorAuthWebServiceSdk and Application Pool as DefaultAppPool. Click Next.

49. Once installed, click Close.

Edit the MFA AD FS Adapter Config File

50. Copy the below 4 files from C:\Program Files\Multi-Factor Authentication Server to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk:

MultiFactorAuthenticationAdfsAdapterSetup64.msi
Register-MultiFactorAuthenticationAdfsAdapter.ps1
Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
MultiFactorAuthenticationAdfsAdapter.config

51. Browse to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk (or appropriate directory based on the virtual directory name) and edit the MultiFactorAuthenticationAdfsAdapter.config file.

52. Locate the UseWebServiceSdk key and change the value from false to true.

53. Locate the WebServiceSdkUsername key and set the value to the username of the Web Service SDK account in the PhoneFactor Admins security group. Use a qualified username, like domain\username or machine\username (CORP\PFWSDK_).

54. Locate the WebServiceSdkPassword key and set the value to the password of the Web Service SDK account in the PhoneFactor Admins security group. (P@ssw0rd).

55. Locate the WebServiceSdkUrl key and set the value to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (https://app1.corp.olympia.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the MultiFactorAuthenticationAdfsAdapter.config file after changes have been made.

Edit the ADFS Adapter Windows PowerShell Cmdlet

56. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding -ConfigurationFilePath <path> to the end of the Register-AdfsAuthenticationProvider command, where <path> is the full path to the MultiFactorAuthenticationAdfsAdapter.config file: C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk\MultiFactorAuthenticationAdfsAdapter.config.

Run the ADFS Adapter Windows PowerShell Cmdlet

Note: At this stage, do not run the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell to register the adapter because the adapter is already registered as WindowsAzureMultiFactorAuthentication.

57. Restart the ADFS service for the changes to take effect.

Test AD FS with the Multifactor Authentication Connector

58. In the Multi-Factor Authentication server, on the left, click Users.

59. In the list of users, select a user (TestUser1) that is enabled and has a valid phone number to which you have access.

60. Click Test…

61. In the Test User dialog, provide the user’s password to authenticate the user to Active Directory and click Test.

62. Enter the one-time passcode once received on the phone and click OK.

63. Click OK on the Authentication successful message and click Close.

The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.


5.5.2.7 Configure Windows Hello for Business Policy Settings

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Create the WHfB GPO

1. Start the Group Policy Management Console (gpmc.msc).

2. Expand the domain and select the Group Policy Objects node in the navigation pane.

3. Right-click Group Policy Objects and select New.

4. Type Enable Windows Hello for Business in the Name box and click OK.

5. In the content pane, right-click the Enable Windows Hello for Business Group Policy object and click Edit.

6. In the navigation pane, expand Policies under User Configuration.

7. Expand Administrative Templates > Windows Components, and select Windows Hello for Business.

8. In the content pane, double-click Use Windows Hello for Business. Click Enabled and click Apply | OK.

9. Double-click Use certificate for on-premises authentication. Click Enabled and click Apply | OK.

Configure Automatic Certificate Enrollment

10. In the navigation pane, expand Policies under User Configuration.

11. Expand Windows Settings > Security Settings, and click Public Key Policies.

12. In the details pane, double-click Certificate Services Client – Auto-Enrollment.

13. Select Enabled from the Configuration Model list.

14. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

15. Select the Update certificates that use certificate templates check box.

16. Click Apply | OK. Close the Group Policy Management Editor.

Configure Security in the WHfB GPO

17. Double-click the Enable Windows Hello for Business Group Policy object.

18. In the Security Filtering section of the content pane, click Add… Type Windows Hello for Business Users or the name of the security group you previously created and click Check Names | OK.

19. Click the Delegation tab. Select Authenticated Users and click Advanced…

20. In the Group or user names list, select Authenticated Users. In the Permissions for Authenticated Users list, clear the Allow check box for the Apply group policy permission. Click Apply | OK.


Deploy the WHfB GPO

21. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click Link an Existing GPO…

22. In the Select GPO dialog box, select Enable Windows Hello for Business or the name of the Windows Hello for Business Group Policy object you previously created and click OK.

Note that linking the Windows Hello for Business Group Policy object to the domain puts the Group Policy object in scope for all domain users. However, not all users will have the policy settings applied to them: only users who are members of the Windows Hello for Business Users group receive the policy settings, because the security filtering and the removed Apply group policy permission for Authenticated Users cause all other users to ignore the Group Policy object.

5.5.2.8 Validate Windows Hello

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Validate Policies

1. Restart the machine. Restart DC1 and APP1 as well and wait for some time.

2. Log in as TestUser1.

5.6 Credential Guard

In this lab, you will activate Credential Guard.

Credential Guard provides an additional layer of protection for secrets, specifically domain user credentials, by storing them in a container secured by Virtual Secure Mode (VSM), which is based on Virtualization Based Security (VBS). These containers are isolated from both the kernel and user mode, making it considerably harder for an attacker, even one who has already compromised the system, to steal the credentials directly from the Local Security Authority Subsystem (LSASS), for example.

Before working on this lab, you must have:

A physical computer with a Trusted Platform Module (TPM) chip (2.0 recommended) and a CPU with VT-x and VT-d capabilities.

Windows 10 Enterprise running on the Host.

Local Administrator Account.

It is recommended that you use a Host for testing purposes. Please do not use your personal machines. Also, the Host must not be domain joined into your company domain, so that there are no compliance or configuration/support issues.

Note: The machine (Virtual or Physical) should have Hyper-V, TPM and Secure Boot Enabled.

5.6.1 Check Credential Guard Requirements

In this exercise, you will:

Check if the requirements for Credential Guard are fulfilled.

Manually activate Credential Guard and its dependencies.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine or a physical machine.

System Verification

1. Open MSINFO32.EXE (elevated) and check that:

BIOS Mode = UEFI

Secure Boot State = On

Note: Only TPM, Secure Boot and Hyper-V Roles are enabled and checked.

2. If any of the above values are not enabled, then boot into your BIOS/UEFI and activate them.

3. Note that if UEFI is in CSM (compatibility) mode, changing it to UEFI Native will require the partition layout to be GPT instead of MBR (requires formatting the hard drive).

TPM Verification

4. Open TPM.MSC and make sure that the TPM is turned on.

5. If the TPM is turned off or not visible, make sure that it exists physically and is enabled in the BIOS/UEFI.

6. If the TPM is turned on but not initialized:

a. Create the TPM owner password using the Automatically create the password option.

b. In the Save your TPM owner password dialog, click Save the password, select a location to save the password, and then click Save (the file is saved as computer_name.tpm).

c. Click Initialize.

d. After this, the TPM should be ready for use.

Note: The recommended version of TPM is 2.0. Windows might refuse to activate Credential Guard if the computer contains an older TPM version/revision.

Enable Required Features

7. Go to Control Panel > Programs > Turn Windows features on or off.

8. Check Hyper-V.

9. Click OK.

10. Restart the computer.

Note: Hyper-V supplies the virtualization core.

5.6.2 Modern Management

Follow the sections below for managing Credential Guard through modern management tools.

5.6.2.1 Configure Credential Guard using Intune

In this section you will configure Credential Guard using Intune.

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune Portal.

Create Groups for use with Credential Guard Lab

1. Close all browser windows.

2. Start Internet Explorer in InPrivate mode.

3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

4. On the left navigation bar, click Azure Active Directory > Groups > All groups.

5. Click + New group.

6. In the Group pane fill in the following values:

GROUP TYPE: Security
GROUP NAME: CredGuardDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2

7. Click Select | Create.

Creating an Intune Credential Guard Policy

8. Close all browser windows.

9. Start Internet Explorer in InPrivate mode.

10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.

11. On the left navigation bar, click All services.

12. Enter “Intune” in search.

13. Click on Intune.

14. Click on “Device configuration”.

15. Click on “Profiles”.

16. Click on “+ Create profile”.

17. Fill out the form:

Name: Cred Guard Demo
Description: Cred Guard Demo
Platform: Windows 10 and later
Profile type: Endpoint Protection
Settings: Windows Defender Credential Guard > Enable with UEFI lock

18. Select OK | OK.

19. Select Create.

20. Select Assignments.

21. Select “Select groups to include”.

22. Check and select “CredGuardDemo”.

23. Click on Save.

Complete these steps on the physical machine above.

Verify the Policy has been Applied and Working

24. Log in to the machine as TU2@<AzureDomainName>.onmicrosoft.com.

29. Select Start.

30. Select Settings.

31. Select Accounts.

32. Select Access work or school.

33. Select Connected to <CompanyName> Azure AD.

34. Click Info.

35. Click Sync to force a policy update and confirm that the sync was successful.

36. Close Settings.

37. Reboot the machine.

38. Log back in using the same credentials.

39. Click Start.

40. Type and click “System Information”.

41. Verify that “Virtualization-based security is running”.

Note: After the first boot it should be “Enabled but not running”.

42. Reboot the machine again.

43. Click Start.

44. Type and click “System Information” elevated.

45. Verify that “Virtualization-based Security is running”.

Note: It can take up to 3 reboots to see that it is running.


5.6.3 Traditional Management

Follow the sections below for managing Credential Guard through traditional management tools.

5.6.3.1 Configure VBS and Credential Guard

Now that the required features and components are in place, activate Virtualization Based Security and Credential Guard.

Task Detailed Steps

Complete these steps on the physical machine above.

System Configuration

1. Open gpedit.msc and accept the UAC prompt if required.

2. Go to Computer Configuration > Administrative Templates > System > Device Guard.

3. Edit the Turn On Virtualization Based Security policy by selecting Enabled.

4. Select Secure Boot in the Select Platform Security Level list.

5. Select Enabled with UEFI lock in the Credential Guard Configuration list.

6. Click Apply and OK.

7. Restart the computer, open “System Information” elevated and verify that “Virtualization-based Security is running”.

5.6.3.2 Troubleshoot Credential Guard

After enabling all of the above features and settings, make sure that no errors were logged and all the components are properly configured.

Task Detailed Steps

Complete these steps on the physical machine above.

Logging

1. Device Guard policies are logged in Event Viewer at Applications and Services Logs > Microsoft > Windows > DeviceGuard > Operational.

2. An event ID 7000 should be logged, which contains the selected settings within the policy (when successfully applied).

MSInfo32

3. Open MSINFO32.EXE (elevated) and confirm that the options are defined as in the following screenshot.

Registry

4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.

5. Verify that EnableVirtualizationBasedSecurity is set to 1.

6. Verify that RequirePlatformSecurityFeatures is set to 1 (Secure Boot).

7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

8. Verify that LsaCfgFlags is set to 1.

Process

9. Open Task Manager.

10. Verify the presence of LsaIso.exe.
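To run the Logging, MSInfo32, Registry and Process checks above from one elevated PowerShell session, here is an added helper (not part of the lab guide or of any Microsoft tooling). It reads the same registry values and event log named in the steps plus the Win32_DeviceGuard CIM class that MSINFO32 displays; the function name Get-CredentialGuardStatus and the report layout are my own.

```powershell
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Registry values written by the "Turn On Virtualization Based Security" policy
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg  = Get-ItemProperty -Path $dgKey  -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

    # Win32_DeviceGuard is the source MSINFO32 reads. VirtualizationBasedSecurityStatus:
    # 0 = not enabled, 1 = enabled but not running, 2 = running. In the SecurityServices*
    # arrays the value 1 denotes Credential Guard (LSA isolation).
    $cim = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Event 7000 in the DeviceGuard Operational log records the applied policy settings
    $evt = Get-WinEvent -FilterHashtable @{
               LogName = 'Microsoft-Windows-DeviceGuard/Operational'; Id = 7000
           } -MaxEvents 1 -ErrorAction SilentlyContinue

    # LsaIso.exe is the isolated LSA process that exists only while Credential Guard runs
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = $dg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dg.RequirePlatformSecurityFeatures
        LsaCfgFlags                       = $lsa.LsaCfgFlags
        VbsStatus                         = $cim.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured         = [bool]($cim.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning            = [bool]($cim.SecurityServicesRunning -contains 1)
        PolicyEvent7000Logged             = ($null -ne $evt)
        PolicyEvent7000Time               = if ($evt) { $evt.TimeCreated } else { $null }
        LsaIsoProcessPresent              = ($null -ne $lsaIso)
    }
}

# Compare the collected state with the expected values from the checklist above
function Test-CredentialGuardChecklist {
    param([Parameter(Mandatory)]$Status)

    $problems = @()
    if ($Status.EnableVirtualizationBasedSecurity -ne 1) { $problems += 'EnableVirtualizationBasedSecurity is not 1' }
    if ($Status.RequirePlatformSecurityFeatures -ne 1)   { $problems += 'RequirePlatformSecurityFeatures is not 1 (Secure Boot)' }
    if ($Status.LsaCfgFlags -ne 1)                       { $problems += 'LsaCfgFlags is not 1 (Enabled with UEFI lock)' }
    if ($Status.VbsStatus -ne 2)                         { $problems += "Virtualization-based security is not running (status $($Status.VbsStatus))" }
    if (-not $Status.CredentialGuardRunning)             { $problems += 'Credential Guard is not listed under running security services' }
    if (-not $Status.PolicyEvent7000Logged)              { $problems += 'No DeviceGuard Operational event 7000 found' }
    if (-not $Status.LsaIsoProcessPresent)               { $problems += 'LsaIso.exe process not present' }
    return $problems
}

$status = Get-CredentialGuardStatus
$status | Format-List

$problems = Test-CredentialGuardChecklist -Status $status
if ($problems.Count -eq 0) {
    'All Credential Guard checks passed.'
} else {
    'Credential Guard checks that need attention:'
    $problems | ForEach-Object { "  - $_" }
}
```

Run it after each reboot in step 41 to 45 of the Intune task as well; a status of 1 with no LsaIso.exe process is the "Enabled but not running" state the note describes.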

5.7 Device Encryption (MBAM)

In this section we will walk you through setting up BitLocker using modern management.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without a TPM. Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

Note: The machine (Virtual or Physical) should have Hyper-V, TPM and Secure Boot Enabled.

5.7.1 Modern Management

Follow the sections below for managing BitLocker through modern management tools.

5.7.1.1 Setup BitLocker with Intune

The section below will walk you through setting up BitLocker with Intune.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.

Create Groups
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
   GROUP TYPE: Security
   GROUP NAME: BitLockerDemo
   MEMBERSHIP TYPE: Assigned
   MEMBERS: TU1, TU2
7. Click Create.

Configure Windows BitLocker
8. On the left navigation bar, click All Services.
9. Enter “Intune” in search.
10. Click on Intune.
11. Under Manage select “Device configuration”.
12. Under Manage select “Profiles”.
13. Select “+ Create profile”.
14. Name the new profile “Bitlocker Demo”.
15. For Platform select “Windows 10 and later”.
16. For Profile type select “Endpoint protection”.
17. Select “Windows Encryption” under Settings.
18. Fill out the form and click OK:
   Encrypt devices: Require
   Encrypt storage card: Not configured
   Warning for other disk encryption: Not configured
   Configure encryption method: Enable
   Encryption for operating system drives: XTS-AES 128-bit
   Encryption for fixed data-drives: XTS-AES 128-bit
   Encryption for removable data-drives: AES-CBC 128-bit
   Additional authentication at startup: Not configured
   Note: The rest is not going to be configured.
19. Click OK and click Create.
20. Click Assignments and click Select groups to include.
21. Check BitLockerDemo and click Select.
22. Click Save.

Complete these steps on the physical machine above.

Verify the Policy has been Applied and Working

23. Login to a machine as TU2@<AzureDomainName>.onmicrosoft.com.
24. Select Start.
25. Select Settings.
26. Select Accounts.
27. Select Access work or school.
28. Select Connected to <CompanyName> Azure AD.
29. Click Info.
30. Click Sync to force a policy update and confirm that the sync was successful.
31. You will notice that a notification appears, Encryption needed, asking you to start encryption.
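To confirm the result on the enrolled client beyond the notification, the following PowerShell is an added example (not from the lab guide) that compares each BitLocker volume with the encryption methods set in the profile above. It assumes the BitLocker and Storage modules that ship with Windows 10, and the Get-BitLockerCompliance function name is chosen here.

```powershell
# Added example (not from the lab guide): per-volume BitLocker status compared
# with the methods chosen in the Intune profile. Run elevated after the sync.
$expected = @{
    OperatingSystem = 'XtsAes128'   # Encryption for operating system drives: XTS-AES 128-bit
    Fixed           = 'XtsAes128'   # Encryption for fixed data-drives: XTS-AES 128-bit
    Removable       = 'Aes128'      # Encryption for removable data-drives: AES-CBC 128-bit
}

function Get-BitLockerCompliance {
    foreach ($bv in Get-BitLockerVolume) {
        # Get-BitLockerVolume only distinguishes OperatingSystem from Data
        # volumes, so Get-Volume is used to tell fixed drives from removable.
        $class = if ($bv.VolumeType -eq 'OperatingSystem') {
            'OperatingSystem'
        } else {
            $letter = $bv.MountPoint.TrimEnd(':', '\')
            $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
            if ($vol -and $vol.DriveType -eq 'Removable') { 'Removable' } else { 'Fixed' }
        }
        $method = [string]$bv.EncryptionMethod   # 'None' while unencrypted
        [pscustomobject]@{
            MountPoint       = $bv.MountPoint
            Class            = $class
            ProtectionStatus = $bv.ProtectionStatus          # On / Off
            EncryptionMethod = $method
            ExpectedMethod   = $expected[$class]
            # "Encrypt devices: Require" applies to the OS drive; data drives
            # are reported for comparison rather than flagged as required.
            Required         = ($class -eq 'OperatingSystem')
            MethodMatches    = ($method -eq $expected[$class])
        }
    }
}

Get-BitLockerCompliance | Format-Table -AutoSize
```

A Required volume with ProtectionStatus Off right after the sync is expected until the user acts on the Encryption needed notification; a method mismatch on an already-encrypted drive will not correct itself, since BitLocker does not re-encrypt to change algorithm.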

5.8 Device Guard – User Mode Code Integrity

5.8.1 Modern Management

Task Detailed Steps

Create Groups for use with WDAC Demo
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
   GROUP TYPE: Security
   GROUP NAME: WDACDemo
   MEMBERSHIP TYPE: Assigned
   MEMBERS: TU1, TU2
7. Click Create.

Configuring WDAC with Intune

8. Close all browser windows.
9. Start Internet Explorer InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create profile”.
17. Fill in the form:
   Name: WDAC Demo
   Description: WDAC Demo
   Platform: Windows 10 and later
   Profile type: Endpoint protection
18. Click on “Windows Defender Application Control”.
19. Fill in the form:
   Application control code integrity policies: Enforce
   Trust apps with good reputation: Enable
20. Select OK.
21. Select OK.
22. Select Create.
23. Select Assignments.
24. Select “Select groups to include”.
25. Select “WDACDemo” and click Select.
26. Click on Save.

Complete these steps on the CLIENT3 virtual machine or a physical machine.

Verify Configuration is Applied
27. Login to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com.
28. Select Start.
29. Select Settings.
30. Select Accounts.
31. Select Access work or school.
32. Select Connected to <CompanyName> Azure AD.
33. Click Info.
34. Click Sync to force a policy update and confirm that the sync was successful.
35. Open up Edge.
36. Navigate to https://www.7-zip.org/download.html.
37. Download and install the latest version of the application.
38. Once installed, run the application.
Note: The application should run because it has a good reputation. To see it blocked, remove the application and install an older version.

5.8.2 Traditional Management

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

In this section, you will learn how to configure and deploy Code Integrity policies and enable Device Guard in an enterprise.

5.8.2.1 Prerequisites

Perform the following tasks before proceeding to the succeeding sections.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Download VLC Media Player
1. Open Internet Explorer and browse to the URL below.
   http://www.videolan.org/vlc/
2. Click Download VLC and save vlc-3.0.3-win64.exe to C:\Packages.

Download CamStudio
3. Open Internet Explorer and browse to the URL below.
   http://camstudio.org/
4. Click Download and save camstudio.exe to C:\Packages.

5.8.2.2 Create CI Policy from a Golden System

In this activity, you will go through the steps in creating your first Code Integrity (CI) policy from a “Golden” system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Open PowerShell
1. Logon as a Domain Administrator (corp\labadmin) and from the Start Menu, start an elevated instance of PowerShell.

Create Shadow Copy of System Drive
2. From the PowerShell window, run the following commands:
   $s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
   $s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
   $d = $s2.DeviceObject + "\"
   cmd /c mklink /d C:\scpy "$d"

Generate a New Policy from Scan
3. From the PowerShell window, run the following command:
   New-CIPolicy -Level PcaCertificate -FilePath C:\PoCPolicy.xml -ScanPath C:\scpy -UserPEs
   Note: This may take around 20-30 minutes; a base policy is created during the process. If required, increase the memory of the virtual machine so the scan runs efficiently. Ignore any errors received after command execution completes.

Explore Policy Configuration
4. Save the file PoCPolicy.xml to a network location, for example \\DC1\C$.
5. Open the file C:\PoCPolicy.xml with Notepad and review the content without making changes.
6. Close the file.

5.8.2.3 Configurable Code Integrity – Audit Mode

In this activity, you will create a CI policy and deploy it in audit mode.


Complete these steps on the CLIENT1 virtual machine.

Convert from XML to Binary File
1. From the PowerShell window, run the following command:
   ConvertFrom-CIPolicy C:\PoCPolicy.xml C:\PoCPolicy.bin

Install Compiled Policy
2. From the PowerShell window, run the following command:
   cp C:\PoCPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
3. Restart CLIENT1 and re-login with the same credentials.

Verify Audit Logs
4. Launch the installation package for VLC located at \\DC1\C$\Packages\vlc-3.0.3-win64.exe and install the package. The installation will be successful at this point.
5. Right-click on the Start button and click Run.
6. Enter eventvwr.msc and click OK.
7. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
8. Browse through the log entries, especially Event ID 3076.

5.8.2.4 Creating CI Policy from Audit Logs

In this activity, you will go through the steps in creating a Code Integrity (CI) policy from audit log events.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Create a CI Policy from Audit Logs
67. From the Start Menu, start an elevated instance of PowerShell.
68. From the PowerShell window, run the following command:
   New-CIPolicy -Level PcaCertificate -FilePath C:\AuditPoCPolicy.xml -Audit -UserPEs
   Note: Ignore any errors received after command execution completes.
69. Open the file C:\AuditPoCPolicy.xml with Notepad.
70. Close the file.

Merge Golden Policy with Policy from Audit Logs
71. From the PowerShell window, run the following command:
   Merge-CIPolicy -OutputFilePath C:\MergedPoCPolicy.xml -PolicyPaths C:\AuditPoCPolicy.xml,C:\PoCPolicy.xml
72. Open the file C:\MergedPoCPolicy.xml with Notepad.
73. Close the file.

5.8.2.5 Configurable Code Integrity – Enforce Mode

In this activity, you will deploy and enforce a CI policy to lock down the system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Disable Audit Mode
1. From the PowerShell window, run the following command:
   Set-RuleOption -FilePath C:\MergedPoCPolicy.xml -Option 3 -Delete
2. Open the file C:\MergedPoCPolicy.xml with Notepad.
3. Close the file.

Convert from XML to Binary File
4. From the PowerShell window, run the following command:
   ConvertFrom-CIPolicy C:\MergedPoCPolicy.xml C:\MergedPoCPolicy.bin

Install Compiled Policy
5. From the PowerShell window, run the following command:
   cp C:\MergedPoCPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
6. Restart CLIENT1 and re-login with the same credentials.

Install or Launch Your Application(s)
7. Launch the installation package for CamStudio located at \\DC1\C$\Packages\camstudio.exe. The application should not launch at this stage and should throw errors, which means it is blocked by code integrity.

Verify Audit Logs
8. Right-click on the Start button and click Run.
9. Enter eventvwr.msc and click OK.
10. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
11. Browse through the log entries, especially Event ID 3077.
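As an added example (not part of the lab guide), the PowerShell below supports the audit-then-enforce workflow of sections 5.8.2.2 to 5.8.2.5: it reports whether a policy XML still carries the audit-mode rule option before you compile it, and summarises the 3076 (audit) and 3077 (blocked) events from the CodeIntegrity Operational log. The function names are chosen here, and the regex over the event message wording is an assumption.

```powershell
# Added example (not from the lab guide). Two checks for the CI workflow above:
# (1) has "Enabled:Audit Mode" (rule option 3) really been removed from the
#     policy XML before ConvertFrom-CIPolicy is run, and
# (2) which files produced audit (3076) or block (3077) events.

function Get-CIPolicyRuleOptions {
    param([Parameter(Mandatory)][string]$PolicyXmlPath)
    # A SiPolicy XML lists its rule options as <Rules><Rule><Option>...</Option></Rule>.
    [xml]$policy = Get-Content -Path $PolicyXmlPath -Raw
    @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

function Test-CIPolicyAuditMode {
    param([Parameter(Mandatory)][string]$PolicyXmlPath)
    # $true while the policy would only audit, i.e. step 1 of 5.8.2.5
    # (Set-RuleOption -Option 3 -Delete) has not been applied yet.
    (Get-CIPolicyRuleOptions -PolicyXmlPath $PolicyXmlPath) -contains 'Enabled:Audit Mode'
}

function Get-CIEventSummary {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed message shape: "... attempted to load <path> that did not meet ...".
        # Fall back to the raw message if the wording differs.
        $file = if ($e.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] }
                else { $e.Message }
        [pscustomobject]@{
            Time = $e.TimeCreated
            Mode = if ($e.Id -eq 3076) { 'Audit' } else { 'Blocked' }
            File = $file
        }
    }
}

# Typical use on CLIENT1 (paths from the lab):
#   Test-CIPolicyAuditMode -PolicyXmlPath C:\MergedPoCPolicy.xml    # expect $false before compiling
#   Get-CIEventSummary | Group-Object Mode, File |
#       Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Reviewing the grouped 3076 list while still in audit mode tells you which binaries (VLC here) the merged policy will allow and which would be stopped once option 3 is removed.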

5.8.2.6 Configure Group Policies

In this activity, you will learn how to configure and deploy group policies to enforce the configuration.


Complete these steps on the DC1 and the CLIENT2 virtual machines.

Create Device Guard GPO
1. Create a folder in the C: drive by the name CodeIntegrity and in this folder, copy the SIPolicy.p7b file created in the previous task from the CLIENT1 VM. The path of this file in the CLIENT1 VM is C:\Windows\System32\CodeIntegrity.
2. Navigate to C:\CodeIntegrity, right-click the CodeIntegrity folder and click Properties.
3. Click the Sharing tab and click Advanced Sharing…
4. Check the box next to Share this folder and click Permissions.
5. Ensure Everyone is in the list and has been granted Full Control. Click Apply and click OK two times.
6. Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
7. Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control. Close all the windows.
8. Now navigate to C:\CodeIntegrity\SIPolicy.p7b that has been copied, right-click on the file and click Properties.
9. Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
10. Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control. Close all the windows.
Note: At any point, if you see that Everyone has not been granted Full Control permissions, grant them before continuing.
11. Back in the DC1 VM, in Active Directory Users and Computers, create an OU called Devices and move the CLIENT2 VM to the Devices OU from the default Computers container.
12. Open the Group Policy Management Console.
13. Right-click on Group Policy Management > Forest: corp.olympia.local > Domains > corp.olympia.local > Group Policy Objects and select New.
14. Under Name, enter Device Guard Policies and then click OK.
15. Right-click the Devices OU and click Link an Existing GPO…
16. Select Device Guard Policies and click OK.

Deploy Code Integrity Policy and Enable VBS for KCMI
17. Right-click Device Guard Policies and select Edit.
18. Browse to Computer Configuration\Policies\Administrative Templates\System\Device Guard.
19. Double click on Deploy Windows Defender Application Control.
20. Select Enabled.
21. Under Code Integrity Policy file path, enter \\DC1\CodeIntegrity\SIPolicy.p7b.
22. Click Apply and then OK.

Note: The below policy is just for informational purposes and cannot be demonstrated. It will need a Physical Windows 10 Enterprise hypervisor enabled machine with Secure Boot or Trusted Boot enabled and other dependencies like Virtualization Extensions and all Virtualization capabilities turned on, including Input/Output Memory Management Unit (IOMMU) support, compatible drivers and updated legacy drivers.

23. Double click on Turn On Virtualization Based Security.
24. Select Enabled.
25. Under Select Platform Security Level, select Secure Boot and DMA Protection.
26. Under Virtualization based Protection of Code Integrity, select Enabled with UEFI lock.
27. Click Apply and then OK.

Attempt to Run New Applications that have not been installed on the System
28. Now on the CLIENT2 VM, run gpupdate /force.
29. Restart CLIENT2 and re-login with the same credentials.
30. Verify that any new application installation or new executable is blocked by the Code Integrity Policy, for example CamStudio. The CamStudio package is located at \\DC1\C$\Packages\camstudio.exe.

Note: Before executing any labs after the Code Integrity Lab in which the CLIENT1 and CLIENT2 VMs are going to be used, ensure that they have been moved to the default Computers container from the Devices OU. Then in both the VMs, delete the SIPolicy.p7b file from c:\Windows\System32\CodeIntegrity. Run a gpupdate /force and reboot both the VMs. This is to ensure that no activity is blocked by Code Integrity.

5.9 Diagnostics Logs

Requirements:
a) Windows Insider Build 18237+
b) Azure subscription to create a Storage account

5.9.1 Modern Management

Follow the sections below for enabling the diagnostic logs CSP using modern management tools.


5.9.1.1 Configure diagnostic logs CSP using Intune

In this section you will configure the diagnostic logs CSP using Intune.

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune Portal.

Create Groups for use with Diagnostic logs Lab
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values:
   GROUP TYPE: Security
   GROUP NAME: DiagnosticsLogsDemo
   MEMBERSHIP TYPE: Assigned
   MEMBERS: TU1, TU2
7. Click Select | Create.

Create a storage account to store diagnostic logs
8. Close all browser windows.
9. Start Internet Explorer InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Storage accounts” in search.
13. Click on Storage accounts.
14. Click on “+Add”.
15. Select a valid Azure Subscription.
16. Fill out the form:
   Resource group (create new if needed)
   Storage account name
   Location
   Leave the rest unchanged.
17. Click Review + create.
18. Click the newly created storage account.
19. Click Storage Explorer (preview).
20. Right-click BLOB CONTAINERS -> Create blob container.
21. Give it a name.
22. Click OK.
23. Right-click on the new blob container -> Get Shared Access Signature.
   a. Update Expiry time to a month later than the current date (default is 1 day).
   b. Update Permissions to Read, Write and List.
   c. Click Create.
24. Copy the URL into Notepad – this will be needed in the next step.

Create a diagnostic logs policy
25. Close all browser windows.
26. Start Internet Explorer InPrivate mode.
27. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
28. On the left navigation bar, click All services.
29. Enter “Intune” in search.
30. Click on Intune.
31. Click on “Device configuration”.
32. Click on “Profiles”.
33. Click on “+ Create profile”.
34. Fill in the form:
   a. Name – Diagnostics CSP
   b. Platform – Windows 10 and later
   c. Profile type – Custom
   Click Settings -> On OMA-URI settings, click Add:
      i. Name – ArchiveDefinition
      ii. OMA-URI – ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition
      iii. Data Type – String
      iv. Value –
      <Collection>
        <ID>New Guid</ID>
        <SasUrl><![CDATA[URL Copied in Line Step 21]]></SasUrl>
        <RegistryKey>HKLM\Software\Microsoft</RegistryKey>
        <Command>%windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\</Command>
        <FoldersFiles>%ProgramData%\temp\*.*</FoldersFiles>
        <FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
        <Command>c:\windows\system32\ipconfig.exe /all</Command>
        <Events>System</Events>
      </Collection>
35. Select Create.
36. Select Assignments.
37. Select “Select groups to include”.
38. Select “DiagnosticsLogsDemo” and click Select.
39. Click on Save.


Complete these steps on the AAD joined physical machine/VM.

Verify the Policy has been Applied and Working

40. Login to a machine as TU2@<AzureDomainName>.onmicrosoft.com.
46. Select Start.
47. Select Settings.
48. Select Accounts.
49. Select Access work or school.
50. Select Connected to <CompanyName> Azure AD.
51. Click Info.
52. Click Sync to force a policy update and confirm that the sync was successful.
53. Close Settings.
54. Go to [OSDrive]\windows\temp\mdmdiagnostics.
55. A folder with name = the GUID mentioned in the 32.iv settings should be available.

Complete these steps on any Internet-connected machine.
56. Close all browser windows.
57. Start Internet Explorer InPrivate mode.
58. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
59. Click Storage Accounts.
60. Click the Storage Account created in step 17.
61. Click Storage Explorer (Preview).
62. Click BLOB Containers -> Container.
63. Verify logs are getting uploaded.
64. Download the zip file. Look at the contents to ensure the requested logs are uploaded.


6 Compatibility

In this module, you will go through configuring Upgrade Readiness and scenarios to mitigate web application compatibility with Internet Explorer 11.

Prerequisite Sections:
a) Windows Insider Lab for Enterprise – Setup Guide
b) Section 3.3.1 - Build a Windows 10 Developer Machine

6.1 Windows Analytics Upgrade Readiness

With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.

In this section, you will learn how to navigate Upgrade Readiness to understand how you might use it in your environment. The Operations Manager Suite Experience Center will be used to evaluate Windows Analytics Upgrade Readiness using read-only demo data and will not require devices to be configured to send telemetry to the Update Compliance service.

Note:

This lab guide is aimed at getting you familiar with the Upgrade Readiness workspace. It is not supposed to be a comprehensive guide to using the solution in your organization.

Error: Reference source not found has more details on configuring, deploying and reviewing Windows Analytics.

6.2 Browser Compatibility

For web apps and sites in Windows 10, modern HTML5-based sites should have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10.

6.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.

Create a Shared Folder (EMEI) with Full Permissions

1. Open File Explorer and browse to C:\.
2. Create a new folder named EMEI.
3. Right-click on EMEI and select Properties.
4. In the EMEI Properties window, go to the Sharing tab.
5. On the Sharing tab, click Advanced Sharing.
6. On the Advanced Sharing window, select Share this folder then click on Permissions.
7. On the Permissions for EMEI window, under Allow select Full Control then click Apply and OK.
8. On the Advanced Sharing window, click Apply and OK.
9. On the EMEI Properties window, click Close.

Configure Test Website

10. On the taskbar, open File Explorer and browse to C:\Packages\Sources.
11. Copy the ContosoLearning folder to C:\inetpub\wwwroot.
12. On the Start menu, open Internet Information Services (IIS) Manager.
13. Under the Connections pane, browse to APP1 (Corp\LabAdmin) > Sites > Default Web Site > ContosoLearning.
14. Right-click on ContosoLearning and select Convert to Application.
15. On the Add Application window, click OK.
16. On ContosoLearning, under the Actions pane select Advanced Settings.
17. On the Advanced Settings window, select Application Pool and click on the ellipses (…).
18. On the Select Application Pool window, set the Application pool to .NET v2.0 then click OK.
19. On the Advanced Settings window, click OK.

Complete these steps on the CLIENT2 virtual machine.

Pin Internet Explorer on the Taskbar

20. On the Start Menu, search for Internet Explorer.
21. Right-click on Internet Explorer and select Pin to taskbar.

Download Enterprise Mode Site List Manager
22. Open Internet Explorer and browse to the URL below.
   http://www.microsoft.com/en-us/download/details.aspx?id=49974
23. From the website, click Download.
24. Save EMIESiteListManager.msi to the desktop.

6.2.2 Enterprise Mode

Enterprise Mode, a compatibility mode that runs on Internet Explorer 11, allows websites to render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

In this section, you will learn how to use and configure Enterprise Mode and the Enterprise Mode Site List Manager.

6.2.2.1 Manually Activate Enterprise Mode

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.

Browse to the Test Site

1. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.

Note: Notice that the website says the browser is not supported and that only Internet Explorer is supported, even though the browser is Internet Explorer.

Enable Enterprise Mode

2. Right-click on the Start button and select Run.
3. In the Run window, enter regedit and then click OK.
4. In the Registry Editor window, browse to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft.
5. Right-click on the Microsoft key and select New > Key.
6. Enter Internet Explorer as the name of the new key.
7. Right-click on the Internet Explorer key and select New > Key.
8. Enter Main as the name of the new key.
9. Right-click on the Main key and select New > Key.
10. Enter EnterpriseMode as the name of the new key.
11. Right-click on the EnterpriseMode key and select New > String Value.
12. Enter Enable as the name of the string value.
13. Right-click on the EnterpriseMode key and select New > String Value.
14. Enter SiteList as the name of the string value.

Note: Enterprise Mode can be enabled through Group Policy. For more information, go to https://technet.microsoft.com/en-us/itpro/Internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.

Enable Enterprise Mode on the Test Site

15. Close all open Internet Explorer browsers.
16. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.
17. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode.
Note: Enable the Menu bar to access Tools.
Note: Notice now that the website is not displaying the browser support issue because Enterprise Mode is emulating Internet Explorer 8. Also, see the building icon on the left side of the URL, which indicates that Enterprise Mode is enabled for this URL.

18. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode to turn it off for the next labs.

19. Close all Internet Explorer browsers.

6.2.2.2 Enterprise Mode Site List Manager

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.

Install Enterprise Mode Site List Manager

1. On the taskbar, open File Explorer and browse to the desktop.
2. Double-click on EMIESiteListManager.msi.
3. On the Welcome page, click Next.
4. On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next.
5. On the Destination Folder page, click Next.
6. On the Ready to Install page, click Install.
7. Once complete, click Finish.

Create a Site List

8. From the desktop icon, open the Enterprise Mode Site List Manager.

9. On the Enterprise Mode Site List Manager for v.2 schema window, click Add.

10. On the Add new website window, under URL enter app1/ContosoLearning and then click Save.

11. Click on File > Save to XML.
12. Save the file to \\APP1\EMEI as EMEISiteList.xml.

Complete these steps on the DC1 virtual machine.

Enable Enterprise Mode through GPO and Deploy the Site List
13. From the Start Menu, open the Group Policy Management Console.
14. On the Group Policy Management Console, expand to Forest: corp.olympia.local > Domains > corp.olympia.local > Group Policy Objects.
15. Right-click on Group Policy Objects and select New.
16. On the New GPO window, under Name enter Enable Enterprise Mode and then click OK.
17. Right-click on Enable Enterprise Mode and select Edit.
18. On the Group Policy Management Editor window, browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
19. On the Settings pane, double-click on the Use the Enterprise Mode IE website list policy.
20. On the Use the Enterprise Mode IE website list window, select Enabled.
21. On the Options pane, enter \\APP1\EMEI\EMEISiteList.xml and then click Apply and OK.
22. Close the Group Policy Management Editor.
23. On the Group Policy Management window, right-click on the Devices OU and select Link an Existing GPO…
Note: Create a Devices Organizational Unit and move the CLIENT2 machine from Computers to this OU.

24. On the Select GPO window, select Enable Enterprise Mode and then click OK.

Complete these steps on the CLIENT2 virtual machine.

Validate that Enterprise Mode Policies are Applied

25. Open an Administrative Command Prompt and execute gpupdate /force.

26. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.

Note: Notice that the website is now automatically configured with Enterprise Mode.
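The following PowerShell is an added example (not from the lab guide) that verifies the Enterprise Mode configuration the steps above create: it reads the Enable and SiteList values under the EnterpriseMode policy key and checks that a given URL appears in a v2-schema site list such as the one the Site List Manager saved in step 12. The function names are chosen here, the sample XML is constructed to mirror the step 10 entry, and the site-list/site element layout is an assumption.

```powershell
# Added example (not from the lab guide): check the Enterprise Mode registry
# values and confirm a URL is covered by the deployed site list.

function Get-EnterpriseModeConfig {
    # Policy key created manually in 6.2.2.1 or written by the GPO in 6.2.2.2.
    $key = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KeyExists = [bool]$props
        Enable    = $props.Enable
        SiteList  = $props.SiteList     # e.g. \\APP1\EMEI\EMEISiteList.xml after the GPO applies
    }
}

function Test-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)][string]$SiteListXml,   # XML content, not a path
        [Parameter(Mandatory)][string]$Url
    )
    # Assumed v2 schema layout: root <site-list>, one <site url="..."> per entry.
    [xml]$doc = $SiteListXml
    $entries = @($doc.'site-list'.site | ForEach-Object { $_.url })
    # -contains compares case-insensitively, matching how the manager stores
    # scheme-less URLs such as app1/ContosoLearning.
    $entries -contains $Url
}

# Constructed sample in the shape of the EMEISiteList.xml saved in the lab.
$sampleSiteList = @'
<site-list version="1">
  <site url="app1/ContosoLearning">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

Test-EnterpriseModeSiteList -SiteListXml $sampleSiteList -Url 'app1/ContosoLearning'
Test-EnterpriseModeSiteList -SiteListXml $sampleSiteList -Url 'app1/SomethingElse'

# On CLIENT2 after gpupdate: read the deployed list if the share is reachable.
$cfg = Get-EnterpriseModeConfig
$cfg
if ($cfg.SiteList -and (Test-Path -Path $cfg.SiteList)) {
    Test-EnterpriseModeSiteList -SiteListXml (Get-Content -Path $cfg.SiteList -Raw) -Url 'app1/ContosoLearning'
}
```

A KeyExists of False after gpupdate /force usually means CLIENT2 is not in the Devices OU the GPO is linked to; a True result from the last line confirms the list the client will actually use contains the test site.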

6.2.3 Browser Compatibility Remediation

This section covers some of the common compatibility issues found while migrating existing web applications from IE8 to IE11. It demonstrates the tools and techniques to remediate these common issues. This lab is designed for developers and discusses ways to resolve the compatibility issues by updating the application code, as it is the best long term solution to make your applications standards compliant and ensure compatibility with modern browsers.


6.2.3.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Pin Internet Explorer on the Taskbar

1. On the Start Menu, search for Internet Explorer.

2. Right-click on Internet Explorer and select Pin to taskbar.

6.2.3.2 User Agent String Detection Issue

Web developers used to check the navigator.appName property to get the name of the web client. Up to Internet Explorer 10 it returned "Microsoft Internet Explorer", but from IE11 it returns "Netscape", so any script that keys on that string treats IE11 as an unsupported browser. After completing this lab session, you will be able to use the IE Developer Tools to change the IE browser mode and user agent string.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility

1. Use Internet Explorer to navigate to http://app1/contosolearning.

Note: Notice the incompatibility message at the bottom of the screen in red. **Your browser is not supported by ContosoLearning**. Only Internet Explorer is Supported

2. The error message indicates that a validation routine runs when the page loads. The routine checks the browser that is used.

Confirm the Incompatibility

3. Right-click on the page and select View source to open a new window with the page’s source code.

4. On line 145, note that the function checkVersion is called when the page loads. This is the function that results in the browser support message.

5. The issue arises since the version detection logic is checking for the browser name.

6. Close the source page.

Prove the Fix

7. To determine the possible fix, press F12 to open the Internet Explorer Developer Tools.

8. Click the Emulation tab.

9. From the Document mode drop-down, select 10 to use the IE 10 Document Mode.

10. From the User agent string drop-down, select Internet Explorer 10.

11. The browser window will reload without the support warning.

Recommended Fix (OPTIONAL)

12. Modify the code for the default.aspx page to remove the browser detection routine.

13. Consider using feature detection to ensure that a specific feature is present for the application to continue to function.
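The recommended fix above, as an added example that is not part of the lab guide or the ContosoLearning application: the name-based check that the page's checkVersion routine performs, beside a feature-detection replacement. The function names, the capabilities tested and the three stand-in browser objects are constructed for this example; only the navigator.appName values come from the lab text.

```javascript
// Added example, not code from the lab guide or ContosoLearning.
// legacyCheckVersion(), isSupported(), compare() and the stand-in browser
// objects are constructed for this example.

// What the page's checkVersion routine effectively does: accept only a
// browser that calls itself "Microsoft Internet Explorer". IE11 reports
// "Netscape" here, so a fully capable browser is rejected.
function legacyCheckVersion(nav) {
  return nav.appName === "Microsoft Internet Explorer";
}

// Feature detection: ask for the capabilities the application actually
// relies on instead of the browser's name. `win` and `doc` stand in for
// window and document so the check can run outside a browser.
function isSupported(win, doc) {
  var hasStandardDom =
    typeof doc.getElementById === "function" &&
    typeof doc.querySelector === "function";          // querySelector: IE8+
  var hasEvents =
    typeof win.addEventListener === "function" ||    // IE9+
    typeof win.attachEvent === "function";           // IE8 and earlier
  var hasXhr = typeof win.XMLHttpRequest === "function"; // native XHR: IE7+
  return hasStandardDom && hasEvents && hasXhr;
}

// Constructed stand-ins for the browsers the lab compares.
var ie10 = {
  navigator: { appName: "Microsoft Internet Explorer" },
  window: { addEventListener: function () {}, XMLHttpRequest: function () {} },
  document: { getElementById: function () {}, querySelector: function () {} }
};
var ie11 = {
  navigator: { appName: "Netscape" },                // the value the lab text describes
  window: { addEventListener: function () {}, XMLHttpRequest: function () {} },
  document: { getElementById: function () {}, querySelector: function () {} }
};
var ie6 = {
  navigator: { appName: "Microsoft Internet Explorer" },
  window: { attachEvent: function () {} },            // no native XHR, no addEventListener
  document: { getElementById: function () {} }        // no querySelector
};

// Run both checks against one stand-in browser.
function compare(browser) {
  return {
    nameCheck: legacyCheckVersion(browser.navigator),
    featureCheck: isSupported(browser.window, browser.document)
  };
}
```

The name check rejects IE11 while happily accepting IE6, which lacks most of what the application needs; the feature check gets both right, and it keeps working for browsers that did not exist when the page was written.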

6.2.3.3 Box Model

The box model issue is caused by a difference in how rendering engines interpret the width and height properties of a container element: whether padding and borders are counted inside the specified width or added outside it.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility

1. Use Internet Explorer to navigate to http://app1/contosolearning.

2. Login to the application as corp\Administrator using P@ssword.

3. Scroll to the right and bottom. Note that the menu intended for the right side of the page has actually rendered below the content. In Internet Explorer 6, this page item would be rendered on the right-hand side of the My Upcoming Trainings panel.

Prove the Fix

4. Press F12 to launch the Developer Tools window.

5. Below the DOM Explorer tab, click the Select element icon, or press Ctrl+B.

6. Move the mouse pointer exactly over the grey border surrounding My Upcoming Trainings and click with the left mouse button. This will highlight the panel in the browser and move the DOM Explorer window to the corresponding HTML section, id="middle".

7. In the right pane of the DOM Explorer tab, click Styles.

8. Note that there are two entries for #middle. One of these is sourced from default.aspx and overrides the width entry from SiteStyles.css.

9. The #middle rule also carries padding properties. In the standards (W3C) box model used by Internet Explorer 11, width applies to the content only and padding and border are added outside it. In the Internet Explorer 5.5 quirks model, padding and border were counted inside the specified width, so the same declaration produced a narrower box.

10. Select the width property sourced from default.aspx.

11. Reduce the value (in pixels) to determine a suitable value to render the page correctly. Hint: the box only grows by the left and right padding and border, so a 100px change is far too much.


Recommended Fix (OPTIONAL)

12. Modify the source code for default.aspx on the hosting website with the correct width.

13. This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag as shown below to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

6.2.3.4 Popup Blocker

The Pop-up Blocker is a feature that blocks pop-up (and pop-under) windows opened automatically by a website. Internet Explorer 7 through 10 block pop-up windows in the Internet and Restricted sites zones by default, while still allowing pop-up windows opened in response to a user's action such as a click. This feature can interfere with the functionality of older sites that open a pop-up window on page load.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

What could be the Incompatibility

1. Use Internet Explorer to navigate to http://app1/contosolearning.

2. Login to the application as corp\Administrator using P@ssword.

3. Navigate to Register for Training from the menu on the left side of the page.

4. Observe that the register button for each course is disabled (greyed out) and also observe that a pop-up window appears with the Terms and Conditions and once clicked OK, the Register button is enabled for the courses listed.

5. The incompatibility could be that the register button for each course is disabled (greyed out) and a message is displayed on the bottom which says the Pop-Up was blocked.

Local Fix

6. If the incompatibility appears, launch the Pop-up Blocker Settings window by clicking on Tools > Internet options (enable the Menu bar first if it is hidden). Alternatively, click the gear icon at the top right of the Internet Explorer window and then select Internet options.

7. Click the Privacy tab.

8. Under Pop-up Blocker, click Settings.

9. In the Pop-up Blocker Settings window, type http://app1/contosolearning in the Address of website to allow text box.

10. Click Add to add the entered site to the Allowed sites list.

11. Click the Close button to close the current window and click OK on the Internet Options window.

12. Press F5 to refresh the page.

13. Click Register for Training.

14. A pop-up window appears with the Terms and Conditions.

15. Click OK.

16. The Register button is now enabled for the courses listed.

Enterprise Fix 17. Automatic popups are allowed by default in sites belonging to the Local Intranet sites zone. Pop-up blocking issues can be resolved for intranet applications by adding the site to the intranet sites collections.

18. In case of external trusted sites having this issue, add the sites to the Trusted sites collection and have the Use Pop-up Blocker section set to Disable.

19. To deploy the allow list centrally rather than per user, configure it in Group Policy under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer (Pop-up allow list), and keep the list limited to the specific intranet hosts that need it rather than disabling the blocker for a whole zone.

Note: For more details on Group Policy settings refer to the link: http://msdn.microsoft.com/en-us/library/dd565668(v=VS.85).aspx
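As an added example (not code from the lab guide or the ContosoLearning site), how the application side of this issue can be remediated by the developer rather than by loosening the pop-up blocker: the terms pop-up is opened from the user's click instead of on page load, and a blocked pop-up falls back to an inline panel instead of leaving Register disabled. The makeWindow() stand-in, which returns null from open() outside a simulated click the way IE's blocker does in the Internet zone, and all function names are constructed for this example.

```javascript
// Added example, not code from the lab guide or the ContosoLearning site.
// makeWindow(), legacyOnLoad(), registerClicked() and demo() are constructed
// for this example.

// Stand-in for a browser window with Pop-up Blocker on. Like IE in the
// Internet zone, open() succeeds only while a user-initiated event (a
// click) is being handled and returns null otherwise. alwaysBlock models a
// stricter configuration where even user-initiated pop-ups are refused.
function makeWindow(alwaysBlock) {
  var inUserGesture = false;
  var win = {
    opened: [],          // URLs that actually opened
    inlineShown: false,  // whether the inline fallback was displayed
    open: function (url) {
      if (alwaysBlock || !inUserGesture) {
        return null;     // the blocker swallowed the request
      }
      win.opened.push(url);
      return { location: url };
    },
    // Simulate a user click: run the handler inside a user gesture.
    click: function (handler) {
      inUserGesture = true;
      try { handler(); } finally { inUserGesture = false; }
    }
  };
  return win;
}

// Legacy behaviour of the Register for Training page: open the Terms and
// Conditions on load and enable Register only if the pop-up appeared.
// When the blocker intervenes, the button simply stays disabled.
function legacyOnLoad(win) {
  var popup = win.open("Terms.aspx");
  return { registerEnabled: popup !== null, blocked: popup === null };
}

// Remediated behaviour: open the terms from the user's click on Register,
// which the blocker allows, and if it is still blocked show the terms
// inline instead of leaving the user stuck.
function registerClicked(win) {
  var popup = win.open("Terms.aspx");
  if (popup === null) {
    win.inlineShown = true;
    return "inline";
  }
  return "popup";
}

// Walk through both behaviours against one window and report what happened.
function demo(alwaysBlock) {
  var win = makeWindow(alwaysBlock);
  var onLoad = legacyOnLoad(win);        // runs outside any user gesture
  var path;
  win.click(function () { path = registerClicked(win); });
  return {
    blockedOnLoad: onLoad.blocked,       // true: the load-time pop-up never appears
    clickPath: path,                     // "popup" normally, "inline" when blocked
    opened: win.opened.length,
    inlineShown: win.inlineShown
  };
}
```

The point for the developer is that a pop-up opened from a user gesture is allowed by default, so the page no longer depends on the zone or allow-list configuration, and that a null return from window.open is the signal to degrade gracefully rather than to leave functionality silently disabled.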

6.2.3.5 className Attribute

IE11 enables several enhancements to the setAttribute, getAttribute, and removeAttribute methods that are not available when pages are displayed in earlier document modes. To change the class attribute of an element, earlier versions of IE required the attribute name className. This has been fixed in IE11, and applications targeting the IE11 document mode should use class instead of className when assigning the class attribute (the className property on the element object continues to work in every mode). See http://msdn.microsoft.com/en-us/library/ms536429(VS.85).aspx

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Validate that the Test Site is not part of the Local Intranet Zone Site List

1. Click on Tools > Internet options in the Internet Explorer Window.

2. In Internet Options, go to the Security tab.

3. Click on Local intranet and then click on Sites.

4. In the Local intranet window, click on the Advanced button, which opens the Local intranet sites list.

5. In the sites list, verify that app1 is not present.

6. If the site is present, highlight the site and click on the Remove button.

7. Once you are finished, click on the Close button in the Local intranet sites list window.

8. Click OK in the Local intranet window and then click OK in the Internet options window to close them.

View the Incompatibility

9. Navigate to the Events page by clicking on the Events link in the left menu. The URL for the page is: http://app1/ContosoLearning/Events.aspx. Re-login if required. Observe that the page is not displayed correctly.

10. Observe that no style is applied to the selected element.

Local Fix 11. Open the Developer Tools by pressing F12 and click the Emulation tab at the bottom.

12. Change the Document mode to 7 and User agent string to Internet Explorer 7.

13. Observe that the class attribute is being set on the selected element in IE7 Standards mode. This indicates an issue with the script dynamically assigning the class value at runtime.

14. Observe that the className attribute is being used to set the class on the table. Also notice that the id attribute is being compared against the empty string. This check always fails in IE11, because in the IE11 document mode getAttribute returns null, not "", when the attribute is not defined. To confirm this, click on the Debugger tab and set a breakpoint on lines 43 and 44. You can set a breakpoint by clicking the line numbers.

15. Refresh the page by pressing F5 key and notice that the code never hits the breakpoint confirming our understanding. To fix this issue we can use the Auto responder feature of Fiddler to test the updated script on the page.

16. In the Internet Explorer window go to File > Save as… Then give the webpage a name i.e. Events and Save it as html on the Desktop.

17. Then edit the saved page using Notepad and replace lines 43 to 44 with the code below:

    if (tables[i] && tables[i].getAttribute("id") == null) {
        tables[i].setAttribute("class", "block");
    }

18. Download and install Fiddler from http://www.telerik.com/download/fiddler.

19. Once installed, start the Fiddler tool by clicking on Fiddler 4 on the Start Menu. Click Cancel on the prompt that appears.

20. Clear the Fiddler logging by pressing Ctrl+X. Then refresh the Events page.

21. In the Fiddler log you will see Events.aspx captured.

22. In the Fiddler window, click on the AutoResponder tab on the right-hand side.

23. Check the boxes which say Enable rules and Unmatched requests passthrough.

24. Highlight the Events.aspx entry and click on the Add Rule button.

25. In the Rule Editor section at the bottom right of the Fiddler window, click on the drop-down arrow of the second box and choose the option Find a file… Browse to the modified Events.html page and then click on the Save button.

26. Go back to the Internet Explorer window and refresh the Events page. Fiddler now intercepts the request and responds with the modified Events page, and you should see the correct style applied to the table elements.

Note: In order to fix the problem permanently, the script on the page would have to be changed on the server which is hosting the website to use the updated attribute handling shown above.

Note: This issue can also be fixed by forcing the page to render in IE7 standards mode by adding an X-UA-Compatible meta tag as shown below to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE7"/>

6.2.3.6 GetElementByID

In standards document modes getElementById is case sensitive, whereas the older quirks mode matched IDs regardless of case, so a script that looks up an element with an ID in the wrong case stops working. To remediate this, the script or markup of the page has to be modified at the source so that the ID on the element and the ID in the call use the same case, for example onclick="LaunchVideo('overview');" for an element whose id is "overview". Fiddler's AutoResponder can be used to test the change before it is deployed to the server.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility

1. Keep logged in and navigate to the Training Video page by clicking on the Training Videos on the left menu. The URL for the page is: http://app1/ContosoLearning/TrainingVideos.aspx.

2. Click on the first video which is the Overview video. Observe that nothing happens and it doesn’t play the video.

Local Fix 3. In the Developer Tools window (activated with F12), select the Console tab and clear any errors (if any).

4. Click again on the first video, which is the Overview video. Once you click on the video, you would be taken to the section of source code which resulted in the error message. Click on the link and you would be taken to the Debugger tab with the line where the error is.

5. A little higher in the code, on line 106, you will see that the ID is "overview" in lowercase.

6. In the Internet Explorer window, go to File > Save as… Give the webpage a name, i.e. Training, and save it as HTML on the Desktop.

give the webpage a name i.e. Training and Save it as html on the Desktop.

7. Edit the saved page using Notepad and change the case of the word OVERVIEW so that the ID on the element (line 106) and the ID passed to LaunchVideo match exactly, then save the file.

8. Start the Fiddler tool by clicking on Fiddler 4 on the Start menu.

9. Clear the Fiddler logging by pressing Ctrl+X. Then refresh the Contoso Learning Training page.

10. In the Fiddler log you will see TrainingVideos.aspx captured.

11. In the Fiddler window, click on the AutoResponder tab on the right-hand side.

12. Check the boxes which say Enable rules and Unmatched requests passthrough.

13. Highlight the TrainingVideos.aspx entry and click on the Add Rule button.

14. In the Rule Editor section at the bottom right of the Fiddler window, click on the drop-down arrow of the second box and choose the option Find a file… Browse to the modified Training.html page and then click on the Save button.

15. Go back to the Internet Explorer window and refresh the Training Videos page. Fiddler now intercepts the request and responds with the modified Training Videos page, and you should be able to open the Overview video.

Note: In order to fix the problem permanently, the source code of the page would have to be changed on the server which is hosting the website so that the element ID and the ID used in the script match in case.

Note: This issue can also be worked around by changing the Document Mode to IE5 Quirks Mode in the Developer Tools, where getElementById ignores case.

6.2.3.7 Z Index Default Value

For Internet Explorer 5, 6 and 7 the default value of z-index is 0, but for IE8 and later it is auto.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility

1. Launch Internet Explorer 11 and navigate to the Contoso Learning site using the URL http://app1/ContosoLearning/OnlineResources.aspx. Re-login if required. This is an intranet site designed for IE6; mousing over the menu items should show tool tips. In IE6 this works, but in IE11 no tool tip text is displayed.

2. Mouse over the menu items and confirm that no tool tip appears.

3. To check the logic on the page, right-click and select the View source option. This will open the page source in the Developer Tools under Debugger.

4. Check the onmouseover event of the image. There you can find that the logic reads the element's z-index and compares it with "0", the default z-index value in IE6.

5. To temporarily work around this issue, change the document mode to the appropriate version using the IE11 Developer Tools: press F12 to open them if they are not open already.

6. Click the Emulation tab.

7. Select Document mode 5 and User agent string Internet Explorer 6.

8. You can now observe that the tool tip text is displayed.

Permanent Fix 9. To resolve this issue the javascript on the page should be updated to first assign a Z-index to the DOM object before comparing its value.

Note: This issue can also be fixed by forcing the page to render in IE5 Quirks mode by adding an X-UA-Compatible meta tag as shown below to the head section of this page on the server.<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>
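The className (6.2.3.5), GetElementByID (6.2.3.6) and Z Index (6.2.3.7) labs all come down to DOM APIs that behave differently between the old IE document modes and the IE11 standards mode. As an added example that is not part of the lab guide or the ContosoLearning pages, the following reproduces those three differences with a small stand-in DOM so the page's broken logic and a version that works in both modes can be run side by side. makeDocument(), the element stubs, currentZIndex() and the function names are constructed for this example; the behaviours modelled (getAttribute returning "" versus null for a missing attribute, className versus class, case-insensitive versus case-sensitive getElementById, and a default z-index of "0" versus "auto") are the ones the lab text describes.

```javascript
// Added example, not code from the lab guide or the ContosoLearning pages.
// makeDocument(), the element stubs, currentZIndex() and the functions
// below are constructed for this example.

// A tiny stand-in DOM. mode "legacy" models the IE5/IE7 document modes the
// site was written for; mode "standards" models the IE11 document mode.
function makeDocument(mode) {
  var legacy = mode === "legacy";
  var elements = [];
  function createElement(id) {
    var attrs = {};
    if (id) attrs.id = id;
    var el = {
      className: "",               // the DOM property, present in every mode
      style: { zIndex: "" },       // inline style, empty until assigned
      getAttribute: function (name) {
        if (legacy && name === "class") name = "className";   // old IE spelling
        if (name in attrs) return attrs[name];
        return legacy ? "" : null; // missing attribute: "" in old modes, null in IE11
      },
      setAttribute: function (name, value) {
        if (legacy && name === "class") return;      // old modes want "className"
        if (!legacy && name === "className") return; // IE11 wants "class"
        attrs[name] = value;
        if (name === "class" || name === "className") el.className = value;
      },
      // Default computed z-index: "0" in IE5/6/7, "auto" in IE8 and later.
      currentZIndex: function () {
        return el.style.zIndex || (legacy ? "0" : "auto");
      }
    };
    elements.push(el);
    return el;
  }
  return {
    createElement: createElement,
    // Quirks mode ignored case in getElementById; standards mode is exact.
    getElementById: function (id) {
      for (var i = 0; i < elements.length; i++) {
        var cur = elements[i].getAttribute("id");
        if (cur === id) return elements[i];
        if (legacy && cur && cur.toLowerCase() === id.toLowerCase()) return elements[i];
      }
      return null;
    }
  };
}

// Events.aspx, lines 43-44 as the lab found them: only works in old modes.
function styleTablesBroken(tables) {
  for (var i = 0; i < tables.length; i++) {
    if (tables[i].getAttribute("id") == "") {          // null == "" is false in IE11
      tables[i].setAttribute("className", "block");    // ignored in IE11
    }
  }
}
// Portable version: a falsy test covers both "" and null, and the className
// property is honoured in every document mode.
function styleTablesFixed(tables) {
  for (var i = 0; i < tables.length; i++) {
    if (!tables[i].getAttribute("id")) tables[i].className = "block";
  }
}

// TrainingVideos.aspx: the element id is "overview" but the call used
// "OVERVIEW"; quirks mode tolerated that, standards mode returns null.
function launchVideoBroken(doc) { return doc.getElementById("OVERVIEW") !== null; }
function launchVideoFixed(doc)  { return doc.getElementById("overview") !== null; }

// OnlineResources.aspx tooltip: show only while z-index is still "0".
function tooltipBroken(img) { return img.currentZIndex() == "0"; }
// Fix from the lab: assign a z-index before comparing it.
function tooltipFixed(img) {
  if (!img.style.zIndex) img.style.zIndex = "0";
  return img.currentZIndex() == "0";
}

// Run all three checks against one document mode and report the outcome.
function runLab(mode) {
  var doc = makeDocument(mode);
  var unnamed = doc.createElement(null);
  var named = doc.createElement("summary");
  styleTablesBroken([unnamed, named]);
  var brokenClass = unnamed.className;
  unnamed.className = "";                  // reset, then apply the fix
  styleTablesFixed([unnamed, named]);
  doc.createElement("overview");
  var img = doc.createElement("thumb");
  return {
    brokenClass: brokenClass,               // "block" in legacy, "" in standards
    fixedClass: unnamed.className,          // "block" in both
    namedUntouched: named.className === "", // tables with an id are left alone
    videoBroken: launchVideoBroken(doc),    // true in legacy, false in standards
    videoFixed: launchVideoFixed(doc),      // true in both
    tooltipBroken: tooltipBroken(img),      // true in legacy, false in standards
    tooltipFixed: tooltipFixed(img)         // true in both
  };
}
```

Running runLab("legacy") and runLab("standards") shows the pattern behind all three labs: the original code worked only because the old modes were lenient, and each fix replaces a mode-specific assumption (empty string, attribute spelling, case folding, an implicit default) with something both modes agree on, which is what makes it safe to drop the X-UA-Compatible or Enterprise Mode workaround later.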

6.2.3.8 Content Centering

In standards mode (Internet Explorer 9 and later), the text-align property centers inline content only; it no longer centers block-level child elements the way the older quirks rendering did. A site developed for IE6 that relied on text-align to center its layout therefore renders left aligned in IE9+ standards mode. The block has to be given a width and centered with margin: 0 auto instead. To remediate this, we will have to modify the CSS of the webpage at the source. The Developer Tools can be used to find the correct CSS values that need to be added to the source of the page on the server.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.


View the Incompatibility

1. Navigate to the Blogs page by clicking on the Blogs link in the left menu. Re-login if required. Observe that the page is not displayed correctly. It is aligned to the left instead of being centered.

Local Fix

2. Press F12 to open the Developer Tools.

3. Select the Body section under the DOM Explorer tab. Observe that the text-align property has been set for this element.

4. This is the typical case where the content is being centered by using the text-align property, which would render the page correctly in previous versions of IE.

5. Also observe that the margin property has been set to 0px auto. This should cause the content to be centered in IE11.

6. Also observe that there are two margin properties being applied to the Body element. One of the margin properties is defined inline in the Blogs.aspx page.

7. Observe that this margin property has !important appended to its value. This forces the browser to override the original margin setting on the page.

8. Uncheck the second margin value. The first margin value will be enabled automatically.

9. You will find that the page is rendered correctly now.

Permanent Fix 10. To remediate the issue at the source, the developer would need to remove the margin style defined on the page which should fix the issue.

Note: This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag as shown below to the head section of this page on the server.<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

6.2.3.9 ActiveX Controls

Microsoft ActiveX controls are reusable software components based on ActiveX technology. ActiveX controls add interactivity and additional functionality, such as animations or pop-up menus, to a web page, application, or software development tool. Internet Explorer 7+ and Internet Explorer 6 on Windows XP Service Pack 2 (SP2) block controls that are unsigned, invalid, or explicitly distrusted by the user. In Internet Explorer 9+, users can allow controls to run on more than one website, or on all websites, by responding to the Information Bar that drops down when a control is requested for use. These sites can also be edited through the Manage Add-ons interface.

ActiveX blocking can be remediated by one of the following techniques:

1. Ensure that the ActiveX control is signed. Please refer to the following link for ActiveX signing: http://msdn.microsoft.com/en-us/library/aa231196(VS.60).aspx

2. Ensure that the certificate chain used to sign the control is trusted by the client: the signing certificate carried by the control served from the site must chain to a root the client already trusts.

3. Add the website to the list of Local intranet sites.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility

1. Navigate to the Contoso Learning Website Obtain Licenses page. The URL for the page is: http://app1/ContosoLearning/ObtainLicenses.aspx. Re-login if required. Observe that a UAC prompt is displayed.

Install the Certificate

2. You will notice that there is a warning because the publisher cannot be verified – click on the link for Unknown Publisher.

3. Details of the digital certificate will be displayed – click on the View Certificate button.

4. The certificate will indicate that it is not trusted. Press the Install Certificate… button.

5. This launches the Certificate Import Wizard. On the first screen, select Local Machine and then click Next.

6. Select Place all certificates in the following store and click Browse…

7. Select Trusted Root Certification Authorities and then click OK.

8. Click Next.

9. Click Finish.

10. Click OK once the import is successful.

11. Click the OK button on the Certificate dialog.

12. Click the OK button on the Digital Signature Details dialog.

13. Click the OK button on the Security Warning dialog.

Note: Importing an unknown publisher's certificate into the Local Machine Trusted Root Certification Authorities store makes it, and anything issued under it, trusted by every user and process on the machine. That is acceptable only in this isolated lab. In production, have controls signed by a CA your organisation already trusts; if a specific publisher must be trusted, place its certificate in the Trusted Publishers store and deploy it through Group Policy rather than hand-installing it as a root.

Signed ActiveX Control Installation

14. Press F5 to refresh the page now that you have the digital signature installed.

15. You will receive a UAC prompt again, this time indicating that it is a signed control. Click on Install.

16. Press F5 to refresh the page. Now you will not see any control. Close the Internet Explorer.

17. Open gpedit.msc and navigate to Computer Configuration – Administrative Templates – Windows Components – Internet Explorer. Double-click on Let users turn on and use Enterprise Mode from the Tools menu.

18. Click Enabled. Click Apply and OK.

19. Open Internet Explorer and navigate to the Contoso Learning website "Obtain Licenses" page. The URL for the page is http://app1/ContosoLearning/ObtainLicenses.aspx. If required, re-login.

20. Press F12 to open the Developer Tools. Click the Emulation tab and for the Browser profile, select Enterprise.

21. You will see that the browser has Enterprise mode enabled from the Tools menu.

22. You can see now that the Obtain Licenses button is visible.

23. In case it is still not visible, go to Tools and select Manage add-ons.

24. Check whether ContosoLicenseControl.ObtainLicense is enabled or not. If it is disabled, click on Enable, close the window by clicking Close, and refresh the page.

25. Click on the Obtain Licenses button.

26. The ActiveX control should now be installed. Click OK.

6.3 Desktop Bridges

The Windows 10 Desktop Bridge provides consumer and enterprise developers a low-friction path to migrate their Win32 apps to the Windows 10 Universal Windows Platform (UWP). In doing so, developers can take advantage of Windows 10 features and app distribution not available to traditional Win32 apps. Win32 apps packaged with the Desktop Bridge also run in a cleaner, virtualized runtime environment in which their file system and registry writes are redirected into the package, which gives a reliable install and uninstall. For more information on the Desktop Bridge see: https://developer.microsoft.com/en-us/windows/bridges/desktop

This lab provides a walkthrough of converting a Win32 app to a UWP package using the Desktop App Converter.

Prerequisite: Build a Windows 10 Developer Machine (Section 3.3.1) before proceeding with this lab.

6.3.1 Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)

In this activity, starting from a MSI installer, you’d be able to create an AppX package, keeping the best of both worlds: the flexibility of a Win32 app and the better security and distribution model of an AppX package.

Task Detailed Steps

Complete these steps on the WIN10DEV virtual machine.

Install the Desktop App Converter – Version Check

1. Make sure your computer is up to date with the Windows 10 version required by the Desktop App Converter. To check which version you are on, click on the Start button and choose Command Prompt: at the top, you will see the Windows 10 build number, which should be 10.0.17134.xx.

Install the ‘Desktop App Converter’

2. Download the Desktop App Converter tool itself from the Store at the URL https://www.microsoft.com/store/apps/9nblggh4skzw

3. Click ‘Get the app | Get’.

Download the Windows Base Image

4. Download the latest base Windows image, which is used as the container in which the appx package is generated. Be aware that this file is quite big (approximately 3.5 GB). It can be downloaded from the following link: https://www.microsoft.com/en-us/software-download/dac#. Click Base Image - Build 17134 and save the file to C:\Windows\Temp.

Note: The version of the base image must match the version of the OS. In this case, we are working with Windows 10 17134.

Launch the ‘Desktop App Converter’ as Administrator

5. Press ‘Start’ and type ‘Desktop App Converter’.

6. Right-click on the ‘Desktop App Converter’ icon and choose Run as administrator. Accept the UAC prompt. Under the hood, you will notice that it is simply a PowerShell console, since PowerShell is the technology that powers the Desktop App Converter.

Install the Base Image

7. Install the base image by executing the following PowerShell commands in the folder where you copied the file you previously downloaded (or, alternatively, pass the full path of the file to the -BaseImage parameter).

a. Set-ExecutionPolicy Bypass -Scope Process

b. DesktopAppConverter.exe -Setup -BaseImage C:\Windows\Temp\Windows_BaseImage_DAC_17134.wim -Verbose

Note: Without -Scope Process, Set-ExecutionPolicy Bypass changes the persistent machine-wide policy; scoping it to the process relaxes script execution only for this elevated console.

Note: The operation will take a while and, at some point, it may ask you to reboot the machine. The reason is that the Desktop App Converter relies on a Windows 10 feature (called Containers) which is not installed by default.

If you get an Error

8. If you get an error related to Containers, you can manually install the feature by right clicking on the Start button, clicking Run, entering appwiz.cpl, clicking OK and then Turn Windows features on or off. You will find one called Containers, enable it and click OK and then let the installation complete and also, if asked, reboot the computer.


Note: The Containers feature is available only on Windows 10 Pro or Enterprise.

9. Now you’re all set and you’re ready to convert your first application.

Start the Win32 to UWP Conversion Process

Note: You will convert the Win32 sample app ‘Hello Centennial’. Remember that the Desktop App Converter does not modify your application binaries. It monitors the file locations and registry entries created at install time. It uses this information to create the container your Win32 app will be in.

10. Download the ‘Hello Centennial’ sample Win32 app’s MSI file from here: https://github.com/qmatteoq/DesktopBridge/blob/master/1.%20Desktop%20App%20Converter/HelloCentennial.msi

11. Create a folder called C:\Installer and copy the file HelloCentennial.msi here.

12. Create another folder called C:\Output\HelloCentennial.

Launch the ‘Desktop App Converter’ as Administrator

13. Press ‘Start’ and type ‘Desktop App Converter’.

14. Right-click on the ‘Desktop App Converter’ icon and choose Run as administrator. Accept the UAC prompt.

Start the Desktop App Converter Process

Note: DesktopAppConverter flags:

-Installer is the path to the setup file we need to convert. In this case, it is the HelloCentennial.msi file we previously downloaded from GitHub.

-Destination is the folder where we want to store the output files created by the conversion process.

-PackageName is the name we want to give to the package.

-Publisher is the publisher name of the application. If you have some previous experience with UWP development, you will recall seeing this information in the manifest file of a UWP app. It is uniquely assigned by the Dev Center when you open a developer account. For the moment, for test purposes, you can use any name you want; it is just important that it starts with CN= and that it does not contain spaces.

-Version is the version number of the app.

-MakeAppx means that, in addition to generating the folder which will contain all the files that need to be packaged (assets, the manifest, etc.), you also want to immediately generate the AppX package.

-Verbose is an optional parameter which is useful because it shows all the details of what is going on during the conversion process.

-Sign generates a self-signed test certificate and uses it to sign the AppX package. A package can only be installed on a machine that trusts the certificate it was signed with, so this test certificate has to be imported on the target machine before the package can be sideloaded; for production, sign with a certificate issued by a CA your devices already trust.

15.Download and install the Windows 10 1803 SDK: https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk

16. In PowerShell, type the command:

DesktopAppConverter.exe -Installer "C:\Installer\HelloCentennial.msi" -Destination "C:\Output\HelloCentennial" -PackageName "HelloCentennial" -Publisher "CN=Awesome-Apps-Inc" -Version "1.0.0.0" -MakeAppx -Verbose -Sign

17. Inspect the Output folder. At the end of the process, you will get a folder structure like the following one:

The real work done by the tool can be found inside the PackageFiles folder:


18. As you can see, this folder looks a bit like the one that Visual Studio creates when you start a new UWP project. You have an Assets folder, which contains the default images to be used for the tile, the Store, or the icon in the Start menu. You have also a manifest file, the one called AppxManifest.xml.

Open the AppxManifest.xml File

19. Notice that it’s like the manifest file of a UWP app. However, compared to a native UWP app, you’ll find a couple of differences:

You’ll find the following Capability, which allows the application to run in full trust. This option is available only for converted apps; a native UWP app will not have this kind of access. Note that a full-trust package runs with the user’s full rights and is not confined by the UWP app container sandbox, so the safety gain is limited to file system and registry virtualization and clean uninstall, not process isolation.

<Capabilities>
    <rescap:Capability Name="runFullTrust" />
</Capabilities>

You’ll find an Application entry with all the info about the Win32 process that the UWP container will launch.

<Application Id="HelloCentennial" Executable="HelloCentennial.exe" EntryPoint="Windows.FullTrustApplication">

Continue Inspecting Output: Registry.Dat, VFS Folder

20. You'll find other files and folders that capture what the MSI setup did. The Registry.dat file contains all the changes the installer applied to the registry, and the VFS folder contains every file copied during installation. For instance, you can find the main executable (the original Windows Forms app) under the path VFS\Users\ContainerAdministrator\AppData\Roaming\Matteo Pagani\Hello Centennial.

Attempt to Install the Converted App (APPX)

21. Double click on the file HelloCentennial.appx and you’ll be prompted with the following dialog.


However, if you press the Install button out of the box, you’ll see the following error.

Install Certificate to Resolve Error

Note: By default, an AppX package must be signed with a certificate that the computer trusts before it can be installed. When a UWP app is published through the Store this is completely transparent: the Store signs the package with a trusted certificate during submission. Here we are sideloading the package without the Store, so signing is our responsibility. The -Sign parameter we passed to the Desktop App Converter already did that work: the package is signed, but the certificate it was signed with was generated by the tool and is not trusted by this computer, which is what causes the installation failure.

22. To solve this problem, add that certificate to the computer's Trusted Root Certification Authorities store. You'll find it in the folder generated by the tool (the one with the AppX package and the PackageFiles folder); it is called auto-generated.cer. Double click it, choose Install Certificate, select Local Machine when asked where to install it, then choose Place all certificates in the following store, press Browse, select Trusted Root Certification Authorities and complete the wizard.

Caution: anything signed with the private key behind auto-generated.cer will now be trusted machine-wide, exactly like a public CA root. Do this only on the lab machine, and remove the certificate from Trusted Root Certification Authorities when the lab is finished. For a real deployment, sign the package with a code-signing certificate issued by your enterprise CA (or a public CA) so that no self-signed root has to be distributed to endpoints.

Retry Installing the Converted App (APPX)

23. Double click on the file HelloCentennial.appx and uncheck Launch when ready. This time, after you press Install, a progress bar shows the installation status and, at the end, the window looks like the following one.


Find ‘HelloCentennial’ in the Start Menu

24. Press the Windows key and type HelloCentennial.

Note: You now have a Win32 app packaged as a UWP app. It has a tile, you can pin it to the Start menu and, to uninstall it, you simply right click it and choose Uninstall.


Launch the Converted App: ‘HelloCentennial’

25. Select the app from the Start menu to launch it. Notice that it is still a Win32 app: it creates a text file on the user's desktop without any extra dialog or permission prompt, because runFullTrust gives it the same access as any other desktop process.

Note: You might have to install the app's prerequisite, .NET Framework 3.5 (which includes 2.0 and 3.0). Windows offers to download and install it automatically on first launch.
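The signing and trust steps above can be checked and reproduced from PowerShell instead of the certificate wizard. The script below is an added example written for this guide; it is not part of the original lab or of the Desktop App Converter tool. It assumes the output paths from step 16 and an elevated PowerShell prompt on the lab machine. It verifies that the certificate subject matches the manifest Publisher (a hard requirement for AppX signing), flags the runFullTrust capability, confirms the package was signed with auto-generated.cer, trusts the certificate and installs the package, and shows the cleanup that removes the self-signed root when the lab is done.

```powershell
# Added example for this lab guide (not the original lab's or Desktop App Converter's code).
# Assumes the paths produced by step 16:
#   C:\Output\HelloCentennial\HelloCentennial.appx
#   C:\Output\HelloCentennial\auto-generated.cer
#   C:\Output\HelloCentennial\PackageFiles\AppxManifest.xml
# Run from an elevated PowerShell prompt on the lab machine only.

$OutDir   = 'C:\Output\HelloCentennial'
$Package  = Join-Path $OutDir 'HelloCentennial.appx'
$CerFile  = Join-Path $OutDir 'auto-generated.cer'
$Manifest = Join-Path $OutDir 'PackageFiles\AppxManifest.xml'
$CleanUp  = $false   # set to $true once the lab is finished

# 1. Read the manifest. Identity/@Publisher must match the signing certificate's
#    subject exactly, otherwise the package will not install even when the
#    certificate is trusted.
[xml]$m = Get-Content -Path $Manifest -Raw
$publisher = $m.Package.Identity.Publisher
Write-Host "Manifest publisher : $publisher"

# 2. Flag the capability an enterprise reviewer cares about: runFullTrust means
#    the Win32 process runs with the user's full rights, outside the UWP sandbox.
$caps = $m.Package.Capabilities.ChildNodes |
    Where-Object { $_.NodeType -eq 'Element' } |
    ForEach-Object { $_.GetAttribute('Name') }
if ($caps -contains 'runFullTrust') {
    Write-Warning 'Package declares runFullTrust: review it like any unsandboxed Win32 installer.'
}

# 3. Look at the auto-generated certificate before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
Write-Host "Cert subject       : $($cert.Subject)"
Write-Host "Cert thumbprint    : $($cert.Thumbprint)"
Write-Host "Self-signed        : $($cert.Subject -eq $cert.Issuer)"
if ($cert.Subject -ne $publisher) {
    throw "Certificate subject '$($cert.Subject)' does not match manifest Publisher '$publisher'."
}

# 4. Confirm the package is actually signed with that certificate. Until the
#    certificate is trusted, Status is not Valid and StatusMessage says why.
$sig = Get-AuthenticodeSignature -FilePath $Package
Write-Host "Signature status   : $($sig.Status) ($($sig.StatusMessage))"
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Package is signed with a different certificate than auto-generated.cer.'
}

if (-not $CleanUp) {
    # 5. Trust the certificate at machine scope (same effect as step 22) and install.
    #    If Add-AppxPackage fails with 0x80073CFF, sideloading is disabled in
    #    Settings > Update & Security > For developers.
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Add-AppxPackage -Path $Package
    Get-AppxPackage -Name HelloCentennial | Select-Object Name, Publisher, Version, SignatureKind
}
else {
    # 6. Cleanup: a self-signed certificate in LocalMachine\Root is a machine-wide
    #    trust anchor. Uninstall the app, then remove the root so nothing else
    #    signed with that key is trusted by this machine.
    Get-AppxPackage -Name HelloCentennial | Remove-AppxPackage
    Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

Run it once with $CleanUp left at $false to trust and install; run it again with $CleanUp set to $true at the end of the lab. The Publisher/subject comparison is done before anything is trusted so that a mismatched or swapped certificate is caught without touching the root store.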


7 Additional Labs

7.1.1 MDM WINS over GP

Prerequisite Sections:
a) Windows Insider Lab for Enterprise – Setup Guide
b) Section 3.2 - Cloud Environment

Source: https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/

Traditionally, configuration policies are managed by Group Policy. Modern management of Windows 10 with Microsoft Intune has its own set of policies, some of which duplicate Group Policy settings (where applicable; not every Group Policy is available through MDM or a CSP). In environments where Group Policy is deployed alongside Intune-managed policy, the question is which policy wins. The answer depends on the Windows 10 version:

Windows 10 version 1709 and earlier: Group Policy overrides MDM policy, even when an identical policy is configured in MDM.

Windows 10 version 1803 and later: the Policy CSP has a new ControlPolicyConflict area containing the MDMWinsOverGP policy, which lets you choose which source wins, for example Microsoft Intune MDM policy.

For more details about the new ControlPolicyConflict setting, see: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

What happens to the policy if the device is unenrolled from Intune? Where applicable, Group Policy re-applies its settings in this scenario.

Setting up a Policy

In the link above, the scope of the policy is Device, so we need to target the policy at the device scope. To learn more about user and device scopes, see: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope

Since the ControlPolicyConflict policy applies to the device, the OMA-URI follows the pattern ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName. Replace AreaName/PolicyName with ControlPolicyConflict/MDMWinsOverGP, which gives:

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP


Creating the Policy

Let's create a new policy in Intune to control the GP vs. MDM winner.

1. Navigate to portal.azure.com and locate Intune.
2. Select Device configuration | Profiles | Create profile.
3. Under Platform, select Windows 10 and later.
4. Under Profile type, select Custom and then Add.
5. Give the custom setting an intuitive name.
6. For OMA-URI, enter the policy OMA-URI string:

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

7. For Data type, select Integer and enter the value 1.

Supported values for this policy:
0 (default)
1 - The MDM policy is used and the GP policy is blocked.

Treat the setting as one-way on the lab build: the linked reference notes that early builds did not support deleting the policy or setting it back to 0 once it had been set to 1, so test the profile on a pilot group before assigning it broadly.
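The same custom profile can be created and assigned through the Microsoft Graph API rather than the portal, which is useful when the policy has to be reproduced across tenants or kept in source control. The script below is an added example, not part of the blog post or the lab. It assumes an access token holding the DeviceManagementConfiguration.ReadWrite.All permission, obtained separately (for example from an Azure AD app registration), and a placeholder group id for the lab devices; the profile's display name and description are our own choices.

```powershell
# Added example (not the blog's or the lab's own code).
# Assumes $Token is a bearer token with DeviceManagementConfiguration.ReadWrite.All
# and $GroupId is the object id of the device group the profile should target.
$Token   = '<paste access token here>'
$GroupId = '<group object id>'
$Graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# Custom Windows 10 profile with a single integer OMA-URI setting, device scope,
# exactly what steps 1-7 above build in the portal.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'MDM wins over GP'
    description   = 'Policy CSP ControlPolicyConflict/MDMWinsOverGP = 1 (device scope)'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'MDMWinsOverGP'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'
            value         = 1
        }
    )
} | ConvertTo-Json -Depth 5

$created = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$Graph/deviceManagement/deviceConfigurations" -Body $body
Write-Host "Created profile $($created.displayName) with id $($created.id)"

# A profile does nothing until it is assigned; target the lab device group.
$assign = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$Graph/deviceManagement/deviceConfigurations/$($created.id)/assign" -Body $assign | Out-Null
Write-Host "Assigned profile $($created.id) to group $GroupId"
```

Assigning to a small pilot group first matters more here than for most profiles, because once MDMWinsOverGP is 1 on a device the conflicting Group Policy settings stop applying on that device.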

Let's take a look at how the policy is applied

1. On the Windows 10 device, select the Windows icon > Settings > Accounts > Access work or school and, under the account name, select Info.
2. Sync with Microsoft Intune by selecting Sync.
3. Once the sync has completed, select Create report.


Once the report is complete, a folder opens containing an .html file. Open the .html report and search for "MDMwins".

GP setting before the MDM policy takes effect:

MDM setting after the policy is applied (Note: Windows 10 1803 or later is required for MDM to override GP):

Intune also reports, per device, whether the policy was applied successfully. Use that report to confirm the policy is actually applying rather than assuming it from the assignment.


Logging

Being able to investigate modifications to a device is extremely important, especially when troubleshooting. In Event Viewer we can find the event recorded when the policy was applied, as shown below. However, digging through events, especially across multiple devices, can be a difficult process. This is where Microsoft Operations Management Suite (OMS) comes in.

Logging with Microsoft Operations Management Suite (OMS)

Within OMS, the Log Analytics solution manages logs from devices that have the OMS agent installed. (OMS has since been folded into Azure Monitor; the Log Analytics workspace and the agent are the same pieces.) I won't go into details about installing the OMS agent, but it's straightforward. Once the agent is installed (I have it installed on all my devices so I can look at label changes with Azure Information Protection (see my previous post) and other aggregated information), we need the proper event log source name and have to add it to Log Analytics.

Find and copy the event log source name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider.


Paste the event log name into Log Analytics under Settings > Data > Windows Event Logs, as shown below:


Give the logs a few minutes to sync from the device to OMS, then run the query below in the Log Analytics search and look for the MDMWinsOverGP policy created above:
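Before the logs reach OMS, the same facts can be checked on the device itself. The script below is an added example for this guide, not part of the blog post or the lab; it serves both the "how the policy is applied" check above (the Settings report) and this Logging section (the DeviceManagement-Enterprise-Diagnostics-Provider events). It assumes Windows 10 1803 or later, an Intune-enrolled device and an elevated prompt. It reads the winning value from the Policy CSP's registry location, lists the provider's events that mention the policy, and generates the same MDM diagnostic report that Create report produces, scripted with MdmDiagnosticsTool.exe.

```powershell
# Added example (not the blog's or the lab's own code).
# Assumes Windows 10 1803+, an Intune-enrolled device, and an elevated PowerShell prompt.
$Area   = 'ControlPolicyConflict'
$Policy = 'MDMWinsOverGP'

# 1. Effective value as merged by the Policy CSP. Device-scope policies are
#    written under PolicyManager\current\device\<Area>\<Policy>.
$key   = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
$value = (Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue).$Policy
switch ($value) {
    1       { Write-Host "$Policy = 1 : MDM policy is used, conflicting GP settings are blocked" }
    0       { Write-Host "$Policy = 0 : default, Group Policy still wins on conflict" }
    default { Write-Warning "$Policy not present: the device has not received or applied the profile yet" }
}

# 2. Events from the provider named in the Logging section, newest first,
#    filtered to the ones that mention this policy. This is what the OMS query
#    will show once the agent has forwarded the log.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Policy } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message -replace '\r?\n', ' ' } } |
    Format-Table -AutoSize -Wrap

# 3. Same data as Settings > Access work or school > Info > Create report,
#    generated without the UI so it can be collected from many devices.
$out = Join-Path $env:TEMP 'mdmdiag'
New-Item -ItemType Directory -Path $out -Force | Out-Null
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $out | Out-Null
$report = Join-Path $out 'MDMDiagReport.html'
if (Test-Path $report) {
    $hits = @(Select-String -Path $report -Pattern $Policy -SimpleMatch)
    Write-Host "Report: $report ($($hits.Count) line(s) mention $Policy)"
}
else {
    Write-Warning "MdmDiagnosticsTool.exe did not produce $report"
}
```

If step 1 shows no value while step 2 shows the policy being received, the sync happened but the CSP rejected the value; the event's message text and the diagnostic report give the reason.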

For more details about Windows 10 MDM logging, see: https://docs.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10

Evaluating Existing Group Policies to Determine Migration to MDM

Use the MDM Migration Analysis Tool (MMAT) to evaluate which Group Policies have been set for a target user or computer and cross-reference them against its built-in list of supported MDM policies.

Download the MDM Migration Analysis Tool (MMAT): https://github.com/WindowsDeviceManagement/MMAT

For additional details about creating custom ADMX policies, see the following two videos:

Enable ADMX backed policies in Intune: https://www.microsoft.com/en-us/videoplayer/embed/bdc9b54b-11b0-4bdb-a022-c339d16e7121
ADMX backed policy import example: https://www.microsoft.com/en-us/videoplayer/embed/a59888b1-429f-4a49-8570-c39a143d9a73

Keep up to date with MDM policies and other features via What's new in MDM enrollment and management: https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management


The MDM WINS over GP walkthrough above is adapted from the blog post by Courtenay Bernier linked at the start of this section.

7.1.2 MAM FAQ

For frequently asked questions about MAM and app protection, refer to https://docs.microsoft.com/en-us/intune/mam-faq
