Practice Lab: Managing Identities in Entra ID (0101)
Workforce
Why does it say "Contoso - Microsoft Entra ID for Workforce" at the top of some of the pages? Because there are two types of tenant - Workforce (your employees and internal apps) and Customer (your customers and customer-facing apps).
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-supported-features-customers
Licensing information in PowerShell
Connect-MgGraph -Scopes "User.Read.All"   # Microsoft.Graph PowerShell module
$user = Get-MgUser -Filter "displayName eq 'Cody Godinez'"   # server-side filter instead of paging every user through Where-Object
Get-MgUserLicenseDetail -UserId $user.Id
# -All pages past the default 100 users; LicenseDetails is a relationship, not a selectable property (Get-MgUserLicenseDetail returns it)
Get-MgUser -All -Property DisplayName, UserPrincipalName, AssignedLicenses, AssignedPlans, LicenseAssignmentStates |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    Select-Object DisplayName, UserPrincipalName, AssignedLicenses, AssignedPlans, LicenseAssignmentStates
Practice Lab: Synchronizing Identities by using Microsoft Entra Connect (0102)
Practice Lab: Configuring and managing Entra Join (0201)
Ex 1, Task 2 - Join SEA-WS1 to Entra ID as JoniS.
Ex 1, Task 5 - Disconnect SEA-WS1 from Entra ID.
Ex 2, Task 4 - Join SEA-CL2 to Entra ID using Hybrid Join.
At the end of the lab there should be 1 device in Entra ID:
• SEA-CL2, Microsoft Entra hybrid joined
Local Administrators
In task 3, step 7 the two SIDs are for the Global Administrator role and the Microsoft Entra Joined Device Local Administrator role (FKA Azure AD Joined Device Local Administrator). Look at the assignments for that second role; you will see Allan Deyoung.
https://learn.microsoft.com/en-us/answers/questions/423013/find-account-or-group-from-sid-in-local-administra
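As an added example (my own code, not the lab's or the linked answer's), the following PowerShell converts the S-1-12-1 SIDs you see in the local Administrators group back to Entra ID object IDs and resolves them with the Microsoft.Graph module. The SID value is a placeholder to replace with one read from the device; the sample GUID used for the self-check is constructed.

```powershell
# Added example: map the S-1-12-1-... SIDs in the local Administrators group of an
# Entra joined device back to the directory role (or user/group) they represent.
# The SID is the object ID's 16 bytes read as four little-endian 32-bit integers.
function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    "S-1-12-1-$($parts -join '-')"
}

function ConvertFrom-EntraSid {
    param([Parameter(Mandatory)][string]$Sid)
    $components = $Sid -split '-'
    if ($Sid -notlike 'S-1-12-1-*' -or $components.Count -ne 8) {
        throw "Not an Entra ID (S-1-12-1) SID: $Sid"
    }
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 4; $i++) {
        [BitConverter]::GetBytes([uint32]$components[4 + $i]).CopyTo($bytes, $i * 4)
    }
    [guid]::new($bytes)
}

# Self-check with a constructed object ID: the conversion must round-trip exactly.
$sample = [guid]'12345678-9abc-def0-1234-56789abcdef0'
if ((ConvertFrom-EntraSid (ConvertTo-EntraSid $sample)) -ne $sample) { throw 'round-trip failed' }

# Resolve a SID read from the device (PLACEHOLDER value; copy the real one from
# Get-LocalGroupMember -Group Administrators on the device).
$sid = 'S-1-12-1-0-0-0-0'
$objectId = ConvertFrom-EntraSid $sid
Connect-MgGraph -Scopes "Directory.Read.All"
$role = Get-MgDirectoryRole -DirectoryRoleId $objectId -ErrorAction SilentlyContinue
if ($role) {
    "$sid = role '$($role.DisplayName)'; members:"
    Get-MgDirectoryRoleMember -DirectoryRoleId $objectId |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
}
else {
    # Not a role: an individual user or group that was added as a local administrator
    Get-MgDirectoryObject -DirectoryObjectId $objectId |
        ForEach-Object { "$sid = $($_.AdditionalProperties['@odata.type']) $($_.AdditionalProperties['displayName'])" }
}
```

Running it against the two SIDs from task 3, step 7 should return the Global Administrator role and the Microsoft Entra Joined Device Local Administrator role with their current members, which is the quickest way to audit who can become local admin on every joined device.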
Module: Execute device profiles
Scheduled Tasks, Synchronising from a script
https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/
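Added example (my own code, not the oofhours post's): it lists the device's MDM enrollments, forces a sync by starting the enrollment client's PushLaunch scheduled task, and registers a daily task that repeats the sync. It assumes the device is MDM enrolled (which is what creates the task folder \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\) and that it runs from an elevated session; the task name Force-MdmSync is my own.

```powershell
# Added example: trigger an MDM policy sync from an enrolled Windows client.
# Run from an elevated PowerShell session on the device.

function Get-MdmEnrollment {
    # Each MDM enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>;
    # Intune enrollments carry ProviderID "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, UPN, EnrollmentState
}

function Start-MdmSync {
    # The enrollment client creates \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\PushLaunch;
    # starting it runs the same sync a push notification from Intune would trigger.
    $tasks = Get-ScheduledTask | Where-Object {
        $_.TaskName -eq 'PushLaunch' -and $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*'
    }
    if (-not $tasks) {
        Write-Warning 'No PushLaunch task found: the device does not look MDM enrolled.'
        return
    }
    foreach ($task in $tasks) {
        Start-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
        Start-Sleep -Seconds 2
        Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath |
            Select-Object TaskPath, LastRunTime, LastTaskResult
    }
}

function Register-DailyMdmSync {
    # Force-MdmSync is a hypothetical task name; it runs the sync one-liner as SYSTEM every morning.
    $command = "Get-ScheduledTask | Where-Object TaskName -eq 'PushLaunch' | Start-ScheduledTask"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$command`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    Register-ScheduledTask -TaskName 'Force-MdmSync' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force
}

Get-MdmEnrollment
Start-MdmSync
```

A LastTaskResult of 0 after Start-MdmSync means the sync ran; the device's last check-in time in the Intune admin center should update within a few minutes.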
Practice Lab: Manage Entra ID device registration (0202)
Ex 1, Task 2 - Connect SEA-WS1 to Entra ID as JoniS.
Ex 1, Task 4 - Disconnect SEA-WS1 from Entra ID.
At the end of the lab there should be 1 device in Entra ID:
• SEA-CL2, Microsoft Entra hybrid joined
Practice Lab: Enrolling devices into Microsoft Intune (0204)
Task 1 - Join SEA-WS1 to Entra ID as Aaron (a synced account). This also enrolls it into Intune.
At the end of the lab there should be 2 devices in Entra ID:
• SEA-CL2, Microsoft Entra hybrid joined
• SEA-WS1, Microsoft Entra joined
And 1 device in Intune:
• SEA-WS1
Additional Lab Steps
Maybe enable Endpoint Analytics now?
https://learn.microsoft.com/en-us/mem/analytics/enroll-intune
Module: Execute device profiles
What is a scope tag? It is a way to provide admins with a filtered view of Intune objects.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
Practice Lab: Using a Configuration Profile to configure Kiosk mode (0302)
Ex 1, Task 1 - Join SEA-WS2 to Entra ID as AllanD. This also enrolls it into Intune.
At the end of the lab there should be 3 devices in Entra ID:
• SEA-CL2, Microsoft Entra hybrid joined
• SEA-WS1, Microsoft Entra joined
• SEA-WS2, Microsoft Entra joined
And 2 devices in Intune:
• SEA-WS1
• SEA-WS2
Module: Maintain user profiles
Demo Hint: conflict using a device restrictions template, start menu, show video on start menu.
Module: Execute mobile application management
WIP Retirement
Note that Windows Information Protection has been retired in favour of Purview.
Module: Protect identities in Azure Active Directory
Per-User MFA
"To secure user sign-in events in Microsoft Entra ID, you can require Microsoft Entra multifactor authentication (MFA). The best way to protect users with Microsoft Entra MFA is to create a Conditional Access policy. Conditional Access is a Microsoft Entra ID P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios."
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
For Microsoft Entra ID Free tenants without Conditional Access, you can use security defaults to protect users.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults
SMS-based authentication
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin
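Added example (my own code, not Microsoft's): it reports whether MFA is enforced through security defaults or through Conditional Access, which is the first thing to check before touching per-user MFA or SMS sign-in. It assumes the Microsoft.Graph module and a Policy.Read.All consent; the function name is mine.

```powershell
# Added example: report how MFA is actually enforced in the tenant
# (security defaults vs. Conditional Access). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.Read.All"

function Get-MfaEnforcementSummary {
    $defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $policies = Get-MgIdentityConditionalAccessPolicy -All

    # A policy counts as an MFA policy when its grant controls include the built-in 'mfa' control
    $mfaPolicies = $policies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
    $enforced    = $mfaPolicies | Where-Object State -eq 'enabled'
    $reportOnly  = $mfaPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced'

    # Security defaults and Conditional Access are mutually exclusive, so the verdict
    # depends on which of the two the tenant is using.
    $verdict = $(
        if ($defaults.IsEnabled) { 'Security defaults on; Conditional Access policies cannot be enabled' }
        elseif (@($enforced).Count -eq 0) { 'No enforced MFA policy; only per-user MFA (if any) protects sign-ins' }
        else { 'MFA enforced through Conditional Access' }
    )

    [pscustomobject]@{
        SecurityDefaultsEnabled = [bool]$defaults.IsEnabled
        EnforcedMfaPolicies     = @($enforced).Count
        ReportOnlyMfaPolicies   = @($reportOnly).Count
        EnforcedMfaPolicyNames  = @($enforced.DisplayName)
        Verdict                 = $verdict
    }
}

Get-MfaEnforcementSummary
```

On a fresh lab tenant you would expect SecurityDefaultsEnabled to be true and zero policies; once you build the Conditional Access policy in the labs the verdict flips, which is a good moment to show that per-user MFA and Conditional Access are separate mechanisms.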
Practice Lab: Configuring self-service password reset (0502)
Links
The direct URL for the password reset page is https://passwordreset.microsoftonline.com/
Module: Implement device compliance
The combination of Compliance Policies and Conditional Access Policies does include automatic remediation. For example, screen lock timeout.
https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#reference-for-non-compliance-and-conditional-access-on-the-different-platforms
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide#understand-the-conditional-access-flow
Practice Lab: Configuring and validating device compliance (0503)
Exercise 2
What we are demonstrating is that users cannot connect to Exchange Online from SEA-WS3 because it is not enrolled and thus noncompliant.
The lab doesn't do a good job of explaining what we will see. On SEA-WS3, Microsoft Edge will just continually ask us to sign on. It will not give any "you can't get there from here" message.
Additional Lab Steps
At the end of exercise 2, task 2: Switch to the Microsoft Intune admin center. Navigate to Users, Sign-in logs (in the top section), User sign-ins (interactive) tab. Select the Add filters link, choose Status. Select the Status link, select Failure. Select the log entries relevant to the sign-in denied by the Conditional Access policy.
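The same check from PowerShell, as an added example (my own code, not the lab's): it pulls the lab user's recent sign-ins and keeps those Conditional Access blocked, showing the device compliance state and the policy that failed. It assumes the Microsoft.Graph module with AuditLog.Read.All and Directory.Read.All consent; the UPN is a placeholder.

```powershell
# Added example: list the lab user's sign-ins that Conditional Access blocked,
# with the device compliance state and the policy that failed.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

function Get-ConditionalAccessFailures {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Hours = 24
    )
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Filter server-side on the indexed properties; refine the rest in the pipeline
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    Get-MgAuditLogSignIn -Filter $filter -All |
        Where-Object { $_.ConditionalAccessStatus -eq 'failure' } |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.CreatedDateTime
                App           = $_.AppDisplayName
                Device        = $_.DeviceDetail.DisplayName
                Compliant     = $_.DeviceDetail.IsCompliant
                ErrorCode     = $_.Status.ErrorCode
                FailureReason = $_.Status.FailureReason
                FailedPolicy  = ($_.AppliedConditionalAccessPolicies |
                                 Where-Object Result -eq 'failure' |
                                 Select-Object -ExpandProperty DisplayName) -join '; '
            }
        }
}

# PLACEHOLDER UPN for the lab user signing in from SEA-WS3
Get-ConditionalAccessFailures -UserPrincipalName 'user@contoso.example' | Format-Table -AutoSize
```

For the SEA-WS3 attempts you should see Compliant set to false, the compliance policy from this lab as the FailedPolicy, and typically error code 53000 (DeviceNotCompliant), which is the message the portal's Failure filter is showing you.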
Practice Lab: Configuring Disk Encryption Using Intune (0602)
https://www.reddit.com/r/Intune/comments/su26vw/cant_get_the_disk_encryption_profile_working/
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices
Module: Assess deployment readiness
Microsoft Assessment and Planning Toolkit
https://www.microsoft.com/en-nz/download/details.aspx?id=7826
Practice Lab: Deploying Windows 11 using Microsoft Deployment Toolkit
"Windows 10"
Note that MDT names the Windows 11 operating system "Windows 10 Enterprise Evaluation in Windows 11 Enterprise x64 install.wim" (with a description of "Windows 10 Enterprise Evaluation").
Feel free to rename it if you want, it won't affect the lab.
I have no idea why it does this. I think it is an MDT issue. After all, MDT is getting old now (the current version, 8456, was released on 25th January 2019).
The install.wim on the Win11_21H2_Eval.iso is correctly labelled "Windows 11 Enterprise Evaluation" (shown by dism.exe /get-imageinfo).
Double-slashes
Several instructions have doubled-up backslashes (escape codes in the Markdown). Replace these with single backslashes.
Task 2, Step 4: Replace "F:\\" with "F:\".
Task 3, Step 5: Replace "E:\\Labfiles\\Apps" with "E:\Labfiles\Apps".
Module: Deploy Devices using Windows Autopilot
Note that Autopilot will not work on a Home Edition machine.
https://learn.microsoft.com/en-us/autopilot/software-requirements#software-requirements
Module: Implement dynamic deployment methods
Provisioning Package, joining to Entra ID
Creating a BPRT token requires the existence of a particular service principal.
Connect-MgGraph -Scopes "Directory.ReadWrite.All,Application.ReadWrite.All"
# Create it only if it is missing; -Tags takes a string array, not a script block
if (-not (Get-MgServicePrincipal -Filter "appId eq '00000014-0000-0000-c000-000000000000'")) {
    New-MgServicePrincipal -AccountEnabled -AppId 00000014-0000-0000-c000-000000000000 -DisplayName Microsoft.Azure.SyncFabric -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
}
https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
https://aadinternals.com/post/bprt/
Practice Lab: Deploying Windows with Autopilot (0801)
Important Note
The note in the lab is incorrect. This lab can be done (I've done it on SEA-WS3, SEA-WS4, and SEA-W10-CL3) - it is the next lab (the self-deploying option) that won't work with virtual machines.
Task 3, Step 6
You must wait for the machine to appear in the list (click Refresh every minute or so).
Task 3, Step 18
You must wait for the profile to show "Yes" in the Assigned column (click Refresh every minute or so).
Retrieving a list of Autopilot machines
Run this after uploading the Autopilot CSV file.
# Using the Microsoft.Graph PowerShell module:
Connect-MgGraph -Scopes "Device.Read.All"
Get-MgDevice -All | Format-List DisplayName, PhysicalIds
# Autopilot-registered devices carry a [ZTDID] entry in PhysicalIds
Get-MgDevice -All | Sort-Object DisplayName | ForEach-Object {
    $PSItem.DisplayName
    $PSItem | Select-Object -ExpandProperty PhysicalIds
    "-----"
}
Delivery Suggestion
Preprovisioned deployment.
https://learn.microsoft.com/en-us/autopilot/pre-provision
Practice Lab: Refreshing Windows with Autopilot Reset and Self-Deploying mode (0802)
This lab can't be completed
"If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported)."
From https://learn.microsoft.com/en-us/mem/autopilot/self-deploying
I have seen the lab appear to work fine on SEA-WS4 (the Hyper-V guest machine inside SEA-SVR2), but in those cases the machine actually deployed using the user-driven profile created in the previous lab.
Module: Plan a transition to modern endpoint management
Co-Management
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview
Module: Manage Windows 365
Microsoft Mechanics: https://www.youtube.com/watch?v=elLNBGEw_T4
John Savill's Deep Dive: https://www.youtube.com/watch?v=EHV9Z4it-c8
Module: Manage Azure Virtual Desktop
Demo Hint: Start a VM to warm up the NAT Gateway.
Azure Lighthouse
John Savill's Deep Dive: https://www.youtube.com/watch?v=IrqkHOPFktM