Course MD-102



Practice Lab: Managing Identities in Azure AD (0101)

Workforce

Why does it say "Contoso - Microsoft Entra ID for Workforce" at the top of some of the pages? Because there are two types of tenant - Workforce (your employees and internal apps) and Customer (your customers and customer-facing apps).
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-supported-features-customers

Licensing information in PowerShell

# Requires the Microsoft.Graph PowerShell module; sign in with a scope that can read users and licence assignments
Connect-MgGraph -Scopes "User.Read.All"
# Filter server-side: a bare Get-MgUser returns only the first page of users, so a client-side Where-Object can miss the account
$user = Get-MgUser -Filter "displayName eq 'Cody Godinez'"
# Lists the SKUs and the individual service plans assigned to that user
Get-MgUserLicenseDetail -UserId $user.Id

# Licence view across all users. LicenseDetails is a relationship, not a selectable property, so it is not requested here; use Get-MgUserLicenseDetail for that.
Get-MgUser -All -Property DisplayName, UserPrincipalName, AssignedLicenses, AssignedPlans, LicenseAssignmentStates | Select-Object DisplayName, UserPrincipalName, AssignedLicenses, AssignedPlans, LicenseAssignmentStates

 

Practice Lab: Synchronizing Identities by using Microsoft Entra Connect (0102)

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-quick-start#roll-out-the-feature


Practice Lab: Configuring and managing Azure AD Join (0201)

Ex 1, Task 2 - Join SEA-WS1 to Azure AD as JoniS.
Ex 1, Task 5 - Disconnect SEA-WS1 from Azure AD.
Ex 2, Task 4 - Join SEA-CL2 to Azure AD using Hybrid Join.

At the end of the lab there should be 1 device in Azure AD:
• SEA-CL2, Hybrid Azure AD joined

 

Module: Execute device profiles

Scheduled Tasks, Synchronising from a script

https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/

 

Practice Lab: Manage Azure AD device registration (0202)

Ex 1, Task 2 - Connect SEA-WS1 to Azure AD as JoniS.
Ex 1, Task 4 - Disconnect SEA-WS1 from Azure AD.

At the end of the lab there should be 1 device in Azure AD:
• SEA-CL2, Hybrid Azure AD joined

 

Practice Lab: Enrolling devices into Microsoft Intune (0204)

Task 1 - Join SEA-WS1 to Azure AD as Aaron (a synced account). This also enrolls it into Intune.

At the end of the lab there should be 2 devices in Azure AD:
• SEA-CL2, Hybrid Azure AD joined
• SEA-WS1, Azure AD joined
And 1 device in Intune:
• SEA-WS1

Additional Lab Steps

Maybe enable Endpoint Analytics now?
https://learn.microsoft.com/en-us/mem/analytics/enroll-intune


Module: Execute device profiles

What is a scope tag? It is a way to provide admins with a filtered view of Intune objects.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags

 

Practice Lab: Using a Configuration Profile to configure Kiosk mode (0302)

Ex 1, Task 1 - Join SEA-WS2 to Azure AD as AllanD. This also enrolls it into Intune.

At the end of the lab there should be 3 devices in Azure AD:
• SEA-CL2, Hybrid Azure AD joined
• SEA-WS1, Azure AD joined
• SEA-WS2, Azure AD joined
And 2 devices in Intune:
• SEA-WS1
• SEA-WS2
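The "at the end of the lab there should be ..." lists above (labs 0201, 0202, 0204 and 0302) can be checked from PowerShell instead of clicking through the portal. This is an added example, not part of the lab materials; it assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can read devices and Intune managed devices.

```powershell
# Added example (not from the lab): cross-check the expected device state at the end of a lab.
# Assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.DeviceManagement modules.
Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All"

# Azure AD devices: TrustType records how the device was joined
#   ServerAd  = Hybrid Azure AD joined (on-prem domain join, synced by Azure AD Connect)
#   AzureAd   = Azure AD joined
#   Workplace = Azure AD registered (a registration, not a join)
$joinType = @{
    ServerAd  = 'Hybrid Azure AD joined'
    AzureAd   = 'Azure AD joined'
    Workplace = 'Azure AD registered'
}

"== Devices in Azure AD =="
Get-MgDevice -All | Sort-Object DisplayName | ForEach-Object {
    [PSCustomObject]@{
        Name      = $_.DisplayName
        Join      = $joinType[$_.TrustType]
        Managed   = $_.IsManaged        # True once an MDM (Intune) manages the device
        Compliant = $_.IsCompliant
        OS        = "$($_.OperatingSystem) $($_.OperatingSystemVersion)"
    }
} | Format-Table -AutoSize

# Intune-enrolled devices; for the lab VMs these should be the Managed = True rows above
"== Devices in Intune =="
Get-MgDeviceManagementManagedDevice -All | Sort-Object DeviceName |
    Select-Object DeviceName, EnrolledDateTime, ComplianceState, ManagementAgent |
    Format-Table -AutoSize
```

After lab 0302 the first table should show SEA-CL2 as Hybrid Azure AD joined and SEA-WS1 and SEA-WS2 as Azure AD joined, and the second table should list SEA-WS1 and SEA-WS2 only.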

 

Module: Maintain user profiles

Demo Hint: conflict using a device restrictions template, start menu, show video on start menu.

 

Module: Execute mobile application management

WIP Retirement

Note that Windows Information Protection has been retired in favour of Microsoft Purview.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282

https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

 

Module: Protect identities in Azure Active Directory

Per-User MFA

"To secure user sign-in events in Azure AD, you can require multi-factor authentication (MFA). Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios."
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

If you only have Azure AD Basic then you should use Security Defaults.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults

 

Practice Lab: Configuring Multi-factor Authentication

Given that the security defaults are on by default (see the previous section) you'll probably find that MFA is already enabled for Aaron, and we've been using it already for three days.

 

Practice Lab: Configuring self-service password reset (0502)

Links

The direct URL for the password reset page is https://passwordreset.microsoftonline.com/

Task 2, Step 14

Do not select the Write back passwords with Azure AD Connect cloud sync checkbox. The lab uses an ADConnect agent, not a sync agent.

 

Module: Implement device compliance

The combination of Compliance Policies and Conditional Access Policies does include automatic remediation. For example, screen lock timeout.

https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#reference-for-non-compliance-and-conditional-access-on-the-different-platforms
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide#understand-the-conditional-access-flow

 

Practice Lab: Configuring and validating device compliance (0503)

Exercise 2

What we are demonstrating is that users cannot connect to Exchange Online from SEA-WS3 because it is not enrolled and thus noncompliant.

The lab doesn't do a good job of explaining what we will see. On SEA-WS3, Microsoft Edge will just continually ask us to sign on. It will not give any "you can't get there from here" message.

Additional Lab Steps

At the end of exercise 2, task 2: Switch to the Microsoft Intune admin center. Navigate to Users, Sign-in logs (in the top section), User sign-ins (interactive) tab. Select the Add filters link, choose Status. Select the Status link, select Failure. Select the log entries for the sign-ins that the conditional access policy denied.
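The same sign-in log filter can be pulled from PowerShell, which is handy because Edge on SEA-WS3 gives no useful error. This is an added example, not part of the lab; it assumes the Microsoft.Graph.Reports module is installed, that the account can read sign-in logs, and that `conditionalAccessStatus` and `createdDateTime` are accepted in the Graph `$filter` for sign-ins (which they are in current Graph documentation).

```powershell
# Added example (not from the lab): list interactive sign-ins that a Conditional Access policy blocked.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Only the last few hours, as the UTC timestamp format Graph expects
$since = (Get-Date).ToUniversalTime().AddHours(-6).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter: conditionalAccessStatus 'failure' means a policy evaluated and blocked the sign-in
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'"

$rows = foreach ($s in $signIns) {
    # Several policies can apply to one sign-in; keep only those whose result was 'failure'
    $blocking = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
    [PSCustomObject]@{
        When      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        App       = $s.AppDisplayName
        Device    = $s.DeviceDetail.DisplayName
        Compliant = $s.DeviceDetail.IsCompliant   # False/empty for the unenrolled SEA-WS3
        ErrorCode = $s.Status.ErrorCode           # 53000 = AADSTS device not compliant
        Reason    = $s.Status.FailureReason
        Policies  = ($blocking.DisplayName -join '; ')
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize
```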

 

Practice Lab: Configuring Disk Encryption Using Intune (0602)

https://www.reddit.com/r/Intune/comments/su26vw/cant_get_the_disk_encryption_profile_working/
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices

 

Module: Assess deployment readiness

Microsoft Assessment and Planning Toolkit
https://www.microsoft.com/en-nz/download/details.aspx?id=7826

 

Practice Lab: Deploying Windows 11 using Microsoft Deployment Toolkit

"Windows 10"

Note that MDT names the Windows 11 operating system "Windows 10 Enterprise Evaluation in Windows 11 Enterprise x64 install.wim" (with a description of "Windows 10 Enterprise Evaluation").

Feel free to rename it if you want, it won't affect the lab.

I have no idea why it does this. I think it is an MDT issue. After all, MDT is getting old now (the current version, 8456, was released on 25th January 2019).

The install.wim on the Win11_21H2_Eval.iso is correctly labelled "Windows 11 Enterprise Evaluation" (shown by dism.exe /get-imageinfo).

Double-slashes

Several instructions have doubled-up backslashes (escape codes in the Markdown). Replace these with single backslashes.

Task 2, Step 4: Replace "F:\\" with "F:\".

Task 3, Step 5: Replace "E:\\Labfiles\\Apps" with "E:\Labfiles\Apps".

 

Deploy Devices using Windows Autopilot

Note that Autopilot will not work on a Home Edition machine.
https://learn.microsoft.com/en-us/autopilot/software-requirements#software-requirements

 

Practice Lab: Deploying Windows with Autopilot (0801)

Important Note

The note in the lab is incorrect. This lab can be done (I've done it on SEA-WS3, SEA-WS4, and SEA-W10-CL3) - it is the next lab (the self-deploying option) that won't work with virtual machines.

Task 3, Step 6

You must wait for the machine to appear in the list (click Refresh every minute or so).

Task 3, Step 18

You must wait for the profile to show "Yes" in the Assigned column (click Refresh every minute or so).

Retrieving a list of Autopilot machines

Run this after uploading the Autopilot CSV file:

# Using the Microsoft.Graph PowerShell module (Connect-Graph is an alias of Connect-MgGraph):
Connect-MgGraph -Scopes "Device.Read.All"
# Autopilot registrations show up in the device's PhysicalIds (for example the [ZTDId] entry)
Get-MgDevice -All | Format-List DisplayName, PhysicalIds
# One block per device: the name, then each physical id on its own line
Get-MgDevice -All | Sort-Object DisplayName | ForEach-Object { $PSItem.DisplayName; $PSItem | Select-Object -ExpandProperty PhysicalIds; "`n" }

 

Practice Lab: Refreshing Windows with Autopilot Reset and Self-Deploying mode (0802)

This lab can't be completed

"If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported)."
From https://learn.microsoft.com/en-us/mem/autopilot/self-deploying

I have seen the lab appear to work fine on SEA-WS4 (the Hyper-V guest machine inside SEA-SVR2), but in those cases the machine actually deployed using the user-driven profile created in the previous lab.

 

Module: Plan a transition to modern endpoint management

Co-Management

https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

 

Module: Manage Windows 365

Microsoft Mechanics: https://www.youtube.com/watch?v=elLNBGEw_T4

John Savill's Deep Dive: https://www.youtube.com/watch?v=EHV9Z4it-c8

 

Module: Manage Azure Virtual Desktop

"We're no longer updating the Remote Desktop app for Windows with new features and support for Azure Virtual Desktop will be removed in the future."
From https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows#add-a-remote-resource

 

Azure Lighthouse

John Savill's Deep Dive: https://www.youtube.com/watch?v=IrqkHOPFktM