
BRK3266

Mirko Colemberg
Principal Consultant - baseVISION
com@basevision.ch
• Configuration Manager consultant, also Azure EMS
• MVP Speaker, exam prep sessions for Windows 10, Azure, and EMS
• Microsoft Certified Trainer since 2010
• Active in Devices and Mobility community
• From Switzerland
• Blog: http://configmgr.ch
• Interesting Fact: I Brew Beer
@mirkocolemberg

Alfred Ojukwu
Senior Consultant - Microsoft
alojukwu@microsoft.com
• Mobility Consultant with Microsoft Consulting Services (MCS)
• Certified Trainer – MCT - Mobility
• 20+ Years in IT Administration
• WW Community Lead, Devices and Mobility
• Extensive involvement with Internal and External Readiness
• Blog: http://thedevicepros.com
• Interesting Fact: Grew up in Hawaii
@alojukwu
Session Objectives And Takeaways
Exam 70-697 objective domains and their weightings:
• Manage Identity (13%)
• Plan desktop and device deployment (13%)
• Plan and implement a Microsoft Intune device management solution (11%)
• Configure networking (11%)
• Configure storage (10%)
• Manage data access and protection (11%)
• Manage remote access (10%)
• Manage apps (11%)
• Manage updates and recovery (10%)
https://www.youtube.com/watch?v=8Cw9l98ci1w
Known devices in Azure AD
• AD supports two categories of known devices:
  • Company-owned device: Domain joined; Cloud Domain joined
  • Personal device: Work accounts (Windows 10); Workplace joined (Windows 7, 8.1)
• Known devices have an identity and are:
  • represented in AD using device objects
  • issued a unique AD-assigned ‘device identifier’ and device certificate
  • authenticated by AD when used to access AD-secured resources

Diagram (flow between the parties): the IT admin configures device management policies in MDM and conditional access policies in Azure AD; MDM evaluates and enforces compliance with the device management policies for users on their devices and reports device compliance to Azure AD; Azure AD applies conditional access control to cloud apps, and on-premises Server AD & ADFS (kept in sync with Azure AD via AD Sync) apply conditional access control to on-premises apps.
Add an Appx package (provisioned into the image for all users):

Add-AppxProvisionedPackage -Online -FolderPath C:\Appx

Get all appx packages installed for all users:

Get-AppxPackage -AllUsers

Get all appx packages installed for a specific user:

Get-AppxPackage -User domain\username

Get the manifest, including the package ID, of an app:

Get-AppxPackageManifest -Package Package1
Sideloading apps: there is some new stuff in 1607 (sidenote).
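The cmdlets above list packages; what an administrator usually wants is to know which of them were sideloaded. The following is an added example (not from the session): it walks the packages for all users, skips everything Store- or system-signed, and pulls the declared capabilities out of each remaining manifest. The output object shape and the use of SignatureKind as the "did this come from the Store" test are my own choices; it assumes Windows 10 with the Appx module.

```powershell
# Added example: audit installed Appx packages and flag anything that did not
# come from the Store (sideloaded or developer-signed), with its capabilities.
function Get-SideloadedAppx {
    param([switch]$AllUsers)

    $packages = if ($AllUsers) { Get-AppxPackage -AllUsers } else { Get-AppxPackage }

    foreach ($pkg in $packages) {
        # SignatureKind is None / Developer / Enterprise / Store / System.
        # Store and System packages are what Windows and the Store install;
        # everything else reached the machine some other way.
        if ($pkg.SignatureKind -in 'Store', 'System') { continue }

        $capabilities = @()
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
            # Capabilities sit under Package/Capabilities as Capability,
            # rescap:Capability or DeviceCapability elements, each with a Name.
            $capabilities = @($manifest.Package.Capabilities.ChildNodes |
                Where-Object { $_ -is [System.Xml.XmlElement] } |
                ForEach-Object { $_.GetAttribute('Name') })
        } catch {
            $capabilities = @("manifest unreadable: $($_.Exception.Message)")
        }

        [pscustomobject]@{
            Name          = $pkg.Name
            Version       = $pkg.Version
            Publisher     = $pkg.Publisher
            SignatureKind = $pkg.SignatureKind
            Location      = $pkg.InstallLocation
            Capabilities  = ($capabilities -join ', ')
        }
    }
}

# Anything signed Developer/None that you did not sideload deliberately, or
# that asks for runFullTrust or broadFileSystemAccess, deserves a closer look.
Get-SideloadedAppx -AllUsers |
    Sort-Object SignatureKind, Name |
    Format-Table Name, SignatureKind, Publisher, Capabilities -AutoSize
```

Run it elevated when using -AllUsers; manifests of packages that are registered for other users but not for you may be unreadable, which the try/catch reports instead of aborting the audit.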
Not Joined: user-provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information.

Workplace Joined: registered devices are "known" and device authentication allows IT to provide conditional access to corporate information.

Domain Joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.

Browser-session SSO

Seamless 2F Auth

Enterprise app SSO

Desktop SSO
Create a TPM virtual smart card:

tpmvscmgr.exe create /name tpmvsc /pin default /adminkey random /generate

Note: /pin default sets the user PIN to 12345678, so change it before use; /adminkey random generates an admin key that is never shown to you, so the card cannot be unblocked or administered afterwards (fine for a demo, use /adminkey prompt or a key you manage for production); /generate creates the card's file system so a certificate can be enrolled onto it.
The USMT Process

Note: the user must log on and log off for the changes to be saved.

ScanState syntax (migration store path): \\migserver\usmt\store

LoadState syntax (migration store path): \\migserver\usmt\store
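The ScanState and LoadState calls behind the two syntax slides, as an added example that is not part of the session material. It uses the store path from the slide; the USMT install path, log directory and key file are assumptions. The point a practitioner should take from it is that the store on \\migserver holds users' documents and registry hives, so it is written encrypted with a key file rather than in the clear on the share, and local accounts are not silently re-enabled on the destination.

```powershell
# Added example: capture a user state with ScanState and restore it with
# LoadState, keeping the migration store encrypted on the share.
$Usmt    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'  # assumed ADK path
$Store   = '\\migserver\usmt\store'   # from the slide
$KeyFile = 'C:\USMT\storekey.txt'     # assumed; text file with the key, kept off the share and ACLed to the migration account
$LogDir  = 'C:\USMT\logs'             # assumed
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# ScanState on the source machine: migrate application settings (migapp.xml)
# and documents (migdocs.xml), skip local accounts (/ue:<computer>\*) and
# domain accounts unused for 90 days (/uel:90), overwrite an old store (/o),
# continue on non-fatal errors (/c), and encrypt the store with the key file.
$scanArgs = @(
    $Store
    "/i:$Usmt\migapp.xml", "/i:$Usmt\migdocs.xml"
    '/o', '/c', '/v:13', "/l:$LogDir\scan.log", "/progress:$LogDir\scan_progress.log"
    '/uel:90', "/ue:$env:COMPUTERNAME\*"
    '/encrypt', "/keyfile:$KeyFile"
)
& "$Usmt\scanstate.exe" @scanArgs
if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE, see $LogDir\scan.log" }

# LoadState on the destination: same XML files, same key. /lac creates any
# migrated local accounts in the disabled state; do not add /lae until those
# accounts have been reviewed.
$loadArgs = @(
    $Store
    "/i:$Usmt\migapp.xml", "/i:$Usmt\migdocs.xml"
    '/c', '/v:13', "/l:$LogDir\load.log", "/progress:$LogDir\load_progress.log"
    '/lac'
    '/decrypt', "/keyfile:$KeyFile"
)
& "$Usmt\loadstate.exe" @loadArgs
if ($LASTEXITCODE -ne 0) { throw "loadstate failed with exit code $LASTEXITCODE, see $LogDir\load.log" }
```

Both halves run elevated, ScanState on the old machine and LoadState on the new one; /encrypt cannot be combined with /nocompress, and the same key file must be reachable from both sides.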
Hyper-V virtual switch types

Private: the virtual switch connects only the virtual machines; the Windows 10 host has no virtual network adapter on it, so the VMs can talk to each other but not to the host or to the physical network.

Internal: the virtual switch connects the virtual machines and a virtual network adapter on the Windows 10 host, so host and VMs each have an IP on it; traffic leaves the host only if you route or share it, for example with ICS.

External: the virtual switch is bound to the physical network adapter, so the VMs sit directly on the physical network; the physical adapter itself carries no IP, and the host gets its address through a virtual network adapter on the switch.

Legend of the diagram: physical network adapter, virtual network adapter, virtual switch; "IP" / "No IP" marks which adapters carry an address.
https://technet.microsoft.com/library/dn985838.aspx
Alfred Ojukwu






Users > Policies > Administrative Templates > Windows Components > Work Folders
Work Folders server discovery (as drawn for joe@contoso.com):
1. Client resolves a standard URL: https://workfolders.contoso.com
2. DNS returns a server address for discovery (Sync1)
3. Client sends a discovery request to that server
4. Server retrieves the user property msDS-SyncServerURL (Sync3)
5. Client receives and stores its sync server URL for use in all future sync sessions
6. Client syncs with the designated server
https://portal.manage.microsoft.com
Platforms: Windows Phone, iOS, Android

Managing Clients using Intune Policies
Overview
• Application deployment is managed via the Microsoft Intune Software Publisher
• All applications that are deployed must be packaged and uploaded to Microsoft Intune

Installation Types
• Software Installer – use for:
  • Installation via the Company Portal
  • Installation on mobile devices that bypass the app store (sideloading)
  • Applications deployed to devices that run the Intune computer client
• External Link – use for:
  • URLs that let users download applications from an online store
  • Links to a web-based application that runs from the web browser
• Managed iOS App from App Store – use to:
  • Manage and deploy iOS applications that are free of charge from the iOS App Store

Deployment Types
Apps are deployed to user or device groups as required or available:
• Required – apps are targeted to users or devices
• Available – apps are deployed to the user in the Company Portal app

How each app type shows up (Windows Phone vs. Windows, Required vs. Available):
• Side-loaded app (LOB)
  • Windows Phone, Required: Windows Phone 8.1 – app appears in the Apps hub in the Company Portal; Windows Phone 8 – not supported
  • Windows Phone, Available: app appears in the Apps hub in the Company Portal (Windows Phone 8 and Windows Phone 8.1 apps)
  • Windows, Required: pushed directly to the device
  • Windows, Available: app appears in the Apps hub in the Company Portal
• Unmanaged App Store app (deep link)
  • Windows Phone, Required: not supported
  • Windows Phone, Available: app appears in the Apps hub in the Company Portal
  • Windows, Required: not supported
  • Windows, Available: app appears in the Apps hub in the Company Portal
• Managed App Store app
  • Does not apply to Windows Phone apps and does not exist for Windows apps (neither Required nor Available)
• Web app
  • Windows Phone, Required: Windows Phone 8.1 – not supported; Windows Phone 8 – web app is launched within the Company Portal
  • Windows Phone, Available: app appears in the Apps hub in the Company Portal
  • Windows, Required: shortcut to the web app pushed directly to the device
  • Windows, Available: app appears in the Apps hub in the Company Portal
When an application wants to establish communications with an application on a remote host, it creates a TCP or UDP socket.

TCP/IP Protocol Suite (layered, top down)
• Application: HTTPS (443), SNMP (161), POP3 (110), SMTP (25), HTTP (80), DNS (53), FTP (21)
• Transport: TCP, UDP
• Internet: IPv4, IPv6
• Link: Ethernet
More Commands
Ping
Ipconfig /all
Tracert
Netstat
Netsh
Nslookup
Using Windows PowerShell to Manage Network Settings

PowerShell cmdlet                       Command-line equivalent
Test-Connection                         ping
Get-NetIPConfiguration                  ipconfig
Get-NetRoute                            route print
New-SmbMapping                          net use
Get-NetTCPConnection                    netstat
New-NetFirewallRule                     netsh advfirewall firewall add rule
Get-NetIPAddress, Get-NetIPv4Protocol   netsh interface ipv4 show addresses / show global
What You Can Do:
• Connect to a wireless network
• Manage preferred wireless networks
• Connect to suggested open hotspots (Wi-Fi Sense)
• Share network settings with contacts (Wi-Fi Sense; this hands your Wi-Fi credentials to other people's devices, so consider disabling it by policy for corporate networks)
• Connect to paid Wi-Fi services

Steps to managing a preferred network:
1. Open the Settings app.
2. Click Network & Internet, and then click Wi-Fi.
3. On the Wi-Fi page, click Manage Wi-Fi Settings.
4. At the bottom of the page, beneath Manage Known Networks, click the network you want to manage.
5. Click Share or Forget The Network.
Key Points to Remember:
• Inbound/Outbound Rules
• Connection Security Rules
• Monitoring
• Connection Security rules are only rules about how traffic is authenticated and encrypted with IPsec; they do not allow or block anything by themselves, so matching inbound/outbound rules are still needed.
Exam Tips
• Different types of Wi-Fi authentication.
• Fill in the blanks (word bank: netsh, advfirewall, firewall, allow, configure, enable):
  ______ ______ ______ add rule name="My Application" dir=in action=______ program="C:\MyApp\MyApp.exe" ______=yes
  Answer: netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
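The cmdlet equivalents from the table above (Get-NetTCPConnection for netstat, New-NetFirewallRule for netsh advfirewall) and the exam's "My Application" rule, worked as an added example that is not part of the session. The netsh line in the exam tip allows the program on every profile from any remote address; the example first shows what is actually listening and which process owns it, then creates the rule in a scoped form, and finally reads the scope back, because the rule object alone does not show program, port or address. The program path, port and profile are assumptions.

```powershell
# Added example: netstat-style listener audit, then a scoped version of the
# exam's "My Application" rule, then verification of what was created.
function Get-ListeningEndpoint {
    # netstat -ano equivalent for listeners, joined to the owning process.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($p) { $p.ProcessName } else { '?' }
            Path         = if ($p) { $p.Path } else { $null }
        }
    } | Sort-Object LocalPort
}

# Exam answer and its cmdlet twin (allows from anywhere, on every profile):
#   netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
function New-MyAppRule {
    param(
        [string]$Program = 'C:\MyApp\MyApp.exe',   # path from the exam tip
        [int]$Port = 8443,                          # assumed listening port
        [switch]$WideOpen
    )
    if ($WideOpen) {
        return New-NetFirewallRule -DisplayName 'My Application' -Direction Inbound `
            -Action Allow -Program $Program -Enabled True
    }
    # Scoped form: domain profile only, local subnet only, one TCP port.
    New-NetFirewallRule -DisplayName 'My Application (scoped)' -Direction Inbound `
        -Action Allow -Program $Program -Protocol TCP -LocalPort $Port `
        -Profile Domain -RemoteAddress LocalSubnet -Enabled True
}

function Show-RuleScope {
    # Program, port and address live in filter objects tied to the rule.
    param([string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    [pscustomobject]@{
        Name    = $rule.DisplayName
        Profile = $rule.Profile
        Program = ($rule | Get-NetFirewallApplicationFilter).Program
        Port    = ($rule | Get-NetFirewallPortFilter).LocalPort
        Remote  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

Get-ListeningEndpoint | Format-Table -AutoSize
New-MyAppRule | Out-Null
Show-RuleScope -DisplayName 'My Application (scoped)'
```

Creating rules needs an elevated prompt. Before allowing a program inbound, check the listener list: if the application does not actually listen on the port you open, the rule is dead weight, and if something else is listening there the rule exposes that instead.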
• DFS Namespaces (DFS-N)
• DFS Replication (DFS-R)
• Remote Differential Compression (RDC)
• Link
• Target
• Link referral
• Root referral
• Referral caches

Significantly overhauled with Windows Server 2012


VPN Protocols
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP/IPsec)
• Secure Socket Tunneling Protocol (SSTP)
• Internet Key Exchange version 2 (IKEv2)
Common Authentication Protocols
• EAP-MS-CHAPv2
• PAP
• CHAP
• MS-CHAP v2
Note: know how to create a VPN connection. For the exam all of the above count; for anything you deploy, PAP sends the password in the clear and PPTP with MS-CHAP v2 is considered broken, so prefer IKEv2 or SSTP with certificate-based (EAP-TLS) or at least EAP-protected authentication.
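Creating the VPN connection the note asks about, as an added example that is not part of the session. The commented-out call shows the legacy PPTP/PAP shape for contrast; the function builds an IKEv2 connection authenticated with a machine certificate and pins the IPsec proposal so the client cannot be negotiated down to 3DES/SHA1/DH group 2. The server name and connection name are assumptions.

```powershell
# Added example: legacy VPN shape (do not ship) next to a hardened IKEv2
# connection with a pinned IPsec proposal.
$Server = 'vpn.contoso.com'   # assumed

# Legacy shape, for contrast only: PPTP tunnel, password sent with PAP.
# Add-VpnConnection -Name 'Legacy VPN' -ServerAddress $Server -TunnelType Pptp -AuthenticationMethod Pap

function New-HardenedVpn {
    param(
        [string]$Name = 'Contoso VPN',        # assumed
        [string]$ServerAddress = $Server
    )

    # IKEv2 with machine-certificate authentication: no user password in the
    # exchange, and the tunnel only comes up if the server presents a
    # certificate the client trusts. -Force skips the confirmation prompt.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required -Force

    # Pin the IPsec proposal: AES-GCM-256 for ESP, AES-256/SHA-256 for IKE,
    # DH group 14 and PFS 2048 instead of the defaults the server may offer.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force

    # Return what was actually written so it can be checked against policy.
    Get-VpnConnection -Name $Name |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
}

New-HardenedVpn
```

The server side has to accept the same proposal and the client machine needs a certificate issued for IKE authentication; without either the connection will fail rather than fall back, which is the intended behaviour.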
Available Power Settings
Require a password on wakeup.
Choose what the power button does.
Choose what closing the lid does.
Create a power plan.
Change when the computer sleeps.

Review Power States


Standby
Hibernate
Hybrid Sleep
Fast Startup
• Scriptable command-line utility:
  • DiskPart /s script runs a DiskPart script
• Run commands from the DiskPart command prompt:
  • list disk displays the disks on a system
  • select disk disknumber selects the disk to manage
  • convert gpt converts the selected disk to GPT format

Cmdlets:
• Get-Disk returns disk objects (pipe one into the cmdlets below to act on it)
• Initialize-Disk prepares a disk for use (for example -PartitionStyle GPT)
• Set-Disk sets disk parameters, such as partition style
Remote desktop options

On-premises:
• Session-based computing: access to session-based desktops and RemoteApp; cost-effective, easy to manage
• Virtual Desktop Infrastructure: access to pooled or personal virtual desktops running a Windows client OS; high performance, app compatibility

In cloud:
• RDS on IaaS: Remote Desktop Session Host deployed on cloud infrastructure services; customizable with minimum capital expenditure
• Azure RemoteApp: Windows Server session-based applications delivered from the Azure cloud; turnkey solution, scale without large CAPEX
https://www.remoteapp.windowsazure.com/en/clients.aspx
• Publish Cloud Apps to Users
• Use group policy to control
access to signed packages.
• Supports iOS and Android
• Configure Remote Desktop Web
Access for Azure Distribution

UE-V (User Experience Virtualization)

Identify settings (settings location templates, template catalog location):
• Windows settings
• Desktop applications
• Windows Store app list

Capture settings (the UE-V agent on the desktop, driven by the settings location templates):
• Windows settings
• Registry
• Local files
• Desktop applications
• Windows Store apps

Synchronize settings: captured settings are written to settings packages and synchronized on event triggers between the UE-V client and the settings storage location (a server share).

Apply settings (from the settings storage location):
• Windows settings
• Desktop applications
• Windows Store apps
Scenario 1: Standard deployment – default templates and AD home
AgentSetup.exe /quiet

Scenario 2: Settings storage location – mandatory if AD home


directory isn’t set
AgentSetup.exe /quiet
SettingsStoragePath="\\Server\SettingsShare\%username%"

Scenario 3: VDI deployment


AgentSetup.exe /quiet SyncMethod="None"

Scenario 4: Per user enablement


AgentSetup.exe /quiet EnableSync="False"

Scenario 5: Defer Reboot


AgentSetup.exe /quiet /NoRestart
• Introduced in Windows 8
• Builds History of changes
• Control frequency of backups
• Great solution for remote users.
• A better backup and restore
solution.

Set up your backup


Select the Start button, then select Settings > Update &
security > Backup > Add a drive and choose an external
drive or network location for your backups.


Update Settings and Windows Update Policies

Current Branch (CB)
• New features available immediately after being published
• Minimum length of servicing lifetime is 4 months
• Supported on Windows 10 Home, Pro, Education, and Enterprise SKUs

Current Branch for Business (CBB)
• New feature upgrades available approximately 4 months after being published
• Minimum length of servicing lifetime is 8 months
• Supported on Windows 10 Pro, Education, and Enterprise SKUs

Long-Term Servicing Branch (LTSB)
• No feature upgrades: an LTSB release receives only security and quality updates
• Minimum length of servicing lifetime is 10 years
• Supported on the Windows 10 Enterprise LTSB SKU only

Comparison (CB | CBB | LTSB)
• New feature upgrades for installation: immediately available | deferred by ~4 months | not applicable
• Editions: Windows 10 Home, Pro, Education, Enterprise | Windows 10 Pro, Education, Enterprise | Windows 10 Enterprise LTSB
• Optional deferral: ~4 months | ~8 months | 10 years
• Ongoing installation of new feature upgrades required to receive servicing updates: yes | yes | no
• Supports Windows Server Update Services for release deployment (excludes Home): yes | yes | yes
• Supports Configuration Manager/configuration management systems for release deployment (excludes Home): yes | yes | yes
• Browser: Microsoft Edge, Internet Explorer 11 | Microsoft Edge, Internet Explorer 11 | Internet Explorer 11 only
• System apps: no notable Windows system apps removed | no notable Windows system apps removed | removed: Microsoft Edge, Windows Store client, Cortana (limited search available)
• Universal apps: no notable Windows universal apps removed | no notable Windows universal apps removed | removed: Outlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
Group Policy processing order (each level is applied after the previous one, so on a conflict the later level wins):
1. Local Computer Policy (GPO1)
2. Site (GPO2)
3. Domain (GPO3)
4. OU (GPO4)
5. Child OU (GPO5)
Free suite of tools that includes:
• Application Compatibility Toolkit (ACT)
• Deployment Image Servicing and Management
(DISM)
• Flashing tools
• User State Migration Tool (USMT)
• Volume Activation Management Tool (VAMT)
• Windows Assessment Toolkit
• Windows Imaging and Configuration Designer
(Windows ICD)
• Windows Preinstallation Environment (PE)
• Windows performance tools
• Windows System Image Manager (SIM)
New Windows 10 security features include:
• Device Guard, which blocks execution of applications not authorized by the code integrity policy (unsigned, or not from a trusted publisher)
• Credential Guard, which isolates credentials such as NTLM hashes and Kerberos tickets in a virtualization-based security container, so that the normal OS, and malware running in it even as SYSTEM, cannot read them

Both technologies require:
• UEFI 2.3.1 (with Secure Boot enabled)
• Windows 10 Enterprise edition
• Virtualization processor extensions and SLAT
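Checking whether virtualization-based security, Credential Guard and Device Guard code integrity are configured and actually running, and whether the platform reports the prerequisites above, as an added example that is not from the session. It reads the Win32_DeviceGuard WMI class that ships with Windows 10; the status labels and the cross-check against the LsaIso process are my own.

```powershell
# Added example: report VBS / Credential Guard / HVCI state and the platform
# security properties the firmware and CPU expose.
function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Device Guard code integrity)' }
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # Security properties reported as available / required by the platform.
    $props = @{ 1 = 'Base VBS (virtualization extensions + SLAT)'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

    $describe = {
        param($codes, $map)
        @($codes | ForEach-Object { if ($map[[int]$_]) { $map[[int]$_] } else { "code $_" } }) -join ', '
    }

    [pscustomobject]@{
        VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $describe $dg.SecurityServicesConfigured $services
        ServicesRunning    = & $describe $dg.SecurityServicesRunning $services
        Available          = & $describe $dg.AvailableSecurityProperties $props
        Required           = & $describe $dg.RequiredSecurityProperties $props
        # Credential Guard keeps LSA secrets in the isolated LsaIso.exe process;
        # its presence is a quick cross-check of the WMI answer.
        LsaIsoRunning      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        Edition            = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    }
}

Get-DeviceGuardStatus | Format-List
```

"Configured" without "Running" usually means the reboot after enabling has not happened yet or a prerequisite (Secure Boot, virtualization extensions in firmware) is missing; Available versus Required shows which of the prerequisites the platform actually offers.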
In Review: Session Objectives And Takeaways
https://www.microsoftpressstore.com/store/exam-ref-70-697-configuring-windows-devices-9781509303014
http://myignite.microsoft.com

https://aka.ms/ignite.mobileapp
