Microsoft Intune Cookbook: Over 75 recipes for configuring, managing, and automating your identities, apps, and endpoint devices
About this ebook
Microsoft Intune is a cloud-managed mobile device management (MDM) tool that empowers you to manage your end-user device estate across various platforms. While it is an excellent platform, the initial setup and configuration can be a daunting process, and mistakes made early on can be more challenging to resolve later. This book addresses these issues by guiding you through the end-to-end configuration of an Intune environment, incorporating best practices and utilizing the latest functionalities.
In addition to setting up your environment, you’ll delve into the Microsoft Graph platform to understand the underlying mechanisms behind the web GUI. This knowledge will enable you to automate a significant portion of your daily tasks using PowerShell.
By the end of this book, you’ll have established an Intune environment that supports Windows, Apple iOS, Apple macOS, and Android devices. You’ll possess the expertise to add new configurations, policies, and applications, tailoring an environment to your specific requirements. Additionally, you’ll have the ability to troubleshoot any issues that may arise and package and deploy your company applications. Overall, this book is an excellent resource for anyone who wants to learn how to use Microsoft Intune to manage their organization's end-user devices.
Andrew Taylor
Microsoft Intune Cookbook
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Prachi Rana
Book Project Manager: Ashwini Gowda
Senior Editor: Mohd Hammad
Technical Editor: Yash Bhanushali
Copy Editor: Safis Editing
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Vijay Kamble
DevRel Marketing Coordinator: MaryLou De Mello
First published: December 2023
Production reference: 1221223
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-80512-654-6
www.packtpub.com
To my wonderful daughters, Lili and Poppy – the world is at your feet; you can do anything you want to do! This book is dedicated to you both with all of my love.
Contributors
About the author
Andrew Taylor has been working in the IT industry for over 20 years across a variety of roles and industries, always with a passion for end-user computing and automation. Now working as an EUC architect, primarily using Microsoft technologies (Intune, Windows 365, PowerShell, and Graph), he develops, creates, and deploys new technologies and environments to a variety of customers. He is also a keen blogger and shares many scripts with the community.
Living in the north-east of England with his wife and two children, Andrew is a two-time Microsoft MVP and holds many Microsoft certifications (13 at the time of writing). Outside of work and family time, he is a film fan and can often be found at the local cinema.
A special thanks to my wife, Julia, and my two daughters, Lili and Poppy, for their support and unending patience, and for putting up with me typing away at all hours of the night. Thanks also to everyone in the Intune community for showing an interest in my work.
About the reviewers
Niels Kok is a highly experienced cloud engineer with over 13 years of expertise in Microsoft Cloud products. He possesses a deep understanding of the intricacies of the Microsoft Cloud ecosystem and has a proven track record of success in delivering complex cloud solutions. Niels is an expert in scripting, with a strong background in PowerShell, Bicep, and YAML.
His expertise in these technologies enables him to write efficient, scalable, and easily maintainable scripts that automate cloud infrastructure deployments. Niels is a valuable asset to any organization seeking to leverage the power of the Microsoft Cloud to achieve their business goals.
Andrew Jones is a Microsoft MVP for Enterprise Mobility and has over 27 years’ experience in IT. After initially developing intranet web services for BT, he progressed his career, working across various technical teams and technologies and leading large infrastructure IT projects. For the last eight years, he has worked as a technical architect in a customer-facing consultant role, leading M365 Modern Desktop services within a Microsoft Cloud practice. During COVID, he launched himself into the technical online communities and co-founded his YouTube channel Cloud Management.Community. He also publishes Microsoft-focused blogs on his own site at and dedicates his time to creating a collaborative community for cloud professionals.
Jannik Reinhard is a 25-year-old senior solution architect who works in the internal IT department of the largest chemical company in the world. He is the technical lead of artificial intelligence for IT operations (AIOps) and specializes in modern device management. Jannik is a proud enterprise mobility Microsoft MVP, a contributor to the largest LinkedIn community, and owner of the largest Twitter Intune community.
In his free time, Jannik invests a lot of time in learning and trying out new things related to IT, which is not only his profession but also his hobby.
He loves to blog on and speak at events, sharing his knowledge with others and creating innovative solutions.
Nicklas Ahlberg is a trusted security advisor employed at Onevinn AB, a leading corporate entity specializing in providing cutting-edge security solutions. His primary objective revolves around assisting organizations in seamlessly navigating the complex terrain of Intune, ensuring they obtain an optimal and highly secure user experience.
At the core of his methodology lies a strong emphasis on automation, as he firmly believes it to be a cornerstone in achieving operational excellence. Nicklas actively showcases the power of automation through his dedicated blog, located at https://rockenroll.tech.
Table of Contents
Preface
1
Getting Started with Microsoft Intune
Technical requirements
Chapter materials
Creating a tenant
Getting ready
How to do it…
Creating a user
Getting ready
How to do it…
Automating it
Assigning Entra ID roles
How to do it…
Automating it
Configuring Entra ID Device settings
How to do it…
Automating it
Configuring Entra ID ESR
How to do it…
Automating it
Creating Entra ID static groups
Getting ready
How to do it…
Automating it
Creating Entra ID dynamic groups
Getting ready
How to do it…
Creating a dynamic Office user group
Creating a dynamic Autopilot device group
Automating it
Configuring Entra ID MDM/MAM scopes
How to do it…
Automating it
2
Configuring Your New Tenant for Windows Devices
Technical requirements
Chapter materials
Configuring a Settings catalog policy
How to do it…
Automating it
There’s more…
Configuring a custom policy
Getting ready
How to do it…
Automating it
Importing and ingesting an ADMX policy
Getting ready
How to do it…
Automating it
Group policy analytics
Getting ready
How to do it…
Automating it
3
Securing Your Windows Devices with Security Policies
Technical requirements
Chapter materials
Setting up a security baseline
How to do it…
Automating it
There’s more…
Configuring an antivirus policy
How to do it…
Automating it
Configuring Windows Security Experience
How to do it…
Automating it
Configuring your BitLocker policy
How to do it…
Automating it
Configuring Windows Firewall
How to do it…
Automating it
Deploying ASR rules
Getting ready
How to do it…
Automating it
There’s more…
Enrolling in Defender for Endpoint
Getting started
How to do it…
Deploying Windows LAPS
Getting started
How to do it…
Automating it
Configuring Application Control
How to do it…
Automating it
4
Setting Up Enrollment and Updates for Windows
Technical requirements
Building your update rings – including feature and quality updates
Getting ready
How to do it…
Automating it
There’s more…
Configuring driver updates
How to do it…
Automating it
There’s more…
Enrolling and using Autopatch
Getting ready
How to do it…
Automating it
There’s more…
Configuring Windows Hello for Business
How to do it…
Automating it
Setting up Windows Autopilot Enrollment Profiles
How to do it…
Automating it
Configuring an ESP
How to do it…
Automating it
There’s more…
Enrolling a Windows device
Getting ready
How to do it…
There’s more…
5
Android Device Management
Chapter materials
Technical requirements
Setting up a managed Google Play account
How to do it…
Configuring enrollment profiles
How to do it…
Automating it
Adding a Google Play application
How to do it…
Automating it
Configuring a device restrictions policy
How to do it…
Automating it
Configuring an OEM policy
Getting ready
How to do it…
Automating it
Configuring a Wi-Fi policy
Getting ready
How to do it…
Automating it
Adding an app protection policy
How to do it…
Automating it
There’s more…
Enrolling an Android device – managed device
Getting ready
How to do it…
Enrolling an Android device – BYOD
Getting ready…
How to do it…
6
iOS Device Management
Chapter materials
Important notes
Technical requirements
Configuring a connector between Apple and Intune
Getting started
How to do it…
Configuring an Apple VPP token
Getting started
How to do it…
Automating it
Adding enrollment profile tokens
How to do it…
Automating it
Configuring iOS policies using the settings catalog
How to do it…
Automating it
Configuring iOS policies using device restrictions
How to do it…
Automating it
Deploying applications via Apple VPP
Getting started
How to do it…
Automating it
Configuring iOS update settings
How to do it…
Automating it
Configuring an app protection policy
Getting started
How to do it…
Automating it
There’s more…
Enrolling your device – corporate
Getting started
How to do it…
There’s more
Enrolling your device – BYOD
Getting started
How to do it…
7
macOS Device Management
Chapter materials
Important notes
Technical requirements
Configuring a macOS Settings catalog policy
How to do it…
Automating it
Deploying shell scripts to macOS
Getting started
How to do it…
Automating it
Configuring update policies for macOS
How to do it…
Automating it
Deploying apps to macOS
Getting started
How to do it…
Automating it
Configuring a macOS enrollment profile
Getting started
How to do it…
Automating it
Enrolling your corporate device
Getting started
How to do it…
8
Setting Up Your Compliance Policies
Technical requirements
Chapter materials
Actions for noncompliance
Configuring notification templates
How to do it…
Automating it
Deploying a Windows compliance policy
Getting started
How to do it…
Automating it
Deploying an Android compliance policy
Getting started
How to do it…
Automating it
Deploying an iOS compliance policy
Getting started
How to do it…
Automating it
Deploying a macOS compliance policy
Getting started
How to do it…
Automating it
Deploying a Linux compliance policy
Getting started
How to do it…
Automating it
Configuring and deploying a Windows custom compliance policy
Getting started
How to do it…
Using conditional access to restrict access based on compliance
Getting started
How to do it...
Automating it
9
Monitoring Your New Environment
Technical requirements
Monitoring applications
Getting ready
How to do it...
Automating it
Monitoring device configuration
Getting ready
How to do it...
Automating it
Monitoring device compliance
Getting ready
How to do it...
Automating it
Monitoring device enrollment
Getting ready
How to do it...
Automating it
Monitoring updates across platforms
Getting ready
How to do it...
Automating it
Monitoring device actions
Getting ready
How to do it...
Automating it
Reviewing audit logs
Getting ready
How to do it...
Automating it
10
Looking at Reporting
Technical requirements
Checking device management reports
Getting ready
How to do it…
Automating reports
Reviewing endpoint security reports
How to do it…
Automating the reports
Reviewing endpoint analytics reports
Getting ready
How to do it…
Automating the reports
Using Intune Data Warehouse with Power BI
How to do it…
Checking Windows updates via reporting
Getting ready
How to do it…
Expanding Windows Update reporting
Getting ready
How to do it…
Exporting diagnostics to Azure
Getting ready
How to do it…
11
Packaging Your Windows Applications
Chapter materials
Assigning applications
Technical requirements
Using the Microsoft Store integration
How to do it…
Automating it
Packaging into MSIX
Getting started
How to do it…
Packaging Win32 applications
Getting started
How to do it…
Automating it
Managing app supersedence and dependencies
Application supersedence
Dependencies
Getting started
How to do it…
Deploying Office applications
Getting started
How to do it…
Updating Office applications
Getting started
How to do it...
Automating it
Windows app protection
Getting started
How to do it…
Automating it
12
PowerShell Scripting across Intune
Technical requirements
Deploying Platform scripts
Getting started
How to do it…
Automating it
Configuring Remediations
Getting started
How to do it…
Automating it
There’s more…
Using custom detection scripts in apps
How to do it…
Automating it
Using custom requirements scripts in apps
How to do it…
Automating it
13
Tenant Administration
Technical requirements
Reviewing your connectors
Getting ready
How to do it…
Automating it
Adding filters
How to do it…
Automating it
Configuring Intune roles
How to do it…
Automating it
Using scope tags
How to do it…
Automating it
Customizing the end user experience
How to do it…
Automating it
There’s more…
Deploying organizational messages
How to do it…
Automating it
There’s more…
Setting up terms and conditions
How to do it…
Automating it
Configuring multi-admin approvals
How to do it…
Automating it
Checking your tenant version
How to do it…
Using Intune’s troubleshooting tools
How to do it…
Enrollment notifications
How to do it…
Automating it
Configuring device restrictions
How to do it…
Configuring Quiet time policies
How to do it…
Automating it
14
Looking at Intune Suite
Technical requirements
Chapter materials
Deploying and using Remote help
Getting started
How to do it…
Automating it
Learning about Microsoft Tunnel for Mobile Application Management
Getting started
How to do it…
Reviewing device anomalies
How to do it…
Automating it
Configuring Endpoint Privilege Management
How to do it…
Automating it
Future developments
Advanced Application Management
Microsoft Cloud PKI
Index
Other Books You May Enjoy
Preface
Microsoft Intune is a market-leading Mobile Device Management (MDM) tool for securely managing your Apple iOS, macOS, Android, and Windows devices anywhere in the world.
With the rapid move to hybrid working and more employees wanting flexibility, traditional on-premises device management tools such as Active Directory Group Policy are of limited use for staff working outside the office unless a complex Always On VPN is also implemented.
As Microsoft Intune is fully cloud-based, devices can be managed comprehensively from any location with an internet connection. This can be further improved by implementing Windows Autopilot for machine provisioning, so that devices can be shipped directly to end users without the IT department ever having to touch them.
Configuring your new environment to work reliably can be a daunting task with multiple options to configure settings, and this is where Microsoft Intune Cookbook can help, running through every stage, from purchasing your licenses to enrolling your devices in a working environment.
On top of this, automation is a key part of working with IT systems; automating a repeatable task reduces the risk of user error as well as significantly improving productivity. As well as demonstrating how to configure your environment in the web portal, this book will also show you how to leverage Microsoft PowerShell and Microsoft Graph to automate your daily tasks. For this purpose, several recipes have an Automating it section included.
Included at the following URL are links to some excellent community resources, which are worth reading and following as you embark on your Intune journey:
https://github.com/PacktPublishing/Microsoft-Intune-Cookbook/blob/main/blogs-links-communities.md
Note that during the writing of this book, Microsoft renamed Azure Active Directory to Microsoft Entra ID, so there may be occasions where the old Azure Active Directory naming is used, especially in screenshots where the portals had not been updated.
Who this book is for
This book is ideal for anyone either starting out on their Intune journey or existing Intune users who want to learn Microsoft Graph for automation.
This could be system administrators, end-user computing administrators, cloud administrators, or even support staff looking to take the next step up the ladder.
As it is a hands-on cookbook, while it touches on architectural considerations, the primary demographic is technical staff who are implementing a solution.
While the book does not cover the basics of PowerShell scripting, you should be able to follow the scripts with a limited knowledge of PowerShell commands.
What this book covers
Chapter 1, Getting Started with Microsoft Intune, is an introduction to Intune. It takes a look at licensing requirements and setting up the first tenant. It then moves on to Entra ID, covering MDM and Mobile Application Management (MAM) enrollment scopes, the creation of both static and dynamic groups, and then assigning roles and looking at device settings.
Chapter 2, Configuring Your New Tenant for Windows Devices, looks at the policy options available for Windows devices and how to use them to comprehensively manage your Windows fleet.
Chapter 3, Securing Your Windows Devices with Security Policies, covers all the important security policies available for Windows devices and how to best configure them for your environment.
Chapter 4, Setting Up Enrollment and Updates for Windows, looks at Windows Update rings and Windows Autopatch and at configuring Windows Hello for Business, before finally looking at the enrollment of devices using Autopilot and the Enrollment Status Page (ESP).
Chapter 5, Android Device Management, covers the management of your Android devices using Google Play. It runs through the full end-to-end process of configuring your managed Google Play account, connecting it to Intune, and using it to deploy applications. After configuring the connections, the chapter runs through configuring your enrollment profiles for different use cases and then moves on to the policies themselves, including Original Equipment Manufacturer (OEM)-specific policies. Finally, it covers the use of app protection policies for Bring Your Own Device (BYOD) scenarios.
Chapter 6, Apple iOS Device Management, looks at the management of both iOS and macOS devices from Apple, with devices managed by Apple Business Manager and Apple Volume Purchase Program for applications. After running through configuring Apple Business Manager, the chapter then demonstrates how to connect it to Intune, add the required certificates, and set up enrollment profile tokens. Once the basic environment is configured, it moves on to configuring policies and deploying (and protecting) applications from the app store for iOS.
Chapter 7, macOS Device Management, continues the Apple journey with macOS devices. It covers configuring your first policy and then deploying scripts and applications to your devices, before finally looking at keeping your macOS up to date.
Chapter 8, Setting Up Your Compliance Policies, explores the very important, but often overlooked, area of compliance. When tied to Conditional Access, it is the best way to secure your environment against risky or infected machines. The chapter covers configuring compliance policies for all currently supported operating systems and the various settings available for each. For Windows devices, it also dives into the more complex but powerful custom compliance policies. Finally, it demonstrates how to link your compliance policies to a Conditional Access policy.
Chapter 9, Monitoring Your New Environment, runs through the monitoring options available within Intune. It looks at monitoring your applications (both installed and detected) and your critical app protection policies and then moves on to the devices. In device monitoring, you can learn how to review the success of your configuration profiles, device compliance, and device enrollment successes and failures. The chapter will then look at checking your device update status and, finally, review any admin tasks within the portal itself, including device actions and audit logs for policy/app changes.
Chapter 10, Looking at Reporting, covers all of the reports available within Intune, including security and Endpoint analytics reports. It then moves beyond Intune, covering connecting Power BI to the Intune Data Warehouse and deploying Windows Update for Business reports in an Azure Log Analytics workspace. Finally, it covers how to export your diagnostic events to Azure for further alerting or management.
Chapter 11, Packaging Your Windows Applications, examines application packaging and deployment, which can be a blocker to many. The chapter runs through deploying all Windows applications, starting with your straightforward Microsoft Store apps and then covering packaging in the MSIX or Win32 format, using the official Microsoft tools. It also covers application dependencies and supersedence for Win32 applications.
Chapter 12, PowerShell Scripting across Intune, looks at all of the available scripts inside Intune, starting with the basic device scripts. It will then move on to the very useful proactive remediations before looking at how they can be used when deploying apps – in particular, during detection and requirement checking.
Chapter 13, Tenant Administration, runs through the options within the Tenant Administrative menu within Intune, including your day-to-day admin tasks (monitoring connectors, troubleshooting, and version checking). It also covers the more set-once options such as terms and conditions, setting roles, and customizing. Finally, it covers using filters to manage assignments, sending organizational messages, and looking at multi-admin approval.
Chapter 14, Looking at Intune Suite, looks at the additional licensed features currently included in the Intune Suite. We will look at Remote Help, Microsoft Tunnel for Android/iOS, device anomalies, and Endpoint Privilege Management.
To get the most out of this book
For the sections on automation, you will need a machine capable of running PowerShell; Windows PowerShell 5.1 or PowerShell 7 will both work. While you can simply download and run the scripts, using a script editor will help you follow the steps.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
Download the example code files
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Microsoft-Intune-Cookbook. If there’s an update to the code, it will be updated in the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: For these devices, remove them using Remove-MgDevice.
A block of code is set as follows:
$Headers = @{
    "Authorization"          = "Bearer " + $resourceToken
    "Content-type"           = "application/json"
    "X-Requested-With"       = "XMLHttpRequest"
    "x-ms-client-request-id" = [guid]::NewGuid()
    "x-ms-correlation-id"    = [guid]::NewGuid()
}
Any command-line input or output is written as follows:
((Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationSettings?&`$filter=categoryId eq '4a5e4714-00ac-4793-b0cc-5049041b0ed7'" -OutputType PSObject).value |
    Select-Object name, description, '@odata.type', rootDefinitionId, options,
        @{Name = "Platform"; Expression = { $_.applicability | Select-Object platform }},
        @{Name = "technologies"; Expression = { $_.applicability | Select-Object technologies }},
        valueDefinition, id) |
    Out-GridView
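The one-liner above reads only the first page of results that Graph returns. The following is an added example, not code from the book or its GitHub repository, showing how the same settings catalog query can be wrapped so that it follows @odata.nextLink paging and signs in with a read-only permission scope rather than a hand-built bearer token header. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account can consent to the DeviceManagementConfiguration.Read.All scope; the Get-GraphCollection function name is this example's own. The category GUID is the one used in the conventions snippet.

```powershell
# Added example (not the book's own code): page through a Graph collection
# and list Intune settings catalog definitions for one category.
# Assumes the Microsoft.Graph.Authentication module is installed.

function Get-GraphCollection {
    # Returns every item in a Graph collection by following @odata.nextLink
    # until the last page, instead of stopping at the first .value array.
    param(
        [Parameter(Mandatory)] [string] $Uri
    )
    $results = @()
    $next = $Uri
    while ($next) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
        $results += $page.value
        $next = $page.'@odata.nextLink'   # $null once the final page is reached
    }
    return $results
}

# Read-only scope: listing settings definitions needs no write permission,
# so DeviceManagementConfiguration.ReadWrite.All is deliberately not requested.
# Connect-MgGraph also manages the access token, so no Authorization header
# has to be assembled or stored in a variable by the script.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

# Same category GUID as the book's conventions snippet.
$categoryId = '4a5e4714-00ac-4793-b0cc-5049041b0ed7'
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationSettings?`$filter=categoryId eq '$categoryId'"

$settings = Get-GraphCollection -Uri $uri

# Flatten the applicability object into two columns for reading.
$settings |
    Select-Object name, description, '@odata.type', rootDefinitionId, id,
        @{Name = 'Platform';     Expression = { $_.applicability.platform } },
        @{Name = 'Technologies'; Expression = { $_.applicability.technologies } } |
    Sort-Object name |
    Format-Table -AutoSize

# Drop the cached token when the session is finished.
Disconnect-MgGraph | Out-Null
```

Get-GraphCollection can be reused for any Graph list endpoint referenced in the Automating it sections; pass it the initial URI and it returns the complete collection. Replace Format-Table with Out-GridView if you prefer the interactive grid used in the conventions snippet.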
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: Now that we have our licensing in place, we need to create a tenant.
Tips or important notes
Appear like this.
Sections
In this book, you will find several headings that appear frequently (Getting ready, How to do it..., Automating it, There’s more..., and See also).
To give clear instructions on how to complete a recipe, use these sections as follows.
Getting ready
This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.
How to do it…
This section contains the steps required to follow the recipe.
Automating it
This section shows you how to leverage Microsoft PowerShell and Microsoft Graph to automate your daily tasks.
There’s more…
This section consists of additional information about the recipe in order to make you more knowledgeable about it.
See also
This section provides helpful links to other useful information for the recipe.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts
Once you’ve read Microsoft Intune Cookbook, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Download a free PDF copy of this book
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781805126546
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly
Chapter 1: Getting Started with Microsoft Intune
Microsoft Intune is the leader in the Gartner Magic Quadrant for unified endpoint management (UEM) and is an excellent tool for managing your end user devices, especially in the modern hybrid workforce. This book is your comprehensive guide to getting you started with using and configuring Microsoft Intune with only a basic understanding of end user compute management and PowerShell (for automation and scripting).
Intune is a cloud management software service that can fully manage your entire end user computing estate wherever you are. This includes Windows, iOS, iPadOS, macOS, Android, and Linux for both corporate and personally owned devices, as well as cloud computing with Windows 365 and Azure Virtual Desktop.
You can secure corporate data on any device, and Intune follows the zero-trust security model. As well as compliance and policy management, Intune will also handle your application deployment across devices.
Before digging into the finer points of using the platform, first, we need to look at the prerequisites and have a general look at Entra ID (previously Azure AD; you may find references to both in documentation and blog posts). While Microsoft Intune is part of the Microsoft 365 suite, it relies on Entra ID for groups, users, conditional access policies, and more, so an understanding of how these work will make your life significantly easier. In this chapter, we will look at how we can leverage Microsoft Entra to set the foundations for a successful Intune deployment.
This chapter will include the following recipes:
Creating a tenant
Creating a user
Assigning Entra ID roles
Configuring Entra ID Device settings
Configuring Entra ID ESR
Creating Entra ID static groups
Creating Entra ID dynamic groups
Configuring Entra ID MDM/MAM scopes
Technical requirements
For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code (VS Code) or the PowerShell ISE.
All of the scripts referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook/tree/main/Chapter1.
Chapter materials
Microsoft licensing can be tricky at the best of times, so we will start there.
To use Intune, you will need an Intune license, which comes in three flavors:
Intune Plan 1: This includes your standard Intune functionality, including reporting and Endpoint analytics.
Intune Plan 2: This adds Microsoft Tunnel for iOS and Android application-level VPNs and support for specialty devices (such as VR headsets and large conference screens).
Intune Suite: This includes everything in Plans 1 and 2 plus Remote Help, Endpoint Privilege Management, and Advanced Endpoint Analytics (all of which will be covered in greater depth in Chapter 14). These can all be purchased individually on Plan 1, but it can work out to be more cost-effective to purchase the suite.
You can purchase your Intune licensing on a standalone plan or as part of the following Microsoft SKUs:
Microsoft 365 E3
Microsoft 365 E5
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 A3 (Education Only)
Microsoft 365 A5 (Education Only)
Microsoft Business Premium
Enterprise Mobility + Security E3
Enterprise Mobility + Security E5
If you are purchasing Intune on a standalone plan, you will also need an Entra ID license (Entra ID P1 or P2 is required for Conditional Access and for the dynamic groups used later in this chapter; the free tier that comes with every tenant does not include them), as well as a Defender for Endpoint license if required.
These licenses are all per-user; however, Intune device-based licensing is available for some niche use cases, such as multi-user kiosk machines or manufacturing facilities with non-user-assigned devices.
On top of the Intune licensing, there are some additional Windows-only features that require a Windows Enterprise license over the standard Professional one.
This license is included in the M365 E3/E5/F3/F5/A3/A5 SKUs or can be added as an additional license.
Adding Windows Enterprise adds the following features:
Defender for Endpoint Plan 2 (Windows Enterprise E5 only; it is not included with Windows Enterprise E3)
AppLocker
Credential Guard
Windows Autopatch
Windows Virtualization Rights
Remediations
A very useful site for referencing licensing SKUs and what each contains is https://m365maps.com/.
Creating a tenant
Now that we have our licensing in place, we need to create a tenant. This recipe will run you through the steps to create your new Microsoft 365/Intune/Azure tenant.
A tenant can be used across the full Microsoft platform, so it will apply to Microsoft 365, Azure, and Intune. If you have Active Directory set up currently, you can synchronize your users/groups/devices into Entra ID to give your users a hybrid identity. For this to work cleanly, the users' UPN suffix must be a domain you have verified in Entra ID; a non-routable suffix such as .local cannot be verified, so those users would be synchronized with the default .onmicrosoft.com suffix unless you add a routable UPN suffix on-premises first.
You can synchronize multiple Active Directory forests into a single Entra tenant, but you cannot synchronize one on-premises AD domain/forest into multiple Entra tenants.
A tenant can be configured with a custom domain name rather than the .onmicrosoft.com one, which is automatically configured when you create your new tenant. Within a tenant, you can have multiple Azure subscriptions but only one Intune configuration. There is also no built-in functionality to copy or migrate devices and settings between tenants using Intune.
Getting ready
If you would rather follow this book using a demo tenant, head over to the Microsoft 365 Developer Program, where you will be able to grab a free developer tenant with licenses to cover most aspects we will be covering here: https://developer.microsoft.com/en-us/microsoft-365/dev-program.
Important note
The licenses do not include Windows Enterprise, so you will not be able to test the chapters on Autopatch and Remediations.
How to do it…
To create your live tenant, first, you need to obtain your licenses. These can be purchased from any VAR or directly from Microsoft. If you are using a developer tenant, Steps 1 and 2 can be skipped:
For this book, we are going to grab a Microsoft 365 Business Premium trial license (Microsoft 365 E3 and E5 require an annual purchase); the screen will look as follows:
Figure 1.1 – Microsoft licensing page
After clicking the Try free for 1 month button, enter an email address to use for the tenancy. If it does not exist, it will create it for you, so long as it is on a Microsoft domain (outlook.com, for example).
You will also be required to verify your identity, so make sure you enter a valid telephone number.
Once completed, you will be taken to the Microsoft 365 admin center, where you can double-check your licenses in the Licenses menu under Billing.
That is all we need to do within the Microsoft 365 admin center. Now, we must navigate to https://entra.microsoft.com and log in with the same account that was licensed when we set up the tenant.
Before moving on to the next recipe, from here on, we are going to include the PowerShell and JSON code (where possible) to complete the steps both in the GUI and from a command line.
Microsoft Graph is the technology that is used underneath most Microsoft products to handle all of the commands that are sent via the web interface. Fortunately, it includes a powerful API that we can use to automate these using PowerShell.
To use the command-line scripts, you will need to install the Microsoft Graph PowerShell module and connect to Graph (we are going to set up a connection with full access so that you can reuse the connection at all stages). For this, use your preferred code editor (VS Code is a good choice and is platform agnostic) or use the built-in PowerShell ISE on a Windows device:
First, load up the PowerShell console and install, then import, the module:
Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Repository PSGallery -Force
Now, import the newly installed module:
import-module microsoft.graph.authentication
Finally, we need to connect:
Connect-MgGraph -Scopes RoleAssignmentSchedule.ReadWrite.Directory, Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All, Policy.ReadWrite.ConditionalAccess, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, openid, profile, email, offline_access, Policy.ReadWrite.PermissionGrant,RoleManagement.ReadWrite.Directory, Policy.ReadWrite.DeviceConfiguration, DeviceLocalCredential.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementServiceConfig.ReadWrite.All, Policy.Read.All, DeviceManagementRBAC.ReadWrite.All
After pressing Enter, you will be prompted to sign in with your new credentials and then to approve the permissions for your tenant. Checking the Consent on behalf of your organization box grants admin consent for these delegated permissions to the Microsoft Graph Command Line Tools application for every user in the tenant, not just for you; because they are delegated permissions, each signed-in user is still bounded by their own directory roles, but in a production tenant you may prefer to consent only for your own account and to request a narrower scope list per recipe. Then click Accept.
We now have a working tenant and a Microsoft Graph connection that we can use in the following recipes and chapters.
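As an added example (not code from the book or its GitHub repository), the following script wraps the three steps above into one reusable connection check: it installs the module only if it is missing, connects with an explicit scope list, confirms which scopes were actually granted before any recipe runs, and records the tenant ID and verified domains that you would otherwise have to read off the Entra portal. The scope list is an assumption chosen for the Entra ID recipes in this chapter; extend it per recipe rather than requesting every permission up front.

```powershell
# Added example, not from the book: connect to Microsoft Graph with a bounded
# scope set, verify the grant, and capture tenant details for later recipes.
# Assumptions: PowerShell 5.1 or 7, interactive sign-in, and that the scopes
# listed below are the ones you need (adjust per recipe).

if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Repository PSGallery -Force
}
Import-Module Microsoft.Graph.Authentication

# Delegated scopes assumed for this chapter's user, group and role recipes.
$RequiredScopes = @(
    "User.ReadWrite.All",                 # create and update users
    "Group.ReadWrite.All",                # static and dynamic groups
    "RoleManagement.ReadWrite.Directory", # Entra ID role assignments
    "Directory.Read.All"                  # read tenant and directory objects
)

Connect-MgGraph -Scopes $RequiredScopes -NoWelcome

$ctx = Get-MgContext
if (-not $ctx) { throw "Connect-MgGraph did not establish a session." }

# Check the granted scopes now rather than discovering a gap as a 403 later.
$missing = $RequiredScopes | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) {
    Write-Warning ("Scopes requested but not granted: {0}" -f ($missing -join ', '))
}

# The tenant ID is in the Graph context; the organization endpoint gives the
# display name and the verified domains you can use for user principal names.
$org = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/organization" -OutputType PSObject).value[0]

$TenantInfo = [pscustomobject]@{
    Account  = $ctx.Account
    AuthType = $ctx.AuthType
    TenantId = $ctx.TenantId
    Tenant   = $org.displayName
    Domains  = ($org.verifiedDomains.name -join ', ')
    Scopes   = ($ctx.Scopes -join ', ')
}
$TenantInfo
```

Keep $TenantInfo.TenantId to hand; it is the value Intune policies such as OneDrive Known Folder Move ask for, and Get-MgContext is quicker than navigating back to the Entra portal every time.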
Creating a user
Now that our tenant has been set up, we can create our first user. This recipe will run through how to create your first user and then look at what is happening in the Graph API underneath.
Getting ready
Navigate to the Microsoft Entra portal at https://entra.microsoft.com/#home.
Here, you will find an overview of your tenant, including your tenant ID, which you will find yourself needing when setting up policies such as OneDrive within Intune. You cannot display it within Intune directly, so you will have to navigate back to Entra ID to find it.
Within Entra ID, click on Users, then All users; you will see the user you set up when enrolling the tenant. This user will have Global Administrator access across the whole tenant, so we will create a new user to test role assignment, license assignment, and group membership.
How to do it…
Follow these steps to create an additional non-admin user in your tenant. The new user screen runs across a few pages, so we will concentrate on cropped screenshots of the appropriate areas:
Click on + New user and then Create new user.
Fill in the basic details. The new user will be prompted to change their password on first sign-in; if you let the portal auto-generate the password, click the eye icon to reveal it so that you can use it to log in later:
Figure 1.2 – Entra user details
Leave Groups and Roles empty for now; we will run through those in the Assigning Entra ID roles and Creating Entra ID static groups recipes.
Add a Usage location value on this screen; it will not let you assign a license without one set:
Figure 1.3 – Entra user license details
Optionally, you can fill in Job Info, but this is not a requirement at this stage.
Finally, click Create.
With that, you have created your first account in your new tenant.
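The same non-admin user can be created through the Graph users endpoint with exactly the fields the portal pages above asked for. The script below is an added example, not the book's own automation; it assumes an existing Connect-MgGraph session holding User.ReadWrite.All, and the domain, display name and alias are placeholders to replace with your own. It generates a random initial password that satisfies the default complexity rule (three of four character classes) instead of hard-coding one, sets the usage location that license assignment requires, and reads the object back to confirm before you move on.

```powershell
# Added example, not from the book: create a user via Microsoft Graph and verify
# the properties the later licensing steps depend on.
# Assumptions: Connect-MgGraph already run with User.ReadWrite.All; the values
# below are placeholders.

$Domain      = "contoso.onmicrosoft.com"   # assumed: use a verified domain from your tenant
$DisplayName = "Test User"                 # assumed
$Alias       = "testuser"                  # used for mailNickname and the UPN prefix
$Location    = "GB"                        # usage location, required before licensing

function New-InitialPassword {
    # Builds a random password containing at least one character from each
    # class, so it meets the default Entra ID complexity requirement.
    param([int]$Length = 20)
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$s)
        $b = [byte[]]::new(4); $rng.GetBytes($b)
        $s[[int]([BitConverter]::ToUInt32($b, 0) % $s.Length)]
    }
    $chars = @()
    foreach ($s in $sets) { $chars += & $pick $s }          # one from each class
    $all = -join $sets
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Shuffle so the guaranteed characters are not always in the same positions.
    -join ($chars | Sort-Object { $b = [byte[]]::new(4); $rng.GetBytes($b); [BitConverter]::ToUInt32($b, 0) })
}

$InitialPassword = New-InitialPassword

$Body = @{
    accountEnabled    = $true
    displayName       = $DisplayName
    mailNickname      = $Alias
    userPrincipalName = "$Alias@$Domain"
    usageLocation     = $Location
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $true   # same behaviour as the portal default
        password                      = $InitialPassword
    }
} | ConvertTo-Json -Depth 3

$User = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users" `
    -Body $Body -ContentType "application/json" -OutputType PSObject

# Read the object back and confirm the fields the licensing step needs.
$Check = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/users/$($User.id)?`$select=id,displayName,userPrincipalName,usageLocation,accountEnabled"

if (-not $Check.usageLocation) { throw "usageLocation is not set; license assignment will be rejected." }
$Check
Write-Host "Initial password (hand over out of band, then discard): $InitialPassword"
```

The password is printed once so that you can sign in as the test user; in anything beyond a lab, deliver it through a separate channel and do not leave it in a transcript or script output.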
Automating it
Now, we can learn how to automate user creation.
You will need the PowerShell ISE or VS Code running for this, as we will be setting variables to send to Microsoft Graph.
Follow these steps in a new PowerShell script to create your user with Microsoft