App Categories within Intune – Manage applications

An organization with many apps can become overwhelming for users. To help users find an app in the company portal, you can assign apps to one or more categories, such as Accounting apps or Marketing apps.
When adding apps, you can assign a category in Intune using the following procedure:

  1. Sign in to the Microsoft Intune admin center with an account that holds the Intune Administrator role (a Global Administrator account also works, but the narrower role is preferable).
  2. Select Apps, then select App categories.
  3. The App categories pane displays a list of current categories.
  4. To add a category, select Add. In the Create category pane, provide a name for the category, and then select Create.
  5. To manage an existing category, select the ellipsis (…) next to the category, and then select Pin to dashboard or Delete.

Add Android store apps to Microsoft Intune
Use the following procedure to add an Android store app to Intune:

  1. Sign in to the Microsoft Intune admin center with an account that holds the Intune Administrator role (or Global Administrator).
  2. Select Apps > All apps > Add.
  3. In the Select app type pane, under Store app, select Android store app.
  4. Click Select.
  5. To configure the app information for the Android app, you must provide the Google Play store’s app details. (The Google Play store is located at https://play.google.com.)
  6. In the App information page, add the app details, as shown in Figure 4-18:
    • Name
    • Description
    • Publisher
    • Appstore URL
    • Minimum operating system
    • Category (Optional)
    • Show this as a featured app in the Company Portal
    • Information URL (Optional)
    • Privacy URL (Optional)
    • Developer (Optional)
    • Owner (Optional)
    • Notes (Optional)
    • Logo (Optional)

FIGURE 4-18 Adding a Windows 10 Line-of-business app

  7. Select Next.
  8. On the Assignments page, select the group assignments for the app and select Next.
  9. On the Review + create page, review the values and settings you entered for the app and select Create to add the app to Intune.
  10. The app’s Overview blade is displayed.
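The same Android store app definition can be created through Microsoft Graph, which is useful when many apps have to be added consistently or from a pipeline. The following PowerShell is an added example, not code from the book or from Microsoft: the app name, package name, URLs and group ID are placeholders, and the property names follow the Graph beta mobileApps resource (androidStoreApp), which you should check against the current Graph reference before relying on them.

```powershell
# Added example: create an Android store app in Intune via Microsoft Graph instead of the
# admin center. Requires the Microsoft.Graph PowerShell SDK and an account granted the
# DeviceManagementApps.ReadWrite.All permission. All values below are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$packageId = 'com.example.expenses'   # placeholder package name, as seen in the Play store URL

$app = @{
    '@odata.type'         = '#microsoft.graph.androidStoreApp'
    displayName           = 'Contoso Expenses'                      # Name
    description           = 'Expense reporting for field staff'      # Description
    publisher             = 'Contoso'                                # Publisher
    appStoreUrl           = "https://play.google.com/store/apps/details?id=$packageId"   # Appstore URL
    packageId             = $packageId
    isFeatured            = $true                                    # Show this as a featured app in the Company Portal
    informationUrl        = 'https://intranet.contoso.example/apps/expenses'   # Information URL (optional)
    privacyInformationUrl = 'https://contoso.example/privacy'                  # Privacy URL (optional)
    developer             = 'Contoso IT'                             # Developer (optional)
    owner                 = 'Finance'                                # Owner (optional)
    notes                 = 'Created from PowerShell; review before assigning'   # Notes (optional)
    # Minimum operating system: one boolean flag per Android release (assumed from the Graph beta schema)
    minimumSupportedOperatingSystem = @{
        '@odata.type' = '#microsoft.graph.androidMinimumOperatingSystem'
        v8_0          = $true
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' `
    -Body ($app | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created app $($created.displayName) with id $($created.id)"

# Make the app available to one group; this mirrors what the Assignments page writes.
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder group object ID
$assignment = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'available'      # or 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'
```

Because the script only needs the DeviceManagementApps.ReadWrite.All scope, it can run under a dedicated automation identity rather than an administrator's interactive sign-in.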

Deploy Microsoft 365 Apps by using Intune – Manage applications

You can also use Intune to deploy Microsoft 365 Apps to your enrolled devices. To add a Microsoft 365 suite app to Windows 10 devices, use the following procedure:

  1. In the Microsoft Intune admin center, select Apps, and then under By Platform, select Windows.
  2. On the Windows apps blade, select Add.
  3. On the Select add type blade, in the App type list, under the Microsoft 365 Apps heading, select Windows 10 and later, as shown in Figure 4-9, and choose Select.

FIGURE 4-9 Adding Microsoft 365 apps to Windows 10 devices

  4. On the App suite information tab, most properties are preconfigured. However, you can feature the app in the Company Portal and add notes. Select Next.
  5. On the Configure app suite tab, in the Select Office apps list, select the components of Office you want to deploy: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Teams, and Word. By default, all are selected except Skype for Business.
  6. In the Select other Office apps (license required) list, select any additional Office products you want to deploy. For example, Project Online Desktop Client.
  7. Next, choose the architecture (32-bit or 64-bit), the Default file format Office will use, and the Update channel, as shown in Figure 4-10. You can also remove other software versions on targeted devices and select a specific version of Microsoft 365 Apps. The default is the latest version available.

FIGURE 4-10 Configuring Microsoft 365 app suite properties

  8. There are several additional properties that you can configure, including supported languages. When you’re ready, select Next.
  9. On the Assignments tab displayed in Figure 4-11, you can assign the suite to a group, all users, or all devices. You can require the app suite or make it available for enrolled devices. If you make an app available, you can only assign it to user groups. The available app is displayed in the Company Portal app for assigned users to install.

FIGURE 4-11 Configuring Microsoft 365 app suite assignments

  10. Select Next, and review your choices on the Review + create tab. When you’re ready, select Create.
  11. After creating the app, you can use the monitoring options to view the installation status for both devices and users.
    The process for assigning Microsoft 365 Apps to macOS differs in that you cannot choose which Office components to deploy, nor define app suite settings such as the update channel and architecture.

Configure policies for Office apps by using Intune – Manage applications

Intune is the mobile application management solution to configure and manage policies related to the software deployed within your organization. These policies are assigned to your users and devices and control how applications behave.

Just as you saw with Group Policy, Intune also provides policies specifically for controlling how Microsoft Office apps behave. Mobile app management policies within Intune allow cloud-based management of your Office apps that can be applied to groups of end users. In addition to configuring app features available to users, you can control how apps access Microsoft 365 services, control data sharing, and enforce security requirements.

Some examples of Office app policies are shown in Table 4-2.

TABLE 4-2 Examples Office app policies

Office app | App policy
Microsoft PowerPoint | Turn off Protected View for attachments opened from Outlook
Microsoft Visio | Block macros from running in Office files from the Internet
Microsoft Word | Turn off Protected View for attachments opened from Outlook
Microsoft Publisher | Publisher Automation Security Level
Microsoft Project | Allow Trusted Locations on the network

Organizations can use the Microsoft 365 Apps admin center to configure the Cloud Policy service for Microsoft 365 (known as Cloud Policy). If you have an Intune subscription, you can use Cloud Policy directly in the Microsoft Intune admin center under Apps\Policy\Policies for Office apps. Both services include many of the same user-based policy settings available in Group Policy. Once defined, Cloud Policies are automatically enforced as users sign in and use Office.

Before you can use the Cloud Policy with Microsoft 365 Apps for enterprise, you need to meet the following requirements:

  • A supported version of Microsoft 365 Apps for enterprise.
  • User accounts created in or synchronized to Azure Active Directory (Azure AD). Users must be signed into Microsoft 365 Apps for enterprise with an Azure AD-based account.
  • Cloud Policy supports Microsoft 365 Groups and Azure AD Security Groups created in or synchronized to Azure AD. The group membership type can be either Dynamic or Assigned.
  • The required URLs and IP address ranges listed here must be properly configured on your network: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online.
  • Do not use authenticated proxies.
  • Only users who are members of one of the following roles in Azure AD can create a policy configuration:
    • Global Administrator
    • Security Administrator
    • Office Apps Admin

Note Click-To-Run Volume Licensed Versions of Office

You cannot apply policy configuration to volume-licensed versions of Office that use Click-to-Run, such as Office LTSC Professional Plus 2021 or Office Standard 2019.

Thought experiment answers – Manage, maintain, and protect devices

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

Scenario 1

  1. Microsoft Intune with Mobile Device Management enabled.
  2. Enable and configure Windows Autoenrollment.
  3. You require an Apple MDM Push Certificate for your organization.

Scenario 2

  1. You can monitor Threat Agent Status to determine the current status of Microsoft Defender on your users’ enrolled Windows devices.
  2. You can use the Microsoft Intune admin center to create an Endpoint Protection Profile that contains the necessary Microsoft Defender Application Guard settings and assign the profile to the appropriate group(s) of devices.
  3. In the Microsoft Intune admin center, create a Device Enrollment Restriction and define a Platform Restriction that prevents the enrollment of Android devices.

Scenario 3

  1. You should configure Delivery Optimization so that updates are downloaded from devices on the local network (the Devices on my local network download mode). Only one device at each remote office then needs to retrieve the updates from the Microsoft update service; the other devices obtain them from that peer.
  2. You can implement Delivery Optimization for the head office devices so that updates are received from other devices on the network. You can also configure bandwidth optimization measures that restrict the bandwidth consumed by updates during defined business hours.
  3. You should install Windows 11 Enterprise, version 22H2 (General Availability Channel), and then implement policy using Windows Update to defer Windows Feature Updates for the maximum allowed duration of 365 days.
  4. Enroll into the Windows Insider Program and install Windows 11 preview builds. Test these builds for compatibility issues. This should allow you to be ready to test the next General Availability Channel release and obtain compliance sign-off.

Scenario 4

  1. You could implement Microsoft Tunnel for Intune. Microsoft Tunnel provides a VPN gateway for Android and iOS devices in your organization for access to on-premises resources.
  2. You must perform the following high-level steps:
    • Create a server configuration in Intune.
    • Create a site in Intune.
    • Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
    • Deploy the Microsoft Tunnel client app to your iOS and Android devices.
    • Create and deploy VPN profiles to your iOS and Android devices.

Setup and onboarding – Manage, maintain, and protect devices

To onboard your devices, use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Microsoft Defender for Endpoint.
  3. In the Details pane, click the link for Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center.
  4. In Microsoft 365 Defender, select Settings > Endpoints > Advanced features.
  5. Turn on the Microsoft Intune connection.
  6. Click Save preferences.

After you’ve enabled the connection, Microsoft 365 Defender sends an onboarding configuration package to Intune. You deploy that package to your Windows devices by creating and assigning an Endpoint detection and response profile from Endpoint security in Intune. Use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Endpoint detection and response.
  3. In the details pane, click Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10 and later.
  5. In the Profile, select Endpoint detection and response, and then select Create.
  6. On the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings page, in the Microsoft Defender for Endpoint client configuration package type list, choose Auto from connector to use the package Intune received through the connection, or choose Onboard and browse to an onboarding package you downloaded from the Defender portal. Click Next.
  8. Configure scope tags and assignments, and then Create the profile.
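Once the profile has applied, confirm on a device that the Defender for Endpoint sensor is actually onboarded rather than trusting the Intune status alone. The following PowerShell is an added example, not code from the book or from Microsoft; it reads the documented onboarding state value and the state of the Sense service.

```powershell
# Added example: verify Defender for Endpoint onboarding on a Windows device after the
# EDR profile has applied. Run in an elevated PowerShell session.
function Test-MdeOnboarding {
    # OnboardingState is written by the onboarding package: 1 = onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # "Sense" is the Microsoft Defender for Endpoint sensor service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OnboardingState = $state
        SenseService    = $(if ($sense) { $sense.Status } else { 'not installed' })
        Onboarded       = ($state -eq 1) -and ($sense -and $sense.Status -eq 'Running')
    }
}

$result = Test-MdeOnboarding
$result

if (-not $result.Onboarded) {
    Write-Warning 'Device is not onboarded: check the EDR profile assignment and the Intune connection in the Defender portal.'
}

# The antimalware side should also be healthy; the EDR sensor depends on it for many detections.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

In Intune, the same device should subsequently appear under Endpoint security > Microsoft Defender for Endpoint with a current sensor status; if the registry value is 1 but Intune disagrees, the problem is usually the connector rather than the device.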

Need More Review? Configure Microsoft Defender for Endpoint in Intune

To learn more about setup and onboarding, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure.

Implement automated response capabilities in Defender for Endpoint

Microsoft Defender for Endpoint provides numerous capabilities that can help you secure your endpoint devices. Table 3-19 describes some of these capabilities.

TABLE 3-19 Capabilities of Microsoft Defender for Endpoint

Capability | Description
Attack surface reduction | Implementing several Microsoft Defender for Endpoint features helps reduce the attack surface of a computer, its applications, and the data it consumes.
Endpoint detection and response | Continuously monitors your organization’s endpoints for possible attacks against devices or networks in your organization and provides the features you can use to mitigate and remediate threats.
Automated investigation and remediation | Offers automatic investigation and remediation capabilities that help reduce the volume of alerts and actions an administrator needs to perform to fix breaches.
Secure score | Enables you to assess the security posture of your organization and identify devices that might need attention, as well as recommendations for actions to improve your score.
Management and APIs | Provides a means for you to interact with the platform by providing APIs.

Need More Review? Overview of Microsoft Defender for Endpoint Capabilities

To learn more about the capabilities of Microsoft Defender for Endpoint, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.

Thought experiment – Manage, maintain, and protect devices

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.

Scenario 1

Your organization has 500 employees and has implemented a bring-your-own-device (BYOD) strategy that enables users to use their personal mobile phones and tablets for corporate purposes as long as they comply with company policy regarding security and management features. After consulting an employee survey, you find that the users in your organization have iOS, Android, or Windows 11 devices.

  1. What technology should you use to manage the devices?
  2. You want to simplify enrollment for your Windows device users. What should you do?
  3. To support your iOS devices, what additional step is required to enable MDM?

Scenario 2

Like many large organizations, security is a big concern at Contoso. You decide to implement MDM with Intune to help to manage and secure your users’ devices.

  1. What feature of Intune could you use to verify the current status of Microsoft Defender on your users’ Windows 11 devices?
  2. You want to be able to configure Microsoft Defender Application Guard settings for enrolled Windows 11 devices. How can you achieve this in Intune?
  3. You don’t want users with Android devices to be able to enroll them. How could you enforce this restriction?

Scenario 3

Adatum Corporation uses Microsoft 365 and has implemented Windows 11 Enterprise for all devices. You configure Windows Update and deploy update rings using Microsoft Intune.

Answer the following questions for your manager:

  1. Two remote offices are in an area with poor Internet bandwidth, and the IT team is concerned that operational requirements might be difficult to maintain. What measure could you implement for the devices located at the remote locations to reduce bandwidth consumption from Windows updates?
  2. Windows updates received by the head office devices are consuming too much of the available bandwidth. Users are reporting that access to the Internet is slow. What settings can you configure within Microsoft Intune to help relieve congestion at the head office?
  3. Your Compliance Manager has received confirmation that your regulatory body has approved Windows 11 Enterprise, version 22H2 as being compliant. You need to ensure that all devices use only this version of Windows until the Compliance Manager confirms that a new version is compliant. How will you proceed?
  4. You need to work with the Compliance Manager to ensure that future versions of Windows 11 Enterprise obtain regulatory compliance before the deployed version of Windows 11 becomes unsupported. What will you do to ensure that you can proactively evaluate the compatibility of new versions of Windows 11?

Scenario 4

Your users use both Android and iOS devices. Lately, it’s been necessary for these users to access a database application that runs on an on-premises server. Intune manages your users’ devices.

Answer the following questions:

  1. How could you facilitate access for your users?
  2. What high-level steps are necessary to facilitate your solution?

Add a Microsoft Store app – Manage applications

To add a Microsoft Store app, use the following procedure:

  1. Open the Microsoft Intune admin center and select Apps in the navigation pane.
  2. Select All apps, and then select Add.
  3. On the Select add type blade displayed in Figure 4-2, in the App Type list, under the Store app heading, select Microsoft Store app (new) and click Select.
  4. On the Add App blade, select Search the Microsoft Store app (new).

  5. On the Search the Microsoft Store app (new) blade, search for an app and then choose Select, as displayed in Figure 4-3.

FIGURE 4-3 Adding a Microsoft Store app

To obtain the URL, visit the Appstore using a web browser, locate the app you want, and then copy the URL for the app’s page.

  6. Select Next, and on the Assignments tab select the appropriate groups for assignment, or select Add all users as displayed in Figure 4-4. Then select Next.

FIGURE 4-4 Assigning a Microsoft Store app

  7. On the Review + create tab, select Create.

    After you create the app, you can use the Device install status and User install status options in the Monitor section to monitor the installation of the selected app.

    Note Installing iOS and Android Store Apps

    Installing store apps for iOS and Android is fairly similar to this process.

    Note ARM64 Apps

    Microsoft Store apps do not support any app with an ARM64 installer.

    Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)

    You can configure Microsoft 365 Apps by using specialist tools that allow you to customize and configure the Office installation for your company’s needs. Two tools are available:

    • Office Deployment Tool (ODT)
    • Office Customization Tool (OCT)

    Using the Microsoft Office Deployment Tool

    The ODT is a command-line utility that can deploy Microsoft 365 Apps to client devices. The ODT provides granular control over how Office is installed. For example, you can configure the following:

    • Which products are installed
    • Language options
    • Office updates
    • Whether the install experience is displayed to users

    Note ODT Download

    You can download the ODT at www.microsoft.com/download/details.aspx?id=49117.

    Running the downloaded installer extracts setup.exe and the following sample configuration files:

    • configuration-Office365-x64.xml
    • configuration-Office365-x86.xml
    • configuration-Office2019Enterprise.xml
    • configuration-Office2021Enterprise.xml

    The configuration-Office365-x64.xml sample configuration file looks like this:

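The following PowerShell is an added example and is neither the sample file shipped with the ODT (which is not reproduced on this page) nor code from the book. It writes a configuration that mirrors the suite choices made in the Intune procedure earlier (64-bit, Current channel, every app except Skype for Business, silent install, older MSI versions removed) and then runs the two setup.exe phases. It serves both the Intune deployment above and the ODT discussion here, because the Configure app suite tab in Intune also accepts a configuration in this format through its Enter XML data option. Paths, channel and language are illustrative.

```powershell
# Added example: build an ODT configuration.xml and run the download and configure phases.
# Run from the folder where the ODT was extracted (setup.exe must be in the current directory).
$configXml = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- "Lync" is the ExcludeApp ID for Skype for Business -->
      <ExcludeApp ID="Lync" />
    </Product>
  </Add>
  <!-- Keep Office self-updating on the chosen channel -->
  <Updates Enabled="TRUE" />
  <!-- Remove older Windows Installer (MSI) versions of Office before installing -->
  <RemoveMSI />
  <!-- Silent install; nothing is shown to the user -->
  <Display Level="None" AcceptEULA="TRUE" />
  <!-- Close running Office apps during install rather than failing -->
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration>
'@

Set-Content -Path .\configuration.xml -Value $configXml -Encoding UTF8

# Phase 1: download the installation files for the channel and edition to the Office subfolder.
# Do this once on a build machine or share; it pulls several gigabytes.
& .\setup.exe /download .\configuration.xml

# Phase 2: install on the client from the staged files, using the same configuration.
& .\setup.exe /configure .\configuration.xml
```

The same XML can be produced graphically with the Office Customization Tool at config.office.com and then used unchanged here or pasted into Intune.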

    How to apply the required security settings to your endpoints – Manage, maintain, and protect devices

    In this skill, you’ve learned about the various security features in Windows 11. You’ve also learned how to use either Endpoint security policies or a device configuration profile (using the Endpoint protection template) to enforce the required configurations.

    In fact, you can generally use either of these methods. An advantage of using the Endpoint security policies is that you can also implement security baselines to help keep those policies aligned with security improvements. By using Endpoint security policies, you can configure the following:

    • Antivirus Enables you to review Windows 11 unhealthy endpoints and devices with active malware. You also can use this option to create and assign antivirus profiles:
      • Microsoft Defender Antivirus exclusions
      • Microsoft Defender Antivirus
      • Windows Security Experience
    • Disk Encryption Enables you to create and configure BitLocker profiles for Windows 11 devices and macOS encryption settings.
    • Firewall Enables you to create and configure firewall profiles and firewall rules.
    • Endpoint Detection and Response Enables you to create profiles that provide advanced attack detections that are near real-time and actionable.
    • Attack Surface Reduction Enables you to create and configure the following profiles to help reduce the attack surface on your managed devices:
      • App and browser isolation
      • Device control
      • Attack surface reduction rules
      • Exploit protection
      • Web protection (for legacy Edge)
      • Application control
    • Account Protection Enables you to create profiles that help protect user credentials by using Windows Hello for Business and Credential Guard technology.
    • Device Compliance Enables you to create and manage device compliance settings. These include
      • Policies
      • Notifications
      • Retire Noncompliant devices
      • Locations
      • Compliance policy settings
    • Conditional access Enables you to create and configure conditional access policies. These policies enable you to enforce access requirements when specific conditions occur. For example, deny access to cloud apps for non-compliant devices.

    Some settings are available only through Endpoint security policies, for example the Local user group membership and Local admin password solution (Windows LAPS) profiles under Account protection.

    An advantage of using an Endpoint protection configuration profile is combining and configuring all your Microsoft Defender security settings in a single profile. These settings are

    • Microsoft Defender Application Guard
    • Windows Defender Firewall
    • Microsoft Defender SmartScreen
    • Windows Encryption
    • Microsoft Defender Exploit Guard
    • Microsoft Defender Application Control
    • Microsoft Defender Credential Guard
    • Microsoft Defender Security Center
    • Xbox services
    • User Rights

    Familiarize yourself with the available options in each of these methods for securing your endpoints.

    Attack Surface Reduction Rules – Manage, maintain, and protect devices

    Attack Surface Reduction rules can help prevent actions and apps often used by exploit-seeking malware from infecting your organization’s devices. Each rule is identified by a unique identifier (GUID), which is what you reference when configuring the rule through Intune, Group Policy, or PowerShell. Table 3-17 lists and describes the available Attack Surface Reduction rules and their respective GUIDs.

    TABLE 3-17 Attack Surface Reduction rules

    Rule and description | GUID
    Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
    Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
    Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899
    Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
    Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
    Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc
    Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
    Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
    Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
    Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
    Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
    Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
    Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
    Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

    Need More Review? Enable Attack Surface Reduction Rules

    To review further details about configuring Attack Surface Reduction rules, refer to the Microsoft website at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide.

    Network Protection

    Network Protection helps prevent your users from using apps to access Internet-based domains that might present a risk of malware, scams, or other malicious content. You can use GPOs, Microsoft Intune, or Windows PowerShell to enable network protection.

    Need More Review? Enable Network Protection

    To review further details about enabling and configuring Network Protection, refer to the Microsoft website at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection.

    Controlled Folder Access

    You can use Controlled Folder Access to help prevent the spread of malicious software. Specifically, controlled folder access helps protect valuable data stored in specific folders. You can use Windows PowerShell, GPOs, or MDM to configure controlled folder access.

    Need More Review? Enable Controlled Folder Access

    To review further details about configuring folder access, refer to the Microsoft website at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.
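The three features just described (Attack Surface Reduction rules from Table 3-17, Network Protection, and Controlled Folder Access) share one configuration surface on the device, the Defender preference cmdlets, and share one operational log. The following PowerShell is an added example, not code from the book or from Microsoft, that stages all three in audit mode on a single device, promotes two rules to block, and reads back the effective state and the audit events. The folder and application paths are placeholders. On a managed device, Intune (or Group Policy) will overwrite these local settings on the next sync, so use this for a pilot or lab machine.

```powershell
# Added example: stage ASR rules, Network Protection and Controlled Folder Access locally.
# Run elevated on Windows 11 with Microsoft Defender Antivirus active.

# GUIDs and names as listed in Table 3-17 (GUIDs are case-insensitive).
$asrRules = [ordered]@{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication applications from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}

# 1. ASR rules: the Ids and Actions arrays are positional pairs. Everything audits first.
$ids     = @($asrRules.Keys)
$actions = @($ids | ForEach-Object { 'AuditMode' })
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Promote the LSASS and PSExec/WMI rules to Enabled (block) once audit shows no false positives.
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2', 'd1e49aac-8f56-4280-b9ba-993a6d77406c' `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled

# 2. Network Protection and Controlled Folder Access, also audited first.
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                              # placeholder folder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Ledger.exe'  # placeholder app

# 3. Read back the effective state. Actions come back as numbers: 0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn.
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    '{0}  {1,-10} {2}' -f $id, $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $asrRules[$id]
}
"Network Protection: $($pref.EnableNetworkProtection)   Controlled Folder Access: $($pref.EnableControlledFolderAccess)"

# 4. Audit and block events share the Defender operational log:
#    ASR 1121 (blocked) / 1122 (audited); Controlled Folder Access 1123 / 1124; Network Protection 1126 / 1125.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                                 Id      = 1121, 1122, 1123, 1124, 1125, 1126 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Reading the 1122, 1124 and 1125 audit events for a week or two before switching each feature to Enabled is what keeps line-of-business macros and installers from being blocked on day one; the same audit-then-enforce sequence applies when the settings are delivered from an Intune Attack surface reduction profile.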

    Implement endpoint protection for all supported device platforms – Manage, maintain, and protect devices

    Windows 11 contains a number of built-in features that are part of the Microsoft Defender suite of security apps. It’s important that you are familiar with each of these, you can determine what they do, you know how they can help secure your organization’s devices, and you know how you can enable and configure these features. You must also understand how to implement, configure, and manage these security features by using Microsoft Intune.

    This skill covers how to:

    Create and manage configuration policies for Endpoint security

    In this section, you’ll learn how to secure your Windows 11 devices. You’ll also learn about the various security features in Windows 11.

    Implement enterprise-level disk encryption

    It’s important to be able to protect your computers against data loss and data leakage. One way in which you can do this is to enable disk encryption. Windows 11 supports BitLocker.

    BitLocker enables you to encrypt an entire hard disk, including the operating system drive. BitLocker is available in Windows 11 Pro, Enterprise, and Education editions.

    With BitLocker enabled, the drive is protected against offline data theft. On a system that is not encrypted, simply removing the drive from the PC and attaching it as a secondary drive in another PC allows the data to be read, bypassing all NTFS security; on a BitLocker-protected drive the same attacker sees only ciphertext unless they also hold a key protector.

    Trusted Platform Modules

    Most modern computers contain a security component known as a Trusted Platform Module (TPM). This component securely stores cryptographic information, such as BitLocker’s encryption keys.

    BitLocker supports versions 1.2 and 2.0 of the TPM specification. Keys sealed in the TPM are better protected against software attacks and physical theft than keys stored on the disk itself.

    If a device has been tampered with, such as the hard drive being removed from the original computer, the TPM will not release the key and BitLocker does not unlock the drive automatically. Instead, BitLocker enters recovery mode and requires the user to enter the 48-digit recovery password before the drive can be accessed.

    While a TPM is the most secure option, BitLocker can also be used on devices without a TPM. To enable this capability, you must configure the appropriate settings in Intune, and we’ll discuss those shortly.
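The following PowerShell is an added example, not code from the book or from Microsoft, showing what an Intune disk encryption profile drives on the device: it checks that a TPM is present and ready and which specification version it implements, enables BitLocker on the operating system drive with a TPM protector, adds the 48-digit recovery password, and escrows that password to the directory. Run it elevated on a Windows 11 Pro, Enterprise, or Education device that is Microsoft Entra joined or hybrid joined; on a device without a ready TPM it stops, because the non-TPM scenario needs the startup-authentication policy the text refers to.

```powershell
# Added example: verify the TPM, enable BitLocker on the OS drive, add and escrow a recovery password.
function Get-TpmSummary {
    $tpm = Get-Tpm
    # SpecVersion is only exposed through the Win32_Tpm CIM class, e.g. "2.0, 0, 1.59" or "1.2, 2, 3".
    $cim = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        SpecVersion = $(if ($cim) { $cim.SpecVersion } else { 'unknown' })
    }
}

$tpmInfo = Get-TpmSummary
$tpmInfo

if (-not ($tpmInfo.Present -and $tpmInfo.Ready)) {
    # BitLocker can still protect the drive with a startup key or password protector, but only
    # when the "Require additional authentication at startup" policy (set from Intune) allows it.
    throw 'No ready TPM found; configure the non-TPM startup authentication policy before enabling BitLocker.'
}

$osDrive = $env:SystemDrive   # normally C:

# Seal the volume key to the TPM. XTS-AES 256 and used-space-only encryption suit a freshly imaged device.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Add the numeric recovery password that recovery mode will ask for if the TPM refuses to unseal.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Escrow the recovery password to Microsoft Entra ID so helpdesk can retrieve it; without escrow,
# a tampered or re-homed drive is unrecoverable by the organization as well as by the thief.
BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

The final output should list both Tpm and RecoveryPassword protectors; a volume with only a TPM protector is the configuration to avoid, since any firmware update or board swap that changes the TPM measurements would then lock the data out permanently.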