Managing Modern Desktops (MD-101)

Managing devices in an enterprise environment

23 H 43 M

This course has a virtual lab
This course has a practice test
  • Plan and implement Windows 10 by using dynamic deployment
    • Windows Dynamic Deployment
    • Windows Dynamic Deployment Part 2
    • Windows Autopilot
    • Upgrade Windows 10
    • Windows Analytics
    • Windows Analytics Part 2
    • Windows Analytics Part 3
    • Migrate User Profiles
    • Migrate User Profiles Part 2
    • Manage Updates
    • Manage Updates Part 2
    • Manage Updates Part 3
    • Manage Authentication Policies
    • Manage Authentication Policies Part 2
    • Manage Authentication Policies Part 3
    • Manage Sign-on Options
    • Manage Sign-on Options Part 2
    • Perform Azure AD Join
  • Manage Policies and Profiles
    • Implement Co-Management
    • Implement Co-Management Part 2
    • Conditional Access
    • Conditional Access Part 2
    • Conditional Access Part 3
    • Configure Device Profiles
    • Configure Device Profiles Part 2
    • Manage User Profiles
    • Manage User Profiles Part 2
    • Manage User Profiles Part 3
  • Manage and Protect Devices
    • Windows Defender Application Guard
    • Windows Defender Credential Guard
    • Windows Defender Exploit Guard
    • Windows Defender Exploit Guard Part 2
    • Windows Defender Exploit Guard Part 3
    • Windows Defender Application Control
    • Windows Defender Application Control Part 2
    • Windows Defender Antivirus
    • Enable Device Enrollment
    • Intune Terms and Conditions
    • Intune Enrollment Restrictions
    • Intune Device Categories
    • Intune Corporate Identifiers
    • Device Enrollment Manager
    • Enroll Windows Devices
    • Enroll Apple Devices
    • Enroll Apple Devices Part 2
    • Enroll Android Devices
    • Device Inventory Reports
    • Monitor Device Health
    • Monitor Device Health Part 2
  • Manage Apps and Data
    • Deploy Microsoft Store Apps
    • Deploy Google Play Store Apps
    • Deploy Apple App Store Apps
    • Microsoft Store for Business
    • Deploy Office 365 ProPlus
    • Deploy Office 365 ProPlus to macOS
    • Sideloading Apps
    • Implement Assigned Access
    • Configure IE Enterprise Mode
    • Gather Office Readiness Data
    • Implement and Manage MAM Policies
    • Configure Windows Information Protection
    • Configure Azure Information Protection
    • Configure Azure Information Protection Part 2
    • Configure Azure Information Protection Part 3

Windows Dynamic Deployment

23 M

  • Episode Description
  • Transcript

In this episode, Aubri and Mike begin their look at Windows Dynamic Deployment. They define dynamic deployment and evaluate different dynamic deployment options. They look at subscription activation as well as using Azure Active Directory and Intune.

Welcome to ITProTV. I'm your host Don Pezet. [CROSSTALK] [MUSIC] >> You're watching ITProTV. >> Hello and welcome to another empowering episode here at ITProTV. I'm your host, Aubri Spurgin, and this is managing modern desktops. We are preparing for the MD-101 exam, and in this episode we're gonna be taking a look at Windows Dynamic Deployment. That's a little bit of alliteration for you. And here we have the red shirt twins. How's it going, Mike? >> It's going great, and hopefully we both don't get zapped on our away mission or anything. >> Yeah. >> The whole red shirt. Hopefully we survive, but I'm doing great. Thanks for having me. Excited as always to be here. And good old Windows Dynamic Deployment is the topic of the day. It's the first objective as we start preparing for this MD-101 exam. And so when we talk about Windows Dynamic Deployment we're gonna talk about three methods that we can use to do dynamic deployment. But I wanna make sure we're all on the same page, and we talk about deploying Windows, right. We have our traditional deployment methods that we've always used, and we can still do. We have our imaging capabilities. And I can create an image, a thin image, a thick image. I can install from installation media. We can go and install applications after that, so we still have our traditional methods. But as we move into Windows as a subscription and as we move into our hybrid environments and our cloud only environments, those traditional methods aren't as, they're probably not the best way to go, right. And that's where these new dynamic deployment methods come into play. These are more modern, as we talked about modern desktop, right, these are our more modern ways of deploying our operating system. And really even though that's what we talked about it, deploying our operating system, we're not. We're not deploying an operating system, what we're doing is we're configuring a machine, right. 
Because we know that in today's environments, a lot of times our users already have devices, right. They've got that laptop that they just bought, the BYOD thing, right. Where they've already got Windows 10 installed, what I need to do is configure that device to work in our enterprise. I need to make sure that all of our corporate policies are being applied to it, that our security configurations are being applied to it, the appropriate software is being installed, whether we're encrypting things. All of that stuff has to be done. But the operating system is typically already there. So it's unlike where we're deploying the OS and applications, for example, in a thick image or something like that. Here what we're doing is we're configuring that device to work in our enterprise. So almost want to say dynamic provisioning more than I do dynamic deployment, but it's dynamic deployment of configuration and settings and applications is really what we're doing. And that just falls right in line with Windows as a service, right. The operating system is gonna always be the latest and greatest version, that we don't deploy, that we just get, we reset. We've talked about in MD-100 how you just reset the operating system if something goes wrong, right. I don't have the installation media. I'm always gonna have the latest and greatest version. So that's where, again, where we're sitting at when we talk about dynamic deployment or really more accurately probably, dynamic provisioning. And the whole idea is take a machine out of the box, turn it on, and configure it and transform it into an enterprise device, right, with minimal time and effort. And half of these methods, I don't even, as IT, we don't even have to touch the device, right. We get everything set up, we get everything configured properly, we never even have to see the device, the user can do this from home.
They can get that device shipped to them from that store, whoever they bought their device from or they can go down to the big box store, buy the device, take it home, plug it in, connect it to the Internet, and we can detect it and configure it without them ever even having to step foot in the office. Pretty cool, right. >> That is pretty cool. >> Yeah, makes it a whole lot easier on us. I don't have to maintain ten different images, right, that we used to do with WSUS. And an image for sales, and a different image for marketing, with different applications. I don't have to update those images with the latest Windows updates and update applications, none of that with this method. So that is the idea. The first one I wanna talk about, in our exam objectives they talk about dynamic deployment and just what that is in general. And then they say evaluate and select the appropriate deployment option, and they list three. They've got subscription activation, Azure Active Directory combined with MDM or mobile device management, and then provisioning packages, right. And those are the three we're gonna talk about. So let's talk about the subscription activation. >> Sounds good. >> Yeah, and this is a pretty cool one. All this is is you are going to, most of the time when people buy their devices from say Dell or from Best Buy or something like that, they come with Windows 10 Professional, right. But when they join our enterprise, when we want them to use that as a corporate device, we want them to be running Windows 10 Enterprise. We want to be able to take advantage of those Enterprise level features that aren't available in Windows 10 Professional. So in the past that meant reinstalling the operating system, right, or doing an upgrade to try to upgrade it from, say, Windows 8 Pro to Windows 8 Enterprise or something, Windows 7 Pro to Windows 7 Enterprise or something like that. Now you can do it automatically. That's what subscription activation is about.
And basically what you're gonna do is you go into Azure, and you're gonna assign Windows 10 Enterprise licenses to your Azure account. So your users are going to have accounts in Azure Active Directory. You go into those accounts, and you assign a Windows 10 Enterprise license to that account. The next time that user logs in with their Azure credentials, it will automatically detect that they're running Windows 10 Pro and that they have been assigned a Windows 10 Enterprise license. And it will automatically upgrade that SKU from Pro to Enterprise. No keys have to be inserted, no reboots required, IT didn't have to touch the machine. It's gonna automatically upgrade that machine to Enterprise behind the scenes, without any interaction from the user either. We have requirements. It does have to be Windows 10, 1703 or later. We have to have Azure Active Directory because that's how we're assigning the licenses to our users. And the devices have to be Azure AD joined, they can be Active Directory on-premise joined, as long as we're synchronizing. If we're using AD Connect or Azure AD Connect to synchronize our on-premise Active Directory with Azure Active Directory, then we can do on-premises connected devices as well as Azure AD joined devices, all right. Benefit wise, again, licenses are gonna be checked based on the Azure credentials. The users will log on and trigger that update automatically, no keys, no reboots. And it gives us a way to transition away from KMS, or my key management servers, and get away from those multiple activation keys, or my MAKs. And use this as your subscription activation, sorry, brain cramp there. Now it does require, I can't demonstrate this for you because it does require Enterprise agreement or an EA with Microsoft, right. You have to go purchase your Enterprise licenses through your vendor or through the reseller, through Microsoft. You have to purchase your Enterprise licenses.
And then I'll import those into my Azure subscription, and then I can assign those to my users, which I can do. But it's a pretty straightforward process. If you've assigned any licenses in Azure, you just go to the user account, you click licenses, and it's typically an on off type switch where I can assign those. You would have to, again, configure your Enterprise agreement with Microsoft to get that capability. >> I was wondering about that, cuz I was gonna ask you, are you going to show us how to do this, but that makes sense, yeah. >> Unfortunately I can't, at some point we'll go out to Azure and I can show you where you might see that. But again, I don't have an EA with Microsoft. I don't have any enterprise licenses that I can use that way. >> Then I would recommend like watching this and doing it along with him talking. Because usually we do a demonstration. >> Yes. >> And then we follow along. >> Yep. >> But it's just like, listen, do it. Yeah. >> Yeah. >> That'd be good. >> Yeah. And in this case, you just, you really can't, right. Unless your company has an EA and then you can play around with that, you can't really practice those kinds of things. >> Right. >> But again, for this exam, I wouldn't worry about that. I'll just understand the concept that we can do subscription activation. That I can assign a license not to the device. I assign license to the end user. Which brings me to another point, I'm glad you brought this up cuz, that's up to five devices, right. If I assign an enterprise license to Aubri, every time she logs into her device using her Azure credentials, her work credentials, it's going to upgrade that from Pro to Enterprise assuming it's 1703 or later Windows 10, right, and we meet those requirements. Good luck with that. And up to five devices, so not just her one laptop but her desktop at home as well can be upgraded, any kind of tablet as she's running Windows 10 on could be upgraded as well. So up to five.
Other things we need to be aware of for the exam is that when the user subscription expires or is transferred, let's say Aubri leaves the organization, now we remove those licenses from her account. Her devices will automatically roll back to Windows 10 Pro, right? She's not left with Windows 10 Enterprise. It's gonna automatically roll back to Windows 10 Professional. There's a 90 day grace period there. It's not going to do it immediately but it will eventually roll back. So if you remove licenses from a user, or they fall out of that subscription it will roll it back. Or if that device is left off, it does have to check in every so often, similar to the way we did with KMS keys. It'll have to check in with Azure every so often to make sure we still have that license assigned to that user. If it doesn't, if it's unable to check in for an extended period of time, or if we've removed the license, it will automatically roll back to Windows 10 Professional. All right, so that is subscription activation. And again it's not so much, notice, we, even though it's called Windows deployment and dynamic deployment, we didn't deploy the operating system. >> No. >> Right, all you did was take your device that you bought from that computer manufacturer. It's got Windows 10 installed on already and you logged in with your credentials and it upgraded to Enterprise. We didn't really deploy the operating system out there, right. And when it comes to the next one, Active Directory, Azure Active Directory and Mobile Device Management, same kind of concept here. The operating system's already gonna be installed. What I need to do is configure it to work in our Enterprise. I need to make sure that security policies are being applied. I need to make sure the software is getting installed and all of that. And so that's where, Azure Active Directory and in our case Microsoft Intune, or Intune now, I don't think they've removed Microsoft from the name at this point.
Intune is gonna be my mobile device manager of choice. There's third party utilities or third party mobile device managers that you can use along with Azure. Intune is not your only one. This is a Microsoft class, [LAUGH] and it's a Microsoft test, so we should be familiar with Microsoft's Intune. All right, so let's take a look at how we can do that. So, with Azure Active Directory and Mobile Device Management, I'm not gonna show you the Azure side of things as much because that's something we cover in other shows. But from the client perspective, all they're going to do and again, we're spending all this time and really all they do is log in. >> That sounds easy enough, right? [LAUGH] >> Right, there's not a lot to it. Let's take a look at my screen here. I've got a Windows 10 machine that I've gone through the installation process or I've started the installation process and I'm at that OOBE or the Out Of Box Experience. So this might be the first time that user's fired up that laptop that they just bought from the big box store and they've brought it home and they've opened it up and they've plugged it in, and this is what you see, right? This is the out-of-box experience from Microsoft. And so they'll click yes to their region. And then they'll have to pick a keyboard layout and a language. I'm gonna say, US for me is correct, yes. I'm going to skip a second keyboard layout. And I'm going through these fast. This part is not important, as far as the exam goes. This is just a normal Windows 10 install. And now it's gonna go through it and it's gonna do some setup information. So we'll let this run. And I'll tell you what, we will give this a minute to run and once we, well, actually, I take that back. Well, let's see what's new for Windows. Sometimes it's fast, sometimes it's slow. It really depends on, I don't know, temperature? [LAUGH] >> [LAUGH] >> There's my Windows License Agreement. We'll go ahead and accept that.
And then we'll watch those little spinning Cheerios go around and here we go. So here, Sign in with Microsoft. All right so again, this is a brand new install of a machine that's never touched my enterprise network. And this could be from anywhere. This could be at the hotel, this could be from home, anywhere with Internet access. I'm simply gonna sign in using my Azure credentials that work has given me. And I can't type and talk at the same time sometimes. So I have to think about what I'm typing. So I've typed in my credentials. I'm gonna click Next. It wants my password. All right, and you know what's cool is I can already see some things. Like notice the little ITPRO.TV logo popped up? >> Yeah. >> That's because of the configuration that I've done up in Azure. I've added graphics to customize log on screens and things like that. So even though this machine has never seen the corporate network, it's never been logged into before, it's already picking up settings from my Azure subscription, simply because I typed in my user's credentials. Now I'm authenticating, I put in my password, and assuming I typed in my password correctly, drum roll please. [LAUGH] Here we go, that was a nice drum roll. We can see that it's setting it up. And here, I want to zoom in real quick before this goes away, because it is pretty quick. You can see device preparation is already complete. Device setup is now identifying. So this is my Intune policies being applied to the system. Again, to me this is really fascinating stuff because back in the day, this would be bringing that laptop into work. It means taking the time to apply one of those thick images that I've created, and then going through all my Windows updates and doing all of that, this is all happening automatically. It doesn't get any better than that. All right? So, there we go, device preparation is complete, device set up is complete. Waiting for previous step to finish, it must have just finished.
And now we're back to the normal install, which I'll go ahead and click through pretty quickly here. I am going to put a default installation of Windows as far as my settings go and we'll give it just a minute to finish. I'll tell you what. While that's finishing up, let's jump up to Azure. Let's go take a look at what's going on. We are going to go to, I'm going to log into my Azure account, last password is thinking about it. Yeah, I love my password managers. Too many accounts to remember. And here, I'm going to go into Azure Active Directory and let's see if I can't see that device yet. I'm gonna go into devices, and I'm looking for one, and I'll zoom in here in just a second. So as I say, there we go right there. I know you can't tell but this is the name of that laptop and I can tell because the access time was two minutes ago at the time of this filming, right. So I can see that that device, right, that that user just bought, brought home, and has logged into for the first time, is already showing up in my Azure portal. I'm already able to remotely manage that device just like it was part of my corporate network. If I go over to Intune, and I take a look at, I don't know, devices and Azure AD devices. Again, there is that device right there, that was just joined a couple minutes ago. It's behind my head, but is the same time stamp that we were looking at earlier, says 2:15, and today's date, so there is that desktop which means again the significance of that is that or my policies are already applying. So as an organization, if we were requiring BitLocker or certain security settings, all that has already been applied to the laptop, and IT hasn't touched the device. They haven't even seen the device, all right? They might not even know that the user bought the device, all right, that's what's cool about this. I'm just gonna connect real quick. And I will authenticate, if I can remember my brand new password that I set up for this.
There it is, I think, fingers crossed, there we go and so, there again, this is part of my company policy. Now, this is gonna fail, I'm actually having an issue with Azure and my PIN, what this is gonna do, this is gonna text me a code, all right? And so, I'm gonna pull out my phone, and this is set up on my Azure account, right? So Aubri's account in Azure has her phone number, so when she's setting up her laptop, she's gonna get texted this code to support multi-factor authentication, where for in this case, we're setting up a PIN which is part of our company policy. So I'll go and enter in the code that Microsoft just sent me, 982805, verify that and I believe it's going to fail on me unfortunately, yeah, I had some issues setting up PIN and that's just the configuration on my end up in Azure that I got to work with. But again, what we're trying to prove is that our policy is kicking in, now I've got a mobile device management Intune policy, I'm just clearing some of these dialog boxes. I've got an Intune policy that says how normally when you go to your start menu, you see Documents and Pictures, well, I created an Intune policy that's going to not display Pictures, and display Downloads instead. I can't zoom in cuz this is a brand new machine, so I don't have my zooming software built into this or installed, but you can see. There's Documents, and there's Downloads, right? In fact, here, you know what? I can show you that better if I do it this way. No, I can't, so, I can't zoom in any closer to that but you'll have to take my word that my policies are kicking in. So without IT ever seeing this device, without me having to bring it to the office, my mobile device management's working, my corporate policies are being applied, and what did the user have to do, Aubri? >> Just sign in, yeah, crazy. [LAUGH] >> This is the new way to deploy desktops, I like it. >> Yeah.
>> All right, all right, now you might ask yourself, well, okay, that's great if they just bought that device or we just gave them a brand-new device and they've logged in for the first time, and they login with their work account and that's great. But I've got users that already have a device, right? That we hired them, but they've got their laptop that they've owned for a little while that they wanna use, what about that? Or what if we're repurposing an existing laptop, giving it to another user, right, to use within the organization, how about those? It works the same way, all right? I'm gonna run over here, so here is a Windows 10 device again that's never seen the corporate network, it's a brand-new install but I joined it, I went ahead and finished the OOBE and I used a local account, right? So it's not joined to domain, it's not joined in Azure directory, or pretending this is a laptop that maybe I've used for the last six months, now, I've got hired at this company, and I tell them I already have a laptop and they're like great, here's your credentials. So I go home and I'm going to go to my Start Menu and then Settings, and in Settings I'm gonna simply click Accounts, over here. And then I'm gonna choose Access work or school. And then I'm gonna click Connect, and it should open up a nice dialog box where I can type in my brand new work credentials, I'm so happy to have a job, and I'll click Next and I'll enter them in my super secret password. >> If you can remember it. >> If I can remember it, you know me too well, I click Sign In, and let's see if it works, hold on while we register this device with your company and apply policy, this may take a moment. That was a quick moment, I like it, you're all set, that granted my policies are, I have like one or two policies that are changing the Start Menu.
In your organization, you might have policies of applying software and things like that, so it might take a little bit longer than that, but I click Done and right there I know, again, I can't zoom in cuz it's a brand new machine, that says it's attached to. In fact, let's do this, let's go here, let's go System, and I'm gonna click About. Now you can see my host name is a very default Windows name there, IK7UGRO, so it's like IK7UGRO, yep, we can remember that. >> Yes, IK7UGRO. >> So I'm gonna go back over to our portal, I'm going to refresh, and I'm gonna make this a little bit wider. And let's see, there it is right there, can you see that? >> IK7UGRO. >> IK7, exactly, there it is, so again, there's the device, all we did was log in with our Azure credential, and it's automatically joined the MDM, my mobile device management is now applying policies, I can remotely manage this device, I can wipe this device. All those things that we can do with our mobile device manager in Azure Active Directory are now possible, and I know I've said this probably five times now, but I never touched the device, right? As IT, all I did was configure everything up in Azure, and gave the user the credentials I want them to use to log in, and that was it, right? Their device is now a corporate device and I can manage it and wipe it or do whatever it is I need to do to that device, so that is the second method we were gonna talk about, dynamic deployment. We've taken a look at subscription activation, as well as the Azure Active Directory and mobile device management, let's go take a look, this should be finished now. Actually, it already was, same thing, if I go to my start menu, hopefully, you can see that, there is my Downloads icon instead of my Pictures icon, which is the default for Windows 10, which means my mobile device policies are kicking in.
So everything is working, all right Aubri, I tell you what, that takes care of two of the three, the third one is going to be provisioning packages. >> Yes. >> But I see we're a little short on time, I don't think I could squeeze it in. So I'm gonna say maybe we should come back and do a part two for that third method. >> All right, this has been Windows Dynamic Deployment part one, there will be a part two, so be sure to come back and check that out, for now we're gonna head on out. Thank you so much Mike for joining us and thank you all out there for watching, signing off for ITProTV I've been your host Aubri Spurgin. >> And I'm Mike Rodrick. >> And we'll see you next time. [MUSIC] >> Thank you for watching ITProTV.