MDlab - Lab Guide - v2


Lab Guide

Microsoft 365 Modern Desktop Lab Guide

Date: August 3, 2020

Version: 1803
Table of Contents

1 Introduction
1.1 Lab Overview

2 Prerequisites
2.1 On-Premises Environment
2.2 Cloud Environment

3 Lab Setup
3.1 On-Premises Environment
3.2 Cloud Environment
3.2.1 Setup Azure and Office 365
3.2.2 Setup Enterprise Mobility + Security
3.2.3 Enable and Configure Cloud Services
3.3 On-Premises Environment Post Setup Manual Steps
3.3.1 Servicing Configuration Manager
3.3.2 Prepare Configuration Manager (if not already configured)
3.3.3 Create Test VMs
3.3.4 Configure Azure AD Connect with Device Sync

4 Servicing
4.1 Windows Analytics Update Compliance
4.1.1 Sign-Up and Overview
4.1.2 Need Attention!
4.1.3 Security Update Status
4.1.4 Feature Update Status
4.1.5 Windows Defender AV Status
4.2 Servicing Windows 10 with Configuration Manager
4.2.1 Configure Software Update Point
4.2.2 Configure Servicing Plan
4.2.3 Service a Windows 10 1709 Client
4.3 Servicing Office 365 ProPlus with Configuration Manager
4.3.1 Enable Configuration Manager to receive Office 365 Client Package Notifications
4.3.2 Enable Office COM Objects to Manage Office 365 Client Updates
4.3.3 Configure Office 365 Servicing
4.4 Known Folder File Migration

5 Deployment & Management
5.1 Modern Device Deployment
5.1.1 AutoPilot
5.1.2 In-Place Upgrade
5.1.3 Provisioning Packages
5.1.4 Optimize Windows 10 Update Delivery
5.2 Modern Device Management
5.2.1 Mobile Device Management using Microsoft Intune
5.2.2 Dynamic Management with Windows 10
5.2.3 Mobile App Management for Non-Managed Windows 10 Devices
5.2.4 Co-Management
5.3 Office 365 ProPlus Deployment
5.3.1 Cloud Managed Deployment
5.3.2 Locally Managed Deployment
5.3.3 Enterprise Managed Deployment using System Center Configuration Manager
5.3.4 Enterprise Managed Deployment using Microsoft Intune
5.4 BIOS to UEFI Conversion
5.4.1 Prerequisites
5.4.2 Conversion after In-Place Upgrade
5.5 Modern Application Management
5.5.1 Application Deployment and Management with Microsoft Intune
5.5.2 Application Self-Service with Microsoft Store for Business
5.6 Enterprise State Roaming
5.6.1 Prerequisites
5.6.2 Configure Enterprise State Roaming
5.7 Remote Access (VPN)
5.7.1 Prerequisites
5.7.2 Manually Create VPN Profile
5.7.3 Configure Always-On
5.7.4 Configure Trusted Network Detection
5.7.5 Configure App-Triggers
5.7.6 Add Traffic Filters
5.7.7 Configure Name-Based Connection Triggers

6 Security
6.1 Credential Guard
6.1.1 Check Credential Guard Requirements
6.1.2 Modern Management
6.1.3 Traditional Management
6.2 BitLocker
6.2.1 Modern Management
6.2.2 Traditional Management
6.3 Windows Defender Advanced Threat Protection
6.3.1 Onboarding Windows 10 Device
6.3.2 Perform Simulation
6.4 Windows Defender Antivirus
6.4.1 Modern Management
6.4.2 Traditional Management
6.5 Windows Hello for Business
6.5.1 Modern Management
6.5.2 Traditional Management
6.6 Windows Defender Exploit Guard
6.6.1 Modern Management
6.6.2 Traditional Management
6.7 Windows Information Protection
6.7.1 Modern Management
6.7.2 Traditional Management
6.8 Windows Defender Application Control
6.8.1 Modern Management
6.8.2 Traditional Management
6.9 Windows Defender Application Guard
6.9.1 Modern Management
6.9.2 Traditional Management

7 Compatibility
7.1 Windows Analytics Upgrade Readiness
7.1.1 Sign-Up and Overview
7.1.2 Configure Upgrade Readiness (OPTIONAL)
7.1.3 Deploy Upgrade Readiness (OPTIONAL)
7.1.4 Review Upgrade Readiness Data (OPTIONAL)
7.2 Desktop Bridges
7.2.1 Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)
7.3 Browser Compatibility
7.3.1 Prerequisites
7.3.2 Enterprise Mode
7.3.3 Browser Compatibility Remediation
7.4 Windows App Certification Kit
7.4.1 Prepare Test Applications
7.4.2 Validate Universal App
7.4.3 Validate Desktop App

8 Appendix – Upgrading to Configuration Manager Current Branch
8.1 Prerequisites
8.2 Upgrade Configuration Manager

9 Appendix – Configuring Windows Analytics
9.1.1 Configure Upgrade Readiness
9.1.2 Deploy Upgrade Readiness (OPTIONAL)
9.1.3 Review Upgrade Readiness Data (OPTIONAL)

10 Appendix - Wipe and Load
10.1 Image Creation
10.1.1 Prerequisites
10.1.2 Build and Capture a Reference System Image
10.2 Lite Touch Deployment
10.2.1 Prepare a Windows 10 Lite Touch Deployment
10.2.2 Perform a Windows 10 Lite Touch Deployment
10.3 Zero Touch Deployment
10.3.1 Prerequisites
10.3.2 Create Task Sequence
10.3.3 Deploy Windows on an Unknown Computer

11 Appendix - Application Virtualization
11.1 Prerequisites
11.2 Install the Sequencer
11.3 Application Sequencing
11.3.1 Standard Application
11.3.2 Add-On / Plug-In Application
11.4 Deploying App-V Packages

12 Appendix – Troubleshooting the SCCM Client install


1 Introduction
This lab provides hands-on experience with the Microsoft 365 modern desktop deployment
and management tools and processes. For reference and comparison, the traditional
methodology is also covered.

Microsoft 365 comprises the best of Windows 10, Office 365 ProPlus and Enterprise Mobility +
Security giving you a direct path to a modern desktop.

A modern desktop is Windows 10 and Office 365, kept up to date. Making the shift to a modern
desktop helps you build a highly secure workspace, backed by the latest productivity,
teamwork and collaboration experiences for your organization. For an IT admin, the shift
also removes much of the pain of keeping the desktop environment secure: endpoint
protection is built in, the latest security updates are easier to obtain, and information
protection and identity and access management are integrated. Deploying new PCs, or
getting existing PCs back to a business-ready state, gets easier, and you can keep your user
population productive and secure with the most up-to-date experiences.

This is best achieved through Microsoft 365, which brings together Office 365 with Windows 10
Enterprise, and Enterprise Mobility + Security, in a complete intelligent solution. The chart below
summarizes key steps required to make the shift.
The first step of your deployment is to create a high-level plan and get necessary approvals and
project sponsors. Next you can assemble your teams and assign areas of responsibility across
the following eight steps:

Note: Links will take you to related scenarios in the guide.

1. Device and App Readiness. Now with the broad plan in place, you can focus on
assessing your current devices. For that, we’ve built new tools with Windows Analytics:
Upgrade Readiness to help identify devices, OS versions, apps, add-ins, drivers and more
to assess those against compatibility information to help target your initial deployments.
Continue with this tool as you test and mitigate for app compatibility.
Where to start: Windows Analytics, ConfigMgr CB HW/SW inventory

2. Directory and Networking Readiness. This is the next step and is your plan for
implementing Azure Active Directory – if not currently in use – as well as getting your
network ready for moving system images, application packages and user files across
your network to support later deployment and migration activities.
Where to Start: Azure AD, Peer Cache, Branch Cache, C2R Binary Delta Compression,
EXO archive + OST limit
Where to Go Next: Delivery Optimization

3. Office and Line of Business App Delivery carries on from readiness planning and is the
process of collecting app packages, packaging applications, making necessary changes
to intranet or web-based apps to support modern browsers and determining how apps
will be delivered to users’ devices. Common delivery options include installation as part
of an installation sequence, preinstalling in captured images, installation via Business
Store or user self-installation from a Company Portal in Intune or Software Center in
System Center Configuration Manager (ConfigMgr).
Where to Start: Click-to-Run, MSI for LOB apps
Where to go next: MSIX/Desktop Bridge, Store

4. User Files and Settings Migration is necessary in PC replacement scenarios and can be
accomplished by implementing services like file sync in OneDrive for Business in advance
of PC replacement, by using the User State Migration Tool as part of the ConfigMgr or MDT
installation sequence at deploy time, or by using custom solutions to copy files from the
source PCs, typically to a network share, and then back on to the new PCs. This step is
often a timing bottleneck for PC replacement, because sometimes hundreds of GB per PC have
to be transferred in each direction. Cloud file sync with OneDrive for Business and Files
On-Demand can help limit the number of files that must be delivered back to the new PC.
Where to Start: User State Migration Tool (USMT), 3rd party, scripting, manual
Where to go Next: OneDrive Known Folder Move

5. Security & Compliance is the targeting of which new capabilities are implemented as
well as how to prepare for existing security and compliance tools. A common
consideration is how to deal with third-party disk encryption for in-place PC refresh or
upgrade scenarios; these products can be challenging to disable in Windows 7 and re-
enable in Windows 10. Further considerations include anti-malware strategies and which
new capabilities to implement in Windows 10.

New capabilities in Windows 10 virtualization-based security (for example Credential
Guard) can prevent credential theft and protect against browser-based exploits and
malicious code execution by isolating core processes and secrets from the operating
system. Office 365 Advanced Threat Protection (ATP) protects against some of the most
common threat vectors: malicious email attachments in Outlook (Safe Attachments) and
unsafe hyperlinks across Office apps (Safe Links). Windows Defender ATP is a unified
platform for preventative protection, post-breach detection, automated investigation and
response. Additionally, security and compliance policies should be defined as Group
Policy, or as device policy when devices are managed via Microsoft Intune or another
mobile device management service.

Where to Start: MFA, GPO, BitLocker, Defender AV
Where to Go Next: Conditional Access, WD ATP, O365 ATP, Intune MDM policy, S Mode, Password-less

6. OS Deployment and Feature Updates. The deployment and servicing functions here
are combined because Feature Updates use a process similar to in-place upgrades and
follow similar hardware and app validation processes. Prior to carrying out OS
Deployment, it’s important to plan how you phase the roll-out. The recommended
approach is to use deployment rings, where a representative set of hardware and apps is
targeted to early adopters in your organization. You can use Windows Analytics to target
PCs least likely to experience hardware or software issues and note which devices and
applications pass or fail post install. There are three primary deployment types when
moving to a new operating system:

 PC refresh – this is an upgrade to an existing computer that will remain with the
same user. It is accomplished via in-place upgrade or wipe-and-reload. With either
option the user state can remain on the local disk, and with an in-place upgrade the
installed apps are kept as well. You can customize a PC refresh with an automated
task sequence that updates application versions or removes unwanted files and apps.

 PC replacement – this is when a user’s existing PC is replaced with a new or
different PC. In most cases this involves copying user files and settings from the
existing PC to the new PC, typically by storing them temporarily on a network share
and restoring them to the new PC. OneDrive for Business can also be used with known
folders to sync files from the source PC to OneDrive; users then select which files
sync back to the new PC.

 New PC – this is when a user is given a new PC without the expectation of moving
files from another PC. This scenario is used for new users, for cases where
important files are stored outside the local hard drive (such as desktop or app
virtualization), or when users are tasked with backing up and restoring their own
data.

You may already be using tools and processes such as ConfigMgr or the Microsoft
Deployment Toolkit to deploy Windows or Office for these three deployment types. For
new PC scenarios, the Windows Autopilot deployment service additionally lets you work
with select OEMs to register devices before they ship, so that the PC is customized as
part of the out-of-box setup when the user connects to the Internet and signs in. The
process can continue by using Microsoft Intune to install apps, such as Office 365
ProPlus, and to apply policies over the web to make the device business-ready.

Where to Start: ConfigMgr CB, MDT
Where to Go Next: Autopilot w/Intune

7. User Communication and Training is critical to driving usage of new capabilities for
enhancing teamwork, communications and productivity. Before broad deployment is
targeted to users outside early adopter rings, User Communication and Training should
be planned to drive desired changes in how people use new capabilities in Office,
Windows or other line of business apps and services. If you’re deploying Office 365
ProPlus for the first time, this is when you can communicate the benefits of signing in to
Office apps and saving files to OneDrive or SharePoint locations to enable easier sharing,
reduce file branching and enable real-time co-authoring. Detailed training templates for
these and other local or browser-based apps, like Teams and Planner or in-app
capabilities like attaching to OneDrive in Outlook or PowerPoint Morph and Designer are
available. Windows 10 user capabilities like Windows Hello to sign in securely with
biometrics, Start Menu updates to personalize your Windows experience, Timeline to
easily get back to what you were working on, Focus Assist to help minimize distractions,
Nearby Sharing, Virtual Desktops, Cortana and more are great differentiators to inform
users about and prepare them to take advantage of. You can use Microsoft FastTrack services
and resources like the Productivity Library to help drive usage of new capabilities.
Additionally, the reporting and analytics are available via the Microsoft 365 and Office
365 admin portals as well as built-in and integrated Power BI usage dashboards. With
Windows 10 and Office 365 ProPlus, we made the shift to delivering both experiences as
a service, which introduces new ways for how we build, deploy and service Windows and
Office.

Where to Start: FastTrack service + Productivity library

8. Windows and Office as a Service. Two concepts are core to Windows and Office as a
service. The first is semi-annual Feature Updates, which deliver new capabilities in
the Fall and Spring. The second is monthly cumulative Quality Updates, which contain
security, reliability and bug fixes. Office 365 ProPlus also offers a Monthly Channel
with fully supported feature updates. Each semi-annual Feature Update release is
serviced for 18 months from its initial release date, so you have the option of
skipping a semi-annual update while continuing to receive monthly Quality Updates. To
help ensure that all of your devices are being kept up to date, Update Compliance has
been added to Windows Analytics. For any Feature Update release there are usually three
phases to consider from the IT point of view: evaluation, piloting and broad production
deployment. The process is a scaled-down version of the desktop deployment process
described here, so the same skills and tools keep your desktops current with the latest
capabilities.

Where to Start: ConfigMgr CB TS + Phased Deployment
Where to go next: Intune, WUfB

Hopefully this gives you a better idea of how to plan your path to a modern desktop. While
there may be some up front learning to take advantage of new resources and updated
approaches, the value of making the shift should outweigh the initial investment. Microsoft’s
comprehensive guidance should also help you to move to Windows 10, Office, and take
advantage of modern management with Enterprise Mobility + Security, more efficiently.

1.1 Lab Overview

This guide provides step-by-step guidance for demonstrating a wide range of desktop
deployment and management fundamentals. The Prerequisites (Section 2) and Lab Setup
(Section 3) sections must be completed before proceeding with the lab activities.

 Lab Setup
o On-Premises Environment
o Cloud Environment
o On-Premises Environment Post Setup Manual Steps
 Servicing
o Windows Analytics Update Compliance
o Servicing Windows 10 with Configuration Manager
o Servicing Office 365 ProPlus with Configuration Manager
o Known Folder Migration
 Deployment & Management
o Modern Device Deployment
o Modern Device Management
o Office 365 ProPlus Deployment
o BIOS to UEFI Conversion
o Modern Application Management
o Enterprise State Roaming
o Remote Access (VPN)
 Security
o Credential Guard
o BitLocker
o Windows Defender Advanced Threat Protection
o Windows Defender Antivirus
o Windows Hello for Business
o Windows Defender Exploit Guard
o Windows Information Protection
o Windows Defender Application Control
o Windows Defender Application Guard
 Compatibility
o Windows Analytics Upgrade Readiness
o Desktop Bridges
o Browser Compatibility
o Windows App Certification Kit
 Appendix
o Upgrading to Configuration Manager Current Branch
o Configuring Windows Analytics
o Wipe and Load
o Application Virtualization
o Troubleshooting the SCCM Client Install
2 Prerequisites
The following requirements for each environment are needed to support the labs.

2.1 On-Premises Environment

Listed below are the requirements for the on-premises environment:

☐ The customer will provide a total of five (5) client devices:
   Three (3) devices with a new or corporate image–based installation of Windows 7
  Release to Manufacturing (RTM) or later, running a sample of customer applications.
  If possible, include at least one touch device. These devices will be used for the
  labs on Windows 10 in-place upgrade and BIOS to UEFI conversion.
   Two (2) devices of the same architecture (32-bit or 64-bit) that can be formatted
  or do not have a corporate image installed, and that meet the Windows 10 hardware
  requirements. These devices will be used for the labs on Wipe and Load and
  Credential Guard.
☐ One (1) physical server or workstation to host the virtual lab environment, with:
   Operating System: Windows Server 2016, Windows Server 2012 R2, or Windows 10 with
  Hyper-V installed (a Windows Server OS is recommended), fully updated, with
  administrative rights on the host.
   Memory: at least 32 GB.
   Disk space: at least 300 GB free.
   Disk subsystem: high throughput (SSD or fast spindle-based disks).
   Ethernet: two (2) or more gigabit NICs.
   Network connections: Internet connection and lab switch.
   Applications: Microsoft Azure PowerShell modules installed
  (https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.0.0).
☐ One (1) gigabit network lab switch with sufficient ports to connect the client devices
  and the lab environment.
☐ Download the Windows 10 Enterprise dev environment for Hyper-V:
  https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
☐ Download the latest Windows 10 from MSDN or VLSC that matches the architecture of the
  image currently installed on the client devices.
☐ Download the latest Windows 10 Assessment and Deployment Kit:
  https://go.microsoft.com/fwlink/?linkid=873065
☐ [OPTIONAL] Provide the source of any security guidance that is being used, with its
  HTML reports and GPO backups.
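As an added example (not part of the lab kit or of this guide), the PowerShell script below checks a candidate host against the checklist above before you spend three hours provisioning it. Run it from an elevated PowerShell session on the host. The thresholds are the ones listed above; the drive it measures (the Hyper-V default VHD path, falling back to the system drive), the use of portal.azure.com as the Internet probe, and accepting the newer Az module in place of the AzureRM module named in the guide are assumptions.

```powershell
# Added example, not part of the lab guide: checks a candidate Hyper-V host
# against the on-premises requirements above. Run from an elevated session.

function Test-LabHost {
    [CmdletBinding()]
    param(
        [int]$MinMemoryGB = 32,
        [int]$MinFreeGB   = 300,
        [int]$MinGbNics   = 2
    )

    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param([string]$Check, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Operating system: Server 2016, Server 2012 R2 or Windows 10.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    & $add 'Operating system' ($os.Caption -match 'Server 2016|Server 2012 R2|Windows 10') $os.Caption

    # Administrative rights on the host.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    & $add 'Administrator' $isAdmin $id.Name

    # Hyper-V: the Virtual Machine Management service exists only when the role is installed.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    & $add 'Hyper-V installed' ($null -ne $vmms) $(if ($vmms) { "vmms is $($vmms.Status)" } else { 'vmms service not found' })

    # Memory (TotalVisibleMemorySize is reported in KB, so /1MB yields GB).
    $memGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    & $add "Memory >= $MinMemoryGB GB" ($memGB -ge $MinMemoryGB) "$memGB GB"

    # Free space on the volume that will hold the VMs: the Hyper-V default VHD
    # path when it can be read, otherwise the system drive (assumption).
    $vhdPath = $env:SystemDrive
    if ($vmms) { try { $vhdPath = (Get-VMHost -ErrorAction Stop).VirtualHardDiskPath } catch {} }
    $drive  = Split-Path -Path $vhdPath -Qualifier
    $disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    & $add "Free disk >= $MinFreeGB GB on $drive" ($freeGB -ge $MinFreeGB) "$freeGB GB free"

    # Disk subsystem: report the media type so the reader can judge throughput.
    $media = (Get-PhysicalDisk | ForEach-Object { "$($_.FriendlyName) [$($_.MediaType)]" }) -join '; '
    & $add 'Disk media (informational)' $true $media

    # Two or more physical NICs that are up at gigabit or better.
    $gbNics = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.ReceiveLinkSpeed -ge 1e9 })
    & $add "Gigabit NICs >= $MinGbNics" ($gbNics.Count -ge $MinGbNics) (($gbNics.Name) -join ', ')

    # Internet reachability, probed against a portal the lab signs in to later (assumption).
    $inet = Test-NetConnection -ComputerName portal.azure.com -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    & $add 'Internet (portal.azure.com:443)' $inet ''

    # Azure PowerShell: the guide names AzureRM; the newer Az module is accepted too (assumption).
    $azMods = Get-Module -ListAvailable -Name AzureRM, Az.Accounts
    & $add 'Azure PowerShell module' ($null -ne $azMods) (($azMods | ForEach-Object { "$($_.Name) $($_.Version)" } | Select-Object -Unique) -join ', ')

    return $results
}

# Usage: print the table and warn if any check did not pass.
$report = Test-LabHost
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'Host does not meet all lab prerequisites.' }
```

The disk-media row never fails on its own: the checklist only asks for a "high throughput" subsystem, so the script reports what it finds and leaves the judgement to you.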

2.2 Cloud Environment

Listed below are the requirements for the cloud environment:

☐ Provide licensed subscriptions, or sign up for a trial subscription, for the following
  Microsoft cloud services. A trial subscription is used only if the customer has no
  existing subscription to the service.
   Microsoft Azure: https://azure.microsoft.com/en-us/free/
   Enterprise Mobility + Security:
    http://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial
    (configured as part of the Lab Setup)
   Windows Defender Advanced Threat Protection:
    http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
    (configured as part of the Lab Setup)
   Operations Management Suite:
    http://www.microsoft.com/en-us/cloud-platform/operations-management-suite-trial
   Office 365 Enterprise E5: https://aka.ms/e5trial (configured as part of the Lab Setup)

Note: All trial tenants have an evaluation period. These subscriptions/tenants will expire
unless they are extended or the customer purchases the service.
Note: An existing trial subscription can be used if the engagement dates fall within its
evaluation period.
Note: An appropriate MSDN subscription can be used to activate the Azure benefit for 30 days.
3 Lab Setup

3.1 On-Premises Environment

The on-premises environment is configured by using the Microsoft 365 Powered Device Lab Kit,
which is available for download from Microsoft. Setting up the lab takes approximately
3 hours on server-grade hardware with fast spindle-based disks or SSDs.

Follow the Microsoft 365 Powered Device Lab Kit – Setup Guide to provision the virtual
machines on Hyper-V.

When setup is complete, the following virtual machines are configured and the deployment lab
system is available for use.

Server Name    Roles
HYD-DC1        Active Directory Domain Controller; DNS; DHCP; Certificate Services
HYD-MDT1       Microsoft Deployment Toolkit; Windows 10 1803 ADK; Windows Deployment Services
HYD-CM1        System Center Configuration Manager 1802; Windows Deployment Services;
               Microsoft Deployment Toolkit; Windows 10 1803 ADK;
               Windows Server Update Services; Microsoft SQL Server 2014
HYD-APP1       Microsoft BitLocker Administration and Monitoring; Microsoft SQL Server 2014
HYD-GW1        Remote Access for Internet Connectivity
HYD-VPN1       Remote Access for VPN
HYD-INET1      Simulated Internet
HYD-CLIENT1    Windows 10 1803, domain joined
HYD-CLIENT2    Windows 10 1803, domain joined; Office 365 ProPlus
HYD-CLIENT3    Windows 10 1803, workgroup
HYD-CLIENT4    Bare-metal client (no installs)
HYD-CLIENT5    Bare-metal client (no installs)
HYD-CLIENT6    Windows 7, domain joined
HYD-CLIENT7    Office Insider 365 build 10828.2000

The table below lists the credentials and access type available in the default implementation.

User                    Access Type               User Name        Password
Local Administrator     Administrative            Administrator    P@ssw0rd
Domain Administrator    Enterprise Administrator  CORP\LabAdmin    P@ssw0rd

Note: These are the well-known defaults published with the lab kit. Keep the lab on its
isolated switch, and change both passwords before any lab VM is reachable from another
network.

3.2 Cloud Environment


Certain lab scenarios require the cloud environment. Follow the steps below to configure and
prepare the required cloud services.

3.2.1 Setup Azure and Office 365

In this section, you will create an Azure AD tenant and an Office 365 trial tenant used by
the later lab environment.

Complete these steps from an internet-connected Windows computer.

Create Azure AD
1. Open an InPrivate browser session.
2. Navigate to https://portal.azure.com.
3. Sign in with the email address associated with your Azure subscription.
4. On the left navigation bar, click Create a resource > Identity > Azure Active Directory.
5. In the Create directory pane, fill in the following values:
   ORGANIZATION NAME: <CompanyName>
   INITIAL DOMAIN NAME: <AzureDomainName>
   COUNTRY OR REGION: choose a region
6. Click Create.
   Note: This may take a couple of minutes to complete.

Create Azure AD Admin User
7. Sign out from the Azure portal and sign back in again.
8. Click your email address in the upper right corner, click Switch Directory and select
   <AzureDomainName>.onmicrosoft.com.
9. On the left navigation bar, click Azure Active Directory.
10. Under Create, click User.
11. In the User pane, fill in the following values:
    NAME: <Admin Name>
    USER NAME: <LabAdmin> (suggestion: LabAdmin@<AzureDomainName>.onmicrosoft.com)
12. Select Show Password and write down the temporary password <OldLabAdminPassword>.
13. Click Directory role, select Global administrator, then click Ok.
14. Click Create.

Resetting the Password
15. Log out from the Azure portal.
16. Log in to the Azure portal using the LabAdmin account.
17. Type in the <OldLabAdminPassword> that you wrote down.
18. Type the new password: <NewLabAdminPassword>.
    Note: Use a strong password; this account is a Global Administrator of the tenant.
19. Confirm the new password and sign in.

Create a Trial Office 365 Tenant
20. Close all browser windows.
21. Start a new InPrivate Internet Explorer session.
22. Navigate to https://aka.ms/e5trial.
23. Click Sign in in the top right corner.
24. Sign in using the LabAdmin account.
25. Click Admin in the top left corner.
26. Click Billing | Subscriptions and click + Add subscriptions.
27. Select Office 365 Enterprise E5 without Audio Conferencing and click Start free trial.
28. Follow the usual procedure and click Place order.
    Note: You might have to perform Steps 26-28 twice before the subscription shows Active
    under Billing | Subscriptions.

Create Azure Test Users
29. Navigate to https://portal.azure.com.
30. Sign in with the email address associated with your Azure subscription, if required.
31. On the left navigation bar, click Azure Active Directory.
32. On the right side of the page, click the User link under Create.
33. In the User pane, fill in the following values:
    NAME: Test User1
    USER NAME: TU1@<AzureDomainName>.onmicrosoft.com
34. Select Show Password and write down the temporary password.
35. Click Create.
36. Repeat Steps 29-35 for a second user as follows:
    NAME: Test User2
    USER NAME: TU2@<AzureDomainName>.onmicrosoft.com

Set Password for your New Users using Office 365
37. Close all browser windows.
38. Start Internet Explorer in InPrivate mode.
39. Navigate to https://login.microsoftonline.com.
40. Log in with the user account created: TU1@<AzureDomainName>.onmicrosoft.com
41. Type in the temporary password that you wrote down.
42. Type the new password: <newuserpassword>
43. Confirm the new password: <newuserpassword>
44. Click Sign in.
45. Repeat Steps 37-44 for TU2@<AzureDomainName>.onmicrosoft.com.
46. Close all browser windows.
3.2.2 Setup Enterprise Mobility + Security
In this section, you will create an Intune trial tenant that will be used later in the lab.
The tenant is created in the Azure AD that you created in the previous section.

Complete these steps from an internet-connected Windows computer.

Sign Up for a Trial Microsoft Intune Subscription
1. Start a new Internet Explorer window in InPrivate mode.
2. Navigate to https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-trial,
   click Sign-up for your free trial and then click Sign in.
3. Sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. Click Try now to confirm your order.
5. Click Continue.
6. On the left navigation bar, click Billing > Subscriptions and verify that the
   Enterprise Mobility + Security E5 Trial is Active.

3.2.3 Enable and Configure Cloud Services

In this section, you will assign licenses and configure additional cloud services that will
be used in the lab environment.

Complete these steps from an internet-connected Windows computer.

Assign Office 365 and EM+S Licenses
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.office.com and sign in with
   labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Users > Active users.
5. Select Admin Name, Test User1 and Test User2, then click the Edit product licenses action.
6. Select Add to existing product license assignments, then click Next.
7. Select the appropriate Location and then set the slider to On for Enterprise Mobility +
   Security E5 and Office 365 Enterprise E5 without Audio Conferencing, then click Add.
8. Click Close | Close.
   Note: Ensure that all three users have both product licenses assigned.
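The user creation in 3.2.1 and the license assignment above can also be scripted. The following is an added example (not part of the lab guide or the lab kit) using the AzureAD PowerShell module: it creates LabAdmin, TU1 and TU2 with temporary passwords that must be changed at first sign-in, makes LabAdmin a Global Administrator, and assigns Enterprise Mobility + Security E5 and Office 365 E5 without Audio Conferencing to all three. It assumes the AzureAD module is installed (Install-Module AzureAD), that you connect as the account that owns the subscription, a usage location of US, and that the SkuPartNumber values EMSPREMIUM and ENTERPRISEPREMIUM_NOPSTNCONF match the trial SKUs in your tenant; <AzureDomainName> and <Admin Name> are the guide's own placeholders.

```powershell
# Added example, not part of the lab guide: scripts the portal steps in
# 3.2.1 and 3.2.3 with the AzureAD module. SKU names and usage location
# are assumptions; check them with Get-AzureADSubscribedSku.

Import-Module AzureAD
Connect-AzureAD | Out-Null

$tenant   = '<AzureDomainName>.onmicrosoft.com'
$location = 'US'   # usage location is required before a license can be assigned (assumption)

# Generate a temporary password instead of typing one; the trailing characters
# guarantee the character classes Azure AD requires.
function New-TempPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) + 'aA1!')
}

function New-LabUser {
    param([string]$DisplayName, [string]$Upn)
    $pw = New-TempPassword
    $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $profile.Password = $pw
    $profile.ForceChangePasswordNextLogin = $true   # same effect as the portal's temporary password
    $user = New-AzureADUser -DisplayName $DisplayName -UserPrincipalName $Upn `
        -MailNickName $Upn.Split('@')[0] -AccountEnabled $true `
        -PasswordProfile $profile -UsageLocation $location
    [pscustomobject]@{ Upn = $Upn; ObjectId = $user.ObjectId; TempPassword = $pw }
}

$labAdmin  = New-LabUser -DisplayName '<Admin Name>' -Upn "LabAdmin@$tenant"
$testUsers = @(
    New-LabUser -DisplayName 'Test User1' -Upn "TU1@$tenant"
    New-LabUser -DisplayName 'Test User2' -Upn "TU2@$tenant"
)

# Global Administrator: older AzureAD module builds list the role as
# "Company Administrator"; enable it from its template if it is not active yet.
$roleNames = 'Global Administrator', 'Company Administrator'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roleNames }
if (-not $role) {
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $roleNames }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $labAdmin.ObjectId

# Licenses: EMS E5 and Office 365 E5 without Audio Conferencing (SKU part numbers are an assumption).
$skuNames = 'EMSPREMIUM', 'ENTERPRISEPREMIUM_NOPSTNCONF'
$skus = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -in $skuNames }
if (@($skus).Count -ne $skuNames.Count) {
    throw "Expected SKUs $($skuNames -join ', ') but found: $(@($skus).SkuPartNumber -join ', ')"
}

$licList = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AssignedLicense]'
foreach ($sku in $skus) {
    $lic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $lic.SkuId = $sku.SkuId
    $licList.Add($lic)
}
$assign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$assign.AddLicenses = $licList

foreach ($u in @($labAdmin) + $testUsers) {
    Set-AzureADUserLicense -ObjectId $u.ObjectId -AssignedLicenses $assign
    # Verify, as step 8 asks, that every user ended up with both licenses.
    $have    = (Get-AzureADUserLicenseDetail -ObjectId $u.ObjectId).SkuPartNumber
    $missing = $skuNames | Where-Object { $_ -notin $have }
    if ($missing) { Write-Warning "$($u.Upn) is missing: $($missing -join ', ')" }
}

# Temporary passwords are shown once; each user sets a new one at first sign-in.
@($labAdmin) + $testUsers | Format-Table Upn, TempPassword -AutoSize
```

Because the accounts are created with ForceChangePasswordNextLogin, the first-sign-in password resets of steps 15-19 and 37-46 happen automatically; the temporary passwords printed at the end should be handed over out of band and are not reusable afterwards.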
Enable Device Registration
9. Open an InPrivate browser session.
10. Navigate to https://portal.azure.com.
11. Sign in with the email address associated with your Azure subscription.
12. Click your email address in the upper right corner, click Switch Directory and select
    <AzureDomainName>.onmicrosoft.com.
13. On the left navigation bar, click Azure Active Directory > Devices > Device Settings.
14. In the Users may join devices to Azure AD setting, select All if not already selected.
15. In Additional administrators on Azure AD joined devices, select Selected, then click
    No member selected.
16. Click Add members, select LabAdmin, then click Select. Click OK.
17. In the Users may register their devices with Azure AD setting, select All.
18. Click Save.
    Note: Allowing all users to join and register devices is a lab convenience. In a
    production tenant, scope both settings to a selected group, and keep the list of
    additional administrators short: every account in it becomes a local administrator
    on every Azure AD joined device.

Enable Windows Defender ATP Trial
Note: A trial application should have been submitted before proceeding with these steps:
https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
19. Open an InPrivate browser session.
20. Navigate to https://www.microsoft.com/en-us/windowsforbusiness/windows-atp and click
    START FREE TRIAL.
21. Check the box next to I accept these terms and conditions and click Next.
22. On the Please enter your details below page, enter your details and click Submit.
23. You will get a message stating that the Windows Defender Advanced Threat Protection
    team will review your application and contact you via email within 7 business days.
    Once your application is approved, you will receive an invitation email with
    onboarding instructions.
24. Within 7 business days, you will receive an email to activate your trial with all the
    onboarding instructions. Click Activate your trial now and download the setup guide.
    The setup guide also contains instructions and links for the attack demo.
25. During activation, click Sign in.
26. Sign in with LabAdmin@<AzureDomainName>.onmicrosoft.com.
27. Click Try now.
28. Click Continue.

3.3 On-Premises Environment Post Setup Manual Steps


Perform once the on-premises environment provisioning is complete.

3.3.1 Servicing Configuration Manager


System Center Configuration Manager uses an in-console service method called Updates and
Servicing that makes it easy to locate and then install recommended updates for your
Configuration Manager infrastructure. This in-console servicing method is supplemented by out-
of-band updates such as hotfixes that are intended for customers who need to resolve issues
that might be specific to their environment. These in-console updates replace traditional update
delivery methods.

In this section, you will learn how to use the Configuration Manager console to locate and install
updates that provide fixes and new capabilities to your Configuration Manager infrastructure
and clients.

Note: This lab can only be performed if the System Center Configuration Manager environment
is on Current Branch.
3.3.1.1 Configure as Online Mode

In this activity, you will locate and install Configuration Manager updates from the internet
connected site server. Follow this activity if your environment has internet connection (if not,
move to the next activity 3.3.1.2).

Complete these steps on the CM1 virtual machine.

Enable Service Connection Point (if not already installed)
1. Open the Configuration Manager console from the Start menu.
2. In the Warning dialog box, click OK if it appears.
3. Browse to Administration > Site Configuration > Servers and Site System Roles.
4. Right-click \\CM1.corp.contoso.com and select Add Site System Roles.
5. On the General page, click Next.
6. On the Proxy page, click Next.
7. On the System Role Selection page, select Service connection point and click Next.
8. On the Service Connection Mode page, select Online, persistent connection
   (recommended), then click Next.
9. On the Summary page, click Next.
10. On the Completion page, click Close.

Install New Updates (if available)
Note: Perform the following steps only if a Configuration Manager build newer than 1802 is
available. Otherwise, proceed to section 3.3.2.
Note: If the update installation stays in the Downloading state for an extended period of
time, restart the SMS_EXECUTIVE (smsexec) service.
11. In the Configuration Manager console, browse to Administration > Updates and Servicing.
    Note: The update is downloaded first and only then shown as Available.
12. In the Updates and Servicing pane, select an Available update (Configuration
    Manager 180x) and then click Install Update Pack.
13. On the General page, click Next.
14. On the Features page, select all available features, then click Next.
15. On the Client Update Options page, click Next.
16. On the License Terms page, select I accept these License Terms and Privacy Statement
    and click Next.
17. On the Summary page, click Next.
18. On the Completion page, click Close.
    Note: The 180x upgrade installation may take up to an hour.
19. In the Updates and Servicing pane, confirm that the update (Configuration
    Manager 180x) shows Installed.

Upgrade the Configuration Manager Console and Validate the Version Number
20. In the Configuration Manager console, browse to Administration > Site Configuration
    > Sites.
21. Right-click CHQ – Contoso Headquarters and select Properties.
22. In the Warning window, click OK to upgrade the Configuration Manager console.
    Note: At this stage the console closes; the console update is downloaded and
    installed, and the console reopens.
23. After the upgrade, in the Configuration Manager console, browse to Administration >
    Site Configuration > Sites.
24. Right-click CHQ – Contoso Headquarters and select Properties.
25. Validate that the Version or Build Number was updated (to Configuration Manager 180x).
26. Reboot CM1 once.
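The same online-mode procedure, as an added example that is not part of the lab guide or the lab kit, scripted with the Configuration Manager PowerShell module on CM1: it adds the service connection point if the site has none, picks the newest update pack above the installed build, installs it and polls the site version. Assumptions: the console is installed on CM1 so SMS_ADMIN_UI_PATH is set; the site code is CHQ, the site server is CM1.corp.contoso.com and the installed build is 1802, as in the lab; the installation directory is read from the HKLM\SOFTWARE\Microsoft\SMS\Identification key to locate dmpdownloader.log; and the cmdlet names and parameters (Get-CMSiteRole, Add-CMServiceConnectionPoint, Get-CMSiteUpdate, Install-CMSiteUpdate, Get-CMSite) are those of the module as I know them and were not re-verified against build 1802.

```powershell
# Added example, not part of the lab guide: online-mode servicing from
# PowerShell on CM1. Site code, server name, installed build and the registry
# key used to find the log directory are assumptions taken from the lab.

$SiteCode       = 'CHQ'
$Server         = 'CM1.corp.contoso.com'
$InstalledBuild = 1802

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Add the service connection point only if the site does not have one yet.
# "SMS Dmp Connector" is the internal role name of the service connection point.
$scp = Get-CMSiteRole -SiteCode $SiteCode -SiteSystemServerName $Server |
       Where-Object { $_.RoleName -eq 'SMS Dmp Connector' }
if (-not $scp) {
    Add-CMServiceConnectionPoint -SiteCode $SiteCode -SiteSystemServerName $Server -Mode Online | Out-Null
    Write-Host "Service connection point added on $Server (online, persistent)."
}

function Get-NextSiteUpdate {
    # Newest "Configuration Manager NNNN" pack with a build number above the installed one.
    param([int]$Installed)
    Get-CMSiteUpdate |
        Where-Object { $_.Name -match 'Configuration Manager (\d{4})' -and [int]$Matches[1] -gt $Installed } |
        Sort-Object Name -Descending |
        Select-Object -First 1
}

function Show-DownloaderLog {
    # A pack is listed only after the connection point has downloaded it; the
    # download log shows whether that is still in progress or stuck.
    $installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
    Get-Content -Path (Join-Path $installDir 'Logs\dmpdownloader.log') -Tail 20
}

$update = Get-NextSiteUpdate -Installed $InstalledBuild
if (-not $update) {
    Write-Host "No update pack newer than $InstalledBuild is available yet."
    Show-DownloaderLog
    # If the log shows no progress for a long time, apply the guide's remedy
    # and run this script again:  Restart-Service -Name SMS_EXECUTIVE
    return
}

$before = (Get-CMSite -SiteCode $SiteCode).Version
Write-Host "Installing $($update.Name) (site version before: $before) ..."
try {
    Install-CMSiteUpdate -Name $update.Name -Force -IgnorePrerequisiteWarning
} catch {
    Write-Warning "Install-CMSiteUpdate failed: $($_.Exception.Message)"
    Show-DownloaderLog
    return
}

# The guide allows up to an hour; poll the site version until it changes.
$deadline = (Get-Date).AddMinutes(90)
do {
    Start-Sleep -Seconds 300
    $now = (Get-CMSite -SiteCode $SiteCode).Version
} until ($now -ne $before -or (Get-Date) -gt $deadline)

Get-CMSite -SiteCode $SiteCode | Select-Object SiteCode, SiteName, Version, BuildNumber
if ($now -eq $before) {
    Write-Warning 'Site version unchanged; check Monitoring > Updates and Servicing Status in the console.'
}
```

Once the site version changes, the console still has to be upgraded and CM1 rebooted (steps 20-26 above): opening Site Properties triggers the console upgrade prompt. The -IgnorePrerequisiteWarning switch only skips warnings, not failed prerequisite checks; outside a lab, review the prerequisite results before forcing the install.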

3.3.1.2 Configure as Offline Mode (OPTIONAL)

In this activity, you will locate and install Configuration Manager updates from another
computer that has an internet connection. Follow this section if your environment has no
internet connection.

Complete these steps on the CM1 virtual machine.

Enable Service Connection Point (if not already installed)
1. Open the Configuration Manager console from the Start menu.
2. In the Warning dialog box, click OK if it appears.
3. Browse to Administration > Site Configuration > Servers and Site System Roles.
4. Right-click \\CM1.corp.contoso.com and select Add Site System Roles.
5. On the General page, click Next.
6. On the Proxy page, click Next.
7. On the System Role Selection page, select Service connection point and click Next.
8. On the Service Connection Mode page, select Offline, on-demand connection, then click
   Next.
9. On the Summary page, click Next.
10. On the Completion page, click Close.

Prepare Usage Data
11. Download and extract the EXE from
    https://www.microsoft.com/en-in/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection
    and copy the folder ServiceConnectionTool from SMSSETUP\Tools to C:\.
    Note: The same tool is also present on the site server under
    <Configuration Manager installation directory>\cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool.
12. From the Start button, open an administrative Command Prompt and enter
    cd /d C:\ServiceConnectionTool
13. Execute the following command:
    serviceconnectiontool.exe -prepare -usagedatadest .\UsageData.cab

Upload Usage Data and Download Updates from an Internet-Connected Remote Computer
14. Copy the folder C:\ServiceConnectionTool from CM1 to the root drive of the computer
    that has an internet connection.
15. On the computer that has an internet connection, open an administrative Command Prompt
    and change to the copied ServiceConnectionTool folder.
16. Execute the following command:
    md .\UpdatePacks
17. Execute the following command (note that -updatepackdest is a parameter and needs its
    leading hyphen):
    serviceconnectiontool.exe -connect -usagedatasrc .\UsageData.cab -updatepackdest .\UpdatePacks

Import Updates
18. From the computer that has an internet connection, copy the UpdatePacks folder to CM1
    into the folder C:\ServiceConnectionTool.
19. From the Start button, open an administrative Command Prompt and enter
    cd /d C:\ServiceConnectionTool
20. Execute the following command:
    serviceconnectiontool.exe -import -updatepacksrc .\UpdatePacks

Force Refresh
21. In the Configuration Manager console, browse to Monitoring > System Status >
    Component Status.
22. In the ribbon, select Start > Configuration Manager Service Manager.
23. In the Configuration Manager Service Manager window, expand CHQ > Components >
    SMS_EXECUTIVE.
24. In the right pane, right-click SMS_EXECUTIVE and select Stop.
25. Right-click SMS_EXECUTIVE and select Query.
26. Once the Status of SMS_EXECUTIVE changes to Stopped, right-click SMS_EXECUTIVE and
    select Start.

Install New Updates (if available)
Note: Perform the following steps only if a Configuration Manager build newer than 1802 is
available. Otherwise, proceed to section 3.3.2.
27. In the Configuration Manager console, browse to Administration > Updates and Servicing.
28. In the Updates and Servicing pane, select the Configuration Manager 180x update and
    then click Install Update Pack.
29. On the General page, click Next.
30. On the Features page, select all available features, then click Next.
31. On the Client Update Options page, click Next.
32. On the License Terms page, select I accept these License Terms and Privacy Statement
    and click Next.
33. On the Summary page, click Next.
34. On the Completion page, click Close.
35. Install all Available updates, if any.
    Note: The 180x upgrade installation may take up to an hour.
36. In the Updates and Servicing pane, confirm that the update (Configuration
    Manager 180x) shows Installed.

Upgrade the Configuration Manager Console and Validate the Version Number
37. In the Configuration Manager console, browse to Administration > Site Configuration
    > Sites.
38. Right-click CHQ – Contoso Headquarters and select Properties.
39. In the Warning window, click OK to upgrade the Configuration Manager console.
    Note: At this stage the console closes; the console update is downloaded and
    installed, and the console reopens.
40. In the Configuration Manager console, browse to Administration > Site Configuration
    > Sites.
41. Right-click CHQ – Contoso Headquarters and select Properties.
42. Validate that the Version or Build Number was updated (to Configuration Manager 180x).
43. Reboot CM1 once.

3.3.2 Prepare Configuration Manager (if not already configured)

Task Detailed Steps


Complete these steps on the CM1 virtual machine.

Task: Configure and Validate Discovery Methods
1. Open the Configuration Manager Console from the Start Menu.
2. Navigate to Administration > Hierarchy Configuration > Discovery Methods.
3. Right-click Active Directory Forest Discovery and click Properties.
4. Check the box next to Automatically create Active Directory site boundaries when they are discovered and uncheck the box next to Automatically create IP address range boundaries for IP subnets when they are discovered.
5. Click Apply and then click OK.
6. Click on Active Directory Forest Discovery and select Run Forest Discovery Now from the ribbon bar.
7. Click Yes on the dialog box.
8. Right-click Active Directory Group Discovery and click Properties.
9. Double-click the discovery scope already present.
10. Select the option Specify an account and click Set… > New Account.
11. Enter the User name: CORP\LabAdmin, Password: P@ssw0rd and Confirm password: P@ssw0rd, click Verify and test the connection to the Active Directory Data source Path: LDAP://DC=corp,DC=contoso,DC=com, click OK on the prompt once successful. Click OK. Click OK again.
12. Click the Options tab and select the check boxes next to Only discover computers that have logged on to a domain in a given period of time, Only discover computers that have updated their computer account password in a given period of time and Discover the membership of distribution groups.
13. Click Apply and then click OK.
14. Click on Active Directory Group Discovery and select Run Full Discovery Now from the ribbon bar.
15. Click Yes on the dialog box.
16. Right-click Active Directory System Discovery and click Properties.
17. Double-click the Active Directory container already present.
18. Check the box next to Discover objects within Active Directory groups.
19. Select the option Specify an account, click Set… > Existing Account.
20. In the Select Account window, select corp\labadmin then click OK twice.
21. Click Apply and then click OK.
22. Click on Active Directory System Discovery and select Run Full Discovery Now from the ribbon bar.
23. Click Yes on the dialog box.
24. Right-click Active Directory User Discovery and click Properties.
25. Double-click the Active Directory container already present.
26. Check the box next to Discover objects within Active Directory groups.
27. Select the option Specify an account, click Set… > Existing Account.
28. In the Select Account window, select corp\labadmin then click OK twice.
29. Click Apply and then click OK.
30. Click on Active Directory User Discovery and select Run Full Discovery Now from the ribbon bar.
31. Click Yes on the dialog box.
32. Ensure that Heartbeat Discovery is already Enabled.

Task: Configure and Validate Boundaries
33. Navigate to Administration > Hierarchy Configuration > Boundaries.
34. Ensure that the Default-First-Site-Name boundary is already created.
35. Navigate to Administration > Hierarchy Configuration > Boundary Groups.
36. Click Boundary Groups and ensure that the Corp Boundary Group is already created.

Task: Configure and Validate the Network Access Account
37. Navigate to Administration > Site Configuration > Sites, select the site and click Settings > Configure Site Components > Software Distribution.
38. Click the Network Access Account tab. You will see a network access account already in the list. Select it and click the cross button to delete it.
39. Click Yes on the prompt.
40. Click the star and click New Account.
41. Enter the User name: CORP\LabAdmin; Password and Confirm password: P@ssw0rd; click Verify and in the Network share: enter \\cm1\SMS_CHQ; click Test connection and click OK once successful. Click OK again.
42. Click Apply and then click OK.

Task: Configure and Validate the Client Push Installation
43. Navigate to Administration > Site Configuration > Sites.
44. Right-click on the CHQ site then select Client Installation Settings > Client Push Installation.
45. In the General tab, select Enable automatic site-wide client push installation. Ensure that Servers and Workstations are checked and Never install the Configuration Manager client on domain controllers unless specified in the Client Push Installation Wizard is selected.
46. In the Accounts tab, click the star button and click Existing Account.
47. In the Select Account window, select corp\labadmin then click OK.
48. Review the Installation Properties tab. Click Apply and then click OK.

3.3.3 Create Test VMs

3.3.3.1 Download MSDN ISOs

Task Detailed Steps


Complete these steps on the Hyper-V host.

Task: Download Windows 7 ISO
1. Open Internet Explorer and browse to the URL below.
   https://msdn.microsoft.com/subscriptions/securedownloads/
2. On the website, sign in with your MSDN registered account.
3. In the Search field, enter Windows 7 Enterprise with Service Pack 1.
4. Search for Windows 7 Enterprise with Service Pack 1 (x64) – DVD (English) and download it to C:\.

Task: Download Windows 10 1709 ISO
5. Open Internet Explorer and browse to the URL below.
   https://msdn.microsoft.com/subscriptions/securedownloads/
6. On the website, sign in with your MSDN registered account.
7. In the Search field, enter Windows 10.
8. Search for Windows 10 (multi-edition) VL, Version 1709 (Updated Dec 2017) (x64) – DVD (English) and download it to C:\.

Task: Download Windows 10 1803 ISO
9. Open Internet Explorer and browse to the URL below.
   https://msdn.microsoft.com/subscriptions/securedownloads/
10. On the website, sign in with your MSDN registered account.
11. In the Search field, enter Windows 10.
12. Search for Windows 10 (business editions), Version 1803 (Updated March 2018) (x64) – DVD (English) and download it to C:\.

3.3.3.2 Build a Windows 7 Client Machine

For this task, you will build and domain-join a Windows 7 virtual machine that will be used to perform the upgrade later.

Task Detailed Steps


Complete these steps on the Hyper-V host and the new Generation 1 virtual machine.

Task: Create the Virtual Machine
1. Use the Hyper-V Manager to create a new Generation 1 virtual machine named WIN7.
2. Ensure that the virtual machine is connected to the CORPNET virtual switch and is assigned a minimum of 2 GB RAM, 1 GHz processor speed and 5 GB of free disk space.
3. Install Windows 7 into the virtual machine, naming the system and the virtual machine WIN7, using the ISO downloaded in the Prerequisites section.
4. Join the system to the corp.contoso.com domain using the domain administrator credentials (corp\labadmin).
5. Disable the firewall for Domain networks.

Complete these steps on the CM1 virtual machine.

Task: Install the Configuration Manager Client
6. Once the system has joined the domain, log on to the CM1 virtual machine.
7. Launch the Configuration Manager Console and navigate to Administration > Hierarchy Configuration > Discovery Methods.
8. Select Active Directory System Discovery and click Run Full Discovery Now. Click Yes on the prompt.
9. Navigate to Assets and Compliance > Devices and check that WIN7 is showing in the list of devices.
10. Right-click on WIN7 and click on Install Client (hold Ctrl and select multiple computers if you want to install on more than one computer).
11. On the Install Configuration Manager Client wizard, click Next.
12. Check the box next to Install the client software from a specified site, select the site CHQ - Contoso Headquarters and click Next.
13. Click Next again.
14. Click Close.
15. After a few minutes, the WIN7 client will have the client installed and the Configuration Manager console will indicate so.

Complete these steps on the WIN7 virtual machine.

Task: Create Checkpoint
16. Create a virtual machine checkpoint.

3.3.3.3 Build a Windows 10 1709 Client Machine

In this activity, you will build a Windows 10 1709 client virtual machine.

Task Detailed Steps


Complete these steps on the Hyper-V host and the new Generation 2 virtual machine.

Task: Create the Virtual Machine
1. Use the Hyper-V Manager to create a new Generation 2 virtual machine named WIN10-1709.
2. Ensure that the virtual machine is connected to the CORPNET virtual switch and is assigned a minimum of 2 GB RAM, 1 GHz processor speed and 5 GB of free disk space.
3. Install Windows 10 into the virtual machine, naming the system and the virtual machine WIN10-1709, using the ISO that was downloaded in the Prerequisites section (Version 1709).
4. Join the system to the corp.contoso.com domain using the domain administrator credentials (corp\labadmin).
5. Disable the firewall for Domain networks.

Complete these steps on the CM1 virtual machine.

Task: Install the Configuration Manager Client
6. Once the system has joined the domain, log on to the CM1 virtual machine.
7. Launch the Configuration Manager Console and navigate to Administration > Hierarchy Configuration > Discovery Methods.
8. Select Active Directory System Discovery and click Run Full Discovery Now. Click Yes on the prompt.
9. Navigate to Assets and Compliance > Devices and check that WIN10-1709 is showing in the list of devices.
10. Right-click on WIN10-1709 and click on Install Client (hold Ctrl and select multiple computers if you want to install on more than one computer).
11. On the Install Configuration Manager Client wizard, click Next.
12. Check the box next to Install the client software from a specified site, select the site CHQ - Contoso Headquarters and click Next.
13. Click Next again.
14. Click Close.
15. After a few minutes, the WIN10-1709 client will have the client installed and the Configuration Manager console will indicate so.

Complete these steps on the WIN10-1709 virtual machine.

Task: Create Checkpoint
16. Create a virtual machine checkpoint.

3.3.3.4 Build a Windows 10 1803 Client Machine

In this activity, you will build a Windows 10 1803 client virtual machine.

Task Detailed Steps


Complete these steps on the Hyper-V host and the new Generation 2 virtual machine.

Task: Create the Virtual Machine
1. Use the Hyper-V Manager to create a new Generation 2 virtual machine named WIN10-1803.
2. Ensure that the virtual machine is connected to the CORPNET virtual switch and is assigned a minimum of 2 GB RAM, 1 GHz processor speed and 5 GB of free disk space.
3. Install Windows 10 into the virtual machine, naming the virtual machine WIN10-1803, using the ISO that was downloaded in the Prerequisites section (Version 1803).
4. Once you reach OOBE, stop and leave the virtual machine as is.
5. Create a virtual machine checkpoint.

3.3.3.5 Build a Windows 10 Developer Machine

In this activity, you will build a Windows 10 client virtual machine with developer tools installed.

Task Detailed Steps


Complete these steps on an internet-connected Windows Server computer with Hyper-V enabled.

Task: Download Developer VM (if not previously downloaded)
1. Open File Explorer and create the C:\VMs folder.
2. Open Internet Explorer and browse to the URL below.
   https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
3. Under Windows 10 Enterprise (Evaluation - Build 201805) 20 GB download, click Hyper-V.
4. Download WinDev1805Eval.HyperV.zip to C:\VMs.
5. Once the download completes, browse to C:\VMs, right-click on WinDev1805Eval.HyperV.zip and select Extract All.
6. In the Select a Destination and Extract Files page, click Extract.

Task: Import VMs
7. Open File Explorer and create the C:\VMs\WIN10DEV folder.
8. Open Hyper-V Manager.
9. In the Actions pane, click Import Virtual Machine.
10. In the Before You Begin page, click Next.
11. In the Locate Folder page, browse to C:\VMs\WinDev1805Eval.HyperV then click Next.
12. In the Select Virtual Machine page, click Next.
13. In the Choose Import Type page, select Copy the virtual machine then click Next.
14. In the Choose Destination page, select Store the virtual machine in a different location, enter the path C:\VMs\WIN10DEV for all folders then click Next.
15. In the Choose Storage Folder page, enter the path C:\VMs\WIN10DEV then click Next.
16. In the Summary page, click Finish.
17. In the Hyper-V Manager, right-click on WinDev1805Eval, select Rename and enter WIN10DEV.

Complete these steps on the WIN10DEV virtual machine.

Task: Configure Virtual Machine Settings
18. In the Hyper-V Manager, right-click on WIN10DEV and select Settings.
19. Configure the following then click OK.
   Memory: 8192
   Processor: 4 virtual processors
   Network Adapter: HYD-Corpnet
20. Start the WIN10DEV virtual machine.

Task: Install Windows Updates
21. Go to Start and click Settings.
22. In the Settings app, browse to Update & Security > Windows Update.
23. Click Check for updates.
24. Install all missing updates (restart if needed) until the device is up to date.
Note: This may take at least an hour depending on the internet speed.

Task: Perform Defender Scan
25. In the Settings app, browse to Update & Security > Windows Security.
26. Click Open Windows Defender Security Center.
27. Click Virus & threat protection.
28. Click Scan now.
29. Once complete, close Windows Defender Security Center and the Settings app.

Task: Create Checkpoint
30. Create a virtual machine checkpoint.

3.3.4 Configure Azure AD Connect with Device Sync


In this activity, you will configure Azure AD Connect on DC1.

Task Detailed Steps


Complete the following steps on DC1.

Task: Configure Azure AD Connect
1. Download Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594
2. Run Azure AD Connect, select I agree to the license terms and privacy notice and click Continue.
3. Select Use express settings.
4. In the Connect to Azure AD prompt, sign in with labadmin@<AzureDomainName>.onmicrosoft.com and click Next.
5. In the Connect to AD DS prompt, enter the following credentials and click Next.
   USERNAME: CORP\LabAdmin
   PASSWORD: P@ssw0rd
6. On the Azure AD sign-in configuration page, select Continue without any verified domains and click Next.
7. On the Ready to configure page, keep the check box checked next to Start the synchronization process when configuration completes and click Install. Click Exit once done.
8. Open Programs and Features and uninstall the Windows Azure Active Directory Module for Windows PowerShell.
9. Open PowerShell as an administrator.
10. Run the cmdlet below and accept any prompts. Note: Create a directory in C:\, for example C:\MSOnline, and use it as <path>.
   Save-Script -Name MSOnline -Path <path>
11. Run the cmdlet below and accept any prompts.
   Install-Module -Name MSOnline

Task: Configure Device Sync
12. Locate the name of the AAD Connector Account by opening Azure AD Connect, clicking Configure, selecting View current configuration and then clicking Next. Click Exit.
13. Run the cmdlets below and, at the credential prompt, provide the Azure AD Admin credentials.
   Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\ADPrep\ADSyncPrep.psm1"
   $aadAdminCred = Get-Credential
   Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount <account name> -AzureADCredentials $aadAdminCred
14. Start Internet Explorer in InPrivate mode.

Task: Confirm Devices are Hybrid Azure AD Joined
15. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
16. On the left navigation bar, click Azure Active Directory.
17. Select Devices > All devices.
18. Confirm devices are registered to Azure AD.

4 Servicing

In this module, you will go through how to manage Windows as a Service (WaaS).

4.1 Windows Analytics Update Compliance


In this section you'll learn how to use Update Compliance to monitor your devices' Windows updates and Windows Defender Antivirus status.

Update Compliance:

• Uses telemetry gathered from user devices to form an all-up view of Windows 10 devices in your organization.
• Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
• Provides a workflow that can be used to quickly identify which devices require attention.
• Enables you to track deployment compliance targets for updates.
• Summarizes Windows Defender Antivirus status for devices that use it.

The Operations Manager Suite Experience Center will be used to evaluate Windows Analytics Update Compliance using read-only demo data, so devices will not need to be configured to send telemetry to the Update Compliance service.

Note:

This lab guide is aimed at getting you familiar with the Update Compliance workspace. It is not intended to be a comprehensive guide to using the solution in your organization.

Appendix – Configuring Windows Analytics has more details on configuring Windows Analytics.

4.1.1 Sign-Up and Overview

Task Detailed Steps


You can complete these steps in any web browser.

Task: Sign-On (Internal Only)
**This feature is available only to Microsoft employees; to sign up, go to https://idweb and join the "asodemo" Security Group.
1. After you join the security group, log in to https://mms.microsoft.com and you will have access to the "contosoretail-IT" workspace.

Task: Open Update Compliance
2. In the Filter by name field, enter Update Compliance.
3. The Update Compliance tile will be shown and will show summary information on the total devices sending data and the number of devices that need attention.
4. Click the Update Compliance tile, which will open the Update Compliance workspace.

Task: General Workspace Information
In Update Compliance, data is separated into vertically sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways.
Blades are summarized by the title in their upper-left corner. Every number displayed in OMS is the direct result of one or more queries. Clicking on data in blades will often navigate you to the query view, with the query used to produce that data.
Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query.

Task: Overview Blade
5. The Overview blade provides a summary of all the data Update Compliance focuses on. It functions as a hub from which the different sections can be navigated to.
6. The total number of devices detected by Update Compliance is counted within the title of this blade.
7. What follows is a distribution of all devices as to whether they are up to date on:
   • Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
   • Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers the Servicing Channel when determining update applicability.
   • AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
8. The blade also provides the time at which your Update Compliance workspace was refreshed.
9. Below the "Last Updated" time, a list of the different sections follows that can be clicked on to view more information. They are:
   • Need Attention!: This section is the default section when arriving at your Update Compliance workspace. It counts the number of devices which are encountering issues and need immediate attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful.
   • Security Update Status: This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 they are running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices, including deployment.
   • Feature Update Status: This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress.
   • Windows Defender AV Status: This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus.

4.1.2 Need Attention!

This section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a List of Queries blade is shown within this section that contains queries that provide value but do not fit within any other main section.

Task Detailed Steps


Task: Device Issues
1. Need Attention! is open by default when you open Update Compliance.
2. Device Issues are broken up into two groups:
   • Missing multiple security updates: This issue occurs when a device is behind by two or more security updates. These devices may be more vulnerable and should be investigated and updated.
   • Out of support OS Version: This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10.
3. Under Device issues, click Out of support OS Version to go to the Log Search view for more information.
4. Click Table to get a table view of all devices on an unsupported OS.
5. Change the date range in the top left to 7 DAYS then click OK.
6. Edit the filter for the column FeatureDeferralDays to Is greater than 0 to look at any devices that may not have been upgraded due to deferral.
7. Click the Home button and then navigate back to Update Compliance.

Task: Update Issues
8. Update Issues are broken up into two groups:
   • Failed: This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure.
   • Progress stalled: This issue occurs when an update is in progress, but has not completed over a period of 10 days.
9. Click Failed to access the Log Search view for more information.
10. Click Table to get a table view of all failed updates.
11. Change the date range in the top left to 1 DAY then click OK.
12. In the left-hand pane, scroll down to DEPLOYMENTERROR to view the types of errors that are causing updates to fail.
13. Note the log search query:
   WaaSDeploymentStatus | where DeploymentStatus=="Failed"
14. Click Disk Full then Apply to see all devices that are failing due to not enough free disk space.
15. Note the log search query:
   WaaSDeploymentStatus | where DeploymentStatus=="Failed" | where ( DeploymentError == "Disk Full" )
16. Remove | where ( DeploymentError == "Disk Full" ) from the end of the query and click the Search button to return to the original query.
17. Click the Home button and then navigate back to Update Compliance.

Task: List of Queries
18. This blade contains a list of queries with a description and a link to each query. These queries contain important meta-information that did not fit within any specific section, or were listed to serve as a good starting point for modification into custom queries.
19. Browse and modify queries at your own pace.
20. The OMS search query reference is available on docs.microsoft.com:
   https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-search-reference
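The Device Issues and Update Issues groups above are simple rules over per-device data, and the Log Search steps show the same data being filtered by DeploymentStatus and DeploymentError. The script below, an added example that is not part of the lab guide or of the Update Compliance service, applies those rules to constructed records. Only DeploymentStatus, DeploymentError and FeatureDeferralDays are column names taken from the lab steps; every other field name, the list of supported versions and the sample devices are assumptions made for this example.

```python
"""Added example (not from the lab guide or the Update Compliance service): applies
the Need Attention! rules described above to constructed records shaped like the
WaaSDeploymentStatus rows the Log Search steps query. Only DeploymentStatus,
DeploymentError and FeatureDeferralDays are column names from the lab; every
other field, the supported-version list and the sample data are assumptions."""
from collections import Counter
from datetime import date

# Constructed reference date so the day arithmetic below is deterministic.
TODAY = date(2018, 8, 1)
# "Progress stalled": an update in progress that has not completed in 10 days.
STALLED_AFTER_DAYS = 10
# Assumption for this example: Windows 10 versions treated as still in support.
# The real service derives this from Microsoft's lifecycle data.
SUPPORTED_OS_VERSIONS = {"1709", "1803"}

# Constructed sample records (one per device) combining deployment status with
# the per-device compliance fields the classification needs.
DEVICES = [
    {"Computer": "PC-01", "OSVersion": "1709", "SecurityUpdatesBehind": 0,
     "DeploymentStatus": "In Progress", "DeploymentError": "",
     "FeatureDeferralDays": 0, "LastProgress": date(2018, 7, 28)},
    {"Computer": "PC-02", "OSVersion": "1703", "SecurityUpdatesBehind": 3,
     "DeploymentStatus": "Failed", "DeploymentError": "Disk Full",
     "FeatureDeferralDays": 30, "LastProgress": date(2018, 7, 25)},
    {"Computer": "PC-03", "OSVersion": "1803", "SecurityUpdatesBehind": 2,
     "DeploymentStatus": "In Progress", "DeploymentError": "",
     "FeatureDeferralDays": 0, "LastProgress": date(2018, 7, 10)},
    {"Computer": "PC-04", "OSVersion": "1709", "SecurityUpdatesBehind": 0,
     "DeploymentStatus": "Failed", "DeploymentError": "Network Error",
     "FeatureDeferralDays": 0, "LastProgress": date(2018, 7, 31)},
    {"Computer": "PC-05", "OSVersion": "1703", "SecurityUpdatesBehind": 1,
     "DeploymentStatus": "Installed", "DeploymentError": "",
     "FeatureDeferralDays": 0, "LastProgress": date(2018, 7, 20)},
]


def device_issues(row):
    """Device Issues group: behind by two or more security updates, or on an
    OS version that is out of support."""
    issues = []
    if row["SecurityUpdatesBehind"] >= 2:
        issues.append("Missing multiple security updates")
    if row["OSVersion"] not in SUPPORTED_OS_VERSIONS:
        issues.append("Out of support OS Version")
    return issues


def update_issues(row, today=TODAY):
    """Update Issues group: the deployment failed, or it is in progress but has
    shown no progress for more than STALLED_AFTER_DAYS days."""
    issues = []
    if row["DeploymentStatus"] == "Failed":
        issues.append("Failed")
    elif (row["DeploymentStatus"] == "In Progress"
          and (today - row["LastProgress"]).days > STALLED_AFTER_DAYS):
        issues.append("Progress stalled")
    return issues


def need_attention(rows, today=TODAY):
    """Map each device with at least one issue to its list of issues; devices
    with no issues are left out, matching the Need Attention! device count."""
    result = {}
    for row in rows:
        issues = device_issues(row) + update_issues(row, today)
        if issues:
            result[row["Computer"]] = issues
    return result


def failed_by_error(rows):
    """Count failed deployments per DeploymentError: the breakdown the lab's
    DEPLOYMENTERROR facet shows for the query
    WaaSDeploymentStatus | where DeploymentStatus=="Failed"."""
    return Counter(r["DeploymentError"] for r in rows
                   if r["DeploymentStatus"] == "Failed")


def out_of_support_deferred(rows):
    """Step 6 above: out-of-support devices whose FeatureDeferralDays is greater
    than 0, i.e. candidates that were held back by a deferral policy."""
    return [r["Computer"] for r in rows
            if r["OSVersion"] not in SUPPORTED_OS_VERSIONS
            and r["FeatureDeferralDays"] > 0]


if __name__ == "__main__":
    for computer, issues in need_attention(DEVICES).items():
        print(f"{computer}: {', '.join(issues)}")
    print("Failed by error:", dict(failed_by_error(DEVICES)))
    print("Out of support but deferred:", out_of_support_deferred(DEVICES))
```

The stalled check is deliberately an `elif`: a deployment that has already failed is reported under Failed only, so one device does not inflate both Update Issues counts. Replace DEVICES with rows exported from your own workspace to reproduce the Need Attention! breakdown offline.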

4.1.3 Security Update Status

The Security Update Status section provides information about quality updates across all devices. The section tile within the Overview blade lists the percentage of devices on the latest security update, to provide the most essential data without needing to navigate into the section.

Task Detailed Steps


Task: Overall Quality Update Status
1. Click Security Update Status in the Update Compliance workspace.
2. The Overall Quality Update Status blade provides a visualization of devices that are and are not up to date on the latest quality updates (not just security updates). Below it is an example of the visualization showcasing all devices further broken down by OS Version.
3. Click 1709 in the table below.
4. The Update Deployment Status perspective is shown by default.
5. Scroll down to DETAILED DEPLOYMENT STATUS and click Reboot Pending.
6. Click Table view to see devices that are pending a reboot.
7. Click the Home button and then navigate back to Update Compliance\Security Update Status.

Task: Latest Security Update Status and Previous Security Update Status
8. The Latest Security Update Status blade provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10. The Previous Security Update Status blade provides the same information without the accompanying visualization.
9. What follows is a breakdown of the different deployment states reported by devices:
   • Installed devices are devices that have completed installation for the given update.
   • When a device is counted as "In Progress" or "Deferred", it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business settings.
   • Devices that have "Update Failed" failed updating at some point during the installation process of the given security update.
   • If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as Status Unknown. Devices not using Windows Update are the most likely devices to fall into this category.
10. Drill down as required.
11. Click the Home button and then navigate back to Update Compliance.

4.1.4 Feature Update Status


The Feature Update Status section provides information about the status of feature updates
across all devices.

Task Detailed Steps


Task: Overall Feature Update Status
1. Click Feature Update Status in the Update Compliance workspace.
2. The Overall Feature Update Status blade breaks down how many devices are or are not up to date, with a special callout for how many devices are running a build that is not supported. The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defines whether this combination is up to date, not up to date or out of support.
3. Drill down as required.
4. Click the Home button and then navigate back to Update Compliance\Feature Update Status.

Task: Deployment Status by Servicing Channel
5. To effectively track deployment, Deployment Status blades are divided by the Servicing Channel chosen for each device. This is because deployment for each Servicing Channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
6. Refer to the following list for what each state means:
   • Installed devices are devices that have completed installation for the given update.
   • When a device is counted as In Progress, it has begun the feature update installation.
   • Devices that are scheduled next 7 days are all devices that were deferred from installing the feature update using Windows Update for Business settings and are set to begin installation in the next 7 days.
   • Devices that have failed the given feature update installation are counted as Update failed.
   • If a device should be, in some way, progressing toward this update, but its status cannot be inferred, it will count as Status Unknown. Devices not using Windows Update are the most likely devices to fall into this category.
7. Drilling down will take you to the Update Deployment Status perspective which we looked at under the Security Update Status section. However, this time the results are filtered on feature updates rather than quality updates.
8. Click the Home button and then navigate back to Update Compliance.

4.1.5 Windows Defender AV Status


The Windows Defender AV Status section deals with data concerning signature and threat status
for devices that use Windows Defender Antivirus.

Task Detailed Steps


Task: Protection Status
1. Click Windows Defender AV Status in the Update Compliance workspace.
Here are some important terms when using the Windows Defender AV Status section of Update Compliance:
   • Signature out of date devices are devices with a signature older than 14 days.
   • No real-time protection devices are devices that are using Windows Defender AV but have turned off real-time protection.
   • Recently disappeared devices are devices that were previously seen by Windows Defender AV and have not been seen in the past 7 days.
   • Remediation failed devices are devices where Windows Defender AV failed to remediate the threat. This can be due to reasons like disk full, network error, operation aborted, etc. Manual intervention may be needed from the IT team.
   • Not assessed devices are devices where either a third-party AV solution is used or it has been more than 7 days since the device recently disappeared.
2. The Protection Status blade gives a count of devices that have either out-of-date signatures or real-time protection turned off.
3. Click Real-time protection is off.
4. Change the date range to 1 DAY then click OK.
5. On the left-hand side, scroll down to DETAILEDSTATUS and look at the reasons why real-time protection is off.
6. Drill down as required.
7. Click the Home button and then navigate back to Update Compliance\Windows Defender AV Status.

Task: Threat Status
8. The Threat Status blade provides a visualization of devices that have encountered threats and how many were and were not remediated successfully.
9. Click Remediation failed.
10. Change the date range to 1 DAY.
11. Change to table view.
12. In the table, filter the ThreatAlertLevel column to equal only Severe or High.
13. Drag the ThreatAlertLevel field onto the bar below the List and Table buttons to group by ThreatAlertLevel.
14. Scroll back to the left of the table and you will see the query is grouped by ThreatAlertLevel and you will be able to expand and collapse the groups. Unless you change the number of items that are displayed per page, you may still need to cycle through the pages to look at all the results.
15. Set the results to show 200 items per page.
16. Collapse ThreatAlertLevel: High and expand ThreatAlertLevel: Severe.
17. Click on ThreatName to sort by ThreatName.
18. Expand a device that has had a known severe threat where remediation has failed and scroll down to ThreatEncyclopediaLink, then copy the link into another browser tab to get more information on the threat.
19. Close Update Compliance.


4.2 Servicing Windows 10 with Configuration Manager
Windows 10 delivers a new model for organizations to deploy and upgrade Windows by
providing updates to features and capabilities through a continuous process. System Center
Configuration Manager provides a view of the state of Windows in your environment, lets you
create servicing plans to form deployment rings, and ensures that Windows 10 machines are kept
up to date.

In this section, you will go through how to configure Configuration Manager to support the new
model of Windows as a Service.

Note: This lab can only be performed if the System Center Configuration Manager environment
is on Current Branch.

4.2.1 Configure Software Update Point


In this activity, you will configure the Software Update Point to download Windows 10 Servicing
Feature Updates.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Configure Software Update Point Site Component
1. Open the Configuration Manager Console from the Start Menu.
2. Browse to Administration > Site Configuration > Sites.
3. Right-click on CHQ – Contoso Headquarters and select Configure Site
Components > Software Update Point.
4. On the Classifications tab, uncheck Service Packs and Update Rollups, and
then check Upgrades.
5. On the Windows 10 Servicing Prerequisite window, click OK.
6. On the Products tab, uncheck everything and only check Windows 10.
7. On the Languages tab, uncheck everything and only check English then click
Apply and OK.
Synchronize Software Updates
8. From the Configuration Manager Console, browse to Software Library >
Software Updates > All Software Updates.
9. Click Synchronize Software Updates.
10. On the Configuration Manager dialog box, click Yes.
Note: The synchronization may take 30 minutes or more depending on the speed of the
internet connection.

4.2.2 Configure Servicing Plan


In this activity, you will configure Servicing Plans in Configuration Manager to form deployment
rings and ensure that Windows 10 systems are kept up to date when new builds are released.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Validate that Windows 10 Feature Updates are Available
1. From the Configuration Manager Console, browse to Software Library >
Windows 10 Servicing > All Windows 10 Updates.
2. On the Search bar, type Feature update to Windows 10 (business editions),
version 1803, en-us then press Enter.
3. Validate that the feature update metadata for Windows 10 Enterprise, version
1803 is available and showing in a state of “Required”.
Note: It can take some time for the machine to be detected in Configuration
Manager for the “Required” update.
Create Servicing Collections
4. From the Configuration Manager Console, browse to Assets and Compliance.
5. Right-click on Device Collections and select Folder > Create Folder.
6. On the Configuration Manager window, under Folder name enter Windows 10
Servicing then click OK.
7. From the Configuration Manager Console, expand Device Collections and
right-click on Windows 10 Servicing.
8. Select Create Device Collection.
9. On the General page, enter the following then click Next.
Name: Semi-Annual Channel (Targeted)
Limiting Collection: All Desktop and Server Clients
10. On the Membership Rules page, click Next.
11. On the warning dialog box, click OK.
12. On the Summary page, click Next.
13. On the Completion page, click Close.
14. Right-click on Windows 10 Servicing and select Create Device Collection
again.
15. On the General page, enter the following then click Next.
Name: Semi-Annual Channel
Limiting Collection: All Desktop and Server Clients
16. On the Membership Rules page, click Next.
17. On the warning dialog box, click OK.
18. On the Summary page, click Next.
19. On the Completion page, click Close.
Create a Servicing Plan for Semi-Annual Channel (Targeted) Machines
Note: Perform the following steps if Windows 10 1803 is not yet declared as ready for
business (SACT).
20. From the Configuration Manager Console, browse to Software Library >
Windows 10 Servicing > Servicing Plans.
21. On the ribbon, click Create Servicing Plan.
22. On the General page, enter the following then click Next.
Name: Semi-Annual Channel (Targeted)
23. On the Servicing Plan page, enter the following then click Next.
Target Collection: Semi-Annual Channel (Targeted) (under Windows 10
Servicing folder)
24. On the Deployment Ring page, select Semi-Annual Channel (Targeted), and
then click Next.
25. On the Upgrades page, select Title and click text to find.
26. On the Search Text window, in the textbox enter “Feature update to Windows
10 (business editions), version 1803, en-us” (include the quotation marks) then
click Add.
27. On the Search Text window, click OK.
28. On the Upgrades page, click Preview.
29. On the Preview Updates window, verify that the 1803 feature update is listed
then click Close.
30. On the Upgrades page, click Next.
31. On the Deployment Schedule page, under Installation deadline select As soon
as possible then click Next.
32. On the User Experience page, under User notifications select Display in
Software Center and show all notifications, under Deadline behavior select
System restart (if necessary) and then click Next.
33. On the Deployment Package page, select Create a new deployment package,
enter the following then click Next.
Name: Semi-Annual Channel Targeted
Package source: \\CM1\Packages$\SAC-TPackage
34. On the Distribution Points page, click Add > Distribution Point.
35. On the Add Distribution Points window, select CM1.CORP.CONTOSO.COM
then click OK.
36. On the Distribution Points page, click Next.
37. On the Download Location page, click Next.
38. On the Language Selection page, click Next.
39. On the Summary page, click Next.
40. On the Completion page, click Close.
Create a Servicing Plan for Semi-Annual Channel Machines
Note: Perform the following steps if Windows 10 1803 is declared as ready for business
(SAC).
41. From the Configuration Manager Console, browse to Software Library >
Windows 10 Servicing > Servicing Plans.
42. On the ribbon, click Create Servicing Plan.
43. On the General page, enter the following then click Next.
Name: Semi-Annual Channel
44. On the Servicing Plan page, enter the following then click Next.
Target Collection: Semi-Annual Channel (under Windows 10 Servicing folder)
45. On the Deployment Ring page, select Semi-Annual Channel, and then click
Next.
46. On the Upgrades page, select Title and click text to find.
47. On the Search Text window, in the textbox enter “Feature update to Windows
10 Enterprise (business editions), version 1803, en-us” (include the quotation
marks) then click Add.
48. On the Search Text window, click OK.
49. On the Upgrades page, click Preview.
50. On the Preview Updates window, verify that the 1803 feature update is listed
then click Close.
51. On the Upgrades page, click Next.
52. On the Deployment Schedule page, under Installation deadline select As soon
as possible then click Next.
53. On the User Experience page, under User notifications select Display in
Software Center and show all notifications, under Deadline behavior select
System restart (if necessary) and then click Next.
54. On the Deployment Package page, select Create a new deployment package,
enter the following then click Next.
Name: Semi-Annual Channel Package
Package source: \\CM1\Packages$\SACPackage
55. On the Distribution Points page, click Add > Distribution Point.
56. On the Add Distribution Points window, select CM1.CORP.CONTOSO.COM
then click OK.
57. On the Distribution Points page, click Next.
58. On the Download Location page, click Next.
59. On the Language Selection page, click Next.
60. On the Summary page, click Next.
61. On the Completion page, click Close.

4.2.3 Service a Windows 10 1709 Client


In this activity, you will test the servicing plan on a Windows 10 1709 virtual machine.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Move the Test Device to Semi-Annual Channel (Targeted) Collection
Note: Perform the following steps if Windows 10 1803 is not yet declared as ready for
business (Semi-Annual Channel (Targeted)).
1. From the Configuration Manager Console, browse to Assets and Compliance
> Devices.
2. Right-click on WIN10-1709 and select Add Selected Items > Add Selected
Items to Existing Device Collection.
3. On the Select Collection window, browse to and select Root > Windows 10
Servicing > Semi-Annual Channel (Targeted) then click OK.
4. On the Configuration Manager Console, browse to Assets and Compliance >
Device Collections > Windows 10 Servicing > Semi-Annual Channel
(Targeted).
5. On the ribbon, click Collection | Update Membership | Yes and press F5.
6. Verify that the WIN10-1709 machine is shown within the collection.
Move the Test Device to Semi-Annual Channel Collection
Note: Perform the following steps if Windows 10 1803 is declared as ready for business
(Semi-Annual Channel).
7. From the Configuration Manager Console, browse to Assets and Compliance
> Devices.
8. Right-click on WIN10-1709 and select Add Selected Items > Add Selected
Items to Existing Device Collection.
9. On the Select Collection window, browse to and select Root > Windows 10
Servicing > Semi-Annual Channel then click OK.
10. On the Configuration Manager Console, browse to Assets and Compliance >
Device Collections > Windows 10 Servicing > Semi-Annual Channel.
11. On the ribbon, click Collection | Update Membership | Yes and press F5.
12. Verify that the WIN10-1709 machine is shown within the collection.
Force the Servicing Plans to Run
13. From the Configuration Manager Console, browse to Software Library >
Windows 10 Servicing > Servicing Plans.
14. Select Semi-Annual Channel (Targeted) and from the ribbon click Run Now.
15. On the dialog box, click OK.
16. Select Semi-Annual Channel and from the ribbon click Run Now.
17. On the dialog box, click OK.
Complete these steps on the WIN10-1709 virtual machine.
Refresh the Client’s Policy
18. Log on to the WIN10-1709 machine as corp\labadmin.
19. Open the Control Panel.
20. On the All Control Panel Items window, click on Configuration Manager.
21. On the Configuration Manager Properties window, go to the Actions tab.
22. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle then
click Run Now.
23. On the dialog box, click OK.
24. On the Actions tab, select Software Updates Scan Cycle then click Run Now.
25. On the dialog box, click OK.
26. On the Actions tab, select Software Updates Deployment Evaluation Cycle
then click Run Now.
27. On the dialog box, click OK.
28. On the Configuration Manager Properties window, click OK.
Note: There might be a mandatory update requiring a scheduled restart before the
installation of Windows 10 Version 1803. To force the restart, click
Start | Settings | UPDATE & SECURITY | Restart now.
Note: Ensure that on CM1 the option Download software updates from
distribution point and install is selected in all cases, both in the Servicing Plan
Properties under Download Settings and in the Software Update
Group’s Deployment Properties under Download Settings.
29. After the restart, a notification will appear. Once the Software Center
is launched, under Installation Status the feature update will start
downloading and installing automatically.
30. On the prompt, click RESTART and then click RESTART again.
31. The upgrade process will continue.
32. Once restarted and logged in, the version of Windows will be Windows 10
Version 1803 (Build 17134.1).

4.3 Servicing Office 365 ProPlus with Configuration Manager
In this section, you will go through how to configure Configuration Manager to support Office
365 Servicing.

Note: This lab can only be performed if the System Center Configuration Manager environment
is on Current Branch.

4.3.1 Enable Configuration Manager to receive Office 365 Client Package Notifications
To start, you need to configure Configuration Manager to receive notifications when Office 365
client update packages are available.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
1. In the Configuration Manager console under the Administration node, choose
Site Configuration > Sites.
2. Right-click on CHQ – Contoso Headquarters and select Configure Site
Components > Software Update Point.
3. In the Software Update Point Component Properties dialog box, do the
following:
a. On the Products tab, under Office, select Office 365 Client.
b. On the Classifications tab, select Updates.
c. Click Apply and OK.
You can have other check boxes selected in the Products and Classifications tabs.
But, Office 365 Client and Updates need to be selected for Configuration
Manager to receive notifications when Office 365 client update packages are
available.
4. On the Software Library node, open Office 365 Client Management and right
click Office 365 Updates and select Synchronize Software Updates.
5. On the Configuration Manager dialog box, click Yes.
Note: The synchronization may take 30 minutes or more depending on the speed
of the internet connection.

4.3.2 Enable Office COM Objects to Manage Office 365 Client Updates
For Configuration Manager to be able to manage Office 365 client updates, an Office COM
object needs to be enabled on the computer where Office is installed. The Office COM object
takes commands from Configuration Manager to download and install client updates.

You can enable the Office COM object by using either the Office Deployment Tool or Group
Policy.

This lab guide will use Group Policy to enable Office COM Objects. This does the same thing as
setting the OfficeMgmtCOM attribute to True in the configuration.xml file used by the Office
Deployment Tool. But, with Group Policy, you can apply this setting to multiple computers, an
organizational unit (OU), or a domain.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.
Download ADMX Files
1. Download the Office 2016 Administrative Template files (ADMX/ADML):
https://www.microsoft.com/download/details.aspx?id=49030
Note: Download the appropriate version for the Office architecture you support.
In this lab download the x86 version.
Install ADMX Files
2. Install admintemplates_x86-<VersionNumber>_en-us.exe to a temporary
location.
3. Copy the contents of the admx folder in the temporary location to
C:\Windows\SYSVOL\sysvol\corp.contoso.com\Policies\PolicyDefinitions.
Note: If the PolicyDefinitions folder doesn’t exist you will have to create it and also
copy in the latest Windows 10 ADMX files:
New Policies for Windows 10 (link to the latest ADMX files).
Administrative Templates (.admx) for Windows 10 April 2018 Update (1803).
Note: The version number may change over time.
Enable Office 365 Clients to receive Updates from ConfigMgr
4. Open the Group Policy Management Console.
5. Create a policy called “Office 365 Client Management”.
6. Edit the policy.
7. Enable the Computer Configuration\Policies\Administrative
Templates\Microsoft Office 2016 (Machine)\Updates\Office 365 Client
Management policy setting.
8. Link the GPO to the OU containing the client.
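After the GPO has applied, you can confirm on a client that the Office COM object is enabled by either of the two methods this section describes. The following PowerShell check is an added example and is not part of the lab guide; the two registry locations it reads (the Office 2016 policy branch for the Group Policy setting, and ClickToRun\Configuration for the Office Deployment Tool's OfficeMgmtCOM property) are assumptions about where each method records the setting.

```powershell
# Added example (not from the lab guide): report whether, and how, the Office COM
# object has been enabled on this client so Configuration Manager can manage updates.
# Both registry paths below are assumptions about where the two enablement methods write.
function Get-OfficeMgmtComState {
    # Assumed location written by the "Office 365 Client Management" Group Policy setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
    # Assumed location written by the Office Deployment Tool (OfficeMgmtCOM in configuration.xml).
    $odtKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

    # Missing keys/values simply yield $null rather than terminating the script.
    $policyValue = (Get-ItemProperty -Path $policyKey -Name officemgmtcom -ErrorAction SilentlyContinue).officemgmtcom
    $odtValue    = (Get-ItemProperty -Path $odtKey    -Name OfficeMgmtCOM -ErrorAction SilentlyContinue).OfficeMgmtCOM

    # Group Policy stores a DWORD (1 = enabled); the ODT stores a string ("True").
    $byPolicy = ($policyValue -eq 1)
    $byOdt    = ($odtValue -is [string] -and $odtValue -ieq 'True') -or ($odtValue -eq 1)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        PolicyValue   = $policyValue
        OdtValue      = $odtValue
        EnabledByGPO  = $byPolicy
        EnabledByODT  = $byOdt
        # Either method is sufficient for Configuration Manager to drive client updates.
        ManageableByCM = ($byPolicy -or $byOdt)
    }
}

Get-OfficeMgmtComState | Format-List
```

If ManageableByCM is False after a gpupdate, the GPO is not linked to the OU that contains the client (step 8) or the ADMX files were not copied into the Central Store.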

4.3.3 Configure Office 365 Servicing


Note: Before deploying Office 365 Updates to the CLIENT1 or CLIENT2 VMs from Configuration
Manager, ensure that the SCCM Client is installed. These two clients have Microsoft Office 365
ProPlus, which falls in the Semi-Annual Channel. For the versions released per channel, refer to
https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Validate that Office 365 ProPlus Updates are Available
1. From the Configuration Manager Console, browse to Software Library >
Office 365 Client Management > Office 365 Updates.
2. Search for the latest SAC Version. You should be able to see the latest SAC
Version showing in a state of “Required”.
Note: It can take some time for the machine to be detected in Configuration
Manager for the “Required” update.
Create Servicing Collections
3. From the Configuration Manager Console, browse to Assets and
Compliance.
4. Right-click on Device Collections and select Folder > Create Folder.
5. On the Configuration Manager window, under Folder name enter Office
365 ProPlus Servicing then click OK.
6. From the Configuration Manager Console, expand Device Collections and
right-click on Office 365 ProPlus Servicing.
7. Select Create Device Collection.
8. On the General page, enter the following then click Next.
Name: Office 365 ProPlus Semi-Annual Channel
Limiting Collection: All Desktop and Server Clients
9. On the Membership Rules page, click Next.
10. On the warning dialog box, click OK.
11. On the Summary page, click Next.
12. On the Completion page, click Close.
Add Devices to Collections
13. Right-click the Office 365 ProPlus Semi-Annual Channel collection and click
Add Resources.
14. In the Add Resources to Collection window, enter CLIENT1 or CLIENT2 in the
Name string contains field then click Search.
15. In the Search results box, select CLIENT1 or CLIENT2 and click Add then
OK.
Create ADR for Semi-Annual Channel
16. Browse to Software Library.
17. Click on Office 365 Client Management and then click Create an ADR.
General Page
18. Fill out as defined below and click Next:
Name: Office 365 ProPlus Updates – Semi-Annual Channel
Template: Office 365 Client Updates
Collection: Office 365 ProPlus Semi-Annual Channel
Deployment Settings
19. Keep defaults and click Next.
Software Updates
20. Fill out as defined below and click Next:
Product: Office 365 Client
Title: “Office 365 Client Update SAC”
Evaluation Schedule
21. Fill out as defined below and click Next:
Run the rule on a schedule: Selected
Schedule: Occurs day 15 of every 1 month
Deployment Schedule
22. Fill out as defined below and click Next:
Software available time: As soon as possible
Installation deadline: As soon as possible
User Experience
23. Keep defaults and click Next.
Alerts
24. Keep defaults and click Next.
Download Settings
25. Keep defaults and click Next.
Deployment Package
26. Fill out as defined below and click Next:
Create a new deployment package: Selected
Name: Office 365 ProPlus Updates
Package Source: \\CM1\Packages$\Office365ProPlusUpdates
Distribution Point
27. Fill out as defined below and click Next:
Distribution Point Groups: Corp DPs
Download Location
28. Keep defaults and click Next.
Language Selection
29. Keep defaults and click Next.
Summary
30. Click Next.
Completion
31. Click Close.
Run ADRs
32. Open Software Updates\Automatic Deployment Rules.
33. Right-click Office 365 ProPlus Updates – Semi-Annual Channel and click
Run Now. Click OK.
Complete these steps on the CLIENT1 or CLIENT2 virtual machine.
Apply Updates
34. In the Configuration Manager Properties, Actions tab, select Machine
Policy Retrieval & Evaluation Cycle and click Run Now. Click OK.
35. Select Software Updates Deployment Evaluation Cycle and click Run Now.
Click OK.
36. Select Software Updates Scan Cycle and click Run Now. Click OK.
37. The software update will start downloading and installing.
The installation of the package can be validated in Programs and
Features.

4.4 Known Folder File Migration


User Files and Settings Migration is necessary in PC replacement scenarios and can be accomplished by
implementing services like file sync in OneDrive for Business in advance of PC replacement. Leveraging cloud
file sync with OneDrive for Business and files on demand can help limit the amount of files delivered back to the
new PC. In this scenario, we’ll use Group Policy to control OneDrive sync client settings.
Task Detailed Steps
Complete these steps on the HYD-CLIENT7 virtual machine.
Copy .adml and .admx files
1. Create an Office 365 trial subscription and test account per Section 3.2.1 if you
haven’t already.
2. On CLIENT7, install the Windows version of the new OneDrive sync client.
3. Under Programs, select Microsoft OneDrive for Business to open the app.
4. When OneDrive Setup starts, enter your test account, or your work or school
account, and then select Sign in.
5. Open the OneDrive app and sign in using a test account per Section 3.2.1
(USER NAME: TU1@<AzureDomainName>.onmicrosoft.com, etc.).
Complete these steps on the HYD-DC1 virtual machine.
Paste .adml and .admx files in Central Store
6. In File Explorer, go to \\CLIENT7\c$. Browse to the folder that holds the
OneDrive .adml and .admx files and copy them.
7. Go to C:\SYSVOL\sysvol\corp.contoso.com\Policies\PolicyDefinitions,
your domain's Central Store.
8. Paste the .admx file in your domain's Central Store and the .adml file in
the appropriate language subfolder (such as en-us).
Note: If you get an “Access Denied” alert when pasting the files, right-click the
PolicyDefinitions folder, and then click Properties > Security > Advanced. Click
the Permissions tab, click “Select principal” and add “Labadmin” with
full permissions.
9. Go to Server Manager > Tools > Active Directory Users and
Computers, right-click CORP, then click Organizational Unit.
10. Create an Organizational Unit under CORP and add CLIENT7 to it.
Complete these steps on the HYD-CM1 virtual machine.
Configure Group Policy Object
11. In the Group Policy Management Console, open
Domains > corp.contoso.com > CORP.
12. Right-click the Organizational Unit created above and click Create a
GPO in this domain, and Link it here.
13. Right-click the new GPO and click Edit.
14. Go to Computer Configuration\Policies\Administrative
Templates\OneDrive and enable the following Known Folder Move policy:
Silently redirect Windows known folders to OneDrive
15. Click Apply. For info, see Link Group Policy objects to Active Directory
containers.
Optional: Add the tenant ID to the Known Folder Move policy. To find the
tenant ID, log in to Microsoft Azure as an administrator. In the
Microsoft Azure portal, click Azure Active Directory. Under Manage, click
Properties. The tenant ID is shown in the Directory ID box.
Complete these steps on the CLIENT7 and CLIENT2 virtual machines.
Confirm automatic file transfer
16. Restart CLIENT7 to initiate Group Policy and file transfer.
17. Open CLIENT2 and log into the OneDrive for Business app using the
same test account as CLIENT7.

5 Deployment & Management
In this module, you will go through Windows 10 capabilities that could help organizations better
deploy and manage Windows devices.

5.1 Modern Device Deployment


With Windows 10, you can continue to use traditional OS deployment, but you can also
“manage out of the box.” AutoPilot transforms new devices into fully-configured, fully-managed
devices. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-
place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all
the existing apps, data, and settings.

5.1.1 AutoPilot
Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices,
getting them ready for productive use.

In this section, you will use Microsoft Intune to configure AutoPilot for pre-configuring
devices.

5.1.1.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Create a Checkpoint in Hyper-V (if not already created)
Complete the following steps on the HYPER-V Host.
1. Open Hyper-V Manager.
2. Right-click on HYD-CLIENT4 and select Checkpoint.

Capture Device ID
Complete the following steps on CLIENT4.
3. Open PowerShell as an administrator.
4. Run the below commands and press Y when prompted.
Install-Script -Name Get-WindowsAutoPilotInfo
Set-ExecutionPolicy Unrestricted
5. Change the directory to C:\Program Files\WindowsPowerShell\Scripts and run
the below command.
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName CLIENT4 -OutputFile C:\Users\Administrator\Desktop\MyComputers.csv
6. Copy the MyComputers.csv file to the computer that will be used for Microsoft
Intune setup.
7. Open Command Prompt as an administrator.
8. Run
SYSPREP\Sysprep.exe /OOBE /SHUTDOWN
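Before the CSV leaves CLIENT4 (step 6), it is worth confirming that the export is something Intune will accept, since a bad row fails the whole import later in 5.1.1.5. The following PowerShell script is an added example and not part of the lab guide; it assumes the three column names that Get-WindowsAutoPilotInfo.ps1 writes (Device Serial Number, Windows Product ID, Hardware Hash) and defaults to the lab's output path.

```powershell
# Added example (not from the lab guide): sanity-check an AutoPilot hardware-hash CSV
# before it is imported into Intune. Column names are those written by
# Get-WindowsAutoPilotInfo.ps1; the default path is the one used in step 5.
param(
    [string]$Path = 'C:\Users\Administrator\Desktop\MyComputers.csv'
)

$requiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

function Test-AutoPilotCsv {
    param([Parameter(Mandatory)][string]$CsvPath)

    if (-not (Test-Path -LiteralPath $CsvPath)) {
        throw "CSV not found: $CsvPath"
    }
    $rows = @(Import-Csv -LiteralPath $CsvPath)
    if ($rows.Count -eq 0) { throw "CSV contains no device rows." }

    # A missing header rejects the whole file at import time, so check headers first.
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($col in $requiredColumns) {
        if ($headers -notcontains $col) {
            throw "Missing column '$col'. Found: $($headers -join ', ')"
        }
    }

    $problems = New-Object System.Collections.Generic.List[string]
    $seenSerials = @{}
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'

        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems.Add('Row with an empty serial number')
            continue
        }
        # Each device may appear only once; duplicates usually mean the script was run twice.
        if ($seenSerials.ContainsKey($serial)) { $problems.Add("Duplicate serial: $serial") }
        $seenSerials[$serial] = $true

        if ([string]::IsNullOrWhiteSpace($hash)) {
            $problems.Add("$serial : empty hardware hash")
            continue
        }
        # The hardware hash is base64; a truncated copy/paste shows up as a decode failure.
        try   { [void][Convert]::FromBase64String($hash) }
        catch { $problems.Add("$serial : hardware hash is not valid base64") }
    }

    [pscustomobject]@{
        Path     = $CsvPath
        Devices  = $rows.Count
        Problems = $problems.ToArray()
        Valid    = ($problems.Count -eq 0)
    }
}

$result = Test-AutoPilotCsv -CsvPath $Path
$result | Format-List
if (-not $result.Valid) { exit 1 }
```

Run it on CLIENT4 before the Sysprep step, because after /SHUTDOWN the hash can no longer be regenerated on that machine without booting it back into the image.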

5.1.1.2 Set Intune as Management Authority

After you complete the following tasks, you are ready to manage mobile devices and computers.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Enable Device Management. Set Mobile Device Management Authority
Note: Before you can enroll mobile devices, you must prepare the Intune service by
selecting the appropriate mobile device management authority setting on the Mobile
Device Management page of the Administration workspace. The mobile device
management authority setting determines whether you manage mobile devices with
Intune or System Center Configuration Manager with Intune integration. This
guidance assumes Intune is used without System Center Configuration Manager
integration, so the setting should be set to Microsoft Intune.
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device enrollment.
6. Under Mobile Device Management Authority, select Intune MDM
Authority and click Choose.
Create Groups
7. Close all browser windows.
8. Start Internet Explorer InPrivate mode.
9. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
10. On the left navigation bar, click Azure Active Directory > Groups > All
groups.
11. Click New group.
12. In the Group pane fill in the following values:
Group type: Office 365
Group name: Sales
Membership type: Assigned
Members: Test User1 and Test User2
13. Click Create.
Customize the Company Portal
14. On the left navigation bar, click All services > Intune.
15. Select Mobile apps > Company Portal branding.
16. Configure the following with settings you choose for your lab:
 Company name
 IT department contact name
 IT department phone number
 IT department email address
 Additional information
 Company privacy statement URL
 Support website URL (not displayed)
 Website name (displayed to user)
 Customize the theme color, company logo (PNG/JPG, max. dimension
400x100px) and background for the Company Portal. It is recommended that
you change the default color in your lab to make it easy to identify whether
the Company Portal has been updated.
17. Click Save.
Verify the Company Portal Configuration
18. Close all browser windows.
19. Start Internet Explorer InPrivate mode.
20. Navigate to https://portal.manage.microsoft.com and Sign in with
TU1@<AzureDomainName>.onmicrosoft.com.
21. Review the company portal, browse to Helpdesk and confirm that the
customizations have been applied.

5.1.1.3 Enable Auto MDM Enrollment

In this activity, you will configure automatic MDM enrollment to Intune upon joining Azure AD.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Configure Auto MDM Enrollment for Intune
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and
MAM) > Microsoft Intune.
5. In the MDM User scope setting, select All.
6. Click Save.

5.1.1.4 Add an App

In this activity, you will add an app to Intune which will automatically download once the device
is enrolled into MDM.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Add an App
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Mobile apps > Apps.
6. Click +Add.
7. In the App type dropdown, select Line-of-business app.
Configure App
8. In the Add app pane, click App package file.
9. On the App package file blade, choose the browse button, and select a Windows
installation file with the extension .msi, .appx, or .appxbundle.
A sample .msi file can be downloaded from: https://www.7-zip.org/download.html
10. Click OK.
11. In the Add app pane, click App information.
12. Enter the following information and click OK:
a. Name - Enter the name of the app as it is displayed in the company
portal. Make sure all app names that you use are unique. If the same app
name exists twice, only one of the apps will be displayed to users in the
company portal.
b. Description - Enter a description for the app, which will be displayed to
users in the company portal.
c. Publisher - Enter the name of the publisher of the app.
d. Category - Select one or more of the built-in app categories, or a
category you created. Categorizing apps makes it easier for users to find
the app when they browse the company portal.
e. Display this as a featured app in the Company Portal - Display the
app prominently on the main page of the company portal to appear when
users browse for apps.
f. Information URL - Optionally, enter the URL of a website that contains
information about the app, which will be displayed to users in the
company portal.
g. Privacy URL - Optionally, enter the URL of a website that contains
privacy information for the app. The URL is displayed to users in the
company portal.
h. Command-line arguments - Optionally, enter any command-line
arguments that you want to apply to the .msi file when it runs, like /q.
i. Developer - Optionally, enter the name of the app developer.
j. Owner - Optionally, enter a name for the owner of this app, for example,
HR department.
k. Notes - Enter any notes you would like to associate with this app.
l. Logo - Upload an icon that is associated with the app. The icon is
displayed with the app when users browse the company portal.
13. In the Add app pane, click Add to upload the app to Intune.
Deploy App
14. In the <app name> overview pane, click Assignments.
15. Click Add group.
16. Select Required under Assignment type.
17. Under Included Groups | Selected groups, select Sales.
18. Click Select.
19. Click OK.
20. Click OK again.
21. Click Save.

5.1.1.5 Configure AutoPilot

In this activity, you will import the captured device ID into Intune and create an AutoPilot
deployment profile that is assigned to that device.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Configure AutoPilot
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://www.portal.azure.com/ and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Click Device enrollment > Windows enrollment > Devices.
6. Click Import, and select the MyComputers.csv file saved from before and click
Import.
7. Once imported, to speed up the process, click Sync and then click Refresh until
you see the device.
8. Under the Microsoft Intune pane, click Groups > + New group.
9. Select Group type – Security, Group name – AutoPilot Devices and
Membership type – Assigned.
10. Click Members, select the machine where the name equals the serial number of
the device. Click Select.
11. Click Create.
12. On the Device enrollment > Windows enrollment pane, click Deployment
Profiles > + Create profile.
13. In the Name box, type AutoPilot Test Profile.
14. In the Join to Azure AD as dropdown, select Azure AD joined.
15. Click Out-of-box experience (OOBE).
16. Select Hide for the End user license agreement (EULA) option.
17. Select Hide for the Privacy Settings option.
18. Select Standard for the User account type option.
19. Click Save.
20. Click Create.
21. Click AutoPilot Test Profile, click Assignments, click + Select groups, select
the AutoPilot Devices group just created and click Select.
22. Click Save.
23. Wait for some time for the device to be showing up in Assigned devices under
AutoPilot Test Profile. To speed up the process, click Sync and then click
Refresh until you see the device there.
24. Click the Devices page, and you should be able to see the PROFILE STATUS as
Assigning and then further Assigned.

5.1.1.6 AutoPilot

In this activity, you will walk through the experience of self-service AutoPilot while in OOBE.

Task Detailed Steps


Complete these steps from the CLIENT4 virtual machine.
Task: Perform Azure AD Join
1. Once OOBE has started, in the Let’s start with region pane, select United States then click Yes.
2. On the Is this the right keyboard layout? pane, select US then click Yes.
3. On the Want to add a second keyboard layout? pane, click Skip.
4. In the Sign in with Microsoft pane, sign in with TU1@<AzureDomainName>.onmicrosoft.com then click Next.
5. In the Enter your password pane, enter the password then click Next.
6. On the Choose privacy settings for your device pane, click Accept.
7. Follow the prompts for setting up a PIN for Windows Hello.
8. In the All set! pane, click OK.
Task: Validate Azure AD Join and MDM Enrollment
9. Go to Start > Settings.
10. In the Settings app, browse to Accounts > Access work or school.
11. Confirm that Connected to <CompanyName>’s Azure AD is displayed.
Complete these steps from an internet-connected Windows computer.
Task: Validate Azure AD and MDM Enrollment
12. Close all browser windows.
13. Start Internet Explorer InPrivate mode.
14. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
15. On the left navigation bar, click Azure Active Directory > Users > All users > Test User1.
16. Click Devices.
17. Confirm that the device is listed there and the following settings are configured:
JOIN TYPE: Azure AD joined
MDM: Microsoft Intune
Complete these steps from the HYPER-V Host.
Task: Revert Virtual Machines
1. Revert HYD-CLIENT4 to the latest checkpoint.

5.1.2 In-Place Upgrade


For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path
for deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform
an in-place upgrade, which automatically preserves all data, settings, applications, and drivers
from the existing operating system version. This requires the least effort, because there is no
need for any complex deployment infrastructure.

In this section, you will automate the upgrade through System Center Configuration Manager for enterprise-wide deployments or, optionally, perform a manual upgrade for very small-scale scenarios. At the end of the section, the device will be upgraded to Windows 10.

Note: The Trial Download of the Windows 10 Enterprise Media does not allow an In-Place
Upgrade to be performed. To complete this lab, Windows 10 Enterprise Media must be sourced
from either MSDN Subscriber Downloads or from the Volume Licensing Site of the customer.

Note: This lab can only be performed if the System Center Configuration Manager environment
is on Current Branch.

5.1.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Task: Download the Latest MSDN Version of Windows 10 Enterprise
1. Open File Explorer then browse to C:\Packages.
2. In the Packages folder, create a folder named Windows 10 MSDN.
3. Open Internet Explorer and browse to the URL below.
https://msdn.microsoft.com/subscriptions/securedownloads/
4. From the website, sign in with your MSDN registered account.
5. In the Search field, enter Windows 10.
6. Search for Windows 10 (business editions), Version 1803 (Updated March 2018) (x64) – DVD (English) and download it to C:\Packages\Windows 10 MSDN.

5.1.2.2 Perform an In-Place Upgrade of Windows 7 Using System Center Configuration Manager (Current Branch)

This activity will perform an in-place upgrade of the Windows 7 device to Windows 10 using
System Center Configuration Manager (current branch).

Note: Only perform this activity if the System Center Configuration Manager deployed is version
1802 or newer. If not, skip this and perform the next section.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Task: Import the Windows 10 Upgrade Package
1. Navigate to C:\Packages\Windows 10 MSDN and mount the ISO.
2. Navigate to the C:\Packages folder and create a folder named Windows10Media.
3. Copy the contents of the mounted ISO to C:\Packages\Windows10Media.
4. Eject the ISO and delete the C:\Packages\Windows 10 MSDN folder.
5. Open the Configuration Manager Console and browse to Software Library > Operating Systems > Operating System Upgrade Packages.
6. Click Add Operating System Upgrade Package.
7. On the Data Source page, under Path enter \\CM1\Packages$\Windows10Media then click Next.
8. On the General page, under Name enter Windows 10 1803 x64 then click Next.
9. On the Summary page, click Next.
10. Once complete, click Close.
Task: Create an Upgrade Task Sequence
11. In the Configuration Manager Console, switch to the Software Library workspace, expand Operating Systems, right-click Task Sequences, and select Create Task Sequence.
12. On the Create a new task sequence page, select Upgrade an operating system from an upgrade package then click Next.
13. On the Specify task sequence information page, under Task sequence name enter Upgrade to Windows 10 then click Next.
14. On the Select an operating system upgrade package page, click Browse.
15. In the Select an Operating System Upgrade Package window, select Windows 10 1803 x64 en-US then click OK.
16. For Specify the edition index and licensing information for this upgrade package, if required, select 3 – Windows 10 Enterprise from the dropdown.
17. On the Select an operating system upgrade package page, click Next.
18. On the Include software updates page, click Next.
19. On the Install Applications page, click Next.
20. On the Summary page, click Next.
21. Once complete, click Close.
Task: Distribute Content to DPs
22. In the Configuration Manager Console, switch to the Software Library workspace, expand Operating Systems > Task Sequences, right-click Upgrade to Windows 10 and select Distribute Content.
23. Enter the following information:
General – Click Next.
Content – Click Next.
Content Destination – Click Add > Distribution Point. Select CM1.CORP.CONTOSO.COM, click OK and then click Next.
Summary – Click Next, then click Close. Confirm under Monitoring > Distribution Status > Content Status that the content has been distributed.
Task: Create a Collection to Deploy the Task Sequence
24. Select the Assets and Compliance workspace and select Device Collections.
25. Right-click Device Collections and select Create Device Collection.
26. Enter the following information:
General
Name – Enter In-Place Upgrade.
Limiting collection – Select All Desktop and Server Clients and click Next.
Select Use incremental updates for this collection.
Click Next.
Accept the warning.
Summary – Click Next, then click Close.
Task: Add the Windows 7 Device to the Collection
27. In the Assets and Compliance workspace, select Devices and right-click WIN7.
28. Select Add Selected Items and then click Add Selected Items to Existing Device Collection.
29. Select In-Place Upgrade and click OK.
30. Select Device Collections, right-click In-Place Upgrade, and select Update Membership. Click Yes on the warning box to continue.
Task: Deploy the Task Sequence
31. Select Software Library > Operating Systems > Task Sequences.
32. Right-click the Upgrade to Windows 10 task sequence and select Deploy.
33. Enter the following information:
General – Collection – click Browse…, click OK on the warning and select the In-Place Upgrade collection. Click OK and then click Next.
34. On the Deployment Settings page, specify the following information:
Purpose: Choose Required.
Then click Next.
35. On the Scheduling page, specify the following information:
Click New (next to Assignment schedule) and select Assign immediately after this event. Accept the defaults and click OK.
Rerun behavior: Set to Rerun if failed previous attempt.
Then click Next.
36. On the User Experience page, keep the default settings and click Next.
37. On the Alerts page, keep the default settings and click Next.
38. On the Distribution Points page, specify the following information:
Deployment options: Choose Download content locally when needed by the running task sequence.
39. Click Next, click Next again and then click Close to finish the deployment wizard.
Complete these steps on the WIN7 virtual machine.
Task: Refresh Policy on the Windows 7 Device
40. On the Windows 7 device, log on as corp\labadmin and open the Control Panel. Select the Configuration Manager icon.
41. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes.
Note: As soon as the deployment is available, the client will start the installation after a few minutes. The In-Place Upgrade task sequence will then initiate and upgrade the Windows 7 device to Windows 10 without further user intervention.

5.1.2.3 Manual Upgrade

In this section, you will perform a manual in-place upgrade to Windows 10 on a customer-provided device. The requirements are as follows:

• Customer Provided Devices (Reference Devices) with a Corporate Image pre-installed.
• The pre-installed Corporate Image must be Windows 7 or later.
• Windows 10 Installation Files.

Task Detailed Steps


Complete these steps on the device provided by the customer.
Task: Extract Windows 10 Media
1. Extract the files from the Windows 10 ISO to a USB drive. The ISO is the Windows 10 (business editions), Version 1803 (Updated March 2018) (x64) – DVD (English) image downloaded from MSDN, that is, the April 2018 Update (version 1803, build 17134).
Task: Perform Manual In-Place Upgrade
2. Insert the USB drive into the reference device that will be upgraded.
3. Navigate to the drive using Windows Explorer.
4. Start setup.exe with elevated rights from the USB drive and accept the UAC prompt.
5. Review any options and compatibility information that is provided.
6. Complete the upgrade.
7. Evaluate the system to ensure that migrated applications and data are retained.
8. Investigate applications that were installed in the corporate image and note any incompatibilities.

5.1.3 Provisioning Packages


In this activity, you will create a provisioning package that will be used to perform AAD Join for
onboarding new devices.

Note: Download and install the latest Windows 10 Assessment and Deployment Kit (https://go.microsoft.com/fwlink/?linkid=873065) on CLIENT1.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.
Task: Create Device Onboarding Provisioning Package
1. Click Start and browse to Windows Kits > Windows Imaging and Configuration Designer.
2. Click Provision desktop devices.
3. In the Name field, type OnboardingDevices then click Finish.
4. In the Set up device tab, enter the following settings then click Next:
DEVICE NAME: Contoso-%SERIAL%
REMOVE PRE-INSTALLED SOFTWARE: No
5. In the Set up network tab, under Connect devices to a Wi-Fi network select Off. Click Next.
6. In the Account management tab, select Enroll in Azure AD, enter the following settings then click Next:
BULK TOKEN EXPIRY: Current date
BULK AAD TOKEN: Click the button and follow the steps below:
a. In the Let’s get you signed in pane, sign in using TU2@<AzureDomainName>.onmicrosoft.com and click Next.
b. In the Enter password pane, enter the password and click Sign in.
c. In the Allow Windows Configuration Designer (WCD) to access your account? pane, click Accept.
d. In the Add this account to Windows pane, click Skip for now.
USERNAME: LabAdmin
PASSWORD: P@ssw0rd
7. In the Add applications tab, click Next.
8. In the Add certificates tab, click Next.
9. In the Finish tab, click Create and click the link for the location of the package.
10. Close the Windows Configuration Designer.
11. Copy the OnboardingDevices folder to \\DC1\c$\Packages.
Complete these steps on the CLIENT4 virtual machine.
Task: Apply Provisioning Package
12. Copy the OnboardingDevices.ppkg package to the Desktop from \\DC1\C$\Packages\OnboardingDevices.
13. Double-click the OnboardingDevices.ppkg package to run it. Accept the prompts.
Task: Validate Onboarding
14. In the log in screen, click Other user and log in using the TU2@<AzureDomainName>.onmicrosoft.com account.
15. In the Your organization requires Windows Hello setting, click Set up PIN then configure the PIN.
Note: Additional verification may be required.
16. In the All set! pane, click OK.
17. Go to Start > Settings.
18. In the Settings app, browse to Accounts > Access work or school.
19. Confirm that under Access work or school, Connected to <CompanyName>’s Azure AD is displayed.
Complete these steps from an internet-connected Windows computer.
Task: Validate Azure AD and MDM Enrollment
20. Close all browser windows.
21. Start Internet Explorer InPrivate mode.
22. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
23. On the left navigation bar, click Azure Active Directory > Users > All users > package_GUID.
24. Click Devices.
25. Confirm that the device is listed there and the following settings are configured:
JOIN TYPE: Azure AD joined
MDM: Microsoft Intune
Complete these steps from the HYPER-V Host.
Task: Revert Virtual Machines
26. Revert HYD-CLIENT4 to the latest checkpoint.

5.1.4 Optimize Windows 10 Update Delivery

When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution, Delivery Optimization and BranchCache, and both can be used with several of the servicing tools for Windows 10.

• Delivery Optimization is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.

• BranchCache is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.

Note: System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you manage with System Center Configuration Manager, within the same Configuration Manager boundary group. For more information, see Client Peer Cache.

Task Detailed Steps


Complete these steps on the HYD-CM1 virtual machine.
Task: Configure Delivery Optimization
8. In the Group Policy Management Console, open Domains > corp.contoso.com > CORP.
9. Right-click the Organizational Unit created above and click Create a GPO in this domain and link it here.
10. Right-click the new GPO and click Edit.
11. Go to Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization to configure Delivery Optimization settings.
12. Click Apply. For more information, see Configure Delivery Optimization for Windows 10 updates.
Task: Enable BranchCache on Client Computers
13. In the Group Policy Management Console, open Domains > corp.contoso.com > CORP.
14. Right-click the Organizational Unit created above and click Create a GPO in this domain and link it here.
15. Right-click the new GPO and click Edit.
16. Go to Configuration\Policies\Administrative Templates\Policy definitions (ADMX files) retrieved from the local machine, then Network, and then click BranchCache.
17. Click Apply.
18. For more information, see Branch Cache Client Configuration.

5.2 Modern Device Management


Use of personal devices for work, as well as employees working outside the office, may be
changing how your organization manages devices. Certain parts of your organization might
require deep, granular control over devices, while other parts might seek lighter, scenario-based
management that empowers the modern workforce. Windows 10 offers the flexibility to respond
to these changing requirements, and can easily be deployed in a mixed environment. You can
shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules
used in your organization.

5.2.1 Mobile Device Management using Microsoft Intune


In this lab, you will set up and configure Windows 10 Mobile Device Management (MDM) with Microsoft Intune.

5.2.1.1 Enable Base Device Management for Intune Standalone

After you complete the following tasks, you are ready to manage mobile devices and computers.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Task: Enable Device Management. Set Mobile Device Management Authority
Note: Before you can enroll mobile devices, you must prepare the Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace. The mobile device management authority setting determines whether you manage mobile devices with Intune or with System Center Configuration Manager with Intune integration. This guidance assumes Intune is used without System Center Configuration Manager integration, so the setting should be set to Microsoft Intune.
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device enrollment.
6. Under Mobile Device Management Authority, select Intune MDM Authority and click Choose.
Task: Create Groups
7. Close all browser windows.
8. Start Internet Explorer InPrivate mode.
9. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
10. On the left navigation bar, click Azure Active Directory > Groups > All groups.
11. Click New group.
12. In the Group pane fill in the following values:
Group Type: Office 365
Group Name: Sales
Membership Type: Assigned
Members: Test User1 and Test User2
13. Click Create.
Task: Customize the Company Portal
14. On the left navigation bar, click All services > Intune.
15. Select Mobile apps > Company Portal branding.
16. Configure the following with settings you choose for your lab:
• Company name
• IT department contact name
• IT department phone number
• IT department email address
• Additional information
• Company privacy statement URL
• Support website URL (not displayed)
• Website name (displayed to user)
• Customize the theme color, company logo (PNG/JPG, max. 400x100 px) and background for the Company Portal. It is recommended that you change the default color in your lab to make it easy to identify whether the company portal has been updated.
17. Click Save.
Task: Verify the Company Portal Configuration
18. Close all browser windows.
19. Start Internet Explorer InPrivate mode.
20. Navigate to https://portal.manage.microsoft.com and sign in with TU1@<AzureDomainName>.onmicrosoft.com.
21. Review the company portal, browse to Helpdesk and confirm that the customizations have been applied.

5.2.1.2 Enroll a Windows 10 Device

This section outlines how to enroll a Windows 10 device into Microsoft Intune for MDM.

Task Detailed Steps


Complete these steps on the CLIENT3 virtual machine.
Task: Enroll a Windows 10 Device in Intune
1. Log in to the virtual machine as LabAdmin and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Click Enroll only in device management.
4. The Set up a work or school account dialog box appears, asking for the account to enroll the device with.
5. Provide the TU1@<AzureDomainName>.onmicrosoft.com account and click Next.
6. In the Microsoft Intune Enrollment page, enter the password then click Sign in. Click Got it.
7. In the Settings app, you should see that the device is now connected to the corporate MDM.
8. Select Connected to <CompanyName> MDM then click Info.
9. Click Sync and confirm that the sync was successful.
Complete these steps from an internet-connected Windows computer.
Task: Check Windows 10 Device Enrollment in Microsoft Intune
Note: In this example, we will look at the device details in Microsoft Intune and see that it already recognizes Windows 10 as an operating system.
10. Start Internet Explorer InPrivate mode.
11. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
12. On the left navigation bar, click All services > Intune.
13. Select Devices > All devices.
14. Click the Windows 10 device that you have enrolled (CLIENT3). Observe the information that has been collected about the device in all the tabs.

5.2.1.3 Configure Policy Settings and Policies based on OMA-URI

This section outlines how to configure policies for Windows 10 in Intune, both those available through the Intune interface and a policy delivered through OMA-URI.

Use the Microsoft Intune Windows Phone OMA-URI policy to deploy OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings that can be used to control features on Windows Phone devices. These are standard settings that many mobile device manufacturers use to control device features.

This capability is intended to allow you to deploy Windows 10 settings that are not configurable with an Intune policy. For information about the settings you can configure with these policies, see Configure Security Policy for Mobile Devices in Microsoft Intune.

For help creating OMA-URI settings for Windows 10 services, see the Windows Phone 10 CSP documentation at http://aka.ms/win10csp.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Task: Create an OMA-URI Policy to Disable Cortana
1. Start Internet Explorer InPrivate mode.
2. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
3. On the left navigation bar, click All services > Intune.
4. Select Device configuration > Profiles > + Create profile.
5. In the Name field, type Windows 10 – Disable Cortana.
6. Under Platform, select Windows 10 and later.
7. Under Profile type, select Custom.
8. In the Custom OMA-URI Settings pane, click Add.
9. In the Name field enter Windows 10 – Disable Cortana.
10. In the OMA URI field enter (case sensitive and starting with a period):
./Vendor/MSFT/Policy/Config/Experience/AllowCortana
11. For Data type select Integer.
12. For Value enter 0 (0 means the setting is not allowed).
13. Click OK | OK.
14. Click Create.
15. In the Windows 10 – Disable Cortana profile pane, select Assignments.
16. Click Select groups to include.
17. In the Select field, type Sales and select it.
18. Click Select.
19. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Task: Confirm the URI Configurations are Applied
20. Log in to the virtual machine as LabAdmin and go to Start > Settings.
21. In the Settings app, browse to Accounts > Access work or school.
22. Select Connected to <CompanyName> MDM then click Info.
23. Click Sync to force a policy update and confirm that the sync was successful.
24. Note that the Cortana icon in the task bar was replaced with a Search icon.
25. In the Settings app, note that the Cortana category was replaced with Search.
Complete these steps from an internet-connected Windows computer.
Task: Configure Windows Defender
26. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
27. On the left navigation bar, click All services > Intune.
28. Select Device configuration > Profiles > + Create profile.
29. In the Name field, type Allow Real Time Protection on Win 10 Desktops.
30. Under Platform, select Windows 10 and later.
31. Under Profile type, select Custom.
32. In the Custom OMA-URI Settings pane, click Add.
33. In the Name field type Allow Real Time Protection on Win 10 Desktops.
34. Under OMA-URI Settings, click Add…
35. In the Name field enter Allow Real Time Protection.
36. In the OMA URI field enter (case sensitive and starting with a period):
./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
37. For Data type select Integer.
38. For Value enter 1 (1 means the setting is allowed).
39. Click OK.
40. Click OK.
41. Click Create.
42. In the Allow Real Time Protection on Win 10 Desktops device configuration profile pane, select Assignments.
43. Click Select groups to include.
44. In the Select field, type Sales and select it.
45. Click Select.
46. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Task: Verify Configuration is Applied
47. Log in to the virtual machine as LabAdmin and go to Start > Settings.
48. In the Settings app, browse to Accounts > Access work or school.
49. Select Connected to <CompanyName> MDM then click Info.
50. Click Sync to force a policy update and confirm that the sync was successful.
51. In the Settings app, go to Update & Security > Windows Security and click Open Windows Defender Security Center.
52. In the Windows Defender Security Center app, navigate to Virus & threat protection and click Virus & threat protection settings.
53. Confirm that the Real-time protection setting is turned On and greyed out, which shows that the policy is enforced.

5.2.2 Dynamic Management with Windows 10


In this lab, you will set up and configure dynamic management policies for Windows 10. For a list of available dynamic management policies, visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/dynamicmanagement-csp.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Task: Configure Dynamic Management Policy
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device configuration > Profiles > + Create profile.
6. In the Name field, type DisableCameraInCorporateNetwork.
7. Under Platform, select Windows 10 and later.
8. Under Profile type, select Custom.
9. In the Custom OMA-URI Settings pane, click Add.
10. In the Name field enter SettingsPack.
11. In the OMA URI field enter (case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SettingsPack
12. For Data type select String. For Value enter:
<SyncML>
  <SyncBody>
    <Replace>
      <CmdID>1331</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>0</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
13. Click OK.
14. In the Custom OMA-URI Settings pane, click Add.
15. In the Name field enter SignalDefinition.
16. In the OMA URI field enter (case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SignalDefinition
17. For Data type select String. For Value enter:
<rule schemaVersion="1.0">
  <signal type="ipConfig">
    <ipv4Gateway>10.0.0.254</ipv4Gateway>
  </signal>
</rule>
18. Click OK.
19. In the Custom OMA-URI Settings pane, click Add.
20. In the Name field enter NotificationsEnabled2.
21. In the OMA URI field enter (case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/NotificationsEnabled
22. For Data type select Boolean. For Value select True.
23. Click OK | OK.
24. Click Create.
25. In the DisableCameraInCorporateNetwork device configuration profile pane, select Assignments.
26. Click Select groups to include.
27. In the Select field, type Sales and select it.
28. Click Select.
29. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Task: Verify Policy is Applied
30. Log in to the virtual machine as LabAdmin and go to Start > Settings.
31. In the Settings app, browse to Accounts > Access work or school.
32. Select Connected to <CompanyName> MDM then click Info.
33. Click Sync to force a policy update and confirm that the sync was successful.
34. From the Virtual Machine Connection window, go to File > Settings.
35. In the Settings window, under Network Adapter, disable the Corpnet Virtual Switch.
36. In the Settings app, go back to Privacy > Camera.
Note: The camera is currently turned On and unmanaged because the machine is on the internet network.
37. From the Virtual Machine Connection window, go to File > Settings.
38. In the Settings window, under Network Adapter, disable the External Virtual Switch and enable the Corpnet Virtual Switch.
39. In the Settings app, refresh the Privacy > Camera view.
40. Confirm that *Some settings are hidden or managed by your organization is shown.
Note: The camera is turned Off and fully managed because the machine is on the corporate network.
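As an added example that is not part of the lab guide, the following Python script builds and sanity-checks the custom OMA-URI settings entered by hand in sections 5.2.1.3 and 5.2.2 (the Cortana and Defender policy values, and the Dynamic Management SettingsPack and SignalDefinition XML) before they are pasted into the portal. The node catalog, the OmaUriSetting type and the validation rules are assumptions based on the guide's own notes (paths are case sensitive and start with a period); the sample settings are constructed from the values above.

```python
# Added example, not part of the lab guide: build and sanity-check the custom
# OMA-URI settings that sections 5.2.1.3 and 5.2.2 enter by hand. The node
# catalog and validation rules are assumptions drawn from the guide's own notes
# (paths are case sensitive and start with a period).
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MSFT_PREFIX = "./Vendor/MSFT/"

# CSP nodes used in this lab, relative to MSFT_PREFIX (constructed catalog).
KNOWN_NODES = {
    "Policy/Config/Experience/AllowCortana",
    "Policy/Config/Defender/AllowRealtimeMonitoring",
    "Policy/Config/Camera/AllowCamera",
    "DynamicManagement/Contexts/NetworkBased/SettingsPack",
    "DynamicManagement/Contexts/NetworkBased/SignalDefinition",
    "DynamicManagement/NotificationsEnabled",
}


@dataclass(frozen=True)
class OmaUriSetting:
    name: str
    oma_uri: str
    data_type: str  # "Integer", "String" or "Boolean", as offered in the portal
    value: object


def validate_setting(setting):
    """Return a list of problems; an empty list means the setting is well formed."""
    problems = []
    uri = setting.oma_uri
    if not uri.startswith(MSFT_PREFIX):
        problems.append("OMA-URI must start with " + MSFT_PREFIX)
    elif "//" in uri or uri.endswith("/") or any(c.isspace() for c in uri):
        problems.append("OMA-URI has an empty segment or whitespace")
    else:
        node = uri[len(MSFT_PREFIX):]
        by_lower = {n.lower(): n for n in KNOWN_NODES}
        if node in KNOWN_NODES:
            pass
        elif node.lower() in by_lower:  # right letters, wrong case: the guide warns paths are case sensitive
            problems.append("OMA-URI case mismatch; expected " + MSFT_PREFIX + by_lower[node.lower()])
        else:
            problems.append("unknown CSP node " + node)
    value = setting.value
    if setting.data_type == "Integer":
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append("Integer setting needs an int value")
    elif setting.data_type == "Boolean":
        if not isinstance(value, bool):
            problems.append("Boolean setting needs True or False")
    elif setting.data_type == "String":
        if not isinstance(value, str):
            problems.append("String setting needs a str value")
    else:
        problems.append("unsupported data type " + setting.data_type)
    return problems


def build_settings_pack(loc_uri, value, cmd_id=1331):
    """Serialize the SyncML SettingsPack the guide pastes as a String value (int data only)."""
    root = ET.Element("SyncML")
    body = ET.SubElement(root, "SyncBody")
    replace = ET.SubElement(body, "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = loc_uri
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = "int"
    ET.SubElement(item, "Data").text = str(int(value))
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_settings_pack(xml_text):
    """Read a SettingsPack back and return (cmd_id, loc_uri, format, data)."""
    root = ET.fromstring(xml_text)
    replace = root.find("SyncBody/Replace")
    item = replace.find("Item")
    return (int(replace.findtext("CmdID")), item.findtext("Target/LocURI"),
            item.findtext("Meta/{syncml:metinf}Format"), item.findtext("Data"))


def build_signal_definition(ipv4_gateway):
    """Serialize the NetworkBased SignalDefinition rule (gateway match) from section 5.2.2."""
    rule = ET.Element("rule", {"schemaVersion": "1.0"})
    signal = ET.SubElement(rule, "signal", {"type": "ipConfig"})
    ET.SubElement(signal, "ipv4Gateway").text = ipv4_gateway
    return ET.tostring(rule, encoding="unicode")


# The settings from the guide's three custom profiles, as constructed sample input.
LAB_SETTINGS = [
    OmaUriSetting("Windows 10 - Disable Cortana", MSFT_PREFIX + "Policy/Config/Experience/AllowCortana", "Integer", 0),
    OmaUriSetting("Allow Real Time Protection", MSFT_PREFIX + "Policy/Config/Defender/AllowRealtimeMonitoring", "Integer", 1),
    OmaUriSetting("SettingsPack", MSFT_PREFIX + "DynamicManagement/Contexts/NetworkBased/SettingsPack", "String",
                  build_settings_pack(MSFT_PREFIX + "Policy/Config/Camera/AllowCamera", 0)),
    OmaUriSetting("SignalDefinition", MSFT_PREFIX + "DynamicManagement/Contexts/NetworkBased/SignalDefinition", "String",
                  build_signal_definition("10.0.0.254")),
    OmaUriSetting("NotificationsEnabled2", MSFT_PREFIX + "DynamicManagement/NotificationsEnabled", "Boolean", True),
]


def check_all(settings):
    """Map each setting name to its problem list, to review before pasting values into the portal."""
    return {s.name: validate_setting(s) for s in settings}


if __name__ == "__main__":
    for name, problems in check_all(LAB_SETTINGS).items():
        print(name, "OK" if not problems else problems)
```

A value that fails validation here (wrong case, missing leading period, a Boolean typed as Integer) is exactly the kind of entry that the portal accepts but the device then silently fails to apply, so the sync in the verification steps succeeds while the setting does nothing.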

5.2.3 Mobile App Management for Non-Managed Windows 10 Devices

The Windows version of mobile application management (MAM) is a lightweight solution for
managing company data access and security on personal devices. MAM support is built into
Windows on top of Windows Information Protection (WIP), starting in Windows 10, version
1803.

In this lab, you will setup and configure Mobile App Management for an unmanaged Windows
10 device.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Configure MAM 1. Close all browser windows.
Service 2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and
MAM) > Microsoft Intune.
5. In the MAM User scope setting, select All.
6. Click Save.
Configure MAM 7. In the Microsoft Azure navigation bar, select All services > Intune App
Policy Protection > App protection policies.
8. Click Add a policy.
9. In the Name field type Windows 10 MAM.
10. In the Platform setting, select Windows 10.
11. Click Protected apps then click Add apps.
12. In the Add Apps pane, select Microsoft Edge, IE11 and Notepad then click OK.
13. In the Protected apps pane, confirm that the selected apps are listed then click
OK.
14. Click Required settings.
15. Under Windows Information Protection mode, select Block then click OK.
16. Click Advanced settings.
17. In the Advanced settings pane, click Add network boundary.
18. In the Add network boundary pane, enter the following then click OK.
BOUNDARY TYPE: Cloud resources
NAME: SharePoint online
VALUE: <AzureDomainName>.sharepoint.com
19. In the Advanced settings pane, under Show the enterprise data protection
icon, click On.
20. Click OK.
21. Click Create.
Deploy MAM Policy
22. Select Windows 10 MAM > Assignments.
23. Click + Select groups to include.
24. In the Select groups to include pane, enter Sales, select it and then click Select.
Complete these steps on the CLIENT4 virtual machine.
Create test file
25. Login to the virtual machine as LabAdmin.
26. Right-click on the desktop and select New > Text Document.
27. Rename the file to Sample Document.
28. Open Sample Document.txt.
29. In the Notepad window, enter This is a sample corporate file. then click Save.
30. Close the file.
31. Open Internet Explorer and navigate to
https://<AzureDomainName>.sharepoint.com.
32. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
33. On the left navigation, click Documents.
34. From the desktop, drag and drop the Sample Document.txt file into the
Documents library to upload the file.
35. Once uploaded, delete the Sample Document.txt file from the Desktop.
36. Close all browser windows.
Connect Corporate Account
37. Click Start > Settings.
38. In the Settings app, browse to Accounts > Access work or school.
39. Click Connect.
40. In the Set up a work or school account pane, enter
TU2@<AzureDomainName>.onmicrosoft.com then click Next.
41. Enter the password then click Sign in.
42. In the Help us protect your account pane, click Set it up now then configure the
verification requirements.
43. In the Create a PIN pane, click Create PIN then configure the PIN.
Note: Additional verification may be required.
44. Click Next.
45. In the Settings app, browse to Accounts > Access work or school.
46. Select Work or school account then click Info.
47. Click Sync to force a policy update and confirm that the sync was successful.
Verify MAM Policies
48. Open Internet Explorer and navigate to
https://<AzureDomainName>.sharepoint.com.
49. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
Note: <AzureDomainName>.sharepoint.com is a protected cloud resource, and both IE11 and
Microsoft Edge were selected as protected apps (both are enlightened apps), so a briefcase
icon is shown in the address bar to indicate that the site is protected. When the browser or
another tab navigates away from this site, the briefcase icon goes away.
50. On the left navigation, click Documents.
51. Select Sample Document.txt and click Download.
52. Save the file to the Documents folder.
Note: The briefcase icon under File Name indicates that the file is protected.
53. In the taskbar, open File Explorer and browse to the Documents folder.
Note: The briefcase icon in the file icon and the <AzureDomainName> under the File
ownership column indicate that the file is protected.
54. Open the Sample Document.txt file using Notepad. The file should open
because Notepad is a managed app (policy).
Note: The briefcase icon beside the minimize button indicates that the file is protected.
55. Close Notepad.
56. Open the Sample Document.txt file using WordPad. The file will not open and
a dialog box will show up to indicate that access to the file is denied.
Note: WordPad is not a managed app and therefore cannot open protected files.
57. Close WordPad.
58. In the Documents folder, right-click on Sample Document.txt and select File
ownership.
Note: The Personal option is currently disabled because the policy is configured to hide
overrides. If the policy is configured to allow overrides, users can remove protection from
the file by selecting Personal.

5.2.4 Co-Management
Starting with Configuration Manager version 1802, co-management enables you to concurrently
manage Windows 10, version 1803 (also known as the April 2018 Update) devices by using both
Configuration Manager and Intune. It’s a solution that provides a bridge from traditional to
modern management and gives you a path to make the transition using a phased approach.

After you enable co-management, Configuration Manager continues to manage all workloads.
When you decide that you are ready, you can have Intune start managing available workloads.
You can have Intune manage the following workloads: Compliance policies, Windows Update for
Business policies, Resource Access policies, and Endpoint Protection.

5.2.4.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Configure Azure AD Connect with Device Sync
Complete the steps defined in Section 3.3.4.

5.2.4.2 Enable Co-Management for Automatic Enrollment

Once co-management is enabled, devices in the Pilot group can automatically enroll into
Intune. This requires using a verified domain during the setup process of Azure AD Connect.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Create a Device Collection
1. Open the Configuration Manager Console, browse to the Assets and Compliance
workspace and select Device Collections.
2. Right click Device Collections and select Create Device Collection.
3. Input the following information:
General
Name – Enter Co-managed Devices
Limiting collection – Select All Desktop and Server Clients and click Next.
Select Use incremental updates for this collection.
Click Next.
Accept the Warning.
4. Summary – click Next, click Close.
Add a Device to the Collection
5. In the Assets & Compliance workspace, select Devices and right-click Client1.
6. Select Add Selected Items and then click Add Selected Items to Existing
Device Collection.
7. Select Co-managed devices and click OK.
8. Select Device Collections, right-click Co-managed devices, and select Update
Membership. Click Yes on the warning box to continue.
Enable Co-Management
9. Open the Configuration Manager Console, browse to Administration > Cloud
Services > Co-management.
10. Click Configure co-management.
11. In the Co-management Configuration Wizard, Sign In to Intune using
labadmin@<AzureDomainName>.onmicrosoft.com. Click Next.
12. Click Next on the Enablement page.
13. Click Next on the Configure Workloads page.
14. Select Co-managed Devices device collection for the Intune Pilot. Click Next.
15. Click Next on the Summary page. Click Close.

5.2.4.3 Co-Manage Devices with the Configuration Manager Client

For unverified domains, co-management can still be enabled by enrolling the domain-joined
device into Intune.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.
Log in to Client 1
1. Log in as CORP\LabAdmin with password P@ssw0rd.
2. Open the Settings app, and click Accounts > Access work or school, and click
on + Connect.
3. Log in using TU1@<AzureDomainName>.onmicrosoft.com. Click Got it.
Complete these steps from an internet-connected Windows computer.
Check Windows 10 Device Enrollment in Microsoft Intune
Note: In this example, we will look in Microsoft Intune to see the device details and we
can see that it already recognizes Windows 10 as an operating system in Microsoft Intune.
4. Start Internet Explorer InPrivate mode.
5. Navigate to https://portal.azure.com and sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
6. On the left navigation bar, click All services > Intune.
7. Select Devices > All devices.
8. Click on the Windows 10 device that you have enrolled (CLIENT1). Observe the
information that has been collected about the device.
Complete these steps on the CM1 virtual machine.
Check Co-Management Portal
9. Open the Configuration Manager Console, browse to Monitoring > Co-management.
10. Confirm 1 device is listed on the Co-managed devices graph. Note: This data
will take some time to appear.
5.3 Office 365 ProPlus Deployment
Office365 ProPlus is the modern Office client suite that comes with Office365. The suite is like
other versions of Office, but it differs in:

 Licensing
 Deployment
 Updates (Channel Management)

Further information on the similarities and differences is in About Office 365 ProPlus in the
enterprise.

Office365 ProPlus can be deployed in 3 scenarios:

 Enterprise Managed
 Locally Managed
 Cloud Managed

Further information on the 3 scenarios is in Best practices: Recommended deployment
scenarios.

Office365 ProPlus is updated through update channels. The 3 channels are:

 Monthly
 Semi-Annual (Targeted)
 Semi-Annual

Further information on Office365 ProPlus channels is in Overview of update channels for
Office 365 ProPlus.

Note: The URL http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html is
broken at the moment. Sample configuration files can be copied from
https://docs.microsoft.com/en-us/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?redirectSourcePath=%252fen-us%252farticle%252fd3879f0d-766c-469c-9440-0a9a2a905ca8

5.3.1 Cloud Managed Deployment


In this activity, you will deploy Office365 ProPlus from the Content Delivery Network (CDN) using
the Office Deployment Tool (ODT) and a configuration XML, set Semi-Annual as the update channel,
update Office365 ProPlus, remove an application from and add a language to an already deployed
installation, and remove Office365 ProPlus.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Download Office Deployment Tool
1. Log on as corp\labadmin.
2. Remove the existing installation of Office 365 ProPlus and if required reboot.
3. On the taskbar, open File Explorer and browse to C:\ and create a folder named
ODT.
4. Open Internet Explorer and browse to the URL below.
https://www.microsoft.com/en-us/download/details.aspx?id=49117
5. From the website, click Download.
6. Save the installer to C:\ODT.
Extract ODT
7. Double-click to start the extraction of the ODT and accept the UAC prompt.
8. Accept the License Terms and click Continue.
9. Navigate to C:\ODT and click OK.
10. Click OK after successful Extraction.
Create Installation XML
11. The Sample Download File with all Office Applications – Semi-Annual Channel
from Best practices: Sample configuration files for downloading Office 365
ProPlus will be used.
12. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
13. In the Semi-Annual Channel Column, record the version number of the previous
month.
14. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
15. Click Close at the first dialog.
16. Select Semi-Annual Channel under Channel.
17. Click Add Product.
Note: The UpdatePath is left blank. When the update path is blank, Office365
ProPlus will update from the CDN.
18. Select the Version that was recorded earlier under Version.
19. Select the Build that was recorded earlier under Build.
20. Click Save.
21. Click Export.
22. Save the file as newconfiguration.xml to C:\ODT.
Deploy Office365 ProPlus
23. Type CMD in the “Type here to search” box.
24. Right-click Command Prompt.
25. Select Run as Administrator. Accept the UAC prompt.
26. Change directory to C:\ODT.
27. Type setup.exe /configure newconfiguration.xml.
28. Press Enter.
29. Office will begin the installation.
30. Click Close.
Update Office365 ProPlus
31. Click Start.
32. Select Word 2016.
33. Click the X in Activate Office.
34. Click File.
35. Click Account.
36. Click Update Options.
37. Click Update Now.
Note: Office365 ProPlus will download the updates and apply the updates from the
CDN.
38. Click Continue when prompted to close the applications requiring updates.
Note: Office365 ProPlus only requires the applications being updated to be closed.
39. Click the X in Activate Office.
40. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
41. In the Semi-Annual Channel Column record the version number of the current
month.
42. Click File.
43. Click Account.
44. Compare the Office Updates Version and Build Number to the version
recorded of the current month.
45. Close Word 2016.
Remove an Application from Office365 ProPlus
46. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
47. Click Close at the first dialog.
48. Select Semi-Annual Channel under Channel.
49. Click Add Product.
50. Select the Version and Build that is currently installed.
51. Click Exclude Programs.
52. Select Access.
53. Click Save.
54. Click Export.
55. Save the file as removeaccess.xml.
56. Save the file to C:\ODT.
57. Back in CMD, type setup.exe /configure removeaccess.xml.
58. Press Enter.
59. Office will begin the installation.
60. Click Close.
Note: The Microsoft Access icon will not be displayed during the installation.
Add a Language to Office365 ProPlus
61. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
62. Click Close at the first dialog.
Note: If adding a language, set the first language to the client’s culture language. If
the first language does not match the client’s culture, the chosen language will
become the Shell UI language.
63. Select Semi-Annual Channel under Channel.
64. Select Spanish (es-es) under Language.
65. Click Add Product.
66. Select the Version and Build that is currently installed.
67. Click Save.
68. Click Export.
69. Save the file as addspanish.xml.
70. Save the file to C:\ODT.
71. Back in CMD, type setup.exe /configure addspanish.xml.
72. Press Enter.
73. Office will begin the installation.
74. Click Close.
75. Type Control Panel in the “Type here to search” box and press Enter.
76. Click on Programs.
77. Click on Programs and Features.
78. Microsoft Office 365 ProPlus - en-us and Microsoft Office 365 ProPlus - es-es
will be displayed.
Remove Office365 ProPlus
79. Open Internet Explorer and browse to the URL below.
https://github.com/OfficeDev/Office-IT-Pro-Deployment-Scripts/blob/master/Office-ProPlus-Deployment/Remove-PreviousOfficeInstalls/OffScrubc2r.vbs
80. Right-click on the Raw button and select Save target as…
81. Save the file to C:\ODT.
82. Click the X on “The publisher of Offscrubc2r.vbs couldn’t be verified”.
83. Back in CMD, type cscript OffScrubc2r.vbs.
84. Click OK.
85. Reboot the workstation.

5.3.2 Locally Managed Deployment


In this activity, you will deploy Office365 ProPlus from a local file share using the Office
Deployment Tool (ODT) and a configuration XML, set Semi-Annual as the update channel, update
Office365 ProPlus, remove an application from and add a language to an already deployed
installation, and remove Office365 ProPlus.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Create a File Share for Office365 ProPlus
1. Log on as corp\labadmin.
2. On the taskbar, open File Explorer and browse to C:\Packages and create a folder
named DC.
3. Right-Click on the DC folder and select Give access to.
4. Select “Specific people…”.
5. Select Everyone.
6. Click Add.
7. Set the Permission Level for Everyone to Read/Write.
8. Click Share.
9. Record the Share Path.
10. Click Done.
Download Office Deployment Tool
11. Open Internet Explorer and browse to the URL below.
https://www.microsoft.com/en-us/download/details.aspx?id=49117
12. From the website, click Download.
13. Save the installer to C:\Packages\DC.
Extract ODT
14. Double-click to start the extraction of the ODT and accept the UAC prompt.
15. Accept the License Terms and click Continue.
16. Navigate to C:\Packages\DC and click OK.
17. Click OK after successful Extraction.
Create Installation XML
18. The Sample Download File with all Office Applications – Semi-Annual Channel
from Best practices: Sample configuration files for downloading Office 365
ProPlus will be used.
19. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
20. In the Semi-Annual Channel Column, record the version number of the previous
month.
21. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
22. Click Close at the first dialog.
23. Select Semi-Annual Channel under Channel.
24. Click Add Product.
25. Select the Version that was recorded earlier under Version.
26. Select the Build that was recorded earlier under Build.
27. Click Save.
28. Click Additional Options.
29. Type the Path that was recorded earlier under SourcePath.
Note: SourcePath indicates the location from which Office365 ProPlus will download content
during installation.
30. Click Save.
31. Click Updates.
32. Click Enable Updates.
33. Type the Path that was recorded earlier under UpdatePath.
Note: Unlike the Cloud Managed scenario, which uses the CDN, the UpdatePath is populated here.
34. Remove the value in the TargetVersion.
35. Click Save.
36. Click Export.
37. Save the file as newconfiguration.xml to C:\Packages\DC.
Download Office365 ProPlus
38. Type CMD in the “Type here to search” box.
39. Right-click Command Prompt.
40. Select Run as Administrator. Accept the UAC prompt.
41. Change directory to C:\Packages\DC.
42. Type setup.exe /download newconfiguration.xml.
43. Press Enter. Office will begin the download.
Note: Change the Virtual Switch of the VM from HYD-CorpNet to Not connected
as well as External 2 to Not connected.
Deploy Office365 ProPlus (Offline from a Local Share)
44. Back in CMD, type setup.exe /configure newconfiguration.xml.
45. Press Enter.
46. Office will begin the installation.
47. Click Close.
Note: Change the Virtual Switch of the VM from Not connected to HYD-CorpNet
as well as Not connected to External 2.
Update Office365 ProPlus (Offline from a Local Share)
48. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
49. In the Semi-Annual Channel Column, record the version number of the current
month.
Note: Unlike Cloud Managed, each month the monthly build of Office365 ProPlus
needs to be downloaded to the local file share.
50. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
51. Click Close at the first dialog.
52. Click Import.
53. Select the newconfiguration.xml in the C:\Packages\DC. Click Open.
54. Select Semi-Annual Channel under Channel.
55. Click Add Product.
56. Select the Version and Build that is recorded for the current month.
57. Click Save.
58. Click Export.
59. Save the file as update.xml in C:\Packages\DC.
60. Back in CMD, type setup.exe /download update.xml.
61. Press Enter. Office will begin the download.
Note: Change the Virtual Switch of the VM from HYD-CorpNet to Not connected
as well as External 2 to Not connected.
62. Back in CMD, type setup.exe /configure update.xml.
63. Press Enter.
64. Office will begin the installation.
65. Click Close.
Note: Change the Virtual Switch of the VM from Not connected to HYD-CorpNet
as well as Not connected to External 2.

66. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
67. In the Semi-Annual Channel Column, record the version number of the current
month.
68. In Word 2016, click File | Account and compare the Office Updates Version and Build
Number to the version recorded for the current month.
69. Close Word 2016.
Remove an Application from Office365 ProPlus
70. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
71. Click Close at the first dialog.
72. Click Import.
73. Select the update.xml in the C:\Packages\DC. Click Open.
74. Click Exclude Programs.
75. Select Access.
76. Click Save.
77. Click Export.
78. Save the file as removeaccess.xml.
79. Save the file to C:\Packages\DC.
80. Back in CMD, type setup.exe /configure removeaccess.xml.
81. Press Enter.
82. Office will begin the installation.
83. Click Close.
Note: The Microsoft Access icon will not be displayed during the installation.
Add a Language to Office365 ProPlus (Offline from a Local Share)
84. Open Internet Explorer and browse to the URL below.
http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
85. Click Close at the first dialog.
Note: If adding a language, set the first language to the client’s culture language. If
the first language does not match the client’s culture, the chosen language will
become the Shell UI language.
86. Click Import.
87. Select the removeaccess.xml in the C:\Packages\DC. Click Open.
88. Select Semi-Annual Channel under Channel.
89. Select Spanish (es-es) under Language.
90. Click Add Product.
91. Select the Version and Build that is currently installed.
92. Click Save.
94. Click Export.
95. Save the file as addspanish.xml.
96. Save the file to C:\Packages\DC.
97. Back in CMD, type setup.exe /download addspanish.xml.
98. Press Enter. Office will begin the download.
Note: Change the Virtual Switch of the VM from HYD-CorpNet to Not connected
as well as External 2 to Not connected.
99. Back in CMD, type setup.exe /configure addspanish.xml.
100. Office will begin the installation.
101. Click Close.
102. Type Control Panel in the “Type here to search” box and press Enter.
103. Click on Programs.
104. Click on Programs and Features.
105. Microsoft Office 365 ProPlus - en-us and Microsoft Office 365 ProPlus - es-es
will be displayed.
Note: Change the Virtual Switch of the VM from Not connected to HYD-CorpNet
as well as Not connected to External 2.
Remove Office365 ProPlus
106. Open Internet Explorer and browse to the URL below.
https://github.com/OfficeDev/Office-IT-Pro-Deployment-Scripts/blob/master/Office-ProPlus-Deployment/Remove-PreviousOfficeInstalls/OffScrubc2r.vbs
107. Right-click on the Raw button and select Save target as…
108. Save the file to C:\Packages\DC.
109. Click the X on “The publisher of Offscrubc2r.vbs couldn’t be verified”.
110. Back in CMD, type cscript OffScrubc2r.vbs.
111. Click OK.
112. Reboot the workstation.
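As an added example (not the lab guide's or the Office Deployment Tool project's own code), the following PowerShell script builds the configuration XML that sections 5.3.1 and 5.3.2 have you assemble in the XmlEditor (Semi-Annual Channel, 32-bit, a pinned version, optional SourcePath/UpdatePath for the local share, ExcludeApp for Access, es-es as an added language) and runs setup.exe against it, verifying the Authenticode signature of setup.exe first. It assumes the ODT is extracted to C:\Packages\DC, the share is \\CLIENT2\DC, the version numbers are placeholders for the ones recorded from the release-history page, and the share is created read-only for Everyone (tighter than the lab's Read/Write, since only the account running /download needs to write).

```powershell
# Added example, not part of the lab guide or the Office Deployment Tool project.
# Generates newconfiguration.xml, update.xml, removeaccess.xml and addspanish.xml for the
# local-share scenario (5.3.2) and runs setup.exe /download and /configure against them.
# Assumptions: ODT extracted to C:\Packages\DC; share \\CLIENT2\DC; version strings below are
# placeholders for the Semi-Annual Channel builds recorded from the release-history page.

$OdtRoot    = 'C:\Packages\DC'
$SharePath  = '\\CLIENT2\DC'          # assumption: the share path recorded in step 9
$OldVersion = '16.0.0000.00000'       # placeholder: previous month's Semi-Annual Channel build
$NewVersion = '16.0.0000.00001'       # placeholder: current month's Semi-Annual Channel build

function Test-OdtSetupSignature {
    # Supply-chain check the lab skips: setup.exe was downloaded, so confirm it still carries
    # a valid Microsoft Authenticode signature before it is run elevated.
    param([Parameter(Mandatory)][string]$SetupPath)
    $sig = Get-AuthenticodeSignature -FilePath $SetupPath
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
}

function New-OdtConfiguration {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Version,
        [string]$SourcePath,               # empty = download/install from the CDN (5.3.1)
        [string]$UpdatePath,               # empty = update from the CDN
        [string[]]$Languages = @('en-us'), # first entry becomes the Shell UI language
        [string[]]$ExcludeApps = @()
    )
    $xml  = [xml]'<Configuration/>'
    $root = $xml.DocumentElement
    $add  = $root.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', '32')
    $add.SetAttribute('Channel', 'Broad')   # 'Broad' is the ODT value for Semi-Annual Channel
    if ($Version)    { $add.SetAttribute('Version', $Version) }
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }
    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')
    foreach ($id in $Languages) {
        $node = $product.AppendChild($xml.CreateElement('Language'))
        $node.SetAttribute('ID', $id)
    }
    foreach ($id in $ExcludeApps) {
        $node = $product.AppendChild($xml.CreateElement('ExcludeApp'))
        $node.SetAttribute('ID', $id)
    }
    # Updates enabled with no TargetVersion, matching step 34 of the lab.
    $updates = $root.AppendChild($xml.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')
    if ($UpdatePath) { $updates.SetAttribute('UpdatePath', $UpdatePath) }
    $display = $root.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')
    $xml.Save($Path)
    return $Path
}

function Invoke-OdtSetup {
    # Runs setup.exe /download or /configure and fails on a non-zero exit code.
    param(
        [Parameter(Mandatory)][ValidateSet('download', 'configure')][string]$Mode,
        [Parameter(Mandatory)][string]$ConfigPath
    )
    $setup = Join-Path $OdtRoot 'setup.exe'
    if (-not (Test-OdtSetupSignature -SetupPath $setup)) {
        throw "Refusing to run $setup : signature missing or not from Microsoft"
    }
    $proc = Start-Process -FilePath $setup -ArgumentList "/$Mode", "`"$ConfigPath`"" `
                          -WorkingDirectory $OdtRoot -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "setup.exe /$Mode $ConfigPath exited with $($proc.ExitCode)" }
}

# Share for the local source. Clients only read; the downloading account writes
# (assumption: CORP\labadmin performs the /download runs).
if (-not (Get-SmbShare -Name 'DC' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'DC' -Path $OdtRoot -ReadAccess 'Everyone' -FullAccess 'CORP\labadmin' | Out-Null
}

# Steps 18-47: download the previous month's build to the share, then install from it.
$cfg = New-OdtConfiguration -Path (Join-Path $OdtRoot 'newconfiguration.xml') `
           -Version $OldVersion -SourcePath $SharePath -UpdatePath $SharePath
Invoke-OdtSetup -Mode download  -ConfigPath $cfg
Invoke-OdtSetup -Mode configure -ConfigPath $cfg

# Steps 48-65: download the current month's build and apply it as the update.
$cfg = New-OdtConfiguration -Path (Join-Path $OdtRoot 'update.xml') `
           -Version $NewVersion -SourcePath $SharePath -UpdatePath $SharePath
Invoke-OdtSetup -Mode download  -ConfigPath $cfg
Invoke-OdtSetup -Mode configure -ConfigPath $cfg

# Steps 70-83: remove Access. Steps 84-105: add Spanish, keeping en-us first so the
# Shell UI language is unchanged and keeping the Access exclusion in place.
$cfg = New-OdtConfiguration -Path (Join-Path $OdtRoot 'removeaccess.xml') `
           -Version $NewVersion -SourcePath $SharePath -UpdatePath $SharePath -ExcludeApps 'Access'
Invoke-OdtSetup -Mode configure -ConfigPath $cfg
$cfg = New-OdtConfiguration -Path (Join-Path $OdtRoot 'addspanish.xml') `
           -Version $NewVersion -SourcePath $SharePath -UpdatePath $SharePath `
           -Languages 'en-us', 'es-es' -ExcludeApps 'Access'
Invoke-OdtSetup -Mode download  -ConfigPath $cfg
Invoke-OdtSetup -Mode configure -ConfigPath $cfg
```

For the Cloud Managed scenario of 5.3.1, call New-OdtConfiguration without -SourcePath and -UpdatePath so the Add element and Updates element carry no path and Office installs and updates from the CDN.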

5.3.3 Enterprise Managed Deployment using System Center Configuration Manager

In this activity, you will deploy Office365 ProPlus using System Center Configuration Manager
and configure updating for Office365 ProPlus.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Create a Share for Office365 ProPlus Package and Updates
1. Open Internet Explorer and browse to the URL below.
https://technet.microsoft.com/en-us/library/mt592918.aspx
2. In the Semi-Annual Channel Column, record the version number of the current
and previous month.
3. Log on to CM1 as corp\labadmin.
4. On the taskbar, open File Explorer and browse to C:\Packages and create two
folders named OfficeConfigMan and OfficeConfigManUpdates.
Enable Management of Office365 ProPlus Client Agent
5. In the Configuration Manager Console, browse to Administration | Client
Settings.
6. Double-click on Default Client Settings.
7. Select Software Updates.
8. For Enable management of the Office 365 Client Agent, from the drop-down
box select Yes.
9. Click OK.
Enable and Configure Office365 ProPlus Software Updates
10. Select Administration.
11. Expand Site Configuration.
12. Select Sites.
13. Click Settings | Configure Site Components | Software Update Point.
14. Under the Classifications tab, uncheck all options and only select Updates.
15. Under the Products tab, uncheck all options and only select Office 365 Client.
Note: If Office 365 Client is not listed, execute a full synchronization of updates and
repeat above steps.
16. Under the Languages tab, uncheck all options and only select English.
17. Click Apply | OK.
18. Browse to Software Library.
19. Expand Office 365 Client Management.
20. Click Office 365 Updates.
21. Click Synchronize Software Updates. Click Yes.
Note: Please be patient for the sync to complete, which will take some time.
Create a Folder and a Collection
22. Browse to Assets and Compliance | Device Collections. Right-click Device
Collections and click Folder | Create Folder.
23. Enter a name Office 365 ProPlus and click OK.
24. Expand Device Collections, right-click Office 365 ProPlus folder and click
Create Device Collection.
25. Enter a name Office 365 ProPlus SAC. Click Browse.
26. Under Device Collections, select Root, select All Systems and click OK.
27. On the General page, click Next.
28. On the Membership Rules page, click Next. Click OK on the Configuration
Manager prompt.
29. On the Summary page, click Next.
30. On the Completion page, click Close.
31. Browse to Assets and Compliance | Devices, right-click on the CLIENT2 virtual
machine, click Add Selected Items and then click Add Selected Items to Existing
Device Collection.
32. Under Device Collections, select Office 365 ProPlus, select Office 365 ProPlus
SAC and click OK.
33. Under Device Collections | Office 365 ProPlus, right-click on Office 365 ProPlus
SAC and click Update Membership | Yes and then refresh once to ensure that the
CLIENT2 virtual machine is a member of this collection.
Create and Deploy an Office365 ProPlus Package
34. Click Software Library.
35. Click Office 365 Client Management and click Office 365 Installer.
36. Specify the following on the Application Settings Page, and click Next.
Name: Office 365 ProPlus SAC
Content Location: \\CM1\Packages$\OfficeConfigMan
37. On the Import Client Settings page, select Manually specify the Office 365 client
settings and click Next.
38. On the Client Products page, specify the following and click Next.
Suite: Office 365 ProPlus
Select the O365 Applications to include: All Selected
Additional Office Products: None Selected for both
39. In the Client Settings page, specify the following and click Next.
Architecture: 32-bit
Channel: Semi-Annual Channel
Version: the oldest version listed (it may be more than 6 months old)
Languages: English (United States) default
Properties: Only Pin Icons to Taskbar (Win 7/8.x only) selected
40. On the Deployment page, select Yes and click Next.
41. On the General page, click Browse… next to Collection.
42. Under Device Collections | Office 365 ProPlus, select Office 365 ProPlus SAC
and click OK.
43. Select Automatically distribute content for dependencies and click Next.
44. On the Content page, click Add | Distribution Point.
45. Select CM1.CORP.CONTOSO.COM and click OK.
46. Click Next.
47. On the Deployment Settings page, specify the following and click Next.
Action: Install
Purpose: Required
Other 3 Checkboxes: Unchecked
48. On the Scheduling page, check the box next to Schedule the application to be
available at and select As soon as possible after the available time and click
Next. No other checkboxes to be selected.
49. On the User Experience page, select Display in Software Center and show all
notifications, check all the 3 check boxes below and click Next.
50. On the Alerts page, click Next. No checkboxes to be selected.
51. On the Summary page, click Next.
52. On the Completion page, click Close. This will download the content to the share
specified, create the required Application, Deployment Type and Deployment as
well as distribute the content to the Distribution Point.
Complete these steps on the CLIENT2 virtual machine. (Note: Uninstall any existing versions
of Office 365 ProPlus before performing this lab.)
User Experience with the Download and Installation of Office365 ProPlus Package on the
Client Side
53. In the Configuration Manager Properties, Actions tab, select Machine Policy
Retrieval & Evaluation Cycle and click Run Now. Click OK.
54. Select Application Deployment Evaluation Cycle and click Run Now. Click
OK.
55. The package will start downloading and installing. Click Close once the
installation is successful.
56. The installation of the package can be validated in Programs and Features.
Complete these steps on the CM1 virtual machine.
Create and Deploy an Office365 ProPlus Software Update
57. Once the sync is complete, browse to Software Library | Office 365 Client
Management | Office 365 Updates. Search for the current month version of
Semi-Annual Channel, select and right-click the update and click Create
Software Update Group.
58. Enter a name Office 365 ProPlus SAC Updates and click Create.
59. Browse to Software Library | Software Updates | Software Update Groups.
Select Office 365 ProPlus SAC Updates and click Deploy.
60. For the Collection, click Browse…
61. Under Device Collections | Office 365 ProPlus, select Office 365 ProPlus SAC
and click OK.
62. On the General page, click Next.
63. On the Deployment Settings page, specify the following and click Next.
Type of deployment: Required
Detail level: Only success and error messages
No other checkbox to be selected
64. On the Scheduling page, specify the following and click Next.
Time based on: Client local time
Software available time: As soon as possible
Installation deadline: As soon as possible
No other checkbox to be selected
65. On the User Experience page, specify the following and click Next.
User notifications: Display in Software Center and show all notifications
Check the 3 check boxes and keep the rest unchecked
66. On the Alerts page, click Next. No checkboxes to be selected.
67. On the Download Settings page, specify the following and click Next.
Deployment options: Download software updates from distribution point
and install as well as Download and install software updates from the
distribution points in site default boundary group
68. On the Deployment Package page, select Create a new deployment package and
specify the following and click Next.
Name: Office 365 ProPlus SAC Updates
Package source: \\CM1\Packages$\OfficeConfigManUpdates
Keep the checkbox unchecked
69. On the Distribution Points page, click Add | Distribution Point.
70. Select CM1.CORP.CONTOSO.COM and click OK.
71. On the Distribution Points page, click Next.
72. On the Download Location page, select Download software updates from the
Internet and click Next.
73. On the Language Selection page, select English and click Next.
74. On the Summary page, click Next.
75. On the Completion page, click Close. This will download the content to the share
specified, create the required Deployment Package and Deployment as well as
distribute the content to the Distribution Point.
Complete these steps on the CLIENT2 virtual machine.
User Experience with the Download and Installation of Office365 ProPlus Software Update
on the Client Side
76. In the Configuration Manager Properties, Actions tab, select Machine Policy
Retrieval & Evaluation Cycle and click Run Now. Click OK.
77. Select Software Updates Deployment Evaluation Cycle and click Run Now.
Click OK.
78. Select Software Updates Scan Cycle and click Run Now. Click OK.
79. The software update will start downloading and installing.
Note: It can take some time for the machine to be detected in Configuration Manager
for the “Required” update.
80. The installation of the package can be validated in Programs and Features.

5.3.4 Enterprise Managed Deployment using Microsoft Intune


In this activity, you will deploy Office365 ProPlus using Microsoft Intune and configure updating
for Office365 ProPlus.

Task Detailed Steps


Complete these steps from an Internet-connected Windows computer.
Add Office365 ProPlus
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with
labadmin@<AzureDomainName>.onmicrosoft.com
4. On the left navigation bar, click All services > Intune > Intune.
5. In the navigation pane select Mobile apps > Apps, and click + Add.
6. In the Add app pane, under App type, select Office 365 Suite | Windows 10.
Configure and Deploy Office 365 ProPlus
7. In the Add app pane, click Configure App Suite.
8. Select Excel, OneDrive Desktop, OneNote, Outlook, PowerPoint, Skype for
Business, and Word, then click OK.
9. In the Add app pane, click App Suite Information.
10. Type a Suite Name, Suite Description, and click OK.
11. In the Add app pane, click App Suite Settings.
12. For Office version, select 32-bit.
13. For Update channel, select Semi-Annual.
14. Click Yes for Automatically accept the app end user license agreement.
15. Click OK.
16. In the Add app pane, click Add.
17. In the Office 365 ProPlus – Assignments pane, click Assignments.
18. Click Add group, in the Assignment type, select Required, click Included
Groups, click Select groups to include, type Sales, select it and click Select.
Click OK | OK and finally click Save.
Task: User Experience with the Download and Installation of Office365 ProPlus Package on the Client Side
Complete these steps on the CLIENT3 virtual machine.
Note: Ensure that the CLIENT3 virtual machine is enrolled into MDM and Office 365 ProPlus is uninstalled if it is already installed.
19. Click Start | Settings.
20. Click Accounts | Access work or school | Connected to <Azure Domain> MDM | Info.
21. Click Sync.
22. The Office 365 ProPlus will download and install automatically in the background.

5.4 BIOS to UEFI Conversion


MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT)
partition style without modifying or deleting data on the disk. The tool is designed to be run
from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be
run from the full Windows 10 operating system (OS).

You can use MBR2GPT to perform the following:

- [Within the Windows PE environment]: Convert any attached MBR-formatted disk to GPT, including the system disk.
- [From within the currently running OS]: Convert any attached MBR-formatted disk to GPT, including the system disk.
Note: MBR2GPT is available in Windows 10 version 1803, also known as Windows 10 April 2018
Update, and later versions. The tool is available in both the full OS environment and Windows
PE.

5.4.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps


Task: Prerequisite Lab
Complete Section 5.1.2.3 Manual Upgrade.

5.4.2 Conversion after In-Place Upgrade


Note: This will only work if upgrade is done to Windows 10 1803 or later.

Task Detailed Steps


Complete these steps on the Device provided by the Customer.
Task: Validate System Readiness
1. Right-click the Start button and select Disk Management.
2. Right-click on Disk 0 and select Properties.
3. In the Properties window, go to the Volumes tab.
4. Validate that the Partition style is configured as Master Boot Record (MBR).
5. From the Start button, open an Administrative Command Prompt and browse
to C:\Windows\System32.
6. Enter the following command:
mbr2gpt /validate /allowFullOS
7. Verify that the result has no errors.
Task: Execute MBR2GPT Command
8. Enter the following command:
mbr2gpt /convert /allowFullOS
9. Verify that the result has no errors.
Task: Reconfigure Firmware
10. Reboot the device and reconfigure the firmware to boot in UEFI mode, enable Secure Boot, and disable CSM by:
- Changing the relevant settings in the firmware menu, or
- Running a tool provided by the PC or firmware manufacturer
11. Save the configuration, reboot the device and log in to Windows.
Task: Validate Conversion
12. Right-click the Start button and select Disk Management.
13. Right-click on Disk 0 and select Properties.
14. In the Properties window, go to the Volumes tab.
15. Validate that the Partition style is configured as GUID Partition Table (GPT).
16. Right-click the Start button and select Run.
17. Enter msinfo32 then click OK.
18. In the System Information window, under System Summary, confirm that the
BIOS Mode item has the UEFI value and Secure Boot State item has the On
value.
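The readiness and post-conversion checks of this activity can also be scripted. The following PowerShell is an added example, not part of the lab guide; it uses the standard mbr2gpt.exe options, Get-Disk, Confirm-SecureBootUEFI and $env:firmware_type, and assumes the system disk is Disk 0 and that mbr2gpt logs may be written under $env:TEMP.

```powershell
# Added example, not part of the lab guide: scripted version of the "Validate System Readiness"
# and "Validate Conversion" checks in 5.4.2. Run in an elevated PowerShell on the device.
# Assumptions: the system disk is Disk 0 and mbr2gpt log files may be written under $env:TEMP.

function Get-BootConfigurationState {
    # The same three facts the lab reads from Disk Management and msinfo32.
    $disk = Get-Disk -Number 0
    $secureBoot = $false
    try {
        # Confirm-SecureBootUEFI throws on legacy-BIOS firmware, which we treat as "off".
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch { $secureBoot = $false }
    [pscustomobject]@{
        PartitionStyle = $disk.PartitionStyle    # 'MBR' before conversion, 'GPT' afterwards
        FirmwareType   = $env:firmware_type      # 'Legacy' or 'UEFI' (msinfo32 "BIOS Mode")
        SecureBoot     = $secureBoot             # msinfo32 "Secure Boot State"
    }
}

function Invoke-Mbr2Gpt {
    # Runs mbr2gpt.exe in validate or convert mode and returns $true only on exit code 0.
    param([ValidateSet('validate', 'convert')][string]$Mode)
    $logDir = Join-Path $env:TEMP 'mbr2gpt'
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    & "$env:SystemRoot\System32\mbr2gpt.exe" "/$Mode" /disk:0 /allowFullOS "/logs:$logDir" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "mbr2gpt /$Mode failed with exit code $LASTEXITCODE; see $logDir\setuperr.log"
        return $false
    }
    return $true
}

function Test-PreConversionState {
    # Steps 1-7: only an MBR system disk that passes /validate should be converted.
    $state = Get-BootConfigurationState
    if ($state.PartitionStyle -ne 'MBR') {
        Write-Warning "Disk 0 is already $($state.PartitionStyle); nothing to convert."
        return $false
    }
    return (Invoke-Mbr2Gpt -Mode validate)
}

function Test-PostConversionState {
    # Steps 12-18: after the firmware is switched to UEFI with Secure Boot on and CSM off,
    # all three values must have changed together; a GPT system disk on Legacy firmware will not boot.
    $state = Get-BootConfigurationState
    $ok = ($state.PartitionStyle -eq 'GPT') -and ($state.FirmwareType -eq 'UEFI') -and $state.SecureBoot
    if (-not $ok) { Write-Warning ("Conversion incomplete: " + ($state | Out-String)) }
    return $ok
}

# Usage: run the pre-check here; then call Invoke-Mbr2Gpt -Mode convert (step 8), reconfigure the
# firmware and reboot (steps 10-11), and finish with Test-PostConversionState (steps 12-18).
if (Test-PreConversionState) {
    Write-Host 'Disk 0 is MBR and passed validation; run "Invoke-Mbr2Gpt -Mode convert" to convert it.'
}
```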
5.5 Modern Application Management
As an IT admin, you are responsible for making sure that your end users have access to the apps
they need to do their work. Intune offers a range of capabilities to help you get the apps you
need, on the devices you want.

5.5.1 Application Deployment and Management with Microsoft Intune


5.5.1.1 Add Windows line-of-business (LOB) apps to Microsoft Intune

Intune supports Windows line-of-business apps (.msi files only).

Task Detailed Steps


Complete these steps from an Internet-Connected Windows computer.
Task: Add Line-of-Business App
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps, and click + Add.
6. In the Add app pane, under App type, select Line-of-business app.
Task: Configure Line-of-Business App
7. In the Add app pane, click App package file.
8. On the App package file blade, choose the browse button, and select a Windows installation file with the extension .msi, .appx, or .appxbundle.
A sample msi file can be downloaded from: https://www.7-zip.org/download.html
9. Click OK.
10. In the Add app pane, click App information.
11. Enter the following information and click OK:
a. Name - Enter the name of the app as it is displayed in the company
portal. Make sure all app names that you use are unique. If the same app
name exists twice, only one of the apps is displayed to users in the
company portal.
b. Description - Enter a description for the app. The description is
displayed to users in the company portal.
c. Publisher - Enter the name of the publisher of the app.
d. Category - Select one or more of the built-in app categories, or a
category you created. Categorizing apps makes it easier for users to find
the app when they browse the company portal.
e. Display this as a featured app in the Company Portal - Display the
app prominently on the main page of the company portal when users
browse for apps.
f. Information URL - Optionally, enter the URL of a website that contains
information about the app. The URL is displayed to users in the
company portal.
g. Privacy URL - Optionally, enter the URL of a website that contains
privacy information for the app. The URL is displayed to users in the
company portal.
h. Command-line arguments - Optionally, enter any command-line
arguments that you want to apply to the .msi file when it runs, like /q.
i. Developer - Optionally, enter the name of the app developer.
j. Owner - Optionally, enter a name for the owner of this app, for example,
HR department.
k. Notes - Enter any notes you would like to associate with this app.
l. Logo - Upload an icon that is associated with the app. The icon is
displayed with the app when users browse the company portal.
12. In the Add app pane, click Add to upload the app to Intune.
13. Click Select.
14. Click OK.
15. Click OK again.
16. Click Save.

5.5.1.2 Assign Apps to Groups with Microsoft Intune

In the following section, you will assign the Line-of-business app to users and devices.

Task Detailed Steps


Complete these steps from an Internet-Connected Windows computer.
Task: Locate App
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps.
6. On the list of apps blade, click the app you want to assign.
Task: Assign and Configure App Assignment
7. On the <app name> overview pane, click Assignments.
8. Click Add group.
9. Select Required under Assignment type.
10. Under Included Groups | Selected Groups, select Sales.
11. Click Select.
12. Click OK.
13. Click OK again.
14. Click Save.

5.5.2 Application Self-Service with Microsoft Store for Business


This section provides guidance to set up and experience the Microsoft Store for Business. Applications can be discovered, published and managed using the information contained at the links below.

Task Detailed Steps


Complete these steps from an Internet-Connected Windows computer.
Also, login to https://portal.azure.com and https://www.microsoft.com/en-us/business-store
Task: Signup for the Microsoft Store for Business
1. Start a new Internet Explorer window in private mode.
2. Click Sign in on the top right hand corner. On the Let’s check if you have an account window, enter the credentials LabAdmin@<azuredomain>.onmicrosoft.com, which is a global administrator, created previously and click Next.
3. Once it detects and says You have an account with us. You’re using
LabAdmin@<azuredomain>.onmicrosoft.com with a Microsoft service already.
Sign in with your existing password, click Sign in.
4. Enter the password and click Sign in.
5. On the Microsoft Store for Business and your data screen, check the consent
box and click Accept.
6. You have completed the signup for the Microsoft Store for Business.
Task: Roles and Permissions
7. Click Manage and then click Permissions.
8. Notice that Admin is already assigned the Global Admin Role. Click Assign roles.
9. In the Assign roles to people window, review the various roles available along
with their permissions. In the text box above, type TU1 and click Test User1 in
the search results. You can add multiple users in the text box.
10. Once Test User1 is added in the text box above, select the Role – Purchaser and
click Save.
11. The user will then be added with the assigned permissions. At any point you want
to remove the user from the list, select the user and click Remove. For now, do
not remove.
Note: For more information, refer to
https://technet.microsoft.com/library/mt621271(v=vs.85).aspx
Task: Find and Acquire Applications
12. Click Settings. Under Shopping experience, enable Show offline apps: Show offline licensed apps to people shopping in the Microsoft Store.
13. Click Shop for my group and click an app of your choice, example OneNote.
14. Review the two licensing types: Online and Offline. Select Offline and click Get the app.
15. If this is the first time you are using Microsoft Store for Business, check the box
for the license and click Accept.
16. It will mention that the app has been purchased and added to your inventory.
Click Close. Offline apps can be distributed by using a provisioning package and
include it as part of imaging a device using Deployment Image Servicing and
Management (DISM) or Windows ICD and also can be distributed through a
management tool or server.
Note: You will then be on the page where it will ask you to manage or download
the package for offline use. You do not have to download the package for offline
use for this demo. Just go to the next step.
17. Under Shop for my group, select another app, example Microsoft Remote
Desktop and select Online. Click Get the app.
18. It will mention that the app has been purchased and added to your inventory. Click Close. It will then present two methods of distribution: adding the app to the private store (by clicking … | Manage | Private Store Collections | enable “In collection” for <azuredomain> | Add | Done) and Assign Users. Online apps can be distributed by assigning them to employees as well as by adding them to your private store, allowing employees to download them through a management tool.
19. If you select to add to the private store, it will start adding the app into your private store and could take up to twenty-four hours before the app is available in the private store as a separate tab.
20. Under Shop for my group, select another app, example DocuSign and click Get
the app. Click Close. If you select Assign Users and then in the text box, type a
username, example TU1, click Test User1 in the search results and click Assign |
Close, the app will be directly available to the user in the Store > My Library
section. You can add multiple users in the text box. The user then can download
and install the app from the store.
Note: For more information, refer to
https://technet.microsoft.com/library/mt606944(v=vs.85).aspx
Task: App Inventory Management
21. Click Manage and click Products & services and click Apps & software.
22. You can find an app from the Search apps & software text box.
23. You can also refine your search by selecting Refine results based on Product
type, Application type, Subscription type, Source and Private store.
24. You will be able to see the list of apps with the following tabs – Name, Available
quantity, Usage/Total and Date.
25. If you click the (…) for an Online-licensed app, you will see the options – View
license details, Assign to people, View private store details and View product
details.
26. If you click the (…) for an Offline-licensed app, you will see the options –
Download for offline use and View product details.
27. You can even manage app licenses by viewing, assigning and reclaiming
licenses.
Note: You can remove an app from the Private Store. For more information, refer to
https://technet.microsoft.com/library/mt633825(v=vs.85).aspx
Task: Distribute Apps with a Management Tool
28. Click Manage, then click Settings and then click Distribute.
29. You should be able to see the available MDM tools.
30. Select the MDM tool you want to synchronize with Store for Business, and then click Activate. Your MDM tool is ready to use with the Store for Business. Consult docs for your management tool to learn how to distribute apps from your synchronized inventory.
Note: For more information, refer to https://technet.microsoft.com/en-us/library/mt606939(v=vs.85).aspx

5.6 Enterprise State Roaming


With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely
synchronize their user settings and application settings data to the cloud. Enterprise State
Roaming provides users with a unified experience across their Windows devices and reduces the
time needed for configuring a new device. Enterprise State Roaming operates similarly to the
standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise
State Roaming offers:

- Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
- Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
- Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
5.6.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps


Task: Prerequisite Lab
Ensure that both CLIENT3 and CLIENT4 virtual machines are Azure AD Domain Joined using TU1@<AzureDomainName>.onmicrosoft.com and both have been rebooted at least once.

5.6.2 Configure Enterprise State Roaming


In this lab, you will setup and configure enterprise state roaming.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.
Task: Enable Enterprise State Roaming in the Azure Web Portal
1. Start Internet Explorer InPrivate mode.
2. Navigate to https://portal.azure.com and Sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
3. On the left navigation bar, click Azure Active Directory > Devices > Device settings.
4. In the Users may sync settings and app data across devices setting, select
Selected.
5. Click Selected below and click + Add members.
6. Type TU1, select Test User1 and click Select.
7. Click OK.
8. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Task: Confirm that Setting Sync is Enabled for the User
9. Log in as TU1@<AzureDomainName>.onmicrosoft.com.
10. Click on Start > Settings > Accounts > Sync your settings.
11. Verify that Sync your settings is on.
12. Verify that the test account is listed in the description of the settings page “Sync Windows settings to other devices using <testaccount>”.
Task: Personalize Windows Settings on the First Machine
13. Right-click on the taskbar and uncheck Lock the taskbar.
14. Drag the taskbar so that it is positioned to the right of the screen.
Complete these steps on the CLIENT4 virtual machine.
Task: Verify that the Changes have Synced to the Second Machine
Note: It may take a few minutes for the sync on one machine to propagate to the other. If the sync does not complete, try logging in and out of both devices or locking and unlocking the device.
15. Log in as TU1@<AzureDomainName>.onmicrosoft.com.
16. Verify that the position of the taskbar matches the position that was set on
CLIENT3.
5.7 Remote Access (VPN)
Virtual private networks (VPNs) give your users secure remote access to your company network.
Devices use a VPN connection profile to initiate a connection with the VPN server. In this
section, you will go through how to manage and deploy VPN on Windows 10.

5.7.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the INET1 virtual machine.
Task: Configure Internet DNS
1. Click the Start button and browse to Windows Administrative Tools > DNS.
2. In the DNS Manager window, browse to INET1 > Forward Lookup Zones > contoso.com.
3. Right-click on contoso.com and select New Host (A or AAAA).
4. In the New Host window, under Name enter vpn1, under IP address enter
131.107.0.2 then click Add Host.
5. Click OK | Done.
Complete these steps on the DC1 virtual machine.
Task: Add VPN1 Server to RAS and IAS Server AD Group
6. Click the Start button and browse to Windows Administrative Tools > Active Directory Users and Computers.
7. Browse to corp.contoso.com > Users.
8. Right-click on the RAS and IAS Servers group and select Properties.
9. Go to the Members tab and ensure that VPN1 is present.
10. In the RAS and IAS Server Properties window, click OK.
Task: Create VPN Certificate Template
11. Click the Start button and browse to Windows Administrative Tools > Certification Authority.
12. Browse to corp-DC1-CA > Certificate Templates.
13. Right-click on Certificate Templates and select Manage.
14. Right-click on the IPSec template and select Duplicate Template.
15. In the Properties of New Template window, go to the General tab.
16. Under Template display name, enter VPN Server then go to the Request
Handling tab.
17. Select Allow private key to be exported then go to the Subject Name tab.
18. Select Supply on the request, click OK in the dialog box then go to the
Extensions tab.
19. Under Extensions included in this template, select Application Policies then
click Edit.
20. In the Edit Application Policies Extension window, click Add.
21. In the Add Application Policy window, select Server Authentication then click
OK.
22. In the Edit Application Policies Extension, click OK.
23. In the Properties of New Template window, click Apply | OK.
24. Close the Certificate Templates Console and go back to the Certification
Authority MMC.
25. Right-click on Certificate Templates and select New > Certificate Template to
Issue.
26. In the Enable Certificate Templates window, select VPN Server then click OK.
Task: Create Workstation Certificate Template
27. Click the Start button and browse to Windows Administrative Tools > Certificate Authority.
28. Browse to corp-DC1-CA > Certificate Templates.
29. Right-click on Certificate Templates and select Manage.
30. Right-click on the Workstation Authentication template and select Duplicate
Template.
31. In the Properties of New Template window, go to the General tab.
32. Under Template display name, enter Contoso PC then go to the Request
Handling tab.
33. Select Allow private key to be exported then, go to the Subject Name tab.
34. Under Subject name format, select Common name then, go to the Security tab.
35. Select Domain Computers (CORP\Domain Computers) and select Read and
Autoenroll. Click Apply | OK.
36. Close the Certificate Templates Console and go back to the Certification
Authority MMC.
37. Right-click on Certificate Templates and select New > Certificate Template to
Issue.
38. In the Enable Certificate Templates window, select Contoso PC then click OK.
39. Click the Start button and browse to Windows Administrative Tools > Group
Policy Management.
40. Expand Forest: corp.contoso.com | Domains | corp.contoso.com.
41. Right-click corp.contoso.com and click Create a GPO in this domain, and
Link it here.
42. Under Name, type Client Authentication Certificate Autoenrollment and click
OK.
43. Right-click Client Authentication Certificate Autoenrollment and click Edit.
44. Browse to Computer Configuration | Policies | Windows Settings | Security
Settings | Public Key Policies.
45. Double-click Certificate Services Client – Auto-Enrollment. Select Enabled
for Configuration Model and check the boxes next to Renew expired
certificates, update pending certificates, and remove revoked certificates and
Update certificates that use certificate templates. Click Apply | OK.
Task: Create User Certificate Template
46. Click the Start button and browse to Windows Administrative Tools > Certificate Authority.
47. Browse to corp-DC1-CA > Certificate Templates.
48. Right-click on Certificate Templates and select Manage.
49. Right-click on the User template and select Duplicate Template.
50. In the Properties of New Template window, go to the General tab.
51. Under Template display name, enter Contoso User then go to the Request
Handling tab.
52. Select Allow private key to be exported then, go to the Subject Name tab.
53. Under Build from this Active Directory information, configure the following
then click Apply | OK.
Subject name format: Fully distinguished name
Include e-mail name in subject name: Deselect
E-mail name: Deselect
User principal name (UPN): Selected
54. Close the Certificate Templates Console and go back to the Certification
Authority MMC.
55. Right-click on Certificate Templates and select New > Certificate Template to
Issue.
56. In the Enable Certificate Templates window, select Contoso User then click
OK.
Complete these steps on the VPN1 virtual machine.
Task: Request VPN Certificate
57. Reboot VPN1 once.
58. Right-click on the Start button and select Run.
59. In the Run window, enter certlm.msc then click OK. Accept the UAC prompt.
60. Right-click on Personal and select All Tasks > Request New Certificate.
61. In the Before You Begin page, click Next.
62. In the Select Certificate Enrollment Policy page, click Next.
63. In the Request Certificates page, select VPN Server then click More
information is required to enroll for this certificate. Click here to configure
settings.
64. Under Subject name, select the Type as Common name, under Value enter
VPN1.corp.contoso.com then click Add.
65. Under Alternative name, select the Type as DNS, under Value enter
VPN1.contoso.com then click Add.
66. In the Certificate Properties window, click Apply | OK.
67. In the Request Certificates page, click Enroll.
68. In the Certificate Installation Results page, click Finish.
Task: Configure IKEv2 Machine Authentication
69. Click the Start button and browse to Windows Administrative Tools > Routing and Remote Access.
70. Right-click on VPN1 then select Properties.
71. In the VPN1 (local) Properties window, go to the Security tab.
72. Click Authentication Methods.
73. In the Authentication Methods window, ensure that Allow machine certificate
authentication for IKEv2 is selected, then click OK.
74. In the VPN1 (local) Properties window, click Cancel.
Complete these steps on the CLIENT2 virtual machine.
Task: Request Client Certificates
75. Reboot CLIENT2 once.
76. Right-click on the Start button and select Run.
77. In the Run window, enter mmc then click OK. Accept the UAC prompt.
78. In the MMC window, click File > Add/Remove Snap-in.
79. In the Add or Remove Snap-ins window, select Certificates and click Add.
80. In the Certificates snap-in window, select Computer account then click Next.
81. In the Select Computer window, click Finish.
82. In the Add or Remove Snap-ins window, click OK.
83. Expand Certificates (Local Computer) | Personal | Certificates. You should be
able to see the certificate.
Task: Request User Certificates
84. In the MMC window, click File > Add/Remove Snap-in.
85. In the Add or Remove Snap-ins window, select Certificates and click Add.
86. In the Certificates snap-in window, select My user account then click Finish.
87. In the Add or Remove Snap-ins window, click OK.
88. Right-click on Personal and select All Tasks > Request New Certificate.
89. In the Before You Begin page, click Next.
90. In the Select Certificate Enrollment Policy page, click Next.
91. In the Request Certificates page, select Contoso User then click Enroll.
92. Once complete, click Finish.
Task: Copy VPN Scripts
93. Right-click on the Start button and select Run.
94. In the Run window, enter \\VPN1\c$ then click OK.
95. Open the packages folder.
96. Copy the Scripts folder to the root C: drive.
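Before moving on to the VPN profiles, it is worth confirming from a script that the certificates enrolled in this section carry what IKEv2 machine-certificate authentication depends on. The PowerShell below is an added example, not part of the lab guide; the EKU OIDs and the EnhancedKeyUsageList/DnsNameList properties are standard, while the function names, the issuer name corp-DC1-CA and the server name VPN1.contoso.com are taken from this section and assumed to be unchanged.

```powershell
# Added example, not part of the lab guide: checks that the certificates enrolled in 5.7.1
# carry the EKUs and names that IKEv2 machine-certificate authentication needs.
# Assumptions: issuing CA is corp-DC1-CA and the VPN server name clients dial is VPN1.contoso.com.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication, added to the "VPN Server" template in step 21
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication, inherited by "Contoso PC" and "Contoso User"

function Find-AuthCertificate {
    # Returns usable certificates in a store: private key present, not expired, issued by our CA,
    # carrying the requested EKU and (optionally) a specific DNS name in the subject or SAN.
    param(
        [string]$StorePath,
        [string]$EkuOid,
        [string]$ExpectedIssuerCN = 'corp-DC1-CA',
        [string]$ExpectedDnsName
    )
    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -match ('CN=' + [regex]::Escape($ExpectedIssuerCN) + '(,|$)') -and
        # EnhancedKeyUsageList and DnsNameList are properties PowerShell adds to X509Certificate2 objects
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EkuOid) -and
        (-not $ExpectedDnsName -or
         (@($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $ExpectedDnsName))
    }
}

function Test-VpnCertificatePrerequisites {
    $results = [ordered]@{
        # CLIENT2 machine certificate from "Contoso PC": what "Use machine certificates" presents to VPN1
        MachineClientAuth = [bool](Find-AuthCertificate -StorePath Cert:\LocalMachine\My -EkuOid $ClientAuthEku)
        # user certificate from "Contoso User", enrolled in steps 84-92
        UserClientAuth    = [bool](Find-AuthCertificate -StorePath Cert:\CurrentUser\My -EkuOid $ClientAuthEku)
    }
    # Only meaningful on VPN1: the server certificate must carry Server Authentication and the name
    # clients connect to; IKEv2 clients reject a server whose certificate lacks either.
    if ($env:COMPUTERNAME -eq 'VPN1') {
        $results['ServerAuth'] = [bool](Find-AuthCertificate -StorePath Cert:\LocalMachine\My `
            -EkuOid $ServerAuthEku -ExpectedDnsName 'VPN1.contoso.com')
    }
    return [pscustomobject]$results
}

Test-VpnCertificatePrerequisites | Format-List
```

Run it on CLIENT2 after step 92 and again on VPN1 after step 68; every reported value should be True before the profile in 5.7.2 is expected to connect.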
5.7.2 Manually Create VPN Profile
In this activity, you will configure VPN profiles manually on Windows 10.

5.7.2.1 Settings App

In this activity, you will configure VPN profiles through the Settings app.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Task: Create VPN Profile
1. Click on the Start button and select Settings (gear icon).
2. In the Settings app, browse to Network & Internet > VPN.
3. Click Add a VPN connection.
4. In the Add a VPN connection pane, configure the following and click Save.
VPN provider: Windows (built-in)
Connection name: ContosoVPN
Server name or address: vpn1.contoso.com
VPN type: IKEv2
Type of sign-in info: Certificate
5. Under Related settings, click Change adapter options.
6. In the Network Connections window, right-click on ContosoVPN and select
Properties.
7. In the ContosoVPN Properties window, go to the Security tab.
8. Under Authentication, select Use machine certificates then click OK.
Task: Connect to VPN
9. In the CLIENT2 Virtual Machine Settings, change the network from Corpnet vSwitch to Internet vSwitch.
10. In the Settings app, select ContosoVPN then click Connect.
11. Open a command prompt and ping DC1.corp.contoso.com.
Note: Ping should get a reply to confirm VPN connection.
Task: Delete VPN Profile
12. In the Settings app, select ContosoVPN then click Disconnect.
13. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.2.2 PowerShell and ProfileXML

In this activity, you will configure VPN profiles through PowerShell and ProfileXML.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Task: Create VPN Profile
1. Click the Start button and type PowerShell. Right-click Windows PowerShell ISE and select Run as administrator.
2. In the User Account Control window, click Yes.
3. In the Windows PowerShell ISE window, click File > Open and browse to
C:\Scripts folder.
4. Select the VPN_Base.ps1 file and click Open.
5. Review elements in the script.
6. In the PowerShell Console pane, execute the following command:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
7. Select Yes to All.
8. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the
script.
Task: Connect to VPN
9. In the Settings app, select ContosoVPN then click Connect.
10. Open a command prompt and ping DC1.corp.contoso.com.
Note: Ping should get a reply to confirm VPN connection.
Task: Delete VPN Profile
11. In the Settings app, select ContosoVPN then click Disconnect.
12. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.3 Configure Always-On


In this activity, you will configure VPN to be Always-On.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Task: Configure Always-On
1. In the Windows PowerShell ISE for VPN_Base.ps1, modify the script by adding the tag below after the <DnsSuffix> tag.
<AlwaysOn>true</AlwaysOn>
2. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the
script.
3. Click OK in the dialog box.
Task: Verify Always-On Configuration
4. Get-WmiInstance output is displayed in the PowerShell Console pane. Scroll up the screen and review the AlwaysOn property to make sure it is set to true.
Task: Test the Auto-Connection during a Network Change Event
5. Open a command prompt and ping DC1.corp.contoso.com -t.
6. In the CLIENT2 Virtual Machine Settings, change the network from Internet vSwitch to Corpnet vSwitch.
Note: Wait for a couple of seconds to 1 minute before proceeding to the next step.
7. In the CLIENT2 Virtual Machine Settings, change the network from Corpnet
vSwitch to Internet vSwitch.
8. View the command prompt and confirm VPN connection.
Note: Ping should get a reply to confirm VPN connection.
9. In the Settings app, confirm that ContosoVPN is Connected.
Task: Test the Auto-Connection during a User Logon
10. Close all applications and sign out.
11. Open a command prompt and ping DC1.corp.contoso.com.
Note: Ping should get a reply to confirm VPN connection.
12. In the Settings app, confirm that ContosoVPN is Connected.
Task: Delete VPN Profile
13. In the Settings app, select ContosoVPN then click Disconnect.
14. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.4 Configure Trusted Network Detection


In this activity, you will walk through how to configure trusted network detection for VPN.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Task: Configure Trusted Network Detection
1. Click the Start button and type PowerShell. Right-click Windows PowerShell ISE and select Run as administrator.
2. In the User Account Control window, click Yes.
3. In the Windows PowerShell ISE window, click File > Open and browse to
C:\Scripts folder.
4. Select the VPN_Base.ps1 file and click Open.
5. In the Windows PowerShell ISE for VPN_Base.ps1, modify the script by adding
the tag below after the <AlwaysOn> tag.
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
6. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the
script.
7. Click OK in the dialog box.
Task: Verify Trusted Network Detection Configuration
8. Get-WmiInstance output is displayed in the PowerShell Console pane. Scroll up the screen and review the TrustedNetworkDetection property to make sure it is set to contoso.com.
Task: Test the Trusted Network Detection Configuration
9. Open the Settings app and browse to Network & Internet > VPN.
10. In the CLIENT2 Virtual Machine Settings, change the network from Internet vSwitch to Not connected.
11. In the CLIENT2 Virtual Machine Settings, change the network from Not
connected to Internet vSwitch.
Note: Wait for a couple of seconds to 1 minute before proceeding to the next step.
12. In the Settings app, confirm that ContosoVPN is Connected as expected.
13. In the CLIENT2 Virtual Machine Settings, change the network from Internet
vSwitch to Corpnet vSwitch.
14. In the Settings app, confirm that ContosoVPN is Connecting or Not Connected.
Task: Delete VPN Profile
15. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.5 Configure App-Triggers


In this activity, you will walk through how to configure VPN application triggers.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Task: Configure Application Trigger
1. Click the Start button and type PowerShell. Right-click Windows PowerShell ISE and select Run as administrator.
2. In the User Account Control window, click Yes.
3. In the Windows PowerShell ISE window, click File > Open and browse to
C:\Scripts folder.
4. Select the VPN_Base2.ps1 file and click Open.
5. In the Windows PowerShell ISE for VPN_Base2.ps1, modify the script by
adding the tags below after the </NativeProfile> tag.
<AppTrigger>
<App>
<Id>C:\Windows\System32\mstsc.exe</Id>
</App>
</AppTrigger>
6. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the
script.
7. Click OK in the dialog box.
Task: Test the Application Trigger Configuration
8. In the CLIENT2 Virtual Machine Settings, change the network from Corpnet vSwitch to Internet vSwitch.
Note: Wait for a couple of seconds to 1 minute before proceeding to the next step.
9. In the Settings app, confirm that ContosoVPN is Not Connected.
Note: AlwaysOn tag was removed therefore the ContosoVPN profile did not automatically
connect.
10. Right-click on the Start button and select Run.
11. In the Run window, enter mstsc then click OK.
12. In the Remote Desktop Connection window, connect to the
DC1.corp.contoso.com server.
13. In the Enter your credentials window, login as corp\LabAdmin.
14. In the Settings app, confirm that ContosoVPN is Connected.
Note: Launching the Remote Desktop application will trigger the ContosoVPN connection
and will remain connected while the application is running.
Test Traffic across 15. Right-click on the Start button and select Run.
the VPN 16. In the Run window, enter \\DC1 then click OK.
Connection
Note: You will be able to connect to DC1 via SMB through the VPN connection. The VPN
connection is not limited to RDP traffic.
17. Close the SMB and RDC connection to DC1.
Delete VPN Profile 18. In the Settings app, select ContosoVPN then click Disconnect.
19. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.6 Add Traffic Filters


In this activity, you will walk through how to configure VPN traffic filters.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Configure Traffic Filters:
1. Click the Start button and type PowerShell. Right-click Windows PowerShell ISE and select Run as administrator.
2. In the User Account Control window, click Yes.
3. In the Windows PowerShell ISE window, click File > Open and browse to the C:\Scripts folder.
4. Select the VPN_Base2.ps1 file and click Open.
5. In the Windows PowerShell ISE for VPN_Base2.ps1, modify the script by adding the tags below after the </AppTrigger> tag.
    <TrafficFilter>
        <App>
            <Id>C:\Windows\System32\mstsc.exe</Id>
        </App>
    </TrafficFilter>
6. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the script.
7. Click OK in the dialog box.
Test the Traffic Filter Configuration:
Note: Make sure the TEST VM is connected to the Internet vSwitch.
8. In the Settings app, confirm that ContosoVPN is Not Connected.
Note: The AlwaysOn tag was removed, therefore the ContosoVPN profile did not connect automatically.
9. Right-click on the Start button and select Run.
10. In the Run window, enter mstsc then click OK.
11. In the Remote Desktop Connection window, connect to the DC1.corp.contoso.com server.
12. In the Enter your credentials window, log in as corp\LabAdmin.
13. In the Settings app, confirm that ContosoVPN is Connected.
Note: Launching the Remote Desktop application triggers the ContosoVPN connection, which remains connected while the application is running.
14. Right-click on the Start button and select Run.
15. In the Run window, enter \\DC1 then click OK.
Note: You will not be able to connect to DC1 via SMB through the VPN connection. Only RDP traffic is allowed through the VPN connection.
Delete VPN Profile:
16. Close the RDC connection to DC1.
17. In the Settings app, select ContosoVPN then click Disconnect.
18. In the Settings app, select ContosoVPN, then click Remove | Remove.

5.7.7 Configure Name-Based Connection Triggers


In this activity, you will walk through how to configure name-based connection triggers for VPN.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Configure Name-Based Connection Trigger:
1. Click the Start button and type PowerShell. Right-click Windows PowerShell ISE and select Run as administrator.
2. In the User Account Control window, click Yes.
3. In the Windows PowerShell ISE window, click File > Open and browse to the C:\Scripts folder.
4. Select the VPN_Base3.ps1 file and click Open.
5. In the Windows PowerShell ISE for VPN_Base3.ps1, modify the script by adding the tags below after the </NativeProfile> tag.
    <DomainNameInformation>
        <DomainName>.</DomainName>
    </DomainNameInformation>
    <DomainNameInformation>
        <DomainName>.corp.contoso.com</DomainName>
        <DnsServers>10.0.0.6</DnsServers>
        <AutoTrigger>true</AutoTrigger>
    </DomainNameInformation>
6. In the Windows PowerShell ISE, select the Play icon (Run Script) to execute the script.
7. Click OK in the dialog box.
Test the Name-Based Trigger Configuration:
Note: Make sure the TEST VM is connected to the Internet vSwitch.
8. In the Settings app, confirm that ContosoVPN is Not Connected.
Note: The AlwaysOn tag was removed, therefore the ContosoVPN profile did not connect automatically.
9. Open the Microsoft Edge browser from the taskbar.
10. In the Microsoft Edge address bar, enter http://DC1.corp.contoso.com
Note: You might have to install IIS on DC1 if it is not already installed.
11. In the Settings app, confirm that ContosoVPN is Connected.
Note: The IIS default page for DC1 will load. The ContosoVPN connection was initiated because there was a DNS query for *.corp.contoso.com.
Delete VPN Profile:
12. Close the Microsoft Edge browser.
13. In the Settings app, select ContosoVPN then click Disconnect.
14. In the Settings app, select ContosoVPN, then click Remove | Remove.
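The three trigger elements from sections 5.7.5 to 5.7.7 combined into one ContosoVPN ProfileXML and deployed through the VPNv2 CSP WMI bridge class (MDM_VPNv2_01), as an added example that is not the lab's VPN_Base2.ps1 or VPN_Base3.ps1, whose contents the guide does not show. Assumed and not from the lab: the server name vpn.contoso.com, MSChapv2 as the user authentication method, and the protocol, port and address limits added to the traffic filter, which go beyond the app-only filter the lab uses.

```powershell
# Added example, not the lab's VPN_Base2.ps1 / VPN_Base3.ps1. Builds one
# ContosoVPN ProfileXML with the app trigger (5.7.5), traffic filter (5.7.6)
# and name-based trigger (5.7.7) and deploys it through the VPNv2 CSP WMI
# bridge. Run elevated on CLIENT2. Assumptions not taken from the lab: the
# server name, MSChapv2 as user method (use certificate EAP in production),
# and the protocol/port/address limits in the traffic filter.

$ProfileName = 'ContosoVPN'

# Base profile. Everything below is appended after </NativeProfile>, which is
# where the lab has you paste the trigger tags by hand.
$NativeProfile = @"
<NativeProfile>
  <Servers>vpn.contoso.com</Servers>
  <NativeProtocolType>IKEv2</NativeProtocolType>
  <Authentication>
    <UserMethod>MSChapv2</UserMethod>
  </Authentication>
  <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
"@

# No <AlwaysOn> element: the tunnel should come up only when a trigger fires.
# TrustedNetworkDetection (5.7.4) tells the platform not to auto-connect while
# the client is on the corporate network.
$Trusted = '<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>'

# 5.7.5: launching mstsc.exe raises the tunnel and holds it while it runs.
$AppTrigger = @"
<AppTrigger>
  <App><Id>C:\Windows\System32\mstsc.exe</Id></App>
</AppTrigger>
"@

# 5.7.7: a DNS query under .corp.contoso.com also raises the tunnel and is sent
# to the internal DNS server. The "." entry leaves every other name on the
# interface's normal resolver.
$DomainInfo = @"
<DomainNameInformation>
  <DomainName>.</DomainName>
</DomainNameInformation>
<DomainNameInformation>
  <DomainName>.corp.contoso.com</DomainName>
  <DnsServers>10.0.0.6</DnsServers>
  <AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
"@

# 5.7.6: only mstsc.exe may send through the tunnel (the SMB attempt from
# Explorer in the lab is dropped). Protocol 6 / port 3389 / the corpnet range
# narrow it further to RDP only; these three values are assumptions.
$TrafficFilter = @"
<TrafficFilter>
  <App><Id>C:\Windows\System32\mstsc.exe</Id></App>
  <Protocol>6</Protocol>
  <RemotePortRanges>3389</RemotePortRanges>
  <RemoteAddressRanges>10.0.0.0/24</RemoteAddressRanges>
</TrafficFilter>
"@

$ProfileXML = "<VPNProfile>$NativeProfile$Trusted$AppTrigger$DomainInfo$TrafficFilter</VPNProfile>"

# The bridge expects the XML as an escaped string inside the CIM property.
$Escaped = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_VPNv2_01'
$parentId   = './Vendor/MSFT/VPNv2'
$instanceId = $ProfileName -replace ' ', '%20'

$session = New-CimSession
try {
    # Remove an existing profile of the same name so the run is repeatable.
    foreach ($existing in $session.EnumerateInstances($namespace, $className)) {
        if ($existing.InstanceID -eq $instanceId) {
            $session.DeleteInstance($namespace, $existing)
        }
    }

    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($p in @(
        @{ Name = 'ParentID';   Value = $parentId;   Flag = 'Key' },
        @{ Name = 'InstanceID'; Value = $instanceId; Flag = 'Key' },
        @{ Name = 'ProfileXML'; Value = $Escaped;    Flag = 'Property' })) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
    }
    $null = $session.CreateInstance($namespace, $instance)

    # Same check as step 8 of 5.7.4: read the stored profile back from the CSP.
    $session.EnumerateInstances($namespace, $className) |
        Where-Object InstanceID -eq $instanceId |
        Select-Object InstanceID, ProfileXML
}
finally {
    $session | Remove-CimSession
}
```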

6 Security

In this module, you will go through Windows 10 capabilities that can help organizations be more secure. We will cover the following scenarios:

• Credential Guard
• BitLocker
• Windows Defender Advanced Threat Protection
• Windows Defender Anti-Virus
• Windows Hello for Business
• Windows Defender Exploit Guard
• Windows Information Protection
• Windows Defender Application Control
• Windows Defender Application Guard

1.1 Credential Guard


In this lab, you will activate Credential Guard.

Credential Guard provides an additional layer of protection for secrets, specifically domain user credentials, by storing them in an isolated container secured by Virtual Secure Mode (VSM), which is built on Virtualization Based Security (VBS).

This container is isolated from both the kernel and user mode, which makes it much harder for an attacker, even one who has already compromised the system, to steal credentials directly from the Local Security Authority Subsystem Service (LSASS), for example.

Before working on this lab, you must have:

• A physical computer with a Trusted Platform Module (TPM) chip (2.0 recommended) and a CPU with VT-x and VT-d capabilities.
• Windows 10 Enterprise running on the host.
• A local administrator account.
• It is recommended that you use a dedicated host for testing purposes. Please do not use your personal machines. Also, the host must not be domain joined to your company domain, so that there are no compliance or configuration/support issues.

1.1.1 Check Credential Guard Requirements


In this exercise, you will:
• Check if the requirements for Credential Guard are fulfilled.
• Manually activate Credential Guard and its dependencies.

Task Detailed Steps


Complete this activity on the Reference Device provided by the Customer.
System Verification:
1. Open MSINFO32.EXE (elevated) and check if:
    • BIOS Mode = UEFI
    • Secure Boot State = On
    • Hyper-V – Second Level Address Translation Extensions = Yes
    • Hyper-V – Virtualization Enabled in Firmware = Yes
    • Hyper-V – Data Execution Protection = Yes
2. If any of the above values are not enabled, then boot into your BIOS/UEFI and activate them.
3. Note that if UEFI is in CSM (compatibility) mode, changing it to UEFI Native will require the partition layout to be GPT instead of MBR (requires formatting the hard drive).
TPM Verification:
4. Open TPM.MSC and make sure that the TPM is turned on.
5. If the TPM is turned off or not visible, make sure that it exists physically and is enabled in BIOS/UEFI.
6. If the TPM is turned on but not initialized:
    a. Create the TPM owner password using the Automatically create the password option.
    b. In the Save your TPM owner password window, click Save the password, select a location to save the password, and then click Save (the file is saved as computer_name.tpm).
    c. Click Initialize.
    d. After this, the TPM should be ready for use.
Note: The recommended version of TPM is 2.0. Windows might refuse to activate Credential Guard if the computer contains an older TPM version/revision.
Enable Required Features:
7. Go to Control Panel > Programs > Turn Windows features on or off.
8. Check Hyper-V.
9. Click OK.
10. Restart the computer.
Note: Hyper-V supplies the virtualization core.

1.1.2 Modern Management


The following sections cover managing Credential Guard through modern management tools.

1.1.2.1 Configure Credential Guard using Intune

In this section you will configure Credential Guard using Intune.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Create Groups for use with Credential Guard Lab:
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values:
    GROUP TYPE: Security
    GROUP NAME: CredGuardDemo
    MEMBERSHIP TYPE: Assigned
    MEMBERS: TU1,TU2
7. Click Select | Create.
Creating an Intune Credential Guard Policy:
8. Close all browser windows.
9. Start Internet Explorer in InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create Profile”.
17. Fill out the form:
    Name: Cred Guard Demo
    Description: Cred Guard Demo
    Platform: Windows 10 and later
    Profile type: Custom
18. Select “Add” to add an OMA-URI setting.
19. Fill out the form and click OK:
    Name: Enable VBS
    Description: Enable VBS
    OMA-URI: ./Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
    Data type: Integer
    Value: 1
20. Click Add, fill out the form and click OK:
    Name: Enable Configure LsaCfgFlags
    Description: Enable Configure LsaCfgFlags
    OMA-URI: ./Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
    Data type: Integer
    Value: 1
21. Click Add and fill out the form:
    Name: Enable Configure Require Platform Security Features
    Description: Enable Configure Require Platform Security Features
    OMA-URI: ./Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
    Data type: Integer
    Value: 1
22. Select OK | OK.
23. Select Create.
24. Select Assignments.
25. Select “Select groups to include”.
26. Check and select “CredGuardDemo”.
27. Click on Save.
Complete these steps on the CLIENT3 virtual machine or a physical machine if your environment does not support nested virtualization.
Verify the Policy has been Applied and Working:
28. Log in to a machine as TU2@<AzureDomainName>.onmicrosoft.com.
29. Select Start.
30. Select Settings.
31. Select Accounts.
32. Select Access work or school.
33. Select Connected to <CompanyName> Azure AD.
34. Click Info.
35. Click Sync to force a policy update and confirm that the sync was successful.
36. Close Settings.
37. Reboot the machine.
38. Log back in using the same credentials.
39. Click Start.
40. Type and click “System Information”.
41. Verify that “Virtualization-based security is running”.
Note: After the first boot it should read “Enabled but not running”.
42. Reboot the machine again.
43. Click Start.
44. Type and click “System Information”.
45. Verify that “Virtualization-based Security is running”.
Note: It can take up to 3 reboots to see that it is running.

1.1.3 Traditional Management


The following sections cover managing Credential Guard through traditional management tools.

1.1.3.1 Configure VBS and Credential Guard

Now that the required features and components are in place, activate the Virtualization Based
Security and Credential Guard.

Task Detailed Steps


Complete this activity on the Reference Device provided by the Customer.
System Configuration:
1. Open gpedit.msc and accept the UAC prompt if required.
2. Go to Computer Configuration > Administrative Templates > System > Device Guard.
3. Edit the Turn On Virtualization Based Security policy by selecting Enabled.
4. Select Secure Boot in the Select Platform Security Level list.
5. Select Enabled with UEFI lock in the Credential Guard Configuration list.
6. Click Apply and OK.
7. Restart the computer, open “System Information” and verify that “Virtualization-based Security is running”.

1.1.3.2 Troubleshoot Credential Guard

After enabling all of the above features and settings, make sure that no errors were logged and
all the components are properly configured.

Task Detailed Steps


Complete this activity on the Reference Device provided by the Customer.
Logging:
1. Device Guard policies are logged in Event Viewer at Applications and Services Logs > Microsoft > Windows > DeviceGuard > Operational.
2. An event ID 7000 should be logged, which contains the selected settings within the policy (when successfully applied).
MSInfo32:
3. Open MSINFO32.EXE (elevated) and confirm that the options are defined as in the following screenshot.

Registry:
4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
5. Verify that EnableVirtualizationBasedSecurity is set to 1.
6. Verify that RequirePlatformSecurityFeatures is set to 1 (Secure Boot).
7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
8. Verify that LsaCfgFlags is set to 1.
Process:
9. Open Task Manager.
10. Verify the presence of LsaIso.exe.
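The registry values, event 7000 and LsaIso.exe checks above, together with the Win32_DeviceGuard WMI class that MSINFO32 and the verification steps in 1.1.2.1 rely on, gathered into one script. This is an added example, not part of the lab guide; it assumes an elevated PowerShell session on the configured device.

```powershell
# Added example, not part of the lab guide. Collects the Credential Guard
# evidence the troubleshooting steps gather by hand (registry, event log,
# process) plus the Win32_DeviceGuard class, and reports pass/fail per check.
# Run in an elevated PowerShell prompt on the configured device.

function Test-CredentialGuardState {
    $checks = [ordered]@{}

    # Registry: the values Group Policy (or the Intune OMA-URIs) should have set.
    $dg  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $checks['EnableVirtualizationBasedSecurity = 1']        = ($dg.EnableVirtualizationBasedSecurity -eq 1)
    $checks['RequirePlatformSecurityFeatures = 1 (Secure Boot)'] = ($dg.RequirePlatformSecurityFeatures -eq 1)
    $checks['LsaCfgFlags = 1 (enabled with UEFI lock)']     = ($lsa.LsaCfgFlags -eq 1)

    # Process: the isolated LSA runs as LsaIso.exe only while Credential Guard is active.
    $checks['LsaIso.exe running'] = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Event log: event 7000 in DeviceGuard/Operational records the applied policy settings.
    $applied = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceGuard/Operational'; Id = 7000
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $checks['DeviceGuard event 7000 logged'] = [bool]$applied

    # WMI: the same data MSINFO32 shows. VirtualizationBasedSecurityStatus 2 means
    # VBS is running; SecurityServicesRunning contains 1 when Credential Guard runs.
    $wmi = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $checks['VBS running (status 2)']              = ($wmi.VirtualizationBasedSecurityStatus -eq 2)
    $checks['Credential Guard running (service 1)'] = ($wmi.SecurityServicesRunning -contains 1)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-CredentialGuardState | Format-Table -AutoSize
```

A device that shows the registry checks passing but VBS not running is usually still within the reboot cycle the Intune steps describe; a device where VBS runs but service 1 is absent has VBS without Credential Guard, which points at LsaCfgFlags.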

1.2 BitLocker

In this section we will walk you through setting up BitLocker using modern and traditional management.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system
and addresses the threats of data theft or exposure from lost, stolen, or inappropriately
decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM)
version 1.2 or later. The TPM is a hardware component installed in many newer computers by
the computer manufacturers. It works with BitLocker to help protect user data and to ensure
that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this configuration requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can instead use an operating system volume password to protect the operating system volume on a computer without a TPM. Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the
user supplies a personal identification number (PIN) or inserts a removable device, such as a USB
flash drive, that contains a startup key. These additional security measures provide multifactor
authentication and assurance that the computer will not start or resume from hibernation until
the correct PIN or startup key is presented.

1.2.1 Modern Management


The following sections cover managing BitLocker through modern management tools.

1.2.1.1 Setup BitLocker with Intune

This section walks you through setting up BitLocker with Intune.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Create Groups:
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
    GROUP TYPE: Security
    GROUP NAME: BitLockerDemo
    MEMBERSHIP TYPE: Assigned
    MEMBERS: TU1,TU2
7. Click Create.
Configure Windows BitLocker:
8. On the left navigation bar, click All Services.
9. Enter “Intune” in search.
10. Click on Intune.
11. Under Manage select “Device configuration”.
12. Under Manage select “Profiles”.
13. Select “+ Create profile”.
14. Name the new profile “Bitlocker Demo”.
15. For Platform select “Windows 10 and later”.
16. For Profile type select “Endpoint protection”.
17. Select “Windows Encryption” under Settings.
18. Fill out the form and click OK:
    Encrypt devices: Require
    Encrypt storage card: Not configured
    Warning for other disk encryption: Not configured
    Configure encryption method: Enable
    Encryption for operating system drives: XTS-AES 128-bit
    Encryption for fixed data-drives: XTS-AES 128-bit
    Encryption for removable data-drives: AES-CBC 128-bit
    Additional authentication at startup: Not configured
Note: The remaining settings are left unconfigured.
19. Click OK and click Create.
20. Click Assignments and click Select groups to include.
21. Check BitLockerDemo and click Select.
22. Click Save.
Complete these steps on the CLIENT3 virtual machine or a physical machine if your environment does not support nested virtualization.
Verify the Policy has been Applied and Working:
23. Log in to a machine as TU2@<AzureDomainName>.onmicrosoft.com.
24. Select Start.
25. Select Settings.
26. Select Accounts.
27. Select Access work or school.
28. Select Connected to <CompanyName> Azure AD.
29. Click Info.
30. Click Sync to force a policy update and confirm that the sync was successful.
31. A notification, Encryption needed, appears asking you to start encryption.

1.2.2 Traditional Management


This section describes how to install and configure MBAM server and client components. The
server components can be installed using two possible topologies:

• Stand Alone
• Configuration Manager

Both of these installations include the following components: Self-Service Portal, Key Database,
Reports Database, Reports, Administration Monitoring Server, Group Policy Template.

To configure MBAM the following tasks need to be performed:

1. Create a GPO to apply MBAM settings to client devices.
2. Test the configuration on a client device.
3. Connect to the Self-Service Portal.
4. Connect to the Helpdesk Portal.

1.2.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.
Download MDOP Group Policy Templates:
1. Open Internet Explorer and browse to the URL below.
    https://www.microsoft.com/en-us/download/details.aspx?id=55531
2. Click Download and save the MDOP_ADMX_Templates.cab file to C:\packages.
3. On the taskbar, open File Explorer, browse to C:\packages and create a folder named MDOPGPO.

1.2.2.2 Create and Deploy MBAM Settings

This activity will guide you through creating and deploying a group policy object that will
enforce the configuration of MBAM and BitLocker on the targeted devices.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.
Create and Deploy MBAM Policies:
1. Right-click on the Start button and select Command Prompt (Admin).
2. In the Command Prompt window, change the working directory to C:\packages.
3. In the Command Prompt window, enter the following command.
    expand MDOP_ADMX_Templates.cab -F:* C:\packages\MDOPGPO
4. Copy all the contents of C:\packages\MDOPGPO\MBAM2.5SP1 to the Policy Central Store C:\Windows\SYSVOL\sysvol\corp.contoso.com\Policies\PolicyDefinitions.
5. Open the Group Policy Management console.
6. Navigate to Group Policy Management / Forest: corp.contoso.com / Domains / corp.contoso.com.
7. Right-click corp.contoso.com, then click Create a GPO in this domain, and Link it here…
8. In the Name field type MBAM Client Configuration, then click OK.
9. Expand corp.contoso.com, right-click on MBAM Client Configuration and select Edit…
10. Navigate to Computer Configuration / Policies / Administrative Templates / Windows Components / MDOP MBAM (BitLocker Management).
11. Configure the suggested default settings as outlined in the Planning for MBAM 2.0 Group Policy Requirements guide, http://technet.microsoft.com/en-us/library/dn186164.aspx. Refer to the screenshot below for the settings.
Note: To use MBAM on a virtual machine, ensure that Allow BitLocker without a compatible TPM is checked. Ensure that group policies are updated on the CLIENT2 virtual machine.

1.2.2.3 Test MBAM Configuration

This activity will guide you through the client experience of MBAM assuming control of
BitLocker management.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Install MBAM Agent:
1. Install the MBAM client from \\APP1\C$\packages\Sources\MBAM 2.5 SP1\x64\MBAMClientSetup.exe.
2. Click Yes on the UAC prompt.
3. Click I accept, click Next and complete the installation.
Reduce the MBAM Client Startup Delay:
4. From the Start screen, find and start Regedit. Accept the UAC prompt if required.
5. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\MBAM.
6. Create a DWORD value named NoStartupDelay.
7. Set the value of NoStartupDelay to 1.
8. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement.
9. Update the value of ClientWakeupFrequency to 1.
10. Update the value of StatusReportingFrequency to 1.
MBAM Client:
11. Open an Administrative Command Prompt and execute gpupdate /force.
12. Restart TEST to force a full group policy update and start the BitLocker Management Client Service from the Services MMC console.
13. A window appears asking you to start encryption.

1.2.2.4 Connect to Self-Service Portal

The following activity may be used to demonstrate the access and use of the Self-Service portal
provided by MBAM.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Access the MBAM Self-Service Portal:
1. In Internet Explorer enter the following URL: http://app1.corp.contoso.com/selfservice, where app1.corp.contoso.com is the path to the MBAM server.
2. When prompted enter the user credentials corp\labadmin and P@ssw0rd and click OK.
3. Review the portal. Check the box next to I have read and understand the above notice, click Continue and then review the next page.

1.2.2.5 Connect to the Helpdesk Portal

The following activity may be used to demonstrate the access and use of the Helpdesk portal
provided by MBAM.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.
Access the MBAM Helpdesk Portal:
1. In Internet Explorer enter the following URL: http://app1.corp.contoso.com/helpdesk, where app1.corp.contoso.com is the path to the MBAM server.
2. When prompted enter the user credentials corp\labadmin and P@ssw0rd and click OK.
3. Review the portal. Click System Overview, Reports, Drive Recovery and Manage TPM.

1.3 Windows Defender Advanced Threat Protection


Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service
that enables enterprise customers to detect, investigate, and respond to advanced threats on
their networks.

Windows Defender ATP uses the following combination of technology built into Windows 10
and Microsoft's robust cloud service:

• Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.
• Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
• Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

In this section, you will learn how to configure and use Windows Defender ATP to detect and
respond to threats.

Note: This lab can only be performed if the customer has already registered and been approved for the Microsoft WDATP Preview/Trial program (Section 3.2.3).

1.3.1 Onboarding Windows 10 Device


In this activity, you onboard your first Windows 10 client to Windows Defender Advanced Threat
Protection.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Download the Onboarding Package:
1. Log in to the device.
2. Navigate to https://securitycenter.windows.com/
3. Sign in to the portal with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the Getting started page, click Next.
5. On the Set up your preferences page, select the appropriate data storage location and click Next.
6. Select the appropriate data retention policy and click Next.
7. Select your appropriate organization size and click Next.
8. Select your appropriate industry and click Next.
9. Select the appropriate preview experience option and click Next.
10. Click Continue to create a cloud instance. It will start creating your Windows Defender ATP cloud instance.
11. On the Endpoint onboarding page, under the Select your deployment tool dropdown, select Local Script (for up to 10 machines) and click Download package. Once downloaded, click Finish.
12. Click Save as and save the package to C:\.
Execute the Onboarding Package:
13. Navigate to C:\, right-click the package and click Extract All…
14. Click Extract.
15. Navigate to the extracted package, right-click on the script file and click Edit.
Note: Observe the registry paths the script writes to, and the log and Event ID it creates with eventcreate when onboarding succeeds.
16. Close Notepad.
17. Right-click the script file and click Run as administrator. Press Y to confirm and continue. Press any key to continue.
18. After 5-10 minutes the device should start reporting to the portal.
Configure the Sample Collection Setting:
19. Click the Start menu and type regedit, right-click and choose Run as administrator.
20. Locate the following registry path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
21. Create a DWORD value AllowSampleCollection and set it to 1.
Note: This allows file samples to be collected from the machine through the portal for deeper investigation. No samples are collected automatically; collection is initiated by the administrator.
Verify the Deployment Success:
22. Check that the SENSE service is running by opening the Command Prompt and running: sc query sense. The STATE should be 4 and should be RUNNING.
23. Open Event Viewer (Local) > Windows Logs > Application log and locate Event ID 20 from the source WDATPOnboarding.
24. Open Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > SENSE > Operational log. Check for Event ID 4 to make sure that the SENSE service is reporting a successful server connection every 5 minutes. Connection frequency may vary depending on factors like battery state.
25. Go to the https://securitycenter.windows.com/ portal, then choose Machines View; on the right, locate your machine on the list. Its Health State should be Active.
Install Office (If Not Installed):
26. Go to https://portal.office.com and sign in as TU2@<AzureDomainName>.onmicrosoft.com.
27. Click Install Office 2016.
28. Click Run.
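Steps 22 to 24 (service state, onboarding event 20, SENSE event 4) and the AllowSampleCollection value from step 21 as one script. It is added here and is not part of the lab or of the onboarding package; it assumes an elevated PowerShell session on the onboarded client and that the Application log source written by the package is named WDATPOnboarding, as the guide states.

```powershell
# Added example, not part of the lab guide or the onboarding package.
# Reads the same signals the verification steps above check by hand and
# reports pass/fail per check. Run elevated on the onboarded CLIENT2.

function Test-WdatpOnboarding {
    param([int]$ConnectionWindowMinutes = 15)   # sensor reports roughly every 5 min
    $checks = [ordered]@{}

    # Step 22: equivalent of "sc query sense" showing STATE 4 RUNNING.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $checks['SENSE service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Step 23: the onboarding script logs event 20 from source WDATPOnboarding.
    $onboarded = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'WDATPOnboarding'; Id = 20
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $checks['Application event 20 (WDATPOnboarding)'] = ($null -ne $onboarded)

    # Step 24: SENSE/Operational event 4 = successful server connection.
    # Look only at the recent window so a stale success does not mask a sensor
    # that has since stopped reporting.
    $since = (Get-Date).AddMinutes(-$ConnectionWindowMinutes)
    $connected = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 4; StartTime = $since
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $checks["SENSE event 4 in last $ConnectionWindowMinutes min"] = ($null -ne $connected)

    # Step 21: the policy value that lets an analyst request a file sample.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $allow = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).AllowSampleCollection
    $checks['AllowSampleCollection = 1'] = ($allow -eq 1)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-WdatpOnboarding | Format-Table -AutoSize
```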

1.3.2 Perform Simulation


In this activity, you will go step-by-step through a typical attack sequence that you will run
yourself.

Note: The setup guide also contains instructions and links for the attack demo.

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.
Follow the Demo Attack Simulation Guidance:
1. Click the link to open the WinATP-Intro-Invoice.doc Word document from the setup guide.
2. Since the device has Office 2016 installed, click Yes and OK on the Office 2016 security prompts.
3. Enter the password to open the Word document and click OK. The password is provided in the setup guide.
4. Click Enable Content on the opened Word document.
5. Click OK on the prompt.
6. A backdoor will run in a command window. Press any key to close.
7. You will now be able to see that an Active alert has been reported to Windows Defender Advanced Threat Protection by the device. Navigate through the portal for further details on the attack and ways to remediate.

1.4 Windows Defender Antivirus
Windows Defender Antivirus keeps your PC safe with trusted antivirus protection built into Windows 10. Windows Defender Antivirus delivers comprehensive, ongoing and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud and the web.

In this section you can use modern or traditional management to configure WDAV.

1.4.1 Modern Management


The following sections cover managing Windows Defender Antivirus through modern management tools.

1.4.1.1 Configuring Windows Defender using Intune

In this section you are going to configure Windows Defender using Intune.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Create Groups for 1. Close all browser windows.
use with Windows 2. Start Internet Explorer InPrivate mode.
Defender Anti- 3. Navigate to https://portal.azure.com and Sign in with
Virus Lab labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All
groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WDAVDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Creating an Intune 8. Close all browser windows.
Windows Defender Antivirus Policy
9. Start Internet Explorer InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click + Create profile.
17. In the Name, enter WDAV Demo.
18. In the Platform, select Windows 10 and later.
19. In the Profile type, select “Device restrictions”.
20. Select Configure.
21. Select Windows Defender Antivirus.
22. Fill in the form:
    Real-time monitoring: Enable
    Behavior monitoring: Enable
    Network Inspection System (NIS): Enable
    Scan all downloads: Enable
    Scan scripts loaded in Microsoft web browsers: Enable
    End-user access to Defender: Block
    Signature update interval (in hours): 2
    Monitor file and program activity: Monitor incoming files only
    Days before deleting quarantined malware: 90
    CPU usage limit during a scan: 10
    Scan archive files: Enable
    Scan incoming mail messages: Enable
    Scan removable drives during a full scan: Enable
    Scan mapped network drives during a full scan: Not configured
    Scan files opened from network folders: Enable
    Cloud-delivered protection: Enable
    File Blocking Level: Not configured
    Time extension for file scanning by the cloud: 50
    Prompt users before sample submission: Prompt before sending personal data
    Time to perform a daily quick scan: Not configured
    Type of system scan to perform: Not configured
    Detect potentially unwanted applications: Block
    Actions on detected malware threats: Enable
    Low severity: Quarantine
    Moderate severity: Quarantine
    High severity: Quarantine
    Severe severity: Quarantine
    Note: No exclusions will be configured.
23. Select OK.
24. Select OK.
25. Select Create.
26. Select Assignments.
27. Select “Select groups to include”.
28. Check and select “WDAVDemo”.
29. Click on Save.

Complete these steps on the CLIENT3 virtual machine or a physical machine if your environment does not support nested virtualization.

Verify the Policy has been Applied and Working
30. Login to a machine as TU2@<AzureDomainName>.onmicrosoft.com.
31. Select Start.
32. Select Settings.
33. Select Accounts.
34. Select Access work or school.
35. Select Connected to <CompanyName> Azure AD.
36. Click Info.
37. Click Sync to force a policy update and confirm that the sync was successful.
38. Close Settings.
39. Reboot the machine.
40. Log back in with the same credentials.
41. Click Start.
42. Type and click “Windows Defender Settings”.
43. Click on “Virus & threat protection”.
Note: Notice that the page is not available because of our policy. Click OK.
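Beyond the blocked settings page, the effective Defender configuration on CLIENT3 can be compared with the values chosen in the WDAV Demo profile. This is an added example, not part of the lab guide; the mapping from each Intune setting to a Get-MpPreference property is my own, settings left “Not configured” are skipped, and the sample-submission option is omitted because its numeric mapping is not given on the page.

```powershell
# Added example (not part of the lab guide): compare the effective Defender
# settings on CLIENT3 with the values chosen in the WDAV Demo profile.
# The Intune-setting -> Get-MpPreference property mapping below is my own.

function Get-ExpectedWdavDemoSettings {
    # One entry per configured Intune setting: property, expected value, label.
    @(
        @{ Property = 'DisableRealtimeMonitoring';        Expected = $false; Setting = 'Real-time monitoring: Enable' }
        @{ Property = 'DisableBehaviorMonitoring';        Expected = $false; Setting = 'Behavior monitoring: Enable' }
        @{ Property = 'DisableIntrusionPreventionSystem'; Expected = $false; Setting = 'Network Inspection System: Enable' }
        @{ Property = 'DisableIOAVProtection';            Expected = $false; Setting = 'Scan all downloads: Enable' }
        @{ Property = 'DisableScriptScanning';            Expected = $false; Setting = 'Scan scripts in browsers: Enable' }
        @{ Property = 'UILockdown';                       Expected = $true;  Setting = 'End-user access to Defender: Block' }
        @{ Property = 'SignatureUpdateInterval';          Expected = 2;      Setting = 'Signature update interval: 2 hours' }
        @{ Property = 'RealTimeScanDirection';            Expected = 1;      Setting = 'Monitor incoming files only' }
        @{ Property = 'QuarantinePurgeItemsAfterDelay';   Expected = 90;     Setting = 'Days before deleting quarantined malware: 90' }
        @{ Property = 'ScanAvgCPULoadFactor';             Expected = 10;     Setting = 'CPU usage limit during a scan: 10' }
        @{ Property = 'DisableArchiveScanning';           Expected = $false; Setting = 'Scan archive files: Enable' }
        @{ Property = 'DisableEmailScanning';             Expected = $false; Setting = 'Scan incoming mail messages: Enable' }
        @{ Property = 'DisableRemovableDriveScanning';    Expected = $false; Setting = 'Scan removable drives: Enable' }
        @{ Property = 'DisableScanningNetworkFiles';      Expected = $false; Setting = 'Scan files opened from network folders: Enable' }
        @{ Property = 'CloudExtendedTimeout';             Expected = 50;     Setting = 'Time extension for cloud scanning: 50' }
        @{ Property = 'PUAProtection';                    Expected = 1;      Setting = 'Detect potentially unwanted applications: Block' }
        @{ Property = 'LowThreatDefaultAction';           Expected = 2;      Setting = 'Low severity: Quarantine' }
        @{ Property = 'ModerateThreatDefaultAction';      Expected = 2;      Setting = 'Moderate severity: Quarantine' }
        @{ Property = 'HighThreatDefaultAction';          Expected = 2;      Setting = 'High severity: Quarantine' }
        @{ Property = 'SevereThreatDefaultAction';        Expected = 2;      Setting = 'Severe severity: Quarantine' }
    )
}

function Test-WdavDemoPolicy {
    param($Preference = (Get-MpPreference))
    foreach ($item in Get-ExpectedWdavDemoSettings) {
        $actual = $Preference.($item.Property)
        [pscustomobject]@{
            Setting  = $item.Setting
            Property = $item.Property
            Expected = $item.Expected
            Actual   = $actual
            Matches  = ($actual -eq $item.Expected)
        }
    }
    # Cloud-delivered protection: any non-zero MAPSReporting level
    # (1 = basic, 2 = advanced) means it is switched on.
    [pscustomobject]@{
        Setting = 'Cloud-delivered protection: Enable'; Property = 'MAPSReporting'
        Expected = 'not 0'; Actual = $Preference.MAPSReporting
        Matches = ($Preference.MAPSReporting -ne 0)
    }
}

$report = Test-WdavDemoPolicy
$report | Format-Table Setting, Expected, Actual, Matches -AutoSize
$failed = @($report | Where-Object { -not $_.Matches })
if ($failed.Count -eq 0) {
    'All WDAV Demo settings are in effect.'
} else {
    '{0} setting(s) differ from the profile; re-run Sync under Access work or school and check the device in Intune.' -f $failed.Count
}
# The MDM client also records the delivered Defender policy values here:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender' -ErrorAction SilentlyContinue
```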

1.4.2 Traditional Management


Follow the sections below for managing Windows Defender Antivirus through traditional
management tools.

1.4.2.1 WDAV

In this section you will configure SCCM to manage WDAV on clients.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.

Add “Endpoint Protection Role” to your Site
1. Open the Configuration Manager Console from the Start Menu.
2. From the Configuration Manager Console, browse to Administration.
3. Expand Site Configuration.
4. Click on Servers and Site System Roles.
5. Right-click on CM1.corp.contoso.com.
6. Select Add Site System Roles.
7. Click Next on the Add Site System Roles Wizard.
8. Click Next on the Specify Internet proxy server page.
9. Check Endpoint Protection Point.
10. Click OK.
11. Click Next.
12. Check the box to Accept License.
13. Click Next.
14. Click Next.
15. Click Next.
16. Click Close.

Enable SCCM to Manage Client Endpoint Protection
17. Click Administration.
18. Click on Client Settings.
19. Right-click on Default Client Settings.
20. Click on Properties.
21. Click on Endpoint Protection.
22. Change Manage Endpoint Protection client on client computers to Yes.
23. Click on OK.

Create a Collection
24. Open the Configuration Manager Console from the Start Menu.
25. From the Configuration Manager Console, browse to Assets and Compliance.
26. Click on Devices.
27. Right-click on CLIENT1.
28. Click on Add Selected Items.
29. Select Add Selected Items to New Device Collection.
30. Enter WDAV Client1 for the collection name.
31. Limit the collection to All Desktop and Server Clients.
32. Select Next.
33. Select Next.
34. Select Next.
35. Select Close.

Creating a Custom Antimalware Policy
36. Open the Configuration Manager Console from the Start Menu.
37. From the Configuration Manager Console, browse to Assets and Compliance.
38. Expand Endpoint Protection.
39. Click on Antimalware Policies.
40. Click on Create Antimalware Policy.
41. Fill out the form:
    Name: WDAV Demo Policy
    Description: WDAV Demo Policy
    Check the following boxes:
    Schedule scans
    Scan settings
    Default actions
    Real-time protection
    Exclusion settings
    Advanced
    Threat overrides
    Cloud Protection Service
    Definition updates
42. Click on OK.
43. Right-click on WDAV Demo Policy.
44. Click Deploy.
45. In the right-hand pane, click on WDAV CLIENT1.
46. Click OK.

Complete these steps on the CLIENT1 virtual machine.

Check Policy Configuration
47. Open Control Panel.
48. Search for Configuration Manager.
49. Open Configuration Manager.
50. Click on the Actions tab.
51. Click on Machine Policy Retrieval & Evaluation Cycle.
52. Click on Run Now. Click OK.
53. Wait 3 to 5 minutes, then continue.
54. Click Start.
55. Type Windows Defender Security Center.
56. Open Windows Defender Security Center.
57. Click on Virus and threat protection.
58. Click on Virus and threat protection settings.
59. Notice the message These settings are managed by your administrator.

1.5 Windows Hello for Business


Windows Hello for Business replaces username and password sign-in to Windows with strong
user authentication based on an asymmetric key pair.

In this lab, you will find all the information to deploy Windows Hello for Business in a Certificate
Trust Model in your on-premises environment.
1.5.1 Modern Management
Follow the sections below for managing Windows Hello for Business through modern
management tools.

1.5.1.1 Windows Hello for Business

In this lab we are going to setup Windows Hello for Business in the Cloud.

Task Detailed Steps


Complete these steps from an internet-connected Windows computer.
Configuring Windows Hello for Business
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services.
5. Enter “Intune” in search.
6. Click on Intune.
7. Select “Device enrollment”.
8. Select “Windows enrollment”.
9. Select “Windows Hello for Business”.
10. Choose the Default settings.
11. Select “Properties” and review.
12. Select “Settings”.
13. Enable “Windows Hello for Business”.
14. Review possible settings.
15. Select Save.

Complete these steps on the CLIENT4 virtual machine or a physical machine if your environment does not support nested virtualization.

Setting up your PIN for the First Time
16. Login for the first time to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com, assuming it is already Azure AD Joined and Autoenrolled into Intune.
17. Click “Set up PIN”.
18. Click “Set it up now”.
19. Select a verification method “Text message”.
20. Select a region that is correct for your cell phone.
21. Enter your phone number.
22. Select Next.
23. Retrieve the security code from your phone and enter it.
24. Select Next.
25. Enter a new PIN “2143” (or a PIN of your choice, just don’t forget it 😊 ).
26. Confirm your PIN “2143” and click OK. Click OK again. Now you will test your new PIN.
27. Sign out.
28. Sign back in using your PIN.
1.5.2 Traditional Management
Follow the sections below for managing Windows Hello for Business through traditional
management tools.

1.5.2.1 Validate Active Directory Prerequisites

The key registration process for the On-prem deployment of Windows Hello for Business needs
the Windows Server 2016 Active Directory schema. The key-trust model receives the schema
extension when the first Windows Server 2016 domain controller is added to the forest. The
certificate trust model requires manually updating the current schema to the Windows Server
2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you
can skip the next step.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.

Create the KeyCredential Admins Security Global Group
1. Open Active Directory Users and Computers.
2. Click View and click Advanced Features.
3. Expand the domain node from the navigation pane.
4. Right-click the Users container. Click New > Group.
5. Type KeyCredential Admins in the Group name text box.
6. Click OK.

Create the Windows Hello for Business Users Security Global Group
7. Right-click the Users container. Click New > Group.
8. Type Windows Hello for Business Users in the Group name text box.
9. Click OK.

1.5.2.2 Validate and Configure PKI

Windows Hello for Business must have a public key infrastructure regardless of the deployment
or trust model. All trust models depend on the domain controllers having a certificate. The
certificate serves as a root of trust for clients to ensure they are not communicating with a rogue
domain controller. The certificate trust model extends certificate issuance to client computers.
During Windows Hello for Business provisioning, the user receives a sign-in certificate.

Note: The following instructions may be used to deploy simple public key infrastructure that is
suitable for a lab environment.

Task Detailed Steps


Complete these steps on the DC1 virtual machine.

Configure a Domain Controller Certificate Template
1. Open the Certification Authority management console.
2. Right-click Certificate Templates and click Manage.
3. In the Certificate Templates Console, right-click the Kerberos Authentication template in the details pane and click Duplicate Template.
4. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
5. On the General tab, type Domain Controller Authentication (Kerberos) in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
6. On the Subject Name tab, select the Build from this Active Directory information button if it is not already selected. Select None from the Subject name format list. Select DNS name from the Include this information in alternate subject name list. Clear all other items.
7. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.
8. Close the console.

Configure an Internal Web Server Certificate Template
9. Right-click Certificate Templates and click Manage.
10. In the Certificate Templates Console, right-click the Web Server template in the details pane and click Duplicate Template.
11. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
12. On the General tab, type Internal Web Server in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
13. On the Request Handling tab, select Allow private key to be exported.
14. On the Subject Name tab, select the Supply in the request button if it is not already selected.
15. On the Security tab, click Add… Type Domain Computers in the Enter the object names to select box. Click Check Names | OK. Select the Allow check box next to the Enroll permission.
16. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.
17. Close the console.

Unpublish Superseded Certificate Templates
18. Click Certificate Templates in the navigation pane.
19. Right-click the Domain Controller certificate template in the content pane and select Delete. Click Yes on the Disable certificate templates window.
20. Repeat Step 19 for the Domain Controller Authentication and Kerberos Authentication certificate templates.

Publish Certificate Templates to the Certification Authority
21. Click Certificate Templates in the navigation pane.
22. Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.
23. In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Click OK to publish the selected certificate templates to the certification authority.
24. Close the console.

Configure and Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
25. Start the Group Policy Management Console (gpmc.msc).
26. Expand the domain and select the Group Policy Objects node in the navigation pane.
27. Right-click Group Policy Objects and select New.
28. Type Domain Controller Auto Certificate Enrollment in the Name box and click OK.
29. Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and click Edit.
30. In the navigation pane, expand Policies under Computer Configuration.
31. Expand Windows Settings, Security Settings, and click Public Key Policies.
32. In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
33. Select Enabled from the Configuration Model list.
34. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
35. Select the Update certificates that use certificate templates check box.
36. Click Apply and OK. Close the Group Policy Management Editor.
37. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the Domain Controllers organizational unit and click Link an Existing GPO…
38. In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created and click OK.
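Once the auto-enrollment GPO has applied on DC1, the domain controller should hold a certificate from the duplicated template with exactly the parameters chosen above (KSP, RSA 2048, SHA256, DNS name in the subject alternative name). The following check is an added example and not part of the lab guide; it assumes the template display name from step 5 and that the Certificate Template Information extension on the issued certificate renders that name.

```powershell
# Added example (not part of the lab guide): on DC1, after gpupdate /force and
# certutil -pulse, confirm a certificate from the Domain Controller
# Authentication (Kerberos) template exists with the lab's key parameters.
# Assumption: the template extension (OID 1.3.6.1.4.1.311.21.7) renders the
# template display name; change $TemplateName if you used another name in step 5.

function Test-DomainControllerCertificate {
    param(
        [string]$TemplateName    = 'Domain Controller Authentication (Kerberos)',
        [int]$MinimumKeySize     = 2048,
        [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $found = @()
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Certificate Template Information extension (present on V2+ templates)
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $tmpl) { continue }
        if ($tmpl.Format($false) -notlike "*$TemplateName*") { continue }

        # GetRSAPublicKey works for KSP-backed keys, unlike PublicKey.Key (CAPI only)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        $sanText = if ($san) { $san.Format($false) } else { '' }

        $found += [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            KeySize      = if ($rsa) { $rsa.KeySize } else { 0 }
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            HasPrivKey   = $cert.HasPrivateKey
            SanText      = $sanText
            KeySizeOk    = [bool]($rsa -and $rsa.KeySize -ge $MinimumKeySize)
            Sha256Ok     = ($cert.SignatureAlgorithm.FriendlyName -match 'sha256')
            SanOk        = ($sanText -match [regex]::Escape($ExpectedDnsName))
            NotExpired   = ($cert.NotAfter -gt (Get-Date))
        }
    }
    return $found
}

$certs = Test-DomainControllerCertificate
if (-not $certs) {
    'No certificate from the Domain Controller Authentication (Kerberos) template found; check the GPO link on the Domain Controllers OU and run gpupdate /force.'
} else {
    $certs | Format-List
    $bad = $certs | Where-Object { -not ($_.KeySizeOk -and $_.Sha256Ok -and $_.SanOk -and $_.NotExpired -and $_.HasPrivKey) }
    if ($bad) { 'At least one certificate does not match the template settings from steps 6 and 7.' }
}
```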

1.5.2.3 Prepare and Deploy Windows Server 2016 Active Directory Federation
Services

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Internal Server Authentication Certificate Enrollment
1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
2. Expand the Personal node in the navigation pane.
3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click here to configure settings link.
8. Under Subject name, select Common name from the Type list. Type the FQDN of the computer hosting the Active Directory Federation Services role (app1.corp.contoso.com) and then click Add. Under Alternative name, select DNS from the Type list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click Add. Click Apply and OK when finished.
9. Click Enroll. Click Finish.
10. A server authentication certificate should appear in the computer’s Personal certificate store.

Deploy the Active Directory Federation Service Role
11. Start Server Manager. Click Local Server in the navigation pane.
12. Click Manage and then click Add Roles and Features.
13. Click Next on the Before you begin page.
14. On the Select installation type page, select Role-based or feature-based installation and click Next.
15. On the Select destination server page, choose Select a server from the server pool. Select the federation server from the Server Pool list. Click Next.
16. On the Select server roles page, select Active Directory Federation Services. Click Next.
17. Click Next on the Select features page.
18. Click Next on the Active Directory Federation Services (AD FS) page.
19. Click Install to start the role installation.
20. Click Close.

Complete these steps on the DC1 virtual machine.

Create KDS Root Key
21. Start an elevated Windows PowerShell console. Accept the UAC prompt if required.
22. Type and execute Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).

Complete these steps on the APP1 virtual machine.

Configure the Active Directory Federation Service Role
23. Start Server Manager.
24. Click the notification flag in the upper right corner. Click Configure the federation service on this server.
25. On the Welcome page, click Create the first federation server in a federation server farm and click Next.
26. Click Next on the Connect to Active Directory Domain Services page.
27. On the Specify Service Properties page, select the recently enrolled or imported certificate from the SSL Certificate (app1.corp.contoso.com) and Federation Service Name (fs.corp.contoso.com) list.
28. Type the Federation Service Display Name (Hello) in the text box. This is the name users see when signing in. Click Next.
29. On the Specify Service Account page, select Create a Group Managed Service Account. In the Account Name box, type adfssvc. Click Next.
30. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and click Next.
31. On the Review Options page, click Next.
32. On the Pre-requisite Checks page, click Configure.
33. When the process completes, click Close.

Complete these steps on the DC1 virtual machine.

Add the AD FS Service Account to the KeyCredential Admins Group and the WHfB Users Group
34. Open Active Directory Users and Computers.
35. Click the Users container in the navigation pane.
36. Right-click KeyCredential Admins in the details pane and click Properties.
37. Click the Members tab and click Add…
38. In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.
39. Click Apply and OK to return to Active Directory Users and Computers.
40. Right-click the Windows Hello for Business Users group and click Properties.
41. Click the Members tab and click Add…
42. In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.
43. Click Apply and OK to return to Active Directory Users and Computers.
44. Change to the server hosting the AD FS Role (APP1) and restart it.

Configure Permissions for Key Registration
45. Open Active Directory Users and Computers.
46. Right-click your domain name from the navigation pane and click Properties.
47. Click Security (if the Security tab is missing, turn on Advanced Features from the View menu).
48. Click Advanced. Click Add. Click Select a principal.
49. The Select User, Computer, Service Account, or Group dialog box appears. In the Enter the object name to select text box, type KeyCredential Admins. Click Check Names | OK.
50. In the Applies to list box, select Descendant User objects.
51. Using the scroll bar, scroll to the bottom of the page and click Clear all.
52. In the Properties section, select Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.
53. Then click OK three times to complete the task.
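The group creation from section 1.5.2.1 and the attribute-scoped permission from steps 46 to 53 can also be done, and audited, from an elevated PowerShell console on DC1. This is an added example and not part of the lab guide; it assumes the ActiveDirectory module, the group names used in this lab, and that the forest already has the Windows Server 2016 schema (so msDS-KeyCredentialLink exists). The audit function at the end lists every principal able to write the attribute, which is worth reviewing because whoever can write msDS-KeyCredentialLink on a user can register Hello credentials for that user.

```powershell
# Added example (not part of the lab guide): create the two lab groups, grant
# KeyCredential Admins Read/Write on msDS-KeyCredentialLink for descendant
# user objects (steps 46-53), then list who holds write rights on it.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID of an attribute or class, needed for object-specific ACEs
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object $LdapDisplayName not found; the forest may lack the Server 2016 schema." }
    [guid]$obj.schemaIDGUID
}

# Section 1.5.2.1: the two security global groups, created only if missing
foreach ($name in 'KeyCredential Admins', 'Windows Hello for Business Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDn"
    }
}

$attrGuid = Get-SchemaGuid 'msDS-KeyCredentialLink'
$userGuid = Get-SchemaGuid 'user'
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup 'KeyCredential Admins').SID

# Steps 50-52: Read/Write of this one attribute, on descendant user objects only
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$domainDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

function Get-KeyCredentialLinkWriters([string]$DistinguishedName = $domainDn) {
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeProp) -and
            # an empty ObjectType (e.g. GenericAll/GenericWrite) covers every attribute
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}

Get-KeyCredentialLinkWriters | Format-Table -AutoSize
```

Expect KeyCredential Admins plus the built-in administrative principals in the output; any other entry with WriteProperty here should be explained or removed.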

Complete these steps on the APP1 virtual machine.

Configure the Device Registration Service
54. Open the AD FS Management console. Accept the UAC prompt.
55. In the navigation pane, expand Service. Click Device Registration.
56. In the details pane, click Configure device registration.
57. In the Configure Device Registration dialog, click OK.

Complete these steps on the DC1 virtual machine.

Configure Registration Authority Template
58. Open the Certification Authority Management console.
59. Right-click Certificate Templates and click Manage.
60. In the Certificate Templates Console, right-click the Exchange Enrollment Agent (Offline request) template in the details pane and click Duplicate Template.
61. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
62. On the General tab, type WHFB Enrollment Agent in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
63. On the Subject Name tab, select the Supply in the request button if it is not already selected.
Note: The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option, and using it will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
64. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.
65. On the Security tab, click Add…
66. Click Object Types… Select the Service Accounts check box and click OK.
67. Type adfssvc in the Enter the object names to select text box and click Check Names | OK.
68. Click adfssvc in the Group or user names list. In the Permissions for adfssvc section, select the Allow check box for the Enroll permission. Excluding the adfssvc user, clear the Allow check box for the Enroll and Autoenroll permissions for all other items in the Group or user names list if the check boxes are not already cleared. Click Apply and OK.
69. Close the console.

Configure the WHfB Authentication Certificate Template
70. Right-click Certificate Templates and click Manage.
71. Right-click the Smartcard Logon template and choose Duplicate Template.
72. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
73. On the General tab, type WHFB Authentication in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment.
74. On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.
75. On the Extensions tab, verify the Application Policies extension includes Smart Card Logon.
76. On the Issuance Requirements tab, select the ‘This number of authorized signatures’ check box. Type ‘1’ in the text box. Select Application policy from the Policy type required in signature list. Select Certificate Request Agent from the Application policy list. Select the Valid existing certificate option.
77. On the Subject Name tab, select the Build from this Active Directory information button if it is not already selected. Select Fully distinguished name from the Subject name format list if Fully distinguished name is not already selected. Select the User principal name (UPN) check box under Include this information in alternate subject name.
78. On the Request Handling tab, select the Renew with the same key check box.
79. On the Security tab, click Add… Type Windows Hello for Business Users in the Enter the object names to select text box and click Check Names | OK.
80. Click Windows Hello for Business Users in the Group or user names list. In the Permissions for Windows Hello for Business Users section, select the Allow check box for the Enroll permission. Excluding the Windows Hello for Business Users group, clear the Allow check box for the Enroll and Autoenroll permissions for all other entries in the Group or user names section if the check boxes are not already cleared. Click Apply and OK.
81. Close the console.

Complete these steps on the APP1 virtual machine.

Mark the Template as the Windows Hello Sign-In Template
82. Open an elevated command prompt. Accept the UAC prompt.
83. Run certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
Complete these steps on the DC1 virtual machine.

Publish Enrollment Agent and WHfB Authentication Templates to the Certification Authority
84. Open the Certification Authority management console.
85. Expand the parent node from the navigation pane.
86. Click Certificate Templates in the navigation pane.
87. Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.
88. In the Enable Certificate Templates window, select the WHFB Enrollment Agent template you created in the previous steps. Click OK to publish the selected certificate template to the certification authority.
89. Publish the WHFB Authentication certificate template using Step 88.
90. Close the console.

Complete these steps on the APP1 virtual machine.

Configure the Registration Authority
91. Open an elevated Windows PowerShell prompt. Accept the UAC prompt.
92. Type and execute the following command: Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

Complete these steps on the DC1 virtual machine.

Configure DNS for Device Registration
93. Open the DNS Management console.
94. In the navigation pane, expand the domain controller name node and Forward Lookup Zones.
95. In the navigation pane, select the node that has the name of your internal Active Directory domain.
96. In the navigation pane, right-click the domain name node and click New Host (A or AAAA)…
97. In the Name box, type the name of the federation service (fs). In the IP address box, type the IP address of your federation server (10.0.0.9). Click Add Host. Click OK | Done.
98. Close the DNS Management console.

Create an Intranet Zone Group Policy
99. Start the Group Policy Management Console (gpmc.msc).
100. Expand the domain and select the Group Policy Objects node in the navigation pane.
101. Right-click Group Policy Objects and select New.
102. Type Intranet Zone Settings in the name box and click OK.
103. In the content pane, right-click the Intranet Zone Settings Group Policy object and click Edit.
104. In the navigation pane, expand Policies under Computer Configuration.
105. Expand Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel, and select Security Page.
106. In the content pane, double-click Site to Zone Assignment List. Click Enabled.
107. Click Show… In the Value name column, type the URL of the federation service beginning with https (https://fs.corp.contoso.com). In the Value column, type the number 1. Click OK.
108. Click Apply | OK.
109. Then close the Group Policy Management Editor.

Deploy the Intranet Zone Group Policy
110. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click Link an Existing GPO…
111. In the Select GPO dialog box, select Intranet Zone Settings or the name of the Windows Hello for Business Group Policy object you previously created and click OK.
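The DNS record (steps 93 to 98) and the Intranet Zone GPO with its link (steps 99 to 111) can be scripted on DC1 with the DnsServer and GroupPolicy modules. This is an added example, not part of the lab guide; it uses the lab's names and address (fs, 10.0.0.9, corp.contoso.com) and assumes that the Site to Zone Assignment List policy is stored as the ZoneMapKey values under the Internet Settings policy key together with ListBox_Support_ZoneMapKey = 1, which is what the ADMX writes to my knowledge. Check the GPO report after running it.

```powershell
# Added example (not part of the lab guide): DNS host record for the
# federation service plus the Intranet Zone GPO, scripted on DC1.
Import-Module DnsServer, GroupPolicy, ActiveDirectory

$ZoneName  = 'corp.contoso.com'
$FsHost    = 'fs'
$FsAddress = '10.0.0.9'
$FsUrl     = "https://$FsHost.$ZoneName"
$GpoName   = 'Intranet Zone Settings'
$DomainDn  = (Get-ADDomain).DistinguishedName
# Registry key behind the Site to Zone Assignment List policy (assumption, see lead-in)
$IeKey     = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Steps 96-97: A record for the federation service, only if it does not exist yet
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $FsHost -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $FsHost -IPv4Address $FsAddress
}

# Steps 99-109: GPO that places the federation service URL in the Local
# intranet zone (zone value 1), so domain clients treat it as intranet
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key $IeKey -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$IeKey\ZoneMapKey" -ValueName $FsUrl -Type String -Value '1' | Out-Null

# Steps 110-111: link the GPO at the domain root (New-GPLink fails if it is already linked)
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDn | Out-Null
}

# Verification: the name resolves and the GPO carries exactly one zone assignment
Resolve-DnsName -Name "$FsHost.$ZoneName" -Type A
Get-GPRegistryValue -Name $GpoName -Key "$IeKey\ZoneMapKey"
```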

1.5.2.4 Validate and Deploy Multifactor Authentication Services (MFA)

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Download the MFA Server
1. Sign in to the Azure portal as an administrator.
2. On the left, select Azure Active Directory.
3. Select Users.
4. Select All users.
5. Select More | Multi-Factor Authentication.
6. Under the multi-factor authentication section, select service settings.
7. On the service settings page, at the bottom of the screen click Go to the portal; a new page will open.
8. Click Download; another new page will open.
9. Click the Download link and save the installer.
10. Keep all these pages open, as you will return to them after running the installer.

Install and Configure the MFA Server
11. Double-click the executable and click Install to install the prerequisites. Follow the prompts until those are installed.
12. Select I Agree and click Next.
13. On the Select Installation Folder screen, make sure that the folder is correct and click Next. Accept the UAC prompt.
14. Once the installation is complete, click Finish.
15. Start the Multi-Factor Authentication Server and accept the UAC prompt.
16. Back on the page that you downloaded the server from, click the Generate link. Copy this information into the Azure MFA Server in the boxes provided and click Activate. Cancel any prompts.

1.5.2.5 Configure and Deploy Multifactor Authentication Services

Standalone MFA Server:

The Azure MFA server uses a primary and secondary replication model for its configuration
database. The primary Azure MFA server hosts the writeable partition of the configuration
database. All secondary Azure MFA servers host read-only partitions of the configuration
database. All production environments should deploy a minimum of two MFA Servers.

For this lab, the primary MFA server uses the name mfa, or mfa.corp.contoso.com. All secondary
servers use the name mfan, or mfan.corp.contoso.com, where n is the number of the
deployed MFA server.

The primary MFA server is also responsible for synchronizing from Active Directory; therefore, it
should be domain joined and fully patched.

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Enroll for Server Authentication
1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
2. Expand the Personal node in the navigation pane.
3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click here to configure settings link.
8. Under Subject name, select Common Name from the Type list. Type the FQDN of the primary MFA server (app1.corp.contoso.com) and then click Add. Click Apply and OK when finished.
9. Click Enroll.
10. Click Finish.

Install the Web Server Role
11. Install the following services if they are not already installed:
• Common HTTP Features > Default Document.
• Common HTTP Features > Directory Browsing.
• Common HTTP Features > HTTP Errors.
• Common HTTP Features > Static Content.
• Health and Diagnostics > HTTP Logging.
• Performance > Static Content Compression.
• Security > Request Filtering.
• Security > Basic Authentication.
• Management Tools > IIS Management Console.
• Management Tools > IIS 6 Management Compatibility.
• Application Development > ASP & ASP.NET <AllVersions>.

Update the Server
12. Update the server using Windows Update until the server has no required or optional updates, as the Azure MFA Server software may require one or more of these updates for the installation and software to work correctly. These procedures install additional components that may need to be updated.

Configure the IIS Server’s Certificate
13. Start the Internet Information Services (IIS) Manager console.
14. In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.
15. In the Actions pane, click Bindings…
16. In the Site Bindings dialog, click Add…
17. In the Add Site Binding dialog, select https from the Type list. In the SSL certificate list, select the certificate (app1.corp.contoso.com) with the name that matches the FQDN of the computer.
18. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create Phonefactor Admins Group
19. Open Active Directory Users and Computers.
20. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the Users container, select New, and select Group.
21. In the New Object – Group dialog box, type Phonefactor Admins in Group name.
22. Click OK.

Add Accounts to the Phonefactor Admins Group
23. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.
24. Click the Members tab.
25. Click Add… Click Object Types… In the Object Types dialog box, select Computers and click OK. Enter the following user and/or computer accounts in the Enter the object names to select box and then click Check Names | OK | Apply | OK.
• The computer account for the primary MFA Server (APP1).
• The group or user account that will manage the User Portal Server (Domain Admins).

User Portal Server:

The User Portal is an Internet Information Services (IIS) web site that allows users to enroll in Multi-
Factor Authentication and maintain their accounts. A user may change their phone number,
change their PIN, or bypass Multi-Factor Authentication during their next sign-on. Users log
in to the User Portal using their normal username and password and then either complete a
Multi-Factor Authentication call or answer security questions to complete their authentication. If
user enrollment is allowed, a user configures their phone number and PIN the first time they
log in to the User Portal. User Portal Administrators may be set up and granted permission to
add new users and update existing users.

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Enroll for Server Authentication
1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
2. Expand the Personal node in the navigation pane.
3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click here to configure settings link.
8. Under Subject name, select Common name from the Type list. Type the FQDN of the primary MFA server (app1.corp.contoso.com) and then click Add.
9. Under Alternative name, select DNS from the Type list. Type the FQDN you will use for your User Portal service (mfaweb.corp.contoso.com) and then click Add. Clients validate the name they connect to against the subject alternative names, so the portal name must appear here.
10. Click Apply and OK when finished.
11. Click Enroll.
12. Click Finish.

Configure the IIS Server’s Certificate
13. Start the Internet Information Services (IIS) Manager console.
14. In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.
15. In the Actions pane, click Bindings…
16. In the Site Bindings dialog, click Add…
17. In the Add Site Binding dialog, select https from the Type list and change Port from 443 to another port, for example 444, because the Default Web Site already has an HTTPS binding on 443 from the previous section. In the SSL certificate list, select the certificate (app1.corp.contoso.com) whose name matches the FQDN of the computer.
18. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create WebServices SDK User Account
19. Open Active Directory Users and Computers.
20. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the Users container, select New, and select User.
21. In the New Object – User dialog box, type PFWSDK_ in the First name and User logon name boxes (the guide’s convention is the PFWSDK_ prefix followed by the name of the primary MFA server running the Web Services SDK). Click Next.
22. Type a strong password and confirm it in the respective boxes. Clear User must change password at next logon. Click Next. Click Finish to create the user account. This is a service account whose password will later be written into the AD FS adapter configuration file, so treat it like any other service credential: unique, long, and not reused.

Add the MFA SDK User Account to the PhoneFactor Admins Group
23. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.
24. Click the Members tab.
25. Click Add… Type the PFWSDK_ user name in the Enter the object names to select box and then click Check Names | OK | Apply | OK. The Members list should now show the following:
• The computer account for the primary MFA Server (APP1).
• The Web Services SDK user account (PFWSDK_).
• The group or user account that will manage the User Portal Server (Domain Admins).
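The three Active Directory tasks above (the group, the SDK service account and the group memberships), as an added PowerShell example that is not part of this lab guide. It assumes the RSAT ActiveDirectory module on DC1 and uses the lab’s names (Phonefactor Admins, PFWSDK_, APP1, Domain Admins); the account password is prompted for rather than written into the script.

```powershell
# Added example, not part of the lab guide. Run in an elevated PowerShell on DC1.
Import-Module ActiveDirectory

$GroupName   = 'Phonefactor Admins'
$SdkUserName = 'PFWSDK_'   # lab value; the guide's convention appends the MFA server name
$MfaServer   = 'APP1'
$domain      = Get-ADDomain
$usersDn     = "CN=Users,$($domain.DistinguishedName)"

# 1. Security group in the Users container (steps 19-22). SamAccountName defaults to the name,
#    which matches what the console creates and what the AD FS adapter setup looks for.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $usersDn
}

# 2. Web Service SDK service account (steps 20-22). Prompt for the password instead of
#    embedding it; clear "must change password at next logon" so the service can use it.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SdkUserName'")) {
    $password = Read-Host -Prompt "Password for $SdkUserName" -AsSecureString
    New-ADUser -Name $SdkUserName -GivenName $SdkUserName -SamAccountName $SdkUserName `
               -UserPrincipalName "$SdkUserName@$($domain.DNSRoot)" -Path $usersDn `
               -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false
}

# 3. Memberships (steps 23-25): the MFA server's computer account, the SDK account and
#    the administrators who will manage the User Portal.
$members = @(
    (Get-ADComputer -Identity $MfaServer),
    (Get-ADUser -Identity $SdkUserName),
    (Get-ADGroup -Identity 'Domain Admins')
)
Add-ADGroupMember -Identity $GroupName -Members $members

# Verify: expect APP1 (computer), PFWSDK_ (user) and Domain Admins (group).
Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass
```

Add-ADGroupMember is idempotent for principals that are already members, so the script can be re-run after a partial failure without creating duplicate entries.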

1.5.2.6 Installing Standalone Azure MFA Server

When you install Azure Multi-Factor Authentication Server, you have the following options:

1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS (this option will be used for this lab).

2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (the preferred deployment for production environments, because it keeps the MFA Server and its user database off the federation server).

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Secure Windows Server AD FS with Azure Multi-Factor Authentication Server
1. In the Azure Multi-Factor Authentication Server management console, click the AD FS icon. Select the options Allow user enrollment and Allow users to select method.
2. Click Install AD FS Adapter…
3. If the Active Directory window is displayed, two things are true: the computer is joined to a domain, and the Active Directory configuration that secures communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to complete this configuration automatically, or select the Skip automatic Active Directory configuration and configure settings manually check box.
4. If the Local Group window is displayed, two things are true: the computer is not joined to a domain, and the local group configuration that secures communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to complete this configuration automatically, or select the Skip automatic Local Group configuration and configure settings manually check box.
5. In the installation wizard, click Next. Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group (if it does not already exist) and adds the AD FS service account to it.
6. On the Launch Installer page, click Next.
7. In the Multi-Factor Authentication AD FS Adapter installer, click Next.
8. Click Close when the installation is finished.
9. When the adapter has been installed, you must register it with AD FS. Open an elevated Windows PowerShell, accept the UAC prompt and run the following command (the path contains spaces, so it must be quoted and invoked with the call operator):
& "C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1"
10. To use your newly registered adapter, edit the authentication method in AD FS. In the AD FS management console, go to the Authentication Methods node under Service. In the Multi-factor Authentication Methods section, click the Edit link. In the Edit Authentication Methods window, select Azure Multi-Factor Authentication Server as an additional authentication method, and then click Apply | OK. The adapter is registered as Azure Multi-Factor Authentication Server. Restart the AD FS service for the registration to take effect.
11. At this point, Multi-Factor Authentication Server is set up as an additional authentication provider for AD FS.

Configure Company Settings
12. Start the Multi-Factor Authentication Server application. Accept the UAC prompt.
13. Click Company Settings.
14. On the General tab, select Fail Authentication from the When internet is not accessible list. This is the fail-closed choice: if the server cannot reach the Azure MFA cloud service, sign-ins that require the second factor are denied rather than silently allowed.
15. In User defaults, select Phone call or Text message.
16. Select Enable Global Services if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.
17. Clear the User can change phone check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the Multi-Factor Authentication Server using the Synchronization features in Directory Integration; otherwise a user, or anyone holding that user’s password, could move the second factor to a phone they control.
18. Select Fail Authentication from the When user is disabled list. Users should provision their account through the User Portal.
19. Select the appropriate language from the Phone call language, Text message language, Mobile app language, and OATH token language lists.
20. Under Default PIN rules, select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the User Portal.
21. Configure the Minimum length for the PIN.
22. Select the Prevent weak PINs check box to reject weak PINs. A weak PIN is one that could easily be guessed; with this setting enabled the following are not allowed:
• 3 sequential digits.
• 3 repeating digits.
• Any 4-digit subset of the user’s phone number.
If you clear this box, there are no restrictions on PIN format. For example, with the box selected, a user who tries to reset their PIN to 1235 is rejected because 123 is a sequential run, and is prompted to enter a valid PIN.
23. Select the Expiration days check box if you want PINs to expire. If enabled, provide a numeric value representing the number of days a PIN is valid.
24. Select the PIN history check box if you want to remember previously used PINs for the user. PIN history stores old PINs for each user, and users are not allowed to reset their PIN to any value stored in their PIN history. When cleared, no PIN history is stored. The default value is 5 and the range is 1 to 10.
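An added example, not part of the guide or of the MFA Server product: a PowerShell function that applies the three weak-PIN rules listed in step 22 to a candidate PIN and phone number, so you can see exactly what the setting rejects before relying on the server’s enforcement. Reading “3 repeating digits” as the same digit three times in a row is an assumption; the function name and sample values are constructed for illustration.

```powershell
# Added example, not part of the lab guide or of the MFA Server product.
function Test-WeakPin {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [string]$PhoneNumber = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Pin -notmatch '^\d+$') {
        return [pscustomobject]@{ Pin = $Pin; IsWeak = $true; Reasons = 'PIN must contain digits only' }
    }
    $d = @($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })

    # Rule 1: three digits in a row that step up or down by one (123, 789, 432 ...)
    for ($i = 0; $i -le $d.Count - 3; $i++) {
        $step1 = $d[$i + 1] - $d[$i]
        $step2 = $d[$i + 2] - $d[$i + 1]
        if (($step1 -eq 1 -and $step2 -eq 1) -or ($step1 -eq -1 -and $step2 -eq -1)) {
            $reasons.Add("3 sequential digits ($($Pin.Substring($i, 3)))")
            break
        }
    }

    # Rule 2: the same digit three times in a row (111, 000 ...). Treating "3 repeating
    # digits" as consecutive repetition is an assumption about the rule's meaning.
    if ($Pin -match '(\d)\1\1') { $reasons.Add("3 repeating digits ($($Matches[0]))") }

    # Rule 3: any 4-digit window of the user's phone number, ignoring +, spaces and dashes.
    $phoneDigits = $PhoneNumber -replace '\D', ''
    for ($i = 0; $i -le $phoneDigits.Length - 4; $i++) {
        $window = $phoneDigits.Substring($i, 4)
        if ($Pin.Contains($window)) {
            $reasons.Add("contains 4 digits of the phone number ($window)")
            break
        }
    }

    [pscustomobject]@{
        Pin     = $Pin
        IsWeak  = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed inputs. Minimum length (step 21) is enforced separately by the server.
Test-WeakPin -Pin '1235' -PhoneNumber '+1 425 555 0123'   # weak: 123 is sequential
Test-WeakPin -Pin '5501' -PhoneNumber '+1 425 555 0123'   # weak: 5501 is a window of the phone number
Test-WeakPin -Pin '8800'                                  # not weak under these three rules
Test-WeakPin -Pin '2749' -PhoneNumber '+1 425 555 0123'   # not weak
```

The third rule is the one administrators most often underestimate: with the phone number synchronized from Active Directory, a PIN that reuses any four consecutive digits of it is rejected even though the user never typed the number into the portal.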

Configure Directory Integration Settings and Synchronization
25. From the Multi-Factor Authentication Server window, click the Directory Integration icon.
26. Click the Settings tab.
27. Select Use Active Directory.
28. Select Include trusted domains to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, other domains in the forest, or domains involved in a forest trust. If you are not importing or synchronizing users from any trusted domain, clear the check box to improve performance.

Complete these steps on the DC1 virtual machine.

Add Test User to WHfB Group
29. Open Active Directory Users and Computers.
30. Click the CORP | USERS OU in the navigation pane.
31. Right-click TestUser1 and click Properties.
32. Click the Telephones tab and enter a Mobile number including the country code.
33. Click the Member Of tab and click Add…
34. In the Enter the object names to select text box, type Windows Hello for Business Users. Click Check Names | OK.
35. Click Apply | OK to return to Active Directory Users and Computers.

Complete these steps on the APP1 virtual machine.

Add a Synchronization Item
36. Click the Synchronization tab.
37. On the Synchronization tab, click Add…
38. In the Add Synchronization Item dialog, select Security Groups from the View list.
39. Select the group you are using for replication from the list of groups (Windows Hello for Business Users).
40. Select Selected Security Group – Recursive or, if you do not plan to nest groups, select Security Group from the Import list.
41. Select Add new users and Update existing users.
42. Select the attributes appropriate for your environment for Import phone and Backup.
43. Select Enabled and select Only New Users with Phone Number from the list.
44. Click Add | OK | Close.
45. Ensure that the following check boxes are selected: Enable synchronization with Active Directory, Synchronization interval: minute, and Require administrator approval when disabled or removed users exceed threshold 5. The approval threshold is a safeguard: a mistaken group change that would disable or remove more than five users is held for review instead of being applied automatically.
46. Click Synchronize Now. Click OK.
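An added check, not part of the lab guide, to run on DC1 before step 46: it enumerates the recursive membership of the group named in step 39 and flags the accounts the synchronization item will skip because they have no Mobile number or are disabled. The group name and the MobilePhone attribute (the Telephones tab’s Mobile field set in step 32) are the lab’s; the function name is an assumption.

```powershell
# Added check, not part of the lab guide. Run on DC1 (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-MfaSyncCandidate {
    param([string]$GroupName = 'Windows Hello for Business Users')

    # Recursive membership mirrors the "Selected Security Group - Recursive" import option.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties MobilePhone |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                MobilePhone    = $_.MobilePhone                         # the Telephones tab's Mobile field
                HasCountryCode = [bool]($_.MobilePhone -match '^\+\d')  # step 32 asks for the country code
                WillImport     = [bool]($_.Enabled -and $_.MobilePhone) # "Only New Users with Phone Number"
            }
        }
}

$report = Get-MfaSyncCandidate
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.WillImport } | ForEach-Object {
    Write-Warning "$($_.SamAccountName): will be skipped by the synchronization item (disabled or no mobile number)"
}
```

A user who appears here with WillImport set to False will authenticate against AD FS but never be prompted for the second factor, so the list is worth reviewing each time the group changes, not only before the first synchronization.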

Install the Web Service SDK
47. From the Multi-Factor Authentication Server window, click the Web Service SDK icon and click Install Web Service SDK…
48. Select Default Web Site as the Site, MultiFactorAuthWebServiceSdk as the Virtual directory and DefaultAppPool as the Application Pool. Click Next.
49. Once installed, click Close.

Edit the MFA AD FS Adapter Config File
50. Copy the following four files from C:\Program Files\Multi-Factor Authentication Server to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk:
MultiFactorAuthenticationAdfsAdapterSetup64.msi
Register-MultiFactorAuthenticationAdfsAdapter.ps1
Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
MultiFactorAuthenticationAdfsAdapter.config
51. Browse to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk (or the appropriate directory based on the virtual directory name) and edit the MultiFactorAuthenticationAdfsAdapter.config file.
52. Locate the UseWebServiceSdk key and change the value from false to true.
53. Locate the WebServiceSdkUsername key and set the value to the username of the Web Service SDK account in the PhoneFactor Admins security group. Use a qualified username, like domain\username or machine\username (CORP\PFWSDK_).
54. Locate the WebServiceSdkPassword key and set the value to the password of the Web Service SDK account in the PhoneFactor Admins security group (P@ssw0rd in this lab). The password is stored in clear text in this file, so restrict the file’s NTFS permissions to administrators and the AD FS service account, and confirm that IIS request filtering still denies requests for .config files in that directory.
55. Locate the WebServiceSdkUrl key and set the value to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (https://app1.corp.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Because TLS is used for this connection, refer to the Web Service SDK by server name, not IP address: the certificate was issued for the server name, and a connection to the IP address fails name validation. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the MultiFactorAuthenticationAdfsAdapter.config file after the changes have been made.
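An added example, not from the lab guide: a PowerShell check for the two conditions step 55 depends on, that the SDK host name resolves from the AD FS server and that the certificate served on that port actually carries the name used in WebServiceSdkUrl. Host names and ports are the lab’s; the function and its output shape are illustrative, and the validation callback that accepts any certificate exists only so the certificate can be inspected.

```powershell
# Added example, not part of the lab guide. Run on the AD FS server (APP1).
function Test-WebServiceSdkEndpoint {
    param(
        [string]$HostName = 'app1.corp.contoso.com',
        [int]$Port = 443
    )
    # 1. Does the name resolve from here? Step 55 says to add a hosts entry if not.
    $resolved = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -in 'A', 'AAAA' }
    if (-not $resolved) {
        return [pscustomobject]@{ HostName = $HostName; Port = $Port; Resolves = $false;
                                  NameMatches = $false; Subject = $null; DnsNames = $null; NotAfter = $null }
    }

    # 2. Open a TLS session and capture the server certificate. The callback accepts any
    #    chain because this function only inspects the certificate; it is not a trust decision
    #    and must not be copied into code that actually talks to the SDK.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # 3. Collect the names the certificate is valid for: subject CN plus DNS SANs (OID 2.5.29.17).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value }
    }
    $validNames = @($cn) + @($dnsNames)

    [pscustomobject]@{
        HostName    = $HostName
        Port        = $Port
        Resolves    = $true
        Subject     = $cert.Subject
        DnsNames    = ($dnsNames -join ', ')
        NotAfter    = $cert.NotAfter
        NameMatches = ($validNames -contains $HostName)   # what the adapter's TLS client enforces
    }
}

# The SDK URL in step 55 names app1.corp.contoso.com on 443; the User Portal binding
# from the earlier section listens on 444 under the mfaweb name (both names are the lab's).
Test-WebServiceSdkEndpoint -HostName 'app1.corp.contoso.com' -Port 443
Test-WebServiceSdkEndpoint -HostName 'mfaweb.corp.contoso.com' -Port 444
```

NameMatches is the property to watch: a result with Resolves True and NameMatches False is exactly the failure you get from pointing WebServiceSdkUrl at an IP address, or at a name that was never added as a subject alternative name in step 9.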

Edit the AD FS Adapter Windows PowerShell Script
56. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding -ConfigurationFilePath <path> to the end of the Register-AdfsAuthenticationProvider command, where <path> is the full path to the MultiFactorAuthenticationAdfsAdapter.config file (C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk\MultiFactorAuthenticationAdfsAdapter.config).

Run the AD FS Adapter Windows PowerShell Script
Note: At this stage, do not run the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script to register the adapter, because the adapter is already registered as WindowsAzureMultiFactorAuthentication.
57. Restart the AD FS service for the changes to take effect.

Test AD FS with the Multi-Factor Authentication Connector
58. In the Multi-Factor Authentication Server, on the left, click Users.
59. In the list of users, select a user (TestUser1) that is enabled and has a valid phone number to which you have access.
60. Click Test…
61. In the Test User dialog, provide the user’s password to authenticate the user to Active Directory and click Test.
62. Enter the one-time passcode once it is received on the phone and click OK.
63. Click OK on the Authentication successful message and click Close.
The Multi-Factor Authentication Server communicates with the Azure MFA cloud service to perform the second-factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks the user to complete the second-factor method configured for them. Successfully providing the second factor results in the Multi-Factor Authentication Server showing a success dialog.

1.5.2.7 Configure Windows Hello for Business Policy Settings

Task Detailed Steps


Complete these steps on the DC1 virtual machine.

Create the WHfB GPO
1. Start the Group Policy Management Console (gpmc.msc).
2. Expand the domain and select the Group Policy Objects node in the navigation pane.
3. Right-click Group Policy Objects and select New.
4. Type Enable Windows Hello for Business in the Name box and click OK.
5. In the content pane, right-click the Enable Windows Hello for Business Group Policy object and click Edit.
6. In the navigation pane, expand Policies under User Configuration.
7. Expand Administrative Templates > Windows Components, and select Windows Hello for Business.
8. In the content pane, double-click Use Windows Hello for Business. Click Enabled and click Apply | OK.
9. Double-click Use certificate for on-premises authentication. Click Enabled and click Apply | OK.

Configure Automatic Certificate Enrollment
10. In the navigation pane, expand Policies under User Configuration.
11. Expand Windows Settings > Security Settings, and click Public Key Policies.
12. In the details pane, double-click Certificate Services Client – Auto-Enrollment.
13. Select Enabled from the Configuration Model list.
14. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
15. Select the Update certificates that use certificate templates check box.
16. Click Apply | OK. Close the Group Policy Management Editor.

Configure Security in the WHfB GPO
17. Double-click the Enable Windows Hello for Business Group Policy object.
18. In the Security Filtering section of the content pane, click Add… Type Windows Hello for Business Users (or the name of the security group you previously created) and click Check Names | OK.
19. Click the Delegation tab. Select Authenticated Users and click Advanced…
20. In the Group or user names list, select Authenticated Users. In the Permissions for Authenticated Users list, clear the Allow check box for the Apply group policy permission only, leaving Read allowed. Click Apply | OK. Read must remain: the client computer account reads the GPO on the user’s behalf, and removing Authenticated Users’ Read permission entirely stops the policy from being retrieved at all.

Deploy the WHfB GPO
21. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click Link an Existing GPO…
22. In the Select GPO dialog box, select Enable Windows Hello for Business (or the name of the Windows Hello for Business Group Policy object you previously created) and click OK.
Note: linking the Windows Hello for Business Group Policy object to the domain puts the Group Policy object in scope for all domain users, but not all users will have the policy settings applied. Only users who are members of the Windows Hello for Business Users group receive the policy settings; all other users ignore the Group Policy object.
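Section 1.5.2.7 scripted with the GroupPolicy module, as an added example that is not part of the lab guide. GPO and group names are the lab’s. The registry locations that the two Administrative Template settings and the auto-enrollment policy write to (PassportForWork and Cryptography\AutoEnrollment under HKCU\SOFTWARE\Policies) are assumptions taken from the policy definitions and should be confirmed with Get-GPOReport against a GPO built in the console.

```powershell
# Added example, not part of the lab guide. Run on DC1 with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Enable Windows Hello for Business'
$GroupName = 'Windows Hello for Business Users'
$domainDn  = (Get-ADDomain).DistinguishedName

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 8-9: User Configuration > Administrative Templates > Windows Components >
# Windows Hello for Business. Registry key assumed from the PassportForWork.admx definitions.
$whfbKey = 'HKCU\SOFTWARE\Policies\Microsoft\PassportForWork'
Set-GPRegistryValue -Name $GpoName -Key $whfbKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $whfbKey -ValueName 'UseCertificateForOnPremAuth' -Type DWord -Value 1 | Out-Null

# Steps 12-15: Certificate Services Client - Auto-Enrollment. AEPolicy is a bitmask (assumed):
# 1 = enabled, 2 = renew expired / update pending / remove revoked, 4 = update template-based certs.
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
                    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Steps 18-20: security filtering. The group gets Apply (which includes Read);
# Authenticated Users are reduced to Read only. -Replace removes their existing Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Steps 21-22: link at the domain root; the filtering above limits who applies it.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $domainDn | Out-Null }

# Verify: expect the group with GpoApply and Authenticated Users with GpoRead.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

The two Set-GPPermission calls are the point of the example: GpoApply for the group and a GpoRead with -Replace for Authenticated Users reproduces step 20 exactly, whereas removing Authenticated Users altogether would leave a GPO that clients cannot read.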

1.5.2.8 Validate Windows Hello

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

Validate Policies
1. Restart the machine. If the policy has not yet applied, also restart DC1 and APP1 and wait a few minutes.
2. Log in as TestUser1.
3. You should see the Windows Hello for Business screen.

1.6 Windows Defender Exploit Guard


Windows Defender Exploit Guard (Windows Defender EG) is a set of host intrusion prevention capabilities for Windows 10 that allows you to manage and reduce the attack surface of the apps your employees use.

There are four features in Windows Defender EG:

• Exploit protection applies exploit mitigation techniques to apps your organization uses, both to individual apps and system-wide.
• Attack surface reduction rules reduce the attack surface of your applications with rules that stop the vectors used by Office-, script- and mail-based malware.
• Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices.
• Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.

1.6.1 Modern Management


Use the following sections to manage Windows Defender Exploit Guard through modern management tools.

1.6.1.1 Exploit Guard Controlled Folders

In this section you will create a group that is used to assign users an Exploit Guard controlled folder access policy, configure the policy, and test that it works.

Task Detailed Steps


Create Groups
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: ExploitDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
7. Click Create.

Configure Windows Defender Exploit Guard
8. On the left navigation bar, click All services.
9. Enter "Intune" in search.
10. Click Intune.
11. Under Manage, select Device configuration.
12. Under Manage, select Profiles.
13. Select Create profile.
14. Name the new profile Exploit Protection Demo.
15. For Platform, select Windows 10 and later.
16. For Profile type, select Endpoint protection.
17. Select Windows Defender Exploit Guard.
18. Select Controlled folder access.
19. Change Folder protection to Enable.
20. Select OK.
21. Select OK.
22. Select OK.
23. Select Create.
24. Select Assignments.
25. Click Select groups to include.
26. Check the ExploitDemo group.
27. Select Select.
28. Click Save.

Complete these steps on the CLIENT3 virtual machine, or on a physical machine if your environment does not support nested virtualization.

Verify Configuration is Applied
29. Log in to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com.
30. Select Start.
31. Select Settings.
32. Select Accounts.
33. Select Access work or school.
34. Select Connected to <CompanyName> Azure AD.
35. Click Info.
36. Click Sync to force a policy update and confirm that the sync was successful.
37. Open Notepad.exe.
38. Create a simple document.
39. Save it to Documents.
Note: Notice that the save succeeds.
40. Open Windows PowerShell ISE.
41. Create a simple script containing Get-Process.
42. Save it to Documents.
Note: The save fails because Documents is a protected folder. You will get a "File not found" message: Controlled folder access denies the write, and the application reports the resulting error rather than an explicit "access blocked" message.
43. Press OK.
Note: You may also notice a notification slide in from the right stating that the write was blocked by Controlled folder access.
44. Click the notification icon to review this notification.
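The same Controlled folder access configuration applied and verified locally with the Defender cmdlets, as an added example that is not part of the lab guide; it is useful on a test client and for confirming what the Intune profile above changed. Run it elevated on a Windows 10 client with Windows Defender Antivirus active. The extra folder and allowed application paths are placeholders; the event IDs come from the Windows Defender operational log, where 1123 records a block and 1124 an audit-mode detection.

```powershell
# Added example, not part of the lab guide. Run elevated on a Windows 10 client.
# Placeholders: the extra protected folder and the allowed application path.

# 1. Turn the feature on. 'AuditMode' is the safer first step in production: it logs
#    event 1124 for every write that would have been blocked, without blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Extend protection and trust a specific app instead of turning the feature off.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\LabData'            # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe' # placeholder

# 3. Show the effective preference (EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode).
function Get-ControlledFolderAccessState {
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode                = $p.EnableControlledFolderAccess
        ProtectedFolders    = @($p.ControlledFolderAccessProtectedFolders) -join '; '
        AllowedApplications = @($p.ControlledFolderAccessAllowedApplications) -join '; '
    }
}

# 4. Read back what the engine blocked (1123) or would have blocked in audit mode (1124).
#    These are the events behind the toast notification in step 43.
function Get-ControlledFolderAccessEvent {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Action'; e = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 5. Same test as steps 40-43: write a script into Documents. Whether this particular write
#    is blocked depends on whether the calling process is on Defender's trusted-app list,
#    so a third-party editor or the ISE gives the most reliable demonstration.
try {
    'Get-Process' | Set-Content -Path (Join-Path $env:USERPROFILE 'Documents\cfa-test.ps1') -ErrorAction Stop
    Write-Host 'Write succeeded: calling process is allowed or the feature is not enforcing.'
} catch {
    Write-Warning "Write denied: $($_.Exception.Message)"
}

Get-ControlledFolderAccessState
Get-ControlledFolderAccessEvent -MaxEvents 5
```

The event query is what turns the lab’s toast notification into something you can monitor at scale: forwarding event 1123 from clients is the quickest way to find legitimate line-of-business applications that need to be added with Add-MpPreference before the feature is enforced broadly.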

1.6.2 Traditional Management


Use the following sections to manage Windows Defender Exploit Guard through traditional management tools.

1.6.2.1 Exploit Protection

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

Configure Program-Level Mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection settings at the bottom of the screen.
3. Go to the Program settings section and click Add program to customize.
4. Click Add by program name and type notepad.exe. Click Add.
5. In the next window, scroll down to Disable Win32k system calls, select Override system settings and choose On.
6. You will be notified if you need to restart the process or app, or if you need to restart Windows. Click Apply and accept the UAC prompt.
7. Try to open notepad.exe. Notice the error message: Notepad draws its window through Win32k, so with those system calls blocked the process cannot start. This is why per-program mitigations need testing against the real application before they are deployed. Click OK.

Create and Export a Configuration File
8. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for Defender.
9. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection settings at the bottom of the screen.
10. At the bottom of the Exploit protection section, click Export settings and save the configuration file under Documents.
11. Copy the file to a shared folder on DC1. The lab uses full permissions on the share; read access for the client computer accounts is all that is required, and write access for everyone would let any user edit the mitigations every client loads.

Complete these steps on the DC1 virtual machine.

Distribute the Configuration File with Group Policy
12. On your Group Policy management machine, open the Group Policy Management Console, right-click Group Policy Objects and create a new GPO named WDEG.
13. Right-click the new WDEG Group Policy object and click Edit.
14. In the Group Policy Management Editor go to Computer Configuration.
15. Click Policies, then Administrative Templates.
16. Expand the tree to Windows Components > Windows Defender Exploit Guard > Exploit Protection.
17. Double-click the Use a common set of exploit protection settings setting and set the option to Enabled.
18. In the Options section, enter the location and filename of the Exploit Protection configuration file that you saved in the previous section, in UNC format including the file name and its extension, and click Apply | OK.

1.6.2.2 Attack Surface Reduction

Task Detailed Steps


Complete these steps on the DC1 virtual machine.

Distribute the Configuration File with Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console and right-click the WDEG Group Policy object.
2. Click Edit.
3. In the Group Policy Management Editor go to Computer Configuration.
4. Click Policies, then Administrative Templates.
5. Expand the tree to Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction.
6. Double-click the Configure Attack Surface Reduction rules setting and set the option to Enabled. Click Show... and enter the following rule ID in Value name:
D3E037E1-3EB8-44C8-A917-57927947596D
7. Set the Value to 1 and click OK. (1 = block; 2 = audit mode, which only logs what would have been blocked and is the usual first step in production.)
8. Link the WDEG GPO to the root domain.
Note: The rule above blocks JavaScript or VBScript from launching downloaded executable content. The WDEG GPO also carries the exploit protection settings exported in the previous section, so once it applies, notepad.exe fails to launch because of the Disable Win32k system calls mitigation, not because of the ASR rule. Run gpupdate /force on the CLIENT2 VM to apply the policy.
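Sections 1.6.2.1 and 1.6.2.2 scripted, as an added example that is not part of the lab guide: part 1 sets and exports the notepad.exe mitigation with the ProcessMitigations cmdlets on CLIENT1, part 2 writes the exploit protection path and the ASR rule into the WDEG GPO on DC1. The share path is a placeholder, and the registry locations behind the two Administrative Template settings are assumptions taken from the policy definitions; the rule GUID is the one used in step 6.

```powershell
# Added example, not part of the lab guide. Part 1 on CLIENT1, part 2 on DC1.
# Assumptions: the share path, and the registry locations behind the two policy settings.

## Part 1 (CLIENT1, elevated): per-program mitigation, export, verify
Set-ProcessMitigation -Name notepad.exe -Enable DisableWin32kSystemCalls
Get-ProcessMitigation -Name notepad.exe          # SystemCalls: DisableWin32kSystemCalls ON

# Export every process mitigation on this machine to XML, the same content the
# "Export settings" button writes. Copy it to the share that the GPO below points at.
$exportPath = 'C:\Users\Public\ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
# Copy-Item $exportPath '\\DC1\WDEG\ExploitProtection.xml'   # placeholder share, read access for Domain Computers

## Part 2 (DC1): write both settings into the WDEG GPO and link it
Import-Module ActiveDirectory, GroupPolicy
$GpoName = 'WDEG'
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

# Computer Configuration > Administrative Templates > Windows Components >
# Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection' `
    -ValueName 'ExploitProtectionSettings' -Type String `
    -Value '\\DC1\WDEG\ExploitProtection.xml' | Out-Null          # placeholder share

# ... > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction >
# Configure Attack Surface Reduction rules. Per-rule value: 0 = off, 1 = block, 2 = audit.
$asrKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
$ruleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'   # Block JavaScript or VBScript from launching downloaded executable content
Set-GPRegistryValue -Name $GpoName -Key $asrKey -ValueName 'ExploitGuard_ASR_Rules' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$asrKey\Rules" -ValueName $ruleId -Type String -Value '1' | Out-Null

$domainDn = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $domainDn | Out-Null }
Get-GPRegistryValue -Name $GpoName -Key "$asrKey\Rules"     # confirm the rule landed in the GPO

## On CLIENT2 after gpupdate /force: confirm the rule is active and see what it caught.
# Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -MaxEvents 5
```

Starting the ASR rule with value 2 (audit) and reading events 1122 for a week before switching to 1 is the usual way to find the scripts that a rule like this would break in production; the lab goes straight to block because the only affected client is CLIENT2.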

1.7 Windows Information Protection


Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps protect against accidental enterprise data leakage without otherwise interfering with the employee experience. WIP protects enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or to other apps. WIP is a data-separation and accidental-leak control, not a defense against a determined user or malware acting with the user’s rights.
1.7.1 Modern Management
Use the following sections to manage Windows Information Protection through modern management tools.

1.7.1.1 Configuring and Testing WIP using Intune

In this section you will configure a WIP policy where Edge and Notepad are managed
applications. You will test your policy by copy and pasting between managed and unmanaged
applications.

Task Detailed Steps


Create Groups for use with WIP Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WIPDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
7. Click Create.

Creating an Intune WIP Policy
8. Close all browser windows.
9. Start Internet Explorer in InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter "Intune" in search.
13. Click Intune.
14. Click Mobile apps.
15. Click App protection policies.
16. Click + Add a policy.
17. Fill in the form:
Name: WIP Demo
Description: WIP Demo
Platform: Windows 10
Enrollment state: With enrollment
Protected apps: click Add apps, select Microsoft Edge and Notepad, and click OK | OK
Exempt apps: do not configure
Required settings: Windows Information Protection mode Allow Overrides, then click OK
Advanced settings: Show the enterprise data protection icon ON, then click OK
18. Select Create.
19. Select WIP Demo.
20. Select Assignments.
21. Click Select groups to include.
22. Select WIPDemo.
23. Click Select.
Allow Overrides is the least restrictive enforcing mode: users are warned when they move data to an unmanaged app and can override the warning, and each override is logged. Block prevents the action outright; Silent only logs.

Complete these steps on the CLIENT3 virtual machine, or on a physical machine if your environment does not support nested virtualization.

Verify the Policy has been Applied and is Working
24. Log in to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com.
25. Start Notepad.
26. Enter www.bing.com in the text field.
27. Select File > Save As.
Note: Next to the file name box you see a lock icon.
28. Use the drop-down and select Work (<Domain name>).
29. Name the file WipTest and click Save.
Note: Notice the new briefcase icon on the title bar.
30. Close Notepad.
31. Open File Explorer.
32. Navigate to the Documents folder.
Note: Notice the new icon for WipTest. This shows it is managed by WIP.
33. Double-click WipTest to open it again in Notepad.
34. Copy the text www.bing.com.
35. Open WordPad (not WIP managed).
36. Paste in the text.
Note: You are prompted because you are copying from a managed application to an unmanaged application.
37. Select No.
38. Close WordPad.
39. Open Edge (WIP managed).
40. Paste in the text.
Note: This works. Both Edge and Notepad are managed, so copy and paste between them is allowed.
41. Close Edge.
42. Open Internet Explorer (not WIP managed).
43. Paste in the text.
Note: You are prompted because you are copying from a managed application to an unmanaged application. Select No and close any applications that are still open.

Removing the Policy
44. Close all browser windows.
45. Start Internet Explorer in InPrivate mode.
46. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
47. On the left navigation bar, click All services.
48. Enter "Intune" in search.
49. Click Intune.
50. Click Mobile apps.
51. Click App protection policies.
52. Select the policy and click Delete policy | Yes.
Note: The policy is deleted so that the same applications can be used in other labs without this policy being enforced.

1.7.2 Traditional Management


In this section, you will learn how to configure and deploy WIP policies through System Center Configuration Manager and test different WIP scenarios.

Note: This lab can only be performed if the System Center Configuration Manager environment is on Current Branch (1802) or later.

Use the following sections to manage Windows Information Protection through traditional management tools.

1.7.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

Install Google Chrome
1. Open Internet Explorer and browse to the URL below.
https://www.google.com/intl/en/chrome/browser/desktop/index.html
2. Click DOWNLOAD CHROME.
3. In the Download Chrome for Windows pop-up window, click ACCEPT AND INSTALL.
4. Click Run to start ChromeSetup.exe and accept the UAC prompt.
5. Once the installation completes successfully, close all the windows.

Pin Applications
6. Pin the following applications to Start:
a. Internet Explorer
b. Google Chrome
c. Notepad
d. WordPad

Complete these steps on the CM1 virtual machine.

Create a Collection
7. Open the Configuration Manager Console from the Start menu.
8. In the Configuration Manager Console, browse to Assets and Compliance.
9. Right-click Device Collections and select Folder > Create Folder.
10. In the Configuration Manager window, under Folder name enter Windows Information Protection, then click OK.
11. In the Configuration Manager Console, expand Device Collections and right-click Windows Information Protection.
12. Select Create Device Collection.
13. On the General page, enter the following, then click Next.
Name: Block
Limiting Collection: All Desktop and Server Clients
14. On the Membership Rules page, click Next.
15. On the warning dialog box (the collection has no membership rules yet), click OK.
16. On the Summary page, click Next.
17. On the Completion page, click Close.

1.7.2.2 Configure Data Recovery Agent (DRA) Certificate

In this activity, you will create and enroll for a Data Recovery Agent (DRA) certificate, which is a
prerequisite for configuring WIP policies through System Center Configuration Manager.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Create a DRA Certificate Template
1. Open the Certification Authority from the Start Menu.
2. On the Certification Authority console, expand corp-DC1-CA, right-click on Certificate Templates and select Manage.
3. On the Certificate Templates Console, right-click on EFS Recovery Agent and select Duplicate Template.
4. On the Properties of New Template window, go to the General tab.
5. On the General tab, under Template display name enter WIP Recovery Agent, select Publish certificate in Active Directory, then go to the Request Handling tab.
6. On the Request Handling tab, verify that Encryption is selected under Purpose and that Allow private key to be exported is selected, then go to the Security tab.
7. On the Security tab, select LabAdmin and under Allow, select Enroll.
8. On the Properties of New Template window, click Apply then click OK.
9. Close the Certificate Templates Console.
10. On the Certification Authority console, right-click on Certificate Templates and select New > Certificate Template to Issue.
11. On the Enable Certificate Templates window, select WIP Recovery Agent then click OK.

Request a DRA Certificate
12. Right-click on Start and select Run.
13. On the Run window, enter certmgr.msc then click OK.
14. On the Certificates console, right-click on Personal and select All Tasks > Request New Certificate…
15. On the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy then click Next.
17. On the Request Certificates page, select WIP Recovery Agent then click Enroll.
18. Once enrolled successfully, click Finish.

Export the DRA Certificate
19. On the Certificates console, under Personal > Certificates, right-click on the certificate issued by corp-DC1-CA and select All Tasks > Export…
20. On the Welcome to the Certificate Export Wizard page, click Next.
21. On the Export Private Key page, select Yes, export the private key then click Next.
22. On the Export File Format page, click Next.
23. On the Security page, select Password, enter P@ssw0rd under both Password and Confirm password, then click Next.
24. On the File to Export page, click Browse…
25. On the Save As window, browse to the Desktop, click New folder and rename the new folder to DRA.
26. Double-click on the DRA folder.
27. Under File name, enter WIP-DRA-key then click Save.
28. On the File to Export page, click Next.
29. Once complete, click Finish.
30. Click OK on the export successful dialog window.
31. On the Certificates console, under Personal > Certificates, right-click on the certificate issued by corp-DC1-CA and select All Tasks > Export…
32. On the Welcome to the Certificate Export Wizard page, click Next.
33. On the Export Private Key page, select No, do not export the private key then click Next.
34. On the Export File Format page, select Base-64 encoded X.509 (.CER) then click Next.
35. On the File to Export page, click Browse…
36. On the Save As window, browse to the Desktop, under File name enter WIP-DRA then click Save.
37. On the File to Export page, click Next.
38. Once complete, click Finish.
39. Click OK on the export successful dialog window.

Copy the Certificate
40. From the Desktop, copy the file WIP-DRA.cer to \\CM1\Packages$.
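The script below is an added example and is not part of the lab guide: it performs the request, export and copy steps (12 to 40) from PowerShell on DC1, after the template has been published in steps 1 to 11, and checks that the issued certificate really is a recovery-agent certificate before exporting it. It assumes the template name is WIPRecoveryAgent (the name the console derives from the display name WIP Recovery Agent when spaces are removed), the issuing CA is corp-DC1-CA, and the output locations are the ones the lab uses.

```powershell
# Added example, not part of the lab guide. Run on DC1 as CORP\LabAdmin.
# Assumptions: template name 'WIPRecoveryAgent' (derived from the display name),
# issuing CA corp-DC1-CA, output on the Desktop and the \\CM1\Packages$ share.
$ErrorActionPreference = 'Stop'
$TemplateName    = 'WIPRecoveryAgent'          # assumption, see lead-in
$IssuerCN        = 'corp-DC1-CA'
$Desktop         = [Environment]::GetFolderPath('Desktop')
$OutDir          = Join-Path $Desktop 'DRA'
$ShareDir        = '\\CM1\Packages$'
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # "File Recovery" EKU of EFS Recovery Agent templates

function Request-DraCertificate {
    # Enroll from the Active Directory enrollment policy (what certmgr.msc does in steps 12-18).
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
    if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
    return $result.Certificate
}

function Test-DraCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # A usable DRA certificate: issued by our CA, carries the File Recovery EKU, private key present.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    return ($Cert.Issuer -like "CN=$IssuerCN*") -and ($ekus -contains $FileRecoveryEku) -and $Cert.HasPrivateKey
}

function Export-DraCertificate($Cert, [securestring]$PfxPassword) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Certificate plus private key, password protected: WIP-DRA-key.pfx (steps 19-30).
    $pfx = Join-Path $OutDir 'WIP-DRA-key.pfx'
    Export-PfxCertificate -Cert $Cert -FilePath $pfx -Password $PfxPassword | Out-Null
    # Public certificate only, Base-64 encoded X.509: WIP-DRA.cer (steps 31-39).
    $cer = Join-Path $Desktop 'WIP-DRA.cer'
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`r`n-----END CERTIFICATE-----"
    Set-Content -Path $cer -Value $pem -Encoding Ascii
    return $cer
}

$cert = Request-DraCertificate
if (-not (Test-DraCertificate $cert)) { throw 'Issued certificate is not a valid DRA certificate' }
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (the lab uses P@ssw0rd)'
$cerPath = Export-DraCertificate -Cert $cert -PfxPassword $pfxPassword
Copy-Item -Path $cerPath -Destination $ShareDir                      # step 40
# Check what ConfigMgr will receive: the .cer on the share loads and carries no private key.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $ShareDir 'WIP-DRA.cer')
"Thumbprint $($public.Thumbprint); has private key: $($public.HasPrivateKey)"
```

Only the .cer (no private key) goes to the share that ConfigMgr reads in the next activity; the .pfx with the key stays in the DRA folder, since it is what allows recovery of WIP-encrypted files.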

1.7.2.3 Windows Information Protection Policies

In this activity, you will create and deploy a WIP configuration item and baseline that block
inappropriate data sharing practices.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.

Create a Block WIP Configuration Item
1. From the Configuration Manager Console, browse to Assets and Compliance > Compliance Settings > Configuration Items, then click on Create Configuration Item from the ribbon bar.
2. On the General page, under Name enter WIP – Block; under Settings for devices managed with the Configuration Manager client, select Windows 10; then click Next.
3. On the Supported Platforms page, click Next.
4. On the Device Settings page, select Windows Information Protection then click Next.
5. On the Windows Information Protection page, under App Rules click Add…
6. On the Add app rule window, enter the following then click OK.
Rule name: Internet Explorer
Windows Information Protection mode: Allow
Rule template: Desktop App
Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product name: [selected] *
Binary name: [selected] iexplore.exe
7. On the Windows Information Protection page, under App Rules click Add…
8. On the Add app rule window, enter the following then click OK.
Rule name: Notepad
Windows Information Protection mode: Allow
Rule template: Desktop App
Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product name: [selected] *
Binary name: [selected] notepad.exe
Note: More information on enlightened Microsoft apps is available at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip
9. On the Windows Information Protection page, under Specify the paste/drop/share restriction mode for apps that meet the app criteria defined in the “App rules” section, select Block.
10. On the Windows Information Protection page, under Corporate identity (required) enter contoso.com.
11. On the Windows Information Protection page, under Corporate network definition click Add…
12. On the Add or Edit corporate network definition window, enter the following then click OK.
Name: Intranet Domain Names
Network element: Enterprise Network Domain Names *
Enterprise Network Domain Names definition: corp.contoso.com
13. On the Windows Information Protection page, under Corporate network definition click Add…
14. On the Add or Edit corporate network definition window, enter the following then click OK.
Name: Intranet IPv4 Ranges
Network element: Enterprise IPv4 Ranges *
IPv4 Address range definition: 10.0.0.7-10.0.0.254
15. On the Windows Information Protection page, under Enterprise IP Ranges list is authoritative (do not auto-detect), select Yes.
16. On the Windows Information Protection page, under Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu, and on corporate file icons in the File Explorer, select Yes.
17. On the Windows Information Protection page, under Upload a DRA (Data Recovery Agent) certificate to allow recovery of encrypted data (required), click Browse…
18. On the Open Recovery Certificate window, browse to \\CM1\Packages$, select WIP-DRA.cer then click Open.
19. On the Windows Information Protection page, under Allow Windows Search to search encrypted corporate data and Store apps, select No.
20. On the Windows Information Protection page, click Next.
21. On the Platform Applicability page, click Next.
22. On the Summary page, click Next.
23. On the Completion page, click Close.

Create a Block WIP Configuration Baseline
24. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines, then click on Create Configuration Baseline from the ribbon bar.
25. On the Create Configuration Baseline window, under Name enter WIP – Block.
26. On the Create Configuration Baseline window, under Configuration data click Add > Configuration Items.
27. On the Add Configuration Items window, select WIP – Block, click Add then click OK.
28. On the Create Configuration Baseline window, click OK.

Deploy the WIP Policies
29. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines.
30. Right-click on WIP – Block then select Deploy.
31. On the Deploy Configuration Baselines window, select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window.
32. On the Deploy Configuration Baselines window, under Collection click Browse…
33. On the Select Collection window, browse to Device Collections > Windows Information Protection, select Block then click OK.
34. On the Deploy Configuration Baselines window, click OK.

1.7.2.4 Validate Policies

In this activity, you will perform various tests of the enforcement of the WIP policies in
different scenarios.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.

Add Device to Collection
1. From the Configuration Manager Console, browse to Assets and Compliance > Devices.
2. Right-click on the CLIENT1 virtual machine and select Add Selected Items > Add Selected Items to Existing Device Collection.
3. On the Select Collection window, browse to Device Collections > Windows Information Protection, select Block then click OK.

Complete these steps on the CLIENT1 virtual machine.

Refresh Configuration Manager Machine Policy
4. Logon as CORP\LabAdmin and open the Control Panel. Select the Configuration Manager icon.
5. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.
6. On the Configuration Manager Properties window, go to the Configurations tab and confirm that the WIP – Block baseline is listed.
7. Select the WIP – Block baseline and click Evaluate.
8. Click Refresh and confirm that the Compliance State has changed to Compliant.
9. On the Configuration Manager Properties window, click OK.

Encryption through File Explorer
10. Right-click on the Desktop and select New > Bitmap image.
11. Rename the file to Picture1.bmp.
12. Right-click on Picture1.bmp then select File ownership > Work (contoso.com).
13. Right-click on Picture1.bmp then select Properties.
14. On the Picture1.bmp Properties window, click Advanced…
15. On the Advanced Attributes window, click Details.
16. On the Enterprise Control window, verify that contoso.com is listed and the status of the file is Protected.
17. Click OK three times.
Note: The briefcase icon indicates that the file is protected.

Encryption through Save on an Enterprise Application
18. Click Start and open Notepad.
19. In the Untitled file, enter This is a protected file.
20. Click File > Save As…
21. On the Save As window, browse to Desktop, select Work (contoso.com), under File name enter Protected File1, then click Save.
22. Right-click on Protected File1.txt then select Properties.
23. On the Protected File1 Properties window, click Advanced…
24. On the Advanced Attributes window, click Details.
25. On the Enterprise Control window, verify that contoso.com is listed and the status of the file is Protected.
26. Click OK three times.
Note: The briefcase icon indicates that the file is protected.

Automatic Encryption on Copy from Trusted Network Shares
Note: Before performing these steps, on CM1 create a dummy folder called WIN10X64-Settings and within it create a blank dummy XML file called Unattend.xml. The file should open by default only in Notepad or Internet Explorer; for this example, Notepad has been chosen as the default app.
27. Right-click on Start and select Run.
28. On the Run window, enter \\CM1\Packages$ and click OK.
29. Open WIN10X64-Settings and copy Unattend.xml to the Desktop.
30. Right-click on Unattend.xml then select Properties.
31. On the Unattend Properties window, click Advanced…
32. On the Advanced Attributes window, click Details.
33. On the Enterprise Control window, verify that contoso.com is listed and the status of the file is Protected.
34. Click OK three times.
Note: The briefcase icon indicates that the file is protected.

Open Encrypted Files on an Enterprise Application
35. On the Desktop, open the Unattend.xml file with Internet Explorer.
36. Close Internet Explorer.
Note: The briefcase icon beside the refresh button indicates that the file is protected.

Open Encrypted Files on a Non-Enterprise Application
37. On the Desktop, open the Unattend.xml file with WordPad.
38. Click OK on the access denied prompt.
Note: WordPad is not configured as an Enterprise Application in the Compliance Item policy created earlier.

Policy Enforcement for Copy-Paste
39. Click Start and open Google Chrome.
40. From the Desktop, drag and drop the Unattend.xml file to Google Chrome.
41. Click OK on the Can’t use work content here prompt.
42. On the Desktop, open Protected File1.txt with Notepad.
43. Copy the text within the Protected File1.txt file.
44. Click Start and open WordPad.
45. In WordPad, click Paste.
46. Click OK on the Can’t use work content here prompt.
47. Close WordPad.
48. Click Start and open Internet Explorer.
49. In Internet Explorer, browse to www.bing.com.
50. Right-click on the Bing search text field and select Paste.
51. Click OK on the Can’t use work content here prompt.
52. Close Internet Explorer.
Note: Bing is treated as a separate application and is not configured as an Enterprise Application in the Compliance Item policy created earlier.
53. Right-click on Start and select Run.
54. On the Run window, enter \\10.0.0.6\MDOP. Click OK.
55. From the Desktop, copy the Unattend.xml file and paste it in the MDOP share.
56. On the Interrupted Action window, click Cancel.
Note: Windows Information Protection blocks actions that are against the configured policies, such as opening enterprise files in a non-enterprise application, and copying the contents of an enterprise file to a non-enterprise application, URL or network share.

Remove Encryption
Complete these steps on the CM1 and CLIENT1 virtual machines.
57. On CM1, in the Configuration Manager Console, navigate to Assets and Compliance | Compliance Settings | Configuration Items. Select WIP – Block and click Properties from the ribbon bar.
58. Click the Compliance Rules tab and double-click on WIP App Management Mode.
59. Scroll slightly down and select Off: Turns off Windows Information Protection, then click OK on the Edit Rules window.
60. Click Apply and OK on the WIP – Block Properties window.
61. On the CLIENT1 virtual machine, open the Control Panel. Select the Configuration Manager icon. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.
62. On the Configuration Manager Properties window, go to the Configurations tab, select the WIP – Block baseline and click Evaluate and Refresh. Click OK.
63. Right-click on Picture1.bmp then select Properties.
Note: The briefcase icon no longer shows on the file.
64. On the Picture1.bmp Properties window, click Advanced…
65. On the Advanced Attributes window, verify that Encrypt contents to secure data is not selected.
66. Click OK two times.
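The following PowerShell snippet is an added example, not part of the lab guide. It checks, from the command line on CLIENT1, the same thing the Properties > Advanced dialogs show in this activity: WIP protection is implemented as EFS encryption, so a protected file carries the Encrypted file attribute, and cipher.exe /c lists who can decrypt it. Run it once after step 34 (all three files should report Encrypted = True) and again after step 65 (Encrypted = False once the policy is Off). The file names are those created in this activity.

```powershell
# Added example, not part of the lab guide. Run on CLIENT1 as CORP\LabAdmin.
function Get-WipFileState {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ File = $p; Exists = $false; Encrypted = $null }
            continue
        }
        # The Encrypted attribute is what Advanced Attributes shows as "Encrypt contents to secure data".
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        [pscustomobject]@{
            File      = $p
            Exists    = $true
            Encrypted = [bool]($attr -band [IO.FileAttributes]::Encrypted)
        }
    }
}

$desktop = [Environment]::GetFolderPath('Desktop')
$files = 'Picture1.bmp', 'Protected File1.txt', 'Unattend.xml' | ForEach-Object { Join-Path $desktop $_ }

Get-WipFileState -Path $files | Format-Table -AutoSize

# cipher /c reports the users and the recovery agents able to decrypt each encrypted file,
# which is where the DRA certificate from 1.7.2.2 becomes visible.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { cipher.exe /c "$f" }
}
```

A file that is still Encrypted = True after the policy has been switched Off and the baseline re-evaluated means the client has not yet received or applied the updated policy; repeat the Machine Policy Retrieval & Evaluation Cycle before looking further.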

1.8 Windows Defender Application Control


1.8.1 Modern Management

Task Detailed Steps

Create Groups for use with WDAC Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WDACDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
7. Click Create.

Configuring WDAC with Intune
8. Close all browser windows.
9. Start Internet Explorer in InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create profile”.
17. Fill in the form:
Name: WDAC Demo
Description: WDAC Demo
Platform: Windows 10 and later
Profile type: Endpoint protection
18. Click on “Windows Defender Application Control”.
19. Fill in the form:
Application control code integrity policies: Enable
Trust apps with good reputation: Enable
20. Select OK.
21. Select OK.
22. Select Create.
23. Select Assignments.
24. Select “Select groups to include”.
25. Select “WDACDemo” and click Select.
26. Click on Save.

Complete these steps on the CLIENT3 virtual machine, or on a physical machine if your environment does not support nested virtualization.

Verify Configuration is Applied
27. Login to the virtual machine as TU2@<AzureDomainName>.onmicrosoft.com
28. Select Start.
29. Select Settings.
30. Select Accounts.
31. Select Access work or school.
32. Select Connected to <CompanyName> Azure AD.
33. Click Info.
34. Click Sync to force a policy update and confirm that the sync was successful.
35. Open Edge.
36. Navigate to https://www.7-zip.org/download.html.
37. Download and install the latest version of the application.
38. Once installed, run the application.
Note: The application should run because it has a good reputation. To see it blocked, remove the application and install an older version.

1.8.2 Traditional Management


Device Guard is a combination of enterprise-related hardware and software security features
that, when configured together, will lock a device down so that it can only run trusted
applications that you define in your code integrity policies. If the app isn’t trusted it can’t run,
period. With hardware that meets basic requirements, it also means that even if an attacker
manages to get control of the Windows kernel, he or she will be much less likely to be able to
run malicious executable code. With appropriate hardware, Device Guard can use the new
virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs
and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel
itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-
protected container.

In this section, you will learn how to configure and deploy Code Integrity policies and enable
Device Guard in an enterprise.

1.8.2.1 Prerequisites

Perform the following tasks before proceeding to the succeeding sections.


Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Download VLC Media Player
1. Open Internet Explorer and browse to the URL below.
http://www.videolan.org/vlc/
2. Click Download VLC and save vlc-3.0.3-win64.exe to C:\Packages.

Download CamStudio
3. Open Internet Explorer and browse to the URL below.
http://camstudio.org/
4. Click Download and save camstudio.exe to C:\Packages.

1.8.2.2 Create CI Policy from a Golden System

In this activity, you will go through the steps in creating your first Code Integrity (CI) policy from
a “Golden” system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Open PowerShell
1. Logon as a Domain Administrator (corp\labadmin) and from the Start Menu, start an elevated instance of PowerShell.

Create Shadow Copy of System Drive
2. From the PowerShell window, run the following commands:
$s1 = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"

Generate a New Policy from Scan
3. From the PowerShell window, run the following command:
New-CIPolicy -Level PcaCertificate -FilePath C:\PoCPolicy.xml -ScanPath C:\scpy -UserPEs
Note: This can take around 20-30 minutes, and a base policy is created during the process. If required, increase the memory of the virtual machine so that this process runs efficiently. Ignore any errors received after command execution completes.

Explore Policy Configuration
4. Save the file PoCPolicy.xml to a network location, for example \\DC1\C$.
5. Open the file C:\PoCPolicy.xml with Notepad and review the content without making changes.
6. Close the file.

1.8.2.3 Configurable Code Integrity – Audit Mode

In this activity, you will create a CI policy and deploy it in audit mode.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Convert from XML to Binary File
1. From the PowerShell window, run the following command:
ConvertFrom-CIPolicy C:\PoCPolicy.xml C:\PoCPolicy.bin

Install Compiled Policy
2. From the PowerShell window, run the following command:
Copy-Item C:\PoCPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
3. Restart CLIENT1 and re-login with the same credentials.

Verify Audit Logs
4. Launch the installation package for VLC located at \\DC1\C$\Packages\vlc-3.0.3-win64.exe and install the package. The installation will be successful at this point.
5. Right-click on the Start button and click Run.
6. Enter eventvwr.msc and click OK.
7. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
8. Browse through the log entries, especially Event ID 3076.
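As an added example (not part of the lab guide), the following PowerShell function summarizes the same CodeIntegrity Operational log that Event Viewer shows in steps 5 to 8, so that after installing VLC in audit mode you get one line per file that would have been blocked, instead of scrolling through individual 3076 entries. The same function, called with -EventId 3077, serves the Verify Audit Logs task of section 1.8.2.5, where the events record actual blocks. The EventData field names FileNameBuffer and ProcessNameBuffer are the names I expect in these events; if a field is missing the function falls back to the event message text.

```powershell
# Added example, not part of the lab guide. Run on CLIENT1 in an elevated PowerShell.
function Get-CodeIntegrityEventSummary {
    param(
        # 3076 = would have been blocked (audit mode); 3077 = blocked (enforce mode).
        [int[]]$EventId = @(3076),
        [datetime]$Since = (Get-Date).AddHours(-2)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventId
        StartTime = $Since
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than parsing the message.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            File    = if ($data.ContainsKey('FileNameBuffer')) { $data['FileNameBuffer'] } else { $e.Message }   # field name assumed
            Process = $data['ProcessNameBuffer']                                                                  # field name assumed
        }
    }
}

# One line per file, most frequent first: this is the list of binaries the audit policy
# would need rules for, which is what New-CIPolicy -Audit derives in section 1.8.2.4.
Get-CodeIntegrityEventSummary -EventId 3076 |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'File'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

File paths in these events are written in NT device form (for example \Device\HarddiskVolume3\...), so expect that rather than a drive letter in the File column.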

1.8.2.4 Creating CI Policy from Audit Logs

In this activity, you will go through the steps in creating a Code Integrity (CI) policy from audit
log events.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Create a CI Policy from Audit Logs
1. From the Start Menu, start an elevated instance of PowerShell.
2. From the PowerShell window, run the following command:
New-CIPolicy -Level PcaCertificate -FilePath C:\AuditPoCPolicy.xml -Audit -UserPEs
Note: Ignore any errors received after command execution completes.
3. Open the file C:\AuditPoCPolicy.xml with Notepad.
4. Close the file.

Merge Golden Policy with Policy from Audit Logs
5. From the PowerShell window, run the following command:
Merge-CIPolicy -OutputFilePath C:\MergedPoCPolicy.xml -PolicyPaths C:\AuditPoCPolicy.xml,C:\PoCPolicy.xml
6. Open the file C:\MergedPoCPolicy.xml with Notepad.
7. Close the file.

1.8.2.5 Configurable Code Integrity – Enforce Mode

In this activity, you will deploy and enforce a CI policy to lock down the system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Disable Audit Mode
1. From the PowerShell window, run the following command:
Set-RuleOption -Option 3 -Delete -FilePath C:\MergedPoCPolicy.xml
2. Open the file C:\MergedPoCPolicy.xml with Notepad.
3. Close the file.

Convert from XML to Binary File
4. From the PowerShell window, run the following command:
ConvertFrom-CIPolicy C:\MergedPoCPolicy.xml C:\MergedPoCPolicy.bin

Install Compiled Policy
5. From the PowerShell window, run the following command:
Copy-Item C:\MergedPoCPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
6. Restart CLIENT1 and re-login with the same credentials.

Install or Launch Your Application(s)
7. Launch the installation package for CamStudio located at \\DC1\C$\Packages\camstudio.exe. The application should not launch at this stage and should throw errors, which means it is blocked by code integrity.

Verify Audit Logs
8. Right-click on the Start button and click Run.
9. Enter eventvwr.msc and click OK.
10. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
11. Browse through the log entries, especially Event ID 3077.
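The script below is an added example, not part of the lab guide, that collects the policy lifecycle of sections 1.8.2.2 through 1.8.2.5 into one file with three phases, using the lab's own file names and cmdlets. It adds one thing the individual commands do not show: a check of rule option 3 (Enabled:Audit Mode) in the policy XML, so you can confirm which mode a policy is in before it is compiled and copied into place. It assumes an elevated PowerShell on CLIENT1, the ConfigCI module that provides New-CIPolicy, and that the shadow copy is already linked at C:\scpy as in step 2 of section 1.8.2.2.

```powershell
# Added example, not part of the lab guide. Run elevated on CLIENT1 as
#   .\Build-CIPolicy.ps1 -Phase Golden   (1.8.2.2 + 1.8.2.3, then reboot)
#   .\Build-CIPolicy.ps1 -Phase Audit    (1.8.2.4, after exercising the apps)
#   .\Build-CIPolicy.ps1 -Phase Enforce  (1.8.2.5, then reboot)
param([ValidateSet('Golden', 'Audit', 'Enforce')][string]$Phase = 'Golden')
$ErrorActionPreference = 'Stop'
$Golden = 'C:\PoCPolicy.xml'
$Audit  = 'C:\AuditPoCPolicy.xml'
$Merged = 'C:\MergedPoCPolicy.xml'
$Target = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

function Get-PolicyMode([string]$XmlPath) {
    # Rule option 3 ("Enabled:Audit Mode") decides whether the policy logs 3076 or blocks with 3077.
    $options = @(([xml](Get-Content -Path $XmlPath -Raw)).SiPolicy.Rules.Rule.Option)
    if ($options -contains 'Enabled:Audit Mode') { 'Audit' } else { 'Enforce' }
}

function Publish-Policy([string]$XmlPath) {
    # ConvertFrom-CIPolicy compiles the XML into the binary the kernel loads;
    # the copy into CodeIntegrity\SIPolicy.p7b takes effect after a restart.
    $bin = [IO.Path]::ChangeExtension($XmlPath, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $bin | Out-Null
    Copy-Item -Path $bin -Destination $Target -Force
    "Installed $XmlPath in $(Get-PolicyMode $XmlPath) mode as $Target; restart to apply."
}

switch ($Phase) {
    'Golden' {
        # Scan the shadow copy of the golden system and deploy the result in audit mode.
        if (-not (Test-Path $Golden)) {
            New-CIPolicy -Level PcaCertificate -FilePath $Golden -ScanPath 'C:\scpy' -UserPEs
        }
        Set-RuleOption -FilePath $Golden -Option 3      # make audit mode explicit
        Publish-Policy $Golden
    }
    'Audit' {
        # Turn the 3076 audit events into rules and merge them with the golden policy.
        New-CIPolicy -Level PcaCertificate -FilePath $Audit -Audit -UserPEs
        Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Audit, $Golden | Out-Null
        "Merged policy written to $Merged in $(Get-PolicyMode $Merged) mode."
    }
    'Enforce' {
        # Drop option 3 so the merged policy blocks instead of logging, verify, then deploy.
        Set-RuleOption -FilePath $Merged -Option 3 -Delete
        if ((Get-PolicyMode $Merged) -ne 'Enforce') { throw 'Enabled:Audit Mode is still present in the policy' }
        Publish-Policy $Merged
    }
}
```

The Enforce phase refuses to deploy a policy that still carries the audit option; the reverse mistake, deploying an enforce-mode policy that was never audited, is what the Audit phase and the 3076 review in section 1.8.2.3 exist to prevent.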

1.8.2.6 Configure Group Policies

In this activity, you will learn how to configure and deploy group policies to enforce the
configuration.

Task Detailed Steps

Complete these steps on the DC1 and the CLIENT2 virtual machines.

Create Device Guard GPO
1. Create a folder in the C: drive by the name CodeIntegrity and copy into this folder the SIPolicy.p7b file created in the previous task from the CLIENT1 VM. The path of this file on the CLIENT1 VM is C:\Windows\System32\CodeIntegrity.
2. Navigate to C:\CodeIntegrity, right-click the CodeIntegrity folder and click Properties.
3. Click the Sharing tab and click Advanced Sharing…
4. Check the box next to Share this folder and click Permissions.
5. Ensure Everyone is in the list and has been granted Full Control. Click Apply and click OK two times.
6. Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
7. Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control. Close all the windows.
8. Now navigate to the copied C:\CodeIntegrity\SIPolicy.p7b, right-click on the file and click Properties.
9. Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
10. Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control. Close all the windows.
Note: If at any point you see that Everyone has not been granted Full Control permissions, grant them before continuing.
11. Back on the DC1 VM, in Active Directory Users and Computers, create an OU called Devices and move the CLIENT2 VM to the Devices OU from the default Computers container.
12. Open the Group Policy Management Console.
13. Right-click on Group Policy Management > Forest: corp.contoso.com > Domains > corp.contoso.com > Group Policy Objects and select New.
14. Under Name, enter Device Guard Policies and then click OK.
15. Right-click the Devices OU, click Link an Existing GPO…
16. Select Device Guard Policies and click OK.

Deploy Code Integrity Policy and Enable VBS for KMCI
17. Right-click Device Guard Policies and select Edit.
18. Browse to Computer Configuration\Policies\Administrative Templates\System\Device Guard.
19. Double-click on Deploy Windows Defender Application Control.
20. Select Enabled.
21. Under Code Integrity Policy file path, enter \\DC1\CodeIntegrity\SIPolicy.p7b.
22. Click Apply and then OK.
Note: The policy below is for informational purposes only and cannot be demonstrated in this lab. It requires a physical Windows 10 Enterprise machine with the hypervisor enabled, Secure Boot or Trusted Boot enabled, and other dependencies such as virtualization extensions and all virtualization capabilities turned on, including Input/Output Memory Management Unit (IOMMU) support, compatible drivers and updated legacy drivers.
23. Double-click on Turn On Virtualization Based Security.
24. Select Enabled.
25. Under Select Platform Security Level, select Secure Boot and DMA Protection.
26. Under Virtualization based Protection of Code Integrity, select Enable with UEFI lock.
27. Click Apply and then OK.

Attempt to Run New Applications that Have Not Been Installed on the System
28. Now on the CLIENT2 VM, run gpupdate /force.
29. Restart CLIENT2 and re-login with the same credentials.
30. Verify that any new application installation or new executable is blocked by the Code Integrity Policy, for example CamStudio. The CamStudio package is located at \\DC1\C$\Packages\camstudio.exe.
Note: Before executing any labs after the Code Integrity lab in which the CLIENT1 and CLIENT2 VMs are going to be used, ensure that they have been moved back to the default Computers container from the Devices OU. Then, in both VMs, delete the SIPolicy.p7b file from C:\Windows\System32\CodeIntegrity, run gpupdate /force and reboot both VMs. This ensures that no activity is blocked by Code Integrity.
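The following function is an added example, not part of the lab guide. It reads back on CLIENT2 what the GPO in this section was meant to produce: the code integrity enforcement state and the virtualization-based security state from the Win32_DeviceGuard class, the policy path the Deploy Windows Defender Application Control setting delivered, and whether a local SIPolicy.p7b is present. The registry value names DeployConfigCIPolicy and ConfigCIPolicyFilePath under the DeviceGuard policy key are, to my knowledge, the ones the Device Guard administrative template writes; treat them as an assumption if your template version differs.

```powershell
# Added example, not part of the lab guide. Run on CLIENT2 after step 29.
function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Enumerations of the Win32_DeviceGuard class.
    $enforce = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbs     = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $svc     = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-protected Code Integrity' }
    # Values written by the "Deploy Windows Defender Application Control" policy (names assumed, see lead-in).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus          = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelModeCiPolicy = $enforce[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiPolicy   = $enforce[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ServicesConfigured = @($dg.SecurityServicesConfigured | ForEach-Object { $svc[[int]$_] }) -join ', '
        ServicesRunning    = @($dg.SecurityServicesRunning    | ForEach-Object { $svc[[int]$_] }) -join ', '
        GpoDeploysPolicy   = [bool]$pol.DeployConfigCIPolicy
        GpoPolicyPath      = $pol.ConfigCIPolicyFilePath
        LocalPolicyPresent = Test-Path 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
    }
}

$status = Get-DeviceGuardStatus
$status | Format-List
if ($status.UserModeCiPolicy -ne 'Enforced') {
    Write-Warning 'User-mode code integrity is not enforced: check the GPO path, the copied policy file and that the VM has restarted.'
}
```

On the nested CLIENT2 VM, VbsStatus is expected to read Not enabled (the note above explains why the VBS policy cannot be demonstrated here), while the two code integrity fields should read Enforced once the policy file has been applied and the VM restarted; the WDAC block you observe in step 30 does not depend on VBS.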

1.9 Windows Defender Application Guard


Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is trusted among web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data.

Note: Windows Defender Application Guard can only be enabled if the hardware requirements are met, as stated in https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard

1.9.1 Modern Management

Follow the sections below for managing Windows Defender Application Guard through modern management tools.

1.9.1.1 Configure Windows Defender Application

In the section below you will be configuring WDAG using modern management.

Task Detailed Steps

Create Groups for use with WD Application Guard Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WDAGDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
7. Click Create.

Creating an Intune WDAG Policy
8. Close all browser windows.
9. Start Internet Explorer in InPrivate mode.
10. Navigate to https://portal.azure.com and sign in with labadmin@<AzureDomainName>.onmicrosoft.com.
11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create profile”.
17. Fill in the form:
Name: WDAG Demo
Description: WDAG Demo
Platform: Windows 10 and later
Profile type: Endpoint protection
18. Select “Windows Defender Application Guard”.
19. Fill out the form:
Application Guard: Enable
Clipboard behavior: Block copy and paste between PC and browser
External content on enterprise sites: Not configured
Print from virtual browser: Allow
Printing type(s): PDF
Collect logs: Not configured
Retain user-generated browser data: Not configured
Graphics acceleration: Not configured
Download files to host file system: Not configured
20. Select OK.
21. Select OK.
22. Select Create.
23. Select Assignments.
24. Select “Select groups to include”.
25. Select “WDAGDemo”. Click Select.
26. Click on Save.

Complete these steps on the CLIENT3 virtual machine, or on a physical machine if your environment does not support nested virtualization.

Verify the Policy has been Applied and Working
27. Login to a machine as TU2@<AzureDomainName>.onmicrosoft.com
28. Select Start.
29. Select Settings.
30. Select Accounts.
31. Select Access work or school.
32. Select Connected to <CompanyName> Azure AD.
33. Click Info.
34. Click Sync to force a policy update and confirm that the sync was successful.
35. Close Settings. Reboot the machine once.
36. Launch Edge.
37. Press Alt-X.
38. Select “New Application Guard window”.
39. A new window should appear.
Note: Notice that in the upper left hand corner of the window you should see Application Guard, and a thin orange line at the top of the window. This indicates you are running in Application Guard mode.
40. Enter the URL www.bing.com.
41. Create a new tab.
42. Copy the URL www.bing.com to the new tab.
Note: Notice that you can do this because it is inside of Application Guard.
43. Open IE.
44. Try to copy the URL from the WDAG Edge window to IE.
Note: Notice that you cannot copy. This is because WDAG is configured to not allow copy and paste with the OS.
45. Enter the URL www.msn.com in IE.
46. Copy this URL from IE and try to paste it in the WDAG Edge window.
Note: Notice that you cannot copy. This is because WDAG is configured to not allow copying from the OS to the WDAG Edge window.

1.9.2 Traditional Management


Follow the following sections for managing Windows Defender Application Guard through
traditional management tools.

1.9.2.1 Prerequisites

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.

Install the Feature
1. Open the Control Panel, click Programs, and then click Turn Windows features on or off.
2. Select the check box next to Windows Defender Application Guard and then click OK.
3. Restart the device.

1.9.2.2 Configure Group Policy Settings

Task Detailed Steps

Complete these steps on the DC1 virtual machine.

Turn On Windows Defender Application Guard
1. In the Group Policy Management Console, edit the Default Domain Policy by going to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard.
2. Double-click Turn on Windows Defender Application Guard in Enterprise Mode.
3. Select Enabled and click Apply and OK.

Set Up Network Isolation
4. Go to the Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud setting.
5. Select Enabled and type .microsoft.com into the Enterprise cloud resources box. Click Apply and OK.
6. Go to the Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal setting.
7. Select Enabled and type bing.com into the Neutral resources box. Click Apply and OK.

1.9.2.3 Validate Windows Defender Application Guard

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

Test Application Guard
1. Update the group policies by running gpupdate /force from an elevated command prompt. Accept the UAC prompt if required.
2. Start Microsoft Edge and type www.microsoft.com.
3. After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted, and shows the site directly on the host PC instead of in Application Guard.
4. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists, for example www.msn.com.
5. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
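The following script is an added example, not part of the lab guide: it reads back the feature state and the policy values the lab pushes through Group Policy, and reproduces the trusted/neutral/untrusted decision of steps 3 to 5 against the lab's own lists. The registry locations named in the comments are an assumption about which values back the two policies; the sample URL list is constructed.

```powershell
# Added example, not part of the lab guide. Run from an elevated prompt
# (Get-WindowsOptionalFeature needs it).
# Assumption: the policies are backed by AllowAppHVSI_ProviderSet under
# HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI and by EnterpriseCloudResources /
# NeutralResources under HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation.

function Get-WdagStatus {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    $hvsi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue
    $iso  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState        = $feature.State                     # Enabled after section 1.9.2.1
        EnterpriseModeOn    = ($hvsi.AllowAppHVSI_ProviderSet -eq 1)
        EnterpriseResources = $iso.EnterpriseCloudResources      # '.microsoft.com' in the lab
        NeutralResources    = $iso.NeutralResources              # 'bing.com' in the lab
    }
}

# Splits a policy value such as '.microsoft.com,contoso.com' into host patterns.
function ConvertTo-HostList([string]$PolicyValue) {
    if ([string]::IsNullOrWhiteSpace($PolicyValue)) { return @() }
    @($PolicyValue -split '[,;]' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
}

# A pattern matches the host itself and any subdomain; a leading dot is accepted
# as typed in the policy UI ('.microsoft.com').
function Test-HostMatch([string]$HostName, [string]$Pattern) {
    $h = $HostName.ToLowerInvariant()
    $p = $Pattern.TrimStart('.')
    return ($h -eq $p) -or $h.EndsWith('.' + $p)
}

# Same decision order the lab describes: enterprise list, then neutral list, else isolate.
function Get-WdagDecision([string]$Url, [string[]]$Enterprise, [string[]]$Neutral) {
    $hostName = ([uri]$Url).Host
    if ($Enterprise | Where-Object { Test-HostMatch $hostName $_ }) { return 'Trusted: rendered by Edge on the host' }
    if ($Neutral    | Where-Object { Test-HostMatch $hostName $_ }) { return 'Neutral: rendered by Edge on the host' }
    return 'Untrusted: redirected to the Application Guard container'
}

# Constructed sample mirroring the lab's lists. On CLIENT1 you can instead feed
# (Get-WdagStatus).EnterpriseResources and .NeutralResources into ConvertTo-HostList.
$enterprise = ConvertTo-HostList '.microsoft.com'
$neutral    = ConvertTo-HostList 'bing.com'
foreach ($u in 'https://www.microsoft.com', 'https://www.bing.com', 'https://www.msn.com') {
    '{0,-28} {1}' -f $u, (Get-WdagDecision $u $enterprise $neutral)
}
```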
7 Compatibility

In this module, you will go through configuring Upgrade Readiness and scenarios that mitigate
web application compatibility issues with Internet Explorer 11.

7.1 Windows Analytics Upgrade Readiness


With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the
upgrade process end to end, allowing them to adopt new Windows releases more quickly. With
new Windows versions being released multiple times a year, ensuring application and driver
compatibility on an ongoing basis is key to adopting new Windows versions as they are
released. With Windows telemetry enabled, Upgrade Readiness collects system, application, and
driver data for analysis. We then identify compatibility issues that can block an upgrade and
suggest fixes when they are known to Microsoft.

In this section, you will learn how to navigate Upgrade Readiness to understand how you might
use it in your environment.

The Operations Manager Suite Experience Center will be used to evaluate Windows Analytics
Upgrade Readiness using read-only demo data and will not require devices to be configured to
send telemetry to the Update Compliance service.

Note: This lab guide is aimed at getting you familiar with the Upgrade Readiness workspace. It
is not supposed to be a comprehensive guide to using the solution in your organization.

Appendix – Configuring Windows Analytics has more details on configuring, deploying and
reviewing Windows Analytics.

7.1.1 Sign-Up and Overview

Task Detailed Steps


You can complete these steps on any web browser.

Sign-On (INTERNAL ONLY)
**This feature is available only to Microsoft employees; to sign up go to https://idweb and join the "asodemo" Security Group.
1. After you join the security group, log into https://mms.microsoft.com and you will have access to the "contosoretail-IT" workspace.

Open Upgrade Readiness
2. In the Filter by name field enter Upgrade Readiness.
3. The Upgrade Readiness tile appears, showing summary information: the total devices where a review is in progress, as well as the number of devices that are ready to upgrade or won't upgrade.
4. Click the Upgrade Readiness tile, which will open the Upgrade Readiness workspace.

Upgrade Overview Blade
5. The Upgrade Overview blade provides a summarization of all the data Upgrade Readiness focuses on.
6. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded.
7. The Upgrade Overview blade displays data refresh status, including the date and time of the most recent data update. The refresh status is color coded:
   - No delay in processing device inventory data = Green
   - Delay processing device inventory data = Amber
8. The Upgrade Overview blade also shows:
   - Total Computers: total number of devices reporting to Windows Analytics.
   - Computers upgraded: total number of devices that have been upgraded to a build of Windows 10. This could be any version of Windows 10, not necessarily the latest version.
   - Total Applications: a list of applications discovered on user computers.
   - Computers with incomplete data: computers that may not have the latest KBs, may not have reported back yet, or are not reporting back properly. This field is color coded:
     - Less than 4% = Green
     - 4% - 10% = Amber
     - Greater than 10% = Red
   - Computers with outdated KB: devices that don't have the latest KBs installed. The appraiser.dll required for Upgrade Readiness is updated on a regular basis; the KBs for older operating systems are updated and the update is added to the latest Windows 10 cumulative update. This field is color coded:
     - Less than 10% = Green
     - 10% - 30% = Amber
     - Greater than 30% = Red
   - User Changes: XXXX. This field is color coded:
     - Pending user changes = Amber
     - No pending user changes = Green
   - Target Version: this field is color coded:
     - If the current value matches the recommended value, the version is displayed in green.
     - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
     - If the current value is a deprecated OS version, the version is displayed in red.

9. Click on Total Computers.
10. Change the time range (top left corner) to 7 DAYS then click OK.
11. Edit the search query to:
    (Type=UAComputer OR Type=UAUpgradedComputer) | measure count() by TimeGenerated | sort TimeGenerated asc
12. Observe how the number of computers changes every day.

7.1.2 Configure Upgrade Readiness (OPTIONAL)


In this activity, you will subscribe to Upgrade Readiness and configure the prerequisites before
deploying to clients.

Task Detailed Steps


Complete these steps from an Internet-Connected Windows computer.

Add Upgrade Readiness to Operations Management Suite
**This feature is available only to Microsoft employees; to sign up go to https://idweb and join the "asodemo" Security Group.
1. After you join the security group, log into https://mms.microsoft.com and you will have access to the "contosoretail-IT" workspace.
2. Click Solutions Gallery, select the Upgrade Readiness tile in the gallery and then click Add on the solution's details page. The solution is now visible on your workspace.
3. Click Upgrade Readiness, which is visible on your workspace, and click the Solution Settings tile to configure the solution. The Upgrade Readiness Settings Dashboard opens.

Generate Commercial ID Key
4. On the Upgrade Readiness Settings Dashboard, copy and save the Commercial ID Key. You'll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
5. Select the Target version to be evaluated, example: Windows 10 Version 1803.
Note: Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you'll need to deploy the new commercial ID key to user computers again.

Whitelist Endpoints
6. To enable data sharing, whitelist the following endpoints.
Note: You may need to get approval from your security group to do this.
Note: The compatibility update KB runs under the computer's system account and does not support user-authenticated proxies.

Endpoint: https://v10.vortex-win.data.microsoft.com/collect/v1
Function: Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.

Endpoint: https://settings-win.data.microsoft.com/settings
Function: Enables the compatibility update KB to send data to Microsoft.

Endpoints: http://go.microsoft.com/fwlink/?LinkID=544713 and https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended
Function: This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system.

Endpoints: https://vortex.data.microsoft.com/health/keepalive, https://settings.data.microsoft.com/qos and https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc
Function: These endpoints are used to validate that user computers are sharing data with Microsoft.
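As an added check, not part of the lab guide: the script below probes each endpoint in the table and reports whether the network path is open, distinguishing a DNS, proxy or TLS failure from a service that simply refuses a HEAD request. It is written for Windows PowerShell 5.1 (the exception type differs in PowerShell 7), and the interpretation of any HTTP answer as "path open" is an assumption stated in the comments.

```powershell
# Added example, not from the lab guide. Because the compatibility update runs as
# SYSTEM and cannot use a user-authenticated proxy, run this from an elevated
# prompt or as SYSTEM (for example via a scheduled task) so the result reflects
# what the KB will actually see. Written for Windows PowerShell 5.1.

$endpoints = @(
    'https://v10.vortex-win.data.microsoft.com/collect/v1',
    'https://settings-win.data.microsoft.com/settings',
    'http://go.microsoft.com/fwlink/?LinkID=544713',
    'https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended',
    'https://vortex.data.microsoft.com/health/keepalive',
    'https://settings.data.microsoft.com/qos',
    'https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc'
)

function Test-UrEndpoint([string]$Url) {
    $result = [ordered]@{ Endpoint = $Url; Reachable = $false; Detail = '' }
    try {
        # -UseDefaultCredentials lets a proxy that accepts the machine account work without a prompt.
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15 -UseDefaultCredentials
        $result.Reachable = $true
        $result.Detail = "HTTP $($r.StatusCode)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # Assumption: any answer from the service (4xx on HEAD included) means the
            # firewall/proxy path is open; only the HTTP layer objected.
            $result.Reachable = $true
            $result.Detail = "HTTP $([int]$resp.StatusCode) ($($_.Exception.Status))"
        } else {
            # NameResolutionFailure, Timeout, TrustFailure (TLS inspection), ProxyNameResolutionFailure ...
            $result.Detail = $_.Exception.Status.ToString()
        }
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-UrEndpoint $_ } | Format-Table -AutoSize
```

A TrustFailure on the HTTPS endpoints usually points at a TLS-inspecting proxy whose root certificate is missing from the machine store, which is the failure the second Note above refers to.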

7.1.3 Deploy Upgrade Readiness (OPTIONAL)


In this activity, you will deploy and enable Upgrade Readiness to test devices.

7.1.4 Review Upgrade Readiness Data (OPTIONAL)


In this activity, you will review the data collected by Upgrade Readiness.
Task Detailed Steps
Complete these steps from an Internet-Connected Windows computer.

Open Upgrade Readiness Dashboard
1. Open Internet Explorer and browse to the URL below.
   https://mms.microsoft.com
2. Log on to the site using the same email address used in configuring Upgrade Readiness as per Sections 7.1.1 and 7.1.2.
3. Select the contosoretail-IT workspace that was created in Sections 7.1.1 and 7.1.2.
4. On the OMS dashboard, click on the Upgrade Readiness tile.
5. Review the collected data.
Note: For more information, go to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-get-started

7.2 Desktop Bridges


The Windows 10 Desktop Bridge provides consumer and enterprise developers a low-friction
path to migrate their Win32 apps to the Windows 10 Universal Windows Platform (UWP). In doing
so, developers can take advantage of Windows 10 features and app distribution not available to
traditional Win32 apps. Win32 apps using the Desktop Bridge also get a safer and cleaner
virtualized runtime environment. For more information on the Desktop Bridge see:
https://developer.microsoft.com/en-us/windows/bridges/desktop

This Lab provides a walkthrough of converting a Win32 app to a UWP using the Desktop App
Converter.

7.2.1 Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)


In this activity, starting from an MSI installer, you will create an AppX package, keeping
the best of both worlds: the flexibility of a Win32 app and the better security and distribution
model of an AppX package.

Task Detailed Steps


Complete these steps on the WIN10DEV virtual machine.

Install the Desktop App Converter – Version Check
1. Make sure your computer is up-to-date with the latest Windows 10 version. To make sure you're on the right version, just click on the Start button and choose Command Prompt: at the top, you'll see the Windows 10 build number, which should be 10.0.17134.81.

Install the 'Desktop App Converter'
2. The Desktop App Converter tool itself can be downloaded directly from the Store at the URL https://www.microsoft.com/store/apps/9nblggh4skzw
3. Click 'Get'.

Download the Windows Base Image
4. The latest base Windows image is used as the container to generate the appx package. Be aware that this file is quite big (approximately 3.2 GB). It can be downloaded from the following link: https://www.microsoft.com/en-us/software-download/dac#. Click Base Image - Build 17134 and save the file to C:\Windows\Temp.
Note: The version of the base image must match the version of the OS. In this case, we are working with Windows 10 17134.
Launch the 'Desktop App Converter' as Administrator
5. Press 'Start', type 'Desktop App Converter'.
6. Right click on the 'Desktop App Converter' icon and choose Run as administrator. Accept the UAC prompt. Under the hood, you will notice that it's simply a PowerShell command prompt, since PowerShell is the technology that powers the Desktop App Converter.

Install the Base Image
7. Install the base image by executing the following PowerShell commands in the folder where you have copied the file you've previously downloaded (or, alternatively, you can pass the full path of the file to the -BaseImage parameter).
   a. Set-ExecutionPolicy Bypass
   b. DesktopAppConverter.exe -Setup -BaseImage C:\Windows\Temp\Windows_BaseImage_DAC_17134.wim -Verbose
Note: The operation will take a while and, at some point, it may ask you to reboot the machine: the reason is that the Desktop App Converter relies on a Windows 10 feature (called Containers) which isn't installed by default.

If you get an Error
8. If you get an error related to Containers, you can manually install the feature by right clicking on the Start button, clicking Run, entering appwiz.cpl, clicking OK and then Turn Windows features on or off. You will find one called Containers; enable it, click OK, let the installation complete and, if asked, reboot the computer.
Note: The Containers feature is available only on Windows 10 Pro or Enterprise.
9. Now you're all set and you're ready to convert your first application.
Start the Win32 to UWP Conversion Process
Note: You will convert the Win32 sample app 'Hello Centennial'. Remember that the Desktop App Converter does not modify your application binaries. It monitors the file locations and registry entries created at install time. It uses this information to create the container your Win32 app will be in.
10. Download the 'Hello Centennial' sample Win32 app's MSI file from here: https://github.com/qmatteoq/DesktopBridge/blob/master/1.%20Desktop%20App%20Converter/HelloCentennial.msi
11. Create a folder called C:\Installer and copy the file HelloCentennial.msi here.
12. Create another folder called C:\Output\HelloCentennial.

Launch the 'Desktop App Converter' as Administrator
13. Press 'Start', type 'Desktop App Converter'.
14. Right click on the 'Desktop App Converter' icon and choose Run as administrator. Accept the UAC prompt.
Start the Desktop App Converter Process
Note: DesktopAppConverter flags:
- -Installer is the path to the setup file we need to convert. In this case, it's the HelloCentennial.msi file we've previously downloaded from GitHub.
- -Destination is the folder where we want to store the output files created by the conversion process.
- -PackageName is the name we want to give to the package.
- -Publisher is the publisher's name of the application. If you have some previous experience with UWP development, you'll recall seeing this information in the manifest file of a UWP app. It's uniquely assigned by the Dev Center when you open a developer account. For the moment, for test purposes, you can just use any name you want; it's just important that it starts with CN= and that it doesn't contain spaces.
- -Version is the version number of the app.
- -MakeAppx means that, other than generating the folder which will contain all the files that need to be packaged (like assets, the manifest, etc.), you also want to immediately generate the AppX package.
- -Verbose is an optional parameter, which is useful because it will show you all the details of what's going on during the conversion process.
- -Sign is a parameter that automatically generates the certificates needed to properly sign the AppX package. Without this digital signature, the package can't be installed on a machine which doesn't trust the generated certificate.
15. Download the Windows 10 1803 SDK: https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
16. In PowerShell type the command:
    DesktopAppConverter.exe -Installer "C:\Installer\HelloCentennial.msi" -Destination "C:\Output\HelloCentennial" -PackageName "HelloCentennial" -Publisher "CN=Awesome-Apps-Inc" -Version "1.0.0.0" -MakeAppx -Verbose -Sign
17. Inspect the Output folder. At the end of the process, you will get a folder structure like the following one:

The real work done by the tool can be found inside the PackageFiles folder:
18. As you can see, this folder looks a bit like the one that Visual Studio creates when you start a new UWP project. You have an Assets folder, which contains the default images to be used for the tile, the Store, or the icon in the Start menu. You also have a manifest file, the one called AppxManifest.xml.
Open the AppxManifest.xml File
19. Notice that it's like the manifest file of a UWP app. However, compared to a native UWP app, you'll find a couple of differences:
- You'll find the following Capability, which allows the application to run in full trust. This option is available only for converted apps; a native UWP app will not have this kind of access.

    <Capabilities>
      <rescap:Capability Name="runFullTrust" />
    </Capabilities>

- You'll find an Application entry with all the info about the Win32 process that the UWP container will launch.

    <Application Id="HelloCentennial" Executable="HelloCentennial.exe"
                 EntryPoint="Windows.FullTrustApplication">

Continue Inspecting Output: Registry.Dat, VFS Folder
20. You'll find other files and folders that captured the MSI setup process. For example, the Registry.dat file contains all the changes applied to the registry. Or, if you explore the VFS folder, you will find all the files that are copied during the installation process. For instance, you'll be able to find the main executable (the original Windows Forms app) following the path VFS\Users\ContainerAdministrator\AppData\Roaming\Matteo Pagani\Hello Centennial.

Attempt to Install the Converted App (APPX)
21. Double click on the file HelloCentennial.appx and you'll be prompted with the following dialog.
However, if you press the Install button out of the box, you'll see the following error.

Install Certificate to Resolve Error
Note: The reason is that, by default, a UWP package needs to be signed with a valid certificate to be installed, and this certificate needs to be trusted by the computer. When we publish a UWP app on the Store, this process is completely transparent: it's the Store that takes care of signing the AppX package with a valid certificate during the submission process. In this case, instead, we're trying to sideload a package without using the Store, so we need to take care of signing it.
If you remember, when we used the Desktop App Converter tool, we passed a parameter called -Sign, which already did the hard work for us. The package is already signed: the problem is that the certificate used for signing it isn't trusted by our computer, which leads to an installation failure.
22. To solve this problem, you'll need to add the certificate to the Trusted Root Certification Authorities store of the computer. You'll find it in the folder generated by the tool (the one with the AppX package and the PackageFiles folder); it's called auto-generated.cer. Simply double click on it, choose Install Certificate and, when you're prompted where to install it, choose Local Machine and then the option Place all certificates in the following store. By pressing the Browse button, make sure to choose Trusted Root Certification Authorities and complete the process.

Retry Installing the Converted App (APPX)
23. Double click on the file HelloCentennial.appx. Uncheck Launch when ready. This time, after pressing the Install button, you will see a progress bar showing the installation status and, at the end, the window will become like the following one.

Find 'HelloCentennial' in the Start Menu
24. Press the Windows key. Type HelloCentennial.
Note: Now you have a Win32 app that has been embedded into a UWP app! Notice that the app will have a tile, you'll be able to pin it to the Start menu and, if you want to uninstall it, just right click on it and choose Uninstall.

Launch the Converted App: 'HelloCentennial'
25. Select the app from the Start menu to launch it. You'll notice that it's still a Win32 app and it will be able to create a text file on the user's desktop just fine, without requiring any extra dialog or permission.
Note: You might have to download and install the app's prerequisite, .NET Framework 3.5 (includes 2.0 and 3.0), before it launches; Windows will offer to do this automatically.
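An added example, not part of the lab guide or the Desktop App Converter project: the script below audits a converted package the way a reviewer would before allowing it onto a fleet, reading the capabilities (runFullTrust means the packaged Win32 process runs with the user's full rights, outside the UWP sandbox) and the launched executable from AppxManifest.xml, and checking whether the package signature chains to a certificate already in the machine's Trusted Root store. The output paths follow the lab (C:\Output\HelloCentennial); the inline manifest is a constructed sample mirroring the fragments shown in steps 19 and 20.

```powershell
# Added example, not from the lab guide. Audits a Desktop Bridge conversion output.

function Get-AppxManifestAudit([string]$ManifestPath) {
    [xml]$m = Get-Content -Path $ManifestPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($m.NameTable)
    $ns.AddNamespace('d', $m.DocumentElement.NamespaceURI)   # default manifest namespace
    # All children of <Capabilities>, whatever prefix (rescap:, uap:, none) they carry.
    $caps = @($m.SelectNodes('//d:Capabilities/*', $ns) | ForEach-Object { $_.GetAttribute('Name') })
    $app  = $m.SelectSingleNode('//d:Applications/d:Application', $ns)
    [pscustomobject]@{
        Identity      = $m.Package.Identity.Name
        Publisher     = $m.Package.Identity.Publisher
        Capabilities  = $caps
        RunsFullTrust = ($caps -contains 'runFullTrust')   # converted apps only, per step 19
        Executable    = $app.GetAttribute('Executable')
        EntryPoint    = $app.GetAttribute('EntryPoint')    # Windows.FullTrustApplication
    }
}

function Get-AppxSignatureAudit([string]$PackagePath) {
    # Get-AuthenticodeSignature reads the package signature; Status is Valid only
    # when the signer chains to a root the machine trusts (the error step 21 hits).
    $sig    = Get-AuthenticodeSignature -FilePath $PackagePath
    $signer = $sig.SignerCertificate
    $inRoot = $false
    if ($signer) {
        $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                         Where-Object { $_.Thumbprint -eq $signer.Thumbprint })
    }
    [pscustomobject]@{
        Status        = $sig.Status
        Subject       = $signer.Subject
        Thumbprint    = $signer.Thumbprint
        SelfSigned    = [bool]($signer -and $signer.Subject -eq $signer.Issuer)
        InTrustedRoot = $inRoot   # True after step 22; that trust applies to anything this cert signs
    }
}

# Constructed sample manifest so the manifest audit can run without a converted package.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="HelloCentennial" Publisher="CN=Awesome-Apps-Inc" Version="1.0.0.0" />
  <Applications>
    <Application Id="HelloCentennial" Executable="HelloCentennial.exe" EntryPoint="Windows.FullTrustApplication" />
  </Applications>
  <Capabilities>
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>
'@
$tmp = Join-Path $env:TEMP 'AppxManifest.sample.xml'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Get-AppxManifestAudit $tmp      # RunsFullTrust = True, Executable = HelloCentennial.exe

# On WIN10DEV, audit the real output of step 16.
$out = 'C:\Output\HelloCentennial'
if (Test-Path "$out\PackageFiles\AppxManifest.xml") {
    Get-AppxManifestAudit "$out\PackageFiles\AppxManifest.xml"
    Get-AppxSignatureAudit (Get-ChildItem "$out\*.appx" | Select-Object -First 1).FullName
}
```

Run the signature audit once before and once after step 22 to see Status move from UnknownError to Valid as the auto-generated certificate enters the Trusted Root store.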

7.3 Browser Compatibility


For web apps and sites in Windows 10, modern HTML5-based sites should have a high degree
of compatibility and excellent performance through the new Microsoft Edge browser, while
older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode
features that were first introduced in Windows 7 and Windows 8.1 and are still present in
Windows 10.

7.3.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the APP1 virtual machine.

Create a Shared Folder (EMEI) with Full Permissions
1. Open File Explorer and browse to C:\.
2. Create a new folder named EMEI.
3. Right-click on EMEI and select Properties.
4. In the EMEI Properties window, go to the Sharing tab.
5. On the Sharing tab, click Advanced Sharing.
6. On the Advanced Sharing window, select Share this folder then click on Permissions.
7. On the Permissions for EMEI window, under Allow select Full Control then click Apply and OK.
8. On the Advanced Sharing window, click Apply and OK.
9. On the EMEI Properties window, click Close.

Configure Test Website
10. On the taskbar, open File Explorer and browse to C:\Packages\Sources.
11. Copy the ContosoLearning folder to C:\inetpub\wwwroot.
12. On the Start menu, open Internet Information Services (IIS) Manager.
13. Under the Connections pane, browse to APP1 (Corp\LabAdmin) > Sites > Default Web Site > ContosoLearning.
14. Right-click on ContosoLearning and select Convert to Application.
15. On the Add Application window, click OK.
16. On ContosoLearning, under the Actions pane select Advanced Settings.
17. On the Advanced Settings window, select Application Pool and click on the ellipsis (…).
18. On the Select Application Pool window, set the Application pool to .NET v2.0 then click OK.
19. On the Advanced Settings window, click OK.

Complete these steps on the CLIENT2 virtual machine.

Pin Internet Explorer on the Taskbar
20. On the Start Menu, search for Internet Explorer.
21. Right-click on Internet Explorer and select Pin to taskbar.

Download Enterprise Mode Site List Manager
22. Open Internet Explorer and browse to the URL below.
    http://www.microsoft.com/en-us/download/details.aspx?id=49974
23. From the website, click Download.
24. Save EMIESiteListManager.msi to C:\Packages.

7.3.2 Enterprise Mode


Enterprise Mode, a compatibility mode that runs on Internet Explorer 11, allows websites to render
using a modified browser configuration that's designed to emulate either Windows Internet
Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems
associated with web apps written and tested on older versions of Internet Explorer.

In this section, you will learn how to use and configure Enterprise Mode and the Enterprise
Mode Site List Manager.

7.3.2.1 Manually Activate Enterprise Mode

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.

Browse to the Test Site
1. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.
Note: Notice that the website says that the browser is not supported, only Internet Explorer is supported, even though the browser is Internet Explorer.

Enable Enterprise Mode
2. Right-click on the Start button and select Run.
3. In the Run window, enter regedit and then click OK.
4. In the Registry Editor window, browse to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft.
5. Right-click on the Microsoft key and select New > Key.
6. Enter Internet Explorer as the name of the new key.
7. Right-click on the Internet Explorer key and select New > Key.
8. Enter Main as the name of the new key.
9. Right-click on the Main key and select New > Key.
10. Enter EnterpriseMode as the name of the new key.
11. Right-click on the EnterpriseMode key and select New > String Value.
12. Enter Enable as the name of the string value.
13. Right-click on the EnterpriseMode key and select New > String Value.
14. Enter SiteList as the name of the string value.
Note: Enterprise Mode can be enabled through Group Policy. For more information, go to https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.

Enable Enterprise Mode on the Test Site
15. Close all open Internet Explorer browsers.
16. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.
17. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode.
Note: Enable the Menu bar.
Note: Notice now that the website is not displaying the browser support issue, due to Enterprise Mode emulating Internet Explorer 8. Also, see the building icon on the left side of the URL, which indicates that Enterprise Mode is enabled for this URL.
18. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode to turn it off for the next labs.
19. Close all Internet Explorer browsers.

7.3.2.2 Enterprise Mode Site List Manager

Task Detailed Steps


Complete these steps on the CLIENT2 virtual machine.

Install Enterprise Mode Site List Manager
1. On the taskbar, open File Explorer and browse to C:\Packages.
2. Double-click on EMIESiteListManager.msi.
3. On the Welcome page, click Next.
4. On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next.
5. On the Destination Folder page, click Next.
6. On the Ready to Install page, click Install.
7. Once complete, click Finish.

Create a Site List
8. From the desktop icon, open the Enterprise Mode Site List Manager.
9. On the Enterprise Mode Site List Manager for v.2 schema window, click Add.
10. On the Add new website window, under URL enter app1/ContosoLearning and then click Save.
11. Click on File > Save to XML.
12. Save the file to \\APP1\EMEI as EMEISiteList.xml.

Complete these steps on the DC1 virtual machine.

Enable Enterprise Mode through GPO and Deploy the Site List
13. From the Start Menu, open the Group Policy Management Console.
14. On the Group Policy Management Console, expand to Forest: corp.contoso.com > Domains > corp.contoso.com > Group Policy Objects.
15. Right-click on Group Policy Objects and select New.
16. On the New GPO window, under Name enter Enable Enterprise Mode and then click OK.
17. Right-click on Enable Enterprise Mode and select Edit.
18. On the Group Policy Management Editor window, browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
19. On the Settings pane, double-click on the Use the Enterprise Mode IE website list policy.
20. On the Use the Enterprise Mode IE website list window, select Enabled.
21. On the Options pane, enter \\APP1\EMEI\EMEISiteList.xml and then click Apply and OK.
22. Close the Group Policy Management Editor.
23. On the Group Policy Management window, right-click on the Devices OU and select Link an Existing GPO…
Note: Create a Devices OU and move the CLIENT2 machine there.
24. On the Select GPO window, select Enable Enterprise Mode and then click OK.

Complete these steps on the CLIENT2 virtual machine.

Validate that Enterprise Mode Policies are Applied
25. Open an Administrative Command Prompt and execute gpupdate /force.
26. On the taskbar, open Internet Explorer and browse to http://app1/ContosoLearning.
Note: Notice that the website is now automatically configured with Enterprise Mode.
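An added example covering both the manual registry activation of section 7.3.2.1 and the site list of section 7.3.2.2; it is not part of the lab guide or of the Site List Manager. It builds a v2-schema site list equivalent to the one saved in steps 8 to 12 and applies the same EnterpriseMode values the lab created by hand, pointing SiteList at the EMEI share so the result can be compared against what the GPO writes. The share path and site are the lab's; the v2 element names (site-list, site, compat-mode, open-in) are an assumption from the schema the v2 Site List Manager produces.

```powershell
# Added example, not from the lab guide. Run elevated on CLIENT2.

function New-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)][string[]]$Site,   # e.g. 'app1/ContosoLearning' (no scheme, as in step 10)
        [string]$CompatMode = 'IE8Enterprise',    # the emulation Tools > Enterprise Mode gave in 7.3.2.1
        [string]$OpenIn = 'IE11',
        [int]$Version = 1                         # assumption: bump this so clients pick up a changed list
    )
    $doc  = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null))
    $root = $doc.AppendChild($doc.CreateElement('site-list'))
    $root.SetAttribute('version', [string]$Version)
    foreach ($s in $Site) {
        $node = $root.AppendChild($doc.CreateElement('site'))
        $node.SetAttribute('url', $s)
        $cm = $node.AppendChild($doc.CreateElement('compat-mode'))
        $cm.InnerText = $CompatMode
        $oi = $node.AppendChild($doc.CreateElement('open-in'))
        $oi.InnerText = $OpenIn
    }
    return $doc
}

function Set-EnterpriseModePolicy {
    param([Parameter(Mandatory)][string]$SiteListPath)
    # Same key and value names the lab created in regedit (steps 4 to 14 of 7.3.2.1).
    $key = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    # Enable left empty lets users toggle Tools > Enterprise Mode; SiteList points IE at the XML.
    Set-ItemProperty -Path $key -Name Enable   -Value ''            -Type String
    Set-ItemProperty -Path $key -Name SiteList -Value $SiteListPath -Type String
    Get-ItemProperty -Path $key | Select-Object Enable, SiteList
}

# Constructed run for the lab: write the list to the EMEI share, then point this client at it.
$listPath = '\\APP1\EMEI\EMEISiteList.xml'
$list = New-EnterpriseModeSiteList -Site 'app1/ContosoLearning'
$list.Save($listPath)
Set-EnterpriseModePolicy -SiteListPath $listPath
```

Because any site on this list is rendered with IE8-era behaviour, keep the EMEI share writable only by the administrators who maintain it; the Full Control permission set in 7.3.1 is lab convenience, not a production setting.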

7.3.3 Browser Compatibility Remediation


This section covers some of the common compatibility issues found while migrating existing
web applications from IE8 to IE11. It demonstrates the tools and techniques to remediate these
common issues. This lab is designed for developers and discusses ways to resolve the
compatibility issues by updating the application code as it is the best long term solution to
make your applications standards compliant and ensure compatibility with modern browsers.

7.3.3.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

Pin Internet Explorer on the Taskbar
1. On the Start Menu, search for Internet Explorer.
2. Right-click on Internet Explorer and select Pin to taskbar.
7.3.3.2 User Agent String Detection Issue

Web developers used to check the Navigator.AppName property to get the name of the web client.
Up to Internet Explorer 10 it returned "Microsoft Internet Explorer", but from IE 11 it
returns "Netscape". After completing this lab session, you will be able to use the IE Developer
Toolbar to change the IE browser mode.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
1. Use Internet Explorer to navigate to http://app1/contosolearning.
Note: Notice the incompatibility message at the bottom of the screen in red: **Your browser is not supported by ContosoLearning**. Only Internet Explorer is Supported.
2. The error message indicates that a validation routine runs when the page loads. The routine checks the browser that is used.

Confirm the Incompatibility
3. Right-click on the page and select View source to open a new window with the page's source code.
4. On line 145, note that the function checkVersion is called when the page loads. This is the function that results in the browser support message.
5. The issue arises since the version detection logic is checking for the browser name.
6. Close the source page.

Prove the Fix
7. To determine the possible fix, press F12 to open the Internet Explorer Developer tools.
8. Click the Emulation tab.
9. From the Document mode drop-down, select 10 to use the IE 10 Document Mode.
10. From the User agent string drop-down, select Internet Explorer 10.
11. The browser window will reload without the support warning.

Recommended Fix (OPTIONAL)
12. Modify the code for the default.aspx page to remove the browser detection routine.
13. Consider using feature detection to ensure that a specific feature is present for the application to continue to function.

7.3.3.3 Box Model

The Box Model issue is caused by differences in how browser rendering engines implement the
width and height properties of a container element, including its padding, borders and margins.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
1. Use Internet Explorer to navigate to http://app1/contosolearning.
2. Login to the application as corp\Administrator using P@ssword.
3. Scroll to the right and bottom. Note that the menu intended for the right side of the page has actually rendered below the content. In Internet Explorer 6, this page item would be rendered on the right-hand side of the My Upcoming Trainings panel.

Prove the Fix
4. Press F12 to launch the Developer Tools window.
5. Below the DOM Explorer tab, click the Select element icon, or press Ctrl+B.
6. Move the mouse pointer exactly over the grey border surrounding My Upcoming Trainings and click with the left mouse button. This will highlight the panel in the browser and move the DOM Explorer window to the corresponding HTML section, id="middle".
7. In the right pane of the DOM Explorer tab, click Styles.
8. Note that there are two entries for #middle. One of these is sourced from default.aspx, which overrides the width entry from SiteStyles.css.
9. These are padding properties. Padding and border properties are considered outside the container to which they relate in Internet Explorer 11. In the Internet Explorer 5.5 model, padding and border properties were inside the box model.
10. Select the width property sourced from default.aspx.
11. Reduce the value (in pixels) to determine a suitable value to render the page correctly. Hint: A 100px change is way too much.

Recommended Fix (OPTIONAL)
12. Modify the source code for default.aspx on the hosting website with the correct width.
13. This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.

    <meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

7.3.3.4 Popup Blocker

The Pop-Up Blocker is a feature that blocks pop-up (and pop-under) windows initiated
automatically by a Web site. Windows Internet Explorer 10/9/8/7 block pop-up windows in the
Internet and Restricted sites zones by default. However, the Pop-up Blocker allows pop-up windows
initiated by a user's actions. This feature can interfere with the functionality of older sites that
open a popup window on page load.

Task Detailed Steps


Complete these steps on the CLIENT1 virtual machine.

What could be the Incompatibility
1. Use Internet Explorer to navigate to http://app1/contosolearning.
2. Login to the application as corp\Administrator using P@ssword.
3. Navigate to Register for Training from the menu on the left side of the page.
4. Observe that the register button for each course is disabled (greyed out), and also observe that a pop-up window appears with the Terms and Conditions; once you click OK, the Register button is enabled for the courses listed.
5. The incompatibility could be that the register button for each course is disabled (greyed out) and a message is displayed at the bottom which says the Pop-Up was blocked.

Local Fix
6. If the incompatibility appears, then in order to fix this issue launch the Pop-up Blocker Settings window by clicking on Tools > Internet options. Alternatively, click the gear icon at the top right of the Internet Explorer window and then select Internet options.
Note: Enable the Menu bar.
7. Click the Privacy tab.
8. Under Pop-up Blocker, click Settings.
9. In the Pop-up Blocker Settings window type http://app1/contosolearning in the Address of website to allow text box.
10. Click Add to add the entered site to the Allowed sites list.
11. Click the Close button to close the current window and click OK on the Internet Options window.
12. Press F5 to refresh the page.
13. Click Register for Training.
14. A pop-up window appears with the Terms and Conditions.
15. Click OK.
16. The Register button is now enabled for the courses listed.

Enterprise Fix
17. Automatic popups are allowed by default for sites belonging to the Local Intranet sites zone. Pop-up blocking issues can be resolved for intranet applications by adding the site to the intranet sites collection.
18. In case of external trusted sites having this issue, add the sites to the Trusted sites collection and have the Use Pop-up Blocker setting set to Disable.
19. Add the site to the Group Policy path, i.e. Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
Note: For more details on Group Policy settings refer to the link: http://msdn.microsoft.com/en-us/library/dd565668(v=VS.85).aspx

7.3.3.5 className Attribute

IE11 enables several enhancements to the setAttribute, getAttribute, and removeAttribute methods that are not available when pages are displayed in earlier document modes.

To change the class attribute of an element, earlier versions of IE required the use of className as the attribute name. This has been fixed in IE11, and applications targeting the IE11 browser should use class instead of className when assigning the class attribute.

http://msdn.microsoft.com/en-us/library/ms536429(VS.85).aspx

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Validate that the Test Site is not part of the Local Intranet Zone Site List
1. Click Tools > Internet options in the Internet Explorer window.
2. In Internet Options, go to the Security tab.
3. Click Local intranet and then click Sites.
4. In the Local intranet window, click the Advanced button, which opens the Local intranet Sites list.
5. In the sites list, verify that app1 is not present.
6. If the site is present, highlight it and click the Remove button.
7. Once you are finished, click the Close button in the Local intranet Sites list window.
8. Then click the OK button in the Local intranet window and the OK button in the Internet Options window to close them.
View the Incompatibility
9. Navigate to the Events page by clicking the Events link in the left menu. The URL for the page is: http://app1/ContosoLearning/Events.aspx. Re-login if required. Observe that the page is not displayed correctly.
10. Observe that no style is applied to the selected element.
Local Fix
11. Open the Developer Tools by pressing F12 and click the Emulation tab at the bottom.
12. Change the Document mode to 7 and the User agent string to Internet Explorer 7.
13. Observe that the class attribute is set on the selected element in IE7 Standards mode. This indicates an issue with the script that dynamically assigns the class value at runtime.
14. Observe that the className attribute is being used to set the class property on the table. Also notice that the id attribute is being checked against the empty string. This check always fails in IE11, as the getAttribute API returns null if id is not defined. To check this, click the Debugger tab and set a breakpoint on lines 43 and 44. You can set a breakpoint by clicking the line numbers.
15. Refresh the page by pressing the F5 key and notice that the code never hits the breakpoint, confirming our understanding. To fix this issue, we can use the AutoResponder feature of Fiddler to test the updated script on the page.
16. In the Internet Explorer window, go to File > Save as… Then give the webpage a name, i.e. Events, and save it as HTML on the Desktop.
17. Then edit the saved page using Notepad and replace lines 43 to 44 with the code below:
if (tables[i] && tables[i].getAttribute("id") == null) {
    tables[i].setAttribute("class", "block");
}
18. Download and install Fiddler from http://www.telerik.com/download/fiddler.
19. Once installed, start the Fiddler tool by clicking Fiddler 4 on the Start menu. Click Cancel on the prompt that appears.
20. Clear the Fiddler log by pressing Ctrl+X. Then refresh the Events page.
21. In the Fiddler log you will see Events.aspx captured.
22. In the Fiddler window, click the AutoResponder tab on the right-hand side.
23. Check the boxes labelled Enable rules and Unmatched requests passthrough.
24. Then highlight Events.aspx and click the Add Rule button.
25. Then, in the Rule Editor section at the bottom right of the Fiddler window, click the drop-down arrow of the second box and choose the option Find a file… Browse to the modified Events.html page and then click the Save button.
26. Now go back to the Internet Explorer window and refresh the Events page. Fiddler should now catch the request and respond with the modified Events page, and you should see the correct style applied to the table elements.

Note: In order to fix the problem permanently, the script on the page would have to be changed on the server hosting the website to use the corrected code.

Note: This issue can also be fixed by forcing the page to render in IE7 Standards mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE7"/>

7.3.3.6 GetElementByID

Changes in the getElementById API cause the webpage to break, as the lookup is now case sensitive. To remediate this, we will have to modify the source of the webpage on the server. For testing, Fiddler AutoResponder can be used to change the code to onclick="LaunchVideo('overview');".

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the Incompatibility
1. Stay logged in and navigate to the Training Videos page by clicking Training Videos in the left menu. The URL for the page is: http://app1/ContosoLearning/TrainingVideos.aspx.
2. Click the first video, which is the Overview video. Observe that nothing happens and the video does not play.
Local Fix
3. In the Developer Tools window (activated with F12), select the Console tab and clear any errors (if any).
4. Click again on the first video, which is the Overview video. Once you click the video, you will be shown the section of source code that resulted in the error message. Click the link and you will be taken to the Debugger tab, at the line where the error is.
5. If you go a little up in the code, on line 106 you will see the ID is "overview" in lowercase.
6. In the Internet Explorer window, go to File > Save as… Then give the webpage a name, i.e. Training, and save it as HTML on the Desktop.
7. Then edit the saved page using Notepad, change the case of the word OVERVIEW from lowercase to uppercase, and save the file.
8. Start the Fiddler tool by clicking Fiddler 4 on the Start menu.
9. Clear the Fiddler log by pressing Ctrl+X. Then refresh the Contoso Learning Training page.
10. In the Fiddler log you will see TrainingVideos.aspx captured.
11. In the Fiddler window, click the AutoResponder tab on the right-hand side.
12. Check the boxes labelled Enable rules and Unmatched requests passthrough.
13. Then highlight TrainingVideos.aspx and click the Add Rule button.
14. Then, in the Rule Editor section at the bottom right of the Fiddler window, click the drop-down arrow of the second box and choose the option Find a file… Browse to the modified Training.html page and then click the Save button.
15. Now go back to the Internet Explorer window and refresh the Training Videos page. Fiddler should now catch the request and respond with the modified Training Videos page, and you should be able to open the Overview video.

Note: In order to fix the problem permanently, the source code of the page would have to be changed on the server hosting the website to reflect the corrected ID case.

Note: This issue can also be fixed by changing the Document Mode to IE5 Quirks Mode in the Developer Toolbar.

7.3.3.7 Z Index Default Value

For IE 5/6/7 the default value for z-index is 0, but for IE 8+ it is auto.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the Incompatibility
1. Launch Internet Explorer 11 and navigate to the Contoso Learning site using the URL http://app1/ContosoLearning/OnlineResources.aspx. Re-login if required. This is an intranet site designed for IE6. When mousing over text you should see tool tips. On IE 6 it works fine, but on IE 11 it does not display any text.
2. Open the IE 11 browser and browse to the site http://app1/ContosoLearning/OnlineResources.aspx. Mouse over the menu items and you will not see any tool tip.
3. To check the logic on the page, right-click and select the View source option. This opens the page source in the Developer Tools under Debugger.
4. Check the onmouseover event of the image. You will find that the logic reads the default value of z-index and compares whether it is "0" or not, "0" being the default z-index value in IE 6.
5. To temporarily work around this issue, change the document mode to the appropriate version using the IE 11 developer toolbar: press F12 and the Internet Explorer Developer Toolbar opens if it is not open already.
6. Click the Emulation tab.
7. Select Document Mode 5 and User agent string Internet Explorer 6.
8. You can now observe that the text is displayed.
Permanent Fix
9. To resolve this issue, the JavaScript on the page should be updated to first assign a z-index to the DOM object before comparing its value.

Note: This issue can also be fixed by forcing the page to render in IE5 Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

7.3.3.8 Content Centering

Content centering using the text-align property is not supported in Internet Explorer 9+. This causes any site developed for IE6 to be left aligned in IE9+ Standards mode if it uses the text-align property for centering. The width and margin properties must be used instead to center the content.

To remediate this, we will have to modify the CSS of the webpage at the source. To find the correct CSS values that need to be added to the source of the page on the server, we can use the Developer Tools.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the Incompatibility
1. Navigate to the Blogs page by clicking the Blogs link in the left menu. Re-login if required. Observe that the page is not displayed correctly: it is aligned to the left instead of being centered.
Local Fix
2. Press F12 to open the Developer Tools.
3. Select the Body section under the DOM Explorer tab. Observe that the text-align property has been set for this element.
4. This is the typical case where the content is centered using the text-align property, which renders the page correctly in previous versions of IE.
5. Also observe that the margin property has been set to 0px auto. This should cause the content to be centered in IE11.
6. Also observe that there are two margin properties applied to the Body element. One of them is defined inline in the Blogs.aspx page.
7. Observe that this margin property has !important appended to the property value. This forces the browser to override the original margin setting on the page.
8. Uncheck the second margin value. The first margin value will be enabled automatically.
9. You will find that the page is rendered correctly now.
Permanent Fix
10. To remediate the issue at the source, the developer would need to remove the margin style defined inline on the page, which should fix the issue.

Note: This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

7.3.3.9 ActiveX Controls

Microsoft ActiveX controls are reusable software components based on ActiveX technology. ActiveX controls add interactivity and additional functionality, such as animations or pop-up menus, to a Web page, application, or software development tool. Internet Explorer 7+ and Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2) block controls that are unsigned, invalid, or explicitly distrusted by the user. In Internet Explorer 9+, users can allow controls to run on more than one Web site, or on all Web sites, by responding to the Information Bar that drops down when a control is requested for use. These sites can also be edited through the Manage Add-ons interface.

ActiveX blocking can be remediated by one of the following techniques:

1. Ensure that the ActiveX control is signed. Please refer to the link below for ActiveX signing: http://msdn.microsoft.com/en-us/library/aa231196(VS.60).aspx
2. Ensure that the client side security certificate matches the server side security certificate.
3. Add the website to the list of Local intranet sites.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the Incompatibility
1. Navigate to the Contoso Learning website Obtain Licenses page. The URL for the page is: http://app1/ContosoLearning/ObtainLicenses.aspx. Re-login if required. Observe that a UAC prompt is displayed.
Install the Certificate
2. Click Yes to install the ActiveX control.
3. User Account Control will prompt you to install this control; approve the UAC prompt. Afterwards, you will notice a warning because the publisher cannot be verified; click the link for Unknown Publisher.
4. Details of the digital certificate will be displayed; click the View Certificate button.
5. The certificate will indicate that it is not trusted; press the Install Certificate… button.
6. You will walk through the Certificate Import Wizard. On the first screen, select Local Machine and then click Next.
7. Select Place all certificates in the following store and click Browse…
8. Select Trusted Root Certification Authorities and then click OK.
9. Click Next.
10. Click Finish.
11. Click OK once the import is successful.
12. Click the OK button on the Certificate dialog.
13. Click the OK button on the Digital Signature Details dialog.
14. Click the OK button on the Security Warning dialog.
Signed ActiveX Control Installation
15. Press F5 to refresh the page now that you have the digital signature installed.
16. You will receive a UAC prompt again, this time indicating that it is a signed control. Click Yes.
17. Press F5 to refresh the page. Now you will not see any control. Close Internet Explorer.
18. Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer. Double-click Let users turn on and use Enterprise Mode from the Tools menu.
19. Click Enabled. Click Apply and OK.
20. Open Internet Explorer and navigate to the Contoso Learning website "Obtain Licenses" page. The URL for the page is: http://app1/ContosoLearning/ObtainLicenses.aspx. Re-login if required.
21. Press F12 to open the Developer Tools. Click the Emulation tab and, for the Browser profile, select Enterprise.
22. You will see that the browser has Enterprise Mode enabled from the Tools menu.
23. You can now see that the Obtain Licenses button is visible.
24. If it is still not visible, go to Tools and select Manage add-ons.
25. Check whether ContosoLicenseControl.ObtainLicense is enabled. If it is disabled, click Enable, close the window by clicking Close, and refresh the page.
26. Click the Obtain Licenses button.
27. The ActiveX control should now be installed. Click OK.
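Steps 5 to 11 above place the control's publisher certificate in the Local Machine Trusted Root Certification Authorities store, so anything signed under it is trusted machine-wide from then on. The PowerShell below is an added example, not part of the lab: it lists the Trusted Root certificates added recently so the lab certificate can be identified by thumbprint, and removes it by subject once the exercise is over. The subject pattern *Contoso* is an assumption, since the lab does not name the certificate's subject.

```powershell
# Added example (not part of the lab guide): audit the Local Machine Trusted
# Root store after installing the ActiveX publisher certificate, and remove the
# lab certificate afterwards. Run from an elevated PowerShell prompt on CLIENT1.

function Get-RecentRootCertificate {
    # Lists Trusted Root certificates whose validity period started within the last $Days.
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.NotBefore -gt $cutoff } |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'EKU'; Expression = {
                ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ' } }
}

function Remove-LabRootCertificate {
    # Removes Trusted Root certificates whose subject matches the pattern.
    # Supports -WhatIf and asks for confirmation per certificate.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$SubjectPattern)
    $matches = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $SubjectPattern }
    foreach ($cert in $matches) {
        $target = "$($cert.Subject) [$($cert.Thumbprint)]"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from Trusted Root store')) {
            Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        }
    }
}

# 1. Review what the lab added: a self-signed certificate that is not from a
#    known CA is the one imported in steps 5 to 11.
Get-RecentRootCertificate | Format-List

# 2. After the lab, remove it. '*Contoso*' is an assumed subject pattern; confirm
#    the thumbprint from the listing above, then run again without -WhatIf.
Remove-LabRootCertificate -SubjectPattern '*Contoso*' -WhatIf
```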

7.4 Windows App Certification Kit

The Windows App Certification Kit can be used to test applications for the Windows Store (for Windows 10, Windows 8.1, and Windows 8), and for the Windows 10, Windows 8.1, Windows 8, and Windows 7 Windows Certification program for desktop applications.

7.4.1 Prepare Test Applications

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the WIN10DEV virtual machine.
Sample Universal App
Note: Perform this task if the customer has no in-house built Universal App.
1. Open File Explorer and browse to C:\.
2. Create a new folder named Temp.
3. Open Internet Explorer and browse to the URL below.
https://github.com/Microsoft/Windows-appsample-coloringbook
4. Click Clone or download and select Download ZIP.
5. Save the file to C:\Temp.
6. Once complete, browse to C:\Temp and extract the ZIP file in the same location.
Sample Desktop App
7. Open Internet Explorer and browse to the URL below.
https://notepad-plus-plus.org/download/v3.0.html
8. Click Download and save the npp.3.0.Installer.exe file to C:\Temp.

7.4.2 Validate Universal App

This activity will perform validation of a Universal Windows Application.

Task Detailed Steps

Complete these steps on the WIN10DEV virtual machine.
Validate as Part of the Visual Studio Build Process
Note: Perform the tasks below on the customer's in-house built Universal App if available.
1. Click Start and open Visual Studio 2017.
2. In the Visual Studio window, sign in with your Microsoft Account (MSA) if asked.
3. Click File > Open > Project/Solution.
4. In the Open Project window, browse to C:\Temp\Windows-appsample-coloringbook-master\Windows-appsample-coloringbook-master\
5. Select ColoringBook.sln then click Open.
6. In the Security Warning for ColoringBook window, click OK whenever it appears.
7. In the Review Solution Actions window, for the Target version, ensure Windows 10, version 1803 (10.0; Build 17134) is selected and the two boxes are checked, then click OK.
8. In the Solution Explorer pane, right-click ColoringBook (Universal Windows) then select Store > Create App Packages.
9. In the Create Your Packages pane, select I want to create packages for sideloading then click Next.
10. In the Select and Configure Packages pane, under Generate app bundle, select Never.
11. Under Select the packages to create and the solution configuration mappings, perform the following, then click Create.
- Under x86, select Release (x86)
- Uncheck x64
- Uncheck ARM
Note: The build process will take around 5 minutes to complete.
12. In the Package Creation Completed pane, click Launch Windows App Certification Kit.
13. In the User Account Control window, click Yes.
14. In the Select Tests pane, click Next.
Note: The test will take around 10 minutes to complete and the app may launch multiple times. Do not interact with the app until the validation process is complete.
15. In the View Final Report pane, click Click here to view the results.
16. Browse and review the tests performed on the Universal App.
17. Once finished, close the Validation Results page.
18. In the View Final Report pane, click Finish.
Validate Post App Build
Note: Perform the tasks below on the customer's in-house built Universal App if available.
19. Click Start and open Windows App Cert Kit.
20. In the User Account Control window, click Yes.
21. In the Select the validation to perform pane, click Validate Store App.
22. In the Select an app to validate pane, click Browse.
23. In the Open window, browse to C:\Temp\Windows-appsample-coloringbook-master\Windows-appsample-coloringbook-master\ColoringBook\AppPackages\ColoringBook_1.x.x.x_x86_Test, select ColoringBook_1.x.x.x_x86.appx then click Open.
24. In the Select an app to validate pane, click Next.
25. In the Select Tests pane, click Next.
Note: The test will take around 10 minutes to complete and the app may launch multiple times. Do not interact with the app until the validation process is complete.
26. In the Save As window, browse to Desktop and save the result as WACK_UniversalApp_Result.xml.
27. In the View Final Report pane, click Click here to view the results.
28. Browse and review the tests performed on the Universal App.
29. Once finished, close the Validation Results page.
30. In the View Final Report pane, click Finish.

7.4.3 Validate Desktop App

This activity will perform validation of a Desktop Application.

Task Detailed Steps

Complete these steps on the WIN10DEV virtual machine.
Validate the App
Note: Perform the tasks below on the customer's in-house built desktop application if available.
1. Click Start and open Windows App Cert Kit.
2. In the User Account Control window, click Yes.
3. In the Select the validation to perform pane, click Validate Desktop App.
4. In the Select the app to validate pane, under Setup file browse to C:\Temp\npp.3.0.Installer, under Command line enter /S, under Application Usage Type select Per Machine, then click Next.
Note: The test will take around 20 minutes to complete and the app may launch multiple times. If the app needs to install or uninstall several components or external dependencies, carefully select the option for your app.
5. In the Save As window, browse to Desktop and save the result as WACK_DesktopApp_Result.xml.
6. In the View Final Report pane, click Click Here to view the results.
7. Browse and review the tests performed on the Desktop App.
8. Once finished, close the Validation Results page.
9. In the View Final Report pane, click Finish.

8 Appendix – Upgrading to Configuration Manager Current Branch

In this section, you will learn how to perform an in-place upgrade of System Center Configuration Manager 2012 R2 to System Center Configuration Manager 1802. There is no direct in-console upgrade path from System Center Configuration Manager 2012 R2 to System Center Configuration Manager 1802.

Note: This lab can only be performed if your lab is on System Center Configuration Manager version 2012 R2.

8.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Create CMUpdates Folder
1. Open File Explorer and browse to C:\Packages.
2. Create a folder named CMUpdates.
Download Configuration Manager 1802 Evaluation
3. Open Internet Explorer and browse to the URL below.
https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection
4. From the website, sign in with your Microsoft account (MSA).
5. Once signed in, under System Center Configuration Manager and Endpoint Protection (current branch – version 1802), click Register to continue.
6. Fill out the form then click Continue.
7. Click Download.
8. Save the SC_Configmgr_SCEP_1802.exe file to C:\Packages.
Unzip Installation Package
9. Open File Explorer and browse to C:\Packages.
10. Double-click SC_Configmgr_SCEP_1802.exe and click Unzip.
11. Once the extraction completes, click OK | Close.

8.2 Upgrade Configuration Manager

In this activity, you will upgrade Configuration Manager 2012 R2 to Configuration Manager 1802.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Upgrade SCCM 2012
1. Open File Explorer and browse to C:\SC_Configmgr_SCEP_1802.
2. Double-click splash.hta and choose Microsoft ® HTML Application Host. Click OK.
3. Click Install. Accept the UAC prompt.
4. On the Before You Begin page, click Next.
5. On the Getting Started page, select Upgrade this Configuration Manager site then click Next.
6. On the Product Key page, click Next.
7. On the Product License Terms page, check all the boxes then click Next.
8. On the Prerequisite Downloads page, select Download required files, under Path enter \\CM1\Packages$\CMUpdates, then click Next.
9. On the Server Language Selection page, click Next.
10. On the Client Language Selection page, click Next.
11. On the Diagnostic and Usage Data page, click Next.
12. On the Service Connection Point Setup page, select Skip this for now then click Next.
13. On the Settings Summary page, click Next.
14. On the Prerequisite Check page, click Begin Install.
Note: Before starting the installation, ensure that the SQL Server Agent and SQL Server Browser services are set to Automatic and are Running.
Note: The upgrade may take 30 minutes to an hour.
15. Once the upgrade is complete, click Close.
16. On the Install window, click Exit.
17. Restart CM1 and log in as corp\LabAdmin.
Validate Version Number
18. Open the Configuration Manager console, click OK on the dialog box, and browse to Administration > Site Configuration > Sites.
19. Right-click CHQ – Contoso Headquarters and select Properties.
20. Validate that the Version or Build number was updated (5.00.8634.1000 or 8634 for Configuration Manager 1802).
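The note before step 14 requires SQL Server Agent and SQL Server Browser to be Automatic and Running, and steps 1 and 8 depend on the extracted media and the \\CM1\Packages$\CMUpdates share. The PowerShell pre-flight check below is an added example, not part of the lab; it assumes a default SQL Server instance (service names SQLSERVERAGENT and SQLBrowser), so pass the correct names for a named instance.

```powershell
# Added example (not part of the lab guide): pre-flight check on CM1 before
# starting the Configuration Manager 1802 setup. Assumes a default SQL Server
# instance; for a named instance the agent service is SQLAgent$<Instance>.

function Test-CMUpgradePrerequisite {
    [CmdletBinding()]
    param(
        [string[]]$ServiceName = @('SQLSERVERAGENT', 'SQLBrowser'),
        [string]$UpdatePath    = '\\CM1\Packages$\CMUpdates',
        [string]$SetupPath     = 'C:\SC_Configmgr_SCEP_1802\splash.hta',
        [switch]$Repair        # set the services to Automatic and start them
    )
    $result = [ordered]@{}
    foreach ($name in $ServiceName) {
        # Win32_Service exposes StartMode ('Auto', 'Manual', 'Disabled') and State.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $result["Service $name"] = 'missing'
            continue
        }
        if ($Repair -and ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running')) {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        }
        $ok = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
        $result["Service $name"] = if ($ok) { 'ok' } else { "$($svc.StartMode)/$($svc.State)" }
    }
    # Prerequisite download path entered in step 8 must already exist.
    $result['UpdatePath'] = if (Test-Path -Path $UpdatePath -PathType Container) { 'ok' } else { 'missing' }
    # Media extracted in section 8.1 and opened in step 1.
    $result['SetupMedia'] = if (Test-Path -Path $SetupPath -PathType Leaf) { 'ok' } else { 'missing' }
    [pscustomobject]$result
}

Test-CMUpgradePrerequisite | Format-List
# Test-CMUpgradePrerequisite -Repair   # fix the services, then re-check
```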
9 Appendix – Configuring Windows Analytics

9.1.1 Configure Upgrade Readiness

In this activity, you will subscribe to Upgrade Readiness and configure the prerequisites before deploying to clients.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer. Also, log in to https://mms.microsoft.com
Add Upgrade Readiness to Operations Management Suite
1. Open Internet Explorer (InPrivate Browsing), go to the URL https://mms.microsoft.com, and sign in using an Azure AD account associated with an Azure subscription.
2. Click OK to create a new Microsoft Operations Management Suite workspace.
3. To create a new OMS workspace, enter the Workspace Name, select the Workspace Region, enter the First Name and Last Name, enter the Email, enter the Phone Number, enter the Company, select the Country and check the boxes below. Click CREATE.
4. Select the Azure directory, click APPLY, select the Azure Subscription and click LINK.
5. Click Solutions Gallery, select the Upgrade Readiness tile in the gallery and then click Add on the solution's details page. The solution is now visible on your workspace.
6. Click Upgrade Readiness, which is visible on your workspace, and click the Solution Settings tile to configure the solution. The Upgrade Readiness Settings Dashboard opens.
Generate Commercial ID Key
7. On the Upgrade Readiness Settings Dashboard, copy and save the Commercial ID Key. You'll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
8. Select the Target version to be evaluated, for example: Windows 10 Version 1803.
Note: Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you'll need to deploy the new commercial ID key to user computers again.
Whitelist Endpoints
9. To enable data sharing, whitelist the following endpoints.
Note: You may need to get approval from your security group to do this.
Note: The compatibility update KB runs under the computer's system account and does not support user-authenticated proxies.

Endpoint / Function:
- https://v10.vortex-win.data.microsoft.com/collect/v1: Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.
- https://settings-win.data.microsoft.com/settings: Enables the compatibility update KB to send data to Microsoft.
- http://go.microsoft.com/fwlink/?LinkID=544713 and https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended: This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system.
- https://vortex.data.microsoft.com/health/keepalive, https://settings.data.microsoft.com/qos and https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc: These endpoints are used to validate that user computers are sharing data with Microsoft.
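Because the compatibility update runs as the computer's SYSTEM account, a proxy that works for the logged-on user proves nothing about these endpoints. The PowerShell below is an added example, not part of the lab: it checks TCP reachability and whether each Microsoft endpoint from the table above answers an HTTP request at all; run it as SYSTEM (for example from a scheduled task) when a proxy is in use. Hostnames are those from the table; the function and variable names are this example's own.

```powershell
# Added example (not part of the lab guide): verify that a client can reach the
# Upgrade Readiness endpoints. Any HTTP status, including 4xx, means the endpoint
# answered; a missing status means DNS, firewall, proxy or TLS inspection got in the way.

$UpgradeReadinessEndpoints = @(
    'https://v10.vortex-win.data.microsoft.com/collect/v1',
    'https://settings-win.data.microsoft.com/settings',
    'http://go.microsoft.com/fwlink/?LinkID=544713',
    'https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended',
    'https://vortex.data.microsoft.com/health/keepalive',
    'https://settings.data.microsoft.com/qos',
    'https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc'
)

function Test-UpgradeReadinessEndpoint {
    param([string[]]$Url = $UpgradeReadinessEndpoints)
    foreach ($u in $Url) {
        $uri = [uri]$u
        # Layer 4: is host:port reachable at all (DNS, firewall)?
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        # Layer 7: does an HTTP request get any response (proxy, TLS inspection)?
        $http = $null
        try {
            $resp = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 15
            $http = [int]$resp.StatusCode
        } catch [System.Net.WebException] {
            if ($_.Exception.Response) { $http = [int]$_.Exception.Response.StatusCode }
            else { $http = $_.Exception.Status.ToString() }   # e.g. NameResolutionFailure
        } catch {
            $http = $_.Exception.GetType().Name
        }
        [pscustomobject]@{
            Endpoint   = $u
            TcpOpen    = $tcp.TcpTestSucceeded
            HttpStatus = $http
            Reachable  = ($tcp.TcpTestSucceeded -and ($http -is [int]))
        }
    }
}

Test-UpgradeReadinessEndpoint | Format-Table -AutoSize
```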
9.1.2 Deploy Upgrade Readiness (OPTIONAL)

In this activity, you will deploy and enable Upgrade Readiness on test devices.

Task Detailed Steps

Complete these steps on the device provided by the customer.
Deploy the Required KB
1. Download and install the appropriate updates below.

Operating System / KB / Description:
- Windows 7 SP1: KB2952664. Performs diagnostics on Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
- Windows 7 SP1: KB3150513. Provides updated configuration and definitions for compatibility diagnostics performed on the system.
- Windows 8.1: KB2976978. Performs diagnostics on Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
- Windows 8.1: KB3150513. Provides updated configuration and definitions for compatibility diagnostics performed on the system.
2. Restart the machine.
Execute Deployment Script
3. Open Internet Explorer and browse to the URL below.
https://www.microsoft.com/en-us/download/details.aspx?id=53327
4. Download the Upgrade Readiness deployment script and extract UpgradeReadiness05102018.zip.
Note: The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
5. Edit the RunConfig.bat file in the Pilot folder and modify the following properties.

Property / Value / Description:
- logpath: %systemdrive%\UADiagnostics. Storage location for log information. This folder must already exist.
- commercialIDValue: Commercial ID obtained from the OMS site (from Section 10.1.1). Maps information from user computers to your OMS workspace.
6. Run the RunConfig.bat script from a command prompt with elevated rights.
Note: After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness.
Note: For more information, go to https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started

9.1.3 Review Upgrade Readiness Data (OPTIONAL)

In this activity, you will review the data collected by Upgrade Readiness.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Open Upgrade Readiness Dashboard
1. Open Internet Explorer and browse to the URL below.
https://mms.microsoft.com
2. Log on to the site using the same email address used when configuring Upgrade Readiness in Section 10.1.1.
3. Select the workspace that was created in Section 10.1.1.
4. On the OMS dashboard, click the Upgrade Readiness tile.
5. Review the collected data.
Note: For more information, go to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-get-started
10 Appendix - Wipe and Load
Organizations have traditionally deployed new versions of Windows through the wipe-and-load approach, using a standard image, the Windows Assessment and Deployment Kit, Windows Deployment Services, the Microsoft Deployment Toolkit and System Center Configuration Manager.

In this section, you will go through the process of creating a Windows 10 image and deploying that image through Lite Touch Installation (LTI) and Zero Touch Installation (ZTI) wipe-and-load deployments.

Notes: Create new Generation 1 blank VMs HYD-CLIENT5 and HYD-CLIENT6, with the Legacy Network Adapter as the first boot device and connected to the Corp Network. Create checkpoints for both.

10.1 Image Creation

This section describes how to create a Windows 10 image using the Microsoft Deployment Toolkit.

10.1.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the MDT1 virtual machine.
Task: Download the Latest MSDN Version of Windows 10 Enterprise
Note: Steps 1 - 5 are only required if the customer wants to use MSDN Media. These steps are NOT required if the Evaluation Media will be used.
Note: The customer can also choose to use their own licensed media. Download the source files from the Volume Licensing Service Center (VLSC) site.
1. In the Packages folder, create a folder named Windows 10 MSDN.
2. Open Internet Explorer and browse to the URL below.
https://msdn.microsoft.com/subscriptions/securedownloads/
3. On the website, sign in with your MSDN registered account.
4. In the Search field, enter Windows 10.
5. Search for Windows 10 (business editions), Version 1803 (Updated March 2018) (x64) – DVD (English) and download it to C:\Packages\Windows 10 MSDN.
Task: Download XML Notepad
6. In the Packages folder, create a folder named XML Notepad.
7. Open Internet Explorer and browse to the URL below.
http://www.microsoft.com/en-us/download/details.aspx?id=7973
8. Download XMLNotepad.msi to C:\Packages\XML Notepad.
10.1.2 Build and Capture a Reference System Image
This activity initiates and completes the process of building and capturing a reference Windows image. At the end of the activity, a WIM file is created on the Microsoft Deployment Toolkit server.

Task Detailed Steps

Complete these steps on the MDT1 virtual machine.
Task: Add Task Sequence Components
Note: Steps 1 - 5 are only required if the Evaluation Media will be replaced with the MSDN/VLSC Media. These tasks are NOT required if the Evaluation Media will be used.
1. Navigate to C:\Packages\Windows 10 MSDN and mount the ISO.
2. Open the MDT Deployment Workbench from the Start Menu and click Yes on the UAC prompt.
3. An MDT Image Creation Share has been pre-prepared for this activity. Under Deployment Shares > Image Creation (\\MDT1\Create$), select Operating Systems > Operating System Installation Files > Windows 10 and click Import Operating System from the Actions pane.
4. Enter the following information:
OS Type – Select Full set of source files and click Next.
Source – Browse to the virtual DVD drive and click Next.
Destination directory name – Windows 10 1803 Enterprise x64 MSDN (or VLSC) and click Next.
Summary – Click Next.
5. The Operating System source files will now be imported into the task sequence. When complete, click Finish.
Task: Create a Task Sequence
Note: Steps 6-7 will only be performed if Steps 1-5 (Add Task Sequence Components) were performed.
6. Under the Image Creation (\\MDT1\Create$), select Task Sequences and click New Task Sequence.
7. Enter the following information into the wizard:
General Settings
Task sequence ID: ICS002.
Task sequence name: Windows 10 Image Creation.
Click Next.
Select Template – Select Standard Client Task Sequence and click Next.
Select OS – Select Windows 10 Enterprise in Windows 10 1803 Enterprise x64 MSDN (or VLSC) install.wim. Click Next.
Specify Product Key – Select Do not specify a product key at this time. Click Next.
OS Settings – For Organization, enter Customer Name. Accept the remaining defaults and click Next.
Admin Password – Enter <provided by the customer> two times and click Next.
Summary – Click Next.
Confirmation – Click Finish.
Task: Import an Application
8. In the Deployment Workbench, under the Image Creation (\\MDT1\Create$), select Applications > Apps and then select New Application from the Actions pane.
9. Enter the following information into the wizard:
Application Type – Select Application with source files and click Next.
Details – Enter the following information:
Publisher: Microsoft.
Application Name: XML Notepad.
Accept defaults and click Next.
Source – Enter Source Directory as C:\Packages\XML Notepad and click Next.
Destination – Accept defaults and click Next.
Command Details – Enter the following into the Command line text box without the quotes: "msiexec.exe /i XmlNotepad.msi /qb /norestart". Accept defaults and click Next.
Summary – Click Next. The application will now be imported into the Deployment Share. Click Finish when the process completes.
Task: Add the Application to the Task Sequence
10. In the Deployment Workbench, under the Image Creation (\\MDT1\Create$), select Task Sequences, right-click the Windows 10 Image Creation task sequence and select Properties.
11. Select the Task Sequence tab and, under the State Restore folder, select Install Applications. Edit the properties of the Install Applications task to ensure Install a single application is selected. Click Browse…
12. Select Applications > Apps > Microsoft XML Notepad and click OK.
13. Select Apply and then OK.
Task: Update the Deployment Share
Note: Steps 14 – 17 will only be performed if Steps 1 – 5 (Add Task Sequence Components) were performed.
14. Right-click the Image Creation (\\MDT1\Create$) and select Properties.
15. In the Platforms Supported section, verify that x86 is unchecked, click Apply and click OK.
16. Right-click the Image Creation (\\MDT1\Create$) and select Update Deployment Share.
17. Enter the following information into the wizard:
Options – Accept defaults and click Next.
Summary – Click Next.
The wizard will now generate a new boot image to be used for image creation. Click Finish.
Task: Configure WDS
Note: Steps 18 – 23 will only be performed if Steps 1 – 5 (Add Task Sequence Components) were performed.
18. Open Windows Deployment Services from the Start Menu, expand Servers, expand MDT1.corp.contoso.com and select Boot Images.
19. Right-click Create – X64 and select Replace Image.
20. In the Image File window, browse to C:\DS-Create\Boot and select LiteTouchPE_x64.wim. Click Open and then click Next.
21. In the Available Images window, click Next.
22. On the Image Metadata page, change the Image name and Image description to Create – X64 and click Next.
23. On the Summary page, accept the defaults and click Next. The boot image will now be added to WDS. Click Finish when the process is complete.
24. Ensure that the Windows Deployment Services Server service is Running.
Complete these steps on the Hyper-V Host and the CLIENT5 virtual machine.
Task: Boot from the Network (PXE)
25. Power on the CLIENT5 virtual machine.
26. If prompted, press F12 for network service boot.
27. At the Windows Boot Manager screen, select Create – X64. Press Enter.
Task: Initiate a Build and Capture
28. Enter the following information:
Task Sequence – Select Windows 10 Image Creation and click Next.
Computer Details – Accept defaults and click Next.
If prompted for an administrator password, enter <provided by the customer> two times and click Next.
Capture Image – Verify that Capture an image of this reference computer is selected with default options and click Next.
29. Select Begin to initiate the image creation process. The system will now commence the installation and configuration of a reference system. Once complete, a reference system image WIM file ICS002.wim will be stored on MDT1 at C:\DS-Create\Captures\WIN10REF, but the application XML Notepad 2007 will not be captured.
30. Once done, click Finish and the virtual machine will automatically reboot.

10.2 Lite Touch Deployment

This section describes how to configure the Microsoft Deployment Toolkit for Lite Touch Operating System Deployment.

10.2.1 Prepare a Windows 10 Lite Touch Deployment

This activity imports the reference Windows system image and configures a Lite Touch Installation (LTI) task sequence.

Task Detailed Steps

Complete these steps on the MDT1 virtual machine.
Task: Add the Reference Image to the Deployment Share
Note: Steps 1 – 10 are only required if a new image was created from Section 11.1.
1. Open the MDT Deployment Workbench from the Start Menu and click Yes on the UAC prompt.
2. Expand Image Deployment (\\MDT1\Deploy$).
3. Expand Operating Systems.
4. Expand Custom Image Files and then select Windows 10.
5. In the Actions pane on the right, click Import Operating System.
6. In the OS Type pane, select Custom image file. Click Next.
7. In the Image pane, click Browse… Navigate to C:\DS-Create\Captures\WIN10REF.
8. Select the ICS002.wim created in the previous activity. Click Open. Click Next.
9. Complete the wizard with the default options.
The custom image is now imported into the Workbench.
Task: Update the Task Sequence to use the New Image
10. In the Deployment Workbench, select Task Sequences.
11. Select Corporate x64 Windows 10 Enterprise. Right-click and select Properties.
12. Click the Task Sequence tab.
13. Expand the Install task sequence group.
14. Select Install Operating System.
15. Click Browse…
16. Expand the nodes Operating Systems > Custom Image Files > Windows 10 to locate and select the custom image imported in the previous task. Click OK.
17. Now, navigate to State Restore > Custom Tasks and select Office 2013 C2R. On the right, click the Options tab and check the box next to Disable this step. The reason is that the kit does not contain source files for the Office 2013 applications, and the deployment would otherwise report errors about them at the end.
18. Click Apply. Click OK to commit the change.
The task sequence is now ready to deploy the reference system image.
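Each Deployment Workbench wizard used in 10.1.2 (import OS, new task sequence, new application, update deployment share) and the custom image import in 10.2.1 has a PowerShell equivalent in the MDT module, and the Workbench prints the generated command on every wizard's confirmation page. The script below is an added example, not code from the lab guide or from MDT's own samples. It assumes the share roots C:\DS-Create for \\MDT1\Create$ (the guide names that path) and C:\DS-Deploy for \\MDT1\Deploy$ (an assumption; the guide only names the share), that exactly one ISO sits in C:\Packages\Windows 10 MSDN, and that the OS name MDT assigns on import matches the one the wizard shows in step 7.

```powershell
# Added example, not from the lab guide: MDT PowerShell equivalents of the
# Deployment Workbench wizards in 10.1.2 and the custom image import in 10.2.1.
# Run in an elevated PowerShell session on MDT1.
# Assumptions: share roots C:\DS-Create (\\MDT1\Create$, named in the guide) and
# C:\DS-Deploy (\\MDT1\Deploy$, assumed); one ISO in C:\Packages\Windows 10 MSDN.
$ErrorActionPreference = 'Stop'
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'

# MDT writes the reference image's local administrator password into the task
# sequence's Unattend.xml, so prompt for it rather than hardcoding it in a script.
$secure = Read-Host -Prompt 'Local administrator password for the reference image' -AsSecureString
$adminPassword = [System.Net.NetworkCredential]::new('', $secure).Password

# ----- 10.1.2, steps 1-5: mount the ISO and import the full set of source files
$iso = Get-ChildItem -Path 'C:\Packages\Windows 10 MSDN' -Filter '*.iso' | Select-Object -First 1
if (-not $iso) { throw 'No ISO found in C:\Packages\Windows 10 MSDN' }
Mount-DiskImage -ImagePath $iso.FullName | Out-Null
$dvd = (Get-DiskImage -ImagePath $iso.FullName | Get-Volume).DriveLetter + ':\'

New-PSDrive -Name 'DS001' -PSProvider 'MDTProvider' -Root 'C:\DS-Create' | Out-Null
$osFolder = 'Windows 10 1803 Enterprise x64 MSDN'
Import-MDTOperatingSystem -Path 'DS001:\Operating Systems\Windows 10' `
    -SourcePath $dvd -DestinationFolder $osFolder -Verbose

# ----- steps 6-7: Standard Client task sequence ICS002 (Client.xml template)
Import-MDTTaskSequence -Path 'DS001:\Task Sequences' `
    -Name 'Windows 10 Image Creation' -ID 'ICS002' -Version '1.0' `
    -Template 'Client.xml' -Comments 'Build and capture' `
    -OperatingSystemPath "DS001:\Operating Systems\Windows 10\Windows 10 Enterprise in $osFolder install.wim" `
    -FullName 'Windows User' -OrgName 'Customer Name' -HomePage 'about:blank' `
    -AdminPassword $adminPassword -Verbose

# ----- steps 8-9: XML Notepad with the silent msiexec command line from the lab
Import-MDTApplication -Path 'DS001:\Applications\Apps' -Enable 'True' `
    -Name 'XML Notepad' -ShortName 'XML Notepad' -Publisher 'Microsoft' -Language '' `
    -CommandLine 'msiexec.exe /i XmlNotepad.msi /qb /norestart' `
    -WorkingDirectory '.\Applications\XML Notepad' `
    -ApplicationSourcePath 'C:\Packages\XML Notepad' -DestinationFolder 'XML Notepad' -Verbose

# ----- steps 16-17: regenerate LiteTouchPE_x64.wim under C:\DS-Create\Boot
Update-MDTDeploymentShare -Path 'DS001:' -Verbose

# ----- steps 18-23: replace the WDS boot image (wdsutil is the WDS command-line
# tool; --% passes the arguments through to it untouched)
wdsutil --% /Replace-Image /Image:"Create - X64" /ImageType:Boot /Architecture:x64 /ReplacementImage /ImageFile:"C:\DS-Create\Boot\LiteTouchPE_x64.wim" /Name:"Create - X64" /Description:"Create - X64"

# ----- 10.2.1, steps 1-9: import the captured WIM into the deployment share.
# The build-and-capture run must have finished; check before importing.
$wim = 'C:\DS-Create\Captures\WIN10REF\ICS002.wim'
if (-not (Test-Path $wim)) { throw "Captured image not found: $wim (run the build and capture first)" }
New-PSDrive -Name 'DS002' -PSProvider 'MDTProvider' -Root 'C:\DS-Deploy' | Out-Null
Import-MDTOperatingSystem -Path 'DS002:\Operating Systems\Custom Image Files\Windows 10' `
    -SourceFile $wim -DestinationFolder 'Windows 10 1803 Enterprise x64 Reference' -Verbose
```

The steps that edit an existing task sequence (pointing Install Operating System at the new image, disabling the Office 2013 C2R step) have no cmdlet and stay in the Workbench, as the lab describes.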

10.2.2 Perform a Windows 10 Lite Touch Deployment

This activity initiates and completes the process of deploying the reference Windows system image through a Lite Touch Installation (LTI) task sequence.

Task Detailed Steps

Complete these steps on the CLIENT6 virtual machine.
Task: Boot from the Network (PXE)
1. Power on the CLIENT6 virtual machine.
2. If prompted, press F12 for network service boot.
3. At the Windows Boot Manager screen, select Deploy - X64. Press Enter.
4. The device will now perform a PXE boot into Windows PE.
Task: Initiate the Deployment of the Reference Image
5. In the Task Sequence pane, select Corporate x64 Windows 10 Enterprise and click Next.
6. On the Computer Details page, change the User Name to LabAdmin, under Password enter <provided by the customer> and then click Next.
7. Keep the default setting for the Product Key and click Next.
8. Keep the default settings for Locale and Time and click Next.
9. For the Applications, ensure that none of the Office 2013 applications are selected and click Next. The reason is that the kit does not contain source files for the Office 2013 applications, and the deployment would otherwise report errors about them at the end.
10. When asked for the Administrator Password, enter <provided by the customer> two times and click Next.
11. On the BitLocker page, click Next.
12. In the Ready pane, click Begin.
13. The system will now commence the deployment of the reference Windows system image, but the application XML Notepad 2007 will not be deployed as part of the image, as it was not captured initially. Once done, click Finish, and the virtual machine will automatically reboot.

10.3 Zero Touch Deployment

This section describes how to configure System Center Configuration Manager for Zero Touch Installation (ZTI) Operating System Deployment.
Note: This lab can only be performed if the System Center Configuration Manager environment is on Current Branch.

10.3.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps

Task: Prerequisite Lab
Complete Section 10.1 Image Creation.
Task: Revert Virtual Machines
On CLIENT5, revert to the latest checkpoint.
Complete these steps on the MDT1 virtual machine.
Task: Disable Windows Deployment Services
1. Right-click the Start button and click Run.
2. Enter services.msc and then click OK.
3. In the Services MMC, look for Windows Deployment Services Server, right-click it and select Properties.
4. Under Startup type, select Disabled.
5. Click Stop.
6. Click Apply and then OK.
Complete these steps on the DC1 virtual machine.
Task: Create Devices OU
7. Log on to DC1 as a domain administrator (CORP\LabAdmin).
8. On the Start screen, open the Active Directory Users and Computers MMC.
9. Right-click corp.contoso.com and select New > Organizational Unit. You might have to expand corp.contoso.com.
10. Under Name, enter Devices and then click OK.
Complete these steps on the CM1 virtual machine.
Task: Create Folders
11. Open File Explorer and browse to C:\Packages.
12. Create the folders with the following names:
- MDTBootx64
- MDTFiles
- WIN10X64
- WIN10X64-Settings
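The three prerequisite tasks above touch three machines (MDT1, DC1, CM1). The script below is an added example, not from the lab guide, that performs them from one elevated PowerShell session on CM1 using PowerShell remoting to MDT1 and DC1; that remoting is enabled is an assumption the guide does not state. Each step checks the current state first, so the script can be re-run without error.

```powershell
# Added example, not from the lab guide: 10.3.1 prerequisites from one elevated
# PowerShell session on CM1. Assumes PowerShell remoting to MDT1 and DC1 is
# enabled (not stated in the guide) and that the caller is CORP\LabAdmin.
$ErrorActionPreference = 'Stop'

# Steps 1-6 on MDT1: stop the WDS service and set it to Disabled. The service
# name behind "Windows Deployment Services Server" is WDSServer. With WDS on
# MDT1 left running, two PXE responders (WDS and the ConfigMgr PXE-enabled
# distribution point configured in 10.3.2) would answer on the Corp network.
Invoke-Command -ComputerName 'MDT1' -ScriptBlock {
    $svc = Get-Service -Name 'WDSServer'
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'WDSServer' -Force }
    Set-Service -Name 'WDSServer' -StartupType Disabled
    Get-Service -Name 'WDSServer' | Select-Object Name, Status, StartType
}

# Steps 7-10 on DC1: the Devices OU that the ZTI task sequence joins new
# machines into (Apply Network Settings > Domain OU in 10.3.2, step 73).
Invoke-Command -ComputerName 'DC1' -ScriptBlock {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName   # DC=corp,DC=contoso,DC=com
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Devices'" `
              -SearchBase $domainDn -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Name 'Devices' -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true
    }
    (Get-ADOrganizationalUnit -Filter "Name -eq 'Devices'" -SearchBase $domainDn).DistinguishedName
}

# Steps 11-12 on CM1 (local): package source folders under C:\Packages, which
# the MDT task sequence wizard in 10.3.2 fills via \\CM1\Packages$.
$root = 'C:\Packages'
foreach ($name in 'MDTBootx64', 'MDTFiles', 'WIN10X64', 'WIN10X64-Settings') {
    $path = Join-Path -Path $root -ChildPath $name
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -ItemType Directory | Out-Null
    }
}
Get-ChildItem -Path $root -Directory | Select-Object Name
```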

10.3.2 Create Task Sequence

In this activity, you will configure an MDT-based task sequence in Configuration Manager to deploy the reference image created earlier.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Task: Configure Configuration Manager Integration
1. On the Start screen, click Configure ConfigMgr Integration and click Yes on the UAC prompt.
2. Ensure that Install the MDT extensions for Configuration Manager is selected and that, within it, both Install the MDT console extensions for System Center Configuration Manager and Add the MDT task sequence actions to a System Center Configuration Manager server are selected.
3. Ensure that Site server name: shows CM1.corp.contoso.com.
4. Enter the Site code: CHQ if required and click Next.
5. Click Finish.
Task: Create the Deployment Task Sequence, Boot Image and Related Packages
6. On CM1, switch to the Configuration Manager Console by launching it with elevated rights. Click Yes on the UAC prompt if required.
7. In the console, click Software Library.
8. Click Operating Systems > Task Sequences.
9. On the ribbon, click Create MDT Task Sequence.
10. In the Create MDT Task Sequence dialog, on the Choose Template page, select Client Task Sequence and click Next.
11. On the General page, type a Task sequence name of Deploy Windows 10 X64 and click Next.
12. On the Details page, select the Join a domain radio button and configure the following values:
Domain: Corp.contoso.com.
13. Next to Account, click Set…
User name: Corp\LabAdmin.
Password/Confirm password: <provided by the customer>.
14. Click OK.
User name: Windows User
Organization name: Customer name.
15. Click Next.
16. On the Capture Settings page, ensure that This task sequence will never be used to capture an image is selected and click Next.
17. On the Boot Image page, select the Create a new boot image package radio button.
18. In the Package source folder to be created field, type \\CM1\Packages$\MDTBootx64 and click Next.
19. On the General Settings page, enter a Name of MDT Boot Image (x64) and click Next.
20. On the Options page, select x64 and click Next.
21. On the Components page, leave the default feature packs and click Next.
22. On the Customization page, leave the default customizations and click Next.
23. On the MDT Package page, select the Create a new Microsoft Deployment Toolkit Files package radio button.
24. In the Package source folder to be created field, type \\CM1\Packages$\MDTFiles and click Next.
25. On the MDT Details page, enter a Name of MDT Files and click Next.
26. On the OS Image page, select Create a new OS image, configure the following values and click Next:
OS image file (WIM) location: \\MDT1\Create$\Captures\WIN10REF\ICS002.wim.
Package source folder to be created: \\CM1\Packages$\WIN10X64.
27. On the Image Details page, enter a Name of Windows 10 - x64 and click Next.
28. On the Deployment Method page, ensure that Perform a "Zero Touch Installation" OS deployment, with no user interaction is selected and then click Next.
29. On the Client Package page, click Browse… for the option Specify an existing ConfigMgr client package.
30. In the Select a Package dialog, select Microsoft Corporation Configuration Manager Client Package and click OK.
31. Click Next.
32. On the USMT Package page, click Browse… for the option Specify an existing USMT package.
33. In the Select a Package dialog, select Microsoft Corporation User State Migration Tool for Windows 10.0.17134.1 and click OK. Click Next.
34. On the Settings Package page, select the Create a new settings package radio button.
35. In the Package source folder to be created field, type \\CM1\Packages$\WIN10X64-Settings and click Next.
36. On the Settings Details page, enter a Name of Windows 10 X64 Settings and click Next.
37. On the Sysprep Package page, ensure that the No Sysprep package is required radio button is selected and click Next.
38. Review the Summary details and click Next.
Note: It can take up to five minutes for the boot image to be created.
39. On the Confirmation page, confirm that the wizard completed successfully and click Finish.
Task: Distribute the Task Sequence Package to the Distribution Point
40. In the results pane, select the Deploy Windows 10 X64 task sequence.
41. On the ribbon, click Distribute Content.
42. On the General page, click Next.
43. On the Content page, click Next.
44. On the Content Destination page, click Add > Distribution Point.
45. In the Add Distribution Points dialog, select the \\CM1.CORP.CONTOSO.COM checkbox and click OK.
46. Click Next.
47. Review the Summary details and click Next.
48. On the Completion page, confirm that the wizard completed successfully and click Close. Ensure that all the content has been distributed to the distribution point under Monitoring > Distribution Status > Content Status.
Task: Deploy the Task Sequence to the Unknown Computers Collection
49. In the results pane, select the Deploy Windows 10 X64 task sequence.
50. On the ribbon, click Deploy.
51. On the General page, next to Collection, click Browse… Click OK on the notification that appears.
52. In the Select Collection dialog, click the All Unknown Computers collection and click OK.
53. Click Next.
54. On the Deployment Settings page, in the Make available to the following: drop-down list, select Configuration Manager clients, media and PXE.
55. Click Next.
56. On the Scheduling page, click Next.
57. On the User Experience page, click Next.
58. On the Alerts page, click Next.
59. On the Distribution Points page, click Next.
60. Review the Summary details and click Next.
61. On the Completion page, confirm that the wizard completed successfully and click Close.
Task: Add the Boot Image to the Distribution Point
62. In the Software Library pane, expand Operating Systems and click Boot Images.
63. In the results pane, click MDT Boot Image (x64).
64. On the ribbon, click Properties.
65. In the properties dialog, click the Data Source tab.
66. Select the Deploy this boot image from the PXE-enabled distribution point check box.
67. Click Apply and then OK.
Task: Edit the Task Sequence – Administrator Password
68. In the Software Library pane, expand Operating Systems and click Task Sequences.
69. Select Deploy Windows 10 X64 and click Edit on the ribbon.
70. Navigate to Post Install > Apply Windows Settings.
71. Select the option Enable the account and specify the local administrator password, and enter the password <provided by the customer> in the Password and Confirm password fields.
Task: Edit the Task Sequence – Machine Object OU
72. Navigate to Post Install > Apply Network Settings.
73. Click Browse… for the Domain OU field, select the Devices OU for deployments and click OK. Click Apply and OK.
Task: Configure the Distribution Point with PXE and Multicast Option
74. Navigate to Administration > Distribution Points.
75. Right-click CM1.CORP.CONTOSO.COM and click Properties.
76. Click the PXE tab, check the box next to Enable PXE support for clients, click Yes on the prompt, check the boxes next to Allow this distribution point to respond to incoming PXE requests and Enable unknown computer support, and click OK on the prompt again. Uncheck the box next to Require a password when computers use PXE.
77. Click the Multicast tab and check the box next to Enable multicast to simultaneously send data to multiple clients.
78. Click Apply and then click OK.
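Everything after the Create MDT Task Sequence wizard (steps 40-67 and 74-78) maps onto cmdlets from the Configuration Manager console module, which is how these settings are usually scripted for a second site or a rebuild. The script below is an added example, not code from the lab guide or from the product; it assumes site code CHQ and that the console (which ships the module) is installed on CM1. Step 76 is shown twice: first as performed in the lab, then with the PXE password requirement kept and unknown-computer support off, which is the setting a practitioner would expect on a production distribution point. Steps 68-73 (the task sequence editor) have no cmdlet here and stay in the editor.

```powershell
# Added example, not from the lab guide: ConfigMgr cmdlet equivalents of 10.3.2
# steps 40-67 and 74-78. Run in an elevated PowerShell session on CM1 after
# the Create MDT Task Sequence wizard has finished. Assumes site code CHQ.
$ErrorActionPreference = 'Stop'
Import-Module (Join-Path -Path $env:SMS_ADMIN_UI_PATH -ChildPath '..\ConfigurationManager.psd1')
Set-Location -Path 'CHQ:'

$dp     = 'CM1.CORP.CONTOSO.COM'
$tsName = 'Deploy Windows 10 X64'

# Steps 40-48: distribute the task sequence's referenced content to the DP.
Start-CMContentDistribution -TaskSequenceName $tsName -DistributionPointName $dp

# Steps 49-61: make the task sequence available to unknown computers via PXE.
Get-CMTaskSequence -Name $tsName |
    New-CMTaskSequenceDeployment -CollectionName 'All Unknown Computers' `
        -DeployPurpose Available -MakeAvailableTo ClientsMediaAndPxe

# Steps 62-67: allow the boot image to be served from the PXE-enabled DP.
Set-CMBootImage -Name 'MDT Boot Image (x64)' -DeployFromPxeDistributionPoint $true

# Steps 74-78 exactly as the lab performs them: PXE, unknown computer support
# and multicast on, no PXE password.
Set-CMDistributionPoint -SiteSystemServerName $dp `
    -EnablePxe $true -AllowPxeResponse $true -EnableUnknownComputerSupport $true `
    -EnableMulticast $true

# Hardened alternative for a production DP: a PXE password means an
# unauthenticated machine on the subnet cannot start a bare-metal build, and
# unknown-computer support stays off unless the site relies on it. The
# password is read as a SecureString, which is what -PxePassword expects.
function Set-HardenedPxeDistributionPoint {
    param([string]$ServerName, [System.Security.SecureString]$PxePassword)
    Set-CMDistributionPoint -SiteSystemServerName $ServerName `
        -EnablePxe $true -AllowPxeResponse $true -EnableUnknownComputerSupport $false `
        -PxePassword $PxePassword -EnableMulticast $true
}
# Set-HardenedPxeDistributionPoint -ServerName $dp -PxePassword (Read-Host -Prompt 'PXE password' -AsSecureString)

# Verification matching the lab's checks under Monitoring > Deployments.
Get-CMDeployment -CollectionName 'All Unknown Computers' |
    Select-Object SoftwareName, CollectionName, DeploymentTime
```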

10.3.3 Deploy Windows on an Unknown Computer

This activity initiates and completes the process of deploying the reference Windows system image through Zero Touch Deployment. At the end of the activity, CLIENT5 will be installed with the reference system image.

Task Detailed Steps

Complete these steps on the CLIENT5 virtual machine.
Task: PXE Boot and Commence OSD
1. Power on the CLIENT5 virtual machine and, when prompted, press F12 for network service boot to boot from the boot image available from the PXE distribution point.
Note: Restart the Windows Deployment Services Server service on CM1 if the PXE boot fails.
2. On the Welcome to the Task Sequence Wizard page, click Next.
3. On the Select a task sequence to run page, ensure that Deploy Windows 10 X64 is selected and click Next.
4. The system will now complete the installation of Windows on the virtual machine, but the application XML Notepad 2007 will not be deployed as part of the image, as it was not captured initially. Once the deployment is finished, ensure that the deployment status in SCCM shows Successful under Monitoring > Deployments and that the machine has a correct status in SCCM under Assets and Compliance > Devices. Additionally, reboot the client machine once after the deployment so that the SCCM client shows all its tabs, the actions list is fully initialized, and Software Center is present as well.
Note: The system will be named MININT-<random number>.
11 Appendix - Application Virtualization
Microsoft Application Virtualization (App-V) gives businesses access to any application without the application being installed directly on their computers.

In this section, you will learn how to sequence applications with Microsoft Application Virtualization (App-V) and deploy the resulting packages with Configuration Manager.

Note: This lab can only be performed if the System Center Configuration Manager environment is on Current Branch.

11.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine.
Task: Revert Virtual Machines
On CLIENT3, revert to the latest checkpoint.
Task: Download 7Zip
1. On the taskbar, open File Explorer, browse to C:\Packages and create two folders named 7Zip and 7Zip-AppV.
2. Open Internet Explorer and browse to the URL below.
http://7-zip.org/download.html
3. From the website, download 7-Zip 18.05 (2018-04-30) for Windows 64-bit x64 (.exe) (or newer) and save it to C:\Packages\7Zip.
Task: Download Notepad++
4. In the Packages folder, create two folders named Notepad++ and Notepad++-AppV.
5. Open Internet Explorer and browse to the URL below.
https://notepad-plus-plus.org/download/v6.9.html
6. Click Download and save npp.6.9.Installer.exe to C:\Packages\Notepad++.
Task: Download Visio Viewer
7. In the Packages folder, create two folders named Visio Viewer and Visio Viewer-AppV.
8. Open Internet Explorer and browse to the URL below.
http://www.microsoft.com/en-us/download/details.aspx?id=51188
9. Click Download.
10. Select visioviewer_4339-1001_x64_en-us.exe (or newer) then click Next.
11. Save to C:\Packages\Visio Viewer.

11.2 Install the Sequencer

In this activity, you will go through how to install and prepare the App-V Sequencer.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine.
Task: Install the App-V Sequencer (if not yet installed)
1. Open Internet Explorer and browse to the URL below.
https://go.microsoft.com/fwlink/?linkid=873065
2. Click Run.
3. On the "The features installed on this computer are up to date" page, select Change and click Continue.
4. On the Select the features you want to change page, select Microsoft Application Virtualization (App-V) Sequencer and click Change. Accept the UAC prompt.
5. Once the setup completes successfully, click Close.
Task: Disable Windows Search
6. Right-click the Start button and select Run.
7. In the Run window, type services.msc then press Enter.
8. In the Services window, locate and right-click Windows Search and select Properties.
9. In the Windows Search Properties window, under Startup type, select Disabled.
10. In the Windows Search Properties window, under Service status, click Stop, then click Apply and OK.
11. Reboot the CLIENT3 virtual machine.
12. After the reboot, log in again with the same credentials.
Task: Disable Windows Defender
13. Click the Start button and select Settings.
14. In the Settings app, browse to Update & Security > Windows Security. Click Open Windows Defender Security Center.
15. Click Virus & threat protection.
16. Click Virus & threat protection settings.
17. Under Real-time protection, Cloud-delivered protection and Automatic sample submission, set the slider to Off. Under Notifications, click Change notification settings. Under Virus & threat protection notifications, Account protection notifications and Windows Defender Firewall notifications, set the slider to Off.
Note: When turning a slider off, click Yes on the UAC prompt.
18. Also, turn off Windows Defender Firewall.
19. Close all windows.
Note: Remember to disable Secure Boot for the CLIENT3 VM.
Task: Create VM Checkpoint
20. On the Virtual Machine window toolbar, click Action > Checkpoint…
21. In the Checkpoint Name window, enter APPV then click Yes.
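Steps 6-18 (service, Defender and firewall settings on the sequencing machine) are the standard preparation of a sequencer VM: the indexer and real-time scanning would otherwise be captured as activity inside the package. The script below is an added example, not from the lab guide, that applies those settings on CLIENT3 from an elevated PowerShell session and prints the resulting state so it can be checked before the APPV checkpoint is taken. The notification toggles of step 17 have no cmdlet equivalent and stay in the Security Center UI. On the Hyper-V host, the Secure Boot note and steps 20-21 correspond to Set-VMFirmware -VMName CLIENT3 -EnableSecureBoot Off (VM powered off, Generation 2 only) and Checkpoint-VM -Name CLIENT3 -SnapshotName APPV; the VM name CLIENT3 on the host is an assumption.

```powershell
# Added example, not from the lab guide: 11.2 steps 6-18 on CLIENT3 as
# PowerShell, run elevated. These settings stay inside the sequencing VM,
# which is reverted to the APPV checkpoint after every sequencing run.
$ErrorActionPreference = 'Stop'

# Steps 6-10: Windows Search (service name WSearch) stopped and disabled.
if ((Get-Service -Name 'WSearch').Status -ne 'Stopped') {
    Stop-Service -Name 'WSearch' -Force
}
Set-Service -Name 'WSearch' -StartupType Disabled

# Steps 13-17: real-time protection, cloud-delivered protection (MAPS) and
# automatic sample submission off via the Defender cmdlet.
Set-MpPreference -DisableRealtimeMonitoring $true `
                 -MAPSReporting Disabled `
                 -SubmitSamplesConsent NeverSend

# Step 18: Windows Defender Firewall off for all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False

# Show the resulting state so it can be verified before the checkpoint.
function Get-SequencerPrepState {
    [PSCustomObject]@{
        SearchService   = (Get-Service -Name 'WSearch').Status
        SearchStartType = (Get-Service -Name 'WSearch').StartType
        RealtimeOff     = (Get-MpPreference).DisableRealtimeMonitoring
        MapsReporting   = (Get-MpPreference).MAPSReporting
        SampleConsent   = (Get-MpPreference).SubmitSamplesConsent
        FirewallOn      = @(Get-NetFirewallProfile | Where-Object Enabled -eq $true).Count
    }
}
Get-SequencerPrepState | Format-List

# Step 11: reboot, then log back on with the same credentials (step 12).
Restart-Computer -Force
```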

11.3 Application Sequencing

In this section, you will sequence different types of applications. For more information about sequencing best practices, see the App-V 5.0 Sequencing Guide at http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx.

11.3.1 Standard Application

In this activity, you will sequence a standard desktop application.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine.
Task: Sequence 7Zip
1. From the Start screen, find and click Microsoft Application Virtualization (App-V) Sequencer Tool. Accept the UAC prompt.
2. In the Sequencer, select Create a New Virtual Application Package.
3. On the Packaging Method page, select Create Package (default), and then click Next.
4. On the Prepare Computer page, click Next.
5. On the Type of Application page, click the Standard Application (default) option, and then click Next.
6. On the Select Installer page, click Browse… and specify the installation file for 7Zip (C:\Packages\7Zip\7z1805-x64.exe), and then click Next.
7. On the Package Name page, enter 7Zip 1805 and click Next.
8. On the Installation page, the 7Zip installer will automatically launch.
9. In the 7Zip 18.05 (x64) Setup window, click Install.
10. Once completed, click Close.
11. On the Installation page, select I am finished installing then click Next.
12. On the Configure Software page, select 7-Zip File Manager then click Run Selected.
13. On the 7Zip toolbar, go to Tools > Options…
14. In the Options window, select the following file types and click the '+' icon under All users, then click Apply and OK.
- 7z
- rar
- wim
- xar
15. Close the 7Zip application.
16. On the Configure Software page, click Next.
17. On the Installation Report page, click Next.
18. On the Customize page, select Stop now then click Next.
19. On the Create Package page, select Continue to modify package without saving using the package editor then click Next.
20. On the Completion page, click Close.
21. In the Sequencer, go to the Advanced tab.
22. Select all the checkboxes.
23. In the Sequencer, click File > Save.
24. In the Save As window, browse to C:\Packages\7Zip-AppV then click Save.
25. Copy the C:\Packages\7Zip-AppV folder to \\CM1\Packages$ and use corp\LabAdmin for the credentials.
Revert the CLIENT3 virtual machine to the previous checkpoint (APPV).
Task: Sequence Notepad++
26. From the Start screen, find and click Microsoft Application Virtualization (App-V) Sequencer Tool. Accept the UAC prompt.
27. In the Sequencer, select Create a New Virtual Application Package.
28. On the Packaging Method page, select Create Package (default), and then click Next.
29. On the Prepare Computer page, click Next.
30. On the Type of Application page, click the Standard Application (default) option, and then click Next.
31. On the Select Installer page, click Browse… and specify the installation file for Notepad++ (C:\Packages\Notepad++\npp.6.9.Installer.exe), and then click Next.
32. On the Package Name page, enter Notepad++ 6.9 and click Next.
33. On the Installation page, the Notepad++ installer will automatically launch.
34. In the Installer Language window, click OK.
35. On the Welcome page, click Next.
36. On the License Agreement page, click I Agree.
37. On the Install Location page, click Next.
38. On the Choose Components page, uncheck Auto-Updater then click Next.
39. On the Choose Components page, click Install.
40. On the Completing page, uncheck Run Notepad++ v6.9 then click Finish.
41. On the Installation page, select I am finished installing then click Next.
42. On the Configure Software page, select Notepad++ then click Run Selected.
43. Browse to Plugins > Plugin Manager > Show Plugin Manager. Cancel the Notepad++ Plugin Manager when it appears.
44. In the Plugin Manager window, click Settings.
45. In the Plugin Manager Settings window, uncheck Notify of plugin updates at startup then click OK.
46. In the Plugin Manager window, click Close.
47. Close the Notepad++ window.
48. On the Configure Software page, click Next.
49. On the Installation Report page, click Next.
50. On the Customize page, select Stop now then click Next.
51. On the Create Package page, select Continue to modify package without saving using the package editor then click Next.
52. On the Completion page, click Close.
53. In the Sequencer, go to the Advanced tab.
54. Select Allow virtual applications full write permissions to the virtual file system.
55. In the Sequencer, click File > Save.
56. In the Save As window, browse to C:\Packages\Notepad++-AppV then click Save.
57. Copy the C:\Packages\Notepad++-AppV folder to \\CM1\Packages$ and use corp\LabAdmin for the credentials.
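The sequencer ships a PowerShell module alongside the wizard, and the two standard applications above can be sequenced unattended with it, which is how packages are usually rebuilt after an installer update. The script below is an added example, not from the lab guide or from the App-V product samples. It assumes the AppvSequencer module installed in 11.2 with New-AppvSequencerPackage accepting -Name, -Installer, -InstallerOptions, -Path, -FullLoad and -TimeoutInMinutes (check Get-Help New-AppvSequencerPackage on the sequencer in use), and that both installers accept the /S silent switch. What the unattended run does not do is the first-launch configuration the wizard lets you perform (7-Zip file associations in step 14, the Notepad++ plugin-update setting in step 45); those remain manual.

```powershell
# Added example, not from the lab guide: unattended sequencing of the two
# standard applications of 11.3.1 with the sequencer's PowerShell module.
# Run elevated on CLIENT3 immediately after reverting to the APPV checkpoint.
# Assumptions: AppvSequencer module present; 7z1805-x64.exe and
# npp.6.9.Installer.exe both accept /S for a silent install.
$ErrorActionPreference = 'Stop'
Import-Module AppvSequencer

# Credentials for \\CM1\Packages$ (step 25 / 57), prompted rather than typed
# into the script.
$shareCred = Get-Credential -UserName 'corp\LabAdmin' -Message 'Credentials for \\CM1\Packages$'

# Package definitions taken from the lab's paths and names.
$packages = @(
    @{ Name = '7Zip 1805';     Installer = 'C:\Packages\7Zip\7z1805-x64.exe';             Out = 'C:\Packages\7Zip-AppV' },
    @{ Name = 'Notepad++ 6.9'; Installer = 'C:\Packages\Notepad++\npp.6.9.Installer.exe'; Out = 'C:\Packages\Notepad++-AppV' }
)

foreach ($p in $packages) {
    if (-not (Test-Path -Path $p.Installer)) { throw "Installer missing: $($p.Installer)" }
    New-Item -Path $p.Out -ItemType Directory -Force | Out-Null

    # Monitors the silent install and writes <Name>.appv with its manifest,
    # report and deployment/user configuration XML into the output folder.
    # -FullLoad streams the whole package, matching the lab's Advanced-tab choice.
    New-AppvSequencerPackage -Name $p.Name -Installer $p.Installer `
        -InstallerOptions '/S' -Path $p.Out -FullLoad -TimeoutInMinutes 30

    # Checks before the package leaves the sequencer: the .appv must exist, and
    # the report is where excluded files and sequencing warnings are listed.
    $appv = Get-ChildItem -Path $p.Out -Filter '*.appv' | Select-Object -First 1
    if (-not $appv) { throw "Sequencing of $($p.Name) produced no .appv file" }
    $report = Get-ChildItem -Path $p.Out -Filter '*Report.xml' | Select-Object -First 1
    Write-Host ('{0}: {1} ({2:N1} MB), report: {3}' -f $p.Name, $appv.Name, ($appv.Length / 1MB), $report.Name)

    # Step 25 / 57: copy to \\CM1\Packages$ through a temporary mapped drive so
    # the credentials never appear on a command line.
    New-PSDrive -Name 'Pkg' -PSProvider FileSystem -Root '\\CM1\Packages$' -Credential $shareCred | Out-Null
    Copy-Item -Path $p.Out -Destination 'Pkg:\' -Recurse -Force
    Remove-PSDrive -Name 'Pkg'
}
```

Because the sequencer records everything that happens on the machine between start and end of the monitored install, the script should be the only thing running after the checkpoint is restored, exactly as the lab's revert-before-each-package rule intends.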

11.3.2 Add-On / Plug-In Application

In this activity, you will sequence an add-on application.

Task Detailed Steps

Revert the CLIENT3 virtual machine to the previous checkpoint (APPV).
Task: Sequence Visio Viewer
1. From the Start screen, find and click Microsoft Application Virtualization (App-V) Sequencer Tool. Accept the UAC prompt.
2. In the Sequencer, select Create a New Virtual Application Package.
3. On the Packaging Method page, select Create Package (default), and then click Next.
4. On the Prepare Computer page, click Next.
5. On the Type of Application page, click the Add-on or Plug-in option, and then click Next.
6. On the Select Installer page, click Browse… and specify the installation file for Visio Viewer (C:\Packages\Visio Viewer\visioviewer_4339-1001_x64_en-us.exe), and then click Next.
7. On the Install Primary page, select I have installed the primary parent program then click Next.
8. On the Package Name page, enter Visio Viewer 2016 and click Next.
9. On the Installation page, the Visio Viewer installer will automatically launch.
10. On the Microsoft Software License Terms page, select Click here to accept the Microsoft Software License Terms then click Continue.
11. In the Microsoft Visio Viewer 2016 dialog box, click OK.
12. On the Installation page, select I am finished installing then click Next.
13. On the Installation Report page, click Next.
14. On the Customize page, select Stop now then click Next.
15. On the Create Package page, select Continue to modify package without saving using the package editor then click Next.
16. On the Completion page, click Close.
17. In the Sequencer, click File > Save.
18. In the Save As window, browse to C:\Packages\Visio Viewer-AppV then click Save.
19. Copy the C:\Packages\Visio Viewer-AppV folder to \\CM1\Packages$ and use corp\LabAdmin for the credentials.
Revert the CLIENT3 virtual machine to the previous checkpoint (APPV).

11.4 Deploying App-V Packages


In this activity, you will deploy the App-V packages using Configuration Manager.

Task Detailed Steps


Complete these steps on the CM1 virtual machine.
Import 7Zip App-V Package
1. Open the Configuration Manager Console.
2. In the Assets and Compliance workspace, expand Device Collections and right-click
the ‘Applications’ folder.
Note: Create an Applications folder under the Device Collections if it does not
exist already.
3. Select Create Device Collection.
4. Enter the following information:
General
Name: App-V 7Zip
Limiting Collection: Browse… to All Desktop and Server Clients. Click OK
and then Next.
Membership Rules
Click Next and accept the warning by clicking OK.
Click Next and Close to exit the wizard.
5. Select Devices and find CLIENT2.
6. Right click CLIENT2 and select Add Selected Items – Add Selected Items to
Existing Device Collection.
7. Highlight the Applications folder and select the App-V 7Zip collection. Click
OK.
Note: Ensure that the App-V 7Zip Device Collection has the CLIENT2
computer in it.
8. In the Software Library workspace, expand Application Management, right-
click Applications and select Create Application.
9. On the General tab, enter the following information:
Type: Microsoft Application Virtualization 5
Location: \\CM1\Packages$\7Zip-AppV\7Zip 1805.appv
Click Next.
Import Information – Click Next.
General Information – Click Next.
Summary – Click Next.
10. When complete, click Close.
11. In the Software Library workspace, highlight Applications, right-click 7Zip
1805 and select Deploy.
12. General - Enter the following information:
Collection:
Click Browse…, select Device Collections, select Applications, select App-V
7Zip, and click OK.
Click Next.
Content:
Click Add – Distribution Point – Select CM1.CORP.CONTOSO.COM. Click
OK.
Click Next.
Deployment Settings:
Action: Install.
Purpose: Required.
Click Next.
Scheduling:
Click Next.
User Experience:
Click Next.
Alerts:
Click Next.
Summary:
Click Next.
13. Click Close when the wizard is complete.
Import Notepad++ App-V Package
14. In the Assets and Compliance workspace, expand Device Collections and right-click
the ‘Applications’ folder.
Note: An Applications folder has been created under the Device Collections
above.
15. Select Create Device Collection.
16. Enter the following information:
General
Name: App-V Notepad++
Limiting Collection: Browse… to All Desktop and Server Clients. Click OK
and then Next.
Membership Rules
Click Next and accept the warning by clicking OK.
Click Next and Close to exit the wizard.
17. Select Devices and find CLIENT2.
18. Right click CLIENT2 and select Add Selected Items – Add Selected Items to
Existing Device Collection.
19. Highlight the Applications folder and select the App-V Notepad++ collection.
Click OK.
Note: Ensure that the App-V Notepad++ Device Collection has the CLIENT2
computer in it.
20. In the Software Library workspace, expand Application Management, right-
click Applications and select Create Application.
21. On the General tab, enter the following information:
Type: Microsoft Application Virtualization 5
Location: \\CM1\Packages$\Notepad++-AppV\Notepad++ 6.9.appv
Click Next.
Import Information – Click Next.
General Information – Click Next.
Summary – Click Next.
22. When complete, click Close.
23. In the Software Library workspace, highlight Applications, right-click
Notepad++ 6.9 and select Deploy.
24. General - Enter the following information:
Collection:
Click Browse…, select Device Collections, select Applications, select App-V
Notepad++, and click OK.
Click Next.
Content:
Click Add – Distribution Point – Select CM1.CORP.CONTOSO.COM. Click
OK.
Click Next.
Deployment Settings:
Action: Install.
Purpose: Required.
Click Next.
Scheduling:
Click Next.
User Experience:
Click Next.
Alerts:
Click Next.
Summary:
Click Next.
25. Click Close when the wizard is complete.
Import Visio Viewer App-V Package
26. In the Assets and Compliance workspace, expand Device Collections and right-click
the ‘Applications’ folder.
Note: An Applications folder has been created under the Device Collections
above.
27. Select Create Device Collection.
28. Enter the following information:
General
Name: App-V Visio Viewer
Limiting Collection: Browse… to All Desktop and Server Clients. Click OK
and then Next.
Membership Rules
Click Next and accept the warning by clicking OK.
Click Next and Close to exit the wizard.
29. Select Devices and find CLIENT2.
30. Right click CLIENT2 and select Add Selected Items – Add Selected Items to
Existing Device Collection.
31. Highlight the Applications folder and select the App-V Visio Viewer collection.
Click OK.
Note: Ensure that the App-V Visio Viewer Device Collection has the CLIENT2
computer in it.
32. In the Software Library workspace, expand Application Management, right-
click Applications and select Create Application.
33. On the General tab, enter the following information:
Type: Microsoft Application Virtualization 5
Location: \\CM1\Packages$\Visio Viewer-AppV\Visio Viewer 2016.appv
Click Next.
Import Information – Click Next.
General Information – Click Next.
Summary – Click Next.
34. When complete, click Close.
35. In the Software Library workspace, highlight Applications, right-click Visio
Viewer 2016 and select Deploy.
36. General - Enter the following information:
Collection:
Click Browse…, select Device Collections, select Applications, select App-V
Visio Viewer, and click OK.
Click Next.
Content:
Click Add – Distribution Point – Select CM1.CORP.CONTOSO.COM. Click
OK.
Click Next.
Deployment Settings:
Action: Install.
Purpose: Required.
Click Next.
Scheduling:
Click Next.
User Experience:
Click Next.
Alerts:
Click Next.
Summary:
Click Next.
37. Click Close when the wizard is complete.
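The server-side work of steps 1 through 37 (three device collections, three App-V applications, three Required deployments) as an added PowerShell example; this is not code from the lab guide. It assumes a Configuration Manager PowerShell session opened from the console on CM1 (Connect via Windows PowerShell), uses the ConfigMgr cmdlets in place of the wizards, and creates each application with New-CMApplication plus an App-V 5 deployment type rather than the wizard's .appv import, so the application names are set explicitly to the package names used in the lab.

```powershell
# Added example (not from the lab guide). Run on CM1 in a session started with
# "Connect via Windows PowerShell" so the CMSite drive and cmdlets are loaded.
$site = Get-PSDrive -PSProvider CMSite | Select-Object -First 1
Set-Location "$($site.Name):"

$dp     = 'CM1.CORP.CONTOSO.COM'
$client = 'CLIENT2'
$limit  = 'All Desktop and Server Clients'
$folder = "$($site.Name):\DeviceCollection\Applications"

# The three packages sequenced in 11.3; App names equal the sequencer package names.
$packages = @(
    @{ App = '7Zip 1805';         Coll = 'App-V 7Zip';         Appv = '\\CM1\Packages$\7Zip-AppV\7Zip 1805.appv' }
    @{ App = 'Notepad++ 6.9';     Coll = 'App-V Notepad++';    Appv = '\\CM1\Packages$\Notepad++-AppV\Notepad++ 6.9.appv' }
    @{ App = 'Visio Viewer 2016'; Coll = 'App-V Visio Viewer'; Appv = '\\CM1\Packages$\Visio Viewer-AppV\Visio Viewer 2016.appv' }
)

# Assumption: the CMSite provider exposes console folders as items, so the
# "Applications" folder under Device Collections can be created with New-Item.
if (-not (Test-Path $folder)) { New-Item -Path $folder | Out-Null }

$device = Get-CMDevice -Name $client
if (-not $device) { throw "Device $client not found in the site database." }

foreach ($p in $packages) {
    # Collection limited to the lab's limiting collection, CLIENT2 as a direct member.
    $coll = New-CMDeviceCollection -Name $p.Coll -LimitingCollectionName $limit
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $p.Coll -ResourceId $device.ResourceID
    Invoke-CMCollectionUpdate -Name $p.Coll
    Move-CMObject -FolderPath $folder -InputObject $coll

    # Application with an App-V 5 deployment type pointing at the package on Packages$.
    New-CMApplication -Name $p.App | Out-Null
    Add-CMAppv5XDeploymentType -ApplicationName $p.App -ContentLocation $p.Appv `
        -DeploymentTypeName "$($p.App) (App-V 5)" | Out-Null

    # Distribute content to CM1 and create the Required / Install deployment.
    Start-CMContentDistribution -ApplicationName $p.App -DistributionPointName $dp
    New-CMApplicationDeployment -Name $p.App -CollectionName $p.Coll `
        -DeployAction Install -DeployPurpose Required | Out-Null
}

# Check that matches the lab's "Ensure that the ... collection has CLIENT2 in it" notes.
foreach ($p in $packages) {
    $members = Get-CMCollectionMember -CollectionName $p.Coll | Select-Object -ExpandProperty Name
    '{0,-20} members: {1}' -f $p.Coll, ($members -join ', ')
}
```

Collection membership is evaluated asynchronously, so an empty member list right after the run usually means the evaluation has not finished yet rather than a failed rule.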
Complete these steps on the CLIENT2 virtual machine.
Enable App-V Client
38. Log on as a domain Administrator (corp\labadmin).
39. Open an elevated Windows PowerShell window.
40. Enter the following command:
Enable-AppV
41. Once enabled successfully, restart the CLIENT2 virtual machine.
Note: App-V can also be enabled through Group Policy. More information here:
https://technet.microsoft.com/en-us/itpro/windows/manage/appv-enable-the-app-v-desktop-client
Refresh Machine Policy to Validate App-V Package Installation
42. On the device, open the Control Panel. Select the Configuration Manager icon.
43. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and
click Run Now to force the device to receive updated policy. This can take up to
5 minutes. Click OK.
44. The App-V sequenced applications will install automatically.
45. Open Software Center, go to Installation status and validate that the App-V
packages have been installed.
46. Right-click on the Start button and select Programs and Features. Validate that
the App-V packages are not listed here.
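Steps 38 through 46 on CLIENT2 (enable the client, pull machine policy, confirm the packages arrived as App-V packages and not as classic installs) as an added PowerShell example; this is not code from the lab guide. It assumes the ConfigMgr client is already installed on CLIENT2, that the three deployments from 11.4 target it, and that the machine-policy trigger is the standard ConfigMgr schedule ID for Machine Policy Retrieval & Evaluation.

```powershell
# Added example (not from the lab guide). Run in an elevated PowerShell on CLIENT2.
$expected = @('7Zip 1805', 'Notepad++ 6.9', 'Visio Viewer 2016')   # package names from 11.3

# Step 40/41: enable the App-V client; a restart is required before packages can be added.
$status = Get-AppvStatus
if (-not $status.AppVClientEnabled) {
    Enable-AppV
    Write-Warning 'App-V client enabled. Restart CLIENT2, then run this script again.'
    return
}

# Step 42/43: same action as "Machine Policy Retrieval & Evaluation Cycle" in the
# Configuration Manager control panel applet (schedule ID ...0021).
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null

# Steps 45/46: each package should be added and published by the App-V client, and
# must NOT appear in Programs and Features (the Uninstall registry keys).
function Test-AppvLabState {
    param([string[]]$Names)
    $pkgs = Get-AppvClientPackage -All
    $uninstall = Get-ItemProperty -ErrorAction SilentlyContinue -Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($n in $Names) {
        $pkg = $pkgs | Where-Object Name -eq $n
        [pscustomobject]@{
            Package            = $n
            Added              = [bool]$pkg
            PublishedGlobally  = if ($pkg) { [bool]$pkg.IsPublishedGlobally } else { $false }
            InProgramsFeatures = [bool]($uninstall | Where-Object DisplayName -like "$n*")
        }
    }
}

Test-AppvLabState -Names $expected | Format-Table -AutoSize
```

Policy retrieval can take the same few minutes the lab mentions, so rerun the Test-AppvLabState call until all three rows show Added and PublishedGlobally as True and InProgramsFeatures as False.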

12 Appendix – Troubleshooting the SCCM Client Install

Troubleshooting the SCCM client install in the Lab.

Issue: You try to install the SCCM client to a workstation from the SCCM console and the client
never gets installed.

The most probable cause of this is that the workstation’s firewall is blocking “Remote
Management” and “WMI”.

How to resolve this at the client:

1) Log into the client as Corp\Administrator.
2) Select Start.
3) Type “Firewall & network protection”.
4) Select “Firewall & network protection”.
5) Select “Allow an app through firewall”.
6) Select “Change settings”.
7) Enable “Windows Management Instrumentation (WMI)”:
a. For Domain, Private, and Public network.
8) Enable “Windows Remote Management”:
a. For Domain, Private, and Public network.
9) Resend the client setup from the SCCM server.
It can take 5 to 10 minutes for the client to complete its install.

You can monitor the SCCM server-side log at:

C:\Program Files\Microsoft Configuration Manager\Logs\CCM.Log.

You can monitor the client-side log at:

C:\Windows\ccmsetup\logs\ccmsetup.log.

If you cannot find the client-side log look into the server-side logs to determine why the
server is not communicating with the client.

The best tool for monitoring the logs is cmtrace.exe and it can be found on the SCCM server at:

C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe.
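The firewall part of steps 7 and 8 and the client-side log check above, as an added PowerShell example run elevated on the affected workstation; this is not code from the lab guide. It assumes the built-in Windows firewall rule groups named in the steps, and it defaults to the lab's choice of all three profiles while -Profiles Domain restricts the inbound WMI and WinRM rules to the domain network, which is what a production domain member should use.

```powershell
# Added example (not from the lab guide). Run in an elevated PowerShell on the
# workstation that never received the ConfigMgr client push.
function Enable-CcmPushPrereqs {
    param(
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$Profiles = @('Domain', 'Private', 'Public')   # lab default: all three
    )
    $groups = @('Windows Management Instrumentation (WMI)', 'Windows Remote Management')
    foreach ($g in $groups) {
        # Built-in rules carry Profile = Any or a comma-separated subset; enable only
        # the inbound rules whose profile overlaps the requested set.
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
            Where-Object {
                $_.Profile -eq 'Any' -or
                (($_.Profile -split ',\s*') | Where-Object { $Profiles -contains $_ })
            } |
            Enable-NetFirewallRule
    }
    # Show what is now open so the change can be reviewed before the client push is resent.
    Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
        Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
}

function Test-CcmSetupProgress {
    $log = 'C:\Windows\ccmsetup\logs\ccmsetup.log'
    if (-not (Test-Path $log)) {
        Write-Warning "No $log yet: the push has not reached this client; check CCM.log on the server."
        return $false
    }
    # ccmsetup logs "CcmSetup is exiting with return code 0" when the install succeeded.
    $tail = Get-Content -Path $log -Tail 5
    $tail
    return [bool]($tail -match 'CcmSetup is exiting with return code 0')
}

Enable-CcmPushPrereqs            # or: Enable-CcmPushPrereqs -Profiles Domain
Test-CcmSetupProgress
```

Resend the client push from the SCCM console after Enable-CcmPushPrereqs, then call Test-CcmSetupProgress again once the 5 to 10 minutes the appendix mentions have passed.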
