MD-101 Managing Modern Desktops – Configuring device profiles

  1. Understanding and planning device configuration profiles

I now want to spend some time going over one of the extremely powerful capabilities we have with Intune through the Endpoint Manager, okay? And this is called device profiles. Okay? So you might have heard me say previously that we don’t have group policies in Intune with MDM, but we have something very similar. And what it is, is this thing called device configuration profiles. Device Configuration profiles allow me to control the different settings that are on people’s devices, whether they’re Windows, whether they’re Mac, whether they’re Apple iOS, whether it’s Android. I can control those settings with the help of these things called configuration profiles. Device configuration profiles. So let’s go and take a look at these.

Now I’m going to go ahead and open this up. I’m going to click Devices, okay? And then scroll down here. Again, I’m in Endpoint Manager, endpoint.microsoft.com, but scroll down. Here it is right here: Configuration Profiles. Don’t worry, because I am going to explain conditional access policies as well as compliance policies coming up here in just a bit. But we have configuration profiles. First we’re going to click on that, all right? And then from there we’re going to click to create one of these. And we have different options here. So as you can see, Android, iOS, Mac, and then we’ve got Windows 10 or later. I’ll start with that and select the profile. So just kind of running through some of the options here that you’ve got. You’ve got Administrative Templates, and these are very similar to what we have in Group Policies.

These are going to let us control some of our different settings and options. If I click to create that, give it a name. All right, go to configuration settings here. It’s very similar to what we had in Group Policies. So if you’ve ever worked with Administrative Templates and Group Policies, you’ll see the different options that you’ve got, your Control Panel and all that. Very similar again to dealing with Group Policy. And it’s got sort of the same format in a way, different folder options and all that, that you can do. Okay? So that’s what administrative templates are. Let’s take a look at Custom. This is kind of neat. With Custom, you can actually go out and you can download what are known as custom XMLs.

You can link to these custom XML files and it will allow you to enable and disable features that maybe Microsoft has not included in Intune yet. So for example, let’s say you had a newer Android phone. Maybe you’re using Samsung Knox technology, and there’s a new feature under the security feature known as the Knox feature that Intune doesn’t support yet. They can provide an XML file out there on the Internet that can turn this feature on or off. You can link to that, it’ll import that in. And at that point you can turn that feature on and off using a custom profile. Delivery Optimization, that’s the peer-to-peer option that we’ve talked about. You can update people’s firmware. Device restrictions: this is probably one of the most important ones. We’ll get into that one here, coming up. Okay, device restrictions is really going to let you lock things down.

Here’s Domain join. I can do an edition upgrade. I can manage your email, change your email settings. I can do endpoint protection. This is going to manage your virus protection on your machine. I can do identity protection, where it’s going to control who gets to log on and how they get to log on. Kiosks, that’s great. If you’ve got a Windows computer that’s a kiosk computer, you can control the different settings for that. So if you had somebody that’s just walking up anonymously using a computer, you can really lock that down. Okay, you have ATP, Advanced Threat Protection. We’ll talk more about this towards the end of this course. But that gets into all the different security features.

Firewall, Windows Defender, antivirus, spyware protection, and there are a lot of other little features there it’s going to involve, such as looking for email spyware and things like that. You have network boundary. This lets me control where a person is logging on from and having different policies based on where they’re logging on. These right here are all certificate related. So you have PKCS. That’s public key cryptographic services. That’s what both of these are. This will let you install a certificate on somebody’s machine, on somebody’s device if you wanted. Now if it’s a desktop computer, you would use one of these two. If it was a mobile device like a phone or a tablet, you would use SCEP.

That’s Simple Certificate Enrollment Protocol, is what that stands for, and it allows a mobile phone, tablet, something like that to actually have a certificate imported. Here you’ve got security assessment. They tell you this is for the education system. It’s to do security assessments in the education system. Basically checking vulnerabilities on a machine. You have shared multi-user device. This is when you’ve got multiple users using the same device. This is going to let you set some settings on there that involve which objects or items users can share between themselves, which settings can be shared between them, and which apps can be shared between them. Here’s Trusted certificate. This is going to add a digital certificate to the trusted certificate store of your computer.

So if your company was using a custom certificate, then at that point you could import that in and the certificate would be trusted by that computer. You can configure people’s VPN settings, just like we learned that you could do using provisioning packages earlier in the course. You can actually deploy VPN settings out to people’s machines and then the VPN will be set up. You can also do WiFi settings. So this is great. If you had like a device that’s jumping around all over the place, the different offices and all that, you could go ahead and configure the WiFi settings on those devices. Okay, so here’s the other thing to understand.

When you click on one of these, there is actually a tremendous amount of settings involved that you can configure. Once you create this profile, you’re going to go in and there are all sorts of things you can configure on somebody’s device if they’re being managed through Intune. Keep in mind this is an MDM solution. So the device must be enrolled in MDM in order for these settings to apply to it. Okay? So coming up in this next little lesson, I’m going to actually go through the process. We’re going to create one of these and we’re going to look at some of the options that we’ve got available.

  2. Implementing device profiles

Okay, so now that we know what a device configuration profile is, I want to go through the process of actually creating one for you. So we’ll start from the beginning here. We’re on endpoint.microsoft.com. Okay. We’re going to click Devices. Okay? We’re going to go down to Configuration profiles and we are going to create a config profile. We’re going to select Windows 10 and later. Of course, the exam you’re taking is going to be more focused on Windows 10 than anything else. So I think this is a good one for us to go with. Then we’re going to go to the profile and probably again, one of the most important ones to sort of focus on test-wise is going to be Device Restrictions. I’m going to select Device Restrictions and I’m going to click to Create.

All right, I’m going to give this a name. I’m just going to call this Windows 10 personalization settings. Maybe I’m going to deploy some personalization settings. Okay, so I’m going to click Next. All right, and here we go. Once this shows up, you’re going to see there are a lot of little drop-downs here that can be configured, all sorts of things. Now I want to encourage you guys to, if you can, come in here to Endpoint Manager and just look through this. There are so many things you could probably spend hours just going over the individual things you can do. There are lots and lots of things here, from the App Store, being able to manage the settings on people’s App Store on Windows 10, to cellular connectivity options that you can configure.

Cloud and storage settings. Maybe I want to block certain things there. Cloud printer settings that I can define if I’m going to allow cloud printing. Control Panel settings, okay? I mean, heck, I could disable the Settings app if I wanted. If I didn’t want somebody personalizing their Windows 10 device, maybe it’s a kiosk or something, I could block that. And that’s what I’m going to do because I called this the personalization settings. So I’m going to block that. Maybe block time and language settings as well. Okay? So I could configure some of those settings I want. Don’t allow them to mess with update and security. All right, remember I wanted to block personalization.

I’m going to do that through Control Panel and Settings. That’s something I’d recommend knowing for the test if you’re taking it. Okay, so then display settings. This does GDI scaling for apps. This involves just basically apps that are scaling your resolution, affecting your resolution. General settings: a lot of things here I can do, disabling cameras and Cortana and all of that stuff if I want. Lock screen settings, messaging settings for email and text messaging, Edge web browser. I can configure those settings through this. Configure network proxy. I can configure your password settings if I want. I can require you to have a certain size password.

You’ve got another personalization area. This would let you set the background. If I wanted to have a background, I could have a background stored on a server, like one NYC server, one wallpapers, put a backslash wallpaperscompanylow logo, jpg maybe. I want your background to be the company logo; that’s going to be your wallpaper. So then I’ve got printer settings, privacy settings, I mean, all sorts of stuff here you can do. There are just so many things that you can look at here. Disable Windows Spotlight, maybe I’m going to turn that off. That’s what shows the different wallpapers as you go to log on to Windows. And it does take up some bandwidth, so you can disable it. You can configure their Windows Defender antivirus through here.

Okay. So I could say enable real time monitoring on your antivirus. All right. And then power settings can be managed here as well involving the sleep settings and all that on your computer. So again, there’s a lot here. We can spend probably hours going over those things. So I’m going to click next. Scope tags. Not going to spend a lot of time on this right now. Scope tags involve your admins. What you can do is you can tag these policies and you can give rights over certain administrators. Scope tags are more for admins than they are users. It’s going to allow me to tag this and allow a certain group of admins to be able to manage this profile if I wanted. So that’s going to involve management of profiles.

So I could specify a particular scope tag if I wanted to, right here. Okay. I’m just going to select Default and then I’m going to click Next. Assignments: this is how I assign this profile. So if I want to assign it to a particular set of users, I could. Remember we talked about inclusions and exclusions. You can add an inclusion group, and you can add an exclusion group. Exclusion groups will always override inclusion groups. Okay, so if I want, I could say all users, or I could specify particular users I want this to be attached to, or for now, if I don’t want to assign it to anybody, I don’t have to.

So then I’ll click Next. I can also set some conditions on assigning it. I can add if statements: assign the profile if there is a certain edition or version on your machine. All right? And that way it’s only going to apply to you if those conditions are met. So you can actually add more than one condition here if you want. Okay, so then I’m going to click Next and it’s going to officially confirm it. And I’m going to click to Create, which is going to officially create it. And it’s now going to be configured. All right? So at that point, it’s now officially set up.

  3. Managing device profiles

Now that we’ve created a device configuration profile, I want to talk a little bit about managing it and checking to make sure that it’s been assigned and, if it hasn’t been assigned, how we can assign it. So we’re starting here on endpoint.microsoft.com. I’m going to go to Devices. We’ll go down to Configuration profiles, and you’ll notice that I have a configuration profile. Notice that it has not been assigned yet. So I’m going to go ahead and click that. All right. Now first off, notice this right here. This is the Graph API I was telling you guys about earlier, which shows you if it’s actually been applied to anybody yet. As you can see, this policy profile has not been applied to anybody as of yet. Okay, so what I can do, I can click Properties and I can go to Assignments.

The reason this has not been assigned to anybody is because I didn’t actually specify a group for it to be assigned to. So to do that, I’ve got to come down here to where it says Assignments and select who I want to assign this to. Maybe I want to assign it to a specific group. I’m going to assign it to the sales group and the marketing group. Okay? So I’ll assign it to both of those and then I’m going to click Select, all right? And then at that point those would be assigned. Also, if I want, don’t forget, I can add an exclusion group. I’m going to exclude the IT group. So if any users happen to, for whatever reason, be in IT as well as Sales and Marketing, which would be weird, but if there were, this would just guarantee your IT people would not be affected by it.

So then I’m going to click Review and Save, and then I’m going to click to save it. Okay? At that point it’s now officially going to be assigned. Now I want to warn you that when you first do this, this takes some time. So when you actually look at the policy, sometimes it may take a minute or two before it says assigned. I was lucky. It actually did it very quickly. So the load on Azure’s environment right now must be light, but sometimes it can take a few minutes before that will say assigned. Okay. And then from there I can go to Device status and see any of my devices that got it. So far none of my devices have checked in to get it yet.

But eventually, if my user was a salesperson using my Windows 10 machine, it would link in here so the device would get it. User status would show the users that have gotten it. And then you can look at the Per settings option as well. That involves anytime the profile has been deployed, it’ll show you every setting that’s been configured on somebody’s machine. Okay? All right, so hopefully that gives you a good understanding now of managing these profiles, as well as viewing to see who’s actually been assigned to get the profile.
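
The profile created and assigned in the portal above can also be built through Microsoft Graph, which makes the inclusion and exclusion targets explicit and reviewable. The PowerShell below is an added example, not part of the original course material; it assumes the Microsoft.Graph.Authentication module is installed, and the three group object IDs are placeholders to replace with your own.

```powershell
# Added example: requires the Microsoft.Graph.Authentication module and an
# account permitted to manage Intune device configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Placeholders (assumptions): object IDs of your own Azure AD groups.
$includeGroupIds = @('<sales-group-object-id>', '<marketing-group-object-id>')
$excludeGroupIds = @('<it-group-object-id>')

# Device restrictions profile for Windows 10 and later, blocking the same
# Settings pages the walkthrough blocks in the portal.
$restrictions = @{
    '@odata.type'                    = '#microsoft.graph.windows10GeneralConfiguration'
    displayName                      = 'Windows 10 personalization settings'
    settingsBlockPersonalizationPage = $true
    settingsBlockTimeLanguagePage    = $true
    settingsBlockUpdateSecurityPage  = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body ($restrictions | ConvertTo-Json)

# One target per group: included groups receive the profile, excluded groups
# are carved out even when a user or device is also in an included group.
$targets = @()
foreach ($id in $includeGroupIds) {
    $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $id } }
}
foreach ($id in $excludeGroupIds) {
    $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $id } }
}
$assignBody = @{ assignments = $targets } | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body $assignBody

# Read the assignments back, then check how many devices have reported status.
$assigned = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)/assignments"
$assigned.value | ForEach-Object { $_.target.'@odata.type' + ' ' + $_.target.groupId }
Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)/deviceStatusOverview"
```

The status overview will show zero devices until enrolled devices in the targeted groups check in, which matches the delay described above.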
