Lab Guide - Windows Insider Lab for Enterprise



Date: July 8, 2020

NOTE: This guide is the authoritative source of delivery guidance for the Windows Insider Lab for Enterprise. Where content is absent from this guide, refer to the Windows Insider Lab for Enterprise – Setup Guide.

Table of Contents

1 Introduction
1.1 Lab Objectives
2 Prerequisites
2.1 On-Premises Environment
2.2 Cloud Environment
3 Lab Setup
3.1 On-Premises Environment
3.2 Cloud Environment
3.2.1 Setup Azure and Office 365
3.2.2 Setup Enterprise Mobility + Security
3.2.3 Enable and Configure Cloud Services
3.3 On-Premises Environment Post Setup Manual Steps
3.3.1 Build a Windows 10 Developer Machine (for Desktop Bridges Scenario only)
3.3.2 Configure Azure AD Connect with Device Sync
4 Deployment & Management
4.1 Modern Device Deployment
4.1.1 AutoPilot
4.2 Modern Device Management with Intune
4.2.1 Mobile Device Management using Microsoft Intune
4.2.2 Dynamic Management with Windows 10
4.2.3 Mobile App Management for Non-Managed Windows 10 Devices
4.3 Co-Management
4.4 Modern Application Management with Intune
4.4.1 Application Deployment and Management with Microsoft Intune
4.4.2 Application Self-Service with Microsoft Store for Business
4.5 Enterprise State Roaming
4.5.1 Prerequisites
4.5.2 Configure Enterprise State Roaming
5 Security
5.1 Windows Information Protection
5.1.1 Modern Management
5.1.2 Traditional Management
5.2 Windows Defender Advanced Threat Protection
5.2.1 Onboarding Windows 10 Device
5.2.2 Perform Simulation
5.3 Windows Defender Application Guard
5.3.1 Modern Management
5.3.2 Traditional Management
5.4 Windows Defender Exploit Guard
5.4.1 Modern Management
5.4.2 Traditional Management
5.5 Windows Hello
5.5.1 Modern Management
5.5.2 Traditional Management
5.6 Credential Guard
5.6.1 Check Credential Guard Requirements
5.6.2 Modern Management
5.6.3 Traditional Management
5.7 Device Encryption (MBAM)
5.7.1 Modern Management
5.8 Device Guard – User Mode Code Integrity
5.8.1 Modern Management
5.8.2 Traditional Management
6 Compatibility
6.1 Windows Analytics Upgrade Readiness
6.2 Browser Compatibility
6.2.1 Prerequisites
6.2.2 Enterprise Mode
6.2.3 Browser Compatibility Remediation
6.3 Desktop Bridges
6.3.1 Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)
7 Additional Labs
7.1.1 MDM WINS over GP
7.1.2 MAM FAQ

1 Introduction

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. There are two versions of the lab:

Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest Microsoft 365 enterprise features through access to Olympia Corp, a virtual corporation set up to reflect the IT infrastructure of a real-world business. Customers are invited to join Olympia Corp through our online survey. Qualified customers are then provided with a username and password to access the cloud-based lab.

Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials. Customers can also add the latest Windows 10 Insider Preview Enterprise build to the lab.

This Windows Insider Lab for Enterprise v2 lab guide walks you through Modern and Traditional Desktop scenarios to showcase the latest enterprise features and capabilities.

1.1 Lab Objectives

This guide is designed to provide step-by-step guidance in demonstrating the basic functionality of each feature.
It is important that the Prerequisites (Section 2) and Lab Setup (Section 3) sections be performed before proceeding with the lab activities. The lab activities are organized as follows:

Lab Setup
- On-Premises Environment
- Cloud Environment
- On-Premises Environment Post Setup Manual Steps
Servicing
- Windows Analytics Update Compliance
Deployment & Management
- Modern Device Deployment
- Modern Device Management with AutoPilot
- Co-Management
- Modern Application Management with Intune
- Enterprise State Roaming
Security
- Windows Information Protection
- Windows Defender Advanced Threat Protection
- Windows Defender Application Guard
- Windows Defender Exploit Guard
- Windows Hello
- Credential Guard
- Device Encryption (MBAM)
- Device Guard – User Mode Code Integrity
Compatibility
- Windows Analytics Upgrade Readiness
- Browser Compatibility
- Desktop Bridges
Additional Labs
- MDM WINS over GP
- MAM FAQ

2 Prerequisites

The following requirements for each environment are needed to support the labs.

2.1 On-Premises Environment

Listed below are the requirements for the on-premises environment (mark each item Complete when it is done):

[ ] One (1) physical client or server to host the virtual lab environment, meeting the following requirements:
    Operating System: Windows Server 2016, Windows Server 2012 R2, or Windows 10 with Hyper-V installed and fully updated. Administrative rights on the Hyper-V host.
    Memory: At least 32 GB.
    Disk Space: At least 300 GB.
    Disk Subsystem: High throughput/speed.
    Processor: Preferably a high-end processor for faster processing.
    Ethernet: Two (2) or more Gigabit network connections.
    Network Connections: An Internet connection, and an External Virtual Switch on the Hyper-V host bound to the host's external adapter for Internet connectivity.
[ ] One (1) gigabit network lab switch with sufficient ports to connect physical client devices and the lab environment.
[ ] Download the latest available 64-bit Windows 10 Insider Preview Enterprise build ISO image.
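The checklist above is easy to get wrong on a shared or re-purposed host, so here is a pre-flight script that tests a candidate Hyper-V host against those requirements. This is an added example, not part of the lab guide or the Setup Guide. The thresholds are taken from the list above; the ISO path, the target volume and the public endpoint used for the connectivity probe are assumptions and are exposed as parameters. Run it in an elevated PowerShell session on the intended host.

```powershell
# Added example (not from the lab guide): pre-flight check of a Hyper-V host
# against the on-premises requirements above. Thresholds follow the guide; the
# ISO path, volume letter and connectivity endpoint are assumptions.

function Test-LabHostPrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinMemoryGB     = 32,    # "At least 32 GB"
        [int]$MinFreeDiskGB   = 300,   # "At least 300 GB"
        [int]$MinGigabitNics  = 2,     # "Two (2) or more Gigabit network connections"
        [string]$VolumeDriveLetter = 'C',                                   # volume that will hold the VMs (assumed)
        [string]$IsoPath = 'C:\ISO\Windows10InsiderPreviewEnterprise.iso',  # assumed download location
        [string]$ProbeHost = 'www.microsoft.com'                            # assumed reachable endpoint
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # Operating system: Windows 10 / Server 2016 are 10.0, Server 2012 R2 is 6.3
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Check 'Operating system' ([version]$os.Version -ge [version]'6.3') "$($os.Caption) build $($os.BuildNumber)"

    # HypervisorPresent is true only when the Hyper-V hypervisor is actually running
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Check 'Hyper-V hypervisor running' ([bool]$cs.HypervisorPresent) "HypervisorPresent=$($cs.HypervisorPresent)"

    # Administrative rights on the Hyper-V host (the session must be elevated)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Check 'Running elevated' $isAdmin $id.Name

    # Installed memory
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Add-Check "Memory >= $MinMemoryGB GB" ($memGB -ge $MinMemoryGB) "$memGB GB installed"

    # Free space on the volume that will hold the virtual machines
    $vol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${VolumeDriveLetter}:'"
    $freeGB = [math]::Round($vol.FreeSpace / 1GB, 1)
    Add-Check "Free disk on ${VolumeDriveLetter}: >= $MinFreeDiskGB GB" ($freeGB -ge $MinFreeDiskGB) "$freeGB GB free"

    # Physical adapters that are up and link at >= 1 Gbps (Speed is reported in bits per second)
    $nics = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.Speed -ge 1000000000 })
    Add-Check "Gigabit NICs >= $MinGigabitNics" ($nics.Count -ge $MinGigabitNics) (($nics.Name -join ', ') -replace '^$', 'none')

    # An External virtual switch bound to a host adapter gives the lab Internet access
    $external = @()
    if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
        $external = @(Get-VMSwitch -SwitchType External)
    }
    Add-Check 'External vSwitch present' ($external.Count -gt 0) (($external.Name -join ', ') -replace '^$', 'none')

    # Internet reachability from the host: DNS resolution plus a TCP 443 connect
    $net = Test-NetConnection -ComputerName $ProbeHost -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check 'Internet connectivity (TCP 443)' ([bool]$net) "${ProbeHost}:443"

    # The Windows 10 Insider Preview Enterprise ISO has been downloaded
    Add-Check 'Windows 10 ISO present' (Test-Path -LiteralPath $IsoPath) $IsoPath

    return $results
}

$report = Test-LabHostPrerequisites
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'Host does not meet all lab prerequisites; fix the failed checks before running the Setup Guide.'
}
```

Each check returns a row with Passed and a Detail column so the result can be kept with the engagement notes. The hypervisor check deliberately uses HypervisorPresent rather than the installed-feature list: the Hyper-V role can be installed while the hypervisor is not loaded (for example after a conflicting virtualization product or a boot setting change), and only a running hypervisor satisfies the requirement.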
2.2 Cloud Environment

Listed below are the requirements for the cloud environment:

[ ] Provide licensed subscriptions, or sign up for a trial subscription, for the following Microsoft Cloud Services. A trial subscription will only be used if the customer has no existing subscription to these services.
    Microsoft Azure
    Enterprise Mobility + Security (configured as part of the Lab Setup)
    Windows Defender Advanced Threat Protection (configured as part of the Lab Setup)
    Operations Management Suite
    Office 365 Enterprise E5 (configured as part of the Lab Setup)

Note: All trial tenants have an evaluation period. These subscriptions/tenants will expire unless they are extended or the customer purchases the service.
Note: It is possible to use an existing trial subscription if the engagement dates fall within the evaluation period.
Note: An appropriate MSDN subscription can be used to activate the Azure benefit for 30 days.

3 Lab Setup

Support: If you have any questions or suggestions during the lab setup or while executing any scenario in this guide, reach us at Olympia@ and mention Olympia V2 in the subject line. Instructions for the features in this Lab Guide are added and updated as required, so download the latest lab guide before you start.

3.1 On-Premises Environment

The on-premises environment is configured by using the Windows Insider Lab for Enterprise v2.
Follow the Windows Insider Lab for Enterprise – Setup Guide to provision the virtual machines on Hyper-V. When setup is complete, the following virtual machines are configured and the deployment lab system is available for use.

Server Name: HYD-DC1
Roles & Products: Active Directory Domain Controller, DNS, DHCP, Certificate Services; Windows Server 2019

Server Name: HYD-CM1
Roles & Products: System Center Configuration Manager Technical Preview Branch – Version 1910 (updated versions of the Technical Preview Branch are available via an In-Console Upgrade); Windows Deployment Services; Microsoft Deployment Toolkit; Windows 10 ADK; Windows Server Update Services; Microsoft SQL Server 2017; Windows Server 2019

Server Name: HYD-APP1
Roles & Products: Windows Server 2019

Server Name: HYD-GW1
Roles & Products: Remote Access for Internet Connectivity; Windows Server 2019

Server Name: HYD-CLIENT1 (Optional)
Roles & Products: If the Windows 10 Insider Preview ISO image is imported, this machine is created with Windows installed and is Domain Joined.

Server Name: HYD-CLIENT2 (Optional)
Roles & Products: If the Windows 10 Insider Preview ISO image is imported, this machine is created with Windows installed and is Domain Joined.

Server Name: HYD-CLIENT3 (Optional)
Roles & Products: If the Windows 10 Insider Preview ISO image is imported, this machine is created with Windows installed and is in a Workgroup.

Server Name: HYD-CLIENT4 (Optional)
Roles & Products: If the Windows 10 Insider Preview ISO image is imported, this machine is created with Windows installed and is in a Workgroup.

The table below lists the credentials and access type available in the default implementation.

User: Local Administrator
Access Type: Administrative
User Name: Administrator
Password: P@ssw0rd

User: Domain Administrator
Access Type: Enterprise Administrator
User Name: CORP\LabAdmin
Password: P@ssw0rd

Note: These are well-known lab defaults. Change them if the lab network is reachable from anything other than the isolated lab switch, and do not reuse them for the cloud tenant accounts created below.

3.2 Cloud Environment

Certain lab scenarios require the cloud environment. Follow the steps below to configure and prepare the required cloud services.

3.2.1 Setup Azure and Office 365

3.2.1.1 New Trial Tenant

In this section, you will create an Azure AD and an Office 365 Trial Tenant used for the later lab environment.
Note: If you have already received an Office 365 Trial tenant from the Olympia team, skip this section and proceed to Section 3.2.1.2.

Complete these steps from an Internet-connected Windows computer.

Task 1: Create Azure AD
1. Open an InPrivate browser session.
2. Navigate to the Azure portal and sign in with the email address associated with your Azure subscription.
3. On the left navigation bar, click Create a resource > Identity > Azure Active Directory.
4. In the Create directory pane, fill in the following values:
   ORGANIZATION NAME: <CompanyName>
   INITIAL DOMAIN NAME: <AzureDomainName>
   COUNTRY OR REGION: Choose a region
5. Click Create.
Note: This may take a couple of minutes to complete.

Task 2: Create Azure AD Admin User
1. Sign out of the Azure portal and sign back in again.
2. Click your email address in the upper right corner, click Switch Directory, and select <AzureDomainName>.
3. On the left navigation bar, click Azure Active Directory.
4. Under Create, click User.
5. In the User pane, fill in the following values:
   NAME: <Admin Name>
   USER NAME: <LabAdmin> (Suggestion: LabAdmin@<AzureDomainName>)
6. Select Show Password and write down the temporary password <OldLabAdminPassword>.
7. Click Directory role, select Global administrator, then click Ok.
   Note: This account will hold Global administrator rights over the whole tenant. Use it only for lab setup and administration, and give it a strong, unique password in the next task.
8. Click Create.

Task 3: Resetting the Password
1. Log out of the Azure portal.
2. Log in to the Azure portal using the LabAdmin account.
3. Type in the <OldLabAdminPassword> that you wrote down.
4. Type the new password: <NewLabAdminPassword>. Note: Use a strong password.
5. Confirm the new password and sign in.

Task 4: Create a Trial Office 365 Tenant
1. Close all browser windows.
2. Start a new InPrivate Internet Explorer session.
3. Navigate to the Office 365 portal and click Sign in in the top right corner.
4. Sign in using the LabAdmin account.
5. Click Admin in the top left corner.
6. Click Billing | Subscriptions, then click + Add subscriptions.
7. Select Office 365 Enterprise E5 without Audio Conferencing and click Start free trial.
8. Follow the usual procedure and click Place order.
Note: You might have to perform the Billing | Subscriptions steps (add the subscription, start the free trial, place the order) twice before the subscription shows Active under Billing | Subscriptions.

Task 5: Create Azure Test Users
1. Navigate to the Azure portal and, if required, sign in with the email address associated with your Azure subscription.
2. On the left navigation bar, click Azure Active Directory.
3. On the right side of the page, click the User link under Create.
4. In the User pane, fill in the following values:
   NAME: Test User1
   USER NAME: TU1@<AzureDomainName>
5. Select Show Password and write down the temporary password.
6. Click Create.
7. Repeat steps 1–6 for a second user as follows:
   NAME: Test User2
   USER NAME: TU2@<AzureDomainName>

Task 6: Set Password for your New Users using Office 365
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Office 365 portal and sign in with the user account created, TU1@<AzureDomainName>.
4. Type in the temporary password that you wrote down.
5. Type the New Password: <newuserpassword>.
6. Confirm the new Password: <newuserpassword>.
7. Click Sign in.
8. Repeat steps 1–7 for TU2@<AzureDomainName>.
9. Close all browser windows.

3.2.1.2 Assigned Trial Tenant

In this section, you will set up the Azure AD and Office 365 Trial Tenant assigned to you by the Olympia team.
Note: If you do not have a pre-assigned trial tenant, refer to Section 3.2.1.1.

Complete these steps from an Internet-connected Windows computer.

Task 1: Resetting the Password
1. Log out of the Azure portal.
2. Log in to the Azure portal using the LabAdmin account provided by the Olympia team.
3. Type in the <OldLabAdminPassword> provided to you.
4. Type the new password: <NewLabAdminPassword>. Note: Use a strong password.
5. Confirm the new password and sign in.
Task 2: Create Azure Test Users
1. Navigate to the Azure portal and, if required, sign in with the email address associated with the Azure subscription provided by the Olympia team.
2. On the left navigation bar, click Azure Active Directory.
3. On the right side of the page, click the User link under Create.
4. In the User pane, fill in the following values:
   NAME: Test User1
   USER NAME: TU1@<AzureDomainName>
5. Select Show Password and write down the temporary password.
6. Click Create.
7. Repeat steps 1–6 for a second user as follows:
   NAME: Test User2
   USER NAME: TU2@<AzureDomainName>

Task 3: Set Password for your New Users using Office 365
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Office 365 portal and sign in with the user account created, TU1@<AzureDomainName>.
4. Type in the temporary password that you wrote down.
5. Type the New Password: <newuserpassword>.
6. Confirm the new Password: <newuserpassword>.
7. Click Sign in.
8. Repeat steps 1–7 for TU2@<AzureDomainName>.
9. Close all browser windows.

3.2.2 Setup Enterprise Mobility + Security

In this section, you will create an Intune Trial Tenant that will be used later in the lab. This tenant will be created using the Azure AD that you created in the previous section.
Note: If you have already received an EMS Trial from the Olympia team, skip this section and proceed to Section 3.2.3.
Complete these steps from an Internet-connected Windows computer.

Task: Sign Up for a Trial Microsoft Intune Subscription
1. Start a new Internet Explorer window in InPrivate mode.
2. Navigate to the Microsoft Intune trial sign-up page, click Sign up for your free trial, and then click Sign in.
3. Sign in with labadmin@<AzureDomainName>.
4. Click Try now to confirm your order.
5. Click Continue.
6. On the left navigation bar, click Billing > Subscriptions and verify that the Enterprise Mobility + Security E5 Trial is Active.

3.2.3 Enable and Configure Cloud Services

In this section, you will assign licenses and configure additional cloud services that will be used in the lab environment.

Complete these steps from an Internet-connected Windows 10 computer.

Task: Assign Office 365 and EM+S Licenses
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Office 365 portal and sign in with labadmin@<AzureDomainName> (or the credentials for the trial account provided by the Olympia team).
4. Open the app launcher (top left corner) and click Admin.
5. On the left navigation bar, click Users > Active users.
6. Select LabAdmin, Test User1 and Test User2, then click the Edit product licenses action.
7. Select Add to existing product license assignments, then click Next.
8. Select the appropriate Location, set the slider to On for Enterprise Mobility + Security E5 and for Office 365 Enterprise E5 without Audio Conferencing, then click Add.
9. Click Close | Close.
Note: Ensure that all three users have both product licenses assigned.

Task: Enable Device Registration
1. Close all browser windows and open an InPrivate browser session.
2. Navigate to the Azure portal and sign in with the email address associated with your Azure subscription.
3. Click your email address in the upper right corner, click Switch Directory, and select <AzureDomainName>
if required.
4. On the left navigation bar, click Azure Active Directory > Devices > Device settings.
5. In the Users may join devices to Azure AD setting, select All if it is not already selected.
6. In the Additional local administrators on Azure AD joined devices setting, select Selected.
7. Click Add members, select LabAdmin, then click Select. Click OK.
8. In the Users may register their devices with Azure AD setting, select All if it is not already selected.
9. Click Save.
Note: Allowing all users to join and register devices is appropriate for this lab. In a production tenant, scope these settings to the groups that need them, and keep the Additional local administrators list short: every account added there becomes a local administrator on every Azure AD joined device in the tenant.

Task: Enable Windows Defender ATP Trial
Note: A trial application should have been submitted before proceeding with these steps. It can take up to 7 business days for your free trial request to be reviewed, so trial subscriptions may not be available at the time of lab setup.
1. Open an InPrivate browser session.
2. Navigate to the Windows Defender Advanced Threat Protection trial page and click START FREE TRIAL.
3. Check the box next to I accept these terms and conditions and click Next.
4. On the Please enter your details below page, enter your details and click Submit. You will get a message stating that the Windows Defender Advanced Threat Protection Team will review your application and contact you via email within 7 business days. Once your application is approved, you will receive an invitation email with onboarding instructions.
5. Within 7 business days, you will receive an email to activate your trial, together with the onboarding instructions. Click Activate your trial now. Download the setup guide; it also contains instructions and links for the attack demo.
6. During activation, click Sign in.
7. Sign in with LabAdmin@<AzureDomainName>.
8. Click Try now.
9. Click Continue.

3.3 On-Premises Environment Post Setup Manual Steps

Perform these steps once the on-premises environment provisioning is complete.

3.3.1 Build a Windows 10 Developer Machine (for Desktop Bridges Scenario only)

In this activity, you will build a Windows 10 client virtual machine with developer tools installed.
This is required for the Desktop Bridges lab only, because no Desktop App Converter base image is available for the build of the Windows 10 Insider Preview Enterprise ISO image used in the lab, and the base image and the OS build must match for the scenario to work. If you are not running the Desktop Bridges scenario, skip this step.

Complete these steps from the Hyper-V host machine.

Task: Download Developer VM (if not previously downloaded)
1. Open File Explorer and create the C:\VMs folder.
2. Open Internet Explorer and browse to the Windows 10 development environment download page; under Windows 10 Enterprise Evaluation download, click Hyper-V.
3. Download WinDev1805Eval.HyperV.zip to C:\VMs.
4. Once the download completes, browse to C:\VMs, right-click WinDev1805Eval.HyperV.zip and select Extract All.
5. In the Select a Destination and Extract Files page, click Extract.

Task: Import VM
1. Open File Explorer and create the C:\VMs\WIN10DEV folder.
2. Open Hyper-V Manager.
3. In the Actions pane, click Import Virtual Machine.
4. In the Before You Begin page, click Next.
5. In the Locate Folder page, browse to C:\VMs\WinDev1805Eval.HyperV, then click Next.
6. In the Select Virtual Machine page, click Next.
7. In the Choose Import Type page, select Copy the virtual machine, then click Next.
8. In the Choose Destination page, select Store the virtual machine in a different location, enter the path C:\VMs\WIN10DEV for all folders, then click Next.
9. In the Choose Storage Folder page, enter the path C:\VMs\WIN10DEV, then click Next.
10. In the Summary page, click Finish.
11. In Hyper-V Manager, right-click WinDev1805Eval, select Rename and enter WIN10DEV.

Task: Configure Virtual Machine Settings
1. In Hyper-V Manager, right-click WIN10DEV and select Settings.
2. Configure the following, then click OK:
   Memory: 8192 MB
   Processor: 4 virtual processors
   Network Adapter: HYD-Corpnet
3. Start the WIN10DEV virtual machine.

Complete the remaining steps on the WIN10DEV virtual machine.

Task: Install Windows Updates
1. Go to Start and click Settings.
2. In the Settings app, browse to Update & Security >
Windows Update.
3. Click Check for updates.
4. Install all missing updates (restart if needed) until the device is up to date.
Note: This may take at least an hour depending on the Internet speed.

Task: Perform Defender Scan
1. In the Settings app, browse to Update & Security > Windows Security.
2. Click Open Windows Defender Security Center.
3. Click Virus & threat protection.
4. Click Scan now.
5. Once complete, close Windows Defender Security Center and the Settings app.

Task: Create Checkpoint
1. Create a virtual machine checkpoint.

3.3.2 Configure Azure AD Connect with Device Sync

In this activity, you will configure Azure AD Connect on DC1.

Complete the following steps on DC1.

Task: Configure Azure AD Connect
1. Download Azure AD Connect and run it. Select I agree to the license terms and privacy notice and click Continue.
2. Select Use express settings.
3. In the Connect to Azure AD prompt, sign in with labadmin@<AzureDomainName> and click Next.
4. In the Connect to AD DS prompt, enter the following and click Next:
   USERNAME: CORP\LabAdmin
   PASSWORD: P@ssw0rd
5. On the Azure AD sign-in configuration page, select Continue without any verified domains and click Next.
6. On the Ready to configure page, keep the check box next to Start the synchronization process when configuration completes checked and click Install. Click Exit once done.
Note: Express settings creates an AD DS connector account that holds directory replication permissions, and this lab installs the service on a domain controller for simplicity. In a production deployment, install Azure AD Connect on a dedicated member server and protect that server to the same standard as a domain controller.

Task: Configure Device Sync
1. Open Programs and Features and uninstall the Windows Azure Active Directory Module for Windows PowerShell.
2. Open PowerShell as an administrator.
3. Create a directory in C:\ (for example C:\MSOnline), then run the following cmdlet and accept any prompts. MSOnline is published as a module, so it is saved with Save-Module:
       Save-Module -Name MSOnline -Path C:\MSOnline
4. Run the following cmdlet and accept any prompts:
       Install-Module -Name MSOnline
5. Locate the name of the AAD Connector Account by opening Azure AD Connect, clicking Configure, selecting View current configuration, and then clicking Next.
6. Click Exit.
7. Run the following cmdlets. At the credential prompt, provide the Azure AD admin credentials (labadmin@<AzureDomainName>), and replace <account name> with the AAD Connector Account name found in the previous step:
       Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
       $aadAdminCred = Get-Credential
       Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount <account name> -AzureADCredentials $aadAdminCred

Task: Confirm Devices are Hybrid Azure AD Joined
1. Start Internet Explorer in InPrivate mode.
2. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
3. On the left navigation bar, click Azure Active Directory.
4. Select Devices > All devices.
5. Confirm that the devices are registered in Azure AD.
Note: In the virtualized lab, if the devices do not show up, disjoin CLIENT1 and CLIENT2 from the domain and rejoin them. After that, from Azure AD Connect, run Customize synchronization options and then Configure device options – Hybrid Azure AD join.

4 Deployment & Management

In this module, you will go through Windows 10 capabilities that can help organizations better deploy and manage Windows devices.

Prerequisite Sections:
- Windows Insider Lab for Enterprise – Setup Guide
- Section 3.2 - Cloud Environment
- Section 3.3.2 - Configure Azure AD Connect with Device Sync

4.1 Modern Device Deployment

With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." AutoPilot transforms new devices into fully-configured, fully-managed devices.
For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings.

4.1.1 AutoPilot

Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In this section, you will use Microsoft Intune to configure AutoPilot for pre-configuring devices.

Prerequisites

Perform the following tasks before proceeding.

Task: Create a Checkpoint in Hyper-V (if not already created)
Complete the following steps on the Hyper-V host.
1. Open Hyper-V Manager.
2. Right-click HYD-CLIENT4 and select Checkpoint.

Task: Capture Device ID
Complete the following steps on CLIENT4.
1. Open PowerShell as an administrator.
2. Run the following commands and press Y when prompted. The execution policy change is scoped to this session so that the device is not left with a permanently relaxed policy:
       Install-Script -Name Get-WindowsAutoPilotInfo
       Set-ExecutionPolicy Unrestricted -Scope Process
3. Change the directory to C:\Program Files\WindowsPowerShell\Scripts and run:
       .\Get-WindowsAutoPilotInfo.ps1 -ComputerName CLIENT4 -OutputFile C:\Users\Administrator\Desktop\MyComputers.csv
4. Copy the MyComputers.csv file to the computer that will be used for the Microsoft Intune setup.
   Note: The CSV contains the device serial number and hardware hash, which is everything Intune needs to claim the device for a tenant. Treat it as sensitive and delete stray copies once the import is done.
5. Open Command Prompt as an administrator.
6. From C:\Windows\System32\Sysprep, run:
       Sysprep.exe /OOBE /SHUTDOWN

Set Intune as Management Authority

After you complete the following tasks, you are ready to manage mobile devices and computers.

Complete these steps from an Internet-connected Windows computer.

Task: Enable Device Management. Set Mobile Device Management Authority
Note: Before you can enroll mobile devices, you must prepare the Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace.
The mobile device management authority setting determines whether you manage mobile devices with Intune alone or with System Center Configuration Manager with Intune integration. This guidance assumes Intune is used without System Center Configuration Manager integration, so the setting should be set to Microsoft Intune.
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > Intune.
5. Select Device enrollment.
6. Under Mobile Device Management Authority, select Intune MDM Authority and click Choose.

Task: Create Groups
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click New group.
6. In the Group pane, fill in the following values:
   Group type: Office 365
   Group name: Sales
   Membership type: Assigned
   Members: Test User1 and Test User2
7. Click Create.

Task: Customize the Company Portal
1. On the left navigation bar, click All services > Intune.
2. Select Mobile apps > Company Portal branding.
3. Configure the following with settings you choose for your lab:
   Company name
   IT department contact name
   IT department phone number
   IT department email address
   Additional information
   Company privacy statement URL
   Support website URL (not displayed)
   Website name (displayed to user)
4. Customize the Theme color, Company logo (max.
dimension 400x100 px, PNG/JPG) and background for the Company Portal. It is recommended that you change the default color in your lab so that it is easy to tell whether the Company Portal has been updated.
5. Click Save.

Task: Verify the Company Portal Configuration
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Company Portal website and sign in with TU1@<AzureDomainName>.
4. Review the Company Portal, browse to Helpdesk and confirm that the customizations have been applied.

Enable Auto MDM Enrollment

In this activity, you will configure automatic MDM enrollment into Intune when a device joins Azure AD.

Complete these steps from an Internet-connected Windows computer.

Task: Configure Auto MDM Enrollment for Intune
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
5. In the MDM user scope setting, select All.
6. Click Save.

Add an App

In this activity, you will add an app to Intune that will automatically download once the device is enrolled into MDM.

Complete these steps from an Internet-connected Windows computer.

Task: Add an App
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > Intune.
5. Select Mobile apps > Apps.
6. Click + Add.
7. In the App type dropdown, select Line-of-business app.

Task: Configure App
1. In the Add app pane, click App package file.
2. On the App package file blade, click the browse button and select a Windows installation file with the extension .msi, .appx, or .appxbundle. A sample .msi file is available for download. Click OK.
   Note: Intune installs a required line-of-business package with elevated privileges on every targeted device, so only upload an installer from a source you trust and whose hash you have verified.
3. In the Add app pane, click App information.
4. Enter the following information and click OK:
   Name - Enter the name of the app as it is displayed in the Company Portal. Make sure all app names that you use are unique.
   If the same app name exists twice, only one of the apps will be displayed to users in the Company Portal.
   Description - Enter a description for the app, which will be displayed to users in the Company Portal.
   Publisher - Enter the name of the publisher of the app.
   Category - Select one or more of the built-in app categories, or a category you created. Categorizing apps makes it easier for users to find the app when they browse the Company Portal.
   Display this as a featured app in the Company Portal - Display the app prominently on the main page of the Company Portal when users browse for apps.
   Information URL - Optionally, enter the URL of a website that contains information about the app, which will be displayed to users in the Company Portal.
   Privacy URL - Optionally, enter the URL of a website that contains privacy information for the app. The URL is displayed to users in the Company Portal.
   Command-line arguments - Optionally, enter any command-line arguments that you want to apply to the .msi file when it runs, such as /q.
   Developer - Optionally, enter the name of the app developer.
   Owner - Optionally, enter a name for the owner of this app, for example, HR department.
   Notes - Enter any notes you would like to associate with this app.
   Logo - Upload an icon that is associated with the app.
   The icon is displayed with the app when users browse the Company Portal.
5. In the Add app pane, click Add to upload the app to Intune.

Task: Deploy App
1. In the <app name> overview pane, click Assignments.
2. Click Add group.
3. Select Required under Assignment type.
4. Under Included Groups | Selected groups, select Sales.
5. Click Select.
6. Click OK.
7. Click OK again.
8. Click Save.

Configure AutoPilot

In this activity, you will import the captured device ID into Intune, place the device in a group, and assign an AutoPilot deployment profile to that group.

Complete these steps from an Internet-connected Windows computer.

Task: Configure AutoPilot
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > Intune.
5. Click Device enrollment > Windows enrollment > Devices.
6. Click Import, select the MyComputers.csv file saved earlier, and click Import.
7. Once imported, to speed up the process, click Sync and then click Refresh until you see the device.
8. Under the Microsoft Intune pane, click Groups > + New group.
9. Select Group type – Security, Group name – AutoPilot Devices, and Membership type – Assigned.
10. Click Members, select the device whose name equals the serial number of the device, and click Select.
11. Click Create.
12. On the Device enrollment > Windows enrollment pane, click Deployment Profiles > + Create profile.
13. In the Name box, type AutoPilot Test Profile.
14. In the Join to Azure AD as dropdown, select Azure AD joined.
15. Click Out-of-box experience (OOBE).
16. Select Hide for the End user license agreement (EULA) option.
17. Select Hide for the Privacy Settings option.
18. Select Standard for the User account type option. This keeps the enrolling user a standard user rather than making them a local administrator on the device.
19. Click Save.
20. Click Create.
21. Click AutoPilot Test Profile, click Assignments, click + Select groups, select the AutoPilot Devices group just created, and click Select.
22. Click Save.
23. Wait for the device to show up in Assigned devices under AutoPilot Test Profile.
To speed up the process, click Sync and then click Refresh until you see the device there.Click the Devices page by navigating to Device enrollment > Windows enrollment, and you should be able to see the PROFILE STATUS as Assigning and then further Assigned.AutoPilotIn this activity, you will walk through the experience of self-service AutoPilot while in OOBE.TaskDetailed StepsComplete these steps from the CLIENT4 virtual machine.Perform Azure AD JoinOnce OOBE has started, in the Let’s start with region pane, select United States then click Yes.On the Is this the right keyboard layout? pane, select US then click Yes.On the Want to add a second keyboard layout? pane, click Skip.In case you get the Get the latest from Windows pane, click Skip for now.On the Windows 10 License Agreement pane, click Accept.In the Sign in with Microsoft pane, sign in with TU1@<AzureDomainName>. then click Next.In the Enter your password pane, enter the password then click Next.On the Choose privacy settings for your device pane, click Accept.Follow through the prompts for setting up a PIN for Windows Hello.In the All set! 
pane, click OK.Validate Azure AD Join and MDM EnrollmentGo to Start > Settings.In the Settings app, browse to Accounts > Access work or school.Confirm that Connected to <CompanyName>’s Azure AD is plete these steps from an Internet-connected Windows computer.Validate Azure AD and MDM EnrollmentClose all browser windows.Start Internet Explorer InPrivate mode.Navigate to and Sign in with labadmin@<AzureDomainName>..On the left navigation bar, click Azure Active Directory > Users > All users > Test User1.Click Devices.Confirm that the device is listed there and the following settings are configured:JOIN TYPE: Azure AD joinedMDM: Microsoft IntuneComplete these steps from the HYPER-V Host.Revert Virtual MachinesRevert HYD-CLIENT4 to the latest checkpoint.Modern Device Management with IntuneUse of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. 
You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.

Mobile Device Management using Microsoft Intune

In this lab, you will enroll a Windows 10 device with Microsoft Intune and manage it.

Enroll a Windows 10 Device

This section outlines how to enroll a Windows 10 device into Microsoft Intune for MDM.

Complete these steps on the CLIENT3 virtual machine.

Task: Enroll a Windows 10 Device in Intune
1. Log in to the virtual machine as Administrator and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Click Enroll only in device management.
4. The Set up a work or school account dialog box will appear, asking for the account to enroll the device with.
5. Provide the TU1@<AzureDomainName> account and click Next.
6. In the Microsoft Intune Enrollment page, enter the password then click Sign in. Click Got it.
7. In the Settings app, you should see that the device is now connected to the corporate MDM.
8. Select Connected to <CompanyName> MDM then click Info.
9. Click Sync and confirm that the sync was successful.

Complete these steps from an Internet-connected Windows computer.

Task: Check Windows 10 Device Enrollment in Microsoft Intune
Note: In this example, we will look in Microsoft Intune to see the device details; Intune already recognizes Windows 10 as an operating system.
1. Start Internet Explorer in InPrivate mode.
2. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
3. On the left navigation bar, click All services > Intune.
4. Select Devices > All devices.
5. Click the Windows 10 device that you have enrolled (CLIENT3). Observe the information that has been collected about the device in all the tabs. You might have to refresh the page for some time to get the details.

Configure Policy Settings and Policies based on OMA-URI

This section outlines how to configure policies for Windows 10 in Intune, both those available through the Intune interface and a policy through OMA-URI.

Use the Microsoft Intune Windows Phone OMA-URI Policy to deploy OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings that can be used to control features on Windows Phone devices. These are standard settings that many mobile device manufacturers use to control device features.

This capability is intended to allow you to deploy Windows 10 settings that are not configurable with an Intune policy. For information about the settings you can configure with these policies, see Configure Security Policy for Mobile Devices in Microsoft Intune. For help creating OMA-URI settings for Windows 10 services, see the Windows Phone 10 CSP documentation.

Complete these steps from an Internet-connected Windows computer.

Task: Create an OMA-URI Policy to Disable Cortana
1. Start Internet Explorer in InPrivate mode.
2. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
3. On the left navigation bar, click All services > Intune.
4. Select Device configuration > Profiles > + Create profile.
5. In the Name field, type Windows 10 – Disable Cortana.
6. Under Platform, select Windows 10 and later.
7. Under Profile type, select Custom.
8. In the Custom OMA-URI Settings pane, click Add.
9. In the Name field enter Windows 10 – Disable Cortana.
10. In the OMA-URI field enter (case sensitive and starting with a period): ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
11. For Data type select Integer.
12. For Value enter 0 (0 means the setting is not allowed).
13. Click OK | OK.
14. Click Create.
15. In the Windows 10 – Disable Cortana profile pane, select Assignments.
16. Click Select groups to include.
17. In the Select field, type Sales and select it.
18. Click Select.
19. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Task: Confirm the URI Configurations are Applied
1. Log in to the virtual machine as Administrator and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Select Connected to <CompanyName> MDM then click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
5. Note that the Cortana icon in the taskbar was replaced with a Search icon.
6. In the Settings app, note that the Cortana category was replaced with Search.

Complete these steps from an Internet-connected Windows computer.

Task: Configure Windows Defender
1. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
2. On the left navigation bar, click All services > Intune.
3. Select Device configuration > Profiles > + Create profile.
4. In the Name field, type Allow Real Time Protection on Win 10 Desktops.
5. Under Platform, select Windows 10 and later.
6. Under Profile type, select Custom.
7. In the Custom OMA-URI Settings pane, click Add.
8. In the Name field type Allow Real Time Protection on Win 10 Desktops.
9. Under OMA-URI Settings, click Add…
10. In the Name field enter Allow Real Time Protection.
11. In the OMA-URI field enter (case sensitive and starting with a period): ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
12. For Data type select Integer.
13. For Value enter 1 (1 means the setting is allowed).
14. Click OK.
15. Click OK.
16. Click Create.
17. In the Allow Real Time Protection on Win 10 Desktops device configuration profile pane, select Assignments.
18. Click Select groups to include.
19. In the Select field, type Sales and select it.
20. Click Select.
21. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Task: Verify Configuration is Applied
1. Log in to the virtual machine as Administrator and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Select Connected to <CompanyName> MDM then click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
5. In the Settings app, go back to Update & Security > Windows Security and click Open Windows Defender Security Center.
6. In the Windows Defender Security Center app, navigate to Virus & threat protection and click Virus
& threat protection settings.
7. Confirm that the Real-time protection setting is turned On and greyed out, which shows that the policy is enforced.

Dynamic Management with Windows 10

In this lab, you will set up and configure dynamic management policies for Windows 10. For a list of available dynamic management policies, refer to the DynamicManagement CSP documentation.

Complete these steps from an Internet-connected Windows computer.

Task: Configure Dynamic Management Policy
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > Intune.
5. Select Device configuration > Profiles > + Create profile.
6. In the Name field, type DisableCameraInCorporateNetwork.
7. Under Platform, select Windows 10 and later.
8. Under Profile type, select Custom.
9. In the Custom OMA-URI Settings pane, click Add.
10. In the Name field enter SettingsPack.
11. In the OMA-URI field enter (case sensitive and starting with a period): ./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SettingsPack
12. For Data type select String.
13. For Value enter:
    <SyncML><SyncBody><Replace><CmdID>1331</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML>
14. Click OK.
15. In the Custom OMA-URI Settings pane, click Add.
16. In the Name field enter SignalDefinition.
17. In the OMA-URI field enter (case sensitive and starting with a period): ./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SignalDefinition
18. For Data type select String.
19. For Value enter:
    <rule schemaVersion="1.0"><signal type="ipConfig"><ipv4Gateway>10.0.0.254</ipv4Gateway></signal></rule>
20. Click OK.
21. In the Custom OMA-URI Settings pane, click Add.
22. In the Name field enter NotificationsEnabled2.
23. In the OMA-URI field enter (case sensitive and starting with a period): ./Vendor/MSFT/DynamicManagement/NotificationsEnabled
24. For Data type select Boolean.
25. For Value select True.
26. Click OK | OK.
27. Click Create.
28. In the DisableCameraInCorporateNetwork device configuration profile pane, select Assignments.
29. Click Select groups to include.
30. In the Select field, type Sales and select it.
31. Click Select.
32. Click Save.

Complete these steps on the CLIENT3 virtual machine.

Task: Verify Policy is Applied
1. Log in to the virtual machine as Administrator and go to Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Select Connected to <CompanyName> MDM then click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
5. On the Hyper-V Host, from the Virtual Machine Connection window, right-click the CLIENT3 VM and go to Settings.
6. In the Settings window, under Network Adapter, disable the Corpnet Virtual Switch.
7. In the Settings app on CLIENT3, go to Privacy > Camera.
   Note: Camera is currently turned On and unmanaged because the machine is on the Internet network.
8. On the Hyper-V Host, from the Virtual Machine Connection window of the CLIENT3 VM, go to File > Settings.
9. In the Settings window, under Network Adapter, disable the External Virtual Switch and enable the Corpnet Virtual Switch.
10. In the Settings app, refresh the Privacy > Camera view.
11. Confirm that *Some settings are hidden or managed by your organization is shown.
    Note: Camera is turned Off and fully managed because the machine is on the corporate network.

Mobile App Management for Non-Managed Windows 10 Devices

The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
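Looking back at the Dynamic Management lab above: its three custom OMA-URI rows (SettingsPack, SignalDefinition, NotificationsEnabled) and the single-value Cortana and Defender policies are pasted into the portal as opaque strings, so a typo in a URI or in the SyncML is only noticed when the device never applies the policy. The Python script below is an added example, not part of this lab guide or of Intune, that builds the SettingsPack and the ipConfig signal rule exactly as the lab shows them and sanity-checks every row before it is pasted; the OmaSetting type and the lab_settings and check_profile helpers are the example's own, and nothing here talks to Intune.

```python
"""Added example (not from the lab guide or Intune): build and check the custom
OMA-URI rows used in the Cortana, Defender and Dynamic Management labs."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple
from xml.sax.saxutils import escape

METINF_NS = "syncml:metinf"  # namespace declared on <Format> inside <Meta>
# The SettingsPack value as the lab shows it; build_settings_pack must reproduce it.
LAB_SETTINGS_PACK = (
    "<SyncML><SyncBody><Replace><CmdID>1331</CmdID><Item><Target><LocURI>"
    "./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta>"
    '<Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item>'
    "</Replace><Final/></SyncBody></SyncML>"
)

@dataclass(frozen=True)
class OmaSetting:
    """One row of the Custom OMA-URI Settings pane (hypothetical helper type)."""
    name: str
    oma_uri: str
    data_type: str  # Integer, String or Boolean, as offered by the portal
    value: str

def validate_oma_uri(uri: str) -> bool:
    """Case sensitive, starts with a period, no stray whitespace: a wrong URI is
    silently ignored by the device, so reject it before it reaches the portal."""
    return uri == uri.strip() and uri.startswith("./") and "/Vendor/MSFT/" in uri

def build_settings_pack(loc_uri: str, data: str, fmt: str = "int",
                        cmd_id: int = 1331) -> str:
    """Wrap one policy value in the SyncML <Replace> block the lab uses."""
    if not validate_oma_uri(loc_uri):
        raise ValueError(f"bad OMA-URI: {loc_uri!r}")
    return (
        "<SyncML><SyncBody><Replace>"
        f"<CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{escape(loc_uri)}</LocURI>"
        f'</Target><Meta><Format xmlns="{METINF_NS}">{fmt}</Format></Meta>'
        f"<Data>{escape(data)}</Data></Item></Replace><Final/></SyncBody></SyncML>"
    )

def parse_settings_pack(pack: str) -> List[Tuple[str, str, str]]:
    """Return (LocURI, format, data) for every Item so a pack can be reviewed."""
    items = []
    for item in ET.fromstring(pack).iter("Item"):
        loc_uri = item.findtext("Target/LocURI")
        fmt = item.findtext(f"Meta/{{{METINF_NS}}}Format")
        data = item.findtext("Data")
        if loc_uri is None or data is None:
            raise ValueError("SettingsPack item is missing LocURI or Data")
        items.append((loc_uri, fmt or "", data))
    return items

def build_signal_definition(ipv4_gateway: str) -> str:
    """Network-based context: the pack applies only while the device's IPv4
    default gateway matches, so a typo here silently disables the policy."""
    ipaddress.IPv4Address(ipv4_gateway)  # raises ValueError on a bad address
    return ('<rule schemaVersion="1.0"><signal type="ipConfig">'
            f"<ipv4Gateway>{ipv4_gateway}</ipv4Gateway></signal></rule>")

def lab_settings(gateway: str = "10.0.0.254") -> List[OmaSetting]:
    """The DisableCameraInCorporateNetwork rows plus the Cortana and Defender
    policies (Integer 0 = not allowed, 1 = allowed), as entered in the labs."""
    dm = "./Vendor/MSFT/DynamicManagement"
    return [
        OmaSetting("SettingsPack", f"{dm}/Contexts/NetworkBased/SettingsPack", "String",
                   build_settings_pack("./Vendor/MSFT/Policy/Config/Camera/AllowCamera", "0")),
        OmaSetting("SignalDefinition", f"{dm}/Contexts/NetworkBased/SignalDefinition",
                   "String", build_signal_definition(gateway)),
        OmaSetting("NotificationsEnabled2", f"{dm}/NotificationsEnabled", "Boolean", "True"),
        OmaSetting("Windows 10 - Disable Cortana",
                   "./Vendor/MSFT/Policy/Config/Experience/AllowCortana", "Integer", "0"),
        OmaSetting("Allow Real Time Protection",
                   "./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring", "Integer", "1"),
    ]

def check_profile(settings: List[OmaSetting]) -> List[str]:
    """Return a list of problems; an empty list means the rows look consistent."""
    problems = []
    for s in settings:
        if not validate_oma_uri(s.oma_uri):
            problems.append(f"{s.name}: OMA-URI {s.oma_uri!r} is malformed")
        if s.data_type == "Integer" and not s.value.lstrip("-").isdigit():
            problems.append(f"{s.name}: Integer value {s.value!r} is not numeric")
        if s.data_type == "Boolean" and s.value not in ("True", "False"):
            problems.append(f"{s.name}: Boolean value must be True or False")
        if s.oma_uri.endswith("/SettingsPack"):  # the pack is itself SyncML
            try:
                bad = [u for u, f, _ in parse_settings_pack(s.value)
                       if not validate_oma_uri(u) or not f]
                problems += [f"{s.name}: inner item {u!r} is malformed" for u in bad]
            except ET.ParseError as exc:
                problems.append(f"{s.name}: SettingsPack is not well-formed XML ({exc})")
    return problems

if __name__ == "__main__":
    for row in lab_settings():
        print(f"{row.name}: {row.oma_uri} [{row.data_type}] = {row.value}")
    print("problems:", check_profile(lab_settings()) or "none")
```

Running the script prints the five rows ready to paste and reports "problems: none"; changing the gateway to a malformed address or dropping the leading period from a URI is caught before anything is assigned to the Sales group.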
MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1803.

In this lab, you will set up and configure Mobile App Management for an unmanaged Windows 10 device.

Complete these steps from an Internet-connected Windows computer.

Task: Configure MAM Service
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
5. In the MAM User scope setting, select All.
6. Click Save.

Task: Configure MAM Policy
1. In the Microsoft Azure navigation bar, select All services > Intune App Protection > App protection policies.
2. Click Add a policy.
3. In the Name field type Windows 10 MAM.
4. In the Platform setting, select Windows 10.
5. Click Protected apps then click Add apps.
6. In the Add Apps pane, select Microsoft Edge, IE11 and Notepad then click OK.
7. In the Protected apps pane, confirm that the selected apps are listed then click OK.
8. Back in the Add a policy pane, click Required settings.
9. Under Windows Information Protection mode, select Block then click OK.
10. Click Advanced settings.
11. In the Advanced settings pane, click Add network boundary.
12. In the Add network boundary pane, enter the following then click OK.
    BOUNDARY TYPE: Cloud resources
    NAME: SharePoint online
    VALUE: <AzureDomainName>.
13. In the Advanced settings pane, under Show the enterprise data protection icon, click On.
14. Click OK.
15. Click Create.

Task: Deploy MAM Policy
1. Select Windows 10 MAM > Assignments.
2. Click + Select groups to include.
3. In the Select groups to include pane, enter Sales, select it and then click Select.

Complete these steps on the CLIENT4 virtual machine.

Task: Create test file
1. Log in to the virtual machine as Administrator.
2. Right-click on the desktop and select New > Text Document.
3. Rename the file to Sample Document.
4. Open Sample Document.txt.
5. In the Notepad window, enter This is a sample corporate file. then click Save.
6. Close the file.
7. Open Internet Explorer, navigate to the SharePoint Online site and sign in as TU2@<AzureDomainName>.
8. On the left navigation, click Documents.
9. From the desktop, drag and drop the Sample Document.txt file into the Documents library to upload the file.
10. Once uploaded, delete the Sample Document.txt file from the Desktop.
11. Close all browser windows.

Task: Connect Corporate Account
1. Click Start > Settings.
2. In the Settings app, browse to Accounts > Access work or school.
3. Click Connect.
4. In the Set up a work or school account pane, enter TU2@<AzureDomainName> then click Next.
5. Enter the password then click Sign in.
6. In the Help us protect your account pane, click Set it up now then configure the verification requirements.
7. In the Create a PIN pane, click Create PIN then configure the PIN.
   Note: If required, perform Steps 42 and 43; based on that, additional verification may be required.
8. Click Next and verify your local administrator account password. Click OK.
9. In the Settings app, browse to Accounts > Access work or school.
10. Select Work or school account then click Info.
11. Click Sync to force a policy update and confirm that the sync was successful.

Task: Verify MAM Policies
1. Open Internet Explorer, navigate to the SharePoint Online site and sign in as TU2@<AzureDomainName>.
   Note: The <AzureDomainName> site is protected, and both IE11 and Microsoft Edge were selected as protected apps (they are both enlightened apps); therefore a briefcase icon is shown in the address bar to indicate that the site is protected. When the browser or another tab navigates away from this site, the briefcase goes away.
2. On the left navigation, click Documents.
3. Select Sample Document.txt and click Download.
4. Save the file to the Documents folder.
   Note: The briefcase icon under File Name indicates that the file is protected.
5. In the taskbar, open File Explorer and browse to the Documents folder.
   Note: The briefcase icon on the file icon and the <AzureDomainName> entry under the File ownership column indicate that the file is protected.
6. Open the Sample Document.txt file using Notepad. The file should open because Notepad is a managed app (per the policy).
   Note: The briefcase icon beside the minimize button indicates that the file is protected.
7. Close Notepad.
8. Open the Sample Document.txt file using WordPad. The file will not open, and a dialog box will indicate that access to the file is denied.
   Note: WordPad is not a managed app and therefore will not be able to open protected files.
9. Close WordPad.
10. In the Documents folder, right-click on Sample Document.txt and select File ownership.
    Note: The Personal option is currently disabled because the policy is configured to hide overrides. If the policy is configured to allow overrides, users can remove protection from the file by selecting Personal.

Co-Management

Starting with Configuration Manager version 1802, co-management enables you to concurrently manage Windows 10, version 1803 (also known as the April 2018 Update) devices by using both Configuration Manager and Intune. It is a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach.

After you enable co-management, Configuration Manager continues to manage all workloads. When you decide that you are ready, you can have Intune start managing available workloads. You can have Intune manage the following workloads: Compliance policies, Windows Update for Business policies, Resource Access policies, and Endpoint Protection.

Prerequisites

Perform the following tasks before proceeding.

Task: Configure Azure AD Connect with Device Sync and Install the ConfigMgr Client on CLIENT1
Complete the steps defined in Section 3.3.1. Also, install the ConfigMgr Client on CLIENT1 as per the steps below:
1. On the CLIENT1 VM, disable the firewall.
2. On the CM1 VM, launch the Configuration Manager Console and navigate to Administration > Hierarchy Configuration > Discovery Methods.
3. Select Active Directory System Discovery and click Run Full Discovery Now.
4. Click Yes on the prompt.
5. Navigate to Assets and Compliance > Devices and ensure that CLIENT1 is showing in the list of devices.
6. Right-click CLIENT1 and click Install Client.
7. In the Install Configuration Manager Client wizard, click Next.
8. Check the box next to Install the client software from a specified site, select the respective site and click Next.
9. Click Next again.
10. Click Close.
11. After a few minutes, the CLIENT1 VM will have the client installed, and the Configuration Manager console will indicate so.

Enable Co-Management for Automatic Enrollment

Once co-management is enabled, devices in the Pilot group can automatically enroll into Intune. This requires using a verified domain during the setup process of Azure AD Connect.

Complete these steps on the CM1 virtual machine.

Task: Create a Device Collection
1. Open the Configuration Manager Console, browse to the Assets and Compliance workspace and select Device Collections.
2. Right-click Device Collections and select Create Device Collection.
3. Input the following information:
   General: Name – Enter Co-managed Devices; Limiting collection – Select All Desktop and Server Clients and click Next.
4. Select Use incremental updates for this collection.
5. Click Next.
6. Accept the warning.
7. Summary – click Next, then click Close.

Task: Add a Device to the Collection
1. In the Assets & Compliance workspace, select Devices and right-click Client1.
2. Select Add Selected Items and then click Add Selected Items to Existing Device Collection.
3. Select Co-managed devices and click OK.
4. Select Device Collections, right-click Co-managed devices, and select Update Membership. Click Yes on the warning box to continue.

Task: Enable Co-Management
1. Open the Configuration Manager Console, browse to Administration > Cloud Services > Co-management.
2. Right-click Co-management and select Configure co-management.
3. In the Co-management Configuration Wizard, sign in to Intune using labadmin@<AzureDomainName>.
4. Click Next.
5. Click Next on the Enablement page.
6. Click Next on the Workloads page.
7. Select the Co-managed Devices device collection for the Intune Pilot on the Staging page. Click Next.
8. Click Next on the Summary page. Click Close.

Co-Manage Devices with the Configuration Manager Client

For unverified domains, co-management can still be enabled by enrolling the domain-joined device into Intune.

Complete these steps on the CLIENT1 virtual machine.

Task: Log in to Client1
1. Log in as CORP\LabAdmin with password P@ssw0rd.
2. Open the Settings app, click Accounts > Access work or school, and click + Connect.
3. Log in using TU1@<AzureDomainName>.

Complete these steps from an Internet-connected Windows computer.

Task: Check Windows 10 Device Enrollment in Microsoft Intune
Note: In this example, we will look in Microsoft Intune to see the device details; Intune already recognizes Windows 10 as an operating system.
1. Start Internet Explorer in InPrivate mode.
2. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
3. On the left navigation bar, click All services > Intune.
4. Select Devices > All devices.
5. Click the Windows 10 device that you have enrolled (CLIENT1). Observe the information that has been collected about the device.

Complete these steps on the CM1 virtual machine.

Task: Check Co-Management Portal
1. Open the Configuration Manager Console, browse to Monitoring > Co-management.
2. Confirm 1 device is listed on the Co-managed devices graph.
   Note: This data will take some time to appear.

Modern Application Management with Intune

As an IT admin, you are responsible for making sure that your end users have access to the apps they need to do their work.
Intune offers a range of capabilities to help you get the apps you need on the devices you want.

Application Deployment and Management with Microsoft Intune

Note: This section is applicable in case you have not done this in the previous lab.

Add Windows line-of-business (LOB) apps to Microsoft Intune

Intune supports Windows line-of-business apps (.msi files only).

Note: The steps below have been performed in the previous scenarios as well.

Complete these steps from an Internet-connected Windows computer.

Task: Add Line-of-Business App
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps, and click + Add.
6. In the Add app pane, under App type, select Line-of-business app.

Task: Configure Line-of-Business App
1. In the Add app pane, click App package file.
2. On the App package file blade, choose the browse button, and select a Windows installation file with the extension .msi, .appx, or .appxbundle. A sample .msi file can be downloaded for this lab.
3. Click OK.
4. In the Add app pane, click App information.
5. Enter the following information and click OK:
   - Name - Enter the name of the app as it is displayed in the company portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps is displayed to users in the company portal.
   - Description - Enter a description for the app. The description is displayed to users in the company portal.
   - Publisher - Enter the name of the publisher of the app.
   - Category - Select one or more of the built-in app categories, or a category you created. Categorizing apps makes it easier for users to find the app when they browse the company portal.
   - Display this as a featured app in the Company Portal - Display the app prominently on the main page of the company portal when users browse for apps.
   - Information URL - Optionally, enter the URL of a website that contains information about the app. The URL is displayed to users in the company portal.
   - Privacy URL - Optionally, enter the URL of a website that contains privacy information for the app. The URL is displayed to users in the company portal.
   - Command-line arguments - Optionally, enter any command-line arguments that you want to apply to the .msi file when it runs, like /q.
   - Developer - Optionally, enter the name of the app developer.
   - Owner - Optionally, enter a name for the owner of this app, for example, HR department.
   - Notes - Enter any notes you would like to associate with this app.
   - Logo - Upload an icon that is associated with the app. The icon is displayed with the app when users browse the company portal.
6. In the Add app pane, click Add to upload the app to Intune.
7. Click Select.
8. Click OK.
9. Click OK again.
10. Click Save.

Assign Apps to Groups with Microsoft Intune

In the following section, you will assign the line-of-business app to users and devices.

Complete these steps from an Internet-connected Windows computer.

Task: Locate App
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps.
6. On the list of apps blade, click the app you want to assign.

Task: Assign and Configure App Assignment
1. On the <app name> overview pane, click Assignments.
2. Click Add group.
3. Select Required under Assignment type.
4. Under Included Groups | Selected Groups, select Sales.
5. Click Select.
6. Click OK.
7. Click OK again.
8. Click Save.

Application Self-Service with Microsoft Store for Business

This section will provide the guidance to set up and experience the
Microsoft Store for Business. Applications that can be discovered, published and managed using the information contained at the links below.TaskDetailed StepsComplete these steps from an Internet-connected Windows computer.Also, login to and for the Microsoft Store for BusinessStart a new Internet Explorer window in private mode.Click Sign in on the top right hand corner. On the Let’s check if you have an account window, enter the credentials LabAdmin@<azuredomain>., which is a global administrator, created previously and click Next.Once it detects and says You have an account with us. You’re using LabAdmin@<azuredomain>. with a Microsoft service already. Sign in with your existing password, click Sign in.Enter the password and click Sign in.On the Microsoft Store for Business and your data screen, check the consent box and click Accept.You have completed the signup for the Microsoft Store for Business.Roles and PermissionsClick Manage and then click Permissions.Notice that LabAdmin is already assigned the Global Admin Role. Click Assign roles.In the Assign roles to people window, review the various roles available along with their permissions. In the text box above, type TU1 and click Test User1 in the search results. You can add multiple users in the text box.Once Test User1 is added in the text box above, select the Role – Purchaser and click Save.The user will then be added with the assigned permissions. At any point you want to remove the user from the list, select the user and click Remove. For now, do not remove.Note: For more information, refer to (v=vs.85).aspxFind and Acquire ApplicationsClick Settings. Under Shopping experience, enable Show offline apps: Show offline licensed apps to people shopping in the Microsoft Store.Click Shop for my group and click an app of your choice, example OneNote.Review the 2 licensing type: Online and Offline. 
Select Offline and click Get the app.If this is the first time you are using Microsoft Store for Business, check the boxes for the license and click Accept.It will mention that the app has been purchased and added to your inventory. Click Close. Offline apps can be distributed by using a provisioning package and include it as part of imaging a device using Deployment Image Servicing and Management (DISM) or Windows ICD and also can be distributed through a management tool or server.Note: You will then be on the page where it will ask you to manage or download the package for offline use. You do not have to download the package for offline use for this demo. Just go to the next step.Under Shop for my group, select another app, example Microsoft Remote Desktop and select Online. Click Get the app. Click to agree to terms, It will mention that the app has been purchased and added to your inventory. Click Close. Click the “…” box and click Manage. It will then present with 2 methods of distribution by adding to the private store and Assigning to users. (Online apps can be distributed by assigning it to employees as well as adding it to your private store, allowing employees to download it through a management tool.) If you select to add to the private store, it will start adding the app into your private store and could take upto twenty four hours before the app is available in the private store as a separate tab.Under Shop for my group, select another app, example DocuSign and click Get the app. Click Close. If you select Assign Users and then in the text box, type a username, example TU1, click Test User1 in the search results and click Assign | Close, the app will be directly available to the user in the Store > My Library section. You can add multiple users in the text box. 
The user then can download and install the app from the store.Note: For more information, refer to (v=vs.85).aspxApp Inventory ManagementClick Manage and click Products & services and click Apps & software.You can find an app from the Search apps & software text box.You can also refine your search by selecting Refine results based on Product type, Application type, Source and Private store.You will be able to see the list of apps with the following tabs – Name, Available quantity, Usage/Total and Date.If you click the (…) for an Online-licensed app, you will see the options – View license details, Assign to people, View private store details and View product details.If you click the (…) for an Offline-licensed app, you will see the options – Download for offline use and View product details.You can even manage app licenses by viewing, assigning and reclaiming licenses.Note: You can remove an app from the Private Store. For more information, refer to (v=vs.85).aspxDistribute Apps with a Management ToolClick Manage, then click Settings and then click Distribute.You should be able to see the available MDM tools.Select the MDM tool you want to synchronize with Store for Business, and then click Activate. Your MDM tool is ready to use with the Store for Business. Consult docs for your management tool to learn how to distribute apps from your synchronized inventory.Note: For more information, refer to (v=vs.85).aspxEnterprise State RoamingWith Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. 
Additionally, Enterprise State Roaming offers:
- Separation of corporate and consumer data: organizations are in control of their data, and corporate data is never mixed into a consumer cloud account, nor consumer data into an enterprise cloud account.
- Enhanced security: data is automatically encrypted before it leaves the user's Windows 10 device using Azure Rights Management (Azure RMS), and it stays encrypted at rest in the cloud. Only namespaces, such as setting names and Windows app names, are stored unencrypted.
- Better management and monitoring: the Azure AD portal integration provides control and visibility over who syncs settings in your organization and on which devices.

Prerequisites
Perform the following tasks before proceeding.
Prerequisite Lab: ensure that both the CLIENT3 and CLIENT4 virtual machines are Azure AD domain joined using TU1@<AzureDomainName> and that both have been rebooted at least once.

Configure Enterprise State Roaming
In this lab, you will set up and configure Enterprise State Roaming.
Complete these steps on the DC1 virtual machine.
Enable Enterprise State Roaming in the Azure Web Portal
1. Start Internet Explorer in InPrivate mode.
2. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
3. On the left navigation bar, click Azure Active Directory > Devices > Device settings.
4. In the Users may sync settings and app data across devices setting, select Selected.
5. Click Selected below and click + Add members.
6. Type TU1, select Test User1 and click Select.
7. Click OK.
8. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Confirm that Settings Sync is Enabled for the User
1. Log in as TU1@<AzureDomainName>. If this is the first login, go through the Windows Hello steps.
2. Click Start > Settings > Accounts > Sync your settings.
3. Verify that Sync your settings is on.
4. Verify that the test account is listed in the description on the settings page: "Sync Windows settings to other devices using <testaccount>".
Personalize Windows Settings on the First Machine
1. Right-click the taskbar and uncheck Lock the taskbar.
2. Drag the taskbar so that it is positioned on the right of the screen.
Complete these steps on the CLIENT4 virtual machine.
Verify that the Changes have Synced to the Second Machine
Note: It may take a few minutes for the sync on one machine to propagate to the other. If the sync does not complete, try logging in and out of both devices, or locking and unlocking the device.
1. Log in as TU1@<AzureDomainName>. If this is the first login, go through the Windows Hello steps.
2. Verify that the position of the taskbar matches the position set on CLIENT3.

Security
In this module, you will go through Windows 10 capabilities that can help organizations be more secure. We will cover the following scenarios:
- Windows Information Protection
- Windows Defender Advanced Threat Protection
- Windows Defender Application Guard
- Windows Defender Exploit Guard
- Windows Hello
- Credential Guard
- Device Encryption (MBAM)
- Device Guard – User Mode Code Integrity
Prerequisite Sections:
- Windows Insider Lab for Enterprise – Setup Guide
- Section 3.2 – Cloud Environment
- Section 5.3.1.1 – Prerequisites – Install the ConfigMgr Client on CLIENT1
In the lab, CLIENT1 and CLIENT2 are mainly used for Traditional Methods and CLIENT3 and CLIENT4 for Modern Methods; therefore you must enroll CLIENT3 and at least CLIENT4 in Microsoft Intune for the labs below. Several labs in Section 5 (Deployment and Management) explain how to enroll a machine in Microsoft Intune.
For Section 5, it is recommended that you complete these steps on a physical machine with the required hardware capabilities.
Windows Information Protection
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps protect against potential enterprise data leakage without otherwise interfering with the employee experience. WIP also helps protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or other apps.

Modern Management
Follow the sections below to manage Windows Information Protection through modern management tools.
Configuring and Testing WIP using Intune
In this section you will configure a WIP policy in which Edge and Notepad are managed applications. You will test the policy by copying and pasting between managed and unmanaged applications.
Create Groups for use with the WIP Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane, fill in the following values and click Select:
   GROUP TYPE: Security
   GROUP NAME: WIPDemo
   MEMBERSHIP TYPE: Assigned
   MEMBERS: TU1, TU2
7. Click Create.
Creating an Intune WIP Policy
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services.
5. Enter "Intune" in the search box.
6. Click Intune.
7. Click "Mobile apps".
8. Click "App protection policies".
9. Click "+ Add a policy".
10. Fill in the form:
   Name: WIP Demo
   Description: WIP Demo
   Platform: Windows 10
   Enrollment state: With enrollment
   Protected apps: click Add apps, select Microsoft Edge and Notepad, then click OK | OK
   Exempt apps: do not configure
   Configure required settings: Allow Overrides, then click OK
   Advanced Settings: Show the enterprise data protection icon "ON", then click OK
11. Select Create.
12. Select WIP Demo.
13. Select Assignments.
14. Click Select groups to include.
15. Select WIPDemo.
16. Click Save.
Complete these steps on the CLIENT3 virtual machine or a physical machine.
Verify the Policy has been Applied and is Working
1. Log in to the virtual machine as TU2@<AzureDomainName>.
2. Start Notepad.
3. Enter some text in the text field.
4. Select File > "Save As".
Note: Next to the file name field you will see a lock icon.
5. Use the drop-down and select "Work (<Domain name>)".
6. Name the file "WipTest" and click Save.
Note: Notice the new briefcase icon on the title bar.
7. Close Notepad.
8. Open File Explorer.
9. Navigate to the "Documents" folder.
Note: Notice the new icon on WipTest. It shows that the file is managed by WIP.
10. Double-click WipTest to open it again in Notepad.
11. Copy the text.
12. Open WordPad (NOT WIP managed).
13. Paste the text.
Note: You are prompted because you are copying from a managed application to an unmanaged application. Select No.
14. Close WordPad.
15. Open Edge (WIP managed).
16. Paste the text.
Note: This works. Both Edge and Notepad are managed, so copy and paste between them is allowed.
17. Close Edge.
18. Open IE (NOT WIP managed).
19. Paste the text.
Note: You are prompted because you are copying from a managed application to an unmanaged application.
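The briefcase icon and the lock in the Save As dialog are the visual signals of WIP protection. The same state can be read from PowerShell, which is useful when checking many files or a machine without a logged-in user. The script below is an added example and is not part of the lab guide: WIP stores protected files with EFS keyed to the enterprise identity, so the file's Encrypted attribute is the primary signal; the parsing of cipher.exe /c output to extract that identity, and the Documents folder path, are assumptions of this example.

```powershell
# Added example (not from the lab guide): list files and report whether each one
# carries WIP protection. WIP stores protected files with EFS, keyed to the
# enterprise identity, so the Encrypted attribute is the primary signal; the
# cipher.exe /c parsing that extracts the identity is an assumption of this example.
function Get-WipFileStatus {
    [CmdletBinding()]
    param(
        # File or folder to inspect; the lab saves WipTest to the user's Documents folder
        [Parameter(Mandatory)][string]$Path
    )

    $items = if (Test-Path -Path $Path -PathType Container) {
        Get-ChildItem -Path $Path -File
    } else {
        Get-Item -Path $Path
    }

    foreach ($f in $items) {
        $encrypted = (($f.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        $identities = @()

        if ($encrypted) {
            # cipher /c prints a "Users who can decrypt:" block; for WIP files the
            # entry is the enterprise identity (the work domain) rather than a user.
            $collect = $false
            foreach ($line in (& cipher.exe /c $f.FullName 2>$null)) {
                if ($line -match 'Users who can decrypt') { $collect = $true; continue }
                if (-not $collect) { continue }
                if ($line.Trim() -eq '' -or $line -match 'recovery certificate') { break }
                if ($line -notmatch 'thumbprint') { $identities += $line.Trim() }
            }
        }

        [pscustomobject]@{
            File       = $f.Name
            Protected  = $encrypted
            Identities = ($identities -join '; ')
        }
    }
}

# Usage on CLIENT3 as the WIP user: WipTest should show Protected = True
Get-WipFileStatus -Path (Join-Path $env:USERPROFILE 'Documents') | Format-Table -AutoSize
```

Run it as the same user who saved the file (TU2 in this lab); a file saved with the "Work" option should report Protected = True, while a file saved as personal reports False. After the policy is removed later in this module, re-running the check is a quick way to confirm that protection was lifted.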
Select No, then close all open applications.
Removing the Policy
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services.
5. Enter "Intune" in the search box.
6. Click Intune.
7. Click "Mobile apps".
8. Click "App protection policies".
9. Select the policy and click Delete policy | Yes.
Note: The policy is deleted so that the same applications can be used in other labs without this policy being enforced.

Traditional Management
In this section, you will learn how to configure and deploy WIP policies through System Center Configuration Manager and test different WIP scenarios.
Note: This lab can only be performed if the System Center Configuration Manager environment is on Current Branch (1802) or higher.
Follow the sections below to manage Windows Information Protection through traditional management tools.

Prerequisites
Perform the following tasks before proceeding.
Complete these steps on the CLIENT1 virtual machine.
Install Google Chrome
1. Open Internet Explorer, browse to the Google Chrome download page and click DOWNLOAD CHROME.
2. On the Download Chrome for Windows popup window, click ACCEPT AND INSTALL.
3. Click Run to start ChromeSetup.exe and accept the UAC prompt if it appears.
4. Once the installation completes, close all windows.
Pin Applications
Pin the following applications to Start:
- Internet Explorer
- Google Chrome
- Notepad
- WordPad
Complete these steps on the CM1 virtual machine.
Create a Collection
1. Open the Configuration Manager Console from the Start menu.
2. In the Configuration Manager Console, browse to Assets and Compliance.
3. Right-click Device Collections and select Folder > Create Folder.
4. In the Configuration Manager window, under Folder name enter Windows Information Protection, then click OK.
5. Expand Device Collections and right-click Windows Information Protection.
6. Select Create Device Collection.
7. On the General page, enter the following, then click Next.
   Name: Block
   Limiting Collection: All Desktop and Server Clients
8. On the Membership Rules page, click Next.
9. On the warning dialog box, click OK.
10. On the Summary page, click Next.
11. On the Completion page, click Close.

Configure Data Recovery Agent (DRA) Certificate
In this activity, you will create and enroll for a Data Recovery Agent certificate, which is a prerequisite for configuring WIP policies through System Center Configuration Manager.
Complete these steps on the DC1 virtual machine.
Create a DRA Certificate Template
1. Open the Certification Authority from the Start menu.
2. In the Certification Authority console, expand corp-DC1-CA, right-click Certificate Templates and select Manage.
3. In the Certificate Templates Console, right-click EFS Recovery Agent and select Duplicate Template.
4. In the Properties of New Template window, go to the General tab.
5. On the General tab, under Template display name enter WIP Recovery Agent, select Publish certificate in Active Directory, then go to the Request Handling tab.
6. On the Request Handling tab, verify that under Purpose, Encryption is selected and that Allow private key to be exported is selected, then go to the Security tab.
7. On the Security tab, select LabAdmin and under Allow, select Enroll.
8. In the Properties of New Template window, click Apply, then click OK.
9. Close the Certificate Templates Console.
10. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.
11. In the Enable Certificate Templates window, select WIP Recovery Agent, then click OK.
Request a DRA Certificate
1. Right-click Start and select Run.
2. In the Run window, enter certmgr.msc, then click OK.
3. In the Certificates console, right-click Personal and select All Tasks > Request New Certificate….
4. On the Before You Begin page, click Next.
5. On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy, then click Next.
6. On the Request Certificates page, select WIP Recovery Agent, then click Enroll.
7. Once enrolled successfully, click Finish.
Export the DRA Certificate
1. In the Certificates console, under Personal > Certificates, right-click the certificate issued by corp-DC1-CA and select All Tasks > Export….
2. On the Welcome to the Certificate Export Wizard page, click Next.
3. On the Export Private Key page, select Yes, export the private key, then click Next.
4. On the Export File Format page, click Next.
5. On the Security page, select Password:, enter P@ssw0rd under Password: and Confirm password:, then click Next.
6. On the File to Export page, click Browse….
7. In the Save As window, browse to the Desktop, click New folder and rename the new folder DRA.
8. Double-click the DRA folder.
9. Under File name, enter WIP-DRA-key, then click Save.
10. On the File to Export page, click Next.
11. Once complete, click Finish.
12. Click OK on the export successful dialog.
13. In the Certificates console, under Personal > Certificates, right-click the certificate issued by corp-DC1-CA again and select All Tasks > Export….
14. On the Welcome to the Certificate Export Wizard page, click Next.
15. On the Export Private Key page, select No, do not export the private key, then click Next.
16. On the Export File Format page, select Base-64 encoded X.509 (.CER), then click Next.
17. On the File to Export page, click Browse….
18. In the Save As window, browse to the Desktop, under File name enter WIP-DRA, then click Save.
19. On the File to Export page, click Next.
20. Once complete, click Finish.
21. Click OK on the export successful dialog.
Copy the Certificate
1. From the Desktop, copy the file WIP-DRA.cer to \\CM1\Packages$.

Windows Information Protection Policies
In this activity, you will create and deploy a WIP configuration item and baseline that blocks inappropriate data sharing practices.
Complete these steps on the CM1 virtual machine.
Create a Block WIP Configuration Baseline
1. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines, then click Create Configuration Baseline on the ribbon.
2. In the Create Configuration Baseline window, under Name enter WIP - Block.
3. Under Configuration data, click Add > Configuration Items.
4. In the Add Configuration Items window, select WIP – Block, click Add, then click OK.
5. In the Create Configuration Baseline window, click OK.
Deploy the WIP Policies
1. Browse to Assets and Compliance > Compliance Settings > Configuration Baselines.
2. Right-click WIP – Block, then select Deploy.
3. In the Deploy Configuration Baselines window, select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window.
4. Under Collection, click Browse….
5. In the Select Collection window, browse to Device Collections > Windows Information Protection, select Block, then click OK.
6. In the Deploy Configuration Baselines window, click OK.

Validate Policies
In this activity, you will perform various tests of the enforcement of the WIP policies in different scenarios.
Complete these steps on the CM1 virtual machine.
Add Device to Collection
1. In the Configuration Manager Console, browse to Assets and Compliance > Devices.
2. Right-click the CLIENT1 virtual machine and select Add Selected Items > Add Selected Items to Existing Device Collection.
3. In the Select Collection window, browse to Device Collections > Windows Information Protection, select Block, then click OK.
Complete these steps on the CLIENT1 virtual machine.
Refresh Configuration Manager Machine Policy
1. Log on as CORP\LabAdmin and open the Control Panel. Select the Configuration Manager icon.
2. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.
3. In the Configuration Manager Properties window, go to the Configurations tab and confirm that the WIP – Block baseline is listed.
4. Select the WIP – Block baseline and click Evaluate.
5. Click Refresh and confirm that the Compliance State has changed to Compliant.
6. In the Configuration Manager Properties window, click OK.
Encryption through File Explorer
1. Right-click the Desktop and select New > Bitmap image.
2. Rename the file Picture1.bmp.
3. Right-click Picture1.bmp, then select File ownership > Work (Olympia.local).
4. Right-click Picture1.bmp, then select Properties.
5. In the Picture1.bmp Properties window, click Advanced….
6. In the Advanced Attributes window, click Details.
7. In the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.
8. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Encryption through Save in an Enterprise Application
1. Click Start and open Notepad.
2. In the Untitled file, enter This is a protected file.
3. Click File > Save As….
4. In the Save As window, browse to Desktop, under File name select Work (Olympia.local), enter Protected File1, then click Save.
5. Right-click Protected File1.txt, then select Properties.
6. In the Protected File1 Properties window, click Advanced….
7. In the Advanced Attributes window, click Details.
8. In the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.
9. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Automatic Encryption on Copy from Trusted Network Shares
Note: Before performing these steps, on CM1 create a dummy folder called WIN10X64-Settings under the Packages$ share and, within it, a blank dummy XML file called Unattend.xml. The file should open by default only in Notepad or Internet Explorer; for this example, Notepad has been chosen as the default app.
1. Right-click Start and select Run.
2. In the Run window, enter \\CM1\Packages$ and click OK.
3. Open WIN10X64-Settings and copy Unattend.xml to the Desktop.
4. Right-click Unattend.xml, then select Properties.
5. In the Unattend Properties window, click Advanced….
6. In the Advanced Attributes window, click Details.
7. In the Enterprise Control window, verify that Olympia.local is listed and the status of the file is Protected.
8. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Open Encrypted Files in an Enterprise Application
1. On the Desktop, open the Unattend.xml file with Internet Explorer.
2. Close Internet Explorer.
Note: The briefcase icon beside the refresh button indicates that the file is protected.
Open Encrypted Files in a Non-Enterprise Application
1. On the Desktop, open the Unattend.xml file with WordPad.
2. Click OK on the access denied prompt.
Note: WordPad is not configured as an Enterprise Application in the Compliance Item policy created earlier.
Policy Enforcement for Copy-Paste
1. Click Start and open Google Chrome.
2. From the Desktop, drag and drop the Unattend.xml file onto Google Chrome.
3. Click OK on the Can't use work content here prompt.
4. On the Desktop, open Protected File1.txt with Notepad.
5. Copy the text within the Protected File1.txt file.
6. Click Start and open WordPad.
7. In WordPad, click Paste.
8. Click OK on the Can't use work content here prompt.
9. Close WordPad.
10. Click Start and open Internet Explorer.
11. In Internet Explorer, browse to Bing.
12. Right-click the Bing search text field and select Paste.
13. Click OK on the Can't use work content here prompt.
14. Close Internet Explorer.
Note: Bing is treated as a separate application and is not configured as an Enterprise Application in the Compliance Item policy created earlier.
15. Right-click Start and select Run.
16. In the Run window, enter \\10.0.0.6\MDOP and click OK.
17. From the Desktop, copy the Unattend.xml file and paste it into the MDOP share.
18. In the Interrupted Action window, click Cancel.
Note: Windows Information Protection blocks actions that violate the configured policies, such as opening enterprise files in a non-enterprise application, and copying the contents of an enterprise file to a non-enterprise application, URL or network share.
Remove Encryption
Complete these steps on the CM1 and CLIENT1 virtual machines.
1. On CM1, in the Configuration Manager Console, navigate to Assets and Compliance | Compliance Settings | Configuration Items. Select WIP – Block and click Properties on the ribbon.
2. Click the Compliance Rules tab and double-click WIP App Management Mode.
3. Scroll slightly down and select Off: Turns off Windows Information Protection, then click OK in the Edit Rules window.
4. Click Apply and OK in the WIP – Block Properties window.
5. On the CLIENT1 virtual machine, open the Control Panel. Select the Configuration Manager icon. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now to force the device to receive updated policy. This can take up to 5 minutes. Click OK.
6. In the Configuration Manager Properties window, go to the Configurations tab, select the WIP – Block baseline and click Evaluate and Refresh.
7. Click OK.
8. Right-click Picture1.bmp, then select Properties.
Note: The briefcase icon no longer shows on the file.
9. In the Picture1.bmp Properties window, click Advanced….
10. In the Advanced Attributes window, verify that Encrypt contents to secure data is not selected.
11. Click OK twice.

Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Windows Defender ATP combines the following technology built into Windows 10 with Microsoft's cloud service:
- Endpoint behavioral sensors: embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example process, registry, file, and network communications) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.
- Cloud security analytics: leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.
In this section, you will learn how to configure and use Windows Defender ATP to detect and respond to threats.
Note: This lab can only be performed if the customer has already registered for, and been approved for, the Microsoft WDATP Preview/Trial program (Section 3.2.3).

Onboarding a Windows 10 Device
In this activity, you onboard your first Windows 10 client to Windows Defender Advanced Threat Protection.
Complete these steps on the CLIENT2 virtual machine.
Download the Onboarding Package
1. Log in to the device.
2. Navigate to the Windows Defender ATP portal and sign in with labadmin@<AzureDomainName>.
3. On the Getting started page, click Next.
4. On the Set up your preferences page, select the appropriate data storage location and click Next.
5. Select the appropriate data retention policy and click Next.
6. Select your organization size and click Next.
7. Select your industry and click Next.
8. Select the appropriate preview experience option and click Next.
9. Click Continue to create a cloud instance. Creation of your Windows Defender ATP cloud instance starts.
10. On the Endpoint onboarding page, under the Select your deployment tool dropdown, select Local Script (for up to 10 machines) and click Download package. Once downloaded, click Finish.
11. Click Save as and save the package to C:\.
Execute the Onboarding Package
1. Navigate to C:\, right-click the package and click Extract All….
2. Click Extract.
3. Navigate to the extracted package, right-click the script file and click Edit.
Note: Note the registry paths the script writes to, and the log and Event ID it creates with eventcreate on success.
4. Close Notepad.
5. Right-click the script file and click Run as administrator. Press Y to confirm and continue. Press any key to continue.
6. After 5-10 minutes the device should start reporting to the portal.
Configure the Sample Collection Setting
1. Click the Start menu and type regedit, right-click it and choose Run as administrator.
2. Locate the following registry path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
3. Create a DWORD value AllowSampleCollection and set it to 1.
Note: With this setting, the administrator can request file samples from the machine through the portal for deeper investigation. No samples are collected automatically; collection is always initiated by the administrator.
Verify the Deployment Success
1. Check that the SENSE service is running by opening the Command Prompt and running sc query sense. The STATE should be 4 RUNNING.
2. Open Event Viewer (Local) > Windows Logs > Application and locate Event ID 20 from the source WDATPOnboarding.
3. Open Event Viewer (Local) > Application and Services Logs > Microsoft > Windows > SENSE > Operational. Check for Event ID 4 to confirm that the SENSE service reports a successful server connection every 5 minutes. Connection frequency may vary depending on factors such as battery state.
4. In the portal, choose Machines View and locate your machine in the list on the right; its Health State should be Active.
Install Office (If Not Installed)
1. Go to the Office 365 portal and sign in as TU2@<AzureDomainName>.
2. Click Install Office 2016.
3. Click Run.

Perform Simulation
In this activity, you will go step by step through a typical attack sequence that you run yourself.
Note: The setup guide also contains instructions and links for the attack demo.
Complete these steps on the CLIENT2 virtual machine.
Follow the Demo Attack Simulation Guidance
1. Click the link in the setup guide to open the WinATP-Intro-Invoice.doc Word document.
2. Because the device has Office 2016 installed, click Yes and OK on the Office 2016 security prompts.
3. Enter the password to open the Word document and click OK. The password is provided in the setup guide.
4. Click Enable Content in the opened Word document.
5. Click OK on the prompt.
6. A backdoor will run in a command window. Press any key to close it.
7. You will now see that an Active alert has been reported to Windows Defender Advanced Threat Protection by the device.
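The four deployment checks above (SENSE service state, Event ID 20 from WDATPOnboarding, Event ID 4 in the SENSE Operational log, and the AllowSampleCollection value) are what you would re-run on any machine that stops appearing in the portal, so it pays to have them in one script. The function below is an added example and is not part of the lab guide or the onboarding package; the service name, registry path, log names and event IDs are the ones the lab states, while reading OnboardingState from the Status key is an extra assumption of this example.

```powershell
# Added example (not from the lab guide): gather the onboarding checks the lab
# performs by hand into one report. Service name, registry path, log names and
# event IDs come from the lab text; the Status\OnboardingState value is an assumption.
function Test-WdatpOnboarding {
    [CmdletBinding()]
    param([int]$MinutesBack = 60)   # window in which SENSE heartbeats (Event ID 4) are expected

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'   # assumption

    # 1. SENSE service state, the PowerShell equivalent of "sc query sense" (STATE 4 = RUNNING)
    $svc = Get-Service -Name sense -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. The onboarding script writes Event ID 20, source WDATPOnboarding, on success
    $onboardEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'WDATPOnboarding'; Id = 20
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # 3. SENSE logs Event ID 4 for each successful server connection (about every 5 minutes)
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    $heartbeats = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 4; StartTime = $since
    } -ErrorAction SilentlyContinue)
    $lastHeartbeat = if ($heartbeats.Count -gt 0) { $heartbeats[0].TimeCreated } else { $null }

    # 4. Sample collection policy: 1 lets an analyst request samples from the portal
    $sample = (Get-ItemProperty -Path $policyKey -Name AllowSampleCollection -ErrorAction SilentlyContinue).AllowSampleCollection
    $state  = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        SenseRunning          = $serviceRunning
        OnboardingEventSeen   = ($null -ne $onboardEvent)
        OnboardingState       = $state
        HeartbeatsInWindow    = $heartbeats.Count
        LastHeartbeat         = $lastHeartbeat
        AllowSampleCollection = $sample
        Healthy               = ($serviceRunning -and $null -ne $onboardEvent -and $heartbeats.Count -gt 0)
    }
}

# Run from an elevated PowerShell on CLIENT2 once the device shows in the portal
Test-WdatpOnboarding | Format-List
```

A machine that reports SenseRunning = True but zero heartbeats in the window is usually blocked from reaching the service URLs rather than mis-onboarded, so checking HeartbeatsInWindow separately from OnboardingEventSeen narrows the problem quickly.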
Navigate through the portal for further details on the attack and ways to remediate.

Windows Defender Application Guard
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what counts as trusted: web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data.
Note: Windows Defender Application Guard can only be enabled if the hardware requirements in the Microsoft documentation are met: the machine (virtual or physical) must have Hyper-V, TPM and Secure Boot enabled.

Modern Management
Follow the sections below to manage Windows Defender Application Guard through modern management tools.
Configure Windows Defender Application Guard
In this section you will configure WDAG using modern management.
Create Groups for use with the WD Application Guard Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane, fill in the following values and click Select:
   GROUP TYPE: Security
   GROUP NAME: WDAGDemo
   MEMBERSHIP TYPE: Assigned
   MEMBERS: TU1, TU2
7. Click Create.
Creating an Intune WDAG Policy
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services.
5. Enter "Intune" in the search box.
6. Click Intune.
7. Click "Device configuration".
8. Click "Profiles".
9. Click "+ Create profile".
10. Fill in the form:
   Name: WDAG Demo
   Description: WDAG Demo
   Platform: Windows 10 and later
   Profile type: Endpoint protection
11. Select "Windows Defender Application Guard".
12. Fill out the form:
   Application Guard: Enabled for Edge
   Clipboard behavior: Block copy and paste between PC and browser
   External content on enterprise sites: Not configured
   Print from virtual browser: Allow
   Printing type(s): PDF
   Collect logs: Not configured
   Retain user-generated browser data: Not configured
   Graphics acceleration: Not configured
   Download files to host file system: Not configured
13. Select OK.
14. Select OK.
15. Select Create.
16. Select Assignments.
17. Select "Select groups to include".
18. Select "WDAGDemo" and click Select.
19. Click Save.
Configure the Trusted Site List
1. Go back to Intune.
2. Click "Client Apps".
3. Click "App Protection Policies".
4. Click "Create Policy".
5. Fill in the form:
   Name: WDAG Site List
   Platform: Windows 10
   Enrollment State: With Enrollment
6. Click Advanced Settings.
7. Add a network boundary:
   Boundary type: Cloud resources
   Name: ECR
   Value: the list of cloud resources separated by the '|' (pipe) symbol, for example "… | olympia.… | /*AppCompat*/"
8. Click OK.
Note: Add /*AppCompat*/ to your list of cloud resources to enable TLS connections by personal apps that connect directly to a cloud resource through an IP address.
9. Add a network boundary:
   Boundary type: Neutral resources
   Name: NeutralResources
   Value: the list of web sites separated by ','; the $ sign is used as a wildcard for web sites, for example "$.…, $.…"
10. Click OK.
11. Click Create.
12. Click the newly created policy.
13. Click Assignments.
14. Select "Select groups to include".
15. Select "WDAGDemo" and click Select.
16. Click Save.
Complete these steps on a physical machine. (To connect a physical machine to the lab, see Section 3 of the Setup Guide.)
Verify the Policy has been Applied and is Working
1. Log in to the machine as TU2@<AzureDomainName>.
2. Select Start.
3. Select Settings.
4. Select Accounts.
5. Select Access work or school.
6. Select Connected to <CompanyName> Azure AD.
7. Click Info.
8. Click Sync to force a policy update and confirm that the sync was successful.
9. Close Settings. Reboot the machine once.
10. Launch Edge.
11. Press Alt-X.
12. Select "New Application Guard window".
13. A new window should appear.
Note: In the upper left corner of the window you should see Application Guard and a thin orange line at the top of the window. This indicates you are running in Application Guard mode.
14. Enter a URL.
15. Create a new tab.
16. Copy the URL into the new tab.
Note: This works because both tabs are inside Application Guard.
17. Open IE.
18. Try to copy the URL from the WDAG Edge window into IE.
Note: You cannot copy, because WDAG is configured not to allow copy and paste between the container and the OS.
19. Enter a URL in IE.
20. Copy this URL from IE and try to paste it into the WDAG Edge window.
Note: You cannot copy, because WDAG is configured not to allow copying from the OS into the WDAG Edge window.
Verify Trusted Web Site Behavior
Cloud resources always open in the host Edge:
1. Launch Edge.
2. Press Alt-X.
3. Select "New Application Guard window".
4. Navigate to one of the Olympia sites configured as Cloud resources above.
5. Notice that the web site renders in Edge on the host OS.
Sites on the Neutral list open in whichever browser they were opened in:
1. Launch Edge.
2. Press Alt-X.
3. Select "New Application Guard window".
4. Navigate to one of the sites configured as Neutral resources.
5. Notice that the web site renders in WDAG.
6. Launch Edge (host).
7. Navigate to one of the sites configured as Neutral resources.
8. Notice that the web site renders in the host Edge.
Untrusted sites open in WDAG:
1. Launch Edge.
2. Navigate to a site that is not part of the trusted site list. Notice that the web site opens in a WDAG window.

Traditional Management
Follow the sections below to manage Windows Defender Application Guard through traditional management tools.
Prerequisites
Complete these steps on the CLIENT1 virtual machine.
Install the Feature
1. Open the Control Panel, click Programs, and then click Turn Windows features on or off.
2. Select the check box next to Windows Defender Application Guard and then click OK.
3. Restart the device.
Configure Group Policy Settings
Complete these steps on the DC1 virtual machine.
Turn On Windows Defender Application Guard
1. In the Group Policy Management Console, edit the Default Domain Policy and go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard.
2. Double-click Turn on Windows Defender Application Guard in Enterprise Mode.
3. Select Enabled and click Apply and OK.
Set Up Network Isolation
1. Go to Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud.
2. Select Enabled and type the enterprise cloud resource domain into the Enterprise cloud resources box. Click Apply and OK.
3. Go to the Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal setting.
4. Select Enabled and type the neutral resource domain into the Neutral resources box. Click Apply and OK.
Validate Windows Defender Application Guard
Complete these steps on the CLIENT1 virtual machine.
Test Application Guard
1. Update the group policies by running gpupdate /force from an elevated command prompt.
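Before testing in Edge, it helps to confirm what the Network Isolation policy actually contains on the client and to reason about how a given host will be classified: cloud resources always render in the host Edge, neutral sites stay in whichever browser opened them, and everything else goes to the container. The script below is an added example and is not part of the lab guide; the registry value names (EnterpriseCloudResources, NeutralResources under the NetworkIsolation policy key) and the simplified matching rules (a leading '.' or '$' covers the domain and its subdomains, a bare entry matches exactly) are assumptions of this example and not Microsoft's implementation. The sample policy values are constructed, not the lab's own.

```powershell
# Added example (not from the lab guide): read the Network Isolation policy the GPO
# above writes and show how a host is classified. The registry value names and the
# simplified matching rules are assumptions of this example, not Microsoft's code.
function Get-NetworkIsolationPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'   # assumption
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Enterprise cloud resources" is '|' separated; /*AppCompat*/ is a flag, not a host
        Cloud   = @([string]$p.EnterpriseCloudResources -split '\|' | Where-Object { $_ -and $_ -ne '/*AppCompat*/' })
        # "Neutral resources" is ',' separated; '$' acts as a wildcard prefix
        Neutral = @([string]$p.NeutralResources -split ',' | Where-Object { $_ })
    }
}

function Test-BoundaryMatch {
    param([string]$HostName, [string]$Entry)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $e = $Entry.Trim().ToLowerInvariant()
    # '$' (neutral list) and a leading '.' (cloud list) both mean "this domain and
    # every subdomain"; a bare entry must match the host exactly (simplified model).
    if ($e.StartsWith('$') -or $e.StartsWith('.')) {
        $e = $e.TrimStart('$', '.')
        return ($h -eq $e -or $h.EndsWith('.' + $e))
    }
    return ($h -eq $e)
}

function Get-SiteClassification {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string[]]$Cloud   = @(),
        [string[]]$Neutral = @()
    )
    # Cloud resources win and always open in the host Edge; neutral sites stay in the
    # browser they were opened in; anything else is untrusted and goes to the container.
    foreach ($e in $Cloud)   { if (Test-BoundaryMatch $HostName $e) { return 'Cloud (host Edge)' } }
    foreach ($e in $Neutral) { if (Test-BoundaryMatch $HostName $e) { return 'Neutral (current browser)' } }
    return 'Untrusted (Application Guard container)'
}

# Constructed sample policy in the syntax the two GPO boxes expect (not the lab's values)
$cloud   = '.olympia.local|intranet.olympia.local|/*AppCompat*/' -split '\|' | Where-Object { $_ -ne '/*AppCompat*/' }
$neutral = '$.sso.example.com,cdn.example.net' -split ','
foreach ($h in 'portal.olympia.local', 'login.sso.example.com', 'cdn.example.net', 'www.bing.com') {
    '{0,-24} -> {1}' -f $h, (Get-SiteClassification -HostName $h -Cloud $cloud -Neutral $neutral)
}

# On CLIENT1 after gpupdate, classify against the policy actually applied:
# $p = Get-NetworkIsolationPolicy; Get-SiteClassification -HostName 'portal.olympia.local' -Cloud $p.Cloud -Neutral $p.Neutral
```

With the constructed policy, the two Olympia hosts classify as Cloud, the two example hosts as Neutral, and www.bing.com as Untrusted, which is the behaviour the Edge tests that follow should reproduce. If a site you expect to open on the host lands in the container, compare its host name against the Cloud list this function returns before suspecting the GPO itself.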
Accept the UAC prompt if required.Start Microsoft Edge and type After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists, example After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.Windows Defender Exploit GuardWindows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.There are four features in Windows Defender EG:Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps.Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based work protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices.Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware.Modern ManagementFollow the following sections for managing Windows Defender Exploit Guard through modern management tools.Exploit Guard Controlled FoldersIn this section we are going to create a group that will be used to assign users a Exploit Guard controlled folder policy. 
In addition we will configure the policy and test that it works.

Task: Create Groups
- Close all browser windows.
- Start Internet Explorer in InPrivate mode.
- Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
- On the left navigation bar, click Azure Active Directory > Groups > All groups.
- Click + New group.
- In the Group pane, fill in the following values and click Select:
  GROUP TYPE: Security
  GROUP NAME: ExploitDemo
  MEMBERSHIP TYPE: Assigned
  MEMBERS: TU1, TU2
- Click Create.

Task: Configure Windows Defender Exploit Guard
- On the left navigation bar, click All Services.
- Enter “Intune” in search.
- Click on Intune.
- Under Manage, select “Device configuration”.
- Under Manage, select “Profiles”.
- Select “Create profile”.
- Name the new profile “Exploit Protection Demo”.
- For Platform, select “Windows 10 and later”.
- For Profile type, select “Endpoint protection”.
- Select “Windows Defender Exploit Guard”.
- Select “Controlled folder access”.
- Change Folder protection to “Enable”.
- Select OK three times.
- Select Create.
- Select Assignments.
- Click Select groups to include.
- Check the “ExploitDemo” group.
- Select “Select”.
- Click Save.

Complete these steps on the CLIENT3 virtual machine or a physical machine.

Task: Verify Configuration is Applied
- Log in to the virtual machine as TU2@<AzureDomainName>.
- Select Start > Settings > Accounts > Access work or school.
- Select Connected to <CompanyName> Azure AD.
- Click Info.
- Click Sync to force a policy update and confirm that the sync was successful.
- Open Notepad.exe.
- Create a simple document.
- Save it to “Documents”.
  Note: Notice that it saved just fine.
- Open “Windows PowerShell ISE”.
- Create a simple script containing “Get-Process”.
- Save it to “Documents”.
  Note: Notice that you cannot save to Documents because this is a protected folder. You will get a “File not found” message.
- Press OK.
  Note: You may also notice a message slide in from the right stating that the save was blocked by Controlled folder access. Click the notification icon to review this notification.

Traditional Management

Follow the sections below to manage Windows Defender Exploit Guard through traditional management tools.

Exploit Protection

Complete these steps on the CLIENT1 virtual machine.

Task: Configure Program-Level Mitigations
- Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for Defender.
- Click the App & browser control tile (or the app icon on the left menu bar) and then Exploit protection settings at the bottom of the screen.
- Go to the Program settings section and click Add program to customize.
- Click Add by program name and type notepad.exe. Click Add.
- In the next window, scroll down to Disable Win32k system calls, select Override system settings and choose On.
- You will be notified if you need to restart the process or app, or if you need to restart Windows. Click Apply and accept the UAC prompt.
- Try to open notepad.exe. Notice the error message.
- Click OK.

Task: Create and Export a Configuration File
- Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the Start menu for Defender.
- Click the App & browser control tile (or the app icon on the left menu bar) and then Exploit protection settings at the bottom of the screen.
- At the bottom of the Exploit protection section, click Export settings and save the configuration file under Documents.
- Copy the file to DC1 in a shared folder with full control.

Complete these steps on the DC1 virtual machine.

Task: Distribute the Configuration File with Group Policy
- On your Group Policy management machine, open the Group Policy Management Console, right-click Group Policy Objects and create a new GPO named WDEG.
- Right-click the new Group Policy WDEG and click Edit.
- In the Group Policy Management Editor, go to Computer Configuration.
- Click Policies, then Administrative Templates.
- Expand the tree to Windows Components > Windows Defender Exploit Guard > Exploit Protection.
- Double-click the Use a common set of exploit protection settings setting and set the option to Enabled.
- In the Options section, enter the location and filename of the Exploit Protection configuration file you saved in the previous section, in UNC format including the file name and its extension, and click Apply | OK.

Attack Surface Reduction

Complete these steps on the DC1 virtual machine.

Task: Distribute the Configuration File with Group Policy
- On your Group Policy management machine, open the Group Policy Management Console and right-click the Group Policy Object WDEG.
- Click Edit.
- In the Group Policy Management Editor, go to Computer Configuration.
- Click Policies, then Administrative Templates.
- Expand the tree to Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction.
- Double-click the Configure Attack Surface Reduction rules setting and set the option to Enabled.
- Click Show... and enter the following rule ID in Value name: D3E037E1-3EB8-44C8-A917-57927947596D
- Set the Value to 1 and click OK.
- Right-click the root domain, click Link an Existing GPO..., select WDEG and click OK.
  Note: Once the WDEG GPO applies, the rule above blocks JavaScript or VBScript from launching downloaded executable content, and the exploit protection settings file distributed by the same GPO prevents notepad.exe from launching.
- Run gpupdate /force on the CLIENT2 VM.

Windows Hello

Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.

In this lab, you will find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment.

Modern Management

Follow the sections below to manage Windows Hello for Business through modern management tools.

Windows Hello for Business

In this lab we are going to set up Windows Hello for Business in the cloud.

Complete these steps from a physical machine or an Internet-connected Windows computer.

Task: Configuring Windows Hello for Business
- Close all browser windows.
- Start Internet Explorer in InPrivate mode.
- Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
- On the left navigation bar, click All services.
- Enter “Intune” in search.
- Click on Intune.
- Select “Device enrollment”.
- Select “Windows enrollment”.
- Select “Windows Hello for Business”.
- Choose the Default settings.
- Select “Properties” and review.
- Select “Settings”.
- Enable “Windows Hello for Business”.
- Review the possible settings.
- Select Save.

Traditional Management

Follow the sections below to manage Windows Hello for Business through traditional management tools.

Validate Active Directory Prerequisites

The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest.
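Before continuing with the Windows Hello for Business prerequisites, here is an added PowerShell example (not from the lab guide) that applies and verifies the Exploit Guard settings configured in the preceding sections: controlled folder access (set through Intune above), the notepad.exe Win32k mitigation and the exported settings file (the Exploit Protection tasks), and the ASR rule (the Attack Surface Reduction task). It uses the Windows Defender and ProcessMitigations cmdlets that ship with Windows 10 1709 and later; the rule GUID is the one from the Group Policy steps, while the export path is an assumption. The ASR rule is applied in audit mode first so the events it would generate can be reviewed before it is switched to block.

```powershell
# Added example, not from the lab guide: the PowerShell equivalents of the Exploit Guard
# settings configured above (controlled folder access via Intune; the notepad.exe mitigation,
# the exported settings file and the ASR rule via Group Policy), with read-back and event checks.
# Run in an elevated Windows PowerShell on a Windows 10 1709+ client (CLIENT1/CLIENT2 in the lab).
# The rule GUID is the one from the Group Policy steps; the export path is an assumption.
#Requires -RunAsAdministrator

$AsrBlockScriptLaunchedDownloads = 'D3E037E1-3EB8-44C8-A917-57927947596D'
$ExportPath = 'C:\Temp\ExploitProtectionSettings.xml'   # assumed; copy to a read-only share for the GPO

function Set-NotepadWin32kMitigation {
    # Same mitigation the lab turns on in the Security Center UI; notepad.exe is a GUI app,
    # so it fails to start afterwards, which is why the lab uses it as the demo.
    Set-ProcessMitigation -Name notepad.exe -Enable DisableWin32kSystemCalls
    (Get-ProcessMitigation -Name notepad.exe).SystemCalls   # shows DisableWin32kSystemCalls : ON
}

function Remove-NotepadWin32kMitigation {
    # Undo the demo setting once the exercise is finished.
    Set-ProcessMitigation -Name notepad.exe -Disable DisableWin32kSystemCalls
}

function Export-ExploitProtectionSettings {
    # Equivalent of "Export settings" in the UI; the XML is what the
    # "Use a common set of exploit protection settings" policy points at.
    New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
    Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
    Get-Item $ExportPath
}

function Set-AsrRule {
    # Start in audit mode: events are logged but nothing is blocked, so you can review what
    # the rule would hit before switching to Enabled (value 1 in the Group Policy steps).
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockScriptLaunchedDownloads `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Set-ControlledFolderAccess {
    # Same switch the Intune "Controlled folder access" profile sets on the client.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'Enabled')
    Set-MpPreference -EnableControlledFolderAccess $Mode
}

function Get-ExploitGuardState {
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRuleIds             = $p.AttackSurfaceReductionRules_Ids
        AsrRuleActions         = $p.AttackSurfaceReductionRules_Actions   # 0 = Disabled, 1 = Block, 2 = Audit
        ControlledFolderAccess = $p.EnableControlledFolderAccess          # 0 = Disabled, 1 = Enabled, 2 = Audit
        ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders
    }
}

function Get-ExploitGuardEvents {
    # 1121/1122 = ASR rule blocked/audited, 1123/1124 = controlled folder access blocked/audited.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                                     Id = 1121, 1122, 1123, 1124 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Apply and verify
Set-NotepadWin32kMitigation
Export-ExploitProtectionSettings
Set-AsrRule -Mode AuditMode
Set-ControlledFolderAccess -Mode Enabled
Get-ExploitGuardState
Get-ExploitGuardEvents
```

After the PowerShell ISE save test from the Intune section, Get-ExploitGuardEvents should show a 1123 event naming powershell_ise.exe and the Documents path; once the audit-mode review of the ASR rule is done, rerun Set-AsrRule -Mode Enabled, which corresponds to the value 1 configured in the Group Policy steps.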
The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.

Complete these steps on the DC1 virtual machine.

Task: Create the KeyCredential Admins Security Global Group
- Open Active Directory Users and Computers.
- Click View and click Advanced Features.
- Expand the domain node in the navigation pane.
- Right-click the Users container. Click New > Group.
- Type KeyCredential Admins in the Group name text box.
- Click OK.

Task: Create the Windows Hello for Business Users Security Global Group
- Right-click the Users container. Click New > Group.
- Type Windows Hello for Business Users in the Group name text box.
- Click OK.

Validate and Configure PKI

Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients, ensuring they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers: during Windows Hello for Business provisioning, the user receives a sign-in certificate.

Note: The following instructions may be used to deploy a simple public key infrastructure that is suitable for a lab environment.

Complete these steps on the DC1 virtual machine.

Task: Configure a Domain Controller Certificate
- Open the Certification Authority management console.
- Right-click Certificate Templates and click Manage.
- In the Certificate Templates Console, right-click the Kerberos Authentication template in the details pane and click Duplicate Template.
- On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
- On the General tab, type Domain Controller Authentication (Kerberos) in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
  Note: If you use different template names, you’ll need to remember and substitute these names in other parts of the lab.
- On the Subject Name tab, select Build from this Active Directory information if it is not already selected. Select None from the Subject name format list. Select DNS name under Include this information in alternate subject name. Clear all other items.
- On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.
- Close the console.

Task: Configure an Internal Web Server Certificate Template
- Right-click Certificate Templates and click Manage.
- In the Certificate Templates Console, right-click the Web Server template in the details pane and click Duplicate Template.
- On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
- On the General tab, type Internal Web Server in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
  Note: If you use different template names, you’ll need to remember and substitute these names in other parts of the lab.
- On the Request Handling tab, select Allow private key to be exported.
- On the Subject Name tab, select Supply in the request if it is not already selected.
- On the Security tab, click Add… Type Domain Computers in the Enter the object names to select box. Click Check Names | OK.
- Select the Allow check box next to the Enroll permission.
- On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list. Click Apply and OK.
- Close the console.

Task: Unpublish Superseded Certificate Templates
- Click Certificate Templates in the navigation pane.
- Right-click the Domain Controller certificate template in the content pane and select Delete. Click Yes in the Disable certificate templates window.
- Repeat the previous step for the Domain Controller Authentication and Kerberos Authentication certificate templates.

Task: Publish Certificate Templates to the Certification Authority
- Click Certificate Templates in the navigation pane.
- Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.
- In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Click OK to publish the selected certificate templates to the certification authority.
- Close the console.

Task: Configure and Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
- Start the Group Policy Management Console (gpmc.msc).
- Expand the domain and select the Group Policy Objects node in the navigation pane.
- Right-click Group Policy Objects and select New.
- Type Domain Controller Auto Certificate Enrollment in the Name box and click OK.
- Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and click Edit.
- In the navigation pane, expand Policies under Computer Configuration.
- Expand Windows Settings, Security Settings, and click Public Key Policies.
- In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
- Select Enabled from the Configuration Model list.
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
- Select the Update certificates that use certificate templates check box.
- Click Apply and OK. Close the Group Policy Management Editor.
- In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the Domain Controllers organizational unit and click Link an Existing GPO…
- In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment (or the name of the domain controller certificate enrollment Group Policy object you previously created) and click OK.

Prepare and Deploy Windows Server 2016 Active Directory Federation Services

Complete these steps on the APP1 virtual machine.

Task: Internal Server Authentication Certificate Enrollment
- Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
- Expand the Personal node in the navigation pane.
- Right-click Personal.
- Select All Tasks and Request New Certificate…
- Click Next on the Before You Begin page.
- Click Next on the Select Certificate Enrollment Policy page.
- On the Request Certificates page, select the Internal Web Server check box.
- Click the More information is required to enroll for this certificate. Click here to configure settings link.
- Under Subject name, select Common name from the Type list. Type the FQDN of the computer hosting the Active Directory Federation Services role (app1.corp.olympia.local) and then click Add. Under Alternative name, select DNS from the Type list. Type the FQDN you will use for your federation service (fs.corp.olympia.local). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click Add. Click Apply and OK when finished.
- Click Enroll. Click Finish.
- A server authentication certificate should appear in the computer’s Personal certificate store.

Task: Deploy the Active Directory Federation Service Role
- Start Server Manager. Click Local Server in the navigation pane.
- Click Manage and then click Add Roles and Features.
- Click Next on the Before you begin page.
- On the Select installation type page, select Role-based or feature-based installation and click Next.
- On the Select destination server page, choose Select a server from the server pool. Select the federation server from the Server Pool list. Click Next.
- On the Select server roles page, select Active Directory Federation Services. Click Next.
- Click Next on the Select features page.
- Click Next on the Active Directory Federation Services (AD FS) page.
- Click Install to start the role installation.
- Click Close.

Complete these steps on the DC1 virtual machine.

Task: Create KDS Root Key
- Start an elevated Windows PowerShell console.
- Accept the UAC prompt if required.
- Type and execute: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Complete these steps on the APP1 virtual machine.

Task: Configure the Active Directory Federation Service Role
- Start Server Manager.
- Click the notification flag in the upper right corner. Click Configure the federation service on this server.
- On the Welcome page, click Create the first federation server in a federation server farm and click Next.
- Click Next on the Connect to Active Directory Domain Services page.
- On the Specify Service Properties page, select the recently enrolled or imported certificate (app1.corp.olympia.local) from the SSL Certificate list and the Federation Service Name (fs.corp.olympia.local).
- Type the Federation Service Display Name (Hello) in the text box. This is the name users see when signing in. Click Next.
- On the Specify Service Account page, select Create a Group Managed Service Account. In the Account Name box, type adfssvc. Click Next.
- On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and click Next.
- On the Review Options page, click Next.
- On the Pre-requisite Checks page, click Configure.
- When the process completes, click Close.

Complete these steps on the DC1 virtual machine.

Task: Add the AD FS Service Account to the KeyCredential Admins Group and the WHfB Users Group
- Open Active Directory Users and Computers.
- Click the Users container in the navigation pane.
- Right-click KeyCredential Admins in the details pane and click Properties.
- Click the Members tab and click Add…
- In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.
- Click Apply and OK to return to Active Directory Users and Computers.
- Right-click the Windows Hello for Business Users group and click Properties.
- Click the Members tab and click Add…
- In the Enter the object names to select text box, type adfssvc. Click Check Names | OK.
- Click Apply and OK to return to Active Directory Users and Computers.
- Switch to the server hosting the AD FS role (APP1) and restart it.

Task: Configure Permissions for Key Registration
- Open Active Directory Users and Computers.
- Right-click your domain name in the navigation pane and click Properties.
- Click Security (NOTE: if the Security tab is missing, turn on Advanced Features from the View menu).
- Click Advanced. Click Add. Click Select a principal.
- The Select User, Computer, Service Account, or Group dialog box appears. In the Enter the object name to select text box, type KeyCredential Admins. Click Check Names | OK.
- In the Applies to list box, select Descendant User objects.
- Using the scroll bar, scroll to the bottom of the page and click Clear all.
- In the Properties section, select Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.
- Click OK three times to complete the task.

Complete these steps on the APP1 virtual machine.

Task: Configure the Device Registration Service
- Open the AD FS Management console. Accept the UAC prompt.
- In the navigation pane, expand Service. Click Device Registration.
- In the details pane, click Configure device registration.
- In the Configure Device Registration dialog, click OK.

Complete these steps on the DC1 virtual machine.

Task: Configure Registration Authority Template
- Open the Certification Authority management console.
- Right-click Certificate Templates and click Manage.
- In the Certificate Templates Console, right-click the Exchange Enrollment Agent (Offline request) template in the details pane and click Duplicate Template.
- On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
- On the General tab, type WHFB Enrollment Agent in Template display name.
  Adjust the validity and renewal period to meet your enterprise’s needs.
- On the Subject Name tab, select Supply in the request if it is not already selected.
  Note: The preceding step is very important. Group Managed Service Accounts (gMSA) do not support the Build from this Active Directory information option, and selecting it will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request so that AD FS servers can perform automatic enrollment and renewal of the enrollment agent certificate.
- On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.
- On the Security tab, click Add…
- Click Object Types… Select the Service Accounts check box and click OK.
- Type adfssvc in the Enter the object names to select text box and click Check Names | OK.
- Click adfssvc in the Group or user names list. In the Permissions for adfssvc section, select the Allow check box for the Enroll permission. Excluding the adfssvc account, clear the Allow check box for the Enroll and Autoenroll permissions for all other entries in the Group or user names list if they are not already cleared. Click Apply and OK.
- Close the console.

Task: Configure the WHfB Authentication Certificate Template
- Right-click Certificate Templates and click Manage.
- Right-click the Smartcard Logon template and choose Duplicate Template.
- On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 / Windows Server 2012 R2 from the Certificate recipient list.
- On the General tab, type WHFB Authentication in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
  Note: If you use different template names, you’ll need to remember and substitute these names in other parts of the deployment.
- On the Cryptography tab, select Key Storage Provider from the Provider Category list. Select RSA from the Algorithm name list. Type 2048 in the Minimum key size text box. Select SHA256 from the Request hash list.
- On the Extensions tab, verify that the Application Policies extension includes Smart Card Logon.
- On the Issuance Requirements tab, select the This number of authorized signatures check box. Type 1 in the text box. Select Application policy from Policy type required in signature. Select Certificate Request Agent from the Application policy list. Select the Valid existing certificate option.
- On the Subject Name tab, select Build from this Active Directory information if it is not already selected. Select Fully distinguished name from the Subject name format list if it is not already selected. Select the User principal name (UPN) check box under Include this information in alternate subject name.
- On the Request Handling tab, select the Renew with the same key check box.
- On the Security tab, click Add… Type Windows Hello for Business Users in the Enter the object names to select text box and click Check Names | OK.
- Click Windows Hello for Business Users in the Group or user names list. In the Permissions for Windows Hello for Business Users section, select the Allow check box for the Enroll permission. Excluding the Windows Hello for Business Users group, clear the Allow check box for the Enroll and Autoenroll permissions for all other entries in the Group or user names section if they are not already cleared. Click Apply and OK.
- Close the console.

Complete these steps on the APP1 virtual machine.

Task: Mark the Template as the Windows Hello Sign-In Template
- Open an elevated command prompt. Accept the UAC prompt.
- Run: certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

Complete these steps on the DC1 virtual machine.

Task: Publish Enrollment Agent and WHfB Authentication Templates to the Certification Authority
- Open the Certification Authority management console.
- Expand the parent node in the navigation pane.
- Click Certificate Templates in the navigation pane.
- Right-click the Certificate Templates node. Click New, and click Certificate Template to Issue.
- In the Enable Certificate Templates window, select the WHFB Enrollment Agent template you created in the previous steps. Click OK to publish the selected certificate template to the certification authority.
- Publish the WHFB Authentication certificate template the same way.
- Close the console.

Complete these steps on the APP1 virtual machine.

Task: Configure the Registration Authority
- Open an elevated Windows PowerShell prompt. Accept the UAC prompt.
- Type and execute the following command: Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

Complete these steps on the DC1 virtual machine.

Task: Configure DNS for Device Registration
- Open the DNS management console.
- In the navigation pane, expand the domain controller name node and Forward Lookup Zones.
- In the navigation pane, select the node that has the name of your internal Active Directory domain.
- Right-click the domain name node and click New Host (A or AAAA)…
- In the Name box, type the name of the federation service (fs). In the IP address box, type the IP address of your federation server (10.0.0.9). Click Add Host.
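The certificate-trust pieces configured in the tasks above (schema level and the two groups from the prerequisites, the Hello logon flag set with certutil, the templates published on the CA, and the fs host record) can all be read back from PowerShell. The following is an added example, not the lab guide's own code: it runs on DC1 with the ActiveDirectory module, and the final commented line is the corresponding check on APP1. The names it uses (WHFBAuthentication, WHFBEnrollmentAgent, KeyCredential Admins, adfssvc, fs.corp.olympia.local, 10.0.0.9) are the lab's; the CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY value and the schema version number for Windows Server 2016 are taken from the SDK and schema documentation as I know them and are labelled as assumptions to confirm in your forest.

```powershell
# Added example, not from the lab guide: read-back checks for the on-premises certificate-trust
# pieces configured above. Run on DC1 (ActiveDirectory module); the AD FS check at the end runs
# on APP1. Lab names are used throughout; the flag constant (certenroll.h) and the Windows
# Server 2016 schema version are assumptions to confirm for your environment.
Import-Module ActiveDirectory

$HelloLogonKeyFlag   = 0x00200000   # CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY, set by the certutil -dsTemplate step (assumed value)
$Ws2016SchemaVersion = 87            # objectVersion of a Windows Server 2016 schema (assumed value)

function Get-PkiServicesPath {
    "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
}

function Test-SchemaVersion {
    # Key registration needs the Windows Server 2016 schema (objectVersion on the schema container).
    $v = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
    [pscustomobject]@{ SchemaVersion = [int]$v; MeetsWs2016 = ([int]$v -ge $Ws2016SchemaVersion) }
}

function Test-WhfbGroups {
    # Both groups must exist and contain the AD FS gMSA (SamAccountName ends with '$').
    foreach ($g in 'KeyCredential Admins', 'Windows Hello for Business Users') {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        $members = if ($grp) { @(Get-ADGroupMember $grp | Select-Object -ExpandProperty SamAccountName) } else { @() }
        [pscustomobject]@{ Group = $g; Exists = [bool]$grp; HasAdfsSvc = ($members -contains 'adfssvc$') }
    }
}

function Test-HelloLogonFlag {
    # Reads msPKI-Private-Key-Flag on the template object and tests the Hello logon key bit.
    param([string]$TemplateName = 'WHFBAuthentication')
    $t = Get-ADObject -SearchBase ("CN=Certificate Templates," + (Get-PkiServicesPath)) `
                      -Filter "cn -eq '$TemplateName'" -Properties 'msPKI-Private-Key-Flag'
    if (-not $t) { throw "Template $TemplateName not found in the Configuration partition" }
    $flags = [int]$t.'msPKI-Private-Key-Flag'
    [pscustomobject]@{ Template = $TemplateName; PrivateKeyFlags = ('0x{0:X8}' -f $flags)
                       HelloLogonKey = (($flags -band $HelloLogonKeyFlag) -ne 0) }
}

function Test-TemplatesPublished {
    # The CA's pKIEnrollmentService object lists the templates it issues.
    param([string[]]$Required = @('WHFBEnrollmentAgent', 'WHFBAuthentication'))
    Get-ADObject -SearchBase ("CN=Enrollment Services," + (Get-PkiServicesPath)) `
                 -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates |
        ForEach-Object {
            $issued = @($_.certificateTemplates)
            [pscustomobject]@{ CA = $_.Name; Missing = @($Required | Where-Object { $issued -notcontains $_ }) }
        }
}

function Test-FederationDns {
    # The fs host record created in the DNS task must resolve to the federation server.
    param([string]$Name = 'fs.corp.olympia.local', [string]$ExpectedIp = '10.0.0.9')
    $a = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $Name; Resolved = @($a.IPAddress); Matches = (@($a.IPAddress) -contains $ExpectedIp) }
}

# Run on DC1
Test-SchemaVersion
Test-WhfbGroups
Test-HelloLogonFlag
Test-TemplatesPublished
Test-FederationDns

# Run on APP1 after the Set-AdfsCertificateAuthority step: shows the enrollment agent and
# Windows Hello template names the registration authority was configured with.
# Get-AdfsCertificateAuthority
```

An empty Missing list from Test-TemplatesPublished and HelloLogonKey = True from Test-HelloLogonFlag are the two results that matter most: without the published WHFBEnrollmentAgent template the AD FS gMSA cannot obtain its enrollment agent certificate, and without the flag Windows does not treat WHFBAuthentication as the Hello sign-in template.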
- Click OK | Done.
- Close the DNS Management console.

Task: Create an Intranet Zone Group Policy
- Start the Group Policy Management Console (gpmc.msc).
- Expand the domain and select the Group Policy Objects node in the navigation pane.
- Right-click Group Policy Objects and select New.
- Type Intranet Zone Settings in the Name box and click OK.
- In the content pane, right-click the Intranet Zone Settings Group Policy object and click Edit.
- In the navigation pane, expand Policies under Computer Configuration.
- Expand Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel, and select Security Page.
- In the content pane, double-click Site to Zone Assignment List. Click Enabled.
- Click Show… In the Value name column, type the URL of the federation service beginning with https (https://fs.corp.olympia.local). In the Value column, type the number 1. Click OK.
- Click Apply | OK.
- Close the Group Policy Management Editor.

Task: Deploy the Intranet Zone Group Policy
- In the navigation pane, expand the domain, right-click the node that has your Active Directory domain name and click Link an Existing GPO…
- In the Select GPO dialog box, select Intranet Zone Settings (or the name of the Windows Hello for Business Group Policy object you previously created) and click OK.

Validate and Deploy Multifactor Authentication Services (MFA)

Complete these steps on the APP1 virtual machine.

Task: Download the MFA Server
- Sign in to the Azure portal as an administrator.
- On the left, select Azure Active Directory.
- Select Users.
- Select All users.
- Select More | Multi-Factor Authentication.
- Under the multi-factor authentication section, select service settings.
- On the service settings page, at the bottom of the screen, click Go to the portal; a new page opens.
- Click Download; another new page opens.
- Click the Download link and save the installer.
- Keep all these pages open, as you will return to them after running the installer.

Task: Install and Configure the MFA Server
- Double-click the executable and click Install to install the prerequisites. Follow the prompts until those are installed.
- Select I Agree and click Next.
- On the Select Installation Folder screen, make sure that the folder is correct and click Next. Accept the UAC prompt.
- Once the installation is complete, click Finish.
- Start the Multi-Factor Authentication Server and accept the UAC prompt.
- Back on the page that you downloaded the server from, click the Generate link. Copy this information into the Azure MFA Server in the boxes provided and click Activate. Cancel any prompts.

Configure and Deploy Multifactor Authentication Services

Standalone MFA Server:

The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers host read-only partitions of the configuration database. All production environments should deploy a minimum of two MFA servers.

For this lab, the primary MFA server uses the name mfa or mfa.corp.olympia.local. All secondary servers use the name mfa<n> or mfa<n>.corp.olympia.local, where n is the number of the deployed MFA server.

The primary MFA server is also responsible for synchronizing from Active Directory; therefore, it should be domain joined and fully patched.

Complete these steps on the APP1 virtual machine.

Task: Enroll for Server Authentication
- Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
- Expand the Personal node in the navigation pane.
- Right-click Personal. Select All Tasks and Request New Certificate…
- Click Next on the Before You Begin page.
- Click Next on the Select Certificate Enrollment Policy page.
- On the Request Certificates page, select the Internal Web Server check box.
- Click the More information is required to enroll for this certificate. Click here to configure settings link.
- Under Subject name, select Common Name from the Type list.
  Type the FQDN of the primary MFA server (app1.corp.olympia.local) and then click Add. Click Apply and OK when finished.
- Click Enroll.
- Click Finish.

Task: Install the Web Server Role
Install the following services if they are not already installed:
- Common HTTP Features > Default Document
- Common HTTP Features > Directory Browsing
- Common HTTP Features > HTTP Errors
- Common HTTP Features > Static Content
- Health and Diagnostics > HTTP Logging
- Performance > Static Content Compression
- Security > Request Filtering
- Security > Basic Authentication
- Management Tools > IIS Management Console
- Management Tools > IIS 6 Management Compatibility
- Application Development > ASP and ASP.NET (all versions)

Task: Update the Server
Update the server using Windows Update until it has no required or optional updates left, as the Azure MFA Server software may require one or more of these updates for the installation and software to work correctly. These procedures install additional components that may need to be updated.

Task: Configure the IIS Server’s Certificate
- Start the Internet Information Services (IIS) Manager console.
- In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.
- In the Actions pane, click Bindings…
- In the Site Bindings dialog, click Add…
- In the Add Site Binding dialog, select https from the Type list. In the SSL certificate list, select the certificate (app1.corp.olympia.local) whose name matches the FQDN of the computer.
- Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Task: Create Phonefactor Admins Group
- Open Active Directory Users and Computers.
- In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the Users container, select New, and select Group.
- In the New Object – Group dialog box, type Phonefactor Admins in Group name.
- Click OK.

Task: Add Accounts to the Phonefactor Admins Group
- In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.
- Click the Members tab.
- Click Add… Click Object Types… In the Object Types dialog box, select Computers and click OK. Enter the following user and/or computer accounts in the Enter the object names to select box and then click Check Names | OK | Apply | OK.
  - The computer account for the primary MFA server (APP1).
  - The group or user account that will manage the User Portal server (Domain Admins).

User Portal Server:

The User Portal is an IIS (Internet Information Services) web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign-on. Users log in to the User Portal using their normal username and password and either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user configures their phone number and PIN the first time they log in to the User Portal. User Portal administrators may be set up and granted permission to add new users and update existing users.

Complete these steps on the APP1 virtual machine.

Task: Enroll for Server Authentication
- Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC prompt.
- Expand the Personal node in the navigation pane.
- Right-click Personal. Select All Tasks and Request New Certificate…
- Click Next on the Before You Begin page.
- Click Next on the Select Certificate Enrollment Policy page.
- On the Request Certificates page, select the Internal Web Server check box.
- Click the More information is required to enroll for this certificate. Click here to configure settings link.
- Under Subject name, select Common name from the Type list. Type the FQDN of the primary MFA server (app1.corp.olympia.local) and then click Add.
- Under Alternative name, select DNS from the Type list.
Type the FQDN you will use for the User Portal service (mfaweb.corp.olympia.local) and click Add. The name users will browse to has to be present as a subject alternative name, or their browsers will report a certificate name mismatch. Click Apply and OK when finished.
10. Click Enroll.
11. Click Finish.

Configure the IIS Server's Certificate
1. Start the Internet Information Services (IIS) Manager console.
2. In the navigation pane, expand the node with the same name as the local computer. Expand Sites and select Default Web Site.
3. In the Actions pane, click Bindings…
4. In the Site Bindings dialog, click Add…
5. In the Add Site Binding dialog, select https from the Type list and choose a port other than 443, for example 444 (AD FS on APP1 already listens on 443). In the SSL certificate list, select the certificate (app1.corp.olympia.local) whose name matches the FQDN of the computer.
6. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create WebServices SDK User Account
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand the node with the organization's Active Directory domain name. Right-click the Users container, select New, and select User.
3. In the New Object – User dialog box, type PFWSDK_<computername> in the First name and User logon name boxes, where <computername> is the name of the primary MFA server running the Web Services SDK (APP1 in this lab). Click Next.
4. Type a strong password and confirm it in the respective boxes. Clear User must change password at next logon. Click Next. Click Finish to create the user account.

Add the MFA SDK User Account to the Phonefactor Admins Group
1. In the navigation pane, expand the node with the organization's Active Directory domain name. Select Users. In the content pane, right-click the Phonefactor Admins security group and select Properties.
2. Click the Members tab. Click Add… Type the PFWSDK_<computername> user name in the Enter the object names to select box, then click Check Names | OK | Apply | OK.
The group's members should now be:
- The computer account for the primary MFA Server (APP1).
- The Web Services SDK user account (PFWSDK_<computername>).
- The group or user account that will manage the User Portal Server (Domain Admins).

Installing Standalone Azure MFA Server
When you install Azure Multi-Factor Authentication Server, you have the following options:
- Install Azure Multi-Factor Authentication Server locally on the same server as AD FS (this option is used in this lab).
- Install only the Azure Multi-Factor Authentication adapter on the AD FS server, and install Multi-Factor Authentication Server on a different computer (the preferred deployment for production environments).

Complete these steps on the APP1 virtual machine.

Secure Windows Server AD FS with Azure Multi-Factor Authentication Server
1. In the Azure Multi-Factor Authentication Server management console, click the AD FS icon. Select Allow user enrollment and Allow users to select method.
2. Click Install AD FS Adapter…
3. If the Active Directory window is displayed, two things are true: your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to complete this configuration automatically, or select Skip automatic Active Directory configuration and configure settings manually to proceed.
4. If the Local Group window is displayed, two things are true: your computer is not joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to complete this configuration automatically, or select Skip automatic Local Group configuration and configure settings manually.
5. In the installation wizard, click Next.
Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group (already present in this lab) and adds the AD FS service account to it.
6. On the Launch Installer page, click Next.
7. In the Multi-Factor Authentication AD FS Adapter installer, click Next.
8. Click Close when the installation is finished.
9. When the adapter has been installed, register it with AD FS. Open an elevated Windows PowerShell, accept the UAC prompt and run the registration script. The path contains spaces, so quote it and invoke it with the call operator:
    & "C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1"
10. To use the newly registered adapter, edit the authentication methods in AD FS. In the AD FS management console, go to the Authentication Methods node under Service. In the Multi-factor Authentication Methods section, click the Edit link. In the Edit Authentication Methods window, select Azure Multi-Factor Authentication Server as an additional authentication method, then click Apply | OK. The adapter is listed as Azure Multi-Factor Authentication Server. Restart the AD FS service (adfssrv) for the registration to take effect.
At this point, Multi-Factor Authentication Server is set up as an additional authentication provider for AD FS.

Configure Company Settings
1. Start the Multi-Factor Authentication Server application. Accept the UAC prompt.
2. Click Company Settings.
3. On the General tab, select Fail Authentication from the When Internet is not accessible list. This fails closed: if the server cannot reach the Azure MFA cloud service, users are denied rather than let through on a single factor.
4. In User defaults, select Phone call or Text message.
5. Select Enable Global Services if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.
6. Clear the User can change phone check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal.
A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the Multi-Factor Authentication Server through the Synchronization features in Directory Integration.
7. Select Fail Authentication from the When user is disabled list. Users should provision their account through the User Portal.
8. Select the appropriate language from the Phone call language, Text message language, Mobile app language and OATH token language lists.
9. Under Default PIN rules, select the User can change PIN check box to let users change their PIN during multi-factor authentication and through the User Portal.
10. Configure the Minimum length for the PIN.
11. Select the Prevent weak PINs check box to reject weak PINs. A weak PIN is one that could easily be guessed; the following are rejected:
- 3 sequential digits.
- 3 repeating digits.
- Any 4-digit subset of the user's phone number.
If you clear this box, there are no restrictions on PIN format. For example, a user who tries to reset their PIN to 1235 is rejected because it contains the sequential digits 1, 2, 3, and is prompted to enter a valid PIN.
12. Select the Expiration days check box if you want PINs to expire. If enabled, provide the number of days a PIN is valid.
13. Select the PIN history check box if you want previously used PINs remembered for each user. Users are not allowed to reset their PIN to any value stored in their PIN history. When cleared, no PIN history is stored. The default value is 5 and the range is 1 to 10.

Configure Directory Integration Settings and Synchronization
1. From the Multi-Factor Authentication Server window, click the Directory Integration icon.
2. Click the Settings tab.
3. Select Use Active Directory.
4. Select Include trusted domains to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, other domains in the forest, or domains involved in a forest trust.
If you are not importing or synchronizing users from any trusted domain, clear the check box to improve performance.

Add Test User to WHfB Group
Complete these steps on the DC1 virtual machine.
1. Open Active Directory Users and Computers.
2. Click the CORP | USERS OU in the navigation pane.
3. Right-click TestUser1 and click Properties.
4. Click the Telephones tab and enter a Mobile number, including the country code.
5. Click the Member Of tab and click Add…
6. In the Enter the object names to select text box, type Windows Hello for Business Users. Click Check Names | OK.
7. Click Apply | OK to return to Active Directory Users and Computers.

Add a Synchronization Item
Complete these steps on the APP1 virtual machine.
1. Click the Synchronization tab.
2. On the Synchronization tab, click Add…
3. In the Add Synchronization Item dialog, select Security Groups from the View list.
4. Select the group you are using for replication from the list of groups (Windows Hello for Business Users).
5. Select Selected Security Group – Recursive or, if you do not plan to nest groups, select Security Group from the Import list.
6. Select Add new users and Update existing users.
7. Select the attributes appropriate for your environment for Import phone and Backup.
8. Select Enabled and select Only New Users with Phone Number from the list.
9. Click Add | OK | Close.
10. Ensure that the following are selected: Enable synchronization with Active Directory, a Synchronization interval (in minutes), and Require administrator approval when disabled or removed users exceed threshold 5. The approval threshold keeps a single bad directory change from disabling MFA for many users in one synchronization pass.
11. Click Synchronize Now. Click OK.

Install the Web Service SDK
1. From the Multi-Factor Authentication Server window, click the Web Service SDK icon and click Install Web Service SDK…
2. Select Default Web Site as the Site, MultiFactorAuthWebServiceSdk as the Virtual directory and DefaultAppPool as the Application Pool.
3. Click Next.
4. Once installed, click Close.

Edit the MFA AD FS Adapter Config File
1. Copy the following four files from C:\Program Files\Multi-Factor Authentication Server to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk:
- MultiFactorAuthenticationAdfsAdapterSetup64.msi
- Register-MultiFactorAuthenticationAdfsAdapter.ps1
- Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
- MultiFactorAuthenticationAdfsAdapter.config
2. Browse to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk (or the directory matching your virtual directory name) and edit the MultiFactorAuthenticationAdfsAdapter.config file.
3. Locate the UseWebServiceSdk key and change the value from false to true.
4. Locate the WebServiceSdkUsername key and set the value to the username of the Web Service SDK account in the PhoneFactor Admins security group. Use a qualified username, like domain\username or machine\username (CORP\PFWSDK_<computername>).
5. Locate the WebServiceSdkPassword key and set the value to the password of the Web Service SDK account in the PhoneFactor Admins security group (P@ssw0rd in this lab). The password sits in this file in clear text, so restrict the file's NTFS permissions to administrators and the AD FS service account, and use a long, unique password outside the lab.
6. Locate the WebServiceSdkUrl key and set the value to the URL of the Web Service SDK running on the Azure Multi-Factor Authentication Server (the PfWsSdk.asmx endpoint under the MultiFactorAuthWebServiceSdk virtual directory). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address: the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to that server's hosts file mapping the name of the Azure Multi-Factor Authentication Server to its IP address.
7. Save the MultiFactorAuthenticationAdfsAdapter.config file after making the changes.

Edit the ADFS Adapter Windows PowerShell Cmdlet
Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding -ConfigurationFilePath <path> to the end of the Register-AdfsAuthenticationProvider command, where <path> is the full path to the MultiFactorAuthenticationAdfsAdapter.config file: C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk\MultiFactorAuthenticationAdfsAdapter.config.

Run the ADFS Adapter Windows PowerShell Cmdlet
Note: At this stage, do not run the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script to register the adapter, because the adapter is already registered as WindowsAzureMultiFactorAuthentication.
Restart the AD FS service (adfssrv) for the changes to take effect.

Test AD FS with the Multi-Factor Authentication Connector
1. In the Multi-Factor Authentication Server, on the left, click Users.
2. In the list of users, select a user (TestUser1) who is enabled and has a valid phone number to which you have access.
3. Click Test…
4. In the Test User dialog, provide the user's password to authenticate the user to Active Directory and click Test.
5. Enter the one-time passcode once it is received on the phone and click OK.
6. Click OK on the Authentication successful message and click Close.
The Multi-Factor Authentication Server communicates with the Azure MFA cloud service to perform the second-factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks the user to perform the second factor configured for them.
Successfully providing the second factor results in the Multi-Factor Authentication Server showing a success dialog.

Configure Windows Hello for Business Policy Settings
Complete these steps on the DC1 virtual machine.

Create the WHfB GPO
1. Start the Group Policy Management Console (gpmc.msc).
2. Expand the domain and select the Group Policy Objects node in the navigation pane.
3. Right-click Group Policy Objects and select New.
4. Type Enable Windows Hello for Business in the Name box and click OK.
5. In the content pane, right-click the Enable Windows Hello for Business Group Policy object and click Edit.
6. In the navigation pane, expand Policies under User Configuration.
7. Expand Administrative Templates > Windows Components, and select Windows Hello for Business.
8. In the content pane, double-click Use Windows Hello for Business. Click Enabled and click Apply | OK.
9. Double-click Use certificate for on-premises authentication. Click Enabled and click Apply | OK.

Configure Automatic Certificate Enrollment
1. In the navigation pane, expand Policies under User Configuration.
2. Expand Windows Settings > Security Settings, and click Public Key Policies.
3. In the details pane, double-click Certificate Services Client – Auto-Enrollment.
4. Select Enabled from the Configuration Model list.
5. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
6. Select the Update certificates that use certificate templates check box.
7. Click Apply | OK. Close the Group Policy Management Editor.

Configure Security in the WHfB GPO
1. Double-click the Enable Windows Hello for Business Group Policy object.
2. In the Security Filtering section of the content pane, click Add… Type Windows Hello for Business Users (or the name of the security group you previously created) and click Check Names | OK.
3. Click the Delegation tab. Select Authenticated Users and click Advanced…
4. In the Group or user names list, select Authenticated Users.
5. In the Permissions for Authenticated Users list, clear the Allow check box for the Apply group policy permission. Click Apply | OK. Clear only Apply group policy and leave Read in place: since the June 2016 security update (MS16-072), user policy is retrieved in the computer's security context, and a GPO that Authenticated Users (or Domain Computers) cannot read is not processed at all.

Deploy the WHfB GPO
1. In the navigation pane, expand the domain, right-click the node that has your Active Directory domain name and click Link an Existing GPO…
2. In the Select GPO dialog box, select Enable Windows Hello for Business (or the name of the Windows Hello for Business Group Policy object you previously created) and click OK.
Linking the Windows Hello for Business Group Policy object to the domain puts it in scope for all domain users, but not all users have its settings applied. Because of the security filtering configured above, only members of the Windows Hello for Business Users group receive the policy settings; all other users ignore the Group Policy object.

Validate Windows Hello
Complete these steps on the CLIENT1 virtual machine.

Validate Policies
1. Restart the machine. If the policy does not arrive, restart DC1 and APP1 as well and allow some time for replication and for the services to start.
2. Log in as TestUser1.

Credential Guard
In this lab, you will activate Credential Guard.
Credential Guard uses Virtualization Based Security (VBS) to protect secrets, specifically domain credentials: NTLM password hashes, Kerberos Ticket Granting Tickets and credentials stored by applications as domain credentials are held by an isolated LSA process (LsaIso.exe) running in Virtual Secure Mode (VSM). That isolated process is separated from both the kernel and user mode of the normal operating system, so an attacker who has already compromised the system, even with SYSTEM or kernel privileges, cannot read those secrets directly from the Local Security Authority Subsystem (LSASS) memory, for example. It does not protect local accounts or Microsoft accounts, does not stop a keylogger on the compromised host from capturing a password as it is typed, and the isolated process still answers authentication requests on behalf of the signed-in user, so it raises the cost of credential theft rather than eliminating it.
Before working on this lab, you must have:
- A physical computer with a Trusted Platform Module (TPM) chip (2.0 recommended) and a CPU with virtualization extensions and IOMMU support (Intel VT-x and VT-d, or the AMD equivalents AMD-V and AMD-Vi).
- Windows 10 Enterprise running on the host.
- A local Administrator account.
It is recommended that you use a dedicated host for testing purposes. Please do not use your personal machines.
Also, the host must not be joined to your company domain, so that there are no compliance or configuration/support issues.
Note: The machine (virtual or physical) should have Hyper-V, a TPM and Secure Boot enabled.

Check Credential Guard Requirements
In this exercise, you will:
- Check that the requirements for Credential Guard are fulfilled.
- Manually activate Credential Guard and its dependencies.
Complete these steps on the CLIENT3 virtual machine or a physical machine.

System Verification
1. Open MSINFO32.EXE (elevated) and check that:
- BIOS Mode = UEFI
- Secure Boot State = On
Note: Ensure that the TPM, Secure Boot and the Hyper-V role are all enabled.
2. If any of the above values is not enabled, boot into your BIOS/UEFI setup and activate them.
Note that if the firmware is in CSM (compatibility) mode, switching it to UEFI native requires the system disk to use the GPT partition layout instead of MBR. Historically that meant reformatting the drive; Windows 10 version 1703 and later include MBR2GPT.EXE, which converts a Windows system disk in place.

TPM Verification
1. Open TPM.MSC and make sure that the TPM is turned on. If the TPM is turned off or not visible, make sure that it exists physically and is enabled in BIOS/UEFI.
2. On Windows 10 the TPM is normally provisioned automatically and the console reports that the TPM is ready for use. If it is turned on but not initialized:
- Create the TPM owner password using the Automatically create the password option.
- In Save your TPM owner password, click Save the password, select a location to save the password, and click Save (the file is saved as computer_name.tpm). Treat that file as a secret: it holds the owner authorization for the chip.
- Click Initialize.
After this, the TPM should be ready for use.
Note: The recommended TPM version is 2.0.
Credential Guard supports TPM 1.2 and 2.0. A TPM is not strictly required to turn it on, but without one the keys protecting the VBS secrets are not bound to hardware, so a TPM (preferably 2.0) should be present on any machine you rely on.

Enable Required Features
1. Go to Control Panel > Programs > Turn Windows features on or off.
2. Check Hyper-V.
3. Click OK.
4. Restart the computer.
Note: Hyper-V supplies the hypervisor on which Virtual Secure Mode runs.

Modern Management
Follow the following sections to manage Credential Guard through modern management tools.

Configure Credential Guard using Intune
In this section you will configure Credential Guard using Intune.
Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune portals.

Create Groups for use with the Credential Guard Lab
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values:
- GROUP TYPE: Security
- GROUP NAME: CredGuardDemo
- MEMBERSHIP TYPE: Assigned
- MEMBERS: TU1, TU2
7. Click Select | Create.

Creating an Intune Credential Guard Policy
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services.
5. Enter "Intune" in the search box and click Intune.
6. Click Device configuration, then Profiles, then + Create profile.
7. Fill out the form:
- Name: Cred Guard Demo
- Description: Cred Guard Demo
- Platform: Windows 10 and later
- Profile type: Endpoint protection
- Settings: Windows Defender Credential Guard > Enable with UEFI lock
With UEFI lock, the setting is persisted in a UEFI variable, so it cannot later be turned off simply by removing the policy: disabling it requires clearing that variable, with someone physically present at the machine to confirm at boot. Choose Enable without UEFI lock if you need to be able to roll back remotely.
8. Select OK | OK.
9. Select Create.
10. Select Assignments.
11. Select Select groups to include.
12. Check and select CredGuardDemo.
13. Click Save.
Complete these steps on the physical machine above.
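The verification and troubleshooting tasks that follow check the result one dialog at a time (System Information, the DeviceGuard event log, the registry keys and the LsaIso.exe process). The script below collects the same evidence in one pass from an elevated PowerShell on the test machine. It is an added example for this guide, not part of the lab's own steps or of any Microsoft tool; it assumes the lab's Enabled with UEFI lock setting (LsaCfgFlags = 1) and reads the documented Win32_DeviceGuard WMI class, in which the value 1 stands for Credential Guard and 2 for hypervisor-protected code integrity.

```powershell
#Requires -RunAsAdministrator
# Added example for the Windows Insider Lab guide (not Microsoft tooling): one-pass collection
# of the Credential Guard prerequisites and status that the lab checks by hand in msinfo32,
# tpm.msc, Event Viewer, regedit and Task Manager.
# Value meanings follow the Win32_DeviceGuard class: SecurityServices* 1 = Credential Guard,
# 2 = HVCI; VirtualizationBasedSecurityStatus 0/1/2 = Disabled / Enabled but not running / Running.
# Assumption taken from this lab: Credential Guard configured "Enabled with UEFI lock" (LsaCfgFlags = 1).

function Get-CredentialGuardReport {
    $ErrorActionPreference = 'SilentlyContinue'

    # Platform prerequisites (lab tasks "System Verification" and "TPM Verification")
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }          # throws on legacy BIOS / no UEFI
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Effective VBS / Credential Guard state: the same data System Information displays
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    # Registry: the keys the lab's "Registry" task inspects, plus the location Group Policy/Intune writes
    $ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    # Isolated LSA process and the "policy applied" event (ID 7000) in the DeviceGuard operational log
    $lsaIso = Get-Process -Name LsaIso
    $ev7000 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceGuard/Operational'; Id = 7000 } -MaxEvents 1

    [pscustomobject]@{
        FirmwareType              = $env:firmware_type                          # expect 'UEFI'
        SecureBootOn              = [bool]$secureBoot
        TpmPresent                = [bool]$tpm
        TpmSpecVersion            = $tpm.SpecVersion                            # e.g. '2.0, 0, 1.38'
        HypervisorPresent         = [bool]$cs.HypervisorPresent
        VbsStatus                 = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning    -contains 2)
        Reg_EnableVBS             = $ctl.EnableVirtualizationBasedSecurity     # expect 1
        Reg_RequirePlatformSec    = $ctl.RequirePlatformSecurityFeatures       # 1 = Secure Boot, 3 = Secure Boot + DMA
        Reg_LsaCfgFlags           = $lsa.LsaCfgFlags                            # 1 = UEFI lock, 2 = no lock, 0 = off
        Gpo_LsaCfgFlags           = $pol.LsaCfgFlags                            # present when delivered by GPO/MDM
        LsaIsoRunning             = [bool]$lsaIso
        LastPolicyAppliedEvent    = $ev7000.TimeCreated
    }
}

# Compare a report with what this lab expects and return the remaining problems (nothing = good).
function Test-CredentialGuardLab {
    param([pscustomobject]$Report = (Get-CredentialGuardReport))
    $problems = New-Object System.Collections.Generic.List[string]
    if ($Report.FirmwareType -ne 'UEFI') { $problems.Add('BIOS mode is not UEFI: convert the disk with MBR2GPT, then switch the firmware to UEFI native.') }
    if (-not $Report.SecureBootOn)       { $problems.Add('Secure Boot is off; enable it in firmware setup.') }
    if (-not $Report.TpmPresent)         { $problems.Add('No TPM visible to Windows; enable it in firmware (VBS keys are not hardware-bound without one).') }
    if (-not $Report.HypervisorPresent)  { $problems.Add('Hypervisor is not running; enable the Hyper-V feature and restart.') }
    if ($Report.Reg_EnableVBS -ne 1 -and $null -eq $Report.Gpo_LsaCfgFlags) { $problems.Add('No VBS/Credential Guard configuration in the registry yet; sync the device from Settings or run gpupdate /force.') }
    if ($Report.VbsStatus -ne 'Running') { $problems.Add("VBS status is '$($Report.VbsStatus)'; up to three restarts may be needed after the policy lands.") }
    if ($Report.CredentialGuardConfigured -and -not $Report.CredentialGuardRunning) { $problems.Add('Credential Guard is configured but not running; check the DeviceGuard operational log for errors.') }
    if (-not $Report.LsaIsoRunning)      { $problems.Add('LsaIso.exe is not running, so credentials are still held only by lsass.exe.') }
    return $problems
}

$report = Get-CredentialGuardReport
$report | Format-List
$issues = Test-CredentialGuardLab -Report $report
if (-not $issues) { 'Credential Guard is running as this lab expects.' } else { $issues }
```

Run it once before the policy is assigned to confirm the firmware prerequisites, then after each restart; the report's Gpo_LsaCfgFlags column shows whether the Intune or Group Policy setting has reached the machine at all, which separates "policy not applied" from "applied but VBS has not started yet".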
Verify the Policy has been Applied and Working
1. Log in to a machine as TU2@<AzureDomainName>.
2. Select Start > Settings > Accounts > Access work or school.
3. Select Connected to <CompanyName> Azure AD and click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
5. Close Settings and reboot the machine.
6. Log back in using the same credentials.
7. Click Start, type System Information and open it.
8. Verify that Virtualization-based security shows Running.
Note: After the first boot it typically shows Enabled but not running.
9. Reboot the machine again, open System Information (elevated) and verify that Virtualization-based security is Running and that Virtualization-based security Services Running lists Credential Guard.
Note: It can take up to 3 reboots before it shows as running.

Traditional Management
Follow the following sections to manage Credential Guard through traditional management tools.

Configure VBS and Credential Guard
Now that the required features and components are in place, activate Virtualization Based Security and Credential Guard.
Complete these steps on the physical machine above.

System Configuration
1. Open gpedit.msc and accept the UAC prompt if required.
2. Go to Computer Configuration > Administrative Templates > System > Device Guard.
3. Edit the Turn On Virtualization Based Security policy and select Enabled.
4. Select Secure Boot in Select Platform Security Level.
5. Select Enabled with UEFI lock in Credential Guard Configuration.
6. Click Apply and OK.
7. Restart the computer, open System Information (elevated) and verify that Virtualization-based security is Running.

Troubleshoot Credential Guard
After enabling all of the above features and settings, make sure that no errors were logged and that all the components are properly configured.
Complete these steps on the physical machine above.

Logging
Device Guard policy processing is logged in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceGuard > Operational. An event with ID 7000 should be logged when the policy is applied successfully; it contains the settings selected in the policy.

MSInfo32
Open MSINFO32.EXE (elevated) and confirm the Device Guard items in System Summary: Virtualization-based security shows Running, Virtualization-based security Required Security Properties includes Secure Boot (the platform security level selected above), and both Virtualization-based security Services Configured and Virtualization-based security Services Running list Credential Guard.

Registry
1. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
2. Verify that EnableVirtualizationBasedSecurity is set to 1.
3. Verify that RequirePlatformSecurityFeatures is set to 1 (Secure Boot; 3 means Secure Boot and DMA protection).
4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
5. Verify that LsaCfgFlags is set to 1 (enabled with UEFI lock; 2 means enabled without lock, 0 means disabled).
When the configuration was delivered by Group Policy or Intune rather than written to these keys directly, the policy values are also present under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard.

Process
Open Task Manager and verify the presence of LsaIso.exe, the isolated LSA process (capital I, not a lower-case l).

Device Encryption (MBAM)
In this section we will walk you through setting up BitLocker using modern management.
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this configuration requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can instead use an operating system volume password to protect the operating system volume on a computer without a TPM. Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key.
These additional measures provide multi-factor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Note: The machine (virtual or physical) should have a TPM and Secure Boot enabled.

Modern Management
Follow the following sections to manage BitLocker through modern management tools.

Setup BitLocker with Intune
This section walks you through setting up BitLocker with Intune.
Complete these steps from an Internet-connected Windows computer.

Create Groups
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
- GROUP TYPE: Security
- GROUP NAME: BitLockerDemo
- MEMBERSHIP TYPE: Assigned
- MEMBERS: TU1, TU2
7. Click Create.

Configure Windows BitLocker
1. On the left navigation bar, click All services.
2. Enter "Intune" in the search box and click Intune.
3. Under Manage select Device configuration, then Profiles.
4. Select + Create profile.
5. Name the new profile Bitlocker Demo.
6. For Platform select Windows 10 and later.
7. For Profile type select Endpoint protection.
8. Select Windows Encryption under Settings.
9. Fill out the form and click OK:
- Encrypt devices: Require
- Encrypt storage card: Not configured
- Warning for other disk encryption: Not configured
- Configure encryption method: Enable
- Encryption for operating system drives: XTS-AES 128-bit
- Encryption for fixed data-drives: XTS-AES 128-bit
- Encryption for removable data-drives: AES-CBC 128-bit
- Additional authentication at startup: Not configured
Note: The remaining settings are left unconfigured. Removable drives use AES-CBC because volumes encrypted with XTS-AES cannot be read on Windows versions earlier than Windows 10 version 1511. With Additional authentication at startup not configured, the OS drive uses the TPM-only protector: any boot of the unmodified, measured boot chain unlocks the drive, so add a pre-boot PIN where the threat model includes an attacker with physical access to a powered-off device.
10. Click OK and click Create.
11. Click Assignments and click Select groups to include.
12. Check BitLockerDemo and click Select.
13. Click Save.
Complete these steps on the physical machine above.

Verify the Policy has been Applied and Working
1. Log in to a machine as TU2@<AzureDomainName>.
2. Select Start > Settings > Accounts > Access work or school.
3. Select Connected to <CompanyName> Azure AD and click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
You will notice that an Encryption needed notification appears, asking you to start encryption. With this profile, encryption is not silent: the signed-in user has to act on the notification before BitLocker starts.

Device Guard – User Mode Code Integrity
Modern Management

Create Groups for use with the WDAC Demo
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
- GROUP TYPE: Security
- GROUP NAME: WDACDemo
- MEMBERSHIP TYPE: Assigned
- MEMBERS: TU1, TU2
7. Click Create.

Configuring WDAC with Intune
1. Close all browser windows.
2. Start Internet Explorer in InPrivate mode.
3. Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
4. On the left navigation bar, click All services.
5. Enter "Intune" in the search box and click Intune.
6. Click Device configuration, then Profiles, then + Create profile.
7. Fill in the form:
- Name: WDAC Demo
- Description: WDAC Demo
- Platform: Windows 10 and later
- Profile type: Endpoint protection
8. Click Windows Defender Application Control and fill in the form:
- Application control code integrity policies: Enforce
- Trust apps with good reputation: Enable
This Intune setting deploys a Microsoft-defined policy: Windows components, Microsoft Store apps and, with the reputation option, binaries that the Intelligent Security Graph rates as well known may run; everything else is blocked. In production, start with the Audit only option and review the CodeIntegrity event log first, because Enforce blocks unknown line-of-business software immediately, and the reputation check needs the device to reach the Defender cloud service.
9. Select OK, select OK again, then select Create.
10. Select Assignments, select Select groups to include, select WDACDemo and click Select.
11. Click Save.

Verify Configuration is Applied
Complete these steps on the CLIENT3 virtual machine or a physical machine.
1. Log in as TU2@<AzureDomainName>.
2. Select Start > Settings > Accounts > Access work or school.
3. Select Connected to <CompanyName> Azure AD and click Info.
4. Click Sync to force a policy update and confirm that the sync was successful.
5. Open Edge, navigate to the download page for the test application and install its latest version.
6. Once installed, run the application.
Note: The application should run because it has a good reputation. To see a block, remove the application and install an older version, one that the reputation service does not rate as well known.

Traditional Management
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn't trusted it can't run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a hypervisor-protected container.
In this section, you will learn how to configure and deploy code integrity policies and enable Device Guard in an enterprise.

Prerequisites
Perform the following tasks before proceeding to the succeeding sections.
Complete these steps on the DC1 virtual machine.

Download VLC Media Player
Open Internet Explorer and browse to the VLC download page. Download VLC and save vlc-3.0.3-win64.exe to C:\Packages.

Download CamStudio
Open Internet Explorer and browse to the CamStudio download page.
Download and save camstudio.exe to C:\Packages.

Create CI Policy from a Golden System
In this activity, you will create your first Code Integrity (CI) policy from a "golden" system.
Complete these steps on the CLIENT1 virtual machine.

Open PowerShell
Log on as a Domain Administrator (corp\labadmin) and, from the Start menu, start an elevated instance of PowerShell.

Create Shadow Copy of System Drive
From the PowerShell window, run the following commands. They take a Volume Shadow Copy snapshot of C: and expose it through a directory symbolic link, so the scan reads a consistent view of the drive without locked-file errors:
    # create a client-accessible snapshot of C: and keep its ID
    $s1 = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
    # find the snapshot object and its device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN)
    $s2 = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $s1.ShadowID }
    $d = $s2.DeviceObject + "\"
    # expose the snapshot as C:\scpy (a directory symlink; mklink is a cmd.exe built-in)
    cmd /c mklink /d C:\scpy "$d"

Generate a New Policy from Scan
From the PowerShell window, run the following command (the parameter dashes must be plain ASCII hyphens; -UserPEs includes user-mode executables in the scan, without it the policy would cover kernel-mode code only):
    New-CIPolicy -Level PcaCertificate -FilePath C:\PoCPolicy.xml -ScanPath C:\scpy -UserPEs
Note: It may take around 20-30 minutes. The generated policy has rule option 3 (Enabled:Audit Mode) set, so a first deployment of it only logs. If required, increase the memory of the virtual machine so the scan runs efficiently. Ignore any errors reported after the command completes.
Caveat on the rule level: PcaCertificate trusts the certificate one level below the root in each signer's chain. For Microsoft-signed code that is Microsoft's own intermediate CA; for third-party software it is usually a commercial CA's code-signing intermediate, so the policy then allows anything signed by any customer of that CA. Publisher level (PcaCertificate plus the leaf certificate's subject) with -Fallback Hash is the usual production choice.

Explore Policy Configuration
Save the file PoCPolicy.xml to a network location, for example \\DC1\C$. Open C:\PoCPolicy.xml with Notepad and review the content without making changes. Close the file.

Configurable Code Integrity – Audit Mode
In this activity, you will create a CI policy and deploy it in audit mode.
Complete these steps on the CLIENT1 virtual machine.

Convert from XML to Binary File
From the PowerShell window, run the following command:
    ConvertFrom-CIPolicy C:\PoCPolicy.xml C:\PoCPolicy.bin

Install Compiled Policy
From the PowerShell window, run the following command:
    Copy-Item C:\PoCPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Restart CLIENT1 and log in again with the same credentials.

Verify Audit Logs
Launch the installation package for VLC located at \\DC1\C$\Packages\vlc-3.0.3-win64.exe and install the package.
The installation will be successful at this point.Right-click on the Start button and click Run.Enter eventvwr.msc and click OK.In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.Browse through the log files especially Event ID 3076.Creating CI Policy from Audit LogsIn this activity, you will go through the steps in creating a Code Integrity (CI) policy from audit log events.TaskDetailed StepsComplete these steps on the CLIENT1 virtual machine.Create a CI Policy from Audit LogsFrom the Start Menu, start an elevated instance of PowerShell.From the PowerShell window, run the following commands:New-CIPolicy -l PcaCertificate -f C:\AuditPoCPolicy.xml –a –uNote: Ignore any errors received after command execution completes.Open the file C:\AuditPoCPolicy.xml with Notepad.Close the file.Merge Golden Policy with Policy from Audit LogsFrom the PowerShell window, run the following commands:Merge-CIPolicy –OutputFilePath C:\MergedPoCPolicy.xml –PolicyPaths C:\AuditPoCPolicy.xml,C:\PoCPolicy.xmlOpen the file C:\MergedPoCPolicy.xml with Notepad.Close the file.Configurable Code Integrity – Enforce ModeIn this activity, you will deploy and enforce a CI policy to lock down the system.TaskDetailed StepsComplete these steps on the CLIENT1 virtual machine.Disable Audit ModeFrom the PowerShell window, run the following commands:Set-RuleOption –option 3 -delete –FilePath C:\MergedPoCPolicy.xmlOpen the file C:\MergedPoCPolicy.xml with Notepad.Close the file.Convert from XML to Binary FileFrom the PowerShell window, run the following commands:ConvertFrom-CIPolicy C:\MergedPoCPolicy.xml C:\MergedPoCPolicy.binInstall Compiled PolicyFrom the PowerShell window, run the following command:cp C:\MergedPoCPolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7bRestart CLIENT1 and re-login with the same credentials.Install or Launch Your Application(s)Launch the installation package for CamStudio located at 
\\DC1\C$\Packages\camstudio.exe. The application should not launch at this stage and should throw errors, which means it is blocked by code integrity.

Verify Audit Logs
Right-click on the Start button and click Run.
Enter eventvwr.msc and click OK.
In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
Browse through the log entries, especially Event ID 3077.

Configure Group Policies
In this activity, you will learn how to configure and deploy group policies to enforce the configuration.
Complete these steps on the DC1 and CLIENT2 virtual machines.

Create Device Guard GPO
Create a folder named CodeIntegrity on the C: drive and copy into it the SIPolicy.p7b file created in the previous task on the CLIENT1 VM. The path of this file on the CLIENT1 VM is C:\Windows\System32\CodeIntegrity.
Navigate to C:\CodeIntegrity, right-click the CodeIntegrity folder and click Properties.
Click the Sharing tab and click Advanced Sharing…
Check the box next to Share this folder and click Permissions.
Ensure Everyone is in the list and has been granted Full Control. Click Apply and click OK two times.
Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control. Close all the windows.
Now navigate to the copied file C:\CodeIntegrity\SIPolicy.p7b, right-click the file and click Properties.
Click the Security tab and ensure that Everyone is in the list and has been granted Full Control.
Click the Advanced button and again ensure that Everyone is in the list and has been granted Full Control.
Close all the windows.
Note: At any point, if you see that Everyone has not been granted Full Control permissions, grant them.
Back on the DC1 VM, in Active Directory Users and Computers, create an OU called Devices and move the CLIENT2 VM to the Devices OU from the default Computers container.
Open the Group Policy Management Console.
Right-click on Group Policy Management > Forest: corp.olympia.local > Domains > corp.olympia.local > Group Policy Objects and select New.
Under Name, enter Device Guard Policies and then click OK.
Right-click the Devices OU and click Link an Existing GPO…
Select Device Guard Policies and click OK.

Deploy Code Integrity Policy and Enable VBS for KCMI
Right-click Device Guard Policies and select Edit.
Browse to Computer Configuration\Policies\Administrative Templates\System\Device Guard.
Double-click Deploy Windows Defender Application Control.
Select Enabled.
Under Code Integrity Policy file path, enter \\DC1\CodeIntegrity\SIPolicy.p7b.
Click Apply and then OK.
Note: The policy below is for informational purposes only and cannot be demonstrated in this lab. It requires a physical Windows 10 Enterprise machine with the hypervisor enabled, Secure Boot or Trusted Boot enabled, and other dependencies such as virtualization extensions and all virtualization capabilities turned on, including Input/Output Memory Management Unit (IOMMU) support, compatible drivers and updated legacy drivers.
Double-click Turn On Virtualization Based Security.
Select Enabled.
Under Select Platform Security Level, select Secure Boot and DMA Protection.
Under Virtualization based Protection of Code Integrity, select Enabled with UEFI lock.
Click Apply and then OK.

Attempt to Run New Applications that Have Not Been Installed on the System
Now on the CLIENT2 VM, run gpupdate /force.
Restart CLIENT2 and re-login with the same credentials.
Verify that any new application installation or new executable is blocked by the Code Integrity Policy, for example CamStudio.
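The audit, merge, enforce and verify steps of the Code Integrity lab above, collected into one script as an added example (this is not code from the lab guide). It assumes the lab's own paths (C:\PoCPolicy.xml as the golden policy, the MergedPoCPolicy files on C:\) and the built-in ConfigCI cmdlets on CLIENT1; the function names are the example's own.

```powershell
# Added example, not part of the lab guide. Run in an elevated PowerShell on CLIENT1.
# Paths follow the lab; C:\PoCPolicy.xml is the golden policy created earlier in the lab.
$GoldenPolicy = 'C:\PoCPolicy.xml'
$AuditPolicy  = 'C:\AuditPoCPolicy.xml'
$MergedPolicy = 'C:\MergedPoCPolicy.xml'
$BinaryPolicy = 'C:\MergedPoCPolicy.bin'
$DeployedPath = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'
$CiLog        = 'Microsoft-Windows-CodeIntegrity/Operational'

function New-AuditDerivedPolicy {
    # Turn every 3076 audit event (file that would have been blocked) into an allow rule,
    # then merge with the golden policy so the rules for the base image are kept.
    New-CIPolicy -Level PcaCertificate -FilePath $AuditPolicy -Audit -UserPEs -ErrorAction SilentlyContinue
    Merge-CIPolicy -OutputFilePath $MergedPolicy -PolicyPaths $AuditPolicy, $GoldenPolicy | Out-Null
    $MergedPolicy
}

function Test-AuditMode {
    param([string]$PolicyXml)
    # Rule option 3 is "Enabled:Audit Mode"; while it is present the policy blocks nothing.
    [xml]$xml = Get-Content -Path $PolicyXml
    [bool]($xml.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq 'Enabled:Audit Mode' })
}

function ConvertTo-EnforcedPolicy {
    param([string]$PolicyXml, [string]$BinaryPath)
    # Remove the audit option, check that it is really gone, then compile to binary.
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    if (Test-AuditMode -PolicyXml $PolicyXml) { throw "$PolicyXml still carries Enabled:Audit Mode" }
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $BinaryPath | Out-Null
    $BinaryPath
}

function Install-CIPolicy {
    param([string]$BinaryPath)
    # Keep a copy of any policy already on the machine; the lab cleanup deletes SIPolicy.p7b.
    if (Test-Path $DeployedPath) { Copy-Item -Path $DeployedPath -Destination "$DeployedPath.bak" -Force }
    Copy-Item -Path $BinaryPath -Destination $DeployedPath -Force
    Write-Host "Policy staged at $DeployedPath; restart CLIENT1 to activate it."
}

function Get-CIEvents {
    param([int]$Hours = 24)
    # 3076 = would have been blocked (audit mode), 3077 = blocked (enforce mode).
    Get-WinEvent -FilterHashtable @{
        LogName   = $CiLog
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = if ($_.Id -eq 3076) { 'Audited' } else { 'Blocked' }
            Message = ($_.Message -split "`r?`n")[0]   # first line of the message names the file
        }
    }
}

# Workflow as the lab runs it: audit -> merge -> enforce -> stage -> (reboot) -> review events.
$merged = New-AuditDerivedPolicy
$bin    = ConvertTo-EnforcedPolicy -PolicyXml $merged -BinaryPath $BinaryPolicy
Install-CIPolicy -BinaryPath $bin
Get-CIEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

After the reboot, run Get-CIEvents again: the CamStudio launch should now appear as a 3077 Blocked entry instead of a 3076 Audited one.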
The CamStudio package is located at \\DC1\C$\Packages\camstudio.exe.
Note: Before executing any labs after the Code Integrity lab in which the CLIENT1 and CLIENT2 VMs are going to be used, ensure that they have been moved back to the default Computers container from the Devices OU. Then, on both VMs, delete the SIPolicy.p7b file from C:\Windows\System32\CodeIntegrity. Run gpupdate /force and reboot both VMs. This ensures that no activity is blocked by Code Integrity.

Diagnostics Logs
Requirements – Windows Insider Build 18237+
Azure subscription to create a Storage account

Modern Management
Follow the sections below to enable the diagnostic logs CSP using modern management tools.

Configure Diagnostic Logs CSP using Intune
In this section you will configure the diagnostic logs CSP using Intune.
Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune Portal.

Create Groups for use with the Diagnostic Logs Lab
Close all browser windows.
Start Internet Explorer in InPrivate mode.
Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
On the left navigation bar, click Azure Active Directory > Groups > All groups.
Click + New group.
In the Group pane, fill in the following values:
GROUP TYPE: Security
GROUP NAME: DiagnosticsLogsDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1, TU2
Click Select | Create.

Create a Storage Account to Store Diagnostic Logs
Close all browser windows.
Start Internet Explorer in InPrivate mode.
Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
On the left navigation bar, click All services.
Enter "Storage accounts" in the search box.
Click Storage accounts.
Click + Add.
Select a valid Azure subscription.
Fill out the form: Resource group (create a new one if needed), Storage account name, Location. Leave the rest unchanged.
Click Review + create.
Click the newly created storage account.
Click Storage Explorer (preview).
Right-click BLOB CONTAINERS -> Create blob container.
Give it a name and click OK.
Right-click the new blob container -> Get Shared Access Signature.
Update the Expiry time to a month later than the current date (the default is 1 day).
Update Permissions to Read, Write and List.
Click Create.
Copy the URL into Notepad. It will be needed in the next task.

Create a Diagnostic Logs Policy
Close all browser windows.
Start Internet Explorer in InPrivate mode.
Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
On the left navigation bar, click All services.
Enter "Intune" in the search box.
Click Intune.
Click Device configuration.
Click Profiles.
Click + Create profile.
Fill in the form:
Name – Diagnostics CSP
Platform – Windows 10 and later
Profile type – Custom
Click Settings -> under OMA-URI settings, click Add.
Name – ArchiveDefinition
OMA-URI – ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition
Data Type – String
Value – the Collection element below, with a newly generated GUID as the ID and the SAS URL copied in the previous task:
<Collection>
<ID>New Guid</ID>
<SasUrl><![CDATA[URL Copied in Line Step 21]]></SasUrl>
<RegistryKey>HKLM\Software\Microsoft</RegistryKey>
<Command>%windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\</Command>
<FoldersFiles>%ProgramData%\temp\*.*</FoldersFiles>
<FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>c:\windows\system32\ipconfig.exe /all</Command>
<Events>System</Events>
</Collection>
Select Create.
Select Assignments.
Select "Select groups to include".
Select DiagnosticsLogsDemo and click Select.
Click Save.
Complete these steps on the AAD-joined physical machine/VM.

Verify the Policy has been Applied and Working
Log in to a machine as TU2@<AzureDomainName>.
Select Start.
Select Settings.
Select Accounts.
Select Access work or school.
Select Connected to <CompanyName> Azure AD.
Click Info.
Click Sync to force a policy update and confirm that the sync was successful.
Close Settings.
Go to [OSDrive]\windows\temp\mdmdiagnostics. A folder whose name is the GUID you entered in the <ID> element of the ArchiveDefinition should be present.
On any Internet-connected machine:
Close all browser windows.
Start Internet Explorer in InPrivate mode.
Navigate to the Azure portal and sign in with labadmin@<AzureDomainName>.
Click Storage accounts.
Click the storage account created earlier.
Click Storage Explorer (preview).
Click BLOB CONTAINERS -> your container and verify that logs are being uploaded.
Download the zip file and look at the contents to ensure the requested logs were uploaded.

FIDO2 Windows Sign-In
Modern Management
Follow the sections below to enable the FIDO2 security key method and combined security registration.

FIDO2 Security Key Sign-In for AADJ Windows Devices
Requirements – Windows Insider Build 18942+
In this section you will enable FIDO2 security key sign-in and combined security registration.
Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune Portal.

Enable security key
1. Sign in to the Azure portal.
2. Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview).
3.
Under the method FIDO2 Security Key, choose the following options:
a. Enable - Yes or No
b. Target - All users or Select users
4. Save the configuration.

Enable combined security
5. Sign in to the Azure portal as a user administrator or global administrator.
6. Go to Azure Active Directory > User settings > Manage user feature preview settings.
7. Under Users can use preview features for registering and managing security info, choose to enable for a Selected group of users or for All users.

Enable FIDO for Windows Device Sign-In
8. Sign in to the Azure portal.
9. Browse to Microsoft Intune > Device enrollment > Windows enrollment > Windows Hello for Business > Properties.
10. Under Settings, set Use security keys for sign-in to Enabled.

FIDO2 Security Key Sign-In for Hybrid Azure AD Joined Windows Devices
Pre-requisites
FIDO sign-in enabled for your tenant and a security key provisioned.
Windows 10 Insider Build 18945 or newer.
Version 1.4.32.0 or later of Azure AD Connect.
Your Windows Server domain controllers must have the following patches installed:
For Windows Server 2016 -
For Windows Server 2019 -

Steps
Complete these steps from a physical Internet-connected Windows computer to access the Azure and Intune Portal.

Create Kerberos Server Object
On the Azure AD Connect server, open an elevated PowerShell prompt and navigate to C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\
Run the following PowerShell commands to create a new Azure AD Kerberos server object in both your on-premises Active Directory domain and your Azure Active Directory tenant.
Import-Module ".\AzureAdKerberos.psd1"
# Specify the on-premises Active Directory domain.
# A new Azure AD Kerberos Server object will be created in this Active Directory domain.
$domain = "contoso."
# Enter an Azure Active Directory global administrator username and password.
$cloudCred = Get-Credential
# Enter a domain administrator username and password.
$domainCred = Get-Credential
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Viewing and Verifying the Azure AD Kerberos Server
You can view and verify the newly created Azure AD Kerberos Server using the following command:
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Enable with Group Policy
For hybrid Azure AD joined devices, organizations can configure the following Group Policy setting to enable FIDO security key sign-in. The setting can be found under Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in:
Setting this policy to Enabled allows users to sign in with security keys.
Setting this policy to Disabled or Not Configured stops users from signing in with security keys.

Try it out: Sign in with a FIDO2 security key
Now you can choose the security key credential provider from the Windows 10 lock screen and insert the security key to sign into Windows.
Microsoft Docs and further information:
Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview)
Enable with Group Policy

Compatibility
In this module, you will go through configuring Upgrade Readiness and scenarios to mitigate web application compatibility issues with Internet Explorer 11.
Prerequisite Sections:
Windows Insider Lab for Enterprise – Setup Guide
Section 3.3.1 - Build a Windows 10 Developer Machine

Windows Analytics Upgrade Readiness
With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end,
allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
In this section, you will learn how to navigate Upgrade Readiness to understand how you might use it in your environment.
The Operations Manager Suite Experience Center will be used to evaluate Windows Analytics Upgrade Readiness using read-only demo data and will not require devices to be configured to send telemetry to the Update Compliance service.
Note: This lab guide is aimed at getting you familiar with the Upgrade Readiness workspace. It is not intended to be a comprehensive guide to using the solution in your organization.
Appendix – Configuring Windows Analytics has more details on configuring, deploying and reviewing Windows Analytics.

Browser Compatibility
For web apps and sites in Windows 10, modern HTML5-based sites should have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10.

Prerequisites
Perform the following tasks before proceeding.
Complete these steps on the APP1 virtual machine.

Create a Shared Folder (EMEI) with Full Permissions
Open File Explorer and browse to C:\.
Create a new folder named EMEI.
Right-click on EMEI and select Properties.
In the EMEI Properties window, go to the Sharing tab.
On the Sharing tab, click Advanced Sharing.
In the Advanced Sharing window, select Share this folder, then click Permissions.
In the Permissions for EMEI window, under Allow, select Full Control, then click Apply and OK.
In the Advanced Sharing window, click Apply and OK.
In the EMEI Properties window, click Close.

Configure Test Website
On the taskbar, open File Explorer and browse to C:\Packages\Sources.
Copy the ContosoLearning folder to C:\inetpub\wwwroot.
On the Start menu, open Internet Information Services (IIS) Manager.
Under the Connections pane, browse to APP1 (Corp\LabAdmin) > Sites > Default Web Site > ContosoLearning.
Right-click on ContosoLearning and select Convert to Application.
In the Add Application window, click OK.
On ContosoLearning, under the Actions pane, select Advanced Settings.
In the Advanced Settings window, select Application Pool and click the ellipsis (…).
In the Select Application Pool window, set the Application pool to .NET v2.0, then click OK.
In the Advanced Settings window, click OK.
Complete these steps on the CLIENT2 virtual machine.

Pin Internet Explorer to the Taskbar
On the Start
Menu, search for Internet Explorer.
Right-click on Internet Explorer and select Pin to taskbar.

Download Enterprise Mode Site List Manager
Open Internet Explorer and browse to the URL below.
On the website, click Download.
Save EMIESiteListManager.msi to the desktop.

Enterprise Mode
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11, allows websites to render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
In this section, you will learn how to use and configure Enterprise Mode and the Enterprise Mode Site List Manager.

Manually Activate Enterprise Mode
Complete these steps on the CLIENT2 virtual machine.

Browse to the Test Site
On the taskbar, open Internet Explorer and browse to the ContosoLearning test site.
Note: Notice that the website says that the browser is not supported and that only Internet Explorer is supported, even though the browser is Internet Explorer.

Enable Enterprise Mode
Right-click on the Start button and select Run.
In the Run window, enter regedit and then click OK.
In the Registry Editor window, browse to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft.
Right-click on the Microsoft key and select New > Key.
Enter Internet Explorer as the name of the new key.
Right-click on the Internet Explorer key and select New > Key.
Enter Main as the name of the new key.
Right-click on the Main key and select New > Key.
Enter EnterpriseMode as the name of the new key.
Right-click on the EnterpriseMode key and select New > String Value.
Enter Enable as the name of the string value.
Right-click on the EnterpriseMode key and select New > String Value.
Enter SiteList as the name of the string value.
Note: Enterprise Mode can be enabled through Group Policy.
For more information, go to the Enterprise Mode documentation.

Enterprise Mode on the Test Site
Close all open Internet Explorer windows.
On the taskbar, open Internet Explorer and browse to the test site.
On the Internet Explorer toolbar, go to Tools and select Enterprise Mode.
Note: Enable the Menu bar.
Note: Notice now that the website is not displaying the browser support issue, because Enterprise Mode is emulating Internet Explorer 8. Also, see the building icon on the left side of the URL, which indicates that Enterprise Mode is enabled for this URL.
On the Internet Explorer toolbar, go to Tools and select Enterprise Mode to turn it off for the next labs.
Close all Internet Explorer windows.

Enterprise Mode Site List Manager
Complete these steps on the CLIENT2 virtual machine.

Install Enterprise Mode Site List Manager
On the taskbar, open File Explorer and browse to the desktop.
Double-click EMIESiteListManager.msi.
On the Welcome page, click Next.
On the End-User License Agreement page, select I accept the terms in the License Agreement and then click Next.
On the Destination Folder page, click Next.
On the Ready to Install page, click Install.
Once complete, click Finish.

Create a Site List
From the desktop icon, open the Enterprise Mode Site List Manager.
In the Enterprise Mode Site List Manager for v.2 schema window, click Add.
In the Add new website window, under URL, enter app1/ContosoLearning and then click Save.
Click File > Save to XML.
Save the file to \\APP1\EMEI as EMEISiteList.xml.
Complete these steps on the DC1 virtual machine.

Enable Enterprise Mode through GPO and Deploy the Site List
From the Start Menu, open the Group Policy Management Console.
In the Group Policy Management Console, expand Forest: corp.olympia.local > Domains > corp.olympia.local > Group Policy Objects.
Right-click on Group Policy Objects and select New.
In the New GPO window, under Name, enter Enable Enterprise Mode and then click OK.
Right-click on Enable Enterprise Mode and select Edit.
In the Group Policy Management Editor window,
browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
In the Settings pane, double-click the Use the Enterprise Mode IE website list policy.
In the Use the Enterprise Mode IE website list window, select Enabled.
In the Options pane, enter \\APP1\EMEI\EMEISiteList.xml and then click Apply and OK.
Close the Group Policy Management Editor.
In the Group Policy Management window, right-click on the Devices OU and select Link an Existing GPO…
Note: If it does not exist yet, create a Devices Organizational Unit and move the CLIENT2 machine from Computers to this OU.
In the Select GPO window, select Enable Enterprise Mode and then click OK.
Complete these steps on the CLIENT2 virtual machine.

Validate that Enterprise Mode Policies are Applied
Open an Administrative Command Prompt and execute gpupdate /force.
On the taskbar, open Internet Explorer and browse to the test site.
Note: Notice that the website is now automatically configured with Enterprise Mode.

Browser Compatibility Remediation
This section covers some of the common compatibility issues found while migrating existing web applications from IE8 to IE11. It demonstrates the tools and techniques to remediate these common issues. This lab is designed for developers and discusses ways to resolve the compatibility issues by updating the application code, as that is the best long-term solution to make your applications standards-compliant and ensure compatibility with modern browsers.

Prerequisites
Perform the following tasks before proceeding.
Complete these steps on the CLIENT1 virtual machine.

Pin Internet Explorer to the Taskbar
On the Start Menu, search for Internet Explorer.
Right-click on Internet Explorer and select Pin to taskbar.

User Agent String Detection Issue
Web developers used to check the navigator.appName property to get the name of the web client. Up to Internet Explorer 10 it returned "Microsoft Internet Explorer", but from IE 11 it returns "Netscape".
After completing this lab session, you will be able to use the IE Developer Toolbar to change the IE browser mode.
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Use Internet Explorer to navigate to the ContosoLearning test site.
Note: Notice the incompatibility message at the bottom of the screen in red: **Your browser is not supported by ContosoLearning. Only Internet Explorer is Supported**.
The error message indicates that a validation routine runs when the page loads. The routine checks the browser that is used.

Confirm the Incompatibility
Right-click on the page and select View source to open a new window with the page's source code.
On line 145, note that the function checkVersion is called when the page loads. This is the function that produces the browser support message.
The issue arises because the version detection logic checks the browser name.
Close the source page.

Prove the Fix
To determine the possible fix, press F12 to open the Internet Explorer Developer Tools.
Click the Emulation tab.
From the Document mode drop-down, select 10 to use the IE 10 document mode.
From the User agent string drop-down, select Internet Explorer 10.
The browser window will reload without the support warning.

Recommended Fix (OPTIONAL)
Modify the code for the default.aspx page to remove the browser detection routine.
Consider using feature detection to ensure that a specific feature is present for the application to continue to function.

Box Model
The box model issue is caused by the difference in the browser rendering engine's implementation of the width and height properties of a container element, including the padding, borders and margins.
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Use Internet Explorer to navigate to the ContosoLearning test site and log in to the application as corp\Administrator using P@ssword.
Scroll to the right and bottom. Note that the menu intended for the right side of the page has actually rendered below the content.
In Internet Explorer 6, this page item would be rendered on the right-hand side of the My Upcoming Trainings panel.

Prove the Fix
Press F12 to launch the Developer Tools window.
Below the DOM Explorer tab, click the Select element icon, or press Ctrl+B.
Move the mouse pointer exactly over the grey border surrounding My Upcoming Trainings and click with the left mouse button. This will highlight the panel in the browser and move the DOM Explorer window to the corresponding HTML section, id="middle".
In the right pane of the DOM Explorer tab, click Styles.
Note that there are two entries for #middle. One of these is sourced from default.aspx, which overrides the width entry from SiteStyles.css.
These are padding properties. Padding and border properties are considered outside the container to which they relate in Internet Explorer 11. In the Internet Explorer 5.5 model, padding and border properties were inside the box model.
Select the width property sourced from default.aspx.
Reduce the value (in pixels) to determine a suitable value to render the page correctly. Hint: A 100px change is far too much.

Recommended Fix (OPTIONAL)
Modify the source code for default.aspx on the hosting website with the correct width.
This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.
<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

Popup Blocker
The Pop-up Blocker is a feature that blocks pop-up (and pop-under) windows initiated automatically by a website. Windows Internet Explorer 10/9/8/7 block pop-up windows in the Internet and Restricted sites zones by default. However, the Pop-up Blocker allows pop-up windows initiated by a user's actions.
This feature can interfere with the functionality of older sites that open a pop-up window on page load.
Complete these steps on the CLIENT1 virtual machine.

What Could Be the Incompatibility
Use Internet Explorer to navigate to the ContosoLearning test site and log in to the application as corp\Administrator using P@ssword.
Navigate to Register for Training from the menu on the left side of the page.
Observe that the Register button for each course is disabled (greyed out), and that a pop-up window appears with the Terms and Conditions; once you click OK, the Register button is enabled for the courses listed.
The incompatibility could be that the Register button for each course is disabled (greyed out) and a message is displayed at the bottom saying that the pop-up was blocked.

Local Fix
If the incompatibility appears, then to fix this issue launch the Pop-up Blocker Settings window by clicking Tools > Internet options. Alternatively, click the gear icon at the top right of the Internet Explorer window and then select Internet options.
Note: Enable the Menu bar.
Click the Privacy tab.
Under Pop-up Blocker, click Settings.
In the Pop-up Blocker Settings window, type the site in the Address of website to allow text box.
Click Add to add the entered site to the Allowed sites list.
Click the Close button to close the current window and click OK in the Internet Options window.
Press F5 to refresh the page.
Click Register for Training.
A pop-up window appears with the Terms and Conditions.
Click OK.
The Register button is now enabled for the courses listed.

Enterprise Fix
Automatic pop-ups are allowed by default for sites belonging to the Local intranet zone. Pop-up blocking issues can be resolved for intranet applications by adding the site to the intranet sites collection.
For external trusted sites having this issue, add the sites to the Trusted sites collection and set the Use Pop-up Blocker setting to Disable.
Add the site via the Group Policy path
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
Note: For more details on Group Policy settings, refer to the Microsoft documentation link.

className Attribute
IE11 enables several enhancements to the setAttribute, getAttribute, and removeAttribute methods that are not available when pages are displayed in earlier document modes.
To change the class attribute of an element, earlier versions of IE required the use of className as the attribute name. This has been fixed in IE11, and applications targeting the IE 11 browser should use class instead of className when assigning the class attribute.
Complete these steps on the CLIENT1 virtual machine.

Validate that the Test Site Is Not Part of the Local Intranet Zone Site List
Click Tools > Internet options in the Internet Explorer window.
In Internet Options, go to the Security tab.
Click Local intranet and then click Sites.
In the Local intranet window, click the Advanced button, which opens the Local intranet sites list.
In the sites list, verify that app1 is not present.
If the site is present, highlight it and click the Remove button.
Once you are finished, click the Close button in the Local intranet sites list window.
Then click OK in the Local intranet window and OK in the Internet Options window to close them.

View the Incompatibility
Navigate to the Events page by clicking the Events link in the left menu. The URL for the page is: . Re-login if required. Observe that the page is not displayed correctly.
Observe that no style is applied to the selected element.

Local Fix
Open the Developer Tools by pressing F12 and click the Emulation tab at the bottom.
Change the Document mode to 7 and the User agent string to Internet Explorer 7.
Observe that the class attribute is being set on the selected element in IE7 Standards mode.
This indicates an issue with the script dynamically assigning the class value at runtime.
Observe that the className attribute is being used to set the class property on the table. Also, notice that the id attribute is being checked against the empty string. This check always fails in IE11, as the getAttribute API returns null if id is not defined. To check this, click the Debugger tab and set a breakpoint on lines 43 and 44. You can set a breakpoint by clicking the line numbers.
Refresh the page by pressing F5 and notice that the code never hits the breakpoint, confirming our understanding. To fix this issue we can use the AutoResponder feature of Fiddler to test the updated script on the page.
In the Internet Explorer window, go to File > Save as… Then give the webpage a name, e.g. Events, and save it as HTML on the Desktop.
Then edit the saved page using Notepad and replace lines 43 to 44 with the code below:
if (tables[i] && tables[i].getAttribute("id") == null) { tables[i].setAttribute("class", "block"); }
Download and install Fiddler. Once installed, start the Fiddler tool by clicking Fiddler 4 on the Start Menu. Click Cancel on the prompt that appears.
Clear the Fiddler log by pressing Ctrl+X. Then refresh the Events page.
In the Fiddler log you will see Events.aspx captured.
In the Fiddler window, click the AutoResponder tab on the right-hand side.
Check the boxes Enable rules and Unmatched requests passthrough.
Then highlight Events.aspx and click the Add Rule button.
Then in the Rule Editor section at the bottom right of the Fiddler window, click the drop-down arrow of the second box and choose the option Find a file… Then browse to the modified Events.html page and click the Save button.
Now go back to the Internet Explorer window and refresh the Events page.
Now Fiddler should catch the request and respond with the modified Events page, and you should see the correct style applied to the table elements.
Note: In order to fix the problem permanently, the script on the page would have to be changed on the server hosting the website.
Note: This issue can also be fixed by forcing the page to render in IE7 standards mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of this page on the server.
<meta http-equiv="X-UA-Compatible" content="IE=IE7"/>

GetElementByID
Changes in the getElementById API cause the webpage to break, as the API is case sensitive. To remediate this, we will have to modify the CSS of the webpage at the source. One would use the Fiddler AutoResponder to change the code to onclick="LaunchVideo('overview');".
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Stay logged in and navigate to the Training Videos page by clicking Training Videos in the left menu. The URL for the page is: .
Click the first video, which is the Overview video. Observe that nothing happens and the video does not play.

Local Fix
In the Developer Tools window (activated with F12), select the Console tab and clear any errors (if any).
Click again on the first video, which is the Overview video. Once you click the video, the console shows the error message with a link to the source code that caused it. Click the link and you will be taken to the Debugger tab at the line where the error is.
If you go a little up in the code, on line 106 you will see the ID is "overview" in lowercase.
In the Internet Explorer window, go to File > Save as… Then give the webpage a name, e.g.
Training, and save it as HTML on the Desktop.
Edit the saved page in Notepad and change OVERVIEW in the LaunchVideo call to lowercase (overview) so that it matches the element ID on Line 106, then save the file.
Start Fiddler by clicking Fiddler 4 on the Start menu.
Clear the Fiddler log by pressing Ctrl+X, then refresh the Contoso Learning Training page. In the Fiddler log you should see TrainingVideos.aspx captured.
In the Fiddler window click the AutoResponder tab on the right-hand side.
Check the boxes Enable rules and Unmatched requests passthrough.
Highlight TrainingVideos.aspx and click Add Rule.
In the Rule Editor section at the bottom right of the Fiddler window, click the drop-down arrow of the second box and choose Find a file… Browse to the modified Training.html page and click Save.
Go back to the Internet Explorer window and refresh the Training Videos page. Fiddler should now intercept the request and respond with the modified Training Videos page, and you should be able to open the Overview video.
Note: To fix the problem permanently, the source code of the page has to be changed on the server hosting the website so that the ID used in the handler matches the element's id attribute exactly.
Note: This issue can also be fixed by changing the Document Mode to IE5 Quirks Mode in the Developer Toolbar, where getElementById is case insensitive.

Z Index Default Value
In IE 5/6/7 the default value of z-index is 0, but in IE 8+ standards mode it is auto. Script that tests for the old default therefore breaks.

Task / Detailed Steps
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Launch Internet Explorer 11 and navigate to the Contoso Learning Site using the URL . Re-login if required. This is an intranet site designed for IE6. On mouse-over of the menu text you should see tool tips; in IE 6 this works fine, but in IE 11 no text is displayed.
Mouse over the menu items; no tool tip appears.
To check the logic on the page, right-click and select View source. This opens the page source in the Developer Tools under Debugger.
Look for the onmouseover event of the image. The logic reads the element's z-index and compares it with "0", the default z-index value in IE 6; in IE 11 the default is auto, so the comparison fails and the tool tip is never shown.
To work around this temporarily, change the document mode using the IE 11 developer toolbar: press F12 to open the Internet Explorer Developer Toolbar (if it is not open already).
Click the Emulation tab.
Select Document Mode 5 and User agent string Internet Explorer 6.
Observe that the tool tip text is now displayed.

Permanent Fix
To resolve this issue the JavaScript on the page should be updated to assign a z-index to the DOM object explicitly before comparing its value, rather than relying on the browser default.
Note: This issue can also be fixed by forcing the page to render in IE5 Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of the page on the server:
<meta http-equiv="X-UA-Compatible" content="IE=5"/>

Content Centering
Centering block content with the text-align property is quirks-mode behaviour; in Internet Explorer 9+ standards mode text-align centers only inline content, so a site developed for IE6 that centers its layout with text-align renders left-aligned. Block content has to be centered with an explicit width and margin: 0 auto instead.
To remediate this we have to modify the CSS of the webpage at the source. To find the correct CSS values to add to the page on the server we can use the Developer Tools.

Task / Detailed Steps
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Navigate to the Blogs page by clicking the Blogs link in the left menu. Re-login if required. Observe that the page is not displayed correctly.
It is aligned to the left instead of being centered.

Local Fix
Press F12 to open the Developer Tools.
Select the body element under the DOM Explorer tab. Observe that the text-align property has been set on this element. This is the typical case of content centered with text-align, which rendered correctly in earlier versions of IE.
Also observe that the margin property has been set to 0px auto, which should center the content in IE11.
Also observe that two margin properties are applied to the body element. One of them is defined inline in the Blogs.aspx page, and that one has !important appended to its value, which forces the browser to override the stylesheet's margin.
Uncheck the second margin value. The first margin value is enabled automatically and the page now renders correctly.

Permanent Fix
To remediate the issue at the source, the developer needs to remove the inline margin style (the one carrying !important) defined on the page, so that the stylesheet's margin: 0px auto takes effect.
Note: This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-UA-Compatible meta tag, as shown below, to the head section of the page on the server:
<meta http-equiv="X-UA-Compatible" content="IE=5"/>

ActiveX Controls
Microsoft ActiveX controls are reusable software components based on ActiveX technology. They add interactivity and additional functionality, such as animations or pop-up menus, to a Web page, application, or software development tool. Internet Explorer 7+ and Internet Explorer 6 on Windows XP Service Pack 2 (SP2) block controls that are unsigned, invalid, or explicitly distrusted by the user. In Internet Explorer 9+, users can allow a control to run on more than one Web site, or on all Web sites, by responding to the Information Bar that drops down when a control is requested.
These sites can also be edited through the Manage Add-ons interface.
ActiveX blocking can be remediated by one of the following techniques:
Ensure that the ActiveX control is signed. Refer to the following link for ActiveX signing: (VS.60).aspx
Ensure that the certificate the client trusts is the one that signed the control served by the server.
Add the website to the list of Local intranet sites.

Task / Detailed Steps
Complete these steps on the CLIENT1 virtual machine.

View the Incompatibility
Navigate to the Contoso Learning Website Obtain Licenses page. The URL for the page is: . Re-login if required. Observe that a security prompt for the control is displayed.

Install the Certificate
Note: The steps below add the publisher's certificate to the Local Machine Trusted Root Certification Authorities store so that the lab's self-signed control installs. Outside the lab, do not trust an unknown publisher's certificate this way: anything signed with that key is then trusted machine-wide. Have the control signed with a certificate that chains to a CA the enterprise already trusts, and distribute any required roots through Group Policy.
You will notice a warning because the publisher cannot be verified; click the Unknown Publisher link.
Details of the digital signature are displayed; click View Certificate.
The certificate is shown as not trusted; click Install Certificate…
The Certificate Import Wizard opens. On the first screen select Local Machine and click Next.
Select Place all certificates in the following store and click Browse…
Select Trusted Root Certification Authorities and click OK.
Click Next, then Finish, then OK once the import succeeds.
Click OK on the Certificate dialog, OK on the Digital Signature Details dialog and OK on the Security Warning dialog.

Signed ActiveX Control Installation
Press F5 to refresh the page now that the certificate is installed.
You will receive the prompt again, this time indicating a signed control from a known publisher. Click Install.
Press F5 to refresh the page. The control is still not shown. Close Internet Explorer.
Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer. Double-click Let users turn on and use Enterprise Mode from the Tools menu.
Click Enabled.
Click Apply and OK.
Open Internet Explorer and navigate to the Contoso Learning Website "Obtain Licenses" page. The URL for the page is: . Re-login if required.
Press F12 to open the Developer Tools. Click the Emulation tab and, for the Browser profile, select Enterprise.
You will see that Enterprise Mode is enabled from the Tools menu, and the Obtain Licenses button is now visible.
If it is still not visible, go to Tools > Manage add-ons and check whether ContosoLicenseControl.ObtainLicense is enabled. If it is disabled, click Enable, close the window with Close and refresh the page.
Click the Obtain Licenses button. The ActiveX control is now installed. Click OK.

Desktop Bridges
The Windows 10 Desktop Bridge gives consumer and enterprise developers a low-friction path to migrate their Win32 apps to the Windows 10 Universal Windows Platform (UWP). In doing so, developers can take advantage of Windows 10 features and app distribution not available to traditional Win32 apps. Win32 apps packaged with the Desktop Bridge also get a cleaner virtualized runtime environment: the app's file and registry writes are redirected into the package's virtual file system and registry rather than the real ones, so install and uninstall are clean. Note that a bridged app still runs with full trust (see the runFullTrust capability later in this lab), so this contains the app's footprint; it is not a security sandbox. For more information on the Desktop Bridge see: 
This lab provides a walkthrough of converting a Win32 app to a UWP package using the Desktop App Converter.
Prerequisite: Build a Windows 10 Developer Machine (Section 3.3.1) before proceeding with this lab.

Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)
In this activity, starting from an MSI installer, you create an AppX package that keeps the best of both worlds: the flexibility of a Win32 app and the better distribution and servicing model of an AppX package.

Task / Detailed Steps
Complete these steps on the WIN10DEV virtual machine.

Install the Desktop App Converter – Version Check
Make sure your computer is up to date with the Windows 10 version required by the Desktop App Converter.
To check, click the Start button and choose Command Prompt: at the top you will see the Windows 10 build number, which should be 10.0.17134.xx.

Install the 'Desktop App Converter'
The Desktop App Converter tool itself can be downloaded directly from the Store at the URL 'Get the app | Get'.

Download the Windows Base Image
The base Windows image is used as the container in which the AppX package is generated. Be aware that this file is large (approximately 3.5 GB). It can be downloaded from the following link: . Click Base Image - Build 17134 and save the file to C:\Windows\Temp.
Note: The build of the base image must match the build of the OS. In this case we are working with Windows 10 17134.

Launch the 'Desktop App Converter' as Administrator
Press Start and type Desktop App Converter.
Right-click the Desktop App Converter icon and choose Run as administrator. Accept the UAC prompt. Under the hood it is simply a PowerShell prompt, since PowerShell is the technology behind the Desktop App Converter.

Install the Base Image
Install the base image by executing the following PowerShell commands in the folder where you copied the downloaded file (or pass the full path of the file to the -BaseImage parameter):

Set-ExecutionPolicy Bypass -Scope Process
DesktopAppConverter.exe -Setup -BaseImage C:\Windows\Temp\Windows_BaseImage_DAC_17134.wim -Verbose

Note: Set-ExecutionPolicy Bypass without -Scope changes the LocalMachine execution policy for every PowerShell session on the machine; -Scope Process limits the change to this elevated console, which is all the converter needs.
Note: The operation takes a while and at some point may ask you to reboot: the Desktop App Converter relies on the Windows 10 Containers feature, which is not installed by default.

If you get an Error
If you get an error related to Containers, you can install the feature manually: right-click the Start button, click Run, enter appwiz.cpl, click OK and then Turn Windows features on or off.
You will find one called Containers; enable it, click OK, let the installation complete and, if asked, reboot the computer.
Note: The Containers feature is available only on Windows 10 Pro or Enterprise.
Now you are all set and ready to convert your first application.

Start the Win32 to UWP Conversion Process
Note: You will convert the Win32 sample app 'Hello Centennial'. Remember that the Desktop App Converter does not modify your application binaries. It runs the installer inside the container, monitors the file locations and registry entries created at install time, and uses that information to build the package your Win32 app will run from.
Download the 'Hello Centennial' sample Win32 app's MSI file from here: . Create a folder called C:\Installer and copy the file HelloCentennial.msi there.
Create another folder called C:\Output\HelloCentennial.

Launch the 'Desktop App Converter' as Administrator
Press Start and type Desktop App Converter.
Right-click the Desktop App Converter icon and choose Run as administrator. Accept the UAC prompt.

Start the Desktop App Converter Process
Note: DesktopAppConverter flags:
-Installer is the path to the setup file to convert. In this case it is the HelloCentennial.msi file previously downloaded from GitHub.
-Destination is the folder where the output files created by the conversion process are stored.
-PackageName is the name to give the package.
-Publisher is the publisher name of the application. If you have previous experience with UWP development you will recall this value from the manifest file of a UWP app; it is assigned uniquely by the Dev Center when you open a developer account.
For the moment, for test purposes, you can use any name; it only has to start with CN= and contain no spaces.
-Version is the version number of the app.
-MakeAppx means that, in addition to generating the folder containing all the files to be packaged (assets, the manifest, etc.), the AppX package itself is generated immediately.
-Verbose is optional and shows all the details of what happens during the conversion.
-Sign automatically generates the certificate needed to sign the AppX package. Without a digital signature the package cannot be installed at all, and a package signed with this auto-generated certificate installs only on a machine that trusts that certificate.
Download and install the Windows 10 1803 SDK: . Then in PowerShell type the command:

DesktopAppConverter.exe -Installer "C:\Installer\HelloCentennial.msi" -Destination "C:\Output\HelloCentennial" -PackageName "HelloCentennial" -Publisher "CN=Awesome-Apps-Inc" -Version "1.0.0.0" -MakeAppx -Verbose -Sign

Inspect the Output folder. At the end of the process you will get a folder structure like the following one:
The real work done by the tool is inside the PackageFiles folder:
As you can see, this folder looks much like the one Visual Studio creates when you start a new UWP project. There is an Assets folder containing the default images used for the tile, the Store and the Start menu icon, and a manifest file called AppxManifest.xml.

Open the AppxManifest.xml File
Notice that it is like the manifest file of a UWP app. However, compared to a native UWP app, you will find a couple of differences:
You will find the following Capability, which allows the application to run with full trust.
This option is available only for converted apps; a native UWP app does not have this kind of access. runFullTrust is a restricted capability (hence the rescap namespace): the process runs as an ordinary desktop process with the full rights of the signed-in user rather than inside the UWP app container, so the package does not sandbox the application. Treat a bridged app with the same scrutiny as the Win32 binary it wraps, and only sideload packages from publishers you trust.

<Capabilities>
  <rescap:Capability Name="runFullTrust" />
</Capabilities>

You will also find an Application entry with the information about the Win32 process that the UWP container will launch:

<Application Id="HelloCentennial" Executable="HelloCentennial.exe" EntryPoint="Windows.FullTrustApplication">

Continue Inspecting Output: Registry.dat, VFS Folder
Other files and folders captured the MSI setup process. For example, the Registry.dat file contains all the changes applied to the registry, and the VFS folder holds all the files copied during installation. For instance, you will find the main executable (the original Windows Forms app) under VFS\Users\ContainerAdministrator\AppData\Roaming\Matteo Pagani\Hello Centennial.

Attempt to Install the Converted App (APPX)
Double-click the file HelloCentennial.appx and you will be prompted with the following dialog.
If you press Install out of the box, you will see the following error.

Install Certificate to Resolve Error
Note: By default a UWP package must be signed with a valid certificate to be installed, and that certificate must be trusted by the computer. When a UWP app is published to the Store this is transparent: the Store signs the AppX package with a valid certificate during submission. Here we are sideloading the package without the Store, so we have to take care of signing it ourselves.
When we ran the Desktop App Converter we passed the -Sign parameter, which already did the hard work for us.
The package is already signed; the problem is that the certificate used to sign it is not trusted by our computer, which is what causes the installation failure.
To solve this, add the certificate to the Trusted Root Certification Authorities store of the computer. You will find it in the folder generated by the tool (the one with the AppX package and the PackageFiles folder); it is called auto-generated.cer. Double-click it, choose Install Certificate and, when asked where to install it, choose Local Machine and then Place all certificates in the following store. Press Browse, choose Trusted Root Certification Authorities and complete the wizard.
Note: auto-generated.cer is a self-signed test certificate. Anyone holding its private key can sign packages that this machine will now install, so remove it from the Trusted Root store when the lab is over and, for real deployments, sign packages with a code-signing certificate issued by the enterprise PKI or publish through the Store instead.

Retry Installing the Converted App (APPX)
Double-click the file HelloCentennial.appx. Uncheck Launch when ready. This time, after pressing Install, you will see a progress bar showing the installation status and, at the end, the window will look like the following one.

Find 'HelloCentennial' in the Start Menu
Press the Windows key and type HelloCentennial.
Note: You now have a Win32 app embedded in a UWP package. The app has a tile, you can pin it to the Start menu and, to uninstall it, right-click it and choose Uninstall.

Launch the Converted App: 'HelloCentennial'
Select the app from the Start menu to launch it.
You will notice that it is still a Win32 app and can create a text file on the user's desktop without any extra dialog or permission prompt, which is exactly what runFullTrust means in practice.
Note: You may have to download and install the prerequisite for the app to launch, which it does automatically: .NET Framework 3.5 (includes 2.0 and 3.0).

Additional Labs

MDM WINS over GP
Prerequisite Sections:
Windows Insider Lab for Enterprise – Setup Guide
Section 3.2 - Cloud Environment
In a traditional environment, configuration policies are managed by Group Policy; however Modern Management of Windows 10 with Microsoft Intune also has a set of policies, some of which duplicate Group Policy settings (where applicable; not all Group Policies are available via MDM or a CSP). In environments where both Group Policy and Intune deploy policies, the question is which policy wins. The following describes which policy wins according to Windows 10 version.
Windows 10 version 1709 and earlier: Group Policy overrides MDM policy, even if an identical policy is configured in MDM.
Windows 10 version 1803 and later: a new Policy CSP area called ControlPolicyConflict includes the policy MDMWinsOverGP, which controls which source wins, i.e. lets Microsoft Intune MDM policy take precedence.
For more details about the new ControlPolicyConflict setting please visit: 
What happens to the policy if the device is unenrolled from Intune?
If applicable, Group Policy will re-apply its policies in this scenario.

Setting up a Policy
In the link above, the scope of the policy is Device, so we need to target the policy at the device scope.
To learn more about user and device scopes please visit: 
Since the ControlPolicyConflict policy applies to the device, we use the following string to configure it: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName
Replace AreaName/PolicyName with ControlPolicyConflict/MDMWinsOverGP. After the modification, the policy OMA-URI looks like this: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Creating the Policy
Let's create a new policy in Intune to control the GP vs. MDM winner.
Navigate to the portal and locate Intune.
Select Device configuration | Profiles | Create profile.
Under Platform select Windows 10 and later.
Under Profile type select Custom, then Add.
Give the custom setting an intuitive name.
For OMA-URI add the policy OMA-URI string: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
For Data type select Integer and enter the value 1.
Supported values for this policy are:
0 (default) - Group Policy wins over the MDM policy.
1 - The MDM policy is used and the GP policy is blocked.

Let's take a look at how the Policy is Applied
On the Windows 10 device, select the Windows icon > Settings > Accounts > Access work or school and, under the account name, select Info.
Sync with Microsoft Intune by selecting Sync.
Once the sync completes, select Create report.
Once the report is completed a folder opens containing an .html file.
Open the .html report and search for "MDMwins".
GP setting before the MDM policy takes effect:
MDM setting after the policy is applied (Note: Windows 10 1803 is required to override the GP):
Let's also take a look at the report in Intune about the policy and whether it was successfully applied. This is useful to confirm that policies are actually applying.

Logging
Being able to
investigate modifications to a device is extremely important, especially when troubleshooting.
In Event Viewer we can access the event where the policy was applied, as shown below. However, digging through events, especially across multiple devices, can be a difficult process. This is where Microsoft Operations Management Suite (OMS) comes in.

Logging with Microsoft Operations Management Suite (OMS)
Within OMS, the Log Analytics solution manages logs from devices with the OMS agent installed. I won't go into details about installing the OMS agent, other than to say it's straightforward. Once the agent is installed (I have it installed on all my devices so I can look at label changes with Azure Information Protection (see my previous post) and other aggregated information), we need to grab the proper event log name and populate that in Log Analytics.
Find and copy the event log name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider.
Paste the event log path into Log Analytics under Settings > Data > Windows Event Logs, as shown below:
Give the logs a few minutes to sync from the device to OMS, then run the query below in the Log Analytics query editor and look for the MDMWinsOverGP policy created above:
For more details about Windows 10 MDM logging please visit: 

Existing Group Policies to determine Migration to MDM
Use the MDM Migration Analysis Tool (MMAT) to evaluate which Group Policies are set for a target user/computer and cross-reference them against its built-in list of supported MDM policies.
Download the MDM Migration Analysis Tool (MMAT): 
For additional details about creating custom ADMX policies, view the following two videos:
Enable ADMX backed policies in Intune: 
ADMX backed policy import example: 
Keep up to date with MDM policies and other features via What's new in MDM enrollment and management: 
Tags: ADMX, ControlPolicyConflict, Courtenay Bernier, Device Management, EMS, Enterprise Mobility Suite, Intune, MDM, MDM Migration Analysis Tool, MDMWinsOverGP, Microsoft Azure, Microsoft Intune, MMAT, Mobility, SCCM, System Center Configuration Manager, Windows 10, Windows 10 Mobile

MAM FAQ
For frequently asked questions about MAM and app protection, refer to: 