Intune Onjob And Job Oriented Training | Intune MDM Course | Intune Tutorial | Intune L1, L2 , L3 |

Intune Onjob And Job Oriented Training | Intune MDM  Course | Intune Tutorial | Intune L1, L2 , L3 |

Show Video

from some people who is joining late so let me share my screen and let me know if you are able to see it okay can you all see my screen yeah it's visible yeah great thank you okay so uh just to start off with my introduction so my name is Raj uh I have overall experience of um for 30 years I've been working with uh in tune for last uh 7 years and earlier I was working with SSM and other endpoint related Technologies okay so uh I currently work in a product based company uh as an architect for uh the complete end user Computing workspace okay and uh this course uh to be very specific is only related mostly to InTune okay and uh we uh I will just uh share the list of the topics that you I'm planning to cover in this uh session it'll be basically covers off with a pure L1 who absolutely don't have any idea of what exactly in tune is and I'll just go ahead The Next Step around L200 where people already have working with in tune in their companies but still they need more clarity more in depth and understanding of what exactly InTune is and how the real world scenarios and how to actually Implement and then troubleshoot work and then day-to-day operations of all how in actually is used in an organization okay I would request everyone to mute uh I'm actually muting from my end and unless if you really want to speak out uh then please go ahead and unmute yourselves and uh talk okay so why do we have to learn in tunee I mean we know right so when it comes to InTune InTune is nothing but a mobile device uh management tool okay earlier MDM tool was a bit different uh because we had two different sections two different tools one was purely to manage their mobile devices and users mobile devices in an organization and uh and also to manage uh windows with tools like GPO and secm okay so uh there were all different tools okay so we had secm landesk for patch management we had uh hpca we had ibmt there are so many huge Enterprise to tools earlier okay now in this modern work and then Modern Way work environment where many people and many organizations are shifting to more cloudbased Technologies they needed a single tool they needed just one single tool which can manage both computers desktop PCS and also mobile devices okay and hence uh the narrowing approach of two different tools having like you know earlier we had uh air watch for mobile air watch and mobile iron for mobile devices and people used the different product like SCM for managing uh windows those desktop operating systems in an organization now they just want to unify a single tool so that it's easier to manage as an IT administrator and if you actually look at it uh why we actually why is everyone in this uh corporate it World wants to use in tune okay so this is the Gartner report this is the last year's Gartner report then even to even in August 2023 also this is again Microsoft is still the number one MDM and end user Computing and is a uem tool okay and and unified endpoint management tool so there is hardly any competition for Microsoft at the moment so every organization will eventually one or the other day will move away from their competition products any competitor products to Microsoft eventually why because they multiple reasons why an organization will tend to move to Microsoft multiple reasons like cost uh if they already have a license for Windows they don't want to buy an additional license for uh AirWatch mobile Aon or any other third party MDM tools so they can just buy a single license each license can have can be used up to five devices so any organization with any number of users will have U not more than five devices a single license can satisfy all of the end point needs okay so this is one of the main reasons why uh computer many companies move to InTune and uh licensing is one thing second thing is ease of management okay so with in tune almost all of the features and uh uh functionalities that you find in other products is also available right now with InTune so that's one thing and now coming back to there's two different we we are speaking about two different kinds of management one is the PC desktop management the other one is the mobile device management so if you look at traditionally what actually happened with the 3D uh well the past 20 years there were Solutions like gpos right the group policy objects and the identity was through active directory and every kind of Windows deployment was through either WS or the secm the OSD so in the operating system in an IT world they used to image the operating system deploy it with multiple tools like WDS and uh which is which was integrated with the system center configuration manager so all of these traditional tools look at the screen like know active directory and then allowing the windows machines to join to domain thereby you get the group policies and rest of the management was taken care by secm right all of these tools had very thick presence of on compromising servers right so everything needs to be created everything every server has to be created we need to install the softwares on those sof those servers the server themselves have to be managed if you look at the waym is installed and monitored and managed that itself is a huge team in any organization I'm not talking about the operational part I'm talking about the SCM maintenance itself patching upgrading the servers batching and upgrading the secm application itself okay and then monitoring ports closing opening and then working with your networking what thing and this SCM is connected to a database so you need to work with your database administrator get the appropriate uh permissions in order to set up an secm configuration for an Enterprise organization it would not take less than 3 months right but today if you actually go to with InTune you just need to buy it okay and people with Office 365 experience can easily relate to this earlier when it was exchange on premise the entire exchange on premise setup was a huge complex uh uh task right it has to be so there was so many designs hlds llds approvals ports uh working with different network team what needs to be exposed outside which servers needs to be placed in DMC all that kind of design used to take a lot of time but today if you go to Office 365 all you have to do is 90% of the task is just to buy a license if you're an organization with 500 users or 10,000 users you just need to go and buy 10,000 licenses right from as soon as you buy it you just need to have a user in Azure ad and start assigning the licenses all of your new or old employees or new employees on new chines they will have their email inboxes their one drive their SharePoint all kinds of access instantly there is absolutely no need to set up so that is the uh uh Cloud advantage that you get you don't need to buy anything don't need to set up sorry you need to buy something but you don't need to buy additional infrastructure server server licenses uh people to manage service everything is now ready is everything the whole Cloud part is I mean the servers everything is managed by Microsoft all you have to do as an IT administrator is to just manage those policies those users those functionalities yeah so you don't have to do anything in the back end so similarly that was how even the InTune is now set up right so we are moving from on promise structure to the cloud structure so instead of active directory we have Azure active directory yeah so now it is called entra ID but here it's purely we're talking about identity based functionality so earlier identity was active directory now here identity for a device identity for a user is now asure active directory okay so it was domain join earlier so and now because we right if you go to any client machine every machine used to join to a domain so that you can log into the domain credentials similarly we have Azure ad join so we joining the machine to asure active directory okay so one thing to keep in mind here is active directory is completely a different thing it's a directory service that is on promise it doesn't mean that the same thing is mve to Cloud okay Azure active director is not exactly an active directory in on promise that that is M to Cloud okay so aure active directory is a lightweighted identity and access management solution from Microsoft all it has is just the usernames and few attribut Utes Associated to the username and few attributes associated with the devices okay apart from that there is nothing great I mean there's no additional functionality that sad provides to the endpoints it just gives you identities traditionally active directory policies here in this left hand side once you join the device to machine you can actually push the group policies that you create but here you don't have a group policy in asure active directory we just have MDM policies which is in tune policies okay so for all the patch management software application deployment and any other software and Hardware inventory all this reporting we had SCM as a server and now here all other policies security and non-security policies can be moved from uh SCM to the cloud-based solution which is in tune so you just need to log into the console and then start creating policies and assigning it to the devices so it is very very simple way of administration one of the biggest Advantage for uh any cloud-based solution not just in tune is the connectivity okay so if you have all the servers residing on an on promise data center in your private corporate Network it is very difficult for the client machines who are sitting at home or who are connected to a public internet to communicate back to the service right your client machines like Windows 10 or mobile devices in order to communicate to a server which is sitting in your corporate environment it needs a VPN solution it needs some kind of uh corporate network connectivity to the client machine so what happened during covid so one of the reason is many people after Co would realize that it is very important to have a cloudbased solution and hence everyone mve to inun for last four years if you go to any other big organization like service based companies you'll only see migration projects Fromm to intun you'll only find co-management projects you'll find projects from migrating from other MDM Solutions like AirWatch mobile iron into InTune okay so this is this will stay for next 5c 6C or 10 years only the migration part okay so most every company will start moving to In Tune eventually one or the other day and you might have already realized it if you're working in a corporate environment and you see that when you talk to customers when you talk to uh management you'll understand how InTune is the leading uh product in all the almost all organization so the other thing is InTune is part of M365 solution from Microsoft okay so you don't have to buy in tune license alone to do something what many Enterprises actually do is they just buy one single M365 product one M365 license the M365 license has uh includes everything okay which is your collaboration suit your Office 365 entire Suite so if you buy one M365 license subscription you'll get Windows operating system subscription you will actually get Microsoft teams Outlook all this email SharePoint one drive storage of 1tb okay all this Yammer via goals all kinds of collaboration and modern work site products you'll actually get with that license and second thing is Windows operating system so what's the third thing to manage all those users and their devices we need some products and solutions security Solutions we also get that as a part of M365 license okay it's actually a suite which has many products so InTune is one of that product where it is included in M365 so we have Defender for end point which is your EDR the endpoint deduction and response your anti molway solution okay this uh vulnerability management all kinds of security software you actually get as a part of M365 resolution in in addition to Office 365 so one single license will cover entire need most of the need for any organization to manage these collaboration requirements like teams meetings emails one drive storage in tune security non security settings everything okay I'll just show you what is available but that is the difference okay so that is what uh uh you actually get with a one single license but in this course we're only focusing mainly on InTune related stuff okay nothing more uh traditional it when we talk about traditional it if you had joined an organization four five six s years back if you really need a new laptop you need to walk up to the it right you need to walk up to the it go go go you say that you are a new joiny of this organization and you actually take a laptop from the it to set up a laptop for you will take some time he has to reimage it he has to take a device image it add to the domain follow some process and give hand over the device to you okay there's a lot of work involved in the back end before you get a new device right so this is not the case anymore because most of the people are sitting at home most of the people needs the devices be to be sent at home and everything need to be operational remotely they don't need to rely on a corporate device connecting to a corporate Network okay they need something like Cloud B cloudbased management tools so what is cloud-based Management in short if you all have absolutely no information it is very simple 10 years back if you all need to access emails you can only go do that by going into the corporate office Network and access emails it is very difficult for you all to access emails outside of the corporate Network okay unless you set up a exchange yeah DMZ facing server which relays emails so with Office 365 and Cloud no matter where you are you can access emails as long as it allows you can access emails from your cyber cafe your mobile phone your home computer everything okay at least limited access you'll get it so that is the advantage of having cloud-based it's just internet based okay the entire management is also for that device will now stay as cloud-based no matter where you are you'll get updated InTune will send software update policies InTune will send application deployments InTune will send security and non-security policies and it can know that your device is here your device is reporting your device is compliant to the standards that it has defined yeah okay so this is what exactly I was talking about if you look at at an Enterprise level and if you're working in a team of M365 solution you'll get you'll come to know you'll actually start working with many people okay so Microsoft InTune is one security product they have additional product called as Microsoft Defender Advanced threat production the ATP now it's defend of for end point the entire Microsoft InTune is dependent on Azure active directory so without Azure adid there is no in yeah in the same terms as like you know without Azure adid there is no Office 365 okay so even if you buy a simple basic Office 365 license you will actually get Azure active directory by default which is already enabled for your tenant you don't have to buy it separately same thing goes if you today you don't have anything in your organization you buy Microsoft InTune they will give you Azure active directory in the back end so you'll actually get to work with the aure thre prodection your Office 365 thread Protection Team and then Microsoft Cloud app secuity one again which is a part of EMS subscription but this is one uh it's a it's a Casp solution okay the broker solution okay so this is uh in short Microsoft Cloud app security what it actually does is it it protects your device connect in to harmful cloud-based Solutions and upload something okay or download something and also monitor it okay you might have seen multiple Solutions in your office if you're working so this is like you know sa for example you using your corporate laptop to upload to Google Drive you want to upload your confidential information non-confidential information or any other files that you want to upload your data personal data photos movies to Google Drive iCloud or one drive personal one drives everything will be tracked with this Cloud app security tool you can block it you can monitor it it can allow it I can it can warn you okay they can do all of this with Cloud app security tool so same thing goes with Defender for endpoint which is again a powerful threat it's both are agentless okay don't have to all of the Microsoft Solutions in this modern workspace windows 10 and 11 mostly are agentless they have already inbuilt agents within the operating system you just activate it you just enable them you just start the services so there is nothing like you know a Microsoft InTune client okay there is nothing like Microsoft Cloud app security client or even the defender client you don't have to install anything you just need to enable it and that is done remotely from as soon as you device is enrolled the cloudbased solution everything gets enabled it's very easy to start managing the device so uh yeah that's that that that is what I was saying agent last right if you today if you want to manage a device with SSM you need to install an SSM agent if you need to manage an antivirus solution you need to install macafe antivirus not an semantic antivirus if you need to install your Z scaler to monitor it and then traffic monitoring you need to install zcr client application so everything you need to install because there are all third party applications they need to install their agent and agent can do its job and send the reporting status back to its services so but here in most of the Microsoft solution the agents are INB built within the windows all you just need to do is just enroll it you don't have to install in and keep updating it so this is uh if you actually look at a high level if you start working uh with some consultants and Architects and a team of end user Computing space they only think about uh enforcing the protection on the endpoint not see there's different ways to to look at it okay people who come from packaging background they'll only think that in is a packaging tool we need to package applications upload it and deploy it people who come from packaging sorry patching background they think that inun is a patching tool where you can download patches and start pushing patches to the client machines okay we have different kinds of perspectives of what exactly InTune can do okay but the way modern Consultants mean the Microsoft's approach of InTune is completely different it's more of uh security tool which manages the security posture of your endpoint so with that it has multiple products integrated I was just speaking about the entire uh management portfolio right so you have identities you have Defender for identity you have Microsoft Azure ad to protect your identity on the device or outside of the device and and for the endpoint you need to protect the endpoint and for that we have Microsoft Defender endpoint and in tune which assets assets the defender for end point this Cloud app security protecting something within the device is fine like you know by bit Locker encryption you can protect your hard drive by pushing an mway solution Ransom way protection or attack surface reduction policies on the end point you can actually push you can actually protect the state of the endpoint manage device but what about online devic online tracking online transactions that you can actually do with Cloud app security okay the entire information protection which is again protecting your one drive data office is6 all of your cloud data is done by the Microsoft Cloud app sorry Office 365 Defender so the entire package is what you get when you buy a M365 license and you into is a part of it but if you're working in a corporate setup where customers have or a Microsoft shop which have this license you'll get amazing experience of working with all these products okay I will after in tune if uh we'll actually cover at a high level of uh theer for endpoint because every interview that you get into no one will just talk about Microsoft in tune questions everyone will definitely ask you asure 0 questions Defender for Cloud app security and Defender for endpoint only then you can expect some okay uh good jobs okay because those are the organization which I think you all need to Target any organization which only does in tune for uh packaging and patching please don't uh attempt to go to those jobs because you'll never get any experience that's not the future at all the future is all about security and if you have good exposure on Defender for identity Defender for cloud Defender for endpoint and along the with the combination of InTune so it's very tough that skill is very tough to find even today outside in the market okay so people with the networking and the security background if they add in tune they'll do wonders in their jobs the same goes the other way also people who have secm background and if they start adding in tune and Defender knowledge so it's very very Niche skill in this market for next at least 3 to four years okay so we'll we'll talk about all this uh in the next classes but coming back to the core in tune way so if you look at it this is the main uh driven so now we're talking about the user driven from the cloud we have Micro we have autopilot okay so autopilot is one technology where we provision devices remotely okay so it is nothing but taking a brand new device giving it to the end user either sending it to their home or any or even in the office all we have to do is assign a license and create create some credentials and give it to him so he'll just log in he'll power on the laptop connect to the internet he will connect to his aure ad account sign in and done allow the device for 15 20 minutes 30 minutes to the internet his entire corporate laptop will be ready okay I'm talking about the brand new unbox device directly shipped from Dell Lenovo HP all of these it gets those devices they can either ship it or they can directly ship it from the resellers to their personal home at home addresses of new employees or existing employees so that is what happened in last 3 years and if you look at many European and the um us Market most of the midsize and the even the Enterprises started actually doing it they don't have an IT team at all what I mean is they don't have an IT team in every location earlier if five locations had it teams to just servicing the laptops we don't have that anymore okay so there's only one Central it team they have cut short the staff for supporting OS deployment supporting laptop provisioning all these jobs are not there anymore if you look at uh the market today they might be in some Enterprises I'm not saying completely no but it's and if you look at the budget and the IT CTO will always keep looking to cut shot those uh unnecessary tasks okay because they know they can use Microsoft autopilot but they will definitely keep asking it why have you all not implemented autopilot yet okay so that is all about zero tou provisioning and once you once the end user at home connects to the internet uh he will actually get all of these uh settings installation of applications and everything will actually the two things that happens when a person Provisions the laptop at home it joins the device to your ad and later enrolls the device to InTune and once the device is enrolled to InTune all of his policy that is related to his user ID will be actually uh be deployed remotely okay so and before uh we even talk about uh any of these things oh if you look at um mean uh the skill set every time I take take interviews people have actually worked in InTune but they miss the fundamentals of the aure ad and hybrid ad related stuff okay there's no there's bit of uh lack of clarity of what exactly how in tune in the backend fun functions how azur in the back end functions okay because traditionally people have gone by the device names right so if I image a machine let's say for example if it's a mission is in Bangalore we'll probably name it as blr laptop 565 some code right they think that that is a unique idea of the device even today okay many people think that that is a unique that was the case back in ad that is a unique identifier okay sorry active directory or SSM but uh that device naming convention is not valid anymore here in cloud-based thing every device has a unique identity which is a GD which is a 64 digigit number and which is completely different okay then people uh without knowing the basic of this they'll start trying to trouble shoot they'll start trying to find out so many things uh within themselves so but not everyone tells it neither there is a documentation around it it's very difficult to find out for freshers as to what is happening in the background because you don't have any logs we don't have any control of uh anything because it's a cloud-based service all you have is just a Soul okay and there is hardly any reporting of any issues that's found here okay there's no proper mechanism there's no proper reporting everyone who is everyone who uses in knows about it but keeping all that in mind we don't have to worry once we know the fundamental of how in actually works what is it based on it's based on simple identities the your user identities and the device identities okay okay and if those identities are properly reflected in in the policies will have to deploy there is no like you know the policies won't get deployed imagine it's a single product for almost three and a half lakh customers in the world right so if one face faces an issue everyone faces an issue there is 99% of the chances that is no problem in the product right there are all the possibilities the problem problem is with your device your network and your configuration right you cannot say InTune is not working you did not make InTune to work that is the ideal statement if InTune is not working it means that it doesn't work for 300 300 sorry 300,000 plus and three and a half lakh customers plus it won't work there might be some product defects but it's already documented we'll already find that in the internet okay what are the known issues what are the frequently occurring issues how do you overcome this all documented okay so everything is available uh in the internet on all the latest updates on what's coming in the future what's the existing issues when they are planning to fix but if something is not working in your environment if it is working with everyone then it is our mistake it is our configuration mistake it is a setup mistake understanding mistake do you think that it'll work okay so many people even thing that uh a single InTune enroll device multiple people can keep on logging in so it won't work that way you find so many discrepancies in the reporting so the principle when it comes to if a device is only managed with in tune the ideal scenario is the device has to be only managed and sorry only used by a single person and if it's a shared device there is a different concept is configuration it's a share device mode okay so there are a lot of good practice is that we need to set up most of your people who are working with InTune and working with customers their job is to convince their senior people of how InTune Works they'll keep getting back to you and asking make this work make this happen do this push that patch push this patch all this they'll keep telling because they're all traditionally minded most of the Senior Management are like you know they are traditionally minded people they think that the way GPO and SSM work work in will also work okay so that transition is what you'll come across in dayto day life and you're are working as an internet administrator so we'll just cover each and everything while we go on in the upcoming classes but fundamentally what you all need to understand is what is hybrid Azure ad join device okay you'll keep hearing the word but a thorough understanding is important here because most of the Enterprises now are hybrid ASO ad joint okay which means if you have uh the hybrid ad join is uh nothing but if you have a device this is a device it is join your active directory domain Services which is your ad so if you go to settings and check it's not in the work group it is joined to ad which means that you can log into your ad with your domain like know back slash and username and then password that will connect to active directory and authenticate and login that is your traditional active directory joined machine and if this device is also joined to Azure active directory this is a cloud-based identity provider okay so this is the so this is a cloud-based identity provider right so if this device is already joined to this and now it is joined to Azure active directory this now means that it's a hybrid ad joint the same device can also be joined sorry logged in with Azure active directory credentials which is nothing but your UPN username at and then password just like how you log into to emails you can log in okay so that is the difference that is a at a high level that is what is the meaning of azure active directory in the back end there is all different okay you'll get primary refresh tokens you'll have different identity the PRT will actually give you single sign on capabilities all that will be happening the background but fundamental information is your device can be logged into this machine the meaning of join is you can log into the machine with your username and password UPN here you canot login with UPN if you join the device with only as sorry ad you have to log in with domain back slash username of course you can make it work but if it is traditionally Ad work it only happens this way so this is exactly meaning it's joined to both on ad and aure AD it is applicable to Windows current and down level client server join happens automatically and then con configured by admin so what happens in most of the organization is there's are devices that are already active directory domain join so you don't have to do anything additional but now we want a device which is join to Azure active directory for that you push a group policy which will ensure that the device is now joined to Azure that is how it becomes an hybrid active directory machine okay you can also do it this way you can take a laptop join to Azure active directory and also join to active directory manually then you that will become hybrid ad CH and coming back to the next one as I was saying this is as you can see there is no connection between your laptop and hello yes uh this is tangar from chenai like a directory can be join from the Windows server or as well as Linux ad no it's only for Linux cannot be joined Azure ID is not even a directory Services right so it is just a identity provider only Windows because sometimes we create an ad in uh Linux as well so that's very ad is fine but not aure ad okay and uh what it can be like older version of the server can also be connected with ad right or else only the latest one will will be able to support servers servers see servers are completely different thing right inter will not even manage server devices okay because some organization will have a older version of the ad they won't like 2012 or 13 12 12 or 16 will be there so that could be possible to join in ad as or what can be done see all servers can be joined to active directory no one will stop it right every server every operating system can join directory like because you have mentioned in the presentation like Windows 10 only we can uh like there is a no no no that is what I'm saying what I said was you can join this machine to active directory okay you can join the CL client server machines to aure active directory that's all you can do okay you cannot do anything anything than that but the same device cannot be managed with InTune why because InTune devices cannot be managed sorry InTune cannot manage server devices and it can be sorry uh I am getting a lot of disturbance hello who whoever is speaking can unmute because I mute everyone I muted everyone so just to clarify no no actually like what is the scenario I'm asking is like we have an head office uh in some other location but we have certain office in different cities actually as well so at that case like we have a centralized data in the central head office actually but it could be accessible on the branch office or it could not be accessible we need any some privileges for uh to access the see aure ready I still didn't understand your question see is a close based identity access solution so why do you need to access it in order to like in order to some sometimes in order to we move on to some different location like uh employees moves to uh basically the it it in it resource will move on to some other location here they will switch over to different location actually they won't be in single location so why do you want to move it because Azure active directory is only one active directory for your whole tenant whole C whole no I'm not asking you that I'm asking you I could log in with the ID with the same IDE or we can have like uh privilege privilege identity manager can manage that uh if at all we have a root user in the aure ID like we can create a duplicate different ID and we can give privilege to that ID and have an access or not you can actually give it okay so that's a complete whatever you can do it right now it has nothing to do with this say for example both are two different things let's only talk about your traditional active directory okay so whatever whatever you can do in traditional active directory you can continue to do it right it is a simple active directory where you can add your machines and if you want to control your privileges you can use your Pim services or directly uh active directory rback roles and start doing it and and we can also have migrate the on from active directory directly into the ad as well right that could be also possible migrate you mean you want to move this server to Cloud no no like uh we have an active directory which is in on PR actually the office okay and now they are planning to move all the data into the cloud environment in that case uh we can migrate whole thing into the uh aure or like like you need to create you miss the entire thing this server cannot be M to Azure active directory okay so let me let me complete this is a physical server okay if you want to move to Cloud you need to create a virtual machine okay which is your again Windows 2000 server virtual machine or 2020 virtual machine copy this data to this virtual machine here in the cloud okay that is called migration of on premise server to a virtual server virtual machine 2012 machine thereby you're getting rid of the server instead of the mission staying in your on premise data center in your office that machine will now move to Azure or Amazon or wherever you want to create that server it will go and move there the same server instead of physical server you have that as a virtual machine that is called as a compromise to Cloud movement this Azure active directory no one second this Azure active directory don't get confused with this active directory here it this is completely different from this this is your to server where you added your domain services and that became your active directory you can do that same by creating your virtual machine here but the Azure active directory is a single identity and management solution where all of your users names only username and passwords can be copied from this active directory to this synchronized from this to here nothing else no no group policies nothing can be synchronized okay this is your Azure active directory which is also your unique identity provider for your office c65 services also okay now yeah what's your question now actually like uh we have already we we have a predefined on server right we already configur the active directory for it was a huge data 10 years of data we have in the uh server actually in that case like we cannot create that is a normal method right creating a VM VM machine in the server and we are migrating it if just just like migrating the onr server directly without creating any VMS in the cloud we can move on or after creating a VM only we can Pro proceed with it without creating VM how can you move no like uh there is a uh without creating I already been done actually likewise ad can be more I'm just asking you no your server is here without creating a server there how can you move right we cannot move okay so I I have one query over here so let's say um right now we are discussing about Azure ad join machine and hybrid right uhhuh ad mach are hybrid so um in both the scenarios we need active directory oname without that it is not possible to use let's because there are certain policies that we are going to apply like say we have and all other things in active directory domain services but we don't have those things those policies let's say if you want to restrict certain settings in one of the machine then in that case we need act directed domain Services right because let's say right now we are discussing about two things one is hybrid ad joint and one is azure ad joint machines okay so let's say if we don't have on Prem okay so we want to work completely know on the cloud in that scenario also we need active directory domain Services no so we actually don't need that okay so active director domain Services what does it give it gives two things one is you can log to the machine as a identity corporate ID second thing is if you need group policies okay you'll give it you need active director apart from that Windows 10 or Windows 11 Mission at a high level doesn't need anything apart from that for an active directory and if you're moving to Cloud the entire group policies that you are talking about restrictions non- restriction policy security policies simple wallpapers printers everything can be done from InTune so InTune is nothing but replacement for your active directory domain services for GP OS and your application deployment yourm patch management policies again for gpos and in including uh the gpus for malware bit Locker security settings all kinds of settings can be done from in so you don't need active directory at all right now and that is the future and if you go and talk to Microsoft or if you go and talk to anyone any organization right now they will tend to move away from active directory they don't need it anymore unless they come back and say we have a lot of applications which are hardcoded to rely on C Bros authentication and traditionally very old applications that are reliable on active directory and then only then they might need it or they already have a huge setup of some 100,000 devices which are already join to active directory and they're difficult to migrate those policies to on promise because of budget because of of people only then they might stay if they have everything you already see that everyone have started to move to a 100% cloud based machines so is it possible to migrate all the policies which are there in direct domain Services is it possible to migrate those policies as so earlier there was difficulty and now if you look at it Microsoft has given a direct solution to migrate instantly okay you can just upload your GPO file it'll populate all of the into MDM policies and you can just click the button all of your MDM policies will be created in InTune okay so let's say in going forward we don't need active directed domain Services right now why we need that because in some of the scenarios you know um some companies are using hybrid ad joint devices that is the reason we need aure abely absolutely correct not not that is not you set up as a new thing because it's already there it's in more of a transition phase okay and if you think if a person has newly joined an organization you don't even join the the device to active directory you directly join the device to aure start managing with in okay this is how the new management will look like okay and there are and more proper uh sorry more uh this is how Azure ad join will look like and if you don't if you have a b b idid this is how it looks like okay you do you register the device the word registration is different and the word here joined is different you join it as an organization you registered as a trusted user for that own devices we can we have to register them right if the company is giving us devices then in that case we need to use Azure ad joint correct so Azure ad is mostly uh required if it's a corporate owned device if it's a typically user owned device you just register it to get some services like SSO and other things okay this is a picture of what I was just speaking about we have three different scenarios uh one is AD hello yeah just one question you told that in tune will not manage so operating system is that right mhm so if you're trying to migrate our infra to from let's say from ad to asure ad so in that case uh like in our they using SCCM for Server patching and stuff MH so what's the solution in that case see the solution for that if you if you look at it uh I would suggest stay with SSM for servers but if you go ask Microsoft they would say start using Azure Arc for servers migrate all of your servers to cloud and uh Azure Cloud will automatically patch the devices for you actually not aware like uh so that's that's something else Azure Cloud for this service correct okay that's somewhat like to In Tune something like uh no it's bit different Azure Arc will actually manage all of your clouds third party clouds also AWS Oracle GD Google Cloud all this so all of your infrastructure servers you can aure use Azure Arc for managing monitoring remotely patching it okay and are there any third party Solutions available that could be every solution will have a third party product right which would uh which would end the dependence uh in the dependence on ad okay what's the dependence of AD right now like for Server patching and stuff Ser patching doesn't require ad okay okay SSM doesn't require ad to for the device to be joined to ad is just making it simple if you install SSM client it'll start managing patch okay okay hi rajes this is here yes please I just wanted toh check with you if uh if the device is enroll in uh in tun it won't get automatically registered in a if it is you start off enrolling the uh device with InTune it will register with Azure ads but not join to Aur it's not join to Aur does it really need to join the in the Aur no right no okay so the second thing if the group policy which which will not be imported you know manually from we don't have the group policy which is managed to the uh mobile devices through our oname so the in policy will not manage mobile devices oh yeah correct for example if you create the INE policy s production policy will do I mean uh inun alone which will be sufficient right yes for Windows mentions okay so I mean the uh you know whatever the policy we created from the InTune production policy to manage the endpoint devices which will be alone right I mean that it will be sufficient right yes okay got it thank you so whatever is available in GPO right now it is available in InTune almost 80% of the things the other 20 people don't need it so Microsoft didn't get it yeah I got it actually through the chart also so I just wanted to get the double confirmation we have the officei E3 license so we can able to use the conditional policy for the inun right yes so we do not need to have a separate license for as you said earlier is part of it ofy right so 365 is different M365 is different yeah is a Microsoft 365 yeah M Microsoft 365 E3 is fine you'll get inun and uh you'll get Azure P1 also so that is fine so the what the policy we have actually you know um our plan is said that actually office certify then the office certify E3 is comes under Microsoft 365 Lighthouse plan one which will be cover the conditional access I don't remember that I have to check just want I have the chart actually if you look at the chart whatever it says it will be true that's it that chart I cannot memorize it so the office E3 and the Microsoft uh 365 E3 both are different right yes okay both are different okay thank you we can move on Okay so sorry what's the difference aity join or registered registered is uh okay at a high level register is if you register device with aure ID you cannot login okay with Azure ID you have to have your personal admin normal personal laptop right you will have your normal account to log to that and then you can later register it if you join the device you can login with your corporate account your office assy account email account to login I'm saying so it means join is for a official laptop orct reg yeah yeah that is what exactly yeah that is what exactly we said here also right so you see this is registered this is typically user own device and this is join this is Corporate own device okay got it so what happens in the background for between those we can cover when we actually get into those details okay so I think we already crossed this demo class but let me just do at high level so this is what it happens V ID is this and uh yeah so with InTune we can all do at uh this is very minimum policies I mean at a basic level once you have in tune we'll create all the these policies config policies with all the policies which requires all this Hardware encryption system features Hardware software compliance policies we set up a compliance policy conditional access policies and then uh we can do all of these corporate enrollments and everything resource access profiles yes uh yeah these are all these uh Wi-Fi VPN email all of these profiles can be set up on both uh corporate and also mobile devices so that's all about Windows okay so but uh for the same license without paying additional things if someone gives you to manage their corporate mobile devices or even personal mobile devices so everyone will just buy it right they don't have to pay it so that is why I was stressing the need and point of why every company start moving to in they don't have to buy separate products for it and whatever InTune does for mobile devices you know everyone now has their mobile devices in hand everyone wants to join teams meeting from their home phone reply emails do all of their corporate stuff from their mobile devices and everything has to be done securely right so to protect all of the corporate devices both mobiles and laptops we have something called as mobile application management so this is a complete Phil a complete subject by itself both MDM and M for mobile devices uh if it's an Enterprise you'll have a separate role and jobs for doing am and for doing MDM separately if it's a small organization you'll get an opportunity to work with all three platforms if it's a big organization a banking industry or some insurance companies or any other big companies Crossing 30,000 40,000 devices you will have a separate job and a role to manage only mobile devices okay so InTune will manage these devices and it has two things one is MDM and M am is a proprietary way of managing those applications for all those M365 Services okay so MDM is managing the device as a whole okay so if you look at this at high difference if you take an Android device and enroll it you will have sub to separate things okay one is managed apps and one is personal apps this is a virtual container actually if this this is an enroll device all of this data cannot be moved to this you'll have a separate work profile in this managed apps alone okay so I'll just move on I'll show you how it actually works say for example you have an M policy deployed to your machine sorry to your mobile device to your personal home phone okay your iPhone your Samsung your OnePlus any phone that you have you get an email you open an email attachment as say for example Excel you cannot copy it to your one drive you cannot copy to your Google Drive you cannot save it to your phone also okay everything is restricted but you can say open the same attachment Excel file okay copy it in word okay you can you cannot save it in your personal storage but you can save it in your corporate one business one drive for business account okay so what it means is everything that uh everything that is there within the mobile device will actually stay within the personal application I mean the work profile itself okay nothing moves away from your corporate office c65 data to your personal data so that's a huge subject and I'll we can actually deal with complete six to five to six classes on am alone and then conditional access policies related to it and every company will start doing it uh you already seen it okay so every company is already doing it and it depends how expertise you are if you're an expert you can finish it off in one week and uh if you're not an expert to convince your management to con your project team get this design policy get this design document hld lldd is approval it will take four five months a simple thing will also take for five months in big companies right so it all depends so this is one uh thing I just wanted to cover yeah yeah so this is again what I was just talking about Co management there are some companies even today they would like to use SCM so if you go and ask Microsoft yes they'll say we are happily supporting config manager it is not going end of life if you want to use it keep continue to using it if you're okay to use it keep continue I mean continue to use it so con Co management is what you see in most of the big Enterprise organization which is I mean which is very complex to move away instantly right it takes 10 years 5 years six years to change something to set up the config manager and apps itself they might have taken uh around like know 10 years they might have have some thousand applications 2,000 applications if you go and ask them move away all of their applications and push it to into they won't do it right so it is very unnecessary cost for them so they won't know it and hence they'll continue to use both config manager and in tune and this is what 60 to 70% or 50% at least of the organizations I'm talking about uh this one uh Enterprises if you talk about smbs small and medium scale businesses uh no one has hardly very few people had config manager they all have in now in tune so a single client machine can be managed by both in tune and config manager and we can choose what needs to be managed in InTune what needs to be managed from configuration manager if we need to push patches Fromm to here this will not this will not work I mean we cannot uh push Patches from I mean patch policies from int if you have decided if you want to push bit locker from in tune and not withm you can do that okay either one this or this incidentally applications can be pushed by both okay so that is we'll talk about in detail about Co management I have one question is it is it possible to manage like um simultaneously let's say if you want to manage a few applications from the InTune and few applications from the configuration manager is it possible to do that yes we can actually do that okay exctly no Poli no policies no policies any one apart from apps correct apart from apps all other things can be only this either this or this if you if you say scmm will do it n cannot do it if you say in tune do the B Locker policym cannot do it even if you push it it will not work but apps you can push Adobe from here you can push sap from here you can push Chrome from here you can also push Firefox from here I mean uh you can do for apps both you can do but for policies either one and is it is it possible to patch the ma let a software update like uh we use configuration manager s for that so is it possible to um do the software patching from both the things put together like we can use in tune and umm mous for the application we can do that but apart from Poli application deployment you can do for patch no because uh yeah because it will write the same Registries so it will not work hi Raj uh I'm W I'm audible oh yes uh you're audible yes uh thank you for your session I'm just saying the thanks note before my question uh yeah my question is just I have a couple of questions um I will after this uh course in course I would like to know which certification I need to do maybe can you can tell me next class also uh and I would like to know the duration of this course uh the dates Saturday Sunday what timing so that I can plan myself so that's the second question and uh yeah and third question is to complete the InTune certification should I complete Azure fundamental certification would you recommend or without that I can do directly in tune this three question this that's it sorry so coming back to your second question sorry uh InTune uh has MD uh yeah md12 I think md102 yeah and uh what is the duration of this course uh Saturday Sunday and timings and when we will complete so that I can plan my certification accordingly because I'm being chased to complete some certification from Microsoft my company so I'm just planning to complete this one so and to follow up to the same question uh whether to complete the inter certification I should do Azure fundamental would you recommend that is not needed so in tune see I'll tell you what is covered in md2 md102 okay and before that and before many people I I'll answer all the questions that you all have so let me share a number whoever is interested whoever whoever friends are interested you all can actually reach reach out to ath so this course right this course will be uh we don't have really a deadline okay so I have a list of things that can help in the real world scenario because even the previous batch I said 18 hours 20 hours now it is 24 hours it's going on it depends how many people ask questions and all just for to hours 4 hours I don't want to have a hard cut off like you know no my time is over these classes are over it doesn't really make sense for other people who have done who really wanted to know everything so the maximum I can we can dedicate is 24 hours so which is uh 4 hours per week okay okay so if uh everything goes on smoothly and everything uh because earlier we had just 18 hours 18 hours I used to complete but I have added more topics because uh the batches that I finished they kept on asking no a lot of Defender for endpoint questions are asked a lot of all this hybrid ad detailed questions are asked I'm not able to clear all this feedback I received from the previous batches so we I think I've added uh wanted to discuss more of Defender endpoint also because that is I when I know that is the core thing not just in tune in tune plus defend of endo is what is being uh checked uh verified at the interview level because everyone nowadays know in tune okay so but what is lacking is the security part so uh that's the second question so 20 to 22 hours is what we plan so I will uh just to know the tentative plan when it will be completed there is no rush we cannot really I cannot say okay because we are in the December first uh December so if I say next month I can say it is January by mid off if every class is being done and if someone wants to are okay with Christmas holidays classes also I'm fine during week days but not everyone will be ready that is a challenge yeah so 4 hours per week it would be Saturday Sunday or only one day Saturday Sunday uh

2023-12-11 04:31

Show Video

Other news