Lab Guide

Windows Insider Lab for Enterprise

Date: November 5, 2021

NOTE: This guide is the authoritative source of delivery guidance for the Windows Insider Lab
for Enterprise. Where content is absent from this guide, refer to the Windows Insider Lab for
Enterprise – Setup Guide.
Table of Contents

1 Introduction............................................................................................................................................... 5
1.1 Lab Objectives................................................................................................................................................ 5

2 Prerequisites.............................................................................................................................................. 7
2.1 On-Premises Environment......................................................................................................................... 7

2.2 Cloud Environment....................................................................................................................................... 8

3 Lab Setup.................................................................................................................................................... 9
3.1 On-Premises Environment......................................................................................................................... 9

3.2 Cloud Environment.................................................................................................................................... 10

3.2.1 .................................................................................................. Setup Azure and Office 365
.....................................................................................................................................................................10
3.2.2 .................................................................................... Setup Enterprise Mobility + Security
.....................................................................................................................................................................12
3.2.3 ................................................................................... Enable and Configure Cloud Services
.....................................................................................................................................................................12

3.3 On-Premises Environment Post Setup Manual Steps...................................................................14

3.3.1 ....................Build a Windows 10 Developer Machine (for Deskop Bridges Scenario only)
.....................................................................................................................................................................14
3.3.2 .................................................................. Configure Azure AD Connect with Device Sync
.....................................................................................................................................................................16

4 Deployment & Management............................................................................................................18

4.1 Modern Device Deployment.................................................................................................................. 18
4.1.1 ............................................................................................................................... AutoPilot
.....................................................................................................................................................................18

4.2 Modern Device Management with Intune........................................................................................ 25

4.2.1 ............................................................ Mobile Device Management using Microsoft Intune
.....................................................................................................................................................................25
4.2.2 .............................................................................. Dynamic Management with Windows 10
.....................................................................................................................................................................29
4.2.3 ...................................... Mobile App Management for Non-Managed Windows 10 Devices
.....................................................................................................................................................................31

4.3 Co-Management......................................................................................................................................... 34

4.4 Modern Application Management with Intune.............................................................................. 38

 4.4.1 ....................................... Application Deployment and Management with Microsoft Intune
.....................................................................................................................................................................38
4.4.2 ................................................ Application Self-Service with Microsoft Store for Business
.....................................................................................................................................................................40

4.5 Enterprise State Roaming........................................................................................................................ 43

4.5.1 .......................................................................................................................... Prerequisites
.....................................................................................................................................................................43
4.5.2 ..................................................................................... Configure Enterprise State Roaming
.....................................................................................................................................................................43

5 Security...................................................................................................................................................... 45
5.1 Windows Information Protection......................................................................................................... 45
5.1.1 ............................................................................................................. Modern Management
.....................................................................................................................................................................45
5.1.2 ........................................................................................................ Traditional Management
.....................................................................................................................................................................49

5.2 Windows Defender Advanced Threat Protection...........................................................................57

5.2.1 ........................................................................................... Onboarding Windows 10 Device
.....................................................................................................................................................................58
5.2.2 ............................................................................................................... Perform Simulation
.....................................................................................................................................................................60

5.3 Windows Defender Application Guard............................................................................................... 60

5.3.1 ............................................................................................................. Modern Management
.....................................................................................................................................................................61
5.3.2 ........................................................................................................ Traditional Management
.....................................................................................................................................................................64

5.4 Windows Defender Exploit Guard........................................................................................................ 65

5.4.1 ............................................................................................................. Modern Management
.....................................................................................................................................................................65
5.4.2 ........................................................................................................ Traditional Management
.....................................................................................................................................................................67

5.5 Windows Hello............................................................................................................................................. 69

5.5.1 ............................................................................................................. Modern Management
.....................................................................................................................................................................69
5.5.2 ........................................................................................................ Traditional Management
.....................................................................................................................................................................70

5.6 Credential Guard......................................................................................................................................... 92

5.6.1 ................................................................................. Check Credential Guard Requirements
.....................................................................................................................................................................92
 5.6.2 ............................................................................................................. Modern Management
.....................................................................................................................................................................93
5.6.3 ........................................................................................................ Traditional Management
.....................................................................................................................................................................95

5.7 Device Encryption (MBAM)..................................................................................................................... 97

5.7.1 ............................................................................................................. Modern Management
.....................................................................................................................................................................98

5.8 Device Guard – User Mode Code Integrity.................................................................................... 100

5.8.1 ............................................................................................................. Modern Management
...................................................................................................................................................................100
5.8.2 ........................................................................................................ Traditional Management
...................................................................................................................................................................101

6 Compatibility........................................................................................................................................ 108
6.1 Windows Analytics Upgrade Readiness.......................................................................................... 108

6.2 Browser Compatibility............................................................................................................................ 108

6.2.1 .......................................................................................................................... Prerequisites
...................................................................................................................................................................109
6.2.2 .................................................................................................................... Enterprise Mode
...................................................................................................................................................................110
6.2.3 ..................................................................................... Browser Compatibility Remediation
...................................................................................................................................................................113

6.3 Desktop Bridges....................................................................................................................................... 123

6.3.1 ..............Desktop Bridge – Convert a Win32 app Installer to a UWP Modern App (APPX)
...................................................................................................................................................................124

7 Additional Labs.................................................................................................................................... 132

7.1.1 ............................................................................................................ MDM WINS over GP
...................................................................................................................................................................132
7.1.2 ............................................................................................................................. MAM FAQ
...................................................................................................................................................................138
1 Introduction

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try
new experimental and pre-release Enterprise Privacy and Security features. There are two
versions of the lab:

 Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest
Microsoft 365 enterprise features through access to Olympia Corp - a virtual
corporation has been set up to reflect the IT infrastructure of real world business.
Customers are invited to join Olympia Corp through our online survey. Qualified
customers are then provided with a username and password to access the cloud-
based lab.

 Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365

deployment and management testing environment that can be run directly on your own
machines. The lab features both client and administrative functionality, including System
Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise
Mobility + Security evaluation trials. Customers can also add the latest Windows 10
Insider Preview Enterprise build to the lab.

This Windows Insider Lab for Enterprise v2 lab guide will guide you through Modern and
Traditional Desktop scenarios to showcase the latest enterprise features and capabilities.

1.1 Lab Objectives

This guide is designed to provide step-by-step guidance in demonstrating the basic
functionality of the feature. It is important that the Prerequisites (Section 2) and Lab Setup
(Section 3) sections be performed before proceeding with the lab activities.

 Lab Setup
o On-Premises Environment
o Cloud Environment
o On-Premises Environment Post Setup Manual Steps
 Servicing
o Windows Analytics Update Compliance
 Deployment & Management
o Modern Device Deployment
o Modern Device Management with AutoPilot
 o Co-Management
o Modern Application Management with Intune
o Enterprise State Roaming
 Security
o Windows Information Protection
o Windows Defender Advanced Threat Protection
o Windows Defender Application Guard
o Windows Defender Exploit Guard
o Windows Hello
o Credential Guard
o Device Encryption (MBAM)
o Device Guard – User Mode Code Integrity
 Compatibility
o Windows Analytics Upgrade Readiness
o Browser Compatibility
o Desktop Bridges
 Additional Labs
o MDM WINS over GP
o MAM FAQ
2 Prerequisites
The following requirements for each environment are needed to support the labs.

2.1 On-Premises Environment

Listed below are the requirements for the on-premises environment:

Complete Task
☐ One (1) physical client or server to host the virtual lab environment. The
requirements are listed below:
 Operating System: Windows Server 2016, or 2012 R2, or Windows 10
with Hyper-V installed and fully updated. Administrative rights on the
Hyper-V Host.
 Memory: At least 32Gb or more.
 Disk Space: At least 300Gb or more.
 Disk Subsystem: High throughput/speed.
 Processor: Preferably a high-end processor for faster processing.
 Ethernet: Two (2) or more Gb NICs.
 Network Connections: Internet connection and External Virtual Switch in
Hyper-V Host connecting to the external adapter of the Hyper-V Host for
Internet connectivity.
☐ One (1) gigabit network lab switch with sufficient ports to connect physical client
devices and lab environment.
☐ Download the latest available 64-bit Windows 10 Insider Preview Enterprise Build
ISO image.
https://www.microsoft.com/en-us/software-
download/windowsinsiderpreviewadvanced

2.2 Cloud Environment

Listed below are the requirements for the cloud environment:
Complete Task
☐ Provide licensed subscriptions or sign-up for a trial subscription for the following
Microsoft Cloud Services. A trial subscription will only be used if the customer has
no existing subscription to these services.
 Microsoft Azure: https://azure.microsoft.com/en-us/free/
 Enterprise Mobility + Security: http://www.microsoft.com/en-us/cloud-
platform/enterprise-mobility-security-trial (configured as part of the Lab
Setup)
 Windows Defender Advanced Threat Protection:
http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
(configured as part of the Lab Setup)
 Operations Management Suite: http://www.microsoft.com/en-us/cloud-
platform/operations-management-suite-trial
 Office 365 Enterprise E5: https://aka.ms/e5trial (configured as part of the
Lab Setup)

Note: All trial tenants have an evaluation period. These

subscriptions/tenants will expire unless they are extended or if the
customer purchases the system.
Note: It is possible to use an existing trial subscription if the engagement
dates are within the evaluation period.
Note: An appropriate MSDN subscription could be used to activate the
Azure Benefit for 30 days.
3 Lab Setup

3.1 Support
 If you have any questions/suggestions during the lab setup or execution of any scenarios
mentioned in the lab guide, please reach us at [email protected]
Mention Olympia V2 in the subject line.
 We add/update instructions for the features in Lab Guide as in when required. Visit
https://olympia.windows.com to download latest lab guide.

3.2 On-Premises Environment

The on-premises environment is configured by using the Windows Insider Lab for Enterprise v2.
Follow the Windows Insider Lab for Enterprise – Setup Guide to provision the virtual
machines on Hyper-V.

When setup is complete, the following virtual machines are configured and the deployment lab
system is available for use.

Server Name Roles & Products

HYD -DC1 Active Directory Domain Controller, DNS, DHCP, Certificate Services
Windows Server 2019
HYD-CM1 System Center Configuration Manager Technical Preview Branch – Version 1910 (Note: Updated
versions from the System Center Configuration Manager Technical Preview Branch are available via
an In-Console Upgrade)
Windows Deployment Services
Microsoft Deployment Toolkit
Windows 10 ADK
Windows Software Update Services
Microsoft SQL Server 2017
Windows Server 2019
HYD-APP1
Windows Server 2019
HYD-GW1 Remote Access for Internet Connectivity
Windows Server 2019
HYD –CLIENT1 (Optional) If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows
installed and will be Domain Joined
HYD –CLIENT2 (Optional) If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows
installed and will be Domain Joined
HYD –CLIENT3 (Optional) If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows
installed and will be on Workgroup
HYD –CLIENT4 (Optional) If the Windows 10 Insider Preview ISO image is imported, this machine will be created with windows
installed and will be on Workgroup

The table below lists the credentials and access type available in the default implementation.

User Access Type User Name Password

 Local Administrator Administrative Administrator P@ssw0rd
Domain Administrator Enterprise Administrator CORP\LabAdmin P@ssw0rd

3.3 Cloud Environment

Certain lab scenarios require the cloud environment. Follow the steps below to configure and
prepare the required cloud services.

3.3.1 Setup Azure and Office 365

3.3.1.1 New Trial Tent

In this section, you will create an Azure AD and an Office 365 Trial Tenant used for the later lab
environment. Note: if you have already received an Office 365 Trial tenant from the
Olympia team, skip this section and proceed to the next Section 3.2.1.2.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Create Azure AD 1. Open an InPrivate Browser session.
2. Navigate to https://portal.azure.com
3. Sign in with the email address associated with your Azure subscription.
4. On the left navigation bar, click Create a resource > Identity > Azure Active
Directory.
5. In the Create directory pane fill in the following values:
ORGANIZATION NAME: <CompanyName>
INITIAL DOMAIN NAME: <AzureDomainName>
COUNTRY OR REGION: Choose a region
6. Click Create.
Note: This may take a couple of minutes to complete.
Create Azure AD 7. Sign out from Azure portal and sign back in again.
Admin User 8. Click your email address on the upper right corner and, and click Switch
Directory. Select <AzureDomainName>.onmicrosoft.com.
9. On the left navigation bar, click Azure Active Directory.
10. Under Create, click User.
11. In the User pane, fill in the following values:
NAME: <Admin Name>
USER NAME: <LabAdmin> (Suggestion:
LabAdmin@<AzureDomainName>.onmicrosoft.com)
12. Select Show Password and write down the temporary password
<OldLabAdminPassword>.
13. Click on Directory role, select Global administrator then click Ok.
14. Click Create.
3. Resetting the 15. Logout from Azure Portal.
Password 16. Login to Azure Portal using LabAdmin account.
17. Type in the <OldLabAdminPassword> that you wrote down.
18. Type the new password: <NewLabAdminPassword>.
 Note: Use a strong password.
19. Confirm the new password and sign in.
4. Create a Trial 20. Close all browser windows.
Office 365 Tenant 21. Start a new InPrivate Internet Explorer session.
22. Using a web browser, navigate to https://aka.ms/e5trial.
23. Click Sign in on the top right hand corner.
24. Sign in using the LabAdmin account.
25. Click Admin from the top left hand corner.
26. Click Billing | Subscriptions and click + Add subscriptions.
27. Select Office 365 Enterprise E5 without Audio Conferencing and click Start
free trial.
28. Follow the usual procedure and click Place order. Note: You might have to
perform Steps 26-28 twice so that the subscription shows Active under Billing |
Subscriptions.
5. Create Azure 29. Navigate to https://portal.azure.com.
Test Users 30. Sign in with the email address associated with your Azure subscription if
required.
31. On the left navigation bar, click Azure Active Directory.
32. On the right side of the page hit the User link under Create.
33. In the User pane, fill in the following values:
NAME: Test User1
USER NAME: TU1@<AzureDomainName>.onmicrosoft.com
34. Select Show Password and write down the temporary password.
35. Click Create.
36. Repeat Steps 29 – 35 for a second user as follows:
NAME: Test User2
USER NAME: TU2@<AzureDomainName>.onmicrosoft.com
6. Set Password for 37. Close all browser windows.
your New Users 38. Start Internet Explorer InPrivate mode.
using Office 365 39. Navigate to https://login.microsoftonline.com.
40. Login with the user account created
TU1@<AzureDomainName>.onmicrosoft.com
41. Type in the temporary password that you wrote down.
42. Type the New Password: <newuserpassword>
43. Confirm the new Password: <newuserpassword>
44. Click Sign in.
45. Repeat Steps 37-44 for TU2@<AzureDomainName>.onmicrosoft.com
46. Close all browser windows.

3.3.1.2 Assigned Trial Tent

In this section, you will set the Azure AD and an Office 365 Trial Tenant assigned to you by the
Olympia team. Note: if you do have a pre-assigned trial tenant, refer to Section 3.2.1.1.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Resetting the 1. Logout from Azure Portal.
 Password 2. Login to Azure Portal using LabAdmin account provided by the Olympia team.
3. Type in the <OldLabAdminPassword> that you wrote down.
4. Type the new password: <NewLabAdminPassword>.
Note: Use a strong password.
5. Confirm the new password and sign in.
Create Azure Test 6. Navigate to https://portal.azure.com.
Users 7. Sign in with the email address associated with the Azure subscription provided
by the Olympia team if required.
8. On the left navigation bar, click Azure Active Directory.
9. On the right side of the page hit the User link under Create.
10. In the User pane, fill in the following values:
NAME: Test User1
USER NAME: TU1@<AzureDomainName>.onmicrosoft.com
11. Select Show Password and write down the temporary password.
12. Click Create.
13. Repeat Steps 29 – 35 for a second user as follows:
NAME: Test User2
USER NAME: TU2@<AzureDomainName>.onmicrosoft.com
Set Password for 14. Close all browser windows.
your New Users 15. Start Internet Explorer InPrivate mode.
using Office 365 16. Navigate to https://login.microsoftonline.com.
17. Login with the user account created
TU1@<AzureDomainName>.onmicrosoft.com
18. Type in the temporary password that you wrote down.
19. Type the New Password: <newuserpassword>
20. Confirm the new Password: <newuserpassword>
21. Click Sign in.
22. Repeat Steps 37-44 for TU2@<AzureDomainName>.onmicrosoft.com
23. Close all browser windows.

3.3.2 Setup Enterprise Mobility + Security

In this section, you will create an Intune Trial Tenant that will be used later on in the lab. This
tenant will be created using the Azure AD that you created in the previous lab. Note: If you
have already received an EMS Trial from the Olympia team, skip this section and proceed
to the next Section 3.2.3.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Sign Up for a Trial 1. Start a new Internet Explorer window in private mode.
Microsoft Intune 2. Navigate to https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-
Subscription security-trial and click Sign-up for your free trial and then click Sign in.
3. Sign in with labadmin@<AzureDomainName>.onmicrosoft.com
4. Click Try now to confirm your order.
 5. Click Continue.
6. On the left navigation bar, click Billing > Subscriptions and verify that the
Enterprise Mobility + Security E5 Trial is Active.

3.3.3 Enable and Configure Cloud Services

In the section, you will assign licenses and configure additional cloud services that will be used
in the lab environment.

Task Detailed Steps

Complete these steps from an Internet-connected Windows 10 computer.
Assign Office 365 1. Close all browser windows.
and EM+S 2. Start Internet Explorer InPrivate mode.
Licenses 3. Navigate to https://portal.office.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com. (Or the credentials for the
trail account provided by the Olympia team.) Open the app launcher (top left
corner and click Admin.
4. On the left navigation bar, click Users > Active users.
5. Select all LabAdmin, Test User1 and Test User2 then click the Edit product
licenses action.
6. Select Add to existing product license assignments then click Next.
7. Select the appropriate Location and then set the slider to On for Enterprise
Mobility + Security E5 and Office 365 Enterprise E5 without Audio
Conferencing then click Add.
8. Click Close | Close. Note: Ensure that all the 3 users have both the product
licenses assigned.
Enable Device 9. Close all browser windows and open an InPrivate Browser session.
Registration 10. Navigate to https://portal.azure.com.
11. Sign in with the email address associated with your Azure subscription.
12. Click your email address on the upper right corner and, and click Switch
Directory. Select <AzureDomainName>.onmicrosoft.com if required.
13. On the left navigation bar, click Azure Active Directory > Devices > Device
settings.
14. In the Users may join devices to Azure AD setting, select All if not selected.
15. In the Additional local administrators on Azure AD joined devices, select
Selected.
16. Click Add members and select LabAdmin then click Select. Click OK.
17. In the Users may register their devices with Azure AD setting, select All if not
selected.
18. Click Save.
Enable Windows Note: A trial application should have been started before proceeding with the steps -
Defender ATP https://www.microsoft.com/en-us/windowsforbusiness/windows-atp. It can take up to 7
Trial business days for review of your free trial request. Trial subscriptions may not be available
at the time of lab set up.
19. Open an InPrivate Browser session.
20. Navigate to https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
and click START FREE TRIAL.
21. Check the box next to I accept these terms and conditions and click Next.
22. On the Please enter your details below page, enter your details and click Submit.
23. You will get a message stating that the Windows Defender Advanced Threat
 Protection Team will review your application and contact you via email within 7
business days. Once your application is approved, you will then receive an
invitation email with on-boarding instructions.
24. Within 7 business days, you will then receive an email to activate your trial and
all the on-boarding instructions. Click Activate your trial now. Download the
setup guide. The setup guide also contains instructions and links for the attack
demo.
25. During activation, click Sign in.
26. Sign in with LabAdmin@<AzureDomainName>.onmicrosoft.com
27. Click Try now.
28. Click Continue.

3.4 On-Premises Environment Post Setup Manual Steps

Perform once the on-premises environment provisioning is complete.

3.4.1 Build a Windows 10 Developer Machine (for Desktop

Bridges Scenario only)
In this activity, you will build Windows 10 client virtual machine with developer tools installed.
This is required for the Desktop Bridges lab only, since the versions of the Windows Insider
Preview – Desktop App Converter Base Images is not available for the version of the Windows
10 Insider Preview Enterprise ISO image. They both need to be same for the scenario to work. If
you are not running the Desktop Bridges scenario, you can skip this step.

Task Detailed Steps

Complete these steps from the Hyper-V host machine above.
Download 1. Open File Explorer and create the C:\VMs folder.
Developer VM (if 2. Open Internet Explorer and browse to the URL below.
not previously https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
downloaded) 3. Under Windows 10 Enterprise Evaluation download, click Hyper-V.
4. Download WinDev1805Eval.HyperV.zip to C:\VMs.
5. Once the download completes, browse to C:\VMs, right-click on
WinDev1805Eval.HyperV.zip and select Extract All.
6. In the Select a Destination and Extract Files page, click Extract.
Import VMs 7. Open File Explorer and create the C:\VMs\WIN10DEV folder.
8. Open Hyper-V Manager.
9. In the Actions pane, click Import Virtual Machine.
10. In the Before You Begin page, click Next.
11. In the Locate Folder page, browse to C:\VMs\WinDev1805Eval.HyperV then
click Next.
12. In the Select Virtual Machine page, click Next.
13. In the Choose Import Type page, select Copy the virtual machine then click
Next.
14. In the Choose Destination page, select Store the virtual machine in a different
location, enter the path C:\VMs\WIN10DEV to all folders then click Next.
15. In the Choose Storage Folder page, enter the path C:\VMs\WIN10DEV then
click Next.
 16. In the Summary page, click Finish.
17. In the Hyper-V Manager, right-click on WinDev1805Eval, select Rename and
enter WIN10DEV.
Complete these steps on the WIN10DEV virtual machine.
Configure Virtual 18. In the Hyper-V Manager, right-click on WIN10DEV and select Settings.
Machine Settings 19. Configure the following then click OK.
Memory: 8192
Processor: 4 virtual processors
Network Adapter: HYD-Corpnet
20. Start the WIN10DEV virtual machine.
Install Windows 21. Go to Start and click Settings.
Updates 22. In the Settings app, browse to Update & Security > Windows Update.
23. Click Check for updates.
24. Install all missing updates (restart if needed) until the device is up to date.
Note: This may take at least an hour depending on the Internet speed.
Perform Defender 25. In the Settings app, browse to Update & Security > Windows Security.
Scan 26. Click Open Windows Defender Security Center.
27. Click Virus & threat protection.
28. Click Scan now.
29. Once complete, close Windows Defender Security Center and the Settings app.
Create Checkpoint 30. Create a virtual machine checkpoint.

3.4.2 Configure Azure AD Connect with Device Sync

In this activity, you will configure Azure AD Connect on DC1.

Task Detailed Steps

Complete the following steps on the DC1.

1. Download Azure AD Connect from https://www.microsoft.com/en-

us/download/details.aspx?id=47594
2. Install and Run Azure AD Connect and select I agree to the license terms and
privacy notice and click Continue.
3. Select Use express settings.
4. In the Connect to Azure AD prompt, sign in with
Configure Azure labadmin@<AzureDomainName>.onmicrosoft.com and click Next.
AD Connect 5. In the Connect to AD DS prompt, enter the below and click Next.
USERNAME: CORP\LabAdmin
PASSWORD: P@ssw0rd
6. On the Azure AD sign-in configuration page, select Continue without any
verified domains and click Next.
7. On the Ready to configure page, keep the check box checked next to Start the
synchronization process when configuration completes and click Install. Click
Exit once done.
Configure Device 8. Open Programs and Features and uninstall the Windows Azure Active
Sync Directory Module for Windows PowerShell.
9. Open PowerShell as an administrator.
10. Run the below cmdlet and accept any prompts. Note: Create a directory in C:\,
example C:\MSOnline.
 Save-Script -Name MSOnline -Path <path>
11. Run the below cmdlet and accept any prompts.
Install-Module -Name MSOnline
12. Locate the name of the AAD Connector Account by opening the Azure AD
Connect and clicking Configure and selecting View current configuration and
then clicking Next. Click Exit.
13. Run the below cmdlet and at the credential prompt, provide the Azure AD Admin
credentials.
Import-Module -Name “C:\Program Files\Microsoft Azure Active Directory
Connect\ADPrep\ADSyncPrep.psm1”
$aadadmincred = get-credential;
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount <account
name> -AzureADCredentials $aadAdminCred;
14. Start Internet Explorer InPrivate mode.
15. Navigate to https://portal.azure.com and sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
16. On the left navigation bar, click Azure Active Directory.
Confirm Devices 17. Select Devices > All devices.
are Hybrid Azure 18. Confirm devices are registered to Azure AD.
AD Joined
Note: In the virtualized lab, in case the devices do not show up, disjoin CLIENT1 and
CLIENT2 from the domain and rejoin them back. After that, from Azure AD
Connect, run Customize synchronization options and then Configure device
options – Hybrid Azure AD join.
4 Deployment & Management
In this module, you will go through Windows 10 capabilities that could help organizations better
deploy and manage Windows devices.

Prerequisite Sections:

a) Windows Insider Lab for Enterprise – Setup Guide

b) Section 3.2 - Cloud Environment
c) Section 3.3.2 - Configure Azure AD Connect with Device Sync

4.1 Modern Device Deployment

With Windows 10, you can continue to use traditional OS deployment, but you can also
“manage out of the box.” AutoPilot transforms new devices into fully-configured, fully-managed
devices. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-
place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all
the existing apps, data, and settings.

4.1.1 AutoPilot
Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices,
getting them ready for productive use.

In this section, you will use the Microsoft Intune to configure AutoPilot for pre-configuring
devices.

4.1.1.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Create a Complete the following steps on the HYPER-V Host.
Checkpoint in
Hyper-V (if not 1. Open Hyper-V Manager.
already created) 2. Right click on HYD-CLIENT4 and select Checkpoint.

Capture Device Complete the following steps on CLIENT4.

ID
3. Open PowerShell as an administrator.
4. Run the below commands and press Y when prompted.
Install-Script –Name Get-WindowsAutoPilotInfo
Set-ExecutionPolicy Unrestricted
5. Change the directory to C:\Program Files\WindowsPowerShell\Scripts and run
 the below command.
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName CLIENT4 –OutputFile
C:\Users\Administrator\Desktop\MyComputers.csv
6. Copy the MyComputers.csv file to the computer that will be used for Microsoft
Intune setup.
7. Open Command Prompt as an administrator.
8. Run from C:\Windows\Systsem32\SYSPREP
SYSPREP\Sysprep.exe /OOBE /SHUTDOWN

4.1.1.2 Set Intune as Management Authority

After you complete the following tasks, you are ready to manage mobile devices and computers.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Enable Device Note: Before you can enroll mobile devices, you must prepare the Intune service by
Management. Set selecting the appropriate mobile device management authority setting on the Mobile
Mobile Device Device Management page of the Administration workspace. The mobile device
Management Authority management authority setting determines whether you manage mobile devices with
Intune or System Center Configuration Manager with Intune integration. This
guidance assumes Intune is used without System Center Configuration Manager
integration so the setting should be set to Microsoft Intune.
1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device enrollment.
6. Under Mobile Device Management Authority, select Intune MDM
Authority and click Choose.
Create Groups 7. Close all browser windows.
8. Start Internet Explorer InPrivate mode.
9. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
10. On the left navigation bar, click Azure Active Directory > Groups > All
groups.
11. Click New group.
12. In the Group pane fill in the following values:
Group type: Office 365
Group name: Sales
Membership type: Assigned
Members: Test User1 and Test User2
13. Click Create.
Customize the 14. On the left navigation bar, click All services > Intune.
Company Portal 15. Select Mobile apps > Company Portal branding.
16. Configure the following with settings you choose for your lab:
 Company name
 IT department contact name
 IT department phone number
 IT department email address
  Additional information
 Company privacy statement URL
 Support website URL (not displayed)
 Website name (displayed to user)
 Customize the Theme color, Company logo (max. dimension
PNG/JPG I 400x100px) and background for Company Portal,
it is recommended that you change the default color in your lab to
make it easy to identify if the company portal has been updated.
17. Click Save.
Verify the Company 18. Close all browser windows.
Portal Configuration 19. Start Internet Explorer InPrivate mode.
20. Navigate to https://portal.manage.microsoft.com and Sign in with
TU1@<AzureDomainName>.onmicrosoft.com.
21. Review the company portal, browse to Helpdesk and confirm that the
customizations have been applied.

4.1.1.3 Enable Auto MDM Enrollment

In this activity, you will configure automatic MDM enrollment to Intune upon joining Azure AD.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Configure Auto 1. Close all browser windows.
MDM Enrollment 2. Start Internet Explorer InPrivate mode.
for Intune 3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and
MAM) > Microsoft Intune.
5. In the MDM User scope setting, select All.
6. Click Save.

4.1.1.4 Add an App

In this activity, you will add an app to Intune which will automatically download once the device
is enrolled into MDM.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Add an App 1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Mobile apps > Apps.
6. Click +Add.
7. In the App type dropdown, select Line-of-business app.
Configure App 8. In the Add app pane, click App package file.
9. On the App package file blade, choose the browse button, and select a Windows
 installation file with the extension .msi, .appx, or .appxbundle.
A sample msi file can be downloaded from: https://www.7-zip.org/download.html
10. Click OK.
11. In the Add app pane, click App information.
12. Enter the following information and click OK:
a. Name - Enter the name of the app as it is displayed in the company
portal. Make sure all app names that you use are unique. If the same app
name exists twice, only one of the apps will be displayed to users in the
company portal.
b. Description - Enter a description for the app, which will be displayed to
users in the company portal.
c. Publisher - Enter the name of the publisher of the app.
d. Category - Select one or more of the built-in app categories, or a
category you created. Categorizing apps makes it easier for users to find
the app when they browse the company portal.
e. Display this as a featured app in the Company Portal - Display the
app prominently on the main page of the company portal to appear when
users browse for apps.
f. Information URL - Optionally, enter the URL of a website that contains
information about the app, which will be displayed to users in the
company portal.
g. Privacy URL - Optionally, enter the URL of a website that contains
privacy information for the app. The URL is displayed to users in the
company portal.
h. Command-line arguments - Optionally, enter any command-line
arguments that you want to apply to the .msi file when it runs, like /q.
i. Developer - Optionally, enter the name of the app developer.
j. Owner - Optionally, enter a name for the owner of this app, for example,
HR department.
k. Notes - Enter any notes you would like to associate with this app.
l. Logo - Upload an icon that is associated with the app. The icon is
displayed with the app when users browse the company portal.
13. In the Add app pane, click Add to upload the app to Intune.
Deploy App 14. In the <app name> overview pane, click Assignments.
15. Click Add group.
16. Select Required under Assignment type.
17. Under Included Groups | Selected groups, select Sales.
18. Click Select.
19. Click OK.
20. Click OK again.
21. Click Save.

4.1.1.5 Configure AutoPilot

In this activity, you will configure automatic MDM enrollment to Intune upon joining Azure AD.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Configure 1. Close all browser windows.
AutoPilot 2. Start Internet Explorer InPrivate mode.
3. Navigate to https://www.portal.azure.com/ and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
 4. On the left navigation bar, click All services > Intune.
5. Click Device enrollment > Windows enrollment > Devices.
6. Click Import, and select the MyComputers.csv file saved from before and click
Import.
7. Once imported, to speed up the process, click Sync and then click Refresh until
you see the device.
8. Under the Microsoft Intune pane, click Groups > + New group.
9. Select Group type – Security, Group name – AutoPilot Devices and
Membership type – Assigned.
10. Click Members, select the machine where the name equals the serial number of
the device. Click Select.
11. Click Create.
12. On the Device enrollment > Windows enrollment pane, click Deployment
Profiles > + Create profile.
13. In the Name box, type AutoPilot Test Profile.
14. In the Join to Azure AD as dropdown, select Azure AD joined.
15. Click Out-of-box experience (OOBE).
16. Select Hide for the End user license agreement (EULA) option.
17. Select Hide for the Privacy Settings option.
18. Select Standard for the User account type option.
19. Click Save.
20. Click Create.
21. Click AutoPilot Test Profile, click Assignments, click + Select groups, select
the AutoPilot Devices group just created and click Select.
22. Click Save.
23. Wait for some time for the device to be showing up in Assigned devices under
AutoPilot Test Profile. To speed up the process, click Sync and then click
Refresh until you see the device there.
24. Click the Devices page by navigating to Device enrollment > Windows
enrollment, and you should be able to see the PROFILE STATUS as Assigning
and then further Assigned.

4.1.1.6 AutoPilot

In this activity, you will walk through the experience of self-service AutoPilot while in OOBE.

Task Detailed Steps

Complete these steps from the CLIENT4 virtual machine.
Perform Azure AD 1. Once OOBE has started, in the Let’s start with region pane, select United States
Join then click Yes.
2. On the Is this the right keyboard layout? pane, select US then click Yes.
3. On the Want to add a second keyboard layout? pane, click Skip.
4. In case you get the Get the latest from Windows pane, click Skip for now.
5. On the Windows 10 License Agreement pane, click Accept.
6. In the Sign in with Microsoft pane, sign in with
TU1@<AzureDomainName>.onmicrosoft.com then click Next.
7. In the Enter your password pane, enter the password then click Next.
8. On the Choose privacy settings for your device pane, click Accept.
9. Follow through the prompts for setting up a PIN for Windows Hello.
10. In the All set! pane, click OK.
Validate Azure AD 11. Go to Start > Settings.
Join and MDM 12. In the Settings app, browse to Accounts > Access work or school.
 Enrollment 13. Confirm that Connected to <CompanyName>’s Azure AD is displayed.
Complete these steps from an Internet-connected Windows computer.
Validate Azure AD 14. Close all browser windows.
and MDM 15. Start Internet Explorer InPrivate mode.
Enrollment 16. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
17. On the left navigation bar, click Azure Active Directory > Users > All users >
Test User1.
18. Click Devices.
19. Confirm that the device is listed there and the following settings are configured:
JOIN TYPE: Azure AD joined
MDM: Microsoft Intune
Complete these steps from the HYPER-V Host.
Revert Virtual 1. Revert HYD-CLIENT4 to the latest checkpoint.
Machines

4.2 Modern Device Management with Intune

Use of personal devices for work, as well as employees working outside the office, may be
changing how your organization manages devices. Certain parts of your organization might
require deep, granular control over devices, while other parts might seek lighter, scenario-based
management that empowers the modern workforce. Windows 10 offers the flexibility to respond
to these changing requirements, and can easily be deployed in a mixed environment. You can
shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules
used in your organization.

4.2.1 Mobile Device Management using Microsoft Intune

In this lab, you will enroll a Windows 10 Device with Microsoft Intune and manage it.

4.2.1.1 Enroll a Windows 10 Device

This section outlines how to enroll a Windows 10 device into Microsoft Intune for MDM.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine.
Enroll a Windows 1. Login to the virtual machine as Administrator and go to Start > Settings.
10 Device in 2. In the Settings app, browse to Accounts > Access work or school.
Intune 3. Click Enroll only in device management.
4. The Setup a work or school account dialog box will show, asking for your
account to enroll the device.
5. Provide the TU1@<AzureDomainName>.onmicrosoft.com account and click
Next.
6. In the Microsoft Intune Enrollment page, enter the password then click Sign in.
 Click Got it.
7. In the Settings app, you should see that the device is now connected to the
corporate MDM.
8. Select Connected to <CompanyName> MDM then click Info.
9. Click Sync and confirm that the sync was successful.
Complete these steps from an Internet-connected Windows computer.
Check Windows 10 Note: In this example, we will look in Microsoft Intune to see the device details and we
Device Enrollment can see that it already recognizes Windows 10 as an operating system in Microsoft Intune.
in Microsoft Intune
10. Start Internet Explorer InPrivate mode.
11. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
12. On the left navigation bar, click All services > Intune.
13. Select Devices > All devices.
14. Click on the Windows 10 device that you have enrolled (CLIENT3). Observe the
information that has been collected about the device in all the tabs. You might
have to refresh the page for some time to get the details.

4.2.1.2 Configure Policy Settings and Policies based on OMA-URI

This section outlines how to configure Policies for Windows 10 in Intune available through the
Intune Interface and a Policy through OMA-URI.

Use the Microsoft Intune Windows Phone OMA-URI Policy to deploy OMA-URI (Open Mobile
Alliance Uniform Resource Identifier) settings that can be used to control features on Windows
Phone Devices. These are standard settings that many mobile device manufacturers use to
control device features.

This capability is intended to allow you to deploy Windows 10 Settings that are not configurable
with an Intune Policy. For information about the Settings you can configure with these Policies,
see Configure Security Policy for Mobile Devices in Microsoft Intune.

For help creating OMA-URI Settings for Windows 10 Services, see Windows Phone 10 CSP
Documentation - http://aka.ms/win10csp.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Create an OMA- 1. Start Internet Explorer InPrivate mode.
URI Policy to 2. Navigate to https://portal.azure.com and Sign in with
Disable Cortana labadmin@<AzureDomainName>.onmicrosoft.com.
3. On the left navigation bar, click All services > Intune.
4. Select Device configuration > Profiles > + Create profile.
5. In the Name field, type Windows 10 – Disable Cortana.
6. Under Platform, select Windows 10 and later.
7. Under Profile type, select Custom.
8. In the Custom OMA-URI Settings pane, click Add.
9. In the Name field enter Windows 10 – Disable Cortana.
10. In the OMA URI field enter (Case sensitive and starting with a period):
 ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
11. For Data type select Integer.
12. For Value enter 0 (0 means the setting is not allowed).
13. Click OK | OK.
14. Click Create.
15. In the Windows 10 – Disable Cortana profile pane, select Assignments.
16. Click Select groups to include.
17. In the Select field, type Sales and select it.
18. Click Select.
19. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Confirm the URI 20. Login to the virtual machine as Administrator and go to Start > Settings.
Configurations are 21. In the Settings app, browse to Accounts > Access work or school.
Applied 22. Select Connected to <CompanyName> MDM then click Info.
23. Click Sync to force a policy update and confirm that the sync was successful.
24. Note that the Cortana icon in the task bar was replaced with a Search icon.
25. In the Settings app, note that the Cortana category was replaced with Search.
Complete these steps from an Internet-connected Windows computer.
Configure 26. Navigate to https://portal.azure.com and Sign in with
Windows Defender labadmin@<AzureDomainName>.onmicrosoft.com.
27. On the left navigation bar, click All services > Intune.
28. Select Device configuration > Profiles > + Create profile.
29. In the Name field, type Allow Real Time Protection on Win 10 Desktops.
30. Under Platform, select Windows 10 and later.
31. Under Profile type, select Custom.
32. In the Custom OMA-URI Settings pane, click Add.
33. In the Name field type Allow Real Time Protection on Win 10 Desktops.
34. Under OMA-URI Settings, click Add…
35. In the Name field enter Allow Real Time Protection.
36. In the OMA URI field enter (Case sensitive and starting with a period):
./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
37. For Data type select Integer.
38. For Value enter 1 (1 means the setting is allowed).
39. Click OK.
40. Click OK.
41. Click Create.
42. In the Allow Real Time Protection on Win 10 Desktops device configuration
profile pane, select Assignments.
43. Click Select groups to include.
44. In the Select field, type Sales and select it.
45. Click Select.
46. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Verify 47. Login to the virtual machine as Administrator and go to Start > Settings.
Configuration is 48. In the Settings app, browse to Accounts > Access work or school.
Applied 49. Select Connected to <CompanyName> MDM then click Info.
50. Click Sync to force a policy update and confirm that the sync was successful.
51. In the Settings app, go back to Update & Security > Windows Security and
click Open Windows Defender Security Center.
52. In the Windows Defender Security Center app, navigate to Virus & threat
protection and click Virus & threat protection settings.
 53. Confirm that the Real-time protection setting is turned On and greyed out
which shows enforcement of the policy.

4.2.2 Dynamic Management with Windows 10

In this lab, you will setup and configure dynamic management policies for Windows 10. For a list
of available dynamic management policies, visit: https://docs.microsoft.com/en-
us/windows/client-management/mdm/dynamicmanagement-csp.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Configure 1. Close all browser windows.
Dynamic 2. Start Internet Explorer InPrivate mode.
Management 3. Navigate to https://portal.azure.com and Sign in with
Policy labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > Intune.
5. Select Device configuration > Profiles > + Create profile.
6. In the Name field, type DisableCameraInCorporateNetwork.
7. Under Platform, select Windows 10 and later.
8. Under Profile type, select Custom.
9. In the Custom OMA-URI Settings pane, click Add.
10. In the Name field enter SettingsPack.
11. In the OMA URI field enter (Case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SettingsPa
ck
12. For Data type select String.
For Value enter
<SyncML>
<SyncBody>
<Replace>
<CmdID>1331</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Camera/
AllowCamera</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
13. Click OK.
14. In the Custom OMA-URI Settings pane, click Add.
15. In the Name field enter SignalDefinition.
16. In the OMA URI field enter (Case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/Contexts/NetworkBased/SignalDefi
nition
 17. For Data type select String.
For Value enter
<rule schemaVersion="1.0">
<signal type="ipConfig">
<ipv4Gateway>10.0.0.254</ipv4Gateway>
</signal>
</rule>
18. Click OK.
19. In the Custom OMA-URI Settings pane, click Add.
20. In the Name field enter NotificationsEnabled2.
21. In the OMA URI field enter (Case sensitive and starting with a period):
./Vendor/MSFT/DynamicManagement/NotificationsEnabled
22. For Data type select Boolean.
For Value select
True
23. Click OK | OK.
24. Click Create.
25. In the DisableCameraInCorporateNetwork device configuration profile pane,
select Assignments.
26. Click Select groups to include.
27. In the Select field, type Sales and select it.
28. Click Select.
29. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Verify Policy is 30. Login to the virtual machine as Administrator and go to Start > Settings.
Applied 31. In the Settings app, browse to Accounts > Access work or school.
32. Select Connected to <CompanyName> MDM then click Info.
33. Click Sync to force a policy update and confirm that the sync was successful.
34. On the Hyper-V Host, from the Virtual Machine Connection, right click the
CLIENT3 VM, go to Settings.
35. In the Settings window, under Network Adapter, disable the Corpnet Virtual
Switch.
36. In the Settings on CLIENT3, go to Privacy > Camera.
Note: Camera is currently turned On and unmanaged because the machine is in the Internet
network.
37. On the Hyper-V Host, from the Virtual Machine Connection window of
CLIENT3 VM, go to File > Settings.
38. In the Settings window, under Network Adapter, disable the External Virtual
Switch and enable the Corpnet Virtual Switch.
39. In the Settings app, refresh the Privacy > Camera view.
40. Confirm *Some settings are hidden or managed by your organization is
shown.
Note: Camera is turned Off and fully managed because the machine is in the corporate
network.

4.2.3 Mobile App Management for Non-Managed Windows 10

Devices
The Windows version of mobile application management (MAM) is a lightweight solution for
managing company data access and security on personal devices. MAM support is built into
Windows on top of Windows Information Protection (WIP), starting in Windows 10, version
1803.

In this lab, you will setup and configure Mobile App Management for an unmanaged Windows
10 device.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Configure MAM 1. Close all browser windows.
Service 2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Mobility (MDM and
MAM) > Microsoft Intune.
5. In the MAM User scope setting, select All.
6. Click Save.
Configure MAM 7. In the Microsoft Azure navigation bar, select All services > Intune App
Policy Protection > App protection policies.
8. Click Add a policy.
9. In the Name field type Windows 10 MAM.
10. In the Platform setting, select Windows 10.
11. Click Protected apps then click Add apps.
12. In the Add Apps pane, select Microsoft Edge, IE11 and Notepad then click OK.
13. In the Protected apps pane, confirm that the selected apps are listed then click
OK.
14. Back in the Add a policy pane, click Required settings.
15. Under Windows Information Protection mode, select Block then click OK.
16. Click Advanced settings.
17. In the Advanced settings pane, click Add network boundary.
18. In the Add network boundary pane, enter the following then click OK.
BOUNDARY TYPE: Cloud resources
NAME: SharePoint online
VALUE: <AzureDomainName>.sharepoint.com
19. In the Advanced settings pane, under Show the enterprise data protection
icon, click On.
20. Click OK.
21. Click Create.
Deploy MAM 22. Select Windows 10 MAM > Assignments.
Policy 23. Click + Select groups to include.
24. In the Select groups to include pane, enter Sales, select it and then click Select.
Complete these steps on the CLIENT4 virtual machine.
Create test file 25. Login to the virtual machine as Administrator.
26. Right-click on the desktop and select New > Text Document.
27. Rename the file to Sample Document.
28. Open Sample Document.txt.
29. In the Notepad window, enter This is a sample corporate file. then click Save.
30. Close the file.
31. Open an Internet Explorer and navigate to
https://<AzureDomainName>.sharepoint.com.
32. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
 33. On the left navigation, click Documents.
34. From the desktop, drag and drop the Sample Document.txt file into the
Documents library to upload the file.
35. Once uploaded, delete the Sample Document.txt file from the Desktop.
36. Close all browsers windows.
Connect Corporate 37. Click to Start > Settings.
Account 38. In the Settings app, browse to Accounts > Access work or school.
39. Click Connect.
40. In the Set up a work or school account pane, enter
TU2@<AzureDomainName>.onmicrosoft.com then click Next.
41. Enter the password then click Sign in.
42. In the Help us protect your account pane, click Set it up now then configure the
verification requirements.
43. In the Create a PIN pane, click Create PIN then configure the Pin.
Note: If required, perform Steps 42 and 43 and on the basis of that additional verification
may be required.
44. Click Next and verify your local administrator account password. Click OK.
45. In the Settings app, browse to Accounts > Access work or school.
46. Select Work or school account then click Info.
47. Click Sync to force a policy update and confirm that the sync was successful.
Verify MAM 48. Open an Internet Explorer and navigate to
Policies https://<AzureDomainName>.sharepoint.com.
49. Sign in as TU2@<AzureDomainName>.onmicrosoft.com.
Note: “.<AzureDomainName>.sharepoint.com” is protected and selected both IE11 and
Microsoft Edge (they’re both enlightened apps) therefore a briefcase icon is shown in the
address bar to indicate that it is protected. When the browser or another tab navigate away
from this site, the briefcase will go away.
50. On the left navigation, click Documents.
51. Select Sample Document.txt and click Download.
52. Save the file to the Documents folder.
Note: The briefcase icon under File Name indicates that the file is protected.
53. In the taskbar, open File Explorer and browse to the Documents folder.
Note: The briefcase icon in the file icon and the <AzureDomainName> under the File
ownership column indicates that the file is protected.
54. Open the Sample Document.txt file using Notepad. The file should open
because Notepad is a managed app (policy).
Note: The briefcase icon beside the minimize button indicates that the file is protected.
55. Close Notepad.
56. Open the Sample Document.txt file using WordPad. The file will not open and
a dialog box will show up to indicate that access to the file is denied.
Note: WordPad is not a managed app therefore will not be able to open protected files.
57. Close WordPad.
58. In the Documents folder, right-click on Sample Document.txt and select File
ownership.
Note: The Personal option is currently disabled because the policy is configured to hide
overrides. If the policy is configured to allow overrides, users can remove protection from
the file by selecting Personal.
4.3 Co-Management
Starting with Configuration Manager version 1802, co-management enables you to concurrently
manage Windows 10, version 1803 (also known as the April 2018 Update) devices by using both
Configuration Manager and Intune. It’s a solution that provides a bridge from traditional to
modern management and gives you a path to make the transition using a phased approach.

After you enable co-management, Configuration Manager continues to manage all workloads.
When you decide that you are ready, you can have Intune start managing available workloads.
You can have Intune manage the following workloads: Compliance policies, Windows Update for
Business policies, Resource Access policies, and Endpoint Protection.

4.3.1.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Configure Azure Complete the steps defined in Section 3.4.1.
AD Connect with
Also, install the ConfigMgr Client in CLIENT1 as per steps below:
Device Sync and
Install the 1. On the CLIENT1 VM, disable the firewall mode.
ConfigMgr Client
on CLIENT1

2. On the CM1 VM, launch the Configuration Manager Console and navigate to
Administration > Hierarchy Configuration > Discovery Methods.
3. Select Active Directory System Discovery and click Run Full Discovery Now.
Click Yes on the prompt.
4. Navigate to Assets and Compliance > Devices and ensure that CLIENT1 is
showing in the list of devices.
5. Right-click on CLIENT1 and click on Install Client.
6. On the Install Configuration Manager Client wizard click on Next.
7. Check the box next to Install the client software from a specified site, select the
respective Site and click on Next.
8. Click Next again.
 9. Click on Close.
10. After a few minutes, the CLIENT1 VM will have the client installed and will
indicate so in the Configuration Manager console.

4.3.1.2 Enable Co-Management for Automatic Enrollment

Once Co-management is enabled, devices in the Pilot group can automatically enroll into
Intune. This requires using a verified domain during the Setup Process of Azure AD Connect.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Create a Device 1. Open the Configuration Manager Console, browse to Assets and Compliance
Collection workspace and select Device Collections.
2. Right click Device Collections and select Create Device Collection.
3. Input the following information:
General
Name – Enter Co-managed Devices
Limiting collection – Select All Desktop and Server Clients and click Next.
Select Use incremental updates for this collection.
Click Next.
Accept the Warning.
4. Summary – click Next, click Close.
Add a Device to 5. In the Assets & Compliance workspace, select Devices and right-click Client1.
the Collection 6. Select Add Selected Items and then click Add Selected Items to Existing
Device Collection.
7. Select Co-managed devices and click OK.
8. Select Device Collections, right-click Co-managed devices, and select Update
Membership. Click Yes on the warning box to continue.
Enable Co- 9. Open the Configuration Manager Console, browse to Administration > Cloud
Management Services > Co-management.
10. Right-click Co-management and select Configure co-management.
11. In the Co-management Configuration Wizard, Sign In to Intune using
labadmin@<AzureDomainName>.onmicrosoft.com. Click Next.
12. Click Next on the Enablement page.
13. Click Next on the Workloads page.
14. Select Co-managed Devices device collection for the Intune Pilot on the Staging
page. Click Next.
15. Click Next on the Summary page. Click Close.

4.3.1.3 Co-Manage Devices with the Configuration Manager Client

For unverified domains, co-management can still be enabled by enrolling the domain-joined
device into Intune.

Task Detailed Steps

 Complete these steps on the CLIENT1 virtual machine.
Log in to Client1 1. Log in as CORP/LabAdmin with password P@ssw0rd.
2. Open the Settings app, and click Accounts > Access work or school, and click
on + Connect.
3. Log in using TU1@<AzureDomainName>.onmicrosoft.com.
Complete these steps from an Internet-connected Windows computer.
Check Windows 10 Note: In this example, we will look in Microsoft Intune to see the device details and we
Device Enrollment can see that it already recognizes Windows 10 as an operating system in Microsoft Intune.
in Microsoft Intune
4. Start Internet Explorer InPrivate mode.
5. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
6. On the left navigation bar, click All services > Intune.
7. Select Devices > All devices.
8. Click on the Windows 10 device that you have enrolled (CLIENT1). Observe the
information that has been collected about the device.
Complete these steps on the CM1 virtual machine.
Check Co- 9. Open the Configuration Manager Console, browse to Monitoring > Co-
Management Portal management.
10. Confirm 1 device is listed on the Co-managed devices graph. Note: This data
will take some time to appear.

4.4 Modern Application Management with Intune

As an IT admin, you are responsible for making sure that your end users have access to the apps
they need to do their work. Intune offers a range of capabilities to help you get the apps you
need, on the devices you want.

4.4.1 Application Deployment and Management with Microsoft

Intune
Note: This section is applicable in case you have not done this in the previous lab.

4.4.1.1 Add Windows line-of-business (LOB) apps to Microsoft Intune

Intune supports Windows line-of-business apps (.msi files only).

Note: The below steps have been performed in the previous scenarios as well.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Add Line-of- 1. Close all browser windows.
Business App 2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
 4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps, and click + Add.
6. In the Add app pane, under App type, select Line-of-business app.
Configure Line-of- 7. In the Add app pane, click App package file.
Business App 8. On the App package file blade, choose the browse button, and select a Windows
installation file with the extension .msi, .appx, or .appxbundle.
A sample msi file can be downloaded from: https://www.7-zip.org/download.html
9. Click OK.
10. In the Add app pane, click App information.
11. Enter the following information and click OK:
a. Name - Enter the name of the app as it is displayed in the company
portal. Make sure all app names that you use are unique. If the same app
name exists twice, only one of the apps is displayed to users in the
company portal.
b. Description - Enter a description for the app. The description is
displayed to users in the company portal.
c. Publisher - Enter the name of the publisher of the app.
d. Category - Select one or more of the built-in app categories, or a
category you created. Categorizing apps makes it easier for users to find
the app when they browse the company portal.
e. Display this as a featured app in the Company Portal - Display the
app prominently on the main page of the company portal when users
browse for apps.
f. Information URL - Optionally, enter the URL of a website that contains
information about the app. The URL is displayed to users in the
company portal.
g. Privacy URL - Optionally, enter the URL of a website that contains
privacy information for the app. The URL is displayed to users in the
company portal.
h. Command-line arguments - Optionally, enter any command-line
arguments that you want to apply to the .msi file when it runs, like /q.
i. Developer - Optionally, enter the name of the app developer.
j. Owner - Optionally, enter a name for the owner of this app, for example,
HR department.
k. Notes - Enter any notes you would like to associate with this app.
l. Logo - Upload an icon that is associated with the app. The icon is
displayed with the app when users browse the company portal.
12. In the Add app pane, click Add to upload the app to Intune.
13. Click Select.
14. Click OK.
15. Click OK again.
16. Click Save.

4.4.1.2 Assign Apps to Groups with Microsoft Intune

In the following section, you will assign the Line-of-business app to users and devices.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Locate App 1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
 labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services > type Intune > Intune.
5. In the navigation pane select Mobile apps > Apps.
6. On the list of apps blade, click the app you want to assign.
Assign and 7. On the <app name> overview pane, click Assignments.
Configure App 8. Click Add group.
Assignment 9. Select Required under Assignment type.
10. Under Included Groups | Selected Groups, select Sales.
11. Click Select.
12. Click OK.
13. Click OK again.
14. Click Save.

4.4.2 Application Self-Service with Microsoft Store for Business

This section will provide the guidance to setup and experience the Microsoft Store for Business.
Applications that can be discovered, published and managed using the information contained at
the links below.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Also, login to https://portal.azure.com and https://www.microsoft.com/en-us/business-store
Signup for the 1. Start a new Internet Explorer window in private mode.
Microsoft Store for 2. Click Sign in on the top right hand corner. On the Let’s check if you have an
Business account window, enter the credentials
LabAdmin@<azuredomain>.onmicrosoft.com, which is a global administrator,
created previously and click Next.
3. Once it detects and says You have an account with us. You’re using
LabAdmin@<azuredomain>.onmicrosoft.com with a Microsoft service
already. Sign in with your existing password, click Sign in.
4. Enter the password and click Sign in.
5. On the Microsoft Store for Business and your data screen, check the consent
box and click Accept.
6. You have completed the signup for the Microsoft Store for Business.
Roles and 7. Click Manage and then click Permissions.
Permissions 8. Notice that LabAdmin is already assigned the Global Admin Role. Click Assign
roles.
9. In the Assign roles to people window, review the various roles available along
with their permissions. In the text box above, type TU1 and click Test User1 in
the search results. You can add multiple users in the text box.
10. Once Test User1 is added in the text box above, select the Role – Purchaser and
click Save.
11. The user will then be added with the assigned permissions. At any point you want
to remove the user from the list, select the user and click Remove. For now, do
not remove.
Note: For more information, refer to
https://technet.microsoft.com/library/mt621271(v=vs.85).aspx
Find and Acquire 12. Click Settings. Under Shopping experience, enable Show offline apps: Show
Applications offline licensed apps to people shopping in the Microsoft Store.
 13. Click Shop for my group and click an app of your choice, example OneNote.
14. Review the 2 licensing type: Online and Offline. Select Offline and click Get the
app.
15. If this is the first time you are using Microsoft Store for Business, check the
boxes for the license and click Accept.
16. It will mention that the app has been purchased and added to your inventory.
Click Close. Offline apps can be distributed by using a provisioning package and
include it as part of imaging a device using Deployment Image Servicing and
Management (DISM) or Windows ICD and also can be distributed through a
management tool or server.
Note: You will then be on the page where it will ask you to manage or download
the package for offline use. You do not have to download the package for offline
use for this demo. Just go to the next step.
17. Under Shop for my group, select another app, example Microsoft Remote
Desktop and select Online. Click Get the app. Click to agree to terms,
18. It will mention that the app has been purchased and added to your inventory.
Click Close.
19. Click the “…” box and click Manage. It will then present with 2 methods of
distribution by adding to the private store and Assigning to users. (Online apps
can be distributed by assigning it to employees as well as adding it to your private
store, allowing employees to download it through a management tool.)
20. If you select to add to the private store, it will start adding the app into your
private store and could take upto twenty four hours before the app is available in
the private store as a separate tab.
21. Under Shop for my group, select another app, example DocuSign and click Get
the app. Click Close. If you select Assign Users and then in the text box, type a
username, example TU1, click Test User1 in the search results and click Assign |
Close, the app will be directly available to the user in the Store > My Library
section. You can add multiple users in the text box. The user then can download
and install the app from the store.
Note: For more information, refer to
https://technet.microsoft.com/library/mt606944(v=vs.85).aspx
App Inventory 22. Click Manage and click Products & services and click Apps & software.
Management 23. You can find an app from the Search apps & software text box.
24. You can also refine your search by selecting Refine results based on Product
type, Application type, Source and Private store.
25. You will be able to see the list of apps with the following tabs – Name, Available
quantity, Usage/Total and Date.
26. If you click the (…) for an Online-licensed app, you will see the options – View
license details, Assign to people, View private store details and View product
details.
27. If you click the (…) for an Offline-licensed app, you will see the options –
Download for offline use and View product details.
28. You can even manage app licenses by viewing, assigning and reclaiming
licenses.
Note: You can remove an app from the Private Store. For more information, refer to
https://technet.microsoft.com/library/mt633825(v=vs.85).aspx
Distribute Apps 29. Click Manage, then click Settings and then click Distribute.
with a 30. You should be able to see the available MDM tools.
Management Tool 31. Select the MDM tool you want to synchronize with Store for Business, and then
click Activate. Your MDM tool is ready to use with the Store for Business.
Consult docs for your management tool to learn how to distribute apps from your
synchronized inventory.
 Note: For more information, refer to https://technet.microsoft.com/en-
us/library/mt606939(v=vs.85).aspx

4.5 Enterprise State Roaming

With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely
synchronize their user settings and application settings data to the cloud. Enterprise State
Roaming provides users with a unified experience across their Windows devices and reduces the
time needed for configuring a new device. Enterprise State Roaming operates similar to the
standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise
State Roaming offers:

 Separation of corporate and consumer data – Organizations are in control of their data,
and there is no mixing of corporate data in a consumer cloud account or consumer data
in an enterprise cloud account.
 Enhanced security – Data is automatically encrypted before leaving the user’s Windows
10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at
rest in the cloud. All content stays encrypted at rest in the cloud, except for the
namespaces, like settings names and Windows app names.
 Better management and monitoring – Provides control and visibility over who syncs
settings in your organization and on which devices through the Azure AD portal
integration.

4.5.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps

Ensure that both CLIENT3 and CLIENT4 virtual machines are Azure AD Domain
Prerequisite Lab Joined using TU1@<AzureDomainName>.onmicrosoft.com and both have been
rebooted atleast once.

4.5.2 Configure Enterprise State Roaming

In this lab, you will setup and configure enterprise state roaming.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Enable Enterprise 1. Start Internet Explorer InPrivate mode.
State Roaming in 2. Navigate to https://portal.azure.com and Sign in with
the Azure Web labadmin@<AzureDomainName>.onmicrosoft.com.
Portal 3. On the left navigation bar, click Azure Active Directory > Devices > Device
 settings.
4. In the Users may sync settings and app data across devices setting, select
Selected.
5. Click Selected below and click + Add members.
6. Type TU1, select Test User1 and click Select.
7. Click OK.
8. Click Save.
Complete these steps on the CLIENT3 virtual machine.
Confirm that 9. Log in as TU1@<AzureDomainName>.onmicrosoft.com. If first time login,
Setting Sync is then go through the Windows Hello steps.
Enabled for the 10. Click on Start > Settings > Accounts > Sync your settings.
User 11. Verify that Sync your settings is on.
12. Verify that the test account is listed in the description of the settings page “Sync
Windows settings to other devices using <testaccount>”.
Personalize 13. Right-click on the taskbar and uncheck Lock the taskbar.
Windows Settings 14. Drag the taskbar so that it is positioned to the right of the screen.
on the First
Machine
Complete these steps on the CLIENT4 virtual machine.
Verify that the Note: It may take a few minutes for the sync on one machine to propagate to the other. If
Changes have the sync does not complete. Try logging in and out of both devices or locking and
Synced to the unlocking the device.
Second Machine
15. Log in as TU1@<AzureDomainName>.onmicrosoft.com. If first time login,
then go through the Windows Hello steps.
16. Verify that the position of the taskbar matches the position that was set on
CLIENT3.
5 Security
In this module, you will go through Windows 10 capabilities that could help organizations be
more secure. We will cover the follow scenarios:

 Windows Information Protection

 Windows Defender Advanced Threat Protection
 Windows Defender Application Guard
 Windows Defender Exploit Guard
 Windows Hello
 Credential Guard
 Device Encryption (MBAM)
 Device Guard – User Mode Code Integrity

Prerequisite Sections:

a) Windows Insider Lab for Enterprise – Setup Guide

b) Section 3.2 - Cloud Environment
c) Section 5.3.1.1 – Prerequisites - Install the ConfigMgr Client on CLIENT1.
d) In the lab, CLIENT1 and CLIENT2 are mainly used for Traditional Methods and
CLIENT3 and CLIENT4 are mainly used for Modern Methods, therefore, you must
enroll CLIENT3 and at least CLIENT4 to Microsoft Intune for the labs below. There
are various labs in Section 5 (Deployment and Management), which explain how to
enroll a machine to Microsoft Intune.
In Section 5, it is recommended that you complete these steps on a physical
machine with the required hardware capabilities.

1.1 Windows Information Protection

Windows Information Protection (WIP), previously known as enterprise data protection (EDP),
helps to protect against this potential data leakage without otherwise interfering with the
employee experience. WIP also helps to protect enterprise apps and data against accidental
data leak on enterprise-owned devices and personal devices that employees bring to work
without requiring changes to your environment or other apps.

1.1.1 Modern Management

Follow the following sections for managing Windows Information Protection through modern
management tools.
1.1.1.1 Configuring and Testing WIP using Intune

In this section you will configure a WIP policy where Edge and Notepad are managed
applications. You will test your policy by copy and pasting between managed and unmanaged
applications.

Task Detailed Steps

Create 1. Close all browser windows.
Groups 2. Start Internet Explorer InPrivate mode.
for use 3. Navigate to https://portal.azure.com and Sign in with
with labadmin@<AzureDomainName>.onmicrosoft.com.
WIP 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
Demo 5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WIPDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Creating 8.Close all browser windows.
an Intune 9.Start Internet Explorer InPrivate
WIP mode.
Policy 10. Navigate to
https://portal.azure.com and Sign
in with
labadmin@<AzureDomainNa
me>.onmicrosoft.com.
11. On the left navigation bar, click
All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Mobile apps”.
15. Click on “App protection
policies”.
16. Click on “+ Add a policy”.
17. Fill in form:
Name: WIP Demo
Description: WIP Demo
Platform: Windows 10
Enrollment state: With enrollment
Protected apps: Click Add apps and
click OK | OK:
Select Microsoft Edge
Select Notepad
Exempt apps: Do not configure
Configure required settings:
Allow Overrides and click OK
Advanced Settings:
Show the enterprise data
protection icon - “ON” and click
OK
18. Select Create.
 19. Select WIP Demo.
20. Select Assignments.
21. Click Select groups to include.
22. Select WIPDemo.
23. Click Select.
Complete these steps on the CLIENT3 virtual machine or
a physical machine.
Verify 24. Login to the virtual machine as:
the TU2@<AzureDomainName>.onmicr
Policy osoft.com
has been 25. Start Notepad.
Applied 26. Enter in the text field
and www.bing.com.
Working 27. Select File > “Save As”.
Note: Notice next to where you enter
the file name you see a lock icon.
28. Use the drop down and select
“Work (<Domain name>)”.
29. Name the file “WipTest” and
click Save.
Note: Notice the new briefcase icon on
the title bar.
30. Close Notepad.
31. Open File Explorer.
32. Navigate to the “Documents”
folder.
Note: Notice the new icon for Wiptest.
This shows it is managed by WIP.
33. Double click on WipTest and
open it again in Notepad.
34. Copy the text www.bing.com.
35. Open up WordPad (NOT WIP
managed).
36. Paste in the text.
Note: Notice you are prompted because
you are copying from a managed
application to an unmanaged
application.
37. Select No.
38. Close WordPad.
39. Open up Edge (WIP managed).
40. Paste in the text.
Note: Notice that this worked. Both
Edge and Notepad are managed
therefore, for copy and paste between
them are allowed.
41. Close Edge.
42. Open IE (NOT WIP Managed).
43. Past in the text.
Note: Notice you are prompted because
you are copying from a managed
application to an unmanaged
application. Select No and close all the
 applications if any are opened.
Removin 44. Close all browser windows.
g the 45. Start Internet Explorer InPrivate
Policy mode.
46. Navigate to
https://portal.azure.com and Sign
in with
labadmin@<AzureDomainNa
me>.onmicrosoft.com.
47. On the left navigation bar, click
All services.
48. Enter “Intune” in search.
49. Click on Intune.
50. Click on “Mobile apps”.
51. Click on “App protection
policies”.
52. Select the policy and click
Delete policy | Yes.
Note: We are deleting the policy in
order to use the same application in
other labs without this policy being
enforced.

1.1.2 Traditional Management

In this section, you will learn how to configure and deploy WIP policies through System Center
Configuration Manager and test different WIP scenarios.

Note: This lab can only be performed if the System Center Configuration Manager environment
is on Current Branch (1802) or higher.

Follow the following sections for managing Windows Information Protection through traditional
management tools.

1.1.2.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Install Google 1. Open Internet Explorer and browse to the URL below.
Chrome https://www.google.com/intl/en/chrome/browser/desktop/index.html
2. Click DOWNLOAD CHROME.
3. On the Download Chrome for Windows popup window, click ACCEPT AND
INSTALL.
4. Click Run to start the ChromeSetup.exe and accept the UAC prompt if it appears.
5. Once completed successfully, close all the windows.
Pin Applications 6. Pin the following applications to the Start:
a. Internet Explorer
 b. Google Chrome
c. Notepad
d. WordPad
Complete these steps on the CM1 virtual machine.
Create a Collection 7. Open the Configuration Manager Console from the Start Menu.
8. From the Configuration Manager Console, browse to Assets and Compliance.
9. Right-click on Device Collections and select Folder > Create Folder.
10. On the Configuration Manager window, under Folder name enter Windows
Information Protection then click OK.
11. From the Configuration Manager Console, expand Device Collections and right-
click on Windows Information Protection.
12. Select Create Device Collection.
13. On the General page, enter the following then click Next.
Name: Block
Limiting Collection: All Desktop and Server Clients
14. On the Membership Rules page, click Next.
15. On the warning dialog box, click OK.
16. On the Summary page, click Next.
17. On the Completion page, click Close.

1.1.2.2 Configure Data Recovery Agent (DRA) Certificate

In this activity, you will create and enroll for a Data Recovery Agent certificate which is a
prerequisite in configuring WIP policies through System Center Configuration Manager.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Create a DRA 1. Open the Certification Authority from the Start Menu.
Certificate 2. On the Certification Authority console, expand corp-DC1-CA, right-click on
Template Certificate Templates and select Manage.
3. On the Certificate Templates Console, right-click on EFS Recovery Agent and
select Duplicate Template.
4. On the Properties of New Template window, go to the General tab.
5. On the General tab, under Template display name enter WIP Recovery Agent,
select Publish certificate in Active Directory, then go to the Request Handling
tab.
6. On the Request Handling tab, verify that under Purpose Encryption is selected
and Allow private key to be exported is selected then go to the Security tab.
7. On the Security tab, select LabAdmin and under Allow, select Enroll.
8. On the Properties of New Template window, click Apply then click OK.
9. Close the Certificate Templates Console.
10. On the Certification Authority console, right-click on Certificate Templates and
select New > Certificate Template to Issue.
11. On the Enable Certificate Templates window, select WIP Recovery Agent then
click OK.
Request a DRA 12. Right-click on Start and select Run.
Certificate 13. On the Run window, enter certmgr.msc then click OK.
14. On the Certificates console, right-click on Personal and select All Tasks >
Request New Certificate….
 15. On the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, select Active Directory
Enrollment Policy then click Next.
17. On the Request Certificates page, select WIP Recovery Agent then click Enroll.
18. Once enrolled successfully, click Finish.
Export the DRA 19. On the Certificates console, under Personal > Certificates, right-click on the
Certificate certificate issued by corp-DC1-CA and select All Tasks > Export…
20. On the Welcome to the Certificate Export Wizard page, click Next.
21. On the Export Private Key page, select Yes, export the private key then click
Next.
22. On the Export File Format page, click Next.
23. On the Security page, select Password: enter P@ssw0rd under Password: and
Confirm password: then click Next.
24. On the File to Export page, click Browse…
25. On the Save As window, browse to the Desktop, click New folder and rename
the new folder to DRA.
26. Double-click on the DRA folder.
27. Under File name, enter WIP-DRA-key then click Save.
28. On the File to Export page, click Next.
29. Once complete, click Finish.
30. Click OK on the export successful dialog window.
31. On the Certificates console, under Personal > Certificates, right-click on the
certificate issued by corp-DC1-CA and select All Tasks > Export…
32. On the Welcome to the Certificate Export Wizard page, click Next.
33. On the Export Private Key page, select No, do not export the private key then
click Next.
34. On the Export File Format page, select Base-64 encoded X.509 (.CER) then
click Next.
35. On the File to Export page, click Browse…
36. On the Save As window, browse to the Desktop, under File name, enter WIP-
DRA then click Save.
37. On the File to Export page, click Next.
38. Once complete, click Finish.
39. Click OK on the export successful dialog window.
Copy the 40. From the Desktop, copy the file WIP-DRA.cer to \\CM1\Packages$.
Certificate

1.1.2.3 Windows Information Protection Policies

In this activity, you will create and deploy a WIP configuration item and baseline that will block
inappropriate data sharing practices.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Create a Block 1. Browse to Assets and Compliance > Compliance Settings > Configuration
WIP Configuration Baselines then click on Create Configuration Baseline from the ribbon bar.
 Baseline 2. On the Create Configuration Baseline window, under Name enter WIP - Block.
3. On the Create Configuration Baseline window, under Configuration data click
Add > Configuration Items.
4. On the Add Configuration Items window, select WIP – Block, click Add then
click OK.
5. On the Create Configuration Baseline window, click OK.
Deploy the WIP 6. Browse to Assets and Compliance > Compliance Settings > Configuration
Policies Baselines.
7. Right-click on WIP – Block then select Deploy.
8. On the Deploy Configuration Baselines window, select Remediate
noncompliant rules when supported and Allow remediation outside the
maintenance window.
9. On the Deploy Configuration Baselines window, under Collection click
Browse…
10. On the Select Collection window, browse to Device Collections > Windows
Information Protection, select Block then click OK.
11. On the Deploy Configuration Baselines window, click OK.

1.1.2.4 Validate Policies

In this activity, you will perform various tests to test the enforcement of the WIP policies in
different scenarios.

Task Detailed Steps

Complete these steps on the CM1 virtual machine.
Add Device to 1. From the Configuration Manager Console, browse to Assets and Compliance >
Collection Devices.
2. Right-click on the CLIENT1 virtual machine and select Add Selected Items >
Add Selected Items to Existing Device Collection.
3. On the Select Collection window, browse to Device Collections > Windows
Information Protection, select Block then click OK.
Complete these steps on the CLIENT1 virtual machine.
Refresh 4. Logon as CORP\LabAdmin and open the Control Panel. Select the
Configuration Configuration Manager icon.
Manager Machine 5. On the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and
Policy click Run Now to force the device to receive updated policy. This can take up to
5 minutes. Click OK.
6. On the Configuration Manager Properties window, go to the Configurations tab
and confirm that the WIP – Block baseline is listed.
7. Select the WIP – Block baseline and click Evaluate.
8. Click Refresh and confirm that the Compliance State has changed to Compliant.
9. On the Configuration Manager Properties window, click OK.
Encryption through 10. Right-click on the Desktop and select New > Bitmap image.
File Explorer 11. Rename the file to Picture1.bmp.
12. Right-click on Picture1.bmp then select File ownership > Work
(Olympia.local).
13. Right-click on Picture1.bmp then select Properties.
14. On the Picture1.bmp Properties window, click Advanced…
15. On the Advanced Attributes window, click Details.
16. On the Enterprise Control window, verify that Olympia.local is listed and the
 status of the file is Protected.
17. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Encryption through 18. Click Start and open Notepad.
Save on an 19. On the Untitled file, enter This is a protected file.
Enterprise 20. Click File > Save As…
Application 21. On the Save As window, browse to Desktop, under File name select Work
(Olympia.local), enter Protected File1 then click Save.
22. Right-click on Protected File1.txt then select Properties.
23. On the Protected File1 Properties window, click Advanced…
24. On the Advanced Attributes window, click Details.
25. On the Enterprise Control window, verify that Olympia.local is listed and the
status of the file is Protected.
26. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Automatic 27. Right-click on Start and select Run.
Encryption on 28. On the Run window, enter \\CM1\Packages$ and click OK.
Copy from Trusted 29. Open WIN10X64-Settings and copy Unattend.xml to the Desktop.
Network Shares Note: Before performing this step, in CM1, create a dummy folder called
WIN10X64-Settings and within that create a blank dummy xml file called
Unattend.xml. Also, the file should open by default only in notepad or Internet
Explorer. For this example, notepad has been chosen as the default app.
30. Right-click on Unattend.xml then select Properties.
31. On the Unattend Properties window, click Advanced…
32. On the Advanced Attributes window, click Details.
33. On the Enterprise Control window, verify that Olympia.local is listed and the
status of the file is Protected.
34. Click OK three times.
Note: The briefcase icon indicates that the file is protected.
Open Encrypted 35. On the Desktop, open the Unattend.xml file with Internet Explorer.
Files on an 36. Close Internet Explorer.
Enterprise
Note: The briefcase icon beside the refresh button indicates that the file is protected.
Application
Open Encrypted 37. On the Desktop, open the Unattend.xml file with WordPad.
Files on a Non- 38. Click OK on the access denied prompt.
Enterprise
Note: WordPad is not configured as an Enterprise Application in the Compliance Item
Application
policy created earlier.
Policy 39. Click Start and open Google Chrome.
Enforcement for 40. From the Desktop, drag and drop the Unattend.xml file to Google Chrome.
Copy-Paste 41. Click OK on the Can’t use work content here prompt.
42. On the Desktop, open Protected File1.txt with Notepad.
43. Copy the text within the Protected File1.txt file.
44. Click Start and open WordPad.
45. On WordPad, click Paste.
46. Click OK on the Can’t use work content here prompt.
47. Close WordPad.
48. Click Start and open Internet Explorer.
49. On Internet Explorer, browse to www.bing.com.
50. Right-click on the Bing search text field and select Paste.
51. Click OK on the Can’t use work content here prompt.
 52. Close Internet Explorer.
Note: Bing is treated as separate application and is not configured as an
Enterprise Application in the Compliance Item policy created earlier.
53. Right-click on Start and select Run.
54. On the Run window, enter \\10.0.0.6\MDOP. Click OK.
55. From the Desktop, copy the Unattend.xml file and paste in the MDOP share.
56. On the Interrupted Action window, click Cancel.
Note: Windows Information Protection blocks actions that are against the configured
policies such as opening enterprise files on a non-enterprise application, and copying the
contents of an enterprise file to a non-enterprise application, URL and network share.
Remove 57. On CM1, in the Configuration Manager Console, navigate to Assets and
Encryption Compliance | Compliance Settings | Configuration Items. Select WIP – Block
Complete these and click Properties from the ribbon bar.
steps on the CM1 58. Click the Compliance Rules tab and double-click on WIP App Management
and CLIENT1 Mode.
virtual machine. 59. Scroll slight down and select Off: Turns off Windows Information Protection,
click OK on the Edit Rules window.
60. Click Apply and OK on the WIP – Block Properties window.
61. On the CLIENT1 virtual machine, open the Control Panel. Select the
Configuration Manager icon. On the Actions tab, select Machine Policy
Retrieval & Evaluation Cycle and click Run Now to force the device to receive
updated policy. This can take upto 5 minutes. Click OK.
62. On the Configuration Manager Properties window, go to the Configurations tab,
select the WIP – Block baseline and click Evaluate and Refresh. Click OK.
63. Right-click on Picture1.bmp then select Properties.
Note: Note that the briefcase icon does not show any more on the file.
64. On the Picture1.bmp Properties window, click Advanced…
65. On the Advanced Attributes window, verify that Encrypt contents to secure
data is not selected.
66. Click OK two times.

1.2 Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service
that enables enterprise customers to detect, investigate, and respond to advanced threats on
their networks.

Windows Defender ATP uses the following combination of technology built into Windows 10
and Microsoft's robust cloud service:

 Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and
process behavioral signals from the operating system (for example, process, registry, file,
and network communications) and sends this sensor data to your private, isolated, cloud
instance of Windows Defender ATP.
 Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft
optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal
Tool, enterprise cloud products (such as Office 365), and online assets (such as Bing and
 SmartScreen URL reputation), behavioral signals are translated into insights, detections,
and recommended responses to advanced threats.
 Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by
threat intelligence provided by partners, threat intelligence enables Windows Defender
ATP to identify attacker tools, techniques, and procedures, and generate alerts when
these are observed in collected sensor data.

In this section, you will learn how to configure and use Windows Defender ATP to detect and
respond to threats.

Note: This lab can only be performed if the customer has already registered and approved for
the Microsoft WDATP Preview/Trial program (Section 3.2.3).

1.2.1 Onboarding Windows 10 Device

In this activity, you onboard your first Windows 10 client to Windows Defender Advanced Threat
Protection.

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.
Download the 1. Log in to the device.
Onboarding 2. Navigate to https://securitycenter.windows.com/
Package 3. Sign in to the portal with labadmin@<AzureDomainName>.onmicrosoft.com
4. On the Getting started page, click Next.
5. On the Set up your preferences page, select the appropriate data storage location
and click Next.
6. Select the appropriate data retention policy and click Next.
7. Select your appropriate organization size and click Next.
8. Select your appropriate industry and click Next.
9. Select the appropriate preview experience option and click Next.
10. Click Continue to create a cloud instance. It will start creating your Windows
Defender ATP cloud instance.
11. On the Endpoint onboarding page, under Select your deployment tool dropdown,
select Local Script (for up to 10 machines) and click Download package. Once
downloaded, click Finish.
12. Click Save as and Save the package to C:\.
Execute the 13. Navigate to C:\, right-click the package and click Extract All…
Onboarding 14. Click Extract.
Package 15. Navigate to the extracted package, right-click on the script file and click Edit.
Note: Note the registry paths we are writing to. Note the log and the Event ID we are
creating in case of successful events using eventcreate.
16. Close notepad.
17. Right-click the script file and click Run as administrator. Press Y to confirm
and continue. Press any key to continue.
18. After 5-10 minutes the device should start reporting to the portal.
Configure the 19. Click the Start menu and type regedit, right-click and choose Run as
Sample Collection administrator.
 Setting 20. Locate the following registry path:
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat
Protection.
21. Create a DWORD value AllowSampleCollection and set it to 1.
Note: The machine will file sample collection through the portal for deeper investigation.
No samples are collected automatically as this is done by the administrator.
Verify the 22. Check the SENSE service is running, by opening the Command Prompt and
Deployment running: sc query sense. The STATE should be 4 and should be RUNNING.
Success 23. Open the Event Viewer (Local) > Windows Logs > Application log and locate
the Event ID 20 from the source WDATPOnboarding.
24. Open the Event Viewer (Local) > Application and Services Logs > Microsoft >
Windows > SENSE > Operational log. Check for the Event ID 4 to make sure
that the SENSE service is reporting successful server connection every 5 minutes.
Connection frequency may vary depending on factors like battery state.
25. Go to https://securitycenter.windows.com/ portal, then choose Machines View,
on the right locate your machine on the list, its Health State should be Active.
Install Office (If 26. Go to https://portal.office.com and Sign in as
Not Installed) TU2@<AzureDomainName>.onmicrosoft.com
27. Click Install Office 2016.
28. Click Run.

1.2.2 Perform Simulation

In this activity, you will go step-by-step through a typical attack sequence that you will run
yourself.

Note: The setup guide also contains instructions and links for the attack demo.

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.
Follow the Demo 1. Click the link to open the WinATP-Intro-Invoice.doc word document from the
Attack Simulation setup guide.
Guidance 2. Since the device has Office 2016 installed, therefore click Yes and OK on the
Office 2016 security prompts.
3. Enter the password to open the word document and click OK. The password is
provided in the setup guide.
4. Click Enable Content on the opened word document.
5. Click OK on the prompt.
6. A Backdoor will run in a command window. Press any key to close.
7. You will now be able to see that an Active alert has been reported to the Windows
Defender Advanced Threat Protection by the device. Navigate through the portal
for further details on the attack and ways to remediate.

1.3 Windows Defender Application Guard

Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-
defined untrusted sites, protecting your company while your employees browse the Internet. As
an enterprise administrator, you define what is among trusted web sites, cloud resources, and
internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer,
Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from
the host operating system. This container isolation means that if the untrusted site turns out to
be malicious, the host PC is protected, and the attacker can't get to your enterprise data.

Note: Windows Defender Application Guard can only be enabled if the Hardware Requirements
are met as stated in https://docs.microsoft.com/en-us/windows/threat-protection/windows-
defender-application-guard/reqs-wd-app-guard

Note: The machine (Virtual or Physical) should have Hyper-V, TPM and Secure Boot Enabled.

1.3.1 Modern Management

Follow the following sections for managing Windows Defender Application Guard through
modern management tools.

1.3.1.1 Configure Windows Defender Application

In the section below you will be configuring WDAG using modern management.

Task Detailed Steps

Create 1. Close all browser windows.
Groups for 2. Start Internet Explorer InPrivate mode.
use with 3. Navigate to https://portal.azure.com and Sign in with
WD labadmin@<AzureDomainName>.onmicrosoft.com.
Application 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
Guard 5. Click + New group.
Demo 6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WDAGDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Creating an 1. Close all browser windows.
Intune 2. Start Internet Explorer InPrivate mode.
WDAG 3. Navigate to https://portal.azure.com and Sign in with
Policy labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services.
5. Enter “Intune” in search.
6. Click on Intune.
7. Click on “Device configuration”.
8. Click on “Profiles”.
9. Click on “+ Create profile”.
10. Fill in form:
Name: WDAG Demo
 Description: WDAG Demo
Platform: Windows 10 and later
Profile type: Endpoint protection
11. Select “Windows Defender Application Guard”.
12. Fill out form:
Application Guard: Enabled for Edge
Clipboard behavior: Block copy and paste between PC and browser
External content on enterprise sites: Not configured
Print from virtual browser: Allow
Printing types(s): PDF
Collect logs: Not configured
Retain user-generated browser data: Not configured
Graphics acceleration: Not configured
Download files to host file system: Not configured
13. Select OK.
14. Select OK.
15. Select Create.
16. Select Assignments.
17. Select “Select groups to include”.
18. Select “WDAGDemo”. Click Select.
19. Click on Save.
Configure 20. Go back to Intune
trusted site 21. Click “Client Apps”
list 22. Click “App Protection Policies”
23. Click “Create Policy”
24. Fill up the form
a. Name – WDAG Site List
b. Platform – Windows 10
c. Enrollment State – With Enrollment
d. Click Advanced Settings
e. Add network boundary
i. Boundary type – Cloud resources
ii. Name – ECR
iii. Value – “provide list of cloud resources separated by ‘|’ (pipe) symbol.
Ex: powerbi.com| .yammer.com|yammer.com|
olympia.windows.com|/*AppCompat*/
iv. Click OK
Note - Add /*AppCompat*/ to your list of cloud resources to enable TLS connections by
personal apps that connect directly to a cloud resource through an IP address.
f. Add network boundary
i. Boundary type – Neutral resources
ii. Name – NeutralResources
iii. Value – “provide list of websites separated by ‘,’. $ sign is used as
wildcard for websites.
iv. Ex: $.o365.com,$.office.com,$.microsoft.com
v. Click OK
25. Click Create
26. Click on newly created policy
27. Click Assignments
28. Select “Select groups to include”.
29. Select “WDAGDemo”. Click Select.
30. Click on Save.
Complete these steps on a physical machine. (To connect a physical machine to the lab, see Section 3 of the
Set Up Guide.)
Verify the 31. Login to a machine as:
Policy has TU2@<AzureDomainName>.onmicrosoft.com
been 32. Select Start.
Applied 33. Select Settings.
and 34. Select Accounts.
Working 35. Select Access work or school.
36. Select Connected to <CompanyName> Azure AD.
37. Click Info.
38. Click Sync to force a policy update and confirm that the sync was successful.
39. Close Settings. Reboot the machine once.
40. Launch Edge.
41. Press Alt-X.
42. Select “New Application Guard window”.
43. A new windows should appear.
Note: Notice that in the upper left hand corner of the window you should see
Application Guard and a thin orange line at the top of the window. This indicates you
are running in Application mode.

44. Enter the URL www.bing.com.

45. Create a new tab.
46. Copy the URL www.bing.com to the new tab.
Note: Notice that you can do this because it is inside of Application Guard.
47. Open IE.
48. Try to copy the URL from WDAG Edge windows to IE.
Note: Notice that you cannot copy. This is because WDAG is configured to not allow
copy and paste with the OS.
49. Enter the URL of www.msn.com in IE.
50. Copy this URL from IE and try and paste it in WDAG Edge window.
Note: Notice that you cannot copy. This is because WDAG is configured to not allow
coping from the OS to the WDAG Edge windows.
Verify Cloud resources will always open in Host Edge
trusted
website 51. Launch Edge.
behavior 52. Press Alt-X.
53. Select “New Application Guard window”.
54. Navigate to Olympia.windows.com or yammer.com [As these sites are configured as
Cloud resources in step 24]
55. Notice that the website renders in Edge on host OS.
Neutral Site list opens in browser where it is opened.
56. Launch Edge.
57. Press Alt-X.
58. Select “New Application Guard window”.
59. Navigate to o365.com or office.com [As these sites are configured as Neutral resources]
60. Notice that the website renders in WDAG.
61. Launch Edge
62. Navigate to o365.com or office.com [As these sites are configured as Neutral resources]
 63. Notice that the website renders in Host Edge.
Non trusted sites open in WDAG
64. Launch Edge
65. Navigate to www.purple.com
66. Notice website will open in WDAG window as its not part of trusted site list.

1.3.2 Traditional Management

Follow the following sections for managing Windows Defender Application Guard through
traditional management tools.

1.3.2.1 Prerequisites

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Install the Feature 1. Open the Control Panel, click Programs, and then click Turn Windows
features on or off.
2. Select the check box next to Windows Defender Application Guard and then
click OK.
3. Restart the device.

1.3.2.2 Configure Group Policy Settings

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Turn On Windows 1. In the Group Policy Management Console, edit the Default Domain Policy by
Defender going to Computer Configuration\Policies\Administrative
Application Guard Templates\Windows Components\Windows Defender Application Guard.
2. Double-click Turn on Windows Defender Application Guard in Enterprise
Mode.
3. Select Enabled and click Apply and OK.
Set Up Network 4. Go to the Computer Configuration\Policies\Administrative
Isolation Templates\Network\Network Isolation\Enterprise resource domains hosted
in the cloud.
5. Select Enabled and type .microsoft.com into the Enterprise cloud resources
box. Click Apply and OK.
6. Go to the Computer Configuration\Policies\Administrative
Templates\Network\Network Isolation\Domains categorized as both work
and personal setting.
7. Select Enabled and type bing.com into the Neutral resources box. Click Apply
and OK.

1.3.2.3 Validate Windows Defender Application Guard

Task Detailed Steps

 Complete these steps on the CLIENT1 virtual machine.
Test Application 1. Update the group policies by running gpupdate /force from the elevated
Guard command prompt. Accept the UAC prompt if required.
2. Start Microsoft Edge and type www.microsoft.com
3. After you submit the URL, Application Guard determines the URL is trusted
because it uses the domain you’ve marked as trusted and shows the site directly
on the host PC instead of in Application Guard.
4. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted
or neutral site lists, example www.msn.com
5. After you submit the URL, Application Guard determines the URL is untrusted
and redirects the request to the hardware-isolated environment.

1.4 Windows Defender Exploit Guard

Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion
prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface
of apps used by your employees.

There are four features in Windows Defender EG:

 Exploit protection can apply exploit mitigation techniques to apps your organization
uses, both individually and to all apps.
 Attack surface reduction rules can reduce the attack surface of your applications with
intelligent rules that stop the vectors used by Office-, script- and mail-based malware.
 Network protection extends the malware and social engineering protection offered by
Windows Defender SmartScreen in Edge to cover network traffic and connectivity on
your organization's devices.
 Controlled folder access helps protect files in key system folders from changes made by
malicious and suspicious apps, including file-encrypting ransomware malware.

1.4.1 Modern Management

Follow the following sections for managing Windows Defender Exploit Guard through modern
management tools.

1.4.1.1 Exploit Guard Controlled Folders

In this section we are going to create a group that will be used to assign users a Exploit Guard
controlled folder policy. In addition we will configure the policy and test that it works.

Task Detailed Steps

Creat 1. Close all browser windows.
e 2. Start Internet Explorer InPrivate mode.
Grou 3. Navigate to https://portal.azure.com and Sign in with
ps labadmin@<AzureDomainName>.onmicrosoft.com.
 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: ExploitDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Configur 8. On the left navigation bar, click All
e Services.
Windows 9. Enter “Intune” in search.
Defender 10. Click on Intune.
Exploit 11. Under Manage Select “Device
Guard configuration”.
12. Under Manage Select “Profiles”.
13. Select “Create profile”.
14. Name the new profile “Exploit
Protection Demo”.
15. For Platform select “Windows 10
and later”.
16. For Profile type select “Endpoint
protection”.
17. Select “Windows Defender
Exploit Guard”.
18. Select “Controlled folder access”.
19. Change Folder protection to
“Enable”.
20. Select OK.
21. Select OK.
22. Select OK.
23. Select Create.
24. Select Assignments.
25. Click Select groups to include.
26. Check the “ExploitDemo” group.
27. Select “Select”.
28. Click Save.
Complete these steps on the CLIENT3 virtual machine or a
physical machine.
Verify 29. Login to the virtual machine as
Configur TU2@<AzureDomainName>.onmicros
ation is oft.com
Applied 30. Select Start.
31. Select Settings.
32. Select Accounts.
33. Select Access work or school.
34. Select Connected to
<CompanyName> Azure AD.
35. Click Info.
36. Click Sync to force a policy update
and confirm that the sync was
successful.
37. Open up Notepad.exe.
38. Create a simple document.
 39. Save it to “Documents”.
Note: Notice that it saved just fine.
40. Open “Windows PowerShell ISE”.
41. Create a simple script “Get-
process”.
42. Save it to “Documents”.
Note: Notice you cannot save to
Documents because this is a protected
folder. You will get a “File not found”
message.
43. Press OK.
Note: You may also notice a Message
slide in from the right stating it was
blocked by Controlled folder access.
44. Click on the notification icon

to review this notification.

1.4.2 Traditional Management

Follow the following sections for managing Windows Defender Exploit Guard through traditional

management tools.

1.4.2.1 Exploit Protection

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Configure 1. Open the Windows Defender Security Center by clicking the shield icon in the
Program-Level task bar or searching the start menu for Defender.
Mitigations 2. Click the App & browser control tile (or the app icon on the left menu bar) and
then the Exploit protection settings at the bottom of the screen.
3. Go to the Program settings section and click Add program to customize.
4. Click on Add by program name and type notepad.exe. Click Add.
5. On the next window, scroll down and on Disable Win32k system calls, select
Override system settings and choose On.
6. You will be notified if you need to restart the process or app, or if you need to
restart Windows. Click Apply and accept the UAC prompt.
7. Try to open notepad.exe. Notice the error message. Click OK.
Create and Export 8. Open the Windows Defender Security Center by clicking the shield icon in the
a Configuration task bar or searching the start menu for Defender.
File 9. Click the App & browser control tile (or the app icon on the left menu bar) and
then the Exploit protection settings at the bottom of the screen.
10. At the bottom of the Exploit protection section, click Export settings and then
save the configuration file under Documents.
11. Copy the file to DC1 in a shared folder with full permissions.
Complete these steps on the DC1 virtual machine.
Distribute the 12. On your Group Policy management machine, open the Group Policy
 Configuration File Management Console, right-click the Group Policy Objects and create a new
with Group Policy GPO WDEG.
13. Right click the new Group Policy WDEG and click Edit.
14. In the Group Policy Management Editor go to Computer Configuration.
15. Click Policies then Administrative Templates.
16. Expand the tree to Windows Components > Windows Defender Exploit Guard
> Exploit Protection.
17. Double-click the Use a common set of exploit protection settings setting and set
the option to Enabled.
18. In the Options section, enter the location and filename of the Exploit Protection
Configuration File that you saved from the previous section in a UNC format
including the name of the file and it’s extension and click Apply | OK.

1.4.2.2 Attack Surface Reduction

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Distribute the 1. On your Group Policy management machine, open the Group Policy
Configuration File Management Console, and right-click the Group Policy Object WDEG.
with Group Policy 2. Click Edit.
3. In the Group Policy Management Editor go to Computer Configuration.
4. Click Policies then Administrative Templates.
5. Expand the tree to Windows Components > Windows Defender Antivirus >
Windows Defender Exploit Guard > Attack Surface Reduction.
6. Double-click the Configure Attack Surface Reduction rules setting and set the
option to Enabled.
Click Show... and enter the following rule ID in Value name:
D3E037E1-3EB8-44C8-A917-57927947596D
7. Set the Value to 1 and click OK.
8. Right-click the root domain, Cclick Link and Existing GPO, select WDEG and
click OK.
Note: The above rule will block JavaScript or VBScript from launching downloaded
executable content as well as block notepad.exe to launch. Do run a gpupdate /force
on the CLIENT2 VM.

1.5 Windows Hello

Windows Hello for Business replaces username and password sign-in to Windows with strong
user authentication based on asymmetric key pair.

In this lab, you will find all the information to deploy Windows Hello for Business in a Certificate
Trust Model in your on-premises environment.

1.5.1 Modern Management

Follow the following sections for managing Windows Hello for Business through modern
management tools.
1.5.1.1 Windows Hello for Business

In this lab we are going to setup Windows Hello for Business in the Cloud.

Task Detailed Steps

Complete these steps from a physical macian Internet-connected Windows computer.
Configuring 1. Close all browser windows.
Windows Hello for 2. Start Internet Explorer InPrivate mode.
Business 3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click All services.
5. Enter “Intune” in search.
6. Click on Intune.
7. Select “Device enrollment”.
8. Select “Windows enrollment”.
9. Select “Windows Hello for Business”.
10. Choose the Default settings.
11. Select “Properties” and review.
12. Select “Settings”.
13. Enable “Windows Hello for Business”.
14. Review possible settings.
15. Select Save.

1.5.2 Traditional Management

Follow the following sections for managing Windows Hello for Business through traditional
management tools.

1.5.2.1 Validate Active Directory Prerequisites

The key registration process for the On-prem deployment of Windows Hello for Business needs
the Windows Server 2016 Active Directory schema. The key-trust model receives the schema
extension when the first Windows Server 2016 domain controller is added to the forest. The
certificate trust model requires manually updating the current schema to the Windows Server
2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you
can skip the next step.

Task Detailed Steps

Complete these
steps on the DC1
virtual machine.
Create the 1. Open Active Directory Users and Computers.
KeyCredential 2. Click View and click Advanced Features.
Admins Security 3. Expand the domain node from the navigation pane.
 Global Group 4. Right-click the Users container. Click New > Group.
5. Type KeyCredential Admins in the Group name text box.
6. Click OK.

Create the 7. Right-click the Users container. Click New > Group.
Windows Hello 8. Type Windows Hello for Business Users in the Group name text box.
for Business Users 9. Click OK.
Security Global
Group

1.5.2.2 Validate and Configure PKI

Windows Hello for Business must have a public key infrastructure regardless of the deployment
or trust model. All trust models depend on the domain controllers having a certificate. The
certificate serves as a root of trust for clients to ensure they are not communicating with a rogue
domain controller. The certificate trust model extends certificate issuance to client computers.
During Windows Hello for Business provisioning, the user receives a sign-in certificate.

Note: The following instructions may be used to deploy simple public key infrastructure that is
suitable for a lab environment.

Task Detailed Steps

Complete these
steps on the DC1
virtual machine.
Configure a 1. Open the Certification Authority management console.
Domain 2. Right-click Certificate Templates and click Manage.
Controller 3. In the Certificate Templates Console, right-click the Kerberos Authentication
Certificate template in the details pane and click Duplicate Template.
4. On the Compatibility tab, clear the Show resulting changes check box. Select
Windows Server 2012 or Windows Server 2012 R2 from the Certification
Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 /
Windows Server 2012 R2 from the Certificate recipient list.
5. On the General tab, type Domain Controller Authentication (Kerberos) in
Template display name. Adjust the validity and renewal period to meet your
enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute these
names in different portions of the lab.
6. On the Subject Name tab, select the Build from this Active Directory
information button if it is not already selected. Select None from the Subject
name format list. Select DNS name from the Include this information in
alternate subject name. Clear all other items.
7. On the Cryptography tab, select Key Storage Provider from the Provider
Category list. Select RSA from the Algorithm name list. Type 2048 in the
Minimum key size text box. Select SHA256 from the Request hash list. Click
Apply and OK.
8. Close the console.

Configure an 9. Right-click Certificate Templates and click Manage.

Internal Web 10. In the Certificate Templates Console, right-click the Web Server template in the
Server Certificate details pane and click Duplicate Template.
Template 11. On the Compatibility tab, clear the Show resulting changes check box. Select
Windows Server 2012 or Windows Server 2012 R2 from the Certification
Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 /
Windows Server 2012 R2 from the Certificate recipient list.
12. On the General tab, type Internal Web Server in Template display name. Adjust
the validity and renewal period to meet your enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute these
names in different portions of the lab.
13. On the Request Handling tab, select Allow private key to be exported.
14. On the Subject Name tab, select the Supply in the request button if it is not
already selected.
15. On the Security tab, Click Add… Type Domain Computers in the Enter the
object names to select box. Click Check Names | OK. Select the Allow check box
next to the Enroll permission.
16. On the Cryptography tab, select Key Storage Provider from the Provider
Category list. Select RSA from the Algorithm name list. Type 2048 in the
Minimum key size text box. Select SHA256 from the Request hash list. Click
Apply and OK.
17. Close the console.

Unpublish 18. Click Certificate Templates in the navigation pane.

Superseded 19. Right-click the Domain Controller certificate template in the content pane and
Certificate select Delete. Click Yes on the Disable certificate templates window.
Templates 20. Repeat Step 19 for the Domain Controller Authentication and Kerberos
Authentication certificate templates.

Publish Certificate 21. Click Certificate Templates in the navigation pane.

Templates to the 22. Right-click the Certificate Templates node. Click New, and click Certificate
Certification Template to Issue.
Authority 23. In the Enable Certificate Templates window, select the Domain Controller
Authentication (Kerberos), and Internal Web Server templates you created in
the previous steps. Click OK to publish the selected certificate templates to the
certification authority.
24. Close the console.

Configure and 25. Start the Group Policy Management Console (gpmc.msc).
Deploy the 26. Expand the domain and select the Group Policy Objects node in the navigation
Domain pane.
Controller Auto 27. Right-click Group Policy Objects and select New.
Certificate 28. Type Domain Controller Auto Certificate Enrollment in the Name box and
Enrollment Group click OK.
Policy Object 29. Right-click the Domain Controller Auto Certificate Enrollment Group Policy
object and click Edit.
30. In the navigation pane, expand Policies under Computer Configuration.
31. Expand Windows Settings, Security Settings, and click Public Key Policies.
32. In the details pane, right-click Certificate Services Client – Auto-Enrollment and
select Properties.
33. Select Enabled from the Configuration Model list.
34. Select the Renew expired certificates, update pending certificates, and remove
revoked certificates check box.
35. Select the Update certificates that use certificate templates check box.
36. Click Apply and OK. Close the Group Policy Management Editor.
37. In the navigation pane, expand the domain and expand the node that has your
Active Directory domain name. Right-click the Domain Controllers
 organizational unit and click Link an Existing GPO…
38. In the Select GPO dialog box, select Domain Controller Auto Certificate
Enrollment or the name of the domain controller certificate enrollment Group
Policy object you previously created and click OK.

1.5.2.3 Prepare and Deploy Windows Server 2016 Active Directory Federation
Services

Task Detailed Steps

Complete these
steps on the
APP1 virtual
machine.
Internal Server 1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC
Authentication prompt.
Certificate 2. Expand the Personal node in the navigation pane.
Enrollment 3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click here
to configure settings link.
8. Under Subject name, select Common name from the Type list. Type the FQDN
of the computer hosting the Active Directory Federation Services role
(app1.corp.olympia.local) and then click Add. Under Alternative name, select
DNS from the Type list. Type the FQDN of the name you will use for your
federation services (fs.corp.olympia.local). The name you use here MUST match
the name you use when configuring the Active Directory Federation Services
server role. Click Add. Click Apply and OK when finished.
9. Click Enroll. Click Finish.
10. A server authentication certificate should appear in the computer’s Personal
certificate store.

Deploy the Active 11. Start Server Manager. Click Local Server in the navigation pane.
Directory 12. Click Manage and then click Add Roles and Features.
Federation Service 13. Click Next on the Before you begin page.
Role 14. On the Select installation type page, select Role-based or feature-based
installation and click Next.
15. On the Select destination server page, choose Select a server from the server
pool. Select the federation server from the Server Pool list. Click Next.
16. On the Select server roles page, select Active Directory Federation Services.
Click Next.
17. Click Next on the Select features page.
18. Click Next on the Active Directory Federation Services (AD FS) page.
19. Click Install to start the role installation.
20. Click Close.

Complete these
steps on the DC1
virtual machine.

Create KDS Root 21. Start an elevated Windows PowerShell console. Accept the UAC prompt if
Key required.
22. Type and execute Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).

Complete these
steps on the
APP1 virtual
machine.

Configure the 23. Start Server Manager.

Active Directory 24. Click the notification flag in the upper right corner. Click Configure the
Federation Service federation service on this server.
Role 25. On the Welcome page, click Create the first federation server in a federation
server farm and click Next.
26. Click Next on the Connect to Active Directory Domain Services page.
27. On the Specify Service Properties page, select the recently enrolled or imported
certificate from the SSL Certificate (app1.corp.olympia.local) and Federation
Service Name (fs.corp.olympia.local) list.
28. Type the Federation Service Display Name (Hello) in the text box. This is the
name users see when signing in. Click Next.
29. On the Specify Service Account page, select Create a Group Managed Service
Account. In the Account Name box, type adfssvc. Click Next.
30. On the Specify Configuration Database page, select Create a database on this
server using Windows Internal Database and click Next.
31. On the Review Options page, click Next.
32. On the Pre-requisite Checks page, click Configure.
33. When the process completes, click Close.

Complete these
steps on the DC1
virtual machine.

Add the AD FS 34. Open Active Directory Users and Computers.

Service Account 35. Click the Users container in the navigation pane.
to the 36. Right-click KeyCredential Admins in the details pane and click Properties.
KeyCredential 37. Click the Members tab and click Add…
Admin Group and 38. In the Enter the object names to select text box, type adfssvc. Click Check Names
the WHfB Users | OK.
Group 39. Click Apply and OK to return to Active Directory Users and Computers.
40. Right-click Windows Hello for Business Users group and click Properties.
41. Click the Members tab and click Add…
42. In the Enter the object names to select text box, type adfssvc. Click Check Names
| OK.
43. Click Apply and OK to return to Active Directory Users and Computers.
44. Change to server hosting the AD FS Role (APP1) and restart it.

Configure 45. Open Active Directory Users and Computers.

Permissions for 46. Right-click your domain name from the navigation pane and click Properties.
Key Registration 47. Click Security (NOTE: If the Security tab is missing, turn on Advanced Features
from the View menu).
48. Click Advanced. Click Add. Click Select a principal.
49. The Select User, Computer, Service Account, or Group dialog box appears. In the
Enter the object name to select text box, type KeyCredential Admins. Click
Check Names | OK.
50. In the Applies to list box, select Descendant User objects.
 51. Using the scroll bar, scroll to the bottom of the page and click Clear all.
52. In the Properties section, select Read msDS-KeyCredentialLink and Write
msDS-KeyCredentialLink.
53. Then Click OK three times to complete the task.

Complete these steps on the APP1 virtual machine.

Configure the 54. Open the AD FS Management console. Accept the UAC prompt.
Device 55. In the navigation pane, expand Service. Click Device Registration.
Registration 56. In the details pane, click Configure device registration.
Service 57. In the Configure Device Registration dialog, click OK.

Complete these steps on the DC1 virtual machine.

Configure 58. Open the Certification Authority management console.

Registration 59. Right-click Certificate Templates and click Manage.
Authority 60. In the Certificate Templates Console, right click on the Exchange Enrollment
Template Agent (Offline request) template details pane and click Duplicate Template.
61. On the Compatibility tab, clear the Show resulting changes check box. Select
Windows Server 2012 or Windows Server 2012 R2 from the Certification
Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 /
Windows Server 2012 R2 from the Certification recipient list.
62. On the General tab, type WHFB Enrollment Agent in Template display name.
Adjust the validity and renewal period to meet your enterprise’s needs.
63. On the Subject Name tab, select the Supply in the request button if it is not
already selected.
Note: The preceding step is very important. Group Managed Service Accounts
(GMSA) do not support the Build from this Active Directory information option
and will result in the AD FS server failing to enroll the enrollment agent certificate.
You must configure the certificate template with Supply in the request to ensure
that AD FS servers can perform the automatic enrollment and renewal of the
enrollment agent certificate.
64. On the Cryptography tab, select Key Storage Provider from the Provider
Category list. Select RSA from the Algorithm name list. Type 2048 in the
Minimum key size text box. Select SHA256 from the Request hash list.
65. On the Security tab, click Add…
66. Click Object Types… Select the Service Accounts check box and click OK.
67. Type adfssvc in the Enter the object names to select text box and click Check
Names | OK.
68. Click the adfssvc from the Group or user names list. In the Permissions for adfssvc
section, select the Allow check box for the Enroll permission. Excluding the
adfssvc user, clear the Allow check box for the Enroll and Autoenroll
permissions for all other items in the Group or user names list if the check
boxes are not already cleared. Click Apply and OK.
69. Close the console.

Configure the 70. Right-click Certificate Templates and click Manage.

WHfB 71. Right-click the Smartcard Logon template and choose Duplicate Template.
Authentication 72. On the Compatibility tab, clear the Show resulting changes check box. Select
Certificate Windows Server 2012 or Windows Server 2012 R2 from the Certification
Template Authority list. Select Windows 8 / Windows Server 2012 or Windows 8.1 /
Windows Server 2012 R2 from the Certification recipient list.
73. On the General tab, type WHFB Authentication in Template display name.
Adjust the validity and renewal period to meet your enterprise’s needs.
Note: If you use different template names, you’ll need to remember and substitute
 these names in different portions of the deployment.
74. On the Cryptography tab, select Key Storage Provider from the Provider
Category list. Select RSA from the Algorithm name list. Type 2048 in the
Minimum key size text box. Select SHA256 from the Request hash list.
75. On the Extensions tab, verify the Application Policies extension includes Smart
Card Logon.
76. On the Issuance Requirements tab, select the ‘This number of authorized
signatures’ check box. Type ‘1’ in the text box. Select Application policy from
the Policy type required in signature. Select Certificate Request Agent from the
Application policy list. Select the Valid existing certificate option.
77. On the Subject Name tab, select the Build from this Active Directory
information button if it is not already selected. Select Fully distinguished name
from the Subject name format list if Fully distinguished name is not already
selected. Select the User principal name (UPN) check box under Include this
information in alternate subject name.
78. On the Request Handling tab, select the Renew with the same key check box.
79. On the Security tab, click Add… Type Windows Hello for Business Users in the
Enter the object names to select text box and click Check Names | OK.
80. Click the Windows Hello for Business Users from the Group or user names list.
In the Permissions for Windows Hello for Business Users section, select the Allow
check box for the Enroll permission. Excluding the Windows Hello for Business
Users group, clear the Allow check box for the Enroll and Autoenroll
permissions for all other entries in the Group or user names section if the
check boxes are not already cleared. Click Apply and OK.
81. Close the console.

Complete these steps on the APP1 virtual machine.

Mark the 82. Open an elevated command prompt. Accept the UAC prompt.
Template as the 83. Run
Windows Hello certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag
Sign-In Template +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

Complete these steps on the DC1 virtual machine.

Publish 84. Open the Certification Authority management console.

Enrollment Agent 85. Expand the parent node from the navigation pane.
and WHfB 86. Click Certificate Templates in the navigation pane.
Authentication 87. Right-click the Certificate Templates node. Click New, and click Certificate
Templates to the Template to issue.
Certification 88. In the Enable Certificate Templates window, select the WHFB Enrollment Agent
Authority template you created in the previous steps. Click OK to publish the selected
certificate templates to the certification authority.
89. Publish the WHFB Authentication certificate template using Step 88.
90. Close the console.

Complete these
steps on the
APP1 virtual
machine.

Configure the 91. Open an elevated Windows PowerShell prompt. Accept the UAC prompt.
Registration 92. Type and execute the following command Set-AdfsCertificateAuthority
Authority -EnrollmentAgent -EnrollmentAgentCertificateTemplate
 WHFBEnrollmentAgent -WindowsHelloCertificateTemplate
WHFBAuthentication

Complete these
steps on the DC1
virtual machine.

Configure DNS 93. Open the DNS management console.

for Device 94. In the navigation pane, expand the domain controller name node and Forward
Registration Lookup Zones.
95. In the navigation pane, select the node that has the name of your internal Active
Directory domain name.
96. In the navigation pane, right-click the domain name node and click New Host (A
or AAAA)…
97. In the Name box, type the name of the federation service (fs). In the IP address
box, type the IP address of your federation server (10.0.0.9). Click Add Host.
Click OK | Done.
98. Close the DNS Management console.

Create an Intranet 99. Start the Group Policy Management Console (gpmc.msc).
Zone Group 100.Expand the domain and select the Group Policy Objects node in the navigation
Policy pane.
101.Right-click Group Policy Objects and select New.
102.Type Intranet Zone Settings in the name box and click OK.
103.In the content pane, right-click the Intranet Zone Settings Group Policy object
and click Edit.
104.In the navigation pane, expand Policies under Computer Configuration.
105.Expand Administrative Templates > Windows Components > Internet Explorer >
Internet Control Panel, and select Security Page.
106.In the content pane, double-click Site to Zone Assignment List. Click Enabled.
107.Click Show… In the Value name column, type the url of the federation service
beginning with https (https://fs.corp.olympia.local). In the Value column, type
the number 1. Click OK.
108.Click Apply | OK.
109.Then close the Group Policy Management Editor.

Deploy the 110.In the navigation pane, expand the domain and right-click the node that has your
Intranet Zone Active Directory domain name and click Link an Existing GPO…
Group Policy 111.In the Select GPO dialog box, select Intranet Zone Settings or the name of the
Windows Hello for Business Group Policy object you previously created and click
OK.

1.5.2.4 Validate and Deploy Multifactor Authentication Services (MFA)

Task Detailed Steps

Complete these
steps on the
APP1 virtual
machine.
Download the 1. Sign in to the Azure portal as an administrator.
MFA Server 2. On the left, select Azure Active Directory.
 3. Select Users.
4. Select All users.
5. Select More | Multi-Factor Authentication.
6. Under multi-factor authentication section, select service settings.
7. On the service settings page, at the bottom of the screen click Go to the portal and
a new page will open.
8. Click Download and another new page will open.
9. Click the Download link and save the installer.
10. Keep all these pages open as we will refer to it after running the installer.

Install and 11. Double-click the executable and click Install to install the prerequisites. Follow the
Configure the prompts until those are installed.
MFA Server 12. Select I Agree and click Next.
13. On the Select Installation Folder screen, make sure that the folder is correct and
click Next. Accept the UAC prompt.
14. Once the installation is complete, click Finish.
15. Start the Multi-Factor Authentication Server and accept the UAC prompt.
16. Back on the page that you downloaded the server from, click the Generate link.
Copy this information into the Azure MFA Server in the boxes provided and click
Activate. Cancel any prompts.

1.5.2.5 Configure and Deploy Multifactor Authentication Services

Standalone MFA Server:

The Azure MFA server uses a primary and secondary replication model for its configuration
database. The primary Azure MFA server hosts the writeable partition of the configuration
database. All secondary Azure MFA servers hosts read-only partitions of the configuration
database. All production environment should deploy a minimum of two MFA Servers.

For this lab, the primary MFA uses the name mf*a* or mfa.corp.olympia.local. All secondary
servers use the name mfa*n* or mfan.corp.olympia.local, where n is the number of the
deployed MFA server.

The primary MFA server is also responsible for synchronizing from Active Directory, therefore, it
should be domain joined and fully patched.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.
Enroll for Server 1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC
Authentication prompt.
2. Expand the Personal node in the navigation pane.
3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click
here to configure settings link.
8. Under Subject name, select Common Name from the Type list. Type the FQDN
 of the primary MFA server and then click Add (app1.corp.olympia.local). Click
Apply and OK when finished.
9. Click Enroll.
10. Click Finish.

Install the Web 11. Install the following services if they are already not installed:
Server Role  Common HTTP Features > Default Document.
 Common HTTP Features > Directory Browsing.
 Common HTTP Features > HTTP Errors.
 Common HTTP Features > Static Content.
 Health and Diagnostics > HTTP Logging.
 Performance > Static Content Compression.
 Security > Request Filtering.
 Security > Basic Authentication.
 Management Tools > IIS Management Console.
 Management Tools > IIS 6 Management Compatibility.
 Application Development > ASP & ASP.NET <AllVersions>.

Update the Server 12. Update the server using Windows Update until the server has no required or
optional updates as the Azure MFA Server software may require one or more of
these updates for the installation and software to correctly work. These procedures
install additional components that may need to be updated.

Configure the IIS 13. Start the Internet Information Services (IIS) Manager console.
Server’s Certificate 14. In the navigation pane, expand the node with the same name as the local
computer. Expand Sites and select Default Web Site.
15. In the Actions pane, click Bindings…
16. In the Site Bindings dialog, Click Add…
17. In the Add Site Binding dialog, select https from the Type list. In the SSL
certificate list, select the certificate (app1.corp.olympia.local) with the name that
matches the FQDN of the computer.
18. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create Phonefactor 19. Open Active Directory Users and Computers.

Admin Group 20. In the navigation pane, expand the node with the organization’s Active Directory
domain name. Right-click the Users container, select New, and select Group.
21. In the New Object – Group dialog box, type Phonefactor Admins in Group
name.
22. Click OK.

Add Accounts to 23. In the navigation pane, expand the node with the organization’s Active Directory
the Phonefactor domain name. Select Users. In the content pane, right-click the Phonefactor
Admins Group Admins security group and select Properties.
24. Click the Members tab.
25. Click Add… Click Object Types… In the Object Types dialog box, select
Computers and click OK. Enter the following user and/or computer accounts in
the Enter the object names to select box and then click Check Names | OK |
Apply | OK.
 The computer account for the primary MFA Server (APP1).
 Group or User account that will manage the User Portal Server (Domain
Admins).
User Portal Server:

The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-
Factor Authentication and maintain their accounts. A user may change their phone number,
change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log
in to the User Portal using their normal username and password and will either complete a
Multi-Factor Authentication call or answer security questions to complete their authentication. If
user enrollment is allowed, a user will configure their phone number and PIN the first time they
log in to the User Portal. User Portal Administrators may be set up and granted permission to
add new users and update existing users.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.
Enroll for Server 1. Start the Local Computer Certificate Manager (certlm.msc). Accept the UAC
Authentication prompt.
2. Expand the Personal node in the navigation pane.
3. Right-click Personal. Select All Tasks and Request New Certificate…
4. Click Next on the Before You Begin page.
5. Click Next on the Select Certificate Enrollment Policy page.
6. On the Request Certificates page, select the Internal Web Server check box.
7. Click the More information is required to enroll for this certificate. Click here
to configure settings link.
8. Under Subject name, select Common name from the Type list. Type the FQDN
of the primary MFA server and then click Add (app1.corp.olympia.local).
9. Under Alternative name, select DNS from the Type list. Type the FQDN of the
name you will use for your User Portal service and then click Add
(mfaweb.corp.olympia.local).
10. Click Apply and OK when finished.
11. Click Enroll.
12. Click Finish.

Configure the IIS 13. Start the Internet Information Services (IIS) Manager console.
Server’s 14. In the navigation pane, expand the node with the same name as the local computer.
Certificate Expand Sites and select Default Web Site.
15. In the Actions pane, click Bindings…
16. In the Site Bindings dialog, Click Add…
17. In the Add Site Binding dialog, select https from the Type list, select a different
Port than 443, example 444. In the SSL certificate list, select the certificate
(app1.corp.olympia.local) with the name that matches the FQDN of the computer.
18. Click OK. Click Close. From the Actions pane, click Restart.

Complete these steps on the DC1 virtual machine.

Create 19. Open Active Directory Users and Computers.

WebServices SDK 20. In the navigation pane, expand the node with the organization’s Active Directory
User Account domain name. Right-click the Users container, select New, and select User.
21. In the New Object – User dialog box, type PFWSDK_ in the First name and User
logon name boxes, which is the name of the primary MFA server running the Web
Services SDK. Click Next.
22. Type a strong password and confirm it in the respective boxes. Clear User must
 change password at next logon. Click Next. Click Finish to create the user
account.

Add the MFA 23. In the navigation pane, expand the node with the organization’s Active Directory
SDK User domain name. Select Users. In the content pane, right-click the Phonefactor
Account to the Admins security group and select Properties.
Phonefactor 24. Click the Members tab.
Admins Group 25. Click Add… Type the PFWSDK_ user name in the Enter the object names to
select box and then click Check Names | OK | Apply | OK. Now it should show
the following:
The computer account for the primary MFA Server (APP1).
The Webservices SDK user account (PFWSDK_).
Group or User account that will manage the User Portal Server (Domain Admins).

1.5.2.6 Installing Standalone Azure MFA Server

When you install Azure Multi-Factor Authentication Server, you have the following options:

1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS (this
option will be used for this LAB).
2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and
then install Multi-Factor Authentication Server on a different computer (preferred
deployment for production environments).
3.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.
Secure Windows 1. In the Azure Multi-Factor Authentication Server management console, click the
Server AD FS AD FS icon. Select the options Allow user enrollment and Allow users to select
with Azure Multi- method.
Factor 2. Click Install AD FS Adapter…
Authentication 3. If the Active Directory window is displayed, that means two things. Your computer
Server is joined to a domain, and the Active Directory configuration for securing
communication between the AD FS adapter and the Multi-Factor Authentication
service is incomplete. Click Next to automatically complete this configuration, or
select the Skip automatic Active Directory configuration and configure settings
manually check box to proceed.
4. If the Local Group windows is displayed, that means two things. Your computer is
not joined to a domain, and the local group configuration for securing
communication between the AD FS adapter and the Multi-Factor Authentication
service is incomplete. Click Next to automatically complete this configuration, or
select the Skip automatic Local Group configuration and configure settings
manually check box.
5. In the installation wizard, click Next. Azure Multi-Factor Authentication Server
creates the PhoneFactor Admins group and adds the AD FS service account to the
PhoneFactor Admins group.
6. On the Launch Installer page, click Next.
7. In the Multi-Factor Authentication AD FS Adapter installer, click Next.
8. Click Close when the installation is finished.
9. When the adapter has been installed, you must register it with AD FS. Open an
 elevated Windows PowerShell, accept the UAC prompt and run the following
command:
C:\Program Files\Multi-Factor Authentication Server\Register-
MultiFactorAuthenticationAdfsAdapter.ps1
10. To use your newly registered adapter, edit the authentication method in AD FS. In
the AD FS management console, go to the Authentication Methods node under
Service. In the Multi-factor Authentication Methods section, click the Edit link.
In the Edit Authentication Methods window, select Azure Multi-Factor
Authentication Server as an additional authentication method, and then click
Apply | OK. The adapter is registered as Azure Multi-Factor Authentication
Server. Restart the AD FS service for the registration to take effect.
11. At this point, Multi-Factor Authentication Server is set up to be an additional
authentication provider to use with AD FS.

Configure 12. Start the Multi-Factor Authentication Server application. Accept the UAC
Company Settings prompt.
13. Click Company Settings.
14. On the General Tab, select Fail Authentication from the When Internet is not
accessible list.
15. In User defaults, select Phone call or Text message.
16. Select Enable Global Services if you want to allow Multi-Factor Authentications
to be made to telephone numbers in rate zones that have an associated charge.
17. Clear the User can change phone check box to prevent users from changing their
phone during the Multi-Factor Authentication call or in the User Portal. A
consistent configuration is for users to change their phone numbers in Active
Directory and let those changes synchronize to the multi-factor server using the
Synchronization features in Directory Integration.
18. Select Fail Authentication from the When user is disabled list. Users should
provision their account through the user portal.
19. Select the appropriate language from the Phone call language, Text message
language, Mobile app language, and OATH token language lists.
20. Under Default PIN rules, select the User can change PIN checkbox to enable
users to change their PIN during multi-factor authentication and through the user
portal.
21. Configure the Minimum length for the PIN.
22. Select the Prevent weak PINs check box to reject weak PINs. A weak PIN is any
PIN that could be easily guessed by a hacker are not allowed:
 3 sequential digits.
 3 repeating digits.
 Or any 4 digit subset of user phone number.
If you clear this box, then there are no restrictions on PIN format. For
example: User tries to reset PIN to 1235 and is rejected because it's a weak
PIN. User will be prompted to enter a valid PIN.
23. Select the Expiration days check box if you want to expire PINs. If enabled,
provide a numeric value representing the number of days the PIN is valid.
24. Select the PIN history check box if you want to remember previously used PINs
for the user. PIN history stores old PINs for each user. Users are not allowed to
reset their PIN to any value stored in their PIN History. When cleared, no PIN
history is stored. The default value is 5 and range is 1 to 10.

Configure 25. From the Multi-Factor Authentication Server window, click the Directory
Directory Integration icon.
Integration 26. Click the Settings tab.
Settings and 27. Select Use Active Directory.
Synchronization 28. Select Include trusted domains to have the Multi-Factor Authentication Server
attempt to connect to domains trusted by the current domain, another domain in the
forest, or domains involved in a forest trust. When not importing or synchronizing
users from any of the trusted domains, clear the checkbox to improve performance.

Add Test User to 29. Open Active Directory Users and Computers.
WHfB Group 30. Click the CORP | USERS OU in the navigation pane.
31. Right-click TestUser1 and click Properties.
Complete these
32. Click the Telephones tab and enter a Mobile number including the country code.
steps on the DC1
33. Click the Member Of tab and click Add…
virtual machine.
34. In the Enter the object names to select text box, type Windows Hello for Business
Users. Click Check Names | OK.
35. Click Apply | OK to return to Active Directory Users and Computers.

Add a 36. Click the Synchronization tab.

Synchronization 37. On the Synchronization tab, click Add…
Item 38. In the Add Synchronization Item dialog, select Security Groups from the View
list.
Complete these
39. Select the group you are using for replication from the list of groups (Windows
steps on the
Hello for Business Users).
APP1 virtual
40. Select Selected Security Group – Recursive or, select Security Group from the
machine.
Import list if you do not plan to nest groups.
41. Select Add new users and Update existing users.
42. Select the attributes appropriate for your environment for Import phone and
Backup.
43. Select Enabled and select Only New Users with Phone Number from the list.
44. Click Add | OK | Close.
45. Ensure that the following checkboxes are selected – Enable synchronization with
Active Directory, Synchronization interval: minute and Require administrator
approval when disabled or removed users exceed threshold 5.
46. Click Synchronize Now. Click OK.

Install the Web 47. From the Multi-Factor Authentication Server window, click the Web Service SDK
Service SDK icon and click Install Web Service SDK…
48. Select the Site as Default Web Site, Virtual directory as
MultiFactorAuthWebServiceSdk and Application Pool as DefaultAppPool.
Click Next.
49. Once installed, click Close.

Edit the MFA AD 50. Copy the below 4 Files from C:\Program Files\Multi-Factor Authentication
FS Adapter Server to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk.
Config File MultiFactorAuthenticationAdfsAdapterSetup64.msi
Register-MultiFactorAuthenticationAdfsAdapter.ps1
Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
MultiFactorAuthenticationAdfsAdapter.config
51. Browse to C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk (or
appropriate directory based on the virtual directory name) and edit the
MultiFactorAuthenticationAdfsAdapter.config file.
52. Locate the UseWebServiceSdk key and change the value from false to true.
53. Locate the WebServiceSdkUsername key and set the value to the username of the
Web Service SDK account in the PhoneFactor Admins security group. Use a
qualified username, like domain\username or machine\username
(CORP\PFWSDK_).
54. Locate the WebServiceSdkPassword key and set the value to the password of the
 Web Service SDK account in the PhoneFactor Admins security group.
(P@ssw0rd).
55. Locate the WebServiceSdkUrl key and set the value to the URL of the Web
Service SDK that is running on the Azure Multi-Factor Authentication Server
(https://app1.corp.olympia.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx).
Since SSL is used for this connection, refer to the Web Service SDK by server
name, not IP address, since the SSL certificate was issued for the server name. If
the server name does not resolve to an IP address from the Internet-facing server,
add an entry to the hosts file on that server to map the name of the Azure Multi-
Factor Authentication Server to its IP address. Save the
MultiFactorAuthenticationAdfsAdapter.config file after changes have been
made.

Edit the ADFS 56. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding

Adapter Windows -ConfigurationFilePath <path> to the end of the Register-
PowerShell
AdfsAuthenticationProvider command which is the full path to the
Cmdlet
MultiFactorAuthenticationAdfsAdapter.config file -
C:\inetpub\wwwroot\MultiFactorAuthWebServiceSdk\MultiFactorAuthentica
tionAdfsAdapter.config.

Run the ADFS Note: At this stage, do not run the Register-
Adapter Windows MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell to register the
PowerShell adapter because the adapter is already registered as
Cmdlet WindowsAzureMultiFactorAuthentication.
57. Restart the ADFS service for the changes to take effect.

Test AD FS with 58. In the Multi-Factor Authentication server, on the left, click Users.
the Multifactor 59. In the list of users, select a user (TestUser1) that is enabled and has a valid phone
Authentication number to which you have access.
Connector 60. Click Test…
61. In the Test User dialog, provide the user’s password to authenticate the user to
Active Directory and click Test.
62. Enter the one-time passcode once received on the phone and click OK.
63. Click OK on the Authentication successful message and click Close.

The Multi-Factor Authentication server communicates with the Azure MFA cloud service to
perform a second factor authentication for the user. The Azure MFA cloud service contacts the
phone number provided and asks for the user to perform the second factor authentication
configured for the user. Successfully providing the second factor should result in the Multi-
factor authentication server showing a success dialog.

1.5.2.7 Configure Windows Hello for Business Policy Settings

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Create the WHfB 1. Start the Group Policy Management Console (gpmc.msc).
GPO 2. Expand the domain and select the Group Policy Objects node in the navigation
pane.
3. Right-click Group Policy Objects and select New.
 4. Type Enable Windows Hello for Business in the Name box and click OK.
5. In the content pane, right-click the Enable Windows Hello for Business Group
Policy object and click Edit.
6. In the navigation pane, expand Policies under User Configuration.
7. Expand Administrative Templates > Windows Components, and select Windows
Hello for Business.
8. In the content pane, double-click Use Windows Hello for Business. Click
Enabled and click Apply | OK.
9. Double-click Use certificate for on-premises authentication. Click Enabled and
click Apply | OK.

Configure 10. In the navigation pane, expand Policies under User Configuration.
Automatic 11. Expand Windows Settings > Security Settings, and click Public Key Policies.
Certificate 12. In the details pane, double-click Certificate Services Client – Auto-Enrollment.
Enrollment 13. Select Enabled from the Configuration Model list.
14. Select the Renew expired certificates, update pending certificates, and remove
revoked certificates check box.
15. Select the Update certificates that use certificate templates check box.
16. Click Apply | OK. Close the Group Policy Management Editor.

Configure 17. Double-click the Enable Windows Hello for Business Group Policy object.
Security in the 18. In the Security Filtering section of the content pane, click Add… Type Windows
WHfB GPO Hello for Business Users or the name of the security group you previously created
and click Check Names | OK.
19. Click the Delegation tab. Select Authenticated Users and click Advanced…
20. In the Group or user names list, select Authenticated Users. In the Permissions for
Authenticated Users list, clear the Allow check box for the Apply group policy
permission. Click Apply | OK.

Deploy the WHfB 21. In the navigation pane, expand the domain and right-click the node that has your
GPO Active Directory domain name and click Link an Existing GPO…
22. In the Select GPO dialog box, select Enable Windows Hello for Business or the
name of the Windows Hello for Business Group Policy object you previously
created and click OK.

Just to reassure, linking the Windows Hello for Business Group Policy object to the domain
ensures the Group Policy object is in scope for all domain users. However, not all users will have
the policy settings applied to them. Only users who are members of the Windows Hello for
Business group receive the policy settings. All other users ignore the Group Policy object.

1.5.2.8 Validate Windows Hello

Task Detailed Steps

Complete these
steps on the
CLIENT1 virtual
machine.

Validate Policies 1. Restart the machine. Even restart DC1 and APP1 and wait for some time.
2. Log in as TestUser1.
1.6 Credential Guard
In this lab, you will activate Credential Guard.

Credential Guard provides an additional layer for protecting secrets, specifically domain user
credentials by storing them in a container, secured by the Virtual Secure Mode (VSM), based on
Virtualization Based Security (VBS).

These types of containers are separated both from the kernel and the user mode, therefore
increasing the difficulty for an attacker, even after compromising the system to steal the
credentials directly from Local Security Authority Subsystem (LSASS), for example.

Before working on this lab, you must have:

 A Physical Computer with a Trusted Platform Module (TPM) chip (2.0 recommended), a
CPU with VT-x and VT-d capabilities.
 Windows 10 Enterprise running on the Host.
 Local Administrator Account.
 It is recommended that you use a Host for testing purposes. Please do not use your
personal machines. Also, the Host must not be domain joined into your company
domain, so that there is no compliance or configuration/support issues.

Note: The machine (Virtual or Physical) should have Hyper-V, TPM and Secure Boot Enabled.

1.6.1 Check Credential Guard Requirements

In this exercise, you will:

 Check if the requirements for Credential Guard are fulfilled.

 Manually activate Credential Guard and its dependencies.

Task Detailed Steps

Complete these steps on the CLIENT3 virtual machine or a physical machine.
System 1. Open MSINFO32.EXE (elevated) and check if:
Verification  BIOS Mode = UEFI
 Secure Boot State = On
Note: Only TPM, Secure Boot and Hyper-V Roles are enabled and checked.
2. If any of the above values are not enabled, then boot into your BIOS/UEFI and
activate them.
3. Note that if UEFI is in CSM (compatibility) mode, changing it to UEFI Native
will require the partition layout to be GPT instead of MBR (requires formatting
the hard drive).
TPM Verification 4. Open TPM.MSC and make sure that the TPM is turned on.
5. If TPM is turned off/not visible, make sure that it exists physically and it is
 enabled in BIOS/UEFI.
6. If the TPM is turned on but not initialized:
a. Create the TPM owner password using Automatically create the
password option.
b. In the Save your TPM owner password, click Save the password and
select a location to save the password, and then click Save (file is saved
as computer_name.tpm).
c. Click Initialize.
d. After this, the TPM should be ready for use.
Note: The recommended version of TPM is 2.0. Windows might refuse to activate
Credential Guard if the computer contains an older TPM version/revision.
Enable Required 7. Go to Control Panel > Programs > Turn Windows features on or off.
Features 8. Check Hyper-V.
9. Click OK.
10. Restart the computer.
Note: Hyper-V supplies the virtualization core.

1.6.2 Modern Management

Follow the following sections for managing Credential Guard through modern management
tools.

1.6.2.1 Configure Credential Guard using Intune

In this section you will configure Credential Guard using Intune.

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and
Intune Portal.
Create 1. Close all browser windows.
Groups for 2. Start Internet Explorer InPrivate mode.
use with 3. Navigate to https://portal.azure.com and Sign in with
Credential labadmin@<AzureDomainName>.onmicrosoft.com.
Guard Lab 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values:
GROUP TYPE: Security
GROUP NAME: CredGuardDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Select | Create.
Creating 8. Close all browser windows.
an Intune 9. Start Internet Explorer InPrivate mode.
Credential 10. Navigate to https://portal.azure.com and Sign in with
Guard labadmin@<AzureDomainName>.onmicrosoft.com.
Policy 11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
 14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create profile”.
17. Fill out the form:
Name: Cred Guard Demo
Description: Cred Guard Demo
Platform: Windows 10 and later
Profile type: Endpoint Protection
Settings: Windows Defender Credential Guard>Enable with EUFI lock
18. Select OK | OK.
19. Select Create.
20. Select Assignments.
21. Select “Select groups to include”.
22. Check and select “CredGuardDemo”.
23. Click on Save.
Complete these steps on the physical machine above.
Verify the 24. Login to a machine as:
Policy has TU2@<AzureDomainName>.onmicrosoft.com
been 29. Select Start.
Applied 30. Select Settings.
and 31. Select Accounts.
Working 32. Select Access work or school.
33. Select Connected to <CompanyName> Azure AD.
34. Click Info.
35. Click Sync to force a policy update and confirm that the sync was successful.
36. Close Settings.
37. Reboot the machine.
38. Log back in using the same credentials.
39. Click Start.
40. Type and click “System Information”.
41. Verify that “Virtualization-based security is running”.
Note: After the first boot it should be “Enabled but not running”
42. Reboot the machine again.
43. Click Start.
44. Type and click “System Information” elevated.
45. Verify that “Virtualization-based Security is running”.
Note: It can take up to 3 reboots to see that it is running.

1.6.3 Traditional Management

Follow the following sections for managing Credential Guard through traditional management
tools.

1.6.3.1 Configure VBS and Credential Guard

Now that the required features and components are in place, activate the Virtualization Based
Security and Credential Guard.

Task Detailed Steps

Complete these steps on physical machine above.
 System 1. Open gpedit.msc and accept the UAC prompt if required.
Configuration 2. Go to Computer Configuration > Administrative Templates > System >
Device Guard.
3. Edit the Turn On Virtualization Based Security policy by selecting Enabled.
4. Select Secure Boot in the Select Platform Security Level.
5. Select Enabled with UEFI lock in the Credential Guard Configuration.
6. Click Apply and OK.
7. Restart the computer and check “System Information” elevated and verify that
“Virtualization-based Security is running”.

1.6.3.2 Troubleshoot Credential Guard

After enabling all of the above features and settings, make sure that no errors were logged and
all the components are properly configured.

Task Detailed Steps

Complete these steps on physical machine above..
Logging 1. Device Guard policies are logged in Event Viewer at Applications and Services Logs >
Microsoft > Windows > DeviceGuard > Operational.
2. An event ID 7000 should be logged, which contains the selected settings within the
policy (when successfully applied).
MSInfo32 3. Open MSINFO32.EXE (elevated) and confirm that the options are defined as in the
following screenshot.

Registry 4. Browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
5. Verify if EnableVirtualizationBasedSecurity is set to 1.
6. Verify if RequirePlatformSecurityFeatures is set to 1 (Secure Boot).
7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
8. Verify if the LsaCfgFlags is set to 1.
Process 9. Open Task Manager.
10. Verify the presence of Lsalso.exe.

1.7 Device Encryption (MBAM)

In this section we will walk you through setting up BitLocker using modern management.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system
and addresses the threats of data theft or exposure from lost, stolen, or inappropriately
decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM)
version 1.2 or later. The TPM is a hardware component installed in many newer computers by
the computer manufacturers. It works with BitLocker to help protect user data and to ensure
that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt
the Windows operating system drive. However, this implementation will require the user to
insert a USB startup key to start the computer or resume from hibernation. Starting with
Windows 8, you can use an operating system volume password to protect the operating system
volume on a computer without TPM. Both options do not provide the pre-startup system
integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the
user supplies a personal identification number (PIN) or inserts a removable device, such as a USB
flash drive, that contains a startup key. These additional security measures provide multifactor
authentication and assurance that the computer will not start or resume from hibernation until
the correct PIN or startup key is presented.

Note: The machine (Virtual or Physical) should have Hyper-V, TPM and Secure Boot Enabled.

1.7.1 Modern Management

Follow the following sections for managing BitLocker through modern management tools.

1.7.1.1 Setup BitLocker with Intune

The below section will walk you through setting up BitLocker with Intune.

Task Detailed Steps

Complete these steps from an Internet-connected Windows computer.
Create Groups 1. Close all browser windows.
2. Start Internet Explorer InPrivate mode.
3. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: BitLockerDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Configure 8. On the left navigation bar, click All Services.
Windows Bitlocker 9. Enter “Intune” in search.
10. Click on Intune.
11. Under Manage select “Device configuration”.
12. Under Manage select “Profiles”.
13. Select “+ Create profile”.
 14. Name the new profile “Bitlocker Demo”.
15. For Platform select “Windows 10 and later”.
16. For Profile type select “Endpoint protection”.
17. Select “Windows Encryption” under Settings.
18. Fill out the form and click OK:
Encrypt devices: Require
Encrypt storage card: Not configured
Warning for other disk encryption: Not configured
Configure encryption method: Enable
Encryption for operating system drives: XTS-AES 128-bit
Encryption for fixed data-drives: XTS-AES 128-bit
Encryption for removable data-drives: AES-CBC 128-bit
Additional authentication at startup: Not configured
Note: The rest is not going to be configured.
19. Click OK and click Create.
20. Click Assignments and click Select groups to include.
21. Check BitLockerDemo and click Select.
22. Click Save.
Complete these steps on the physical machine above.
Verify the Policy 23. Login to a machine as:
has been Applied TU2@<AzureDomainName>.onmicrosoft.com
and Working 24. Select Start.
25. Select Settings.
26. Select Accounts.
27. Select Access work or school.
28. Select Connected to <CompanyName> Azure AD.
29. Click Info.
30. Click Sync to force a policy update and confirm that the sync was successful.
31. You will notice that a notification appears Encryption needed, asking you to start
encryption.

1.8 Device Guard – User Mode Code Integrity

1.8.1 Modern Management

Task Detailed Steps

Create 1. Close all browser windows.
Groups 2. Start Internet Explorer InPrivate mode.
for use 3. Navigate to https://portal.azure.com and Sign in with
with labadmin@<AzureDomainName>.onmicrosoft.com.
WDAC 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
Demo 5. Click + New group.
6. In the Group pane fill in the following values and click Select:
GROUP TYPE: Security
GROUP NAME: WDACDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Create.
Config 8. Close all browser windows.
uring 9. Start Internet Explorer InPrivate mode.
 WDAC 10. Navigate to https://portal.azure.com and Sign in with
with labadmin@<AzureDomainName>.onmicrosoft.com.
Intune 11. On the left navigation bar, click All services.
12. Enter “Intune” in search.
13. Click on Intune.
14. Click on “Device configuration”.
15. Click on “Profiles”.
16. Click on “+ Create profile”.
17. Fill in form:
Name: WDAC Demo
Description: WDAC Demo
Platform: Windows 10 and later
Profile type: Endpoint protection
18. Click on “Windows Defender Application Control”.
19. Fill in form:
Application control code integrity policies: Enforce
Trust apps with good reputation: Enable
20. Select OK.
21. Select OK.
22. Select Create.
23. Select Assignments.
24. Select “Select groups to include”.
25. Select “WDACDemo” and click Select.
26. Click on Save.
Verify 27. Login to the virtual machine as
Config TU2@<AzureDomainName>.onmicrosoft.com
uration 28. Select Start.
is 29. Select Settings.
Applie 30. Select Accounts.
d 31. Select Access work or school.
32. Select Connected to <CompanyName> Azure AD.
Compl
33. Click Info.
ete
34. Click Sync to force a policy update and confirm that the sync was successful.
these
35. Open up Edge.
steps
on the 36. Navigate to https://www.7-zip.org/download.html.
CLIE 37. Download and install the latest version of the application.
NT3 38. Once installed run the application.
virtual Note: The application should run because it has a good reputation.
machi To block remove the application and install an older version.
ne or a
physic
al
machi
ne.

1.8.2 Traditional Management

Device Guard is a combination of enterprise-related hardware and software security features
that, when configured together, will lock a device down so that it can only run trusted
applications that you define in your code integrity policies. If the app isn’t trusted it can’t run,
period. With hardware that meets basic requirements, it also means that even if an attacker
manages to get control of the Windows kernel, he or she will be much less likely to be able to
run malicious executable code. With appropriate hardware, Device Guard can use the new
virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs
and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel
itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-
protected container.

In this section, you will learn how to Configure and Deploy Code Integrity Policies and Enable
Device Guard in an enterprise.

1.8.2.1 Prerequisites

Perform the following tasks before proceeding to the succeeding sections.

Task Detailed Steps

Complete these steps on the DC1 virtual machine.
Download VLC 1. Open Internet Explorer and browse to the URL below.
Media Player http://www.videolan.org/vlc/
2. Click Download VLC and save vlc-3.0.3-win64.exe to C:\Packages.
Download 3. Open Internet Explorer and browse to the URL below.
CamStudio http://camstudio.org/
4. Click Download and save camstudio.exe to C:\Packages.

1.8.2.2 Create CI Policy from a Golden System

In this activity, you will go through the steps in creating your first Code Integrity (CI) policy from
a “Golden” system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Open PowerShell 1. Logon as a Domain Administrator (corp\labadmin) and from the Start Menu, start
an elevated instance of PowerShell.
Create Shadow 2. From the PowerShell window, run the following commands:
Copy of System
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
Drive
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"
Generate a New 3. From the PowerShell window, run the following commands:
Policy from Scan
New-CIPolicy -level PcaCertificate -filepath C:\PoCPolicy.xml –scanpath
C:\scpy –u
Note: It may take around 20-30 minutes and during the process a base policy will
already be created and also if required, increase the memory of the virtual
machine for this process to run efficiently. Ignore any errors received after
 command execution completes.
Explore Policy 4. Save the file PoCPolicy.xml to a network location, example: \\DC1\C$.
Configuration 5. Open the file and review the content without making changes. Open the file
C:\PoCPolicy.xml with Notepad.
6. Close the file.

1.8.2.3 Configurable Code Integrity – Audit Mode

In this activity, you will create a CI policy and deploy it in audit mode.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Convert from XML 1. From the PowerShell window, run the following commands:
to Binary File ConvertFrom-CIPolicy C:\PoCPolicy.xml C:\PoCPolicy.bin
Install Complied 2. From the PowerShell window, run the following commands:
Policy
cp C:\PoCPolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b
3. Restart CLIENT1 and re-login with the same credentials.
Verify Audit Logs 4. Launch the installation package for VLC located at \\DC1\C$\Packages\vlc-
3.0.3-win64.exe and install the package. The installation will be successful at this
point.
5. Right-click on the Start button and click Run.
6. Enter eventvwr.msc and click OK.
7. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and
Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
8. Browse through the log files especially Event ID 3076.

1.8.2.4 Creating CI Policy from Audit Logs

In this activity, you will go through the steps in creating a Code Integrity (CI) policy from audit
log events.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Create a CI Policy 67. From the Start Menu, start an elevated instance of PowerShell.
from Audit Logs 68. From the PowerShell window, run the following commands:
New-CIPolicy -l PcaCertificate -f C:\AuditPoCPolicy.xml –a –u
Note: Ignore any errors received after command execution completes.
69. Open the file C:\AuditPoCPolicy.xml with Notepad.
70. Close the file.
Merge Golden 71. From the PowerShell window, run the following commands:
Policy with Policy
Merge-CIPolicy –OutputFilePath C:\MergedPoCPolicy.xml –PolicyPaths
from Audit Logs
C:\AuditPoCPolicy.xml,C:\PoCPolicy.xml
72. Open the file C:\MergedPoCPolicy.xml with Notepad.
73. Close the file.
1.8.2.5 Configurable Code Integrity – Enforce Mode

In this activity, you will deploy and enforce a CI policy to lock down the system.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Disable Audit 1. From the PowerShell window, run the following commands:
Mode
Set-RuleOption –option 3 -delete –FilePath C:\MergedPoCPolicy.xml
2. Open the file C:\MergedPoCPolicy.xml with Notepad.
3. Close the file.
Convert from XML 4. From the PowerShell window, run the following commands:
to Binary File ConvertFrom-CIPolicy C:\MergedPoCPolicy.xml C:\MergedPoCPolicy.bin
Install Compiled 5. From the PowerShell window, run the following command:
Policy
cp C:\MergedPoCPolicy.bin
c:\Windows\System32\CodeIntegrity\SIPolicy.p7b
6. Restart CLIENT1 and re-login with the same credentials.
Install or Launch 7. Launch the installation package for CamStudio located at
Your \\DC1\C$\Packages\camstudio.exe. The application should not launch at this
Application(s) stage and throw errors, which means it is blocked by code integrity.
Verify Audit Logs 8. Right-click on the Start button and click Run.
9. Enter eventvwr.msc and click OK.
10. In the Event Viewer MMC, browse to Event Viewer (Local) > Applications and
Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
11. Browse through the log files especially Event ID 3077.

1.8.2.6 Configure Group Policies

In this activity, you will learn how to configure and deploy group policies to enforce the
configuration.

Task Detailed Steps

Complete these steps on the DC1 and the CLIENT2 virtual machines.
Create Device 1. Create a folder in the C: drive by the name CodeIntegrity and in this folder, copy
Guard GPO the SIPolicy.p7b file created in the previous task from the CLIENT1 VM. The
path of this file in the CLIENT1 VM is C:\Windows\System32\CodeIntegrity.
2. Navigate to C:\CodeIntegrity, right-click CodeIntegrity folder and click
Properties.
3. Click the Sharing tab and click Advanced Sharing…
4. Check the box next to Share this folder and click Permissions.
5. Ensure Everyone is in the list and has been granted Full Control. Click Apply
and click OK two times.
6. Click the Security tab and ensure that Everyone is in the list and has been
granted Full Control.
7. Click the Advanced button and again ensure that Everyone is in the list and has
been granted Full Control. Close all the windows.
8. Now navigate to C:\CodeIntegrity\SIPolicy.p7b that has been copied and right-
 click on the file and click Properties.
9. Click the Security tab and ensure that Everyone is in the list and has been
granted Full Control.
10. Click the Advanced button and again ensure that Everyone is in the list and has
been granted Full Control. Close all the windows.
Note: At any point if you see that Everyone has not been granted Full Control permissions,
do the needful.
11. Back in the DC1 VM, in the Active Directory Users and Computers, create an OU
called Devices and move the CLIENT2 VM to the Devices OU from the default
Computers container.
12. Open the Group Policy Management Console.
13. Right-click on Group Policy Management > Forest: corp.olympia.local >
Domains > corp.olympia.local > Group Policy Objects and select New.
14. Under Name, enter Device Guard Policies and then click OK.
15. Right-click Devices OU, click Link an Existing GPO…
16. Select Device Guard Policies and click OK.
Deploy Code 17. Right-click Device Guard Policies and select Edit.
Integrity Policy 18. Browse to Computer Configuration\Policies\Administrative
and Enable VBS Templates\System\Device Guard.
for KCMI 19. Double click on Deploy Windows Defender Application Control.
20. Select Enabled.
21. Under Code Integrity Policy file path, enter \\DC1\CodeIntegrity\SIPolicy.p7b.
22. Click Apply and then OK.
Note: The below policy is just for informational purposes and cannot be demonstrated. It
will need a Physical Windows 10 Enterprise hypervisor enabled machine with Secure Boot
or Trusted Boot enabled and other dependencies like Virtualization Extensions and all
Virtualization capabilities turned on, including Input/Output Memory Management Unit
(IOMMU) support, compatible drivers and updated legacy drivers.
23. Double click on Turn On Virtualization Based Security.
24. Select Enabled.
25. Under Select Platform Security Level, select Secure Boot and DMA Protection.
26. Under Virtualization based Protection of Code Integrity, select Enabled with
UEFI lock.
27. Click Apply and then OK.
Attempt to Run 28. Now on the CLIENT2 VM, run a gpupdate /force.
New Applications 29. Restart CLIENT2 and re-login with the same credentials.
that have not 30. Verify that any new application installation or new executable is blocked by the
installed on the Code Integrity Policy, Example: CamStudio. The CamStudio package is located
System at \\DC1\C$\Packages\camstudio.exe.
Note: Before executing any labs after the Code Integrity Lab in which the CLIENT1
and CLIENT2 VMs are going to be used, ensure that they have been moved to the
default Computers container from the Devices OU. Then in both the VMs, delete the
SIPolicy.p7b file from c:\Windows\System32\CodeIntegrity. Run a gpupdate
/force and reboot both the VMs. This is to ensure that no activity is blocked by Code
Integrity.

5.1 Diagnostics Logs

Requirements –
  Windows Insider Build 18237+
 Azure subscription to create Storage account

5.1.1 Modern Management

Follow the following sections for enabling diagnostic logs CSP using modern management tools.

5.1.1.1 Configure diagnostic logs CSP using Intune

In this section you will configure diagnostic logs CSP using Intune.

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and
Intune Portal.
Create 1. Close all browser windows.
Groups for 2. Start Internet Explorer InPrivate mode.
use with 3. Navigate to https://portal.azure.com and Sign in with
Diagnostic labadmin@<AzureDomainName>.onmicrosoft.com.
logs Lab 4. On the left navigation bar, click Azure Active Directory > Groups > All groups.
5. Click + New group.
6. In the Group pane fill in the following values:
GROUP TYPE: Security
GROUP NAME: DiagnosticsLogsDemo
MEMBERSHIP TYPE: Assigned
MEMBERS: TU1,TU2
7. Click Select | Create.
Create a 8. Close all browser windows.
storage 9. Start Internet Explorer InPrivate mode.
account to 10. Navigate to https://portal.azure.com and Sign in with
store labadmin@<AzureDomainName>.onmicrosoft.com.
diagnostic 11. On the left navigation bar, click All services.
logs 12. Enter “Storage accounts” in search.
13. Click on Storage accounts.
14. Click on “+Add”.
15. Select valid Azure Subscription.
16. Fill out the form:
Resource group (Create new if needed)
Storage account name
Location

Leave rest of the things unchanged.

17. Click Review + create
18. Click newly created storage account
19. Click Storage Explorer(preview)
20. Right Click BLOB CONTAINERS -> Create blob container
21. Give Name
22. Click OK
23. Right click on new blob container -> Get Shared Access Signature
a. Update Expiry time to a month later than current date (Default is 1 day)
 b. Update Permissions to Read, Write and List
c. Click Create
24. Copy URL in Notepad – This will be needed in next step.
Create a 25. Close all browser windows.
diagnostic 26. Start Internet Explorer InPrivate mode.
logs policy 27. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
28. On the left navigation bar, click All services.
29. Enter “Intune” in search.
30. Click on Intune.
31. Click on “Device configuration”.
32. Click on “Profiles”.
33. Click on “+ Create profile”.
34. Fill in form
a. Name – Diagnostics CSP
b. Platform – Windows 10 and later
c. Profile type – Custom
Click Settings -> On OMA-URI settings, Click Add
i. Name– ArchieveDefinition
ii. OMA-URI -
./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition
iii. Data Type – String
iv. Value –
35. Select Create.

1. <Collection>
<ID>New Guid</ID>
<SasUrl><![CDATA[URL Copied in Line Step 21]]></SasUrl>
<RegistryKey>HKLM\Software\Microsoft</RegistryKey>
<Command>%windir%\system32\mdmdiagnosticstool.exe -out %ProgramData
%\temp\</Command>
<FoldersFiles>%ProgramData%\temp\*.*</FoldersFiles>
<FoldersFiles>%ProgramData
%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>c:\windows\system32\ipconfig.exe /all</Command>
<Events>System</Events>
36. Select Assignments.
37. Select “Select groups to include”.
38. Select “DiagnosticsLogsDemo” and click Select.
39. Click on Save.

Complete these steps on the AAD joined physical machine/VM.

Verify the 40. Login to a machine as:
Policy has TU2@<AzureDomainName>.onmicrosoft.com
been 46. Select Start.
Applied 47. Select Settings.
and 48. Select Accounts.
Working 49. Select Access work or school.
50. Select Connected to <CompanyName> Azure AD.
51. Click Info.
52. Click Sync to force a policy update and confirm that the sync was successful.
 53. Close Settings.
54. Go to [OSDrive]\windows\temp\mdmdiagnostics
55. Folder with name = GUID mentioned in 32.iv settings should be available.
On Any internet connected machine.
56. Close all browser windows.
57. Start Internet Explorer InPrivate mode.
58. Navigate to https://portal.azure.com and Sign in with
labadmin@<AzureDomainName>.onmicrosoft.com.
59. Click Storage Accounts
60. Click Storage Account created in step 17.
61. Click Storage Explorer (Preview)
62. Click BLOB Containers -> Container
63. Verify logs are getting uploaded.
64. Download zip file. Look at the contents to ensure requested logs are uploaded.

5.2 FIDO2 Windows Sign In

5.2.1 Modern Management
Follow the following sections for enabling the FIDO2 security key method and combined
security.

5.2.1.1 FIDO2 Security Key Sign-In for AADJ Windows Devices

Requirements –

 Windows Insider Build 18942+

In this section you will enable FIDO2 security key and enable combined security.

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and
Intune Portal.

1.     Sign in to the Azure portal.

Enable 2.     Browse to Azure Active Directory > Security > Authentication methods >
security Authentication method policy (Preview).
key
3.     Under the method FIDO2 Security Key, choose the following options:
a.     Enable - Yes or No
b.     Target - All users or Select users
4.     Save the configuration.

5.    Sign in to the Azure portal as a user administrator or global administrator.

 Enable 6.     Go to Azure Active Directory > User settings > Manage user feature preview
combined settings.
security 7.     Under Users can use preview features for registering and managing security
info, choose to enable for a Selected group of users or for All users.

Enable
FIDO for 8. Sign in to the Azure portal.
Windows
9. Browse to Microsoft Intune > Device enrollment > Windows enrollment >
Device
Sign-In Windows Hello for Business > Properties
10. Under Settings, set User security keys for sign-in to Enabled

5.2.1.2 FIDO2 Security Key Sign-In for Hybrid Azure Windows Devices

Pre-requisites

 Enabled FIDO Sign-In for your tenant and provisioned a security key.
 Windows 10 Insider Build 18945 or newer.
 Version 1.4.32.0 or later of Azure AD Connect.
 Your Windows Server domain controllers must have the following patches installed:
o For Windows Server 2016 -
https://support.microsoft.com/help/4534307/windows-10-update-kb4534307
o For Windows Server 2019 -
https://support.microsoft.com/help/4534321/windows-10-update-kb4534321

Task Detailed Steps

Complete these steps from a physical Internet-connected Windows computer to access the Azure and
Intune Portal.

1. On the Azure AD Connect Server, open an elevated PowerShell prompt, and navigate
Create to C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\
Kerberos 2. Run the following PowerShell commands to create a new Azure AD Kerberos server
server object in both your on-premises Active Directory domain and Azure Active Directory
object tenant.
a. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-
authentication-passwordless-security-key-on-premises
b. Import-Module ".\AzureAdKerberos.psd1"

# Specify the on-premises Active Directory domain. A new Azure AD

 # Kerberos Server object will be created in this Active Directory domain.

$domain = "contoso.corp.com"

# Enter an Azure Active Directory global administrator username and password.

$cloudCred = Get-Credential

# Enter a domain administrator username and password.

$domainCred = Get-Credential

# Create the new Azure AD Kerberos Server object in Active Directory

# and then publish it to Azure Active Directory.

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred

-DomainCredential $domainCred

Viewing
and 3. You can view and verify the newly created Azure AD Kerberos Server using the
verifying following command:
the Azure
AD  Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -
Kerberos DomainCredential $domainCred
Server

4. For hybrid Azure AD joined devices, organizations can configure the following Group
Enable Policy setting to enable FIDO security key sign-in. 
with Group  The setting can be found under Computer Configuration > Administrative Templates
Policy > System > Logon > Turn on security key sign-in:
 Setting this policy to Enabled allows users to sign in with security keys.
 Setting this policy to Disabled or Not Configured stops users from signing in with
security keys.

Try it out:
Sign in with FIDO2 security key
Now you can choose the security key credential provider from the Windows 10 lock screen and insert the
security key to sign into Windows.

Microsoft Docs and further information:

Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview) 

Enable with Group Policy

6 Compatibility
In this module, you will go through configuring Upgrade Readiness and scenarios to mitigate
web application compatibility with Internet Explorer 11.

Prerequisite Sections:

a) Windows Insider Lab for Enterprise – Setup Guide

b) Section 3.3.1 - Build a Windows 10 Developer Machine

6.1 Windows Analytics Upgrade Readiness

With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the
upgrade process end to end, allowing them to adopt new Windows releases more quickly. With
new Windows versions being released multiple times a year, ensuring application and driver
compatibility on an ongoing basis is key to adopting new Windows versions as they are
released. With Windows telemetry enabled, Upgrade Readiness collects system, application, and
driver data for analysis. We then identify compatibility issues that can block an upgrade and
suggest fixes when they are known to Microsoft.

In this section, you will learn how to navigate Upgrade Readiness to understand how you might
use it in your environment.

The Operations Manager Suite Experience Center will be used to evaluate Windows Analytics
Upgrade Readiness using read-only demo data and will not require devices to be configured to
send telemetry to the Update Compliance service.

Note:

This lab guide is aimed at getting you familiar with the Upgrade Readiness workspace. It
is not supposed to be a comprehensive guide to using the solution in your organization.

Error: Reference source not found has more details on configuring, deploying and reviewing
Windows Analytics.
6.2 Browser Compatibility
For web apps and sites in Windows 10, modern HTML5-based sites should have a high degree
of compatibility and excellent performance through the new Microsoft Edge browser, while
older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode
features that were first introduced in Windows 7 and Windows 8.1 and are still present in
Windows 10.

6.2.1 Prerequisites
Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the APP1 virtual machine.
Create a Shared 1. Open File Explorer and browse to C:\.
Folder (EMEI) 2. Create a new folder named EMEI.
with Full 3. Right-click on EMEI and select Properties.
Permissions 4. In the EMEI Properties window, go to the Sharing tab.
5. On the Sharing tab, click Advanced Sharing.
6. On the Advanced Sharing window, select Share this folder then click on
Permissions.
7. On the Permissions for EMEI window, under Allow select Full Control then
click Apply and OK.
8. On the Advanced Sharing window, click Apply and OK.
9. On the EMEI Properties window, click Close.
Configure Test 10. On the taskbar, open File Explorer and browse to C:\Packages\Sources.
Website 11. Copy the ContosoLearning folder to C:\inetpub\wwwroot.
12. On the Start menu, open Internet Information Services (IIS) Manager.
13. Under the Connections pane, browse to APP1 (Corp\LabAdmin) > Sites >
Default Web Site > ContosoLearning.
14. Right-click on ContosoLearning and select Convert to Application.
15. On the Add Application window, click OK.
16. On ContosoLearning, under the Actions pane select Advanced Settings.
17. On the Advanced Settings window, select Application Pool and click on the
ellipses (…).
18. On the Select Application Pool window, set the Application pool to .NET v2.0
then click OK.
19. On the Advanced Settings window, click OK.
Complete these steps on the CLIENT2 virtual machine.
Pin Internet 20. On the Start Menu, search for Internet Explorer.
Explorer on the 21. Right-click on Internet Explorer and select Pin to taskbar.
Taskbar
Download 22. Open Internet Explorer and browse to the URL below.
Enterprise Mode http://www.microsoft.com/en-us/download/details.aspx?id=49974
Site List Manager 23. From the website, click Download.
24. Save EMIESiteListManager.msi to the desktop.
 6.2.2 Enterprise Mode
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11, allows websites render
using a modified browser configuration that’s designed to emulate either Windows Internet
Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems
associated with web apps written and tested on older versions of Internet Explorer.

In this section, you will learn how to use and configure Enterprise Mode and the Enterprise
Mode Site List Manager.

6.2.2.1 Manually Activate Enterprise Mode

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.
Browse to the Test 1. On the taskbar, open Internet Explorer and browse to
Site http://app1/ContosoLearning.
Note: Notice that the website says that the browser is not supported, only Internet Explorer
is supported even if the browser is Internet Explorer.
Enable Enterprise 2. Right-click on the Start button and select Run.
Mode 3. In the Run window, enter regedit and then click OK.
4. In the Registry Editor window, browse to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft.
5. Right-click on the Microsoft key and select New > Key.
6. Enter Internet Explorer as the name of the new key.
7. Right-click on the Internet Explorer key and select New > Key.
8. Enter Main as the name of the new key.
9. Right-click on the Main key and select New > Key.
10. Enter EnterpriseMode as the name of the new key.
11. Right-click on the EnterpriseMode key and select New > String Value.
12. Enter Enable as the name of the string value.
13. Right-click on the EnterpriseMode key and select New > String Value.
14. Enter SiteList as the name of the string value.
Note: Enterprise Mode can be enabled through Group Policy. For more information, go to
https://technet.microsoft.com/en-us/itpro/Internet-explorer/ie11-deploy-guide/turn-on-
enterprise-mode-and-use-a-site-list.
Enable Enterprise 15. Close all open Internet Explorer browsers.
Mode on the Test 16. On the taskbar, open Internet Explorer and browse to
Site http://app1/ContosoLearning.
17. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode.
Note: Enable the Menu bar.
Note: Notice now that the website is not displaying the browser support issue due to the
Enterprise Mode emulating Internet Explorer 8. Also, see the building icon on the left side
of the URL which indicates that Enterprise Mode is enabled for this URL.
18. On the Internet Explorer toolbar, go to Tools and select Enterprise Mode to turn
it off for the next labs.
19. Close all Internet Explorer browsers.
6.2.2.2 Enterprise Mode Site List Manager

Task Detailed Steps

Complete these steps on the CLIENT2 virtual machine.
Install Enterprise 1. On the taskbar, open File Explorer and browse to the desktop.
Mode Site List 2. Double-click on EMIESiteListManager.msi.
Manager 3. On the Welcome page, click Next.
4. On the End-User License Agreement page, select I accept the terms in the
License Agreement and then click Next.
5. On the Destination Folder page, click Next.
6. On the Ready to Install page, click Install.
7. Once complete, click Finish.
Create a Site List 8. From the desktop icon, open the Enterprise Mode Site List Manager.
9. On the Enterprise Mode Site List Manager for v.2 schema window, click Add.
10. On the Add new website window, under URL enter app1/ContosoLearning and
then click Save.
11. Click on File > Save to XML.
12. Save the file to \\APP1\EMEI as EMEISiteList.xml.
Complete these steps on the DC1 virtual machine.
Enable Enterprise 13. From the Start Menu, open the Group Policy Management Console.
Mode through 14. On the Group Policy Management Console, expand to Forest:
GPO and Deploy corp.olympia.local > Domains > corp.olympia.local > Group Policy Objects.
the Site List 15. Right-click on Group Policy Objects and select New.
16. On the New GPO window, under Name enter Enable Enterprise Mode and then
click OK.
17. Right-click on Enable Enterprise Mode and select Edit.
18. On the Group Policy Management Editor window, browse to Computer
Configuration > Policies > Administrative Templates > Windows
Components > Internet Explorer.
19. On the Settings pane, double-click on Use the Enterprise Mode IE website list
policy.
20. On the Use the Enterprise Mode IE website list window, select Enabled.
21. On the Options pane, enter \\APP1\EMEI\EMEISiteList.xml and then click
Apply and OK.
22. Close the Group Policy Management Editor.
23. On the Group Policy Management window, right-click on the Devices OU and
select Link an Existing GPO…
Note: Create a Devices Organizational Unit and from Computers, move the
CLIENT2 machine to this OU.
24. On the Select GPO window, select Enable Enterprise Mode and then click OK.
Complete these steps on the CLIENT2 virtual machine.
Validate that 25. Open an Administrative Command Prompt and execute gpupdate /force.
Enterprise Mode 26. On the taskbar, open Internet Explorer and browse to
Policies are http://app1/ContosoLearning.
Applied
Note: Notice that the website is now automatically configured with Enterprise Mode.
 6.2.3 Browser Compatibility Remediation
This section covers some of the common compatibility issues found while migrating existing
web applications from IE8 to IE11. It demonstrates the tools and techniques to remediate these
common issues. This lab is designed for developers and discusses ways to resolve the
compatibility issues by updating the application code as it is the best long term solution to
make your applications standards compliant and ensure compatibility with modern browsers.

6.2.3.1 Prerequisites

Perform the following tasks before proceeding.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
Pin Internet 1. On the Start Menu, search for Internet Explorer.
Explorer on the 2. Right-click on Internet Explorer and select Pin to taskbar.
Taskbar

6.2.3.2 User Agent String Detection Issue

Web developers used to check Navigator.AppName property to get the name of the web client.
Until Internet Explorer 10, it is used to return “Microsoft Internet Explorer” but from IE 11 it
returns “Netscape”. After completing this lab session, you will be able to use the IE Developer
Toolbar to change the IE Browser mode.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Use Internet Explorer to navigate to http://app1/contosolearning.
Incompatibility
Note: Notice the incompatibility message at the bottom of the screen in red. **Your
browser is not supported by ContosoLearning**. Only Internet Explorer is Supported
2. The error message indicates that a validation routine runs when the page loads.
The routine checks the browser that is used.
Confirm the 3. Right-click on the page and select View source to open a new window with the
Incompatibility page’s source code.
4. On line 145, note that the function checkVersion is called when the page loads.
This is the function that results in the browser support message.
5. The issue arises since the version detection logic is checking for the browser
name.
6. Close the source page.
Prove the Fix 7. To determine the possible fix, press F12 to open the Internet Explorer Developer
tools.
8. Click the Emulation tab.
9. From the Document mode drop-down, select 10 to use the IE 10 Document
Mode.
10. From the User agent string drop-down, select Internet Explorer 10.
 11. The browser window will reload without the support warning.
Recommended Fix 12. Modify the code for the default.aspx page to remove the browser detection
(OPTIONAL) routine.
13. Consider using feature detection to ensure that a specific feature is present for the
application to continue to function.

6.2.3.3 Box Model

Box Model issue is caused by the difference in the browser rendering engine implementation of
width and height properties of a container element including the padding, borders and margins.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Use Internet Explorer to navigate to http://app1/contosolearning.
Incompatibility 2. Login to the application as corp\Administrator using P@ssword.
3. Scroll to the right and bottom. Note that the menu intended for the right side of the
page has actually rendered below the content. In Internet Explorer 6, this page item
would be rendered on the right-hand side of the My Upcoming Trainings panel.
Prove the Fix 4. Press F12 to launch the Developer Tools window.
5. Below the DOM Explorer tab, click the Select element icon, or press Ctrl+B.
6. Move the mouse pointer exactly over the grey border surrounding My Upcoming
Trainings and click with the left mouse button. This will highlight the panel in the
browser and move the DOM Explorer window to the corresponding HTML section -
id=”middle”.
7. In the right pane of the DOM Explorer tab, click Styles.
8. Note that there are two entries for #middle. One of these is sourced from default.aspx
which overrides the width entry from SiteStyles.css.
9. These are padding properties. Padding and border properties are considered outside
the container to which they relate in Internet Explorer 11. In the Internet Explorer 5.5
model, padding and border properties were inside the box model.
10. Select the width property sourced from default.aspx.
11. Reduce the value (in pixels) to determine a suitable value to render the page
correctly. Hint: A 100px change is way too much.
Recommended Fix 12. Modify the source code for default.aspx on the hosting website with the correct
(OPTIONAL) width.
13. This issue can also be fixed by forcing the page to render in Quirks mode by adding
an X-UA-Compatible meta tag as shown below to the head section of this page on the
server.
<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

6.2.3.4 Popup Blocker

The Pop-Up Blocker is a feature that blocks pop-up (and pop-under) windows initiated
automatically by a Web site. Windows Internet Explorer 10/9/8/7 block pop-up windows in the
Internet and Restricted sites zones by default. However, Pop-up Blocker allows pop-up windows
initiated by a user's actions. This feature can interfere with the functionality of older sites that
use popup window on page load.
 Task Detailed Steps
Complete these steps on the CLIENT1 virtual machine.
What could be the 1. Use Internet Explorer to navigate to http://app1/contosolearning.
Incompatibility 2. Login to the application as corp\Administrator using P@ssword.
3. Navigate to Register for Training from the menu on the left side of the page.
4. Observe that the register button for each course is disabled (greyed out) and also
observe that a pop-up window appears with the Terms and Conditions and once
clicked OK, the Register button is enabled for the courses listed.
5. The incompatibility could be that the register button for each course is disabled
(greyed out) and a message is displayed on the bottom which says the Pop-Up
was blocked.
Local Fix 6. If the incompatibly appears, then in order to fix this issue launch the Pop-up
Blocker Settings window by clicking on Tools > Internet options. Alternatively,
click the gear icon at the top right of the Internet Explorer window and then
select Internet options.
Note: Enable the Menu bar.
7. Click the Privacy tab.
8. Under Pop-up Blocker, click Settings.
9. In the Pop-up Blocker Settings window type http://app1/contosolearning in the
Address of website to allow text box.
10. Click Add to add the entered site to the Allowed sites list.
11. Click the Close button to close the current window and click OK on the Internet
Options window.
12. Press F5 to refresh the page.
13. Click Register for Training.
14. A pop-up window appears with the Terms and Conditions.
15. Click OK.
16. The Register button is now enabled for the courses listed.
Enterprise Fix 17. Automatic popups are allowed by default in sites belonging to the Local Intranet
sites zone. Pop-up blocking issues can be resolved for intranet applications by
adding the site to the intranet sites collections.
18. In case of external trusted sites having this issue, add the sites to the Trusted sites
collection and have the Use Pop-up Blocker section set to Disable.
19. Add the site to Group Policy Path i.e. Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer.
Note: For more details on Group Policy settings refer to the link:
http://msdn.microsoft.com/en-us/library/dd565668(v=VS.85).aspx

6.2.3.5 className Attribute

IE11 enables several enhancements to the setAttribute, getAttribute, and removeAttribute

methods that are not available when pages are displayed in earlier document modes.

To change the class attribute of an element the earlier versions of IE required us to use
className as the attribute name. This has been fixed in the IE11 and applications targeting IE 11
Browser should use class instead of className for assigning class attribute.

http://msdn.microsoft.com/en-us/library/ms536429(VS.85).aspx
 Task Detailed Steps
Complete these steps on the CLIENT1 virtual machine.
Validate that the 1. Click on Tools > Internet options in the Internet Explorer Window.
Test Site is not part 2. In Internet Options, go to the Security Tab.
of the Local 3. Click on Local intranet and then click on Sites.
Intranet Zone Site 4. In the Local intranet window click on Advanced button which would open up the
List Local Intranet Sites list.
5. In the sites list verify that app1 is not present.
6. If the site is present, then highlight the site and click on the Remove button.
7. Once you are finished, then click on Close button in the Local Intranet Sites list
window.
8. Then click OK button in the Local intranet window and then click OK button in
the Internet options window to close them.
View the 9. Navigate to the Events page by clicking on the Events link in the left menu. The
Incompatibility URL for the page is: http://app1/ContosoLearning/Events.aspx. Re-login if
required. Observe that the page is not displayed correctly.
10. Observe that no style is applied to the selected element.
Local Fix 11. Open the Developer Tools by pressing F12 and click the Emulation tab at the
bottom.
12. Change the Document mode to 7 and User agent string to Internet Explorer 7.
13. Observe that the class attribute is being set on the selected element in IE7
Standards mode. This indicates an issue with the script dynamically assigning the
class value at runtime.
14. Observe that the className attribute is being used to set the class property on the
table. Also, notice that the id attribute is also being checked against the empty
string. This check always fails in IE11 as the getAttribute API will return if id is
not defined. To check this, click on the Debugger tab and set a breakpoint on
Lines 43 and 44. You can set a breakpoint by clicking the Line numbers.
15. Refresh the page by pressing F5 key and notice that the code never hits the
breakpoint confirming our understanding. To fix this issue we can use the Auto
responder feature of Fiddler to test the updated script on the page.
16. In the Internet Explorer window go to File > Save as… Then give the webpage a
name i.e. Events and Save it as html on the Desktop.
17. Then edit the saved page using Notepad and replace lines 43 to 44 with the code
below:
if (tables[i] && tables[i].getAttribute("id") == null) {
tables[i].setAttribute("class", "block");
}
18. Download and install Fiddler from http://www.telerik.com/download/fiddler.
19. Once installed, start the Fiddler tool by clicking on Fiddler 4 on the Start Menu.
Click Cancel on the prompt that appears.
20. Clear the Fiddler logging by pressing Ctrl+X. Then refresh the Events page.
21. In the Fiddler log you would see the Events.aspx captured.
22. In the Fiddler window click on the AutoResponder tab on the right-hand side.
23. Check the boxes which say Enable rules and Unmatched requests passthrough.
24. Then highlight the Events.aspx and click on the Add Rule button.
25. Then in the Rule Editor section on the bottom right hand of the Fiddler window,
click on the drop-down arrow of the second box and choose the option Find a
file… Then browse to the modified Events.html page and then click on the Save
button.
26. Now go back to the Internet Explorer Window and refresh the Events page. Now
Fiddler should catch the request and responder with the modified Events page and
you should now see the correct style applied to the table elements.
Note: In order to fix the problem permanently, the script on the page would have to be changed
on the Server which is hosting the website to reflect the correct width.

Note: This issue can also be fixed by forcing the page to render in IE7 standards mode by
adding an X-UA-Compatible meta tag as shown below to the head section of this page on the
server.

<meta http-equiv="X-UA-Compatible" content="IE=IE7"/>

6.2.3.6 GetElementByID

Changes in the getElementById API causes the webpage to break as it is case sensitive. To
remediate this, we will have to modify the CSS of the webpage at the source. One would use
Fiddler Auto Responder to change the code to onclick="LaunchVideo('overview');".

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Keep logged in and navigate to the Training Video page by clicking on the
Incompatibility Training Videos on the left menu. The URL for the page is:
http://app1/ContosoLearning/TrainingVideos.aspx.
2. Click on the first video which is the Overview video. Observe that nothing
happens and it doesn’t play the video.
Local Fix 3. In the Developer Tools window (activated with F12), select the Console tab and
clear any errors (if any).
4. Click again on the first video, which is the Overview video. Once you click on
the video, you would be taken to the section of source code which resulted in the
error message. Click on the link and you would be taken to the Debugger tab with
the line where the error is.
5. If you go little up in the code on Line 106 you would see the ID is “overview” in
lowercase.
6. In the Internet explorer window go to File > Save as… Then give the webpage a
name i.e. Training and Save it as html on the Desktop.
7. Then edit the saved page using Notepad and change the case of the word
OVERVIEW from lower case to uppercase and then save the file.
8. Start Fiddler tool by clicking on Fiddler 4 on the Start menu.
9. Clear the Fiddler logging by pressing Ctrl+X. Then refresh the Contoso Learning
Training page.
10. In the Fiddler log you would see the TrainingVideos.aspx captured.
11. In the Fiddler window click on the AutoResponder tab on the right-hand side.
12. Check the boxes which say Enable rules and Unmatched requests passthrough.
13. Then highlight the TrainingVideos.aspx and click on the Add Rule button.
14. Then in the Rule Editor section on the bottom right hand of the fiddler window,
click on the drop-down arrow of the second box and choose the option Find a
file… Then browse to the modified Training.html page and then click on the
Save button.
15. Now go back to the Internet Explorer window and refresh the Training Videos
page. Now the fiddler should catch the request and responder with the modified
Training Videos page and you should be able to open up the Overview video.
Note: In order to fix the problem permanently, the source code of the page would have to be
changed on the Server which is hosting the website to reflect the correct width.

Note: This issue can also be fixed by changing the Document Mode to IE5 Quirks Mode in the
Developer Toolbar.

6.2.3.7 Z Index Default Value

For IE browser 5/6/7 the default value for Z-Index is 0 but for IE 8+ it is Auto.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Launch Internet Explorer 11 and navigate to the Contoso Learning Site by using
Incompatibility the URL http://app1/ContosoLearning/OnlineResources.aspx. Re-login if
required. This is an intranet site designed for IE6. Also, on Mousing over Text
you should see tool tips. On IE 6 it works absolutely fine but for IE 11 it doesn’t
display any text.
2. Open the IE 11 Browser and browse to the site
http://app1/ContosoLearning/OnlineResources.aspx. Mouse over on Menu
Items and you should not see any tool tip.
3. To check the logic on the page, right-click and select the View source option.
This will open the page source in the Developer Tools under Debugger.
4. Check for Onmouseover event of the image. There you can find that the logic is
checking the default value of z-index and comparing whether that is “0” or not
which is the default Z-Index value in IE 6.
5. To temporarily workaround this issue, change the document mode to the
appropriate version using IE 11 developer toolbar, press F12 and the Internet
Explorer Developer Toolbar will be opened if not opened already.
6. Click the Emulation tab.
7. Select Document Mode as 5 and User agent string as Internet Explorer 6.
8. You can now observe a text is displayed.
Permanent Fix 9. To resolve this issue the javascript on the page should be updated to first assign a
Z-index to the DOM object before comparing its value.

Note: This issue can also be fixed by forcing the page to render in IE5 Quirks mode by adding
an X-UA-Compatible meta tag as shown below to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

6.2.3.8 Content Centering

Content Centering using text align property is not supported in Internet Explorer 9+. This causes
any site developed for IE6 to be left aligned on IE9+ standards mode if they are using text align
property for centering. We would need to use the width and margin properties to center align
the content.
To remediate this, we will have to modify the CSS of the webpage at the source. In order to find
the correct CSS values that need to be added to the source of the page on the server we can use
the Developer Tools.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Navigate to the Blogs page by clicking on the Blogs link in the left menu. Re-
Incompatibility login if required. Observe that the page is not displayed correctly. It is aligned to
the left instead of being centered.
Local Fix 2. Press F12 to open the Developer Tools.
3. Select the Body section under the DOM Explorer tab. Observe that the text align
property has been set for this element.
4. This is the typical case where the content is being centered by using the text align
property which would render the page correctly in previous versions of IE.
5. Also, observe that the margin property has been set to 0px auto. This should
cause the content to be centered in IE11.
6. Also, observe that there are two margin properties that are being applied to the
Body element. One of the margin properties is defined inline in the Blogs.aspx
page.
7. Observe that the margin property has !important added to the property value in
the end. This is forcing the browser to override the original margin setting on the
page.
8. Uncheck the second margin value. The first margin value will be automatically
enabled.
9. You will find that the page is rendered correctly now.
Permanent Fix 10. To remediate the issue at the source, the developer would need to remove the
margin style defined on the page which should fix the issue.

Note: This issue can also be fixed by forcing the page to render in Quirks mode by adding an X-
UA-Compatible meta tag as shown below to the head section of this page on the server.

<meta http-equiv="X-UA-Compatible" content="IE=IE5"/>

6.2.3.9 ActiveX Controls

Microsoft ActiveX controls are reusable software components based on ActiveX technology.
ActiveX controls add interactivity and additional functionality, such as animations or pop-up
menus to a Web page, application, or software development tool. Internet Explorer 7+ and
Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2) block controls that are
unsigned, invalid, or explicitly distrusted by the user. In Internet Explorer 9+, users can allow
controls to run on more than one Web site, or all Web sites, by responding to the Information
Bar that drops down when a control is requested for use. These sites can also be edited through
the Manage Add-ons interface.

ActiveX Blocking can be remediated by one of the following techniques:

 1. Ensure that the ActiveX control is signed. Please refer the below link for ActiveX Signing:
http://msdn.microsoft.com/en-us/library/aa231196(VS.60).aspx
2. Ensure that the client side security certificate matches the server side security certificate.
3. Add the website to the list of local intranet sites.

Task Detailed Steps

Complete these steps on the CLIENT1 virtual machine.
View the 1. Navigate to the Contoso Learning Website Obtain Licenses page. The URL for
Incompatibility the page is: http://app1/ContosoLearning/ObtainLicenses.aspx. Re-login if
required. Observe that a UAC prompt is displayed.
Install the 2. You will notice that there is a warning because the publisher cannot be verified –
Certificate click on the link for Unknown Publisher.
3. Details of the digital certificate will be displayed – click on the View Certificate
button.
4. The certificate will indicate that the certificate is not trusted – press the button to
Install Certificate…
5. You will walk through the Certificate Import Wizard. On the first screen, select
Local Machine and then click Next.
6. Select Place all certificates in the following store and click Browse…
7. Select the Trusted Root Certification Authorities and then click OK.
8. Click Next.
9. Click Finish.
10. Click OK once the import is successful.
11. Click the OK button on the Certificate dialog.
12. Click the OK button on the Digital Signature Details dialog.
13. Click the OK button on the Security Warning dialog.
Signed ActiveX 14. Press F5 to refresh the page now that you have the digital signature installed.
Control Installation 15. You will receive a UAC prompt again, this time indicating that it is a signed
control. Click on Install.
16. Press F5 to refresh the page. Now you will not see any control. Close the Internet
Explorer.
17. Open gpedit.msc and navigate to Computer Configuration – Administrative
Templates – Windows Components – Internet Explorer. Double-click on Let
users turn on and use Enterprise Mode from the Tools menu.
18. Click Enabled. Click Apply and OK.
19. Open the Internet Explorer and navigate to the Contoso Learning Website
“Obtain Licenses” page. The URL for the page is:
http://app1/ContosoLearning/ObtainLicenses.aspx. If required re-login.
20. Press F12 to open the Developer Tools. Click the Emulation tab and for the
Browser profile, select Enterprise.
21. You will see that the browser has Enterprise mode enabled from the Tools
menu.
22. You can see now that the Obtain Licenses button is visible.
23. In case it is still not visible, go to Tools, select Manage add-ons.
24. Check whether ContosoLicenseControl.ObtainLicense is enabled or not. If it is
disabled, click on Enable and close the window by clicking Close and refresh the
page.
25. Click on Obtain Licenses button.
26. The ActiveX control should now be installed. Click OK.
6.3 Desktop Bridges
The Windows 10 Desktop Bridge provides consumer and enterprise developers a low friction
path to migrate their Win32 apps to Windows 10 Universal Windows Platform (UWP). In doing
so, developers can take advantage of Windows 10 features and app distribution not available to
traditional Win32 apps. Win32 apps using the Desktop Bridge also provide a safer and cleaner
virtualized runtime environment. For more information on the Desktop Bridge see:
https://developer.microsoft.com/en-us/windows/bridges/desktop

This Lab provides a walkthrough of converting a Win32 app to a UWP using the Desktop App
Converter.

Prerequisite: Build a Windows 10 Developer Machine (Section 3.3.1) before proceeding

with this lab.

6.3.1 Desktop Bridge – Convert a Win32 app Installer to a UWP

Modern App (APPX)
In this activity, starting from a MSI installer, you’d be able to create an AppX package, keeping
the best of both worlds: the flexibility of a Win32 app and the better security and distribution
model of an AppX package.

Task Detailed Steps

Complete these steps on the WIN10DEV virtual machine.
Install the Desktop 1. Make sure your computer is up-to-date with the latest Windows 10 version:
App Converter – Desktop App Converter. To make sure you’re on the right version, just click on
Version Check the Start button and choose Command Prompt: at the top, you’ll see the
Windows 10 build number, which should be 10.0.17134.xx.
Install the ‘Desktop 2. The Desktop App Converter tool itself, which can be downloaded directly from
App Converter’ the Store at the URL https://www.microsoft.com/store/apps/9nblggh4skzw
3. Click ‘Get the app | Get’.
Download the 4. The latest base Windows image, which is used as container to generate the appx
Windows Base package. Be aware that this file is quite big (approximately 3.5 GB). It can be
Image downloaded from the following link: https://www.microsoft.com/en-us/software-
download/dac#. Click Base Image - Build 17134 and save the file to
C:\Windows\Temp.
Note: The version of the base image much match the version of the OS. In this
case, we are working with Windows 10 17134.
Launch the 5. Press ‘Start’, type ‘Desktop App Converter’.
‘Desktop App 6. Right click on the ‘Desktop App Converter’ icon and choose Run as
Converter’ as administrator). Accept the UAC prompt. Under the hood, you will notice that
Administrator it’s simply a Powershell command prompt, since it’s the technology that
empowers the Desktop App Converter.
Install the Base 7. Install the base image, by executing the following PS commands in the folder
Image where you have copied the file you’ve previously downloaded (or, alternatively,
 you can pass to the -BaseImage parameter the full path of the file).
a. Set-ExecutionPolicy Bypass
b. DesktopAppConverter.exe -Setup -BaseImage
C:\Windows\Temp\Windows_BaseImage_DAC_17134.wim –
Verbose
Note: The operation will take a while and, at some point, it may ask you to reboot
the machine: the reason is that Desktop App Converter relies on a Windows 10
features (called Containers), which isn’t installed by default.
If you get an Error 8. If you get an error related to Containers, you can manually install the feature by
right clicking on the Start button, clicking Run, entering appwiz.cpl, clicking
OK and then Turn Windows features on or off. You will find one called
Containers, enable it and click OK and then let the installation complete and
also, if asked, reboot the computer.

Note: The Containers feature is available only on Windows 10 Pro or

Enterprise.
9. Now you’re all set and you’re ready to convert your first application.
Start the Win32 to Note: You will convert the Win32 sample app ‘Hello Centennial’. Remember that the
UWP Conversion Desktop App Converter does not modify your application binaries. It monitors the file
Process locations and registry entries created at install time. It uses this information to create the
container your Win32 app will be in.

10. Download the ‘Hello Centennial’ sample Win32 app’s MSI file from here:
https://github.com/qmatteoq/DesktopBridge/blob/master/1.%20Desktop%20App
%20Converter/HelloCentennial.msi
11. Create a folder called C:\Installer and copy the file HelloCentennial.msi here.
12. Create another folder called C:\Output\HelloCentennial.
Launch the 13. Press ‘Start’, type ‘Desktop App Converter’.
‘Desktop App 14. Right click on the ‘Desktop App Converter’ icon and choose Run as
Converter’ as administrator). Accept the UAC prompt.
Administrator
Start the Desktop Note: DesktopAppConverter flags:
App Converter  -Installer is the path to the setup file we need to convert. In this case, it’s the
Process HelloCentennial.msi file we’ve previously downloaded from GitHub.
 -Destination is the folder where we want to store the output files created by the
conversion process.
  -PackageName is the name we want to give to the package.
 -Publisher is the publisher’s name of the application. If you have some previous
experience with UWP development, you’ll recall seeing this information in the
manifest file of a UWP app. It’s univocally assigned by the Dev Center when you
open a developer account. For the moment, for test purposes, you can just use the
name you want, it’s just important that it starts with CN= and that it doesn’t
contain spaces.
 -Version is the version number of the app.
 -MakeAppx means that, other than generating the folder which will contain all
the files that needs to be packaged (like assets, the manifest, etc.), you want also
to immediately generate the AppX package.
 -Verbose is an optional parameter, which is useful because it will show you all
the details of what’s going on during the conversion process.
 -Sign is a parameter that allows to automatically generate the needed certificates
to properly sign the AppX package. Without this digital signature, the package
can’t be installed on a machine which doesn’t trust the generated certificate.
15. Download and install the Windows 10 1803 SDK:
https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
16. In PowerShell type the command:
DesktopAppConverter.exe -Installer "C:\Installer\HelloCentennial.msi"
-Destination "C:\Output\HelloCentennial" -PackageName
"HelloCentennial" -Publisher "CN=Awesome-Apps-Inc" -Version "1.0.0.0"
-MakeAppx -Verbose -Sign
17. Inspect the Output folder. At the end of the process, you will get a folder
structure like the following one:

The real work done by the tool can be found inside the PackageFiles folder:

18. As you can see, this folder looks a bit like the one that Visual Studio creates when
you start a new UWP project. You have an Assets folder, which contains the
default images to be used for the tile, the Store, or the icon in the Start menu. You
have also a manifest file, the one called AppxManifest.xml.
Open the 19. Notice that it’s like the manifest file of a UWP app. However, compared to a
AppxManifest.xml native UWP app, you’ll find a couple of differences:
File  You’ll find the following Capability, which allows the application to run in full
trust. This option is available only for converted apps, a native UWP app will not
 have this kind of access.
<Capabilities>
<rescap:Capability Name="runFullTrust" />
</Capabilities>
 You’ll find an Application entry with all the info about the Win32 process that
the UWP container will launch.

<Application Id="HelloCentennial" Executable="HelloCentennial.exe"

EntryPoint="Windows.FullTrustApplication">
Continue 20. You’ll find other files and folders that captured the MSI setup process. For
Inspecting Output: example, the Registry.dat file contains all the changes applied to the registry. Or,
Registry.Dat, VFS if you explore the VFS folder, you will find all the files that are copied during the
Folder installation process. For instance, you’ll be able to find the main executable (the
original Windows Forms app) following the path
VFS\Users\ContainerAdministrator\AppData\Roaming\Matteo Pagani\Hello
Centennial.
Attempt to Install 21. Double click on the file HelloCentennial.appx and you’ll be prompted with the
the Converted App following dialog.
(APPX)

However, if you press the Install button out of the box, you’ll see the following error.
Install Certificate Note: The reason is that, by default, a UWP package needs to be signed with a valid
to Resolve Error certificate to be installed and this certificate needs to be trusted by the computer. When we
publish a UWP app on the Store, this process is completely transparent: it’s the Store that
takes care of signing the AppX package with a valid certificate during the submission
process. In this case, instead, we’re trying to sideload a package without using the Store, so
we need to take care of signing it.
If you remember, when we used the Desktop App Converter tool, we passed a parameter
called -Sign, which already did the hard work for us. The package is already signed: the
problem is that the certificate used for signing it, now, isn’t trusted by our computer, which
leads to an installation failure.
22. To solve this problem, you’ll need to add the certificate in the Trusted Root
Certification Authority of the computer. You’ll find it in the folder generated by
the tool (the one with the AppX package and the PackageFiles folder) and it’s
called auto-generated.cer: simply double click on it, choose Install Certificate
and, when you’re prompted where to install it, choose Local Machine and then
the option Place all certificates in the following store. By pressing the Browse
button, make sure to choose Trusted Root Certification Authorities and
complete the process.
Retry Installing the 23. Double click on the file HelloCentennial.appx. Uncheck Launch when ready.
Converted App This time, after pressing the Install button, you will see a progress bar showing
(APPX) the installation status and, at the end, the window will become like the following
one.

Find 24. Press the Windows key. Type HelloCentennial.

‘HelloCentennial’
Note: Now you have a Win32 app that has been embedded into a UWP app! Notice
in the Start Menu
the app will have a tile, you’ll be able to pin it to the Start menu and, if you want to
 uninstall it, just right click on it, and choose Uninstall.

Launch the 25. Select the app from the Start menu to launch it. You’ll notice that it’s still a
Converted App: Win32 app and it will be able to create a text file on the user’s desktop just fine,
‘HelloCentennial’ without requiring any extra dialog or permission.
Note: You might have to download and install the prerequisites for the app to
launch, which it will do automatically, which is .Net Framework 3.5 (includes 2.0
and 3.0).
7 Additional Labs

7.1.1 MDM WINS over GP

Prerequisite Sections:
a) Windows Insider Lab for Enterprise – Setup Guide
b) Section 3.2 - Cloud Environment
https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-
mdm-policy-who-wins/
Traditionally, configuration policies are managed by Group Policy, however Modern
Management of Windows 10 with Microsoft Intune also has a set of policies, even policies that
are duplicative of Group Policy (where applicable, not all Group Policies are available via MDM or
CSP). In environments where Group Policies are deployed and managed by Intune there’s the
question of which policy wins. The following describes which policy wins according to Windows
10 version.

 Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if
an identical policy is configured in MDM.

 Windows 10 version 1803 and beyond there is a new Policy CSP setting called
ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the
preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.

For more details about the new ControlPolicyConfict setting please visit:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-
controlpolicyconflict#controlpolicyconflict-mdmwinsovergp 
What happens to the policy if the device is unenrolled from Intune?  If applicable, Group Policy
will re-apply the policies in this scenario.
Setting up a Policy
In the link above, the “scope” of the policy is set for “device” so we’ll need to target the policy at
the device scope.
To learn more about user and device scopes please visit: https://docs.microsoft.com/en-
us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope 
Since the ControlPolicyConfict policy applies to the device, we’ll have to utilize the following
string: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the
policy.
Next replace AreaName/PolicyName with ControlPolicyConflict/MDMWinsOverGP
After the modification to the string, the policy should look like the following:
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Creating the Policy
Let’s create a new policy in Intune to control the GP vs. MDM winner.

1. Navigate to portal.azure.com and locate Intune.

2. Select Device configuration | Profiles | Create profile.
3. Under Platform select Windows 10 and later.
4. Under Profile type select “custom” and “add”.
5. Name the custom setting with something intuitive.
6. For OMA-URI add the policy OMA-URI string:
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
7. For Data type select Integer and add the number 1.

Supported values for this policy are as follows:

0 (default)
1 - The MDM policy is used and the GP policy is blocked.

 Let’s take a look how the Policy is Applied

1. On the Windows 10 device, select the Windows icon > Settings > Accounts > Access
work or school and under the account name select Info.
 2. Sync with Microsoft Intune by selecting “Sync”.
3. Once the Sync is completed select “Create report”.

 Once the report is completed a folder will open containing an .html file.
 Open the .html report and search for “MDMwins”.

GP Setting before the MDM policy takes place:

MDM setting after the policy is applied (Note: Windows 10 1803 is required to override the GP):

Let’s take a look at a report in Intune regarding the policy and if it was successfully applied. This
is useful to make sure the policies are actually applying or not.
Logging
Being able to investigate modifications to a device is extremely important, especially when
troubleshooting.
In event viewer we can access the event where the policy was applied as shown below. However
digging through events, especially across multiple devices, can be a difficult process. This is
where Microsoft Operations Management Suite (OMS) comes in.

Logging with Microsoft Operations Management Suite (OMS)

Within OMS there is the Log Analytics solution to manage logs from devices with the OMS
agent installed. I won’t go into details about installing the OMS agent, however I will say it’s
straight forward. Once the agent is installed (which I have it installed on all my devices so I can
look at label changes with Azure Information Protection (see my previous post) and other
aggregated information) we’ll need to grab the proper event log source name and populate that
in Log Analytics.
Find and copy the event log source or name: Microsoft-Windows-DeviceManagement-
Enterprise-Diagnostics-Provider.
Paste the event log path in Log Analytics to “Windows Event Logs under Settings > Data >
Windows Event Logs” as shown below:
Give the logs a few minutes to sync from the device to OMS, then run the query below in log
analytics analyzer and look for the MDMWinsOverGP policy created above:

For more details about Windows 10 MDM logging please visit: https://docs.microsoft.com/en-
us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10
Evaluating Existing Group Policies to determine Migration to MDM
Use the MDM Migration Analysis Tool (MMAT) to evaluate which Group Policies have been set
for a target user/computer and cross-reference against its built-in list of supported MDM
policies.
Download the MDM Migration Analysis Tool (MMAT):
https://github.com/WindowsDeviceManagement/MMAT
For Additional Details about Creating Custom ADMX Policies, please view the following
Two Great Videos:
Enable ADMX backed policies in Intune: https://www.microsoft.com/en-
us/videoplayer/embed/bdc9b54b-11b0-4bdb-a022-c339d16e7121
ADMX backed policy import example: https://www.microsoft.com/en-
us/videoplayer/embed/a59888b1-429f-4a49-8570-c39a143d9a73
Keep Up to Date with MDM Policies and other Features via What’s new in MDM
Enrollment and Management
https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-
enrollment-management
Tags: ADMX ControlPolicyConflict Courtenay Bernier Device Management EMS Enterprise
Mobility Suite InTune MDM MDM Migration Analysis Tool MDMWinsOverGP Microsoft Azure
Microsoft Intune MMAT Mobility SCCM System Center Configuration Manager Windows 10
Windows 10 Mobile

7.1.2 MAM FAQ

For Frequently asked questions about MAM and app protection, refer to -
https://docs.microsoft.com/en-us/intune/mam-faq