Throughout this book, our emphasis has been on how individuals can get the most out of Microsoft Windows: learn how to use its many features, save time with shortcuts and workarounds, and customize it to suit specific needs. Most of this information applies equally to a variety of devices—including tablets, laptops, and desktop PCs—in a variety of environments. Whether you use Windows as a standalone system, in a home network, in a small business network, or in an enterprise-scale operation, you can make use of this knowledge.
In this chapter, however, we depart from that focus on the individual to provide an overview of topics, products, and techniques that are useful primarily on business networks. Most require a business edition of Windows: Windows 11 Pro or Windows 11 Enterprise. (Windows 11 Education editions can also use most of these features, as can Windows 11 Pro Workstation.)
In addition, many of these features rely on Active Directory Domain Services (AD DS), which are available only on centrally managed networks running Windows Server. Azure Active Directory (Azure AD) provides a set of cloud-based management tools without the requirement to operate a local server.
Of course, we don’t have the space in this book—or any other single book—to fully document the wealth of business tools Microsoft makes available for Windows 11. Instead, our goal here is to provide a survey of some widely used tools, along with pointers to more in-depth information.
Elsewhere in this book, we describe setup, configuration, and usage of peer-to-peer (or workgroup) networks. This is the type of network usually found in homes and small businesses, and it doesn’t require a server; each computer on the network is an equally empowered peer, and access to the device and its data is managed locally.
Windows 11 Pro, Enterprise, and Education editions can also be configured in an AD DS domain. This is sometimes called on-premises Active Directory or even Windows Server Active Directory to differentiate it from Azure AD, which operates as a fully managed cloud-based service.
The traditional AD DS domain-based network requires at least one computer running a version of Windows Server, although large networks typically contain many such servers. In addition, at least one server must be designated a domain controller, a process known as promotion. Most domain-based networks contain additional domain controllers to provide for load balancing and fault tolerance.
AD DS provides identity and access services, enabling users to sign on to any domain-joined device using a single user account. In addition, if an administrator integrates AD DS with Azure AD and synchronizes accounts, then users can not only access on-premises resources and apps, they can also access cloud-based apps using single sign-on (SSO).
Note
When users and devices are joined to an on-premises AD DS environment and also to Azure AD, the result is a hybrid network. We describe this configuration in more detail later in this chapter.
AD DS supports a logical structure based on forests, trees, domains, organizational units (OUs), and sites. These containers enable administrators to group users and computers in ways that reflect the structure of the organization—by geography or department, for example.
An on-premises domain controller offers full, policy-based management capabilities, and all computers and user accounts in the on-premises environment can be centrally managed through management tools available to domain administrators who connect (typically using remote connections) to the Windows Server.
Note
You can install the domain management tools on a Windows 11 workstation by adding the Remote Server Administration Tools (RSAT) feature. Open Settings > Apps > Optional Features. Next to the Add An Optional Feature heading, click View Features and then search for RSAT. Select the appropriate tools from the (long) resulting list; you must have administrative permissions to connect to the server using these tools.
When you have more than a handful of computers in a network, connecting (or joining) them to a Windows domain makes them much easier to manage, albeit at a significant cost. Windows servers are expensive, and they require skilled administrators to keep them running properly.
Note
To join a computer to a domain, you must sign in as an administrator on the local computer and provide appropriate credentials in the domain to perform the join.
A detailed description of domains and Active Directory is well beyond the scope of this book. However, here are two resources to get you started:
Windows Server: https://www.microsoft.com/cloud-platform/windows-server
Active Directory Domain Services Overview: https://bit.ly/ADDS-overview
Azure AD provides authentication and authorization services for cloud apps hosted in Azure or Microsoft 365. It also supports widely used internet authentication protocols and standards, such as SAML and OAuth, which enables you to use Azure AD to authenticate your user accounts for access to third-party cloud apps. In addition, depending on the version of Azure AD you have, you can implement features such as multifactor authentication (MFA) and conditional access.
Note
Conditional access allows administrators to create and configure policies and conditions that users must satisfy to be able to access apps or resources. For example, an administrator can require that if a user signs in from an untrusted location, they must use MFA to authenticate before being able to connect to their Exchange Online mailbox.
While Azure AD has some fundamental similarities to AD DS, it’s a very different beast. For example, instead of using security groups to define administrative access (administrators, standard users, and so on), it provides administrative access by using role-based access control (RBAC). This aligns with the approach taken by other cloud providers.
Azure AD allows management of devices as well as user accounts. Figure 19-1, for example, shows a list of devices for the fictional organization Contoso. For mobile devices running iOS and Android, the entry under the Join Type column is Azure AD Registered. By contrast, computers running Windows desktop operating systems are listed as Azure AD Joined, which provides users with a better sign-in experience. (Don’t be fooled by entries under the Version heading. A version number of 10.0.22000 or higher represents a device running Windows 11.)
Figure 19-1 Using this Azure AD management console, administrators can review and manage devices regardless of which operating system those devices are running.
You can add users by using the Azure Active Directory admin center, or by using Windows PowerShell. To review and modify the properties of a user account, select its entry under the All Users node. If the network is configured to use Azure AD Connect, an administrator can synchronize user accounts from on-premises AD DS to Azure AD. In this configuration, synced users are displayed with the Directory Synced value of Yes, as shown in Figure 19-2.
Figure 19-2 Users on an enterprise network can be added to Azure AD, or synced from on-premises AD DS.
There are a number of versions of Azure AD:
Free Included with any subscription to a Microsoft online app or service for business use.
Microsoft 365 Apps Included in specific versions of Microsoft 365 (formerly Office 365) subscriptions. Provides the same basic function as the free version, but also supports features like self-service password reset (SSPR).
Premium P1 Available with Microsoft 365 E3 or Microsoft 365 Business subscriptions. Provides same capabilities as the free version but also includes features such as conditional access and on-premises synchronization.
Premium P2 Available with Microsoft 365 Enterprise E5. Includes all the features found in Azure AD P1 and includes Azure Identity Protection and Privileged Identity Management.
Note
Premium editions of Azure AD are available as a separate subscription that can be added on to a Microsoft 365 subscription.
Learn more about Azure AD here: https://bit.ly/AzureAD-intro.
Over the past decade, an ever-growing number of organizations have begun replacing on-premises servers with cloud-based resources. This is generally a gradual process, involving a period when some apps and resources are in on-premises domain-based networks and also in the cloud. This type of deployment is known as a hybrid network.
Network administrators typically want users to be able to sign in to their computers using a single user account that unlocks access to apps and resources regardless of where they’re located. There are two ways to set up a hybrid network.
A network administrator can choose to sync user accounts from AD DS to Azure AD using Azure AD Connect, as described earlier. In this configuration, users sign in with a single AD DS user account that enables access to on-premises resources and apps, while also providing access to cloud-based resources and apps. This is a convenient feature for administrators and users alike.
As an alternative, an administrator can join computers to both the AD DS domain and Azure AD. This configuration is known as Hybrid Azure AD Join and uses Azure AD Connect to complete the process. When configuring Azure AD Connect, an administrator can optionally specify to enable device synchronization, so that devices in the on-premises domain are synced as devices to Azure AD.
Co-management enables administrators to choose whether to manage hybrid devices using on-premises tools, such as Microsoft Endpoint Configuration Manager, or to use mobile device management (MDM) solutions such as Microsoft Intune. We discuss both of these tools later in this chapter.
Active Directory administrators use Group Policy to configure computers throughout sites, domains, or OUs. An administrator creates Group Policy Objects (GPOs), which are a collection of settings that are applied to a user’s device when they sign in. Thousands of Group Policy settings are available, although administrators need to enable and configure only those they want to enforce in their organization. After configuring the desired settings, the administrator then links a GPO to an appropriate container, such as an OU.
Then, any computer and user objects stored in that OU are configured by the settings in the GPO. The Group Policy Management console is displayed in Figure 19-3.
In a domain environment, Group Policy enables an administrator to apply policy settings and restrictions to users and computers in a single step by linking the policy to a container. Contrast that centralized management strategy with a workgroup, where you must make similar Group Policy settings on each computer where you want such restrictions imposed.
Figure 19-3 Administrators use the Group Policy Management console to create GPOs and link them to containers in Windows Server Active Directory.
Using Group Policy, an administrator can configure the following aspects of computer and user settings:
Software Settings Enables you to deploy apps to targeted computers or users.
Windows Settings Enables you to configure scripts that run during startup and shutdown or when signing in or signing out. Also provides access to important security settings.
Administrative Templates Provides access to many thousands of settings grouped into specific categories, such as Network, Printers, System, and Windows Components. Available settings can be updated when Microsoft releases a new version of Windows or Microsoft Office.
Figure 19-4 displays the Group Policy Management Editor for the Default Domain Policy in Contoso.com.
Figure 19-4 Administrators use the Group Policy Management Editor to modify the settings of a GPO.
As mentioned, the Administrative Templates node of a GPO can be updated. This requires an administrator to download and install the underlying template files, known as .admx files. For each .admx file, Microsoft provides a downloadable spreadsheet that lists the policy settings for computer and user configurations included with that version.
This spreadsheet is cumulative, so it includes all policy settings that apply to all versions of Windows 10 and Windows 11. The list also provides other details about each setting, such as the scope of the setting (machine or user), the registry value it controls, and whether a setting change requires a sign-out or reboot to take effect. The spreadsheet for Windows 11 22H2 is at https://bit.ly/Win11-22H2-GPO-reference.
For more information about Group Policy, visit the following website: https://bit.ly/Win11-22H2-GPO-reference.
You don’t need a Windows domain controller or an Active Directory infrastructure to apply Group Policy. You can apply policies on individual Windows 11 devices using Local Group Policy Editor (Gpedit.msc). In fact, we use this tool to illustrate all of the examples in this book. You can do the same, even if you don’t have access to the Group Policy Management console on a domain controller or don’t need the power of Active Directory.
Setting policies using Local Group Policy uses fundamentally similar methods as those used in an Active Directory domain. However, there are a few differences, including the following:
Domain-based GPOs support both policies and preferences. Preferences enable you to configure initial settings for the computer or user that a local user or administrator can choose to change. Local Group Policy supports only policies, not preferences.
In the Local Group Policy Editor, although the Software Settings folder is still visible, it’s nonfunctional in a local context. You cannot configure app deployment settings using local Group Policy.
Local Group Policies can be assigned to the local computer only, whereas GPOs in a domain are linked to containers that typically affect numerous computers.
User settings in Local Group Policies can be targeted at
All users
A specific user account
Administrators
Nonadministrators
Domain-based GPOs can be targeted at all users in an OU to which the GPO is linked. However, this behavior can be altered through a feature called Security Filtering.
Any settings configured through a Local Group Policy on a computer that’s AD DS domain-joined are potentially overwritten by GPOs linked to the domain or OUs in which the computer resides. In other words, Local Group Policies have a lower precedence than domain-based GPOs.
In general, you can use Local Group Policy Editor to explore available settings regardless of how you want to apply those policies. To begin exploring Group Policy, type gpedit in the Start search box, and then click Edit Group Policy. As shown in Figure 19-5, Local Group Policy Editor appears in the familiar Microsoft Management Console format.
Figure 19-5 Selecting a folder or a subfolder in the navigation pane displays all policy settings associated with that group in the details pane. When you select a setting, a description of the setting appears.
The Computer Configuration branch of Group Policy includes various computer-related settings, and the User Configuration branch includes various user-related settings. The line between computer settings and user settings is often blurred, however. Your best bet for discovering the policies you need is to scan them all. You’ll find a treasure trove of useful settings, including many that can’t be made any other way short of manually editing the registry.
In the Administrative Templates folders are many hundreds of computer settings and even more user settings, which makes this sound like a daunting task—but you can quickly skim the folder names in Local Group Policy Editor, ignoring most of them, and then scan the policies in each folder of interest.
To learn more about each policy, simply select it in Local Group Policy Editor, as shown in Figure 19-3. If you select the Extended tab at the bottom of the window, a description of the selected policy appears in the center pane.
Note
Some settings appear in both User Configuration and Computer Configuration. In a case of conflicting settings, the Computer Configuration setting always takes precedence.
Each policy setting in the Administrative Templates folders has one of three settings: Not Configured, Enabled, or Disabled. By default, all policy settings in the local Group Policy objects are initially set to Not Configured.
To change a policy setting, open Local Group Policy Editor and double-click the name of the policy setting you want to change or click the Policy Setting link that appears in the center pane of the Extended tab. A dialog then appears, as shown in Figure 19-6.
Near the top of the dialog for each setting is a large area labeled Comment, where you can add your own remarks about a policy, which can come in handy later when you are trying to remember why you changed a specific policy. The Help pane below the Comment area includes detailed information about the policy setting (the same information that appears in the center pane of the Extended tab). The pane to the left of the Help pane offers options relevant to the current policy. Previous Setting and Next Setting buttons make it convenient to go through an entire folder without opening and closing individual dialogs.
Figure 19-6 When a policy setting has configurable options, like the Start and End times shown here under the Active Hours heading, they’re available only when the policy is set to Enabled.
In larger organizations, managing PCs individually is impractical. For large-scale Windows deployments, administrators typically use centralized management software for a variety of tasks: to deploy Windows, to administer updates for Windows and other software, to manage hardware inventory and track software licenses, and to apply policies throughout an organization. These tasks traditionally apply to PCs that are owned and managed by the organization, but increasingly they’re being applied to personal devices that are used to access company services and store company data. This option typically uses mobile device management (MDM) software, which can configure security policies on devices from a variety of manufacturers, including PCs running Windows 11. This option is often referred to as Bring Your Own Device (BYOD).
Enterprise administrators have a wide selection of third-party MDM and system management tools they can use for a network with a large number of Windows 11 PCs. This section lists a number of Microsoft tools you’re likely to encounter in such an environment.
Microsoft Endpoint Configuration Manager describes a family of tools for administrators responsible for managing devices and users, both on-premises and in the cloud. Configuration Manager is a console-based application that enables an enormous range of capabilities, including allowing administrators to distribute applications, manage devices, and enforce network security.
Configuration Manager is a powerful but complex system that enables you to control all aspects of computer management. It integrates with other management tools, including Microsoft Intune, to give administrators excellent visibility into the status of their infrastructure. With the Configuration Manager console, shown in Figure 19-7, administrators can perform the following management tasks:
Deploy and manage apps.
Manage and distribute software updates.
Deploy operating systems.
Manage and deploy Windows and application updates.
Gather and interpret desktop analytics data.
Manage Microsoft Edge browser.
Configure and perform Microsoft 365 Apps management.
Figure 19-7 Administrators use the Microsoft Endpoint Configuration Manager console to manage an organization’s computing infrastructure using Endpoint Manager.
You can use the Microsoft Deployment Toolkit (MDT) to deploy Windows operating systems within an on-premises network of any size. Unlike Configuration Manager, MDT is useful only for deploying Windows; it’s not a tool for ongoing management and maintenance. That said, it’s pretty good at what it does, and doesn’t require as much specialist knowledge as Configuration Manager.
Note
The MDT can be downloaded, free, from the Microsoft download website: https://www.microsoft.com/download/details.aspx?id=54259.
MDT uses files saved in the Windows Imaging File format (.wim) and supports two types of image files:
Boot images Used to start a computer that has no local operating system installed (sometimes called bare-metal computers). Sometimes, this image is distributed to the target computers using a memory stick. But perhaps more commonly, boot images can be accessed across the network by using a PXE-capable network adapter; in this instance, the boot image is stored on a deployment server. The boot image contains a runtime version of Windows called Windows PE, which is used to launch setup, or, in this case, to launch a program that is used to apply an operating system image.
Operating system images Hardware-agnostic images that contain a complete operating system. These OS images can be applied from the Windows product DVD, in which case they’re generic; alternatively, you can capture the hard disk of a working computer to create a custom image, which might contain specific apps, drivers, and settings appropriate to your organization.
By using the MDT Deployment Workbench, shown in Figure 19-8, you can perform numerous management tasks, including the following:
Deploy Windows operating systems.
Upgrade Windows operating systems.
Migrate user settings using User State Migration Tool (USMT).
Deploy apps during OS deployment.
Deploy drivers during OS deployment.
Monitor current deployments.
Apply local GPOs as a GPO pack.
Figure 19-8 The MDT Deployment Workbench is used to upload apps, images, drivers, and other packages. The administrator then creates a task sequence to perform the desired deployment.
Full documentation for MDT is located at https://bit.ly/mdt-documentation.
Windows System Image Manager (Windows SIM) is part of the free downloadable Windows Assessment and Deployment Kit (Windows ADK). In addition to Windows SIM, the Windows ADK contains application compatibility testing tools and deployment utilities.
Windows SIM works hand in hand with the Deployment Image Servicing and Management (DISM) tool and Windows Configuration Designer to create and configure provisioning packages that can be applied either after deploying Windows 11 to a computer or during the Out Of Box Experience (OOBE) in Windows 11 setup.
You use Windows SIM to create answer files. These are XML text files used by Windows Setup to automate the responses to questions posed during the various stages of Windows Setup. You can use Windows SIM to perform the following tasks:
Create and edit answer files.
Validate your answer files against a Windows installation image.
Review configurable settings in your Windows image.
Include additional drivers, apps, and supplemental packages.
Note
If you save your answer file as Autounattend.xml, and store the file on the installation media in the root directory, Windows Setup automatically locates the file and uses the stored responses during setup.
To learn more about Windows SIM, go to https://bit.ly/Windows-SIM-overview.
Windows Autopilot is a cloud-based deployment and provisioning tool, part of Microsoft’s Mobile Device Management (MDM) and Mobile Application Management (MAM) system called Intune.
Note
Businesses can license Microsoft Endpoint Configuration Manager with Microsoft Intune; this hybrid on-premises and cloud-based management solution is referred to as Endpoint Manager.
Rather than relying on images to deploy Windows, Autopilot uses the default factory image supplied as part of a new PC from a hardware OEM. When the user turns on the PC, Windows Autopilot intercepts the OOBE portion of setup and directs the device to the organization’s server, which then provisions the device according to the organization’s requirements. This provisioning process includes the deployment of configuration profiles, compliance policies, apps, and security settings.
Windows Autopilot works only on computers that are preinstalled with Windows 10/11 Pro, Enterprise, or Education. In addition, the devices must be assigned to an Azure AD group and the users must have permission to join the devices to Azure AD. Here’s how Windows Autopilot works in practice.
An organization purchases a batch of new computers from a hardware vendor. That vendor in turn uploads the device IDs of these new computers to the Autopilot service and then ships the devices to the organization (or directly to the users). When the user turns on the computer, it connects to the Autopilot service and checks for the presence of its ID. Because the OEM previously uploaded the device IDs, OOBE now follows the prescribed settings of the organization’s Autopilot profile.
After the user enters their Azure AD account credentials, their device is Azure AD joined, enrolled in Intune, and ready for use.
Note
Although it’s a requirement that devices have internet access during setup, it’s important to note that this means the device must be able to connect to the Autopilot service and also to both Azure AD and Intune. This is not usually a problem, but can sometimes be an issue when devices connect through managed networks that control which URLs and IP addresses can be visited by users.
Using Autopilot is straightforward for organizations already using Intune.
After new and existing devices are Autopilot-enabled, an administrator can sign in using a special keyboard combination and trigger an Autopilot Reset when needed. This reset removes any personal files, apps, and settings. It resets target computers to an approved state, ready for use by a new organizational user.
In the Windows-as-a-Service era, Microsoft expects most of its customers running Windows 11 PCs in homes and small businesses to connect directly to Windows Update servers. In large organizations, administrators typically want more control over the update process.
Windows Server Update Services (WSUS) provides that control by enabling administrators to manage their own update servers, approving updates to Windows and hardware devices only after they’re confident that they’ll install without issues.
Note
WSUS is implemented by installing the Windows Server Update Services server role on a Windows Server computer.
To use WSUS on Windows 11, you must modify a number of computer settings to point your Windows 11 devices to the internal WSUS servers. This is best achieved by using Group Policy.
Open the Group Policy Management console and then select the appropriate GPO for editing. Open the GPO in the Group Policy Management Editor and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage Updates Offered From Windows Server Update Service. Then select the Specify Intranet Microsoft Update Service Location policy. Enable this policy, and then, as shown in Figure 19-9, specify the intranet server URL, the statistics URL, and optionally, the alternate download server URL.
Figure 19-9 Edit these Group Policy settings to specify from which WSUS server the client computers will obtain their updates. You can also specify a secondary update server.
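The policy described above is stored on each client as registry values under the Windows Update policy key. The following script, added here as an example and not taken from the book, reads those values on a Windows 11 client and flags the two conditions an administrator most often gets wrong: the intranet server not actually being used, and a server URL that is not HTTPS (Microsoft’s WSUS documentation recommends securing the server with TLS). The function names are assumptions; the registry key and value names are the ones the policy writes.

```powershell
# Added example (not from the book): audit the Windows Update client policy that the
# "Specify Intranet Microsoft Update Service Location" GPO writes to the registry.
# Run in an elevated PowerShell session on the Windows 11 client being checked.
function Get-WsusClientPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Values written by the policy: WUServer (intranet update URL), WUStatusServer
    # (statistics URL), UpdateServiceUrlAlternate (alternate download server) and
    # AU\UseWUServer (1 = the client actually uses the intranet server).
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UseWUServer     = [int]($au.UseWUServer)
        WUServer        = $wu.WUServer
        WUStatusServer  = $wu.WUStatusServer
        AlternateServer = $wu.UpdateServiceUrlAlternate
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)] $Policy)

    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer and scans against Windows Update directly.'
    }

    foreach ($name in 'WUServer', 'WUStatusServer', 'AlternateServer') {
        $url = $Policy.$name
        if ([string]::IsNullOrWhiteSpace($url)) { continue }

        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is not a valid absolute URL: $url"
        } elseif ($uri.Scheme -ne 'https') {
            # Microsoft recommends TLS for WSUS; a plain-HTTP URL leaves the
            # client/server exchange unauthenticated on the network.
            $findings += "$name uses $($uri.Scheme) rather than https: $url"
        }
    }

    if ($findings.Count -eq 0) {
        $findings += 'OK: WSUS client policy is in effect and every configured URL uses HTTPS.'
    }
    $findings
}

Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```

Because domain GPOs overwrite local policy (as noted earlier in this chapter), run this on a domain-joined client after gpupdate to see the settings that actually apply.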
The official documentation for WSUS is at https://bit.ly/WSUS-intro.
Windows Update for Business is not really a service; rather, it’s a collection of configurable settings that you can use to determine when Windows Updates are applied to your Windows 11 computers. You can apply these settings using Group Policy or by using an Intune device configuration profile.
As we noted earlier, Windows updates are divided into two main categories: quality updates and feature updates. (For more details, see “Keeping Windows up to date” in Chapter 12, “Windows security and privacy.”) Quality updates are delivered monthly (although some critical security updates are delivered “out of band”—that is, outside the regular schedule) and are cumulative; in other words, each new update package includes operating system fixes and minor changes from previous releases. Feature updates, as the name suggests, introduce new features and are now released annually in the second half of each year.
Note
Feature updates are now identified with a year prefix and a suffix that identifies when in the year the update was released. Windows 11 version 22H2, for example, was released in the second half of 2022.
To implement Windows Update for Business in an on-premises environment, you use Group Policy on a domain controller in larger networks; on small networks without a Windows domain, you can use local Group Policy settings. Open the Group Policy Management console or Local Group Policy Editor and then select the appropriate GPO for editing.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage Updates Offered From Windows Update. Then enable and configure the following settings, shown in Figure 19-10:
Select When Preview Builds And Feature Updates Are Received Enables you to defer these updates for up to 365 days.
Select When Quality Updates Are Received Enables you to defer quality updates for up to 30 days.
Manage Preview Builds Enables you to opt into a Windows Insider channel for previews of upcoming updates. Choose between Dev Channel, Beta Channel, and Release Preview Channel.
Figure 19-10 You will typically group your computers together and then use GPO security filtering to apply different Windows Update for Business settings.
On a domain-based network, an administrator can configure all computers with the same settings by creating a GPO and linking it to the domain object. To create different update settings for different groups of computers, use the following high-level procedure:
Create a security group for each collection of computers and add the required computers to that group.
Create a separate GPO for each collection of computers.
Link the GPOs to the domain object in the organization.
Use security filtering to ensure that a particular GPO only applies to a specific group.
Configure the required update settings in each GPO.
In this way, administrators can ensure that specific update settings are applied to groups of computers that they want to manage in the same fashion. For example, an organization might want a small group of technically sophisticated users to install updates as soon as they’re released by Microsoft, knowing those users will report any issues they encounter. Remaining devices can be configured to defer updates for 10 to 14 days, after they’ve been given the all-clear by those early adopters. It’s also easy to reconfigure the update settings for a computer because all you need to do is remove that computer from one security group and add it as a member to another security group; this causes the computer to reconfigure its update settings.
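The five-step procedure above can be scripted with the ActiveDirectory and GroupPolicy modules from RSAT. The script below is an added example, not the book’s or Microsoft’s code: the group and GPO names, the OU path and the two-ring early-adopter/broad scenario are assumptions, while the registry values are those written by the Windows Update for Business policies under Manage Updates Offered From Windows Update.

```powershell
# Added example (not from the book): create a security group and a security-filtered
# GPO per update ring, then set the deferral policies in each GPO.
# Requires the RSAT ActiveDirectory and GroupPolicy modules and domain admin rights.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com
$ouPath   = "OU=Groups,$domainDN"              # assumed OU that will hold the ring groups

# Early adopters take updates as soon as Microsoft releases them; the broad ring waits
# 14 days for quality updates (policy allows 0-30) and 60 for feature updates (0-365).
$rings = @(
    @{ Name = 'WU-Ring-Early'; Quality = 0;  Feature = 0  },
    @{ Name = 'WU-Ring-Broad'; Quality = 14; Feature = 60 }
)
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

foreach ($ring in $rings) {
    # Step 1: one security group per collection of computers.
    if (-not (Get-ADGroup -Filter "Name -eq '$($ring.Name)'")) {
        New-ADGroup -Name $ring.Name -GroupScope Global -GroupCategory Security -Path $ouPath
    }

    # Step 2: a separate GPO for each collection (same name as the group for clarity).
    $gpo = Get-GPO -Name $ring.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $ring.Name }

    # Step 3: link every ring GPO to the domain object.
    New-GPLink -Name $ring.Name -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

    # Step 4: security filtering. Authenticated Users keeps Read (required for policy
    # processing since MS16-072) but loses Apply; only the ring group gets Apply.
    Set-GPPermission -Name $ring.Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $ring.Name -TargetName $ring.Name -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Step 5: the deferral settings (1 = Enabled, then the deferral period in days).
    Set-GPRegistryValue -Name $ring.Name -Key $wuKey -ValueName DeferQualityUpdates -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $ring.Name -Key $wuKey -ValueName DeferQualityUpdatesPeriodInDays -Type DWord -Value $ring.Quality | Out-Null
    Set-GPRegistryValue -Name $ring.Name -Key $wuKey -ValueName DeferFeatureUpdates -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $ring.Name -Key $wuKey -ValueName DeferFeatureUpdatesPeriodInDays -Type DWord -Value $ring.Feature | Out-Null
}

# Moving a computer between rings is only a group membership change; the client picks up
# the new GPO at its next policy refresh. 'PC-LAB-01' is an assumed computer name.
Add-ADGroupMember -Identity 'WU-Ring-Early' -Members (Get-ADComputer -Identity 'PC-LAB-01')
```

Keep a computer in exactly one ring group: a machine in two groups receives both GPOs, and the link order on the domain object, not your intent, decides which deferral wins.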
Many organizations are moving some or all of their IT infrastructure to the cloud. If you work for a small organization, it’s entirely possible that all your services are delivered via cloud providers. For larger organizations, and certainly for enterprise-level organizations, you’ll probably find that your infrastructure is hybrid; in other words, some services are provided by servers and apps in on-premises networks while others are delivered through service providers in the cloud.
Microsoft offers a range of cloud services that can be used with Windows 11. We describe them in more detail in this section.
Microsoft 365 (formerly known as Office 365) is often an organization’s starting point to the cloud. Rather than manage and maintain Windows Server computers to host apps like Exchange Server and SharePoint Server, organizations choose to subscribe to a solution that provides these capabilities in a serverless, managed, pay-as-you-go subscription, with the option to add the traditional Office desktop apps (Word, Excel, PowerPoint, Outlook, and more).
Microsoft 365 Enterprise plans can include Windows licenses and other advanced features as well. Microsoft 365 Enterprise E3 plans, for example, include the following:
Windows 11 Enterprise licenses for users.
Device and app management through Intune.
Advanced identity and access management features.
Threat protection, information protection, and compliance management.
Microsoft 365 Enterprise E5 includes all the standard plan features, together with those for Enterprise E3, plus the following additional capabilities:
Advanced analytics.
Additional identity and access management features.
Additional information protection.
Additional compliance management features.
You can review the current Microsoft 365 Enterprise plans at the following Microsoft website: https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans.
Administrators can manage an organization’s Microsoft 365 subscription from web-based portals, as displayed in Figure 19-11. They can also use Windows PowerShell to perform more granular administrative tasks.
Figure 19-11 You can use the Microsoft 365 Admin Center to manage Microsoft 365 services. Each service, such as Exchange Online, also provides its own management tool that is accessible through a web browser.
To access these services, a user must sign in to Azure AD using a licensed account. For Windows 11, this typically means performing an Azure AD Join operation. Any user can do this during Windows Setup, or thereafter in Settings. An administrator can also automate the Azure AD Join process by using provisioning.
A Windows 11 computer that is Azure AD joined enables a user to sign in to that computer using their Azure AD user account. All installed client apps (such as Outlook or Teams) are automatically configured to use the signed-in user account details.
Note
Users cannot Azure AD Join non-Windows computers, such as Apple Macs running macOS or phones or tablets running iOS or Android. However, these devices can be registered in Azure AD. As long as the user account associated with a device is licensed, the user can connect to the Microsoft 365 services, but they can’t seamlessly sign in to services using that Azure AD account; instead, they must enter the Azure AD user account details for each app they want to connect with.
Perhaps the first exposure many IT professionals have to Microsoft Azure is hosting infrastructure, such as file servers running on virtual machines (VMs). Over the past few years, organizations have increasingly used virtualization to support on-premises workloads. Moving to the cloud is often viewed as a means to run those same VMs in someone else’s datacenters, as displayed in Figure 19-12.
Figure 19-12 Adding VMs to Azure is straightforward. You can set up a cloud-based VM from scratch, or migrate your on-premises VMs to the cloud.
Installing Windows 11 on a VM in Azure is a fairly straightforward process and doesn’t require advanced technical skills. When you create a VM in Azure, you define the operating system and virtual machine hardware characteristics using a wizard that guides you through the process.
Note
To create an Azure VM with Windows 11, you’ll need an Azure subscription. The subscription is free, but the VM incurs charges when it’s running.
Sign in as an administrator in your Azure subscription and select Virtual Machines. Click Create, and follow the on-screen instructions to define the characteristics of your VM. Some important ones, on the Basics page, are the following:
Image Choose an appropriate Windows 11 image from the extensive selection.
Size Choose a suitable virtual processor and allocate the desired amount of virtual memory.
Licensing You can select the I Confirm I Have An Eligible Windows 10/11 License With Multi-tenant Hosting Rights option if you already have a Windows 11 Enterprise E3/E5 per user or Azure Virtual Desktop Access per user license. This saves you from paying for a Windows 11 license for the VM. For more details, visit https://bit.ly/deploy-win11-on-azure.
It’s important to note that because the VM with Windows 11 is running in Azure, you must connect to it remotely. For graphical access, you can do this using the Remote Desktop Protocol (RDP), which is enabled by default.
Note
Be prepared for a rude shock if you forget to shut down a running Azure VM after using it. You pay by the minute for any Azure resources you’re using, even if a virtual device is simply idling. For Windows 11 Azure VMs, remember to shut down when the session is complete.
Although installing Windows 11 on a VM in Azure has benefits, it’s perhaps not the easiest way of accessing a cloud-based Windows PC. This is where Windows 365 can be beneficial.
Windows 365 is a fully hosted Windows desktop PC that runs in the Microsoft cloud, but is accessible from virtually any device that has an internet connection, including tablets and PCs running non-Microsoft operating systems. The service is independent of Azure and Microsoft 365 and is available for a free 30-day trial.
For a more detailed overview, visit https://learn.microsoft.com/windows-365/overview.
There’s no technical configuration required; select the appropriate subscription and click Buy Now. You can choose a cloud PC by selecting from a list of configurations that vary from a basic model (2 virtual CPUs, with 4 GB of memory, and 64 GB of storage) to much more powerful devices with up to 8 vCPUs, 32 GB of RAM, and 512 GB of storage.
The Basic, Standard, and Premium configurations come inclusive with installed features and apps, such as Microsoft Endpoint Manager, desktop versions of Office apps, and integration with Intune for MDM.
Organizations can choose from two options:
Windows 365 Business For smaller companies and organizations of up to 300 seats. Provides a ready-to-use cloud PC with straightforward management.
Windows 365 Enterprise For large organizations that need unlimited seats for licensing. Enables administrators to build custom cloud PCs from images they create.
Windows 365 cloud PCs are charged monthly on a per-user basis. You can review current pricing plans for Windows 365 at https://www.microsoft.com/windows-365/all-pricing.
As an organization moves resources into the cloud, its security focus shifts toward the endpoints—the devices that employees use to access organizational data. Microsoft Defender for Endpoint offers a collection of security tools designed for enterprise administrators. It provides the following capabilities:
Endpoint behavioral sensors Built in to Windows 11, sensors monitor behavior of the operating system and collect related data. This data is then sent to the organization’s instance of Microsoft Defender for Endpoint in the cloud.
Cloud security analytics The behavioral data collected from endpoints is presented in a meaningful way, identifying threats, helping security analysts understand what’s happening, and providing suggestions for mitigating detected threats.
Threat intelligence This feature helps security professionals identify specific attacker tools and techniques, generating alerts when those tools and techniques are found in endpoint data.
As with most enterprise features, Microsoft Defender for Endpoint is available in a variety of subscription plans at different price points. It also requires configuration of the devices to be monitored, using Group Policy or management tools such as Intune.
Find out more at https://bit.ly/ms-defender-for-endpoint.
As mentioned earlier, Intune enables administrators to perform mobile device management (MDM) and mobile application management (MAM) for their organization’s devices. Intune performs a similar function to Group Policy in an on-premises network. However, Intune works in a different way. Whereas AD DS only supports Windows computers, administrators can use Intune to manage and configure a variety of devices, running a range of operating systems that includes macOS, iOS, Android, and, of course, Windows 10 and Windows 11.
The Overview page in the Microsoft Endpoint Manager admin center displays summary information about managed devices, as shown in Figure 19-13.
Figure 19-13 A view of the Devices page in Microsoft Endpoint Manager admin center. From here, administrators can review the enrollment status, compliance status, and configuration status of users’ devices.
Administrators can use Intune to perform the following management tasks:
Configure devices Create and apply device configuration profiles that can configure firmware settings, device restrictions, email accounts, Wi-Fi and VPN connectivity profiles, and much more.
Verify compliance Create and apply compliance policies that require devices to meet specified security settings. Noncompliant devices can be removed from Intune. You can also use compliance status in Azure AD conditional access policies.
Deploy and configure apps Distribute, configure, and manage a variety of app types, including Windows desktop apps, Store apps, and line of business apps.
Secure devices Use endpoint security policies to configure the desired security settings for devices, including settings like disk encryption, firewall settings, account protection, and endpoint detection and response.
It’s important to note that some management features require that users’ devices be enrolled in Intune. However, not all features require this. It’s possible, for example, to manage the settings in apps without device enrollment.
Generally, devices are enrolled in Intune when they are joined to Azure AD. However, you can also enroll into Intune in other ways, including as a separate task by using the Settings app in Windows 11.
Note
Enrollment creates a management relationship between the device and Intune.
After you’ve enrolled and configured devices, you can review their properties in the Intune console. You can review hardware, discovered apps, device compliance, device configuration (as displayed in Figure 19-14), app configuration, recovery keys (BitLocker), and other settings.
Figure 19-14 The device configuration page for a Windows 11 PC in Intune gives administrators tools for monitoring and managing device configurations.
Full documentation for Microsoft Intune is available at https://learn.microsoft.com/mem/intune/.
A signature feature of Intune is the ability to deploy and manage apps across a variety of operating systems. On Windows 11 PCs, administrators can deploy the following types of apps:
Store apps Rather than requiring, or even allowing, users to install apps from the OS store for their device, an Intune administrator can create a Store app deployment that points to the URL for the required app. They can then make the app available for users in the organization without additional intervention.
Microsoft 365 Apps Administrators can deploy Outlook, Excel, Word, and other Office desktop apps (collectively branded as Microsoft 365 Apps) to both Windows and macOS users. For Windows users, they can determine which specific components are installed.
Microsoft Edge Using Intune, administrators can deploy the new Edge browser to devices running macOS or Windows. They can deploy Edge to iOS and Android devices using the app stores for those platforms.
Other Includes web link apps, line of business apps, and Win32 apps.
After deployment, administrators can use App Configuration Policies to configure the apps’ settings. They can also use App Protection Policies to stipulate requirements for the use of an app when connecting to corporate data. These settings determine what a user can do with corporate data on their device and, importantly, whether the corporate data can be decrypted and shared outside the organization. These policies vary based on the operating system of the managed device.
In Figure 19-15, the administrator has selected the All Apps node resulting in a filtered display of the available apps for the organization. For these apps to be delivered to user devices, an administrator typically assigns the apps to a group.
Figure 19-15 The Endpoint Manager admin center All Apps folder displays a list of all apps owned by the organization. The list can be filtered, as here, to apps for Windows only.
Throughout this book, we focus almost exclusively on desktop and notebook PCs that are configured for use by a single primary user, with secondary accounts set up as needed for others in a family or business who occasionally need to use that device. In businesses, however, other scenarios are sometimes appropriate. In the following sections, we look at two specialized Windows configurations: shared PCs and kiosk devices.
A school or business might find it useful to have a shared PC—one that can be used by any student or employee as needed or one that you want to make available for temporary use by customers and visitors. A feature in Windows 11 called shared PC mode makes this easier than in previous versions.
Shared PC mode requires that the computer be joined to an AD DS domain or to Azure Active Directory. After that step is complete, an administrator applies a series of customizations using mobile device management software, such as Microsoft Intune; as an alternative, they can use a provisioning package created with the Windows Configuration Designer (WCD), which is free in the Microsoft Store: https://www.microsoft.com/store/productId/9NBLGGH4TX22. Figure 19-16 shows the first step of creating a provisioning package using WCD.
Using either method, you can configure the shared PC to allow access by anyone with an account in the organization’s directory, guests, or both. You can also configure what happens when a user signs off: automatically delete the account’s local profile and data, or save the cached data for faster sign-in next time.
You can find step-by-step instructions for setting up and using shared PC mode at https://bit.ly/shared-pc-mode.
Figure 19-16 Smaller organizations that don’t have access to MDM software can use the Windows Configuration Designer to create a Shared PC provisioning package.
Another common scenario in business is to set up a kiosk device—a computer that is set up to do only one thing. An office might use this computer as a check-in device for guests; a retail business could put a kiosk PC on the retail floor and allow customers to use the device’s touchscreen to view a product catalog or check prices. You could configure a device using these tools to run a single app, such as a banking program or an inventory app, while eliminating the risk that a worker will inadvertently allow the machine to be compromised by using a web browser or an email program.
Windows 11 supports several additional kiosk configurations, including multiapp kiosks, which display a simplified Start menu that makes it possible for kiosk users to choose from a list of allowed apps.
You can also configure a kiosk device to run Microsoft Edge in a variety of configurations—as a public browser with user data protected, for example, or as a digital sign or interactive display showing the contents of a single site.
To set up kiosk mode, open Settings > Accounts > Other Users. Under the Set Up A Kiosk heading, click Get Started.
Next, either specify to create a new account to run kiosk mode, or select an existing account, and click Next. We recommend that you choose the option to create a new account for kiosk use; when you do so, Windows automatically configures that account to sign in automatically at startup. If you choose an existing account, users need to sign in using that account’s password.
After specifying the user account, choose the app that will run in kiosk mode, as shown in Figure 19-17.
Figure 19-17 You can choose any modern app to run that’s installed on the kiosk computer. If you use provisioning to configure kiosk mode, you can also select a desktop app.
If you choose Microsoft Edge as the single app to run, the Set Up A Kiosk page in Settings offers these two options:
As a digital sign or interactive display
As a public browser
Click Next to specify the default URL where the browser will return after a defined period of inactivity, which will also reset the current browser session. Then click Next and Close. Kiosk mode is now set up.
You can configure a kiosk-mode device in multi-app mode or any browsing configuration using an XML file and mobile device management software such as Microsoft Intune, or you can create a provisioning package using Windows Configuration Designer, as discussed earlier in this section.
With your device thus configured, it launches directly to the configured kiosk app, running in a full screen and lacking most elements of the Windows 11 interface, including the Start button and taskbar. To exit kiosk mode, press Ctrl+Alt+Delete and sign in using another account.
To undo or adjust this setup, return to Settings > Accounts > Other Users. Click Assigned Access, click to select the user account configured for kiosk mode, and click Remove Kiosk. Click the app name to reveal a Change Kiosk App button that allows you to choose a different app.
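The shared PC options described earlier (account model and profile deletion) and the XML-driven kiosk configuration just mentioned both go through the same configuration service providers that Intune or a WCD provisioning package would set. This added example (not from the book) applies both locally through the MDM Bridge WMI provider; it assumes a local account named KioskUser already exists and that the script runs as LOCAL SYSTEM (for example via PsExec -s), which the bridge requires.

```powershell
# Added example: shared PC mode plus a single-app kiosk through the MDM bridge.
# Assumptions: local account "KioskUser" exists; script runs as LOCAL SYSTEM.
$ns = 'root\cimv2\mdm\dmmap'

# --- Shared PC (SharedPC CSP): directory accounts and guests, wipe profiles at sign-out ---
$shared = Get-CimInstance -Namespace $ns -ClassName 'MDM_SharedPC'
$shared.EnableSharedPCMode   = $true
$shared.AccountModel         = 2      # 0 = directory accounts only, 1 = guests only, 2 = both
$shared.DeletionPolicy       = 0      # 0 = delete the local profile immediately at sign-out
$shared.RestrictLocalStorage = $true  # keep user data off local drives
$shared.EnableAccountManager = $true  # needed so the profile clean-up actually runs
Set-CimInstance -CimInstance $shared

# --- Kiosk (AssignedAccess CSP): lock KioskUser to Calculator in single-app mode ---
$profileId = '{' + [guid]::NewGuid().ToString() + '}'
$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="$profileId">
      <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>KioskUser</Account>
      <DefaultProfile Id="$profileId" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
"@
$kiosk = Get-CimInstance -Namespace $ns -ClassName 'MDM_AssignedAccess'
# The CSP stores the XML as an HTML-escaped string
$kiosk.Configuration = [System.Net.WebUtility]::HtmlEncode($xml)
Set-CimInstance -CimInstance $kiosk

# Read both settings back so you can confirm what the device will enforce
$sharedNow = Get-CimInstance -Namespace $ns -ClassName 'MDM_SharedPC'
$sharedNow | Select-Object EnableSharedPCMode, AccountModel, DeletionPolicy, RestrictLocalStorage
$kioskNow = Get-CimInstance -Namespace $ns -ClassName 'MDM_AssignedAccess'
[System.Net.WebUtility]::HtmlDecode($kioskNow.Configuration)
```

A multi-app kiosk uses the same AssignedAccess XML with an AllAppsList of allowed apps in place of KioskModeApp; the read-back at the end is the quickest way to confirm which account and profile the device is actually enforcing.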