Practice Lab: Creating and Deploying Configuration Profiles
Summary
In this lab, you will use Microsoft Intune to create and apply a Configuration profile for a Windows 11 device.
Prerequisites
The following lab(s) must be completed before this lab:
- 0101-Managing Identities in Azure AD
- 0102-Synchronizing Identities by using Azure AD Connect
- 0203-Manage Device Enrollment into Intune
- 0204-Enrolling devices into Intune
Note: You will also need a mobile phone that can receive text messages; it is used to secure Windows Hello sign-in authentication to Azure AD.
Exercise 1: Create and apply a Configuration profile
Scenario
You need to use Azure Active Directory (Azure AD) and Intune to manage members of the Developers department at Contoso. You have been asked to evaluate solutions that would enable these users to work effectively and securely on Windows 11 devices. Aaron Nicholls has volunteered to help you test and evaluate the solution and provide feedback. He has also given you some initial requirements that must be applied to the developers' Windows devices:
- The Gaming section in Settings should not be visible.
- The Privacy section in Settings should be restricted as much as possible.
- The C:\DevProjects folder must be excluded from Windows Defender.
- The process devbuild.exe must be excluded from Windows Defender.
- Most used apps and Recently added apps should not be displayed on the Start menu.
Task 1: Verify device settings
- Sign in to SEA-WS1 as Aaron Nicholls with the PIN 102938.
- On the taskbar, select Start and then select Settings.
- On the Settings navigation list, verify that you can see the Gaming setting.
- Select the Personalization setting and then, on the Personalization page, select Start. Ensure that Show recently added apps and Show most used apps are both set to On.
- In the Settings app, select Privacy & security.
- On the Privacy & security page, take note of the options under Security, Windows permissions, and App permissions.
- On the Privacy & security page, select Windows Security and then select Open Windows Security.
- On the Windows Security page, select Virus & threat protection.
- On the Virus & threat protection page, under Virus & threat protection settings, select Manage settings.
- Scroll down to Exclusions and select Add or remove exclusions. At the User Account Control prompt, select Yes.
- On the Exclusions page, verify that no exclusions have been configured.
- Close the Windows Security window.
- Close the Settings window.
Task 2: Create a Configuration profile based on scenario requirements
- Switch to SEA-SVR1.
- On SEA-SVR1, on the taskbar, select Microsoft Edge.
- In Microsoft Edge, type https://intune.microsoft.com in the address bar, and then press Enter.
- Sign in as [email protected] with the tenant Admin password.
- In the Microsoft Intune admin center, select Devices from the navigation bar.
- On the Devices | Overview page, select Configuration profiles.
- On the Devices | Configuration profiles blade, in the details pane, select Create profile.
- In the Create a profile blade, select the following options, and then select Create:
  - Platform: Windows 10 and later
  - Profile type: Templates
  - Template name: Device restrictions
- In the Basics blade, enter the following information, and then select Next:
  - Name: Contoso Developer - standard
  - Description: Basic restrictions and configuration for Contoso Developers.
- On the Configuration settings blade, expand Control Panel and Settings.
- Select Block next to the Gaming and Privacy options.
- On the Device restrictions blade, expand Start.
- Scroll down and select Block next to Most used apps, Recently added apps, and Recently opened items in Jump Lists.
- On the Device restrictions blade, scroll down and expand Microsoft Defender Antivirus.
- Under Microsoft Defender Antivirus, scroll down and expand Microsoft Defender Antivirus Exclusions.
- Under Microsoft Defender Antivirus Exclusions, in the Files and folders box, type C:\DevProjects
- In the Processes box, type DevBuild.exe
- Select Next three times until you reach the Review + create blade. Select Create.
Task 3: Create the Contoso Developer device group
- In the Microsoft Intune admin center, in the navigation pane, select Groups.
- On the Groups | All groups blade, select New group.
- On the New Group blade, enter the following information:
  - Group type: Security
  - Group name: Contoso Developer devices
  - Group description: All Windows devices in Contoso Developer department
  - Membership type: Assigned
- Under Members, select No members selected.
- On the Add members blade, in the Search box, type Sea. Select SEA-WS1 and then choose Select.
- On the New Group blade, select Create.
- On the Groups | All groups blade, verify that the Contoso Developer devices group is displayed.
Task 4: Create a dynamic Azure AD device group
- On the Groups | All groups blade, in the details pane, select New group.
- On the New Group blade, provide the following values:
  - Group type: Security
  - Group name: Windows Devices
  - Membership type: Dynamic Device
- Under the Dynamic device members section, select Add dynamic query.
- On the Dynamic membership rules blade, in the Rule syntax section, select Edit.
- In the Edit rule syntax text box, add the following simple membership rule and select OK:
  (device.deviceOSType -contains "Windows")
- On the Dynamic membership rules blade, select Save.
- On the New Group blade, select Create.
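The same dynamic device group can be created and checked from PowerShell rather than the portal. The script below is an added example, not part of the lab, and assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in administrator can create groups (Group.ReadWrite.All). The group name and rule are the ones from Task 4; the mail nickname and description are made up for this example.

```powershell
# Added example (not part of the lab): create the "Windows Devices" dynamic device group
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed
# and the signed-in admin can create groups (Group.ReadWrite.All).

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# The rule is the same one the lab pastes into the Edit rule syntax box. Single quotes
# keep the double quotes inside the rule intact.
$rule = '(device.deviceOSType -contains "Windows")'

$group = New-MgGroup `
    -DisplayName "Windows Devices" `
    -Description "All Windows devices (dynamic membership)" `
    -MailEnabled:$false `
    -MailNickname "WindowsDevices" `
    -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Read the group back and confirm the stored rule is exactly what was intended. A typo in
# the rule silently widens or empties the group, and every policy assigned to the group
# follows its membership, so this is worth checking before assigning anything to it.
$stored = Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
if ($stored.MembershipRule -ne $rule) {
    throw "Stored rule '$($stored.MembershipRule)' differs from expected '$rule'"
}
"Created group $($stored.DisplayName) ($($stored.Id)); processing state: $($stored.MembershipRuleProcessingState)"

# Dynamic membership is evaluated by the service asynchronously, so the member list can be
# empty for a few minutes after creation. Poll briefly, then list what the rule matched.
$members = @()
for ($i = 0; $i -lt 6 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 30
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
}

# Members come back as generic directory objects; the device properties sit in AdditionalProperties.
$members | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.AdditionalProperties['displayName']
        Type        = $_.AdditionalProperties['@odata.type']
        OS          = $_.AdditionalProperties['operatingSystem']
    }
} | Format-Table -AutoSize
```

Reading the rule back and listing the resulting members is the part worth keeping: the membership rule decides which devices receive every profile assigned to the group, so confirm it matches only the devices you expect before using the group in an assignment.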
Task 5: Assign a Configuration profile to Windows devices
- In the Microsoft Intune admin center, in the navigation pane, select Devices.
- On the Devices | Overview blade, select Configuration profiles.
- On the Devices | Configuration profiles blade, in the details pane, select the Contoso Developer - standard profile.
- On the Contoso Developer - standard blade, scroll down to the Assignments section, and select Edit.
- On the Assignments page, under Included groups, select Add groups.
- On the Select groups to include blade, in the Search box, select Contoso Developer devices and then select Select.
- Back on the Device restrictions blade, select Review + save, then select Save.
- In the Microsoft Intune admin center, select Devices in the breadcrumb navigation menu.
Task 6: Verify that the Configuration profile is applied
- Switch to SEA-WS1.
- On SEA-WS1, on the taskbar, select Start and then select Settings.
- In Settings, select Accounts and then select Access work or school.
- In the Access work or school section, select the Connected to Contoso's Azure AD link and then select Info.
- On the Managed by Contoso page, scroll down and then, under Device sync status, select Sync. Wait for the synchronization to complete.
- Close the Settings app.
Note: The sync may take up to 15 minutes before the profile is applied to the Windows 11 device. Signing out or restarting the device can accelerate this process (sign back in with the PIN 102938).
- On SEA-WS1, select Start and then select Settings. Verify that the Gaming setting has been removed.
- Select Privacy & security and notice that many of the privacy settings are now hidden.
- Select the Personalization setting and then select Start. Verify that Show recently added apps and Show most used apps are set to Off.
- In the Settings app, select Privacy & security.
- On the Privacy & security page, select Windows Security and then select Open Windows Security.
- On the Windows Security page, select Virus & threat protection.
- On the Virus & threat protection page, select Manage settings under Virus & threat protection settings.
- Scroll down to Exclusions and select Add or remove exclusions. Select Yes at the User Account Control prompt.
- On the Exclusions page, verify that C:\DevProjects and DevBuild.exe are displayed.
- Close the Windows Security page and then close the Settings app.
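Clicking through Settings confirms the profile for one device; on more than a handful of devices you want the same checks as a script. The function below is an added example, not part of the lab, to be run in an elevated PowerShell on the enrolled device (SEA-WS1). It assumes the Defender cmdlets (Get-MpPreference) are available and that the Intune Policy CSP settings are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device (the Settings/PageVisibilityList and Start/HideRecentlyAddedApps and HideFrequentlyUsedApps policies) on this build; the function name and the PrivacyHidden parameter are made up for this example. It also reports any Defender exclusion beyond the two the scenario approved, since exclusions are the one setting in this profile that relaxes protection rather than tightening it.

```powershell
# Added example (not part of the lab): verify from SEA-WS1 that the "Contoso Developer - standard"
# profile applied. Run elevated on the enrolled device. Assumptions: Defender cmdlets are
# available, and Intune's Policy CSP values are mirrored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device on this build.

function Test-DevProfileApplied {
    [CmdletBinding()]
    param(
        [string[]]$ExpectedPaths     = @('C:\DevProjects'),
        [string[]]$ExpectedProcesses = @('DevBuild.exe'),
        # Exercise 2 later unblocks Privacy; re-run with -PrivacyHidden $false after that change.
        [bool]$PrivacyHidden = $true
    )

    # --- Microsoft Defender exclusions -------------------------------------------
    $pref  = Get-MpPreference
    $paths = @($pref.ExclusionPath)
    $procs = @($pref.ExclusionProcess)

    # -contains / -notcontains on string arrays are case-insensitive, which matches how
    # Defender treats paths and process names (devbuild.exe and DevBuild.exe are the same).
    $missingPaths = @($ExpectedPaths     | Where-Object { $paths -notcontains $_ })
    $missingProcs = @($ExpectedProcesses | Where-Object { $procs -notcontains $_ })

    # Anything excluded beyond the approved entries weakens scanning, so surface it instead
    # of only checking that the expected entries exist. Extension exclusions were never
    # requested, so any at all are unexpected.
    $extraPaths = $paths | Where-Object { $ExpectedPaths     -notcontains $_ }
    $extraProcs = $procs | Where-Object { $ExpectedProcesses -notcontains $_ }
    $extraExts  = $pref.ExclusionExtension
    $unexpected = @(@($extraPaths) + @($extraProcs) + @($extraExts) | Where-Object { $_ })

    # --- Policy CSP mirror for the Settings and Start restrictions ---------------
    $base     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    $start    = Get-ItemProperty -Path "$base\Start"    -ErrorAction SilentlyContinue
    $settings = Get-ItemProperty -Path "$base\Settings" -ErrorAction SilentlyContinue

    # Assumption: Intune writes the "hide:" form of PageVisibilityList, listing the
    # blocked pages (gaming-..., privacy-...) rather than the "showonly:" form.
    $visibility    = [string]$settings.PageVisibilityList
    $usesHideList  = $visibility -match '^hide:'
    $gamingHidden  = $usesHideList -and ($visibility -match 'gaming')
    $privacyHidden = $usesHideList -and ($visibility -match 'privacy')

    [pscustomobject]@{
        DefenderPathsOk        = ($missingPaths.Count -eq 0)
        DefenderProcessesOk    = ($missingProcs.Count -eq 0)
        UnexpectedExclusions   = $unexpected
        GamingPageHidden       = $gamingHidden
        PrivacyPagesAsExpected = ($privacyHidden -eq $PrivacyHidden)
        RecentlyAddedHidden    = ($start.HideRecentlyAddedApps  -eq 1)
        MostUsedHidden         = ($start.HideFrequentlyUsedApps -eq 1)
        PageVisibilityList     = $visibility
    }
}

$result = Test-DevProfileApplied
$result | Format-List

$ok = $result.DefenderPathsOk -and $result.DefenderProcessesOk -and $result.GamingPageHidden -and
      $result.PrivacyPagesAsExpected -and $result.RecentlyAddedHidden -and $result.MostUsedHidden -and
      ($result.UnexpectedExclusions.Count -eq 0)
if (-not $ok) { Write-Warning "One or more settings from the profile have not applied on this device." }
```

If the Defender checks pass but the Settings and Start checks do not, the profile has reached the device only partially; wait for the sync described in the note above (or trigger one from the admin center) and run the function again. In a remediation script you would replace the final warning with a non-zero exit code so the result is reported back centrally.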
Results: After completing this exercise, you will have successfully created and assigned a Configuration profile for a Windows 11 device.
Exercise 2: Modify an assigned Configuration profile policy
Scenario
There was an exception to Contoso's policy that specifies that members of the Developer department should not have the Privacy options blocked in Settings on their devices. This change should be implemented and tested.
Task 1: Change settings in an assigned Configuration profile
- Switch to SEA-SVR1.
- On SEA-SVR1, in the Microsoft Intune admin center, select Devices and then select Configuration profiles.
- On the Devices | Configuration profiles blade, in the details pane, select Contoso Developer - standard.
- On the Contoso Developer - standard blade, scroll down to the Configuration settings section, and then select Edit.
- On the Device restrictions page, expand Control Panel and Settings.
- Next to Privacy, select Not configured.
- Select Review + save, and then select Save.
Task 2: Force device synchronization from the Microsoft Intune admin center
- On SEA-SVR1, in the Microsoft Intune admin center, select Devices in the navigation pane and then select All devices.
- In the details pane, select SEA-WS1.
- On the SEA-WS1 blade, select Sync and, when prompted, select Yes.
Note: Intune will contact the device and tell it to synchronize all policies. This may take up to 5 minutes.
- Close Microsoft Edge.
Task 3: Verify changes on SEA-WS1
- Switch to SEA-WS1.
- On SEA-WS1, on the taskbar, select Start and then select the Settings app.
- In the Settings app, select Privacy & security and verify that all of the customization options are back.
- Close all open windows and sign out of SEA-WS1.
Results: After completing this exercise, you will have successfully modified an assigned Configuration profile and verified the changes.
END OF LAB