20703-2A
Integrating MDM and Cloud Services with
System Center Configuration Manager
Companion Content
ii Integrating MDM and Cloud Services with System Center Configuration Manager
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. They are given below in English translation.
DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed content is
at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local
consumer protection law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights granted to you by the laws of your country if those
laws do not permit it to do so.
Module 1
Extending the Configuration Manager infrastructure to
support Internet-based and mobile devices
Contents:
Module Review and Takeaways
Lab Review Questions and Answers
Question: You need to configure directory syncing between your local Active Directory Domain Services
(AD DS) and Azure AD. Which tool would you use to perform this task?
( ) Active Directory Users and Computers
( ) DirSync
( ) Azure AD Connect
Answer:
( ) Active Directory Users and Computers
( ) DirSync
(√) Azure AD Connect
Question: After a trial run of using Azure AD, users state that they find it difficult to remember their
onmicrosoft.com account. What can you do to address this concern?
Answer: You can add a custom domain that matches your AD DS domain name. You also need
to configure the appropriate external Domain Name System (DNS) records, and you need to validate
the custom domain from Azure. This allows users to sign in with the same credentials that they
use for their internal domain.
Question: On which existing certificate template is the Distribution Point certificate template based?
Why do you need to create a new certificate template?
Answer: The Configuration Manager Distribution Point certificate template is based on the
Workstation Authentication template, which is the same template that the Configuration
Manager client certificate uses. A separate template is needed because the distribution point
certificate must allow the private key to be exported: for computers that are not members of
AD DS, you must import the certificate as a .pfx file rather than selecting it from the local
certificate store, and the default Workstation Authentication template does not allow key export.
Question: Which Configuration Manager functionality could you use to deploy a partner organization’s
enterprise root certification authority (CA) certificate to Configuration Manager clients that are members
of your organization’s Active Directory forest?
Answer: You can use the Certificate Profiles functionality (a trusted CA certificate profile) to deploy
the partner's root CA certificate to Configuration Manager clients. This works for domain-joined clients
in your forest, and it also reaches clients that are not domain members, which Group Policy cannot.
Question: You have configured a cloud-based distribution point; however, your clients can’t seem to
resolve the name of the cloud-based service. What should you do?
Answer: Before clients can access a cloud-based distribution point, they must be able to resolve
the name of the cloud-based distribution point to an IP address that Azure manages. DNS servers on
the Internet must have a DNS alias (CNAME) resource record that maps the service name you provided
with the cloud-based distribution point service certificate (for example, clouddp1.adatum.com) to your
Azure service fully qualified domain name (FQDN) (for example,
d1594d4527614a09b934d470.cloudapp.net). Your clients can then resolve the Azure service FQDN to
its IP address by using DNS servers on the Internet.
Question: To keep the cost of a cloud-based distribution point manageable, you need to ensure that only
a maximum of 100 GB is stored on the cloud service. How can you ensure this?
Answer: You can configure and specify a storage alert threshold set to 100 GB.
Managing clients on the Internet 2-1
Module 2
Managing clients on the Internet
Contents:
Lesson 1: Methods for managing Internet-based clients
Lesson 1
Methods for managing Internet-based clients
Contents:
Question and Answers
Resources
( ) It supports only the management point and software update point site system roles.
Answer:
(√) It requires a public key infrastructure (PKI).
( ) It supports only the management point and software update point site system roles.
Resources
Additional Reading: For more information, refer to “Manage clients on the Internet with
Configuration Manager” at https://aka.ms/kajvjb
Lesson 2
Planning and implementing Internet-based client
management
Contents:
Question and Answers
( ) Enable the Enable user policy requests from Internet clients client policy setting.
Answer:
Lesson 3
Planning and implementing the Cloud Management
Gateway
Contents:
Question and Answers
Resources
( ) Management point
( ) Enrollment point
Answer:
( ) Fallback status point
( ) Enrollment point
Resources
Additional Reading: Use the Azure pricing calculator and the Azure bandwidth calculator
to help determine the potential costs. For the calculators, refer to “Pricing calculator” at
https://aka.ms/jutfbp and “Bandwidth Pricing Details” at https://aka.ms/bqyzn4
• IBCM does not require a cloud subscription. However, it does require that you expose corporate
network services to the Internet.
• The Cloud Management Gateway does not directly expose internal network services to the
Internet. However, you incur a subscription cost for this service.
• Both solutions require a PKI and custom certificate templates.
Review Questions
Question: You decide to implement IBCM to manage Configuration Manager clients on the Internet.
Describe the ways that you might design the network infrastructure to provide access to the Internet.
Answer: A common design involves creating a new forest in a perimeter network. This new forest
then contains any services that are needed on the Internet, such as a management point or
distribution point. If you want to take advantage of user-based policies, you must ensure that the
perimeter network forest trusts the internal corporate forests.
You can also publish the internal services by using a web proxy server and configure SSL bridging
or SSL tunneling.
Question: Your Internet-based solution requires that you apply user policies over the Internet. Will you
implement IBCM or the Cloud Management Gateway?
Answer: The Cloud Management Gateway does not currently support user-based policies. You
must implement IBCM. Note that user authentication must take place, so the management point
must have access to the domain controller.
Question: You have just configured the Cloud Management Gateway. You want to deploy software to a
client on the Internet, however you don’t understand how to enable the distribution points to use the
Cloud Management Gateway. What do you do?
Answer: Currently, the Cloud Management Gateway supports only cloud-based distribution
points. You must configure a cloud-based distribution point to support software deployments.
Problem: Internet-based Configuration Manager clients can’t communicate with the management point.
Resolution: Verify that the client and server certificates are correctly configured and that DNS name
resolution is in place. It’s common that the name on the certificate isn’t the same name that is registered
in DNS. Be sure that the names match.
Problem: After setting up the Cloud Management Gateway, Internet clients can’t connect.
Resolution: All clients must initially be on the corporate network to receive location information for the
Cloud Management Gateway service. Be sure to have the client devices connect to the internal
environment before being placed on the Internet.
Answer: You need to configure a Web Server certificate, a distribution point client certificate,
and a client certificate.
Question: You add a new distribution point to the Configuration Manager environment. What do you
need to do to make it accessible to both intranet and Internet clients?
Answer: Import the .pfx certificate file that has been exported for distribution points, and then
configure HTTPS. Also, configure the Allow intranet and Internet connections option.
Question: You want to make sure that a new distribution point is accessible only from Internet clients.
What should you do?
Answer: Configure the distribution point with the Allow Internet-only connections option. You
configure this on the General tab of the Distribution point Properties dialog box.
Answer: You need to first open the hierarchy settings and select the check box to consent to use
pre-release features.
Question: What is the purpose of exporting the Azure management certificate twice?
Answer: You need to export the certificate in both .pfx and .cer file formats. You use the .cer
format when uploading the management certificate to Azure, because the .cer file contains only the
public certificate. You use the .pfx format when configuring the service in Configuration Manager,
because the .pfx file also contains the private key; protect it with a strong password and treat the
file as a credential.
Question: What do you need to do to ensure that clients can resolve the cloudmgw.cloudapp.net DNS
name to the Cloud Management Gateway service?
Answer: You need to register this name in the public Domain Name System (DNS) so that client
devices can resolve and find the service in Azure.
Managing Microsoft Store for Business apps by using Configuration Manager 3-1
Module 3
Managing Microsoft Store for Business apps by using
Configuration Manager
Contents:
Lesson 1: Overview of Microsoft Store for Business
Lesson 2: Managing Microsoft Store for Business apps by using Configuration Manager
Lesson 1
Overview of Microsoft Store for Business
Contents:
Question and Answers
Resources
( ) Windows 7 PC
( ) Windows 10 tablet
( ) Android 7 tablet
Answer:
( ) Windows 7 PC
(√) Windows 10 tablet
( ) Android 7 tablet
Feedback: You can install apps from Microsoft Store for Business only on Windows 10 devices.
Question: Users can install offline licensed apps only if they have an Azure AD account.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: Offline licensed apps can install on a device even if the device does not have Internet
connectivity and the user does not have an Azure AD account.
Question: An organization must pay a monthly fee for using Microsoft Store for Business.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: Microsoft Store for Business is a cloud service that is available for free. However, an
organization must be using Azure AD to be able to use Microsoft Store for Business.
Answer: The main difference is that Windows Store is for general audiences, while Microsoft
Store for Business is aimed at organizations. Hence, in Windows Store, users can find all types of
apps, including games, books, music, and TV shows. In Microsoft Store for Business, you can find
business-related modern Windows 10 apps and line-of-business (LOB) apps.
Question: Can you sign in to Microsoft Store for Business with a Microsoft account?
Answer: A Microsoft account is necessary only to install an app from Windows Store. However,
you cannot use a Microsoft account to sign in to Microsoft Store for Business; you must use a
Microsoft Azure Active Directory (Azure AD) account to sign in to it.
Answer: No, you can’t install an app from Microsoft Store for Business on a device that is
running Windows 8.1 Update. Apps from Microsoft Store for Business can install only on
Windows 10 devices.
Question: Is an Azure AD account necessary if you want to browse Microsoft Store for Business and not
install any apps from it?
Answer: Yes, an Azure AD account is necessary even if you only want to browse Microsoft Store
for Business. Users must authenticate before they can access Microsoft Store for Business. This is
different than with the public Windows Store, where users can browse the store but must
authenticate with a Microsoft account before installing an app.
Answer: You can sign up for Microsoft Store for Business in a web browser, for example, in
Internet Explorer 11 or in Microsoft Edge. You can use a web browser both for managing
Microsoft Store for Business and for browsing the available apps in a private store, and for
installing apps from Microsoft Store for Business. Company users would probably use the Store
app for browsing Microsoft Store for Business and for installing apps from the store.
Question: Do you need to add company users to a role to be able to browse Microsoft Store for
Business?
Answer: No. After you set up Microsoft Store for Business, all company users who have Azure AD
accounts can access and browse it. If you want to delegate permissions to some users—for
example, to purchase apps and to add them to the private store—you must add them to a role.
Question: Can you include an online licensed app from a private store in an image that you plan to
deploy on a new Windows 10 computer?
Answer: Online licensed apps require that a user first connects and authenticates to Microsoft
Store for Business, and only then can the user install the app. Online licensed apps can’t be
downloaded and included in an image.
Answer: An online licensed app requires that users connect and authenticate to Microsoft Store
for Business before they can install the app. For distributing online licensed apps, you can use a
private store, assign apps to users, or you can use an MDM management tool such as
Configuration Manager or Microsoft Intune.
Question: Can you assign an app from Microsoft Store for Business to a Windows 10 device?
Answer: No, you can assign apps from Microsoft Store for Business only to company users. You
can’t assign apps from Microsoft Store for Business to groups or devices.
Resources
Additional Reading: For a list of URLs that must be allowed on the firewall or proxy server
to be able to access Windows Store and Microsoft Store for Business, refer to
https://aka.ms/p0db8f
Additional Reading: For additional information on offline licensing in Microsoft Store for
Business, refer to https://aka.ms/lhidy7
Additional Reading: For more information about working with LOB apps in Microsoft
Store for Business, refer to https://aka.ms/wwf42z
Additional Reading: For additional information on distributing offline licensed apps, refer
to https://aka.ms/oaj2fm
Lesson 2
Managing Microsoft Store for Business apps by using
Configuration Manager
Contents:
Question and Answers
Resources
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: You can deploy online and offline licensed Microsoft Store for Business apps by using
Configuration Manager. Online licensed apps are installed from Microsoft Store for Business even
when you deploy them by using Configuration Manager, while offline licensed apps are
downloaded and installed from a Configuration Manager distribution point.
Question: You are planning to implement Microsoft Store for Business syncing with Configuration
Manager. Where can you find the client ID and client secret key?
Answer: You can find the client ID and client secret key in Azure AD. Both are generated when
you register Configuration Manager as a web app in Azure AD.
Question: If you deploy an online licensed Microsoft Store for Business app by using Configuration
Manager, a user must still authenticate to Azure AD.
( ) True
( ) False
Answer:
(√) True
( ) False
Feedback: When you deploy an online licensed Microsoft Store for Business app by using
Configuration Manager, the app is installed from Microsoft Store for Business, and users must
authenticate to Microsoft Store for Business with their Azure AD accounts.
How does Configuration Manager work with Microsoft Store for Business?
Question: What must you do in Configuration Manager before you can start using Configuration
Manager to deploy apps that you obtained in Microsoft Store for Business?
Answer: Before you can start using Configuration Manager to deploy apps that you obtain in
Microsoft Store for Business, you must add the Microsoft Store for Business account in
Configuration Manager. You must also perform some additional preparation steps before adding
a Microsoft Store for Business account in Configuration Manager, but they are done in Azure
Portal and in Microsoft Store for Business.
Question: Can you use Configuration Manager to deploy apps from Microsoft Store for Business to
computers that are running Windows 10 Anniversary Update (version 1607)?
Answer: Yes, you can use Configuration Manager to deploy apps from Microsoft Store for
Business to computers that are running Windows 10 Anniversary Update (version 1607).
However, if you deploy the apps to computers that are running a Windows 10 version earlier than
Creators Update (version 1703), some limitations exist; for example, users have to install the apps
from Microsoft Store for Business manually, even when the apps are deployed by using Configuration
Manager.
Answer: Yes, you can deploy online licensed Microsoft Store for Business apps and offline
licensed Microsoft Store for Business apps by using Configuration Manager.
Question: Can you deploy paid offline licensed Microsoft Store for Business apps with Configuration
Manager?
Answer: No, you can’t deploy paid offline licensed Microsoft Store for Business apps with
Configuration Manager. This is the only type of Microsoft Store for Business app that you can’t
deploy with Configuration Manager.
Question: Can you use Configuration Manager to manage Microsoft Store for Business?
Answer: No. You can connect Configuration Manager with Microsoft Store for Business.
Configuration Manager can synchronize inventory data, and you can use it for deploying
Microsoft Store for Business apps. However, you can’t use Configuration Manager to manage
Microsoft Store for Business. You manage it through a web browser even after you connect
Microsoft Store for Business with Configuration Manager.
Answer: By using Microsoft Store for Business, you can assign apps only to individual users.
When you use Configuration Manager to deploy Microsoft Store for Business apps, you can
deploy them to a user collection or a device collection. This means that you can deploy an app to
multiple users at one time, or you can deploy the app to all users that are using a certain device.
Question: After syncing license information, what must you do to deploy Microsoft Store for Business
apps by using Configuration Manager?
Answer: To deploy Microsoft Store for Business apps by using Configuration Manager, you must
first create applications from the synced licensing information, and then you must deploy the
applications to a user or device collection.
Answer: No, you can’t see that information in Configuration Manager. Configuration Manager
synchronizes only information such as the list of purchased apps, the number of purchased
licenses, and the number of available licenses. It does not synchronize which users have licenses
to run specific Microsoft Store for Business apps. Microsoft Store for Business tracks licensing
information for online licensed apps.
Question: You want to view the users who installed a certain Microsoft Store for Business app that was
deployed by using Configuration Manager. How can you view this list in Configuration Manager?
Answer: You can see the list of users who installed a Microsoft Store for Business app in the
Monitoring workspace of Configuration Manager. Expand Deployments, and then double-click
the app that was used to deploy the Microsoft Store for Business app.
Resources
How does Configuration Manager work with Microsoft Store for Business?
Answer: The user must be a global administrator in an Azure AD tenant to be able to sign up for
Microsoft Store for Business.
Question: You want to add a payable app to Microsoft Store for Business. Will company users have to pay
when they want to install the app from the private store?
Answer: No. If you want to add a payable app to Microsoft Store for Business, you need to buy
and pay for the required number of copies of the app. Then, company users will be able to install
the app from Microsoft Store for Business without paying for it. Be aware that the number of
company users who can install the app is limited to the number of app copies that you
purchased.
Question: You need to create a Microsoft Store for Business account for every company user who will
access the store.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: Users utilize Azure AD accounts for accessing Microsoft Store for Business. You don’t
need to create any additional account for them to access Microsoft Store for Business.
Answer:
( ) True
(√) False
Feedback: Company users can run the Store app on their Windows 10 devices. However, a built-in
administrator can’t run the Store app. If they try to run it, they will receive a message stating
that this app can’t open.
Question: Can you sign up for Microsoft Store for Business by using the Store app?
Answer: Windows 10 includes the Store app, and you can use it to access, browse, and install
available apps from the Windows Store and from Microsoft Store for Business. However, you
can’t sign up for Microsoft Store for Business in the Store app; you must use a web browser to
sign up for Microsoft Store for Business.
Question: You used the Sync account to sign up for Microsoft Store for Business. Which permissions does
this account have in Azure AD?
Answer: The Sync account is a global administrator for the Azure AD tenant. This account was
created when you set up synchronization with on-premises Active Directory Domain Services (AD
DS) in the lab from Module 1, “Extending the Configuration Manager infrastructure to support
Internet-based and mobile devices.”
Question: Do you need to add a user to the Basic purchaser role to be able to browse and install apps
from Microsoft Store for Business?
Answer: No, you don’t need to add users to any role to be able to browse and install apps from
Microsoft Store for Business. All company users can perform this action by default.
Question: Why were you unable to view any apps in the private store even though you had several apps
there?
Answer: The private store updates every 24 hours. Even after you add apps to the private store, it
takes up to 24 hours before added apps appear in the private store, regardless of whether you
access the store by using the Store app or a web browser.
Question: In which tool did you activate synchronization with Configuration Manager?
Answer: You activated synchronization with Configuration Manager in Microsoft Store for
Business. You manage Microsoft Store for Business in a web browser, so you activated
synchronization with Configuration Manager in Internet Explorer.
Question: Do installation files for online licensed Microsoft Store for Business apps download to
Configuration Manager when you synchronize Configuration Manager with Microsoft Store for Business?
Answer: No. When you synchronize Microsoft Store for Business with Configuration Manager,
only licensing information syncs. After synchronization, you can see the Microsoft Store for
Business apps that are available and how they are licensed, but their installation files do not
download to Configuration Manager.
Question: Can you deploy Microsoft Store for Business apps to multiple users and groups when you are
using Configuration Manager?
Answer: Yes. One of the reasons for synchronizing Microsoft Store for Business with
Configuration Manager and using Configuration Manager to deploy Microsoft Store for Business
apps is additional flexibility, which includes deployment to collections.
Module 4
Managing Office 365 apps by using Configuration Manager
Contents:
Lesson 1: Overview of Office 365 ProPlus 2
Lesson 1
Overview of Office 365 ProPlus
Contents:
Question and Answers 3
Resources 3
Answer:
(√) Up to five different computers per client
Resources
Reference Links: For the full system requirements of Office 365, refer to “System
requirements for Office” at https://aka.ms/qopby2.
Additional Reading: For more information about modifying the configuration.xml file,
refer to “Configuration options for the Office 2016 Deployment Tool” at https://aka.ms/mrm8hy.
Lesson 2
Deploying Office 365 client applications by using
Configuration Manager
Contents:
Question and Answers 5
Resources 5
( ) Software Inventory
( ) Hardware Inventory
( ) Software Metering
( ) Asset Intelligence
Answer:
( ) Software Inventory
( ) Software Metering
( ) Asset Intelligence
Feedback: The Hardware Inventory feature needs to be enabled before Configuration Manager
can determine which workstations have the software installed. By default, Hardware Inventory
should be enabled unless it has been purposefully turned off in the client settings.
Resources
Additional Reading: For additional information about version and build numbers for
Office 365 ProPlus, refer to “Version and build numbers of update channel releases” at
https://aka.ms/veqaw2.
Lesson 3
Managing and updating an Office 365 client
deployment
Contents:
Question and Answers 7
( ) Critical Updates
( ) Definition Updates
( ) Updates
( ) Upgrades
( ) Security Updates
Answer:
( ) Critical Updates
( ) Definition Updates
(√) Updates
( ) Upgrades
( ) Security Updates
Feedback: The Updates classification is needed to download updates related to an Office 365
client.
Answer: You can modify the configuration.xml file and add the exclusion by using the
ExcludeApp section.
Question: You have a specific workstation that two people share during opposite work shifts. What can
you do to ensure that each person has a valid license for Office 365?
Answer: Be sure to include the SharedComputerLicensing property and have it set to True in
the Configuration.xml file.
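The two configuration.xml changes named in the answers above, as an added PowerShell example that is not part of the course material or of the Office Deployment Tool itself: it writes a configuration.xml that uses an ExcludeApp entry to leave one application out of the installation and sets the SharedComputerLicensing property (the Office Deployment Tool expresses the True setting as Value="1"), parses the file to catch mistakes before setup.exe consumes it, and lists the setup.exe commands that use it. The C:\ODT path, the 32-bit edition, the en-us language, the channel name and the choice of Access as the excluded app are assumptions for the example.

```powershell
# Added example (not course code): build and validate an Office Deployment Tool (ODT)
# configuration.xml that excludes one app and enables shared computer activation.
# The path, edition, language, channel and excluded app are assumptions for a lab.

$ConfigPath = 'C:\ODT\configuration.xml'   # assumed location of the ODT setup.exe and its config

$configXml = @'
<Configuration>
  <!-- Channel="Broad" is the semi-annual channel; older ODT builds name it "Deferred" -->
  <Add OfficeClientEdition="32" Channel="Broad">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- ExcludeApp leaves a single application out of the Office 365 ProPlus install -->
      <ExcludeApp ID="Access" />
    </Product>
  </Add>
  <!-- Shared computer activation: every signed-in user gets a short-lived licensing token
       on this machine instead of consuming one of their five device activations -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <!-- Silent install for deployment through Configuration Manager -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

# Parse the document before writing it: a malformed configuration.xml makes setup.exe
# fail with an unhelpful error, so catch typos here instead.
$doc = [xml]$configXml

# Checks an administrator wants before packaging the file in a Configuration Manager application.
$excluded = @($doc.Configuration.Add.Product.ExcludeApp | ForEach-Object { $_.GetAttribute('ID') })
$shared   = @($doc.Configuration.Property |
              Where-Object { $_.GetAttribute('Name') -eq 'SharedComputerLicensing' } |
              ForEach-Object { $_.GetAttribute('Value') })

if ($excluded -notcontains 'Access') { throw 'ExcludeApp entry for Access is missing.' }
if ($shared -notcontains '1')        { throw 'SharedComputerLicensing is not set to 1.' }

New-Item -ItemType Directory -Path (Split-Path $ConfigPath) -Force | Out-Null
$doc.Save($ConfigPath)
Write-Host "Wrote $ConfigPath (excluded apps: $($excluded -join ', '); shared licensing: on)"

# Download the source files once, then configure clients from them; the second line is the
# install command you would give a Configuration Manager application for this package:
#   C:\ODT\setup.exe /download C:\ODT\configuration.xml
#   C:\ODT\setup.exe /configure C:\ODT\configuration.xml
```

The same configuration.xml is what a Configuration Manager application for Office 365 ProPlus points setup.exe at, so the validation step runs once on the packaging workstation rather than on every target.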
Answer: You need to ensure that Ada Russel has been assigned a license for the Office 365
applications. You can assign the license from the user account object in the Office 365 admin
center.
Question: What is the default update channel for Office 365 applications that you download from the
Office 365 portal?
Answer: The default channel is the Deferred Channel (Semi-annual Channel (Broad)) that
provides updates every four months.
Question: You want to prevent users from using the Office 365 portal to install applications. What should
you do?
Answer: Configure software download settings and turn off all options in the Office 365 portal.
Answer: You should create a custom client device setting and deploy it to the specific collections
that contain the workstations.
Module 5
Mobile device management by using Configuration
Manager
Contents:
Lesson 1: Overview of mobile device management 2
Lesson 2: Configuring the Exchange Server connector for mobile device management 4
Lesson 1
Overview of mobile device management
Contents:
Question and Answers 3
Resources 3
Answer: If you want to manage Android and iOS devices that employees are using to check
organizational email, without deploying client software on those devices, use the Exchange Server
connector with your Configuration Manager deployment.
Resources
Additional Reading: For more information on OMA DM, refer to “OMA DM protocol
support” at http://aka.ms/Lb6evj.
Lesson 2
Configuring the Exchange Server connector for
mobile device management
Contents:
Question and Answers 5
Resources 5
Resources
Additional Reading: For more information on conditional access, refer to “Manage access
to services in System Center Configuration Manager” at https://aka.ms/tkn3y8.
Answer: Answers will vary, but will often include a requirement that the organization wants to
perform some form of device management that only interacts with organizational infrastructure
through Exchange messaging. It could also be necessary to perform some level of management
without deploying client software on the device to be managed.
( ) Retire/Wipe
( ) Deploy applications
Answer:
(√) Retire/Wipe
( ) Deploy applications
Question: You need to be sure that any mobile devices that have not been active for 30 days are not
synchronized into Configuration Manager from Exchange Server. What should you do?
Answer: Modify the Exchange Server Connector Properties, enable the Ignore mobile devices
that are inactive for more than (days) option, and set the value to 30.
Module 6
Hybrid MDM with Configuration Manager and Intune
Contents:
Lesson 1: Planning and preparing for hybrid MDM 2
Lesson 1
Planning and preparing for hybrid MDM
Contents:
Question and Answers 3
Resources 3
( ) BYOD
( ) DEP
( ) Apple Configurator
( ) Azure AD autoenrollment
Answer:
( ) BYOD
(√) DEP
( ) Azure AD autoenrollment
Resources
Reference Links: As of July 2017, Intune stand-alone has moved many of its features to the
Microsoft Azure cloud platform. This provides Intune with enhanced scalability, role-based access
through the Azure Portal, custom reporting, and programmatic access using a software
development kit (SDK) and Windows PowerShell management options.
Lesson 2
Configuring hybrid MDM with Configuration
Manager and Intune
Contents:
Question and Answers 5
Resources 5
( ) Company Portal
( ) Azure
( ) Intune subscription
( ) Office 365
Answer:
( ) Company Portal
( ) Azure
(√) Intune subscription
( ) Office 365
Feedback:
When you configure the subscription settings to Intune from within the Configuration Manager
console, you are prompted to set the Mobile Device Management Authority.
Resources
Additional Reading: For more information about the Service Connection Tool, refer to “Use
the Service Connection Tool for System Center Configuration Manager” at https://aka.ms/h5d7df.
Answer: Answers will vary, but might include the Apple Device Enrollment Program (DEP), Apple
Configurator, manual enrollment using Company Portal, automatic enrollment using Azure, or
bulk enrollment using the device enrollment manager.
• Provide the connection and authentication to Intune for both hybrid and on-premises MDM.
Answer: This setting can be configured by opening the Microsoft Intune Subscription Properties
and then changing the Device Enrollment Limit value. This value is also configured when you add
the new subscription.
Question: During the subscription configuration, you need to specify a collection. What is the purpose of
this collection?
Answer: The user collection specified in the Intune subscription contains the list of users that are
enabled to enroll devices for management.
Module 7
Device platform enrollment by using Configuration Manager
MDM
Contents:
Lesson 1: Enrolling Windows devices into MDM 2
Lesson 2: Enrolling Android devices into MDM 4
Lesson 1
Enrolling Windows devices into MDM
Contents:
Question and Answers 3
Resources 3
( ) Passwords
( ) Personal email
( ) Contacts
Answer:
( ) Passwords
( ) Personal email
( ) Contacts
(√) Phone number of the device
Resources
Additional Reading: For more information, refer to “Windows Hello for business settings
in System Center Configuration Manager (hybrid)” at https://aka.ms/pdu2gh.
Additional Reading: For information on enrolling Windows 8.1 devices, refer to “Enroll
your Windows device in Intune” at https://aka.ms/o0ghrd.
Lesson 2
Enrolling Android devices into MDM
Contents:
Question and Answers 5
Resources 5
( ) Configuration Manager
( ) Microsoft Azure
Answer:
( ) The Company Portal app
( ) Configuration Manager
( ) Microsoft Azure
(√) The Intune classic portal
Feedback:
To configure Android for Work settings, you need to access the Intune classic portal.
Resources
Lesson 3
Enrolling iOS devices into MDM
Contents:
Question and Answers 7
Resources 7
Answer:
( ) Configure the device to be in unsupervised mode.
Feedback:
An exported enrollment profile URL expires after two weeks. You will need to regenerate the
enrollment profile URL.
Resources
Additional Reading: For more information about creating a CSV file for predeclared
devices, refer to “Predeclare devices with IMEI or iOS serial numbers” at https://aka.ms/qxwk4s.
Additional Reading: For more information about the Find My iPhone Activation Lock
feature, refer to “Find My iPhone Activation Lock” at https://aka.ms/a8klqv.
Additional Reading: For more information on creating configuration items for iOS and
Mac OS X devices, refer to “How to create configuration items for iOS and Mac OS X devices
managed with Intune” at https://aka.ms/xeta3j.
Lesson 4
Managing mobile devices in Configuration Manager
Contents:
Question and Answers 9
Resources 9
( ) Group Policy
( ) Compliance policies
Answer:
( ) Group Policy
Feedback:
To apply rules for connecting to Exchange Online, you need to configure conditional access
policy settings and associated compliance policies.
Resources
Additional Reading: For more information on managing volume-purchased apps, refer to:
Additional Reading: For a list of managed apps that support application management
policies, refer to “Offer security and familiarity with Intune-managed apps” at
https://aka.ms/y5av86.
Answer: Answers will vary, but might include password policies and feature restrictions.
Question: Which bulk mobile device enrollment methods will you use in your organization?
Answer: Answers will vary, but should include Apple Configurator for iOS.
Answer: Explain to your manager that you do not need to obtain the tokens. An application
enrollment token is required only for Windows Phone 8.0 devices. However, because you are
managing only Windows 10 devices, you do not need to configure the application enrollment
token settings.
Question: During the lab, you installed the Company Portal app by using the Windows Store. What are
some alternative ways to deploy and install the app on devices?
Answer: You can install the Company Portal app from Microsoft Store for Business, or you can
sideload the app and deploy it by using standard Configuration Manager application deployment
tasks.
Question: In the lab, when you configured the Android for Work binding, a synchronization error
displayed in Configuration Manager. How can you fix this error?
Answer: The synchronization error appeared because you did not publish any application from
the Google Play for Work website. This error will disappear as soon as you publish an application
from the Google Play for Work website.
Answer: When you create the configuration item, the Supported Platforms page will display
any compatibility issues with the configuration item.
Question: In the lab, after you configured apps to be available to the mobile device user, where would
the user find the available apps?
Answer: The user can view the published apps in the Company Portal app.
Module 8
On-premises mobile device management using
Configuration Manager
Contents:
Lesson 1: Overview of On-premises mobile device management 2
Lesson 2: Configuring On-premises MDM using Configuration Manager 6
Lesson 1
Overview of On-premises mobile device management
Contents:
Question and Answers 3
Resources 5
( ) Windows 10 Home
( ) Windows 10 Team
( ) Windows 10 Pro
( ) Android 6 (“Marshmallow”)
( ) Android 7 (“Nougat”)
Answer:
( ) Windows 10 Home
(√) Windows 10 Team
( ) Android 6 (“Marshmallow”)
( ) Android 7 (“Nougat”)
Feedback:
You can only use On-premises MDM for managing modern Windows 10 devices. This includes
Windows 10 Team and Windows 10 Pro devices. You cannot enroll Windows 10 Home for On-premises MDM.
Question: Which of the following Configuration Manager site system roles does On-premises MDM
require?
( ) Distribution point
( ) Enrollment point
( ) Exchange Server connector
Answer:
From the listed site system roles, On-premises MDM requires only the Configuration Manager
site database server, distribution point, and enrollment point.
Answer: If you want to implement On-premises MDM, you must add the Microsoft Intune
subscription to Configuration Manager. In such a scenario, Intune is used only for tracking device
licensing, and not for device management. However, an Intune subscription is mandatory.
Because Intune is a cloud service, you cannot use it in an environment without Internet
connectivity, which means that you cannot implement On-premises MDM in an environment
without Internet connectivity.
Answer: No. All communication between managed mobile devices and the On-premises MDM
infrastructure is encrypted with Secure Sockets Layer (SSL), which requires that Configuration
Manager servers have certificates. Modern devices that are managed by On-premises MDM must
trust the certification authority that signed those server certificates and must be able to reach a
CRL distribution point.
Answer: No. Management of devices by using On-premises MDM is based on the OMA DM
standard, and modern devices already implement support for this standard in their operating
systems. Therefore, you do not need to deploy any agent to devices that you want to manage by
using On-premises MDM.
Question: Do you have the same management options for client devices that have the Configuration
Management agent installed and for devices that On-premises MDM manages?
Answer: No, On-premises MDM management provides less extensive client management
functionality compared to devices that have the Configuration Manager agent installed. For
example, with On-premises MDM-managed devices, you cannot perform software inventory and
discovery.
Answer: Surface Hub is a conferencing and presentation device that runs on the Windows 10
Team operating system. Because you can enroll the Windows 10 Team operating system for On-premises
MDM, you can manage Surface Hub devices by using On-premises MDM.
Answer: No, the System Health Validator Point site system role is not needed for On-premises
MDM. If you want to implement On-premises MDM, you must make sure that the Configuration
Manager deployment includes the enrollment point, proxy enrollment point, management point,
and distribution point site system roles.
Question: Which protocol do modern Windows 10 devices use for communicating with the On-premises
MDM infrastructure?
Answer: Modern Windows 10 devices use the HTTPS protocol for communicating with the On-premises
MDM infrastructure.
Resources
Advantages and disadvantages of On-premises MDM
Additional Reading: For more information on Windows 10 Team and how it compares to
Windows 10 Enterprise, refer to “Differences between Surface Hub and Windows 10 Enterprise” at
https://aka.ms/anvb6i.
Additional Reading: For a complete list of supported platforms that can be managed by
Configuration Manager, refer to “Supported operating systems for clients and devices for System
Center Configuration Manager” at https://aka.ms/joz2l0.
Lesson 2
Configuring On-premises MDM using Configuration
Manager
Contents:
Question and Answers 7
Resources 9
Answer: A user can enroll devices for On-premises MDM only after Configuration Manager has
discovered the user through the Active Directory discovery method and the user has been added to
the user collection that can enroll devices. Verify whether the user is already in that Configuration
Manager collection, and if not, run discovery for Active Directory users.
Question: How many modern devices can a user enroll for On-premises MDM by default?
( ) 1
( ) 5
( ) 15
( ) 25
( ) 255
Answer:
( ) 1
( ) 5
(√) 15
( ) 25
( ) 255
Feedback:
By default, a user can enroll 15 modern devices for On-premises MDM. You can view and modify
this setting on the properties of the Microsoft Intune subscription in the Configuration Manager
console.
Answer: No, you only need Configuration Manager for managing modern devices in an On-premises
MDM implementation. You still require Microsoft Intune for tracking licenses and for
notifying Internet-connected modern devices that an updated policy is available on the management
point.
Question: When you add the Microsoft Intune subscription to Configuration Manager, you specify that
users in Collection1 will be able to enroll their devices for management. Later, you discover that users who
are not in Collection1 are also able to enroll their devices for On-premises MDM. What might be the
reason for such behavior?
Answer: You can specify the user collection whose members will be able to enroll their devices
for management in the Create Microsoft Intune Subscription Wizard. This setting is used only
with Hybrid MDM; it is ignored for On-premises MDM. For On-premises MDM, you configure the
enrollment settings in Default or Custom Client Settings.
Answer: Because you are managing PCs, the Configuration Manager deployment already has
management point(s). Therefore, you don’t need to deploy a new management point for
managing modern devices. You just need to make sure that the management point is configured
properly for managing modern devices.
Question: Can you manage a Windows 10 modern device that is connected to the Internet by using On-premises
MDM?
Answer: No. Configuration Manager (Current Branch) only supports intranet connections from
modern devices to the distribution points and management points for On-premises MDM. If a
Windows 10 modern device is connected to the Internet, you cannot manage it by using On-premises
MDM.
Question: Why is the default AD CS configuration not appropriate if you want to manage workgroup
devices?
Answer: By default, AD CS publishes the CRL in AD DS. Domain devices can access it, but if a
device is not a domain member, it cannot access the CRL. If you want to use On-premises MDM to
manage workgroup devices, you must make sure that the CA publishes the CRL to a location that
is accessible to these devices. Therefore, you should configure AD CS to publish the CRL to a location
that can be accessed by using HTTP.
Answer: If you want to manage modern Windows 10 devices that are not domain members by
using On-premises MDM, you must install a root CA certificate on these devices. The certificate is
installed in the trusted root CAs certificate store.
Answer: You need to create custom client settings, configure enrollment in these client settings,
and then deploy the custom client settings to a user collection that contains users who should be
able to enroll their modern devices.
Question: Which three client settings does Configuration Manager support for On-premises MDM?
Answer: For On-premises MDM, Configuration Manager supports only the enrollment, client
policy, and software deployment client settings.
Answer: If you want to enroll multiple devices for On-premises MDM with minimal effort, you
should create an enrollment package and run it on the devices. You can create an enrollment
package in the Configuration Manager console.
Question: You have a Windows 10 tablet that is in a workgroup. What must you do on the tablet before
you can manually enroll it for On-premises MDM?
Answer: Before you can enroll a modern Windows 10 device for On-premises MDM, the device
must trust the CA that signed the certificate used by the enrollment point. Because the tablet is in
a workgroup, you must add the CA to the trusted root CAs before you can manually enroll the
device for On-premises MDM.
Resources
Additional Reading: For more information on the Configuration Manager site
system roles, refer to “Plan for site system servers and site system roles for System Center
Configuration Manager” at https://aka.ms/u84i7c.
Additional Reading: For more information on the Configuration Manager client settings,
refer to “About client settings in System Center Configuration Manager” at https://aka.ms/ac4x5t.
Answer: You should choose to deploy a Hybrid MDM solution. By using On-premises MDM, you
can manage only modern Windows 10 devices. If some users were to obtain iOS devices later,
you would not be able to manage these devices by using On-premises MDM. You can use Hybrid
MDM for managing Windows 10 modern devices, and iOS and Android modern devices.
Question: What are modern devices? Can you manage all modern devices by using On-premises MDM?
Answer: Modern devices are devices that include support for the OMA DM standard. This
standard specifies how you can manage a device, and devices that support this standard don’t
need an additional agent for you to manage them. On-premises MDM uses the OMA DM
standard for managing devices, but only Windows 10 devices can be enrolled and managed by
On-premises MDM. Other modern devices cannot be managed by On-premises MDM.
Question: Do you use Microsoft Intune for managing devices that are enrolled for On-premises MDM?
Answer: No. Although Microsoft Intune is required for On-premises MDM, you do not use Intune
for managing devices in such an environment. You use Intune only for tracking licenses for the
enrolled devices, but not for managing the devices. If devices have Internet connectivity, Intune
can also notify the device to check for a policy update on the management point.
Answer: By default, a CRL is published in AD DS, and only devices that are domain members can
access it. However, many devices that you want to manage by using On-premises MDM,
including LON-BYOD1-B and LON-BYOD2-B, are in a workgroup and cannot access the CRL in
AD DS. Therefore, you need to add a CDP that is accessible over the HTTP protocol.
Question: Why do you need to import the AdatumCA root CA certificate into the trusted root CAs store
on LON-BYOD1-B to be able to enroll it for On-premises MDM? Why did you not need to import the
root CA certificate on LON-BYOD2-B?
Answer: A trusted root CA certificate must be in the trusted root store of the modern Windows
10 device to be able to enroll the device for On-premises MDM. Both LON-BYOD1-B and LON-BYOD2-B
didn’t trust the AdatumCA CA. On LON-BYOD1-B, you imported the certificate
manually, while on LON-BYOD2-B, the root CA certificate was included in the enrollment
package, and it was imported when you ran the enrollment package.
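The two PKI steps that the workgroup-device answers in this lesson and in the lab review above describe (publishing the CRL at an HTTP location, and placing the root CA certificate in the trusted root store of a device such as LON-BYOD1-B), as an added PowerShell example that is not course code and not an Adatum lab script. Add-HttpCrlDistributionPoint runs on the issuing CA and uses the ADCSAdministration module; Install-RootCaTrust runs on the workgroup device, imports the root certificate into the machine store, and then builds a certificate chain with online revocation checking, which is the check that fails on a workgroup device when the CA only publishes its CRL to AD DS. The host name pki.adatum.com, the CertEnroll virtual directory and all file paths are assumptions for the example.

```powershell
# Added example (not course code): HTTP CRL publication on the CA and root CA trust on a
# workgroup device, the two prerequisites for enrolling LON-BYOD1-B for On-premises MDM.
# pki.adatum.com, the CertEnroll folder and the file paths are assumptions for the lab.

function Add-HttpCrlDistributionPoint {
    param(
        # Location the CA stamps into the CDP extension of every certificate it issues.
        # <CAName>, <CRLNameSuffix> and <DeltaCRLAllowed> are AD CS replacement tokens.
        [string]$CdpUri = 'http://pki.adatum.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    )
    Import-Module ADCSAdministration

    # Adding the same URI twice is an error, so make the function safe to re-run.
    $present = Get-CACrlDistributionPoint | Where-Object { $_.Uri -eq $CdpUri }
    if (-not $present) {
        # -AddToCertificateCdp: include the URI in the CDP extension of issued certificates.
        # -AddToFreshestCrl:    include it in the Freshest CRL extension (delta CRL location).
        Add-CACrlDistributionPoint -Uri $CdpUri -AddToCertificateCdp -AddToFreshestCrl -Force
    }

    # The CA service reads CDP settings at start-up. After the restart, publish a new CRL
    # to the local CertEnroll folder; the web server behind pki.adatum.com must serve that
    # folder over plain HTTP, because Windows clients do not retrieve CRLs over HTTPS.
    Restart-Service -Name certsvc
    certutil -crl | Out-Null

    # Return the HTTP locations now configured, for the administrator to confirm.
    Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'http://*' }
}

function Install-RootCaTrust {
    param(
        [Parameter(Mandatory)] [string]$RootCertPath,   # exported AdatumCA root certificate (.cer)
        [string]$LeafCertPath                           # optional: a certificate issued by that CA
    )
    # LocalMachine\Root rather than CurrentUser\Root: the enrollment client validates the
    # enrollment point's TLS certificate in a machine context, so user-store trust is not enough.
    $root = Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
    Write-Host "Trusted root installed: $($root.Subject) ($($root.Thumbprint))"

    if (-not $LeafCertPath) { return $true }

    # Build the chain the way the enrollment client does, with network revocation checking.
    # With an LDAP-only CDP this reports RevocationStatusUnknown / OfflineRevocation on a
    # workgroup device; with the HTTP CDP reachable, Build() returns $true and no status.
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $valid = $chain.Build($leaf)
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
    }
    return $valid
}

# Usage (each function on the machine it belongs to):
#   Add-HttpCrlDistributionPoint                                        # on the AdatumCA server
#   Install-RootCaTrust -RootCertPath C:\Certs\AdatumCA.cer `
#                       -LeafCertPath C:\Certs\enrollment-point.cer     # on LON-BYOD1-B
```

Running Install-RootCaTrust with a leaf certificate before and after the CA change is a quick way to tell the two failure modes apart: an untrusted root fails chain building even without revocation checking, while a missing HTTP CDP passes trust but reports a revocation status that the device cannot determine. For a device enrolled through an enrollment package, as LON-BYOD2-B was, the package performs the same root import, so the function is only needed for devices enrolled manually.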
Question: How can you differentiate devices that are managed by On-premises MDM from devices that
are managed by the Configuration Manager agent in the Configuration Manager console?
Answer: In the Configuration Manager console, devices that are managed by On-premises MDM
are represented by a different icon compared to devices that are managed by the Configuration
Manager agent. If a device is managed by the installed agent, it is represented by a computer
icon. If the device is managed by On-premises MDM, it is represented by a mobile device icon.