Azure AD Join with automatic MDM enrollment – Deploy and upgrade operating systems
Azure AD Join with automatic MDM enrollment

You can dynamically provision Windows 10 devices using Azure AD and a Mobile Device Management (MDM) solution, such as Microsoft Intune. Once a device is enrolled into management, Microsoft Intune can deploy compliance and corporate security policies to the device in a similar way (but not the same) as Group Policy objects are used within a domain-based environment to configure computers.

MDM can be used to add or remove apps, restrict device features, and more. Through the application of MDM policies, Azure AD can block or allow access to corporate resources or applications based on the status of the device compliance.

To benefit from the cloud-based dynamic provisioning, you need the following requirements:

  • Windows 10 Pro or Windows 10 Enterprise
  • Azure AD for identity management
  • A mobile device management solution, such as Microsoft Intune

Perform Azure AD join

In a traditional domain-based environment, the protection of user identities is a major security concern. With a username and password, a malicious hacker can cause havoc on any system. For a cloud-enabled workplace, the device is also a key component of your infrastructure. In a similar way to the user, the device is another identity that you need to protect. Azure AD allows you to join Windows 10–based devices to the cloud-based directory, and you can provide management tools to keep the device healthy and safeguarded.

For some businesses, the traditional on-premises model serves them, and they may not want to (or need to) change. Azure AD works very well in the following scenarios:

Cloud-based services and resources When most of the applications and resources that the organization uses are in the cloud, such as Microsoft 365 apps (Office 365 ProPlus) or Dynamics 365, joining client devices to Azure AD can increase the usability and ease of access.

Bring Your Own Device (BYOD) Users can join their devices to your business environment. Azure AD can manage and protect resource access for Windows 10 and non-Microsoft devices, such as iPads or Android tablets, that cannot join an AD DS domain. Personal and business data can be kept separate, and business data can be wiped from the device when the device leaves (or is removed from) management.

Mobility of the workforce Many organizations have employees working remotely or from home. In settings where workers infrequently visit a traditional on-premises domain environment, opting for a cloud-based management solution could be beneficial. Azure AD and Intune support the joining and remote management of mobile devices such as laptops, tablets, and smartphones.

Users can join Windows 10 devices to Azure AD during initial Windows 10 setup, or a device can be joined at a later stage by using the Settings app. Windows 10 devices can connect to Azure AD in several ways, as follows:

  • Join a new Windows 10 device to Azure AD
  • Join an existing Windows 10 device to Azure AD
  • Register a Windows 10 device to Azure AD

Exam Tip

You can only join Windows 10 devices to Azure AD. iOS and Android devices can be registered but not joined.

Join a New Windows 10 Device to Azure AD

You can use Windows Autopilot to manage a device once it’s powered. Autopilot guides the user to enable the device to be joined to Azure AD and auto-enrolled in Microsoft Intune. However, if the organization does not use Windows Autopilot, the user can manually take a new Windows 10 device and join the device to Azure AD during the first-run experience.

If the device is running either Windows 10 Professional or Windows 10 Enterprise, the Out-Of-Box Experience (OOBE) will present the setup process for company-owned devices, which is described below.

To join a new Windows 10 device to Azure AD during the first-run experience, use the following steps:

  1. Start the new device and allow the setup process to begin.
  2. On the Let’s start with region. Is this correct? page, select the regional setting that you need and select Yes.
  3. On the Is this the right keyboard layout? page, select the keyboard layout settings and select Yes.
  4. On the Want to add a second keyboard layout? page, add a layout, or select Skip.
  5. The computer attempts to automatically connect to the internet, but if it does not succeed, you will be presented with the Let’s connect you to a network page where you can select a network connection.
  6. On the Sign in with Microsoft page, enter your organization or school account and select Next.
  7. Enter your password and select Next.

Exam Tip

If the Azure AD administrator has configured it, you might be prompted to confirm your identity using another authentication factor, such as a text message or the Authenticator app.

  8. Your device is now Azure AD joined and enrolled in Intune for MDM. Depending on settings, you will be presented with the Setting up your device for work page.
  9. On the Choose privacy settings for your device page, choose the appropriate settings and then select Accept. Device setup might continue, depending on the settings being applied to your device through MDM.
  10. Depending on organizational settings, your users might be prompted to set up Windows Hello. By default, they will be prompted to set up a PIN. When prompted to set up a PIN, select OK.
  11. In the Set up a PIN dialog box, enter the desired PIN twice and select OK. Your desktop should now display.

You should now be automatically signed in to the device and joined to your organization or school Azure AD tenant and presented with the desktop.

Join an Existing Windows 10 Device to Azure AD

In this method, you join an existing Windows 10 device to Azure AD. You can join a Windows 10 device to Azure AD at any time using the following procedure:

  1. Open the Settings app and then select Accounts.
  2. In Accounts, select the Access work or school tab.
  3. Select Connect.
  4. On the Set up a work or school account page, under Alternative actions, select Join this device to Azure Active Directory, as displayed in Figure 1-4.

Figure 1-4 Joining a device to Azure AD

  5. On the Sign in page, enter your work or school username and select Next.
  6. On the Enter password page, enter your password and select Sign in.
  7. On the Make sure this is your organization page, confirm that the details on the screen are correct and then select Join.
  8. On the You’re all set! page, select Done.
  9. To verify that your device is connected to your organization, check that your Azure AD account is listed under the Connect button and shown as connected to Azure AD.

If you have access to the Azure Active Directory portal, then you can confirm that the device is joined to Azure AD by following these steps:

  1. Sign in as global admin to the Azure portal at https://portal.azure.com.
  2. On the left navigation bar, select Azure Active Directory.
  3. In the Manage section, select Devices.
  4. Verify that the device is listed, as displayed in Figure 1-5.

Figure 1-5 Viewing joined devices in Azure AD
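The Settings app and the Azure portal both show the join state, but on a device you are troubleshooting it is often quicker to read it from the built-in dsregcmd.exe tool. The following PowerShell function is an added example, not from the book; it parses the "Name : Value" rows that dsregcmd /status prints (AzureAdJoined, DomainJoined, WorkplaceJoined, DeviceId, TenantName, MdmUrl) and reports whether the device is joined, hybrid joined, registered, and MDM enrolled. It assumes a Windows 10 device where dsregcmd.exe is available and is run in the signed-in user's context so the user-state rows are present.

```powershell
# Added example (not from the book): summarize the Azure AD join and MDM state
# of the local device by parsing the output of the built-in dsregcmd.exe tool.
function Get-AadJoinState {
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        # dsregcmd prints "Name : Value" rows; keep only the ones we need
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|WorkplaceJoined|DeviceId|TenantName|MdmUrl)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        # Hybrid join: the device is joined to both AD DS and Azure AD
        HybridJoined  = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
        # Registered (work or school account added) rather than joined
        Registered    = ($state['WorkplaceJoined'] -eq 'YES')
        # MdmUrl is only printed once the device has an MDM enrollment
        MdmEnrolled   = -not [string]::IsNullOrEmpty($state['MdmUrl'])
        DeviceId      = $state['DeviceId']
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']
    }
}

$join = Get-AadJoinState
$join | Format-List
if (-not $join.AzureAdJoined -and -not $join.Registered) {
    Write-Warning 'Device is neither joined to nor registered with Azure AD.'
}
elseif (-not $join.MdmEnrolled) {
    Write-Warning 'Device is known to Azure AD but has no MDM enrollment URL; check automatic MDM enrollment settings in Intune.'
}
```

The DeviceId value is the one to compare against the Devices list in the portal (Figure 1-5); a device that shows AzureAdJoined but no MdmUrl has completed the join but not the automatic Intune enrollment, which is the case to investigate when compliance policies are not arriving.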

Register Devices to Azure AD

You connect a Windows 10 device to Azure Active Directory using the Add Work Or School Account feature found in the Settings app. Device registration can be used to allow devices to be known by both Azure AD and MDM solutions.

Devices that are registered with Azure AD and managed by Microsoft Intune can have conditional access rules applied to them. In this way, personally owned devices can be configured so that they meet your corporate standards for security and compliance.

Use the following procedure to take an existing Windows 10 device and register it with Azure AD:

  1. Open the Settings app and click Accounts.
  2. In Accounts, select the Access work or school tab.
  3. Select Connect.
  4. On the Set up a work or school account page, displayed in Figure 1-4, enter your organizational email account, select Next, and then complete the wizard.

To verify that your device is registered to your organization or school Azure AD tenant, complete these steps.

  1. Open the Settings app and select Accounts.
  2. In Accounts, select the Access work or school tab.
  3. On the Access work or school page, verify that your organization or school Azure AD email address is listed under the Connect button.

Note Register BYO Devices to Azure AD

You can register a personally owned device with Azure AD using the Set Up A Work Or Education Account wizard. Personal devices are then known to Azure AD but are not fully managed by the organization.

The role of MDT and Configuration Manager

If your organization is predominantly managing an enterprise on-premises environment, it’s highly likely you’ll be using MDT and possibly also Configuration Manager. These tools enable you to deploy, configure, and manage Windows 10, apps, and drivers within your infrastructure. You’ll also likely be using Configuration Manager to collect data from your devices for inventory, upgrade planning, update status, and many other purposes.

Some organizations might intend to manage a hybrid infrastructure, with devices configured as part of both an on-premises Active Directory forest and enrolled in Intune. In these scenarios, you’ll need to consider which device management workloads are best handled by Intune, and which by Configuration Manager.

Implementing MDT as Part of your Deployment Strategy

MDT provides a unified collection of tools and related processes. You can use these tools and processes to implement a complete deployment solution for your on-premises environment.

Note Zero-Touch Installation

By combining MDT with Configuration Manager, you can implement zero-touch (ZTI) deployments.

Before you can use MDT, you must ensure your infrastructure meets the following requirements:

  • AD DS Provides authentication, and also joins endpoints to Active Directory during deployment.
  • Windows Server Used to host MDT deployment shares and related content.
  • Windows Assessment and Deployment Kit (Windows ADK) Provides additional capabilities during deployment.

Optionally, you can also consider integrating MDT with the following additional components:

  • Windows Deployment Services (WDS) Enables you to provide network-driven operating system deployment to bare-metal devices. Installed as a Windows Server role.
  • Windows Server Update Services (WSUS) Enables you to manage Windows updates during the deployment process. Installed as a Windows Server role.

After you’ve installed MDT on your Windows Server, you can begin to use it to support your on-premises deployments. MDT consists of the following key components:

  • Boot images These are Windows PE images used to initiate operating system deployment.

Note PXE Boot

You can start boot images on bare-metal computers using PXE network boot.

  • Operating system images These are either full source files or custom images that you import into the Workbench. Figure 1-6 displays the Deployment Workbench in MDT, with the Operating Systems folder open.

Figure 1-6 Adding operating system images in MDT

  • Applications Enables you to add any apps that you want to deploy to devices. MDT supports a wide variety of app install formats, including MSI packages, .exe files, and Universal Windows apps.
  • Drivers Used to deploy required driver updates to your devices.
  • Packages Can be used to deploy packages, such as language packs. Can also be used for Windows updates, although WSUS is usually more appropriate.
  • Task sequences Task sequences are the collection of actions performed to complete a specific job. You use predefined templates to create your task sequences. Tasks might include: Gather, Format and Partition, Inject Drivers, Apply Operating System, or Windows Update.

You must determine whether you can use MDT as part of your organization’s deployment strategy. If all your users’ devices are cloud managed, and you have little or no on-premises infrastructure, then MDT isn’t suitable for you. However, in hybrid environments, you’ll need to consider whether to use MDT, with or without Configuration Manager, or to use Intune.

Answering YES to all or most of the following questions suggests that MDT would be useful in your organization:

  • Are you mostly deploying to AD DS joined devices?
  • Do you need to deploy a standard image to your users?
  • Will many applications be part of this image?
  • Must all your devices be the same?
  • Will some of your devices be bare-metal?

However, if you can answer YES to the following questions, you might consider using Windows Autopilot to provision your devices:

  • Are you mostly provisioning devices that are NOT AD DS joined?
  • Will most of your devices have dissimilar configurations?
  • Do you intend to use Intune as a means to deploy and configure apps?
  • Do you want to use Windows Update for Business to deliver Windows 10 updates?
  • Will users have a choice about which applications they have?

Implementing Configuration Manager as Part of your Deployment Strategy

Many organizations have relied on Configuration Manager to not only manage their operating system deployments, but to act as the core of their device management strategies. Although Configuration Manager, displayed in Figure 1-7, has been around for quite a while, it still has a critical role to play, acting as a bridge between traditional and modern management. This is especially true for organizations managing hybrid devices (those joined both to Azure AD and AD DS).

Figure 1-7 The Operating System Images node in the Software Library

Configuration Manager offers a wide range of services, including the following:

  • Operating system deployment
  • Application management
  • Update and servicing management
  • Device inventory
  • Cloud management capability
  • Advanced reporting capability
  • Integration with Azure AD
  • Integration with Desktop Analytics
  • Remote control
  • User state migration

The question is, can Configuration Manager help your organization with its Windows 10 deployment strategy, or are MDT or Intune sufficient? Configuration Manager uses boot and operating system images, much like MDT. It also supports capabilities that help deliver upgrade packages, device drivers, and operating system and software updates.

Configuration Manager also uses task sequences as the means to complete a collection of actions. However, Configuration Manager extends these capabilities by supporting schedule-based deployments. This extends MDT’s lite-touch (LTI) deployment model to ZTI.

Configuration Manager uses task sequences to complete the following typical tasks:

  • Deployment of:
    • An operating system to a new or rebuilt device.
    • A Windows 10 upgrade.
  • Capturing an operating system image.
  • Migrating user state settings.

Plan upgrade and downgrade paths

In situations where organizations have an existing environment of Windows 7 and/or Windows 8.1 devices that are fully working and supported, Microsoft recommends using an in-place upgrade strategy to deploy Windows 10 to these devices.

The upgrade process takes care of updating the operating system while retaining the apps, user data, and user settings. Utilizing in-place upgrades can offer a low-risk, quick, and reliable method of transforming devices and enabling users to be productive once the upgrade has completed.

If administrators fear that an existing installation is “old” or not a reliable candidate to upgrade to Windows 10, they could redeploy the legacy operating system—complete with apps, policies, and settings—and then perform the in-place upgrade shortly afterward. Another benefit of using an in-place upgrade approach is that driver and app compatibility issues are minimized.

When planning to deploy Windows 10, you should consider whether your existing version of Windows can be directly upgraded to Windows 10. You should also consider whether you can migrate from one edition of Windows 10 to a different edition of the same release.

As long as you are running Windows 7 or a later operating system, you can upgrade to Windows 10. This includes upgrading from one release of Windows 10, such as Version 2004, to a later release, such as Windows 10 Version 20H2.

When upgrading from one version of Windows to a later version, the upgrade process can preserve personal data, settings, and applications.

In a few situations, you can perform an edition downgrade. In these situations, you should note that all personal data is maintained; however, any incompatible applications and settings will be removed.

Note Windows 10 LTSC

An in-place upgrade from Windows 7, Windows 8.1, or Windows 10 Semi-Annual Channel to Windows 10 Long-Term Servicing Channel (LTSC) version is not supported. For more information relating to Windows 10 LTSC and how it should be used, visit https://docs.microsoft.com/windows/deployment/update/waas-overview#long-term-servicing-channel.

You should review the information shown in Table 1-4, which shows the various upgrade and downgrade paths available in Windows 10. The Windows 10 Mobile and Windows 10 Mobile Enterprise editions have been omitted from the table because these versions are nearing the end of support from Microsoft at the time of this printing.

TABLE 1-4 Windows 10 upgrade and downgrade paths (columns are the destination edition)

| Starting edition |                   | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
|------------------|-------------------|-----------------|----------------|--------------------------|----------------------|-----------------------|
| Windows 7        | Starter           | X               | X              | X                        | X                    |                       |
|                  | Home Basic        | X               | X              | X                        | X                    |                       |
|                  | Home Premium      | X               | X              | X                        | X                    |                       |
|                  | Professional      | D               | X              | X                        | X                    | X                     |
|                  | Ultimate          | D               | X              | X                        | X                    | X                     |
|                  | Enterprise        |                 |                |                          | X                    | X                     |
| Windows 8.1      | (Core)            | X               | X              | X                        | X                    |                       |
|                  | Connected         | X               | X              | X                        | X                    |                       |
|                  | Pro               | D               | X              | X                        | X                    | X                     |
|                  | Pro Student       | D               | X              | X                        | X                    | X                     |
|                  | Pro WMC           | D               | X              | X                        | X                    | X                     |
|                  | Enterprise        |                 |                |                          | X                    | X                     |
|                  | Embedded Industry |                 |                |                          |                      | X                     |
|                  | Windows RT        |                 |                |                          |                      |                       |
|                  | Windows Phone 8.1 |                 |                |                          |                      |                       |
| Windows 10       | Home              | X               | X              | X                        | X                    |                       |
|                  | Pro               | D               | X              | X                        | X                    | X                     |
|                  | Education         |                 |                |                          | X                    | D                     |
|                  | Enterprise        |                 |                |                          | X                    | X                     |

When reviewing the table, use the following key:

  • X The upgrade path is supported.
  • D The downgrade path is supported.

Note Windows 10 Edition Upgrade

For organizations performing a supported upgrade from one edition of Windows 10 to another, the process is quick and easy. The new product key can be added to the device, and the device will be upgraded. There are more than 84 possible variants of the edition upgrade; some require a reboot and others allow the upgrade without a reboot. You should review the table shown on the Microsoft website at https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades.

Downgrade paths due to license expiration

Organizations with an expired or expiring volume license agreement can opt to downgrade their edition of Windows 10 to an edition with an active license. Like the options for performing an edition upgrade, if a downgrade path is supported, then the user’s apps and settings will be available in the downgraded version of Windows 10.

You cannot downgrade from any edition of Windows 10 to Windows 7, 8, or 8.1. You also cannot downgrade from a later version of Windows 10 to an earlier version of the same edition (for example, Windows 10 Pro Version 1909 to Version 1903) unless you use the built-in rollback process.

Review the supported Windows 10 downgrade paths shown in Table 1-5. If a path is not supported, then you will need to perform a clean installation.

TABLE 1-5 Windows 10 upgrade and downgrade paths (columns are the destination edition)

| Starting edition     | Home | Pro | Windows 10 Pro for Workstation | Pro Education | Education | Enterprise LTSC | Enterprise |
|----------------------|------|-----|--------------------------------|---------------|-----------|-----------------|------------|
| Home                 |      |     |                                |               |           |                 |            |
| Pro                  |      |     |                                |               |           |                 |            |
| Pro for Workstation  |      |     |                                |               |           |                 |            |
| Pro Education        |      |     |                                |               |           |                 |            |
| Education            | X    | X   | X                              |               |           |                 | S          |
| Enterprise LTSC      |      |     |                                |               |           |                 |            |
| Enterprise           |      | X   | X                              | X             | S         |                 |            |

When reviewing the table, use the following key:

  • X = The downgrade path is supported.
  • S = Supported, but path is not considered a downgrade or an upgrade.
  • [blank] = Not supported or not a downgrade option.

Note Windows 10 Enterprise Subscription Activation

For organizations using Windows 10 Enterprise Subscription Activation, if the license expires, devices will automatically revert to the original edition when the 90-day grace period expires. For example, if you originally upgrade to Windows 10 Enterprise from Windows 10 Pro, then the device will revert to Windows 10 Pro. If you want to downgrade from Windows 10 Enterprise to Windows 10 Pro for Workstations, Pro Education, or Education editions, you must obtain an additional activation key, which will supersede the original firmware-embedded Windows 10 Pro key.

Upgrading from Windows 10 in S Mode

If you have devices that ship with Windows 10 in S Mode, the edition of Windows can be upgraded at any time using the Microsoft Store. The switch from S Mode to Windows 10 Home, Pro, Pro Education, or Enterprise is a one-time switch, and the device cannot be reverted to Windows 10 in S Mode without a complete wipe and reload of the operating system.

Table 1-6 shows several methods you can use to switch devices out of Windows 10 in S Mode.

TABLE 1-6 Windows 10 in S Mode switch methods

| Tool            | Description                                                                                                             |
|-----------------|-------------------------------------------------------------------------------------------------------------------------|
| Settings app    | Unless it’s been disabled, this app allows you to configure one device at a time.                                       |
| Microsoft Store | Unless it’s been disabled, the Microsoft Store allows you to configure one device at a time; a Microsoft account is required. |
| Microsoft Intune | Allows you to configure a group of devices that are known to Azure AD.                                                 |

To switch one device at a time, you can use the Settings app and then perform Activation on the device. Alternatively, a user with a Microsoft account can use the Microsoft Store.

Organizations can use the following procedure to switch multiple devices in bulk using Microsoft Intune:

  1. Open the Microsoft Endpoint Manager admin center and sign in with a global administrator account.
  2. In the navigation pane, select Devices.
  3. Then select Configuration profiles.
  4. On the Configuration profiles page, select Create profile.
  5. On the Create a profile blade, in the Platform list, select Windows 10 and later.
  6. In the Profile type list, select Templates; then select Edition upgrade and mode switch.
  7. Select Create.
  8. In the Edition upgrade and mode switch wizard, on the Basics tab, enter a name and description, and then select Next.
  9. On the Configuration settings tab, expand the Mode switch (Windows Insider Only) list.
  10. In the Switch out of S mode list, displayed in Figure 1-8, select Switch, and then select Next.

Figure 1-8 Select Edition Upgrade And Mode Switch settings

  11. On the Assignments tab, define the groups to which you want to assign the profile, and then select Next.
  12. On the Applicability Rules tab, define any filtering rules you want to use. These determine specific operating system editions that are affected by the profile. Select Next.
  13. On the Review + create tab, select Create. The profile is created.

Note Block Switching out of Windows 10 In S Mode

You can control which devices or users can switch out of Windows 10 in S Mode by using Group Policy. Review the GPO at Device Configuration\Profiles\Windows 10 And Later\Edition Upgrade And Mode Switch In Microsoft Intune.

Manage in-place upgrades

In previous versions of Windows, you could use several tools to help you assess, perform, and manage the task of upgrading to a new operating system. These include the Microsoft Assessment and Planning (MAP) toolkit and the Application Compatibility Toolkit (ACT), which are included in the Windows Assessment and Deployment Kit (Windows ADK). These tools assist in discovering applications and device drivers and then testing them for potential compatibility issues with the new OS. All these tools and processes require specialist knowledge and often add significant time and cost to the rollout project.

Many large enterprises use Configuration Manager, which is a powerful, yet complex, tool to manage devices, apps, and upgrades within an organization. Configuration Manager (Current Branch) continues to be supported by Microsoft and can be used to upgrade a Windows 7 or later operating system to Windows 10.

Plan app compatibility

Generally speaking, applications designed to work with Windows 7 will work well with Windows 10. However, applications designed to work with Windows XP might well manifest installation or runtime problems. This is primarily because the operating system architecture and the security model for Windows XP differs from that used by all subsequent versions of Windows. If you’re still using older applications, you’ll need to create an inventory of those apps, and test their compatibility with Windows 10.

If you encounter problems when running older apps with Windows 10, use the following high-level procedures to attempt to resolve most common issues:

  • Run as administrator Most Windows XP-designed apps expect that all local users are administrators. This is no longer the case. But by running as administrator, you can provide a familiar context for your legacy apps.
  • Make sure all application dependencies are installed An older application might require a Windows component that is not installed.
  • Use the Application Compatibility Toolkit (ACT) to resolve runtime issues This toolkit is part of the Windows ADK. It provides the Standard User Analyzer tool and the Compatibility Administrator. If your application doesn’t work properly, load the Compatibility Administrator and run the application within it. Then apply mitigations until the app runs successfully.

Exam Tip

You can use the Compatibility Administrator to create an application fix, sometimes referred to as a shim. This is a file with an SDB extension. You apply the fix to other instances of the installed app by using the sdbinst.exe command-line tool.

  • Correct restrictive AppLocker policy settings in Group Policy If you find a policy that prohibits the application from running, either remove the policy, or else disable the specific blocking rule.
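Before removing a policy or relaxing a rule for a legacy app, it is worth confirming exactly which AppLocker rule blocks it and which compatibility shims are already installed on the machine. The following PowerShell is an added example, not from the book: Test-LegacyAppAllowed evaluates a file against the effective AppLocker policy (the merged local and domain policy the machine actually enforces) and reports the matching rule, so you can disable that single blocking rule as the text recommends rather than the whole policy; Get-InstalledShimDatabase lists the SDB files registered by sdbinst.exe, which is useful both when tracking the fixes you have deployed and as a routine audit, since shims are applied silently whenever the target app starts. The app path and user name are placeholders; the registry location is the InstalledSDB key that sdbinst.exe writes to.

```powershell
# Added example (not from the book): two checks to run before changing policy for a legacy app.
# Assumes Windows 10 with the built-in AppLocker PowerShell cmdlets; run as an administrator.

function Test-LegacyAppAllowed {
    param(
        [Parameter(Mandatory)] [string] $AppPath,   # placeholder path to the executable
        [string] $User = 'Everyone'                 # user or group the app will run as
    )
    # -Effective returns the policy as it is actually applied (local + Group Policy)
    $policy = Get-AppLockerPolicy -Effective
    # The decision object names the rule that allowed or denied the file
    Test-AppLockerPolicy -PolicyObject $policy -Path $AppPath -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-InstalledShimDatabase {
    # sdbinst.exe registers each installed application fix under this key
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            DatabaseGuid = $_.PSChildName
            Description  = $p.DatabaseDescription
            Path         = $p.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME stored as a 64-bit value
            Installed    = if ($p.DatabaseInstallTimeStamp) {
                               [datetime]::FromFileTime($p.DatabaseInstallTimeStamp)
                           } else { $null }
        }
    }
}

# Placeholder inputs: replace with the legacy app's path and the affected user
Test-LegacyAppAllowed -AppPath 'C:\LegacyApps\inventory.exe' -User 'CONTOSO\jsmith'
Get-InstalledShimDatabase | Format-Table -AutoSize
```

A PolicyDecision of Denied together with the MatchingRule name tells you which rule to adjust in Group Policy; a shim database that nobody on the team recognizes in the InstalledSDB list is worth investigating before the machine is upgraded, and can be removed with sdbinst.exe -u once confirmed.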

If your app doesn’t work, and you’ve tried adding dependencies, and repairing or reinstalling the app, you might need to consider one of the following approaches:

  • Update the app Download application updates from the software vendor, and apply those.
  • Upgrade the app If updates don’t work, or aren’t available, consider upgrading to a more recent version of the app.
  • Consider virtualizing the app If the app works on Windows XP, consider creating a Windows XP virtual machine, and running the app on that VM.
  • Use RemoteApp apps In an on-premises environment, consider deploying Remote Desktop Services (RDS) and then installing and publishing the app in an RDS collection. Users launch RemoteApp apps by selecting them from Start like any other app. But the apps actually run on the configured RDS server.
  • Implement Windows Virtual Desktop Providing a similar functionality to RDS, you can use Azure to host your virtualized apps.
  • Replace the app If all else fails, you might need to consider finding a replacement app. Make sure you consult with your users about the required functionality. What we in IT consider to be a better app might not provide the specific function the users require.

Note In-Place Upgrades and Legacy Apps

When you perform in-place upgrades, applications and their related data and settings are retained. Sometimes, by performing in-place upgrades rather than migrations to Windows 10, you can avoid legacy application installation issues.