Adding a Microsoft Store Application

There may be times when you need to add a Microsoft Store application to the App Rules list. The following steps will show you how to complete this task:

  1. In the App Rules area (see Figure 14.7), click Add. The Add App Rule box appears.
  2. In the Title box, add a name for the app. In this example, it’s Microsoft OneNote.
  3. From the Windows Information Protection Mode drop-down list, choose Allow to turn WIP on to help protect that app’s company data.
  4. Select Store App from the Rule Template drop-down list. The box will change to show the store app rule options.
  5. Type the name of the app and the name of its publisher, and then click OK. For this UWP app example, the publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the product name is Microsoft.Office.OneNote.

FIGURE 14.7 Create Configuration Item Wizard – Add App Rule

6. After configuring the policy, you can review all of the settings by looking at the Summary screen. Click Summary to review the policy choices and then click Next to finish and save the policy.

WIP File Behavior

Files and apps can be categorized as either work or personal. Where you get the file and where you save new files determines whether files are protected by WIP.

When working with existing files:

■ If you get a file from a corporate location, it will automatically be WIP-protected.

■ If you get it from a personal location, it will not be WIP-protected.

When saving new files:

■ If you save it to a corporate location, it will be WIP-protected.

■ If you save it to a personal location, it will not be WIP-protected.

Enlightened apps also provide the option when saving a file to specify whether it’s corporate-related or personal. However, if you store a work file to a personal location, WIP gives you the option of saving it as a personal file or saving it at a different location.

Determine the Enterprise Context of an App

You can check the context of an app on your machine by using Windows Task Manager. But you must first activate the Enterprise Context column in Task Manager. To activate the column, perform the following:

  1. Open Task Manager and, if you aren’t already in the detail view, click More Details.
  2. Select the Details tab.
  3. Right-click in the column heading area and then click Select Columns.
  4. Scroll down, select the Enterprise Context option, and then click OK to close the box. The Enterprise Context column will now be visible in Task Manager.

The Enterprise Context column displays what each app can do with your corporate data:

Domain If your domain is displayed, the app is running in corporate-related mode and protects the content the app is currently accessing.

Personal If Personal is displayed, the app is running in personal mode and can’t touch any work data or resources.

Exempt If Exempt is displayed, the app is running in trusted mode and WIP policies are bypassed.

Monitor WIP Events

A device protected by WIP will generate different events that are saved to the event log on the local machine. WIP will create audit events in the following situations:

■ A user changes the File Ownership of a file from corporate to personal data.

■ Data marked as corporate data is shared to a personal app or web page. This can happen through copy and paste, drag and drop, sharing a contact, uploading to a personal web page, or when the user grants a personal app temporary access to a protected file.

■ An app has custom audit events.

You can use Windows Event Forwarding to collect the WIP audit events and then view those events using Event Viewer.

Changing File Ownership

It is possible to change the file ownership using Windows Explorer. You simply check File Ownership and change it from Personal to Work, or vice versa. When you perform this operation, it will be saved to the event log.
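The audit events listed under Monitor WIP Events, and the ownership change logged here, can be pulled with PowerShell instead of being browsed in Event Viewer. The script below is an added example, not code from the book. It assumes the WIP audit channels are the ones Microsoft documents for WIP auditing (Microsoft-Windows-EDP-Audit-TCB/Admin and Microsoft-Windows-EDP-Audit-Regular/Admin) and that, on a Windows Event Forwarding collector, forwarded events land in the ForwardedEvents log; the provider-name filter used for the collector is likewise an assumption. Confirm the channel names with Get-WinEvent -ListLog *EDP* on your build before relying on them.

```powershell
# Added example (not from the book): report Windows Information Protection audit events,
# either from the local WIP audit channels or from a Windows Event Forwarding collector.
# Assumption: channel names follow Microsoft's WIP auditing documentation; verify locally.

function Get-WipAuditEvent {
    [CmdletBinding()]
    param(
        # Look back this many hours (default: one day).
        [int]$Hours = 24,
        # Set when running on the WEF collector, where subscribed events arrive in ForwardedEvents.
        [switch]$FromCollector
    )

    $since = (Get-Date).AddHours(-$Hours)

    if ($FromCollector) {
        $logs = @('ForwardedEvents')
    } else {
        $logs = @('Microsoft-Windows-EDP-Audit-TCB/Admin',      # assumed channel name
                  'Microsoft-Windows-EDP-Audit-Regular/Admin')  # assumed channel name
    }

    foreach ($log in $logs) {
        # Get-WinEvent raises an error when a log holds no matching events; for a report
        # an empty window is a normal result, so that error is suppressed.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            # On a collector the log mixes many sources; keep only the WIP (EDP) provider.
            # Provider-name pattern is an assumption; adjust after inspecting one event.
            Where-Object { -not $FromCollector -or $_.ProviderName -like '*EDP*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $log
                    EventId = $_.Id
                    Machine = $_.MachineName
                    User    = $_.UserId
                    # First line of the message only, so the table stays readable.
                    Message = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

# Usage: last seven days on the local device, newest first, then a count per event ID so
# ownership changes (corporate -> personal) and data-sharing events stand out.
$events = Get-WipAuditEvent -Hours (7 * 24)
$events | Sort-Object Time -Descending | Format-Table -AutoSize
$events | Group-Object EventId | Select-Object Name, Count | Sort-Object Count -Descending

# On the collector, the same report over forwarded events from every subscribed device:
# Get-WipAuditEvent -Hours 24 -FromCollector | Group-Object Machine | Select-Object Name, Count
```

Reading the audit channels needs an elevated session or membership in Event Log Readers. Grouping by event ID first, and only then reading individual messages, is the quickest way to spot a device or user generating an unusual volume of ownership changes.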

Creating a Configuration Item for WIP – Hybrid Data and Servers

To create a configuration item for WIP, follow these steps:

  1. Open the SCCM console, click the Assets And Compliance node, expand the Overview node, expand the Compliance Settings node, and then expand the Configuration Items node (see Figure 14.3).

FIGURE 14.3 System Center Configuration Manager console

2. Click the Create Configuration Item button. The Create Configuration Item Wizard will start (see Figure 14.4).

FIGURE 14.4 Create Configuration Item Wizard

3. On the General Information page, type a name (required) and a description (optional) for the policy into the Name and Description boxes.

4. In the Specify The Type Of Configuration Item That You Want To Create area, select the option that represents whether you’d like to use SCCM for device management, and then click Next. The options are as follows:

■ Settings For Devices Managed With The Configuration Manager Client: Windows 10

■ Settings For Devices Managed Without The Configuration Manager Client: Windows 8.1 and Windows 10

5. On the Supported Platforms page (see Figure 14.5), click the Windows 10 box, and then click Next.

FIGURE 14.5 Create Configuration Item Wizard – Supported Platforms

6. On the Device Settings page (see Figure 14.6), click Windows Information Protection, and then click Next.

FIGURE 14.6 Create Configuration Item Wizard – Device Settings

7. The Configure Windows Information Protection settings page appears, where you can configure a policy for the company.

When you create a process in SCCM, you can choose the apps that will be granted access to corporate data via WIP. Apps on the list can protect and restrict data from being copied or moved to unapproved apps.

The steps to add app rules are based on the type of rule template that is being applied.

You can add the following:

■ Store app (known as a Universal Windows Platform [UWP] app)

■ Signed Windows desktop app

■ AppLocker policy file

In the following sections, we will be adding Microsoft OneNote, which is a store app, to the App Rules list.

Add an App Using Intune – Hybrid Data and Servers

This is an example of how to use Intune to add and assign an app for your corporate users. You will first want to sign in to the Microsoft Endpoint Manager admin center as a global administrator or an Intune Service administrator. Perform these steps to add an app to Intune:

  1. Sign in to Microsoft Endpoint Manager admin center and select Apps > All Apps > Add.
  2. From the App Type drop-down list, select Windows 10.
  3. Click Select. The Add App steps are displayed.
  4. Confirm the default details in the App Suite Information step and click Next.
  5. Confirm the default settings in the App Settings step and click Next.
  6. Select the group assignments for the app.
  7. Click Next to display the Review + Create page. Review the values and settings you entered for the app.
  8. When you are done, click Create to add the app to Intune.

Assign the App to a Group

Once you have added an app using Microsoft Intune, you can assign the app to additional groups of users or devices.

Perform these steps to assign an app to a group:

  1. In Intune, select Apps > All Apps.
  2. Select the app that you want to assign.
  3. Click Properties. Next to Assignments click Edit.
  4. Click Add Group in the Required section. The Select Group pane is displayed.
  5. Find the group that you want to add and click Select at the bottom of the pane.
  6. Click Review + Save > Save to assign the group.

You now have assigned the app to an additional group.

Install the App on the Enrolled Device

Your end users must install and use the Company Portal app to install an app that is available in Intune. Here are the steps:

  1. Log into the enrolled Windows 10 Desktop device. The device must be enrolled with Intune and must be signed in using an account contained in the group that was assigned to the app.
  2. From the Start Menu, open the Microsoft Store. Then, find the Company Portal app and install it.
  3. Launch the Company Portal app.
  4. Click the app that you added using Intune.
  5. Click Install.

Protecting Enterprise Data Using Windows Information Protection

Information protection in today’s cybersecurity settings consists of four parts:

■ Device Protection: Protect system and data when a device is lost or stolen.

■ Data Separation: Containment and data separation.

■ Leak Protection: Prevent unauthorized users and apps from accessing and leaking data.

■ Sharing Protection: Protect data when shared with others, or shared outside of corporate devices and control.

Windows Information Protection (WIP) helps protect corporate data in a world that is increasingly becoming a Bring Your Own Device (BYOD) environment. Since many organizations are allowing employees to connect their own devices to their network, the possibility of corporate data being compromised because of non-corporate programs running on these personal devices is increasing. WIP helps protect information by separating corporate applications and corporate data from being disclosed by personal devices and personal applications.

WIP was previously known as Enterprise Data Protection (EDP). WIP is a built-in Windows 10/11 feature that allows you to maintain and monitor company data separate from any personal data that is on a user’s device.

WIP aids in protecting against possible data leaks and protects enterprise apps and data on both enterprise-owned and personal devices without interfering with the user’s experience while on the corporate network. Users do not need to open any special apps or enter into any specific modes in order for WIP to work. Users just use apps that they are used to and WIP will provide the data protection.

Besides separating corporate and personal data, WIP can also determine which users and apps have access to particular data and can determine what users are allowed to do with that corporate data. For example, you have the ability to stop a user from copying corporate data from an approved app and pasting that data into another unapproved app.

The WIP Intune policy maintains a list of protected apps, corporate network locations, the levels of protection granted, and the encryption settings. WIP provides the following:

■ Allows you to track issues and find corrective actions by using audit reports.

■ Integrates with existing management systems to deploy, configure, and manage WIP. Management systems can include Microsoft Intune, Microsoft Configuration Manager (MCM), or an MDM.

■ Provides added protection for present line-of-business apps without needing to update any apps.

■ Provides the capability to remove corporate data from Intune MDM–enrolled devices while, at the same time, not touching the personal data on a device.

■ Separates personal data from corporate data, without the need for the user to change apps or settings.

You can set a WIP policy with a different level of protection and management modes. There are four protection and management modes (see Figure 14.2):

■ Block: Prevents users from engaging in unauthorized actions, such as copying and pasting corporate data. WIP looks for unacceptable data sharing and stops the user from going any further.

■ Override: Alerts users whenever they try to execute an unauthorized action. The user can ignore the warning and proceed with the unauthorized action; however, WIP will log the event in its audit log where you can review it later.

■ Silent: Runs in the background, tracking the user’s actions with no indicator of an unauthorized action and logging any inappropriate data sharing. However, if an action is blocked, the action will be prevented as usual.

■ Off: WIP is disabled and provides no protection or auditing.

FIGURE 14.2 Configure Windows Information Protection Settings

Windows Autopilot Reset

Takes the device back to a business-ready state by:

■ Removing personal files, apps, and settings

■ Reapplying a device’s original settings

■ Setting the region, language, and keyboard to the original values

■ Maintaining the device’s identity connection to Azure AD

■ Maintaining the device’s management connection to Intune

The Autopilot Reset process automatically keeps information from the existing device:

■ Wi-Fi connection details

■ Provisioning packages previously applied

■ A provisioning package present on a USB drive when the reset process is started

■ Azure AD device membership and MDM enrollment information

When Autopilot Reset is used on a device, the device’s primary user will be removed and the next person who signs in after the reset will become the new primary user.

Autopilot Reset does not support Hybrid Azure AD joined devices; a full device wipe will be required. Once a hybrid device goes through a full device reset, it may take up to 24 hours for it to be ready to be deployed.

Pre-provisioning

This was once referred to as the Autopilot White Glove feature, but it has been renamed to Windows Autopilot for pre-provisioned deployment. The provisioning process is split, with the time-consuming portions being done by IT administrators, partners, or OEMs (this is called the technician flow). The end user then applies only a few necessary settings and policies before they can begin using their device (this is called the user flow). Autopilot for pre-provisioned deployment supports two distinct scenarios:

User-Driven Deployments with Azure AD Join The device will be joined to an Azure AD tenant.

User-Driven Deployments with Hybrid Azure AD Join The device will be joined to an on-premises Active Directory domain and separately registered with Azure AD.

Each scenario consists of two parts: a technician flow and a user flow.

Support for Existing Devices

Autopilot for existing devices only supports user-driven Azure AD and Hybrid Azure AD profiles. Self-deploying and pre-provisioning profiles are not supported.

Windows Autopilot Devices

Devices that have been registered with the Autopilot service are displayed in the Admin Center, as shown in Figure 14.1, under Devices > Enroll Devices > Windows Enrollment > Windows Autopilot Deployment Program > Devices.

Devices that are listed in Intune under Devices > Windows | Windows Devices are not the same as Windows Autopilot devices (Devices > Enroll Devices > Windows Enrollment > Windows Autopilot Deployment Program | Devices).

Windows Autopilot devices are added to the list of Windows devices when both of the following are complete:

■ The Autopilot registration process is successful.

■ A licensed user has signed in on the device.

Planning for Secure Applications Data on Devices

As you plan and prepare the secure applications data on devices, keep in mind the following:

Configuring Managed Apps for Mobile Application Management

Sometimes the assumption is made that MDM is the same as MAM. However, that is not necessarily the case. MDM is more about controlling devices whereas MAM is concerned with your company applications and data.

MAM is software that protects and enables you to control company applications on your end users’ devices. It allows you to apply and enforce policies on apps and limit the sharing of corporate data. It also allows you to separate corporate from personal data on these devices.

MAM Basics

Intune MAM refers to the suite of Intune management features that allow you to publish, push, configure, secure, monitor, and update mobile apps to your users. It allows you to manage and protect your company data within an application. Intune MAM supports two configurations:

Intune MDM + MAM You can manage apps using MAM on devices that are enrolled with Intune MDM. Users should use Intune in the Microsoft Endpoint Manager admin center.

Unenrolled Devices with MAM Managed Applications You can manage corporate data and accounts in apps using MAM on unenrolled devices or devices enrolled with third-party enterprise mobility management (EMM) providers. Users should use Intune in the Microsoft Endpoint Manager admin center.

Planning for Secure Applications Data on Devices

Most app- related information can be found in the Apps workload. You can find this by signing into the Microsoft Endpoint Manager admin center and selecting Apps. The apps workload provides links to access common app information and functionality. The top of the App workload navigation menu provides commonly used app details:

Overview Allows you to view the tenant name, MDM authority, tenant location, account status, app installation status, and app protection policy status.

All Apps Displays a list of all available apps and their statuses.

Monitor Apps There are a few options under this section:

App Licenses You can view, assign, and monitor volume-purchased apps from the app stores.

Discovered Apps You can view apps that were assigned by Intune or installed on a device.

App Install Status You can view the status of an app assignment that you created.

App Protection Status You can view the status of an app protection policy for a selected user.

By Platform You can select these platforms to view the available apps by platform: Windows, iOS, macOS, and Android.

Policy There are a few options under this section:

App Protection Policies Choose this option to associate settings with an app and help protect the company data it uses.

App Configuration Policies Choose this option to supply settings that might be required when a user runs an app.

iOS App Provisioning Profiles iOS apps include a provisioning profile and code that is signed by a certificate. When the certificate expires, the app can no longer be run. Intune gives you the tools to assign a new provisioning profile policy to devices that have apps that are nearing expiration.

S Mode Supplemental Policies Choose this option to authorize additional applications to run on your managed S mode devices.

Policies for Office apps Choose this option to create mobile app management policies for Office mobile apps that connect to Microsoft 365 services.

Policy Sets Choose this option to create an assignable collection of apps, policies, and other management objects that you have built.

Other There are a few options under this section:

App Selective Wipe Choose this option to remove only corporate data from a selected user’s device.

App Categories You can add, pin, and delete app category names.

E-books Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in your company.

Help and Support Choose this to troubleshoot, request support, or view Intune status.

Autopilot Benefits – Hybrid Data and Servers

Administrators used to spend hours upon hours building and customizing images that would later be used to deploy devices. But with Autopilot, you do not need to reimage or manually set up new devices before giving them to your end users.

Devices can be shipped to your users directly from the vendor. It only takes a few simple actions to make the device ready to use. The end user just connects to the network and verifies their credentials. Beyond that, everything else is automated by Autopilot. Here are some of the key benefits:

Easy Device Setup Users connect their devices to the Internet and answer some quick setup questions, and Autopilot installs all preconfigured user, device, and app policies.

Increased Employee Satisfaction Devices configured with Autopilot provide users with an easy login experience that reduces the need for tech support.

Saves Time and Resources Instead of setting up devices, you can create a customized OOBE of preconfigured apps and settings, and then deploy them to users’ devices using the cloud.

Ability to Use the Device Anywhere Devices configured using Autopilot can be shipped anywhere and set up wherever. The user only needs an Internet connection.

Autopilot Prerequisites

Autopilot relies on specific capabilities that are available in Windows 10/11, Azure AD, and MDM services. Let’s take a look at the requirements for Autopilot.

Software Requirements

In order to use Autopilot, a supported version of Windows 11 or Windows 10 semiannual channel is required.

Networking Requirements

The network requirements depend on various Internet- based services. Access to these services must be provided for Autopilot to function properly:

■ Ensure DNS name resolution for Internet DNS names

■ Allow access to all hosts through ports 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
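A pre-flight check of those two requirements, written as an added example that is not from the book: it resolves a set of Internet names, tests TCP 80 and 443 against them, and asks the Windows Time service to sample an NTP server over UDP 123. The host names are constructed placeholders (the text names no specific endpoints), so substitute the service endpoints your tenant depends on; the parsing of w32tm output assumes its usual "time, offset" line format.

```powershell
# Added example (not from the book): verify the Autopilot networking prerequisites
# (Internet DNS resolution; TCP 80/443; UDP 123 NTP) from the device being deployed.
# Host names below are placeholders, not Microsoft service endpoints.

function Test-AutopilotNetworkPrereq {
    [CmdletBinding()]
    param(
        [string[]]$WebHosts = @('www.example.com', 'example.net'),   # placeholders
        [string]$NtpServer = 'time.windows.com'                       # Windows default time source
    )

    $web = foreach ($h in $WebHosts) {
        # 1. DNS: the device must resolve Internet names through its configured resolver.
        $dnsOk = $false
        try {
            $null = Resolve-DnsName -Name $h -Type A -ErrorAction Stop
            $dnsOk = $true
        } catch { }

        # 2. TCP 80 and 443: -InformationLevel Quiet makes Test-NetConnection return a
        #    plain $true/$false for whether the TCP handshake completed. Skipped when DNS
        #    failed, since the probe could not target the right host anyway.
        $tcp80  = $dnsOk -and (Test-NetConnection -ComputerName $h -Port 80  -InformationLevel Quiet -WarningAction SilentlyContinue)
        $tcp443 = $dnsOk -and (Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)

        [pscustomobject]@{ Host = $h; DnsResolves = $dnsOk; Tcp80 = $tcp80; Tcp443 = $tcp443 }
    }

    # 3. UDP 123: Test-NetConnection only probes TCP, so request one NTP sample through
    #    w32tm. A successful sample prints "hh:mm:ss, +00.0123456s"; a blocked port prints
    #    "hh:mm:ss, error: 0x..." instead (assumed output format).
    $ntpOut = & w32tm.exe /stripchart /computer:$NtpServer /samples:1 /dataonly 2>&1
    $ntpOk  = (($ntpOut -join "`n") -match ',\s*[+-]\d')

    $webFailures = @($web | Where-Object { -not ($_.DnsResolves -and $_.Tcp80 -and $_.Tcp443) })

    [pscustomobject]@{
        Web       = $web
        NtpUdp123 = $ntpOk
        AllPassed = ($ntpOk -and $webFailures.Count -eq 0)
    }
}

# Usage: run from an elevated PowerShell on the freshly unboxed device (or a device on the
# same network segment) before handing it to the user.
$check = Test-AutopilotNetworkPrereq
$check.Web | Format-Table -AutoSize
"NTP over UDP 123 reachable : $($check.NtpUdp123)"
"All prerequisites passed   : $($check.AllPassed)"
```

Run it from the same network segment, and ideally the same VLAN and proxy configuration, that new devices will use during OOBE; a check from an administrator’s workstation on a different segment says nothing about the path the device will actually take.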

Licensing Requirements

Autopilot depends on specific capabilities available in Windows 10/11 and Azure AD and an MDM service such as Microsoft Intune. One of the following subscriptions is required:

■ Microsoft 365 Business Premium subscription

■ Microsoft 365 F1 or F3 subscription

■ Microsoft 365 Academic A1, A3, or A5 subscription

■ Microsoft 365 Enterprise E3 or E5 subscription, which includes all Windows 10, Microsoft 365, and Enterprise Mobility and Security (EM+S) features (Azure AD and Intune)

■ Enterprise Mobility + Security E3 or E5 subscription

■ Intune for Education subscription

■ Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service)

According to Microsoft, the following subscriptions are also recommended, but not required:

■ Microsoft 365 Apps for Enterprise (formerly Office 365 Pro Plus)

■ Windows Subscription Activation, to automatically upgrade devices from Windows 10 Pro to Windows 10 Enterprise

Configuration Requirements

Before Autopilot can be used to support common Autopilot scenarios, the following configuration tasks must be done:

■ Configure Azure AD automatic enrollment.

■ Configure Azure AD custom branding.

■ Enable Windows Subscription Activation.

Some scenarios have other requirements. There are typically two tasks that should be done:

■ Device registration: Devices must be added to Autopilot to support most Autopilot scenarios.

■ Profile configuration: Once devices have been added to Autopilot, a profile of settings must be applied to each device.

Autopilot Profiles

Autopilot profiles control how Windows is installed on user devices. The profiles contain settings that are automatically set and optional settings that you can configure manually. Automatically set options include the following:

Skip Cortana, OneDrive, And OEM Registration This option will skip the installation of apps such as Cortana and OneDrive.

Sign-in Experience With Your Company Brand If you have an “Add your company branding to Microsoft 365 Sign-In page,” then the device will get that experience when signing in.

MDM Auto-enrollment With Configured AAD Accounts The user identity will be managed by Azure AD. The user will log in using their Microsoft 365 Business Premium credentials.

Manually set options include:

Skip Privacy Settings (Off by Default) If this is set to On, the user will not see the license agreement for the device and Windows when they first sign in.

Don’t Allow The User To Become The Local Admin If this is set to On, the user will not be able to install any personal apps.

Deployment Scenarios

You have several ways to deploy Autopilot:

■ User-driven mode

■ Self-deploying mode

■ Windows Autopilot Reset

■ Pre-provisioning

■ Support for existing devices

User-Driven Mode

Autopilot user-driven mode allows you to configure new Windows devices to automatically transform them from their factory state to a ready-to-use state. This process doesn’t require that an administrator even touch the device. The devices can be shipped or distributed to the end user directly with the following instructions:

  1. Unbox the device, plug it in, and turn it on.
  2. Choose a language, locale, and keyboard.
  3. Connect the device to a wireless or wired network with Internet access.
  4. Specify your corporate email address and password.

The rest of the process is automated. The device will automatically:

  1. Join the organization.
  2. Enroll in Intune (or another MDM service).
  3. Get configured as defined by your company.

Self-Deploying Mode

Self-deploying mode is very similar to user-driven mode. This mode allows you to deploy a device with little to no user interaction. For devices with an Ethernet connection, no user interaction is required. However, for devices connected using Wi-Fi, the user must only:

■ Choose the language, locale, and keyboard

■ Make a network connection

Self-deploying mode provides the following:

■ Joins the device to Azure Active Directory

■ Enrolls the device in Intune (or another MDM service) using Azure AD for automatic MDM enrollment

■ Makes sure that all policies, applications, certificates, and networking profiles are provisioned on the device

■ Uses the Enrollment Status Page to prevent access until the device is fully provisioned

Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure AD.

Policy Settings Using Basic Mobility and Security (Microsoft 365) – Hybrid Data and Servers

In Microsoft 365, the Basic Mobility and Security service provides a built-in MDM solution that provides the core device management features.

The Basic Mobility and Security service is hosted by the Intune service and contains a subset of Intune services. Even though it has some of the features used by Intune, according to Microsoft, it’s not an “Intune-lite” solution.

You can use Basic Mobility and Security to manage many types of mobile devices. Each person must have an applicable Microsoft 365 license, and their device must be enrolled in Basic Mobility and Security. Once the devices are enrolled, you can manage, block access to, and even wipe the devices.

When you create policies or profiles, they can only be deployed by assigning them to groups of users. You can’t directly assign a policy to a specific user or to an individual device. The user will receive an enrollment message on their device, and once they have completed the enrollment, then their device will be constrained by the policies that you set. Then, using the MDM management tool, you can monitor the policy deployment.

Using Basic Mobility and Security, you can manage these mobile device settings:

Organizationwide Device Access Settings You can specify whether you want to allow or deny access to Exchange mail for devices that are not supported by Basic Mobility and Security and which groups should be excluded from access control.

Device Security Policies You can use these policies to protect devices from unauthorized access. These policies include password settings, encryption settings, managing email profile settings, and settings that control the use of device features, such as Bluetooth and videoconferencing.

Many MDM solutions help protect organizational data by making sure that users and devices meet specific requirements. These are known as compliance policies and act as the rules and settings that users and devices must meet in order to be compliant. When you pair them with Conditional Access requirements, you can deny users and devices that do not meet your rules. You can use some of these policies to help affect the entire Microsoft 365 experience:

Compliance Microsoft uses the default compliance rules that are built into Configuration Manager for mobile devices, but also offers configuration items (CIs) and built-in compliance rules whose values are based on Microsoft’s digital security requirements. Microsoft has created a configuration baseline for those CIs and targeted the configuration baseline to mobile devices.

Messaging The default policies for Exchange align policy settings between Exchange ActiveSync (EAS) and MDM.

Security The default policies enforce Microsoft corporate compliance settings on mobile devices, such as password policy and encryption settings.

Policy Settings Using Microsoft Intune

Microsoft Intune is a cloud- based service that focuses on MDM and MAM. With Intune, you can control how your mobile devices are used. It also allows you to configure specific policies that control applications using MAM.

Intune allows you to control how mobile devices are used, whether it’s a corporate-owned or a personal device. On personal devices, Intune can help ensure that corporate data is protected, and it can also isolate the corporate data from personal data. Intune allows you to manage multiple devices per person, regardless of the different platforms that run on the different devices. In Intune, users will see a dialog box that tells them about the policies. They can then select to allow or cancel device enrollment.

You can manage the same settings in Microsoft Intune as in Basic Mobility and Security as well as other settings:

■ Application deployment, configuration policies, and protection policies

■ Conditional Access

■ Device compliance policies

■ Device configuration policies

■ Device enrollment and restrictions

■ Software updates, which include Windows 10/11 update rings and update policies for iOS

While Basic Mobility and Security is part of the Microsoft 365 plans, Microsoft Intune is a stand-alone product included with certain Microsoft 365 plans. Table 14.1 identifies which plans provide the MDM solution.

TABLE 14.1 Microsoft 365 plans

Plan                               Basic Mobility and Security   Microsoft Intune
Microsoft 365 Apps                 Yes                           No
Microsoft 365 Business Basic       Yes                           No
Microsoft 365 Business Standard    Yes                           No
Office 365 E1                      Yes                           No
Office 365 E3                      Yes                           No
Office 365 E5                      Yes                           No
Microsoft 365 Business Premium     Yes                           Yes
Microsoft 365 Firstline 3          Yes                           Yes
Microsoft 365 Enterprise E3        Yes                           Yes
Microsoft 365 Enterprise E5        Yes                           Yes
Microsoft 365 Education A1         Yes                           Yes
Microsoft 365 Education A3         Yes                           Yes
Microsoft 365 Education A5         Yes                           Yes
Microsoft Intune                   No                            Yes
Enterprise Mobility & Security E3  No                            Yes
Enterprise Mobility & Security E5  No                            Yes

Understanding AutoPilot

Windows Autopilot is a set of programs that helps simplify and streamline bulk deployment, setup, and configuration of devices. Autopilot allows you to truly have a zero-touch installation of the Windows client operating system. You can use Autopilot to reset, repurpose, and recover devices, reducing the time spent on deploying, managing, and retiring devices.

Autopilot allows you to:

■ Auto-enroll devices into MDM services.

■ Automatically join devices to Azure AD or Active Directory (via Hybrid Azure AD Join).

■ Create and auto-assign devices to configuration groups based on a device’s profile.

■ Customize out-of-box-experience (OOBE) content specific to your organization.

You can use Autopilot to set up and preconfigure new Windows devices for your organization, right out of the box, without having to build an image or infrastructure to manage. Users go through the process by themselves, without making any decisions and without the need to involve an IT administrator.

With Autopilot Reset, existing devices can be quickly prepared for a new user. The Reset capability can also be used if a device needs to be fixed in order to bring the device back to a working state.

You can provide new devices to your end users without the need to build, maintain, and apply custom operating system images to the devices by using Microsoft Intune and Autopilot. Once deployed, Windows devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Configuration Manager, and other similar tools.

Autopilot allows you to get a list of device IDs from a manufacturer. You enter the device IDs into your Azure environment. You assign a device profile to that machine and that’s it.

Once the user logs on to the Internet, the machine automatically recognizes that it is part of your organization and the installation is completed, without any IT intervention.
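The device IDs that Autopilot registers are a serial number plus a hardware hash. Manufacturers can supply them in bulk, but for devices you already own you can collect the same record yourself. The following script is an added example, not code from the book; it reads the hardware hash from the local device's MDM bridge WMI class and writes the three-column CSV layout that the Autopilot device import accepts. The output path is an assumed value, and the Windows Product ID column is left blank, which the import allows.

```powershell
# Added example (not from the book): collect the Autopilot identity of the local device.
# Must run in an elevated PowerShell session on Windows 10/11.
function Get-AutopilotDeviceRecord {
    # Serial number as reported by the firmware.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed through the MDM bridge namespace.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash not available. Run as administrator on a Windows 10/11 device.'
    }

    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                          # optional column, blank is accepted
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

$OutputFile = 'C:\Temp\AutopilotHWID.csv'   # assumed output path
$record = Get-AutopilotDeviceRecord

# The import expects the header row below and unquoted values, so strip the quotes Export-Csv adds.
$record | Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash' |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii

# The hash identifies this device to your tenant; treat the CSV like any other device credential
# (store it in a controlled location and delete it once the devices are registered).
Write-Host "Wrote Autopilot record for serial $($record.'Device Serial Number') to $OutputFile"
```

The resulting file is what you upload in the Endpoint Manager Admin Center (Devices > Windows enrollment > Devices > Import) before assigning a deployment profile, which corresponds to the "enter the device IDs into your Azure environment" step above.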

Using Microsoft Endpoint Manager

Microsoft Endpoint Manager is used for maintaining, monitoring, and protecting your end users and endpoints. Whether you are using the cloud or an on-premises network, Microsoft Endpoint Manager will help keep your data safe and secure. It consists of the tools and services that you can use to monitor and maintain your endpoints. Endpoints include:

■ Apps

■ Desktop computers

■ Embedded devices

■ Mobile devices

■ Servers

■ Shared devices

■ Virtual machines

Microsoft Endpoint Manager includes a variety of services:

■ Azure Active Directory (Azure AD)

■ Co-management

■ Configuration Manager

■ Desktop Analytics

■ Endpoint Manager Admin Center

■ Microsoft Intune

■ Windows Autopilot

Endpoint Manager uses Azure Active Directory (Azure AD) to identify devices, groups, multifactor authentication (MFA), and users.

Co-management is used to join an already existent on-premises Configuration Manager asset to the cloud by using either Intune or another Microsoft 365 cloud service. As an administrator, you will determine which service will be the management authority.

Desktop Analytics is a cloud-based service that works in conjunction with Configuration Manager. It helps you make important decisions regarding the update readiness of a Windows client. Desktop Analytics looks at the data from your company along with data collected from millions of other devices that are connected to the Microsoft cloud to help provide information on apps, security updates, and more. Desktop Analytics is used to keep Windows 10 devices current.

The Endpoint Manager Admin Center is a comprehensive website that you can use to manage devices and create policies. It is where you can locate the Microsoft Intune service, as well as other device management–related settings.

Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider that you use for apps and devices. Using the cloud, Intune can create and check for compliance, deploy apps, and change features and settings on a variety of devices.

Windows Autopilot is used to streamline the way devices get deployed, reset, and repurposed by using a deployment method that requires no interaction from the IT department. Autopilot is used to preconfigure devices and to automatically enroll devices in Intune. Your users simply unbox the device and turn it on, and Windows Autopilot will configure it from the cloud using just a few steps.

What deployment method should you use? This is a question that is often asked. There really is no right or wrong answer. Use what works best for you and your organization and consider what you wish to accomplish. You can start with Windows Autopilot if you are continually provisioning new devices, or you can use Intune if you add rules and control settings for your apps, devices, and users.

Endpoint Manager can be thought of in three separate parts:

Cloud All your data is stored in Azure. This method provides you with the benefits of mobility on the cloud as well as the security advantages that are provided by Azure.

On-premises If you aren’t ready to use the cloud, then you can keep your existing systems in house. All hardware and software applications are hosted onsite.

Hybrid These environments use a combination of both cloud and on-premises solutions.

There are a number of benefits to using Microsoft Endpoint Manager to manage and protect your endpoints. You can:

■ Confirm that user devices are configured and protected according to corporate policies.

■ Confirm that your corporate security rules are in place.

■ Ensure that corporate services are available to your end users and on all of their devices.

■ Ensure that your company is using correct credentials in order to access and share corporate information.

■ Protect the apps and devices that access your resources.

■ Protect the data that your users are accessing.

If you have Microsoft Endpoint Configuration Manager and Microsoft Intune, then you already have Microsoft Endpoint Manager. These are all now one management system.

Using Mobile Device Management

Mobile device management (MDM) is basically a way in which administrators can manage mobile devices. It refers to a set of functions and features that regulate the use of mobile devices to make sure they are compliant with corporate policies.

MDM allows you to maintain, secure, and enforce mobile endpoint policies. You can use it to set up Windows 10/11 policies that can incorporate a wide variety of scenarios, such as the ability to control a user’s access to the Windows Store or the ability to access the corporate VPN.

To help you manage corporate security policies and business applications, Windows 10 and Windows 11 provide an enterprise management solution that consists of two parts:

■ The enrollment client, which enrolls and configures the device to communicate with the enterprise management server

■ The management client, which synchronizes with the management server to check for updates and apply policies

MDM administers mobile devices without joining them to an on-premises Active Directory Domain Service (AD DS). In order to manage a device using MDM, implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority solutions:

■ Basic Mobility and Security (Microsoft 365)

■ Microsoft Intune

Once the device is enrolled, you can still implement policies and profiles to manage the device. Each of these solutions uses Microsoft 365 Endpoint Manager for administering the MDM solutions. They each manage enrolled devices, but they provide distinct capabilities.

MDM client functionality is included with the Windows 10/11 operating system. MDM includes the delivery of applications, settings, and data to devices that are enrolled to MDM. Windows 10/11 devices can be enrolled in MDM by any of these methods:

■ Being enrolled into Azure AD (if Azure AD and MDM are configured)

■ Using Group Policies in a hybrid environment

■ Using a provisioning package

■ Using the Settings app

■ Manually configuring

An MDM authority, such as Intune, can provide these capabilities:

Application Management You can install apps and manage settings by using both MDM and Mobile Application Management (MAM).

Configuring Devices You can use profiles and policies to configure devices, control what users can access, and set device settings to comply with corporate policies.

Device Enrollment MDM can only manage supported devices that have been enrolled. In order to manage a device, the device can either include the MDM client functionality, such as Windows 10, or you must install a Company Portal app (for example, on Android or iOS devices).

Monitoring and Reporting With the MDM management tool, you can get a notification if a device is having an issue or if a policy was not properly applied. Enrolled devices can also be added to groups. You can also configure Windows Autopilot device deployment by using Intune.

Selective Delete Data Should a device ever get lost or stolen, or if a user leaves your company, you can wipe the corporate data that is on the device. A wipe is basically just erasing the data from the hard disk on the device. You have the option to either wipe all the data on the device or perform a selective wipe, which will leave the user’s personal data on the device intact.

Even if a device isn’t a member of the domain, the device can be managed by MDM. If you have a Windows 10/11 device that is a member of the domain, then you can manage it by using Group Policy and MDM simultaneously. With Windows 10 version 1803 and newer, you can specify whether a Group Policy setting or an MDM policy setting will take precedence if there is a conflict.

You can manage the following Windows 10/11 configuration areas by using MDM:

■ Application management

■ Device configuration and security

■ Enrollment

■ Inventory

■ Remote assistance

■ Unenrollment

Application management benefits include:

■ Custom Windows Store

■ Business Store Portal (BSP) app deployments; license reclaim

■ Enterprise app management

■ Line-of-business (LOB) app management

■ Win32 (MSI) app management

■ App inventory (LOB/Store apps)

■ App allow/deny lists using AppLocker

■ Windows Information Protection (WIP)

Device configuration and security benefits include:

■ Device update control

■ Email provisioning

■ Enterprise Wi-Fi

■ Extended set of policies for client certificate management

■ Kiosk, Start screen, Start Menu configuration, and control

■ MDM push

■ VPN management

Enrollment benefits include:

■ Azure AD integration

■ Bulk enrollment

■ Converged protocol

■ Provisioning

■ Simple bootstrap

Inventory benefits include additional device inventory.

Remote Assistance benefits include:

■ Enhanced inventory for compliance decisions

■ Full device wipe

■ Remote lock, PIN reset, ring and find

Unenrollment benefits include:

■ Removal of enterprise configuration (apps, certs, profiles, policies) and enterprise-encrypted data (with EDP)

■ Unenrollment with alerts

Review Questions - Managing Data in a Hybrid Network

  1. You are the administrator for a mid-sized organization. You have been asked by the owner to set up an NLB cluster. You want to use PowerShell to do this. What cmdlet should you use?
    A. New-NlbCluster
    B. Create-NlbCluster
    C. Setup-NlbCluster
    D. Set-NlbCluster
  2. You and a colleague are discussing Azure and the tools that it has that can help you with load balancing. One of the tools is a network-layer load balancer that improves network performance and availability of your applications. What is this tool called?
    A. Azure Application Gateway
    B. Azure Front Door
    C. Azure Load Balancer
    D. Azure Traffic Manager
  3. What is the maximum number of nodes that can participate in a Windows Server 2022 NLB single cluster?
    A. 32
    B. 4
    C. 16
    D. 64
  4. Which of the following actions should be performed against an NLB cluster node if maintenance needs to be performed while not terminating current connections?
    A. evict
    B. drainstop
    C. pause
    D. stop
  5. Which of the following actions should be performed against an NLB cluster node if maintenance needs to be performed and all connections must be terminated immediately?
    A. evict
    B. drainstop
    C. pause
    D. stop
  6. You are the network administrator for your organization and you want to stop virtual machine replication. What PowerShell cmdlet should you use?
    A. Stop-VMReplication
    B. Terminate-VMReplication
    C. Kill-VMReplication
    D. Drainstop-VMReplication
  7. You are the network administrator for a company that has a Windows Server 2022 Hyper-V failover cluster. This cluster contains two nodes named ServerA and ServerB. On ServerA, you create a virtual machine named VirtualMachineA by using Hyper-V Manager. You need to configure VirtualMachineA to move to ServerB automatically if ServerA becomes unavailable. What should you do?
    A. In the Failover Cluster Manager, run the Configure Role actions.
    B. In the Hyper-V Manager, click VirtualMachineA and click Enable Replication.
    C. In the Hyper-V Manager, click ServerA and modify the Hyper-V settings.
    D. Using Windows PowerShell, run the Enable-VMReplication cmdlet.
  8. To configure an NLB cluster with unicast, what is the minimum number of network adapters required in each node?
    A. One
    B. Two
    C. Three
    D. Six
  9. Users who are connecting to an NLB cluster have been complaining that after using the site for a few minutes they are prompted to log in using their username. What should you do to fix the problem and retain scalability?
    A. Create a port rule to allow only ports 80 and 443.
    B. Set the cluster affinity to None.
    C. Set the filtering mode to Single Host.
    D. Set the cluster affinity to Single.
  10. Users who are connecting to an NLB cluster through the Internet are complaining that they keep connecting to different NLB nodes in different locations. You want to keep Internet users connecting to the same NLB members each time they connect. What should you do to fix the problem?
    A. Create a port rule to allow only ports 80 and 443.
    B. Set the cluster affinity to None.
    C. Set the cluster affinity to Class C.
    D. Set the cluster affinity to Single.
  11. You have a failover cluster named FailoverCluster1 that has the following configurations:
    ■ Number of nodes: 6
    ■ Quorum: Dynamic quorum
    ■ Witness: File share, Dynamic witness
    While maintaining the quorum, what is the maximum number of nodes that can fail simultaneously?
    A. 1
    B. 2
    C. 3
    D. 4
  12. Your company uses Storage Spaces Direct. What should you use if you want to view the available storage in a Storage Spaces Direct storage pool?
    A. System Configuration
    B. File Server Resource Manager (FSRM)
    C. Get-StorageFileServer cmdlet
    D. Failover Cluster Manager
  13. You are the administrator for a mid-sized organization. You have been asked by the owner to view the information about an NLB cluster. You want to use PowerShell to view the cluster. What command should you use?
    A. Get-NlbCluster
    B. Create-NlbCluster
    C. Setup-NlbCluster
    D. Set-NlbCluster
  14. You have a failover cluster named Failover1 that contains two nodes named Svr1 and Svr2. Failover1 is configured to use a file share witness. You are planning on configuring Failover1 to use a cloud witness. What storage account type should you configure if you need to configure Azure Storage accounts for the cloud witness?
    A. Premium Block Blobs
    B. Premium File Shares
    C. Premium Page Blobs
    D. Standard
  15. You have a failover cluster named Failover1 that contains two nodes named Svr1 and Svr2. Failover1 is configured to use a file share witness. You are planning on configuring Failover1 to use a cloud witness. What authentication method should you configure if you need to configure Azure Storage accounts for the cloud witness?
    A. Access Key
    B. Shared Access Signature (SAS)
    C. System-Assigned Managed Identity in Azure AD
    D. User-Assigned Managed Identity in Azure AD
  16. You are the administrator for a mid-sized organization. You have been asked by the owner to change the Hyper-V replication settings. You want to use PowerShell to change the settings. What cmdlet should you use?
    A. Set-VMReplication
    B. Get-VMReplication
    C. Setup-VMReplication
    D. Create-VMReplication
  17. You need to distribute an application evenly among your virtual machines. The virtual machines are configured in a multitenant setup across multiple Hyper-V VMs. What can you do in this environment?
    A. Windows Server Network Load Balancing (NLB) nodes
    B. Application Load Balancing (ALB) nodes
    C. RAS Load Balancing (RLB) nodes
    D. Software Load Balancing (SLB) nodes
  18. You have three servers named Server1, Server2, and Server3 that run Windows Server and have the Hyper-V server role installed. You are planning to create a hyper-converged cluster to host Hyper-V virtual machines. What three actions should you perform if you need to ensure that you can store VMs in Storage Spaces Direct? (Choose three.)
    A. Add a Scale-Out File Server for application role.
    B. Create a Distributed File System (DFS) namespace.
    C. Create a failover cluster.
    D. Create a file share.
    E. Create a volume.
    F. Enable Storage Spaces Direct.
  19. You are planning to deploy Storage Spaces Direct on Windows Server. As a part of the process, you have already deployed Windows Server and configured the network. Now, the next step is to configure Storage Spaces Direct. Given these options, choose the substeps that are recommended in order to configure Storage Spaces Direct.
    A. Clean your drives to ensure that the drives are empty.
    B. Configure a cluster witness.
    C. Enable Storage Spaces Direct.
    D. Create the volumes.
    E. Deploy virtual machines for hyper-converged deployments.
    F. All of these.
  20. You and a colleague are discussing working with cluster nodes. One of the actions you can perform is an irreversible process. What is this action called?
    A. Add another node.
    B. Evict a node.
    C. Pause a node.
    D. Stop a node.

Manage and Monitor Storage Spaces Direct - Managing Data in a Hybrid Network

You can use the following tools to manage and monitor Storage Spaces Direct:

■ Windows Admin Center

■ Server Manager and Failover Cluster Manager

■ Windows PowerShell

■ System Center Virtual Machine Manager (SCVMM) and Operations Manager

Storage Spaces Direct Using Windows PowerShell

Table 13.5 contains just some of the PowerShell commands that you can use to configure and manage Storage Spaces Direct.

TABLE 13.5 Storage Spaces Direct PowerShell commands

PowerShell command: Description

Disable-NetQosFlowControl: This command allows you to turn off flow control.

Enable-ClusterStorageSpacesDirect: This command enables Storage Spaces Direct, that is, highly available Storage Spaces that use directly attached storage (S2D) on a cluster.

Enable-NetAdapterQos: This command allows you to apply network QoS policies to the target adapters.

Enable-NetAdapterRDMA: This command allows you to enable remote direct memory access (RDMA) on a network adapter.

Enable-NetQosFlowControl: This command allows you to turn on flow control.

Get-ClusterAvailableDisk: This command allows you to view the information about the disks that can support failover clustering and are visible to all nodes, but that are not yet part of the set of clustered disks.

Get-ClusterParameter: This command allows you to view detailed information about an object in a failover cluster. Use this command to manage private properties for a cluster object.

Get-NetAdapter: This command retrieves a list of the network adapters.

Get-StoragePool: This command allows you to see a specific storage pool, or a set of StoragePool objects.

Get-StorageTier: This command allows you to see storage tiers on Windows Storage subsystems. Use this command to see the Storage Spaces Direct default tier templates called Performance and Capacity.

New-Cluster: This command creates a new cluster.

New-NetQosPolicy: This command allows you to create a new network QoS policy.

New-NetQosTrafficClass: This command allows you to create a traffic class (like SMB).

New-Volume: This command creates a new volume.

Set-Item: This command allows you to configure the trusted hosts to all hosts.

Test-Cluster: This command allows you to test a set of servers for use as a Storage Spaces Direct cluster.

Update-StorageProviderCache: This command allows you to update the cache of the service for a particular provider and associated child objects.

PowerShell Commands for Hyper-V High Availability

When configuring Hyper-V high availability, you may want to set up some of the components using PowerShell. Table 13.6 shows you some of the PowerShell commands available for setting up Hyper-V high availability.

TABLE 13.6 PowerShell commands for high availability

PowerShell command: Description

Complete-VMFailover: This command helps finish a virtual machine’s failover process on the Replica server.

Disable-VMMigration: This command allows you to disable virtual machine migration on a virtual machine host.

Enable-VMMigration: This command allows you to enable virtual machine migration on a virtual machine host.

Enable-VMReplication: This command lets you enable replication of a virtual machine.

Get-VMMigrationNetwork: This command shows you the virtual machine networks used for migration.

Get-VMReplication: This command shows you the replication settings for a virtual machine.

Get-VMReplicationAuthorizationEntry: This command shows you the authorization entries of a Replica server.

Get-VMReplicationServer: This command shows you the replication and authentication settings of a Replica server.

Import-VMInitialReplication: This command imports initial replication files for a Replica virtual machine when using external media.

Measure-VMReplication: This command shows you the replication statistics and information associated with a virtual machine.

New-VMReplicationAuthorizationEntry: This command allows you to create an authorization entry to replicate data to a specified Replica server.

Remove-VMMigrationNetwork: This command allows you to remove a network from use in migration.

Remove-VMReplication: This command removes the replication from a specific virtual machine.

Reset-VMReplicationStatistics: This command allows you to reset the replication statistics of a virtual machine.

Resume-VMReplication: This command allows you to resume virtual machine replication after an error, a pause, a suspension, or a resynchronization.

Set-VMProcessor: This command allows you to configure which processors are used for a virtual machine.

Set-VMReplication: This command allows you to modify the replication settings of a virtual machine.

Set-VMReplicationServer: This command allows an admin to configure a host as a Replica server.

Start-VMInitialReplication: This command starts replication of a virtual machine.

Stop-VMReplication: This command stops replication of a virtual machine.

Suspend-VMReplication: This command suspends replication of a virtual machine.

Test-VMReplicationConnection: This command allows you to test the connection of a primary server and a Replica server.
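The cmdlets in Table 13.6 are normally used together in a fixed order: configure the Replica server, authorize the primary host, test the connection, enable replication for a VM, start the initial copy, and then monitor. The script below is an added example, not code from the book, that runs that sequence from a management workstation. Host names, the VM name, the Replica storage path and the certificate thumbprint are hypothetical values. It uses certificate-based authentication on TCP 443, which encrypts the replication traffic (Kerberos-authenticated replication over HTTP does not), and it authorizes only the named primary host instead of allowing replication from any server.

```powershell
# Added example (not from the book): set up Hyper-V Replica between two hosts.
$PrimaryHost = 'HV-Primary.contoso.local'   # assumed primary Hyper-V host
$ReplicaHost = 'HV-Replica.contoso.local'   # assumed Replica server
$VMName      = 'VM01'                        # assumed virtual machine to protect
$ReplicaPath = 'D:\HyperVReplica'            # assumed storage location on the Replica server
# Placeholder: thumbprint of a server-authentication certificate installed on BOTH hosts.
$Thumbprint  = '0000000000000000000000000000000000000000'

# 1. Replica server: accept HTTPS replication, and only from the authorized primary host.
Invoke-Command -ComputerName $ReplicaHost -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate `
        -CertificateAuthenticationPort 443 `
        -CertificateThumbprint $using:Thumbprint `
        -ReplicationAllowedFromAnyServer $false

    # Authorization entry: which primary may replicate here, and where its VMs land.
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $using:PrimaryHost `
        -ReplicaStorageLocation $using:ReplicaPath -TrustGroup 'ProductionSite'

    # Open the built-in listener rule for HTTPS only (the HTTP rule stays disabled).
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

    Get-VMReplicationAuthorizationEntry
}

# 2. Primary host: prove the path works before touching the VM, then enable replication.
Invoke-Command -ComputerName $PrimaryHost -ScriptBlock {
    Test-VMReplicationConnection -ReplicaServerName $using:ReplicaHost -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $using:Thumbprint

    Enable-VMReplication -VMName $using:VMName `
        -ReplicaServerName $using:ReplicaHost -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $using:Thumbprint `
        -ReplicationFrequencySec 300 -RecoveryHistory 4   # 5-minute interval, keep 4 recovery points

    # Send the initial copy over the network (Import-VMInitialReplication is the external-media path).
    Start-VMInitialReplication -VMName $using:VMName
}

# 3. Monitor: replication state and health, plus the statistics behind them.
Invoke-Command -ComputerName $PrimaryHost -ScriptBlock {
    Get-VMReplication -VMName $using:VMName |
        Select-Object VMName, State, Health, Mode, ReplicaServer, FrequencySec
    Measure-VMReplication -VMName $using:VMName
}
```

If Test-VMReplicationConnection fails, nothing on the VM has been changed yet, which is why it runs before Enable-VMReplication. A Health value other than Normal from Get-VMReplication is the signal to look at Measure-VMReplication for missed replication cycles; Resume-VMReplication (with -Resynchronize where needed) is the recovery step, and Stop-VMReplication or Remove-VMReplication ends the relationship.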

Summary

High availability is more than just clustering. It is achieved through improved hardware, software, and processes. This chapter focused on how to configure failover clustering and network load balancing in order to achieve high availability and scalability.

High availability should be approached through proper hardware configuration, training, and operational discipline. Failover clustering provides a highly available base for many applications, such as databases and mail servers.

Network load-balanced clusters are used to provide high availability and scalability for network-based applications, such as VPNs and web servers. Network load-balanced clusters can be configured with any edition of Windows Server 2022 except for the Windows Server 2022 Hyper-V Edition.

You can also set up high availability on Windows Server 2022 Hyper-V without using clustering. You can also set up live migrations on Hyper-V virtual machines. Live migration allows you to move a virtual machine from one server to another without any impact on the users. This can be very useful if you have a Hyper-V server that is starting to show hardware issues. You can move the virtual machine from the server with issues to a server without any issues.

Exam Essentials

Know the hardware requirements for network load balancing (NLB). Network load balancing has distinct hardware requirements.

Know the PowerShell commands for NLB. Make sure you know the PowerShell commands for NLB. Understand which command is used to create, manage, and stop NLB clusters.

Understand live migration. Understand how live migrations work and why we use them. Live migrations allow you to move a virtual machine from one server to another without any impact on the users.

Know PowerShell for VM replication. Make sure you know the different PowerShell commands for virtual machine replication. Understand which commands are used to create, manage, and stop VM replication.

Know how to implement and manage Storage Spaces and Storage Spaces Direct. Know how to configure Storage Spaces Direct and how to create a failover cluster by using Storage Spaces Direct. Know the difference between Storage Spaces and Storage Spaces Direct. Understand how to upgrade a Storage Spaces Direct node and how to implement networking.

Understand how to implement a Windows Server failover cluster. Know how to implement failover clusters on-premises, hybrid, and cloud infrastructures and know how to create failover clusters. Understand how to stretch clusters and configure storage. Be able to modify quorum options and configure network adapters. Know how to work with cluster workload options and how to configure cluster sets and Scale-Out File Servers. Understand Floating IPs, and be able to implement load balancing. Understand Blob Storage.

Know how to manage failover clustering. Understand how to implement cluster-aware updating and how to recover a failed cluster node. Know how to upgrade a node to Windows Server 2022 and how to manage failover workloads between nodes. Know how to install Windows Updates on cluster nodes and how to manage failover clusters by using the Windows Admin Center.

Requirements to Set Up Storage Spaces Direct - Managing Data in a Hybrid Network

To set up Storage Spaces Direct properly, you must make sure that all your hardware components meet the minimum requirements. Table 13.4 was taken directly from Microsoft’s website and contains Microsoft’s recommendations for proper configuration of Storage Spaces Direct. To see the entire list of recommendations, please visit Microsoft’s website at https://learn.microsoft.com/en-us/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements.

TABLE 13.4 Storage Spaces Direct requirements

Component: Requirements

Servers: Minimum of 2 servers, maximum of 16 servers. All servers should be the same make and model. Requires Windows Server Datacenter Edition. You can use the Server Core installation option, or Server with Desktop Experience.

CPU: Minimum of Intel Nehalem or later compatible processor, or AMD EPYC or later compatible processor.

Memory: 4 GB of RAM per terabyte (TB) of cache drive capacity on each server to store Storage Spaces Direct metadata, plus any memory used by Windows Server, VMs, and other apps or workloads.

Boot: Any boot device supported by Windows Server, which now includes SATADOM. RAID 1 mirror is not required, but is supported for boot. Recommended: 200 GB minimum size.

Networking: Minimum interconnect for small scale (2-3 nodes): 10 Gbps network interface card (NIC), or faster. Microsoft recommends two or more network connections from each node for redundancy and performance. Recommended interconnect for high performance, at scale, or deployments of 4+ nodes: NICs that are remote direct memory access (RDMA) capable, iWARP (recommended) or RoCE; 25 Gbps NIC or faster; two or more network connections from each node for redundancy and performance. Switched or switchless node interconnects: Switched: Network switches must be properly configured to handle the bandwidth and networking type. If using RDMA that implements the RoCE protocol, network device and switch configuration is even more important. Switchless: Nodes can be interconnected using direct connections, avoiding using a switch. It is required that every node have a direct connection with every other node of the cluster.

Drives: Use local-attached SATA, SAS, or NVMe drives. Every drive must be physically connected to only one server. All servers must have the same drive types. Recommended: All servers have the same drive configuration. SSDs must have power-loss protection, i.e., they are enterprise-grade. Recommended: SSDs used for cache have high endurance, providing a minimum of 5 drive-writes-per-day (DWPD). Add capacity drives in multiples of the number of NVMe or SSD cache devices. Not supported: Multi-path IO (MPIO) or physically connecting drives via multiple paths.

Host-bus adapter (HBA): Simple pass-through SAS HBA for both SAS and SATA drives. SCSI Enclosure Services (SES) for SAS and SATA drives. Any direct-attached storage enclosures must present a Unique ID. Not supported: RAID HBA controllers or SAN (Fibre Channel, iSCSI, FCoE) devices.

Configuring Storage Spaces Direct

To configure Storage Spaces Direct, follow these steps:

The steps to configure Storage Spaces Direct involve a large number of PowerShell commands. Microsoft includes a number of scripts that you can copy from their website that will assist in performing these steps. For more information, visit https://learn.microsoft.com/en-us/windows-server/storage/storage-spaces/deploy-storage-spaces-direct#step-3-configure-storage-spaces-direct.

Microsoft recommends that these scripts not be run remotely by using a PowerShell session; instead, they should be run in a local PowerShell session on the management system using administrative permissions.

Clean the drives. Before you can enable Storage Spaces Direct, make sure that the drives are empty and that there are no old partitions or other data.

Validate the cluster. For this step you will run a cluster validation tool using the Test-Cluster PowerShell command that will ensure that the server nodes are properly configured to create a cluster by using Storage Spaces Direct.

Create the cluster. For this step you will create a cluster using the New-Cluster PowerShell command, including the nodes that you previously validated. Just note that it may take some time for the DNS entry to be replicated for this cluster.

Configure a cluster witness. For this step Microsoft recommends that you configure a witness for the cluster. I discussed how to create a cluster witness earlier in this chapter.

Enable Storage Spaces Direct. For this step you will use the Enable-ClusterStorageSpacesDirect PowerShell cmdlet, which will put the storage system into the Storage Spaces Direct mode and automatically create the pool, configure the Storage Spaces Direct caches, and create two tiers as default tiers called Capacity and Performance. This command may take several minutes to complete. When done, the system will be ready for you to create the volumes.

Create volumes. For this step you will use the New-Volume PowerShell cmdlet. This command will create the virtual disk, partitions, format the disk, and create a volume with the same name. It will also add the volume to the cluster shared volume (CSV).

Enable the CSV cache (optional). If you wish, you can enable the CSV cache to use system memory (RAM) as a write-through block-level cache of read operations that aren’t already cached by the Windows cache manager. By enabling this, you will reduce the amount of memory available to run VMs on a hyper-converged cluster.

Deploy virtual machines for hyper-converged deployments. For this step, if you have deployed a hyper-converged cluster, then you will want to provision the VMs on the Storage Spaces Direct cluster.
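The steps above, carried out in one script from the management system, using the cmdlets listed in Table 13.5. This is an added example and not one of Microsoft's published scripts or the book's own code. Node names, the cluster name and IP address, the witness share, the RDMA adapter name and the volume size are hypothetical values; adjust them to your environment. One deliberate departure from the table's description of Set-Item: TrustedHosts is set to the node names only rather than to all hosts, so WinRM credentials are only ever sent to the machines you intend to manage.

```powershell
# Added example (not from the book): deploy Storage Spaces Direct from a management system.
$Nodes       = 'S2D-Node1', 'S2D-Node2', 'S2D-Node3'   # assumed node names
$ClusterName = 'S2D-Cluster'                           # assumed cluster name
$ClusterIP   = '10.0.0.50'                             # assumed static cluster IP
$WitnessPath = '\\FS01\S2DWitness$'                    # assumed file share witness
$RdmaNic     = 'SMB1'                                  # assumed RDMA-capable adapter name on each node

# Allow remoting only to the nodes, not to '*' (restricts where credentials can be sent).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Nodes -join ',') -Force

# Network preparation (RoCE/RDMA only): priority 3 for SMB, flow control on that priority alone.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    New-NetQosPolicy 'SMB' -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3
    Enable-NetQosFlowControl -Priority 3
    Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7
    Enable-NetAdapterQos -Name $using:RdmaNic
    Enable-NetAdapterRDMA -Name $using:RdmaNic
    New-NetQosTrafficClass 'SMB' -Priority 3 -BandwidthPercentage 50 -Algorithm ETS
}

# Step 1: Clean the drives. Every non-boot, non-system disk is returned to a RAW state.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Update-StorageProviderCache
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Set-StoragePool -IsReadOnly $false -ErrorAction SilentlyContinue
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Get-VirtualDisk | Remove-VirtualDisk -Confirm:$false -ErrorAction SilentlyContinue
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Remove-StoragePool -Confirm:$false -ErrorAction SilentlyContinue
    Get-PhysicalDisk | Reset-PhysicalDisk -ErrorAction SilentlyContinue
    Get-Disk | Where-Object Number -ne $null |
        Where-Object IsBoot -ne $true | Where-Object IsSystem -ne $true |
        Where-Object PartitionStyle -ne RAW | ForEach-Object {
            $_ | Set-Disk -IsOffline:$false
            $_ | Set-Disk -IsReadOnly:$false
            $_ | Clear-Disk -RemoveData -RemoveOEM -Confirm:$false
            $_ | Set-Disk -IsReadOnly:$true
            $_ | Set-Disk -IsOffline:$true
        }
    # Anything left that is not RAW here is a disk the cleanup refused to touch; review it.
    Get-Disk | Where-Object Number -ne $null | Where-Object IsBoot -ne $true |
        Where-Object IsSystem -ne $true | Group-Object PartitionStyle |
        Select-Object @{n='Node';e={$env:COMPUTERNAME}}, Count, Name
}

# Step 2: Validate the nodes, including the Storage Spaces Direct test category.
Test-Cluster -Node $Nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

# Step 3: Create the cluster with no storage; S2D claims the disks in Step 5.
New-Cluster -Name $ClusterName -Node $Nodes -NoStorage -StaticAddress $ClusterIP

# Step 4: Configure a witness (file share here; a cloud witness is the Azure alternative).
Set-ClusterQuorum -Cluster $ClusterName -FileShareWitness $WitnessPath

# Step 5: Enable Storage Spaces Direct. Creates the pool, the cache and the default tiers.
Enable-ClusterStorageSpacesDirect -CimSession $ClusterName -Confirm:$false

# Step 6: Create a volume, formatted ReFS and added to Cluster Shared Volumes.
New-Volume -CimSession $ClusterName -FriendlyName 'Volume1' -FileSystem CSVFS_ReFS `
    -StoragePoolFriendlyName 'S2D*' -Size 1TB

# Step 7 (optional): CSV in-memory read cache, in MB. 0 disables it; this takes RAM from VMs.
(Get-Cluster -Name $ClusterName).BlockCacheSize = 2048

# Verify: pool health and any storage jobs still running before VMs are deployed (Step 8).
Get-StoragePool -CimSession $ClusterName -FriendlyName 'S2D*' |
    Select-Object FriendlyName, HealthStatus, OperationalStatus, Size, AllocatedSize
Get-StorageTier -CimSession $ClusterName | Select-Object FriendlyName, MediaType, ResiliencySettingName
Get-StorageJob -CimSession $ClusterName
```

Run it in a local, elevated PowerShell session on the management system, as the text above recommends, and confirm that Test-Cluster reports no failures before continuing to New-Cluster; the Get-StorageJob check at the end is the same one you wait on after each node during the upgrade options described below.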

Upgrade a Storage Spaces Direct Node

To upgrade a Storage Spaces Direct cluster, you have four options available. Each option has its own pros and cons, so choose a method that best suits your needs.

The first option is an in-place upgrade while the VMs are running on each server in the cluster. With this option, there will be no downtime for the VMs, but you must wait for storage jobs (mirror repair) to finish after each server is upgraded.

The second option is a clean OS installation while the VMs are running on each server in the cluster. Again, with this option there will be no downtime for the VMs, but you must wait for storage jobs (mirror repair) to finish after each server is upgraded. You also need to set up each server and all its apps and roles again. Microsoft recommends this option over an in-place upgrade.

The third option is an in-place upgrade while the VMs are stopped on each server in the cluster. There’s no downtime for the VMs, but you do not have to wait for storage jobs (mirror repair) to finish.

The fourth option is a clean OS installation while the VMs are stopped on each server in the cluster. There’s no downtime for the VMs, but you do not have to wait for storage jobs (mirror repair) to finish. Microsoft recommends this option over an in-place upgrade.

Before you proceed with an upgrade, make sure that you have backups available just in case an issue arises during the upgrade process. Also, ensure that your hardware vendor has a BIOS, firmware, and drivers for your servers to support Windows Server 2022.