Overview
Microsoft Intune is a cloud-based endpoint management platform that allows organizations to manage their employees’ devices and applications. It provides mobile device management (MDM), mobile application management (MAM), and PC management capabilities.
With Intune, organizations can enroll devices into management, configure device settings and policies, deploy applications, and secure data on those devices. It allows IT administrators to manage devices that run on various operating systems, including iOS, Android, macOS, and Windows.
Microsoft Intune provides several options to enroll devices but it totally depends upon your scenario. Here I’ve simplified it for you. Intune comes with the following plans:
- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3
- Intune for Education
Let’s see what options we have?
I’m not going into deep dive in other options because in this article we will focus on enrollment for domain joined computers scenario.
Manual Enrollment
- Device will only enroll to Intune, will not register to Azure AD.
- User don’t have Azure AD License.
- Device enrollment type is personal.
Automatic Enrollment
- User have Azure AD Premium License.
- Device register/join to Azure AD first then will be enrolled automatically.
Autopilot
- Azure AD Premium license is required.
- Devices are owned by organization or school.
- Bulk enrollment of brand new devices.
- Devices are enrolled as corporate.
Co-Management
Co-management manages Windows 10/11 devices using Configuration Manager and Microsoft Intune together.
Intune Company Portal
Linux, Android and iOS devices can be registered using Intune Company Portal.
- Android 8.0 and later
- Apple iOS 14.0 and later
- Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment
- Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment
https://www.linkedin.com/embeds/publishingEmbed.html?articleId=7825447989730855816&li_theme=light
Enrollment Options Compatibility Matrix
You can check the following enrollment option compatibility chart according to your scenario.
https://www.linkedin.com/embeds/publishingEmbed.html?articleId=8922058606284908799&li_theme=light
Device Enrollment Setup for Domain Joined Computers using GPO
Scenario:
An organization has on-premise Active Directory and domain joined clients. We need to enroll those domain joined computers to Intune MDM solution.
Let’s check what we need to achieve this?
Prerequisites:
- Windows 10 version 1709 (RS3) and later
- Device Registration to Azure AD
- Intune AD Connector (Windows Server 2016 or above)
You have to install the Intune connector for Active Directory on an on-premises server and register devices in Windows Autopilot.
The Intune Connector for your Active Directory creates autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.
Hybrid Azure AD, What does it mean?
This enrollment option is available for domain-joined devices that you want to manage using Intune. Before enrolling, the devices must be hybrid Azure AD joined. Meaning, the devices are registered in on-premises Active Directory (AD), and registered in Azure AD.
Setting up Hybrid Environment
- Microsoft Azure AD Connect
Configuring Hybrid Azure AD:
Setting up Intune AD Connector
- Navigate to your Office 365 Admin Portal
- Click on “Endpoint Manager”
- Navigate to Devices -> Windows -> Windows Enrollment
- Click on “Intune Connector AD Connector”
Delegate permission for Intune Connector for Active Directory (Required if Intune Connector is Deployed on Different Server)
Let’s Verify
Open up CMD and run “dsregcmd /status”
Before Hybrid:
After Hybrid:
Configuring of Windows Autopilot Profile
Setting up Windows Configuration Profile
Many environments use on-premises Active Directory (AD). When AD domain-joined devices are also joined to Azure AD, they’re called hybrid Azure AD joined devices. Using Windows Autopilot, you can enroll hybrid Azure AD joined devices in Intune. To enroll, you also need a Domain Join configuration profile. A Domain Join configuration profile includes on-premises Active Directory domain information. When devices are provisioning (and typically offline), this profile deploys the AD domain details so devices know which on-premises domain to join. If you don’t create a domain join profile, these devices might fail to deploy.
Deploying GPO
You must create an Organization Until(OU) in the Active Directory, to include all the devices that you want to auto-enroll in the Intune MDM. You will need the OU in the next step to assign a GPO for the auto-enrollment.
- Open the Active Directory
- Select where do you want to create the OU.
- Move all the devices that you plan to auto-enroll to the specific OU.
- In my Active Directory I have created an Organization Unit with the Name “HybridAD“
CSP to Disable User Setting in ESP
Below CSP configuration will prevent this timeout error. Let’s go through the steps to configure this CSP.
./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Finally Windows 10 Clients are Successfully Joined.
Resources:
https://www.linkedin.com/embeds/publishingEmbed.html?articleId=8922058606284908799&li_theme=light
