44. Auto-enroll Hybrid Azure AD Joined Devices to Intune Using Group Policy

Captions
Hello everyone, welcome to MSFT WebCast. In this video we are going to see the steps for automatic enrollment of hybrid Azure AD joined devices to Intune using a Group Policy object. We can use a Group Policy to trigger auto-enrollment to mobile device management for Active Directory domain-joined devices. The enrollment into Intune is triggered by a Group Policy created in the local Active Directory and happens without any user interaction. Using this, we can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once a user signs in to the device with his or her Azure AD account.

Let's understand the prerequisites for automatic Intune enrollment of hybrid Azure AD joined Windows 10 devices.

First, ensure that the user who is going to enroll the device has a valid Intune license. Let's check that. Sign in to the Azure portal using an account with Global Administrator permissions. You can access the Azure AD portal using the URL https://aad.portal.azure.com. Under Manage, click on Users, click on the user name, which is TestUser1 in my case, and under Manage click on Licenses. We can confirm that the user has an active Enterprise Mobility + Security E5 license assigned to him. Click on Enterprise Mobility + Security E5 and verify that the user has a license for Microsoft Intune as well.

Second, ensure that auto-enrollment is activated for those users who are going to enroll the device into Intune. To verify it, click on Azure Active Directory, under Manage click on Mobility (MDM and MAM), and click on Microsoft Intune. As we can see, all users can register their devices in Intune: the Intune MDM user scope is set to All.

Third, verify that the device OS version is Windows 10 version 1709 or later. Let's jump to our Windows 10 client computer. This is our Windows 10 client computer, which is part of our on-premises Active Directory. Open the Run menu, type winver and press the Enter key. We can see the OS is Windows 10 version 21H1.

Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. Let's verify that. Right-click on the Start button and select System. You can see the full device name is WIN10-CLI01.msfsura.local, so this device name is WIN10-CLI01. To confirm this, let's go to the Azure AD admin center web interface. Let me click on Azure Active Directory again, under Manage click on Devices, and click on All devices. Here we can see the device is listed under All devices, WIN10-CLI01, and you can confirm that the join type is Hybrid Azure AD joined. We have another way to verify that. Let's go back to our Windows 10 client computer, open Command Prompt, and at the command prompt I'm going to type the command dsregcmd /status and press the Enter key. Under Device State we can confirm AzureAdJoined is set to YES, as well as DomainJoined is also set to YES. We can confirm that the device is properly hybrid joined if both AzureAdJoined and DomainJoined are set to YES, and that is our case.

Now let's have a look into the Group Policy implementation for automatic Intune enrollment. For that we will go to our domain controller virtual machine. On this virtual machine we have installed and configured the Azure AD Connect tool in the previous videos. Now I'm going to open the Group Policy Management console; for that I'm going to click on Tools and select Group Policy Management. Right-click on Group Policy Objects and select New. Enter the name of the GPO that you want to deploy to Windows 10 clients for Intune enrollment; here I'm giving the name Microsoft Intune MDM GPO. Click on OK to create the new GPO. Right-click on the newly created GPO and select Edit. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components and scroll down until you find the MDM folder. Let me maximize it. Double-click on the "Enable automatic MDM enrollment using default Azure AD credentials" policy. This is the policy setting which specifies whether to automatically enroll the device to the mobile device management service configured in Azure Active Directory. If the enrollment is successful, the device will be remotely managed by the MDM service. Click on the Enabled option to enable the Intune enrollment option for hybrid Azure AD joined Windows 10 devices. The "Select Credential Type to Use" option is important. The default option is to use User Credential; if you click on this drop-down arrow you have another option, Device Credential. We will use the default option, which is User Credential. Click on Apply and click on OK.

Now we have created and configured the Group Policy for MDM Intune enrollment. I'm going to close the Group Policy Management Editor console. The next step is to link the Group Policy to an OU in Active Directory. I have stored the computer account of the Windows 10 computer under the OU named Workstations, so I'll link the GPO to the Workstations OU. Right-click on the Workstations OU and select Link an Existing GPO. Select the MDM Intune Group Policy which we created earlier, Microsoft Intune MDM GPO, and click OK to complete the GPO assignment.

Now let's manually update the Group Policy on the Windows 10 computer, since we don't want to wait for the Group Policy to update automatically. But first I'm going to close the Group Policy Management console, and let's go back to our Windows 10 virtual machine. Here at the command prompt I'm going to type the command gpupdate /force and press the Enter key. OK, the computer and user policy update has completed successfully, but we also want to restart the computer, so I'm going to close the command prompt and restart this Windows 10 computer.

Now let's go back to our domain controller. We will initiate a manual sync to Azure AD using the Azure AD Connect tool to see the result instantly. For that I am going to right-click on the Start button and click on Windows PowerShell (Admin). We will use the cmdlet Start-ADSyncSyncCycle -PolicyType Delta to manually sync Azure Active Directory and our on-premises Active Directory. Let's press the Enter key to start the sync process. OK, it is successful. Now I'm going to close Windows PowerShell.

We have one more issue. Let me show you: my domain name for on-premises Active Directory is msfsura.local, and if I show you the UPN of my user TestUser1 (double-click on it and click on Account), the UPN is user1@msfsura.local. If you see the UPN in Azure Active Directory, that will be different. Let's click on Users, and if you check the UPN for TestUser1, it is user1@msfsura.onmicrosoft.com. Now here we have a problem: if we use this local UPN to sign in to the Windows 10 computer, then we are not able to auto-enroll the hybrid Azure AD joined device into Intune, even if we have configured the Group Policy. Let me show you that. Let's go to the Windows 10 computer. Here we are using the user account of TestUser1, so basically we are using user1@msfsura.local to sign in to this Windows 10 computer, and let's see what happens. Let me open the command prompt and type the command dsregcmd /status. Under Tenant Details, if you look at these three URLs, MdmUrl, MdmTouUrl and MdmComplianceUrl, as you can see they are empty, even though we have configured this in the Azure Active Directory tenant. The reason is simple: because we are using the local user principal name, which is user1@msfsura.local, we are not getting the required information. Let me show you the same thing in the Azure AD admin center web interface as well. If you click on Mobility (MDM and MAM) and click on Microsoft Intune, here you can see those URLs. So these URLs should be there, but instead it is showing us blank. I already told you the reason: we are using the local user principal name, and that's why we are not getting those URLs, and if we are not getting those URLs that means we are not able to enroll for MDM in Microsoft Intune. If you check the same thing in Azure Active Directory as well (let me click on Devices and click on All devices), you can still see the Windows 10 client computer is there, but under MDM you can see it is set to None, and we don't have an owner either.

Now, to fix this issue, I'm going back to my domain controller and opening Active Directory Domains and Trusts. Now I need to add the UPN suffix: go to Properties, and here we need to add an alternative UPN suffix. I'm going to copy the suffix from Azure AD and paste it here, so we're adding the suffix msfsura.onmicrosoft.com to fix the issue. Click Apply and OK. Now I need to change the UPN of those users who are syncing with Azure Active Directory. We have only five users who are syncing with Azure Active Directory. This is the way we can change a UPN: now the user's UPN is going to be user1@msfsura.onmicrosoft.com. We need to do the same for all other users, so let's do the same for TestUser3, TestUser4 and TestUser5. Apply and OK. Now the on-premises user accounts' UPN matches the UPN in Azure Active Directory.

Now let's go back to the Windows 10 computer. First we need to sign out, and then we need to log in to this Windows 10 computer using the new UPN. I'm going to click on Other user. Here you can see our domain name is there, but instead I'm going to specify the entire UPN, which is going to be user1@msfsura.onmicrosoft.com. Let's specify the user password and click on Sign in. Now let's open the command prompt, type the command dsregcmd /status, press the Enter key, and check the URLs again. Now you can see we have the MDM URLs; all three URLs are listed here. That means this Windows 10 computer should now be successfully auto-enrolled in Microsoft Intune. Let's verify that.

To verify the enrollment from the Azure Active Directory admin center, let's go to the Azure AD admin center, click on Azure Active Directory, click on Devices, click on All devices, and here we have our device. Let me click on Refresh and see what happens. OK, it is still not there; let's click on Refresh again. It is still showing MDM None and the owner is not there. So let's go back to our domain controller, and I'm going to perform the manual sync again to see the results quickly. OK, it is successful. Let's go back to the Azure AD admin center web interface and click on Refresh. It is still not there; I'm going to refresh the entire web page and see what happens. Still not there. Let's go back to the Windows 10 client computer, restart this computer once and check what happens. Let's sign in to this Windows 10 computer again using TestUser1's credentials. Let's go back to the Azure admin center web interface and click on Refresh. Still not there; let me refresh the entire web page. Still not there. Let's click on Settings, click on Accounts, on the left side select Access work or school, and click on Connected to. If the Info button is enabled, then this device is enrolled. Here it is showing us that it is enrolled, and here we can see the management server address. But still we are not able to see the same thing in Azure Active Directory. So let's go back to the Azure Active Directory admin center and click on Refresh, and now we can see the Windows 10 device is there. It is enabled, join type is Hybrid Azure AD joined, but the important thing is here: we can see the owner, it is TestUser1, but under MDM why is it showing us None? Let me refresh the entire page. It is still None. Let me click on Sync. Sync is in progress. OK, it was successful. Let's go back to the Azure AD admin center web interface, and finally now we have Microsoft Intune under MDM. So we can see the Windows 10 device: join type is Hybrid Azure AD joined, owner is TestUser1, and under MDM we can now confirm it is enrolled to Microsoft Intune. So at the moment we can see that our hybrid Azure AD joined Windows 10 device has successfully enrolled in Microsoft Intune.

That concludes the video on auto-enrollment of a hybrid Azure AD joined Windows 10 device to Microsoft Intune using a Group Policy object. Thank you all for watching this video, have a nice day.
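As an added example, not part of the video or of MSFT WebCast's own material: the same procedure expressed in PowerShell. The first function creates and links the GPO from the domain controller by writing the registry-backed values behind the "Enable automatic MDM enrollment using default Azure AD credentials" setting; the second runs on the Windows 10 client and checks the points the video verifies by hand (join state from dsregcmd, the policy values, the three tenant MDM URLs, the signed-in UPN suffix, the enrollment task and enrollment record). The GPO name, OU path and domain are placeholders taken from the walkthrough; the registry paths, task path and event log name are the ones the Windows enrollment client uses and come from my own experience, not from the video.

```powershell
<#
 Added example (not from the video). Placeholders: GPO name, OU path, domain.
 Run New-IntuneAutoEnrollGpo on the domain controller (GroupPolicy module),
 and Test-IntuneAutoEnrollReadiness in an elevated prompt on the client.
#>

function New-IntuneAutoEnrollGpo {
    param(
        [string]$GpoName  = 'Microsoft Intune MDM GPO',              # assumed name
        [string]$TargetOu = 'OU=Workstations,DC=msfsura,DC=local',   # assumed OU
        [ValidateSet('User', 'Device')][string]$CredentialType = 'User'
    )
    Import-Module GroupPolicy -ErrorAction Stop
    # Key the ADMX policy "Enable automatic MDM enrollment using default
    # Azure AD credentials" writes on the client
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    # AutoEnrollMDM = 1 -> Enabled; UseAADCredentialType 1 = User, 2 = Device
    $credValue = if ($CredentialType -eq 'User') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AutoEnrollMDM' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UseAADCredentialType' -Type DWord -Value $credValue | Out-Null
    # Link once to the OU that holds the workstation computer accounts
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }
    return $gpo
}

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-IntuneAutoEnrollReadiness {
    $s = Get-DsregStatus
    $checks = [ordered]@{}

    # 1. Hybrid Azure AD joined means both flags are YES under Device State
    $checks['HybridAzureAdJoined'] = ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES')

    # 2. The GPO actually applied: the policy values exist under HKLM
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $checks['GpoApplied'] = ($pol.AutoEnrollMDM -eq 1)
    $checks['CredentialType'] = if ($pol.UseAADCredentialType -eq 1) { 'User' }
                                elseif ($pol.UseAADCredentialType -eq 2) { 'Device' }
                                else { 'not set' }

    # 3. Tenant MDM URLs: the video shows these empty when the signed-in UPN
    #    suffix is not a domain the tenant knows
    $checks['MdmUrlsPresent'] = (-not [string]::IsNullOrWhiteSpace($s['MdmUrl'])) -and
                                (-not [string]::IsNullOrWhiteSpace($s['MdmTouUrl'])) -and
                                (-not [string]::IsNullOrWhiteSpace($s['MdmComplianceUrl']))

    # 4. Signed-in UPN: a .local suffix cannot be verified in Azure AD
    $upn = (& whoami.exe /upn 2>$null)
    $checks['SignedInUpn'] = $upn
    $checks['UpnSuffixRoutable'] = [bool]($upn -and $upn -notmatch '\.local$')

    # 5. Task the policy creates, and an Intune enrollment record under Enrollments
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object TaskName -like '*automatically enrolling in MDM*'
    $checks['AutoEnrollTaskPresent'] = [bool]$task
    $enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
                Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    $checks['IntuneEnrollmentRecord'] = [bool]$enrolled

    # 6. Most recent auto-enroll event, for the "MDM still shows None" moment
    $ev = Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
                       -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object Message -like 'Auto MDM Enroll*' | Select-Object -First 1
    $checks['LastAutoEnrollEvent'] = $ev.Message

    return [pscustomobject]$checks
}

# Usage on the client:
# Test-IntuneAutoEnrollReadiness | Format-List
```

The readiness check is the one worth keeping: after `gpupdate /force` and a reboot, `GpoApplied`, `MdmUrlsPresent` and `AutoEnrollTaskPresent` should all be True before you expect an enrollment record or an MDM value in the Azure AD device list. A False on `MdmUrlsPresent` together with a `.local` UPN is exactly the state the video hits before the UPN suffix is changed.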
Info
Channel: MSFT WebCast
Views: 21,546
Keywords: Azure Active directory tutorial for beginners, Azure Active Directory, azure active directory tutorial, intune auto enrollment hybrid azure ad, hybrid azure ad join auto enroll intune, How to enroll existing Hybrid AD Joined device to Intune, Intune Enrollment Using Group Policy, Manually enroll a Hybrid Azure AD Join Windows 10, Enroll Azure AD joined device in Intune, Hybrid Azure AD join Intune, automatic enrollment in Intune, Enroll domain joined devices to Intune, azure, intune
Id: WFqny7YXGL8
Length: 18min 48sec (1128 seconds)
Published: Tue Jul 26 2022