Auto-enroll Hybrid Azure AD Joined Devices to Intune Using Group Policy

Captions
Hi guys, I hope you all are doing well, and welcome to Office 365 Concepts. This is the ninth video of the Microsoft Intune series. In the last video we discussed how to enroll a personally owned Windows 11 machine using Company Portal. In this particular video we will learn how to auto-enroll a hybrid Azure AD joined Windows machine using Group Policy. We will discuss what prerequisites need to be met, we will learn how to create a Group Policy for auto enrollment, and we will verify the enrollment process from the machine and from Microsoft Endpoint Manager.

If you have a device that is already hybrid Azure AD joined, you can enroll that device to Microsoft Intune so that you can manage and control that device from Endpoint Manager. You can deploy or remove applications on that device from Endpoint Manager, you can apply conditional access policies, you can wipe the device. So in a nutshell, when a device is enrolled in Intune you can have complete control over that device from Endpoint Manager. If you are new to the hybrid Azure AD join feature, I have uploaded a complete series for Azure AD and have discussed the hybrid Azure AD join feature in detail; I will share the link in the description of that video and you can go through it. But for this demo, just understand that when a device is joined with on-premises Active Directory and is registered with Azure AD as well, that device is called a hybrid Azure AD joined device.

There are multiple ways to enroll a hybrid Azure AD joined device to Microsoft Intune. You can use Group Policy to enable auto enrollment, or you can use Windows Autopilot with the help of a connector to enroll hybrid Azure AD joined devices to Microsoft Intune. But for this particular demo we will create a Group Policy in on-premises Active Directory so that we can automate the enrollment process for hybrid Azure AD joined devices.

Before you proceed with this process you need to meet certain prerequisites. You need to make sure that you have hybrid Azure AD join deployed in your tenant, and your devices should be reflecting in Azure AD as hybrid Azure AD joined devices. To verify this you can go to Azure Active Directory, go to Devices, All devices, and here we can see one device is showing as a hybrid Azure AD joined device. The same thing can be verified from the machine itself: if you go to the Windows machine that is hybrid Azure AD joined and open a command prompt, you can run dsregcmd /status and hit enter. Here we can see it says AzureAdJoined: YES and DomainJoined: YES. That means this particular device is joined with your on-premises Active Directory (this is the domain name for your on-premises AD) and it is registered with Azure Active Directory as well.

The next prerequisite for enrolling a hybrid Azure AD joined device is the version of the operating system. If you are using Windows 10, you need to make sure the version of the operating system is 1709 or later. You can verify the version from here: go to Run, type winver, hit enter, and this will show you the version of the operating system.

Next you need to verify that auto enrollment is enabled in your Microsoft Intune tenant. So let's go to Endpoint Manager. You will go to Devices, under Devices you will go to Windows because we are enrolling a Windows device, under Windows devices you will go to Windows enrollment, and here you will click Automatic Enrollment. If you are watching this series from the beginning, we have already discussed this and we have already configured this. From here you can control the auto enrollment of devices in your tenant: if you select None, that means no one will be able to enroll a device in your tenant; Some is for a group of the users; All means auto enrollment is configured for all of the users in your tenant. So you can select either Some or All as per your business requirement, and make sure the MAM user scope is set to None. We have verified this also, so with this we have met all the prerequisites.

Now the next step is we need to create a Group Policy in our local Active Directory. Go to your domain controller and open Group Policy Management. First we will create a Group Policy, and then we will link that particular Group Policy to an OU, or organizational unit, where our machines are stored. If we go to Users and Computers, in my on-premises environment I have created one folder, or one OU, with the name Synced, and the device that is hybrid Azure AD joined is placed inside this OU. So I will create a Group Policy and then I will link that Group Policy to this OU.

Let's go back to Group Policy Management. Here, right-click on Group Policy Objects, click New, and give it a name, for example Hybrid Auto Enroll GPO (you can give it any name), then click OK. Next you need to expand Group Policy Objects; under this you will find the GPO that you just created. Right-click on it and click Edit. Under Computer Configuration you will expand Policies, Administrative Templates, Windows Components, and then look for MDM. Under the MDM folder you will see one Group Policy that says Enable automatic MDM enrollment using default Azure AD credentials. Double-click on this policy, enable it, and where it says Select Credential Type to Use you will see two options, Device Credential or User Credential. You will select User Credential, click Apply, click OK. So this GPO is created.

Now the next step is we will link this particular Group Policy with the OU where our device is stored, and the OU is Synced. Let's go back to Group Policy Management and close this window. Here you can see this OU, Synced, where our device is stored. Right-click on this OU and then click Link an Existing GPO. Here you will select the GPO that you just created, Hybrid Auto Enroll GPO, and click OK. So this particular GPO is linked with this OU.

Now let's go to the machine, the Windows 10 machine, and in the command prompt we will type gpupdate /force so that this Group Policy can be replicated immediately. The Group Policy update has completed. Now let's run dsregcmd /status and hit enter. We might have to restart this machine, but let's give it a try. Here we can see MdmUrl, MdmTouUrl and MdmComplianceUrl, so it looks like this machine is enrolled to Microsoft Intune. Now let's go to Endpoint Manager, Devices, Windows, Windows devices, and let's refresh the page. This is not yet enrolled. Let's go back to the machine and restart it.

Let's go to Settings; in Settings go to Accounts, Access work or school, and here we can see this on-premises account, and we can see the Info option here as well. That means this device is enrolled with Microsoft Intune. You can see this Sync option: you can synchronize your device from here with your Endpoint Manager, and from here you can create a diagnostic report, as we have discussed in previous sessions.

Now, one thing I missed telling you during the prerequisites: there is one more prerequisite when you enroll hybrid Azure AD joined devices with your Microsoft Intune. The user account that you will be using on the Windows machine should be synchronized to Azure Active Directory. Go to the domain controller, Users and Computers; for my scenario I have this account, Hybrid User, that I'm using to log in on this Windows 10 machine, and the same account is synchronized to Azure Active Directory. In Users you can see here Hybrid User; this is the account that is synchronized from on-premises AD, and this account has an Enterprise Mobility + Security E5 license assigned, and this license has the Microsoft Intune Plan 1 service included. So I missed informing you of this; this is one of the prerequisites.

Now, after this, we have verified the configuration from the machine; let's go to Devices, All devices. Here we can see this hybrid Azure AD joined device: owner is Hybrid User, MDM says Microsoft Intune, compliance says Yes. Now let's go to Endpoint Manager, Devices, All devices, Windows, and here as well let me verify. The display name is 9nk, ownership Corporate, compliance Compliant, operating system Windows.

Now, if you remember, in one of the previous videos we created a security group for corporate devices. Since this is a corporate device (the ownership is Corporate), this particular device should be added in that particular security group. Go to Groups; this is the group that we created, Corporate Owned Windows Devices. If you want to verify the dynamic rule, it says device ownership equals Company (Company is for the corporate devices) and device operating system equals Windows. That means any Windows machine that has device ownership as Corporate will be added in this group. Let's go to Members, and here we can see 9nk; this device is added in this group.

Now let's go back to the device properties in Endpoint Manager. From here you can check the attributes, from here you can check the properties of this device. Now let me show the compliance policy: go to Device compliance, and here you can see the Windows 10 corporate device compliance policy is added to this machine, this one. And if you check Device configuration, this is also added to this hybrid user. Apart from this, if you want to synchronize this device, go to the device properties, click on Sync, click Yes, and this device will synchronize with Microsoft Endpoint Manager.

In the next video we will learn how to add and deploy applications on Windows devices. If you have learned something new from this particular video, please write in the comments and subscribe to the channel. Thank you guys, thank you for your time, take care.
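As an added example (not from the video), the PowerShell below runs the same machine-side checks the walkthrough does by hand: hybrid join state from dsregcmd /status, the Windows 10 build for version 1709 (build 16299) or later, whether the auto-enrollment GPO has landed in the registry with User Credential selected, and whether the MDM URLs are present after enrollment. It assumes an elevated session on the target machine and the registry location the "Enable automatic MDM enrollment using default Azure AD credentials" policy writes to; the user-sync and licensing prerequisite is tenant-side and is not checked here.

```powershell
# Added example, not part of the video. Run elevated on the hybrid Azure AD joined
# machine. Registry path and value names are those written by the policy
# "Enable automatic MDM enrollment using default Azure AD credentials".

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable. Keys never
    # contain a colon, so splitting on the first ':' keeps URL values intact.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:\s][^:]*?)\s*:\s*(.*)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-IntuneAutoEnrollPrereqs {
    $s = Get-DsregStatus
    $results = [ordered]@{}

    # 1. Hybrid Azure AD joined = on-premises domain joined AND Azure AD joined
    $results['Hybrid Azure AD joined'] =
        ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES')

    # 2. Windows 10 version 1709 is build 16299; anything newer (incl. Windows 11) passes
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $results['OS build >= 16299 (1709)'] = ($build -ge 16299)

    # 3. GPO applied: AutoEnrollMDM = 1, UseAADCredentialType = 1 (User Credential)
    $mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $pol = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
    $results['GPO AutoEnrollMDM enabled']  = ($pol.AutoEnrollMDM -eq 1)
    $results['GPO credential type = user'] = ($pol.UseAADCredentialType -eq 1)

    # 4. Enrollment evidence: the MDM URLs the video looks for in dsregcmd output
    $results['MdmUrl present']           = -not [string]::IsNullOrEmpty($s['MdmUrl'])
    $results['MdmComplianceUrl present'] = -not [string]::IsNullOrEmpty($s['MdmComplianceUrl'])

    return $results
}

# Print a PASS/FAIL line per check; a FAIL on 1-3 explains why enrollment did not happen
Test-IntuneAutoEnrollPrereqs | ForEach-Object { $_.GetEnumerator() } | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

If the MDM URL checks fail while the first three pass, a reboot or a user sign-in is usually still pending, which matches the behaviour shown in the video before the restart.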
Info
Channel: Office365Concepts
Views: 10,389
Keywords: Azure active directory, enroll hybrid azure ad joined, microsoft intune, office365concepts, hybrid azure ad join auto enroll intune, intune enrollment using group policy, hybrid azure ad join intune, intune auto enrollment hybrid azure ad, enroll domain joined devices to intune, enroll azure ad joined device in intune, automatic enrollment in intune, auto enrollment, auto enrollment intune, enroll hybrid joined device to intune, enroll hybrid, office 365 concepts, intune videos
Id: UlboaSt7A30
Length: 14min 13sec (853 seconds)
Published: Tue Apr 18 2023