Enroll Windows 10 devices in Microsoft Intune, Enroll corporate device intune

Video Statistics and Information

Captions
Hi guys, I hope you all are doing well, and welcome to the next video of this series on Microsoft Intune. In the last video we discussed how to set up your tenant for automatic device enrollment for Windows devices. In this particular video we will learn how to enroll corporate-owned Windows 10 devices using the self-enrollment method. I will practically demonstrate to you how an end user can enroll a corporate-owned Windows 10 machine. We will create and apply compliance policies to that machine, we will apply a configuration policy on the device, we will check the status of the device post enrollment, we will learn how to sync the device from the machine and from Endpoint Manager, and we will learn how to collect logs to troubleshoot device enrollment issues.

The self-enrollment method is where users can self-enroll their devices to Microsoft Intune. As an administrator you can share instructions with the users on how to enroll a device, and users can follow those instructions and enroll their devices to Microsoft Intune. This type of enrollment is called the self-enrollment method.

Before you enroll a device to Microsoft Intune, the user account that the user will be using to enroll a particular device should have an Intune-supported license assigned. In my tenant I have a user account with the name Bob Ross, and this user account has the Enterprise Mobility E5 license assigned. As we can see here, Microsoft Intune Plan 1 is included within this license, so this user can use his account to enroll devices to Microsoft Intune.

Before we start enrolling a device to Microsoft Intune, we will create a compliance policy and a configuration policy. We will apply these policies to a group, and that group will have only the corporate-owned devices as members. So how can we assign policies only to the corporate-owned devices? To achieve this we will create a security group in Azure AD. I'll show you step by step how you can do it. Go to Groups, New group, select Security, and give it a name; for example, I'll give it the name Corporate owned Windows devices. I will leave the description empty, and the membership type will be Dynamic Device because we are going to add devices within this group. Next we will go to Add dynamic query, and under Property we will select deviceOwnership; the operator will be Equals and the value will be Company.

Now let me explain this to you. When you enroll a device to Microsoft Intune, be it a personal device or a corporate-owned device, and you go to Devices (let's consider Windows devices as an example), you will see all the devices that are enrolled in Microsoft Intune, and under Ownership it will show you whether that device is a corporate-owned device or a personal device. Within this group we are adding only the corporate-owned devices. If you have enrolled a personally owned device to Microsoft Intune, the ownership will be Personal, and in case you have enrolled a corporate-owned device, the ownership will be Corporate. But when you create a security group in Azure AD and create a query to add corporate-owned devices within the security group, you will use the property deviceOwnership and the value will be Company. For corporate-owned devices you will type Company, not Corporate. For personally owned devices you will add the value Personal, and for corporate-owned devices you will add the value Company. This way you can add corporate-owned devices within a security group.

We will add one more query here: deviceOSType Equals Windows. That means only the Windows devices that are company owned, or the corporate-owned devices, will be added within this particular group. Create such a query and click Save, then click Create, and this group will be created. However, if you check the members of this security group, you will not see the devices as of now because we haven't enrolled any device to Microsoft Intune. This is the group that we created; let's go to Members. It says there is no member because there is no device enrolled yet. There are many other conditions that you can use within the security group, but for this demo I have used these two conditions.

Let me close this, and now we will go to Endpoint Manager and create a compliance policy. We are going to create a compliance policy for the Windows devices, so we'll go to Devices, Windows, and here we will click Compliance policies and click Create policy. This is the default policy; we will create a custom policy. Select the platform Windows 10 and later and click Create. Let's give it a name, for example Windows 10 corporate devices, and click Next. Let's make some changes within these settings. Under System Security, select Firewall; for example, I want the firewall to be enabled on that particular device, else mark that device as non-compliant. I want antivirus as well. Let's click Next.

Under Actions for noncompliance you will see a default rule that says Mark device noncompliant, immediately. If you want to create another rule you can create it from here, like Send email to end user or Add device to retire list; as per your requirement you can create that rule. But by default it says that as soon as the device is not meeting these conditions (firewall and antivirus are not enabled on the device that you are going to enroll to Microsoft Intune), mark that device as non-compliant immediately.

Next is Assignments. Under Assignments you can assign this policy either to groups, to devices, or to users. We are going to add the group that we just created, that is, Corporate owned Windows devices, and click Select. This policy will be applied only to this group, and all the devices that are members of this group will inherit this policy from the group. Click Next and review your changes; if you want to make any changes, go back, make the changes, and click Create. So we have created the compliance policy.

Now let's go to Windows devices again and create a configuration profile. Let's create a profile, select the platform Windows 10, and under Profile type we will select Templates. You can review all these settings and select any setting that you want to enforce on the device as per your business requirement. For this demo I will be selecting the Device restrictions category. Click Create and give it a name, for example Windows 10 corporate devices, and go Next. Under the Device restrictions categories you will see the many settings that you can configure or control on the machine. You can control App Store settings, connectivity settings, cloud storage settings, printer settings, Control Panel settings, display settings; you can control almost all of these settings from Microsoft Intune. For this demo I'm going to use general settings: I'll go to General and I'll block OneDrive on this machine that I'm going to enroll, I'll disable USB, and that's it. Let's go to Next. Under Assignments we are again going to add the same group, Corporate owned Windows devices, and click Select. This group is added; click Next. No changes are required here; click Next, review your changes, and click Create. So we have created the configuration profile as well.

Now let's enroll a Windows 10 device to Intune. I have this Windows 10 machine, which is hosted on VMware Workstation, and I'm going to enroll this device to Microsoft Intune. This is a corporate device, so we will be joining this device to Azure Active Directory. The difference between personally owned and corporate-owned devices is that on personally owned devices users will use their personal credentials to log in to the device, and on corporate-owned devices users will use Azure Active Directory credentials to log in to the machine. This is the difference between personally owned and corporate-owned devices. Since this is a corporate-owned device, we will join this device with Azure AD. If you want to enroll a personal device, you will register that device with Azure AD. I have discussed Azure Active Directory registered and Azure AD joined devices in detail in the Azure Active Directory series. In case you have missed that series, I'll share the link in the description and you can go through it.

In order to enroll a corporate-owned Windows 10 device you will go to Settings, go to Accounts, Access work or school, click Connect, and click Join this device to Azure Active Directory. Here you need to type the username of the Azure AD account that has the Microsoft Intune license assigned. I have one account with the name bob@office365concepts.com. Enter the password and sign in. Here I can see the terms and conditions that we configured in our tenant in one of the previous videos. I'm getting an option to accept or decline. If I decline I will not be able to proceed with the enrollment; I have to accept these terms and conditions, so I'll click Accept. Now this is asking you to confirm whether this is the right organization to which you are going to join this device. This is connecting to office365concepts.com, which is the domain that I'm using in my channel. I'm using these credentials to join this device to Azure AD, and the user type will be Administrator, so click Join. It says the device is connected to Office 365 Concepts: when you are ready to use this new account, select the Start button, select your current account picture, switch account, and log in with this account, that is, the Azure Active Directory account. Click Done, go to the account, switch user, click Other user, and let's log in with the Azure Active Directory account here. This will ask you to create a PIN, so click Next and create a PIN here. This is done, click OK, and now we are logged in.

Let's go to Settings, and under Settings go to Accounts, Access work or school, and here we can see the account that we used to join and enroll this device to Intune. When you join a device with Azure Active Directory you see only the Disconnect option, but if you see Info, that means this device is enrolled with Microsoft Intune as well. So if you see Info next to Disconnect, that means this particular device is enrolled with Microsoft Intune.

Now let's go to the command prompt and check the status of this device enrollment. Let me maximize it and use a big font. Let's type dsregcmd /status. Here we can see AzureAdJoined: YES, and if you check here you can see other details as well, like the device ID, thumbprint, and other details. But we have to check the MDM URL. You see here the MDM URL, the terms of use that we created, this is the compliance URL, and this is the MDM enrollment URL. If you see these URLs here, that means this device is successfully enrolled with Microsoft Intune. Next you can see AzureAdPrt is set to YES; that means seamless single sign-on is enabled on this device.

Let's go back to our Azure Active Directory tenant. First let's verify this device in Azure AD: go to Devices, All devices. We can see this device is joined here with Azure AD, the owner of this device is Bob Ross, and the MDM is Microsoft Intune, which means we are managing this device with Microsoft Intune. It is compliant, which means the firewall and antivirus are enabled on this particular device. If you want to check other details you can click on the device and check all the attributes from here.

Let's go to Endpoint Manager, Devices, Windows. Under Windows devices we can see this device is enrolled with Microsoft Intune. Here you see Ownership; it says Corporate, which means this is a company-owned or corporate-owned device. Apart from that, if you want to check the properties of this device in Endpoint Manager, you can click on the device and it will list all the properties. You can see the device name here, the ownership, the serial number of this device, and the user, that is, the account that we used to enroll this device: enrolled by Bob Ross. It is compliant, the operating system is Windows, and the device model is VMware because this particular device is hosted on VMware; this is not a physical machine, it's a virtual machine.

Now let's go to the machine and understand how to sync a device from the machine itself. Go to Settings again, go to Accounts, click Access work or school, and then click Info. Under Info you will see a button that says Sync. If you want to sync this particular device with Microsoft Endpoint Manager or the Intune portal (let's say the administrator has created a new policy in Endpoint Manager and you want to pull those policies onto this machine), you will click Sync. This device will connect with the MDM server of your tenant and it will fetch all the new changes that were made within the Intune portal. Here you can see the last attempted sync, sync in progress; this is the date and time when the sync was initiated.

Let me show you how you can sync a device from Microsoft Endpoint Manager. Go to Devices, click on the device, and here you will see Sync. You need to click on the Sync option and click Yes. It says Intune will attempt to check in with this device; if successful, it will sync current actions or policies to the device; would you like to continue? You can click Yes, and it will push the new changes or the new policies that you have created in Intune to the device. This is how you sync a device from Endpoint Manager. If you want to do it from the machine, you can do it from here. So let's go back to Endpoint Manager and push a sync. It says sync initiated.

If you remember, we created a security group in Azure AD, and at that time it was not showing any member. This is the group that we created, so let's go to this group and verify the changes now. Now you can see that this device is added within this group as a member. If I go back to the device properties (let me show you again: go to Windows, go to Windows devices, click on the device) and under the device properties click Device compliance, it will show you the compliance policies that are applied on the device. Here we can see Windows 10 corporate devices; this is the compliance policy that we created, and we applied that policy on the security group, so this is applied and it says it is compliant.

Now let me show you one thing. Let's go back to the device, let me minimize this, and let's go to the firewall. I'm going to disable the firewall on this machine, so let's turn it off, turn it off, click OK. This is disabled now. Let's go back to the account and sync. Now let's wait for a couple of minutes. Here we can see this device is showing compliant; it should become non-compliant.

While this sync is running, let me show you how to collect logs, or what logs we can collect, to troubleshoot device enrollment issues. Let's go back to the machine and go to the account under Access work or school. Here under Sync you will see Create report. It says Advanced Diagnostic Report: your IT or support person may want additional information to help with troubleshooting. Click on Create report and this will generate a report in this location, so click Export. Now let's go to this location, that is, the C drive, Users, Public, and Public Documents, and here we can see MDMDiagnostics. You can open this file. Within this file you will find all the details related to this particular machine: machine name, organization name, operating system, processor, to which organization this machine is joined or managed, when the last successful sync was initiated, and to which server it is connected. You can see other things like which policies are configured on this particular machine. You will find lots of information within this file, so this is one file that you can collect if you are troubleshooting device enrollment issues. Apart from this particular report, you can collect Event Viewer logs as well, so go to the Event Viewer logs.

In the meantime let's see the status of this device. Let me refresh. Now you can see it says non-compliant, because I have disabled the firewall on this particular machine. Let's go back and enable the firewall. Let's enable it and click OK, so it's enabled. Let me minimize this browser, go to Settings, and click Sync. After a few minutes this device will sync again and it will show compliant.

Let's go to Event Viewer and see what sort of logs we can collect for device enrollment issues. Within the Event Viewer logs you will go to Applications and Services Logs, expand Microsoft, expand Windows, and here you will look for DeviceManagement. Let me expand it: DeviceManagement-Enterprise-Diagnostics-Provider. You will look for these logs; click on Admin and here you will see all the logs related to the device enrollment.

Moreover, you can use a command to collect MDM logs to troubleshoot device enrollment issues. You will go to the command prompt, and in the command prompt you will type mdmdiagnosticstool -out; -out takes the location where you want to store the MDM diagnostics tool logs. I want to save it on the C drive, in a folder with the name MDM. Hit Enter. It says the report location is the MDM folder on the C drive. This will generate a few files within this folder, so let's go to the C drive, and here we can see the MDM folder, and we can see these many logs. These are the MDM Event Viewer logs, this is the MDM diagnostic report, and these are the Event Viewer logs to troubleshoot the enrollment process. This is how you can collect these logs.

Let's verify the status of this device in Intune. Now it says compliant, because we have enabled the firewall on this machine. So this is how you enroll a corporate-owned Windows 10 device to Microsoft Intune. In the next video we will learn how to enroll personally owned Windows 10 devices to Microsoft Intune. If you have learned something new from this particular video, please write in the comments and subscribe to the channel. Thank you guys, thank you for your time, take care.
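The post-enrollment check that the video reads off `dsregcmd /status` by eye can be scripted. The PowerShell below is an added example, not code from the video or from Microsoft; the function names are hypothetical, the sample output and its values are constructed placeholders, and the field names (AzureAdJoined, MdmUrl, MdmTouUrl, MdmComplianceUrl, AzureAdPrt, DeviceId) are those printed by `dsregcmd /status`.

```powershell
# Added example, not from the video. Parses `dsregcmd /status` text into fields.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES". The key has no colon, so
        # the first " : " is the separator even when the value is a URL.
        if ($line -match '^\s*(?<key>[A-Za-z0-9]+)\s+:\s+(?<value>\S.*?)\s*$') {
            $fields[$Matches['key']] = $Matches['value']
        }
    }
    return $fields
}

function Get-EnrollmentSummary {
    param([Parameter(Mandatory)][hashtable]$Status)
    $mdmKeys = 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl'
    # The video treats populated MDM URLs as the sign of a successful enrollment.
    $missing = @($mdmKeys | Where-Object { [string]::IsNullOrWhiteSpace($Status[$_]) })
    [pscustomobject]@{
        AzureAdJoined  = $Status['AzureAdJoined'] -eq 'YES'
        AzureAdPrt     = $Status['AzureAdPrt'] -eq 'YES'
        MdmUrlsPresent = $missing.Count -eq 0
        MissingMdmKeys = $missing -join ', '
        DeviceId       = $Status['DeviceId']
    }
}

# Constructed sample output (placeholder values), so the example runs offline.
# MdmComplianceUrl is left empty on purpose to show a failed check.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://mdm.example.invalid/enroll
                 MdmTouUrl : https://mdm.example.invalid/terms
          MdmComplianceUrl :
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-EnrollmentSummary -Status (ConvertFrom-DsregStatus -Lines $sample)
# On a real device, feed the live output instead: $sample = dsregcmd /status
```

With the constructed sample, the summary reports the device as joined with a PRT but lists MdmComplianceUrl as missing, which is the case a help desk would want flagged before collecting the MDM diagnostic logs.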
Info
Channel: Office365Concepts
Views: 19,436
Keywords: Corporate owned windows 10, enroll device, enroll window device to intune, enroll windows 10 device to intune, enroll windows device, intune logs, mdm, microsoft endpoint manager, microsoft intune, mobile device management, mdm logs, mdm logs in event viewer, intune corporate-owned dedicated devices, enroll corporate device, enroll corporate device intune, mdm vs mam intune, enroll windows devices in intune, enroll windows 10 device in intune, enroll windows 10 intune manua
Id: PmsCl6uCbMg
Length: 27min 29sec (1649 seconds)
Published: Thu Apr 06 2023