Intune Auto Enrollment with Windows Group Policy

Captions
In this video we're going to configure Intune auto enrollment with group policies. Hello everyone, I'm Travis and welcome to my channel. In order for our clients to be managed they need to be enrolled in Intune. There are a few ways that this can take place. For this example we're going to configure auto enrollment for domain-joined workstations using a GPO. Before that, please like, subscribe and share with a friend. Check out my courses on Azure Virtual Desktop, Windows 365 and hybrid identities with Windows AD and Azure AD; hybrid identities is a part of what we're talking about in this video. Also subscribe to my newsletter. Links to all that goodness are below, and thank you channel members for your support. Back to it.

I have to be upfront about this one: there's a lot of material on auto enrollment beyond what I can cover in one video. I'm narrowing the scope of this to configuring auto enrollment so our domain-joined Windows clients are automatically enrolled into Intune. In order for a device to be managed by Intune it has to be enrolled into Intune. There are a few ways to handle enrollment. We can manually add a cell phone to Intune, for example, by signing into the Intune app on the device. Auto enrollment is a way, as the name suggests, to automatically enroll clients into Intune. It verifies that only authorized and authenticated devices are managed by the enterprise. With domain-joined computers we can automatically add devices to Intune once an Intune-enabled user logs in. That's what we're covering in this video.

In order to automatically enroll domain-joined devices we need to configure a group policy to trigger the enrollment. That implies we have Windows AD; Azure Active Directory Domain Services doesn't support hybrid Azure AD join and isn't supported for auto enrollment. There are a few other things we need. We need a Windows AD domain synchronizing to Azure AD with Azure AD Connect sync. Azure AD Connect sync must be configured to synchronize devices, not just users, and we have to use Azure AD Connect sync; Azure AD Connect cloud sync does not yet synchronize devices. The enterprise must be configured for mobile device management services, and for this example mobile device management is scoped to a user group. The Windows devices we'll configure for auto enrollment can't already be joined to Intune and have to have a supported version of Windows 10 or Windows 11.

To configure the group policy object the domain needs an administrative template for Windows 10 or Windows 11. The administrative template defines the settings in our group policy, and here's where things get interesting: there are administrative templates available for multiple versions of Windows 10 and Windows 11, but the Windows 11 template is not backwards compatible with the Windows 10 settings. For the purpose of this video we simply need to use a recent template, because the MDM setting we're using is available on both. I'll include a link to a blog post below that outlines what to do if you have both Windows 10 and Windows 11 in the environment.

Coming up we're going to configure our environment for MDM and enable the group policy, then join a client to the domain and verify it's added to Intune. Be sure to stick around to the end to learn about the mistakes and problems I had when I created this demo. Let's jump into the portal to get started.

Here we are in the Intune portal at intune.microsoft.com. Let's start by creating a group for our mobile device management users. This video is on auto enrolling devices, but Intune is licensed to users, not devices. This group is for our MDM-enabled users. Go to Groups, create a new group, leave it as the type Security and give it a name, MDM Users for this example. You can add a description if you'd like. Leave the rest and go to Members. Add users with an Intune license assigned; in this example it's Test One. Create. We now have our MDM group with our MDM users.

Next we're going to enable MDM support for our Azure AD tenant, or I guess I should call it the Entra ID tenant. Now we can do this from the Intune portal or Azure AD; we'll do it from Intune. Let's go to Devices, Enroll devices. We have the option for Automatic Enrollment; let's open that. For the MDM scope we have the options None, which it's set to now, Some and All. All will enable MDM for all users; they still require a license. For this example we'll select Some. Next click on No group selected and we'll select a group. We'll add the group we just created, MDM Users. Select the group. We can leave the terms and compliance URLs as they're set, and we won't change MAM. Let's save, and now our organization is enabled for auto enrollment.

Next we need to move to the Windows AD domain to configure groups and group policy objects. The first step is to add a group for our MDM-managed devices. We'll use this to filter our group policy objects coming up. From Windows AD Users and Computers go to Computers and we'll add a group. We'll call this one MDM Devices and click OK. We'll add our devices to this group in an upcoming step. Now that we have our group, let's go to Group Policy Management and create our group policy object. From Group Policy Objects let's create a new group policy, and we'll call this MDM Enrollment. Let's edit that group policy we just created. Under Computer Configuration go to Policies, Administrative Templates. We'll go to Windows Components and MDM. Open the Enable automatic MDM enrollment using default Azure AD credentials setting. If you don't see this setting your Windows 10 or Windows 11 administrative templates are out of date; I'll add a link below to the location of updated templates. Let's enable the setting and select the User Credential option. Device credentials are only supported for co-managed or Azure Virtual Desktop session hosts. We can leave the MDM application ID blank. Click Apply and OK and we can close the GPO editor.

Let's select the policy we just modified. Next we'll add a security group filter so the policy only applies to computers in the MDM Devices group we just created. Click Add and we'll search for that group. The group is added. Next we have to link this policy to an OU. If all your client computers are in a single OU you can link it to that. For this example we'll link it to the domain so it will be scoped to all OUs and the computers in them; the security group filter will prevent the policy from applying to computers that are not in the MDM Devices security group. So we'll go to the domain, Link an Existing GPO, and select the MDM Enrollment GPO. Once that's linked our domain group policy is configured for auto enrollment.

Next we'll verify auto enrollment. We'll start the process by viewing our devices in Intune. We'll go to Intune, Devices and Windows devices. At this point we have no Windows clients in the environment. Next we'll go to Windows AD. The computer is joined to the domain, but we need to add it to the MDM Devices group we configured earlier; computers in this group will get the auto enrollment GPO settings. From Active Directory Users and Computers we'll add the computer to the MDM Devices group. Be sure to include computer objects. The computer for this example is MDM Client One. We'll apply. Remember, if you're in a domain with multiple sites and domain controllers you may need to wait for replication to take place.

Next we'll restart the client computer to apply the GPO. This client happens to be an Azure VM, so let's go to the Azure portal and we'll restart the client. We could also log in and run gpupdate. While we're waiting for the restart, let's go to Azure AD and verify the client is showing as hybrid joined. Here we are in Devices in Azure AD. Let's go to All devices. From here we'll filter on hybrid join, so we'll select Join type and set it to Hybrid Azure AD joined. There's the client we're using. This is an important step, because the device has to be hybrid joined before it can be added to Intune with group policy auto enrollment. If it's not showing, be sure that Azure AD Connect sync has run and, if OU filters are in place, that the computer account is in an OU configured for synchronization.

Next we'll log into the client computer with the user account that has an Intune license assigned. Now that we're logged in, let's open up Task Scheduler as an administrator to check for a device management task; we have to start it as an administrator to view the tasks. Once in Task Scheduler we'll go to Microsoft, Windows and EnterpriseMgmt. We have a task called Schedule created by enrollment client for automatically enrolling in MDM from AAD. That indicates the group policy was applied. Let's go to Intune and see if our client is available. Here we are in Intune; let's go to Devices and Windows, and there's our Windows client with our user listed as the primary user. One thing to note: this didn't happen immediately. I did have to wait and refresh a couple of times before it showed up as compliant. That's the demo on auto enrolling clients to Intune with a group policy.

As promised, I wanted to give you a few items that I got wrong when I created this demo, and hopefully you can avoid the same mistakes. First, be sure that the Windows AD computer account is configured to hybrid Azure AD join to Azure AD. I had an OU filter in place and initially my computer account was not synchronizing to Azure AD. For my first attempt I used a Windows 10 multi-user OS image on an Azure VM for the client. The steps in this video are not intended for a multi-user OS; there's a different GPO setting for that. Also, I was testing in a virtualized environment; I don't have a lot of spare hardware laying around. Make sure your Intune user has rights to RDP into the computer. Admins can RDP to Windows by default, but normal users may need to be added for remote access in Windows 10 or Windows 11. I logged in as a local admin, joined the VM to the domain and added the user for RDP access before starting to record this video. That's a walkthrough of how to automatically enroll Windows AD-joined devices to Intune with a group policy. Please don't forget to like and subscribe, and thanks for watching.
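The walkthrough above builds everything by hand in the portal, ADUC and the GPO editor. The following PowerShell is an added example, not from the video or its author, that scripts the same Windows AD side of the procedure (device group, GPO, security filter, domain link, group membership) and lists the client-side checks the video performs in Task Scheduler. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-admin workstation; the domain DN and the computer name MDMClient1 are placeholders. The registry key and the AutoEnrollMDM / UseAADCredentialType values are what the "Enable automatic MDM enrollment using default Azure AD credentials" ADMX setting writes; confirm against the template in your own environment before relying on them.

```powershell
# Added example (not from the video): script the AD group, GPO, security filter and link
# that the walkthrough builds by hand, then verify the result on a client.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain admin session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=corp,DC=example,DC=com'   # placeholder; use (Get-ADDomain).DistinguishedName
$GroupName = 'MDM Devices'
$GpoName   = 'MDM Enrollment'
$MdmKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'  # key the ADMX setting writes

# 1. Global security group for the computers that should auto-enroll (Computers container, as in the video).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Computers,$DomainDN" -Description 'Computers that auto-enroll into Intune via GPO'
}

# 2. GPO carrying "Enable automatic MDM enrollment using default Azure AD credentials".
#    AutoEnrollMDM=1 enables the setting; UseAADCredentialType=1 selects User Credential
#    (2 would be Device Credential, which the video notes is only for co-managed / AVD hosts).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Intune auto enrollment for hybrid-joined clients' }
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'AutoEnrollMDM'        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: only members of MDM Devices apply the policy.
#    Authenticated Users keeps Read (computers must still be able to read the GPO since MS16-072)
#    but loses Apply; the device group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link at the domain root; the filter above keeps it from applying to every computer.
if (-not ((Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Put the demo computer in the group (placeholder name; the video calls it MDM Client One).
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity 'MDMClient1')

# --- Client-side checks, run on the workstation after a restart or gpupdate /force ---
function Test-MdmAutoEnrollment {
    # Did the policy arrive? Both values should be 1 for the User Credential configuration.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $policyOk = ($pol.AutoEnrollMDM -eq 1) -and ($pol.UseAADCredentialType -eq 1)

    # Hybrid join state: AzureAdJoined and DomainJoined must both be YES before enrollment can work.
    $dsreg = dsregcmd /status
    $hybridOk = ($dsreg -match 'AzureAdJoined\s*:\s*YES') -and ($dsreg -match 'DomainJoined\s*:\s*YES')

    # The scheduled task the video looks for under Microsoft\Windows\EnterpriseMgmt.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like 'Schedule created by enrollment client*'

    [pscustomobject]@{
        PolicyApplied   = $policyOk
        HybridJoined    = $hybridOk
        EnrollmentTask  = [bool]$task
    }
}

# Test-MdmAutoEnrollment   # all three properties should be True on a successfully configured client
```

The `Test-MdmAutoEnrollment` function mirrors the video's troubleshooting order: if `PolicyApplied` is false the GPO link or security filter is wrong; if `HybridJoined` is false the computer account has not synchronized (the OU filter problem the video describes); and only when both are true should the enrollment task, and then the device in the Intune console, be expected to appear.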
Info
Channel: Travis Roberts
Views: 6,632
Keywords: Intune Enrollment, Intune Auto Enroll, automatic enrollment, Group Policy, Windows AD, AD DS, Azure AD, Intune, Microsoft, Mobile Device Management, MDM, Mobile Application Management, MAM, Intune Portal, free, tutorial, Intune learning, walkthrough, azure, azure training, azure free, mobile endpoint management, MEM, GPO
Id: 3GTyvjvd2xk
Length: 13min 1sec (781 seconds)
Published: Sun Jul 23 2023