Microsoft Endpoint Manager Intune Intro, Windows 10 Autopilot Enrolment, Hybrid Azure AD join Part 1

Reddit Comments

Great video. For quicker and more autonomous results, it's easier to run "get-WindowsAutoPilotInfo -online" .. this will auto populate into Endpoint manager 👍

2 points, u/RenzokukenBlitz, Nov 24 2020

Part 2 - Microsoft Endpoint Manager Intune, Windows 10 Application Delivery, Office 365, Chrome https://youtu.be/Oh2CaMnEMVo

1 point, u/cloudgamer101, Dec 02 2020
Captions
Hello and welcome everyone. This video, part one, is a step-by-step guide to enrolling Windows 10 devices into Microsoft Endpoint Manager for device management. Endpoint Manager combines services you may already know and be using, including Microsoft Intune, Configuration Manager, Desktop Analytics, co-management and Windows Autopilot. These services are part of the Microsoft 365 stack and help secure access, protect data, and respond to and manage risk, as shown in the diagram.

We'll walk through the process manually and also automatically using Autopilot, by hybrid joining a device so that it is visible in, and joined to, both on-premise AD and Azure AD. We show obtaining the hardware hash of the device and importing it into Endpoint Manager so the device can be automatically registered and built with the policy assigned to it. The idea is that this registration is performed by the OEM, reseller or distributor from which the devices were purchased, or it can be done within your organization by collecting the hardware identity and uploading it manually. Also shown will be the configuration of hybrid Azure AD join in AD Connect, which registers devices from on-premise AD to Azure AD, and the Intune Connector, which creates Autopilot-enrolled computers in the on-premise Active Directory domain.

We've already configured and added a custom domain in the Azure tenant, cloudinspired.co.uk, and have an AD Connect sync up and running, so we won't be covering that in this video, but links are in the description going through the AD Connect piece and custom domain setup if you need them. Part two of this video will be released soon, going through application delivery and rollout, and part three will cover patching and updates to devices, so please subscribe to the channel to be notified of upcoming parts of this series, together with technical videos on cloud and certification. Thank you.

In summary, this video will cover: setting up trial licenses; the different device identities; group creation for both users and devices; Autopilot profiles; the Intune Connector install; AD Connect hybrid Azure AD join configuration; exporting and importing hardware hashes for device registration; domain join profiles for Windows 10 devices so they're automatically added and joined to the domain; and finally, with all these settings in place, registering a Windows 10 device into Intune by turning it on from scratch with the out-of-box experience and looking at the steps of setup and automatic configuration of that device.

First of all, go to endpoint.microsoft.com to access the Endpoint Manager admin center; this is where we configure all of our devices. As you can see, we don't have access, because no licensing is in place at the moment, so we can sign up for a one-month trial of Intune for 25 users (links are in the description). Once the trial setup is complete, we assign our Intune license to our users within the Azure portal. Normally we would create a group for production in our on-premise AD, add the users that require a license, and then sync that group up to Azure using AD Connect, but as this is just a test we'll add users directly here. When we go back to the portal with our licenses assigned, we can see that the portal is now active and we have access.

Now let's talk about the different device identities available to us. When a device is registered in Azure AD you have three options: Azure AD registered, Azure AD joined, and hybrid Azure AD joined. Azure AD registered and Azure AD joined devices are registered with Azure AD and can then be managed by Azure AD and Intune. Hybrid Azure AD joined, on the other hand, means that a device is joined to the on-premise AD domain and registered with Azure AD at the same time. This allows you to manage devices via traditional on-premise AD tools like GPOs and also register them with Azure AD for management. We will join a Windows 10 device as hybrid Azure AD joined later on in this video.

We will now create a group in Azure AD so that we can apply policy to that group, and add our users that have been synced from on-premise AD to Azure AD; that group will then be targeted by an Intune policy.

We will use MDM enrollment so that both corporate and bring-your-own devices can be automatically enrolled. To enable this we can sign up for a free trial of the Azure Active Directory Premium subscription. Also make sure that our users are added for testing; as stated before, for production we would normally sync an AD group here, but for testing we'll just add users directly. In Azure Active Directory, click on MDM and then on Intune; here we can check our MDM user scope and add our user group to enable our users to be discovered by Autopilot. Back in Azure Active Directory we can also check that our Azure AD tenant allows users to join devices to Azure AD, and we can require multi-factor authentication if needed. We also need to check under enrollment restrictions that Windows MDM is allowed.

We are now ready to create our first Autopilot enrollment profile to enroll Windows 10 devices; this one will be user driven. Go to Devices, Enroll devices, Windows Autopilot deployment profiles. Type a profile name and click Next. The settings you see here determine what our users are shown within the out-of-box experience. This profile is user driven and joins devices as Azure AD joined. There are many other options here, such as showing or hiding the Microsoft licensing terms and privacy settings; we'll leave these at the defaults for now. In the next section I'll show you where to manually add devices so they appear in Endpoint Manager. We have the option to apply this profile to all devices or to devices within a group, so we'll add the group we created earlier on and apply it to this profile, so any users within that group get this profile applied.

If we now look in the Endpoint Manager portal, we can see that we have no devices currently registered, so let's add one manually to show you where it's done for Azure AD joined or registered devices. On the device, right-click Start, go to Settings, Accounts, Access work or school, click Connect, and enter the Azure Active Directory user we wish to connect with, which is also part of the group we added to the profile. Enter the password, approve the MFA request, and you can see that our Windows 10 device is now added. If we go to Azure AD and then Devices we can see our device listed, and if we go to the Intune portal (Endpoint Manager) and look under Devices we can also see our device listed within Intune.

This can be done automatically by user sign-in, by group policy, or by gathering the hardware hash of the device and uploading it to the Windows Autopilot service. Then, when either a user signs in using their Azure AD credentials or a device's hardware hash matches an uploaded hash, the device is automatically enrolled into a dynamic group, and that group is assigned to an enrollment profile. This is shown later on in the video.

The Intune Connector for your Active Directory creates Autopilot-enrolled computers in the on-premise Active Directory domain, so the computer that hosts the Intune Connector must have the rights to create computer objects within the domain. We have created a Windows 10 OU where domain-joined devices will be located, and now we can set delegation on that OU for the server that will have the Intune Connector installed. Right-click the Windows 10 OU, go to Delegate Control, click Add to add the server where the Intune Connector will be installed shortly, tick Computers under object types, enter the server name, click Next, and then choose to create a custom task to delegate. Click "Only the following objects in the folder", tick Computer objects, tick both "Create selected objects" and "Delete selected objects", click Next, tick Full Control and click Finish.

We also need to check within Server Manager that IE Enhanced Security Configuration is turned off. Now we install the Intune Connector: click Configure Now, then sign in with our Azure AD account and also our on-premise domain admin account so that it registers with Azure AD. We can now see that our Intune Connector is active within the Endpoint Manager portal.

Next we configure AD Connect for hybrid Azure AD join, which enables devices in on-premise Active Directory to register with Azure AD. We don't go through the AD Connect install here; if you want to learn how to do that there are links in the description and videos within my channel. Log in with the Azure AD credentials and you will see an option for hybrid Azure AD join. Select that option; we're only concerned with Windows 10 devices here, so we choose Windows 10 devices, choose our domain, click Add and type our on-premise credentials.

Let's add our device group to enable our devices to be discovered dynamically by Autopilot enrollment. This is a security group with a membership type of dynamic device, so choose Dynamic Device from the drop-down and then add a dynamic query. This is a custom query which will pick up all the devices whose hardware hashes we import in the next section.

To manually register a device you must first capture its hardware hash; once this process is completed the resulting hash can be uploaded to the Windows Autopilot service. First of all, as shown, we install the Autopilot script, and once installed we run this command to export the hardware hash to a CSV file. This is the resulting CSV file, which we can import within the portal in the next section.

Within the portal go to Devices, Enroll devices, then Devices, and import the CSV file as shown earlier. Now let's create an Autopilot enrollment profile that targets user-driven hybrid Azure AD joined devices and assign the dynamic device group that picks up the devices (by hardware hash) we imported earlier. Once we've entered the profile name, click Next, choose user driven, and choose to join to Azure AD as hybrid Azure AD joined. There are various options you can configure here: I'm going to set "Skip AD connectivity check" to Yes, I'm going to show the Microsoft software licensing terms, and I'm going to set my keyboard language as well. In the assignments section we add the dynamic device group we created earlier with all our registered devices in it, so the profile applies via this group.

Under enrollment we also want to check that the enrollment status page is enabled, to give us the ability to show installation status during enrollment; we'll tick Yes and accept the defaults.

There are many profiles that you can assign to your end-user devices. In this instance we're going to create a domain join profile, which will enable us to join our demo devices automatically to our Windows domain. After we enter a profile name we choose our computer name prefix for when devices are joined to the domain; in this instance anything after "win10-" will be randomized. We enter our domain name and then the organizational unit in on-premise AD where these devices will be joined; in this case it's the Windows 10 OU where we set delegation earlier. We now add the dynamic devices group we created earlier on so this profile is applied to that group, and once we're happy we click Next and then Create to create the domain join profile.

If we didn't want to upload the hardware hash and register by device, there is a GPO available to enable Endpoint Manager enrollment using the default Azure AD credentials. We can download and install the administrative templates and add them into Group Policy; again the links are in the description for the downloads. Go to the installation directory where the templates were installed, copy the directory and paste it into the SYSVOL directory as shown. Now in Group Policy Management, edit the policy we created, go to Policies, Administrative Templates, Windows Components, and you should see an MDM section. We just need to enable automatic MDM enrollment using default Azure AD credentials, choose User Credentials, and click OK. This is a computer group policy applied to the Windows 10 OU where our Windows devices will be domain joined and located.

When you hybrid join a device it is visible in, and joined to, both your on-premise Active Directory and Azure AD, and you can manage it with both. This way you're able to use features such as single sign-on and conditional access while still being able to apply GPOs and other on-premise tools. We have created our dynamic device group, which picks up the hardware hashes we imported and automatically adds our devices to that group, and we have applied a hybrid Azure AD join Autopilot profile to enroll devices.

Here is the Windows 10 device we've just switched on. We'll now take a look at taking a Windows 10 device through the out-of-box experience by booting it up from scratch. It will automatically be joined to the domain from the domain join profile we created earlier and then enrolled into Intune from the previously imported hardware hash. First of all we type our synced Azure AD username and password. The Windows 10 device is automatically registered as a hybrid Azure AD joined device in Azure AD, as shown with its original out-of-the-box hostname. This name is then changed following our domain join profile naming convention, which was "win10-" followed by a random string. As you can see the domain join profile has now been applied: the device is on the cloudinspired domain, and the hostname is registered within our Windows 10 OU in on-premise Active Directory. Our device has now finished its out-of-box configuration and we are logged into the domain. When we go to Settings and Accounts we can see that our work or school account is configured and the device is joined to Azure AD as a hybrid Azure AD joined device. We can also see the status from the command line: AzureAdJoined shows YES, DomainJoined also shows YES, and single sign-on is configured. When we run the Company Portal application on the device we can see that the device can access company resources and that there are no apps available at this time.

The next video in this series, to be released shortly, will cover Intune application deployment to Windows 10 devices and also patch management. Thank you very much for watching; please subscribe to the channel to receive updates on new videos posted weekly. All the very best, take care and see you in the next video. Bye for now.
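As an added example (not the video's own script), the following PowerShell exports a hardware hash with the Get-WindowsAutoPilotInfo script from the PowerShell Gallery and sanity-checks the CSV before it is imported under Devices > Enroll devices > Devices; the output path is an assumption, and the dynamic-group rule shown is Microsoft's documented "all Autopilot devices" rule, offered as one concrete value for the custom query the video adds to the device group.

```powershell
# Added example, not from the video: export a device's Autopilot hardware hash
# with the PowerShell Gallery script the video installs, then sanity-check the
# CSV before importing it under Devices > Enroll devices > Devices.
# Run in an elevated PowerShell session on the device. $OutFile is an assumption.
param([string]$OutFile = "C:\Autopilot\HardwareHash.csv")

# Columns the Autopilot CSV import expects; 'Group Tag' is optional.
$RequiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

# Microsoft's documented dynamic-membership rule for "all Autopilot devices";
# it matches the [ZTDId] physical ID stamped on imported hashes and is a
# suitable value for the custom query the video adds to the dynamic device group.
$AutopilotGroupRule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

function Export-HardwareHash {
    param([Parameter(Mandatory)][string]$Path)
    $installed = Get-InstalledScript -Name Get-WindowsAutoPilotInfo -ErrorAction SilentlyContinue
    if (-not $installed) {
        Install-Script -Name Get-WindowsAutoPilotInfo -Force -Scope CurrentUser
        $installed = Get-InstalledScript -Name Get-WindowsAutoPilotInfo
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Export only. -Online (mentioned in the comments) would instead upload the
    # hash straight to the tenant and prompts for an Intune administrator sign-in.
    $script = Join-Path $installed.InstalledLocation 'Get-WindowsAutoPilotInfo.ps1'
    & $script -OutputFile $Path
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($col in $RequiredColumns) {
        if ($headers -notcontains $col) { throw "Missing column '$col' in $Path" }
    }
    foreach ($row in $rows) {
        # A real hash is a base64 blob of roughly 4,000 characters; an empty or
        # short value normally means the OA3 tool failed (e.g. not elevated).
        if ($row.'Hardware Hash'.Length -lt 1000) {
            throw "Serial $($row.'Device Serial Number') has no usable hardware hash"
        }
    }
    return $rows.Count   # number of devices ready to import
}

Export-HardwareHash -Path $OutFile
"{0} device(s) validated in {1}" -f (Test-AutopilotCsv -Path $OutFile), $OutFile
"Dynamic group rule for the imported devices: $AutopilotGroupRule"
```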
Info
Channel: Cloud Inspired
Views: 13,026
Keywords: microsoft endpoint manager, intune, connector, autopilot, training, admin center, oobe, mdm, hybrid azure ad join, azure AD registered, azure AD joined, auto, enrolment, profile, windows 10, hardware hash, domain join
Id: kRy8Ip6u8vA
Length: 24min 9sec (1449 seconds)
Published: Mon Nov 23 2020