Microsoft Intune Enrollment Experiences with Windows 11

Hello and welcome to the Microsoft Intune enrollment experiences with the Windows 11 video. My name is Zapano Matarazzo and I'm a program manager in the Intune product group. This video is a collection of walkthroughs showing the end-user enrollment experiences of Windows 11 devices with Microsoft Intune. Since we already covered the configuration of the Intune service to enable all these scenarios in previous videos, if you're interested in learning more about it, please follow the links in the description below.

This video is divided in three parts. In the first part we're gonna look at the enrollment of personally owned devices, or bring your own devices. In the second part we're gonna look at the enrollment of corporate-owned devices with user interaction, meaning that the end users have to take an action to get their devices enrolled into the Intune service. In the third part we're gonna look at the enrollment of corporate-owned devices with bulk enrollment, meaning that the enrollment into the Intune service can be automated or performed in an unattended fashion.

In this first part, which is enrollment of personally owned devices, we're gonna look at three different walkthroughs. We're going to look at the enrollment using modern apps, and then we will look at Add work or school account, and lastly we will look at the enrollment via Company Portal. In all these scenarios the devices will be registered in Azure Active Directory and then automatically enrolled into the Intune service with user affinity, which means that the end users will be bound to the device from an Intune perspective. Users will still be able to sign into these devices with either their personal Microsoft account or a local account, but at the same time they will get single sign-on to any applications that are tied to their Azure Active Directory tenant, for example Microsoft 365 apps.

In this first walkthrough we have Alizon signing in to her device using her Microsoft account. She types her PIN and she opens Edge. To
have separate browsing data between her personal account and her school account, Alizon decides to add a profile to Microsoft Edge. As part of this process she signs in with her school account. The benefit of doing so is that she can access her synced favorites, collections and browsing history.

After typing her credentials, Alizon is prompted with the modern authentication sign-in screen. We have already seen this dialog box in previous videos, but let's briefly describe it, as Alizon can take three different paths here. She could select "No, sign in to this app only", in which case Alizon can start using Edge and getting access to her synchronized settings; nothing else would happen to the device. A second option for Alizon would be to remove the flag "Allow my organization to manage my device" and select OK. In this case what happens is that Alizon gets all Edge synchronized settings and her device gets registered in Azure Active Directory. This would provide Alizon with the added benefit of single sign-on to all the applications that are registered in her Azure Active Directory tenant. The last option is that Alizon selects OK, keeping "Allow my organization to manage my device" flagged. The end result in this case is that Alizon not only gets her Edge settings synchronized to this device and her device registered in Azure Active Directory, but the device would also be enrolled in Intune, getting managed by Alizon's school. So in this case she selects OK.

Now the device is getting registered and enrolling in Intune. Settings and applications targeted to either Alizon or the device are getting applied by Intune. We can easily verify that the device is indeed managed by Intune by looking at the Settings application. Here we can select Accounts and select Access work or school. Here we see that Alizon's account is connected to the device and that the device is managed by the school district. By selecting Info we can verify which policies and applications are pushed by Intune. Now Minecraft is already installed,
so we can open it, and Minecraft Education Edition is one of those applications that are tied to the Azure Active Directory tenant of Alizon, so she gets single sign-on to Minecraft Education Edition, making it very easy for Alizon to start using this application.

Now in this second walkthrough we're going to look at the enrollment using Add work or school account. Alizon again is signing into her device with her Microsoft account, but in this case she decides to open Settings. From here she selects Accounts, Access work or school, and here really she has two options: she could use Add work or school account and select Connect, or select "Enroll only in device management". This second option would not register this device in Azure Active Directory providing single sign-on capabilities, so Alizon decides to select Connect. She has to authenticate using her Azure Active Directory credentials, and after signing in the device will get first registered in Azure Active Directory and automatically enrolled in Intune. Settings and applications will start to be applied to this device, and this may take some time depending on how many settings and apps you have deployed. As we saw before, we can always verify which settings and apps are pushed by Intune, since they will appear in this list. We can also verify that, like in the previous example, we have single sign-on to any Azure Active Directory connected applications, for example Minecraft Education Edition.

And this brings us to the third and last walkthrough for bring your own devices. In this case the enrollment into Intune will be done using Company Portal. Alizon signs into her device using her Microsoft account and opens the Microsoft Store. Here she's gonna search for the application Company Portal and she will install the application. Once the application is installed, Alizon opens it and she authenticates. Here we have the same modern authentication dialog box that we saw in the first walkthrough with Microsoft Edge. Alizon selects OK and the device is now registered
in Azure Active Directory and enrolling in Intune. The benefit of using Company Portal for Alizon is that now she can do self-servicing and install any applications that have been made available to her by the IT department. Applications and settings are being pushed by Intune, and we can verify that Minecraft Education Edition is installed. Alizon opens it and, as before, she got single sign-on to it. This concludes the first part of this video, where we covered the enrollment of bring your own devices.

In this second part we will be covering the enrollment of corporate-owned devices with user interaction. In the first walkthrough we're looking at the out-of-box experience of Windows 11, which brings a refreshed user interface and more options compared to Windows 10. In the second walkthrough we will enroll our device using Windows Autopilot user-driven mode, and in the third walkthrough we will be looking at the Windows Autopilot pre-provisioning process. In all these scenarios the devices will be Azure AD joined and then automatically enrolled in the Intune service with user affinity. Users will be able to sign in to these devices with their Azure Active Directory account and get single sign-on to any applications tied to their Azure Active Directory tenant.

Looking at the new out-of-box experience in Windows 11, here we're turning the device on for the first time. Similarly to Windows 10, in Windows 11 we are prompted to select our region, then we have the prompt for the keyboard layout, and then the prompt for an additional keyboard layout, after which we need to connect to the internet. In this case we are connecting to a Wi-Fi network; we type the password and select Next. The device will check for critical updates, and in the next screen we have this new option to rename the device, which makes it very convenient for the end user. Note that if you rename the device there will be a reboot, and then it will proceed with the next part of the out-of-box experience. For simplicity we are
going to skip this part. Now we are prompted to pick between a bring your own device scenario or a corporate-owned device scenario. We select the second option, after which we must authenticate using an Azure Active Directory account. We type our credentials, and after the authentication we must accept the end user license agreement. Now the device is joining Azure Active Directory and automatically enrolling in Intune. Applications and settings that are targeted to either the device or to the end user are starting to be applied from Intune, and this may take some time depending on how many applications and settings you have configured. Note that by default the user who is performing the Azure AD join will become a local administrator on this device.

Moving to the second walkthrough of corporate-owned devices with end-user interaction, here we are looking at Windows Autopilot. In this case the device has been registered in Windows Autopilot and assigned a user-driven mode profile. Let's now look at how the out-of-box experience is different for Alizon compared to the previous walkthrough. Alizon is turning the device on for the first time and, like before, she must select the region, a keyboard and an additional keyboard. Then she connects to the internet via Wi-Fi. Note that if this device was hardwired, with Autopilot we could automatically configure region and keyboard, making this experience even simpler. After the device is connected to the internet, it detects that it has an Autopilot profile assigned. As you can see, the device belongs to Alizon's school. Alizon types her username and her password. Like we saw in the previous walkthrough, the device is now Azure AD joined and enrolled in Intune. Applications and settings are delivered to the device, and this again may take a little bit of time depending on how many applications and settings you have in place.

This out-of-box experience was much simpler compared to the standard one for Alizon: she wasn't prompted to rename her device, she
didn't have to pick between personal or corporate device ownership, she didn't even have to accept the end user license agreement. The only thing left to do for Alizon was to type her username and her password. Last but not least, this Autopilot profile was configured to set Alizon as a standard user instead of being a local administrator, making this device more secure.

Now we're gonna look at the third and last scenario for corporate-owned devices with end-user interaction: Autopilot pre-provisioning. This scenario is an improvement of the standard Autopilot user-driven mode, the one that we just described, since the device will go through a pre-provisioning phase where it is joined to Azure Active Directory and pre-enrolled in Intune. Applications and settings can be applied in this phase, before the device is delivered to the end user. In this case the device has been registered in Windows Autopilot and assigned a pre-provisioning profile. The device is turned on for the first time in a staging or provisioning facility by either an OEM, a reseller, or maybe a technician in the organization's IT department. The technician will ensure that the device is hardwired and connected to the internet, and once the device is in the out-of-box experience the technician taps the Windows key 5 times. Now the technician can select the option "Pre-provision with Windows Autopilot" and select Next. The device retrieves the Autopilot profile, indicating that the device belongs to the school. The technician selects Next. In the next phase the device will automatically join Azure Active Directory and enroll in Intune. The technician doesn't have to provide any credentials, so the device can proceed on its own. Applications and settings that have been targeted to the device will be installed. After some time the device will complete this pre-provisioning phase and, if successful, it will display a green checkbox indicating that the deployment completed. Now the technician selects the Reseal button, which places the
device back in the out-of-box experience and shuts down. The device can now be shipped to the end user.

Now the device is in the hands of Alizon and she turns it on. Ideally this device will automatically connect to the network; maybe the Wi-Fi was configured during the pre-provisioning phase. Alizon is prompted to type her username and her password. The device will go through a quick phase of final setup where additional applications and settings may get installed. After Alizon signs in and her profile is loaded, we see that Alizon's experience is nicer than before: all customizations are already on the device. Some applications may get installed after Alizon signs in because they require the user profile to be loaded, for example Teams or progressive web apps, but nevertheless this experience is much nicer for the end user. Note that Autopilot pre-provisioning has hardware requirements, like TPM 2.0 and hardware attestation, that must be met, so ensure that your devices can meet these requirements before trying this scenario. This was the last walkthrough for the end-user enrollment experiences for corporate-owned devices.

In the third and last part of this video we will be covering the enrollment of corporate-owned devices without user interaction, starting with the provisioning package enrollment and then looking at Windows Autopilot self-deploying mode. In these scenarios the devices will be Azure AD joined and then enrolled in the Intune service without user affinity. These enrollment types do not tie a device to a particular user, so they're a good option for shared devices or kiosks, for example. These enrollment types are also very common in education, as they enable large-scale rollouts without any end-user involvement. Users will still be able to sign into these devices with their Azure Active Directory accounts and get single sign-on to any applications that are tied to their Azure Active Directory tenant.

Before we start with the provisioning package experience walkthrough, let's take
a quick look at the new version of Set up School PCs that we are releasing with Windows 11. We will create a provisioning package that we will then use to enroll one of our devices. Here we are on a technician machine and we have already installed the new version of Set up School PCs from the Microsoft Store. We select the Get started button. Here we select Next. We can provide a name for the provisioning package, and then we can sign in with an Azure Active Directory account so that the bulk token can be created in this tenant. After authenticating we can select Next. We can then add a Wi-Fi network, accept and select Next. We select which version of Windows we want to provision, for example we select Windows 11, and we can specify additional customizations; for example, we can add an Azure Active Directory preferred tenant domain name to make it easier for our users to log in. We make some basic configurations, for example we provide a device name with a prefix, and we don't need to configure too many settings here because we will push most of these settings from Intune. For simplicity we add also a couple of applications, for example Minecraft and Company Portal. Pre-caching of applications will allow users to start using these applications without waiting for Intune to deliver them. We can customize the wallpaper and lock screen, and once we're ready we select Accept. We then save the provisioning package to a USB stick.

Now that we have our package ready, we can grab a device that is in the out-of-box experience and plug the USB stick in. Here we turn our device on, and as soon as the OOBE is ready we can then plug the USB stick in. The device will be parsing the provisioning package that is stored on the USB device and, for example, the device is now renaming, joining Azure Active Directory and enrolling in Intune. Eventually the device will reboot, and once all the settings and applications that have been configured on the package are applied to the device we will then see the Windows login
screen. Now Alizon can sign in, and since the device is managed by Intune, any applications and settings that are configured in Intune will start to be applied. This process, like we saw in previous walkthroughs, may take a little bit of time depending on how many settings you have in place.

Note that this process of enrolling devices using a provisioning package is usually carried out by the IT staff, and devices are delivered to the users already enrolled. In our walkthrough Alizon signed into the device as soon as the enrollment completed, so not all applications and settings were on the device right away. If you want to improve the first end-user experience by delivering a device that is fully configured, you could either keep the devices on the network a little while until all apps and settings are applied, or you may want to add an enrollment status page, which prevents the device from loading the user profiles until all applications are installed. The provisioning package enrollment process is very easy to implement and at the same time it provides great flexibility, because we don't have any specific hardware dependencies: if the devices meet the minimum requirements of Windows 11, this process can be carried out on any device.

Moving to the second walkthrough of corporate-owned devices without end-user interaction, here we're looking at Windows Autopilot self-deploying mode. In this case the device has been registered in Windows Autopilot and assigned a self-deployment mode profile. The device is turned on for the first time, and in this case it is hardwired and already connected to the internet, which allows us to achieve a zero-touch provisioning experience. The device will fetch an Autopilot profile, automatically join Azure Active Directory on its own and enroll in Intune, so no need for an end user to provide any credentials. In this scenario we also configured an enrollment status page, which prevents the users from signing in until all applications and settings targeted to the device
are installed. Like before, this process may take some time depending on the number of applications and settings configured, and this process can be either carried out by the IT department or potentially even an end user, letting the Autopilot provisioning process complete in front of the user. At the end of this process our device is fully configured, making this an optimal experience for Alizon, which is also very similar to the Autopilot pre-provisioning one. As Alizon signs in, most of the applications and settings that she needs are already on the device. Other applications that may require the user profile to be loaded will install after the first sign-in; for example, here we see Teams and progressive web apps. Autopilot self-deploying mode is an excellent choice for shared devices or kiosk scenarios, but like Autopilot provisioning it requires the devices to meet certain hardware requirements, like TPM 2.0 chipsets and the support for device attestation. This concludes the third and last part of this video, where we covered the user-less enrollment of devices in Microsoft Intune.

So let's now recap what we covered today. We started with the enrollment of personally owned devices by looking at modern apps, Add work or school account, and enrollment via Company Portal. Then we move to corporate-owned scenarios, first by looking at enrollments with user interaction: with the standard out-of-box experience in Windows 11, then Windows Autopilot user-driven mode, and at the end the enrollment with Autopilot pre-provisioning. For corporate-owned devices without user interaction, we looked at how to create a provisioning package using the new version of Set up School PCs, then we provision the device with that same provisioning package. In the last walkthrough we looked at Autopilot self-deploying mode.

Here are some resources for you. There are links to Microsoft Docs, links to previously released videos on how to configure the Intune service to enable the scenarios described in these walkthroughs.
Lastly, we have links to interactive guides. You can find all these links in the description below.

Info
Channel: Intune for Education Customer Acceleration Team
Views: 851
Keywords: Win11, Windows 11, Intune, Autopilot, SUSP, SUSPCs, I4E, Education, PPKG, Provisioning Package, User-Driven, Self-Deploying, Pre-Provisioning
Id: IPlwPI_pUpE
Length: 23min 38sec (1418 seconds)
Published: Tue Oct 05 2021