Onboard Hybrid Azure AD Joined Devices to Intune

Captions
Hi guys, hope you're all doing well. Welcome back to our series on Microsoft Intune. In this video we are going to talk about the process that you need to follow to get your hybrid Azure AD joined devices onboarded to Intune. We'll also talk about the purpose behind using this feature, or I'll try to make you understand whether your enterprise even needs this feature or not.

If you're watching the series from the beginning, in the last video we discussed device enrollment manager accounts and how you can use them for Windows as a platform. The core agenda of this video will be knowing how hybrid Azure AD joined devices can be onboarded to Intune, what the prerequisites are that you need to keep in mind, how exactly this feature works, and what benefits you can avail of if you use this specific feature.

Before you go ahead and make any change, it's very important for you to understand whether a specific feature is going to solve any problem or not, so let's proceed by understanding a typical use case. Six months back, every machine the user was using was a domain joined machine, they were coming to the office, and in order to adhere to the security and hardening standards of your enterprise you were creating group policy objects that were getting deployed to these machines. Since we are talking about Intune, I assume that you already know what Azure AD is and what a hybrid Azure AD joined device is. In a nutshell, if I get the same machine joined to Azure AD as well, I can term this machine a hybrid Azure AD joined device, and then I can use the capabilities that Azure AD as a product has to offer, like conditional access. But all this configuration that we were doing was more related to user identity, that means securing the user identity. If we talk about the endpoint which the user is using, it has a specific operating system which requires regular patching, the OS needs to be upgraded, device compliance needs to be checked, and depending upon your requirements you have to deploy specific applications as well.

Now in a typical environment you may be having a solution that is helping you to get all these things done; let's take the example of SCCM. But most of these solutions, or solutions like SCCM, require on-prem connectivity. Let's say you have not implemented Cloud Management Gateway. There is a very important reason behind adding this particular line over here, and that is you may have a solution that can get patching done or applications deployed over the internet as well; that's absolutely fine, and in that case you just may want to evaluate how scalable Intune can be in terms of getting these things done for you. But let's say you have a solution which doesn't work over the internet, which still requires on-prem connectivity; then you can consider using this particular feature. Even if you have a solution like this which requires on-prem connectivity, there are certain things which you need to keep in mind: it's an internal network, you need to take care of network bandwidth, you need to take care of storage. But the moment you start onboarding your machines to Intune, this parameter of on-prem connectivity no longer exists. Even if the user is working from home they will get the updates, they will get the patches, but obviously in this case users will be using their own network bandwidth, that means they must be using their own personal Wi-Fi, because the entire network has been switched from on-prem to their homes. So yes, there are certain things which you need to keep in mind if you want to use this particular feature, because everything is moving towards the cloud and we have to reach a stage wherein we have to be limitless in terms of removing all the dependencies.

So in a typical environment, if you are only using SCCM and you are not using Cloud Management Gateway, then if your machine is not able to contact your on-prem environment it will not get OS updates, or it will not get the regular updates that you are doing to adhere to security standards from an OS perspective. Let's say you switch to Intune, that means you get your hybrid Azure AD joined machines onboarded to Intune; then what will this change? You can get the regular patching done irrespective of the client's location, you can get the OS updates done, you can get the group policy updates done (they are termed MDM policy; if you have lately seen the configuration policy section on endpoint.microsoft.com, there is an Administrative Templates option available from where you can actually configure MDM policies), you can have a device compliance check in place, and obviously you can get applications deployed through Intune. These are certain features which I have listed down, but anything which Intune has to offer as a product can be done the moment you onboard a hybrid Azure AD joined device to Intune. So this is a typical use case; now you can relate whether you need this feature or not, or how you should evaluate, or what should be the scale of your evaluation when you want to implement this feature in your enterprise.

But there are certain prerequisites which you need to keep in mind. All the Windows 10 machines that you are scoping must be at least 1709 or above. The users must have a license for Intune, and the users should be properly scoped from Intune as well; when I say properly scoped, when you go to the automatic enrollment section, there we select the MDM scope, so make sure you have defined it appropriately. And obviously the last and the most important one: your hybrid machine must have a PRT available, that means it should be an ideal hybrid environment without any issues; only then will everything work in place. This is something which I will show you in my lab, a working scenario and a non-working scenario.

Now what are the benefits? Obviously no user interaction is required to get a machine onboarded to Intune, because you're doing this from a group policy object. Since you're doing this from a group policy object you can trigger a mass enrollment as well, and obviously you can use device compliance policy, device configuration policy, you can do app deployment, or anything which Intune has to offer as a product. The best part is that a standard user using your domain joined machine doesn't have admin access on their box, so they will not be able to unenroll the device from Intune either.

Now let's talk about how exactly it works. In a typical environment a machine is domain joined as well as joined to Azure Active Directory; it's a hybrid Azure AD joined device. What we are going to do is create a group policy object in our on-prem AD. Once that group policy object is pushed to a specific device, there is a task which gets created on this particular device, and this task gets the machine enrolled to Intune. Once the machine is enrolled to Intune you can use all the capabilities which Intune has to offer as a product. So this was all about knowing the theoretical part of using this feature, how exactly it works and what the prerequisites are; now let's see everything in action.

For that, what I'm going to do is switch to my machine which is my AD, and then we'll see the first step, which is to create a group policy object. So this is my DC where I have signed in and opened the Group Policy Management console, and this is the policy that I have created. If I right click on this and then click on Edit, I can show you the settings which you have to update to use this particular feature. You have to go to Computer Configuration, then Policies, then Administrative Templates, then Windows Components, and then there will be a folder named MDM. The moment you navigate to this particular folder, the first heading that you see over here, "Enable automatic MDM enrollment using default Azure AD credentials", is the policy that you have to enable, and make sure that you have selected User Credential, because as of now, till this particular date, Device Credential is not supported; it will be supported in the future, but as of now it's not. So make sure that you select this particular option and then you can click on OK. That's all you have to do from a group policy object perspective. Now if you're doing this in your development environment you may be considering doing this in the Default Domain Policy, but if you're doing this in your production environment with a typical scope of respective OUs and everything in place, then make sure you create a new group policy object and get that added to a specific OU itself. Once this policy is created you can link this group policy object to a specific OU; in my case I have linked this group policy object to this particular OU, which is "auto hybrid", and it has one specific device in place, and that device name is "intune auto". As of now this device is working as expected, so let me show you the use case of a working scenario.

So this is my machine which is onboarded to Intune, and this machine is hybrid Azure AD joined as well. If I go to the command prompt and run dsregcmd /status, I should get AzureAdPrt set to YES, as well as this machine being typically hybrid Azure AD joined, and as you can see I'm getting all these details. Now if I go to Start, then Settings, then Accounts, then Access work or school, and then click on this option, as you can see I'm getting this button, Info, which only gets highlighted if your device is enrolled in Intune or an MDM solution, and as you can see I'm getting the last sync time and the server address which it has to reach.

Once the group policy object that you have created reaches this particular endpoint, make sure there is a task created in this particular folder, which is EnterpriseMgmt. How to navigate to this particular folder: go to Task Scheduler Library, then Windows, and then there will be a folder named EnterpriseMgmt, and it must have something inside it; that means this particular feature is enabled. Now if you get any error, let's say there are certain issues in getting your device enrolled, or for some reason this enrollment is not happening as expected, then go to this particular folder in Event Viewer: you have to go to Applications and Services Logs, then Microsoft, then Windows, and then go to this specific folder, which is DeviceManagement-Enterprise-Diagnostics-Provider. If there are any errors, those errors will get listed over here. So this is how a typical machine gets onboarded to Intune, and as I've said before, once the machine is onboarded to Intune you can actually have any feature deployed which Intune has to offer as a product.

If I go to endpoint.microsoft.com, let me show you the changes that you can check to verify whether this Intune enrollment of a hybrid Azure AD joined device is working as expected or not. As of now I'm logged into endpoint.microsoft.com, and if I go to the Windows devices section, that "intune auto" device is getting listed over here, and as you can see it is MDM compliant as well. Now if I search for the same device in Azure Active Directory it will show me that the machine is hybrid Azure AD joined as well as Intune compliant. This is the best part, because your on-prem solution is doing its task, that's absolutely fine, but from an evaluation perspective, let's say you want to switch this particular task to Intune; then you can observe how much organized information you are getting, whether your current tool is giving you the organized information or whether it is Intune, and you can actually do a comparison as well. So if I talk about this "intune auto" device, I can see that this device is hybrid Azure AD joined as well as managed by Microsoft Intune, and Compliant is set to Yes.

Now there is one more device which is not in scope of the group policy object that I have created, and that is this particular device, which is "hybrid intune". If I show you this device, what we can see is that MDM is set to None, as well as this is not compliant; since it is not in scope, that's why it is not compliant. So let me bring up that device and show you what the difference will be in terms of user experience. This is my machine which is not scoped for the group policy object, and as you can see the host name is "hybrid intune". If I go to Settings on this particular device, let's see what the different set of options are that I'm getting. If I go to Accounts, then Access work or school, and then click on this particular option, as you can see I'm not getting that Info button listed over here which was there in the working scenario. The reason behind that is that on a working machine it is MDM enrolled and I'm getting this Info button, which actually helps me to push a sync and check the diagnostic report as well, but since the non-working machine, which is this one, "hybrid intune", is not enrolled to MDM, that's why as a user I'm getting this option. A standard user cannot use this particular option because it requires admin access.

So these are a couple of things which you can check on an endpoint to verify whether the enrollment should be triggered or not. The first step will always be to verify whether the group policy object is applied or not, or whether this particular machine is receiving the respective group policy object or not; that is something which can be done from an RSoP console itself, and you'll come to know whether your machine is actually scoped for a specific policy. If the machine is scoped for a specific policy and things are not working as expected, then you can go to Event Viewer on your machine and check for these particular logs, but before checking these logs you can also verify whether the task is getting listed in this particular folder or not.

So this was all about knowing the theoretical part and the practical part regarding using this particular feature, or knowing whether your enterprise even requires this feature or not. Let's talk about a quick summary of what all we have discussed in this particular video: we have discussed the process that you need to follow to get devices onboarded to Intune, specifically those devices which are hybrid Azure AD joined, what the prerequisites are that you need to keep in mind, how exactly this feature works, and what the benefits are of using this particular feature. In the next video I'm going to talk about blocking personally owned devices with the help of serial key hashes pushed into Intune, so that will be a really interesting video. Now if you think that this channel is helping you to learn anything new, please feel free to subscribe and get this video shared with your technical community. Thank you so much, thanks for your time.
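The checks the video walks through by hand (dsregcmd /status for AzureAdPrt, the GPO reaching the box, the EnterpriseMgmt scheduled task, the DeviceManagement-Enterprise-Diagnostics-Provider log) can be collected in one place. The following PowerShell is an added example, not code from the video or from Microsoft; run it on the hybrid Azure AD joined client. It assumes that the "Enable automatic MDM enrollment using default Azure AD credentials" policy writes the registry values AutoEnrollMDM and UseAADCredentialType (1 = User Credential) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, that a completed Intune enrollment appears under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server", and that event IDs 75 and 76 in the provider's Admin log are the auto-enrollment success and failure events; verify those assumptions against your own build before relying on them.

```powershell
# Added example (not from the video): collect the enrollment prerequisites and
# state for a hybrid Azure AD joined Windows 10 client in one report.
# Assumed names are marked "assumption" below.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Lines that are table borders or blank are skipped.
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Get-HybridEnrollmentReport {
    $r = [ordered]@{}

    # Prerequisite from the video: Windows 10 1709 (build 16299) or later.
    $build = [int](Get-ItemPropertyValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    $r['OsBuild']            = $build
    $r['OsBuild1709OrLater'] = ($build -ge 16299)

    # Prerequisite from the video: hybrid joined with a PRT. dsregcmd reports YES/NO.
    $ds = Get-DsregStatus
    $r['DomainJoined']  = ($ds['DomainJoined']  -eq 'YES')
    $r['AzureAdJoined'] = ($ds['AzureAdJoined'] -eq 'YES')
    $r['AzureAdPrt']    = ($ds['AzureAdPrt']    -eq 'YES')

    # Has the GPO reached this machine? Check the policy registry values it writes
    # (assumption: AutoEnrollMDM=1 enables the policy, UseAADCredentialType=1 = User Credential).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
        -ErrorAction SilentlyContinue
    $r['GpoAutoEnrollMDM']  = [bool]($pol -and $pol.AutoEnrollMDM -eq 1)
    $r['GpoUserCredential'] = [bool]($pol -and $pol.UseAADCredentialType -eq 1)

    # The task the video says the GPO creates lives under Task Scheduler Library\Microsoft\Windows\EnterpriseMgmt.
    $tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)
    $r['EnterpriseMgmtTaskCount'] = $tasks.Count
    $r['EnterpriseMgmtTaskNames'] = ($tasks | ForEach-Object { $_.TaskName }) -join '; '

    # Completed Intune enrollment (assumption: ProviderID "MS DM Server" under Enrollments).
    $enrolled = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    $r['IntuneEnrolled'] = [bool]$enrolled

    # The log the video points at for failures (assumption: IDs 75 = success, 76 = failure).
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 5 `
        -ErrorAction SilentlyContinue
    $r['LastAutoEnrollEvents'] = ($events | ForEach-Object {
        "$($_.TimeCreated) id=$($_.Id): $(($_.Message -split "`r?`n")[0])"
    }) -join ' | '

    # Everything the video lists as a must-have, as one verdict.
    $r['PrerequisitesMet'] = $r['OsBuild1709OrLater'] -and $r['DomainJoined'] -and `
        $r['AzureAdJoined'] -and $r['AzureAdPrt'] -and $r['GpoAutoEnrollMDM']

    return [pscustomobject]$r
}

Get-HybridEnrollmentReport | Format-List
```

Read the report bottom-up: if PrerequisitesMet is false, fix that first (a missing PRT or a GPO that never applied, confirmed with gpresult /r /scope:computer, explains most "no task, no events" cases); if the prerequisites are met but IntuneEnrolled is false, the LastAutoEnrollEvents line is where the error code will be. Keep the scheduled task and policy keys as the trigger rather than trying to enroll users by hand, since the video's point is that enrollment runs as the machine and a standard user cannot undo it.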
Info
Channel: Concepts Work
Views: 39,654
Keywords: Intune, Intune IOS app deployment, IOS, Intune App Protection, Intune Selective Wipe, Intune MDM, Intune Mobile Device Management, Windows, Windows Device Enrollment, IntuneMDM, MDM, Mobile Device Managment, Automatic Enrollment, Device Enrollment Account Restrictions, Device Enrollment Manager, Onboard Hybrid Azure joined Device
Id: Ucpqiq7KYPk
Length: 17min 1sec (1021 seconds)
Published: Sun Aug 30 2020