Provisioning Devices in Microsoft Intune (Endpoint Manager)

Captions
So here's the deal: I've just finished teaching a class and one of my students asked me, "Andy, I'm very confused with devices in Endpoint Manager. What's the difference between Azure AD registered, Azure AD joined and hybrid Azure AD joined?" And I thought, what a great idea for a session.

Greetings, fellow YouTubers, welcome back to the channel. Great to see you, I really appreciate you stopping by. This week it's the turn of Endpoint Manager, aka Intune, which comes as part of Microsoft 365. I've done sessions before on this, but this week I had a couple of interesting questions from some students who were asking... there's a lot of confusion out there about what is Azure AD joined, what is hybrid joined and what is Azure AD registered, and in which situations you would use each of these. And I thought, yeah, that's a really good example, or a really good suggestion rather, for a session. So I've got a couple of demos that are going to take you through the different scenarios, and we're going to discuss those very things. Now if you haven't subscribed to the channel, I would love it if you would go ahead, click on the subscribe button, ring the bell, and you won't miss out on the good stuff in the future. And as you know, as always, I love your comments, questions and feedback, and I do always respond, so please get them down below. So without any more jibber jabber, I think it's time for a demo.

So the first scenario is hybrid Azure AD domain join. What I'm going to do here is go into my Windows Server, and in my Windows Server here, if I go into Active Directory Users and Computers, in here you can see that I've got all my users, but I've also got my various computers in here as well. I've got my Seattle clients and I've got a folder here called Seattle servers, and one of the first things that you want to do is obviously export these over into Azure Active Directory. Now when you deploy Azure AD Connect, by default it takes your users, groups and email, so your email contacts for example, but getting your devices in requires a little bit more of an effort. So this is essentially what you need to do; there are a couple of things that you need to do. First of all I'm going to go into Group Policy Management in my portal and I'm going to edit my Default Domain Policy. In here I'm going to come into Computer Configuration, I'm going to go into Policies, Administrative Templates, and in Administrative Templates I'm going to go into Windows Components, and in here down at the bottom you can see we've got something called Device Registration, and it says "Register domain joined computers as devices". Okay, so again you can see I've gone ahead and enabled that. So that's the first thing you do; that is part one.

Once you've done that, I've already installed Azure AD Connect on my machine, and I'm going to go into here, just pull that up a little bit, and click on Configure. What I want to do is configure device options, click on Next, and I'm going to click on Next, put in my username and password (this is the global admin account) and it will just log me in. Okay, so I have essentially three options here: do I want to configure hybrid Azure AD domain join, do I want to configure device writeback, or do I want to disable device writeback? I'm going to go with the hybrid Azure AD domain join, I'm going to click Next, and it's Windows 10 or later, which of course includes Windows 11. So I'm going to go ahead; it's detected my domain and I want essentially it to go into Azure Active Directory. It prompts me for my on-premises credentials, so I'll go ahead and pop those credentials in, and you can see that that's now gone in. Please note it can also generate a PowerShell script for you as well. So I'm going to click Next and off it goes and it performs that configuration for me, and you can see that that's now worked and it's gone green. Okay, so looks good. So now I'm going to go ahead and click on Configure, and that now is done. So that's it.

So now I'm going to go back into my portal, and you can now see that in my Azure Active Directory I've come into All Devices, and you can see that all my Windows devices have come in, including my servers and also my clients, except for two of these machines: you can see that I've got two which have been specifically Azure AD domain joined, which means that these users have actually joined directly to Azure Active Directory. But with a hybrid Azure AD domain join you can see that these machines have now come through. So the differences are: if I go into, let's say, one here which is Azure AD domain joined... sorry, this is hybrid... you can see that it gives me a subset of the information, but I can't change very much. Okay, I can decide whether I want to add this user to a group, and it shows me if there's any kind of BitLocker information, if this drive is BitLockered, but you can see at the moment I can't manage the device; I can disable it and I can delete it. Now you should know, with the hybrid environment you have a subset of management capabilities that you can manage this machine with. So for example, I think I can deploy software to it through the Azure Active Directory; you've got limited management capabilities with it. I can configure, let's say, conditional access policies, but the one thing I cannot do is... it's not a remote machine, it's not something that you can manually work with in Intune. And indeed, if I go into Intune here and I come into Devices in Intune (now remember Intune is a combination of two products, so Intune is the devices and the apps, and we've got Endpoint which is managing all the security capabilities here), so if I click onto Devices and now go into All Devices here, you won't see those Azure hybrid devices, because they're not being managed by Intune; those devices are being managed by Azure Active Directory. And that's the first of our examples: that is hybrid Azure AD joined, whereas these two devices here, these are joined by users.

Okay, now what I'm going to do here is just show you that. So I'm going to very quickly flip over and go into another user's machine here, so if I go into, let's say, WS2. Okay, so here in WS2 you can see that Diego is currently here and Diego is going to go ahead and log in. So Diego is Azure AD domain joined. So how did we work this out? Azure AD domain joined, what this does is it allows your users to directly join Azure Active Directory. Now to do this you need to grant the user permission, and I'll show you that in a moment. Okay, so here in my Windows 10 machine, what I'm going to do is just scroll up here and go into my Settings, and here in my Settings, to join to Azure AD domain join, the first thing you do is go into Accounts, and in Accounts it says Access work or school, and you can see that at the moment I'm already connected. Now if I click on to Connect here, what Diego did, essentially you need to do a school or workplace join, and what I've done is I've gone ahead and connected to Azure Active Directory, and you can see that this is already in. So if I click into Manage, Diego can now go into his account; he can see that this machine is now Azure AD joined. So what this means is that, because you have joined directly into Azure Active Directory, you'll notice here that when Diego went into Microsoft 365 it didn't ask him for any username and password, and this is purely because this is pure single sign-on. Now you can click onto Info here and you can see all the details of this. I can sync, so if there are any new settings or permissions or anything, I can go ahead and sync that here. But the key thing for Diego to note is that this is essentially a corporate device, a corporate device that's managed by an Intune administrator.

So if I just flip back to my other server here, and I'm just going to log on here, I'll show you what I mean. So that's Diego's machine, he's logged in. How, as an administrator, can I manage that? Okay, so here we are in Intune again, and what I want to do is go into the 365... in fact I'm going to go into Azure Active Directory, and here in Azure Active Directory I'm going to scroll down and come into, let's just have a quick look here, Mobility (MDM and MAM), so mobile device management and mobile application management. You've got two options here, Intune and Intune Enrollment. So if I just click onto Intune, it's basically saying, okay, which users do you want to manage through mobile device management? And I've said All, okay, and also the user scope, All. Okay, so that's the first thing. So I'm doing that, and again with the Intune Enrollment I'm saying all users are allowed to enroll their devices. Okay, so now that I've done that, I can then say, right, okay, let's head back to Contoso, and the next thing then is, if I go into Devices again. So the difference between Azure AD domain joined and hybrid joined: if I go into All Devices here and go ahead and, let's say, click onto a device, so for example I've got WS2 here, and this is the device, this is Azure AD domain joined and this is the machine that Diego is using. So look at the difference here: now I can manage this device, and when I click on Manage here it actually takes me into Intune. Okay, so in here I can see details of all the hardware, I can collect virus definitions, I can retire the device if I want to, I can do a remote wipe, so you know, if Diego leaves the company or you want to give it to somebody else. The sync option is the same as the one that I just showed you in the client, and you've also got other things that you can do: you can physically restart the machine, you can Autopilot reset, which is, you can deploy a fresh version of Windows, you've got a couple of antivirus scans here that you can do, and again you can manage things like BitLocker, so the drive encryption. So you've got much more to manage here. I can view the hardware on the device, I can see all the software that's on this device as well, if the device is compliant, if you've configured any configuration settings or app configuration settings here, and if you've deployed any managed apps to this device, so you can see I've gone ahead and I've deployed Edge, the Edge browser, here. All right, so you can see a real difference between a hybrid Azure AD domain joined device and an Azure AD domain joined device: with the Azure AD one you can manage this device in Intune, aka Endpoint Manager.

Now the third of our scenarios is Azure AD registered. Now the difference here is that if I click into Apps... so with Devices, of course, these are managed devices, which means you're managing them as an administrator in Intune, and you can see that I've got iOS, I've got macOS, I've got Android and so on. What if your users want to use bring your own device? All right, well, that's fine, you can do that. I actually like it, to be honest, I think it's very, very good for security. With a corporate managed device, apps are pushed onto the phone as regular apps, and the difference is that if the user left the company I could do a remote wipe of that device and it would completely wipe the device. With a bring your own device, what this does is, rather than doing an Azure AD domain join, what you do is you basically set the user up to do an Azure AD register, so it means that they can use their own device, so they can use their own mobile phone, and what happens is when they try and configure their email for corporate use, it says, hang on, you need to register this device. Now once the device is registered, what that means is that the user is... it's their own device. Now you're probably thinking, well, I don't want corporate apps to go on this device, because corporate apps would appear like regular apps. But when the user logs in it says, hang on a minute, in order to access email you need to register the device, so what happens is it connects to the Apple App Store or the Android app store and it downloads a portal which looks a bit like a web page. Any apps that I've deployed in Intune will then get placed into that portal. Now the idea of that is that it keeps personal data separate from corporate data, and you can't do things like cut, copy, paste. All right, and also, you know, so for security it's really, really beneficial. Now ultimately, if the user leaves the company and I want to, let's say, erase the user's data, then it doesn't delete the user's personal data, it just deletes that portal with the corporate apps. So from a security perspective it's really good at isolating the personal from the business.

All right, so there you have it, just an overview. What did we see? We saw Azure AD in a number of different forms. So hybrid: hybrid, assuming that you've got Active Directory on premises, you've deployed Azure AD Connect; once you've done that, you're then in hybrid. There's a couple of little tweaks that you need to do in Group Policy and on the Azure AD client; once that's switched on, any workstations on-premises will then sync across into Azure AD and you've got a semi amount of management that you can do with them. If you switch on Azure AD sync, so if you want to, Azure AD Connect, once you've enabled your users to do that, they can then use their corporate devices, so they then assign their corporate devices, and it means you as an administrator can completely manage that device in Intune: you can manage things like the security of it, you can manage the apps, you can upgrade the apps, remove the apps, and you can retire the device completely. Okay, that's a corporate device. Azure AD registered means again that it's a user's personal device, and when they register they're prompted to download a portal which comes from the app store; any corporate apps go within that portal. In other words it's almost like a bubble, if you will, so they can't cut, copy, paste, they can't print, they can't take screenshots with their camera. Brilliant security. So three different options for three different scenarios.

Hey look, I really hope you found this session useful. If you did, give me a big thumbs up, I really appreciate it. If you've got any questions, of course get them down below and I'll do my best to answer them for you, and if you're not subscribed, of course go ahead and click on that subscribe, I really appreciate it. So I hope you've enjoyed the session and we'll see you next time. Thank you so much, and you stay safe out there, take care. Hey, thanks so much for dropping by today, here's a couple of videos that you may enjoy, and while you're here go ahead, click on the subscribe button and you won't miss out.
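As an added example that is not from the video, here is a PowerShell check an administrator can run on a Windows client to confirm which of the three states the session describes (hybrid Azure AD joined, Azure AD joined, Azure AD registered) the device is actually in, by reading `dsregcmd /status`. It assumes `dsregcmd.exe` is present (Windows 10/11) and that the "Register domain joined computers as devices" policy writes the `autoWorkplaceJoin` registry value shown; the sample status output is constructed.

```powershell
# Added example (not the video's own code): classify a device's Azure AD join
# state from `dsregcmd /status`. Run in the user context you want to check,
# because WorkplaceJoined is reported per user.

function Get-DsregState {
    param(
        # Constructed sample lines can be passed in; omit to query the local machine.
        [string[]] $StatusLines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "    AzureAdJoined : YES"; keep only key : value pairs.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable] $State)
    $aad = $State['AzureAdJoined']   -eq 'YES'
    $dom = $State['DomainJoined']    -eq 'YES'
    $wpj = $State['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }   # AD Connect + GPO path
    if ($aad)           { return 'Azure AD joined' }          # Settings > Access work or school
    if ($wpj)           { return 'Azure AD registered' }      # BYOD register path
    if ($dom)           { return 'On-premises AD joined only' }
    return 'Not joined'
}

# Constructed sample: what a hybrid joined client reports.
$sample = @(
    '| Device State                                       |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '| User State                                         |',
    '           WorkplaceJoined : NO'
)
Get-JoinType (Get-DsregState -StatusLines $sample)   # Hybrid Azure AD joined

# Confirm the Group Policy from the hybrid join demo has applied on this client.
# Assumption: the policy writes autoWorkplaceJoin = 1 under this key.
$gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
                        -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
if ($gpo.autoWorkplaceJoin -eq 1) { 'Automatic device registration policy is enabled' }
else { 'Policy not applied; check Default Domain Policy > Device Registration' }
```

A device that reports Hybrid Azure AD joined here will appear in Azure AD's All Devices but, as the video shows, not under Intune's All Devices unless it is also enrolled in MDM.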
Info
Channel: Andy Malone MVP
Views: 24,608
Keywords: Administering devices in Microsoft Intune, Administering devices in Microsoft endpoint Manager, Microsoft 365, Office 365, Andy Malone MVP, MVPBuzz, MCTBuzz
Id: gcH0AEzyJ4g
Length: 21min 13sec (1273 seconds)
Published: Fri Nov 26 2021