S02E17 - Microsoft Intune and Autopilot Quick Start Guide (2020 Edition) - (I.T)

Reddit Comments

Nice. I was just researching Intune as a way to implement BitLocker on AD-joined laptops. We use Azure so I thought I'd look into it.

u/JD193, Dec 08 2021 (1 upvote)

Captions
hello and welcome to another episode of intune.training the place to learn how to use microsoft intune the stephen adams show with ben the intern what's up boys hey how about yourself man i'm excited to get started been a long week got got the holiday week coming up which won't be coming up it will have passed by the time you see this video but uh you know good stuff i'm excited hey um ben is is the sun out where you're at uh listen because i noticed you've got your guns out today and i assume it must be a sunny day uh that's that'd be the uh comes right yeah yeah to clarify it was hot a couple of days ago and then i realized how much i like wearing uh cutoffs so i've just been wearing it like three days in a row the joys of working from home exactly yeah but when you get on a client call do you just put sleeves on yeah they're they're detachable they're like zippers yeah nice all right well we're gonna already make this video longer than we wanted to with this uh banter so let's get to it all right so if you've watched our uh episode one you will have uh see it's it has it has not aged well because half of the stuff in there is no longer it has all moved over to endpoint.microsoft.com instead of the intune portal which was inside of azure plus some other things have changed the gui's have changed and stuff and we feel like it's time for a refresh but we want to keep it a little bit short because the the you if you want the conversational piece of it um you can go watch the other video that talks about why you should do intune and all the benefits of it that all is still relevant um this is just to you know if you want to get a quick start we want to walk through the how to create an intune tenant and get you all the way from intune to autopilot um and do that very quickly so here we go so the guys are gonna walk me through it and i'm just going to click on things sweet so let me share my screen and we'll get going let's see i've got our branding ready to go 
excellent so yeah the first thing we basically do we just need to set up a a subscription um in in azure so yeah where do we go from there probably portal.azure.com create one yep okay hold on let me zoom in just a wee bit there we go oh so we've got to create one oh yeah get get a new email address so you could have used your adam at intune.training account there but this is where we're just going to use a random one yeah yeah i'm assuming adam at outlook.com is going to be taken just yeah yes there we go let's see yeah that's amazing this time instead of where we had it previously what in the upside down place okay so we're gonna watch adam solve the puzzle this is so good done 4.7 seconds good work adam do it faster hold on i didn't know i was getting tired i didn't know i was getting talking oh that's so good come on okay cool so we've we've registered uh a subscription now um you can obviously see how easy that was so if we hit uh manage azure active directory view in the middle screen there adam it's going to come up and say this is your aid tenant you don't have one so we want to create one right at the top in the middle so this is where we're creating it via azure and using that as the starting point you can also start it through the office portal as well mm-hmm so it's it's not very good steve because we started from the office portal before and that let us customize what this account what our tenant name became yeah is this going to force us to have a have this is my tenant name or is there we can go and customize it yep so if you just see where we're saying we're creating a tenon type of an azure active directory yep um we don't want to do b2c because we don't have an existing tenant that's where you can link it to an existing this is where we put our company name so intern.training and then we're going to set that as our on microsoft without dot in the middle so i believe it's not a supported character really that makes sense sort of uh so we go and 
review and create it's all available and oh look at that okay so that's very nice that's a that's a really big change from what we have for that's nice all right so this is actually creating the azure active directory tendency so that's where you get the on microsoft tenant associated and everything associate that and everything from there so the reason why that doesn't get created when you create your initial tenant inside azure is because azure doesn't need aad operated but azure doesn't but parts of azure work better with aad associated okay and so we can see here that our tenant is being created and that error error occurred this section there just for those playing at home was when adam went to azure active directory so while that's going through what we're going to the next step we're going to look at is associating the licensing so there's a few different licensing options we can look at here previously when we went through the video we leveraged the pure intune license in this one we're going to use the m365 e5 license because that includes office windows 10 e5 and ems yeah it's just the easiest it's almost taking the conversation out of you know a way you just just get that license yeah it probably costs a fair bit as we found out recently when we've uh monetization to our website where it's not a cheap license but in a lab environment you want to be able to just do stuff without having to worry about licensing exactly if you're production is very limited to only e3 or associated licenses and you want to replicate that go with e3 but for what we're using it go the e5 so on the left hand side check that out you can delete the tenant you can end it i thought you were going to click on that once you delete the tenant you need to clean up a whole lot of stuff it's yeah it's we don't have the ability to sign into the aad tenant without the right account so we're going to hit new user at the top and we're going to create adam at intern dot training internet 
training dot on microsoft that like i'm going to type the same thing in all the lines there we go and we have because we haven't banned your domain or anything else there we can't change that uh create your password set it as what you want and make sure you give it the role of global admin ga set your location it's important yes always have to have a location set to be able to set a license cool so now we'll sign in with the adam at intern training dot on microsoft there we go yes go team passwords so now that you've got your password sorted you should uh go back to last week's video and and read about uh windows update for business so you never need to use the password again it goes hello for business what did i say update for business ae update for business i've got updates on the mind yep so oh wow your password expires after 90 days that's a new card that i've seen there i haven't seen that before that's cool um so we're going to select uh billing absolutely and then we're going to go purchase services i believe it has nothing to do with the zoom that's just literally nothing there i'll uh select dock mode okay yep yep definitely better uh hang on hang on just fly that is a feature no one should be using live mode that is perfect i love it it forces it to reload the page it's so good yeah that's great so then under m365 you'll see there and you can scroll to the right hand side and keep going across so there's all the basics and then yeah yeah there's the e5 uh option there so that one there i think will be the one you want so you just hit details uh and get trial there we go so we now need to prove that we're not a uh robot so adam's going to put his mobile phone in there off screen okay so we are at the confirm your order cool and hit continue there you go so now if you go to your users active user and we select adam and we then go and select licenses and we'll have the ability to assign the license so the first thing you'll see is assigned that perfectly 
because default user yeah you're going to save uh yeah i was going to say so this is obviously from admin.microsoft.com but for for those that like their single pane of glass uh you can also do this from portal.azure.com as well through umd and one of the important things about doing it through aad is you can associate it to a user group that's correct make sure you use user groups it makes your life easier in the long run when yeah automatic licenses yeah so when you associate a license today if a new feature gets added over time it doesn't automatically get turned on for previously assigned licenses so this is where it's super important always assign it to a group because then you can just turn it straight on for everybody rather than having to go through and turning it on all the features that are missing so just just a word of caution on that one cool so we now have our licenses or our subscription yep so the next step that we're going to go and look at is branding so i'll let ben take the navigation for that uh yeah so uh this will be an interesting one i haven't done this in a while um so we're going to go into the azure active directory hit view and then company branding get free premium trial do you need to re no just yep and then just make sure you sign in with your intern training yeah perfect because that has the license associated to that oh yeah the other one did not that makes sense company branding so by default if you don't have this set the autopilot page won't pop up saying welcome to company name that's correct so this is the minimum requirement yep and so also for for everyone watching uh you don't need to put a lot in to get this to work you literally just need to fill in one thing um so if you just wanted to try it out grab an image chuck it in um and then and then we're good to go basically ai one that's the wrong one so i think the second one in the image at the top in the first video uh we spent a fair amount of time watching steve figure 
out how to use um photoshop i think yep into the training training if only that domain existed steve yeah if only um so the thing with the advanced settings down the bottom this is where you can have the icon appearing in the top part of your autopilot page and things like that yeah correct um we don't have any square resizable images for our tenant um but that's what that's for yeah you can also yes we do we do oh perfect there we go sweet i know it's been a long time but we did it now these aren't these aren't the intern dot training but no um so the check box you set down the bottom there adam we probably want to set that to yes so this is where it allows users to stay signed in yeah and show the option to tick the box to say remember or get me signed in so that's something i'd highly recommend to do good good attempt just gonna slide that one in there uh do you do you want orange because i could do that i don't know too many characters six six yeah okay all right let's see what it turns out oh god okay this is going to be ugly maybe ffa definitely all right so we now have company branding this is where we can go in there and add multiple for different language language regions as well yep uh so okay so that's the the most important thing and uh i i believe uh the last thing that we need to do in the portal.azure.com now we can do the next part which is the mdm auth stuff from here as well because we're here but you can actually do this stuff from endpoint.microsoft.com as well that's correct well let's just do it there then yeah all right so we're going to go to aka.ms.dmac microsoft.com still zoomed and tenant administration and then uh in the token uh yeah connectors and tokens yeah that's the one uh and then it is not there uh it's under devices enrollment what are we looking for devices mdm yeah oh i knew that one automatic enrollment perfect so for this scenario let's just do all in some organizations you may need to set it to some while you're doing 
pilots and things like that just to call it out we've done videos about you know what this is and we'll probably do more in the future um it's it's important around scoping but this is just to show you how quickly it can be done all right so we've done our mdm author now anything uh that hits that uh with the correct sort of autopilot stuff we'll we'll sign in or we'll be allowed to sign in so the next thing we need to do is set up an autopilot profile um to actually get the thing to come up so device question do do we want to set up the business store so it starts syncing yes first um yes uh oh yeah yeah that makes sense it can take a little while um so what we're doing here is uh going to the store to set up the sync between the store and our intune environment uh so that we can uh publish applications most notably the company portal um so settings yeah and distribute but yeah as ben was saying cutting off is it's pretty important to have there so we activate both of those for microsoft entune and engine enrollment uh and then what we need to also do is when we go and select our first application item so if we go shop for my group and then search for company portal and select that when we hit get the app it's going to pop up a license agreement which you need to accept before you can go forward you only need to do that once for the tenant but it's always important to remember to be like adam and read through the terms and conditions exactly yeah you guys have all seen that south park episode right so this will go through it's going to go and authorize it for your tenant and then the last step is going into the me map portal or endpoint.microsoft portal and uh under tenant administration and telling it to go and use it under connectors and tokens and first one on the cab first cab off the rank and we just hit enable there and then we hit save at the top and that will allow us to sync it so we still need to go back to the store for business and make sure that 
company portal has been selected and added to which it has perfect so we'll see uh six applications sync across including these five applications there so that's expected so those five apps are on by default yep so let's pop back over um now this may still be going we can we can check it we'll come back to this we'll come back to that yeah we'll come back to that so the sync can take anywhere between five to ten minutes um i've seen it faster i've seen it longer um but yeah so we're going to go through and set up the autopilot uh deployment profile now so deployment profiles and create profile windows pc hololens hey all right that wasn't there before all right well it's not i don't know i'm just typing words because you aren't good yeah the all targeted devices to you what i call it this is if the device makes the minimum spec of 1700 1709 or higher and the group the computer is added to a group even though it's not in autopilot if it's registered into intune it will go and register it across so you don't then have to go and harvest the hashes for new devices that you've done out of the box differently now i've also heard that if you've if you've used this and then you delete an autopilot device that's been auto registered this way it won't auto re-register itself is that true i've not tested it no interesting one we'll have to we'll have to do a test exam okay so we're just gonna do this real quick uh as as the name uh minus the underscores is pointed out we're gonna do a very basic um aadj uh azure ad joined scenario it's gonna be user driven um you can do self deploying that's fine that's the thing but we're gonna do user driven for now that's right um uh and most of these we're gonna keep defaults so we're gonna hide the license terms and privacy settings which automatically accepts them um we're going to hide changing the account options with the standard user account because we don't want our user to be an admin though technically this user will be the admin 
because he's also the they get that in tune admin because the live manager get in that group that's right that's right so one of the places your normal average user would not that's great that's great so one of the things to call out with the privacy settings you can go and configure what's enabled and disabled via an intune policy later yeah for sure um okay so where i mean at this point we can turn white glove on or off if we want it doesn't really matter we're not going to be doing it so we'll just leave it as no we can set our language region which is great um so we can do operating system default or we can specify um so this is good in a scenario where you have uh multiple regions in your environment you would just want to sort of standardize that and have a different naming template for each region yeah that's great sorry that's where you handle that we can sit there and say in the us we're going to start with us that's exactly right so we're going to say yes to the automatic configure keyboard which is cool um is a thing that you need to think about if you are going to do white glove that you can't do that uh because it doesn't give you time to to uh to switch it over to the white glove stuff uh and then we're not going to give it a name template um because we don't care yeah we don't name our computers exactly and next um we are going to don't have a group we don't have a group so let's just skip past that we'll create a group really quickly uh and then we'll go back in and we'll assign it cool so we can do this from the portal as well um groups new group that's the security group that we have your name is going to be star [Laughter] yeah that's fine autopilot star power yeah gotcha boom and then we add our members yeah um which would be a computer object not a user object so at this point in time we don't have any computers registered to the tenant yeah so we don't need to do that oh yeah we should probably do that as a dynamic device yes but do you have 
the query really quickly yes give me uh three seconds uh end point what we're talking through here is the dynamic membership rule is the ability to dynamically add any computer that's registered to the tenant that's running windows 10 into this group um which is great because then saves us having to worry about anything uh any policy not applying and we covered this in depth in the in the first video and talked about the it's the ztd id and yeah what that means and where that comes from and those sorts of things but the one thing you need to be mindful of as well is when using dynamic groups sometimes the computer object can drop out and need to reprocess before it comes back into the group yeah so you may have a situation where it doesn't apply correctly so just calling that out it's something to be understanding of with enrollment status page as well cool so just hit save pause pause your video at this moment if you want that code there but you can easily google that um all right so we now have that group being star power and we're now going to go back to enroll devices oh yeah we need to we need to do that and then we assign the properties and then we go to assignments edit and we're going to select our group being start our power and we have start save all the way through and we're all happy sweet um we'll do the esp as well um yeah so really yeah super simple all right yeah go ahead yeah so yeah this the ui is a little weird you got to click on the uh all uses and devices to get into it um so we'll just stick yes it's the default policy so if you go and have a second policy over the top of it it comes down to priority um but the defaults always going to be the last one that's hit yeah we'll keep things fairly default here most of this is is fairly well tuned um we do want to uh block device until the required apps are installed so we wanted to say selected on that last one the last one we selected and i'm going to select the company portal as our as our app 
that we expect to be installed we'll also probably want to assign that yes cool okay cool let's go i'm just waiting for you guys to tell me what to do and then we edit and we're going to add a group as required yeah yeah now this is an important thing to just point out is that there's a required section and then available and uninstall which is different than most of the other things where you go to assign most of them are just you know include or exclude and and these specifically have different stuff here so that's right okay so we've got apps we've got esp we've got a autopilot autopilot profile we have a license and we have a user um so all we're missing now is that device uh to be registered um so basically what we need to do now is hopefully we've got a machine cool earlier here's one we prepared earlier we're going to harvest the hash using uh the get windows autopilot info and we'll do it online so automatically shift f10 connected oh powershell we'll do we'll do ben's way this time oh thank you okay the correct way so we're going to set the execution policy to bypass set executive policy and bypass cool and now we'll go install scripts what letter comes next and then you'll breathe in and then you breathe out and then in and then out yes yes this looks a little bit better um if you're the nosy person like i am um i generally will put in uh verbose to make this uh a bit more fun do me a favor and don't put in ps1 all steve's fault that's always comfortable with that all right cool yeah should autocomplete dash online yeah put in a group tag as well because it's well no we're just gonna breeze past that exactly all right cool um so this won't take super long um the online thing we've talked about before um it's it's pulling down a couple of other modules that it relies on it's basically automating the process of grabbing the csv um and then turning it you know and then bundling it up and then authenticating and pushing it into your tenant it's a really 
really good feature it's actually something that i'm i'm quite surprised that people still don't there's so many people that don't know that it's uh an option um that you can use the online piece yeah that's crazy yeah everybody uses the so this originally started as a create this create a csv file and take the csv file go and import it in your portal and and that's what we did in our first video i believe yeah that's correct and actually we had exported the json and injected it yeah perhaps um but uh if you more info about that we've got videos where we've covered that and um in i'm trying to talk i can't talk talk and type see sorry um we've had we have other videos where we've covered that in more in depth uh also blogs and things um michael niehaus wrote the module or the script so check that out on microsoft wow it's an interesting email address yeah hey that's a good sign right there look at that we have a brand check it out i've just got lucky remembering my password so the first time we have to consent on behalf of the organization this is another reason that we uh need to be ga uh at this point we um need to consent on behalf but it is best practice too that's correct otherwise everyone's going to get that prompt and it's going to be nice okay so now this part does actually take a little while and it'll take a minute for this to all get registered up um so we will just fast forward past this on the editing if i remember to edit it otherwise just know that if you if we keep talking from this point and we're not at the next screen uh then i forgot to edit it okay so we're back um you can see that the uh import time took 184 seconds so just make up what we were talking about on your own um okay so now what so we have now put the device in so we probably should go check it out right we'll just go see if it actually works you know so at the moment it says it has um so we'll go into enroll devices and then devices and check it out we have our magical thing now 
one thing to note is the profile status is saying not assigned um so this is another one where we're probably going to need to fast forward a little bit um we can't do anything until that dynamic group rule takes effect um it might be there uh already um but then the uh the autopilot assignment policy uh takes again another say five to ten minutes to actually uh assign so what we need to do though is if we go back to devices we at least need to hit the sync for the first time this the script already hit the sync for us does it go to enroll devices for me it does yeah the last but we we can we can do it uh and device profiles oh devices yep okay of course the last successful sync but let's think again because it's always good to resync it okay um there is a limited number of times she can do that per minute or per hour yeah if you if you get here and you hit sync and you start getting errors um you've hit that mark where you can't sync anymore you can't break anything it just it doesn't look nice what i always do is i always end up hitting sync instead of hitting refresh because you know the icon is exactly the same pictures kind of guy so yeah so this is going to take a while so we'll we'll do the same thing we'll just fast forward um go back to nachos beautiful music in the background or something all right so we are back um that took a long time you could probably check the clock and see how long that actually took but it took about five minutes um okay so we have a uh an assigned profile now yep so if we zoom in you see that little guy like zoom it what's up um we can also reverse check that this is applied as well um by going into the uh devices enroll devices uh autopilot policy and just concerns right both before we do that i'm going to assign a user oh cool oh fancy i'll put my name on there always hit save i keep forgetting to do that and i keep wondering why it's not sticking yeah so you can also this is where you can uh populate the group tag thing if you 
want to start tagging things um i think group tags a great way of managing devices because you can we've obviously got that group there with the um uh with the ztd id uh dynamic membership um you can also create automated things with group tags which i'm pretty sure we've done a video on yes i have yeah so if we go back to devices yeah enroll devices deployment profiles applications and sign devices and there we go no i know it's set assigned but it's just good to be able to go in and just validate it exactly especially if you uh if you have multiple uh policies um you want to make sure that it's gone to the correct one this is where you can check that all right so we are there and just uh reboot your machine from then yeah please just a moment all right here we go fun times neil all right what we're expecting is to be at the autopilot ubi screen with our tenant branding and username yes once it loads up after a moment or three and then so what you'll note there is it actually skipped the region and keyboard selection yeah so that is what folder too in the autopilot profile sorry um yeah no no i just wanted to uh sort of drop on that as well so when i was suggesting uh or when i said earlier that you need to be careful with skipping this stuff if you want to do things like white glove you have to do white glove before this point so if you skip the region and the keyboard you don't get the chance to do that so it is just something that you need to need to be cognizant of um it speeds things up yeah it's fantastic but it does remove some of that check it out and there we are folks welcome to microsoft services so this is a new uh thing that we've started this is i've seen several cases of this so far and this seems to be some some weird bug um you should not normally see this um but we this is being investigated as far as i'm aware um yeah definitely strange so yeah anyway if i put in my password that i should remember but really we're going to stop the video here um 
because this is it we're there we've done we've built everything out to be able to auto pilot the machine is going to provision into our tenant it's going to be good to go um we'll see the enrollment status page pop up here in just a moment and we will kill it so so there it is so you've seen end to end setting up an intune tenant from scratch setting up your trial setting up the azure active directory and setting up autopilot and just like that i mean probably when we cut this i mean even if we without cutting this we're probably an hour maybe uh end to end and that's with fumbling some some stuff around here yeah yeah um if you do this you know when so when you do this in your production if you watch our um our video uh our first video we go into much more detail on this but you know you're going to pick you're going to have a domain name and you're going to be assigning that to uh to your stuff you're going to be putting in credit card information so you can buy licenses and things but just to get a proof of concept up and running excuse me up and running for your um for your company i mean really if we put it into these terms we've built a tenant and a device in almost the time that it would take you to do osd for like two machines yeah um with config manager so and now you just spin up the next plug in the next machine and go to town and you're you're you're there with no infrastructure it's pretty cool and if you're labbing this we have a video on uh being able to build your machines quickly and even injecting a json file in here which we can get into more detail on um in other videos so we've got a lot of videos on our channel a lot of them talk about this we've got several autopilot several provisioning videos things like that but we just wanted to revisit this from a you know new um screens new guise new urls kind of perspective new experience and just kind of take you there and so look before we can even sum up we're already about to be at the log on 
screen so uh it's pretty cool stuff yep so so cool anything else guys no i think i think you summarized it very well awesome all right well um thanks guys for walking us through that and um hopefully you will stick around on the channel if you're new here um definitely dig through and uh otherwise yeah thanks for joining us thanks for joining us see ya you
Info
Channel: Intune Training
Views: 28,300
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune
Id: OYaDWKqg1uY
Length: 40min 25sec (2425 seconds)
Published: Tue Dec 08 2020