Provisioning Devices in Microsoft Intune (Endpoint Manager)
HTML-код
- Опубликовано: 6 окт 2024
- This time I examine joining and provisioning devices to Intune in Microsoft 365. we'll discuss Hybrid Azure AD, Azure AD Join and Azure AD registered devices. How to join them, manage them and administer them. So buckle up and get ready to learn. As always, I'd love your feedback, questions and comments.
Visit my site at www.Andymalone...
Thank you, Andy. In my previous role, there were issues with using personal devices to join the corporate network. An authorization was being asked.
My pleasure :-)
Hi Andy, I just watched this video for a second time, and I got much more out of it. Again, thanks for an excellent explanation of these key concepts, that can be, as your student experienced confusing, but you have done a great job redressing in this video!
I’m very happy to hear that and all the best 😊👍
Andy, Nice job, it clarified a lot of ambuguity , I had around these 3 concepts. I subscribed and look forward to more content from your channel. Thank you!
Hi Joshua I’m delighted that you enjoyed the video and thank you so much for subscribing, it means a lot to me. Welcome to my channel, it’s great to have you on board.😊👍
Excellent Andi. You are such a great trainer.
Thanks so much I appreciate that👍😀
HEY Andy,
We Have a Hybrid AD environment including On-prem And Entra AD(which we recently added).
The project's scope is to deploy new laptops for the users in the org with 3 goals.
1. We want to Implement Intune only to new devices with respective users without having to do anything to current devices which are currently On-prem AD joined.
2. We will eventually switch from Hybrid AD to Azure AD only. (Long-term goal- It might take months to take place).
Questions according to the scenario explained above:
1. What is the Best possible way to implement Intune (Hybrid or Just Intune)?
2. Once we configure the devices as Entra hybrid joined devices can we switch them to Entra Registered/Joined devices? TBH I have yet to figure out the difference between Entra Joined and Entra registered devices.
Honestly, I would strongly recommend moving the client laptops directly to Entra ID rather than hybrid. Personally I think hybrid is looking backwards and to be fair you can do most things now in Intune and still connect to your active directory if needed. Like I said just my opinion but good luck 👍
Fantastic, thank you for clarifying
You’re welcome. Watch out for a new in tune video shortly. It’s a good one!
Your tutorials are very clear and easy to follow.
Thank you so much, I really appreciate all your videos!
Thanks Daniel I really appreciate that :-) Have a great Christmas.
Awesome video, even for review! Thanks again!
Thank you so much for the wonderful video, I love the way you explain. Could you kindly give an example where on perm AD make sense?
Sure thing! A traditional large corporate will probably have a mixed environment with a traditional ADDS network. Too be honest I'm struggling to think why a company would want to stay with an old AD. Perhaps a government, military type of company, but even then there are options for these types of organisations in the cloud. For me I think it's only a matter of time before they all migrate. As the Borg sat, resistance in futile.
Excellent explanation ...Thanks a lot
Amazing as always
Thanks very much for the nice comment
This was a great idea for a discussion thankyou.
You’re very welcome and thanks for dropping by😀
Hi Andy. First off, love your tutorials (especially on Microsoft Azure and Intune) and learning a lot from your videos. Question for you. when repurposing a corporate device, what is your preferred method when wiping an Intuned device? For example, when a person leaves a company and the computer needs to be re-imaged so it can be given it to another user such as a new hire. I use Fresh Start but when I look in my Secure Score in Microsoft Defender for regressions on exposed devices, I see the old device name reporting. When I investigate further into that device using the Device ID it actually shows the new device name that was given to another user. It might just be an endpoint device reporting issue. Thank you for your time and help.
Absolutely, simply re purpose with Intune and it will reset the device.
I'm not sure what went wrong on your end. I have all my AD computers hybrid joined and I manage them all in Intune. Also in the case of directly Azure AD joined device, you're not showing how to enrol it. Instead you're starting with an already enrolled device. Slightly off the subject. I was hoping to see some magic way to enrol a device already joined to Azure AD without user interaction. But I guess nothing hanged in this aspect. Good video though. Helpful for some
I just noticed this video is 1 year old. But my commend is still valid as I've had my PCs hybrid joined for nearly 3 years
Update: you're missing the GPO setting to enrol Hybrid joined devices in MDM. That's why your your 'manage' option is greyed out and devices not in Intune.
Thanks for this. I always feel that hybrid joint devices are looking backwards. I would always try and ensure that devices are Azure AD joined. For better support on this area I will check out learn.microsoft.com and also ping the Microsoft tech community as they have better expertise in this area. The best of luck
Thanks for your videos, Andy! Can you show how this applies to iOS devices and the differences that administrators should know?
I did cover this in a previous video. To use Apple you need to join Apple’s DEP programme and obtain a certificate. Once the certificate is in in tune, you can then start deploying Apple devices. It’s super simple and yes I do plan to cover it in the future session. 👍
Hi Andy great video. i have a few questions and hopefully u can help me clear my doubts. Thanks in advance :)
1. If hybrid AD joined devices are not enrolled in intune, how can i manage those devices
2. For personal windows devices when user sign in to any office apps does it enrolled to intune so that can be managed
3. Is there a way to block users from using personal windows devices becos we dont want them sign in with their company email and accessing email or one drive etc
1 - You managed them via Group Policy or System Centre config endpoint manager.
2 - You can Azure AD register personal devices. This separates personal and corporate apps.
3 - Yes, conditional access.
@@AndyMaloneMVP thanks for the info.
for hybrid azure AD joined devices - dont they get auto enrolled to intune or there is no way to mange them via intune?
@@bloodstallion it’s optional 😊
Hi Andy. All your videos are great and I am thankful for them! Would you mind advising how to make a device AD registered? How Dows Azure make the difference between a corporate and BYOD? Thank you
A registered device is the same as a corporate device in nature, except it's personally owned. BYOD. Create a device profile, allocate apps to user / device as normal. When user attempts to connect to outlook etc they will be prompted to register their device. App store will download an Intune agent. Instead of seeing apps on device, it will install apps into a portal on your phone. If user leaves, then only the corporate portal is deleted. The users personal stuff is unafected. docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods and here docs.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows and here www.anoopcnair.com/windows-10-intune-enrollment-manual-process/
@@AndyMaloneMVP Thank you very much! :)
Hi. Thanks for the video. I'm a long time Windows admin. I got a question: Why join devices to Azure at all? What is the winning concept here? I'd love to hear more about "why" from you. At our company, we have all we need within our local Active Directory. I'm confused.
For me joining a PC to active directory in hybrid mode is looking backwards. The only reason you’re probably doing this it’s because of things like group policy and file access. All of which can be accomplished in Azure AD. In fact, the only benefit of a hybrid Azure AD device is that you can use conditional access. Azure AD joined devices provide the complete package. Not only can you manage them in in tune including group, policy, settings, application, deployment management and so on. You can also take advantage of the full suite of Microsoft security and compliance tools. So as you can see, it’s a no brainer.
Thank you for the video(s)! Question on the Azure AD joined device, in properties of the system the device shows to be in WORKGROUP. Did I miss an enrollment step or will Azure AD joined devices never show to be joined to the domain like on prem devices do? Thank you in advance for answering, keep those videos coming as they are highly appreciated!
You are correct. Only active directory domains show up in Windows domains, everything else appears as a work group.
Thanks Andy for this great tutorial! Just a quick question though, does Hybrid Azure AD, Azure AD Join and Azure AD registered devices require Intune license assigned to the user to join their devices?
It all depends in Intune is being used to MANAGE the device. Hybrid Azure AD joined devices cannot be managed by intune directly. You need the Endpoint System Centre add on. Without this, on prem AD has authority over the device. You can still use Conditional access on these devices though, and to be honest I see no other reason for Hybrid join. Azure AD & registered devices can access resources and being "semi" managed with MDM / MAM but if you want full functionality, you'll need intune. I know thats not entirely clear. But Microsoft licensing is a minefield. docs.microsoft.com/en-us/mem/intune/fundamentals/licenses Another good resource is M365maps.com
@@AndyMaloneMVP Got it! Thank you, Andy!
Great video Andy. Thank you sir. Question: If I want to switch a hybrid joined machine to a full Azure AD joined so I can fully manage in intune, how is this done?
Hey Chris you can do this in 2 ways. User managed by having the user do a school and workplace join in accounts in settings. Or using autopilot. If the latter I recorded a video on this a while back. Good luck and thanks again😊
If it’s Hybrid joined, the only supported and recommended path is a full device reset, then allow autopilot to complete the AADJ and Intune enroll.
Andy, thanks so much. You explained everything to the bone.
When i do Azure AD Joined, it prompts me to login on the computer login screen with my corporate email and password. Is there a way to login with just a username and password rather than with my corporate email?
I I’m afraid not. This is the login defined by Azure AD connect
Hi Andy, Thank you for the Video, I have learn a lot. Just quick question on the licensing; I am on a Microsoft 365 business standard right now, what plan should i upgrade to to explore this features Microsoft 365 Business Premium 1, or should i add Intune as stand alone to my currently subscription?🙏
Good one. I have business premium and it's fine for me. You perhaps could get an Intune trial to try it out. (If it's available in your region.)
@@AndyMaloneMVP thank you for the feetback. I have subscribed for MO365 P1 trial but I cant locate the endpoint Manager. Am i on the wrong subscription!!?
When 'Hybrid Azure AD' is selected, is co-management (Intune & SCCM) the only choice to use Intune ? or Can we choose 'Intune alone' ?
In hybrid mode, there is a connector for SCCM that connects in tune, so that you can manage both cloud and on premises. As I’ve said previously, though, this is designed to be a temporary measure. Ultimately, all your management will be done in in tune..
Hi Andy are you doing any online classes to attend? I would like to join your session, please.
Yes, soon I'll keep you updated.
Hello Andy. All your videos are very educational … i have questions, we have p1 license m365 e3 and f3. Setting up Windows Hello for Business using Configuration Profiles Identity Protection for Profile Type. Some devices added to the group using AD On-Premise have status succeeded and some pending for so many days. These devices are all Hybrid Azure AD Joined. Any thing i am missing or is there a trick to make this to work? Regards and hope you can help me with these issues …
Hi JoJo, thanks for the comment. It’s probably a licensing issue. I suspect. Remember that the licensing is based on a power user, not device. Users can have multiple devices. For more details I will check out docs.microsoft.com as this is the definitive repository of information. Good luck and thanks again, Andy
Hi Andy, thank you for this informative video. Well, i have a scenario here, where one of our clients created Provisioning Package in their environment. Eventually machines are registered AzureAD join, but they are unable to enroll the same machines in Intune. Could you please help us here ?
User has set MDM scope for few users only.
And in dsreg staus is like below
AzureAdJoined : YES
EnterpriseJoined : NO
IsDeviceJoined : YES
IsUserAzureAD : NO
Hmm could be licence issue. Post to the Microsoft Tech community :-)
Hi Andy, is there a way to change a AAD registered device to AAD joined or Hybrid? As I can't add them to my company's Defender for Endpoint as needs to be joined or Hybrid.
You have to do a a reset I'm afraid.
@@AndyMaloneMVP thanks for replying Andy. I figured that but said I'd ask.
@@AndyMaloneMVP You mean reinstall Windows?
Can you not run a powershell script or registry change to avoid having to unregister/re-register the device ?
Nice password manager, what are you using there?
No password manager Mark, just a simple copy and paste from VM.😊
Currently is it fair to say that Intune can now replicate, if not improve, everything that can be achieved with Group Policy? I'm wondering if there's much keeping businesses tied to their on-premises AD other than habit?
With the introduction of Universal print I agree I think we are at a stage where we can finally cut the cord.😊
Hi Andy, can you please just let me know how can I connect a device with intune? The device is registered with Hybrid Azure AD.
I'll add it to my list for you.
@@AndyMaloneMVP Appriciate it, Thanks buddy👍.
Has the Microsoft.Intune.Enrollment MDM application been deprecated. I don't see it, just Microsoft.Intune.
No, it’s just been moved inside Microsoft tune
Hi Andy, Nice video, thanks. When I go into the Mobility (MDM and MAM) option in AAD, it only shows Microsoft Intune (Not Microsoft Intune Enrollment, like 12:16 in your video). Also, when I go to an Azure AD Joined device the Manage button is still greyed out?
You don’t have the correct licence. I’m using an E5 + EM&S
In the video I noticed you have MDM and MAM both set to All. Will this not stop BYOD devices from registering because MAM takes precedence over MDM for non corporate devices?
👏🏻👍🏻🖖🏻
You’re welcome 👍
What is device writeback?
Writes device info back to Active Directory on premises
Hi Andy,
@8.08 If the device is hybrid AD joined and auto enrollment is enabled why is that it doesnt show up in intune portal ? Do i have to manually enroll them
Sometimes it's a delay in the UI
@@AndyMaloneMVP when i try to enroll the device by log in company portal manually (no auto enrollment). it says device is manged by other organisation
@@bloodstallion not sure sorry. You might want to place a support call.
Hi Andy I finally got it working. Initially I was logged in to user account. After log in to domain admin account it was still giving me the same error and I did a sync it worked and it finally showed up in intune portal eventhough error was still there. Then when I log back to user account and then sign in to company portal I didn’t get any error. Under work or school account now I see MS logo and MDM connected.
Btw I think it’s normal to see the hybrid azure ad joined device owner as N/A in AAD portal. Is there a way we can manually assign the user name though
Hello thanks for the video, AV, EDR, ASR, in endpoint manager will affect the onboarded devices on defender without having intune?
I’m not sure if you’re making a statement or asking a question with this one😊
Im asking a question
@@djelieattieh1773 generally Intune security adds value in terms of security but I’d recommend Defender for endpoint for full compatibility and functionality.
@@AndyMaloneMVP i have defender for endpoint but i went to endpoint manager and implement those policies so i want to know if it will take actions on the onboarded devices on defender
@@djelieattieh1773 I believe so but I’m not 100% on every setting. Check docs.Microsoft.com that’s what I would Or just try it in a test environment. Best way to learn.👍
why intune needs apple account id for ios enrollment?
Because it’s an Apple requirement!. Let’s say you purchase 1000 iPads and want to deploy them through InTune. You simply register an Apple deployment certificate, which is associated with your order. So when your students switch on their iPads the Apple system directs them to InTune. That’s why it’s needed.
@@AndyMaloneMVP Thank you very much.. may i know why intune needs google account id for managed google play.
@@AndyMaloneMVP Thank you... is it compulsory for google account for enrolling anroid devices. without google account is it not possible?
Hi Andy, I got a question to ask. Say like I got a user named A with a laptop and I want to azure join his laptop, then what is the minimum licence I need to assign to the user A?
Any enterprise license will do the job. You can also add an InTune license separately, this is a very cost-effective way to do it for more details on Microsoft licenses check out M365maps.com thanks again
@@AndyMaloneMVP thanks for the quick response n guiding me dear Andy. Should it be a must Enterprise license? Won't business licence do the job? In case I want tazure join user device+ manage it via intune, then a business premium license sufficient?
@@chasssnorumusuko You get some functionality with business premium, but it is limited. You would need a full InTune license to get full functionality.
@@AndyMaloneMVP thanks Andy, I will give it a try asap. You r a Rock Star. Thanks for your guidance n teaching all of us here n all the efforts you keeping to educate us is much appreciated. Subscribed ur channel n will share it with my friends
@@chasssnorumusuko You know with a business license you do get a subset of features however for full functionality you could add on the full InTune license it’s not that much more expensive. A good website is M365maps.com it’s a good resource site for licensing
Great video Andy. Can we move hybrid AD domain joined devices to Intune without resetting the device ?
Unfortunately not at the moment. As I said in the video the device can either be Azure AD joined or AD joined.
@@AndyMaloneMVP thanks Andy for the prompt response. So the only option is to join the device from Hybrid AD and reconnect to Intune ?
@@WithSajan I’m afraid so. Windows can only be authorised by 1 directory service not both.
@@EMKABMART I agree, however, I feel that focusing on on premises technologies is looking backwards don’t you?