
Add devices in Endpoint Manager - Azure AD or Hybrid Join

Earlier I wrote a blog post on adding a single device yourself in Endpoint Manager, with a general explanation of what Windows Autopilot can do for you.

If you want to bring your entire organization into Microsoft Endpoint Manager, there are several possible scenarios, because Endpoint Manager can be set up in different ways.

A hybrid way - Hybrid Azure AD Join. This is the easiest way to quickly add all devices, but it does not provide all the features of an Azure AD joined device, such as Autopilot Reset or Autopilot deployment without a connection to the company network.

Or a full cloud way - Azure AD Join. This puts management in Endpoint Manager, in the cloud, while leaving you free to keep using the things you still have on-premises, such as file servers.

Tip: Just because your device is not known in the local Active Directory does not mean you can no longer use on-premises resources. A practical example is file shares. These remain reachable because your identities are known on-premises in the local AD and are synced to Azure AD. Other examples are authentication to web servers, web apps, or other services you have set up.

Two ways to add devices in Endpoint Manager

Autopilot scenario                  Azure AD Join    Hybrid Azure AD Join
User-driven                         ✔️               ✔️
User-driven with white glove        ✔️               ✔️
User-driven for existing devices    ✔️               ✔️
Self-deploying                      ✔️               -
Autopilot Reset                     ✔️               -

Also read: Deliver us from Hybrid | SSO to domain resources from Azure Ad Joined Devices (call4cloud.co.uk)

You can use Endpoint Manager and Windows Autopilot to set up Azure AD connected devices in hybrid mode via Azure Active Directory. If you want to do that, continue via the Microsoft Docs linked in this blog post.

Add devices directly in Endpoint Manager - Azure AD Join - Administrator settings

The exact steps to roll out devices are below:

  • A 2nd preparatory step is to set the MDM user scope to All, plus the MAM user scope, via this URL.
  • You can also choose Some and define groups here. If you allow All, anyone can onboard devices, and you probably do not want that.
  • A 3rd step is to create a Windows Autopilot profile. We go into this later in the article.

Configuring Windows Autopilot for Azure AD Join

You can start with Microsoft's baseline if you don't yet have experience with Windows Autopilot. One advantage: everything is configured for you. Disadvantage: many security policies. But you can change them later.

The 2nd option is to create a deployment profile for Azure AD Join. This can be done from https://endpoint.Microsoft.com or directly at: https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AutopilotMenuBlade/

Below is the exact explanation.

Create a new profile -> Create profile -> Windows PC

Create a profile as shown in this example.

From now on, any device can be registered automatically in Endpoint Manager from a clean install of Windows 10, as in this example.

Better yet is to use a dynamic group and to convert the included groups to personas.

Rolling out a device reactively via "access to work or school"

Often, Windows 10 devices have already been installed without MDM. As a result there is no control by IT administrators. Users with local administrator privileges can add their own devices to Endpoint Manager.

Benefit: control.

Downside: often these devices are still in the local Active Directory. But because you chose this scenario, you can reset them later so that they come fully under management.

Technical Documentation: Windows Autopilot User-Driven Mode | Microsoft Docs

1. Start your Windows 10 computer and click Start

2. Click Settings and choose Accounts

3. Click Connect in the 'Access work or school' menu

4. Enter your login information

5. Enter your password

All in order!

Letting users register their own devices

This wizard comes up automatically for various applications, such as: Company Portal - Office 365 installation - Outlook configuration (last step) - or if users themselves click on Access work or school.

If users are allowed to add devices themselves, you must later also register these devices in Windows Autopilot, so that you don't run into problems when resetting. Test this! See also the screenshot UserMode at the top.

Unknown device

Install Company Portal from the Microsoft Store

Log in with a user account from your tenant (user-mode)

Think about user-mode! This is not an IT Administrator interaction!

You can also add devices through Access work or school.

Are you getting error message 8018002 when registering? Check the MDM scope or give the user an Endpoint Manager license.

Want to disable "Allow my organization to manage my device"? -> Devices - Microsoft Endpoint Manager admin center
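When troubleshooting an unknown device, or when checking whether a machine ended up Azure AD joined or Hybrid Azure AD joined as described above, the quickest source of truth on the device itself is `dsregcmd /status`. The following PowerShell is an added example (not from the original post) that parses that output into a join state and an MDM-enrolment flag; the sample output embedded below is constructed, and the field names (AzureAdJoined, DomainJoined, MdmUrl, TenantName, DeviceId) are the ones dsregcmd prints.

```powershell
# Added example: classify a device's join state from 'dsregcmd /status' output.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Status lines look like "   AzureAdJoined : YES"; box-drawing lines are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($domain)       { 'Domain joined only (no Azure AD, not under Endpoint Manager)' }
             else                   { 'Not joined' }
    [pscustomobject]@{
        JoinState   = $state
        TenantName  = $fields['TenantName']
        DeviceId    = $fields['DeviceId']
        # An empty MdmUrl means the device is joined but not MDM-enrolled: the
        # situation behind the MDM-scope / licence check mentioned in the text.
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
    }
}

function Get-JoinState {
    # Runs dsregcmd on the local Windows machine and parses the result.
    ConvertFrom-DsregStatus -Lines (dsregcmd /status)
}

# Constructed sample: a Hybrid Azure AD joined device that is NOT MDM-enrolled.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (constructed sample)
                    MdmUrl :
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample | Format-List
```

On a real device run `Get-JoinState`; a result of "Azure AD joined" with MdmEnrolled = True is what you expect after a successful Autopilot or Access work or school enrolment.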
