365tips.be

Blogs about: Microsoft Teams, backgrounds, Intune, OneDrive, Exchange, Azure AD, Windows 10, Security, Tenant, Exchange, best-practice, tips & tricks

Add devices in Endpoint Manager - Azure AD or Hybrid Join

Earlier I wrote a blog to add a single device in Endpoint manager and a general explanation of what Windows Autopilot can do for you.

If you want to deploy your entire organisation in Microsoft Endpoint manager, there are several possible scenarios. You can install Endpoint manager in different ways.

A Hybrid way - Hybrid Azure AD Join. This is the easiest way to quickly add all devices but does not give all the features of a Azure AD joined device. Like resetting, autopilot deployment without a company network etc..

Or a full cloud way - Azure AD Join. This puts the management in Endpoint manager, in the cloud. And gives you the autonomy to keep using things you still have on-premises such as file servers.

Tip: Just because your device is not known in the local Active Directory does not mean you cannot use on-premises resources. A practical example here are fileshares. These are still reachable because your identities are known on-premises in the local AD and are synchronised to Azure AD. Other examples are authentication to web servers, web apps, or other services that you have set up.

Two ways to add devices in Endpoint manager

User-drivenUser-driven with-gloveUser-driven for existing devicesSelf-deployingAutopilot reset
Azure AD Join✔️✔️✔️✔️✔️
Hybrid Azure AD Join✔️✔️✔️

Also read: Deliver us from Hybrid | SSO to domain resources from Azure Ad Joined Devices (call4cloud.com)

You can use Endpoint manager and Windows Autopilot to set up connected devices (Azure AD) in a hybrid mode via Azure Active Directory. If you want to implement this, continue in this blog post via Microsoft Docs.

Add devices directly Endpoint manager - Azure AD Join - Administrator settings

All the exact steps to deploy devices below:

  • A second preliminary step is to set the MDM user scope to all + MAM user scope via this URL.
  • You can certainly work with some and/or define groups. If you allow ALL, anyone can unboard devices. You do not want that.
  • The third step is to create a Windows Autopilot profile. We will discuss this later in the article.
1

Configuring Windows Autopilot for Azure AD Join

You can start with Microsoft 's baseline if you have no experience with Windows Autopilot. Advantage: Everything is perfectly configured. Disadvantage: Many security policies. But you can change them later.

the 2nd option is to create a deployment profile for Azure AD Join. This can be done from https://endpoint.Microsoft.com or directly through: https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AutopilotMenuBlade/

Here is the exact explanation.

1

Create a new profile -> Create profile -> Windows PC

1

Create a profile as shown in this example.

1

From now on, you can register any device automatically in Endpoint manager from a clean install of Windows 10 as shown in this example.

Better still is to use a dynamic group and convert included groups to persona.

Reactive deployment of a device via "access to work or school".

Often Windows 10 devices are already installed without MDM. This results in a lack of control by IT administrators. Users need local administrator rights to add their devices themselves in endpoint manager.

Advantage: Control

Disadvantage: Often they are still in the local Active Directory. BUT just because you chose this scenario, you can later reset them so that they come under full management.

Technical documentation: Windows Autopilot User-Driven Mode | Microsoft Docs

1. Start your Windows 10 computer and click on start

1

2. Click on settings and choose accounts

1

3. Click on connect in the menu 'access to work or school'.

1

4. Enter your login details

1

5. Enter your password

1
1

Everything is in order!

1
1

Let users register their own devices

This wizard pops up automatically in various applications such as: Company Portal - Office 365 installation - Outlook configuration (last step) - OR when users themselves click on access work or school.

If users want to be able to add devices themselves, you must also make these devices known in Windows Autopilot later on. So that you don't get into trouble when resetting them. Test it! See also the screenshot UserMode above.

Unknown device

1

Install Company Portal from the Microsoft Store

1

Log on with a user account from your tenant (user-mode)

Remember user-mode! This is not IT-Administrator interaction!

1
1
1
1

You can also add devices via Access Work or School.

1

Do you get error 8018002 when registering. Check the MDM Scope OR give the user an Endpoint manager licence.

Disable "Allow My Organization to manage my device"? -> Devices - Microsoft Endpoint Manager admin centre

Other Endpoint Manager blogs

Save passwords, favorites and settings in Microsoft Edge
Download and deploy Microsoft Edge for business Server 2016 / 2019
Configure automatic logon + sync in Edge with intune
Microsoft Intune Company Portal installation - Endpoint manager
Automatically set Google as default search engine in Edge Browser
Windows insider ring testing with Microsoft Endpoint manager - Intune
WHAT'S NEW IN INTUNE - RELEASE 2011

About the author

Tagged:
0 0 votes
Product review
Subscribe
Please let us know if there are
guest

0 Reactions
Inline feedbacks
See all comments
0
Would love to know your thoughts, please leave a comment.x