Add devices in Endpoint Manager - Azure AD or Hybrid Join
If you want to deploy your entire organization in Microsoft Endpoint manager, there are several scenarios possible. You can install Endpoint manager in different ways.
A Hybrid way - Hybrid Azure AD Join. This is the easiest way to quickly add all devices but does not provide all the features of a Azure AD joined device. Such as reset, autopilot deployment without company network etc..
Or a full cloud way - Azure AD Join. This puts management in Endpoint manager, in the cloud. And gives the autonomy to continue using things you still have on-premises such as file servers.
Tip: Just because your device is not known in the local Active Directory doesn't mean you can no longer use on-premises resources. A practical example here are fileshares. These are still addressable because your identities are known on-premises in the local AD and synced to Azure AD. Other examples are authentication to Web servers, Web apps, or other services you have set up.
Two ways to add devices in Endpoint manager
|User-driven||User-driven with with-glove||User-driven for existing devices||Self-deploying||Autopilot reset|
|Azure AD Join||✔️||✔️||✔️||✔️||✔️|
|Hybrid Azure AD Join||✔️||✔️||✔️|
You can use Endpoint manager and Windows Autopilot to set up connected devices (Azure AD) in a hybrid mode via Azure Active Directory. If you want to accomplish this go further in this blog post via Microsoft Docs.
Add devices directly Endpoint manager - Azure AD Join - Administrator settings
All the exact steps to roll out devices below:
- Add your domain to your tenant - This ensures that your domain can use MDM = Endpoint manager.
- a 2nd preparatory step is to use this URL to set the MDM user scope to all + MAM user scope.
- You can certainly work with some and/or define groups here. If you allow ALL, anyone can unboard devices. You best not want that.
- A 3rd step is to create a Windows Autopilot profile. We will go into this later in the article.
Configuring Windows Autopilot for Azure AD Join
You can start with Microsoft' s baseline if you don't already have experience with Windows Autopilot. One advantage: Everything is perfectly configured. Disadvantage: Many security policies. But you can change them later.
the 2nd option is to create a deployment profile for Azure AD Join. This can be done from https://endpoint.Microsoft.com or directly at: https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AutopilotMenuBlade/
Below is the exact explanation.
Create a new profile -> Create profile -> Windows PC
Create a profile as shown in this example.
Better yet is to use a dynamic group and convert included groups to persona.
Rolling out a device reactively via "access to work or school"
Often, Windows 10 devices are already installed without MDM. This gives the result that there is no control by IT Administrators. Users must have local administrator privileges can add their own devices in endpoint manager.
Downside: Often they are still in the local Active Directory. BUT just because you chose this scenario you can reset later so they come fully under management.
Technical Documentation: Windows Autopilot User-Driven Mode | Microsoft Docs
1. Start your Windows 10 computer and click start
2. Click on settings and choose accounts
3. Click connect in the 'access work or school' menu
4. Enter your login information
5. Enter your password
All in order!
Letting users register their own devices
This wizard comes up automatically for various applications such as: Company Portal - Office 365 installation - Outlook configuration (last step) - OR if users themselves click on access work or school.
If users want to be able to add devices themselves, you must later also make these devices known in Windows Autopilot. So that when resetting you don't run into problems. Testing! See also the screenshot UserMode at the top.
Install Company Portal through the Microsoft Store
Log in with a user account from your tenant (user-mode)
Think about user-mode! This is not an IT Administrator interaction!
You can also add devices through Access Work or school.
Are you getting error message 8018002 when registering. Check the MDM Scope OR give the user an Endpoint manager license.
"Allow My Organization to manage my device" disable? -> Devices - Microsoft Endpoint Manager admin center
Other Endpoint manager blogs
Save passwords, favorites and settings in Microsoft Edge
Download and deploy Microsoft Edge for business Server 2016 / 2019
Configure automatic login + sync in Edge with intune
Microsoft Intune Company Portal installation - Endpoint manager
Automatically set Google as default search engine in Edge Browser
Windows insider ring testing with Microsoft Endpoint manager - Intune
WHAT'S NEW IN INTUNE - RELEASE 2011