Add devices in Endpoint Manager - Azure AD or Hybrid Join
If you want to deploy your entire organisation in Microsoft Endpoint Manager, there are several possible scenarios. You can roll out Endpoint Manager in different ways.
A hybrid way - Hybrid Azure AD Join. This is the easiest way to quickly add all devices, but it does not give all the features of an Azure AD joined device, such as Autopilot reset or Autopilot deployment without a connection to the company network.
Or a full cloud way - Azure AD Join. This puts the management in Endpoint Manager, in the cloud, and still gives you the freedom to keep using things you have on-premises, such as file servers.
Tip: Just because your device is not known in the local Active Directory does not mean you cannot use on-premises resources. A practical example is file shares. These are still reachable because your identities are known on-premises in the local AD and are synchronised to Azure AD. Other examples are authentication to web servers, web apps, or other services that you have set up.
Two ways to add devices in Endpoint manager
| | User-driven | User-driven with white glove | User-driven for existing devices | Self-deploying | Autopilot reset |
|---|---|---|---|---|---|
| Azure AD Join | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Hybrid Azure AD Join | ✔️ | ✔️ | ✔️ | | |
You can also use Endpoint Manager and Windows Autopilot to set up devices in Hybrid Azure AD Join mode. If you want to implement this, continue via Microsoft Docs.
Add devices directly in Endpoint Manager - Azure AD Join - Administrator settings
All the exact steps to deploy devices below:
- Add your domain to your tenant. This ensures that your domain can be used for MDM (Endpoint Manager).
- A second preliminary step is to set the MDM user scope to All, plus the MAM user scope, via this URL.
- You can also choose Some and define groups. If you allow All, anyone can enrol devices. You do not want that.
- The third step is to create a Windows Autopilot profile. We will discuss this later in the article.
Configuring Windows Autopilot for Azure AD Join
You can start with Microsoft's baseline if you have no experience with Windows Autopilot. Advantage: everything is perfectly configured. Disadvantage: many security policies. But you can change them later.
The second option is to create a deployment profile for Azure AD Join. This can be done from https://endpoint.Microsoft.com or directly through: https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AutopilotMenuBlade/
Here is the exact explanation.
Create a new profile -> Create profile -> Windows PC
Create a profile as shown in this example.
Better still is to use a dynamic group and assign the profile per persona instead of to included groups.
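As an added example (not the post's own code), the following PowerShell creates such a dynamic Azure AD group with the Microsoft Graph PowerShell SDK. It uses the documented Autopilot membership rule on the [OrderID] group tag, so every device imported with that tag lands in the persona's group; you then assign the Autopilot profile to the group in the admin centre. The persona name "Sales", the group name and the Graph permission scope are assumptions.

```powershell
# Added example: create a dynamic Azure AD group that collects Autopilot devices
# by persona (group tag). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# "Sales" is a constructed example persona; it must match the group tag used
# when the hardware hashes are imported into Windows Autopilot.
$persona = "Sales"

# Documented Autopilot rule: [OrderID]:<tag> matches devices carrying that group tag.
# (The rule (device.devicePhysicalIds -any (_ -contains "[ZTDId]")) would match
# every Autopilot-registered device regardless of tag.)
$rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$persona`"))"

$group = New-MgGroup -DisplayName "Autopilot-$persona" `
    -MailEnabled:$false -MailNickname "autopilot-$($persona.ToLower())" `
    -SecurityEnabled -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Verify that the rule was stored and that membership processing is switched on;
# a group with processing "Paused" will never receive devices.
Get-MgGroup -GroupId $group.Id -Property DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Dynamic membership is evaluated asynchronously, so a freshly imported device can take some minutes to appear in the group; check the group's membership before expecting the Autopilot profile to be applied.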
Reactive deployment of a device via "access to work or school".
Often Windows 10 devices are already installed without MDM, which leaves IT administrators without control over them. Users need local administrator rights to add their devices to Endpoint Manager themselves.
Disadvantage: often these devices are still in the local Active Directory. But even if you chose this scenario, you can later reset them so that they come under full management.
Technical documentation: Windows Autopilot User-Driven Mode | Microsoft Docs
1. Start your Windows 10 computer and click on Start
2. Click on Settings and choose Accounts
3. Click on Connect in the menu 'Access work or school'
4. Enter your login details
5. Enter your password
Everything is in order!
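To confirm what the steps above actually produced on a device, the following PowerShell (an added example, not part of the original post) reads the output of the built-in dsregcmd /status tool and reports whether the device is Azure AD joined, hybrid joined, only Azure AD registered, or only domain joined, and whether an MDM enrollment URL is present. The function name Get-JoinState and the regular expression used to parse the output are assumptions; the field names (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, TenantName) are those printed by dsregcmd.

```powershell
# Added example: summarise the device's join and MDM state from dsregcmd /status.
# Run as the signed-in user on the device itself.
function Get-JoinState {
    # dsregcmd prints "Name : Value" lines grouped in sections; collect them into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }

    $aadJoined  = $status['AzureAdJoined']   -eq 'YES'   # device identity in Azure AD
    $domJoined  = $status['DomainJoined']    -eq 'YES'   # device identity in local AD
    $registered = $status['WorkplaceJoined'] -eq 'YES'   # user-level Azure AD registration only
    $mdm        = -not [string]::IsNullOrWhiteSpace($status['MdmUrl'])

    # Classify: hybrid means both identities exist; "registered" is the state an
    # "Access work or school" connection leaves behind when no join was performed.
    $mode = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD Join' }
            elseif ($aadJoined)             { 'Azure AD Join' }
            elseif ($registered)            { 'Azure AD Registered (not joined)' }
            elseif ($domJoined)             { 'On-premises AD only' }
            else                            { 'Not joined' }

    [pscustomobject]@{
        JoinMode    = $mode
        MdmEnrolled = $mdm
        MdmUrl      = $status['MdmUrl']
        TenantName  = $status['TenantName']
    }
}

Get-JoinState
```

If MdmEnrolled is false after the wizard finished, the device has an Azure AD identity but is not managed by Endpoint Manager; that is the situation the MDM user scope and licence checks later in this post address.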
Let users register their own devices
This wizard pops up automatically in various applications, such as: Company Portal, Office 365 installation, Outlook configuration (last step), or when users themselves click on Access work or school.
If users want to be able to add devices themselves, you must also make these devices known in Windows Autopilot later on, so that you don't get into trouble when resetting them. Test it! See also the screenshot UserMode above.
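Making a device known in Windows Autopilot means importing its hardware hash. The following PowerShell is an added example (not the post's own code) that exports the hash with Microsoft's published Get-WindowsAutopilotInfo script, in the CSV layout the Windows Autopilot device import in the admin centre accepts. The group tag "Sales" and the output path are assumptions; the CSV column names are those the script writes.

```powershell
# Added example: export this device's hardware hash for import into Windows Autopilot.
# Run from an elevated PowerShell on the device itself (the hash is read from WMI).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Constructed example values: the group tag should match the persona dynamic group
# you use for profile assignment, so the device picks up the right Autopilot profile.
$groupTag = "Sales"
$out = Join-Path $env:TEMP "AutopilotHash-$env:COMPUTERNAME.csv"

Get-WindowsAutopilotInfo.ps1 -OutputFile $out -GroupTag $groupTag

# Sanity check before uploading: one row, a non-empty hash, and the expected tag.
$rows = Import-Csv $out
if ($rows.Count -ne 1 -or [string]::IsNullOrWhiteSpace($rows[0].'Hardware Hash')) {
    throw "Hardware hash export failed for $env:COMPUTERNAME"
}
$rows | Select-Object 'Device Serial Number', 'Group Tag',
    @{ Name = 'HashLength'; Expression = { $_.'Hardware Hash'.Length } }
```

Import the CSV under Devices > Windows > Windows enrollment > Devices in the Endpoint Manager admin centre. Once the device is registered, an Autopilot reset will re-provision it under the assigned profile instead of leaving it unmanaged.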
Install Company Portal from the Microsoft Store
Log on with a user account from your tenant (user mode)
Remember: user mode! This is not an IT administrator interaction!
You can also add devices via Access Work or School.
Do you get error 8018002 when registering? Check the MDM scope, or give the user an Endpoint Manager licence.
Disable "Allow My Organization to manage my device"? -> Devices - Microsoft Endpoint Manager admin centre