Intune Configuring Windows Enrollment
There are a lot of guides out there for Microsoft Intune. This one is going to focus on Windows management, primarily around Azure AD Join, replacing much of the on-premises functionality to provide a modern approach to Windows management.
I always start at Windows Enrollment. You can find this section under Devices > Device enrollment > Enroll devices > Windows enrollment. This section of the Endpoint Manager portal links out to other sections of the Azure Resource Manager portal, for example Automatic Enrollment, which takes you to the Mobility section in Azure Active Directory.
In this blog we are going to keep things in the General section; later we will touch on the Windows Autopilot Deployment Program.
Automatic Enrollment: Quickstart - Set up automatic enrollment in Intune | Microsoft Docs
I did a BLOG on this if you want recommendations on how to configure this portion of enrollment. This section is critical for Autopilot and for automatic Windows enrollment into MDM.
Windows Hello for Business: Intune endpoint security Account protection policy settings | Microsoft Docs
Hello for Business is turned on by default for Azure AD joined Windows devices; this is where you could turn it off as a tenant-wide configuration or mandate it on. This section is being deprecated and moved to Endpoint Security under Account Protection. If you have not configured this, do not do it here! Head to Endpoint Protection. That gives you the ability to target groups and exclude as needed, a far better experience. This is not required for Azure AD Join, but I will write a more in-depth blog at a later date.
CNAME Validation: Set up enrollment for Windows devices by using Microsoft Intune | Microsoft Docs
This is a critical part of MDM discovery. It is not strictly required, but if you do not configure this component and home realm discovery fails to pull the endpoint, the user will be prompted to enter their MDM server address; by defining the CNAME, Intune is able to pull the endpoint on behalf of the user. These CNAMEs are added to external-facing DNS, and to internal DNS as well if the namespace of the validated domain is managed internally.
I always validate this configuration with the customer prior to getting started to make sure we don't have any issues. If this is not done, I request a change control and get these records going while we are building out the rest of the enrollment.
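As an added example (not from the original post), here is the kind of check I would run before that change control: it resolves both MDM discovery CNAMEs for a verified domain and compares them with the documented Intune targets, from the machine's default resolver (internal view) and from an external resolver so the split between internal and external DNS is visible. The domain `contoso.com` and the public resolver `8.8.8.8` are placeholders.

```powershell
# Added example, not part of the original post.
# Validates the Intune MDM discovery CNAMEs for a verified domain.
function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # '' = the machine's default (internal) resolver; 8.8.8.8 is a
        # placeholder public resolver giving the external-facing view.
        [string[]]$DnsServer = @('', '8.8.8.8')
    )
    # Documented Intune discovery records for a verified domain.
    $expected = @{
        "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
    }
    foreach ($server in $DnsServer) {
        foreach ($name in $expected.Keys) {
            $params = @{ Name = $name; Type = 'CNAME'; ErrorAction = 'SilentlyContinue' }
            if ($server) { $params.Server = $server }
            # Keep only the CNAME answer; Resolve-DnsName may also return the
            # A records the alias chases to.
            $answer = Resolve-DnsName @params | Where-Object { $_.Type -eq 'CNAME' }
            $actual = ($answer | Select-Object -First 1).NameHost
            [pscustomobject]@{
                Server   = if ($server) { $server } else { 'default' }
                Record   = $name
                Expected = $expected[$name]
                Actual   = if ($actual) { $actual } else { '<missing>' }
                # Trailing dot and case differences are not misconfigurations.
                Ok       = [bool]($actual -and $actual.TrimEnd('.') -ieq $expected[$name])
            }
        }
    }
}

# Placeholder domain; any row with Ok = False needs a DNS change control.
Test-IntuneEnrollmentCname -Domain 'contoso.com' | Format-Table -AutoSize
```

A record that is correct from the external resolver but `<missing>` from the default one is the internally managed namespace case the post describes, and needs the CNAMEs added to internal DNS too.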
Enrollment Status Page: Set up the Enrollment Status Page - Microsoft Intune | Microsoft Docs
The Enrollment Status Page is an awesome feature. It gives us the ability to define the user's visual experience as their device is onboarded into Azure AD and during the user's first-time sign-in. This configuration has many options, which are covered in greater depth in this BLOG. Just keep in mind, if you are working in a Prod environment, DO NOT EDIT the All users and all devices policy. By default it leaves ESP off for all users and devices; you should always use targeting for testing and validation so your users don't start complaining about a BLUE status page when they log on.