Configuration Hybrid Azure Active Directory joined-devices

Time to start blogging once again! I have some, hopefully, interesting topics to write about.

I now run this WordPress site on Azure as an App Service with a D1 App Service Plan and with Azure Database for MySQL – and of course, I also run Azure DNS 🙂

This restart of the blog starts with how to set up Hybrid Azure Active Directory join and auto-enrollment of Windows 10 devices into Intune.

Happy reading!

Preparation – Configuration Hybrid Azure Active Directory joined devices

  • If $scp.Keywords returns a value, everything is already configured and running; if not, continue with the script below:

  • If ADFS is used, follow the guide below to set the Issuance of Claims –
    https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybridazuread-joined-devices-setup#step-2-setup-issuance-of-claims
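The $scp.Keywords check above can be scripted so that it resolves the forest's configuration partition itself instead of hard-coding a domain. The following is an added example, not the post's own script: it binds to the device-registration service connection point (the CN=62a0ff2e-… container under CN=Device Registration Configuration,CN=Services in the configuration naming context, which is where Azure AD Connect places it) and reports whether Keywords is populated and which tenant it names. Run it from a domain-joined machine with the RSAT/.NET DirectoryServices available.

```powershell
# Added example, not part of the original post: read the hybrid-join SCP and report its Keywords.
function Get-HybridJoinScp {
    # RootDSE tells us the forest's configuration naming context (CN=Configuration,DC=...).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    # Well-known container for the Azure AD device registration service connection point.
    $scpPath = "LDAP://CN=62a0ff2e-97b9-4ae4-8d0a-bd40ae22cbc9,CN=Device Registration Configuration,CN=Services,$configNc"

    $keywords = @()
    if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        $scp = New-Object System.DirectoryServices.DirectoryEntry
        $scp.Path = $scpPath
        try {
            # Keywords is multi-valued: "azureADName:<tenant domain>" and "azureADId:<tenant id>".
            $keywords = @($scp.psbase.Properties['keywords'] | ForEach-Object { [string]$_ })
        } catch {
            # Bind or read failure: treat as not configured and let the caller decide.
            Write-Warning "Could not read SCP at $scpPath : $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        ScpPath     = $scpPath
        Configured  = ($keywords.Count -gt 0)
        Keywords    = $keywords
        AzureAdName = (($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', '')
        AzureAdId   = (($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', '')
    }
}

$scpInfo = Get-HybridJoinScp
if ($scpInfo.Configured) {
    Write-Host "SCP present for tenant $($scpInfo.AzureAdName) ($($scpInfo.AzureAdId)); hybrid join is already configured."
} else {
    Write-Host "No Keywords found at $($scpInfo.ScpPath); continue with the configuration script."
}
```

If the SCP exists but names a tenant you do not expect, stop and check which Azure AD Connect instance created it before running any configuration script, since devices in this forest will register against whatever tenant the Keywords point at.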

Preparation – Intune auto-enrollment Windows 10

  • Prerequisite:
    • AD-joined computer with Windows 10, version 1709
    • Intune MDM configured
    • Active Directory registered against Azure AD
    • Update Central Store with Windows 10, version 1709 ADMX and ADM
    • Intune/EMS license activated on the affected users
  • Verify on any computer if the device is Azure AD registered
    • Start cmd

Under Device State, the AzureAdJoined value should show Yes.
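The "Device State" section with the AzureAdJoined value is what dsregcmd /status prints, so the check from the cmd prompt can be turned into a script that parses that output. This is an added example and not from the original post; it assumes dsregcmd.exe is on the path (Windows 10 1709 or later) and that the output uses the "Key : Value" layout shown in the constructed sample. The MdmUrl field is read as a bonus indicator of Intune enrollment and is not mentioned in the post.

```powershell
# Added example, not part of the original post: parse dsregcmd /status into a hashtable.
function Get-DsregStatus {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $status = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; section headers and +----+ separators have no colon.
        if ($line -match '^\s*([A-Za-z0-9_\-\. ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

# Summarise the fields that matter for hybrid join and MDM enrollment.
function Test-HybridJoinState {
    param([hashtable]$Status = (Get-DsregStatus))
    [pscustomobject]@{
        DomainJoined  = ($Status['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($Status['AzureAdJoined'] -eq 'YES')
        TenantName    = $Status['TenantName']
        MdmUrl        = $Status['MdmUrl']
        HybridJoined  = ($Status['DomainJoined'] -eq 'YES' -and $Status['AzureAdJoined'] -eq 'YES')
        MdmEnrolled   = (-not [string]::IsNullOrWhiteSpace($Status['MdmUrl']))
    }
}

# Constructed sample output (abbreviated) so the parser can be exercised offline.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '+----------------------------------------------------------------------+',
    '| Tenant Details                                                       |',
    '+----------------------------------------------------------------------+',
    '                TenantName : Contoso',
    '                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
)
Test-HybridJoinState -Status (Get-DsregStatus -Lines $sample)   # HybridJoined and MdmEnrolled both True for the sample

# Live check on this machine:
Test-HybridJoinState
```

The function only reads state; it is safe to run from a non-elevated prompt, and the hashtable it returns can be fed to a compliance script or exported per machine when you need to find the devices that have not transitioned yet.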

Create auto-enrollment GPO

  • Create a new GPO or open an existing GPO.
    • Go to Computer Configuration > Administrative Templates > Windows Components > MDM
    • Open Auto MDM Enrollment with AAD Token setting, choose Enabled, then click OK.
    • Then go to Computer Configuration > Administrative Templates > Windows Components > Device Registration
    • Open Register domain joined computers as devices, choose Enabled, then click OK.
    • Go to Computer Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • Open Site to Zone Assignment List, choose Enabled, then click Show under Options and add
      https://device.login.microsoftonline.com with the value 1 so that it ends up in the Local Intranet Zone.
    • Make sure the GPO is pointed to the correct OU or security group.
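After gpupdate has run on a target machine you can confirm that the three settings actually landed, rather than trusting the GPO link. The following is an added example and not from the original post; it reads the policy registry values those three Administrative Template settings write (AutoEnrollMDM, autoWorkplaceJoin and the ZoneMapKey entry), which are the documented policy locations and are not stated in the post itself.

```powershell
# Added example, not part of the original post: audit the registry values the auto-enrollment GPO sets.
function Test-AutoEnrollmentPolicy {
    $checks = @(
        @{ Name     = 'Auto MDM Enrollment with AAD Token'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
           Value    = 'AutoEnrollMDM'
           Expected = 1 },
        @{ Name     = 'Register domain joined computers as devices'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
           Value    = 'autoWorkplaceJoin'
           Expected = 1 },
        @{ Name     = 'Site to Zone Assignment: device.login.microsoftonline.com in Local Intranet (zone 1)'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
           Value    = 'https://device.login.microsoftonline.com'
           Expected = '1' }
    )

    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # Value names may contain "://", which is fine for registry values.
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Value) }
        }
        [pscustomobject]@{
            Setting = $c.Name
            Applied = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
            Actual  = $actual
            Path    = "$($c.Path)\$($c.Value)"
        }
    }
}

# Typical use: refresh policy, then audit. Any row with Applied = False means the GPO did not reach this machine.
& gpupdate.exe /target:computer /force | Out-Null
Test-AutoEnrollmentPolicy | Format-Table -AutoSize
```

If a row shows Applied = False, check the GPO link and security filtering with gpresult /r before touching the registry by hand; a value set manually will be overwritten (or left stale) the next time policy refreshes.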

Successful enrollment?

Event Viewer – Microsoft > Windows > DeviceManagement-Enterprise > Diagnostics > Provider > Admin. The log should contain Event ID 75 with the message “Auto MDM Enroll: Succeeded”.

Task Scheduler – Microsoft > Windows > EnterpriseMgmt. Before enrollment there is a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”.
After a completed and successful auto-enrollment, that task will have disappeared and there should be a folder with a GUID name.

Settings – Start > Settings > Accounts > Access work or school. If the Info button is available when you click the domain entry, auto-enrollment has completed successfully.

Intune portal – Under Devices > Azure AD devices, all devices will be listed; under Join Type it should say “Hybrid Azure AD joined” and under MDM it should say Microsoft Intune.
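The Event Viewer and Task Scheduler checks above can be done in one script so that a fleet can be verified without clicking through each machine. This is an added example, not from the original post; it assumes the log's full channel name is Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin and the tasks live under \Microsoft\Windows\EnterpriseMgmt\, which are the locations the post's two tree paths refer to.

```powershell
# Added example, not part of the original post: verify auto-enrollment via the event log and task folder.
function Test-AutoMdmEnrollment {
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

    # Newest Event ID 75 whose message reports "Auto MDM Enroll: Succeeded".
    $success = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Auto MDM Enroll: Succeeded*' } |
        Select-Object -First 1

    # Before enrollment: one task directly in EnterpriseMgmt. After: a subfolder named with a GUID.
    $tasks   = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)
    $pending = @($tasks | Where-Object {
        $_.TaskPath -eq '\Microsoft\Windows\EnterpriseMgmt\' -and
        $_.TaskName -like 'Schedule created by enrollment client*'
    })
    $guidFolders = @($tasks | ForEach-Object { $_.TaskPath } |
        Where-Object { $_ -match '\\EnterpriseMgmt\\\{?[0-9A-Fa-f-]{36}\}?\\' } |
        Sort-Object -Unique)

    $successTime = $null
    if ($success) { $successTime = $success.TimeCreated }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SuccessEventFound = ($null -ne $success)
        SuccessEventTime  = $successTime
        PendingEnrollTask = ($pending.Count -gt 0)
        EnrollmentFolders = $guidFolders
        # All three indicators from the post must agree before we call the device enrolled.
        Enrolled          = ($null -ne $success -and $pending.Count -eq 0 -and $guidFolders.Count -gt 0)
    }
}

Test-AutoMdmEnrollment | Format-List
```

A device where SuccessEventFound is True but PendingEnrollTask is still True has usually enrolled once and then been asked to enroll again; compare the event timestamp with the GPO application time before assuming the enrollment is healthy.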

Notes from Microsoft:
When you have completed the required steps, domain-joined devices are ready to automatically join Azure AD:

  • All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in.
  • New devices register with Azure AD when the device restarts after the domain join operation is completed.
  • Devices that were previously Azure AD registered (for example, for Intune) transition to “Domain Joined, AAD Registered”; however, it takes some time for this process to complete across all devices due to the normal flow of domain and user activity.

1 Response

  1. e39_540i says:

    All the links are broken
