Configuration Hybrid Azure Active Directory joined-devices

Time to start blogging once again! I have some, hopefully, interesting topics to write about.

I now run this WordPress site at Azure as a App Service with a D1 App Service Plan and with Azure Database for MySQL – and of course, I also run Azure DNS 🙂

This restart of the blog starts with how to setup Hybrid Azure Active Directory and auto-enrollment of Windows 10 devices to Intune.

Happy reading!

Preparation – Configuration Hybrid Azure Active Directory joined devices

• Use the latest Windows 10 version to reduce the problems.
• Use the latest version of Azure AD Connect – https://www.microsoft.com/enus/download/details.aspx?id=47594
• Install Azure Active Directory PowerShell V1 (AdministrationConfig-V1.1.166.0-GA.msi) – http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
• Are there multiple forest must the Service Connection Point (SCP) exist in all forests that contain domain-joined devices, see more info: https://docs.microsoft.com/en-us/azure/activedirectory/device-management-hybrid-azuread-joined-devices-setup#step-1-configureservice-connection-point
• Run the commands in PowerShell, change to your domain:
  

• Is there a value from $scp.Keywords then everything is running , if not, continue with the script below:
  
  
  Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"; $aadAdminCred = Get-Credential -Message "Your credentials for Azure"; $adAccount = Get-Credential -Message "i.e. domain\svc_aadconnect@domain.com"; Connect-MsolService -Credential $aadAdminCred; Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount $adAccount - AzureADCredentials $aadAdminCred;

  1 2 3 4 5 6 7

  Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"; $aadAdminCred = Get-Credential -Message "Your credentials for Azure"; $adAccount = Get-Credential -Message "i.e. domain\svc_aadconnect@domain.com"; Connect-MsolService -Credential $aadAdminCred; Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount $adAccount - AzureADCredentials $aadAdminCred;

• 
• If ADFS is used, follow the guide below to set the Issuance of Claims –
  https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybridazuread-joined-devices-setup#step-2-setup-issuance-of-claims

Preparation – Intune auto-enrollment Windows 10

• Prerequisite:
  • AD-joinad computer with Windows 10, version 1709
  • Intune MDM configured
  • Active Directory registered against Azure AD
  • Update Central Store with Windows 10, version 1709 ADMX and ADM
  • Intune/EMS license activated on the affected users
    
• Verify on any computer if the device is Azure AD registered
  • Start cmd
    

Under Device State should the AzureAdJoined value show Yes.

Create auto-enrollment GPO

• Create a new GPO or open an existing GPO.
  • Go to Computer Configuration > Administrative Templates > Windows Components > MDM
    
  • Open Auto MDM Enrollment with AAD Token setting, choose Enabled, then click OK.
    
  • Go then to Computer Configuration > Administrative Templates > Windows Components/Device Registration
    
  • Open Register domain joined computers as devices, choose Enabled, then click OK.
    
  • Go to Computer Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    
  • Open Site to Zone Assignment List, choose Enabled, click then on Show under Options and add:
    https://device.login.microsoftonline.com with the value 1 for it to end up under Local Intranet Zone.
    
  • Make sure the GPO is pointed to the correct OU or security group.

Successful enrollment?

Event Viewer – Microsoft > Windows > DeviceManagement-Enterprise > Diagnostics > Provider > Admin. Should contain Event ID: 75 with message “Auto MDM Enroll: Succeeded”.

Task Scheduler – Microsoft > Windows > EnterpriseMgmt. There was previously a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”.
After a completed and successful auto-enrollment, the task will have disappeared and there should be a folder with a GUID name.

Settings – Start > Settings > Accounts > Access work or school. Is the Info button available if you press the domain, auto-enrollment is completed and successful.

Intune portalen – Under Devices > Azure AD-devices will all devices exist and under Join Type, should it say “Hybrid Azure AD joined” and under MDM, it should say Microsoft Intune.

Notes from Microsoft:
When you have completed the required steps, domain-joined devices are ready to automatically join Azure AD:

• All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in.
• New devices register with Azure AD when the device restarts after the domain join operation is completed.
• Devices that were previously Azure AD registered (for example, for Intune) transition to “Domain Joined, AAD Registered”; however it takes some time for this process to complete across all devices due to the normal flow of domain and user activity.