Configuration Hybrid Azure Active Directory joined-devices

Time to start blogging once again! I have some, hopefully, interesting topics to write about.

I now run this WordPress site on Azure as an App Service with a D1 App Service Plan and Azure Database for MySQL – and of course, I also run Azure DNS 🙂

This restart of the blog starts with how to set up Hybrid Azure Active Directory join and auto-enrollment of Windows 10 devices into Intune.

Happy reading!

Preparation – Configuration Hybrid Azure Active Directory joined devices

Check whether the service connection point (SCP) for device registration already exists in the forest's configuration partition (DC=contoso,DC=com is a placeholder; replace it with the DN of your own forest root):

    $scp = New-Object System.DirectoryServices.DirectoryEntry;
    $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com";
    $scp.Keywords;
  • If $scp.Keywords returns a value, the SCP already exists and device registration is configured; if not, continue with the script below:

    Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
    $aadAdminCred = Get-Credential -Message "Your credentials for Azure";
    $adAccount = Get-Credential -Message "i.e. domain\svc_aadconnect@domain.com";
    Connect-MsolService -Credential $aadAdminCred;
    Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount $adAccount -AzureADCredentials $aadAdminCred;
  • If AD FS is used, also follow Microsoft's guide to set the issuance of claims.
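As an added example (this is not code from the original post), the same SCP check wrapped in a function that also parses the keywords stored on the SCP, so you can see which tenant the forest is registered to before running Initialize-ADSyncDomainJoinedComputerSync. The container path under the well-known GUID is the documented one; the forest root DN passed in is an assumed placeholder.

```powershell
# Added example, not from the original post. Reads the Azure AD device
# registration SCP from the forest's configuration partition and returns
# the tenant it points to, or $null when no SCP exists yet.
function Get-DeviceRegistrationScp {
    param(
        # Distinguished name of the forest root, e.g. 'DC=contoso,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$ForestRootDn
    )

    # 62a0ff2e-... is the well-known GUID of the device registration SCP
    $path = 'LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,' +
            'CN=Device Registration Configuration,CN=Services,CN=Configuration,' + $ForestRootDn

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        # No SCP: Initialize-ADSyncDomainJoinedComputerSync has not been run for this forest
        return $null
    }

    $scp = [adsi]$path
    $keywords = @{}
    # Each keyword is stored as "name:value", e.g. azureADName:contoso.onmicrosoft.com
    foreach ($entry in $scp.Keywords) {
        $name, $value = "$entry" -split ':', 2
        $keywords[$name] = $value
    }

    [pscustomobject]@{
        Path       = $path
        TenantName = $keywords['azureADName']
        TenantId   = $keywords['azureADId']
        Keywords   = @($scp.Keywords)
    }
}

# Usage (assumes DC=contoso,DC=com is your forest root)
$result = Get-DeviceRegistrationScp -ForestRootDn 'DC=contoso,DC=com'
if ($null -eq $result) {
    Write-Warning 'No device registration SCP found; run Initialize-ADSyncDomainJoinedComputerSync.'
} else {
    $result | Format-List
}
```

Run it from a domain-joined machine with an account that can read the configuration partition; a $null result is the same condition as an empty $scp.Keywords in the snippet above.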

Preparation – Intune auto-enrollment Windows 10

  • Prerequisites:
    • AD-joined computer with Windows 10, version 1709
    • Intune MDM configured
    • Active Directory registered against Azure AD
    • Central Store updated with the Windows 10, version 1709 ADMX and ADM files
    • Intune/EMS license assigned to the affected users
  • Verify on any computer whether the device is Azure AD registered; start cmd and run:

    dsregcmd /status

    Under Device State, the AzureAdJoined value should show Yes.
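Reading dsregcmd output by eye works for one machine; for a fleet it helps to parse it. The following is an added example (not part of the original post) that turns the text output of dsregcmd /status into a hashtable and evaluates the hybrid-join state. It also checks MdmUrl, which dsregcmd prints under Tenant Details once MDM enrollment has happened; the sample output embedded below is constructed so the script runs offline.

```powershell
# Added example, not from the original post. Parses "dsregcmd /status" text
# into a hashtable of key -> { Section, Value } and evaluates the join state.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    $state   = @{}
    $section = ''
    foreach ($line in $StatusLines) {
        # Section banners look like "| Device State                 |"
        if ($line -match '^\|\s*(.+?)\s*\|\s*$') { $section = $Matches[1]; continue }
        # Key/value rows look like "        AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = [pscustomobject]@{ Section = $section; Value = $Matches[2] }
        }
    }
    $state
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$State)

    function Get-Value([string]$Key) {
        if ($State.ContainsKey($Key)) { $State[$Key].Value } else { '' }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ((Get-Value 'DomainJoined')  -ne 'YES') { $findings.Add('DomainJoined is not YES: device is not AD joined') }
    if ((Get-Value 'AzureAdJoined') -ne 'YES') { $findings.Add('AzureAdJoined is not YES: device registration has not completed') }
    if ((Get-Value 'MdmUrl') -notmatch '^https://') { $findings.Add('MdmUrl is empty: MDM auto-enrollment has not run yet') }

    [pscustomobject]@{
        HybridAzureAdJoined = (((Get-Value 'AzureAdJoined') -eq 'YES') -and ((Get-Value 'DomainJoined') -eq 'YES'))
        MdmEnrolled         = ((Get-Value 'MdmUrl') -match '^https://')
        Findings            = $findings
    }
}

# Constructed sample output (trimmed); on a real client use the live command instead
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Test-HybridJoinState -State (ConvertFrom-DsregcmdStatus -StatusLines $sample) | Format-List
# Live: Test-HybridJoinState -State (ConvertFrom-DsregcmdStatus -StatusLines (dsregcmd /status))
```

On the sample, HybridAzureAdJoined and MdmEnrolled both come back True with no findings; a freshly joined device that has not rebooted yet typically shows AzureAdJoined : NO and an empty MdmUrl, and the Findings list says so.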

Create auto-enrollment GPO

  • Create a new GPO or open an existing GPO.
    • Go to Computer Configuration > Administrative Templates > Windows Components > MDM
    • Open the Auto MDM Enrollment with AAD Token setting, choose Enabled, then click OK.
    • Then go to Computer Configuration > Administrative Templates > Windows Components > Device Registration
    • Open Register domain joined computers as devices, choose Enabled, then click OK.
    • Go to Computer Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • Open Site to Zone Assignment List, choose Enabled, click Show under Options and add
      https://device.login.microsoftonline.com with the value 1, so that it ends up in the Local Intranet zone.
    • Make sure the GPO is linked to the correct OU or security-filtered to the correct security group.
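Once the GPO is linked, the quickest way to confirm it reached a client is to read the registry values the three policies write. The script below is an added example, not from the original post; the registry paths and value names come from the Windows ADMX definitions of these policies rather than from the post, and the expected data matches the settings chosen above (Enabled, and zone 1 for the device login URL).

```powershell
# Added example, not from the original post. Verifies on a client that the
# three GPO settings above have actually been applied, by reading the
# registry values the corresponding ADMX policies write. Run after gpupdate /force.
$ExpectedPolicy = @(
    @{ Policy = 'Auto MDM Enrollment with AAD Token'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
       Name   = 'AutoEnrollMDM'
       Value  = 1 }
    @{ Policy = 'Register domain joined computers as devices'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
       Name   = 'autoWorkplaceJoin'
       Value  = 1 }
    @{ Policy = 'Site to Zone Assignment List: device.login.microsoftonline.com in zone 1 (Local Intranet)'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
       Name   = 'https://device.login.microsoftonline.com'
       Value  = '1' }
)

function Test-AutoEnrollPolicy {
    param([hashtable[]]$Expected = $ExpectedPolicy)

    foreach ($e in $Expected) {
        $actual = $null
        if (Test-Path -Path $e.Path) {
            # A missing value simply reads as $null instead of throwing
            $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($e.Name) }
        }
        [pscustomobject]@{
            Policy  = $e.Policy
            Applied = ("$actual" -eq "$($e.Value)")   # compare as strings: DWORD vs REG_SZ
            Actual  = $actual
            Key     = "$($e.Path)\$($e.Name)"
        }
    }
}

Test-AutoEnrollPolicy | Format-Table Policy, Applied, Actual -AutoSize
```

A row with Applied = False and Actual empty means the policy never arrived (wrong OU link or security filtering); Applied = False with a different Actual value means another GPO is winning, which gpresult /h can show.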

Successful enrollment?

Event Viewer – Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin should contain Event ID 75 with the message “Auto MDM Enroll: Succeeded”.

Task Scheduler – Microsoft > Windows > EnterpriseMgmt. Before enrollment there is a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”.
After a completed and successful auto-enrollment, that task has disappeared and there is a folder with a GUID name instead.

Settings – Start > Settings > Accounts > Access work or school. If you click the domain entry and an Info button is available, auto-enrollment has completed successfully.

Intune portal – Under Devices > Azure AD devices, all devices should be listed; Join Type should say “Hybrid Azure AD joined” and MDM should say Microsoft Intune.
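The Event Viewer and Task Scheduler checks above can be collected from a client in one go. The function below is an added example, not from the original post: it queries the log and task folder named above. Event ID 76 (Auto MDM Enroll: Failed) is not mentioned in the post; it is the matching failure event in the same log and is included so a failed attempt is surfaced next to the missing success.

```powershell
# Added example, not from the original post. Gathers the auto-enrollment
# evidence described above (event 75, the EnterpriseMgmt task) from the
# local client and returns a single object.
function Get-AutoEnrollmentEvidence {
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

    # Newest success / failure event; Get-WinEvent errors when none exist, hence SilentlyContinue
    $success = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $failure = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 76 } -MaxEvents 1 -ErrorAction SilentlyContinue

    # The "Schedule created by enrollment client..." task exists only until enrollment has run
    $pending = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
               Where-Object TaskName -like 'Schedule created by enrollment client*'

    # After enrollment the client's sync tasks live in a GUID-named subfolder
    $enrollmentFolders = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
               ForEach-Object TaskPath | Sort-Object -Unique |
               Where-Object { $_ -match '\\\{?[0-9A-Fa-f-]{36}\}?\\$' }

    $succeededAt = $null
    if ($success) { $succeededAt = $success.TimeCreated }
    $lastFailure = $null
    if ($failure) { $lastFailure = $failure.Message }

    [pscustomobject]@{
        Succeeded         = [bool]$success
        SucceededAt       = $succeededAt
        LastFailure       = $lastFailure
        PendingTask       = [bool]$pending
        EnrollmentFolders = @($enrollmentFolders)
    }
}

Get-AutoEnrollmentEvidence | Format-List
```

A healthy client shows Succeeded = True, PendingTask = False and one GUID folder; Succeeded = False together with PendingTask = True means the task has not fired yet (the device state checks earlier on this page are the next thing to look at), while a populated LastFailure gives the error code to search on.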

Notes from Microsoft:
When you have completed the required steps, domain-joined devices are ready to automatically join Azure AD:

  • All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in.
  • New devices register with Azure AD when the device restarts after the domain join operation is completed.
  • Devices that were previously Azure AD registered (for example, for Intune) transition to “Domain Joined, AAD Registered”; however it takes some time for this process to complete across all devices due to the normal flow of domain and user activity.

1 Response

  1. e39_540i says:

    All the links are broken
