Tag: AutoPilot

Enrolling shared Hybrid Azure AD Joined Windows devices to Intune

I think this is a really interesting case. Although Hybrid Azure AD Join is not something I recommend over Azure AD Join, sometimes circumstances leave no other choice but to adjust, make the best of the situation and plan for a better solution in the longer term.

Current situation and scenario goal

The mission is to enroll all Windows devices (shared and Hybrid Azure AD Joined) in Intune. The specifications are as follows:

  • Windows 10 and 11 Enterprise 21H2 (or 22H2) computers which are Hybrid Azure AD Joined.
  • The devices are used as shared computers, so there are no primary users of these devices.
  • Intune licenses are device based, not user based (user-based licensing being the typical and most common scenario).
  • Microsoft Endpoint Manager Configuration Manager is NOT used.

The million-dollar question is how these shared computers can be enrolled in Intune automatically. The scenario must cover newly deployed computers as well as existing ones, and the solution must be fully automated, i.e. there may be no manual steps anywhere in the process.

Note: The typical GPO that enables automatic MDM enrollment using the user's credential cannot be used, as the users do not have Intune licenses.

Potential solutions

My thoughts on how to arrive at a solution came pretty much in this order, and it turned out to be a real challenge.

1. Use “Device Credential” in the GPO “Enable automatic MDM enrollment…”

The GPO “Enable automatic MDM enrollment using default Azure AD credentials” got a new option some years ago: it can be set to “Device Credential” instead of the default “User Credential”. Sounds like the perfect solution!

Problem: Error code 0x80180001 in the event log: “Device based token is not supported to enrollment type OnPremiseGroupPolicyCoManaged”. It turns out that the device-credential option is only supported for devices co-managed with MEMCM/SCCM or for Azure Virtual Desktop; on any other machine the enrollment client rejects it with this error.
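As an added example (not code from the original post), the PowerShell snippet below shows how to confirm the failure described above on a device: it reads back what the GPO actually wrote to the policy registry key, parses the join state from dsregcmd, and pulls the auto-enrollment result events. The registry value names (AutoEnrollMDM, UseAADCredentialType) and the event IDs 75/76 are the ones the enrollment client uses; nothing else is assumed.

```powershell
# Added example: diagnose the "device credential" auto-enrollment attempt on a
# Hybrid Azure AD Joined, non-co-managed device. Run in an elevated PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# 1. What did the GPO write? AutoEnrollMDM=1 turns auto-enrollment on;
#    UseAADCredentialType 1 = user credential, 2 = device credential.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    AutoEnrollMDM        = $policy.AutoEnrollMDM
    UseAADCredentialType = $policy.UseAADCredentialType
} | Format-List

# 2. Join state. dsregcmd /status prints "Key : Value" lines; for a hybrid-joined
#    device both DomainJoined and AzureAdJoined must be YES.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
}
'DomainJoined', 'AzureAdJoined', 'TenantName' | ForEach-Object {
    '{0,-14} {1}' -f $_, $dsreg[$_]
}

# 3. The enrollment client logs a successful auto-enrollment as event 75 and a failed
#    one as event 76 in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log.
#    The 0x80180001 text quoted in the post appears in the event 76 message.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

If step 1 shows UseAADCredentialType = 2 and step 3 shows event 76 with the OnPremiseGroupPolicyCoManaged text, the policy is applied correctly and it is the enrollment type that is unsupported, not a misconfiguration on the device.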

2. Autopilot self-deploying mode profile

Good idea, but self-deploying mode cannot be used here: it supports only Azure AD Join, not Hybrid Azure AD Join.

3. Provisioning package – Only enrollment

Using a provisioning package (PPKG) you could potentially enroll into an MDM solution (such as Intune) using the Workplace/Enrollment settings, as noted in Bulk enrollment – Windows Client Management | Microsoft Docs, although the “username and password” security type is not supported. However, this enrollment path seems primarily targeted at third-party MDM solutions or the now long-gone feature to enroll into on-premises MDM in Configuration Manager, not Intune. Or did anyone succeed in enrolling into Intune this way? If so, please ping me!

4. Provisioning package – Using bulk enrollment token

Although this route is typically used for performing Azure AD Join + automatic Intune enrollment using a Device Enrollment Manager (DEM) account, I thought I’d try it out to see what happens, as I had never tried this on a Hybrid Azure AD Joined computer.

Well, after obtaining the bulk enrollment token through the simple wizard in Windows Imaging and Configuration Designer, I switched to advanced mode and removed everything from the provisioning package apart from the Azure/bulk enrollment token parts.

I then ran the provisioning package on my target test machine and the enrollment seemed to have worked. Although it resulted in another device object in Azure AD, it successfully enrolled into Intune.

Running a PPKG using Bulk Enrollment token on an already Hybrid Azure AD Joined Windows device – this is the result in Azure AD!

Hmm, not ideal, but a big step in the right direction. Another question is: even though this works technically, how far from being supported is this scenario? Intune device-based licensing supports DEM accounts as an enrollment type as per Licenses available for Microsoft Intune | Microsoft Docs, and bulk enrollment is supported as well as per Enroll devices using a device enrollment manager account – Microsoft Intune | Microsoft Docs.

Next steps and summary

Well, automating the application of the PPKG from step 4 above as part of the deployment process is easy, but it needs some additional checks: the provisioning package must only be run after the Hybrid Azure AD Join has completed successfully, otherwise I expect it to fail. Not optimal, it requires more testing, and even if it works the scenario is a true corner case!
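As an added example covering both the PPKG experiment in step 4 and the gating check just described (my code, not the post's), the script below applies the bulk-enrollment package only when dsregcmd reports the device as both domain joined and Azure AD joined, and skips devices that already have an Intune enrollment. The package and log paths are placeholders; Install-ProvisioningPackage is the cmdlet from the built-in Provisioning module.

```powershell
# Added example: apply a bulk-enrollment PPKG only after Hybrid Azure AD Join has
# completed and only if the device is not already enrolled in Intune. Run elevated.

$PackagePath = 'C:\Deploy\BulkEnroll.ppkg'   # placeholder: the PPKG exported from WCD
$LogPath     = 'C:\Deploy\Logs'              # placeholder: where provisioning logs go

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-IntuneEnrolled {
    # Every MDM enrollment gets a GUID subkey under HKLM\SOFTWARE\Microsoft\Enrollments;
    # Intune enrollments carry ProviderID "MS DM Server".
    $intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    return ($null -ne $intune)
}

$state = Get-DsregState
if ($state['DomainJoined'] -ne 'YES' -or $state['AzureAdJoined'] -ne 'YES') {
    # Hybrid join has not finished yet (the Azure AD registration task retries on its own).
    # Applying the PPKG now would create the extra device object before the join completes.
    Write-Warning ("Not Hybrid Azure AD Joined yet (DomainJoined={0}, AzureAdJoined={1}); retry later." -f
        $state['DomainJoined'], $state['AzureAdJoined'])
    exit 1
}

if (Test-IntuneEnrolled) {
    Write-Output 'Already enrolled in Intune; nothing to do.'
    exit 0
}

# -QuietInstall suppresses the interactive consent prompt so this can run unattended.
$result = Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $LogPath
$result | Format-List
```

One caveat a practitioner should keep in mind: the PPKG embeds the bulk token, which is a credential for the DEM account and is valid until the expiry you chose in Windows Configuration Designer (up to 180 days). Anyone who can read the package can enroll devices into your tenant with it, so store and distribute it as you would a password and keep its lifetime as short as the rollout allows.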

Going back to Autopilot self-deploying mode seems a lot easier, so let’s evaluate what needs to be in place for this to become reality and overcome the hurdles!

Accelerate your modern desktop journey – get started with a boom!

The benefits of a modern workplace and modern desktop are many. Users and companies now more than ever need to be ready for a mobile world. A user expects to be able to work from anywhere, and many organizations need to be prepared for changes such as scaling for growth, acquisitions or, in the worst case, downsizing.

The road to a modern desktop the Microsoft way is to activate and use co-management and take it in baby steps. My philosophy is to build a use case without co-management, using a cloud-only solution, and use that to showcase what can be done in your organization. The idea is to accelerate the journey to the modern desktop, as it will be a great example of what can be achieved and how well it works.

Vision

Deploy a new Windows 10 device, or reset your existing Windows 10 device, with the expectation that everything you need is available to you automatically: settings, applications, documents and files, so that you can start working immediately.

The goal is to set up an environment where you can join any Windows 10 device to your environment, completely independent of your physical network.

License pre-reqs

  • Azure AD Premium P1 (or P2) or EM+S E3 or E5 or Microsoft 365 E3, E5 or any other license including Azure AD P1 (or the automatic MDM enrollment feature).
  • Intune licenses as part of EM+S or Microsoft 365 or standalone Intune licenses.
  • Windows 10 Pro or Enterprise.

AutoPilot as the modern “deployment solution”

Deployment in the new world is no longer image based, with driver certification and network PXE boot. Instead you (or preferably the vendor or a partner) register the devices you need to deploy in the AutoPilot service that Microsoft provides.

When the device boots for the first time it fetches the AutoPilot profile and applies it, and when your user signs in with their email address the Windows 10 device is joined to Azure AD and at the same time enrolled into Intune (requires an Azure AD Premium P1 license).

By activating the Intune Enrollment Status Page you can also see the progress and make sure that the device is (almost) ready by the time the user is logged in.
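Registering a device with the AutoPilot service means uploading its hardware hash. As an added example (not from the original post), the snippet below collects the hash of the local machine through the MDM bridge WMI class and writes it in the three-column CSV layout the Intune import expects; the output path is a placeholder. The published Get-WindowsAutopilotInfo script from the PowerShell Gallery does the same job with more options, so this is mainly to show what is actually being collected.

```powershell
# Added example: collect the Autopilot hardware hash of the local device.
# Run elevated; the root/cimv2/mdm/dmmap namespace is only readable by administrators.

$OutFile = 'C:\Temp\AutopilotHWID.csv'   # placeholder

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# MDM_DevDetail_Ext01.DeviceHardwareData is the base64 hardware hash Autopilot uses
# to recognise the device at first boot.
$device = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $device.DeviceHardwareData

if ([string]::IsNullOrEmpty($hash)) {
    throw 'No hardware hash returned; run elevated on a physical machine or a supported VM.'
}

# The Intune import wants exactly these columns; Windows Product ID may be left blank.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

# ConvertTo-Csv quotes every field; the import expects unquoted values, so strip them.
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutFile

'{0}: serial={1}, hash length={2} chars' -f $OutFile, $serial, $hash.Length
```

Treat the resulting CSV as sensitive inventory data: whoever can upload it can claim the device into their tenant's AutoPilot service, which is why the vendor or partner registration path is preferred for new hardware.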


OneDrive Known Folder Move is the modern folder redirection

One of the most important things I want available on any device I use is my files and documents. By activating and using OneDrive Known Folder Move, I can get my Desktop, Documents and Pictures folders redirected to my OneDrive for Business.

This is just like good old folder redirection, where you redirect these folders to the network with offline files (yikes!), but now you do it to OneDrive, where you also get better sync than with offline files.
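As an added example (not from the original post), these are the policy values that turn Known Folder Move on silently; they are the same registry values the OneDrive ADMX settings write, whether delivered through Intune administrative templates or a GPO. The tenant ID is a placeholder that you replace with your own.

```powershell
# Added example: configure OneDrive Known Folder Move silently via the OneDrive policy key.
# Run elevated. The tenant ID is a placeholder (Azure AD > Overview > Tenant ID).

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
New-Item -Path $key -Force | Out-Null

# Sign the user in to OneDrive with the Azure AD account without prompting.
Set-ItemProperty -Path $key -Name 'SilentAccountConfig' -Value 1 -Type DWord
# Silently move Desktop, Documents and Pictures into OneDrive for this tenant only ...
Set-ItemProperty -Path $key -Name 'KFMSilentOptIn' -Value $TenantId -Type String
# ... show the user a notification that it happened ...
Set-ItemProperty -Path $key -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord
# ... and block the user from redirecting the folders back to the local profile.
Set-ItemProperty -Path $key -Name 'KFMBlockOptOut' -Value 1 -Type DWord

# Read the values back to verify the policy is in place before OneDrive next starts.
Get-ItemProperty -Path $key |
    Select-Object SilentAccountConfig, KFMSilentOptIn, KFMSilentOptInWithNotification, KFMBlockOptOut
```

Scoping KFMSilentOptIn to your tenant ID is the part that matters for security: it prevents the folders from being redirected into a OneDrive account belonging to some other tenant.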


MSIX is the future

Repackaging applications to MSIX is the future. Why? Because there are several benefits over traditional MSI packaging and distribution. Delta updates of apps is one advantage; another big one is how app updates work, which is a huge problem today in many enterprises.

But wait, did not Microsoft release Win32 app support in Intune? Yes, they did, but why on earth would you want to put makeup on the pig? Moving your existing Win32 app packages to a modern management solution is like moving to a new house and bringing everything with you: not only your stuff and furniture but also the dust and dirt.


Enterprise state roaming

To get basic sync of settings such as the background image and other customizations, as well as favorites in Edge, saved credentials in Windows and more, you activate Enterprise State Roaming so that the settings roam with you. This feature leaves a lot to be desired, but at least it provides basic profile roaming.


Follow up using Windows Analytics

As all your clients are disconnected from your infrastructure in our scenario, you need to be able to follow up important things such as patch status, and this can be done using Windows Analytics, specifically Update Compliance.


Helping your users remotely

When your Windows 10 devices are basically anywhere in the world, you must be able to remote control them to provide support whenever needed. You can do this using Quick Assist, which has been part of Windows 10 since version 1607. It works just like the very popular TeamViewer in the sense that Quick Assist works basically anywhere you have a working internet connection.

Worth noting is that in Windows 10 v1809 it is the person giving assistance who signs in to the Quick Assist app when providing support, so all you have to do is provide the connection code to the end user and off you go!

Key fact – access to on-premises resources!

Well, I think most can agree that few organizations have moved or migrated all on-premises resources to the cloud. Therefore, most users still need to access resources only available on-premises.

A magic feature exists thanks to Azure AD Connect: whenever one of your Azure AD joined Windows 10 devices is on your corporate network and has contact with a domain controller, the user (provided the account is synchronized from on-premises AD) gets a Kerberos ticket! This can be used to access any on-premises resource, even though the device is not part of the on-premises domain at all!

Read more about how this works from Michael Niehaus.

Summary

With all these steps you have a quick way of getting started with a top modern workplace that works anywhere in the world. And, to add to that, whenever their devices are on the corporate network, users get access to any internal resources such as files, printers and applications they have access to.

If you want to deep dive into this, contact either Addskills Cornerstone Group or Lexicon group for a 3-day training on managing and deploying Windows 10 in a new modern way.

Follow-up to TechDays Sweden session “Windows 10 in new smart ways – not like you’ve always done it”

This is a follow-up blog post to my session yesterday at TechDays Sweden: “Windows 10 in new smart ways – not like you’ve always done it”. Thank you all who attended my session – it was a pleasure! The slides can be found here (in Swedish).

The link I mentioned about all news coming to MDM, and in particular new MDM settings are published at docs.microsoft.com.

And finally some resources to get you started with the move to modern IT, as I demoed in my session. Remember that the transition to a modern environment for managing devices will take time. Just as when laying a puzzle, lay out your path to modern management and IT one piece at a time!

AutoPilot – “hands-free deployment“

Desktop App Converter – Make AppX packages out of your MSIs and legacy apps

“Co-management”
This basically means that you can manage clients with SCCM and MDM at the same time. It's branded as SCCM+MDM, but you can also leverage it if you are not yet using MDM: you can take an on-premises AD domain-joined machine that is configured using GPOs and MDM-join it to get MDM configuration at the same time. The idea is to make the move to modern management in a smooth way!

Windows Update for Business + Update Compliance
Transition from using WSUS (+SCCM) to manage updates, and move to Update Compliance to follow up the status of patches, both quality updates and feature updates.

Device Health
Verify crashes for your Windows clients and more to come very soon!

Power BI – Intune Data Warehouse
Insights into how your users are actually accessing, for instance, Office 365 applications.