How to setup automatic MDM enrollment of Windows 10 with AzureAD – Mobile-First Cloud-First

This is not a new feature – but it is new that I can be done the new Azure Portal  (Codename Ibiza) https://portal.azure.com

The reason for settings this up is: when a Windows 10 devices is AzureAD joined then it is also automatic enrolled in Intune as a MDM managed Windows 10 devices.

This blogpost is created in feb. 2017 when Azure Active Directory still is in preview in the new AzureAD portal  – so Microsoft can and may change the functionality, location and look of this setting.

Requirement:

  • AzureAD premium subscription
  • Microsoft Intune subscription
  • Intune set as MDM Authority
  • Windows 10 Pro, Windows 10 Enterprise, Windows 10 Pro Education, Windows 10 Education or Windows 10 Team

Recommendation:

Create the following dns records:

CNAME : EnterpriseEnrollment.company_domain.com Points to : EnterpriseEnrollment-s.manage.microsoft.com

TTL : 1 Hour

CNAME : EnterpriseRegistration.company_domain.com Points to : EnterpriseRegistration.windows.net

TTL : 1 Hour

How to:

Start https://portal.azure.com

Find Azure Active Directory and click on it

Select Mobility (MDM and MAM)

Then select Microsoft Intune

Select All – or Some if you only want this to apply to specified groups

Go into “Users and Groups”

Click on “Device Settings”

Then you can setup automatic MDM enrollment

  1. Users may join devices to Azure AD
    1. In my case I set it to all – but in some cases it can make sense to only allow some groups of users to AzureAD join there devices
  2. Additional Administrators on Azure AD Joined devices – here you can setup extra users to be local admin on AzureAD joined devices. The user that are enrolling the devices always becomes member of the local administrators security group. Be aware that this settings is the same for all devices in the tenant.
  3.   Require Multi-Factor Auth to join devices – this can be a good ideer so your are know who the users are when enrolling a device into AzureAD
  4. Maximum number of devices per user. Be aware that Intune only allows 15 devices per user – so when you hit number 16 for a user the devices not be in Intune automatically
  5. Click save – and you are ready to go.

The user experience:

The is the OOBE from Windows 10.

Use Express settings

Who owns this PC?

Select : My work or school owns it

Click Next

Login with your work or school account

Enter username and password

Click Sign in

The Windows 10 will AzureAD join your device and automatic MDM enroll the device.

It will now be ready to be managed with Intune.

Related Posts