When you enroll a Windows 10-based device using Mobile Device Management, remember that the device gets enrolled as a mobile device and does not appear as a “Computer” device type in Microsoft Intune as you might expect. Instead, the device appears under “Mobile Devices.” This is by design. To enroll a Windows 10 device and have it display as a computer in Microsoft Intune, the Microsoft Intune client software must be installed. For more details please see the following:
In this longer post I’m showing you how can you turn on auto-MDM enrollment with Azure Active Directory (AAD) and Microsoft Intune.
By combining login, Azure AD Join and Intune MDM enrollment in one easy step, Microsoft made it drop dead simple to bring devices into well-managed state that complies with corporate policies.
To get started, let’s talk about some of the major capabilities in Windows 10 that will be powered by Azure AD:
- Self-provisioning of corporate owned devices. With Windows 10, employees can configure a brand new device in the out-of-box experience, without IT involvement.
- Use existing organizational accounts. Employees can use their Azure AD account to login to Windows (the same account they use to sign into Office365).
- Automatic MDM enrollment. Windows 10 PC’s and tablets can be automatically enrolled in an organizations device management solution as part of joining them to Azure AD. This will work with Microsoft Intune and with 3rd party MDMs.
- Single Sign-On to company resources in the cloud. Users will get single sign-on from the Windows desktop to apps and resources in the cloud, such as Office 365 and thousands of business applications that rely on Azure AD for authentication.
- Single Sign-on on-premises: Windows 10 PC’s and tablets that are joined to Azure AD will also provide SSO to on-premises resources when connect to the corporate network and from anywhere with the Azure AD Application Proxy.
- Enterprise-ready Windows store. The Windows Store will support app acquisition and licensing with Azure AD accounts. Organizations will be able to volume-license apps and make them available to the users in their organization.
- Support for modern form factors. Azure AD Join will work on devices that don’t have the traditional domain join capabilities.
- OS State Roaming. Things like OS settings, Desktop wall paper, Tile configuration, websites and Wi-Fi passwords will be synchronized across corporate owned Azure AD joined devices.
Azure Active Directory Device Registration is the foundation for device-based conditional access scenarios. When a device is registered, Azure Active Directory Device Registration provisions the device with an identity which is used to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce conditional access policies for applications that are hosted in the cloud and on-premises.
When combined with a Mobile Device Management solution such as Intune, the device attributes in Azure Active Directory will be updated with more information about the device. This allows you to create conditional access rules that enforce access from devices will meet your standards for security and compliance.
Azure Active Directory Device Registration is available in your Azure Active Directory. The service includes support for iOS, Android, and Windows devices. I’m testing below with Windows 10 standalone workstation.
Scenarios enabled by Azure Active Directory Device Registration
- Conditional Access to applications that are hosted on-premises: You can use registered devices with access policies for applications that are configured to use AD FS with Windows Server 2012 R2. For more information about setting up conditional access for on-premises, see Setting up On-premises Conditional Access using Azure Active Directory Device Registration.
- Conditional Access for Office 365 applications with Microsoft Intune: IT admins can provision conditional access device policies to secure corporate resources, while at the same time allowing information workers on compliant devices to reach the services. For more information, see Conditional Access Device Policies for Office 365 services.
Get your subscriptions
- Microsoft Intune: If you do not have an existing subscription to Microsoft Intune, you can sign up for a trial subscription.
Azure AD Premium is required to configure automatic MDM enrollment with Intune. If you do not have a subscription, you can sign up for a trial subscription.
Enable Azure Active Directory Device Registration
Enable Azure AD Registration in the Azure Portal: Log on to the Azure Portal as Administrator –> ‘Active Directory‘ –> ‘Directory‘ –> ‘Configure‘ –> ‘Devices‘ –> ‘Users may workplace join devices’
Configure Azure Active Directory Devices Registration discovery
If you don’t have a custom vanity domain associated with your Azure AD/Office 365 subscription, you can skip this section. My default domain is testlab.onmicrosoft.com, so I don’t need this extra configuration.
Otherwise, if the domain name of your choise whose DNS domain name that is currently not in used on the Internet, you’ll need to add the following two DNS records for the domain at your DNS host.
Configure automatic MDM enrollment
In the Azure management portal, navigate to ‘Active Directory’ node and select your directory and then ‘Applications’ tab you should see Microsoft Intune in the list of applications. Note that if you do not have an Azure AD Premium subscription or do not have a Microsoft Intune subscription you will not see Microsoft Intune in the list of applications.
Click on the arrow and you should see a page that enables you to configure Microsoft Intune.Click the ‘Configure’ button to start configuring automatic MDM enrollment with Microsoft Intune. On the Configure tab of this page, you can see a couple of URLs for Intune:
MDM Enrollment URL – This URL is used to enroll Windows 10 devices for management with Microsoft Intune. This is done automatically when users join their devices to Azure AD or when they add a work account to their Windows 10 machine, if automatic MDM enrollment is enabled for them.
MDM Compliance URL – When a device is found to be out of compliance, Azure AD’s conditional access control engine will block access to users for applications that require compliant devices. In this scenario an access denied message will be displayed to end users. Users will also see this compliance URL on the access denied page. The compliance URL helps end users understand why their device is not compliant with policy and how they can bring it back into compliance.
You do not need to change any of these URLs. They are automatically configured for your Azure AD tenant.
On scrolling down further, you will notice a setting that lets you specify which users’ devices should be managed by Microsoft Intune. These users’ Windows 10 devices will be automatically enrolled for management with Microsoft Intune.
Joining a device to a domain in a hybrid AD environment
Some attributes in the Intune Admin portal are not correct.
IMPORTANT: as I said at the beginning, after these steps you can just use the conditional access feature of Microsoft Intune and you have a basic hardware inventory. But you cannot manage your device!
Through the power and simplicity of a highly secure Azure AD account, users can immediately get access to corporate resources and the applications they need to be productive, while IT can be assured that those devices are secured for (via Azure AD) and (via Intune) from the first minute of business life. Customers can also optionally choose to upgrade from Pro to Enterprise by simply passing a key through Intune. This means easily adding additional management (as afforded by the Enterprise SKU) simply by passing this key – there isn’t even a need to reimage!