Join a corporate owned Windows 10 device to Azure Active Directory with automatic Intune enrollment
With Windows 10 just around the corner, many organizations are look at what features it can bring to the table. One of them that I’m extremely excited about is the one where users can join their corporate owned devices, or for that matter their personal devices as well, to Azure Active Directory straight of the box. No IT-department involvement required, you just unpack the device, sign in and you’re ready to go.
In this post I’m gonna demonstrate how that work flow looks like, but I want you to bare in mind this is based of a preview of Windows 10 (build 10130). As with this build, from what I can understand and have seen from Microsoft at Ignite, the current build does not include the upcoming OOBE experience when you’re joining the Windows 10 device to Azure Active Directory. What Microsoft is aiming for is to prompt you with a question if you’d like to enable enrollment of your device with Intune, right after you’ve joined the device with your work credentials (Azure Active Directory credentials). You can read more about that here:
Joining a corporate owned device to Azure Active Directory
Let’s create a scenario that we’ll work with through this post. A user called James has just been handed a new device from the company that he works at, that has not been pre-deployed or configured by the IT-department. Basically James has just received it off the shelf. James wants to be up and running as quickly as possible and make sure that he has access to his cloud-based apps and that he is compliant with the company policies, meaning that his new device needs to be managed. James is aware of his work credentials, that have been synchronized to Azure Active Directory.
Again, this is still in preview. Now that we have that out of the way, here goes.
1. Once James starts up his new device that came with Windows 10 pre-installed, he’s presented with the following screen:
2. After he’s selected the Use Express setting, he waits a while looking at the spinning wheel.
3. Now James get’s an option to select who owns this the device that he’s just received. Since it’s a corporate owned device, James selects My organization and clicks Next.
4. Another spinning wheel is shown for a second while James waits, and is then presented with an option where he can choose to join Azure Active Directory or a on-premise domain. James selects Join Azure AD and clicks continue, because that’s what he’s been instructed to do in order to get up and running as quickly as possible.
5. James is now asked to enter his work credentials. Once he’s entered them correctly, he clicks on Sign in. In the final release of Windows 10, I’m assuming that at this point, James is asked if he’s like to automatically enroll the device into Intune. This is just speculations, we’ll have to see what the final product looks like.
6. A white screen informs James that he has to wait while the device is being joined to Azure Active Directory.
7. Once the join has taken place, James can see that his new device is being setup and some apps are being installed.
8. The next step is for James to create a work PIN, he does so by clicking on Create PIN.
9. James enter a PIN that he can easily remember and clicks on OK.
10. After waiting a short while, James is being logged on and is presented with the Desktop of Windows 10.
James is now up and running with his corporate owned device that is joined to Azure Active Directory. The next step for James is to enroll his new device into Intune.
Enroll a corporate owned device with Windows 10 in Intune
As I described before, this step is not required for if the user chooses to automatically enroll into Intune during the OOBE phase. But I’ve chosen to include this anyway to show you how it can be done manually. Let’s go back to our scenario with James.
1. James clicks on Start and then chooses Settings.
2. He then clicks on Accounts.
3. Now he clicks on Work access in the left menu. As you can see in the picture below, James account information shows up as AzureAD\JamesAndersson. This means that he’s logged on with his work credentials.
4. James clicks on the Connect button.
5. James enters his email address and clicks on Continue.
6. After entering his password, he clicks on Sign in.
7. The enrollment process is now completed, and James clicks on Done.
8. As shown in the picture below, James has successfully enrolled his new device and can now become compliant with company policies.
I really can’t stretch it any further, but I want to point out that this is still a preview of how it currently looks in Windows 10. But I wanted to give you an idea of what’s coming and how it can be leveraged in a User Drive enrollment scenario.
Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.