Configure automatic Microsoft Intune enrollment of Windows 10 devices when joining Azure Active Directory
If your company is evaluating Windows 10, which I assume it is, one of the new features in Windows 10 is that your end users can join their off-the-shelf Windows 10 PC to Azure Active Directory. With this feature, users simply need to know their email address and password to get started. IT departments, in turn, can configure their Azure Active Directory subscription to automatically enroll AAD-joined devices with Microsoft Intune. To me, this capability is simply brilliant. End users can now just log on, get all their settings and apps, and automatically be managed by the IT department.
In this post I intend to outline the steps required to set up an Azure subscription with Azure Active Directory for automatic Microsoft Intune enrollment.
In order to enable this in your Azure Active Directory subscription, you'll need to have purchased Azure Active Directory Premium licenses (or set up a 30-day trial). Besides the Premium licenses, you'll of course also need a Microsoft Intune tenant. To set up a demo environment for demonstrating this feature, I performed the following steps:
- Registered a Microsoft Intune tenant by signing up for a 30-day trial
- Signed up for Azure with the tenant created for Microsoft Intune
- Added a 30-day trial of Azure Active Directory Premium
- Assigned an Azure Active Directory Premium license to my Global Administrator account (this is required to be able to configure the Microsoft Intune app through the Azure portal)
At this point, I’ve created a few test users and an All Users group in the Azure Active Directory. This group comes in handy at a later stage when we’re about to configure the Microsoft Intune application through the Azure portal.
It's also worth mentioning that every user whose Azure Active Directory joined devices are going to be automatically enrolled into Microsoft Intune needs to have an Azure Active Directory Premium license assigned.
This can be managed in the Azure portal under your Azure Active Directory – Licenses – Azure Active Directory Premium. See screenshot below:
Configure Microsoft Intune application in Azure portal
Before we configure anything in Azure Active Directory, it's important that you've set your Microsoft Intune tenant as the MDM authority so it can manage your mobile devices. This can be done by following this great documentation on TechNet:
In addition to configuring the MDM authority in Microsoft Intune, you'll also need to create a DNS CNAME record with your public DNS registrar for your domain. Follow the TechNet documentation below:
When you've configured your DNS correctly, you can verify it by opening the Intune Admin console, going to Admin – Mobile Device Management – Windows and entering your domain in the Test Auto-Detection field, see picture below:
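As an added example (not part of the original post, and not a Microsoft tool), the same auto-discovery DNS records can be checked from any Windows 8 or later machine with the built-in Resolve-DnsName cmdlet before you use the Test Auto-Detection field. The expected CNAME targets below are the ones Microsoft documents for Intune auto-discovery as I know them; treat them as an assumption and re-check them against the current TechNet documentation linked above for your tenant.

```powershell
# Added example: verify the DNS CNAME records Windows 10 uses to auto-discover
# the MDM enrollment server for a domain. Not code from the original post.
param(
    [Parameter(Mandatory)][string]$Domain   # the verified domain users sign in with, e.g. contoso.com
)

# Expected record -> target mapping (assumption: Microsoft's documented values, verify for your tenant)
$expected = @{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

foreach ($name in $expected.Keys) {
    try {
        # Resolve-DnsName ships with the DnsClient module on Windows 8 / Server 2012 and later.
        # -ErrorAction Stop turns "name does not exist" into a catchable exception.
        $record = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.QueryType -eq 'CNAME' } |
                  Select-Object -First 1
        $actual = $record.NameHost
    } catch {
        $actual = $null   # no CNAME published for this name
    }

    # Hostnames are case-insensitive, so compare with -ieq
    if ($actual -and ($actual -ieq $expected[$name])) {
        $status = 'OK'
    } elseif ($actual) {
        $status = 'WRONG TARGET'
    } else {
        $status = 'MISSING'
    }

    [pscustomobject]@{
        Record   = $name
        Expected = $expected[$name]
        Actual   = $actual
        Status   = $status
    }
}
```

Run it as `.\Test-MdmDnsRecords.ps1 -Domain contoso.com` (the script name is mine). A MISSING or WRONG TARGET row means a Windows 10 device using that domain will not find the enrollment server on its own, which is exactly the failure the Test Auto-Detection field in the Intune Admin console would also report.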
When all of this is taken care of, let’s start configuring Azure Active Directory.
1. Once you have your Microsoft Intune tenant set up and the Azure subscription with a Premium license assigned to your Global Administrator account, go into your Azure Active Directory (mine is called EMS Management).
2. Click on the Applications option in the top menu, and click on Microsoft Intune.
3. Click on Configure.
4. On the Properties view of the Microsoft Intune application, make sure that the following is configured:
MDM Enrollment URL: https://manage.Microsoft.com/enrollmentserver/discovery.svc
MDM Compliance URL: https://portal.manage.microsoft.com/?portalAction=Compliance
5. This is where the All Users group I created earlier comes in handy. As you've probably noticed, there's a section under the URL settings where you configure which users' devices should be managed by the MDM service, in this case Microsoft Intune. To get going quickly you could simply select the ALL option, but that would mean every single user in your Azure Active Directory. You may want to narrow it down and control it with some sort of group membership instead. Click on GROUPS and choose Select Groups.
6. In the window that appears, click on the + sign next to the group of users you want to add. The group will then be shown in the right pane under the Selected view. Click the check mark button when you’re ready. Remember to save your configuration by clicking on the Save button in the middle at the bottom of the page.
Note, you can of course add several groups.
7. When you’ve configured everything, it should look similar to the following:
Now you’ve successfully configured the Microsoft Intune application in your Azure Active Directory to automatically enroll devices once they are joined to Azure Active Directory. It’s not really complicated at all to be honest, as you’ve seen in this post. Your users can now simply just go and buy any off-the-shelf PC they desire and in a heartbeat be compliant with company policies.
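Two things in the procedure above have to line up for enrollment to actually happen: a user must be in a group selected under GROUPS, and that user must hold an Azure Active Directory Premium license. The following script is an added example (mine, not from the original post or from Microsoft) that audits a group for members lacking the license. It assumes the MSOnline PowerShell module (Connect-MsolService and the Get-Msol* cmdlets) and that the Premium SKU part number in your tenant is AAD_PREMIUM; the group name defaults to the All Users group used in this post.

```powershell
# Added example: report members of the MDM-scoped group that have no
# Azure AD Premium license. Not code from the original post.
# Assumes the MSOnline module is installed and you are a Global Administrator.
param(
    [string]$GroupName     = 'All Users',    # group selected under GROUPS in the Microsoft Intune app
    [string]$SkuPartNumber = 'AAD_PREMIUM'   # assumption: check Get-MsolAccountSku for your tenant's value
)

Connect-MsolService   # prompts for the Global Administrator credentials

# Resolve the tenant-specific AccountSkuId (looks like "tenantname:AAD_PREMIUM")
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant" }

# SearchString is a prefix match, so pin the result to the exact display name
$group = Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }
if (-not $group) { throw "Group '$GroupName' was not found" }

$report = foreach ($member in Get-MsolGroupMember -GroupObjectId $group.ObjectId -All) {
    # Nested groups are not expanded here; only direct user members are checked
    if ($member.GroupMemberType -ne 'User') { continue }

    $user = Get-MsolUser -ObjectId $member.ObjectId
    $licensed = [bool]($user.Licenses | Where-Object { $_.AccountSkuId -eq $sku.AccountSkuId })

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        HasAadPremium     = $licensed
    }
}

$report | Sort-Object HasAadPremium, UserPrincipalName | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.HasAadPremium })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} user(s) in '{1}' have no {2} license; their Azure AD joined devices will not auto-enroll." -f $missing.Count, $GroupName, $SkuPartNumber)
}
```

Running this after you save the GROUPS selection catches the quiet failure mode of this setup: a user in the right group but without the Premium license joins the PC to Azure AD successfully, yet the device never shows up in the Intune Admin console. Scoping enrollment to a group rather than ALL also keeps the set of users whose devices can be pushed policy small and reviewable, which is the least-privilege choice for this setting.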
End user experience when joining Azure Active Directory
In a previous post, I showed what the experience looked like in the Windows 10 Preview. Not much has changed really, so I won't go over every step again. I will highlight the important part of the process, where the end user simply selects to join his or her new off-the-shelf PC to Azure AD in the OOBE.
Once the user has either accepted the express settings for privacy and other options or adjusted them, he or she is presented with a choice of how to join this PC. Azure AD is selected, as in the screen below:
Another screen is then presented with the work account and password fields for the user to fill in. Clicking Sign in results in the PC not only being joined to Azure Active Directory; with the configuration we've set up in this post, the PC will also be managed automatically by Microsoft Intune.
Once the user is taken to the desktop after creating a PIN, we can see in the Settings app under Accounts that the PC is indeed enrolled into Microsoft Intune:
If we check the Intune Admin console under Groups – All Devices – Ungrouped Devices, we can see that the PC has in fact been enrolled into Microsoft Intune:
Pretty slick and easy! As I've stated before, I think this sort of mobile device management is going to increase within companies with the release of Windows 10. This cloud-optimized management solution is great for companies looking to make their workforce more productive right out of the box. For organizations looking at Windows 10 management with ConfigMgr and EMS (Microsoft Intune), this procedure works exactly the same way, only the PC will end up in ConfigMgr, being managed as a mobile device through the Microsoft Intune service.
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.