When setting up new Intune environments, choosing the right enrollment strategy is key. What enrollment options are there, and what steps are necessary for their implementation? In the coming posts, I will answer those questions and provide a detailed insight into the world of Intune enrollment strategies.
The basic structure of Intune Device Enrollment
Architectures
Entra ID Join
Enrollment methods in Intune
User-Driven
With this method, the system-level configurations and apps are installed first and the device is sealed. A user then has to sign in so that all configurations, apps, etc. assigned to that user are installed.
Self-Deploying
With this method, a user is first assigned in the Intune Admin Center. After that, the device goes through all the setup steps (configurations, apps, etc.) in both the computer and the user context.
Hybrid Join
Enrollment methods in Intune
User-Driven:
After the configuration and installation of the system-related configurations and apps, as well as the subsequent sealing, a user login is required.
Windows Autopilot
What’s Windows Autopilot?
Windows Autopilot is a service from Microsoft that helps IT administrators automatically set up and prepare new Windows devices without having to manually configure them. Once a device is connected to the internet and registered with Autopilot, it can be automatically configured with the correct settings, apps, and policies specific to a user or group.
The process typically begins with the hardware manufacturer or IT administrator uploading the device information into the Autopilot service. When the end user starts the device for the first time and establishes an internet connection, Windows Autopilot recognizes the device and applies the pre-configured settings, simplifying the setup process. This significantly reduces the time and effort for IT departments, since neither the device nor IT personnel need to be physically present, while also providing a user-friendly setup experience for the end user.
New Devices
Option 1: Automatic registration by the manufacturer in Intune
When ordering the required devices directly from the manufacturer or through a reseller, one can ask them to register the devices in one’s own Windows Autopilot tenant. For this, the Tenant ID must always be provided. Once the manufacturer has been granted the appropriate permissions, it can register the devices independently.
Option 2: Automatic registration through script
If the devices have not already been registered in Windows Autopilot by the OEM, this can easily be done by oneself using the script “get-windowsautopilotinfo” provided by Microsoft. However, to prevent the script from prompting for a username and password, an App Registration in Entra ID must be created.
App Registration Setup
- Open App Registration Page
- Create a new registration -> “New Registration”
- Enter a name like “Windows Autopilot Registration”
- Select API permission
- Add permission
- Choose Microsoft Graph
- Select Application permission
- Grant the following permission: DeviceManagementServiceConfig.ReadWrite.All
- Then click on “Grant admin consent for ‘Tenantname’”
- Afterward, select Certificates and secrets and create a new client secret
- Give the secret a name like “Windows Autopilot Registration Token”
- Copy the client secret (AppSecret), Application ID (AppId), and Directory ID (TenantId)
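The same app registration can be created from the command line. The following is an added example (not from the original post) using the Microsoft.Graph PowerShell SDK; it assumes the module is installed, the signed-in admin may create applications and grant consent, and the display names and the 14-day secret lifetime are chosen here as examples.

```powershell
# Added example: create the Autopilot app registration with the Microsoft.Graph SDK.
# Assumptions: Microsoft.Graph module installed; the admin running this may create
# applications and grant admin consent. Names and the secret lifetime are examples.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Look the app role up by name so no permission GUID has to be hard-coded.
$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'DeviceManagementServiceConfig.ReadWrite.All' -and
    $_.AllowedMemberTypes -contains 'Application'
}

# 1. The registration itself, requesting only the single application permission
#    that Get-WindowsAutopilotInfo -Online needs (least privilege).
$app = New-MgApplication -DisplayName 'Windows Autopilot Registration' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphAppId
        ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' })
    }
)

# 2. Service principal in the tenant plus the app role assignment, which is what
#    "Grant admin consent for 'Tenantname'" does in the portal.
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# 3. Client secret that expires shortly after the rollout window instead of the
#    portal default; the secret will sit in clear text on a USB stick.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Windows Autopilot Registration Token'
    EndDateTime = (Get-Date).AddDays(14)
}

# The three values Autopilot.ps1 needs. SecretText is returned only once.
[pscustomobject]@{
    TenantId  = (Get-MgContext).TenantId
    AppId     = $app.AppId
    AppSecret = $secret.SecretText
}
```

Remove the secret with Remove-MgApplicationPassword once the devices are registered.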
Scripts
Autopilot.cmd
powershell.exe -executionpolicy bypass -file .\autopilot.ps1
Autopilot.ps1
# Make the NuGet provider available so Install-Script can reach the PowerShell Gallery
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
# Install the Microsoft script and make its install folder reachable in this session
Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Register this device non-interactively with the app registration created above.
# The AppSecret grants write access to Autopilot device registration to anyone holding
# the USB stick, so use a short-lived secret and delete it after the rollout.
get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx
The following information must be inserted into the script: TenantId, AppId, AppSecret.
Source: https://powershellisfun.com/ – Great blog, highly recommended!
After that, both scripts need to be copied to a USB stick. During the Windows setup of the respective device, open a CMD window with Shift + F10, navigate to the USB stick (usually drive F:), and enter the following command: autopilot.cmd
Afterward, the script automatically performs all the steps for registration with Windows Autopilot, and the devices become visible in the Windows Autopilot devices list in the Intune Admin Center.
Option 3: Manual Registration (online or via CSV)
During the setup of a device, press Shift + F10 to open a CMD window. Start PowerShell from it and then enter the remaining commands in that PowerShell session to perform the manual online registration with Windows Autopilot:
PowerShell.exe -ExecutionPolicy Bypass
# from here on, inside the PowerShell session started above
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Script -Name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutopilotInfo -Online
Alternatively, the hardware hash can also be written to a CSV file:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
With this approach, the CSV file must then be manually uploaded in the Intune Admin Center.
Existing devices
Option 1: Automatic Registration via GPO (Hybrid)
For this, a Group Policy must be created on the domain controller.
Path: Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Microsoft Entra credentials.
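To verify on a client that the policy has arrived and the device has actually reached Intune, the following check can be run. It is an added example, not part of the original post; it assumes the policy registry path, the dsregcmd /status fields and the enrollment event log of current Windows 10/11, and the function name is chosen here.

```powershell
# Added example: verify automatic MDM enrollment on a hybrid-joined client.
# Assumes the MDM policy registry path, dsregcmd /status field names and the
# enrollment diagnostics log of current Windows 10/11; function name is an example.
function Test-AutoMdmEnrollment {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $result = [ordered]@{}

    # 1. The GPO writes AutoEnrollMDM=1 and the credential type (1 = user, 2 = device).
    $p = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $result.PolicyApplied  = ($p.AutoEnrollMDM -eq 1)
    $result.CredentialType = switch ($p.UseAADCredentialType) {
        1       { 'User' }
        2       { 'Device' }
        default { 'not set' }
    }

    # 2. Auto-enrollment requires a hybrid join: DomainJoined and AzureAdJoined must be YES.
    #    MdmUrl is only filled once the device is enrolled.
    $status = dsregcmd /status
    foreach ($field in 'DomainJoined', 'AzureAdJoined', 'MdmUrl') {
        $line = $status | Select-String -Pattern "^\s*$field\s*:\s*(.+)$" | Select-Object -First 1
        $result[$field] = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { 'n/a' }
    }
    $result.Enrolled = ($result.MdmUrl -ne 'n/a')

    # 3. The enrollment client logs failures here (Level 2 = Error), e.g. missing license
    #    or a user outside the MDM user scope.
    $errors = Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents 200 -ErrorAction SilentlyContinue | Where-Object Level -eq 2
    $result.RecentEnrollmentErrors = @($errors).Count

    [pscustomobject]$result
}

Test-AutoMdmEnrollment
```

Run it in an elevated PowerShell on the client after gpupdate has applied the policy.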
ADMX-Template / Settings missing?
Optional steps after registration
- Registration of devices for Windows Autopilot using the scripts described above. These can be distributed as a logon script via GPO.
- Alternatively, all clients can also be converted to Autopilot devices via a deployment profile in Intune. However, this should be approached with caution. More on this in a future post.
Option 2: Reinstalling the client
Especially with older devices, it is recommended to reinstall them when switching to Intune. This way, you’ll get a standardized installation without any previous errors or legacy problems. After reinstallation, the devices can be added to Windows Autopilot via script.
Option 3: Co-Managed
If Microsoft Endpoint Configuration Manager is already in use, workloads can be gradually shifted to Intune. This allows for a smooth transition from MECM to Intune. More on this here or in a future post.
Why no Hybrid-Join?
Cloud Kerberos trust (Cloud Trust)
This configuration allows for a trust relationship between the local domain and Entra ID / Azure. As a result, devices that are only connected to Entra ID can also access local resources such as network drives and printers.
ADMX-Import
All ADMX files can be easily imported into Intune. Subsequently, all settings, similar to an existing GPO, can also be created as an Intune configuration profile.
GPO-Analyzer
The GPO Analyzer included in Intune allows for the analysis of existing GPOs and their native representation in Intune, provided the corresponding settings are available.
More advantages of Entra ID (only) Join
- Faster Setup
- More flexible
- No local components
- Best Practice
Procedure
Inventory of the existing environment
Analysis of the existing environment. The following questions could be asked:
- How have devices been set up so far?
- What software was used?
- What were the key features of the software?
- How much time was required per device?
- What user interactions were necessary?
- What applications are installed?
- Are these specially configured?
Moreover, it is important to examine how and, most importantly, with which settings the clients were provisioned. Which GPOs are in use and why? Are some even duplicated? Can these be represented in Intune? If only partially, how could the other parts be implemented? Possibly with scripts? Or in another way?
The answers to all these questions should be summarized in a document and discussed with the respective contacts.
Decision on the rollout architecture
Based on the inventory, it can now be decided whether a device will be hybrid joined or only Entra ID joined.
In most cases, an Entra ID Only Join can be realized without any problems. Virtually all scenarios are feasible this way (in conjunction with Cloud Kerberos trust). If a customer, for example, cannot commit to a cloud-only setup due to regulations, a hybrid setup must be chosen.
Decision on the rollout method: Existing devices
If the devices are in a Windows domain, the initial “Intune Join” can be done via GPO. Afterward, it is recommended to add the devices to Windows Autopilot via script.
However, the crucial question arises: Do you want to proceed with the hybrid setup or offer the devices as Entra ID Joined? In the latter case, the devices now in Windows Autopilot could be reset via Autopilot Reset and joined as Entra ID only. If you opt for a hybrid setup, this step is not necessary.
Decision on the rollout method: New devices
Depending on the architecture, you now have more or less of the above-described rollout methods to choose from. The following questions can help with the decision:
- How is the workload distribution between internal IT and the user managed?
- Can the users take over part of the setup? For example, self-enroll for apps in the user context, or should the entire setup be covered by pre-provisioning from internal IT?
- If the setup is taken over by the IT department, should this be done via several authorized users or through a so-called DEM (Device Enrollment Manager) user?
- Is there a BYOD (Bring Your Own Device) approach or not?
Depending on how the above questions were answered, the following approaches can be chosen among others:
- The user orders the device to their home, logs in during setup, and the device is configured.
- IT orders the device, installs apps (computer context), seals the device, and sends it to the user. The user logs in, and the device installs the apps in the user context.
- IT orders the device and has it completely set up using a DEM (Device Enrollment Manager) user, then sends it to the user.
Next steps
After all parameters have been defined and documented, it’s time to move on to implementation. All further steps, such as setting up the deployment profiles, and much more, are described in detail in the next post of the series “Get started with Intune 2024.”