In the previous article, we explored various enrollment concepts. Now, we setup our new Microsoft Intune environment. This guide provides a full guide of steps necessary for a successful enrollment with Windows Autopilot.
Overview
Domain Setup
Microsoft 365 Admin Center
To use Microsoft Intune and Windows Autopilot properly, it’s recommended to use a custom domain. Let’s set this up. Open the “Domains” section in the M365 admin center and follow these steps to add the necessary DNS records for Microsoft Intune.
DNS Records
Enterprise Registration
| Type | Hostname | Value | TTL |
| CNAME | enterpriseregistration | enterpriseregistration.windows.net | 3600 |
Enterprise Enrollment
| Type | Hostname | Value | TTL |
| CNAME | enterpriseenrollment | enterpriseenrollment-s.manage.microsoft.com | 3600 |
Check
After adding DNS records, Microsoft checks them. If the necessary records are published by your DNS provider, your “Domain Section” in the admin center should look like this:
To ensure everything is set up correctly, go to the Intune admin center and start CNAME validation from here.
Enrollment Settings
Automatic Enrollment Overview
- MDM User Scope: This setting allows you to specify which users in your organization will be managed by Intune’s MDM (Mobile Device Management) capabilities. Options include “none” for no users, “Some” for specific users or groups, and “All” for every user.
- MDM URLs: Terms of use, discovery, and compliance URLs for MDM are provided. The discovery URL is particularly important as it allows devices to locate the MDM service. The compliance URL is used to manage or display compliance policies.
Strategy
DEM-User
If you decide to use a Device Enrollment Manager (DEM) user to set up your devices, create an enrollment group with the name “AZ-S-DEM-Enrollment” and add every eligible user from your IT department to it. Now, switch the “MDM user scope” to “Some” and select the group that was created earlier.
To change these users into Device Enrollment Managers (DEM), additional steps are necessary. Go to the Enrollment section and select the “Device Enrollment Managers” tab, then add any eligible user from your IT department.
Here, you’ll find an explanation of DEM users, their benefits, and limitations.
User Enrollment
If you want your users to be able to self-enroll their devices, you have multiple options. The simplest method is to enable MDM enrollment for everyone. However, this is also the most insecure and uncontrollable method. With Microsoft Intune, our goal is to provide a managed device environment while maintaining control over all aspects. Therefore, I recommend creating a group named “AZ-S-Self-Enrollment” and adding every eligible user to it. Alternatively, you could create a dynamic group “AZ-D-Self-Enrollment” and filter users based on a specific attribute or license.
After setting up the group, change the “MDM user scope” to “Some” and select the group you previously created.
Restrictions
Device plattform restrictions
With device platform restrictions, you can define which type of device is allowed to be managed with Intune. You can find this setting in the Intune admin center. Click on “All Users” > “Properties”, and you will see this page.
Click on “Edit” and adjust the settings to your company’s needs. Consider the following situations:
BYOD (Bring your Own Device)
If your company allows users to onboard their own personal devices, you have to allow personally owned devices. If your company uses only Windows devices, you should block the other types.
It’s optional to set a minimum/maximum range of (Windows) OS versions. To avoid outdated systems and problems with newer Intune services, I would recommend adding Windows 10 22H2 as the minimum OS version if possible.
Company Owned Devices Only
If your company only allows company devices, please disable every option to use personally owned devices.
Device limit restrictions
This section defines the limit of devices a user can enroll and can be found here. The default value is 5, which means a user can enroll up to 5 devices, including Windows, MacOS, iOS, or Android devices (if you have allowed it in device platform restrictions). Adjust this value according to your company’s needs.
I would set it to 2, because in most situations a user has a notebook / pc and a phone.
Windows Autopilot Setup
Please have a look at my previous post to see how to add devices to Windows Autopilot.
Overview of Windows Autopilot Enrollment
Deployment Profile
Every Windows device will reach out to Autopilot Service during the setup process, if it’s associated with a tenant then Windows Autopilot will provide it with your “Windows Autopilot Deployment Profile” of your choice.
In his blog, Rudy offers a comprehensive and precise description what happens during autopilot deployment.
Windows Autopilot Deployment Profiles can be created here. An “Entra ID only join (user-driven)” profile looks like this:
Basics
- Name: The identifier of the configuration profile.
- Description: A field to add additional information about the profile.
- Convert all targeted devices to Autopilot: Here you define if every device will be automatically converted to an Autopilot-device or not.
- Device type: Specifies the type of device the profile, in this case, a Windows PC.
Out-of-box experience (OOBE)
- Deployment mode: Set to “User-Driven,” which means the setup process is initiated by the user. It could also be set to “Self-Deploying”. If you use this method, please have a look at my last blogpost for more information.
- Join to Microsoft Entra ID as: The device will join Microsoft Entra as part of its configuration. You could select hybrid join if it’s needed.
- Language (Region): Set to “Operating system default,” meaning the device will use the default language and region settings of the operating system. It’s possible to set your own region here.
- Automatically configure keyboard: The keyboard layout will be configured automatically to what you set in “Language (Region)”.
- Keep in mind that not every language and keyboard layout is pre-installed in every Windows version. If you want a specific region/language, for example, English (UK), but with a EN-SG (Swiss German keyboard), it’s not possible to set it in the deployment profile. To set a specific language scenario, I recommend working with scripts. More on that in a future post.
- Microsoft Software License Terms: Set to “Hide,” indicating these terms will not be shown to the user during setup.
- Privacy settings: Also set to “Hide,” so privacy settings will not be visible to the user during the setup.
- Hide change account options: The option to change account settings is hidden during setup.
- User account type: Designated as “Standard,” meaning the user will not have administrative privileges.
- Allow pre-provisioned deployment: This is set to “Yes,” allowing for deployment scenarios where the device is set up before being given to the user. Please have a look at this post.
- Apply device name template: Specific naming templates can be used for the device with Entra ID Join. It’s not supported with Hybrid Join
- Enter a name: Here, a template for the device name is provided as “COMP-CLI-%RAND:3%,” where %RAND:3% will generate a random three-character string for each device name.
Assignments
- Included groups: Specifies the groups assigned to the profile.
- Excluded groups: Specifies the groups excluded from this profile.
Self-deploying is generally available now! To learn more about it please read my previous post.
Enrollment Status Page
The last part of the configuration/enrollment process involves the Enrollment Status Page (ESP). It can be accessed as follows: Navigate to “All users and all devices” > “Properties”, where you’ll encounter the default configuration, which appears as follows:
Boring right? While many people may prefer it this way, I like to know what the device is doing. So, let’s turn it on to view every parameter of the configuration:
Explanation
- Show app and profile configuration progress: When enabled, it allows users / admins to see the configuration progress of assigned apps and profiles during the initial device setup and first sign-in.
- Show an error when installation takes longer than specified number of minutes: If an app installation exceeds 60 minutes, an error will be shown. I recommend to set it to a lower value, otherwise you’ll lose too much time in case of an error.
- Show custom message when time limit or error occurs: When enabled, a custom message will be displayed if the setup time exceeds the specified limit or if an error occurs.
- Turn on log collection and diagnostics page for end users: If enabled, this allows end users to view a page that collects logs and diagnostics.
- Only show page to devices provisioned by out-of-box experience (OOBE): When enabled, only devices set up through OOBE will display the enrollment status page.
- Block device use until all apps and profiles are installed: This setting, when enabled, restricts the use of the device until all applications and profiles are fully installed / deployed.
- Allow users to reset device if installation error occurs: When enabled, users are permitted to reset their device, if there is an error during the installation process.
- Allow users to use device if installation error occurs: If enabled, users can use the device even if an installation error occurs.
- Block device use until required apps are installed if they are assigned to the user/device: This setting ensures that the device use is blocked until all the required apps that are assigned to the user or device are installed. It can be set to apply to all required apps or only selected ones.
That’s it
After setting up the Enrollment Status Page and completing all the previous steps described in this post, you’re theoretically ready to set up your first device with Microsoft Intune. But wait, there are settings needed for your devices, right? More on that in the next post.
