This video covers the following areas of configuration in support of setting up and configuring the Intune Connector for Active Directory. The solution supports auto-enrollment and Autopilot enrollment into Microsoft Intune.
Video Content:
- Gather Information you’re going to need.
- Required Network endpoints for Microsoft Intune.
- Identify Server for Connector setup installation.
- Create a service account Intune Connector service.
- Setup and enable Windows Automatic MDM Enrollment
- Create an Organizational Unit for autopilot enrolled device accounts.
- Create and Provision OU for autopilot enrolled device objects.
- Configure Hybrid Azure AD-joined devices for Active Directory.
- Network connectivity requirements for Hybrid.
- Configure Hybrid AAD Join Managed Domains with Azure AD Connect.
- Clear Service Connection Point entry in Active Directory.
- Enable Device Synchronization with Azure AD Connect.
- Deploy, Configure SCP Group Policy for Automatic device enrollment.
- Install the Intune Connector for Active Directory.
- Create a domain joined device configuration profile.
- If Using Intune Proxy, Configure Web Proxy – Optional.
- Create a Dynamic Device Group and a User Group.
- Register Autopilot devices.
- Setup Deployment Profile to Register Devices.
- Use Windows PowerShell to Register devices
- Use Desktop using Settings > Accounts to Register devices
- Use Configuration Manager to get Hash IDs
- Upload Device Hash IDs in Intune to Register devices
- Use Windows 11 Diagnostics page hash export
- Configure device settings supporting configurations
Reference requirements
- Service overview and network port requirements for Windows
- How to configure a firewall for Active Directory domains and trusts
- Hybrid Identity Required Ports and Protocols
Articles for Reference
- Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot
- Work with existing on-premises proxy servers
- Understanding hybrid Azure AD join and co-management
- Plan your hybrid Azure Active Directory join implementation
- Hybrid Azure AD join targeted deployment
- Configure hybrid Azure AD join – Setup Azure AD Connect
- Required Network endpoints for Microsoft Intune
- Configure hybrid Azure AD join
- Desktop Hash Export
- Manually register devices with Windows Autopilot
- Gather information from Configuration Manager
- Download Azure AD Connect
- Configure Azure AD Device Settings
- Network endpoints for Microsoft Intune
Help and Support
If anyone needs assistance and/or has a question, I can be reached on Telegram > https://t.me/IntuneExperts.
Hybrid Azure AD + Intune Connector for Active Directory and Autopilot
1. Setup and Configure Intune Connector for AD
#6054
1.1. Install the Intune Connector for Active Directory
#6055
Before beginning the installation, make sure that all of the Intune connector server prerequisites have been met.
Turn off Internet Explorer Enhanced Security Configuration. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you’re unable to sign into the Intune Connector for Active Directory, then turn off Internet Explorer Enhanced Security Configuration for the Administrator. To turn off Internet Explorer Enhanced Security Configuration:
- On the server where the Intune Connector will be installed, open Server Manager.
- In the left pane of Server Manager, select Local Server.
- In the right PROPERTIES pane of Server Manager, select the On or Off link next to IE Enhanced Security Configuration.
- In the Internet Explorer Enhanced Security Configuration window, select Off under Administrators:, and then select OK.
Note:
- Grant the Intune Connector Service account Global Administrator Role.
- The Global administrator role is a temporary requirement at the time of installation.
- After you sign into the Connector, it can take several minutes to appear in the Microsoft Intune admin center. It appears only if it can successfully communicate with the Intune service.
- Inactive Intune connectors still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
Download the Intune Connector.
- In the Microsoft Intune admin center, select Devices > Windows > Windows enrollment > Intune Connector for Active Directory > Add.
- Follow the instructions to download the Connector.
- Open the downloaded Connector setup file, ODJConnectorBootstrapper.exe, to install the Connector.
- At the end of the setup, select Configure Now.
- Select Sign In.
- Enter the Global administrator or Intune administrator role credentials. The user account must have an assigned Intune license.
- Go to Devices > Windows > Windows enrollment > Intune Connector for Active Directory, and then confirm that the connection status is Active.
Set Service Account for the Connector service:
- Start from the server with the Intune Connector installed.
- From the Start menu, type services.msc.
- Search for "Intune ODJConnector Service".
- Right-click "Intune ODJConnector Service" and click Properties.
- Set the service account and password.
- Click Ok, to save the settings.
Verify Intune Connector for Active Directory setup is successful and Active.
- In the Microsoft Intune admin center, select Devices > Enroll devices > Windows Enrollment > Intune Connector for Active Directory.
- In this area you should see the Connector name, Status, Latest sync time, and Version. Under Status you should see a green Active indicator, which indicates the installation was successful. See example below.
Logging
- After installing the Intune Connector, it will start logging in the Event Viewer under the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. Under this path you will find Admin and Operational logs.
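As an added example (not code from the original article), the following PowerShell performs the post-install check described above from the connector server: it confirms the service is running under the dedicated service account and pulls recent warnings and errors from the connector's Admin and Operational channels. It assumes the service display name shown in services.msc on this page ("Intune ODJConnector Service") and discovers the event log channel names at run time rather than hard-coding them.

```powershell
# Added example (not from the original article): post-install health check for the
# Intune Connector for Active Directory, run on the connector server.
# Assumption: the service display name is the one shown in services.msc on this page,
# "Intune ODJConnector Service"; the event log channel names are discovered at run time.
function Get-OdjConnectorHealth {
    param([int] $Hours = 24)   # how far back to look for warnings/errors

    $service = Get-Service -DisplayName 'Intune ODJConnector Service' -ErrorAction Stop
    $svcInfo = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($service.Name)'"

    # The connector logs under Applications and Services Logs > Microsoft > Intune >
    # ODJConnectorService (Admin and Operational); pick those channels up by name pattern.
    $logs = Get-WinEvent -ListLog '*ODJConnector*' -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }

    $since  = (Get-Date).AddHours(-$Hours)
    $issues = foreach ($log in $logs) {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since; Level = 1, 2, 3 } `
                     -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ServiceStatus    = $service.Status       # expect Running
        ServiceStartMode = $svcInfo.StartMode    # expect Auto
        ServiceAccount   = $svcInfo.StartName    # the dedicated service account, not LocalSystem
        LogChannels      = @($logs.LogName)
        RecentIssues     = @($issues | Select-Object TimeCreated, Id, LevelDisplayName, Message)
    }
}

Get-OdjConnectorHealth | Format-List
```

If ServiceAccount still reads LocalSystem, the service account step above has not been applied; if RecentIssues is non-empty while the admin center shows the connector as inactive, the event messages are the first place to look before touching proxy settings.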
Ref:
1.2. Create a service account Intune Connector service
#6056
Create a service account that will run the Intune Connector service on the identified server. The Intune Connector service account must have the following permissions:
- Log on as a service.
- Must be a member of the Domain Users group.
- Must be a member of the local Administrators group on the Windows server that hosts the Intune Connector.
- The Intune Connector requires the same endpoints as Intune.
Multiple Intune Connectors
- If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that can create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these domains are untrusted domains, you must uninstall the connectors from domains in which you don’t want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
1.3. Create a Domain Join Device Configuration Profile
#6057
Create a Domain Join device configuration profile that joins devices to the local Active Directory domain. The following information is needed when creating a domain join device configuration profile in Intune:
- Computer name prefix: naming convention for computer names when joining the domain.
- Domain name: the AD domain name the computers will be joined to.
- Organizational Unit: the AD OU path where Autopilot-enrolled computers will be placed.
Navigate to the Endpoint Manager Admin center, https://endpoint.microsoft.com/.
- Click on Devices.
- Click on Windows.
- Click on Configuration profiles.
- Click Create profile.
- For the Platform, select Windows 10 and later.
- For the Profile type, select Templates.
- Select Domain Join.
- Then select Create.
- For the Name, give the profile a name such as: "Autopilot domain join profile".
- For the Description, give a description, for example: "This is a device configuration that joins computers to Active Directory for computers enrolling into Intune via Autopilot."
- Click Next.
- For the Computer name prefix, add for example: DT-
- For the Domain name, add the name of the domain: YourCompany.org
- For the Organization Unit, add the OU path, for example: OU=Autopilot-Devices,DC=MyDomainName,DC=org
- Note: No quotes around the values entered.
- Click Next.
- Click Next in the Scope tags section.
- Assign to the Dynamic device group you created earlier in the setup.
- Click Next.
- Click Next in the Applicability Rule section.
- Review configurations and settings.
- Click Create.
Assignment
- Assign Domain Join Device Configuration Profile to Dynamic Group for Autopilot Windows Corporate devices.
- Autopilot-Devices
1.4. Create and Provision OU for autopilot enrolled device objects
#6058
Create and provision an Organizational Unit (OU) that will hold Autopilot-enrolled device objects when the Intune Connector for Active Directory creates Autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create computer objects within the domain.
- In some domains, computers aren’t granted the rights to create computers. Additionally, domains have a built-in limit (default of 10) that applies to all users and computers that aren’t delegated rights to create computer objects. The rights must be delegated to computers that host the Intune Connector on the organizational unit where hybrid Azure AD-joined devices are created.
The organizational unit that’s granted the rights to create computers must match:
- The organizational unit that’s entered in the Domain Join profile.
- If no profile is selected, the computer’s domain name for your domain.
Configure computer limits:
- Open Active Directory Users and Computers (DSA.msc).
- Right-click the organizational unit to use to create hybrid Azure AD-joined computers > Delegate Control.
- In the Delegation of Control wizard, select Next > Add > Object Types.
- In the Object Types pane, select the Computers > OK.
- In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the name of the computer where the Connector is installed.
- Select Check Names to validate your entry > OK > Next.
- Select Create a custom task to delegate > Next.
- Select Only the following objects in the folder > Computer objects.
- Select Create selected objects in this folder and Delete selected objects in this folder.
- Select Next.
- Under Permissions, select the Full Control check box. This action selects all the other options.
- Select Next > Finish.
For configuration; See Article: Enrollment for hybrid Azure AD-joined devices – Windows Autopilot | Microsoft Docs
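As an added example (not code from the original article), the following PowerShell does the same delegation from the command line and then reads it back, together with the domain's ms-DS-MachineAccountQuota that the note above refers to (default 10). It uses dsacls.exe for the grant and the ActiveDirectory module for verification; the OU DN and the connector server's computer account are hypothetical placeholders.

```powershell
# Added example (not from the original article): delegate the rights the Intune Connector
# host needs on the target OU with dsacls.exe, then read them back (plus the domain's
# machine-account quota) with the ActiveDirectory module. The OU DN and the connector
# computer account below are hypothetical placeholders.
Import-Module ActiveDirectory

function Grant-OdjConnectorOuRights {
    param(
        [Parameter(Mandatory)] [string] $OuDn,           # OU entered in the Domain Join profile
        [Parameter(Mandatory)] [string] $ConnectorHost   # DOMAIN\COMPUTERNAME$ of the connector server
    )
    # Create and delete child objects of class computer on this OU and everything beneath it.
    & dsacls.exe $OuDn /I:T /G "${ConnectorHost}:CCDC;computer"
    # Full Control over the computer objects themselves (what the wizard's check box grants).
    & dsacls.exe $OuDn /I:S /G "${ConnectorHost}:GA;;computer"
}

function Test-OdjConnectorOuRights {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $ConnectorHost
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl    = Get-Acl -Path "AD:\$OuDn"
    $aces   = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorHost -and $_.AccessControlType -eq 'Allow' })

    $canCreate = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::CreateChild) -ne 0 })
    $canDelete = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::DeleteChild) -ne 0 })

    # Default ms-DS-MachineAccountQuota is 10; it no longer applies once the host is explicitly delegated.
    $domainDn = (Get-ADDomain).DistinguishedName
    $quota    = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    [pscustomobject]@{
        OU                  = $OuDn
        ConnectorHost       = $ConnectorHost
        ExplicitAllowAces   = $aces.Count
        CanCreateComputers  = $canCreate
        CanDeleteComputers  = $canDelete
        MachineAccountQuota = $quota
    }
}

# Hypothetical values; replace with your OU and connector server's computer account.
Grant-OdjConnectorOuRights -OuDn 'OU=Autopilot-Devices,DC=corp,DC=example' -ConnectorHost 'CORP\INTUNE-ODJ01$'
Test-OdjConnectorOuRights  -OuDn 'OU=Autopilot-Devices,DC=corp,DC=example' -ConnectorHost 'CORP\INTUNE-ODJ01$'
```

Run Test-OdjConnectorOuRights again after the GUI wizard if you prefer to delegate that way; CanCreateComputers and CanDeleteComputers must both be True for the OU named in the Domain Join profile, and the delegation must be on the connector server's computer account, not on the service account.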
1.5. If Using Intune Proxy, Configure Web Proxy – Optional
#6059
Configure web proxy settings.
- If you have a web proxy in your networking environment, ensure that the Intune Connector for Active Directory works properly by referring to Work with existing on-premises proxy servers.
If Using Proxy
- By default, the Intune Connector for Active Directory attempts to locate a proxy server on the network automatically using Web Proxy Auto-Discovery (WPAD).
- If Web Proxy Auto-Discovery is not working and the Intune Connector for Active Directory has to use a proxy, the following configuration may be required when the connector does not show up in Intune.
- If the Intune Connector for Active Directory does not show up, follow the steps below to resolve this:
===Begin Proxy Settings Setup ===
To fix the issue, add the required proxy configuration to the following file:
- %ProgramFiles%\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config
To do this, follow these steps:
- Open the .config file. The XML declaration and the <configuration> element shown at the top of the completed example below are already present at the top of the file.
- Add the following lines after <configuration>, then save the file.
1. Lines to add:
<system.net>
  <defaultProxy>
    <proxy usesystemdefault="false" proxyaddress="http://<proxy server address>:<port>" />
  </defaultProxy>
</system.net>
2. A completed XML looks like the following:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <defaultProxy>
      <proxy usesystemdefault="false" proxyaddress="http://<proxy server address>:<port>" />
    </defaultProxy>
  </system.net>
</configuration>
- Restart the Intune ODJConnector Service.
===End Proxy Settings Setup ===
Completely bypass outbound proxies
- You can configure the connector to bypass your on-premises proxy to ensure it uses direct connectivity to the Azure services. We recommend this approach, as long as your network policy allows for it, because it means that you have one less configuration to maintain.
- To disable outbound proxy usage for the connector, edit the %ProgramFiles%\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config file and set the default proxy to "false" as shown in the following code example. defaultProxy is a single element directly under system.net; nesting a second defaultProxy element inside it is not valid and the service will fail to load the file.
====== Begin Config File =====
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <defaultProxy enabled="false" />
  </system.net>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.0.0.0" newVersion="4.6.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
  </startup>
  <appSettings>
    <add key="SignInURL" value="https://portal.manage.microsoft.com/Home/ClientLogon"/>
    <add key="LocationServiceEndpoint" value="RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses"/>
  </appSettings>
</configuration>
====== End Config File =====
- To ensure that the Connector Updater service also bypasses the proxy, make a similar change to C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config.
====== Begin Config File =====
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <defaultProxy enabled="false" />
  </system.net>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
  </startup>
  <appSettings>
    <add key="BaseServiceAddress" value="https://manage.microsoft.com/" />
  </appSettings>
</configuration>
====== End Config File =====
Note: Be sure to make copies of the original files, in case you need to revert to the default .config files.
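As an added example (not code from the original article), the following PowerShell applies either of the two edits above (explicit proxy, or bypass the proxy entirely) to a connector .exe.config file, taking the backup copy the note above asks for before it writes anything. It replaces any existing defaultProxy element rather than adding a second one, so the file cannot end up with nested or duplicate defaultProxy elements. The config path default is the file named on this page; the proxy URL is a hypothetical value; the service display name is the one from services.msc above.

```powershell
# Added example (not from the original article): set or disable the proxy in an
# ODJConnector .exe.config, backing up the original first. The proxy URL used in the
# usage lines is hypothetical; the config path default is the one named on this page.
function Set-OdjConnectorProxy {
    param(
        [string] $ConfigPath = "$env:ProgramFiles\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config",
        # Explicit proxy URL such as http://proxy.corp.example:8080 (hypothetical).
        # Leave it empty to bypass proxies entirely (defaultProxy enabled="false").
        [string] $ProxyAddress
    )

    # Keep an untouched copy so the default file can be restored.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    [xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
    $config   = $doc.DocumentElement          # <configuration>

    # Make sure <system.net> exists; the XPath name test "system.net" is valid as written.
    $systemNet = $config.SelectSingleNode('system.net')
    if (-not $systemNet) {
        $systemNet = $doc.CreateElement('system.net')
        [void]$config.PrependChild($systemNet)
    }

    # Remove every existing <defaultProxy> so only one, well-formed element remains.
    foreach ($old in @($systemNet.SelectNodes('defaultProxy'))) {
        [void]$systemNet.RemoveChild($old)
    }

    $defaultProxy = $doc.CreateElement('defaultProxy')
    if ($ProxyAddress) {
        # <defaultProxy><proxy usesystemdefault="false" proxyaddress="..." /></defaultProxy>
        $proxy = $doc.CreateElement('proxy')
        $proxy.SetAttribute('usesystemdefault', 'false')
        $proxy.SetAttribute('proxyaddress', $ProxyAddress)
        [void]$defaultProxy.AppendChild($proxy)
    } else {
        # <defaultProxy enabled="false" />  (direct connectivity, no proxy at all)
        $defaultProxy.SetAttribute('enabled', 'false')
    }
    [void]$systemNet.AppendChild($defaultProxy)

    # XmlDocument.Save uses the .NET working directory, so hand it an absolute path.
    $doc.Save((Resolve-Path -LiteralPath $ConfigPath).Path)

    # Service display name as shown in services.msc on this page.
    Restart-Service -DisplayName 'Intune ODJConnector Service'
    return $backup
}

# Usage (hypothetical proxy): point the connector at an explicit proxy ...
Set-OdjConnectorProxy -ProxyAddress 'http://proxy.corp.example:8080'
# ... or bypass proxies entirely, as in the "Completely bypass outbound proxies" section.
Set-OdjConnectorProxy
```

The function returns the path of the backup it created; to revert, copy that file back over the .exe.config and restart the service again.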
1.6. Register Autopilot Devices
#6060
You can perform Windows Autopilot device registration within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-values (CSV) file. Capturing the hardware hash for manual registration requires booting the device into Windows. So, this process is primarily for testing and evaluation scenarios.
Register your Autopilot devices with either of the following options:
- Register autopilot devices that are already enrolled.
- Register autopilot devices that are not enrolled.
- Register autopilot devices from an OEM.
Register autopilot devices that are already enrolled.
- Create an Autopilot deployment profile with the setting Convert all targeted devices to Autopilot set to Yes.
- Assign the profile to a group that contains the members that you want to automatically register with Autopilot.
👉 Refer to: #6549 Setup Deployment Profile to Register Devices
Register autopilot devices that are not enrolled.
- If your devices aren’t yet enrolled, you can register them yourself. For more information, see Manual registration.
Ideally, registration of a device with Windows Autopilot is performed by the OEM, reseller, or distributor from which the device was purchased. However, it is also possible to register devices manually.
You might need to register a device manually if:
- The device was obtained from a non-participant device manufacturer or reseller.
- The device is a virtual machine (VM).
- The device does not otherwise qualify for automatic registration, such as an existing legacy device.
To manually register a device, you must first capture its hardware hash. Once this process has completed, the resulting hardware hash can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows to obtain the hardware hash, manual registration is intended primarily for testing and evaluation scenarios.
Customers can only register devices with a hardware hash. Other methods (PKID, tuple) are available through OEMs or CSP partners as described in the previous sections.
There are 4 ways to collect the hardware ID/hash ID:
- Using Microsoft Configuration Manager.
- Using Windows PowerShell.
- From the Desktop using Settings > Accounts.
- During OOBE by using the Diagnostics Page (Windows 11 only).
Refer to the following sections for each method:
- 👉 Refer to: #6550 Use Windows PowerShell to Register devices.
- 👉 Refer to: #6551 Use Desktop using Settings > Accounts to Register devices.
- 👉 Refer to: #6553 Use Configuration Manager to get Hash IDs.
- 👉 Refer to: #6554 Use Windows 11 Diagnostics page hash export.
- 👉 Refer to: #6552 Upload Device Hash IDs in Intune to Register devices.
Register autopilot devices from an OEM.
- The vendor registers the device hash IDs for your organization.
- If you’re buying new devices, some OEMs can register the devices for you. For more information, see OEM registration.
1.6.1. Setup Deployment Profile to Register Devices
#6549
Setup Windows Autopilot Deployment Profile
- In the Microsoft Intune admin center, select Devices > Enroll devices > Windows enrollment > Deployment Profiles.
- Click Create profile > Windows PC.
- For the Name, enter a name for example: “Default Windows Autopilot Deployment Profile“.
- For the Description, enter a description for example: “This is the default Windows Autopilot deployment profile that targets and registers all Windows devices that enroll via Autopilot.“
- Select YES for the Convert all targeted devices to Autopilot.
- Example shown below.
- Click Next.
- In the Out-of-box experience (OOBE) section, set the features settings.
- Deployment mode: User-Driven
- Join to Azure AD as: Hybrid Azure AD Joined
- Skip AD connectivity check: Yes
- Microsoft Software License Terms: Hide
- Privacy settings: Hide
- Hide change account options: Hide
- User account type: Standard
- Allow pre-provisioned deployment: No
- Language (Region): Operating system default
- Automatically configure keyboard: Yes
- Apply device name template: No
- Example shown below.
- Click Next.
- Click Next in the scope tags section.
- In the Assignments section, assign the deployment profile to the dynamic device group created earlier.
- Click Next.
- Click Create.
1.6.2. Use Windows PowerShell to Register devices
#6550
Use Windows PowerShell to Register devices.
- Capture the device hash ID:
- While logged into a Windows device, start PowerShell.
- Copy the following text to a PowerShell .ps1 file (Note: answer Yes if Set-ExecutionPolicy prompts for confirmation):
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
- After capturing the hash ID from each device, combine the contents of all CSV files into one CSV file, then upload the device hash IDs to Microsoft Intune.
There are two options to upload the device hash to Intune: run the next PowerShell commands to upload the hash automatically, or sign in to the Endpoint Manager admin center and upload the device hash manually using the steps in the Upload Device Hash IDs to Intune section below.
- While OOBE is running, you can start uploading the hardware hash by opening a command prompt (Shift+F10 at the sign-in prompt) and using the following commands:
PowerShell.exe -ExecutionPolicy Bypass
Install-Script -name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutopilotInfo -Online
- You're prompted to sign in. An account with the Intune Administrator role is sufficient, and the device hash will then be uploaded automatically.
- After you confirm the details of the uploaded device hash, run a sync in the Microsoft Intune admin center.
- Select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Sync.
1.6.3. Use Desktop using Settings > Accounts to Register devices
#6551
Use Desktop using Settings > Accounts to Register devices
- From the Windows 10 or Windows 11 Start menu, right-click and select Settings > Accounts > Access work or school.
- Export log files. The logs will include a CSV file with the hardware hash.
- Windows 11: In the Export your management log files tile, click Export.
- Windows 10: Click the Export your management log files link.
- Log files are exported to the Users\Public\Documents\MDMDiagnostics directory.
1.6.4. Upload Device Hash IDs in Intune to Register devices
#6552
Upload Device Hash IDs to Intune:
- Start by navigating to the Admin Center https://endpoint.microsoft.com.
- Click on Devices.
- Click on Enroll devices.
- Under Windows enrollment, Click on Devices.
- At the top Click Import.
- Click Select a file for Specify the path to the list you want to import.
- After selecting the CSV file to import, click Import at the bottom. Importing can take several minutes.
- After a few minutes you should see a list of all imported device hash IDs.
Add Devices to Intune
- After import is complete, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Sync.
- A message says that the synchronization is in progress. The process might take a few minutes to complete, depending on how many devices are being synchronized.
- Refresh the view to see the new devices.
1.6.5. Use Configuration Manager to get Hash IDs
#6553
Microsoft Configuration Manager automatically collects the hardware hashes for existing Windows devices. For more information, see Gather information from Configuration Manager for Windows Autopilot. You can extract the hash information from Configuration Manager into a CSV file.
Use Configuration Manager to collect and report the device information required by Intune. This information includes the device serial number, Windows product identifier, and a hardware identifier. It’s used to register the device in Intune to support Windows Autopilot.
- In the Configuration Manager console, go to the Monitoring workspace, expand the Reporting node, expand Reports, and select the Hardware – General node.
- Run the report, Windows Autopilot Device Information, and view the results.
- In the report viewer, select the Export icon, and choose the CSV (comma-delimited) option.
- After saving the file, upload the data to Intune.
Now take the contents of that file and format the data into a new CSV file with only the following three headers and columns:
- Device Serial Number, Windows Product ID, Hardware Hash
You should have a CSV file that looks like the following example:
When opened in Excel, the file contents look like the following example:
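As an added example (not code from the original article), the following PowerShell covers both the "combine all CSV files into one" step of the PowerShell capture section and the reformatting step just described for a Configuration Manager export: it reads every per-device CSV in a folder, keeps only the three columns listed above, drops rows whose hash is not a Base64 string, removes duplicate serial numbers, and writes one import-ready file. Folder and file names are hypothetical.

```powershell
# Added example (not from the original article): merge the per-device CSV files produced by
# Get-WindowsAutopilotInfo (or a ConfigMgr report export) into one import-ready CSV that
# carries only the three columns Intune expects. Folder and file names are hypothetical.
function Merge-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,   # folder holding one CSV per device
        [Parameter(Mandatory)] [string] $OutputFile      # combined file to upload to Intune
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

    $rows = foreach ($file in Get-ChildItem -Path $SourceFolder -Filter '*.csv' -File) {
        $data    = @(Import-Csv -LiteralPath $file.FullName)
        $headers = if ($data.Count) { $data[0].PSObject.Properties.Name } else { @() }
        $missing = @($required | Where-Object { $_ -notin $headers })
        if ($missing.Count) {
            Write-Warning "$($file.Name): missing column(s) $($missing -join ', '); skipped"
            continue
        }
        foreach ($row in $data) {
            # The hash is a Base64 blob; anything else means the export was mangled.
            if ($row.'Hardware Hash' -notmatch '^[A-Za-z0-9+/]+=*$') {
                Write-Warning "$($file.Name): malformed hash for serial $($row.'Device Serial Number'); skipped"
                continue
            }
            $row | Select-Object $required
        }
    }

    # One line per device: a serial captured twice should appear once in the import file.
    $unique = @($rows | Sort-Object -Property 'Device Serial Number' -Unique)
    $unique | Export-Csv -LiteralPath $OutputFile -NoTypeInformation -Encoding UTF8
    return $unique.Count   # number of devices written
}

# Hypothetical paths: the folder the capture script writes to, and the combined file to upload.
Merge-AutopilotCsv -SourceFolder 'C:\HWID' -OutputFile 'C:\HWID\AutopilotHWID-all.csv'
```

The warnings name the file and serial that were skipped, so a bad capture can be redone on that one device instead of failing the whole import in the admin center.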
1.6.6. Use Windows 11 Diagnostics page hash export
#6554
To export a hardware hash using the Windows Autopilot Diagnostics Page, the device must be running Windows 11.
- Windows Autopilot Diagnostics are available in OOBE.
- During OOBE, press Ctrl-Shift-D to bring up the Diagnostics Page. From this page, you can export logs to a thumb drive. The logs will include a CSV file with the hardware hash.
Desktop Hash Export:
- From the Windows 10 or Windows 11 Start menu, right-click and select Settings > Accounts > Access work or school.
- Export log files. The logs will include a CSV file with the hardware hash.
- In Windows 11: In the Export your management log files tile, click Export.
- In Windows 10: Click the Export your management log files link.
- Log files are exported to the Users\Public\Documents\MDMDiagnostics directory.
1.7. Identify Server for Connector setup installation
#6061
You will need to identify a server for the Intune Connector for AD installation. This server cannot be the same server as where the Azure AD Connect sync tool is installed.
Intune Connector for AD Requirements
Server-side Prerequisites
- Server: Windows Server 2016 or above.
- Server: Must have access to the Internet and Active Directory.
- .NET Framework version 4.7.2 or later.
Client-side Prerequisites
- Windows 10, version 1809 or later.
- Internet access.
- If using a proxy, the proxy rule should apply to the client side as well as the server side in a Windows Autopilot Hybrid Domain Join scenario.
- Connectivity to Active Directory and a domain controller during deployment.
- .NET Framework version 4.7.2 or later.
Note:
- Must not be the same server where Azure AD Connect is installed.
Scalability
- To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that’s not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
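As an added example (not code from the original article), the following PowerShell checks the server-side prerequisites listed above on a candidate connector server before the installer is run: server OS at 2016 or later, .NET Framework 4.7.2 or later, no Azure AD Connect on the same box, domain membership with a reachable domain controller, and outbound reachability of manage.microsoft.com on both 80 and 443. The .NET 4.7.2 Release number and the ADSync service name used to detect Azure AD Connect are stated as assumptions; the second endpoint in the default list is illustrative and the full list is in the Required Network endpoints reference.

```powershell
# Added example (not from the original article): pre-install check of the server-side
# prerequisites listed above, run on the candidate connector server. The .NET 4.7.2
# Release number and the ADSync service name used to detect Azure AD Connect are
# assumptions; endpoint names beyond manage.microsoft.com are illustrative.
function Test-OdjConnectorPrerequisites {
    param([string[]] $Endpoints = @('manage.microsoft.com', 'portal.manage.microsoft.com'))

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType 1 = workstation; Windows Server 2016 is build 14393.
    $serverOsOk = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)

    # .NET Framework 4.7.2 reports Release 461808 (or 461814) and later (assumption).
    $release  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    $dotNetOk = [int]$release -ge 461808

    # Azure AD Connect runs as the ADSync service (assumption); the connector must not share that server.
    $aadConnectHere = [bool](Get-Service -Name 'ADSync' -ErrorAction SilentlyContinue)

    # Domain membership and the ability to reach a domain controller.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $dc = $null
    if ($cs.PartOfDomain) {
        try { $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name } catch { }
    }

    # Intune clients use both 80 and 443 through the proxy, so probe both.
    $reach = foreach ($e in $Endpoints) {
        foreach ($port in 80, 443) {
            [pscustomobject]@{
                Endpoint  = $e
                Port      = $port
                Reachable = Test-NetConnection -ComputerName $e -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
    }
    $allReachable = -not ($reach | Where-Object { -not $_.Reachable })

    [pscustomobject]@{
        OsBuild                = $os.BuildNumber
        ServerOsOk             = $serverOsOk
        DotNetRelease          = $release
        DotNetOk               = $dotNetOk
        AadConnectOnThisServer = $aadConnectHere
        DomainJoined           = [bool]$cs.PartOfDomain
        DomainController       = $dc
        Endpoints              = $reach
        ReadyToInstall         = $serverOsOk -and $dotNetOk -and -not $aadConnectHere -and $cs.PartOfDomain -and $allReachable
    }
}

Test-OdjConnectorPrerequisites | Format-List
```

A False under Reachable for port 443 on manage.microsoft.com with a proxy in place is the symptom that the proxy section above addresses; fix that before installing rather than after the connector fails to appear in the admin center.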
1.8. Requirements
#6541
The following are the requirements for deployment of the Intune Connector for Active Directory.
Requirements.
- Gather information you're going to need.
- Required Network endpoints for Microsoft Intune.
- Identify Server for Connector setup installation.
- Create a service account for the Intune Connector service.
- Setup and enable Windows Automatic MDM Enrollment.
- Create an Organizational Unit (OU) for Autopilot-enrolled device accounts.
- Create and Provision OU for Autopilot-enrolled device objects.
- Configure Hybrid Azure AD-joined devices for Active Directory.
- Network connectivity requirements for Hybrid.
- Configure Hybrid AAD Join Managed Domains with Azure AD Connect.
- Clear Service Connection Point entry in Active Directory.
- Enable Device Synchronization with Azure AD Connect.
- Deploy, Configure SCP Group Policy for Automatic device enrollment.
Deployment.
- Install the Intune Connector for Active Directory.
- Create a domain joined device configuration profile.
- If Using Intune Proxy, Configure Web Proxy (Optional).
- Create a Dynamic Device Group and a User Group.
- Register Autopilot devices.
- Setup Deployment Profile to Register Devices.
- Use Windows PowerShell to Register devices.
- Use Desktop using Settings > Accounts to Register devices.
- Use Configuration Manager to get Hash IDs.
- Upload Device Hash IDs in Intune to Register devices.
- Use Windows 11 Diagnostics page hash export.
- Configure device settings supporting configurations.
1.9. Required Network endpoints for Microsoft Intune
#6542
The following information also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.
- The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
- For some tasks (like downloading software updates for the classic PC agent), Intune requires unauthenticated proxy server access to manage.microsoft.com.
Note:
- SSL inspection of traffic to the manage.microsoft.com endpoint is not supported.
For more information:
1.10. Setup and enable Windows Automatic MDM Enrollment
#6543
Identify whether you will target a group of users or all users. It is recommended to use the All option and target all users. If you target only a subset of users, you will have to come back here every time to change the targeted group, or add users to the group for every new user you want to participate in Intune.
Note: Targeting all users has no user impact; it only enables users to participate in Intune and enroll devices automatically once the other settings and configurations come into play.
- Sign in to the Azure portal; in the left pane, select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
- Make sure users who deploy Azure AD-joined devices by using Intune and Windows are members of a group included in MDM User scope.
- Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save.
1.11. Configure Hybrid Azure AD-joined devices for Active Directory
#6544
You can validate your planning and prerequisites for hybrid Azure AD joining devices using a targeted deployment before enabling it across the entire organization. This article explains how to accomplish a targeted deployment of hybrid Azure AD join.
- Confirm network connectivity requirements.
- 👉 Refer to: #6561 Network connectivity requirements for Hybrid
- Configure Hybrid AAD Join with Azure AD Connect for managed domains.
- 👉 Refer to: #6563 Configure Hybrid AAD Join Managed Domains with Azure AD Connect
- Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists.
- 👉 Refer to: #6556 Clear Service Connection Point entry in Active Directory
- Enable device synchronization. You may also need to customize synchronization options in Azure AD Connect to enable device synchronization.
- 👉 Refer to: #6564 Enable Device Synchronization with Azure AD Connect
- Configure the client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO).
- 👉 Refer to: #6484 Create & Configure SCP Group Policy for Automatic device enrollment
- If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO. This is out of scope for this content.
Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
Configure hybrid Azure AD join.
1.11.1. Create & Configure SCP Group Policy for Automatic device enrollment
#6484
Use the following information to setup a Group Policy object that will apply to targeted devices that will be configured to automatically enroll into Microsoft Intune.
Group Policy Title:
- Autoenrollment for Desktops
Settings
- Computer Configuration > Policies > Administrative Templates > Windows Components/MDM
  - Policy: Enable automatic MDM enrollment using default Azure AD Credentials
    - Select Credential Type to Use: Device Credential when using SCCM
    - Select Credential Type to Use: Device Credential when using Intune Only
Identifies the Azure AD tenant that devices will be hybrid joined to:
- Preferences > Windows Settings > Registry > BlockAADWorkplaceJoin > General > Properties
  - Hive: HKEY_LOCAL_MACHINE
  - Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
  - Value name: TenantID
  - Value type: REG_SZ
  - Value data: <Tenant ID>, example: 5050c000-cccc-aaaa-cccc-99c9b5e52929
- Preferences > Windows Settings > Registry > BlockAADWorkplaceJoin > General > Properties
  - Hive: HKEY_LOCAL_MACHINE
  - Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
  - Value name: TenantName
  - Value type: REG_SZ
  - Value data: <Tenant Domain>, example: your-domain.onmicrosoft.com
Sets whether or not to block AAD join on devices:
- Preferences > Windows Settings > Registry > BlockAADWorkplaceJoin > General > Properties
  - Hive: HKEY_LOCAL_MACHINE
  - Key path: SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  - Value name: BlockAADWorkplaceJoin
  - Value type: REG_DWORD
  - Value data: 0x0 (0) = Disabled
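The GPO above only helps if it actually lands on the client. The following PowerShell script is an added example (not part of this page or of Microsoft's tooling) that audits the registry values the policy is expected to write on a domain-joined device. The tenant values passed in are placeholders; the MDM policy key (AutoEnrollMDM / UseAADCredentialType under SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM) is an assumption about where the ADMX policy stores its setting and is not on the page.

```powershell
# Added example (not from the page): audits the client-side values the "Autoenrollment for Desktops"
# GPO should have applied. Run in an elevated PowerShell on a target client after "gpupdate /force".
function Test-AutoEnrollmentGpo {
    param(
        [Parameter(Mandatory)][string]$ExpectedTenantId,    # tenant GUID, placeholder below
        [Parameter(Mandatory)][string]$ExpectedTenantName   # e.g. your-domain.onmicrosoft.com
    )
    # Each check names the path, the value and what the GPO is expected to have written.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD';  Name = 'TenantID';              Expected = $ExpectedTenantId },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD';  Name = 'TenantName';            Expected = $ExpectedTenantName },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin';  Name = 'BlockAADWorkplaceJoin'; Expected = 0 },
        # Assumption (not on the page): the ADMX policy "Enable automatic MDM enrollment using default
        # Azure AD Credentials" writes AutoEnrollMDM=1 and UseAADCredentialType=2 for Device Credential.
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'; Name = 'AutoEnrollMDM';        Expected = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'; Name = 'UseAADCredentialType'; Expected = 2 }
    )

    foreach ($c in $checks) {
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) }

        if ($null -eq $actual)                       { $status = 'MISSING' }
        elseif ("$actual" -eq "$($c.Expected)")      { $status = 'OK' }
        else                                         { $status = 'MISMATCH' }

        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Placeholder tenant values; replace with your own.
Test-AutoEnrollmentGpo -ExpectedTenantId '5050c000-cccc-aaaa-cccc-99c9b5e52929' `
                       -ExpectedTenantName 'your-domain.onmicrosoft.com' | Format-Table -AutoSize
```

Any MISSING or MISMATCH row means the GPO did not apply (wrong OU scope, filtering, or a conflicting policy), and `dsregcmd /status` on the same client will then typically show the device as not hybrid joined.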
1.11.2. Clear Service Connection Point entry in Active Directory
#6556
Use the Active Directory Service Interfaces Editor (ADSI Edit) to modify the SCP object in AD.
- Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator.
- Connect to the Configuration Naming Context of your domain.
- Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration.
- Right-click on the leaf object CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties.
- Select keywords from the Attribute Editor window and select Edit.
- Select the values of azureADId and azureADName (one at a time) and select Remove.
- Close ADSI Edit.
1.11.3. Network connectivity requirements for Hybrid
#6561
Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization’s network:
- https://enterpriseregistration.windows.net
- https://login.microsoftonline.com
- https://device.login.microsoftonline.com
- https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
- Your organization’s Security Token Service (STS) (For federated domains)
Warning
- If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to https://device.login.microsoftonline.com is excluded from TLS break-and-inspect. Failing to exclude this URL may interfere with client certificate authentication and cause issues with device registration and device-based Conditional Access.
- If your organization requires access to the internet via an outbound proxy, you can use Web Proxy Auto-Discovery (WPAD) to enable Windows 10 or newer computers for device registration with Azure AD. To address issues configuring and managing WPAD, see Troubleshooting Automatic Detection.
- If you don’t use WPAD, you can configure WinHTTP proxy settings on your computer with a Group Policy Object (GPO) beginning with Windows 10 1709. For more information, see WinHTTP Proxy Settings deployed by GPO.
Note
- If you configure proxy settings on your computer by using WinHTTP settings, any computers that can’t connect to the configured proxy will fail to connect to the internet.
- If your organization requires access to the internet via an authenticated outbound proxy, make sure that your Windows 10 or newer computers can successfully authenticate to the outbound proxy. Because Windows 10 or newer computers run device registration by using machine context, configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
Verify devices can access the required Microsoft resources under the system account by using the Test Device Registration Connectivity script.
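As an added example (not this page's content and not Microsoft's Test Device Registration Connectivity script), the following PowerShell checks TCP 443 reachability to each endpoint listed above and reports the issuer of the TLS certificate the host presents. A corporate CA in the Issuer column for device.login.microsoftonline.com is the tell-tale sign of the break-and-inspect interference the warning describes. The endpoint list is taken from this section; everything else is assumed.

```powershell
# Added example (not from the page): reachability and TLS-issuer check for the hybrid Azure AD join
# endpoints. Device registration runs in machine context, so run this as SYSTEM (for example via the
# Sysinternals "psexec -s powershell.exe") to see the same network path the registration code uses.
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'   # only required if you use seamless SSO
)

function Get-EndpointTlsInfo {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; TcpOk = $false; Subject = $null; Issuer = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Direct TCP connect (no WinHTTP proxy): a failure here with a working browser points at a
        # proxy requirement that the machine context does not satisfy.
        $client.Connect($HostName, $Port)
        $result.TcpOk = $true

        # Accept whatever certificate is presented: the goal is to observe who issued it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        $result.Issuer  = $cert.Issuer
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Get-EndpointTlsInfo -HostName $_ } | Format-Table -AutoSize
```

Compare the Issuer column against the public CA you see from an uninspected network path; an issuer that is your own proxy or corporate CA on device.login.microsoftonline.com means that host still needs a TLS-inspection bypass.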
1.11.4. Configure Hybrid AAD Join Managed Domains with Azure AD Connect
#6563
If you have not done so already, add your local domain and configure Azure AD for managed domains. Managed domains use password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on.
Configure hybrid Azure AD join by using Azure AD Connect for a managed domain:
- Start Azure AD Connect, and then select Configure.
- In Additional tasks, select Configure device options, and then select Next.
- In Overview, select Next.
- In Connect to Azure AD, enter the credentials of a Global Administrator for your Azure AD tenant.
- In Device options, select Configure Hybrid Azure AD join, and then select Next.
- In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.
- In SCP configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.
- Select the Forest.
- Select an Authentication Service.
- Select Add to enter the enterprise administrator credentials.
- In Ready to configure, select Configure.
- In Configuration complete, select Exit.
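The SCP that ADSI Edit clears in section 1.11.2 is the same object Azure AD Connect writes in the steps above, so one read-only check covers both: confirm the stale entry is gone before running the wizard, and confirm the tenant it wrote afterwards. The following PowerShell is an added example (not from the page); it uses the RSAT ActiveDirectory module, and the expected tenant values are placeholders.

```powershell
# Added example (not from the page): read-only check of the hybrid Azure AD join Service Connection
# Point (SCP) in the forest's configuration partition. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    param(
        [string]$ExpectedTenantId   = '00000000-0000-0000-0000-000000000000',   # placeholder
        [string]$ExpectedTenantName = 'your-domain.onmicrosoft.com'             # placeholder
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Well-known container and object name for the SCP, the same path section 1.11.2 browses to.
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{ Present = $false; TenantId = $null; TenantName = $null; State = 'SCP object not found' }
    }

    # keywords is multi-valued and carries "azureADId:<guid>" and "azureADName:<tenant domain>".
    $keywords   = @($scp.keywords)
    $tenantId   = ($keywords | Where-Object { $_ -like 'azureADId:*' }   | Select-Object -First 1) -replace '^azureADId:', ''
    $tenantName = ($keywords | Where-Object { $_ -like 'azureADName:*' } | Select-Object -First 1) -replace '^azureADName:', ''

    if (-not $tenantId -and -not $tenantName) {
        $state = 'Cleared (no tenant values)'
    } elseif ($tenantId -eq $ExpectedTenantId -and $tenantName -eq $ExpectedTenantName) {
        $state = 'Configured for the expected tenant'
    } else {
        # A different tenant here would hybrid join every in-scope device to the wrong directory.
        $state = 'Configured for a DIFFERENT tenant: review before enabling hybrid join'
    }

    [pscustomobject]@{ Present = $true; TenantId = $tenantId; TenantName = $tenantName; State = $state }
}

Get-HybridJoinScp | Format-List
```

Run it as a user with read access to the configuration partition (any domain user can read it by default); only the ADSI Edit or Azure AD Connect steps need Enterprise Administrator rights.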
1.11.5. Enable Device Synchronization with Azure AD Connect
#6564
To enable device synchronization with Azure AD Connect, start by logging on to the Azure AD Connect server where it is installed.
- Login to Azure AD Connect host server.
- Start Azure AD Connect.
- On the Welcome to Azure AD Connect section, Click Configure.
- On the Additional tasks section, Select Customize synchronization options.
- Then Click Next.
- On the Connect your directories section, Click Next.
- If you are not synchronizing everything, on the Domain and OU Filtering section ensure the OU created earlier in the process is selected to sync.
- Then Click Next.
- Click Next on the Optional features section.
- If shown, Click Next on the Group Writeback section to continue.
- You will see the Ready to configure section.
- Ensure a Check is set for Start the synchronization process when configuration completes.
- Then Click Configure.
- Click Exit to complete the process.
1.12. Gather Information you’re going to need
#6546
The following information needs to be gathered prior to the setup of Intune Connector for Active Directory. You will need this information during the course of configuration.
- Name of the AD OU path where autopilot enrolled devices\computers will be placed.
- Autopilot Devices | Create in AD.
- Name of the Active Directory domain that devices\computers will be joined to.
- phoenixtekk.net
- Naming convention for computers created when joining the domain.
- AUTO-
- An All-Users group name for all user accounts that will participate in Intune.
- All Users
- A Dynamic devices group name that will be used for devices enrolling via Autopilot.
- Autopilot-Devices
- Assignment Rules: (device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.deviceOSType -contains "Windows") and (device.deviceOwnership -contains "Company")
1.13. Create a Dynamic Device Group and a User Group
#6547
Create Dynamic Device Group
- In the Microsoft Intune admin center, select Groups > New group.
- In the Group pane, choose the following options:
- For Group type, select Security.
- Enter a Group name and Group description.
- Select a Membership type.
- If you selected Dynamic Devices for the membership type, in the Group pane, select Dynamic device members.
- Select Edit in the Rule syntax box and enter one of the following rules:
- To create a group that includes all your devices enrolled via Autopilot, use the following rule:
- (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
- To create a group for Windows corporate devices enrolled via Autopilot, use the following rule:
- (device.devicePhysicalIds -any _ -contains "[ZTDId]") and (device.deviceOSType -contains "Windows") and (device.deviceOwnership -contains "Company")
- If you get an error, ensure you are using the exact rule statement above and immediately click Save.
- Intune’s Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881").
- To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342").
- Select Save > Create.
Create All Users Group
- In the Microsoft Intune admin center, select Groups > New group.
- In the Group pane, choose the following options:
- For Group type, select Security.
- Enter a Group name and Group description.
- Select a Membership type, set to Assigned.
- For the Owner, Set the Owners account.
- For the Member, Set the Member accounts.
- Select Create.
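The same two groups can be created from the Microsoft Graph PowerShell SDK, which is handy when the tenant is built from a script rather than by clicking through the admin center. The block below is an added example (not from the page); the group names and the membership rule are the ones from sections 1.12 and 1.13, the mail nicknames and the owner UPN are placeholders, and it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed.

```powershell
# Added example (not from the page): creates the Autopilot dynamic device group and the assigned
# All Users group with the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome

# Same rule as in section 1.13: corporate Windows devices that carry an Autopilot ZTDId.
$autopilotRule = '(device.devicePhysicalIds -any _ -contains "[ZTDId]") and ' +
                 '(device.deviceOSType -contains "Windows") and ' +
                 '(device.deviceOwnership -contains "Company")'

# Dynamic security group: membership is evaluated from the rule, nobody is added by hand.
$dynamicGroup = New-MgGroup -DisplayName 'Autopilot-Devices' `
    -Description 'Dynamic group of corporate Windows devices registered with Windows Autopilot' `
    -MailEnabled:$false -MailNickname 'autopilot-devices' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $autopilotRule -MembershipRuleProcessingState 'On'

# Assigned security group for users: membership type "Assigned", so members are set explicitly.
$allUsers = New-MgGroup -DisplayName 'All Users' `
    -Description 'User accounts participating in Intune' `
    -MailEnabled:$false -MailNickname 'all-users' -SecurityEnabled

# Placeholder UPN for the owner; replace with the account that should own the group.
$owner = Get-MgUser -UserId 'owner@your-domain.onmicrosoft.com'
New-MgGroupOwnerByRef -GroupId $allUsers.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }
New-MgGroupMember -GroupId $allUsers.Id -DirectoryObjectId $owner.Id

[pscustomobject]@{ DynamicGroupId = $dynamicGroup.Id; AllUsersGroupId = $allUsers.Id }
```

Keep the rule string in straight double quotes as shown; rules pasted with curly quotes from a document are the usual cause of the validation error mentioned above. A rule keyed on a Group Tag instead would use `(device.devicePhysicalIds -any _ -eq "[OrderID]:<tag>")` with your own tag value.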
1.14. Configure device settings supporting configurations
#6548
If you want to manage device identities by using the Azure portal, the devices need to be either registered or joined to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.
- Users may join devices to Azure AD: This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.
Note
- The Users may join devices to Azure AD setting is applicable only to Azure AD join on Windows 10 or newer. This setting doesn’t apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices that use Windows Autopilot self-deployment mode because these methods work in a user-less context.
- Users may register their devices with Azure AD: You need to configure this setting to allow users to register Windows 10 or newer personal, iOS, Android, and macOS devices with Azure AD. If you select None, devices aren’t allowed to register with Azure AD. Enrollment with Microsoft Intune or mobile device management for Microsoft 365 requires registration. If you’ve configured either of these services, ALL is selected, and NONE is unavailable.
- Require Multi-Factor Authentication to register or join devices with Azure AD:
- We recommend organizations use the Register or join devices user action in Conditional Access to enforce multifactor authentication. You must configure this toggle to No if you use a Conditional Access policy to require multifactor authentication.
- This setting allows you to specify whether users are required to provide another authentication factor to join or register their devices to Azure AD. The default is No. We recommend that you require multifactor authentication when a device is registered or joined. Before you enable multifactor authentication for this service, you must ensure that multifactor authentication is configured for users that register their devices. For more information on Azure AD Multifactor Authentication services, see getting started with Azure AD Multifactor Authentication. This setting may not work with third-party identity providers.
- Maximum number of devices: This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD. If users reach this limit, they can’t add more devices until one or more of the existing devices are removed. The default value is 50. You can increase the value up to 100. If you enter a value above 100, Azure AD will set it to 100. You can also use Unlimited to enforce no limit other than existing quota limits.
Note:
- The Maximum number of devices setting applies to devices that are either Azure AD joined or Azure AD registered. This setting doesn’t apply to hybrid Azure AD joined devices.
- Additional local administrators on Azure AD joined devices: This setting allows you to select the users who are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Global Administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products like Azure AD Premium and Enterprise Mobility + Security.
- Business decision
- Restrict non-admin users from recovering the BitLocker key(s) for their owned devices (preview): In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.
- Business decision
1.15. Deploy the SCP Group Policy for Automatic device enrollment
#6567
Deploy the Service Connection Point (SCP) Group Policy Object for Automatic device enrollment, targeting only the domain-joined devices you intend to enroll automatically into Microsoft Intune.