DeathTheHusky-3839 asked DeathTheHusky-3839 commented

What's the better method to join a device automatically to Azure AD

Hello there!

I'm new to Azure AD and we are actually switching from an old AD.
I'm an IT admin of a school and I have actually been managing a hundred devices; they can be for students or administrative persons.
We have:
- Administrative PC (PC owned by the personnel)
- Student Laptop (the school lends laptops to students for the year)
- Desktop PC (PC at school for self service, or used as lab when we have physical classes)

My question is:
How to register and make every one of these PCs conform to the AD?

I tried with the PowerShell script to then inject in InTunes and to make the PC conform ==> It's very long, mainly when you have a lot of PCs, plus we have distributed most of our laptops to students so we don't have control anymore and they aren't signed up on Azure AD.

I tried joining an Azure AD directly in the Windows parameters; it works, it's fast and the PC is displayed as "conform" in Intune.
I just have to send the BitLocker key through the network manually, but that's not a problem.


But if you have a faster and better automation of it, I'd take it.
I tried the BOOD way but it isn't detected so I didn't get how it works, and I'm discovering right now the Windows Configuration Designer from WADK.


The problem:
How to register the laptops that we already lent to students in our Azure AD?
The laptop has an Admin + User Account, we have Office 365 Licence Academy account linked to Azure AD to each PC (the domain name @ is linked).

Microsoft docs are rich in information, but as a Junior Admin I'm kinda drowning in this information and I'll thank you for any information that you bring to me.



Jason-MSFT answered DeathTheHusky-3839 commented

Using the Windows Install Configuration Designer is your best (and only) option to my knowledge to do this in a supported fashion. This will be more or less a manual process to run on each and every device though.

Keep in mind that user data and configuration will not be accessible to them though once the systems are joined to AAD and they log in with their AAD identity, as their profiles will remain associated with their local identity.


Thank you for your help and your advice.

Jason-MSFT answered DeathTheHusky-3839 edited

InTunes

Do you mean Intune?

Are the devices currently joined to an on-prem Active Directory (AD) domain?

What's the goal for joining these existing devices to Azure AD (AAD)?

How are the devices initially provisioned before being given to the users/students?


Do you mean Intune?

Yes joingning* AND* conform

Are the devices currently joined to an on-prem Active Directory (AD) domain?

No

What's the goal for joining these existing devices to Azure AD (AAD)?

Centralization of devices, injection of business/educational apps (.msi), setting policies.
Most of the users aren't comfy with their PCs; with this method they will get access to all of their apps that the school is offering, to keep the PC under our control if one student calls for a disruption or a theft, and the policies to keep the PC clean according to school rules.

How are the devices initially provisioned before being given to the users/students?

No, they aren't provisioned at all.
It was a while ago now and we weren't on Azure yet, but they are connected with their Office 365 with the Azure domain; I thought we could detect their devices.




I found the right method to enroll a PC that we have between the end with Windows Configuration Designer from WADK; it worked in our lab.


