
testuser7-8288 asked:

Intune enrollment of Hybrid-join device

Hello,

I want to provision a HYBRID-JOINED Windows 10 laptop to Intune.


We know that we can do this through a Group Policy task once MDM auto-enrollment has been set up in AAD:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy


So to accomplish Intune enrollment, the right person (licensed and within the MDM auto-enrollment scope) has to log into the device.
Only after that will the GPO trigger.

Is it possible to do Intune enrollment under the computer's identity?
After all, this computer is properly sitting in AAD with its own identity, registered through the self-signed cert created and pushed out to AAD through AAD Connect.


Thanks.






Tags: mem-intune-general, mem-intune-device-configurations, mem-intune-enrollment

Crystal-MSFT answered:

@testuser7-8288, From your description, it seems you want to enroll the device using device credential. If there's any misunderstanding, feel free to let us know.

As far as I know, Device Credential is only supported for Microsoft Intune enrollment in scenarios with co-management or Azure Virtual Desktop. If we are not in one of those two scenarios, we can only use User Credential for the enrollment.
[attached screenshot: image.png]

Hope it can help.





testuser7-8288 commented:

Thanks @Crystal-MSFT, yes, I read that.

So to enroll physical hybrid-joined laptops into Intune via GPO, I must use "User Credential".
That means that somebody MUST sign in so that this policy can pick up the signed-in credentials, get the token from AAD for Intune, and then enroll the device into Intune.
The "enrolled by" attribute in Intune would be that user ID.


The doc says that you can also accomplish MFA during Intune enrollment.
How does that happen from the user's experience point of view?
Per my understanding, this GPO task would be executed behind the scenes once the user unlocks the device and starts doing their business activities.


Thanks

Crystal-MSFT commented:

@testuser7-8288, Yes, the AD user needs to sign in to complete the enrollment.

When the GPO is applied successfully, a scheduled task with the enrollment command is created and scheduled to run every 5 minutes for the duration of one day. It can retrieve the right AAD token to start the enrollment when the user logs in to the device. Otherwise the enrollment can fail with an error.

If MFA is enabled, you may run into an issue that requires users to complete an MFA challenge to enroll the device into Intune. That prompt usually takes the form of a notification that reads something like 'your account needs attention', 'there is an issue with your account', or 'login to fix your account', etc. Once you select this prompt, a traditional modern authentication window should pop up and ask for an MFA prompt. Once you complete this, the device can then enroll. Sometimes it causes issues for the enrollment. Given the situation, we usually suggest excluding MFA during GPO enrollment to make the process smooth.

Hope it can help.

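As an added illustration, not part of the original thread or of Microsoft's documentation, the following PowerShell reads back the state that the answer and comment above describe on a hybrid-joined device: the GPO registry values that select User vs Device Credential, the join and Primary Refresh Token (PRT) state from `dsregcmd /status`, the auto-enrollment scheduled task that the GPO creates, and any resulting Intune enrollment record with its UPN (the account that appears as "enrolled by"). The policy key, value names and task name are the ones used by the linked Microsoft article; the mapping 1 = User Credential / 2 = Device Credential, the `ProviderID` of `MS DM Server`, and the event log name are stated from my own troubleshooting experience and are marked as assumptions in the code. The function `Get-MdmAutoEnrollmentState` is my own name, not a built-in cmdlet.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the hybrid-joined Windows 10 device after the GPO has applied.
# Items marked "assumed" are from the editor's own experience, not the linked doc.

function Get-MdmAutoEnrollmentState {
    [CmdletBinding()]
    param()

    # 1. Policy written by "Enable automatic MDM enrollment using default Azure AD credentials".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $credType = if ($null -eq $policy) { 'policy key missing (GPO not applied)' }
                else {
                    switch ($policy.UseAADCredentialType) {
                        1 { 'User Credential' }                                  # assumed: 1 = user
                        2 { 'Device Credential (co-management / AVD only)' }    # assumed: 2 = device
                        default { "not set or unknown value: $($policy.UseAADCredentialType)" }
                    }
                }

    # 2. Join state and PRT. The task can only obtain an AAD token for the signed-in
    #    user if that user currently holds a Primary Refresh Token (AzureAdPrt : YES).
    $ds = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl|AzureAdPrt)\s*:\s*(.*)$') {
            $ds[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # 3. The auto-enrollment task the GPO creates (runs every 5 minutes for one day).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like '*enrolling in MDM from AAD*' }
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # 4. Resulting enrollment record. ProviderID 'MS DM Server' (assumed) marks the Intune
    #    MDM enrollment; UPN is the user account the enrollment was performed under.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = Get-ItemProperty -Path $_.PSPath
            if ($e.ProviderID -eq 'MS DM Server') {
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    UPN          = $e.UPN
                    Discovery    = $e.DiscoveryServiceFullURL
                }
            }
        }

    # 5. Most recent enrollment-client errors (log name assumed), useful when the task
    #    fired before a licensed, in-scope user had signed in and obtained a PRT.
    $errors = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
                  Level   = 2
              } -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        AutoEnrollMDM      = $policy.AutoEnrollMDM
        CredentialType     = $credType
        AzureAdJoined      = $ds['AzureAdJoined']
        DomainJoined       = $ds['DomainJoined']
        AzureAdPrt         = $ds['AzureAdPrt']
        MdmUrl             = $ds['MdmUrl']
        TaskPresent        = [bool]$task
        TaskLastRun        = $taskInfo.LastRunTime
        TaskLastResult     = if ($taskInfo) { '0x{0:X8}' -f $taskInfo.LastTaskResult } else { $null }
        IntuneEnrollments  = $enrollments
        RecentEnrollErrors = $errors
    }
}

Get-MdmAutoEnrollmentState | Format-List
```

Reading the output against the thread: `CredentialType` should say User Credential unless the device is co-managed or an AVD host; `AzureAdJoined` and `DomainJoined` both YES confirm the hybrid join; `AzureAdPrt : NO` with `TaskPresent` true and an empty `IntuneEnrollments` list is the "task ran, nobody eligible signed in" state, and the fix is simply to have the licensed, in-scope user sign in interactively (completing any MFA prompt) and let the next 5-minute run pick up the token. Once an enrollment exists, its `UPN` is the account Intune shows as "enrolled by".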
testuser7-8288 answered:

Excellent @Crystal-MSFT
This clarifies a lot.

Crystal-MSFT commented:

@testuser7-8288, Thanks for the response. I am glad the information can help. If there's anything else we can help with in the future, feel free to post in our Q&A. We are always glad to help.

Thanks for your time and have a nice day!
