Manage Windows devices with Microsoft 365 Business Premium

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows devices, while still maintaining access to on-premises resources that require local authentication.

To set this up, implement Hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

Note

Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. Learn more about Defender for Business.

Watch: Configure Hybrid Azure Active Directory join

This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.

Before you begin

  • Synchronize users to Azure AD with Azure AD Connect.
  • Complete Azure AD Connect Organizational Unit (OU) sync.
  • Make sure all the domain users you sync have licenses for Microsoft 365 Business Premium.

See Synchronize domain users to Microsoft 365 for the steps.

Device actions

In the Device actions list, you can see the state of each device and of any pending action on it.

Devices and their associated actions can have the following states:

Status              Description
------------------  ---------------------------------------------------------------------------------------
Managed by Intune   Managed by Microsoft 365 Business Premium.
Retire pending      Microsoft 365 Business Premium is getting ready to remove company data from the device.
Retire in progress  Microsoft 365 Business Premium is currently removing company data from the device.
Retire failed       Remove company data action failed.
Retire canceled     Retire action was canceled.
Wipe pending        Waiting for factory reset to start.
Wipe in progress    Factory reset has been issued.
Wipe failed         Couldn't do factory reset.
Wipe canceled       Factory wipe was canceled.
Unhealthy           An action is pending (or in progress), but the device hasn't checked in for 30+ days.
Delete pending      Delete action is pending.
Discovered          Microsoft 365 Business Premium has detected the device.

1. Verify MDM Authority in Intune

Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and select Device enrollment, then on the Overview page, make sure MDM authority is Intune.

  • If MDM authority is None, click the MDM authority to set it to Intune.
  • If MDM authority is Microsoft Office 365, go to Devices > Enroll devices and use the Add MDM authority dialog on the right to add Intune as the MDM authority (the Add MDM Authority dialog is only available when the MDM authority is set to Microsoft Office 365).

2. Verify Azure AD is enabled for joining computers

  1. Go to the Microsoft 365 admin center at https://admin.microsoft.com and select Azure Active Directory (select Show all if Azure Active Directory is not visible) in the Admin centers list.

  2. In the Azure Active Directory admin center, go to Azure Active Directory, choose Devices, and then Device settings.

  3. Verify that Users may join devices to Azure AD is enabled:

    1. To enable all users, set to All.

    2. To enable only a specific group of users, set to Selected, and then:

      • Add the desired domain users synced in Azure AD to a security group.

      • Choose Select groups to enable MDM user scope for that security group.

3. Verify Azure AD is enabled for MDM

  1. Go to the Microsoft 365 admin center at https://admin.microsoft.com and select Endpoint Management (select Show all if Endpoint Manager is not visible).

  2. In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Windows Enrollment > Automatic Enrollment.

  3. Verify that MDM user scope is enabled:

    1. To enroll all computers, set to All to automatically enroll all user computers that are joined to Azure AD and new computers when the users add a work account to Windows.

    2. Set to Some to enroll the computers of a specific group of users.

      • Add the desired domain users synced in Azure AD to a security group.

      • Choose Select groups to enable MDM user scope for that security group.

4. Create the required resources

Configuring hybrid Azure AD join has been simplified through the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet in the SecMgmt PowerShell module. When you invoke this cmdlet, it creates and configures the required service connection point (SCP) in your on-premises Active Directory and the group policy object (GPO) that turns on automatic MDM enrollment.

You can install this module by invoking the following from an instance of PowerShell:

Install-Module SecMgmt

Important

Install this module on the Windows Server running Azure AD Connect.

To create the required service connection point and group policy, you will invoke the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:

PS C:\> Connect-SecMgmtAccount
PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'

The first command establishes a connection with the Microsoft cloud; when you are prompted, specify your Microsoft 365 Business Premium global admin credentials. The second command creates the service connection point and a group policy object with the display name you pass to -GroupPolicyDisplayName (here, Device Management). The GPO is created but not yet linked, so link it to the organizational unit that contains your Windows devices:

  1. In the Group Policy Management Console (GPMC), right-click on the location where you want to link the policy and select Link an existing GPO... from the context menu.

  2. Select the policy created in the above step, then click OK.
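The following script is an added example, not part of the original page or of the SecMgmt module. It runs the two cmdlets from the steps above on the Azure AD Connect server, then verifies the outcome: it reads the service connection point that hybrid Azure AD join clients look up in the forest configuration partition, confirms the GPO exists, and links it to an OU from PowerShell instead of the GPMC. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the OU distinguished name is a placeholder you replace with your own.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example (not from the original page). Run on the Azure AD Connect server
# as a domain admin; the OU below is a placeholder for the OU holding your Windows devices.

$GpoName  = 'Device Management'
$TargetOu = 'OU=Workstations,DC=contoso,DC=local'   # placeholder: replace with your OU DN

# 1. Install the module, sign in, and create the SCP and GPO (the steps from the page).
Install-Module SecMgmt
Connect-SecMgmtAccount          # prompts for Microsoft 365 Business Premium global admin credentials
Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName $GpoName

# 2. Verify the service connection point. Hybrid join clients read it from a fixed
#    container in the configuration partition; its keywords carry the tenant name and ID.
$configNc = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
$scp      = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
Write-Host "SCP found: $($scp.DistinguishedName)"
$scp.keywords | Where-Object { $_ -like 'azureADName:*' -or $_ -like 'azureADId:*' }

# 3. Verify the GPO was created, then link it to the OU
#    (the PowerShell equivalent of "Link an existing GPO..." in GPMC).
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
Write-Host "GPO found: $($gpo.DisplayName) ($($gpo.Id))"
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes

# 4. Confirm the link is in place and enabled on the target OU.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Select-Object DisplayName, Enabled, Enforced, Target
```

If step 2 throws because the SCP object is not found, the cmdlet did not complete; re-run it before linking the GPO, since devices will not hybrid join without the SCP even when the enrollment policy applies.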

Get the latest Administrative Templates

If you do not see the policy Enable automatic MDM enrollment using default Azure AD credentials, it may be because you don’t have the ADMX installed for Windows 10, version 1803, or later. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):

  1. Download: Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2).

  2. Install the package on a Domain Controller.

  3. Navigate to the folder that matches your Administrative Templates version, by default: C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2).

  4. Rename the Policy Definitions folder in the above path to PolicyDefinitions.

  5. Copy the PolicyDefinitions folder to your SYSVOL share, by default located at C:\Windows\SYSVOL\domain\Policies.

    If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.

  6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.

At this point you should be able to see the policy Enable automatic MDM enrollment using default Azure AD credentials available.
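The script below is an added example and not part of the original page. It performs steps 3 through 5 above from PowerShell on a domain controller: it copies the contents of the installed Policy Definitions folder into a PolicyDefinitions central store under SYSVOL, then checks that MDM.admx and its en-US language file are present and that the language file carries the display string of the policy named in the text. It assumes the package was installed at the default path given above and uses the default SYSVOL location from step 5; adjust both if your installation differs.

```powershell
# Added example (not from the original page). Run on a domain controller as a domain admin.
$SourceRoot   = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)'
$SourceDefs   = Join-Path $SourceRoot 'Policy Definitions'       # folder name used by the installer
$CentralStore = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'   # default SYSVOL path from step 5

if (-not (Test-Path $SourceDefs)) {
    throw "Administrative Templates not found at '$SourceDefs'; install the package first (step 2)."
}

# Copying the folder's contents into PolicyDefinitions is equivalent to renaming it and copying
# it to the Policies folder. SYSVOL replication then carries it to the other domain controllers.
New-Item -ItemType Directory -Path $CentralStore -Force | Out-Null
Copy-Item -Path (Join-Path $SourceDefs '*') -Destination $CentralStore -Recurse -Force

# Verify the template that defines the MDM enrollment policy made it into the store.
$admx = Join-Path $CentralStore 'MDM.admx'
$adml = Join-Path $CentralStore 'en-US\MDM.adml'
foreach ($file in @($admx, $adml)) {
    if (-not (Test-Path $file)) { throw "Missing '$file' in central store; the MDM policy will not appear in GPMC." }
}

# GPMC shows the policy under the display name held in MDM.adml; confirm the string is present.
$PolicyText = 'Enable automatic MDM enrollment using default Azure AD credentials'
if (Select-String -Path $adml -Pattern ([regex]::Escape($PolicyText)) -Quiet) {
    Write-Host "Policy '$PolicyText' is available in the central store."
} else {
    throw "Policy '$PolicyText' not found in '$adml'; check the ADMX package version."
}

# Report how many templates and language files are now in the store.
[pscustomobject]@{
    AdmxCount = (Get-ChildItem -Path $CentralStore -Filter '*.admx' -File).Count
    AdmlCount = (Get-ChildItem -Path (Join-Path $CentralStore 'en-US') -Filter '*.adml' -File).Count
}
```

When a central store exists, GPMC reads templates from SYSVOL rather than from the local C:\Windows\PolicyDefinitions folder of the machine running it, so the copy above is what makes the policy visible on every management workstation in the domain, not only on the domain controller where the package was installed.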

Next objective:

Prepare for Office client deployment