In the last part of our guide “Getting started with Microsoft Intune” we’ll walk you through the process of device configuration in Microsoft Intune.
Part 1 – How to sign up for Microsoft Intune, configure MDM authority to Intune, and create a custom domain
Part 2 – User and Group management in Microsoft Intune, assigning licenses
Part 3 – Setting up a configuration policy, Company portal and application management in Microsoft Intune
Configuring devices in Microsoft Intune
Now everything is ready to enroll a device to Microsoft Intune. As previously stated, it’s possible to enroll corporate and BYOD devices with various OS (Android, iOS, macOS, Windows). Let’s take the enrolling process of the Windows device as an example.
There are three ways to enroll a Windows device in Intune:
- Automatic enrollment.
- CNAME registration.
- Windows Autopilot.
Automatic enrollment lets users enroll their Windows 10 and Windows 11 devices in Intune. For this, users add their work account to a BYOD device or join a corporate-owned device to Azure AD. In the background, the device registers with and joins Azure Active Directory. Once registered, Intune manages the device.
To enable automatic enrollment, log in to the Microsoft Endpoint Manager admin center and go to Devices -> Enroll Devices -> Windows enrollment -> Automatic Enrollment.
Next, configure MDM User scope and/or MAM user scope:
- None – MDM automatic enrollment is disabled.
- Some – groups are selected for automatic enrollment.
- All – all users can automatically enroll their devices.
Once done, click Save.
To enroll a Windows device with the CNAME registration method, you create a Domain Name System (DNS) alias (a CNAME record) that redirects enrollment requests to the Intune servers. In other words, the alias supplies the Intune server name for the enrollment request, so users do not have to type it themselves when they connect to Intune.
The first step is to create CNAME DNS resource records for your company’s domain. For example, for the domain contoso.com, we would make a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com. If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and connect each to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use these formats as their email/UPN:
It might take up to 72 hours to process the changes to DNS records.
Once all the changes are processed, you must verify the CNAME: go to Devices -> Windows -> Windows enrollment -> CNAME Validation. In the Domain box, enter the company's domain name (for example, contoso.com) and then choose Test.
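Before relying on the portal's CNAME Validation, you can check each UPN suffix yourself. The following PowerShell is an added example, not code from the original post; the domain list is a constructed sample, and `Test-IntuneEnrollmentCname` is an assumed function name.

```powershell
# Added example: verify that EnterpriseEnrollment.<domain> is a CNAME pointing at the
# Intune enrollment host for every UPN suffix the company uses.
$Domains = @('contoso.com', 'us.contoso.com')   # constructed sample: one entry per UPN suffix
$ExpectedTarget = 'enterpriseenrollment-s.manage.microsoft.com'

function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [string] $Target = $ExpectedTarget
    )
    foreach ($d in $Domain) {
        $name = "EnterpriseEnrollment.$d"
        try {
            # -DnsOnly bypasses the local cache and hosts file, so a stale answer is not reported as good.
            $records = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop
            $cname = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
            if (-not $cname) {
                $status = 'MissingCname'   # the name answers, but it is not an alias
            } elseif ($cname.TrimEnd('.') -ieq $Target) {
                $status = 'OK'
            } else {
                $status = 'WrongTarget'    # alias exists but points somewhere other than Intune
            }
        } catch {
            # NXDOMAIN or no answer yet: DNS changes can take up to 72 hours to propagate.
            $cname  = $null
            $status = "NotResolvable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $d; Name = $name; NameHost = $cname; Status = $status }
    }
}

Test-IntuneEnrollmentCname -Domain $Domains | Format-Table -AutoSize
```

Any row whose Status is not OK will also fail the portal's CNAME Validation for that domain.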
Windows Autopilot configuration
Windows Autopilot makes enrolling devices simple. With Microsoft Intune and Autopilot, you can hand new devices to end users without building, maintaining and applying custom OS images.
The enrollment process with Autopilot consists of three main steps: adding devices, creating an Autopilot device group, and creating an Autopilot deployment profile.
1. Adding a device
Firstly, you have to create a CSV file to identify Windows devices and import it into Intune.
In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Devices (under Windows Autopilot Deployment Program) -> Import.
Under Add Windows Autopilot devices, import your CSV file. It can take several minutes. Once import is complete, go to Devices -> Windows -> Windows enrollment -> Devices (under Windows Autopilot Deployment Program ) -> Sync. A message displays that the synchronization is in progress. The process might take some time to complete, depending on how many devices you’re synchronizing.
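The CSV imported in this step is usually generated on the device itself. The script below is an added example, not the blog's own code: run it from an elevated PowerShell prompt on each Windows 10/11 device, pointing every run at the same shared file so the rows accumulate. `Get-AutopilotDeviceRecord` and `$OutputFile` are assumed names.

```powershell
# Added example: collect the identifiers Autopilot needs from the local device and
# append them to a CSV with the header Intune expects on import.
param(
    [string] $OutputFile = '.\AutopilotDevices.csv'
)

function Get-AutopilotDeviceRecord {
    # Serial number as reported by the BIOS/SMBIOS tables.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hardware hash is exposed through the MDM bridge WMI provider (root/cimv2/mdm/dmmap);
    # that namespace is only readable from an elevated session.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction SilentlyContinue
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash not available: run this from an elevated prompt on a Windows 10/11 device.'
    }

    # Property names must match the CSV header Intune expects; the product ID column may be left blank.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

$record = Get-AutopilotDeviceRecord

# Write plain comma-separated lines without quotes; one CSV may hold at most 500 rows.
$lines = $record | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
if (Test-Path $OutputFile) {
    $lines = $lines | Select-Object -Skip 1   # header already present in the shared file
}
$lines | Out-File -FilePath $OutputFile -Append -Encoding ascii
Write-Host "Wrote record for serial '$($record.'Device Serial Number')' to $OutputFile"
```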
2. Autopilot device group
The next step is to create a device group and add the Autopilot devices you just imported to it. In the Microsoft Endpoint Manager admin center, choose Groups -> New group.
In the Group blade, choose Security for Group type, enter Autopilot Group for Group name, and choose Assigned for Membership type. Then choose Members, add the Autopilot devices to the group, and click Create. To learn more about group management in Microsoft Intune, see Part 2 of this guide.
3. Create an Autopilot deployment profile
Now you must create a deployment profile so that you can configure the Autopilot devices.
In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Windows enrollment -> Deployment Profiles -> Create Profile.
On the Basics page, enter Autopilot Profile for Name and Test profile for Autopilot devices for Description. Set Convert all targeted devices to Autopilot to Yes. This makes sure that all devices in the list get registered with the Autopilot deployment service. Allow 48 hours for the registration to be processed. Select Next.
On the Out-of-box experience (OOBE) page, for Deployment mode, choose User-driven. Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
In the Join to Azure AD as box, choose Azure AD joined. Configure the following options:
- End-user license agreement (EULA): Hide
- Privacy settings: Show
- User account type: Standard.
Click Next.
On the Assignments page, choose Selected groups for Assign to. Under Select groups to include, choose Autopilot Group. Select Next.
On the Review + Create page, choose Create to create the profile.
Now you can distribute the Windows devices to your users. When they sign in for the first time, Autopilot automatically enrolls and configures their devices.