In this video, Pete Zerger demonstrates how to enable automatic enrollment for Windows 10 devices, as well as how to provide a better user experience in manual enrollment scenarios. Learn how to secure the Intune enrollment process with multi-factor authe
- [Instructor] While Intune supports management of mobile platforms, including Apple iOS, Android, and Windows Mobile, in the context of this course, we'll focus on Windows 10 enterprise enrollment and how Azure Active Directory Premium streamlines management of Windows 10 desktops with Intune. We'll look at how to configure automatic enrollment for Windows 10 devices, steps you can take to ease the manual enrollment process, as well as how to make enrollment more secure by requiring multi-factor authentication.
I'm logged into the Azure portal, and I've selected my default directory. For Windows Intune, we can simplify the process for Windows 10, which can automatically enroll by adding a work or school account. Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their personal devices, or joining their corporate devices to your Azure AD. In the background, the user's device registers and joins Azure Active Directory.
And once registered, the device is managed with Intune. This does come with two prerequisites. The first is Azure AD Premium, and the second is a Microsoft Intune subscription. So to configure automatic enrollment, I'll scroll down and select Mobility (MDM and MAM), and then Microsoft Intune. And now I'll select the scope of the automated enrollment here. So I can pick all users or some users, and "some users" means using a group to scope my automated enrollment.
I have my discovery, compliance, and terms URLs. You'll find definitions of all of these items if you simply mouse over them. I can also scope my MAM use, which is not applicable for our situation here. Now note that this only works for Windows 10 devices. Windows 7 and 8.1 device registration is only supported in the federated identity model, which requires AD Federation Services. I'll save my changes.
And now we have automated enrollment configured for Windows 10. Now by default, multi-factor authentication is not enabled for device registration, but it is recommended. So to configure multi-factor auth for the registration process, while still here in the portal in our Azure AD tenant, I'll select Enterprise applications. And from the all applications list I'm going to find Microsoft Intune Enrollment.
Now through Conditional Access, I can define a policy to require a certain type of device. So I can establish my conditions. So I'll select, for example, device platforms. And under controls, I can require a domain-joined device, so I can make sure that it's work devices that are enrolling. And I can require multi-factor authentication.
And there we have it. So now we are making that enrollment process more secure. So let's talk, for a moment, about enabling easier Windows enrollment when we're not enrolling automatically. You can certainly let users enroll their devices without Azure AD Premium automated enrollment. Creating a DNS CNAME (alias) record makes it easier by enabling an auto-redirect, so users don't have to specify a server name. There's detailed step-by-step documentation on how to create that DNS CNAME record.
And once you believe that record is in place, you can come to the Intune screen in your Azure portal. Select Device enrollment, then Windows enrollment, and use the CNAME tester to determine if the CNAME record is set up correctly for your environment. So you'll type in the domain and select the Test button. If the record's found, you'll get a green thumbs up; otherwise, you get the result that you see here. And if you have multiple domains, you'll need to create a CNAME record for each domain that directs back to the enterprise enrollment URL.
And now you can tell your users how to enroll their Windows devices, and what to expect after they're brought into management. So with Azure AD Premium and Microsoft Intune, connecting our Windows 10 desktops for management can be a very light-touch process.
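Editor's added example (not part of the course or Pete's walkthrough): the portal's CNAME tester checks one domain at a time by hand, and the transcript notes that every verified domain needs its own record. The script below performs the same check from PowerShell for a list of domains, so it can be run after a DNS change or on a schedule. It assumes the `DnsClient` module's `Resolve-DnsName` cmdlet (present on Windows), and the expected alias target `enterpriseenrollment-s.manage.microsoft.com` is taken from Microsoft's Intune enrollment documentation, not from this page; the domain names are placeholders.

```powershell
# Added example: verify the EnterpriseEnrollment CNAME for each verified Azure AD domain.
# Not from the course. The expected target is the host Microsoft documents for Intune
# auto-discovery; the domains listed here are placeholders to replace with your own.
$Domains = @('contoso.com', 'contoso.co.uk')   # placeholder domains

# Expected CNAME target for enterpriseenrollment.<domain> (from Microsoft's Intune docs).
$ExpectedTarget = 'enterpriseenrollment-s.manage.microsoft.com'

function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Target = $ExpectedTarget
    )
    $fqdn = "enterpriseenrollment.$Domain"
    $result = [pscustomobject]@{
        Name     = $fqdn
        Status   = 'MISSING'
        Actual   = $null
        Expected = $Target
    }
    try {
        # -DnsOnly skips the hosts file and LLMNR/NetBIOS, so the answer reflects public DNS,
        # which is what a device enrolling from outside the corporate network will see.
        $records = Resolve-DnsName -Name $fqdn -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        # NXDOMAIN or resolver failure: Status stays MISSING.
        return $result
    }
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        # The name exists only as an A/AAAA record; the auto-discovery redirect needs an alias.
        $result.Status = 'NOT_A_CNAME'
        return $result
    }
    $result.Actual = $cname.NameHost.TrimEnd('.')
    $result.Status = if ($result.Actual -ieq $Target) { 'OK' } else { 'WRONG_TARGET' }
    return $result
}

$results = foreach ($d in $Domains) { Test-IntuneEnrollmentCname -Domain $d }
$results | Format-Table -AutoSize

# Non-zero exit code so the script can gate a deployment pipeline or a scheduled health check.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Two caveats when reading the output: a freshly created record can still show as MISSING until the old negative-cache TTL on the resolver expires, so re-run after a few minutes before assuming the record is wrong; and WRONG_TARGET usually means the alias was pointed at the bare enrollment hostname or at a record with a trailing typo, which the portal tester reports as a failure as well.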
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups