Enhancing Your IT Infrastructure with Microsoft Intune #Episode 9F

Topic Covered: Windows Autopilot Deployment Program (Intune Connector for Active Directory)

Good day, LinkedIn audience. In this part, we'll go through how to configure the Intune Connector for Active Directory so that your on-premises devices are connected to the cloud as hybrid Azure AD-joined devices, that is, joined to your on-premises Active Directory and registered in Azure Active Directory at the same time. This is the final topic in the Windows Autopilot Program and in the section on Windows-based devices.

Deploy hybrid Azure AD-Joined devices with Intune and Windows Autopilot.

Intune and Windows Autopilot can be used to configure hybrid Azure Active Directory (Azure AD)-joined devices. Follow the procedures in this article to do so.

Also, I would recommend going through this Microsoft document to understand more about hybrid Azure AD join and co-management.

▶ Pre-Requisites:

Your devices must already be successfully configured for hybrid Azure AD join. Use the Get-MsolDevice cmdlet to confirm the device registration.
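As an added example (not part of the original article), the following script checks the join state on the device itself with dsregcmd and then, with the MSOnline module, looks up the same device in the tenant via Get-MsolDevice. It assumes the MSOnline module is installed and that Connect-MsolService prompts for an admin sign-in.

```powershell
# Added example, not from the original article.
# Assumption: MSOnline module is installed; Connect-MsolService prompts for credentials.
function Get-HybridJoinState {
    # Parse the "Name : Value" lines printed by dsregcmd /status into a hashtable
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DeviceId      = $fields['DeviceId']
        # Hybrid Azure AD joined means the device is both domain joined and Azure AD joined
        HybridJoined  = ($fields['DomainJoined'] -eq 'YES') -and ($fields['AzureAdJoined'] -eq 'YES')
    }
}

$local = Get-HybridJoinState
$local

if ($local.HybridJoined) {
    Connect-MsolService
    # A hybrid-joined device shows DeviceTrustType 'Domain Joined' in Azure AD
    Get-MsolDevice -DeviceId ([guid]$local.DeviceId) |
        Select-Object DisplayName, DeviceId, DeviceTrustType, ApproximateLastLogonTimestamp
}
```

Run it on the device after a reboot following Azure AD Connect synchronization; an AzureAdJoined value of NO with DomainJoined YES means the registration has not completed yet.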

▶ Device Enrollment Pre-Requisites:

  • Use Windows 11 or Windows 10 version 1809 or later.
  • Follow the Windows Autopilot network requirements to gain access to the internet.
  • Have access to an Active Directory domain controller.
  • Be able to ping the domain controller of the domain you're attempting to join.
  • When using a proxy, the WPAD Proxy settings option must be enabled and configured.
  • Go through the out-of-the-box experience (OOBE).
  • In OOBE, use an authorization type that Azure Active Directory allows.

Although it is not essential, configuring hybrid Azure AD join for AD FS speeds up the Windows Autopilot Azure AD registration process during deployments.

▶ Intune Connector Server Pre-Requisites:

  • Windows Server 2016 or later with .NET Framework version 4.7.2 or later is needed to run the Intune Connector for AD.
  • The server must have access to the internet and to Active Directory.
  • Multiple connectors can be installed in your environment to boost scalability and availability. I would recommend installing the Connector on a server that is not running any other Intune connector. Each connector must be capable of creating computer objects in every domain that you choose to support.
  • If your business has numerous domains and you install multiple Intune Connectors, you must use a service account that can create computer objects in all domains, even if you only intend to use hybrid Azure AD join for one domain. If these domains are untrusted, you must remove the connectors from the domains where you do not want to use Windows Autopilot. Otherwise, with many connectors spanning different domains, all connectors must be capable of creating computer objects across all domains.

This connector service account must have the following permissions:

  1. Log on as a service
  2. Member of the Domain Users group
  3. Member of the local Administrators group on the Windows server that hosts the Intune Connector.

▶ Set up Windows automatic enrollment

The next step is setting up Windows automatic enrollment. Please refer to Episode 9 for the setup.

▶ Increase the computer account limit in the Organizational Unit

The Intune Connector for Active Directory creates computer objects for Autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must therefore be granted the right to create computer objects within the domain.

In some domains, computers are not granted the right to create computer objects. Furthermore, domains have a built-in limit (the default is 10) that applies to all users and computers that have not been explicitly granted the right to create computer objects. The right must be granted to the computer that hosts the Intune Connector, on the organizational unit where the hybrid Azure AD-joined devices are created.

The organizational unit granted the right to create computers must match:

  1. The organizational unit entered in the Domain Join profile.
  2. If no profile is chosen, the computer's domain name is used for your domain.

  • Open Active Directory Users and Computers (dsa.msc).
  • Right-click the organizational unit that will be used to create hybrid Azure AD-joined computers > Delegate Control.

  • Select Next > Add > Object Types in the Delegation of Control wizard.
  • Select Computers > OK in the Object Types box.

  • In the Select Users, Computers, or Groups window, enter the name of the computer where the Connector is installed in the Enter the object names to select box.

  • To validate your entry, select Check Names > OK > Next.
  • Choose Create a custom task to delegate > Next.
  • Select Only the following objects in the folder > Computer objects.
  • Select Create selected objects in this folder and Delete selected objects in this folder.

  • Select Next.
  • Under Permissions, select the Full Control check box. This selects all of the other options as well.

  • Select Next > Finish.
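The same delegation can be scripted, which is handy when you run several connectors or rebuild the host. The script below is an added example (not from the original article, nor Microsoft's own tooling): it reads the domain's default computer-account quota mentioned above, then grants the connector host's computer account the rights the wizard grants (create/delete Computer objects in the OU, and Full Control over the Computer objects under it). It assumes the RSAT ActiveDirectory module is installed; the server name and OU are placeholders.

```powershell
# Added example, not from the original article.
# Assumptions: RSAT ActiveDirectory module is present; $ConnectorHost and $TargetOU are placeholders.
Import-Module ActiveDirectory

$ConnectorHost = 'INTUNECONN01'                              # placeholder: server running the Intune Connector
$TargetOU      = 'OU=AutopilotDevices,DC=corp,DC=example'   # placeholder: OU entered in the Domain Join profile

# The built-in limit (default 10) lives on the domain object
$domainDn = (Get-ADDomain).DistinguishedName
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# SID of the connector host's computer account (the principal the wizard delegates to)
$sid = (Get-ADComputer -Identity $ConnectorHost).SID

# Look up the schemaIDGUID of the 'computer' object class instead of hard-coding it
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$TargetOU"

# "Create selected objects in this folder" / "Delete selected objects in this folder" for Computer objects
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# "Full Control" over the Computer objects that will sit beneath the OU
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs held by the connector host's computer account on the OU
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$ConnectorHost`$" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

Scope the delegation to the OU from the Domain Join profile only; the connector host does not need these rights anywhere else in the domain.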

▶ Install the Intune Connector

  • Turn off Internet Explorer Enhanced Security Configuration. It is enabled by default on Windows Server, and you may be unable to sign in to the Intune Connector for Active Directory until it is turned off for the Administrator.
  • In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Intune Connector for Active Directory > Add.

  • Follow the instructions to download the Connector.
  • Open the downloaded Connector setup file, ODJConnectorBootstrapper.exe, to install the Connector.

  • At the end of the setup, select Configure.

  • Select Sign In.

  • Enter the Global administrator or Intune administrator role credentials. The user account must have an assigned Intune license.

  • Go to Devices > Windows > Windows enrollment > Intune Connector for Active Directory, and then confirm that the connection status is Active.

▶ Configure web proxy settings

If your network includes a web proxy, make sure the Intune Connector for Active Directory works through it by following the Microsoft document Work with existing on-premises proxy servers.

▶ Create a device group

  • Create a group from Groups > New group.
  • In the Group pane, choose the following options:

  1. For Group type, select Security.
  2. Enter a Group name and Group description.
  3. Select a Membership type.

  • If you selected Dynamic Device for the membership type, in the Group pane, select Dynamic device members.
  • Select Edit in the Rule syntax box and enter one of the following rules:

  1. To create a group that includes all your Autopilot devices, enter (device.devicePhysicalIds -any _ -contains "[ZTDId]").
  2. Intune's Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881").
  3. To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342").

  • Select Save > Create.

▶ Register your Autopilot devices

Choose one of the methods below to enroll your Autopilot devices.

▶ Register Autopilot devices that are already enrolled

  1. Create an Autopilot deployment profile with the option Convert all targeted devices to Autopilot set to Yes.
  2. Assign the profile to a group that includes the members you want Autopilot to automatically register.

Refer to Episode 9D for more information on creating the deployment profile.

▶ Register Autopilot devices that aren't enrolled

If your devices have not yet been registered, you can register them yourself. Refer to this Microsoft document for manual registration.

▶ Register devices from an OEM

If you're buying new devices, some OEMs can register the devices for you. Refer to this Microsoft document for OEM registration.

Now you will see that the devices exist in both on-premises AD and Azure AD, which makes them hybrid Azure AD-joined devices. This is the end of the Windows device enrollment section. In the next article we will look at the iOS/iPadOS enrollment section.

#microsoftazurecloud #intune #azurecloudengineer #autopilot #cloudcomputingservices #companybranding #m365 #saas #Modernworkplaceengineer #itinfrastructuremanagement #modernworkplace #digitalworkplace #itsecurity #Windowsenrollment #hybridazureadjoined #Intuneconnector #azureactivedirectory #activedirectory #learningandgrowing #linkedinconnections #linkedincommunity #like #share #support