Get your Tenant ready for Intune device enrollment

If you want to use Microsoft solution of endpoint management a few steps need to be done for using Intune in its full potential. Intune Endpoint Management Console is enpowering all parts from enrollment, managing, app distribution, security perspectives, update guidelines and more. It's the main platform you will be using for getting all tasks done to master endpoints.

Microsoft Enpoint Manager (you should using this because the Azure portal variante will be retired on 1. August 2020)

Prerequisits

Before we're getting started, a few things are essential. Be aware that all I am leading you through is just for an Azure AD deployment and does not cover hybrid scenarios fully.

• You need a Microsoft tenant
• a user with corresponding licensing (Micrsoft Enterprise & Mobility + Security E3/E5)
• devices that are ready to get enrolled with Intune (to get devices assigned to an individual tenant use Michael Niehaus Script with the parameter -online to import it directly. (just run the script once and login with your domain credentials)

What you need to do

• Add Intune as MDM & MAM authority go to the Azure portal then Azure Active Directory, scroll down to Mobility (MDM and MAM) and add an Application containing following values:
  
  Select a group with membership of your user or set it to all. Also make sure you don't use the same groups for MDM and MAM since this can lead into problems.
• Create a deployment profile that is targeted on your user group with all settings configured. Generally the most easy scenario is a User-Driven Azure AD joined device, so you can basically leave everything on defaults.
  
• Optional create an Enrollment Status Page (ESP) while enrolling the device this is what gets displayed and shows the state off all configurations/policies affected on the device.
  
• Take a look on all enrollment restrictions. It's important to allow Windows MDM for enrollment in the device type restrictions. Additionally control your device limit restrictions.
  
• Check permissions to join a device to Azure AD in the Azure portal in Azure AD>Devices. Depending on the security requirements you may not want to let users join devices to Azure AD (or MFA is compulsory).
  

At this point all major parts are ready. Now make sure the deviceID is uploaded via. the script and the device is visible in Windows enrollment>Devices. In here assing the device to a group (or create a dynamic group if you want to create a group that includes all of your Autopilot devices, type:

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]")) )

And do not attempt to enroll a device before the profile status is assinged - otherwise the device will fail in communication.

Device flow

1. Start up the device
2. Go through OOBE (Out of the box experience) until user credentials are required
3. Login with the specified user
4. The device will now start to talk with Intune and request a profile with the scenario, tenant information and all (e.g. device configuraiton profiles, policies, endpoint security...) whats assigned to this device or user.
5. Configuration will now take happen on the device and hopefully it will result successfully.
6. The device is now business ready.

So thats the simple workflow of enrolling a device with Microsoft Intune. Azure AD join would always be my recomendation as it's pretty easy to work with.