Using Intune Autopilot to deploy and manage newly setup Windows 10 & 11 devices?

Question

Using Intune Autopilot to deploy and manage newly setup Windows 10 & 11 devices?

EnterpriseArchitect 2,391

People,

I have a Hybrid Azure AD setup with Azure AD Premium P2.
The OnPremise AD DS is synched with Azure AD Connect.

The Intune license is also available from: https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/TenantAdminMenu/~/tenantStatus page.

How can I set up the Intune - Autopilot for newly purchased or set up Windows 10/11 devices for my remote workers across the globe, so they don't have to send in their laptops back to the head office?

The goal is for the remote workers with the new laptops and internet connections to achieve the below:

Join the AD domain MyCompany.local
Configure and Deploy Group Policy for company branding, etc...
Remotely install software

I await any help and suggestions.

Answer 1

Crystal-MSFT 22,121 Microsoft Vendor

@Enterprise Architect, Thanks for posting in Q&A. For your situation to deploy Autopilot Hybrid Azure AD join not in office, you can use VPN. The VPN connection either needs to be automatically established (e.g. “always on”) or it needs to be one that the user can manually initiate from the Windows logon screen.

And the needed VPN configuration needs to be applied during device ESP.

Here is a link with more details for your reference:

https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/

Note: Non-Microsoft link, just for the reference.

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

EnterpriseArchitect 2,391 Reputation points

2023-03-06T09:49:37.74+00:00

@Crystal-MSFT , Thank you for the reply.
I am using SSL Tunneling VPN with PaloAlto Global Protect, would it be possible to allow my newly purchased device to join into my tenant Azure AD, and then become Hybrid Azure AD Join to my OnPremise MyCorp.local domain, without VPN ?
Crystal-MSFT 22,121 Reputation points Microsoft Vendor

2023-03-07T01:35:56.31+00:00

@Enterprise Architect, Thanks for the reply. Based as I know, Hybrid Azure AD joined device needs to contact DC to do domain join. the devices needs to be in the office or use VPN to connect to Office network. So I am afraid not.
Crystal-MSFT 22,121 Reputation points Microsoft Vendor

2023-03-09T02:11:18.0166667+00:00

@Enterprise Architect, Hope things are going well. I am writing to see if there's anything else we can help. If yes, feel free to let us know.
EnterpriseArchitect 2,391 Reputation points

2023-03-09T02:44:30.63+00:00

Hi @Crystal -MSFT, based on your clarification, I assume I can follow the steps defined in https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-devices-with-intune-overview?view=o365-worldwide after the license has been purchased.

Do I need to manually assign it to the users or devices manually?

Because we have thousands of users and also endpoints, that will be rather hard to manually assign them one by one.
Crystal-MSFT 22,121 Reputation points Microsoft Vendor

2023-03-09T05:37:13.6633333+00:00

@Enterprise Architect, Thanks for the reply. To assign licenses to multiple users, you can assign to group. Here is a link with more details for the reference:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups#assign-licenses-to-users-or-groups

For device license, it will be used automatically when the device is enrolled.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses#device-only-licenses

Hope it can help.

Answer 2

Pavel Yannara Mirochnitchenko 7,101

Consider carefully, do you still need Active Directory for this. Specially I would avoid using legacy AD for Computer Accounts, cloud-only would make life much easier. You could leave user accounts as hybrid with AD if you need. Also Group Policies would go away when moving to Intune.

EnterpriseArchitect 2,391 Reputation points

2023-03-06T08:24:47.6766667+00:00

@pavel , I'm using Hybrid AD since there is Exchange Server OnPremise that cannot be decommissioned, there are no mailboxes at all, but it is due to Microsoft, hence I am stuck with Hybrid AD.

Answer 3

Rudy Ooms 456

Try to move over from haadj to aadj for new devices... if you stick to haadj you need to make sure you configure all the requirements to enroll a device with autopilot to your ad and azure/intune
Move over from haadj to aadj for new devices :P ....you don't want to end up in a world of pain when you want to use haadj and autopilot :)

EnterpriseArchitect 2,391 Reputation points

2023-03-06T09:45:27.22+00:00

@Rudy Ooms , Thank you for the suggestion, not sure if the existing HAADJ config can be "moved" into just Azure AD join, since the Workstation must be joined to the OnPremise AD domain MyCorp.local for the GPO and legacy apps to works locally.
Rudy Ooms 456 Reputation points

2023-03-06T14:42:36.73+00:00

Thats why making sure those new aadj enrolled devices would get the config with intune would be the proper way. Besides intune, you still have sso from your aadj devices to your servers on premises (for legacy apps that don't require device auth)

Using Intune Autopilot to deploy and manage newly setup Windows 10 & 11 devices?

2 additional answers

Activity