Enroll HoloLens in MDM

Article
05/24/2022
4 minutes to read
Applies to:

HoloLens (1st gen), HoloLens 2

You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You'll be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See Manage devices running Windows Holographic with Microsoft Intune, the configuration service providers (CSPs) that are supported in Windows Holographic, and the policies supported by Windows Holographic for Business.

Note

Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you upgrade to Windows Holographic for Business.

Requirements

Your organization will need to have Mobile Device Management (MDM) set up in order to manage HoloLens devices. Your MDM provider can be Microsoft Intune or a 3rd party provider that uses Microsoft MDM APIs.

Enrollment per scenario

Depending on what stage you are in your deployment we have the following recommendations:

For multi-user shared devices being deployed in production it is suggested you use Autopilot.
For multi-user shared devices that are being initially part of a pilot program, Azure AD Join during OOBE should be sufficient.
For a proof of concept joining a device via the Settings menu may suit your needs if you don't need multiple users per device.

Different ways to enroll

Depending on the type of identity chosen either during OOBE or post sign-in, there are different methods of enrollment.

Note

If your tenant is in a GCC High enviorment you will be unable to select "sign in from another device". You'll need to manually enter your user credentials.

For Multi-User Shared Devices

If Identity is Azure AD and device has been pre-registered with Intune MDM server with specific configuration profile assigned to it, then Azure AD-Join and automatic MDM enrollment will occur during OOBE.
- Also called Autopilot flow Available in 19041.1103+ builds.
If Identity is Azure AD, the during OOBE device can enroll.
- For Azure AD, automatic MDM enrollment only occurs if Azure AD has been configured with enrollment URLs.

For Single User Devices

If Identity is Azure AD, then either during OOBE or Settings App -> Access Work or School -> Connect button.
- For Azure AD, automatic MDM enrollment only occurs if Azure AD has been configured with enrollment URLs.
If Identity is MSA, then using Settings App -> Access Work or School -> Connect button.
- Also called Add Work Account (AWA) flow.
If Identity is Local User, then using Settings App -> Access Work or School -> Enroll only in device management link.
- Also called pure MDM enrollment flow.

Once the device is enrolled with your MDM server, the Settings app will now reflect that the device is enrolled in device management.

Auto-enrollment in MDM

If your organization has an Azure Premium subscription, is using Azure Active Directory (Azure AD) and an MDM solution that accepts an Azure AD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. Learn how to configure Azure AD enrollment and Azure active directory integration with MDM for detailed background information.

When auto-enrollment is enabled, no extra manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.

When a device is Azure AD Joined it may affect who considered the device owner.

Unenroll HoloLens from Intune

Depending on the enrollment method, unenrolling your device may not be available.

If your device was enrolled with an Azure AD account or Autopilot, it can’t be unenrolled from Intune. If you wish to unjoin HoloLens from Azure AD or rejoin it to a different to Azure AD tenant, you must reset/reflash the device.

If your device was enrolled from an MSA account that added a work account or from a Local account that enrolled only in device management, then you may unenroll the device. Open the Start menu and then select Settings App -> Access Work or School -> YourAccount -> Disconnect button.

Enrollment troubleshooting

Ensure device is successfully connected to Internet before attempting enrollment post OOBE

Once user has signed-in, ensure internet connection by browsing to any internet facing website on device.

Ensure that Azure Active Directory (Azure AD) join is not disabled in your Azure AD tenant

Refer to Configure your device settings for information about the available options in Azure portal.

Ensure valid license is assigned to the user

Refer to Troubleshoot Windows device enrollment problems in Microsoft Intune specifically following sections, that is, Check device type restrictions and Assign a valid license to the user.

Ensure that MDM enrollment isn't blocked for Windows devices

In order for enrollment to succeed you'll need to make sure that your HoloLens devices can enroll. Since HoloLens is considered a Windows device, there will need to be no enrollment restrictions that could block your deployment. Review this list of restrictions and ensure you'll be able to enroll your devices.