Overview
This page covers the essential requirements for enrolling a Windows device into Intune. It focuses on best-practice setups and does not cover every possible enrolment scenario.
During new deployments and testing, customers may run into issues specific to their environment. Our Device Support Team is available to help resolve these before production roll-out.
Use this page as a reference for initial and User Acceptance Testing (UAT) in a new environment. Bring Your Own Device (BYOD) enrolments, Entra hybrid joined enrolments and co-managed enrolments have additional requirements that are not covered here.
Requirements
Ordering Vanilla Windows Devices
When planning to enrol devices in Intune, request "clean" or "vanilla" Windows devices, that is, devices with minimal pre-installed software or customisation. This has several advantages, listed below. Dell sells these as "Ready Image" devices; HP calls them "Corporate Ready" devices.
- Simplified Management:
  - Reduced Complexity: Vanilla devices provide a clean slate, minimising pre-installed software that can interfere with Intune policies, cause conflicts or introduce vulnerabilities. This simplifies management and reduces troubleshooting effort.
  - Consistent Configuration: A consistent base image makes it easier to apply uniform configurations and security settings across all devices through Intune, giving a consistent and secure environment.
- Enhanced Security:
  - Reduced Attack Surface: Less pre-installed software means fewer applications, and therefore fewer vulnerabilities, for an attacker to exploit. Pre-installed OEM utilities and their update agents also sit outside the patching you manage through Intune.
  - Improved Control: With vanilla devices you control what is installed, so only necessary and approved applications are present.
- Improved Performance:
  - Optimised Resource Utilisation: Devices with minimal pre-installed software typically perform better and have longer battery life because less is consuming resources.
  - Faster Boot Times: Fewer startup applications mean faster boot times and a better user experience.
Hardware ID Import
We strongly advise blocking personal devices from enrolling into Intune. Corporate devices must then be registered in Windows Autopilot by importing their hardware ID (hardware hash), so that they are recognised as corporate during enrolment. For step-by-step instructions on capturing the hardware hash and importing it into Autopilot, refer to the following two Knowledge Base (KB) articles:
- How to Capture Hardware Hash on a Windows device – Devicie Support Home
- How to Import hardware hash CSV file to Intune – Devicie Support Home
The following three methods involve a third party, so Devicie support for them may be limited:
- Ask the device manufacturer, giving them your Intune tenant ID, to register newly purchased devices in your Autopilot tenant automatically.
- If you have already purchased devices from a manufacturer and hold a business account with them, you may be able to request a CSV of the hardware IDs and then import it into Autopilot following the KB article above.
- Ask your Cloud Solution Provider (CSP) to import your existing devices into Intune on your behalf.
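The capture step in the KB articles above, as an added example that is not part of the Devicie KB or of Microsoft's tooling. It reads the hardware hash from the MDM bridge WMI provider on the device itself, writes the CSV in the column layout the Intune admin centre import expects, and validates the file before you hand it over. Run it from an elevated PowerShell session on the device (for example via Shift+F10 during OOBE); the output path and the optional Group Tag column are assumptions for this example.

```powershell
# Added example: capture the Autopilot hardware hash of the local device
# and write it to a CSV ready for import into Intune. Not from the KB.
#Requires -RunAsAdministrator
param(
    [string] $OutputFile = "$env:SystemDrive\HWID\AutopilotHWID.csv",   # assumed path
    [string] $GroupTag   = ''                                            # optional "Group Tag" column
)

# The hash is exposed by the MDM bridge provider in root/cimv2/mdm/dmmap.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw 'Could not read DeviceHardwareData; run elevated on a physical Windows device.'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
# The Windows Product ID column is optional for the import and is left empty here.
$productId = ''

# The import is strict about the header line: exact names, comma separated, no quotes.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag'
$row    = "$serial,$productId,$($devDetail.DeviceHardwareData),$GroupTag"

New-Item -ItemType Directory -Path (Split-Path $OutputFile) -Force | Out-Null
# The hash is base64 (ASCII only), so an ASCII file with no BOM is safe for the import.
Set-Content -Path $OutputFile -Value @($header, $row) -Encoding ascii

# Sanity check before import: one row, header intact, hash present.
$csv = @(Import-Csv -Path $OutputFile)
if ($csv.Count -ne 1 -or [string]::IsNullOrEmpty($csv[0].'Hardware Hash')) {
    throw "CSV validation failed: $OutputFile"
}
Write-Host "Hardware hash for serial '$serial' written to $OutputFile ($($devDetail.DeviceHardwareData.Length) characters)"
```

Copy the resulting file off the device and import it following the second KB article. If you do not use group tags, leave the parameter empty; the import accepts an empty Group Tag column.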
Intune License
Every user who will enrol a device into Intune must have an Intune licence assigned to their account.
Besides the standalone Intune licence, Intune is included in the following licences:
- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3
- Microsoft Intune for Education
- Microsoft 365 Education A5
- Microsoft 365 Education A3
Entra Joined Device Enrolment Setting
Unless there is a specific, justified reason to block all users from joining devices to Entra ID, adjust the Entra ID device setting that controls this.
In the Entra admin centre, navigate to Entra ID > Devices > Device settings > Microsoft Entra join and registration settings, and set "Users may join devices to Microsoft Entra" to "All".
Intune "Automatic Enrolment"
Because personal device enrolment is already blocked by the enrolment device platform restrictions, there is no compelling reason to stop all users from enrolling into Intune: set the MDM user scope to "All". Even with all users permitted, a device can only enrol if its hardware ID has been imported into Intune, and only accounts with Intune administrative rights (the Intune Administrator or Global Administrator roles) can import devices. That is what makes the "All" option safe.
Adjust this setting here:
Enroll devices - Microsoft Intune admin center
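The three tenant settings this section depends on (Entra join allowed for all users, MDM user scope set to All, and personal Windows enrolment blocked) can be read back with Microsoft Graph. The following pre-flight check is an added example, not Devicie's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can read policy and Intune service configuration, and that the beta endpoints `policies/deviceRegistrationPolicy` and `policies/mobileDeviceManagementPolicies` keep their current shape.

```powershell
# Added pre-flight check (not from the Devicie KB): report whether the tenant
# matches the recommended state before opening enrolment to all users.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.Read.All', 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Entra join: "Users may join devices to Microsoft Entra" should be All
#    (beta schema assumed: azureADJoin.allowedToJoin is a membership type).
$regPolicy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$joinType  = $regPolicy.azureADJoin.allowedToJoin.'@odata.type'
$joinOk    = $joinType -eq '#microsoft.graph.allDeviceRegistrationMembership'
$findings.Add(("Entra join allowed for: {0} -> {1}" -f $joinType, $(if ($joinOk) { 'PASS' } else { 'REVIEW' })))

# 2. Intune automatic enrolment: MDM user scope should be All.
$mdm = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies').value |
    Where-Object { $_.displayName -eq 'Microsoft Intune' }
$findings.Add(("MDM user scope: {0} -> {1}" -f $mdm.appliesTo, $(if ($mdm.appliesTo -eq 'all') { 'PASS' } else { 'REVIEW' })))

# 3. The reason All is safe: personal Windows devices must be blocked by the
#    enrolment platform restrictions. Both the legacy (plural) and the
#    per-platform (singular) restriction types are inspected.
$configs = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations').value
$personalBlocked = $false
foreach ($c in $configs) {
    switch ($c.'@odata.type') {
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
            if ($c.windowsRestriction.personalDeviceEnrollmentBlocked) { $personalBlocked = $true }
        }
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' {
            if ($c.platformType -eq 'windows' -and $c.platformRestriction.personalDeviceEnrollmentBlocked) { $personalBlocked = $true }
        }
    }
}
$findings.Add(("Personal Windows enrolment blocked: {0} -> {1}" -f $personalBlocked,
    $(if ($personalBlocked) { 'PASS' } else { 'FAIL: block personal Windows enrolment before setting MDM user scope to All' })))

$findings | ForEach-Object { Write-Host $_ }
```

The order of the checks matters: the third finding is the control that makes the first two safe, so treat a FAIL there as blocking even if the other two already say PASS.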
Windows 10 or 11 with Pro SKU
Known Issue with Non-Admin Users Registering Enterprise or Education Licensed Devices into Intune
Organisations with Windows Enterprise licences expect their devices to end up on the Enterprise SKU. However, there is a known issue that stops non-admin users from registering Enterprise- or Education-licensed devices into Intune when CIS control 18.9.4.2 is enabled.
As a workaround, deploy devices with the Pro SKU and assign the user's Windows Enterprise licence; Windows subscription activation then steps the edition up to Enterprise automatically after enrolment.
For details of the issue and the resolution options, see the following Knowledge Base (KB) article and blog post:
- Knowledge Base (KB) Article: Autopilot Issue post ESP: "Something Went Wrong" Error during User Setup – Devicie Support Home
- Blog Post: Something Went Wrong | User | Account ESP | Autopilot (call4cloud.nl)
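To confirm the workaround has done its job, check on the device which edition is running and what licence it is activated against. This is an added example, not from the Devicie KB; it uses only the documented Win32_OperatingSystem and SoftwareLicensingProduct WMI classes, and the SKU-to-name table covers just the editions relevant to this page.

```powershell
# Added example (not from the Devicie KB): show the current Windows edition
# and activation state, and whether the Pro -> Enterprise step-up has occurred.
# Run on the device after the user's Enterprise licence has been assigned.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# OperatingSystemSKU values from the Win32_OperatingSystem documentation
# (subset): 48 = Professional, 4 = Enterprise, 125 = Enterprise LTSC, 121 = Education.
$skuNames = @{ 48 = 'Professional'; 4 = 'Enterprise'; 125 = 'Enterprise LTSC'; 121 = 'Education' }
$sku      = [int]$os.OperatingSystemSKU
$edition  = if ($skuNames.ContainsKey($sku)) { $skuNames[$sku] } else { "SKU $sku" }

# The Windows licence currently holding a product key
# (55c92734-... is the application ID for Windows itself).
$lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationId='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL" |
    Select-Object -First 1
$status = switch ([int]$lic.LicenseStatus) {
    0 { 'Unlicensed' } 1 { 'Licensed' } 2 { 'OOB grace' } 3 { 'OOT grace' }
    4 { 'Non-genuine grace' } 5 { 'Notification' } 6 { 'Extended grace' } default { 'Unknown' }
}

[pscustomobject]@{
    Caption       = $os.Caption
    Edition       = $edition
    LicenseName   = $lic.Name
    LicenseStatus = $status
    # Professional is expected on first boot; Enterprise once subscription activation has run.
    StepUpDone    = ($edition -like 'Enterprise*')
}
```

If StepUpDone stays false after the user has signed in with a licensed account and the device has been online for a while, confirm the Enterprise licence is actually assigned to that user before looking anywhere else.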
Cloud Sync Requirement for Device Enrollment into Intune
Even where an organisation still runs on-premises Active Directory, users must be synchronised to Entra ID before they can enrol devices into Intune.
Groups created on-premises that you intend to target with Intune assignments must be synchronised as well. Use Microsoft Entra Connect (formerly Azure AD Connect) for this.
With users and groups present in Entra ID, Intune can resolve the assignments that drive enrolment and management, and users get a single, integrated experience.
Entra ID Connect: Get started by using express settings - Microsoft Entra | Microsoft Learn
Ensuring Proper Configuration for Pilot Users and Devices in Intune
For a successful pilot, verify that your pilot users and/or devices are members of the designated pilot groups. Where the deployment is filtered to a specific group of users or devices (for example, to avoid conflicts with devices already enrolled in Intune), only members of those groups receive the intended policies and configurations, so the relevant users and/or devices must be added to them.
Organising pilot users and devices into the right groups gives you a controlled test environment in which to assess the deployment and find problems before a wider roll-out, with fewer disruptions and useful input for fine-tuning the process.
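The licence, cloud-sync and pilot-group requirements from the three sections above can be checked together for a pilot group before anyone tries to enrol. The following readiness report is an added example, not from the Devicie KB: it assumes the Microsoft.Graph PowerShell SDK, a signed-in account that can read users and groups, and a placeholder pilot group name. It keys on the INTUNE_A service plan, which is the Intune plan carried by all the licences listed above.

```powershell
# Added example (not from the Devicie KB): readiness report for a pilot group.
# For each user member: is an Intune service plan provisioned, is the account
# enabled, and is it synced from on-premises AD or cloud-only.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome

$pilotGroupName = 'Intune Pilot Users'   # placeholder: your pilot group display name

$group = Get-MgGroup -Filter "displayName eq '$pilotGroupName'" -Property Id, DisplayName, OnPremisesSyncEnabled
if (-not $group) { throw "Group '$pilotGroupName' not found in Entra ID" }
Write-Host ("Group '{0}' synced from on-premises AD: {1}" -f $group.DisplayName, [bool]$group.OnPremisesSyncEnabled)

$report = foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    # Nested groups and device objects are skipped; only users enrol devices.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user  = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
    # Service plans come from whichever licence SKU(s) the user holds; INTUNE_A is the Intune plan.
    $plans  = Get-MgUserLicenseDetail -UserId $user.Id | ForEach-Object { $_.ServicePlans }
    $intune = $plans | Where-Object { $_.ServicePlanName -like 'INTUNE_A*' } | Select-Object -First 1

    [pscustomobject]@{
        UPN            = $user.UserPrincipalName
        Enabled        = $user.AccountEnabled
        SyncedFromAD   = [bool]$user.OnPremisesSyncEnabled
        IntuneLicensed = ($null -ne $intune -and $intune.ProvisioningStatus -eq 'Success')
        PlanStatus     = if ($intune) { $intune.ProvisioningStatus } else { 'none' }
    }
}

$report | Format-Table -AutoSize
$notReady = @($report | Where-Object { -not $_.IntuneLicensed -or -not $_.Enabled })
if ($notReady.Count -gt 0) { Write-Warning ("{0} pilot user(s) are not ready to enrol" -f $notReady.Count) }
```

A plan status other than Success (for example PendingProvisioning right after assignment) will also fail a real enrolment, so wait for it to settle rather than assuming the licence is in place.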
Requirement for Connection during Out Of Box Experience (OOBE) in Autopilot
For a smooth Out Of Box Experience (OOBE) with Autopilot, the device needs a stable Ethernet or Wi-Fi connection. During OOBE the device contacts Microsoft's Autopilot services to check whether its hardware hash is registered to a tenant; if it is, the device receives its Autopilot profile from Intune and reboots before reaching the enrolment status page (ESP).
A reliable connection during this phase is what lets the device fetch its configuration from Intune, tie itself to the intended tenant and go on to receive management and policy.
Importance of Whitelisting Microsoft Intune Network Endpoints
Microsoft Intune must be able to reach a specific set of network endpoints to complete device enrolment. Allow these endpoints through your firewall, proxy and any TLS inspection, otherwise enrolment will be interrupted or fail.
Microsoft maintains the list of required endpoints, and it changes over time, so treat allow-listing as something to review rather than a one-off task. Allowing the endpoints ahead of the pilot avoids enrolment failures that are hard to diagnose from the device side.
For the full list of endpoints to allow, see: Network endpoints for Microsoft Intune | Microsoft Learn
Troubleshooting Enrolment Issues with Local Proxy Setup
If you encounter enrolment issues and your environment uses a local proxy, test enrolment with the proxy bypassed to establish whether the proxy is the cause.
If enrolment succeeds without the proxy, the proxy settings (or TLS inspection on the proxy) are interfering with the device's communication with the Intune services; investigate and adjust them. If the issue persists with the proxy bypassed, the problem lies elsewhere: network configuration, device settings or Intune configuration.
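The connectivity requirement, the endpoint allow-list and the proxy test in the three sections above can be exercised from a device with one script. This is an added example, not from the Devicie KB or from Microsoft's documentation: the static host list is a subset chosen for the example (the Microsoft Learn page above remains the authoritative list), and the `-FetchFullList` switch pulls the current MEM service area from Microsoft's endpoint web service instead.

```powershell
# Added example (not from the Devicie KB): probe the endpoints Autopilot and
# Intune enrolment depend on, directly and through the configured proxy.
param([switch] $FetchFullList)

$endpoints = @(
    'login.microsoftonline.com',           # Entra sign-in
    'device.login.microsoftonline.com',    # device authentication
    'enterpriseregistration.windows.net',  # Entra join / device registration
    'enrollment.manage.microsoft.com',     # Intune MDM enrolment
    'portal.manage.microsoft.com',         # Intune service
    'ztd.dds.microsoft.com',               # Autopilot deployment service
    'cs.dds.microsoft.com'                 # Autopilot deployment service
)

if ($FetchFullList) {
    # Microsoft 365 endpoint web service, MEM (Intune) service area.
    # Wildcard entries such as *.manage.microsoft.com cannot be probed directly and are dropped.
    $uri = 'https://endpoints.office.com/endpoints/worldwide?ServiceAreas=MEM&clientrequestid=' + [guid]::NewGuid()
    $endpoints = Invoke-RestMethod -Uri $uri |
        Where-Object { $_.serviceArea -eq 'MEM' -and $_.urls } |
        ForEach-Object { $_.urls } |
        Where-Object { $_ -notlike '*`**' } |
        Sort-Object -Unique
}

# Test-NetConnection opens a direct TCP socket and ignores the system proxy,
# so this answers "can the device reach Microsoft at all" (DNS + routing + port 443).
$direct = foreach ($h in $endpoints) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $h; Resolved = ($null -ne $t.RemoteAddress); Tcp443 = $t.TcpTestSucceeded }
}
$direct | Format-Table -AutoSize

# Same hosts through whatever proxy the session is configured with. Any HTTP
# status, even a 4xx for the root path, means the proxy passed the request;
# no HTTP response while the direct TCP test passed points at the proxy or
# its TLS inspection, which is what the bypass test above isolates.
foreach ($h in $endpoints) {
    try {
        $code = [int](Invoke-WebRequest -Uri "https://$h/" -UseBasicParsing -Method Head -TimeoutSec 10).StatusCode
        $note = "HTTP $code (proxy passed request)"
    } catch {
        $resp = $_.Exception.Response
        $note = if ($resp) { "HTTP $([int]$resp.StatusCode) (proxy passed request)" } else { "no HTTP response: $($_.Exception.Message)" }
    }
    Write-Host ("{0,-40} {1}" -f $h, $note)
}
```

Run it before the pilot from a machine on the same network segment and with the same proxy configuration that the Autopilot devices will use; a result that differs between the direct and proxied passes is the quickest confirmation that the proxy, not the network, is the problem.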
Windows LAPS Configuration
When implementing Windows Local Administrator Password Solution (LAPS), set Entra ID > Devices > Device settings > Local administrator settings > "Enable Microsoft Entra Local Administrator Password Solution (LAPS)" to "Yes".
Without this tenant-level setting, devices cannot back up their local administrator passwords to Entra ID and the feature will not function.
Windows LAPS improves security by automatically rotating a unique, complex password for the managed local administrator account on each device and backing it up to Entra ID (for Entra joined and hybrid joined devices) or to on-premises Active Directory. The Entra setting is the prerequisite; the per-device behaviour (which account, rotation interval, complexity) is then configured through Intune policy.
Configuring this correctly strengthens local administrator account management across your managed devices.
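To verify the setting from both ends, the following added example (not from the Devicie KB) first reads the tenant switch back through Graph and retrieves a device's backed-up password, then, on the device, forces a LAPS policy pass and shows the LAPS operational log. It assumes the Microsoft.Graph PowerShell SDK, a signed-in account with the `DeviceLocalCredential.Read.All` scope and a directory role allowed to read LAPS passwords, the beta `policies/deviceRegistrationPolicy` schema, a placeholder device name, and the built-in LAPS PowerShell module on the device.

```powershell
# Added example (not from the Devicie KB): confirm Entra LAPS is enabled and
# that a device has actually backed up a password.

# ---- Part 1: tenant side (admin workstation) ----
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.Read.All', 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome

# The "Enable Microsoft Entra LAPS" toggle surfaces as localAdminPassword.isEnabled (beta schema assumed).
$policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
if (-not $policy.localAdminPassword.isEnabled) {
    throw 'Entra LAPS is disabled: set "Enable Microsoft Entra LAPS" to Yes under Entra ID > Devices > Device settings'
}

$deviceName = 'PILOT-LAPTOP-01'   # placeholder
$device = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$deviceName'").value | Select-Object -First 1
if (-not $device) { throw "Device '$deviceName' not found in Entra ID" }

# deviceLocalCredentials is keyed by the device's Entra device ID (deviceId), not its object id.
$cred   = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$($device.deviceId)?`$select=credentials"
$latest = $cred.credentials | Sort-Object backupDateTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No LAPS backup found for '$deviceName': check the Intune LAPS policy targets this device" }

# passwordBase64 is the UTF-8 password, base64 encoded. Decode only when you need it,
# and treat the decoded value as a secret (it is not written out here).
$password = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($latest.passwordBase64))
Write-Host ("{0}: account '{1}' backed up at {2} ({3} characters)" -f $deviceName, $latest.accountName, $latest.backupDateTime, $password.Length)

# ---- Part 2: device side (elevated PowerShell on the managed device) ----
function Test-LapsOnDevice {
    # Forces an immediate policy pass so you do not have to wait for the next scheduled rotation.
    Invoke-LapsPolicyProcessing
    # The operational log records whether the backup to Entra ID succeeded or why it did not.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
```

Part 1 failing at the first check is the exact symptom this section is about; Part 1 passing the first check but finding no backup usually means the Entra switch is on but no Intune LAPS policy is reaching the device, which Part 2's log will say explicitly.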