
INTUNE FAQ

Bartlomiej Cezak

Global Head of Schools IT Transformation

CONTENTS
How to purchase pre-enrolled Windows devices for Intune management?
  Microsoft devices
  3rd party devices
How to enrol existing Windows devices for Intune management?
  Setting up a pilot deployment
Deployment accounts
Shared devices
Administrative accounts
  Manually add a local administrator to the device
Microsoft Store
Motherboard replacement / TPM issues
Interacting with DCS support

HOW TO PURCHASE PRE-ENROLLED WINDOWS DEVICES FOR INTUNE MANAGEMENT?

If you order new computers, you can ask the vendor to register the hardware hash with Intune for you.

Important: you must request this before ordering the devices. The vendor performs the registration at
the manufacturing stage, so if you provide this information after placing the order they may no longer
be able to do it. Most likely the vendor's salesperson must add this information to their system when
creating the configuration or ordering the equipment.

The process differs between vendors, but there seem to be two general procedures:

MICROSOFT DEVICES
As we have experienced with Microsoft Surface, the distributor will send you an Excel file with
hardware hashes, which you can send to [email protected] for importing. Microsoft generates these
automatically from the serial numbers, so they can do it even after the point of sale. However,
their partners do not seem to know the process well, and it takes some effort to get them to
request this from Microsoft.

3RD PARTY DEVICES
Other vendors will not provide you with the hardware hash; instead they will register the devices
directly in Intune. Below is the information from the Microsoft web page
https://docs.microsoft.com/en-us/mem/autopilot/add-devices:

While the hardware hashes are generated as part of the OEM device manufacturing process, these
should not be provided directly to customers or CSP partners. Instead, the OEM should register
devices on the customer's behalf.

To be able to do this, the vendor must be registered to add devices to the tenant. The current status
of the vendor in any particular tenant can be confirmed here:
https://educationstore.microsoft.com/en-us/manage/partners

A vendor will need three pieces of information to register the devices in Intune: GroupTag,
CloudAssignedTenantDomain and CloudAssignedTenantId.

GroupTag is the three-letter school code (can be found here: IT Transformation - Schools List - All
Items (sharepoint.com)). NAE Corporate does not need to supply a Group Tag (can be left empty).

When placing the order for the devices, please make sure to let the salesperson know that they need
to fill in the tenant ID, group tag and tenant name on the order. This will add the devices automatically
to the Office365 tenant.

As an example, the process for Dell is described here:
https://www.dell.com/en-uk/work/shop/help-me-choose/cp/hmc-autopilot

HOW TO ENROL EXISTING WINDOWS DEVICES FOR INTUNE MANAGEMENT?

The first thing that's needed is to extract a hardware hash from the device, and upload it into the
Autopilot database. The procedure for hash extraction is shown here:
https://naecentral.sharepoint.com/sites/BC-Infrastructure/SitePages/Items/Enrollment/Supervised-device-registration.aspx#windows-10
When you have the hash, please send it to [email protected], and it will be uploaded into the
Autopilot database.
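As an added example (not part of the original FAQ or of the linked SharePoint procedure), the script below reads the hardware hash from the local device through the same WMI class that Microsoft's published Get-WindowsAutopilotInfo script uses, and writes it to a CSV in the Autopilot import format so it can be sent to DCS support as described above. The output path and the group tag parameter are choices made for this example.

```powershell
# Added example: collect the Windows Autopilot hardware hash of the local device and
# write it to a CSV in the Autopilot import format. Not part of the original FAQ.
# Run from an elevated PowerShell prompt on the device itself.
# Assumptions: the output path and the group tag parameter are chosen for this example.
#Requires -RunAsAdministrator
param(
    [string]$OutputFile = "$env:USERPROFILE\Desktop\AutopilotHWID.csv",
    [string]$GroupTag   = ''    # three-letter school code; leave empty for NAE Corporate
)

# Serial number from the BIOS/SMBIOS table
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
if ([string]::IsNullOrWhiteSpace($serial)) { throw 'Could not read the device serial number.' }

# The hardware hash is exposed by the MDM bridge WMI provider (root/cimv2/mdm/dmmap).
# This is the same class and filter Microsoft's Get-WindowsAutopilotInfo script reads.
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'Hardware hash not available: check that the prompt is elevated and the device runs Windows 10 1703 or later.'
}

# The Autopilot CSV has a fixed header; the Windows Product ID column may be left empty.
# Quotes added by ConvertTo-Csv are stripped to match the file Get-WindowsAutopilotInfo produces.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutputFile -Encoding ASCII

# Sanity check: the hash is a base64 string, normally several thousand characters long
Write-Host "Serial: $serial"
Write-Host "Hash length: $($hash.Length) characters"
Write-Host "Written to: $OutputFile (send this file to DCS support for import)"
```

The hash identifies the device to the tenant's Autopilot profile, so treat the CSV like any other device identity artifact and send it only through the support mailbox named above. If the device already has internet access, Microsoft's own script does the same job: Install-Script -Name Get-WindowsAutopilotInfo, then Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv.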

The next step is to install a clean Windows 10 OS on the device. The simplest way is to prepare a
USB installation drive and boot from it. The instructions to prepare the USB installation drive are
below:

1. Download and install the Rufus software:
   https://github.com/pbatard/rufus/releases/download/v3.8/rufus-3.8.exe

2. Download the Windows 10 image ISO:
   en-us_windows_10_business_editions_version_21h2_updated_jan_2022_x64_dvd_0b69c5ac.iso

3. Insert your USB drive.

4. Run Rufus, choose your USB drive, select the image file and UEFI partitioning. Leave the rest
   of the settings at their defaults and click Start.
The process for installing the Windows 10 OS can be found below.

1. Please kindly make sure that the device is configured as follows:

   1. BIOS – UEFI is enabled

   2. BIOS – TPM is enabled (if available on the device – it is required for BitLocker
      encryption).

   3. BIOS – Secure Boot is disabled

2. Boot the device from the prepared USB stick, and install Windows 10 Education* (do not
   install Pro Education, or Education N).

*NAE Corporate users should install Windows 10 Enterprise.

To correctly enroll a Windows device, a couple of requirements must be met:

1. The user enrolling the device must have an attached Intune license (it is a part of EMS
license suite).

2. The device needs to be registered in the Windows Autopilot database.

3. The user needs to be a part of the group enabled for device enrollment. During the testing, we
will designate a small user group. After that, it will be extended to the school-wide group.

For device enrollment, please follow the process described here:
https://naecentral.sharepoint.com/sites/BC-Infrastructure/SitePages/Items/Enrollment/Windows10---Supervised1.aspx

Attention: Slide 7 shows “Welcome to Nord Anglia Education” prompt. Please make sure you get that
prompt during deployment – if not, stop the deployment and reboot the device.

SETTING UP A PILOT DEPLOYMENT

To successfully set up a pilot, at least one test device and one user account to be used for testing
are needed.

The test account should be a standard AD account and have an Intune (EMS E3 or E5) licence
assigned. It also needs to be added to the test group, which will have policies assigned.

Please send the user and device information to the assigned DCS engineer, and they will set it up for
you. Please note that if you prefer to use your standard user accounts these are also perfectly fine.

The first step of the pilot requires filing an inquiry form with the basic information about the school's
Windows devices, which would help DCS engineers set up the environment.

DEPLOYMENT ACCOUNTS

The device management system is set up to allow users to enrol the devices with their standard
Active Directory accounts, without the need for IT to prepare the device and install applications
manually. DCS fully recommends the setup to be done using the end user accounts.

However, should it be required to pre-deploy the device in order to minimize the enrolment time for
the user, it can be done using a deployment account. This type of account is a standard Active
Directory user account, with the same configuration as a particular user group that you are deploying
the devices for. Therefore, separate deployment accounts should be used for Teachers,
Administration and Students, and set up with appropriate AD Extension Attribute parameters, so they
are automatically added to the proper dynamic groups (to put it simply, those settings should be
copied from a functioning Active Directory account). A deployment account also requires an Intune
licence.

When a device is deployed, Intune automatically assigns the account used for deployment as the
device’s Primary User. When using a deployment account, this needs to be changed to the correct
user of the device after enrolment, otherwise the user will not be able to use the application store in
the Company Portal.

SHARED DEVICES

A shared device is a computer that is utilised by users who are rotating between Windows devices on
a regular basis. An example of a shared device would be student lab devices (multiple users rotating
on multiple devices); a computer on the reception desk that has two or three regular users does not
need to be considered a shared device.

Shared devices need to be handled differently than 1:1 devices, as the Office apps installation needs
to be put in Shared Activation mode. This allows multiple users to log in to the same device and
activate Office with their own licence without counting this towards the user's activation limit.

Shared devices are assigned a separate profile and require a separate deployment account (although
the deployment account for Students usually has a shared profile attached, as students rarely use
1:1 devices).

Since there is no Primary User for shared devices, it is important to remove the assigned Primary
User for the device in Intune after enrolment. This will put the device in shared mode which will allow
everyone using that device to use the application store in the Company Portal.

ADMINISTRATIVE ACCOUNTS

As per NAE guidelines, standard user accounts should not have administrative rights on the
devices. For each school admin, a dedicated administrative account should be created, in the format
[email protected], and synced to AzureAD. Once such an account is available, a
DCS deployment engineer will grant it the Device Administrator role, which grants local
administrator rights on all the Intune devices.

Currently we are testing the possibility of adding local administrator rights to a limited subset of
devices; however, the functionality is currently not working correctly (it is expected to be fixed in the
Windows 20H2 version, so that build will be required to support it). Until then, a workaround is
possible in special cases (e.g. IT administrators in NAE Regional Offices).

The same admin accounts will be granted rights to the Intune console (https://endpoint.microsoft.com).
Please note that currently admin accounts require an Intune licence assigned.

In the Intune console the school administrators will only see the devices that belong to their school
and will be able to execute approved actions only on those devices. The following set of rights is
currently approved by NAE for school administrators:

● Read-only rights to all native Intune views*

● Send custom notifications

● Enable/Disable lost mode

● Play lost mode sound

● Locate device

● Get FileVault key

● Manage shared device users

● Reboot now

● Remote lock

● Reset passcode

● Shut down

● Sync device

● Wipe

● Set Primary User

● Update token (allows to sync the devices from Apple School Manager)

● Assign ASM profile

* Please note that this does not include access to view BitLocker keys or search the Windows Autopilot
database. This information can be requested through DCS support.

MANUALLY ADD A LOCAL ADMINISTRATOR TO THE DEVICE

Based on the NAE policy, a standard user account should not have admin rights on the local machine.
An AzureAD admin account should be used when elevated privileges are needed.

However, it is possible to grant an account local admin rights manually; in order to do this please
launch an administrative command line, and execute the command:
net localgroup administrators /add "DOMAIN\username"

e.g.:

net localgroup administrators /add "EU\michal.ziolkowski"
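An added example, not part of the original FAQ: a PowerShell wrapper around the same net localgroup command that lists the current Administrators membership, adds the account only if it is not already a member, and prints the membership again so the change can be recorded. The sample account is the FAQ's own; the AzureAD\ prefix form mentioned in the comments is how Windows names Azure AD accounts on an Azure AD joined device.

```powershell
# Added example (not from the original FAQ): add one account to the local Administrators
# group only if it is not already a member, then show the resulting membership.
# Account format: 'DOMAIN\username' for synced AD accounts (the FAQ's example is
# 'EU\michal.ziolkowski'); 'AzureAD\user@domain' for Azure AD accounts on an Azure AD joined device.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)]
    [string]$Account
)

$group = 'Administrators'

function Get-LocalAdminMembers {
    # Parse 'net localgroup' output: members are the lines between the dashed separator
    # and the closing "The command completed successfully." line.
    $lines   = net localgroup $group
    $started = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}$') { $started = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($started -and $line.Trim()) { $line.Trim() }
    }
}

$before = @(Get-LocalAdminMembers)
Write-Host "Current members of ${group}:"
$before | ForEach-Object { Write-Host "  $_" }

if ($before -contains $Account) {
    Write-Host "$Account is already a local administrator; nothing to do."
} else {
    # Same command as in the FAQ; the account is given in DOMAIN\username form
    net localgroup $group /add "$Account"
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    Write-Host "Added $Account to $group."
}

# Re-read membership so the change is visible and can be logged for audit
$after = @(Get-LocalAdminMembers)
Write-Host "Members after change: $($after -join ', ')"
```

Because the FAQ's policy is that standard user accounts must not be local administrators, the "before" listing is the useful part: anything in it that is not a dedicated admin account or an Intune-managed group is a deviation worth raising with DCS support.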

MICROSOFT STORE

By default, installation of apps from the public Microsoft Store is disabled for all the users. It is
possible to install apps from the corporate portion of the Microsoft Store (which contains only
preapproved apps), but it is not recommended – the Intune Company Portal app will supply the app
store functionality for both Microsoft Store and Win32 apps.

For the purpose of evaluating Microsoft Store apps, on request school IT administrators can be
excluded from the policy disabling the public store. Please provide an AzureAD user group that should
be excluded from this policy.

MOTHERBOARD REPLACEMENT / TPM ISSUES

The Windows 10 operating system improves most existing security features in the operating system
by making extensive use of the Trusted Platform Module (TPM). Currently the TPM chips are mostly
integrated into the device motherboard, although some devices can still have a discrete TPM chip.
During enrollment of devices, encryption or setup of applications that use Modern Authentication,
some security information is stored in the TPM and used to communicate with the relevant service.

The biggest issue with motherboard replacement is that the identity data of the device joined to
AzureAD is also stored in the TPM chip, which usually gets replaced as well. That means the device
will lose the trust with the AzureAD domain, and cannot authenticate properly with Office365 apps
using the joined user account.

The device will also get a new hardware hash, which needs to be extracted and replaced in the NAE
Autopilot database.

Microsoft has released an official guide for motherboard replacement:
https://docs.microsoft.com/en-us/mem/autopilot/autopilot-mbr

It states that after the replacement, we should gather the hardware hash, replace it in the Autopilot
database, then reset the device through Intune and redeploy it. The same procedure should be
followed in case of issues with the TPM (for example, a faulty TPM replacement).

That will definitely work, but sometimes the following workaround to reset the TPM may prove
effective as well:

- Suspend BitLocker on the system drive

- Reset the TPM (https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm)

- Restart the PC

- Turn on / resume BitLocker
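The four steps above as an added PowerShell example; this is not from the original FAQ. It assumes the system drive is C:, that the device is Azure AD joined (so the recovery password can be escrowed with BackupToAAD-BitLockerKeyProtector), and an elevated prompt. It adds the check a practitioner wants before clearing a TPM: a recovery password must exist and be backed up first, and Suspend-BitLocker is given a reboot count so protection resumes on its own after the restart even if the last step is forgotten.

```powershell
# Added example (not from the original FAQ): the FAQ's TPM reset workaround as one script.
# Assumptions: system drive is C:, device is Azure AD joined, prompt is elevated.
#Requires -RunAsAdministrator
$mount = 'C:'

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$mount is not BitLocker-protected; nothing to suspend. Clear the TPM directly if needed."
}

# 1. Before touching the TPM make sure a recovery password exists and is escrowed in Azure AD.
#    If the TPM protector cannot be re-sealed after the clear, this is the only way back in.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
$rpId = $rp[0].KeyProtectorId
BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rpId | Out-Null
Write-Host "Recovery password protector $rpId backed up to Azure AD"

# 2. Suspend BitLocker. RebootCount 1 means protection resumes automatically after the next
#    restart, so the drive is never left unprotected if step 4 is skipped.
Suspend-BitLocker -MountPoint $mount -RebootCount 1 | Out-Null
Write-Host "BitLocker suspended on $mount for one reboot"

# 3. Clear the TPM. Windows re-initialises it and takes ownership again on the next boot;
#    some firmware asks for a physical-presence confirmation during that boot.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM present on this device' }
Clear-Tpm | Out-Null
Write-Host 'TPM clear requested'

# 4. Restart. BitLocker resumes on its own (RebootCount 1) and re-seals its key to the fresh TPM.
Restart-Computer -Force
```

After the reboot, Get-BitLockerVolume -MountPoint C: should show ProtectionStatus On again; if it shows Off, run Resume-BitLocker -MountPoint C: manually, which is the FAQ's final step.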


The procedure above works very well with TPM issues related to BitLocker, but in other cases the user
account data used for the domain join may need to be regenerated as well; that requires deleting the
user credential data for any applications that use modern authentication (e.g. Outlook, OneDrive,
Teams).

Another alternative to redeploying the device is disjoining it from AzureAD and joining again
(redeploying is a much easier process, as we can wipe the device from Intune remotely, but if there
are many manual settings on the device it might not be preferable).

In order to do this, you should first create a local administrator account on the device, then log in to
that account and remove the device from Azure AD (Settings -> Accounts -> Access work or school ->
choose the account and Disconnect).

After a restart, login to the local admin account and add it to Azure AD from the same settings panel
as above (it is best to use the user's Azure credentials, or a corresponding deployment account).
Please be sure to select the option: "Join the device to Azure Active Directory" before entering the
email address:

When the motherboard is replaced, a new hardware hash must be generated and replaced in the
Autopilot database. This cannot be done while the device is enrolled in Intune (it needs to be deleted
first), so if you will be redeploying the device, please send the hardware hash to DCS support first (an
engineer can remove and re-add the device while it is being wiped). Should you prefer to rejoin the
device to AzureAD, please send the hash before the device is re-added to AzureAD, with the information
to delete the old device record from Intune; otherwise you might encounter issues while
rejoining.
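Before and after the disconnect and rejoin described above it helps to confirm what the device itself reports about its Azure AD join. The following is an added example (not part of the original FAQ) that parses the output of the built-in dsregcmd /status tool and reports the fields relevant to this section: whether the device is Azure AD joined, which tenant it belongs to, and whether the device key is TPM-protected, which is the reason a motherboard or TPM swap breaks the join. The field names are dsregcmd's own; the interpretation at the end is this example's.

```powershell
# Added example (not from the original FAQ): summarise the Azure AD join state reported by
# 'dsregcmd /status', a tool built into Windows 10. Run as the logged-in user; run elevated
# to also get the KeySignTest result.
$wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'TenantId', 'DeviceId',
          'TpmProtected', 'KeySignTest', 'AzureAdPrt'

function Get-AzureAdJoinState {
    $state = [ordered]@{}
    foreach ($line in (dsregcmd /status)) {
        # Lines of interest look like "        AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }
    [PSCustomObject]$state
}

$s = Get-AzureAdJoinState
$s | Format-List

# Interpretation for the motherboard / TPM scenario in this section
if ($s.AzureAdJoined -ne 'YES') {
    Write-Host 'Device is NOT Azure AD joined: rejoin via Settings -> Accounts -> Access work or school.'
} elseif ($s.TpmProtected -eq 'YES' -and $s.KeySignTest -and $s.KeySignTest -ne 'PASSED') {
    Write-Host 'Device key is TPM-protected but the key sign test failed: the TPM no longer holds the device key, so the join has to be redone.'
} elseif ($s.AzureAdPrt -ne 'YES') {
    Write-Host 'Joined, but no Primary Refresh Token: Office 365 apps will not authenticate until the join is repaired or the user signs in again.'
} else {
    Write-Host "Join looks healthy: tenant $($s.TenantName) ($($s.TenantId)), device $($s.DeviceId)."
}
```

The DeviceId printed here is also the value to quote to DCS support when asking for the old device record to be deleted from Intune before the rejoin.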

INTERACTING WITH DCS SUPPORT

When the implementation project is completed, the school will be transferred to the support stage of
the Intune project – at that time please kindly send all requests regarding Intune to the DCS support
mailbox: [email protected].

The Intune environment is built on NAE standard user groups for each school:

● Users

● All Staff

● Administration

● Teachers

● Students

These groups are used to assign profiles, scripts and applications.

It is also possible to use more granular groups (for example, YearXX) when something more specific
is needed.

Some examples of requests currently handled by the DCS support team are:

● Wiping a device: please provide either the serial number of the device, or a user name and
general type of device (Windows laptop, iPad, iPhone, etc.)

● Assigning iOS applications: please provide the exact name of the app as seen in Apple
School Manager or App Store, an AzureAD group name to attach the app to, and information
should the app be set as required (installed automatically), or available in the Company portal
(please follow the instructions for purchasing iOS apps, which I’m resending in attachment).

● Resynchronizing Intune with Apple School Manager (in order to get the new devices synced,
or refresh newly added apps/licenses)

● Adding Windows device hardware hashes to Windows Autopilot deployment profiles – please
send files with hardware hashes to be added

● Assigning already prepared Windows applications to user groups – please provide the
application name, an AzureAD group name to attach the app to, and information should the
app be set as required (installed automatically), or available in the Company portal

● Adding new Windows applications – please provide an installer for the application (preferably
through Onedrive link – the .exe installers usually are filtered out by antimalware gateway), or
a link to a download site.

● Troubleshooting of deployment issues – please provide the username and device serial
number. DCS support will verify if the user has Intune licenses attached, and if it’s a member
of the required groups, and if so will look for further cause of the issues.

● Adding new restrictions, functionalities or customizations – please let us know what end effect
is expected, and we will evaluate the possibility.

● Create ad-hoc or scheduled inventory or usage reports based on Intune data.

Please note that policy changes usually require a Change Management process (one of the examples
is changing the Windows wallpaper) and proper testing – we will inform you about the required
process once the request is reviewed.

A couple of guidelines for interacting with DCS support:

● The support mailbox is backed by a ticketing system; therefore we would kindly like to ask to
send all new requests in a separate email thread – otherwise it will get automatically assigned
to the same engineer as the original request.

● Each request is picked up by the first available support engineer. Should you want the
request to be handled by a specific person, please put that person on copy of the email –
please note that this might make the response time a bit longer in case this person is not
available (we are manually reassigning requests in some cases, if we know the wait time
would be longer).

● Please keep in mind that the DCS support team has administrative rights over Intune, and
does not have any access to local AD. As such, they are not able to create any user
accounts, or add licences to users – these requests must be processed by Euvic support.
