MD 102T00 ENU PowerPoint - 02

Uploaded by

AnthonyRivera

Learning Path 2: Execute device enrollment
MD-102 Microsoft 365 Endpoint Administrator

© Copyright Microsoft Corporation. All rights reserved.


Learning Path Agenda

• Manage device authentication

• Enroll devices using Microsoft Configuration Manager

• Enroll devices using Microsoft Intune



Module 1: Manage device authentication



Module 1: Manage device authentication

1. Describe Azure AD join (Microsoft Entra join)
2. Examine Azure AD join (Microsoft Entra join) prerequisites, limitations and benefits
3. Join devices to Azure AD (Entra ID)
4. Manage devices joined to Azure AD (Entra ID)



Describe Azure AD join (Microsoft Entra join)

• Windows Pro or Enterprise Edition can join Azure AD (Entra ID) and AD DS

• Azure AD (Entra ID) joined devices cannot be managed with Group Policy

• Typical scenarios for joining a device to Azure AD (Entra ID):


– If applications and resources that you use are mostly in the cloud

– If you want to separate temporary accounts

– If you want to enable users to join their device to the corporate environment

– You want to transition to cloud-based infrastructure

– You have remote branch offices with limited on-premises infrastructure

• Join devices to Azure AD (Entra ID) during initial setup or later by using system settings

• Use Hybrid Azure AD (Entra ID) to automatically register on-premises domain-joined devices with Azure AD (Entra ID)
Examine Azure AD join (Entra join) prerequisites, limitations and benefits

Azure AD (Entra ID) limitations
• Azure AD (Entra ID) is not a part of the core infrastructure
• Azure AD (Entra ID) does not have the same management capabilities as AD DS

Azure AD (Entra ID) benefits
• Single Sign On (SSO)
• Roaming of user settings across joined devices
• Windows Hello support
• Restriction of access to apps from only compliant devices
• Seamless access to on-premises resources

Scenarios enabled by using Azure AD (Entra ID) with on-premises AD infrastructure
• Ease of transition to cloud-based infrastructure and MDM
• When on-premises domain join is not possible (tablets, phones, etc.)
• When users primarily need to access Microsoft 365 or other SaaS apps integrated with Azure AD (Entra ID)
• You want to manage a group of users in Azure AD (Entra ID) instead of in Active Directory
• You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure



Join devices to Azure AD (Entra ID)

1. Joining a device to Azure AD (Entra ID) is a simple procedure
2. You can join Azure AD (Entra ID) after Windows installation, or you can do it later, at any time, by using the Settings pane
3. You need Azure AD (Entra ID) credentials to join a device to Azure AD (Entra ID)



Manage devices joined to Azure AD (Entra ID)

1. Group Policy manages devices that join on-premises AD DS
2. Group Policy is not always available or supported for devices that join Azure AD (Entra ID)
3. Azure AD (Entra ID) supports integration with mobile device management applications such as Intune
4. When integration between Intune and Azure AD (Entra ID) is configured, a device that joins Azure AD (Entra ID) automatically enrolls with Intune
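One way to verify the join and enrollment state this slide describes, as an added PowerShell example that is not part of the course deck: it parses the key/value lines printed by the built-in `dsregcmd /status` tool and flags an Azure AD (Entra ID) joined device that has no MDM enrollment URL, i.e. one for which the automatic Intune enrollment did not happen. The sample output is constructed, and the function names are assumptions of this example.

```powershell
# Added example, not from the course deck. Classifies a device's join and MDM state
# from the key/value lines that 'dsregcmd /status' prints (AzureAdJoined,
# DomainJoined and MdmUrl are real field names; the sample text below is constructed).
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Each field is printed as "   Key : Value"; box-drawing banner lines have no colon
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinClassification {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined'] -eq 'YES'
    $mdm = -not [string]::IsNullOrEmpty($State['MdmUrl'])
    $join = if ($aad -and $dom) { 'Hybrid Azure AD (Entra) joined' }
            elseif ($aad)       { 'Azure AD (Entra) joined' }
            elseif ($dom)       { 'On-premises AD DS joined only' }
            else                { 'Not joined' }
    # A joined device with no MdmUrl never auto-enrolled (integration not configured,
    # or the device joined before it was), so Intune cannot apply policy to it.
    $finding = if ($aad -and -not $mdm) { 'Joined but not MDM enrolled - investigate' } else { 'OK' }
    [pscustomobject]@{ Join = $join; MdmEnrolled = $mdm; Finding = $finding }
}

# Constructed sample standing in for the live command; on a real device use:
#   $lines = dsregcmd /status
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
               Device Name : CONTOSO-PC01
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@
$lines = $sampleText -split "`r?`n"
Get-JoinClassification -State (ConvertFrom-DsregStatus -Lines $lines) | Format-List
```

With the constructed sample the result is Join = Azure AD (Entra) joined, MdmEnrolled = True, Finding = OK; remove the MdmUrl line to see the "not MDM enrolled" finding.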



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module
Module 2: Enroll devices using Microsoft Configuration Manager



Module 2: Enroll devices using Microsoft Configuration Manager
• Deploy the Microsoft Configuration Manager client

• Monitor the Microsoft Configuration Manager client

• Manage the Microsoft Configuration Manager client



Deploy the Microsoft Configuration Manager client

Benefits of the Microsoft Configuration Manager client
• Enables tracking of software installed on a client device
• Provides hardware inventory information
• Ability to manage and deploy the OS and line-of-business (LoB) applications
• End-user access to self-service catalog of software

Client Deployment Options
• Client push
• Manual deployment
• OS deployment
• Microsoft Intune



Client Deployment Options

Client push
• Deploys the Microsoft Configuration Manager client directly from the Microsoft Configuration Manager console
• Device discovery (Active Directory Lightweight Directory Access Protocol (LDAP) integration)
• Copies the files to the source computer and initiates the install automatically
• Initial copy process may increase network traffic

Manual deployment
• Deploys the Microsoft Configuration Manager client installation source files and a script file containing the install parameters
• Executes from the ccmsetup.exe file or from the MSI that is part of the client files
• Can be time consuming as a delivery mechanism

OS deployment
• When installing and setting up Windows using a task sequence, slip-stream the Microsoft Configuration Manager client into the Windows setup and provide it with the necessary installation parameters
• Must be installed when a device is built for the first time (or rebuilt)

Microsoft Intune
• Intune drives Microsoft Configuration Manager client installation and registers the device with the Cloud Management Gateway
• Manage each respective workload from either Intune or Microsoft Configuration Manager after installation
Monitor the Microsoft Configuration Manager client

1. Client online status. Online (connected to its assigned management point) or offline.
2. Client activity. Active (it has communicated with Microsoft Configuration Manager in the past seven days) or inactive.
3. Primary User. The primary user of this device, calculated over a 60-day period of the most frequent sign-in attempts.
4. Operating System Build. See the OS version of a device without having to connect to or perform any remote management.
5. Client check. State of the periodic evaluation that the Microsoft Configuration Manager client runs on the device. The evaluation checks the device and can remediate some of the problems it finds.



Manage the Microsoft Configuration Manager client

• Device appears in Assets and Compliance workspace in the Devices node after Microsoft Configuration Manager client installation and site assignment
• Collections
– Represent devices or users that have some commonality in Microsoft Configuration Manager.
– Perform tasks, such as target a deployment or run a report, on devices in a collection.
• Management options apply to devices in a collection or individual devices
– Start Resource Explorer.
– Start Policy Retrieval.
– Add to a collection.
– Client Settings Resultant Set of Policies (RSOP).


Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module
Module 3: Enroll devices using Microsoft Intune



Module 3: Enroll devices using Microsoft Intune

• Manage mobile devices with Intune
• Enable mobile device management
• Explain considerations for device enrollment
• Manage corporate enrollment policy
• Enroll Windows devices in Intune
• Enroll Android devices in Intune
• Enroll iOS devices in Intune
• Explore device enrollment manager
• Monitor device enrollment
• Manage devices remotely
Manage mobile devices with Intune

• The Intune admin center console includes all the management capabilities
provided by Intune.
• The Intune Company Portal is used to self-manage device enrollment and to
access published applications.
• Device Management Lifecycle
– Enroll
– Configure
– Protect
– Retire





Enable mobile device management

• Mobile device management (MDM) is an industry standard for managing mobile devices, such as smart phones, tablets, laptops and desktop computers.
• To enable the enrollment of mobile devices, the MDM Authority must be set in the Intune configuration.
• By default, Intune allows enrollment of Windows, Android and Samsung Knox Standard devices. To manage iOS and macOS devices, an Apple MDM push certificate is required.
Explain considerations for device enrollment
Determine enrollment method
• Group Policy
• Joining Azure AD
• Manually (Settings, Provision Package, Company Portal App)

Supported Devices
• Windows 10/11 (Home, Pro, Education, S mode, and Enterprise versions)
• Windows 10/11 Cloud PCs on Windows 365
• Windows 10 IoT and Windows 10 Holographic
• Windows 10 2019 LTSC
• Windows RT 8.1, and Windows 8.1 (sustaining mode)
• Apple iOS/iPadOS 13.0 and later
• macOS X 10.15 and later
• Android 6.0 and later, including Samsung Knox 2.4 and later and Android for Work

Determine devices allowed and criteria

Determine if enrollment is optional or mandatory



Manage corporate enrollment policy

• Your initial Azure AD (Entra ID) domain will follow the model:
– your-domain.onmicrosoft.com
• Add one or more of your custom domain names, e.g., Contoso.com (recommended)
• Add custom domain names in the Microsoft 365 management portal
• Configure Automatic MDM enrollment (recommended)

OR

Create CNAME records to simplify enrollment and device registration when not licensed for Azure AD (Entra ID) Premium
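A check for the CNAME records mentioned above, as an added PowerShell example that is not part of the course deck: it resolves the two enrollment-related names for a custom domain and compares them with the targets given in Microsoft's Intune enrollment documentation. `contoso.com` is a placeholder and the function name is an assumption of this example.

```powershell
# Added example, not from the course deck. Verifies that the two CNAME records the
# Intune enrollment documentation asks for exist for a domain; 'contoso.com' is a
# placeholder and the function name is my own.
function Test-IntuneEnrollmentCname {
    param([Parameter(Mandatory)][string]$Domain)
    # Record name -> documented target host
    $expected = @{
        "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
    }
    foreach ($name in $expected.Keys) {
        $actual = $null
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer reflects
            # what the public zone really publishes, which is what enrolling devices see
            $rec = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($rec) { $actual = $rec.NameHost.TrimEnd('.') }
        } catch {
            $actual = $null   # NXDOMAIN or resolver failure: the record is missing
        }
        [pscustomobject]@{
            Record   = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ($actual -ieq $expected[$name])
        }
    }
}

# A missing or wrong target means users must type the enrollment server address by
# hand, so any row with Ok = False deserves a look at the DNS zone.
Test-IntuneEnrollmentCname -Domain 'contoso.com' | Format-Table -AutoSize
```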



Enroll Windows devices in Intune

Many ways to enroll Windows devices in Microsoft Intune:


• Add work or school account

• Enroll in MDM only (user driven)

• Azure AD (Entra ID) join (Out of Box Experience (OOBE))

• Azure AD (Entra ID) join (Autopilot – User-driven deployment mode)

• Azure AD (Entra ID) join (Autopilot self-deploying mode)

• Enroll in MDM only (Device Enrollment Manager)

• Microsoft Configuration Manager co-management

• Azure AD (Entra ID) join (bulk enrollment)



Enroll Android devices in Intune

Enrollment of Android devices is typically performed by the end-user:
• Download the Company Portal app from Google Play
• Open the Company Portal app, sign in with a work or school account
• Follow the instructions given in the app

Android Enterprise
• Android Work Profile
• Android Enterprise dedicated
• Android Enterprise fully managed



Enroll iOS devices in Intune

• Enrollment of iOS devices can be done by the user or automatically
• To enroll an iOS device using the Company Portal app
– Download the Company Portal app from the Apple app store
– Sign in to the Company Portal app with a work or school account and follow the instructions
• Intune support for company-owned iOS device enrollment methods
– Apple's Device Enrollment Program (DEP)
– Apple School Manager
– Apple Configurator Setup Assistant enrollment
– Apple Configurator direct enrollment
– With a device enrollment manager account
• Supervised mode



Explore device enrollment manager

Existing Azure AD users may be added to the device enrollment manager (DEM) user account, allowing them to enroll up to 1000 devices through the Company Portal.
• Limitations of devices enrolled using a DEM account
• Permissions for DEM

Global or Intune Service Administrator Azure AD roles are required to:
• Complete tasks that are related to DEM enrollment in the Admin Portal
• Access all DEM users despite role-based access control (RBAC) permissions being listed and available under the custom User role



Monitor device enrollment

Use Intune admin center
• Information about the individual devices
• How many devices are using the different platforms, including Windows, Android and iOS

Use Azure (Entra) portal
• Intune admin center only shows enrolled devices
• Azure AD (Entra ID) joined devices
• Device settings
• Configure Enterprise state roaming
• Audit Logs



Manage devices remotely

• Perform remote device actions
– Such as Retire, Wipe, Delete, Remote lock, Restart, Sync, Quick Scan and Full Scan, etc.
• Available actions depend on device platform and configuration of the device.
• Manage and monitor device information
– Hardware
– Discovered apps
– Device Compliance policies
– Device Configuration policies



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module
Practice Labs

• Configuring and managing Azure AD Join

• Manage Azure AD device registration

• Manage Device Enrollment into Intune

• Enrolling devices into Microsoft Intune

Learning Path Recap
In this learning path, we learned to:

• Manage device authentication


• Enroll devices using Microsoft Configuration Manager
• Enroll devices using Microsoft Intune


