Microsoft Endpoint Manager (Intune) - A set up guide (Part 2 - Getting started & Windows Enrollment)
Ed Collins
ICT, Systems and Network Engineering Veteran | Enterprise Endpoint Management Expert | Microsoft Azure Nerd | Change Manager | Project Manager
(This article is dated, and correct as of August 29th, 2020)
What do I need before I start?
It's always good to start with a plan. No matter how vague or high-level some of the items on it are, a plan gives you some sense of direction (a dart board to aim at, rather than aimlessly throwing darts at a wall).
For my recommendations about how to plan, see my previous article, Microsoft Endpoint Manager (Intune) - A set up guide (Part 1 - What is it, and Planning).
For the purpose of this series of articles, I am going to assume that you are already using Microsoft Azure Active Directory and so have already configured your domain, DNS and have your users and groups in Azure AD. If this assumption is incorrect, there are definitely more considerations that you will need to incorporate into your plan.
If you are interested in learning how to set up Endpoint Manager (Intune) without using Azure Active Directory, please comment on this article and let me know and I can write another article about that.
With my assumption in mind, the next step is to ensure that you add Intune to your Microsoft 365 subscription.
Once that is done, and you have received the email confirming that your subscription is active, you can sign in to Endpoint Manager (Intune).
Basic Setup
Open a browser and navigate to the following URL:
https://endpoint.microsoft.com
Sign in with an account that is either a Global Administrator or an Intune Service Administrator.
Set the Mobile Device Management authority
When you sign in successfully, you should see a bright orange banner at the top of the window letting you know that you need to set the MDM Authority.
Click on the banner to open the Mobile Device Management Authority setting window:
Select Intune MDM Authority.
Once set, a message will appear stating that the MDM authority is now Intune and the orange banner at the top of the window should disappear.
Licensing
In order to enroll devices, users must have an Intune license applied to their User account in Microsoft 365.
You can actually do this without leaving Endpoint Manager (Intune).
Click on Users, search for a user whose devices should be enrolled into Endpoint Manager (Intune) and click on them. Click Licenses.
Either click + Assignments to add a new license, or click on the desired product to enable the Microsoft Intune license on it.
Click here to see a list of the Products that include Microsoft Intune.
Automatic Enrollment - Windows
If you want your Windows devices to enroll into Endpoint Manager (Intune) automatically when they join or register with Azure AD, then now is as good a time as any to set that up.
In Endpoint Manager (Intune), click Devices, then select Enroll Devices - Windows enrollment.
Under the General heading, click Automatic Enrollment.
The following should be pre-filled in:
- MDM terms of use URL: https://portal.manage.microsoft.com/TermsofUse.aspx
- MDM discovery URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
- MDM compliance URL: https://portal.manage.microsoft.com/?portalAction=Compliance
Under MDM user scope, you can select to automatically enroll ALL devices, or SOME.
If you select SOME, you must select an Azure AD security group to apply this setting to. This enables you to specify a subset of users to apply this to. This can be very useful if you are just in the test phases and wish to only enroll a pilot group before rolling out to a larger audience.
Please note that in order for devices to be enrolled, the owner/user of the device must have an Intune license (see above).
DNS
To ensure that users don't have to know/remember and enter the Intune server/host name during enrollment, it is a great idea to create CNAME values in your DNS.
For all of your domains, you should create:
- Host Name: EnterpriseEnrollment
- Type: CNAME
- TTL: 3600
- Value: EnterpriseEnrollment-s.manage.microsoft.com
and also:
- Host Name: EnterpriseRegistration
- Type: CNAME
- TTL: 3600
- Value: EnterpriseRegistration.windows.net
So, for example, if you have the UPN suffixes company.com as well as another.company.com, then you will need to create individual CNAME entries for EnterpriseEnrollment.company.com AND EnterpriseEnrollment.another.company.com, both of which point to EnterpriseEnrollment-s.manage.microsoft.com.
EnterpriseEnrollment-s.manage.microsoft.com supports a redirect that recognises the domain name of the UPN and directs the enrollment request accordingly.
It's important to note that, as with all DNS changes, these can take up to 72 hours to propagate.
You can test to ensure that your DNS is functioning correctly within Endpoint Manager (Intune) by doing the following:
Click Devices, then select Enroll Devices - Windows enrollment.
Under the General heading, click CNAME Validation.
Enter the domain that you want to validate and click Test.
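As an added example (my own script for this article, not something from Microsoft or the Endpoint Manager console), the following Python generates the CNAME records required for every UPN suffix in a tenant and checks resolved answers against the expected targets. The domains company.com and another.company.com, the answer table and the "stale" record pointing at enrollment.old-mdm.example are constructed test data; the optional live_resolver assumes the third-party dnspython package is installed. The point of checking the target, not just the record's existence, is that an enrollment CNAME left over from a previous MDM product sends enrollment traffic to the wrong service, and the CNAME Validation page above only tests one domain at a time.

```python
# Added example (not from the article): generate and verify the Intune
# enrollment CNAME records for every UPN suffix in a tenant.
from typing import Callable, Dict, List, Optional

# CNAME targets exactly as listed in the article's DNS section.
EXPECTED_CNAMES = {
    "EnterpriseEnrollment": "EnterpriseEnrollment-s.manage.microsoft.com",
    "EnterpriseRegistration": "EnterpriseRegistration.windows.net",
}


def required_records(upn_suffixes: List[str]) -> List[Dict[str, object]]:
    """Return the CNAME records that must exist for each UPN suffix."""
    records = []
    for suffix in upn_suffixes:
        suffix = suffix.strip().strip(".").lower()
        for host, target in EXPECTED_CNAMES.items():
            records.append({"name": f"{host}.{suffix}", "type": "CNAME",
                            "ttl": 3600, "value": target})
    return records


def zone_file_lines(upn_suffixes: List[str]) -> List[str]:
    """Render the required records as BIND-style zone file lines."""
    return [f"{r['name']}. {r['ttl']} IN CNAME {r['value']}."
            for r in required_records(upn_suffixes)]


def validate_cnames(upn_suffixes: List[str],
                    resolve_cname: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Check each required record. resolve_cname(name) returns the CNAME
    target (with or without trailing dot) or None if no CNAME exists.
    Returns lists under "ok", "missing" and "wrong_target"."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "wrong_target": []}
    for rec in required_records(upn_suffixes):
        answer = resolve_cname(str(rec["name"]))
        if answer is None:
            result["missing"].append(str(rec["name"]))
        elif answer.rstrip(".").lower() != str(rec["value"]).lower():
            # Record exists but points somewhere other than the Intune service
            result["wrong_target"].append(f"{rec['name']} -> {answer}")
        else:
            result["ok"].append(str(rec["name"]))
    return result


# Constructed offline answer table standing in for a real DNS resolver.
CONSTRUCTED_ANSWERS = {
    "enterpriseenrollment.company.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseregistration.company.com": "EnterpriseRegistration.windows.net.",
    # constructed stale record left over from a previous MDM product
    "enterpriseenrollment.another.company.com": "enrollment.old-mdm.example.",
    # EnterpriseRegistration.another.company.com deliberately absent
}


def constructed_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed answer table above."""
    return CONSTRUCTED_ANSWERS.get(name.lower())


def live_resolver(name: str) -> Optional[str]:
    """Optional real lookup; assumes the third-party dnspython package."""
    import dns.resolver  # imported here so the rest of the script runs without it
    try:
        answers = dns.resolver.resolve(name, "CNAME")
    except Exception:  # NXDOMAIN, NoAnswer, timeouts: treat all as "no CNAME"
        return None
    return str(answers[0].target)


if __name__ == "__main__":
    suffixes = ["company.com", "another.company.com"]
    print("Records to create:")
    for line in zone_file_lines(suffixes):
        print("  " + line)
    report = validate_cnames(suffixes, constructed_resolver)
    for status, names in report.items():
        print(f"{status}: {names}")
```

Run as-is it reports both company.com records as ok, flags the EnterpriseEnrollment.another.company.com record as pointing at the wrong target, and lists EnterpriseRegistration.another.company.com as missing; swap constructed_resolver for live_resolver to check real zones after the propagation window mentioned above.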
A brief discussion about Company Portal and the End user experience
On all devices, Windows, macOS, iOS, iPadOS and Android, the user will use an application called Company Portal (or the Company Portal website: https://portal.manage.microsoft.com)
This app (or website) is used for enrolling devices, viewing and managing enrolled devices, viewing and installing apps, receiving corporate notifications and viewing corporate support details.
You can customise (or customize for you North Americans) this app (or website) using Endpoint Manager (Intune), and now is as good a time as any to do so.
Within Endpoint Manager (Intune), click on Tenant administration. Under the End user experience menu heading, click Customization.
Here you can create a Default "branding" Policy for your Company Portal (app and site) that will be applied and displayed to your users.
Click on Edit to change these values (and upload image files for your company logo).
You can also create up to 10 alternate Customization Policies, if you need to do so, that you can assign to specific groups. These alternate Customization Policies will override the Default one only for the specified groups.
Terms and conditions
If you really want to, you can create custom Terms and Conditions that will be displayed to the user (and the user will have to agree to) when they enroll a device.
This is done in Endpoint Manager (Intune) > Tenant administration. Under the End user experience menu heading, click Terms and conditions.
You can create multiple sets of Terms and conditions and assign them to specific groups, or just create one all-encompassing version and assign it to All Users or All Intune Licensed Users (built-in groups).
Microsoft Store for Business
If you have decided to allow Endpoint Manager (Intune) to manage and install apps to devices (this is called Mobile App Management or MAM), then you should set up the connections to your volume-purchase Stores.
For Windows devices, this is Microsoft Store for Business.
Click on Tenant administration and then Connectors and tokens.
Click Microsoft Store for Business.
Slide the little slider thingy over to Enable and then click the link to Open the business store.
Sign in to the Microsoft Store for Business using your Global Administrator or Intune Service Administrator account.
In the Business Store, choose the Manage tab, select Settings, and choose the Distribute tab.
Scroll down to Management tools.
If you don't have Microsoft Intune listed as a mobile device management tool, choose Add management tool to add Microsoft Intune.
If you don't have Microsoft Intune activated as your mobile device management tool, click Activate next to Microsoft Intune.
Note that you should activate Microsoft Intune rather than Microsoft Intune Enrollment.
We will discuss and cover purchasing, syncing and assigning VPP apps (for Microsoft Windows as well as iOS and Android) in a later article.
So this, for now, takes care of the Windows enrollment piece. (We will cover Autopilot in a later article.)
Resources
I would recommend going through the Microsoft Endpoint Manager (Intune) Deployment Guide to give you more information about this planning.
I would also recommend creating a Reddit account and joining r/Intune. It is an extremely helpful and knowledgeable community of Intune users and admins.
For video tutorials and up to date training, another great resource is the Intune Training YouTube Channel.
Introduction to me, Ed Collins.
I've worked in the IT industry now for over 20 years, in 3 different countries, becoming a "jack-of-all-trades" SME in a number of different technologies.
I started after University (where I graduated with a BSc (hons) degree in Computing Science back in 1999) in England as a Technical Author, writing manuals and HTML help systems for Accounting Software (combining 2 of the most notoriously nerdy industries, IT and Accounting!!).
In 2001, I moved into the Systems Admin space, where I stayed (albeit in 3 different countries, England, New Zealand and Canada) until today, traversing various roles from Systems Admin / Engineer or Senior Systems Admin, to Systems Manager, having a couple of forays into Project Management and ITIL & Change Management before landing in my current role as a "Microsoft Technical Analyst".
By far my favourite technology space I have worked in to-date has been Enterprise Mobility.
In this article, and a few to follow, I want to walk through my method of configuring Microsoft Endpoint Manager (Intune).
To some, this may not be relevant or may be boring.
To others, like me, this may be a fascinating topic to start a conversation and/or a useful article to help you.
Please feel free to contact me about this article to discuss the topics, correct me or add to the information provided.