Thanks for this great video. You mention you need windows 10 or 11 specific ADMX Templates but its no longer the case. Per Microsoft, as of 21/07/23, You can now use the new Windows 11 ADMX files (download from Microsoft Download Center) to maintain Windows 11 and Windows 10 clients. Hope that helps others troubling shooting the gpo deployment.
This guy is awesome!!! Thanks Travis!!! Does Azure AD Connect need to be configured for Hybrid Domain Join for AD domain joined devices? This is a great demo!!!
I thought so as well. Or maybe just remove the ability for Auth Users to 'Apply Group Policy'...... Or just link to a lower OU instead of the whole domain if unsure.
Noticed this too and went looking to see if someone had commented already. Authenticated Users includes all AD objects that authenticate against the domain, so leaving that in security filtering and linking the GPO to the root of the domain will apply the policy to all Computer Objects in the domain.
Hello Travis, You do great videos!! I have a question. I have same configuration as you did, but in some of my computers i dont see the Task under EnterpriseMgmt. And the computer remain hybrid Join and dont add to Intune...Any suggestions? Thanks 😁
As I know in a Hybrid environment with GPO enrollment the MDM user scope is not relevant. The MDM user scope typically comes into play when you are using a pure MDM solution for device management. In this case I would only add admins to the MDM user scope so that users can't add devices as a corporate device and all regular users to the MAM user scope. Correct me if it's wrong.
Is there a reason you use users in the Intune group? I’d always been told to use devices, as it will detect the currently logged in user anyway. Speed edit: but thank you for this video! Clean and to the point.
@Travis roberts I'm stuck at the step, which is @10:03 restarted the device, havent logged in with the user credentials that has Business premium license but I dont see that device in all devices
So if the device is domain joined already, the user's log in with their AD account. If we enroll the devices into Intune via this method, will this then make them sign into the computers with their Entra ID account/365 account? Or does the computer need to go through the whole Autopilot stuff for that to happen?
This is so helpful. I'm sure in my hybrid environment the way it enrolls via GPO is nearly the same. As a learning and relatively new admin for M365: If we use conditional access to have everyone require MFA and be hybrid joined to be able to login and use cloud apps, and if we have a machine that has fallen off from Intune (max 270 days?), is there a way to bypass MFA requirement to re-enroll/re-register the device? Not sure if that's even a valid question or i'm getting confused. I also want to know if the MDM certificate in Certificate manageer even factors into the above question at all either.
Thanks for this great video. You mention you need windows 10 or 11 specific ADMX Templates but its no longer the case. Per Microsoft, as of 21/07/23, You can now use the new Windows 11 ADMX files (download from Microsoft Download Center) to maintain Windows 11 and Windows 10 clients. Hope that helps others troubling shooting the gpo deployment.
Great walkthrough, thank you very much
This guy is awesome!!! Thanks Travis!!! Does Azure AD Connect need to be configured for Hybrid Domain Join for AD domain joined devices? This is a great demo!!!
Yes, Azure AD Connect sync has to sync the devices to Azure AD.
Hi Travis, I think you wanted to remove the "Authenticated Users" group from the GPO security filtering list? After adding the group "MDMDevices".
I thought so as well. Or maybe just remove the ability for Auth Users to 'Apply Group Policy'...... Or just link to a lower OU instead of the whole domain if unsure.
agreed otherwise it applies to all
I wondered this too! Can the author please clarify?
Noticed this too and went looking to see if someone had commented already. Authenticated Users includes all AD objects that authenticate against the domain, so leaving that in security filtering and linking the GPO to the root of the domain will apply the policy to all Computer Objects in the domain.
Not working :/
Hello Travis, You do great videos!! I have a question. I have same configuration as you did, but in some of my computers i dont see the Task under EnterpriseMgmt. And the computer remain hybrid Join and dont add to Intune...Any suggestions? Thanks 😁
I'm seeing this as well, any update?
you mentioned a difference with win 11 and 10 in realtion to GPO and auto enroll for intune. What do i need to do here, have both OS's in our network?
Check the links in the comments. That will point you in the right direction.
@@Ciraltos Sorry Travis didnt cop the comments, Ta
Thank you so much :)
You're welcome!
As I know in a Hybrid environment with GPO enrollment the MDM user scope is not relevant. The MDM user scope typically comes into play when you are using a pure MDM solution for device management. In this case I would only add admins to the MDM user scope so that users can't add devices as a corporate device and all regular users to the MAM user scope. Correct me if it's wrong.
You are awesome , if you can make a vlog enrolling already enrolled AAD devices to intune , Thanks
Is there a reason you use users in the Intune group? I’d always been told to use devices, as it will detect the currently logged in user anyway.
Speed edit: but thank you for this video! Clean and to the point.
@Travis roberts I'm stuck at the step, which is @10:03 restarted the device, havent logged in with the user credentials that has Business premium license but I dont see that device in all devices
Thats the video iam looking for. Thank you very much!
So if the device is domain joined already, the user's log in with their AD account. If we enroll the devices into Intune via this method, will this then make them sign into the computers with their Entra ID account/365 account? Or does the computer need to go through the whole Autopilot stuff for that to happen?
This is so helpful. I'm sure in my hybrid environment the way it enrolls via GPO is nearly the same. As a learning and relatively new admin for M365: If we use conditional access to have everyone require MFA and be hybrid joined to be able to login and use cloud apps, and if we have a machine that has fallen off from Intune (max 270 days?), is there a way to bypass MFA requirement to re-enroll/re-register the device? Not sure if that's even a valid question or i'm getting confused. I also want to know if the MDM certificate in Certificate manageer even factors into the above question at all either.
Hi Travis,
I still not able to login with AAD User, as it says the username or password is incorrect.
Azure AD is better than Entra ID