Forum Discussion

BENT17's avatar
BENT17
Brass Contributor
Feb 14, 2019

Intune for Windows 10 issue

Hi all,    I managed to set up Intune for my Windows 10 PCs. So basically they get auto enrolled with their work account, the Terms and conditions appears etc, however the MDM and Compliant are Non...
Intune
mobile device management (mdm)
BENT17's avatar
BENT17
Brass Contributor
Feb 14, 2019

Just an update. I managed to enrol my device however I had to install the company portal to enrol my device. I was under the impression that Windows 10 has it imbuilt and you dont need to stay downloading the Company portal?

  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    MVP
    Feb 15, 2019

    Hi,

     

    you wrote you managed to enroll the device using Company Portal, then it seems that your Auto Enrollment is not working like it should. You need to configure Auto Enrollment correctly then you don't need the company portal for successful enrollment. Just enable the MDM scope and leave the MAM scope at None otherwise MAM will take precedence.

     

    For official documentation see here:

    https://docs.microsoft.com/en-us/intune/windows-enroll

     

    and here the important advice:

    For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.

    For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.

    best,

    Oliver

    • BENT17's avatar
      BENT17
      Brass Contributor
      Feb 15, 2019
      Thanks - I managed o configure autopilot and it seems to have worked well as now its appearing under devices. What I can't seem to find is how to restrict the device from connecting to anything linked to O365 unless its enrolled.
      • Oliver Kieselbach's avatar
        Oliver Kieselbach
        MVP
        Feb 15, 2019

        Exactly you need to use Conditional Access for this and "require device to be marked as compliant"

         

         

        To complete the picture you should have a compliance policy to define what makes a device compliant.

         

        best,

        Oliver

  • lyonheart14's avatar
    lyonheart14
    Copper Contributor
    Feb 14, 2019

    This is true, the company portal app is not required for enrollment.  Auto-enrollment occurs with the first sign-in after the following 'Enable automatic MDM enrollment using default Azure AD credentials' is applied to a hybrid-joined computer or with AutoPilot when going through the OOBE.  I may have changed my Intune column set but I never see anything referring to an "Azure-connected device."  Are you looking at the Intune portal (devicemanagement.microsoft.com) or Azure Active Directory?

     

    Also, I don't know how long you have waited, but the Azure AD Device entry takes some time (hours?) to update to show "managed" and "compliant" in my experience.

    • BENT17's avatar
      BENT17
      Brass Contributor
      Feb 14, 2019

      Was looking at portal.azure.com

       

      With the company portal app it works.. However without the app all that automatically appears (after adding the work account) is the Azure ad device and nothing appears under All devices 

      • lyonheart14's avatar
        lyonheart14
        Copper Contributor
        Feb 14, 2019

        Is the GPO setup and is the Azure AD device a hybrid-joined device?

         

        Portal.azure.com is very vague, there are specific portals for both Intune and Azure Active Directory within portal.azure.com that can help you troubleshoot enrollment.

    • BENT17's avatar
      BENT17
      Brass Contributor
      Feb 14, 2019

      Was looking at portal.azure.com

Resources