cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
DEPRECATED: Intune with Azure Lab Services
By
RogerBestMSFT
Published Nov 16 2020 03:02 PM 4,612 Views
RogerBestMSFT
Microsoft
‎Nov 16 2020 03:02 PM

DEPRECATED: Intune with Azure Lab Services

‎Nov 16 2020 03:02 PM

DEPRECATED:  We no longer recommend that lab VMs be AAD registered, AAD joined, Hybrid AAD joined, or AD domain joined due to known product limitations.  As a result, the content provided in this post is no longer supported because joining/registering VMs is a prerequisite for enrolling with Intune.  This applies to both the version of Azure Lab Services that uses Lab Accounts, and the newer version that uses Lab Plans.  For more information, please read the following blog post: Use labs without registering/joining to AD/AAD

 

-------------------------------------------------------------------------------------------------------------------------------------------

 

Intune + Azure Lab Services

IntuneHybridAAD.jpg

 

 

A question that we get asked by IT departments is "can Intune be used to manage Windows 10 machines in a lab?" The answer is yes! In this blog post, we will show you how you can enable Intune on your lab's VMs.  This post will focus on getting lab VMs automatically domain joined, enrolled into Intune, and into a specific AD group at the initial student logon.

Benefits

There are several benefits to having the lab VMs being managed by Intune.  The ability to create profiles that configure the VM to allow or restrict capabilities like blocking different URLs, setting sites to open when the browser starts, blocking downloads, and managing Bitlocker encryption.  The Microsoft Endpoint Manager helps deliver a modern management tool for your lab VMs where you can create and customize these configuration profiles.  For an education focused management tool, the Intune for Education is a portal that helps simplify Windows configuration, Take a Test, user management, group / sub-group inheritance and app management.

Prerequisites

These steps assume the following prerequisites have been configured:

 

  1. Check with your account representative for the appropriate Intune licensing.
  2. The Active Directory is setup with a MDM service, that is configured for auto-enrollment.
  3. You have a Azure Lab Services Account peered to a hybrid Azure Active Directory.
    Here is more information on how to setup an Azure Lab Services account that is connected to your network.

Setting up the Lab

  1. Setup Template VM to join the domain.
    Currently, there is a set of PowerShell scripts that are run on the template VM so that the Lab VMs will be domain joined when they are initially started. These set of scripts also rename the Lab VM to make the name unique, including setting a prefix for the VM name that can be used to put the VM in the appropriate AD group, I've included more details later in this blog.
  2. Set Group Policy to auto enroll into Intune.
    The following steps will setup the auto enrollment for the lab VMs. On the template VM setup the auto-enrollment using the following steps:
    • Open the local group policy editor (gpedit.msc)
    • Under Computer Configuration / Administrative Templates / Windows Components / MDM
      • Enable automatic MDM enrollment using default Azure AD credentials set to User Credential.
      • Disable MDM enrollment is disabled.
    • More information is available in the device management documentation.
  3. Publish Template
    Once the template is published, the machines for that class will be created. The students VMs will join the domain on first startup.  When the student logs on with their account, the device will be Intune enabled.

You should start the VMs before the students to get the VMs domain joined and setup for the students. The domain join and setting up the student access may take some time.  Once the domain join has completed, the VMs can be turned off and when the students start and logon to the VM the auto enrollment will occur.  In the case that you run into issues I’ve included a section on troubleshooting.


Additional: Setup dynamic AD group for the class


The Lab VMs are Intune enabled, but an additional step is to have the VMs added to a specific active directory group. Profiles can be set for an AD group so that any VMs added to the group will be configured based on the profile information. The dynamic group allows you to set up rules for which machines are in the group. Each group corresponds to a class or more specifically, the machines within the class. A student could have multiple classes where each class has a different set of requirements and machines that will need to be managed. Dynamic groups use rules to determine which AD group a VM should belong to. The simplest example is to use the VM name prefix (from the domain join script) as the rule for the group. An example rule would be “displayName -startsWith “Prefix”

 

Troubleshooting

 

In the case that the student VMs aren’t working as expected here are some troubleshooting tips.

  • Start with the Domain join scripts.
  • Check the Group Policy on the student VM
    • Confirm that the group policy for auto-enrollment is set on the student VM, if not check the template VM.
  • Check Event viewer on the student VM for information on the auto-enrollment task.

 

Final thoughts


Given the complexity of Active Directory and network configurations this is a specific example to help understand how to get Azure Lab Services working with Intune which opens a whole world of capabilities in managing student VMs.

 

 

0 Likes
Like
1 Comment
Co-Authors
Version history
Last update:
‎Jul 21 2023 06:22 AM
Updated by:
Labels