Device Integration: Simplifying the Process for Integrating with Intune
In my previous article, I wrote about why Intune and Entra ID integration is crucial for organizations that wish to adopt a Zero-Trust security strategy. However, integrating devices into Intune can be challenging.
This article presents a framework and strategies for effectively integrating devices with Intune. The focus for this article is on:
- Entra ID Hybrid integration via Group Policy
- Reimaging devices
- Using Quest On Demand Migration to migrate devices
- Exploring Windows 365 Cloud PCs as an innovative alternative
Integrating with Intune – The Microsoft Entra Hybrid Join Method
Integrating devices with Intune can be achieved by configuring Microsoft Entra Hybrid Join: Microsoft Entra Connect is configured to synchronize devices to Microsoft Entra ID, and once that is in place devices can be auto-enrolled into Microsoft Intune via Group Policy. This is a streamlined approach for organizations aiming to integrate devices into Intune quickly while maintaining both on-premises and cloud-based device management.
One of the main considerations for this method of enrollment is Group Policy. Since both Group Policy and Intune can be used to enforce settings on devices, there is potential for conflicts and inconsistencies. For example, if a setting is configured differently in Group Policy and Intune, the device may not apply the desired value or may toggle between values. To avoid this, a full Group Policy audit should be carried out to understand which Group Policies are currently in use and whether they can be migrated to Intune. Group Policy Analytics in Microsoft Intune allows you to import your on-premises GPOs, shows which settings Intune supports, and flags any deprecated settings or settings that are not available. Once the audit is done, the Group Policies should be migrated to Microsoft Intune.
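As an added example (not code from the article), the audit step above can be scripted: Group Policy Analytics imports one XML report per GPO, and the same reports can be read back to build an inventory showing which GPOs are linked where. It assumes the Group Policy RSAT module is installed, the account can read every GPO, and `C:\GPOExport` is a constructed output path.

```powershell
# Export one XML report per GPO for import into Group Policy Analytics, and
# build an inventory (status, last modified, link targets) to prioritise the
# migration. Assumption: run on a domain-joined admin workstation with RSAT.
Import-Module GroupPolicy

$OutDir = 'C:\GPOExport'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # GPO display names may contain characters that are invalid in file names
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $reportPath = Join-Path $OutDir "$safeName.xml"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $reportPath

    # Read the report back: the LinksTo elements list every OU/domain/site
    # the GPO is linked to, so unlinked GPOs can be dropped from the migration
    [xml]$report = Get-Content -Path $reportPath -Raw
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        Name       = $gpo.DisplayName
        Id         = $gpo.Id
        Status     = $gpo.GpoStatus        # e.g. AllSettingsEnabled
        Modified   = $gpo.ModificationTime
        LinkedTo   = $links -join '; '
        ReportFile = $reportPath
    }
}

$inventory | Sort-Object Name |
    Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation

# GPOs with no links are candidates to retire rather than migrate
$inventory | Where-Object { -not $_.LinkedTo } | Format-Table Name, Status, Modified -AutoSize
```

The XML files in the output folder are the ones to upload under Group Policy Analytics in the Intune admin center; the CSV is the audit record to review with the application owners before migrating anything.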
Kicking it Old School with Imaging Devices
The method of refreshing devices by reimaging has been around for decades now. I remember running ZenWorks to reimage full classrooms in a couple of hours in one of my earliest jobs at a college. It was an effective way to ensure the desktop experience for students stayed clean and software downloaded by students was effectively removed from the local PC.
Reimaging devices can be a method of enrolling a device straight into Intune with Microsoft Entra ID Join integration. There are three approaches I would use to reimage devices, and which one applies is scenario-dependent.
OSDCloud & Wim Witch – In my experience, reimaging via a USB key still has its place in the inventory of an IT Admin. For example, there may be a scenario when a device is completely off the local network and needs a complete refresh. In this scenario, use Wim Witch to create a .wim file which will contain your Windows image with up-to-date Windows updates and drivers specifically for the laptop, then use OSDCloud to deploy the image to the device. If you are able to upload the Hardware Hash into Intune, the device will also enroll into Intune via AutoPilot, which allows the device to be managed remotely with Intune. I only recommend this method in extreme circumstances and not as a reimaging strategy for a whole organization due to the complexities, the potential need for user interaction, and lack of any automation.
ConfigManager or Microsoft Deployment Toolkit (MDT) can be used for a more enterprise method of deploying images. MDT is a free tool for creating and customizing Windows images for deployment. Both tools are able to automate the installation of Windows, applications, drivers, and device updates.
One of the benefits of both tools is they allow a device to be enrolled into Intune using a task sequence. A task sequence is a set of steps executed by the deployment engine on the target device. A task sequence can include installing an operating system, applying drivers, installing applications, running scripts, and joining a domain. By adding a step to the task sequence that enrolls the device into Intune, both tools can leverage the existing infrastructure and process for OS deployment and enable cloud-based management.
The steps to enroll a device into Intune using a task sequence are:
- Create a custom script that uploads the Hardware Hash into Intune (note that although the instructions in this link are for ConfigMgr, they can also be used for MDT).
- Add the custom script to the MDT deployment share as an application.
- Edit the task sequence used to deploy the OS and add a step to install the custom script as an application after the OS installation step.
- Update the deployment share and create a bootable media or network boot image.
- Boot the device from the media or network and start the deployment process.
- After the OS installation, the custom script will run and upload the Hardware Hash into Intune.
- SysPrep should be run as the last step of the task sequence; the device will now be ready to be handed to a user for enrollment into Intune.
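As an added example (not the article's script), this is the kind of custom step described above: run after the OS installation, it captures the device's hardware hash and writes it in the Autopilot CSV import format. It assumes the step runs as SYSTEM, that `\\deploy01\AutopilotHashes` is a constructed share the task-sequence account can write to, and that `Corp-Laptop` is an assumed group tag; it writes the CSV for later import rather than calling Intune directly.

```powershell
# Task-sequence step: capture the Autopilot hardware hash of this device.
# Assumptions: runs elevated/as SYSTEM; $OutputShare and $GroupTag are
# placeholders to replace with your own values.
param(
    [string]$OutputShare = '\\deploy01\AutopilotHashes',
    [string]$GroupTag    = 'Corp-Laptop'
)

# Serial number from BIOS, hardware hash from the MDM WMI bridge
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if ([string]::IsNullOrWhiteSpace($hash)) {
    # A non-zero exit makes the task-sequence step fail visibly instead of
    # quietly producing a device that never appears in Autopilot
    Write-Error "No hardware hash returned for serial '$serial'"
    exit 1
}

# Autopilot CSV import format: fixed header row plus one device per line
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}
$csvPath = Join-Path $OutputShare "$serial.csv"
$row | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# Export-Csv quotes every field; strip the quotes to match the published
# sample format (the hash is base64, so it contains no commas or quotes)
(Get-Content -Path $csvPath) -replace '"', '' | Set-Content -Path $csvPath -Encoding ASCII

Write-Output "Hardware hash for $serial written to $csvPath"
exit 0
```

The per-device CSV files on the share are then imported under Windows Autopilot devices in the Intune admin center (or uploaded with the Get-WindowsAutopilotInfo script from the PowerShell Gallery), so the device is claimed by your tenant before it is handed to a user.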
If a device has to be reimaged anyway, this is the approach I would recommend organizations use to enroll it into Intune.
Leveraging Quest On Demand Migration to Migrate Devices
Quest On Demand Migration provides a robust solution for migrating existing devices from On-Premises Active Directory (AD) or Entra Hybrid Join to Entra ID Join without requiring a device reset or reimage.
- Quest On Demand Migration is the leading product on the market that can perform this migration without requiring any additional infrastructure or software installation. It preserves the user profile and customizations such as desktop settings, bookmarks, documents, and app data during the migration process. Mapped drives and printers the user has installed are also preserved across the logoff, migration, and logon.
- It can run additional scripts to customize the Intune enrollment, including assigning a Primary User in Intune so the device receives the correct policies.
- The device migration only takes a few minutes. From the user’s perspective, they reboot, go through the Windows Hello setup process, and reauthenticate with Outlook, OneDrive, and Teams.
- This is the least impactful way (and least effort) to get to Intune, allowing you to migrate devices during normal business hours.
Embracing Windows 365 Cloud PCs
An alternative approach I am seeing more organizations adopt is the Windows 365 Cloud PC, which sidesteps many traditional device management and integration challenges. This section explores how Cloud PCs can be provisioned for users, the advantages of this approach, and considerations for integrating these virtual devices with Intune.
One key advantage of Windows 365 is its simplified management. It is directly integrated into Intune, where administrators can easily create, assign, update, and monitor virtual devices. Users can access their Cloud PCs from any device and location without the need for VPNs or complex configurations.
Windows 365 allows for impressive scalability. Cloud PCs can be scaled on demand, depending on organizational needs and user preferences. Administrators can adjust the CPU, RAM, and storage of each Cloud PC and the number of users and devices. This provides flexibility and efficiency, as organizations can swap licenses between users to ensure they are getting full value from Windows 365 licenses.
As Windows 365 is directly integrated into Intune, Cloud PCs are inherently secure. They run on Microsoft’s cloud infrastructure and comply with its security standards and policies. Data and applications are stored in the cloud, not on the local device, which reduces the risk of data loss, theft, or compromise. Cloud PCs also support Conditional Access, ensuring only authorized users can access their virtual devices.
While Windows 365 Cloud PCs offer many benefits, there may also be a slight drawback that should be considered before adopting this solution. Cloud PCs may incur higher costs than laptops over a typical three-year device cycle, so organizations need to consider using Windows 365 in the right circumstances, such as for temporary staff or contractors to whom we do not want to send a device.
How Should your Organization Migrate to Intune?
Integrating devices with Intune requires a multifaceted approach that accommodates various organizational needs and technological landscapes. Whether through Entra ID Hybrid integration, reimaging, migrating devices with Quest On Demand, or adopting Windows 365 Cloud PCs, each method offers unique advantages. By carefully considering these options, organizations can ensure a smooth transition to a more managed and secure digital environment.
Hello Jon,
I read your article and found your insights particularly enlightening.
However, as we move towards a more security-conscious era, the authentication mechanisms for on-premises servers become increasingly critical. I would think that migrating all devices towards Intune would lead to potential access issues. Could you elaborate on how one might address these authentication challenges effectively?
Thank you for your valuable contributions to the field. I look forward to your thoughts on this matter.
Best regards, Jakke