SharePoint Stuff



Azure AD DS Hybrid with Azure AD and Intune MDM Q&A

Written by Luke Smith. Posted in Microsoft

Q1: Why can’t I “factory reset” my Windows 10 device even though it’s listed in Intune under “Azure AD Devices”, however the device is not listed in All Devices
A1: Azure AD Join devices don’t allow you to factory reset. Your device needs to be enrolled with Intune MDM before the device can be “factor reset”. To enable Intune MDM run though the following
1. Enable Intune MDM integration with Azure AD: https://docs.microsoft.com/en-us/intune/windows-enroll
2. License user for EMS (AD Premium and Intune required): https://docs.microsoft.com/en-us/intune/licenses-assign
3. Device Enrolment: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-w10-phone-or-w10-pc-windows
4. To force intune MDM enrolment you can install the company portal app from the Microsoft Store: https://www.microsoft.com/en-gb/store/p/company-portal/9wzdncrfj3pz
NB: if joining windows AD DS and Azure AD see Q3:

Q2: Can I factory reset a Windows 10 device which is Windows AD DS Joined, Azure AD Joined and Intune MDM Managed
A2: Yes, to configure please see Q3

Q3: can I automatically enrol a windows 10 windows AD DS joined device into MDM and Azure AD
A3; Yes, however you need to be using build 1709 or above, for more information please see : https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup and
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Q4: Is it possible to add the BitLocker Protector key to AzureAD? even if you enabled BitLocker before the device was Azure AD Join?
A4: Yes, the following PowerShell will need to be executed:

Add-BitLockerKeyProtector -MountPoint “C:” -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint “C:”
BackupToAAD-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

Further information:

Intune make sure the DNS CNAMEs are created: https://docs.microsoft.com/en-us/intune/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium
Intune Factory reset\Remove company data descriptions: https://docs.microsoft.com/en-us/intune/devices-wipe
Intune Non-windows updates: https://docs.microsoft.com/en-us/intune/whats-new
Intune device compliance policies: https://docs.microsoft.com/en-us/intune/device-compliance-get-started
BitLocker Management: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-management-for-enterprises

Tags: , , , ,

Trackback from your site.

Luke Smith

I’ve been working with Microsoft Technologies for over 25 years, my main focus now being Microsoft Azure and Office 365. I Manage the Cloud Services at ElysianIT Limited and as a P-SELLER at Microsoft. I have worked with many organisations from SMB to Enterprise. I’ve been working with Microsoft Technologies since DOS 5.0, to date I have been working on Microsoft’s latest cloud technology Windows Azure, Office 365 and Microsoft SharePoint

Leave a comment