SharePoint Stuff



Posts Tagged ‘AD DS’

Azure AD DS Hybrid with Azure AD and Intune MDM Q&A

Written by Luke Smith. Posted in Microsoft

Q1: Why can’t I “factory reset” my Windows 10 device even though it’s listed in Intune under “Azure AD Devices”, however the device is not listed in All Devices
A1: Azure AD Join devices don’t allow you to factory reset. Your device needs to be enrolled with Intune MDM before the device can be “factor reset”. To enable Intune MDM run though the following
1. Enable Intune MDM integration with Azure AD: https://docs.microsoft.com/en-us/intune/windows-enroll
2. License user for EMS (AD Premium and Intune required): https://docs.microsoft.com/en-us/intune/licenses-assign
3. Device Enrolment: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-w10-phone-or-w10-pc-windows
4. To force intune MDM enrolment you can install the company portal app from the Microsoft Store: https://www.microsoft.com/en-gb/store/p/company-portal/9wzdncrfj3pz
NB: if joining windows AD DS and Azure AD see Q3:

Q2: Can I factory reset a Windows 10 device which is Windows AD DS Joined, Azure AD Joined and Intune MDM Managed
A2: Yes, to configure please see Q3

Q3: can I automatically enrol a windows 10 windows AD DS joined device into MDM and Azure AD
A3; Yes, however you need to be using build 1709 or above, for more information please see : https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup and
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Q4: Is it possible to add the BitLocker Protector key to AzureAD? even if you enabled BitLocker before the device was Azure AD Join?
A4: Yes, the following PowerShell will need to be executed:

Add-BitLockerKeyProtector -MountPoint “C:” -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint “C:”
BackupToAAD-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

Further information:

Intune make sure the DNS CNAMEs are created: https://docs.microsoft.com/en-us/intune/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium
Intune Factory reset\Remove company data descriptions: https://docs.microsoft.com/en-us/intune/devices-wipe
Intune Non-windows updates: https://docs.microsoft.com/en-us/intune/whats-new
Intune device compliance policies: https://docs.microsoft.com/en-us/intune/device-compliance-get-started
BitLocker Management: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-management-for-enterprises

Capacity Planning for Active Directory Domain Services

Written by Luke Smith. Posted in Microsoft

Microsoft guidelines for sizing server specification for Windows Active Directory Domain Services (AD DS)

Component Estimates
Storage/Database Size 40KB to 60KB for each user
RAM Database Size

Base operating system recommendations

Third-party applications

Network 1 Gb
CPU 1000 concurrent users for each core

Link to Microsoft Article: http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

Download in a word document Capacity Planning for Active Directory Domain Services