Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V



Azure AD & Intune Enrollment Sways

This post will now be a list of Sway’s for enrollment into Azure AD and Intune.

  • Windows 10 Pro Azure AD join
  • Windows 10 enterprise Education Azure AD Join
  • Azure MFA enrollment
  • Ipad into intune

Windows 10 Professional

Windows 10 Enterprise / Education

Azure MFA Enrollment


Microsoft Intune Enrollment of Android for IT Admin

Step 1: Enrollment

Once a end user has enrolled a Android device it will shortly show up in the Intune portal.

Step 2: Verify status in Intune

This is what a healthy Device should look like in the Intune Portal :


This device is healthy and should have access to email and does not need attention.


If you need device info, the Intune MDM agent will pull information from the device and display some of it here in the general info tab just right to the health status


Just some of the info pulled from Intune



There are many different Android phones out there. They all provide info to Intune MDM differently. Here Sony is not able to convey the OS name correctly to Intune.

Not all android phones report OS correctly


In the device list you can see and sort the list of devices on most of the general information.


Sort and find your device


When the end user enrolled this Sony Android Device he was prompted to group his device himself into a group. This group is displayed here. I have named this group myeself in the Intune portal. You could name it anything other than personal if you want to.


Device Group Mapping


Management channel should be set to intune or intune and EAS when your device is enrolled. We should also se the Compliant status. If it is not compliant, check your compliance policies in intune policy tab or make sure that you have made the device compliant e.g. enabled PIN or encryption/screen lock +++


If your device is not compliant it will be blocked from exchange when you run Conditional Access.


Microsoft Intune Company Portal Enrollment on iPad for end-users

Here is a complete set of screen dumps which the end user will have to see/do in order to enroll a iOS device into Intune.


Conditional Access prevents exchange online sync before enrollment



MDM enrollment with Azure AD Join

This is how you both join Azure AD and enroll for MDM. Your admin need to have configured Automatic MDM enrollment into intune over at for this to work.
1 - system2 - aad join

3 - notification
Disclamer from Windows
4 - login
Note how my icon and text have been pulled Down from Office 365
5 - mfa loading
Azure MFA gateway
6 - custom policy approvment screen
Customizable Policy template for Your org

7 - org check

8 - spell check
Despite the translation error, all is okay now.



Deploy Office 365 MSI with Microsoft Intune

I have wrapped a EXE file (OfficeProPlus click 2 run)  in a MSI wrapper. I have used a Certificate and signed the MSI and now I am going to use Microsoft Intune to push out the installation on PC’s.

Go to and click Apps->Select Apps->Click Add an App

Launch the software wizard and log on.

windows MDM installer beskrivelse

os krav


Click Upload and then wait



Select the software you want to distribute


These users in this group will get this software


forced install
It will be forced to the device


As soon as possible


These are the users in that group which will get this software

Azure AD join on Intune MDM classic agent channel *UPDATED

You can join Azure AD and use the Intune device agent for MDM and not the MDM channel when you enroll. It is a bit tricky and require manual touch on the device.

The best experience is to include the Intune agent in the Windows Image. If can not do this then here is how:

You need this:
  1. Azure AD Enrollment Administrator
  2. Microsoft Intune Agent on USB
  3. Windows 10 clean install (OOBE)
  4. Configure Azure AD to only MDM enroll
  5. Create a group for Security Group with all students
  6. Target Intune to only do MDM for that Group
Optional: Passport for Work registry disable script

Here are the steps:

In Azure AD:

  2. Go to Active Directory
  3. Select your Domain
  4. Select Applications
  5. Select Microsoft Intune
  6. Select Configure
  7. Under manage devices for these users, select Groups then browse and select the all students group. Select it and click on the check mark. Click Save down on the bottom bar.
appsconfigureselect eleverset groups

In Intune:

  1. Create an enrollment administrator in the Intune Console
  2. Go to ->Admin->Administrator->Device Enrollment Administrator Enter an Azure AD user as a device enrollment admin e.g.
  3. *Create group for the devices that the Device Enrollment Administrator is a part of so that all his devices get targeted for a script.
  4. *Disable Passport for Work by pushing a Script to that group. This script Disables Passport for Work on the local machine so that you do not need to enter a pin.
  5. *Here is how you create the script: Create script
  6. *Here is how you package the script: Script Deployment
  7. *Here is how you deploy the script: Deploy custom script
  8. *One client is visible in Microsoft Intune you need to either distribute the software on all clients or on a client that you manually move into a specific group.
  9. That software will be pushed down in time. you may force the install on the device by pressing install on the client or refreshing the policy in Intune.
  10. Get the Intune agent from Admin->Download Client Software and save it to a USB stick.
*Only nessecary if you want to disable the “Create PIN promt” on login.


deployment admin
Enrollment Admin Creation

On the Device:

  1. Boot the clean device.
  2. Under the OOBE experience Select “My company owns this Device”
  3. Log on with that enrollment administrator and complete the setup.
  4. As the admin you will be challenged with a PIN prompt and you need to verify so bring your phone.
  5. Plug in USB and run the EXE file. Remember you need both the EXE and that small certificate file to be in the same folder for the enrollment to be toward your account.
  6. Let the machine sit if you can. The longer it sits, the more stuff will be downloaded so your next user do not have to wait.
  7. Log of your enrollment admin and give the PC to the students and let them log in with their user that is in the Student security group.
  8. The next user that logs on will be a standard user.
  9. He/She will be prompted for a pin but it can be bypassed by doin this:

Koble fra / Fjerne Microsoft Intune fra Office 365

mdm authority

Dersom du har koblet Intune til Office 365 så må du bruke Intune til å styre dine MDM og devices. Min Intune Konto har nå gått ut og når jeg koblet til en mobiltelefon til Office 365 eposten sin så fikk jeg feilmelding på mobilen under sync. Dette skjedde fordi sync policy’en lå i intune og siden intune var deaktivert så ville ikke han sende ut sikkerhetspolicy’en.

Svaret her var å fjerne policyen i Intune, vente på at Intune skulle synce med Office 365 (kan ta noen minutter) og så synce kontoen på nytt.

Nå i fremtiden må jeg koble vekk Intune fra Office 365 og det gjøres slik:

Dersom du ikke vil bruke Microsoft Intune så kan du koble vekk Intune slik:

  1. Kontakt Microsoft support og skriv:
    “Please reset or remove Intune as my MDM authority”
  2. logg inn på
  3. Gå til Admin
4. Velg Mobile Device Management
5. Når Support har resatt MDM Authority så kan du sette den på nytt.

Hentet fra Peter Daalmans [MVP]

Stop Windows Intune Endpoint Protection Scans


So, when I use my computer I like that it runs fast, cool and quiet.
All of a sudden disk starts whirr’ing and the system responds slower. Whats up?
Scheduled Windows Intune Endpoint Protection full scan is whats up.

Unfortunately for Intune, it can’t run while Your computer is off and since most People sleep their computer, they use it while its on.
Lets turn that stuff off…

Reference here:

Navigate to:
Policies->Add New Policy->Windows Intune Agent->Tick: Create and Distribute Custom Policy->Create Policy
Name: Stop Scanning me
Search Plan -> Uncheck Both
Click “Save Policy”
On Promt->yes
Add Your groups->Click Ok

Tip: Also increase the time which you can delay restart after updates have been Applied to: 30 minutes

My Policies
My Policies

Blog at

Up ↑

%d bloggers like this: