Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V


Microsoft Intune

Microsoft Intune enrollment on Android for end users

All Android is not the same

First, let me start off by saying that almost all Android phones differ with respect to enrollment. These screenshots were taken on a Sony device. The most complicated part with Android is that the end user has to fix the compliance settings themselves.

How good are your users?

For example, as seen here, the end user needs to set the PIN code themselves to become compliant. Make sure your users can do this before you start.

Picture by picture guide

Here is how you, as an end user, will experience Intune in your organization.






If you are an IT admin, check out this guide on what it looks like for you in the Intune portal:

Microsoft Intune Enrollment of Android for IT Admin

Step 1: Enrollment

Once an end user has enrolled an Android device, it will shortly show up in the Intune portal.

Step 2: Verify status in Intune

This is what a healthy device should look like in the Intune portal:


This device is healthy, should have access to email, and does not need attention.


If you need device info, the Intune MDM agent will pull information from the device and display some of it here in the General Info tab, just to the right of the health status.


Just some of the info pulled from Intune



There are many different Android phones out there, and they all report information to Intune MDM differently. Here, Sony is not able to convey the OS name correctly to Intune.

Not all Android phones report the OS correctly


In the device list you can view and sort the devices by most of the general information fields.


Sort and find your device


When the end user enrolled this Sony Android device, he was prompted to assign his device to a group himself. This group is displayed here. I named this group myself in the Intune portal; you could name it anything other than "personal" if you want to.


Device Group Mapping


Management channel should be set to Intune, or Intune and EAS, when your device is enrolled. We should also see the Compliant status. If it is not compliant, check your compliance policies in the Intune Policy tab, or make sure that the device actually meets them, e.g. PIN enabled, encryption, screen lock, and so on.


If your device is not compliant, it will be blocked from Exchange when you use Conditional Access.


Microsoft Intune Company Portal Enrollment on iPad for end-users

Here is the complete set of screenshots the end user will see, and the steps to take, to enroll an iOS device into Intune.


Conditional Access prevents Exchange Online sync before enrollment



MDM enrollment with Azure AD Join

This is how you both join Azure AD and enroll for MDM. Your admin needs to have configured automatic MDM enrollment into Intune for this to work.
1 - System
2 - AAD join

3 - Notification
Disclaimer from Windows
4 - Login
Note how my icon and text have been pulled down from Office 365
5 - MFA loading
Azure MFA gateway
6 - Custom policy approval screen
Customizable policy template for your org

7 - Org check

8 - Spell check
Despite the translation error, all is okay now.



How to sign an MSI file for deployment with Microsoft Intune

If you want to use Microsoft Intune to deploy an MSI file, it needs to be signed with a code signing certificate. Most MSIs from software vendors are signed already, but if you created a custom MSI (e.g. Office 365) by wrapping an EXE, then you need to sign that MSI yourself.

Using an MSI enables Intune to push that software through the MDM channel. All MDM-joined PCs will be able to receive this software.

Scenario this covers: I want to use Microsoft Intune to deploy apps and EXE files to PCs, e.g. Office 2016 or custom software.

Step 1 – Buy or obtain a code signing certificate. If you do not have one, buy it here:

Step 2 – Download and install the Windows 7 SDK to get signtool.exe. Get the SDK from here:
-> Accept all defaults and do not change anything, or it will throw errors.
-> Check that you have signtool.exe in this folder:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

Step 3 – Export your certificate to a PFX file and put it in the same folder as your MSI file.

Step 4 – Run CMD as administrator and enter this command (the /t switch needs the URL of your certificate vendor's timestamp server; it is missing from the command as posted, so a placeholder is shown here):

"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /f "C:\exemsi\HaukebergCert.pfx" /p "PASSWORD" /t <TIMESTAMP_SERVER_URL> "C:\exemsi\OfficeProPlus.msi"

sign ok
The password has been removed
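Steps 1 to 4 as one script, added here as an example and not taken from the original post: it checks that the PFX actually holds an unexpired code signing certificate before calling signtool.exe with the same paths as the command above, then verifies the resulting signature both with signtool and with Get-AuthenticodeSignature. The PFX password is read interactively instead of being written into the script, and the timestamp server URL is a placeholder you must replace with your CA's server. The SDK path, PFX name and MSI name are taken from the post and are assumptions about your environment.

```powershell
# Added example (not from the original post). Signs an MSI with signtool.exe
# from the Windows 7 SDK after checking the PFX really is a code signing cert,
# then verifies the signature. Paths, PFX name and the timestamp placeholder are
# assumptions taken from the post's command line; replace them for your setup.
param(
    [string]$SignTool     = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe',
    [string]$PfxPath      = 'C:\exemsi\HaukebergCert.pfx',
    [string]$MsiPath      = 'C:\exemsi\OfficeProPlus.msi',
    [string]$TimestampUrl = '<TIMESTAMP_SERVER_URL>'   # placeholder: your CA's timestamp server
)

$ErrorActionPreference = 'Stop'

foreach ($p in $SignTool, $PfxPath, $MsiPath) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}
if ($TimestampUrl -like '<*>') { throw 'Replace the timestamp server placeholder first.' }

# Read the PFX password interactively instead of hard-coding it in the script.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Check the certificate carries the Code Signing EKU (1.3.6.1.5.5.7.3.3) and
#    has not expired. A TLS server certificate exported to a PFX fails here,
#    which is better than finding out after the package has been uploaded.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigning) { throw "$PfxPath does not contain a code signing certificate (missing EKU)." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 2. Sign. This is the post's command with the timestamp URL filled in;
#    /t timestamps the signature so it stays valid after the certificate expires.
& $SignTool sign /v /f $PfxPath /p $password /t $TimestampUrl $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify with signtool (/pa = default Authenticode policy) and with PowerShell.
& $SignTool verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
"Signed $MsiPath as $($sig.SignerCertificate.Subject) (status: $($sig.Status))"
```

Passing the password with /p still exposes it to anyone who can list process command lines on the signing machine; importing the PFX into the signing user's certificate store and selecting the certificate with `/n "<subject name>"` or `/sha1 <thumbprint>` avoids that. Newer Windows SDK versions of signtool also support `/fd sha256` and an RFC 3161 timestamp via `/tr <url> /td sha256`, which is preferable to `/t` where available.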


Now you are ready to deploy this MSI file through the MDM channel.

Follow this guide to deploy the MSI file through the Microsoft Intune MDM channel:


IT DEV Connections
We are covering the MDM channel here

Adapted from these posts:

Convert Office 2016/365 Click-to-Run into an MSI

*UPDATED with new screenshots of the Office 365 generator

You can use this free tool to create an Office 365/2016 MSI in order to deploy it with Microsoft Intune.

Office 365 install generator
Click Install Generator
Launch it and install it
Start New
Click Start New
Select 32-bit for a fresh install; if 32-bit Office is already installed you cannot select 64-bit.
Feel free to add a language
Just click Next
Remove what you do not want
Ensure you have the right edition, or maybe you want to add 64-bit?
Of course you want automatic updates. Click Next
Make it really silent. Don't do Auto Activate
NEW: Self-signed certificate. Remember to check and generate. If you do not do this there will be a UAC prompt
Could be anything
Give it a name and click Save


You can sign the MSI manually

Or simply deploy it to Microsoft Intune using the MDM channel.

Deploy custom script with Microsoft Intune

Once you have:

  1. Created a script
  2. Packaged the script in an EXE

you should be ready to deploy that script to computers running the Microsoft Intune Management Agent. The Intune MDM channel does not support EXE, only MSI.

Log in to Intune and go to Apps.
Select Software Installer, choose EXE, then browse to the EXE.

Follow the Wizard.

You are done. Now you need to move the user or PC into that group for deployment. Want to deploy to all PCs? Apply it to all computers instead of a group.





Waiting to run script
Manual tasks that can be done on the client






Azure AD join on Intune MDM classic agent channel *UPDATED

You can join Azure AD and use the Intune device agent for MDM, rather than the MDM channel, when you enroll. It is a bit tricky and requires manual touch on the device.

The best experience is to include the Intune agent in the Windows image. If you cannot do this, here is how:

You need this:
  1. Azure AD enrollment administrator
  2. Microsoft Intune agent on a USB stick
  3. Windows 10 clean install (OOBE)
  4. Configure Azure AD to enroll for MDM only
  5. Create a security group with all students
  6. Target Intune to do MDM only for that group
Optional: Passport for Work registry disable script

Here are the steps:

In Azure AD:

  1. Go to Active Directory
  2. Select your domain
  3. Select Applications
  4. Select Microsoft Intune
  5. Select Configure
  6. Under "Manage devices for these users", select Groups, then browse and select the all-students group. Select it and click the check mark. Click Save on the bottom bar.

In Intune:

  1. Create an enrollment administrator in the Intune console.
  2. Go to Admin -> Administrator -> Device Enrollment Administrator. Enter an Azure AD user as a device enrollment admin, e.g.
  3. *Create a group for the devices that the device enrollment administrator is part of, so that all his devices get targeted for a script.
  4. *Disable Passport for Work by pushing a script to that group. This script disables Passport for Work on the local machine so that you do not need to enter a PIN.
  5. *Here is how you create the script: Create script
  6. *Here is how you package the script: Script Deployment
  7. *Here is how you deploy the script: Deploy custom script
  8. *Once a client is visible in Microsoft Intune, you need to either distribute the software to all clients or to a client that you manually move into a specific group.
  9. That software will be pushed down in time. You may force the install on the device by pressing Install on the client or by refreshing the policy in Intune.
  10. Get the Intune agent from Admin -> Download Client Software and save it to a USB stick.
*Only necessary if you want to disable the "Create PIN" prompt on login.
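The post's own script (step 4 above) is behind a link that is not on this page. As an added example, not the author's script, here is one way to do what step 4 describes: set the policy value that the "Use Windows Hello for Business" group policy setting writes (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, Enabled = 0), verify the readback, and log the result. That the original script set this same value is an assumption, as is the log file location.

```powershell
# Added example, not the script from the original post (its link is not on the
# page). Disables Windows Hello for Business (Passport for Work) on the local
# machine by setting the policy value that the "Use Windows Hello for Business"
# group policy writes. That the post's script used this same value is an
# assumption. Must run elevated; when pushed by the Intune agent it runs as SYSTEM.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$valueName = 'Enabled'
$logPath   = Join-Path $env:ProgramData 'DisablePassportForWork.log'   # assumed log location

function Write-Log([string]$Message) {
    "{0:s} {1}" -f (Get-Date), $Message | Out-File -FilePath $logPath -Append -Encoding utf8
}

try {
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
        Write-Log "Created $keyPath"
    }

    # Idempotent: a re-run (e.g. a policy refresh) does not touch the value again.
    $current = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 0) {
        Write-Log 'Passport for Work already disabled; nothing to do.'
        exit 0
    }

    Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value 0 -Type DWord

    # Read the value back so a silent failure (e.g. not elevated) is reported.
    $after = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName).$valueName
    if ($after -ne 0) { throw "Readback of $valueName was '$after', expected 0" }

    Write-Log "Set $keyPath\$valueName = 0 (previous value: '$current')"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The non-zero exit code on failure is what the packaged EXE should surface so the deployment status in Intune reflects it. Note that with this value set, users on the device authenticate with their password only, so check that this matches your compliance policy before targeting the group.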


deployment admin
Enrollment Admin Creation

On the device:

  1. Boot the clean device.
  2. Under the OOBE experience, select "My company owns this device".
  3. Log on with that enrollment administrator and complete the setup.
  4. As the admin you will be challenged with a PIN prompt and you need to verify, so bring your phone.
  5. Plug in the USB stick and run the EXE file. Remember that both the EXE and the small certificate file need to be in the same folder for the enrollment to be tied to your account.
  6. Let the machine sit if you can. The longer it sits, the more will be downloaded, so your next user does not have to wait.
  7. Log off your enrollment admin and give the PC to the students; let them log in with their user that is in the student security group.
  8. The next user that logs on will be a standard user.
  9. He/she will be prompted for a PIN, but it can be bypassed by doing this:

Shared devices (Roaming Profiles) with Microsoft Intune

When you have more users than devices, or users share devices, and you only have Azure Active Directory, the ability to switch users works a bit differently.

The first user that you enroll with will be an administrator; all subsequent users will be standard users.

Microsoft Intune will block any user from enrolling a multitude of devices. The limit is set in Azure Active Directory at 20 devices. You can change this.

To do this, keep in mind that you need to be an administrator:

Navigate to:


Click Configure
Select the number of devices you want the users to be able to enroll



That is it. This user can now enroll 1000 devices on this domain.
