Managing Windows Virtual Desktop with Microsoft Endpoint Manager - Part 2 - Enrolling your WVD session host into Intune
This is the second part in the Managing Windows Virtual Desktop with Microsoft Endpoint Manager series. In the previous part I showed you how to join your Windows 10 WVD session hosts to your on-premises AD as well as to Azure AD using Hybrid Azure AD join.
In this post I will share with you how to automatically enroll your WVD session hosts into Intune. And then… well, that’s where the fun begins!
We are going to explore the possibilities with Microsoft Endpoint Manager and WVD together!
- Part 1 – Setup Hybrid Azure AD join
- Part 2 – Enrolling your WVD session host into Intune
- Part 3 – Compliance policies for WVD (Coming soon)
- Part 4 – Setup Windows Update for Business (Coming soon)
- Part 5 – Application deployment (Coming soon)
Current situation
At this moment my complete test environment is running in Azure; the on-premises AD I refer to is also running in Azure. Windows 10 Enterprise multi-session is not supported for this scenario yet, so for this guide I am using the Windows 10 Enterprise 2004 image from the Image Gallery.
- On-Premises Active Directory
  - Server 2019 configured as Domain Controller
  - Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
  - AADConnect installed and synced with Azure AD
- Azure Active Directory
  - Microsoft 365 E5 Developer subscription
- WVD Environment
  - The WVD Session Hosts are deployed from a Golden Image
  - The WVD Session Hosts are domain joined
  - The hostpool is configured with type “Personal”
- Group Policies are being used for managing my WVD hosts
New situation
- On-Premises Active Directory
  - Server 2019 configured as Domain Controller
  - Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
  - AADConnect installed and synced with Azure AD
- Azure Active Directory
  - Microsoft 365 E5 Developer subscription
- WVD Environment
  - The WVD Session Hosts are deployed from a Golden Image
  - The WVD Session Hosts are domain joined
  - The WVD Session Hosts will automatically Hybrid Azure AD join
  - The WVD Session Hosts will automatically enroll into Intune
  - The hostpool is configured with type “Personal”
- Group Policies are being used for managing my WVD hosts
Let’s get started! Now that your WVD session hosts are registered and Hybrid Azure AD joined, the fun begins. But before we can manage those devices we have to enroll them into Microsoft Intune, and there is no better way than doing that automatically.
Requirements
- WVD session host joined to the on-premises domain as well as to Azure AD (Hybrid Azure AD join)
- A configured Mobile Device Management (MDM) service (Intune) within Azure AD
- The latest Administrative Templates (ADMX) for Windows 10 installed, so the MDM enrollment setting is available in the Group Policy editor
Accept Automatic Enrollment
Before the devices can be automatically enrolled into Intune we first need to make sure the correct configuration is in place.
Sign in to the Azure Portal, go to Azure Active Directory and then navigate to Mobility (MDM and MAM) –> Microsoft Intune.
To enable automatic enrollment you must set the MDM user scope to All or Some (and assign a group). In this case I chose All; without this, the devices will never be accepted for enrollment, regardless of the Group Policy configured later.
Automatic enrollment into Intune using Group Policy
Starting with Windows 10 version 1709 it is possible to trigger auto-enrollment into MDM for domain-joined devices.
The auto-enrollment into Intune is triggered by the configuration in the Group Policy and happens automatically. The enrollment takes place in the background and only works for devices that are already hybrid Azure AD joined.
Difference between using User and Device credentials
After reading the documentation I thought I should configure the Device Credential option for this scenario. Before we dive into the auto-enrollment process, let me explain the difference between the two options.
User Credentials: enrolls a Windows 10 device once an Intune-licensed user logs on to the device.
Device Credentials: enrolls the Windows 10 device first and assigns a user later.
I have tested both configurations and I can conclude that using Device Credentials does not work at the moment, and the documentation is a little misleading.
I remember reading on the Microsoft documentation page that Device Credentials were not supported for automatic enrollment into Intune, while at this moment the following note suggests that it should work.
I didn’t see the session hosts appear in Intune, so I logged in with the local administrator account and checked the Task Scheduler. I noticed that the GPO had created an extra task.
In the event log I saw the following error: Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018002b).
I have contacted Microsoft to get more information about this issue. I have also found two issues on GitHub that describe the same behavior; you will find the links at the end of this post, and I will update this post when more information is available!
Configure the Group Policy
To get started, create a new Group Policy Object or reuse an existing one. You can find the setting under Computer Configuration (Local Computer Policy in gpedit) –> Administrative Templates –> Windows Components –> MDM; the setting is called “Enable automatic MDM enrollment using default Azure AD credentials”, and its drop-down selects the User Credential or Device Credential option discussed above.
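The same setting can be created from a domain controller or an RSAT management host with the GroupPolicy module. The script below is an added example and is not part of the original post; the GPO name and the target OU are assumptions you need to replace. The registry values are the ones the MDM.admx template writes for this setting (AutoEnrollMDM = 1 enables it, UseAADCredentialType = 1 selects User Credential, 2 selects Device Credential), so the result shows up in the Group Policy editor exactly like the setting configured by hand, provided the latest ADMX files are installed.

```powershell
# Added example, not from the original post: create and link the GPO that
# enables automatic MDM enrollment. Run on a DC or a host with RSAT/GPMC.
Import-Module GroupPolicy

$gpoName  = 'WVD - Auto MDM Enrollment'           # assumption: choose your own name
$targetOu = 'OU=WVD Hosts,DC=corp,DC=local'       # assumption: the OU holding the session hosts
$key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Auto-enroll hybrid joined WVD hosts into Intune' }

# "Enable automatic MDM enrollment using default Azure AD credentials" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AutoEnrollMDM' -Type DWord -Value 1 | Out-Null

# Credential type: 1 = User Credential (the option that works in this post),
# 2 = Device Credential (fails with 0x8018002b at the time of writing).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU; New-GPLink errors if the link already exists, which is fine here.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Show what the GPO now carries, so it can be compared with the editor view.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
```

After the link is in place, run `gpupdate /force` on a session host (or wait for the next policy refresh) and the scheduled task described in the next section will appear.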
Automatic enrollment into Intune
Because of the errors, the following steps and results use the User Credential option. When I have more information or confirmation from Microsoft regarding the Device Credential option I will update this post.
As mentioned before, the configured GPO creates a scheduled task that runs every 5 minutes for one day after creation. Since we are using the User Credential option, this task only succeeds once a licensed user (Azure AD + Intune) logs in.
Until then you keep seeing the following error; notice that the Device Credential value is 0x0 because we are using the User Credential option.
Open Event Viewer and navigate to Applications and Services Logs –> Microsoft –> Windows –> DeviceManagement-Enterprise-Diagnostics-Provider –> Admin.
Here you find the relevant events; look for event ID 75, which represents a successful enrollment into Intune (event ID 76 is a failed attempt and carries the error text quoted in the Troubleshooting section).
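Rather than clicking through Task Scheduler and Event Viewer on every host, the checks from this and the previous section can be collected with PowerShell. The script below is an added example, not code from the original post: it reads the hybrid join state from dsregcmd, the registry values the GPO writes, the state and last result of the enrollment scheduled task, and the success (75) and failure (76) events. The task name and the deviceenroller command come from the Microsoft documentation linked under Resources; the helper names are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the WVD session host after the GPO has applied. Helper names are assumptions.

function Get-DsregValue([string[]]$Lines, [string]$Name) {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES".
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Test-HybridJoin {
    # Auto-enrollment only works when both values are YES (hybrid Azure AD joined).
    $status = dsregcmd /status
    [pscustomobject]@{
        DomainJoined  = Get-DsregValue $status 'DomainJoined'
        AzureAdJoined = Get-DsregValue $status 'AzureAdJoined'
    }
}

function Get-MdmPolicy {
    # Registry values written by "Enable automatic MDM enrollment using default
    # Azure AD credentials". UseAADCredentialType: 1 = User, 2 = Device.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $(switch ($p.UseAADCredentialType) { 1 {'User'} 2 {'Device'} default {'Not set'} })
    }
}

function Get-MdmEnrollmentTask {
    # The GPO creates this task under \Microsoft\Windows\EnterpriseMgmt\ and it
    # runs every 5 minutes for one day.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object TaskName -like '*automatically enrolling in MDM*'
    if (-not $task) { return $null }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName       = $task.TaskName
        State          = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X8}' -f $info.LastTaskResult
    }
}

function Get-MdmEnrollEvents([int]$Max = 10) {
    # 75 = Auto MDM Enroll: Succeeded, 76 = Auto MDM Enroll: Failed.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Result';  e = { if ($_.Id -eq 75) { 'Succeeded' } else { 'Failed' } } },
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0].Trim() } }
}

Test-HybridJoin        | Format-List
Get-MdmPolicy          | Format-List
Get-MdmEnrollmentTask  | Format-List
Get-MdmEnrollEvents    | Format-Table -AutoSize

# Optional: trigger the enrollment attempt now instead of waiting up to 5 minutes.
# This is the command the scheduled task itself runs (see the Microsoft docs).
# & "$env:windir\system32\deviceenroller.exe" /c /AutoEnrollMDM
```

If Test-HybridJoin shows DomainJoined YES but AzureAdJoined NO, the host has not completed its hybrid join yet and any enrollment attempt will fail; check the AADConnect synchronization of the session host OU before looking further at the MDM task.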
When you navigate to the Microsoft Endpoint Manager admin center you can also see whether the WVD session host has been enrolled into Intune.
Navigate to Devices –> By platform –> Windows.
You can also verify a successful enrollment from a logged-on user’s account settings: navigate to Settings –> Accounts –> Access work or school.
Troubleshooting
During configuration and testing I experienced the following errors.
Auto MDM Enroll: Device Credential (0x0), Failed (The system tried to delete the JOIN of a drive that is not joined.)
This error occurs when the WVD host has not yet been synchronized to Azure AD, so the hybrid join cannot complete. Check your AADConnect configuration and make sure you are synchronizing the OU that contains the session hosts.
Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)
This is the error I constantly see before logging in with a licensed user; this is the point where the automatic enrollment should take place.
Resources
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4828
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5543
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
I will update this post as soon as I receive feedback from Microsoft regarding the Device Credential option for enrollment into Intune.
Stay tuned for the next part!
If you found this post useful, please share it or leave a comment below.