This article is contributed. See the original author and article here.
Intune + Azure Lab Services
A question that we get asked by IT departments is “can Intune be used to manage Windows 10 machines in a lab?” The answer is yes! In this blog post, we will show you how you can enable Intune on your lab’s VMs. This post will focus on getting lab VMs automatically domain joined, enrolled into Intune, and into a specific AD group at the initial student logon.
There are several benefits to having the lab VMs being managed by Intune. The ability to create profiles that configure the VM to allow or restrict capabilities like blocking different URLs, setting sites to open when the browser starts, blocking downloads, and managing Bitlocker encryption. The Microsoft Endpoint Manager helps deliver a modern management tool for your lab VMs where you can create and customize these configuration profiles. For an education focused management tool, the Intune for Education is a portal that helps simplify Windows configuration, Take a Test, user management, group / sub-group inheritance and app management.
These steps assume the following prerequisites have been configured:
- Check with your account representative for the appropriate Intune licensing.
- The Active Directory is setup with a MDM service, that is configured for auto-enrollment.
- You have a Azure Lab Services Account peered to a hybrid Azure Active Directory.
Here is more information on how to setup an Azure Lab Services account that is connected to your network.
Setting up the Lab
- Setup Template VM to join the domain.
Currently, there is a set of PowerShell scripts that are run on the template VM so that the Lab VMs will be domain joined when they are initially started. These set of scripts also rename the Lab VM to make the name unique, including setting a prefix for the VM name that can be used to put the VM in the appropriate AD group, I’ve included more details later in this blog.
- Set Group Policy to auto enroll into Intune.
The following steps will setup the auto enrollment for the lab VMs. On the template VM setup the auto-enrollment using the following steps:
- Open the local group policy editor (gpedit.msc)
- Under Computer Configuration / Administrative Templates / Windows Components / MDM
- Enable automatic MDM enrollment using default Azure AD credentials set to User Credential.
- Disable MDM enrollment is disabled.
- More information is available in the device management documentation.
- Publish Template
Once the template is published, the machines for that class will be created. The students VMs will join the domain on first startup. When the student logs on with their account, the device will be Intune enabled.
You should start the VMs before the students to get the VMs domain joined and setup for the students. The domain join and setting up the student access may take some time. Once the domain join has completed, the VMs can be turned off and when the students start and logon to the VM the auto enrollment will occur. In the case that you run into issues I’ve included a section on troubleshooting.
Additional: Setup dynamic AD group for the class
The Lab VMs are Intune enabled, but an additional step is to have the VMs added to a specific active directory group. Profiles can be set for an AD group so that any VMs added to the group will be configured based on the profile information. The dynamic group allows you to set up rules for which machines are in the group. Each group corresponds to a class or more specifically, the machines within the class. A student could have multiple classes where each class has a different set of requirements and machines that will need to be managed. Dynamic groups use rules to determine which AD group a VM should belong to. The simplest example is to use the VM name prefix (from the domain join script) as the rule for the group. An example rule would be “displayName -startsWith “Prefix”
In the case that the student VMs aren’t working as expected here are some troubleshooting tips.
- Start with the Domain join scripts.
- The Domain join has multiple Powershell scripts that all need to run and succeed.
- Check the Group Policy on the student VM
- Confirm that the group policy for auto-enrollment is set on the student VM, if not check the template VM.
- Check Event viewer on the student VM for information on the auto-enrollment task.
- The MDM team has documentation on the different events that occur during auto-enrollment
Given the complexity of Active Directory and network configurations this is a specific example to help understand how to get Azure Lab Services working with Intune which opens a whole world of capabilities in managing student VMs.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.