
Managing Windows Virtual Desktop with Microsoft Endpoint Manager – Part 2 – Enrolling your WVD session host into Intune

This is the second part in the Managing Windows Virtual Desktop with Microsoft Endpoint Manager series. In the previous part I showed you how to join your Windows 10 WVD session hosts to your on-premises AD as well as the Azure AD with the use of the Hybrid Azure Domain Join.

In this post I will share with you how to automatically enroll your WVD session hosts into Intune. And then… well, that’s where the fun begins!

We are going to explore the possibilities with Microsoft Endpoint Manager and WVD together!

Current situation

At this moment my complete test environment is running in Azure. The on-premises AD I am referring to is also running in Azure. Currently there is no support for Windows 10 Multi-Session, so for this guide I am using the Windows 10 Enterprise 2004 image from the Image Gallery.

  • On-Premises Active Directory
    • Server 2019 configured as Domain Controller
    • Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
    • AADConnect installed and synced with Azure AD
  • Azure Active Directory
    • Microsoft 365 E5 Developer subscription
  • WVD Environment
    • The WVD Session Hosts are deployed from a Golden Image
    • The WVD Session Hosts are domain joined
    • The hostpool is configured with type “Personal”
  • Group Policies are being used for managing my WVD hosts

New situation

  • On-Premises Active Directory
    • Server 2019 configured as Domain Controller
    • Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
    • AADConnect installed and synced with Azure AD
  • Azure Active Directory
    • Microsoft 365 E5 Developer subscription
  • WVD Environment
    • The WVD Session Hosts are deployed from a Golden Image
    • The WVD Session Hosts are domain joined
    • The WVD Session Hosts will automatically Hybrid Join to Azure AD
    • The WVD Session Hosts will automatically enroll into Intune
    • The hostpool is configured with type “Personal”
  • Group Policies are being used for managing my WVD hosts

Let’s get started. Now that your WVD session hosts are registered and Hybrid Azure AD joined, the fun begins! But before we can manage those devices we first have to enroll them into Microsoft Intune, and there is no better way than the automatic way!

Requirements

  • WVD Session Host joined to the on-premises Domain as well as the Azure AD (Azure Hybrid Domain Join)
  • A configured Mobile Device Management (MDM) service within Azure.
  • Make sure you have the latest Administrative Templates for Windows 10

Accept Automatic Enrollment

Before the devices can be automatically enrolled into Intune we first need to make sure the correct configuration is in place.

Sign in to the Azure Portal, go to Azure Active Directory and then navigate to Mobility (MDM and MAM).

Azure Portal – Overview

Click on the Microsoft Intune “application” and proceed.

Azure Portal – Mobility

We need to ensure our users can enroll their WVD session host into Intune. Here you specify which users’ devices can be managed by Microsoft Intune.

If you want to enable automatic enrollment you must choose either All or Some (and specify a group). In this case I chose All.

Azure Portal – Intune MDM enrollment

Make sure you hit Save before proceeding to the next step.

Automatic enrollment into Intune using Group Policy

Starting with Windows 10 version 1709 it is possible to trigger auto-enrollment to MDM for domain joined devices.

The auto-enrollment into Intune is triggered via the configuration within the group policy and will happen automatically. The enrollment will take place in the background and is only valid for devices which are already hybrid Azure AD joined.

Difference between using User and Device credentials

After reading the documentation I thought that for this scenario I should configure the Device Credential option. Before we dive into the auto-enrollment process let me explain the difference between the options.

User Credentials: Enrolls a Windows 10 device once an Intune-licensed user logs into the device.
Device Credentials: Enrolls a Windows 10 device first and assigns a user later.

I have tested both configurations and I can conclude that using the Device Credentials will not work at the moment. But the information is a little bit misleading.

I know that I read on the Microsoft Documentation page that using Device Credentials was not supported for automatic enrollment into Intune. At this moment the following Note shows that it should work.

Microsoft Documentation – Note Device Credentials

Initially I had configured the GPO to use Device Credentials. I expected to see my WVD session host being automatically enrolled into Intune without logging in.

I didn’t see the session hosts so I logged in with the local administrator account and checked the Task Scheduler. I noticed that there was an extra task created by the GPO.

Task Scheduler – MDM enrollment device credentials

Both of the tasks will fail with a 0x8018002B error code as long as you don’t log in with a licensed user.

In the event log I saw the following error: Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018002b).

EventID 76 – Error 0x8018002b

In my opinion the User Credentials option is useless for enrolling the WVD session hosts into Intune. If you deploy a hostpool with multiple hosts you want to enroll those into Intune before users are connecting and logging in.

I have contacted Microsoft to get some information about this issue. I have also found two identical issues on the internet that describe the same behavior; you will find the links at the end of this post and I will update this post when there is more information available!

Configure the Group Policy

To get started create a new Group Policy or reuse an existing one. You can find the setting in the Local Computer Policy –> Administrative Templates –> Windows Components –> MDM part of the policy.

GPO – MDM User/Device Credentials

The setting is called Enable automatic MDM enrollment using default Azure AD credentials. When enrolling my WVD session hosts I would like this to occur right after the session hosts are being created and deployed. Otherwise the configuration profiles will never apply BEFORE the first time the user logs into their session host.

Automatic enrollment into Intune

Because of the errors, the following steps and results use the User Credential option. When I have more information or confirmation from Microsoft regarding the Device Credential option I will update this post.

As I mentioned before, the configured GPO will create a scheduled task that runs every 5 minutes after creation, for 1 day. Since we are using the User Credentials option, this task will only run successfully once you log in with a licensed user (Azure AD + Intune).

As long as you don’t log in you will see the following error. Notice that the value of Device Credential is 0x0, since we are using the User Credential option.

EventID 76 – User Credentials

So let’s login with a test user and see what happens. If you start Task Scheduler and navigate to EnterpriseMgmt you should see the scheduled task which has been created by the GPO.

Task Scheduler – Automatic MDM enrollment (User Credentials)

You can validate the Last Run Result to see if the task has been run without any errors. Otherwise the exit code of the task will give you some more information about why the automatic enrollment cannot be completed due to things like licensing, AADJ or something else.

Open up the Event Viewer and navigate to Applications and Services Logs –> Microsoft –> Windows –> DeviceManagement-Enterprise-Diagnostics.

Here you can find the relevant events; search for events with ID 75. This event represents a successful enrollment into Intune.

EventID 75 – Auto MDM enrollment succeeded
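The checks described above for the GPO, the EnterpriseMgmt scheduled task and the DeviceManagement-Enterprise-Diagnostics events can be run in one go from an elevated PowerShell session on the session host. The following script is an added example and is not code from the original post or from Microsoft; it assumes the policy registry path (HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM with the values AutoEnrollMDM and UseAADCredentialType), the task folder \Microsoft\Windows\EnterpriseMgmt and the log name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin used by Windows 10, and the error hints in the table are taken from the errors discussed in this post.

```powershell
# Added example (not part of the original post): verify the auto-enrollment
# prerequisites and the enrollment result on a single WVD session host.
# Run in an elevated PowerShell session on the session host itself.
# Assumptions: registry path, task folder and log name are the Windows 10
# defaults; adjust them if your build uses different names.

function Get-DsregValue {
    # Pull one "Name : Value" line out of the dsregcmd /status output.
    param([string[]]$Status, [string]$Name)
    $m = $Status | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)"
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

# 1. Does the GPO apply on this host? The setting "Enable automatic MDM
#    enrollment using default Azure AD credentials" writes these values.
$mdmPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$policy = Get-ItemProperty -Path $mdmPolicyPath -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No MDM policy key found. Run 'gpupdate /force' and check the GPO scope."
} else {
    $credType = switch ($policy.UseAADCredentialType) {
        1 { 'User Credential' }
        2 { 'Device Credential' }
        default { '(not set)' }
    }
    "GPO: AutoEnrollMDM = $($policy.AutoEnrollMDM); credential type = $credType"
}

# 2. Hybrid Azure AD join state. Auto-enrollment is only valid once the
#    host is both domain joined and Azure AD joined.
$dsreg = dsregcmd /status
"Join state: DomainJoined = $(Get-DsregValue $dsreg 'DomainJoined'); " +
"AzureAdJoined = $(Get-DsregValue $dsreg 'AzureAdJoined')"

# 3. The scheduled task the GPO creates under EnterpriseMgmt, with its
#    last run result as a hex code (0x8018002B = waiting for a licensed user).
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if (-not $tasks) {
    Write-Warning 'No EnterpriseMgmt tasks found; the GPO has not created the enrollment task yet.'
}
foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    'Task: {0} | last run {1} | result 0x{2:X8}' -f $task.TaskName, $info.LastRunTime, $info.LastTaskResult
}

# 4. Enrollment events: ID 75 = Auto MDM enrollment succeeded, ID 76 = failed.
#    Hints below map the failure texts discussed in this post to their cause.
$hints = @{
    '0x8018002b'        = 'No licensed (Azure AD + Intune) user has logged in yet (User Credential option).'
    'drive that is not joined' = 'Device object not yet synced to Azure AD; check the AADConnect OU filter.'
}
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75, 76 } -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No enrollment events (75/76) logged yet; the task may not have run.'
} else {
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($latest.Id -eq 75) {
        "Enrollment: SUCCEEDED at $($latest.TimeCreated)"
    } else {
        "Enrollment: FAILED at $($latest.TimeCreated): $($latest.Message)"
        foreach ($key in $hints.Keys) {
            if ($latest.Message -match [regex]::Escape($key)) { "  Hint: $($hints[$key])" }
        }
    }
}
```

Run the script before and after logging in with a licensed user: before, step 3 shows the task result 0x8018002B and step 4 the matching event 76; after a successful login the latest event flips to ID 75, which is the same condition you verify in the Event Viewer screenshot above.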

Verifying via the Microsoft Endpoint Manager Admin portal

When you navigate to the new Microsoft Endpoint Manager admin center you can also see whether or not your WVD session host has been enrolled into Intune.

Navigate to Devices and go to By platform and click on Windows.

Microsoft Endpoint Manager – Devices

Now you should be able to see our WVD Session Host under Windows devices. If you have more devices you can search for the correct device name. At this moment I have removed all the orphaned devices in my environment so it’s just showing my WVD Session host.

Microsoft Endpoint Manager – WVD session host

You can also see more details when opening the device from this console. This is the same as with physical devices enrolled into Microsoft Intune.

Microsoft Endpoint Manager – Device Properties
Microsoft Endpoint Manager – Device overview

Verifying via a logged on user

You can also verify a successful enrollment via the Account settings with a logged on user. Navigate to Settings –> Accounts –> Access work or school.

WVD Session Host – Intune Enrolled

If you don’t see the Info button, the device has not completely enrolled yet. Click on the Info button and you should see more information about which policies and applications have been assigned or enforced via Microsoft Intune.

WVD Session Host – Intune Enrolled Info

And that’s it! You now have the ability to manage your WVD session hosts with Microsoft Intune. In the next blogs I will walk you through all the options we have for WVD, like creating a group with our WVD session hosts, Security Baselines, Configuration Profiles, Application Management, Windows Update for Business and much more!

Troubleshooting

During the configuration and testing I have experienced the following errors.

Auto MDM Enroll: Device Credential (0x0), Failed (The system tried to delete the JOIN of a drive that is not joined.)

This error happens when your WVD host has not yet been synchronized to the Azure Active Directory. Check your AADConnect configuration and make sure you are synchronizing the correct OU.

Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)

This is the error I am constantly seeing before I log in with a licensed user. This is the part where the automatic enrollment should take place.

Resources

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4828
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5543
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

I will update this post as soon as I receive some feedback from Microsoft regarding the Device Credential option for the enrollment into Intune.

Stay tuned for the next part!

If you found this post useful, please share it or leave a comment below.