Follow the steps below to enroll Active Directory (AD) joined devices into Intune so they keep access to Office apps while a Conditional Access policy that requires device compliance is active:
License assigned: M365 E5 (or any other license that includes Intune)
- Create a dynamic device group with the Autopilot membership rule: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
This translates to: when a device is registered in Azure AD with its serial number (its Autopilot identity), it is added to this device group automatically.
- Create an Autopilot device configuration profile and assign it to the dynamic device group
Join the device to the Active Directory domain:
Log into the device as a local administrator and run the PowerShell command below (the domain name is the article's example; substitute your own):
Add-Computer -DomainName "cnxncloud.support" -Restart
Import the device's hardware ID (HWID) into Intune:
Endpoint Manager --> Devices --> Windows --> Windows Autopilot Deployment Program --> Devices
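The import above expects a CSV containing the device serial number and hardware hash. The following added example (not part of the original article) collects that CSV on the device with Microsoft's published Get-WindowsAutoPilotInfo script and checks the hash is present before you upload it. The output folder C:\HWID is a constructed value; the script's install path is the default AllUsers Scripts folder, and the session needs internet access to the PowerShell Gallery.

```powershell
# Added example: export the Autopilot hardware hash for import under
# Endpoint Manager -> Devices -> Windows -> Windows Autopilot Deployment Program -> Devices.
# Run in an elevated PowerShell session on the device being enrolled.
# Assumptions: PowerShell Gallery reachable; C:\HWID is a constructed output path.

$OutputDir  = 'C:\HWID'
$OutputFile = Join-Path $OutputDir 'AutopilotHWID.csv'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Allow the gallery script to run for this process only (no persistent policy change).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Microsoft's published collection script; installs to the AllUsers Scripts folder.
Install-Script -Name Get-WindowsAutoPilotInfo -Force
$ScriptPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1'

# Write the serial number / hardware hash CSV that the Autopilot import expects.
& $ScriptPath -OutputFile $OutputFile

# Sanity check before upload: the CSV must carry a non-empty hardware hash, otherwise
# the device never gets an Autopilot identity and the ZTDId dynamic group never picks it up.
$row = Import-Csv $OutputFile
if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
    throw "No hardware hash captured for serial $($row.'Device Serial Number'); confirm the session is elevated."
}
Write-Host "Hardware hash exported for serial $($row.'Device Serial Number') to $OutputFile"
```

Upload the resulting CSV at the Devices blade shown above; the dynamic group created earlier populates once the Autopilot profile has been applied to the imported device.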
- Log into the device with AD credentials
- Open the Microsoft Store and get the Company Portal app
- Open the Company Portal app and sign in with Azure AD credentials
- Complete the Intune enrollment through Company Portal
Upon completion, the device will appear in Intune and show as compliant once it meets the assigned compliance policy, and any Conditional Access policies that evaluate device compliance will function as expected.
Note: If GPOs are also enabled, devices with compliance issues need to be excluded from those GPOs for this solution to work.
If the GPOs must be kept in place, set the registry value DisableEnterpriseAuthProxy to 1 so the device sends analytics in a device context rather than a user context.
Microsoft Documentation on Group Policy Settings: https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings#group-policy-settings-that-could-conflict-with-configuration-manager-settings-for-desktop-analytics
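As an added example (not from the original article), the script below sets DisableEnterpriseAuthProxy to 1 and verifies that the value survived, since a conflicting GPO can overwrite it on the next policy refresh. The key path is the DataCollection policy location documented by Microsoft for Desktop Analytics (the documentation linked above); run it elevated.

```powershell
# Added example: set DisableEnterpriseAuthProxy = 1 so the device's analytics
# connection uses the device context rather than the signed-in user's authenticated proxy.
# Key path is the Windows DataCollection policy key from the Desktop Analytics docs.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$ValueName = 'DisableEnterpriseAuthProxy'

# Create the policy key if no GPO or earlier configuration has created it yet.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Record the existing value (if any) so the change can be reverted later.
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "Current $ValueName = $($existing.$ValueName)"
} else {
    Write-Host "$ValueName not present; it will be created."
}

# DWORD 1 = do not use the authenticated (user-context) proxy.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord

# Verify the write. If Group Policy also delivers this setting, re-run this check
# after 'gpupdate /force' to confirm the GPO is not reverting it.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) {
    throw "$ValueName is $after after write; expected 1. Check for a conflicting GPO."
}
Write-Host "$ValueName set to 1 at $KeyPath"
```

If the verification fails after a policy refresh, the value is being managed by a GPO and the exclusion approach from the note above is the remaining option.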