Hybrid Azure AD Joined Intune Autopilot Setup for windows 10 devices

Requirements for Hybrid Azure AD Joined Intune Autopilot

  • Setup hybrid Azure AD join for the entire domain or domains/forests or only for the selected OU that will contain the Intune devices (for testing/POC purposes).
  • Set Intune/Endpoint Manager as the MDM Authority.
  • Configure company branding in Azure AD.
  • Create company terms and conditions.
  • Configure Intune enrollment for Windows OS Devices
  • Configure Enrollment Restrictions
  • Create Device Enrollment Managers.
  • Create Custom /Default Device Compliance Policies
  • Create Device Categories
  • Create Dynamic or Static (Assigned Groups) for Devices or Users
  • Setup Intune Connector on an AD Joined Server
  • Create Configuration Profile – Domain-Join Profile
  • Configure Hybrid Joined Autopilot Profile
  • Scripting/Powershell Deployment
  • Third Party Application Deployment
  • Third Party Application Patching
  • Windows Updates Using Intune Update Rings 
  • Windows Upgrade using Feature Updates
  • Device Cleanup Rules
  • Import Device IDs into Intune (through Intune or Microsoft 365 Store)

Setup hybrid Azure AD join for the entire domain or domains/forests or only for the selected OU that will contain the Intune devices.

For a hybrid Azure AD joined Intune Autopilot deployment to succeed, you first need to make sure that your entire on-premises domain, or at least your users and the computer OU in which you will store your Intune enrolled devices, is syncing to Azure AD using Azure AD Connect. If you have not already done this, follow this Microsoft link to complete it; otherwise your devices will only be Azure AD joined rather than hybrid joined with objects in the on-premises AD. If hybrid Azure AD join is not set up, you will not be able to manage objects with both Intune and on-premises resources, as intended for a hybrid Azure AD joined Windows Autopilot setup.

Set Intune/Endpoint Manager as the MDM Authority.

  • Open Endpoint Manager portal, navigate to Tenant Administration and then click on MDM Authority.
  • Now set Microsoft Intune as the MDM authority.

Configure Company Branding In Azure AD

  • Log into Azure AD portal as Global Administrator.
  • In the left blade, navigate to “Company branding” and click on it.
  • Now click “Configure” to open the Company branding configuration page.
  • Add the background image (less than 300 KB), the banner logo (less than 10 KB), a username hint (e.g. username@company.com), a sign-in page hint (e.g. Welcome to **Company name**), the sign-in page background color (e.g. #0080ff), and a square logo and a dark-theme square logo (each less than 50 KB).
  • You can configure company branding for different languages as well eg. English, French, Spanish, Chinese, etc. To do this click on New Language and set it up.

Create Company Terms and Conditions

  • Open Microsoft Endpoint Manager, click on Tenant Administration and then click on Terms and Conditions; under End User Experiences.
  • Click Create to add terms and conditions information for the company; this will be information surrounding device use and data safety.
  • Once users accept the terms and conditions, you can see their names in the Acceptance Reporting area.

Configure Intune Autoenrollment for Windows OS Devices

  • Within the Microsoft Endpoint Manager portal, click on Devices>>>under Device Enrollment, click Enroll Devices>>>Windows Enrollment>>>Automatic Enrollment.
  • Set MDM User Scope to Some and create an autoenrollment group containing a selected group of users or select All so that all users can configure autoenrollment.

Configure Enrollment Restrictions

  • Within the Microsoft Endpoint Manager portal, click on Devices>>> under Device Enrollment, click Enroll Devices>>> click Enrollment Restrictions.
  • Configure Device Type Restrictions (default is All Users) as well as the Device Limit Restrictions; default is 5 devices.
  • You can create custom device restrictions and limit the groups to specific device platforms. 
  • Priorities can be assigned to the device restrictions so that Priority 1 takes precedence over Priority 2 and the lower priorities. For example, if you want the Finance team to only use iPhones and MacBooks, create a custom device restriction, set iOS/iPadOS and macOS to Allow, and set all others, including Windows and Android, to Block.
  • If you want the Servicedesk to do a white-glove setup of the devices before assigning them to the users, create a custom device limit policy, set the Device Limit to 100 or more and assign it to the Servicedesk group. This means that each Servicedesk employee will be able to enroll 100 devices (or the configured device limit).

Create Device Enrollment Managers

  • Within the Microsoft Endpoint Manager portal, click on Devices>>>under Device Enrollment, click Enroll Devices>>>Device Enrollment Managers>>>click Add and then include the usernames of the Device Enrollment Managers.
  • The usernames should be that of the vendors who enroll the devices or the Intune administrators who will be enrolling the devices for the company.
  • Each device manager can enroll up to 1000 devices.

Configure Custom/Default Compliance Policies

  • Within the Microsoft Endpoint Manager, click Endpoint Security>>>Device Compliance; this will take you to the Compliance Policies blade>>>click Policies. You can edit the Default Compliance Policy as desired; this determines when a device is reported as compliant or not compliant.
  • To create a customized compliance policy, click Endpoint Security>>>Device Compliance or Devices>>>Compliance Policies and then click Create Policy.
  • Configure BitLocker, Antivirus, Antispyware, Microsoft Defender Antimalware and Real-Time Protection, as well as Actions for Noncompliance.
  • NB: If the enrollment process is failing at the Account Setup stage, use a custom configuration profile or policy to skip the Account Setup phase and allow it to complete after the end user has logged into the computer. 

Create Order ID And/Or Categories

  • Within the Microsoft Endpoint Manager, click Devices and then click Device Categories >>>click Create Device Category.
  • You can create device categories to correspond to dynamic or static Azure AD groups which are in-turn associated with the different departments in the organization. This will ensure that the devices for the various departments are allocated the correct applications.
  • An example of a dynamic group query is (device.deviceCategory -eq "Finance"). You can create one for each of the departments that use special applications or policies.
  • Unfortunately, in Intune, Device Category is not one of the fields in the imported devices area; you can only view it once a device has been added to a dynamic or assigned group. For this reason, it is easier to add devices automatically to a group using the Order ID, which corresponds to Group Tag (one of the fields in the imported devices area).
  • To create 3 dynamic device groups for each department; one each for IT, HR, and Finance, follow these steps;
    • Within the Microsoft Endpoint Manager, click Groups>>>click New Group.
    • Group Type (Security); Group Name(HR), Group Description(This group is for HR devices)>>>Membership Type (Dynamic device)
    • Under Dynamic Device Members; click Add Dynamic Query>>>click Add Expression. In the rule syntax area, enter (device.devicePhysicalIds -any (_ -eq "[OrderID]:HR"))>>>click Create.
    • Do the same for IT; (device.devicePhysicalIds -any (_ -eq "[OrderID]:IT")) and Finance; (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance")).
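The Group Tag is what the [OrderID] rules above match on, so the tag has to be present when the hardware hash is collected or imported. The following is an added example, not part of the original page, that collects the hardware hash of the device it runs on with the Get-WindowsAutopilotInfo script from the PowerShell Gallery and stamps it with the department's Group Tag. It assumes an elevated PowerShell session with internet access; the output path and the department name are placeholders.

```powershell
# Added example: collect this device's hardware hash with the Group Tag (OrderID)
# that the dynamic group rule "[OrderID]:<tag>" above will match.
# Assumes: elevated session, PowerShell Gallery reachable, Get-WindowsAutopilotInfo script.
Install-Script -Name Get-WindowsAutopilotInfo -Force

$groupTag = "HR"                                     # department whose dynamic group should pick up the device
$csv      = "C:\Temp\AutopilotHWID-$groupTag.csv"    # placeholder output path for the import CSV

New-Item -ItemType Directory -Path (Split-Path $csv) -Force | Out-Null

# -GroupTag writes the "Group Tag" column that Intune maps to the device's OrderID on import;
# -Append lets several devices be collected into one CSV for a single bulk import.
Get-WindowsAutopilotInfo -OutputFile $csv -GroupTag $groupTag -Append

# Sanity check before handing the CSV to the import: the last row must carry a hash and the tag.
$row = Import-Csv -Path $csv | Select-Object -Last 1
if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
    throw "Hardware hash missing for serial $($row.'Device Serial Number')"
}
if ($row.'Group Tag' -ne $groupTag) {
    throw "Group Tag column is '$($row.'Group Tag')', expected '$groupTag'"
}
$row | Select-Object 'Device Serial Number', 'Group Tag'
```

Import the resulting CSV under Devices>>>Windows>>>Windows Enrollment>>>Devices; once the import completes, the device shows the tag in the Group Tag column and the matching dynamic group picks it up on the next membership evaluation.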

Create Dynamic or Static (Assigned) Group for Devices or Users

  • Log into the Microsoft Endpoint Manager and navigate to Groups. In the Groups blade, click on New Group, to create a new group.
  • Group Name: All Devices Hybrid Autopilot, Group Type: Security, Membership Type: Dynamic device, Dynamic Query: (device.devicePhysicalIds -any (_ -contains "[ZTDId]")); this can be used for enrolling all workstation devices in the company, providing them with common applications and applying common policies or configurations (this may not be needed if you have groups for specific departments).
  • In order to apply specific applications and policies to specific departments, you need to create dynamic groups and associate them to each department. For example, if you have 4 departments in the company, for instance, HR, IT, Finance, and Executives, with special applications, then create All HR Devices, All IT Devices, All Finance Devices, and All Executives Devices. 
  • Within the Microsoft Endpoint Manager, click Groups>>>click New Group. Group Type (Security); Group Name (HR); Group Description (This group is for HR devices)>>>Membership Type (Dynamic device).
  • Under Dynamic Device Members; click Add Dynamic Query>>>click Add Expression. In the rule syntax area, enter (device.devicePhysicalIds -any (_ -eq "[OrderID]:HR"))>>>click Create. Do the same for IT; (device.devicePhysicalIds -any (_ -eq "[OrderID]:IT")) and Finance; (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance")).
  • Optionally, you can add this device category query (device.deviceCategory -eq "Finance"); replace "Finance" with the desired department name such as HR, IT or Executives.
  • The scenario will work in this manner, autopilot profile as well as general and department-specific applications will be applied to the various dynamic groups. Once the device is imported with the OrderID/Group Tag and it joins the correct dynamic device group, then the enrollment process can begin. 
  • To ensure that 
  • If you configured Device Category as part of the dynamic device group query, then add the enrolled device to the desired Device Category, by navigating to Devices>>>Windows>>>Windows Devices>>> click on the desired device, click Properties in the left blade and then in the Device Category area, change it to the desired category for it to be automatically included in the desired dynamic group. For example, if the device is for an HR user, then select HR as the Device Category and this will add it to the All HR Devices dynamic group.
  • Make sure to apply all the general applications and policies as well as the department based applications and policies to the department-based dynamic groups.
  • Once this is done correctly, it can replace all the task sequences in SCCM and save you a lot of headache!
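The two group-creation walkthroughs above (the Order ID groups under Create Order ID And/Or Categories and the All Devices Hybrid Autopilot group here) can be scripted so that every department group gets the same rule shape. The following is an added example using the Microsoft Graph PowerShell SDK; it is not the page's own code. It assumes the Microsoft.Graph.Groups module is installed and that the signed-in account is allowed to create groups (Group.ReadWrite.All); the mail nicknames are assumptions chosen for this example.

```powershell
# Added example: create the [OrderID] dynamic device groups and the catch-all
# [ZTDId] group from the page with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Groups module installed, Group.ReadWrite.All consented.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Group Tag (OrderID) -> display name, following the page's "All <Dept> Devices" convention.
$departments = @{
    "HR"      = "All HR Devices"
    "IT"      = "All IT Devices"
    "Finance" = "All Finance Devices"
}

function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Rule,
        [string] $Description = ""
    )
    # Idempotency check: do not create a second group with the same name.
    if (Get-MgGroup -Filter "displayName eq '$DisplayName'") {
        Write-Host "Group '$DisplayName' already exists, skipping."
        return
    }
    # Mail nickname is required even for security groups; assumed naming scheme.
    $nickname = ($DisplayName -replace '[^A-Za-z0-9]', '-').ToLower()
    New-MgGroup -DisplayName $DisplayName `
        -Description $Description `
        -MailEnabled:$false `
        -MailNickname $nickname `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created '$DisplayName' with rule $Rule"
}

# One group per department, matching the Group Tag set at import time.
foreach ($tag in $departments.Keys) {
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$tag`"))"
    New-DynamicDeviceGroup -DisplayName $departments[$tag] -Rule $rule `
        -Description "This group is for $tag devices"
}

# Catch-all group for every Autopilot-registered device (any ZTDId present).
New-DynamicDeviceGroup -DisplayName "All Devices Hybrid Autopilot" `
    -Rule '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))' `
    -Description "All Windows Autopilot devices"
```

Membership rules are evaluated asynchronously, so a newly imported device can take some minutes to appear under Members; check the group's Members blade before assuming the Autopilot profile has been assigned to it.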

Setup Intune Connector On An AD Joined Server

  • Within the Microsoft Endpoint Manager console, navigate to Devices>>>under Device Enrollment, click Enroll Devices>>>click Windows Enrollment>>>click on Intune Connector for Active Directory>>>click Add and click on Download the on-premises Intune Connector for Active Directory; to download the ODJConnectorBootstrapper.exe file.
  • Setup a new Windows OS server with Active Directory role installed on it or you can use an existing one.
  • Install the ODJConnectorbootstrapper.exe file on the Windows server.
  • After installing the Intune Connector, click Configure Now and then sign in with Global Administrator credentials to complete the setup.
  • Installing Intune Connector also creates the Intune ODJConnector service on the server.
  • Now create a new OU in the on-premise Active Directory where Intune Connector will store devices that have been enrolled in Intune.
  • Right-click on the OU and select Delegate Control. Select Computer as the Object Type, add the computer name of the server hosting the Intune Connector; to delegate permissions for it to add and delete devices in the on-premises active directory.
  • Select Create a custom task to delegate and click Next.
  • In the Active Directory Object Type screen, select the Only the following Objects in the folder as well as Create selected objects in the folder and Delete selected objects in the folder and then click Next.
  • On the Permissions screen, select all the options including Full control and click Next.
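The delegation wizard steps above grant the connector server's computer account the right to create and delete computer objects in the OU and full control over those computer objects. The following is an added example, not from the page or from Microsoft, that applies the same delegation with the ActiveDirectory PowerShell module so it can be reviewed and repeated; it scopes both access control entries to the computer object class, so the machine account gets no rights over the OU itself or over other object types. The server name is a placeholder and the OU distinguished name is the one used in the Domain Join profile later on this page.

```powershell
# Added example: delegate the Intune Connector server's machine account the rights
# the "Delegate Control" wizard grants, limited to computer objects in the OU.
# Assumes: ActiveDirectory module, a session with rights to change the OU's ACL.
Import-Module ActiveDirectory

$connectorServer = "ODJCONNECTOR01"   # placeholder: server running the Intune Connector
$ouDn = "OU=Intune,OU=Windows,OU=Laptops,OU=Computers,OU=SkoaNow,DC=Local"   # OU from the Domain Join profile

# The connector service runs as the server's machine account, so the ACEs are for <server>$.
$serverSid = (Get-ADComputer -Identity $connectorServer).SID

# schemaIDGUID of the 'computer' class restricts both ACEs to computer objects only.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Create and delete computer child objects in this OU and its sub-OUs
#    (wizard: "Create selected objects" / "Delete selected objects" for Computer).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $serverSid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 2) Full control, inherited only by descendant computer objects
#    (wizard: "Full control" on the Permissions screen).
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $serverSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs held by the connector's machine account on the OU.
$domain = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq "$domain\$connectorServer$" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Keeping the ACEs bound to the computer class matters because the machine account of the connector server becomes a high-value credential: anyone who can run code as SYSTEM on that server can create computer objects wherever it has been delegated, so the delegation should never be widened to the domain root or to "all objects".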

Create Configuration Profile - Domain-Join Profile

    • Configuration profiles in Intune are equivalent to Group Policies (GPOs) in Active Directory (AD). Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create Profile.
    • Name (Windows Domain Join Devices); Platform (Windows 10 or later), Profile Type(Domain Join); Computer Name Prefix (SkoaPC); Domain Name (skoanowtechnologies.local); Organizational Unit (OU=Intune, OU=Windows, OU=Laptops, OU=Computers, OU=SkoaNow, DC=Local).
    • You can assign this to the All Devices Hybrid Autopilot dynamic group; as well as the other department level dynamic groups.
    • You can also create other configuration profiles including Administrative Templates, Delivery Optimization, Device Firmware Configuration Firmware, Device Restrictions, Edition Upgrade and Mode Switch, Email, Endpoint Protection, Identity Protection, Kiosk, Microsoft Defender ATP (Windows 10 Desktop), Network Boundary, PKCS Certificate, PKCS Imported Certificate, SCEP Certificate, Secure Assessment (Education), Shared Multi-User Device, Trusted Certificate, VPN, WIFI, and Windows Health Monitoring.
    • For hybrid Azure AD joined Windows Autopilot, automatically creating device names is currently not possible. By default, the device name is created in AD and Intune as the prefix plus randomly generated characters, totalling 15 characters. Apply Device Name Template is disabled once you select hybrid Azure AD join and the name defaults to the prefix plus randomly generated characters, 15 characters in total. The prefix is taken from the prefix indicated in the Domain Join Configuration Profile. For example, if the prefix in the Domain Join Configuration Profile is SkoaPC (6 characters), then the automatically generated device name could be SkoaPC10xu5AT24 (15 characters). Once the enrollment process has completed and the device has been added to a dynamic device group, you can rename the devices using the Bulk Action feature with the Rename device action and set the naming rule to Prefix{{serialnumber}} or Prefix-{{serialnumber}} (which uses the prefix and the serial number of each device to generate the name), or Prefix{{rand:6}} or Prefix-{{rand:6}} (which uses the prefix plus 6 randomly generated characters, for example SkoaPC45uT3B; the total length must be 15 characters or less). If you have different types of devices such as desktops, laptops, and tablets in your environment and you want them to have different prefixes, create separate Domain Join Configuration Profiles for each device type; otherwise you can use one profile for all your devices.
    • For Azure AD joined only windows autopilot, no domain join configuration profile is needed since the Windows autopilot deployment profile is used to set the device name template. 

Configure Hybrid Joined Autopilot Profile

    • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Windows Enrollment>>>click Create Profile, click the drop down arrow and click on Windows PC
    • Name (Hybrid Joined Autopilot Profile); Description(This device will be joined to AD and Azure AD.), Convert All Targeted Devices to Autopilot(Yes)>>>click NEXT. 
    • Deployment Mode (User-Driven); Join to Azure AD As (Hybrid Azure AD Joined); Skip AD Connectivity Check (Preview) (No); Microsoft Software License Terms (Hide); Privacy Settings (Hide); Hide Change Account Options (Hide); User Account Type (Standard); Allow Pre-Provisioned Deployment (Yes); Language (Region) (Operating System Default); Automatically Configure Keyboard (Yes); Apply Device Name Template (No); assign the profile to the desired dynamic group and click Review and Save.
    • Note: Apply Device Name Template  is set to No automatically as soon as Join to Azure AD As is set to Hybrid Azure AD Joined. If you set Apply Device Name Template to Yes first before setting Join to Azure AD As to Hybrid Azure AD Joined, then you can set the device name template using serial number such as SkoaPC%Serial%. Even though this is possible, it will still fail since Hybrid Azure AD Join depends on Domain Join Configuration Profile for creating device names during autopilot enrollment process. 
    • Note; If the device is going to be shipped directly to the end user, then change Allow Pre-Provisioned Deployment to No. Setting it to Yes allows the Servicedesk to ensure that the device is setup with all the required applications and troubleshoot any issues that may arise during the enrollment process. Once the end user receives the device, the required applications are already downloaded from Intune and the user can log in and start using the device. 
    • If Allow Pre-Provisioned Deployment is set to No, then the end user has to go through the enrollment and will need to reach out to the Servicedesk if any troubleshooting needs to be done as a result of errors that may occur during the enrollment process. 
    • Note: For existing devices, SCCM can be used to obtain the Device IDs and then upload them into Intune. Once that has been completed then the Hybrid Joined Autopilot Profile can be exported to a JSON file and used in a Task Sequence in SCCM with the desired Windows Operating system;  just like a standard task sequence for imaging a device.
    • The task sequence can be deployed to existing devices; once the installation completes, the device is rebooted and a user logs in with their UPN (email account), the device becomes a hybrid Azure AD joined Autopilot device in Intune.

Scripting/Powershell Deployment

    • You can use PowerShell scripts to deploy applications, notifications, and other functions on Intune managed devices. Navigate to Devices>>>Scripts>>>Add>>>select Windows 10.
    • Name (Google Chrome); Script Location (C:\My Folder); select the .ps1 file in that location (ChromeInstall.ps1); Run This Script Using the Logged-on Credentials (No); Enforce Script Signature Check (No); Run Script in 64-bit PowerShell Host (No).

Windows and Third Party Application Deployment

  • Application deployment in Intune is a little different as compared to SCCM. Most of the switches used in deploying applications in SCCM work in Intune but for some of them, you have to tweak the switches until it works. You need at least Intune Administrator role in Microsoft Endpoint Manager /Azure to carry out these tasks. 
    • Create a folder structure in a desired location on your computer. Example C:\Users\%Username%\Desktop\Intune\SourceFiles. Now in the Source folder, create folders for each application example GoogleChrome, Notepad ++, etc. Create another folder called OutputFiles, example C:\Users\%Username%\Desktop\Intune\OutputFiles and then create a folder for each application.

Deploying MSI in Intune

    •  Create a folder called GoogleChrome in the SourceFiles folder and place the “GoogleChrome.msi” application in the folder.
    • In Microsoft Endpoint Manager, navigate to Apps>>Windows>>Add
    • App Type (Line-of-business)>>click Select>>click Select App Package File>>select the “GoogleChrome.msi” from the desired location on the computer and click OK.  

Deploying .EXE in Intune

    • Place the .EXE file (for example Notepad++.exe) in the Notepad++ folder in the SourceFiles folder. Create another folder called IntuneWinAppUtil in the SourceFiles folder and put IntuneWinAppUtil.exe in it.
    • Open PowerShell as an administrator and run these commands;
    • PS C:\Windows\System32> cd C:\Users\%Username%\Desktop\Intune\SourceFiles\IntuneWinAppUtil
    • PS C:\Users\%Username%\Desktop\Intune\SourceFiles\IntuneWinAppUtil> .\IntuneWinAppUtil.exe
    • Please specify the source folder: C:\Users\%Username%\Desktop\Intune\SourceFiles\Notepad++
    • Please specify the setup file: Notepad++.exe
    • Please specify the output folder: C:\Users\%Username%\Desktop\Intune\OutputFiles\Notepad++
    • Do you want to specify catalog folder (Y/N)?: N
    • The process to create the Notepad++.intunewin file will begin and complete after some time period. 
    • When the .intunewin file completes packaging, open Microsoft Endpoint Manager, navigate to Apps>>Windows>>Add
    • App Type (Windows app(Win32))>>click Select>>click Select App Package File>>select the “Notepad++.intunewin” from the C:\Users\%Username%\Desktop\Intune\OutputFiles\Notepad++ on the computer and click OK.  
    • Add the install and uninstall scripts as needed to complete the packaging process.
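The interactive session above can be run unattended with the tool's command-line switches, which makes it easy to add a check that the installer being wrapped is the file you expect. The following is an added example, not from the page or from Microsoft, that verifies the installer's SHA-256 and reports its Authenticode signature status before calling IntuneWinAppUtil.exe with -c, -s, -o and -q. It uses the folder structure from this section; the expected hash is a placeholder that must be replaced with the value recorded when the installer was downloaded, and the example fails closed until that is done.

```powershell
# Added example: package Notepad++.exe into a .intunewin file non-interactively,
# refusing to package an installer whose SHA-256 does not match the recorded value.
# Assumes: IntuneWinAppUtil.exe in SourceFiles\IntuneWinAppUtil, paths as on the page.
$base      = "$env:USERPROFILE\Desktop\Intune"
$toolDir   = "$base\SourceFiles\IntuneWinAppUtil"
$sourceDir = "$base\SourceFiles\Notepad++"
$setupFile = "Notepad++.exe"
$outputDir = "$base\OutputFiles\Notepad++"

# Placeholder: replace with the SHA-256 published by the vendor or recorded at download time.
$expectedSha256 = "REPLACE_WITH_RECORDED_SHA256"

$installer = Join-Path $sourceDir $setupFile
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# Integrity check: the package must be built from the reviewed binary, nothing else.
$actualSha256 = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    throw "Hash mismatch for $setupFile. Expected $expectedSha256, got $actualSha256"
}

# Record the code-signing status alongside the package for the change record.
$sig = Get-AuthenticodeSignature -FilePath $installer
Write-Host ("Authenticode status: {0}; signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

# Same answers as the interactive prompts above, given as switches:
# -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
& (Join-Path $toolDir "IntuneWinAppUtil.exe") -c $sourceDir -s $setupFile -o $outputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

$package = Join-Path $outputDir "Notepad++.intunewin"
if (-not (Test-Path $package)) { throw "Expected package was not produced: $package" }
Write-Host ("Created {0} ({1} MB)" -f $package, [math]::Round((Get-Item $package).Length / 1MB, 1))
```

When the package is uploaded as a Win32 app, the install command for this NSIS-based installer is the setup file with its silent switch (for example Notepad++.exe /S, an assumption for this example); use a detection rule that checks the installed version rather than only the presence of the executable, so a re-deployment of a newer package is detected as required on devices still running the old version.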

Deploying Batch Files in Intune

    • The process used for .EXE files is the same as for .BAT or .CMD files; select the .BAT/.CMD file instead of the .EXE.

Deploying Applications from Microsoft Store

    • If you have already purchased a paid or free application in Microsoft Store, then you can open Microsoft Endpoint Manager, navigate to Apps>>Windows>>Add
    • App Type (Microsoft Store app) and follow the same steps to add your desired Microsoft Store application. 

Third Party Application Patching

    • Third-party application updates are not provided automatically in Intune and so one choice is to package the newer versions of applications and deploy them to the devices. 
    • The second choice is to subscribe to a third-party application patching vendor such as PatchMyPC, whose service integrates with Intune and creates packages automatically for updating third-party applications when updates become available; https://patchmypc.com/automatically-create-and-deploy-applications-in-microsoft-intune; https://www.youtube.com/watch?v=fYwrLlfdg9A.

Windows Updates Using Intune Update Rings

Windows update rings are used to deploy the comprehensive set of all available Windows updates to workstations. Unlike SCCM, a ring does not contain only the patches for that month but rather the comprehensive list of all Windows updates. This is useful because it helps to add all missing updates to a device. The only downside is that you are not able to exclude specific packages which are known to cause problems on devices, which was possible in SCCM.

Windows Update Ring-Test Group-Second Thursday of the Month

    • Within Microsoft Endpoint Manager, navigate to Devices>>>Update Rings for Windows 10 and Later>>>click Create Profile.
    • BASICS; Name (Windows Update Ring-Test Group-Second Tuesday of the Month); Description (Patch Tuesday deployment to test devices)>>>click Next.
    • UPDATE RING SETTINGS; Servicing Channel (Semi-Annual Channel); Microsoft Product Updates (Allow); Windows Drivers (Allow); Quality Update Deferral Period (30 days); Feature Updates Deferral Period (365 days); Upgrade Windows 10 devices to Latest Windows 11 release (No); Set Feature Update Uninstall Period (60 days); Automatic Update Behavior (Auto install and reboot without user control); Restart Checks (Allow); Option To Pause Windows Updates (Enable); Option To Check for Windows Updates (Enable); Require User Approval To Dismiss Restart (Yes); Remind User Prior to Required Auto Restart With Dismissible Reminder (3 hours); Remind User Prior to Required Auto Restart With Permanent Reminder (60 minutes); Use Notification Update Level (Use the default Windows update notifications); Use Deadline Settings (Not Configured); Auto Reboot Before Deadline (Yes)>>>click Next.
    • ASSIGNMENTS; Assign it to the Test Collection Group>>> click Review and click Create to create the Windows Update ring.  
    • This will be deployed manually to the Test Collection Group after it has been approved by the Change Approval Board (CAB).
    • Before deploying the Windows Update Ring-Pilot Group, the Windows Update Ring-Test Group needs to be paused. 

Windows Update Ring-Pilot Group-Third Thursday of the Month

    • Within Microsoft Endpoint Manager, navigate to Devices>>>Update Rings for Windows 10 and Later>>>click Create Profile.
    • BASICS; Name (Windows Update Ring-Pilot Group-Third Thursday of the Month); Description (Monthly deployment to Pilot devices)>>>click Next.
    • UPDATE RING SETTINGS; Servicing Channel (Semi-Annual Channel); Microsoft Product Updates (Allow); Windows Drivers (Allow); Quality Update Deferral Period (30 days); Feature Updates Deferral Period (365 days); Upgrade Windows 10 devices to Latest Windows 11 release (No); Set Feature Update Uninstall Period (60 days); Automatic Update Behavior (Auto install and reboot without user control); Restart Checks (Allow); Option To Pause Windows Updates (Enable); Option To Check for Windows Updates (Enable); Require User Approval To Dismiss Restart (Yes); Remind User Prior to Required Auto Restart With Dismissible Reminder (3 hours); Remind User Prior to Required Auto Restart With Permanent Reminder (60 minutes); Use Notification Update Level (Use the default Windows update notifications); Use Deadline Settings (Not Configured); Auto Reboot Before Deadline (Yes)>>>click Next.
    • ASSIGNMENTS; Assign it to the Pilot Collection Group>>> click Review and click Create to create the Windows Update ring.
    • Before deploying the Windows Update Ring- Production Group, the Windows Update Ring-Pilot Group needs to be paused.

Windows Update Ring- Production Group-Fourth Thursday of the Month

    • Within Microsoft Endpoint Manager, navigate to Devices>>>Update Rings for Windows 10 and Later>>>click Create Profile.
    • BASICS; Name (Windows Update Ring-Production Group-Fourth Thursday of the Month); Description (Monthly deployment to Production devices)>>>click Next.
    • UPDATE RING SETTINGS; Servicing Channel (Semi-Annual Channel); Microsoft Product Updates (Allow); Windows Drivers (Allow); Quality Update Deferral Period (30 days); Feature Updates Deferral Period (365 days); Upgrade Windows 10 devices to Latest Windows 11 release (No); Set Feature Update Uninstall Period (60 days); Automatic Update Behavior (Auto install and reboot without user control); Restart Checks (Allow); Option To Pause Windows Updates (Enable); Option To Check for Windows Updates (Enable); Require User Approval To Dismiss Restart (Yes); Remind User Prior to Required Auto Restart With Dismissible Reminder (3 hours); Remind User Prior to Required Auto Restart With Permanent Reminder (60 minutes); Use Notification Update Level (Use the default Windows update notifications); Use Deadline Settings (Not Configured); Auto Reboot Before Deadline (Yes)>>>click Next.
    • ASSIGNMENTS; Assign it to the Production Collection Group>>>click Review and click Create to create the Windows Update ring.
    • Note:
    • Quality Updates are incremental updates that improve an existing build of the Windows operating system.
    • Feature Updates usually contain packages that upgrade a device from one Windows operating system build to a higher build; for example, 1909 to 20H2.
    • Quality and Feature updates need to be tested thoroughly to make sure they are safe for the production environment before deploying them to production devices.
    • In Intune/Endpoint Manager, when you allow feature updates to install, you can use the Set Feature Update Uninstall Period (60 days) option to give yourself a window of between 2 and 60 days in which to uninstall it automatically if it is causing issues. After 60 days, or the number of days you set, you will no longer be able to uninstall it automatically, but you can still uninstall it manually or by using a script.
    • You can pause this update ring a few days to the next month’s Patch Tuesday; maybe the first Friday of each month. 
    • Note: If you have a very responsive pilot group who will monitor and report any defects as a result of the windows updates in a timely manner, then you can forego the Test Group so that you have only two deployments. 

Windows Upgrade Using Feature Updates

    • Within Microsoft Endpoint Manager, navigate to Devices>>>Feature Updates for Windows 10 and Later (Preview)>>>Create Profile>>>Name (Windows 10 (21H2) Deployment), Description (Windows 10 (21H2) Deployment), Feature Update To Deploy (Windows 10 version 21H2), Rollout Options (Make update available as soon as possible)>>>click NEXT and assign it to the desired Dynamic Device Group>>>Review and Create.
    • Note: Before deploying feature updates, test them on a few devices to make sure the deployment causes no issues. With regard to Windows 11 (21H2), make sure the devices meet the hardware requirements, such as Secure Boot enabled and TPM version 2.0.
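The Windows 11 prerequisites mentioned in the note above can be checked on each device before it is placed in the group targeted by a Windows 11 feature update profile. The following is an added example, not from the page or from Microsoft, that reads the Secure Boot state with Confirm-SecureBootUEFI and the TPM specification version from the Win32_Tpm WMI class, and reports whether the device is ready. It assumes it runs elevated (both queries need administrative rights), for instance deployed through Devices>>>Scripts with "Run this script using the logged-on credentials" set to No and the 64-bit host enabled.

```powershell
# Added example: report whether this device meets the Windows 11 prerequisites
# named on the page (UEFI with Secure Boot enabled, TPM 2.0).
# Assumes: elevated session; intended to run as SYSTEM via an Intune script.
function Test-Win11Prerequisites {
    $result = [ordered]@{ Uefi = $false; SecureBoot = $false; Tpm20 = $false }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so an error means "no UEFI".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.Uefi = $true
    } catch {
        $result.Uefi = $false
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpm = Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftTpm" -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    if ($tpm) {
        $spec = ($tpm.SpecVersion -split ",")[0].Trim()
        $result.Tpm20 = [bool]$tpm.IsEnabled_InitialValue -and ($spec -eq "2.0")
    }

    $result.Ready = $result.Uefi -and $result.SecureBoot -and $result.Tpm20
    [pscustomobject]$result
}

$check = Test-Win11Prerequisites
$check | Format-List

# Non-zero exit makes the script show as failed in the Intune script report,
# which is an easy way to find devices that must stay on the Windows 10 ring.
if (-not $check.Ready) {
    Write-Warning "Device does not meet the Windows 11 prerequisites; keep it out of the feature update group."
    exit 1
}
exit 0
```

Windows 11 has further requirements (supported CPU, RAM and storage minimums) that this check does not cover; the feature update report in Endpoint Manager still has the final say on whether a device is offered the upgrade.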

Device Cleanup Rules

    • In order to ensure that only active devices are kept in Intune, it is always important to create a rule that automatically cleans any inactive or stale devices which have not communicated with Intune for more than 90 days (number is based on company preference).
    • Navigate to Devices>>>Device Cleanup Rules; Delete devices based on last check in date (Yes); Delete devices that haven’t checked in for this many days (90days).
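Before switching the cleanup rule on, it is worth seeing which devices it would remove. The following is an added example, not from the page, that lists managed devices whose last Intune check-in is older than the rule's threshold using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.DeviceManagement module and an account with DeviceManagementManagedDevices.Read.All; the export path is a placeholder.

```powershell
# Added example: dry run of the 90-day device cleanup rule, listing the Intune
# device records that have not checked in within the threshold.
# Assumes: Microsoft.Graph.DeviceManagement module, read access to managed devices.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

$staleDays  = 90                                                 # same threshold as the cleanup rule
$now        = (Get-Date).ToUniversalTime()
$cutoff     = $now.AddDays(-$staleDays)
$reportPath = "C:\Temp\IntuneStaleDevices.csv"                   # placeholder output path

$allDevices = Get-MgDeviceManagementManagedDevice -All

$stale = $allDevices |
    Where-Object { $_.LastSyncDateTime -lt $cutoff } |
    Select-Object DeviceName, SerialNumber, UserPrincipalName, OperatingSystem,
        @{ Name = "LastSyncUtc";   Expression = { $_.LastSyncDateTime } },
        @{ Name = "DaysSinceSync"; Expression = { [int]($now - $_.LastSyncDateTime).TotalDays } } |
    Sort-Object DaysSinceSync -Descending

Write-Host ("{0} of {1} managed devices have not checked in for more than {2} days" -f `
    @($stale).Count, @($allDevices).Count, $staleDays)

New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$stale | Export-Csv -Path $reportPath -NoTypeInformation
$stale | Format-Table DeviceName, SerialNumber, UserPrincipalName, DaysSinceSync -AutoSize
```

The cleanup rule only removes the Intune device record; the corresponding Azure AD device object and, for hybrid joined devices, the on-premises AD computer object created by the Intune Connector are not deleted, so those should be reviewed separately (the report's serial numbers make it easy to match them up) to avoid leaving orphaned computer accounts in the domain.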

Azure AD Joined Intune Autopilot Setup

    • Azure AD Joined Intune autopilot setup follows the same steps as hybrid Azure AD joined autopilot setup. The only step that is skipped is the hybrid Azure AD joined setup (the first step). The downside associated with Azure AD joined setup is that you will not be able to leverage group policy (GPO) from Active Directory (AD). However, there are similar policies that can be set using Configuration Profiles and Group Policy Analyzer in Intune/Endpoint Manager.