Intune join Azure Arc enabled Windows 11 machines

When we think about ways to Entra and Intune join Windows 11 machines, we usually think about things like Autopilot or Provisioning Packages, but did you know there is an additional method for Azure VMs and Azure Arc enabled machines?

Onboard machine to Azure Arc

Azure Portal

Let’s start by onboarding our test machine to Azure Arc.

Select where your Machines should be:

For our test machine I will go with manual authentication for simplicity; for broader rollouts, authentication via a service principal will be the more suitable solution:

Once you have specified everything, you will be presented a PowerShell script that will onboard your machine:

Windows Machine

After copying the PowerShell script to our test machine, we need to run it from an administrative (elevated) PowerShell terminal:

After authentication the machine is onboarded to Azure Arc:

Entra / Intune join

To do the Entra and Intune join, we now theoretically “just” need to install the “AADLoginForWindows” Extension.

However, since the extension in the Portal is targeted at both Windows Server and Windows 11, it will only do the Entra join and skip the Intune join, as Windows Server is not supported in Intune.
So we will need to deploy the extension "manually" using Azure CLI, where we can pass the Intune MDM ID as a setting
(you need to modify the subscription ID, resource group name, location and machine name to match your environment):

az extension add --name connectedmachine

az account set --subscription <SubscriptionID>

az connectedmachine extension create --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group <RG Group Name> --machine-name <Machine Name> --location 'Germany West Central' --type AADLoginForWindows --settings '{"mdmId": "0000000a-0000-0000-c000-000000000000"}'

I used Cloud Shell for my Azure CLI, but you can use all the usual tools that you would normally use, incl. Azure CLI in DevOps and similar…

If we check on the machine, we can see it is now Entra and Intune joined:
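One way to do that check without the screenshot, as an added example that is not part of the original post: a PowerShell function run on the Arc-enabled machine that parses dsregcmd /status and reports whether the extension produced both the Entra join and the Intune (MDM) enrollment. The ExpectedTenantId parameter is a hypothetical addition; the key names (AzureAdJoined, MdmUrl, TenantId, DeviceId) are the ones dsregcmd prints on Windows 10/11.

```powershell
# Added example, not from the original post: confirm on the machine that the
# AADLoginForWindows extension produced BOTH an Entra join and an Intune
# enrollment. Run in an elevated PowerShell on the Arc-enabled Windows 11 box.
function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (& "$env:SystemRoot\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-ArcEntraIntuneJoin {
    [CmdletBinding()]
    param(
        # Hypothetical, optional: the tenant ID you deployed against.
        [string]$ExpectedTenantId
    )
    $s = Get-DsregStatus

    # Intune's MDM enrollment endpoint lives under manage.microsoft.com. An empty
    # MdmUrl together with AzureAdJoined = YES is the "Entra join only" result you
    # get from the Portal deployment, where the mdmId setting is not passed.
    $intuneEnrolled = [bool]($s['MdmUrl'] -like 'https://*manage.microsoft.com/*')
    $azureAdJoined  = ($s['AzureAdJoined'] -eq 'YES')

    $tenantMatches = $null
    if ($ExpectedTenantId) { $tenantMatches = ($s['TenantId'] -eq $ExpectedTenantId) }

    # Overall verdict: Entra joined, Intune enrolled and (if given) the right tenant.
    $ok = $azureAdJoined -and $intuneEnrolled -and
          (($null -eq $tenantMatches) -or $tenantMatches)

    return [pscustomobject]@{
        AzureAdJoined  = $azureAdJoined
        DomainJoined   = ($s['DomainJoined'] -eq 'YES')
        TenantId       = $s['TenantId']
        DeviceId       = $s['DeviceId']
        MdmUrl         = $s['MdmUrl']
        IntuneEnrolled = $intuneEnrolled
        TenantMatches  = $tenantMatches
        Ok             = $ok
    }
}

# Usage: print the details and return a non-zero exit code if anything is missing,
# so the check can be dropped into an automated provisioning pipeline.
$check = Test-ArcEntraIntuneJoin
$check | Format-List
if (-not $check.Ok) { exit 1 }
```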

A few minutes later the machine is also visible in Intune:

Conclusion

Having an additional method available to join our machines to Intune is always good, and in my opinion this method can be really helpful, for example for dev / test machines that are provisioned automatically and usually don't live for too long, where a manual Autopilot enrollment each time is not a good experience.
