Part 2 – Configure Microsoft Intune – Windows hello and Mobility (MDM and MAM)

In the previous Part, I guided you to create a new tenant on This one is working and we can use this tenant to configure Microsoft Intune to manage a Windows 10 device.

In this part, we go further with Microsoft Intune.

We are going to enable Windows 10 automatic enrollment. Go to the Azure Portal – > Azure Active Directory -> Microsoft Intune

For test purpose is user scope All enough. So, set the scope on All. You could change this later for a specific user group, for MDM as MAM. Hit the save button.

What does this function do? This function will automatically enroll the Windows 10 device into Microsoft Intune if they are Azure AD joined. As a user, you can join the Windows 10 device into Azure AD. During this joining process/registration, the device will also be enrolled into Microsoft Intune automatically.

We go further with configuring Microsoft Intune. We have to enable Windows device enrollment. You will need, of course, the Intune portal. Go to All Services (because by default the Intune icon is not in the left side menu) -> search for Intune -> click on Intune (you can also click on the * for adding Intune into the side menu) -> Device enrollment -> Windows enrollment.

Go to Windows Hello for Business

Click on Default

Click Settings

Click on the button Not configured and choose for enabled. You will get more settings. These are my settings for Windows 10 device. TPM is not required because I’m using a virtual machine without TPM.

Click on the Save button and go back to the begin in Microsoft Intune portal.

Let’s try if enrollment works. Go to your Windows 10 device. Crab a random user from Azure AD and try to sign in.

Enter the password.

We have to do some extra security verifications.

Choose your favorite option to verify. I choose always text message.

I received a text message.

We have to create an app password, but this is for later.

Click Next, we are not done yet.

Please choose your option and click Accept.

Please choose your option and click Accept.

Please choose your option and click Accept.

Please choose your option and click Accept.

Please choose your option and click Accept.

Please choose your option and click Accept.

Please choose your option and click Accept.

Windows 10 is Azure AD joined and enrolled into MS Intune. We have enabled Windows Hello in MS Intune and because of that you see this message “Your organization requires Windows Hello” This is a good sign and that applies our configuration in MS Intune.

We must create a PIN. Let’s try 1234… Tis PIN is not allowed by our Windows Hello configuration. You will get this message.

Let’s try 8888 and still it is not allowed, they are too simple. So, I go for a complex one, like 7948. This one is allowed, and everything is all set.

To verify if Windows 10 is joined and enrolled, you have to go settings -> Accounts -> Access Work or School.

You see the name of the Azure AD tenant and beneath that the account name which you have used. Click on that and will get some buttons. Click on the info button.

This gives us information about the sync status with Microsoft Intune.

Go to the Intune portal to verify the sync. From the portal go to Devices -> All Devices. You have to see your enrolled Windows 10 device. The device is managed by MDM. This is all good and your device is managed by Mobile Device Management (MDM)

End of part 2


16 thoughts on “Part 2 – Configure Microsoft Intune – Windows hello and Mobility (MDM and MAM)

  1. RKast

    Hi, if you enable both URLs MAM and MDM for All users then BYOD devices are not enrolled into Intune! So how do you tackle the problem with BYOD devices for users that wont join Azure AD ?

    1. Hi, thanks for your comment. Why would you want to enroll BYOD devices? BYOD is equals MAM which you don’t want to enroll. The alternative way is to change the settings in Mobility from All Users to a specific group with Users which are only using BYOD devices. BYOD will only be registered in Azure AD, not joining the Azure AD.

      1. RKast

        Thank you for your answer!
        Well we want to do some sort of compliancy for BYOD and that only is possible if the device is enrolled in Intune. We don’t want to let enroll all kind of devices in Azure/Intune and let them access corp data without some compliancy. It is a scenario im struggling a bit with (is that correct english :))

      2. No problem at all. With BYOD you can use App protection policy. I do not know what type of device you want to use as BYOD. If the device is Android or iOS, you can use the app protection policy to use Mobile Application Management only (MAM-only or MAM without enrollment). Based on that the app protection has some kind of compliance check for the device. Check it out at the App protection policy and then go to Conditional Launch for the specific settings. So can’t a jailbroken device access corporate data.

        Enroll BYOD device is possible but gives you a lot of administrative tasks, like; more (device) groups, maybe you have to create specific device categories and several policies for BYOD and CYOD. Common practice is to us for BYOD the App protection policies only. A MAM-only/MAM-WE (without enrollment) scenario.

        For Windows 10 devices is it also possible, but Windows 10 uses another technology for MAM. Windows Information Protection will then be used as an App protection policy and works basically in the same way as for Android and iOS.

  2. Rkast

    Albert, but MAM-WE for Windows 10 uses WIP and for WIP you need to enable the MAM User Scope. If we enable the MAM User Scope for ALL or a group then none of the BYOD devices (for the group) end up in Intune and we cannot force bitlocker for example. We want MAM-WE/WIP and use Intune for BYOD to force bitlocker and check compliance. But I think this is a scenario that is not possible.

    1. WIP is encryption, so Bitlocker is not needed for MAM on Windows 10 device. But you can use WIP for enrolled devices. This option is available for MAM on Windows
      10 devices. BYOD enrollment is in that way possible but you must know that personal drives will be full maneges by Intune. The things , like full wipe, are enabled for that device. So, the user must know that they can reset the device and that the personal data will be removed from the device.

      Oh, selective wipe for Windows 10 in MAM-WE scenario is not possible,btw.

  3. Rkast

    Hi Albert, WIP is indeed encrypting the files , thats a good argument to remember thanks getting closer to a solution.
    With WIP we can do a selective wipe of only the corp data btw!

    But another config we want is that a personal windows 10 BYOD device has a password and we cannot enforce that when the windows 10 device is WIP enrolled it must be Intune enrolled.
    I can imagine a user doesnt want to enroll into intune on his personal device, how can we tackle the require password?

    1. Ah, nice! You mean with selective wipe based on MDM enrollment, right?

      Within the MAM-WE policy for Windows 10 devices, you can enforce Windows Hello for Business. This will enforce the user to create a PIN based on the settings you have set. The user’s password will be replaced for a PIN if the user has a password on his BYOD device. This is only for the MAM-WE. If you plan to use MAM with enrollment, then you have to set the PIN in the Configuration policy of Windows 10, instead of the App protection policy.

      1. Rkast

        Yes with mdm enrollment you can do selectie wipe, not sure ifyou can do that without mdm enrollment.
        Mmm requiring a pin is something i keep it in mind.
        I will stop spamming your blog hoe.
        Thanks for your replies and answers.
        Ps Home also supports WIP
        Groeten 😉

      2. Indeed with MDM but not MAM-WE with Windows 10. WIP will work also on Home editions indeed, I wrote a blog about this.

        Haha no problem, that’s why I have a blog for the things like this.

        Good luck with the BYOD scenario. If you want some advice or you have a question, don’t hesitate!

    1. Ah I see, this is nice. Thanks for the update!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: