Entra Join - ethan's notes

You sign in to Microsoft Entra joined devices using a [[Entra ID|Microsoft Entra account]] account. Access to resources can be controlled based on your account and [[Microsoft Entra Conditional Access|Conditional Access]] policies applied to the device. # Check Enrollment Status 1. Open [[PowerShell]]. 2. Enter `dsregcmd /status`. 3. View the **AzureAdJoined** and **DomainJoined** settings. 4. You can use the **DeviceId** and compare the status on the service using either the Microsoft Entra admin center or PowerShell. # Provisioning Options ^[[Plan your Microsoft Entra join deployment - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/devices/device-join-plan#understand-your-provisioning-options)] You can provision Microsoft Entra joined devices using the following approaches: - **Self-service in OOBE/Settings** - In the self-service mode, users go through the Microsoft Entra join process either during Windows Out of Box Experience (OOBE) or from Windows Settings. For more information, see [Join your work device to your organization's network](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). - [[Windows Autopilot]] - Windows Autopilot enables preconfiguration of devices for a smoother Microsoft Entra join experience in OOBE. - **Bulk enrollment** - Bulk enrollment enables an administrator driven Microsoft Entra join by using a bulk provisioning tool to configure devices. For more information, see [Bulk enrollment for Windows devices](https://learn.microsoft.com/en-us/intune/windows-bulk-enroll). Here’s a comparison of these three approaches |Element|Self-service setup|Windows Autopilot|Bulk enrollment| |---|---|---|---| |Require user interaction to set up|Yes|Yes|No| |Require IT effort|No|Yes|Yes| |Applicable flows|OOBE & Settings|OOBE only|OOBE only| |Local admin rights to primary user|Yes, by default|Configurable|No| |Require device OEM support|No|Yes|No| |Supported versions|1511+|1709+|1703+| Choose your deployment approach or approaches by reviewing the previous table and reviewing the following considerations for adopting either approach: - Are your users tech savvy to go through the setup themselves? - Self-service can work best for these users. Consider [[Windows Autopilot]] to enhance the user experience. - Are your users remote or within corporate premises? - Self-service or Autopilot work best for remote users for a hassle-free setup. - Do you prefer a user driven or an admin-managed configuration? - Bulk enrollment works better for admin-driven deployment to set up devices before handing over to users. - Do you purchase devices from 1-2 OEMS, or do you have a wide distribution of OEM devices? - If purchasing from limited OEMs who also support Autopilot, you can benefit from tighter integration with Autopilot. ## Bulk enrollment for Windows devices Join new [[Windows]] devices to [[Entra ID]] and [[Intune]]. To bulk enroll devices for your Azure AD tenant, you create a provisioning package with the [[Windows Configuration Designer (WCD)]] app. Applying the provisioning package to corporate-owned devices [[Entra Join|Joins the device to Entra ID]] and enrolls them for [[Intune]] management. Once the package is applied, it's ready for your Azure AD users to sign in. ## Profile Migration - Using [[ForensIT ProfWiz|ProfWiz]] seems to be the best way to migrate devices/profiles from domain/workgroup to EntraID.