What I need to know:<\/p>\n\n\n\n
What do I gain security wise on MS365 premium and how do I make it happen?<\/p>\n\n\n\n
Entra vs intune, and what does the oobe do instead of enrollment?<\/p>\n\n\n\n
ALL 24H2<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T1- no network connection, default key.<\/p>\n\n\n\n
Logged in as local user<\/p>\n\n\n\n
Went to work or school account page, used main button, then main box<\/p>\n\n\n\n
Logged in, then rebooted computer<\/p>\n\n\n\n
Device is now enrolled in ENTRA, and after a few extra minutes, intune as well<\/p>\n\n\n\n
DOES show up in defender portal<\/p>\n\n\n\n
Does not allow you to log in to machine as company user<\/p>\n\n\n\n
Edge does Sync auto- no login needed<\/p>\n\n\n\n
Start menu is updated to company<\/p>\n\n\n\n
Onedrive not auto logged in, but I signed in<\/p>\n\n\n\n
Activation is still not active – relies on device key, not taking from MS365 license<\/p>\n\n\n\n
So very clearly this method gives the company control, but it\u2019s still your device, your users, and your<\/p>\n\n\n\n
Windows licensing<\/p>\n\n\n\n
RESULT :<\/p>\n\n\n\n
This is likely the best option for BYOB Organizations<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T2- no network connection, default key<\/p>\n\n\n\n
Went to join to work or school, main connect button, and then clicked option to join Entra bottom of that<\/p>\n\n\n\n
box.<\/p>\n\n\n\n
Initially login is still main user (local account)<\/p>\n\n\n\n
Adding onedrive- first login still required PW\/MFA<\/p>\n\n\n\n
Left allow my org to manage this device checked<\/p>\n\n\n\n
After this: edge has my account, no login required.<\/p>\n\n\n\n
Word\/office is logged in auto<\/p>\n\n\n\n
Windows not showing active, including still running pro<\/p>\n\n\n\n
Restart and sign in as Jim@Ultrex.com on login page<\/p>\n\n\n\n
Signing in as Jim@Ultrex- start menu still personal mode<\/p>\n\n\n\n
Rebooted- went back to local user as default<\/p>\n\n\n\n
Logged in with company email again<\/p>\n\n\n\n
Had to go to activation page, then click to log in again- now device shows proper on all activation settings<\/p>\n\n\n\n
In Intone and Entra dashboards- these two machines (oobe and this) appear fully equal on that front<\/p>\n\n\n\n
After a power down and turn back on, activation has popped out again and wants me to sign back in on<\/p>\n\n\n\n
the activation page<\/p>\n\n\n\n
Device IS on the defender premium page<\/p>\n\n\n\n
Further reboots still default to local user<\/p>\n\n\n\n
Logged in as Jim@Ultrex then deleted local user<\/p>\n\n\n\n
Still logs in as now deleted user by default.<\/p>\n\n\n\n
T oo Messy- Don\u2019t like this option<\/p>\n\n\n\n
RESULT :<\/p>\n\n\n\n
If someone has an existing user, and doesn\u2019t want to start over with a new user profile, they can join Entra<\/p>\n\n\n\n
and Intune, and just leave their current user. When they want to log into the device as an email, they\u2019ll<\/p>\n\n\n\n
need to reload\/lose the current user profile<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T3- Still on OOBE. Untouched post-install<\/p>\n\n\n\n
Runs oobebypassnro and login with a local offline user<\/p>\n\n\n\n
Plug machine into network post loading in<\/p>\n\n\n\n
MS store- company portal<\/p>\n\n\n\n
Log in, and leave \u201clet company manage this device checked)<\/p>\n\n\n\n
Device shows up in Entra Dashboard<\/p>\n\n\n\n
Search box is company<\/p>\n\n\n\n
Edge is logged in, no auth needed, bookmarks ext etc all there<\/p>\n\n\n\n
Device now shows up in intune as well. BEFORE onedrive login (maybe 5 minutes)<\/p>\n\n\n\n
Onedrive signs in, auth required<\/p>\n\n\n\n
Still local user<\/p>\n\n\n\n
Sign out<\/p>\n\n\n\n
OOBEd again, going back to OOBE enviro<\/p>\n\n\n\n
Can\u2019t re-enroll the device, fails on OOBE so would need wiped and reloaded at this point<\/p>\n\n\n\n
Based on later findings, I could have deleted from the panel for Entra and Intune, and Joined again.<\/p>\n\n\n\n
Even without that- DID show up in Defender portal for security- doesn\u2019t need email login for security<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T4- Logging in with MS365 account from main oobe page (installed pro in the first place)<\/p>\n\n\n\n
Very first login, start menu is Ultrex tied (company logo search etc)<\/p>\n\n\n\n
Initial one drive sign in needed no pw<\/p>\n\n\n\n
Edge was pre logged into my account<\/p>\n\n\n\n
Edge was signed into outlook.com from my very first opening. No MFA, No anything<\/p>\n\n\n\n
RESULT :<\/p>\n\n\n\n
No surprise- if you can do OOBE on pro in the first place, the world is an infinitely better place<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T8 – windows 24H2 Home installed fresh<\/p>\n\n\n\n
Local user, 11 Home<\/p>\n\n\n\n
Accounts\/COnnect to work account, main option<\/p>\n\n\n\n
Log in as me<\/p>\n\n\n\n
Device is enrolled in Entra<\/p>\n\n\n\n
Device shows up in intune<\/p>\n\n\n\n
T ook offline, used 3v66t key and upgraded to pro<\/p>\n\n\n\n
Gave back network conection<\/p>\n\n\n\n
OOBE\/Sysprep can\u2019t generalize<\/p>\n\n\n\n
Ran Normal OOBE<\/p>\n\n\n\n
Set up for work or school, but can\u2019t because the device is already enrolled<\/p>\n\n\n\n
Can go into intune and Entra and delete the device from both dashboards, then click try again<\/p>\n\n\n\n
no sooner than 60 seconds later<\/p>\n\n\n\n
Onedrive automatic (No auth needed), edge sync auto, start menu company<\/p>\n\n\n\n
Device shows in Intune and Entra perfectly<\/p>\n\n\n\n
Defender not showing up? (see note below)<\/p>\n\n\n\n
ACTIVATION STATUS: PERFECTION DAMMIT<\/p>\n\n\n\n
This works!<\/p>\n\n\n\n
RESULT :<\/p>\n\n\n\n
If someone has a machine on home, you can join it to Entra and Intune, and then only upgrade<\/p>\n\n\n\n
to pro if they need it for some other reason, and if they do need to upgrade to pro, you\u2019ll have to<\/p>\n\n\n\n
go delete the device from intune and entra dashbpoards. If you do that, then all works well<\/p>\n\n\n\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n\n\n\n
T9<\/p>\n\n\n\n
Windows 11 Home<\/p>\n\n\n\n
DIDN\u2019T join to company Entra or Intune before upgrading<\/p>\n\n\n\n
Just local user, logged in, upgraded using 3v66t code (like a new purchase)<\/p>\n\n\n\n
Gave back network connection<\/p>\n\n\n\n
Can\u2019t generalize<\/p>\n\n\n\n
Just ran main sysprep<\/p>\n\n\n\n
On next bootup, chose set up for work or school, works perfect, logs in as email, and is<\/p>\n\n\n\n
company controlled<\/p>\n\n\n\n
Signing in to onedrive is fully auto- no pw or MFA needed<\/p>\n\n\n\n
Search box is company info<\/p>\n\n\n\n
Edge is synced auto<\/p>\n\n\n\n
Device shows in Intune and Entra perfectly<\/p>\n\n\n\n
Defender not showing up (see note below)<\/p>\n\n\n\n
ACTIVATION STATUS: PERFECTION DAMMIT<\/p>\n\n\n\n
Note from MS:<\/p>\n\n\n\n
Windows 11 Home devices that have been upgraded to one of the below supported editions<\/p>\n\n\n\n
might require you to run the following command before onboarding:<\/p>\n\n\n\n
DISM \/online \/Add-Capability \/CapabilityName:Microsoft.Windows.Sense.Client~~~~<\/p>\n\n\n\n
. For more information about edition upgrades and features, see Features)<\/p>\n\n\n\n
Was able to confirm that in OS\u2019s upgraded from home, you can run this command, it had a 50%<\/p>\n\n\n\n
success rate across 4 identical VM\u2019s. (literally clones of each other). Even on the ones where it<\/p>\n\n\n\n
ran, it did not bring them into defender management. SO our new default is use Entra and<\/p>\n\n\n\n
Intune if that\u2019s what\u2019s wanted- and you can leave it on HOME. But if you want pro, just freaking<\/p>\n\n\n\n
install Pro in the first place. I\u2019ve also now updated an ISO of 24H2 so it will ALWAYS ask for the<\/p>\n\n\n\n
key, AND let you not put a key, and still select what version of windows to install clean (even if<\/p>\n\n\n\n
one is saved in the EFI or BIOS). From now on, we use that one, please update your ventoy<\/p>\n\n\n\n
soon as possible.<\/p>\n\n\n\n
Final Notes:<\/p>\n\n\n\n
Company portal app is enrolling device in entra\/intune<\/p>\n\n\n\n
Entra and intune can both be done with windows home<\/p>\n\n\n\n
Entra is access to stuff based on identity<\/p>\n\n\n\n
Intune is device management<\/p>\n\n\n\n
Defender portal is weak, and not worth much- but only comes on clean, initial W11 Pro installs.<\/p>\n","protected":false},"excerpt":{"rendered":"
Entra and Intune Research Notes What I need to know: What do I gain security wise on MS365 premium and how do I make it happen? Entra vs intune, and what does the oobe do instead of enrollment? ALL 24H2 \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014 T1- no network connection, default key. Logged in as local user Went to work […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[116],"tags":[],"class_list":["post-1617","post","type-post","status-publish","format-standard","hentry","category-intune-and-entra","post-preview"],"_links":{"self":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1617"}],"version-history":[{"count":1,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1617\/revisions"}],"predecessor-version":[{"id":1618,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1617\/revisions\/1618"}],"wp:attachment":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}