1. Install a Windows 10 device in Hyper-V
Enable Hyper-V (if not already enabled). Go to Control Panel – Programs – Turn Windows Features on or off – and click on Hyper-V
Your device will ask for a reboot, so accept it. After the reboot you will have Hyper-V enabled on your machine.
So let’s now open Hyper-V and right click on your Hyper-V server. Choose new – Virtual Machine. This will start the Create a new Virtual Machine wizard in Hyper-V.
As you go through the wizard, make sure you have an ISO of Windows 10 1809 ready. You can download one here. Other versions or the latest version are also OK; you just won’t be able to see the updates through Intune (MEM), but that’s alright.
As you go through the wizard, you’ll give your VM a name, choose a Generation (2 or 1), set the memory (4096 recommended), choose your internet connection (the default one is fine; it is a shared internet connection), set the disk size (40GB should be fine) and at last choose the Windows 10 ISO you’ve downloaded before.
When you are at the end of the wizard, click on ‘Finish’.
Next double click on your machine, and click on ‘Start’. This will make your machine boot up. For generation 2 machines, you’ll have to click to start booting from the ISO (keep that in mind).
Choose the language, time and currency format and keyboard input. After choosing them all, click on ‘Next’.
Click on ‘Install now’.
Click on ‘I don’t have a product key’. We don’t need one at this point; once we enroll our machine in Intune (MEM) it will get licensed through our M365 or EMS user license.
Choose ‘Windows 10 Pro’ and click on ‘Next’. This will also get upgraded to Enterprise with our user license.
Accept the license terms and click on ‘Next’.
Click on ‘New’ and apply. If you get prompted acknowledge by clicking ‘Yes’.
Click one last time on ‘Next’. The Windows 10 installation will begin.
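The same VM the wizard builds (name, Generation 2, 4096 MB, 40 GB disk, the shared Default Switch and the ISO attached as first boot device), created from an elevated PowerShell session instead. This is an added example and not part of the original post; the VM name, folder paths and ISO path are placeholders you adjust to your own machine.

```powershell
# Added example, not from the original post. Assumes Hyper-V is already
# enabled and that the paths below are changed to match your host.
$VMName  = 'W10-1809-Intune'                 # placeholder VM name
$IsoPath = 'C:\ISO\Windows10_1809.iso'       # placeholder: your downloaded ISO
$VhdPath = "C:\Hyper-V\$VMName\$VMName.vhdx" # placeholder disk location

# Same choices as in the wizard: Generation 2, 4096 MB memory, 40 GB disk,
# connected to the 'Default Switch' (the NAT/shared internet connection).
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 4096MB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 40GB -SwitchName 'Default Switch' | Out-Null

# Attach the ISO and make the DVD drive the first boot device.
# On a Generation 2 VM you still have to press a key in the console
# when it asks to boot from the DVD.
Add-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMFirmware -VMName $VMName -FirstBootDevice (Get-VMDvdDrive -VMName $VMName)

# Boot the VM and open the console, where the Windows setup continues.
Start-VM -Name $VMName
vmconnect.exe localhost $VMName
```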
2. Going through the OOBE-experience and creating a local administrator account.
After installing Windows 10 through the ISO, we get to the OOBE-experience (Out-Of-The-Box experience). So far we have nothing set up in our Intune (MEM) tenant, no Autopilot, no configuration profiles, nothing. So enrolling it through Autopilot won’t work at this point, but don’t worry, we’ll get there in a later guide post.
For now we’ll just finish the OOBE-experience. So first thing to choose is your region. And click on ‘Next’.
Next choose the correct keyboard layout that fits you and click on ‘Yes’ again.
If you want to add a secondary keyboard layout, do so, or don’t. Click on ‘Add layout’ or ‘Skip’ depending on your choice.
Next Windows will do some background work (Network – if Hyper-V is set up right you’ll have an internet connection right away through your shared internet connection) and then your machine will reboot.
After the reboot we’ll arrive at the ‘How would you like to set up?’ page. For now we’ll choose ‘Personal’.
On the next screen choose ‘Offline account’.
Click on ‘Limited experience’ to continue with an offline account.
Next choose a name for your local administrator. I’ll just choose LocalAdmin. Click on ‘Next’.
Choose a password. Make sure you write it down somewhere or remember it! Click on ‘Next’.
Confirm your password and click again on ‘Next’.
In the next screens you’ll be asked to set 3 security questions. Just follow along and set three questions. We won’t be needing these later anyway.
At the ‘do more across devices with active history’, select ‘No’.
Don’t use speech recognition. Click on ‘Accept’.
On the next screen select ‘No’ and click on ‘Next’.
Again click ‘No’ and ‘Accept’.
Choose to send ‘Basic diagnostic data’ and click on ‘Accept’. We’ll configure all of these settings later on in the guides with settings in Intune (MEM).
Improve inking & typing: ‘No’ and click ‘Accept’.
Tailored experiences: ‘No’ and click ‘Accept’.
Let apps advertise: again ‘No’ and click ‘Accept’.
Windows will get everything ready for you now, just hang on a few minutes.
3. Enrolling your Windows 10 device in Intune (MEM)
Once Windows is done setting up, connect to the device (you’ll get asked) and log in with the local administrator account you chose.
Once logged in, I’m going to let you check two things out: the certificates and the dsregcmd status.
First the certificates: press Windows key + R, type ‘certlm.msc’ and press Enter. Click on ‘Yes’ (you’ll get prompted).
In the Certificates console, click Personal and verify that the following certificates are not listed in the details pane:
- Microsoft Intune MDM Device CA
- MS-Organization-P2P-Access
Next, right click on Start, and click on ‘PowerShell (Admin)’. This will open an administrative PowerShell session. Click on ‘Yes’ (you’ll get prompted).
In the PowerShell console, type ‘dsregcmd /status’ and press ‘Enter’. More info on the dsregcmd command can be found here.
You’ll see in the output that your device is not joined to any Azure AD tenant yet (AzureAdJoined = No). You are also not Enterprise joined or Domain joined. This is all normal. We’ll get back to this command after joining our organisation in Azure AD.
Click on ‘Start’ and then on ‘Settings’.
In the Settings panel, click on ‘Accounts’.
In the Accounts panel, click on ‘Access work or school’.
Click on the ‘+ Connect’ button.
On the next screen click on ‘Join this device to Azure Active Directory’.
Then log in with one of the user accounts you made in the previous guide parts. Click on ‘Next’.
Enter your password and click on ‘Sign in’.
Click on ‘Join’ when asked ‘Make sure this is your organization’.
At last click on ‘Done’. This screen already tells you that your device is connected to your demo Azure AD tenant.
On the next screen you’ll also see that you’re connected to your Azure AD tenant. Great!
Close the window. Let’s go back to your certificates screen, which is still open (if not, open it again with certlm.msc). Refresh the view (Action – Refresh). Open the new folder that has appeared under Personal, named Certificates. Now you’ll see that 3 certificates have already been pushed to your device.
Next go to the administrator PowerShell window, and again run the command ‘dsregcmd /status’. You’ll see a whole lot of new information now.
Most important ones to take note of:
- AzureAdJoined: Yes (your device is now joined to Azure AD)
- DeviceId: your device ID, if you search through your registry, this will pop up a few times…
- TenantName: your Azure AD tenant name
- MdmUrl: the Microsoft MDM enrollment endpoint
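The two checks from this section (the certificates in the machine Personal store and the dsregcmd fields) as one script you can run in the elevated PowerShell window both before and after the join. This is an added example and not part of the original post; it assumes it runs on the Windows 10 VM and only uses the certificate names and dsregcmd fields named above.

```powershell
# Added example, not from the original post. Run in the elevated PowerShell
# session on the VM; before the join both certificates should be absent and
# AzureAdJoined should be NO, after the join both should be present and YES.
$ExpectedCerts = @('Microsoft Intune MDM Device CA', 'MS-Organization-P2P-Access')
$Fields        = @('AzureAdJoined', 'EnterpriseJoined', 'DomainJoined',
                   'DeviceId', 'TenantName', 'MdmUrl')

# 1. Certificates: Cert:\LocalMachine\My is the same store certlm.msc shows
#    under Personal -> Certificates. Match on issuer or subject name.
$store = Get-ChildItem -Path Cert:\LocalMachine\My
foreach ($name in $ExpectedCerts) {
    $hit = $store | Where-Object { $_.Issuer -like "*$name*" -or $_.Subject -like "*$name*" }
    if ($hit) {
        "[+] {0} present (expires {1:yyyy-MM-dd})" -f $name, $hit[0].NotAfter
    } else {
        "[-] {0} not present" -f $name
    }
}

# 2. dsregcmd /status: parse the 'Key : Value' lines into a hashtable so the
#    fields can be read back without scrolling through the whole output.
$parsed = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $parsed[$matches[1]] = $matches[2] }
}
foreach ($f in $Fields) {
    $value = if ($parsed.ContainsKey($f)) { $parsed[$f] } else { '<not in output>' }
    "{0,-17} {1}" -f $f, $value
}

# Summary line: YES means the device is joined to your Azure AD tenant.
if ($parsed['AzureAdJoined'] -eq 'YES') {
    "Device is Azure AD joined to tenant '$($parsed['TenantName'])'"
} else {
    "Device is not Azure AD joined yet (expected before the join in this section)"
}
```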
Now reboot the device so we can log in with your Azure AD account.
4. Log in with Azure AD user & verification in MEM dashboard
After the reboot, choose ‘Other user’ first and log in with your Azure AD account (the one with which you joined this device to your tenant).
Next navigate to the Microsoft Endpoint Manager admin center and click on ‘Devices’ – ‘All devices’. Your new device should be in there (check the name on your VM).
That’s it for today’s guide post. Next week I will be covering Compliance Policies.