Architecture overview - Streamline Amazon WorkSpaces Management with Intune

Architecture overview

This deployment connects three parties: Azure AD, Microsoft Intune (with Windows Autopilot providing the deployment profile), and an AWS-managed Virtual Private Cloud (VPC) that hosts the WorkSpaces being deployed. The following diagram shows the architecture; Table 1 lists the items and resources required to deploy Intune into the AWS-managed environment successfully.

Figure: EC2 instances for domain resources, an AD Connector for WorkSpaces authentication, and internet connectivity to the Microsoft Azure cloud

Table 1: Items and resources required to deploy Intune into an AWS-managed environment

Number  Description

1  A stand-alone Windows Server host running Azure AD Connect and the Intune Connector for Active Directory. It extends Azure AD domain join (Hybrid Azure AD Join) to Amazon WorkSpaces and enables synchronization and writeback between the Windows AD domain and Azure AD. Optional: the Microsoft SQL Server instance used by Azure AD Connect can run on another host, and OU filtering can be configured to limit which objects are synchronized. Accounts required for installation and configuration:

   1. A user account that is a member of the Enterprise Admins AD security group.

   2. A user account that holds the Global Administrator role in Azure AD.

   Both accounts are highly privileged; use them only for the connector installation and configuration, not as day-to-day or service accounts on this host.

2  After the Windows AD user and security group objects have synchronized to Azure AD, assign the Microsoft licenses (Intune, Office 365) to the synchronized security group(s) for Amazon WorkSpaces users, so that licensing is group-based rather than per user. The Intune MDM and MAM user scopes are enabled at this step as well.

3  Assign a Group Policy Object to the Amazon WorkSpaces directory OU(s) that configures Hybrid Azure AD Join and prepares each Amazon WorkSpace for automatic Intune enrollment using the signed-in user's credential.

4  Create the Windows Autopilot deployment profile for hybrid Azure AD joined devices for the BYOL Windows 10 Amazon WorkSpaces, and assign it to the AD security group for Amazon WorkSpaces users.

5  The user authenticates to the Amazon WorkSpace with a Windows AD UPN that matches the Azure AD UPN; this initiates Hybrid Azure AD Join and Intune Autopilot auto-enrollment. If the two UPNs differ (typically because the on-premises UPN suffix is not a domain verified in Azure AD), auto-enrollment does not start for that user.
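The following PowerShell is added here as an illustration and is not part of the AWS guide. It carries out step 3 (creating the auto-enrollment GPO and linking it to the WorkSpaces OU) and checks the UPN precondition that step 5 relies on. The OU distinguished name, GPO name, security group name, and list of verified Azure AD domains are placeholders to replace with your own values; the script runs on a domain-joined administration host with the RSAT GroupPolicy and ActiveDirectory modules.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not the guide's own code. All names below are assumptions.
param(
    [string]$WorkSpacesOu = 'OU=WorkSpaces,DC=corp,DC=example,DC=com',  # assumed OU
    [string]$GpoName      = 'WorkSpaces-Intune-AutoEnroll',             # assumed GPO name
    [string]$UsersGroup   = 'WorkSpaces-Users',                         # assumed AD group
    [string[]]$VerifiedAzureAdDomains = @('corp.example.com')           # assumed verified domains
)

# --- Step 3: GPO that enables MDM auto-enrollment with the signed-in user's
# Azure AD credential. These registry values are what the policy
# "Enable automatic MDM enrollment using default Azure AD credentials" writes.
$mdmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Intune user-credential auto-enrollment for Amazon WorkSpaces'
}

Set-GPRegistryValue -Name $GpoName -Key $mdmKey -ValueName 'AutoErollMDM'.Replace('Eroll','Enroll') `
    -Type DWord -Value 1 | Out-Null
# 1 = user credential (what step 5 depends on); 2 would select device credential.
Set-GPRegistryValue -Name $GpoName -Key $mdmKey -ValueName 'UseAADCredentialType' `
    -Type DWord -Value 1 | Out-Null

# Link only to the WorkSpaces OU, not at the domain root, so that the
# auto-enrollment policy does not reach servers or other desktops.
$alreadyLinked = (Get-GPInheritance -Target $WorkSpacesOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $WorkSpacesOu -LinkEnabled Yes | Out-Null
}

# --- Step 5 precondition: every WorkSpaces user needs a UPN whose suffix is a
# domain verified in Azure AD, otherwise the on-premises UPN and the Azure AD
# UPN differ and user-credential enrollment never starts for that user.
$mismatched = Get-ADGroupMember -Identity $UsersGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName |
    Where-Object {
        (-not $_.UserPrincipalName) -or
        ($_.UserPrincipalName.Split('@')[-1] -notin $VerifiedAzureAdDomains)
    }

if ($mismatched) {
    Write-Warning "Users whose UPN suffix is not a verified Azure AD domain (fix before step 5):"
    $mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "All members of $UsersGroup have a UPN suffix in: $($VerifiedAzureAdDomains -join ', ')"
}
```

To confirm the result on an individual WorkSpace after the user signs in, run `dsregcmd /status`: the Device State section should show `AzureAdJoined : YES` and `DomainJoined : YES`, and the SSO State section should show `AzureAdPrt : YES`. Without a Primary Refresh Token for the signed-in user, the user-credential enrollment configured by the GPO cannot proceed even though the device is hybrid joined.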
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.