Let’s understand how to perform Windows 10 Intune Enrollment Using Group Policy. This is a way to enroll hybrid Azure AD joined Windows devices to Intune automatically. You can use Intune (MDM) enrollment group policy with Hybrid Azure AD joined devices. The Hybrid Azure AD joined devices are domain joined + Azure AD registered devices.
I’ve explained the manual process of Windows 10 Intune enrollment for the BYOD scenario and Windows 10 Azure AD Join Manual Process – CYOD scenario. You can refer to my detailed guide to Learn Intune Device Management (Intune Starter Kit).
The Intune group policy is used mainly for WVD (Windows Virtual Desktop) scenarios. It would be best to use this group policy to enroll WVD VMs to Microsoft Endpoint Manager(MEM) Intune.
Let’s understand the prerequisite for automatic Intune enrollment of Windows 10 devices.
- Ensure that the user who is going to enroll the device has a valid Intune license.
- Ensure that auto-enrolment is activated for those users who are going to enroll the devices into Intune.
- Ensure that the device OS version is Windows 10, version 1709 or later.
- Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined.
- Run the following command to confirm dsregcmd /status
- AzureAdJoined : YES
- DomainJoined : YES
- Run the following command to confirm dsregcmd /status
- Make sure you have access to configure Group Policies in the on-prem Active Directory.
- Make sure Windows 10 ADMX is installed to enable the group policy.
Configure Intune Enrollment Group Policy
Now, let’s have a look into Group Policy implementation for automatic Intune enrollment. Hopefully, you have already taken care of all the prerequisites explained above. Otherwise, the following MDM group policy will not help you enroll the Windows 10 devices into Intune management.
- Launch Group Policy Management (gpmc.msc) from the start menu (from Domain controller or any other remote management server).
- Right-Click on Group Policy Object and Select NEW.
NOTE! – Make sure Windows 10 ADMX is installed to GPO as mentioned in the above prerequisite section.
- Enter the name of the GPO that you want to deploy to Windows 10 clients for Intune enrollment.
- Name = MDM
- Click OK
- Right-Click on the newly created policy MDM and select Edit.
- Navigate to policy nodes as shown in the below screenshot.
- Computer Configuration -> Policies -> Administrative Templates: Policy Definitions -> Windows Components.
NOTE! – If you don’t install Windows 10 ADMX, then you won’t be able to see the group policy that we are looking for.
- Scroll down until you find the MDM folder.
- Click on the MDM folder.
- From the policies displayed on the right pane of MMC, select the following policy.
- Double click on Enable Automatic MDM Enrollment Using Default Azure AD Credentials.
- This is policy setting specifies whether to automatically enroll the device to the Mobile Device Management (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful, the device will remotely be managed by the MDM service.
- Important: The device must be registered in Azure AD for enrollment to succeed.
- If you do not configure this policy setting, automatic MDM enrollment will not be initiated.
- If you enable this policy setting, a task is created to initiate enrollment of the device to the MDM service specified in the Azure AD.
- If you disable this policy setting, MDM will be unenrolled.
- Click on Enable option to enable the Intune enrollment option for Hybrid AD joined Windows 10 devices.
- Select Credential Type to use option is important. The default option is to use User Credentials.
NOTE from Microsoft Docs – In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. Device Credential is a new option that will only have an effect on clients that have installed Windows 10, version 1903, or later. The default behavior for older releases is to revert to User Credential. Device Credential is not supported for enrollment type when you have a ConfigMgr Agent on your device.
- I have selected Device Credentials and it worked fine for me with the latest version of Windows 10 2004 and ConfigMgr 2010 client. Not sure whether there are some updates missing from Microsoft docs or not.
- Click OK to complete the Group policy creation.
Assign Intune Enrollment Group Policy to OU
Now, I have created the group policy for MDM/Intune enrollment. The next step is that we need to link the group policy to an Organizational Unit (OU) in Active Directory. I want to assign this MDM/Intune enrollment GPO to only one particular OU called WVD.
- Launch command prompt and type in DSA.MSC (Assuming you have access to create OU and you know what you are doing).
- Right-click Domain and select New -> Organizational Unit.
- Enter the Name of the OU = WVD.
- Click OK to complete the OU creation process.
- Go back to Group Policy Management console.
- You can see a new OU there called WVD.
- Right-click on the new OU in the Group Policy management console.
- Select Link an Existing GPO option.
- Select the MDM group policy from the list.
- Click OK to complete the GPO assignment.
Once the Windows 10 MDM/Intune enrollment group policy is applied on the device, you can see the Intune policy details on the accounts page from the settings page.
- Click on Info tab to check Intune policies.
- You can also run RSOP to confirm whether the MDM/Intune Group policy.
- You can confirm this Hybrid AD Join + Windows 10 Intune enrollment from portal.azure.com – Azure Active Directory.