Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs

Let’s understand how to perform Intune Enrollment Using Group Policy. This is a way to enroll hybrid Azure AD joined Windows devices to Intune automatically. You can use Intune (MDM) enrollment group policy with Hybrid Azure AD joined devices. The Hybrid Azure AD joined devices are domain joined + Azure AD registered devices.

I’ve explained the manual process of Windows 10 Intune enrollment for the BYOD scenario and Windows 10 Azure AD Join Manual Process – CYOD scenario. You can refer to my detailed guide to Learn Intune Device Management (Intune Starter Kit).

The Intune group policy is used mainly for AVD (Azure Virtual Desktop) scenarios. It would be best to use this group policy to enroll AVD VMs in Microsoft Endpoint Manager(MEM) Intune. Intune Group policy from Windows 10 and Windows 11 ADMX templates are here to help you.

Prerequisites – Intune Enrollment using Group Policy

Let’s understand the prerequisite for automatic Intune enrollment of Windows 10 devices.

Patch My PC

Ensure that the user who is going to enroll the device has a valid Intune license.

Ensure that auto-enrolment is activated for those users who are going to enroll the devices into Intune.

Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs
Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs

Ensure that the device OS version is Windows 10, version 1709, or later.

Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined

Adaptiva

Run the following command to confirm dsregcmd /status

AzureAdJoined : YES

DomainJoined : YES

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD | Intune Group policy
  • Make sure you have access to configure Group Policies in the on-prem Active Directory.
  • Make sure Windows 10 ADMX is installed to enable the group policy.

Configure Intune Group Policy for Enrollment for AVD VMs

Now, let’s have a look into Group Policy implementation for automatic Intune enrollment. Hopefully, you have already taken care of all the prerequisites explained above. Otherwise, the following MDM group policy will not help you enroll the Windows 10 devices into Intune management.

Launch Group Policy Management (gpmc.msc) from the start menu (from Domain controller or any other remote management server).

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD
  • Right-Click on Group Policy Object and Select NEW.

NOTE! – Make sure Windows 10 ADMX is installed to GPO as mentioned in the above prerequisite section.

  • Enter the name of the GPO that you want to deploy to Windows 10 clients for Intune enrollment.
    • Name = MDM
    • Click OK
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD

Right-Click on the newly created policy MDM and select Edit.

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD

Navigate to policy nodes as shown in the below screenshot.

Computer Configuration – PoliciesAdministrative Templates: Policy DefinitionsWindows Components.

NOTE! If you don’t install Windows 10 ADMX, you won’t be able to see the group policy we are looking for.

Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs
Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs
  • Scroll down until you find the MDM folder.
  • Click on the MDM folder.
  • From the policies displayed on the right pane of MMC, select the following policy.
    • Double click on Enable Automatic MDM Enrollment Using Default Azure AD Credentials.
  • This is policy setting specifies whether to automatically enroll the device to the Mobile Device Management (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful, the device will remotely be managed by the MDM service.
  • Important: The device must be registered in Azure AD for enrollment to succeed.
  • If you do not configure this policy setting, automatic MDM enrollment will not be initiated.
  • If you enable this policy setting, a task is created to initiate enrollment of the device to the MDM service specified in the Azure AD.
  • If you disable this policy setting, MDM will be unenrolled.
  • Click on Enable option to enable the Intune enrollment option for Hybrid AD joined Windows 10 devices.
  • Select Credential Type to use option is important. The default option is to use User Credentials.

NOTE from Microsoft Docs – In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. Device Credential is a new option that will only have an effect on clients that have installed Windows 10, version 1903, or later. The default behavior for older releases is to revert to User CredentialDevice Credential is not supported for enrollment type when you have a ConfigMgr Agent on your device.

  • I have selected Device Credentials and it worked fine for me with the latest version of Windows 10 2004 and ConfigMgr 2010 client. Not sure whether there are some updates missing from Microsoft docs or not.
  • Click OK to complete the Group policy creation.
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD

Assign Intune Enrollment Group Policy to OU

Now, I have created the group policy for MDM/Intune enrollment. The next step is to link the group policy to an Organizational Unit (OU) in Active Directory. I want to assign this MDM/Intune enrollment GPO to only one particular OU called AVD.

  • Launch command prompt and type in DSA.MSC (Assuming you have access to create OU and you know what you are doing).
  • Right-click Domain and select NewOrganizational Unit.
  • Enter the Name of the OU = WVD.
  • Click OK to complete the OU creation process.
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD

Go back to the Group Policy Management console.

You can see a new OU there called WVD.

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD

Right-click on the new OU in the Group Policy management console. Select Link an Existing GPO option.

Select the MDM group policy from the list. Click OK to complete the GPO assignment.

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD

Results

Once the Windows 10 MDM/Intune enrollment group policy is applied on the device, you can see the Intune policy details on the accounts page from the settings page.

Click on the Info tab to check Intune policies.

You can also run RSOP to confirm the MDM/Intune Group policy.

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD

You can confirm this Hybrid AD Join + Windows 10 Intune enrollment from portal.azure.comAzure Active Directory.

Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | WVD

Video Intune Group Policy for Enrollment

Resources

Author

25 thoughts on “Intune Enrollment using Group Policy | Automatic Enrollment AVD VMs”

  1. Nice article, I have a query. Domain network will need to white list all Intune urls n ports for this to be successful.

    Reply
  2. Hi Anoop.
    Question, have you tried the disable-function of the GPO? (If you disable this policy setting, MDM will be unenrolled).
    If you have enrolled your hybrid devices, will they automatically unenroll from Intune if you put the GPO to “Disabled”?
    Looking at migration from one AD/Intune to a new AD/Intune, and cant find any that used that function (only reinstall or scripts to remove regvalues etc).

    Reply
    • I have never tried this for the removal of the MDM enrollment. As per documentation, the PCs should get unenrolled and Also I don’t know what will happen if the license is removed from the user.

      Reply
  3. Hi Anoop, I tried this but for some reason I am getting the below message in EventVwr:
    Automatic certificate enrollment for local system failed (0x80094012) The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
    Are there any more pre-requisites that need considering related to Certificate enrollment? Many thanks

    Reply
    • I think this is because (probably) AAD device registration does not happen for this device. Can you check the command dsregcmd /status?

      Also, check whether the device record is available in the AAD portal.

      This is the prerequisite.

      Reply
  4. I am using “Device Credential” to enrol PCs with a ConfigMgr agent already installed. Seems to be working fine, contrary to what you wrote. Thoughts?

    Reply
  5. I recommend Device Credentials as mentioned below. Sorry but I’m confused with your statement “Seems to be working fine, contrary to what you wrote.”

    “I have selected Device Credentials and it worked fine for me with the latest version of Windows 10 2004 and ConfigMgr 2010 client.”

    Reply
  6. HI Anoop
    can this be done using a powershell, as GPO is not in site and we required to enable the Autoenrollment MDM using user credentails on the device.

    Reply
  7. Hello Anoop,

    I am having some issues auto enrolling a device into Intune. The device is Hybrid Azure AD Joined and I have created a GPO which I linked with security filtering to a security group which the machine is a member of. I have also linked the GPO to the OU that the machine is in and the GPO is set to enabled.
    I am signing in as an enrollment manager and I have a valid Intune license (Business Premium)
    Here is the error code: Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0xcaa90014)
    When I set up the GPO I do not have a dropdown selection for user or device credentials, is that an issue? I tried updating the admx and still no option to select those.
    Any thoughts on how I can start to troubleshoot this issue?

    Reply
  8. I am struggling with this error. EVENT ID 90
    Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource Url (NULL), Resource Url 2 (NULL), Status (Unknown Win32 Error code: 0x8018002b)
    Event ID 76
    Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)

    This device was enrolled using Company Portal App and then removed. I applied Intune via GPO on all other devices and every device works ok except this one.
    I have tried this https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/windows10-enroll-error-80180002b and reset the device , performed above steps but still getting same error.

    Reply
    • Few things to check:

      1.Intune License
      2.Azure AD registration status. try to delete the already registered object from Azure AD and check whether it is reappearing automatically, etc.
      3.Manual installation of Company Portal instead of GPO works or not?

      Reply
  9. Hi Anoop

    Thanks for looking into this

    User got the license. Hybrid environment. Device appear as hybrid in azure ad if I reconnect as local AD after deleting from Azure and on premises AD. If I connect via company portal device register immediately. But via group policy AzureAdPrt status is No. Azure adjoin and domain join is Yes

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.