Automatically enroll Domain joined PC’s into Intune via GPO

Share This

In this tutorial i will explain how to automatically enroll your Windows 10/11 domain joined PC’s into Intune using a Group Policy Object.

Note: if you are using Azure MFA make sure you read the ‘known issues’ section at the end of the article or you will run into issues

Before we begin, there’s a few prerequisites that you must meet in order for devices to be automatically joined to Intune.

  • Devices must be Hybrid Azure AD joined (HAADJ)
  • User(s) must be permitted to enroll devices into Azure AD have a valid Intune Licence

Setup Hybrid Azure AD Join

If your devices are not already configured to Hybrid Join you will need to install the Azure AD Connect Tool on to a server on your domain.

  1. Launch Azure AD Connect tool and click configure.
  2. Click Configure Device Options
  3. Authenticate with your Azure Admin account, if using AAD Connect Version or above, you can use an account with the ‘Hybrid Identity Admin‘ role assigned instead.

4. Select Configure Hybrid Azure AD Join from the options

5. Tick ‘Windows 10 or later domain joined devices‘ and click ‘Next‘ – You don’t need to choose windows down level devices as this wont work with automatic enrollment anyway.

5. In order for your devices to know which Azure Tennant to join you must first specify a SCP or Service Connection Point. Azure AD Connect tool will populate this for you but first you need to provide enterprise admin credentials for your Active Directory forest. Tick your forest and press add, providing enterprise admin credentials.

You can verify your device is Azure AD Joined by running dsregcmd /status in a command prompt

AzureAdJoined EnterpriseJoined DomainJoined Device state
YES NO NO Azure AD Joined
NO NO YES Domain Joined
YES NO YES Hybrid AD Joined
NO YES YES On-premises DRS Joined

Setting up the Group Policy Object

  1. Open up Group Policy Management Console and create a new group policy object
  2. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
  3. Double click the setting enable automatic MDM enrollment using default Azure credentials

4. Enable the policy and choose User Credential

5. Deploy the GPO over a test OU

When a user with a valid Intune licence signs into the PC it should now automatically enroll into Intune. The user must also be allowed to enroll devices into Intune to check this head to Azure Active Directory and click Settings > Mobility 

Choose Microsoft Intune

On the MDM user scope, select the users you wish to be able to join devices to Intune, remember they must have a valid Intune licence assigned to them.

You should now be able to see your device is Hybrid Azure Joined but also joined to the MDM (Intune), head to devices, search for your device and verify its now showing as Hybrid Azure AD Joined and MDM is set to Intune

Known Issue’s

If you are having any issues you can check the logs by going to event viewer on the PC you are trying to join, go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

If you see an error with Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a) this is down to having MFA enabled. To remedy this you either need to disable MFA (not recommended) or go to Conditional Access and allow an exception in your CA policy (this requires Azure P1 subscription which is included in A3/E3 A5/A5)

Head to Azure AD admin centre and go to Protect & Secure > Conditional Access

Open your policy and under cloud apps or actions and head to Exclude and search for Microsoft Intune enrollment.

The next time you login the PC should now automatically join intune.

Did you enjoy this article?
Signup today and receive free updates straight in your inbox. We will never share or sell your email address.

Leave a Reply

Your email address will not be published. Required fields are marked *