The MDM Intune enrollment process for Windows 10 / Windows 11 is lengthy and complex. To understand and troubleshoot issues related to enrolling a device, we first need to understand how the process works.
At a very high level, a device has to go through multiple steps to enroll properly, and all the required configuration must be set correctly.
Steps involved in the enrollment process
To get a device enrolled, the following steps are involved:
Step 1: AAD Sync – to discover and register the new device
Once Azure AD Connect is configured to synchronize the specific OU (under Domain/OU Filtering), the AAD synchronization cycle runs using the Synchronization Service (Azure Active Directory Sync Services), and the new device is discovered and becomes visible in Azure Active Directory.
By default the cycle is scheduled to run every 30 minutes; you can force it to run immediately with the following PowerShell commands:
For Delta Sync:
Start-ADSyncSyncCycle -PolicyType Delta
For Full Sync:
Start-ADSyncSyncCycle -PolicyType Initial
Check that the device is registered in Azure Portal > Azure Active Directory > Devices.
The device will be shown as Azure AD Registered under AAD > Devices.
Step 2: Hybrid Azure AD Join
A Hybrid Azure AD joined device is one that is joined to on-premises Active Directory and registered with Azure Active Directory. To perform this step, the device must have direct line-of-sight access to an on-premises domain controller.
For Hybrid Azure AD join, we need to specify settings in the Azure portal. Navigate to Azure Active Directory > Devices > Device settings and enable the option Users may join devices to Azure AD. It is recommended to use selected groups if you don’t want all users to be able to join devices.
We can also use Group Policy to restrict device registration to specific devices. To do this, open the Group Policy editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration, and enable Register domain joined computers as devices.
As the device is already registered in Azure Active Directory, the next step is the Hybrid Azure AD join.
A Primary Refresh Token (PRT) is issued to the device using the Device ID and a session key, and it is valid for 14 days. This PRT is responsible for authentication when the user logs in to the device.
The device will be shown as Hybrid Azure AD Joined.
Step 3: MDM Intune Enrollment
Two certificates are issued to the device (Client Authentication and Server Authentication); open the Computer Certificate Store and navigate to Personal > Certificates to see them:
As the device is now Hybrid Azure AD joined, the MDM enrollment process will begin. Let’s understand what is required for this to succeed:
- The logged-in user should have one of the following licenses assigned:
- Enterprise Mobility + Security E3 (EMS + E3)
- Enterprise Mobility + Security E5 (EMS + E5)
- Microsoft 365 E3
- Microsoft 365 E5
For more details, check the type of Intune license.
For automatic enrollment, Azure AD Premium access is required, either AADP1 or AADP2. Assigning any of the above licenses provides access to Azure AD Premium features.
- MDM user scope should be enabled.
In the Azure Portal, navigate to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune and set the MDM user scope to the specific group or users.
- Set up Group Policy to enable the enrollment process.
Open the Group Policy editor (gpmc.msc), navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM, and enable Enable automatic MDM enrollment using default Azure AD credentials with Select Credential Type to Use set to User Credential.
Device enrollment will complete automatically, and we can see the result in the Microsoft Endpoint Manager admin center by navigating to Devices > Windows devices.
Verification of Device Enrollment
- Open a command prompt and run dsregcmd /status.
Under Device State, AzureAdJoined shows YES, and MdmUrl, MdmTouUrl and MdmComplianceUrl point to the Intune MDM URLs.
AzureAdPrt shows YES, which indicates that a Primary Refresh Token has been issued.
- Under the Personal certificate store, a third certificate is now present, named Microsoft Intune MDM Device CA.
- Navigate to Settings > Accounts > Access work or school and click on the briefcase icon showing the connection. An Info button is visible (this is not present on a purely on-premises system). Click Info to see the managing organization name, the areas managed, connection info, and a Sync button to synchronise with MEM / Intune.
- Open Task Scheduler (taskschd.msc) and navigate to Microsoft > Windows > EnterpriseMgmt > GUID. Multiple scheduled tasks are created during the MDM Intune enrollment process. The task named Schedule created by enrollment client is responsible for enrolling the client and calls deviceenroller.exe. Alongside it, other tasks created by the enrollment client run at different intervals, such as every 3 minutes, 15 minutes and 8 hours.
Automatic enrollment looks complex at first, but once we know all the details required for it to work, we can understand and troubleshoot the process. There are three locations in Event Viewer that help identify success or failure of the enrollment process:
- Applications and Services Logs > Microsoft > Windows > User Device Registration
- Applications and Services Logs > Microsoft > Windows > ModernDeployment-Diagnostics-Provider
- Applications and Services Logs > Microsoft > Windows > AAD
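As an added example (not from the original post), the following PowerShell script collects the verification points above into one report: it parses dsregcmd /status, checks the computer Personal store for the certificate from the Intune MDM Device CA, reads the auto-enrollment policy values, lists the scheduled tasks under EnterpriseMgmt, and counts recent errors in the three event logs. The event log channel names and the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM are assumptions, not something the post states.

```powershell
# Added example, not from the original post: one report for the checks above.
# Run in an elevated PowerShell session on the device being verified.
# Assumptions: the event log channel names and the MDM policy registry values.

function Get-EnrollmentReport {
    $report = [ordered]@{}

    # 1. dsregcmd /status: parse "Key : Value" lines (keys have no colon, values may)
    $ds = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.*)$') { $ds[$matches[1]] = $matches[2].Trim() }
    }
    $report['AzureAdJoined'] = $ds['AzureAdJoined'] -eq 'YES'
    $report['AzureAdPrt']    = $ds['AzureAdPrt'] -eq 'YES'      # PRT has been issued
    foreach ($k in 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl') {
        $report[$k] = if ($ds[$k]) { $ds[$k] } else { '(not set)' }
    }

    # 2. The third certificate in the Personal store, issued by Microsoft Intune MDM Device CA
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' }
    $report['IntuneDeviceCert'] = if ($cert) { $cert.Thumbprint } else { 'missing' }

    # 3. Auto-enrollment policy (assumed registry values written by the GPO from Step 3)
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $report['AutoEnrollMDM']  = [int]$pol.AutoEnrollMDM -eq 1
    $report['UserCredential'] = [int]$pol.UseAADCredentialType -eq 1

    # 4. Scheduled tasks created by the enrollment client under EnterpriseMgmt\<GUID>
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
    $report['EnrollmentTasks'] = @($tasks | Select-Object -ExpandProperty TaskName) -join '; '

    # 5. Error-level events from the last 24 hours in the three Event Viewer locations
    $logs = 'Microsoft-Windows-User Device Registration/Admin',
            'Microsoft-Windows-AAD/Operational',
            'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot'
    foreach ($log in $logs) {
        $errs = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
        $report["Errors24h ($log)"] = @($errs).Count
    }
    [pscustomobject]$report
}

Get-EnrollmentReport | Format-List
```

A device that enrolled correctly shows AzureAdJoined and AzureAdPrt as True, the three Mdm URLs populated, a certificate thumbprint, at least one EnterpriseMgmt task, and zero recent errors; any False or missing value points to the step above that needs attention.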