In this post, I will go through the implementation of automatic enrollment of domain-joined devices in Intune using a Group Policy Object (GPO). By default, devices do not enroll in Intune on their own; a few tenant-side settings and one GPO are required, and the rest of the post walks through them and shows how to verify that enrollment actually happened.

Assumptions: before creating the automatic enrollment policy, make sure the following are in place.

  • The client should be on Windows 10, version 1709 or later (the MDM auto-enrollment Group Policy setting first shipped with 1709).
  • For a device to get enrolled, an appropriate license must be assigned to the logged-in user. EMS + E3, EMS + E5, Microsoft 365 E3, Microsoft 365 E5 and similar bundles that include Intune will do the job. For the complete list of licenses that include Intune, check the licensing page.
  • To verify or assign the license, open the Azure Portal, navigate to Azure Active Directory > Users, select the user and click Licenses. In my tenant the user has the Enterprise Mobility + Security E3 license assigned. If no license is shown, click Assignments to assign one.
Licenses Assignments

  • The Microsoft Intune MDM configuration must be in place. Under Azure Portal > Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune, the MDM user scope must be set to All, or to Some with a group, if you want to limit which users can enroll devices. A user outside the MDM user scope will not enroll, even with the GPO applied and a license assigned.
MDM user scope
  • The user must be permitted to join devices to Azure Active Directory. Navigate to Azure Active Directory > Devices > Device settings; "Users may join devices to Azure AD" should be set to All or to a selected group of users.
Users may join devices to Azure AD

Once the above configuration is in place, and the device has completed Hybrid Azure AD join (which this walkthrough assumes is already working for the domain), the device is discovered in the tenant and shown under Azure Active Directory > Devices > All devices with a Join type of Hybrid Azure AD joined.

Hybrid Azure AD joined

Check the linked Microsoft documentation if you want to know more about the automatic MDM (Intune) enrollment process.

Create auto-enrollment group policy for devices

Now it is time to create the Group Policy. Log in to a domain controller (or a management workstation with RSAT) and launch the Group Policy Management console (gpmc.msc). Select the OU containing the computer accounts you want to enroll, right-click it and select Create a GPO in this domain, and Link it here.

Create a GPO

Give it a name such as Auto-enrollment Intune, then right-click the new GPO and choose Edit.

In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM.

In the right pane, double-click Enable automatic MDM enrollment using default Azure AD credentials. (If your central store still has older ADMX templates, the same setting appears under its earlier name, Auto MDM Enrollment with AAD Token; update the templates if you need the credential-type option described next.)

Click Enabled. Under Options, Select Credential Type to Use offers two choices:
Device Credential
User Credential

Select User Credential and click OK. User Credential enrolls the device under the Azure AD identity of the signed-in user, which is why the license and MDM user scope checks above are tied to that user.

Use Security Filtering on the GPO to apply it only to a specific set of devices rather than every computer in the OU. Because this is a Computer Configuration setting, the filter must name computer accounts (or a group containing them), not user accounts; a user group in the filter will not apply it. Leave Authenticated Users with Read permission on the GPO and only remove Apply, otherwise the computer cannot read the policy at all.

Enable automatic MDM enrollment using default Azure AD credentials
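The steps above can also be scripted from the domain controller with the GroupPolicy module. The following is an added example and not code from the original post: it creates and links the GPO, writes the same registry-based policy the Administrative Template writes, and sets the security filtering to a device group. The GPO name, OU distinguished name and group name are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): build the auto-enrollment GPO with the
# GroupPolicy module instead of clicking through gpmc.msc. Run as a user with rights to
# create and link GPOs in the domain.
Import-Module GroupPolicy

$gpoName     = 'Auto-enrollment Intune'
$targetOu    = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the computer accounts
$deviceGroup = 'Intune-AutoEnroll-Devices'            # assumed group of COMPUTER accounts
$mdmKey      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# 1. Create the GPO if needed and link it to the OU
#    (equivalent to "Create a GPO in this domain, and Link it here").
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Automatic MDM enrollment into Intune'
}
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 2. "Enable automatic MDM enrollment using default Azure AD credentials" = Enabled with
#    credential type User Credential. These are the registry values the MDM.admx template
#    writes: AutoEnrollMDM = 1, UseAADCredentialType = 1 (User Credential) or 2 (Device
#    Credential). Check the value names against the MDM.admx in your central store.
Set-GPRegistryValue -Name $gpoName -Key $mdmKey -ValueName 'AutoEnrollMDM' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $mdmKey -ValueName 'UseAADCredentialType' `
    -Type DWord -Value 1 | Out-Null

# 3. Security filtering. This is a Computer Configuration policy, so the filter names a
#    group of computer accounts. Authenticated Users keeps Read (computers must still be
#    able to read the GPO) but loses Apply; -Replace drops the default Apply right.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $deviceGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Show what will actually reach the clients.
Get-GPRegistryValue -Name $gpoName -Key $mdmKey |
    Select-Object ValueName, Type, Value
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After running it, open the GPO in gpmc.msc: the Settings tab should show the MDM policy as Enabled with User Credential, and the Scope tab should list only the device group under Security Filtering. Computers that are not members of that group will still read the GPO but will not apply it.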

What is the impact of the policy?

The registry value behind the Group Policy setting "Enable automatic MDM enrollment using default Azure AD credentials" is AutoEnrollMDM under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM.

When the policy applies, AutoEnrollMDM is set to 1 (REG_DWORD). Because this lives under the Policies hive, the value is rewritten at every Group Policy refresh; changing it locally is therefore not a reliable way to opt a machine out, and a missing value on a client is a quick sign that the GPO is not reaching it (wrong OU, security filtering, or the ADMX not being applied).

AutoEnrollMDM

Applying the policy creates a scheduled task which tries to auto-enroll the device every 5 minutes, for up to one day, until enrollment succeeds.

Open Task Scheduler and navigate to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. You will see a task named Schedule created by enrollment client for automatically enrolling in MDM from AAD. It runs as SYSTEM and executes the following command, which is responsible for the auto-enrollment:

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

Schedule created by enrollment client for automatically enrolling in MDM from AAD
deviceenroller.exe

Initiation of auto-enrollment process

Log in to the device with the full User Principal Name (UPN), i.e. user@domain, rather than DOMAIN\user. Wait for Group Policy to arrive or run gpupdate /force. Once the policy is applied, the scheduled task kicks in and tries to enroll the device.

The enrollment process can be followed in Event Viewer: launch eventvwr.msc and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

Event ID 75 means success: it is logged on a successful Auto MDM Enrollment.
Event ID 76 means failure: whenever you see Event ID 76, read the error code in the message for further troubleshooting.

Event ID 75 will generate the message:
Auto MDM Enroll: Device Credential (0x0), Succeeded

A successful enrollment creates multiple tasks under Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt > {GUID}, where the GUID identifies this enrollment:

created by enrollment client

The creation of all these tasks can be monitored through Event Viewer under Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational. Note that this Operational log is disabled by default; enable it (right-click > Enable Log, or wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true) before triggering enrollment if you want to see these entries. The S-1-5-18 in the entries below is the Local System account, under which the enrollment client runs.

User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule #1 created by enrollment client"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule #2 created by enrollment client"
User "S-1-5-18"  updated Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule #2 created by enrollment client"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule to run OMADMClient by server"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Passport for Work alert created by enrollment client"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule created by enrollment client for renewal of certificate warning"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\OS Edition Upgrade event listener created by enrollment client"
User "S-1-5-18"  registered Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Win10 S Mode event listener created by enrollment client"
Task Scheduler launch task "\Microsoft\Windows\EnterpriseMgmt\348F3AFB-3E38-49A8-9F46-521D15D41F79\Schedule #1 created by enrollment client" , instance "%windir%\system32\deviceenroller.exe"  with process ID 8704.

Finally, the original task that was created for enrollment, Schedule created by enrollment client for automatically enrolling in MDM from AAD, is deleted: deviceenroller.exe returned exit code 0, the job is done and the task is no longer required.

Event viewer will show:

User "NT AUTHORITY\System"  deleted Task Scheduler task "\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD"
Task Scheduler terminated "{db5334ea-095d-4d6b-be10-9f0929d55de4}"  instance of the "\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD"  task.
Task Scheduler successfully completed task "\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD" , instance "{db5334ea-095d-4d6b-be10-9f0929d55de4}" , action "%windir%\system32\deviceenroller.exe" with return code 0.

The new scheduled tasks under the {GUID} folder are now responsible for keeping the device managed: they run deviceenroller.exe and the OMA-DM client (omadmclient.exe) at various intervals to sync with Intune, renew the MDM certificate and react to events such as edition upgrades.

Navigating to Start Menu > Settings > Accounts > Access work or school, we can see Connected to the AD domain (briefcase icon and Info button). Clicking Info shows plenty of information about the Intune enrollment, such as device sync status and the areas managed by the organization.

Access work or school

Open a command prompt and run dsregcmd /status to check the enrollment status. Under Device State, AzureAdJoined and DomainJoined should both show YES.

Also, MdmUrl, MdmTouUrl and MdmComplianceUrl should contain valid, non-empty links under the User State / Tenant Details section; populated MDM URLs are themselves an indication that auto-enrollment has succeeded, while empty ones mean the device is Hybrid Azure AD joined but not enrolled.

dsregcmd /status
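The individual checks from this post (registry value, scheduled tasks, Event IDs 75/76 and dsregcmd /status) can be collected in one place. The script below is an added example and not code from the original post; it runs on the client in an elevated PowerShell session and reports the enrollment state in a single object, so it can be pushed to many machines or run from a help-desk session. It assumes only the paths, task names and event IDs already described above.

```powershell
# Added example (not from the original post): one-shot verification of Intune auto-enrollment
# on a client. Run elevated. Returns a single object summarising the checks from the post.
function Get-IntuneAutoEnrollState {
    $mdmKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $taskRoot  = '\Microsoft\Windows\EnterpriseMgmt\'
    $taskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
    $guidRegex = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $state     = [ordered]@{}

    # 1. Has the GPO arrived? AutoEnrollMDM = 1 is what the policy writes.
    #    UseAADCredentialType: 1 = User Credential, 2 = Device Credential.
    $policy = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
    $state.AutoEnrollMDM        = $policy.AutoEnrollMDM
    $state.UseAADCredentialType = $policy.UseAADCredentialType

    # 2. Is the one-shot enrollment task still present? It is deleted after a successful
    #    run, so "absent" together with an Event 75 is the expected end state. Present for
    #    more than a day means the retries keep failing (look for Event 76).
    $enrollTask = Get-ScheduledTask -TaskPath $taskRoot -TaskName $taskName -ErrorAction SilentlyContinue
    $state.EnrollmentTaskPresent = [bool]$enrollTask

    # 3. Per-enrollment task folders EnterpriseMgmt\{GUID}, created once enrollment succeeded.
    $guidFolders = Get-ScheduledTask -TaskPath "$taskRoot*" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty TaskPath -Unique |
        Where-Object { $_ -match $guidRegex }
    $state.EnrollmentGuidFolders = @($guidFolders)

    # 4. Last Auto MDM Enroll result: Event 75 = success, 76 = failure.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $state.LastEnrollEvent = if ($events) {
        '{0} ID {1}: {2}' -f $events[0].TimeCreated, $events[0].Id, $events[0].Message
    } else { 'no Event 75/76 logged' }

    # 5. dsregcmd /status: join state and the MDM URLs that indicate a successful enrollment.
    #    Split on the first ':' only, because the URL values contain 'https:'.
    $ds = dsregcmd /status
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl') {
        $line = $ds | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
        $state[$field] = if ($line) { ($line -split ':', 2)[1].Trim() } else { '' }
    }

    # Overall verdict: policy present, join state correct, MDM URL populated, no stale task.
    $state.Enrolled = ($state.AutoEnrollMDM -eq 1) -and
                      ($state.AzureAdJoined -eq 'YES') -and
                      ($state.DomainJoined  -eq 'YES') -and
                      ($state.MdmUrl -ne '') -and
                      (-not $state.EnrollmentTaskPresent)

    [pscustomobject]$state
}

Get-IntuneAutoEnrollState | Format-List
```

On a healthy device the output shows AutoEnrollMDM 1, EnrollmentTaskPresent False, at least one GUID folder, a last event with ID 75, AzureAdJoined and DomainJoined YES and a non-empty MdmUrl, so Enrolled is True. AutoEnrollMDM empty points at Group Policy delivery (OU link, security filtering on a user group instead of a computer group); AutoEnrollMDM 1 with a persisting enrollment task and Event 76 points at the tenant side (license, MDM user scope, or the user signing in with DOMAIN\user instead of the UPN).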