Auto-enroll Windows 10 devices using Group Policy

This week is all about creating awareness for the automatic MDM enrollment feature, using Group Policy, that is introduced in Windows 10, version 1709. In some scenarios that might not sound very interesting, especially when looking at cloud-only scenarios. However, this feature is very interesting in scenarios where organizations want to move to the cloud. Think about co-management. Co-management helps organizations to slowly move their device management capabilities to the cloud, by allowing multiple device management agents on a single device. Microsoft just released co-management in Microsoft Intune and co-management is also available in the latest Technical Preview releases of Configuration Manager. So, imagine a scenario in which a device currently managed by Configuration Manager receives a Group Policy setting to also auto-enroll the device in Microsoft Intune. Very helpful in the transition to the cloud.

In this post I’ll provide a short introduction to auto-enrollment for Windows 10 devices, followed by an overview of the requirements to enable auto-enrollment for Windows 10 devices. I’ll end this post with how to verify the results of a successful auto-enrollment.


Let’s start with an introduction to automatic MDM enrollment of Windows 10 devices, or more precisely, a description of what happens when automatic enrollment is configured. Automatic enrollment relies on the presence of an MDM service in Azure Active Directory and on the Azure Active Directory registration of the Windows 10 device. Starting with Windows 10, version 1607, once an organization has registered its Active Directory with Azure Active Directory, a Windows 10 device that is Active Directory domain joined is automatically Azure Active Directory registered.

When the auto-enroll Group Policy is enabled, a scheduled task is created that initiates the MDM enrollment. That scheduled task will start deviceenroller.exe with the AutoEnrollMDM parameter, which will use the existing MDM service configuration, from the Azure Active Directory information of the user, to auto-enroll the Windows 10 device. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is completed, the scheduled task will be removed and a folder will be created with the “standard” MDM-related tasks.

Note: In Windows 10, version 1709, when the same setting is configured via Group Policy and via MDM, the Group Policy setting wins. This might change in future releases of Windows 10.


Before starting with the configuration, let’s start by having a look at the list of requirements that must be in place to facilitate the auto-enroll configuration.

  • Active Directory is integrated with Azure Active Directory;
  • MDM service is configured in Azure Active Directory;
  • Device is running Windows 10, version 1709, or later;
  • Device is Active Directory joined;
  • Device is Azure Active Directory registered.

As the main focus of my posts is on the management of devices, let’s highlight the configuration requirement of the MDM service in Azure Active Directory.

1 Open the Azure portal and navigate to Azure Active Directory > Mobility (MDM and MAM);
2 On the Mobility (MDM and MAM) blade, click Add application to add the applicable MDM app. As I’m using Microsoft Intune, the MDM app was already added and preconfigured;
3 Select the MDM app, in my case Microsoft Intune, and make sure the settings are configured.


Now let’s have a look at the main configuration of this post, the configuration of the required Group Policy setting. It’s actually quite simple, but it’s all about being aware. Simply install the latest ADMX files for Windows 10, version 1709, or later, and perform at least the following 3 steps.

1 Create a new GPO, or open an existing GPO, in the Group Policy Management Editor and navigate to Administrative Templates > Windows Components > MDM;

2 Open the Auto MDM Enrollment with AAD Token setting, select Enabled and click OK;

3 Make sure the GPO is linked to the correct OU.


Once the configuration of the Group Policy is done, and the policy is enabled and linked, it’s time to look at the results. The following 3 locations on the local Windows 10 device are the easiest places to look for a successful auto-enrollment.

Event Viewer – The first place to look for a success is the Event Viewer. The Event Viewer contains a specific location for device management related events. That location can be found at Microsoft > Windows > DeviceManagement-Enterprise > Diagnostics > Provider > Admin. That location should show Event ID 75, with the message “Auto MDM Enroll: Succeeded”.
Task Scheduler – The next place to look for a success is the Task Scheduler. The Task Scheduler contains a specific location for device management tasks. That location can be found at Microsoft > Windows > EnterpriseMgmt. That location previously contained a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”. After a successful auto-enrollment, that task should be gone and a folder with a GUID name should show.
Settings – Another place to look for a success is the Settings panel. The Settings panel contains a location that provides information about the connected work and school environments. That location can be found via Start > Settings > Accounts > Access work or school. Without a successful auto-enrollment it simply shows a connected Active Directory domain. Once the auto-enrollment is successful, the connected Active Directory domain can be selected and the Info button can be used to see the MDM enrollment information.
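The three checks above, plus the policy’s registry footprint, can be collected in one go from an elevated PowerShell prompt on the device. The script below is an added example and not part of the original post or of any Microsoft tooling; it is read-only and only reports what it finds. The function name Test-AutoMdmEnrollment is my own, and the registry key under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM (value AutoEnrollMDM) is the location I assume the Auto MDM Enrollment with AAD Token setting writes to; verify it against your ADMX files if it differs. The event channel name, task path and dsregcmd fields are the standard Windows ones.

```powershell
# Added example (not from the original post): read-only checklist for a Windows 10
# device after gpupdate. Returns an object instead of printing so it can be piped
# or collected from many machines.
function Test-AutoMdmEnrollment {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Policy footprint. Assumed location written by "Auto MDM Enrollment with AAD Token".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result.PolicyApplied = ($null -ne $policy -and $policy.AutoEnrollMDM -eq 1)

    # 2. Event Viewer: Event ID 75 "Auto MDM Enroll: Succeeded" in the
    #    DeviceManagement-Enterprise-Diagnostics-Provider Admin channel.
    #    Event ID 76 carries the failure text quoted in the comments below.
    $channel = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 75, 76 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    $success = $events | Where-Object { $_.Id -eq 75 -and $_.Message -like '*Succeeded*' } |
               Select-Object -First 1
    $failure = $events | Where-Object { $_.Id -eq 76 } | Select-Object -First 1
    $result.EnrollSucceededEvent = ($null -ne $success)
    $result.LastSuccessTime      = if ($success) { $success.TimeCreated } else { $null }
    $result.LastFailureText      = if ($failure) { $failure.Message } else { $null }

    # 3. Task Scheduler: the "automatically enrolling in MDM from AAD" task should be gone
    #    and a GUID-named folder should exist under \Microsoft\Windows\EnterpriseMgmt\.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                               -ErrorAction SilentlyContinue
    $result.PendingEnrollTask = [bool]($tasks |
        Where-Object { $_.TaskName -like '*automatically enrolling in MDM from AAD*' })
    $guidFolder = $tasks |
        Where-Object { $_.TaskPath -match '\\\{?[0-9a-fA-F-]{36}\}?\\' } |
        Select-Object -First 1
    $result.EnrollmentTaskFolder = if ($guidFolder) { $guidFolder.TaskPath } else { $null }

    # 4. dsregcmd /status: the device must be domain joined and known to Azure AD.
    #    MdmUrl is only populated once the MDM service configuration has been picked up.
    $ds = dsregcmd /status 2>$null
    $result.DomainJoined    = [bool]($ds | Select-String '^\s*DomainJoined\s*:\s*YES' -Quiet)
    $result.AzureAdJoined   = [bool]($ds | Select-String '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $result.WorkplaceJoined = [bool]($ds | Select-String '^\s*WorkplaceJoined\s*:\s*YES' -Quiet)
    $mdmUrl = $ds | Select-String '^\s*MdmUrl\s*:\s*(\S+)' | Select-Object -First 1
    $result.MdmUrl = if ($mdmUrl) { $mdmUrl.Matches[0].Groups[1].Value } else { $null }

    # Overall verdict: success event seen, enrollment task consumed, MDM task folder present.
    $result.Enrolled = $result.EnrollSucceededEvent -and
                       -not $result.PendingEnrollTask -and
                       ($null -ne $result.EnrollmentTaskFolder)

    [pscustomobject]$result
}

Test-AutoMdmEnrollment | Format-List
```

A device where PolicyApplied is true but PendingEnrollTask stays true and LastFailureText is populated has received the GPO but the scheduled task is failing; the Event ID 76 text is then the first thing to read, and dsregcmd fields DomainJoined and AzureAdJoined tell you whether the prerequisite registration is in place at all.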

Note: The Windows 10 device can also be located in Azure Active Directory. However, I thought that providing the information above gives more insight into what actually happens. Besides that, a screenshot of a Windows 10 device in Azure Active Directory is simply boring.

More information

For more information about automatically enrolling Windows 10 devices using GPO, please refer to the Microsoft article Enroll a Windows 10 device automatically using Group Policy.

61 thoughts on “Auto-enroll Windows 10 devices using Group Policy”

  1. Hi Peter,

    When I update GP on those devices, I get the following error: “Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”

  2. Hi Peter,

    Our environment is setup to meet all the requirements but the tasks failed in Task Scheduler with the following: Auto MDM Enroll: Failed (0x8018002B). Even logs > DeviceManagement shows the same error message.

    A bit more about our environment:

    – We are using OKTA for MFA and SSO

    – On-prem AD with Hybrid Connect configured with an SCP. I did notice an option to add to the SCP configuration as well – but I’m not sure if this is required.

    – When a user clicks on Enroll only in Device Management it enrolls without any issues

    What do you think is the issue?

  3. Hello,

    I get the error message, too:
    “Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”

    The message is because the device is still registered in Intune but the (gpupdate) process tries to register the device again.

    It is expected behavior (Microsoft):

    I have removed the group policy but the warning message still remains.

    Does someone have a solution to get rid of this message when using gpupdate?


  4. Hi Peter, Our Scenario is :
    Auto Enrollment is not happening at All.
    Win 10 version 1803
    1. GPO for Auto Enrollment I am configuring on the Win 10 device locally, just to check whether the device will Auto Enroll or not. So the result is coming as: no task creation in Task Scheduler, Event ID 76 coming with the statement: “Auto MDM Enroll: Device Credential (0x0), Failed (The background task activation is spurious.)”, and when I ran RSOP.msc there was no Auto Enroll policy showing, so for the policy is this normal that the policy will not show in rsop?
    2. My question is : So when I am configuring the GPO locally on the system for the Auto Enroll, and nothing is happening, do we have to configure it from Domain Level and check ?
    3. My Intune Settings are ok I have checked… The user through which we used to log in on the systems has been granted EMS + E3 Licenses, Device Auto enrollment is also enabled with MDM and No in MAM.
    4. Enrollment restriction is also not there for Windows devices.
    5. Manual Enrollment is happening fine, we have done it through Settings >> Accounts >> Access work or school…………
    This is something strange happening. Can you please put your light on it.

  5. GPO enrollment to Intune fails because ADFS prompts each time. Seen when enrolling manually. When it fails to automatically enroll via GPO settings, event ID 76 says: Auto MDM Enroll: Device Credential (0x0), Failed (The system tried to delete the JOIN of a drive that is not joined.)
    Devices are in Azure AD already (joined) .
    How to bypass the ADFS prompt in the process?
