This week is all about creating awareness for the automatic MDM enrollment feature, using Group Policy, that is introduced in Windows 10, version 1709. In some scenarios that might not sound very interesting, especially when looking at cloud-only scenarios. However, this feature is very interesting in scenarios where organizations want to move to the cloud. Think about co-management. Co-management helps organizations to slowly move their device management capabilities to the cloud, by allowing multiple device management agents on a single device. Microsoft just released co-management in Microsoft Intune and co-management is also available in the latest Technical Preview releases of Configuration Manager. So, imagine a scenario in which a device that is currently managed by Configuration Manager can receive a Group Policy setting to also auto-enroll the device in Microsoft Intune. Very helpful in the transition to the cloud.
In this post I’ll provide a short introduction to auto-enrollment for Windows 10 devices, followed by an overview of the requirements to enable auto-enrollment for Windows 10 devices. I’ll end this post with how to verify the results of a successful auto-enrollment.
Let’s start by looking at an introduction to automatic MDM enrollment of Windows 10 devices, or, more precisely, at what will happen when configuring automatic enrollment. Automatic enrollment relies on the presence of an MDM service in Azure Active Directory and on the Azure Active Directory registration of the Windows 10 device. Starting with Windows 10, version 1607, once an organization has registered its Active Directory with Azure Active Directory, a Windows 10 device that is Active Directory domain joined is automatically Azure Active Directory registered.
Note: In Windows 10, version 1709, when the same setting is configured via Group Policy and via MDM, the Group Policy setting wins. This might change in future releases of Windows 10.
Before starting with the configuration, let’s start by having a look at the list of requirements that must be in place to facilitate the auto-enroll configuration.
- Active Directory is integrated with Azure Active Directory;
- MDM service is configured in Azure Active Directory;
- Device is running Windows 10, version 1709, or later;
- Device is Active Directory joined;
- Device is Azure Active Directory registered.
As the main focus of my posts is on the management of the devices, let’s highlight the configuration requirement of the MDM service in Azure Active Directory.
1. Open the Azure portal and navigate to Azure Active Directory > Mobility (MDM and MAM);
2. On the Mobility (MDM and MAM) blade, click Add application to add the applicable MDM app. As I’m using Microsoft Intune, the MDM app was already added and preconfigured;
3. Select the MDM app, in my case Microsoft Intune, and make sure the settings are configured.
Now let’s have a look at the main configuration of this post, the configuration of the required Group Policy setting. It’s actually quite simple, but it’s all about being aware. Simply install the latest ADMX-files for Windows 10, version 1709, or later and perform at least the following 3 steps.
Once the configuration of the Group Policy is done, and the policy is enabled and linked, it’s time to look at the results. The following 3 locations on the local Windows 10 device are the easiest places to look for a successful auto-enrollment.
Note: The Windows 10 device can also be located in the Azure Active Directory. However, I thought that providing the information above gives more insight into what actually happens. Besides that, a screenshot of a Windows 10 device in Azure Active Directory is simply boring.
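To make both the policy check and the result check concrete, here is an added PowerShell example (an addition to this page, not code from the original post) that inspects the local device for the Group Policy registry value, the scheduled enrollment task, the DeviceManagement event log and the dsregcmd join state. The registry path and value name (AutoEnrollMDM), the task folder (\Microsoft\Windows\EnterpriseMgmt\), the event log name and the success event ID 75 are assumptions based on what Windows 10, version 1709 and later, is known to use; the failure event ID 76 is the one quoted in the comments below. Verify the names against your own ADMX files before relying on the script.

```powershell
# Added example, not from the original post: local checks for GPO-based MDM auto-enrollment.
# All registry, task, log and event-ID names below are assumptions (see lead-in); adjust if
# your Windows build uses different ones. Run in an elevated PowerShell session.

function Get-AutoEnrollPolicy {
    # The "Enable automatic MDM enrollment using default Azure AD credentials" policy is
    # assumed to write AutoEnrollMDM = 1 under this key; the absence of the value means
    # the GPO never applied (compare with RSOP.msc / gpresult).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $value = Get-ItemProperty -Path $key -Name 'AutoEnrollMDM' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Group Policy registry value'
        Result = if ($value -and $value.AutoEnrollMDM -eq 1) { 'Configured' } else { 'Missing' }
    }
}

function Get-AutoEnrollTask {
    # The enrollment client is assumed to create its retry task under this folder.
    # No task here usually means the policy was not picked up at all.
    $tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'Scheduled enrollment task'
        Result = if ($tasks.Count -gt 0) { "Present ($($tasks.Count) task(s), state: $($tasks[0].State))" } else { 'Missing' }
    }
}

function Get-AutoEnrollEvents {
    # Event ID 76 is "Auto MDM Enroll: Failed" (quoted in the comments); 75 is assumed to be
    # the matching "Succeeded" event. The newest event tells you the current outcome.
    $log    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $latest = $events | Select-Object -First 1
    [pscustomobject]@{
        Check  = 'DeviceManagement event log (ID 75/76)'
        Result = if ($latest) { "$($latest.TimeCreated) ID $($latest.Id): $($latest.Message)" } else { 'No enrollment events yet' }
    }
}

function Get-DsregJoinState {
    # dsregcmd /status prints "Name : Value" lines; AzureAdJoined and DomainJoined both YES
    # means the device is hybrid joined, and an MdmUrl means the MDM service in Azure AD was found.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    $hybrid = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    [pscustomobject]@{
        Check  = 'dsregcmd /status'
        Result = "HybridJoined=$hybrid; MdmUrl=" + $(if ($fields['MdmUrl']) { $fields['MdmUrl'] } else { '<empty>' })
    }
}

function Test-AutoMdmEnrollment {
    # Runs all four checks and returns them as one table for quick triage.
    @(Get-AutoEnrollPolicy; Get-AutoEnrollTask; Get-AutoEnrollEvents; Get-DsregJoinState) |
        Format-Table -AutoSize -Wrap
}

Test-AutoMdmEnrollment
```

A device that shows the policy value and the task but only ID 76 events with an empty MdmUrl is the situation several commenters describe below: the device is registered with Azure AD but has not found the MDM service yet, so the fix is on the Azure AD / Intune side rather than on the GPO side.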
For more information about automatically enrolling Windows 10 devices using GPO, please refer to this article: Enroll a Windows 10 device automatically using Group Policy.
65 thoughts on “Auto-enroll Windows 10 devices using Group Policy”
I have followed this and a few other articles but I am still stuck with error 0x8018002b.
The only info I could find is this: however I already have set MAM to None and MDM to All Users
I’ve got 2 questions:
1. Did you log on to the device with a user with an Intune license assigned?
2. Did you check the Event Viewer for more information?
Can we auto-enroll Windows 10 devices without GPO? Apparently, with windows 10 1709 & AD Connect, it’s possible.. Do you know something about that?
Depends on the scenario. This Group Policy configuration is focused on devices that are already domain joined (on-premises).
I did the autojoin now with my domain joined W10 1709 machine, but when I look at it in Intune, no user is associated to the machine. Is this by design? How do I then use Intune to give user apps and/or settings?
In my cases, the auto-registration registered the device with the logged on user.
We’re using this setup for our Win10 devices, but unfortunately we have some machines that were non-compliant and they weren’t fixed before time, so they have been removed from Intune.
Machines are still available within AAD.
Machines have been brought back to full compliance, how do we re-add those in Intune?
How did you remove those devices?
Do you know how to manage Win10 devices without MDM?
If you know, please tell me.
Yes! What are you trying to achieve?
I have been testing with already domain joined machines. What I experience is that when I join the domain it pulls into Azure InTune as EAS managed. What I want is for the machine/user to register as MDM managed.
Are those devices already managed by ConfigMgr?
I have ADFS 3.0 set up in my environment to auto join devices to Azure AD. So my local domain devices are joined as Hybrid Joined. This was set up so we could bypass conditional access. Devices were not auto joined to Intune.
Now, I configured the GPO to auto join the devices to MDM also and it looks like it’s working fine.
The issue I have is that after enrollment PIN does not work. We have Windows Hello configured on Intune, and that config is pushed to domain joined devices once they are enrolled. Users are prompted to set up PIN and fingerprint but they cannot use the fingerprint. They get an error message “Unable to contact your server”. We don’t have Win Hello on prem configured.
Have you seen this issue before or do you have any suggestion how to bypass it?
Any suggestion on what the best practice is for adding domain joined devices to Intune will be greatly appreciated.
I would either (temporarily) disable the Windows Hello for Business enrollment, or directly configure the on-premises requirements for Windows Hello for Business for the on-premises devices.
I use the auto-enrollment scenario for domain joined computers. Intune is set up to standalone. My device is joined to Azure AD (connect type Hybrid Join) with success, device is enrolled to Intune but without user assignment. When I open Company Portal I see “This device hasn’t been set up for corporate use yet….” When I try to assign I see the message that “device is already being managed by an organization”. In the Intune console I see this device and MDM is enabled. What can I do to assign a user to the device?
Is that the same user that was logged on during the automatic enrollment?
Thanks for an excellent blog post. I’ve got automatic MDM enrollment working. Is there a way to push Company Portal to the PC?
Yes, you can use Intune (in combination with WSfB) to also deploy the Company Portal app.
And thanks for the excellent post. We got this working, however if the user has MFA enabled, there is no prompt to complete authentication. Any ideas?
If I’m not mistaken, I received a notification about an additional action.
Thanks. For some reason the notification is not coming up with our MFA enabled users. We do receive plenty of error messages to Event Viewer (Microsoft -> Windows -> AAD -> Operational ) : “Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access…”. The notification is just not coming up.
That’s right. For some reason we do not receive the additional action notification, even though we can see from event viewer that there are authentication attempts.
Do you actually require MFA for enrollment?
Sometimes the solution is closer than we think… The key here was the “notification”. There was another GPO (I was not aware of) that was blocking majority of the notifications in the Action Center. I disabled this policy, and now I can enroll machines with the MFA requirement as well.
That explains a lot Henri! Thank you for letting us know!
Got a problem with auto enrollment. I get the following error: “Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b). ”
Saw someone else in this thread getting the same error.
This has happened to about 75% of our devices, the weird thing is that 25% have been enrolled to Intune with no problem (took a while, though). I can’t seem to find anything else in Event Viewer than the error message above.
I’ve made sure the user got an Intune license, Intune is set as MDM authority, MAM set to None. The devices are being Hybrid joined with no problem as well..
Could it be that MFA is enabled for those users?
Yes MFA is enabled for all users.
Could it be that those users are prompted for the MFA challenge?
Same thing as Stefan – error code 0x8018002b. I’ve successfully run through these same steps before on the same machine and same user. The first two times worked fine. This is the third time I’ve reset it for testing, and now suddenly I can’t auto-enroll it via GPO.
I did not ever receive the MFA prompt in the first two – I’m fairly certain it used my Hello for Business credential for MFA.
I’m at a loss for what to do, and MS Support has not yet responded.
I’m sorry, but I’m also out of ideas… no weird errors in the Event Viewer? Also, if you have premium support, you might want to use that.
When you solve it, I’m really curious!
Talking to MS Support, it looks like some part of the device information hadn’t propagated into the cloud. The device successfully enrolled about 2 days after the task kicked in (and had been running every 5 minutes). I have no idea what caused this, and I am hesitant to recommend this as deployment until I can figure out the root cause.
I had a very not-helpful call with support today about it, but the issue seems to be on the AzureAD registration side for the device. To be fair, it had recently Hybrid Azure AD joined, so maybe something on the backend was slow.
As a side note, MFA is not required for enrollment at the moment, so that’s out of the question.
Thank you for the update, Nathan! I assume that the call isn’t closed yet, as there is no root cause determined yet.
Hi Andris Brigers,
I’ve been having issues with this feature also. As with all Intune features it’s hit and miss. It never works as expected. I’ve been trying to implement Intune for 2 years now and it’s always something that will go wrong out of the blue. And the support is a joke. It will take months before it escalates to someone that knows anything about Intune.
Back to your issue 🙂 . I had a few cases when I got that error message. In some cases that error came as soon as the GP was applied and in other cases it just appeared after a few weeks. The device is enrolled and all good when all of a sudden you open the Company Portal app and the device is not listed. It asks you to enroll again.
The only solution I have found so far has been on running dsregcmd.exe as the system account on the affected machine ( I use psexec to open cmd as system account.)
Once that was done everything magically worked back as expected. Give it a try.
Hi Nathan and Peter.
I am getting the exact same issue. EventID 76 “Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b). ”
My devices are showing as Hybrid Joined in Azure AD and none when I look to see who they are managed by.
I can’t see that I am doing anything wrong.
Have you seen this post: https://social.technet.microsoft.com/Forums/exchange/en-US/d2bda796-eef4-452a-b622-7c7463218555/mdm-enrollment-error-0x8018002b-on-windows-10-1709?forum=microsoftintuneprod
“Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)”
Start > Settings > Accounts > Access work or school account:
The Info button is missing
Sounds like the device is registered with Azure AD, but couldn’t find the MDM service. See the earlier mentioned post for some more information.
So I’m digging into Azure AD Join and Azure AD Registration for the first time and I feel that I am getting some mixed messages. My searches have led me here and I’m hoping you may be able to clarify some things for me. I see articles that state Azure AD Join allows SSO with cloud based apps while Azure AD Registration allows SSO with cloud and on-premises systems. Where I’m running into conflict is that I’ve read articles where they say Azure AD Join also provides the same benefits of Azure AD Registration in regards to on-premises systems. Is this true? We are going to be using Microsoft Intune as our MDM, and if we have to create a policy to force Azure AD Registration, I would prefer to do that through Intune and not GPO – is that possible?
Appreciate any input you have or just pointing me somewhere else if needed.
All current versions of Windows 10 automatically register with Azure AD (see for a lot more details: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control).
For some great details about your other question, have a look here: https://jairocadena.com/2016/01/18/how-domain-join-is-different-in-windows-10-with-azure-ad/
Thank you for this. I’ve been told that I have to do Azure AD Join AND Azure AD Registration – but this confirms that I only need to worry about Azure AD Join.
The good thing is that it’s not even possible to Azure AD join and Azure AD register the same device.
Thank you for this information. We have been able to get single-user devices enrolled and have plans to enable this for our existing users, however, I am confused on how to enroll existing multi-user devices in a hybrid scenario without configuration manager. Is there a way to generate a bulk-enrollment package for a hybrid-join to push out to existing multi-user devices or do we need to somehow use a DEM for this situation?
What’s the behavior that you’re seeing?
Thanks for the response. I am not sure how to answer the question as I have no idea how multi-user auto-enrollment should even work for devices already in production. For now the windows 10 devices that are multi-use (and have users logging in that don’t have the ability to enroll) get the same error in event viewer that a device who hasn’t had anyone (with the ability to enroll) login (Auto MDM enroll: Failed – 0x8018002b). My assumption is that if Microsoft’s solution for enrolling multi-user devices is a Device Enrollment Manager, then there has to be way to enroll these devices without manually logging into every one, am I assuming too much?
To my knowledge the MDM enrollment requires a licensed user to logon to the device. Agree, that it’s not a multi-user device solution…
Has anyone seen the following Auto MDM Enroll error: “The system tried to delete the JOIN of a drive that is not joined”? I have a Windows 10 1709 device I am trying to hybrid Azure AD Join. I have configured Hybrid Azure AD Join on the AAD Connect and have also enabled the GPO for Auto MDM Enrollment.
Just to understand, you’re trying to hybrid Azure AD join those devices?
Yes, I was trying to hybrid Azure AD Join a Windows 10 1709 device. It looked like this was a timing issue. My client let it sit overnight and then the device was able to join.
Thank you for letting me know, Melissa!
When I update GP on those devices, I get the following error: “Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”
Did you check the Event Viewer?
Our environment is setup to meet all the requirements but the tasks failed in Task Scheduler with the following: Auto MDM Enroll: Failed (0x8018002B). Even logs > DeviceManagement shows the same error message.
A bit more about our environment:
– We are using OKTA for MFA and SSO
- On-prem AD with Hybrid Connect configured with xxxx.onmicrosoft.com as SCP. I did notice an option to add xxxx.okta.com to the SCP configuration as well – but I’m not sure if this is required.
- When a user clicks on Enroll only in Device Management it enrolls without any issues
What do you think is the issue?
Is a manual MDM enrollment successful?
I get the error message, too:
“Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”
The message is because the device is still registered in Intune but the (gpupdate) process tries to register the device again.
It is expected behavior (Microsoft):
I have removed the group policy but the warning message still remains.
Does anyone have a solution to get rid of this message when using gpupdate?
Have you verified if the related (to the GPO) setting is actually removed?
Hi Peter, Our Scenario is :
Auto Enrollment is not happening at all.
Win 10 version 1803
1. I am configuring the GPO for Auto Enrollment on the Win 10 device locally, just to check whether the device will auto enroll or not. The result is: no task creation in Task Scheduler, Event ID 76 coming with the statement “Auto MDM Enroll: Device Credential (0x0), Failed (The background task activation is spurious.)”, and when I ran RSOP.msc there was no Auto Enroll policy showing. Is it normal that the policy will not show in RSOP?
2. My question is: when I am configuring the GPO locally on the system for Auto Enroll and nothing is happening, do we have to configure it from domain level and check?
3. My Intune settings are OK, I have checked. The user we use to log in on the systems has been granted EMS + E3 licenses, device auto enrollment is also enabled with MDM and None in MAM.
4. Enrollment restriction is also not there for Windows devices.
5. Manual enrollment is happening fine, we have done it through Settings >> Accounts >> Access work or school…………
This is something strange happening. Can you please shed some light on it?
I haven’t seen that specific error message before. To my knowledge that policy setting only configures a registry key that will trigger everything. So even creating that registry key should be sufficient. For some more troubleshooting tips have a look at this article: https://support.microsoft.com/en-us/help/4494359/how-to-configure-windows-10-group-policy-based-auto-enrollment-in-intu
GPO enrollment to Intune fails because ADFS prompts each time. Seen when enrolling manually. When it fails to automatically enroll via GPO settings, event ID 76 says: Auto MDM Enroll: Device Credential (0x0), Failed (The system tried to delete the JOIN of a drive that is not joined.)
Devices are in Azure AD already (joined).
How to bypass the ADFS prompt in the process?
What is ADFS prompting for? MFA?
Can MFA be enabled/enforced for a Hybrid Azure AD join?
Does the user need to be local admin or is it possible without?
Thanks in advance!
What is it that you’re trying to achieve?
Oh sorry! I’m trying to achieve a hybrid Azure AD connection with our AD domain.
I got it working, but only when the user is local admin.
With MFA as well, I receive a popup that the work or school account isn’t correct; when clicking on it MFA is prompted and when accepting everything works.
Do you know if it’s possible to achieve this without local admin rights?
The MFA is probably related to CA. Also, the hybrid join should be possible. What version of Windows 10 are you using with what configuration?