Auto-enroll Windows 10 devices using Group Policy

This week is all about creating awareness for the automatic MDM enrollment feature, using Group Policy, that was introduced in Windows 10, version 1709. In some scenarios that might not sound very interesting, especially when looking at cloud-only scenarios. However, this feature is very interesting in scenarios where organizations want to move to the cloud. Think about co-management. Co-management helps organizations slowly move their device management capabilities to the cloud, by allowing multiple device management agents on a single device. Microsoft just released co-management in Microsoft Intune, and co-management is also available in the latest Technical Preview releases of Configuration Manager. So, imagine a scenario in which a device that is currently managed by Configuration Manager receives a Group Policy setting to also auto-enroll the device in Microsoft Intune. Very helpful in the transition to the cloud.

In this post I’ll provide a short introduction to auto-enrollment for Windows 10 devices, followed by an overview of the requirements to enable auto-enrollment for Windows 10 devices. I’ll end this post by showing how to verify the results of a successful auto-enrollment.

Introduction

Let’s start with an introduction to automatic MDM enrollment of Windows 10 devices, or rather, a description of what happens when automatic enrollment is configured. Automatic enrollment relies on the presence of an MDM service in Azure Active Directory and on the Azure Active Directory registration of the Windows 10 device. Starting with Windows 10, version 1607, once an organization has registered its Active Directory with Azure Active Directory, a Windows 10 device that is Active Directory domain joined is automatically Azure Active Directory registered.

When the auto-enroll Group Policy is enabled, a scheduled task is created that initiates the MDM enrollment. That scheduled task starts deviceenroller.exe with the AutoEnrollMDM parameter, which uses the existing MDM service configuration, taken from the Azure Active Directory information of the user, to auto-enroll the Windows 10 device. If multi-factor authentication is required, the user gets a prompt to complete the authentication. Once the enrollment is completed, the scheduled task is removed and a folder is created with the “standard” MDM-related tasks.

Note: In Windows 10, version 1709, when the same setting is configured via Group Policy and via MDM, the Group Policy setting wins. This might change in future releases of Windows 10.

Requirements

Before starting with the configuration, let’s have a look at the list of requirements that must be in place to facilitate the auto-enroll configuration.

  • Active Directory is integrated with Azure Active Directory;
  • MDM service is configured in Azure Active Directory;
  • Device is running Windows 10, version 1709, or later;
  • Device is Active Directory joined;
  • Device is Azure Active Directory registered.

Since the main focus of my posts is on the management of the devices, let’s highlight the configuration requirement of the MDM service in Azure Active Directory.

1 Open the Azure portal and navigate to Azure Active Directory > Mobility (MDM and MAM);
2 On the Mobility (MDM and MAM) blade, click Add application to add the applicable MDM app. As I’m using Microsoft Intune, the MDM app was already added and preconfigured;
3 Select the MDM app, in my case Microsoft Intune, and make sure the settings are configured.

Configuration

Now let’s have a look at the main configuration of this post, the configuration of the required Group Policy setting. It’s actually quite simple, but it’s all about being aware of it. Simply install the latest ADMX files for Windows 10, version 1709, or later, and perform at least the following 3 steps.

1 Create a new GPO, or open an existing GPO, in the Group Policy Management Editor and navigate to Administrative Templates > Windows Components > MDM;
2 Open the Auto MDM Enrollment with AAD Token setting, select Enabled and click OK;
3 Make sure the GPO is linked to the correct OU.

Result

Once the configuration of the Group Policy is done, and the policy is enabled and linked, it’s time to look at the results. The following 3 locations on the local Windows 10 device are the easiest places to look for a successful auto-enrollment.

  • Event Viewer – The first place to look for a success is the Event Viewer. The Event Viewer contains a specific location for device management related events. That location can be found at Microsoft > Windows > DeviceManagement-Enterprise > Diagnostics > Provider > Admin. That location should show Event ID: 75, with the message “Auto MDM Enroll: Succeeded”.
  • Task Scheduler – The next place to look for a success is the Task Scheduler. The Task Scheduler contains a specific location for device management tasks. That location can be found at Microsoft > Windows > EnterpriseMgmt. That location previously contained a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”. After a successful auto-enrollment, that task should be gone and a folder with a GUID name should show.
  • Settings – Another place to look for a success is the Settings panel. The Settings panel contains a location that provides information about the connected work and school environments. That location can be found via Start > Settings > Accounts > Access work or school. Without a successful auto-enrollment it simply shows a connected Active Directory domain. Once the auto-enrollment is successful, the connected Active Directory domain can be selected and the Info button can be used to see the MDM enrollment information.
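To check the scheduled task from the introduction, the policy from the Configuration section and the three result locations above from a script rather than by clicking through the consoles, here is an added PowerShell example. It is the editor’s code, not code from the original post. It assumes that the Auto MDM Enrollment with AAD Token setting writes the DWORD value AutoEnrollMDM under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM (an assumption; the post does not state the registry mapping), reads the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log for Event ID 75 (success) and 76 (failure, as reported in the comments), lists the EnterpriseMgmt task folder, and uses dsregcmd /status for the AD and Azure AD join state.

```powershell
# Added verification script (editor's example, not code from the original post).
# Checks the local markers of Windows 10 auto MDM enrollment described in the post.
# The policy registry path/value name (AutoEnrollMDM) is the editor's assumption
# of what the ADMX setting writes. Run from an elevated PowerShell session.

function Get-AutoMdmEnrollmentState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{}

    # 1. Policy: assumed registry mapping of "Auto MDM Enrollment with AAD Token".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $state.PolicyApplied = [bool]($policy -and $policy.AutoEnrollMDM -eq 1)

    # 2. Join state: dsregcmd /status prints one "Name : YES/NO" line per property.
    $dsreg = & dsregcmd.exe /status 2>$null
    $state.DomainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $state.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # 3. Task Scheduler: while enrollment is pending, the enrollment client's task
    #    (deviceenroller.exe with the AutoEnrollMDM parameter) sits directly under
    #    \Microsoft\Windows\EnterpriseMgmt; after success it is gone and a folder
    #    named with the enrollment GUID holds the standard MDM tasks.
    $mgmtTasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' })
    $pending = @($mgmtTasks |
        Where-Object { $_.TaskName -like '*automatically enrolling in MDM from AAD*' })
    $state.EnrollmentTaskPending = ($pending.Count -gt 0)
    $state.EnrollmentTaskAction  = ($pending | ForEach-Object { $_.Actions } |
        ForEach-Object { '{0} {1}' -f $_.Execute, $_.Arguments }) -join '; '
    $state.EnrollmentGuidFolders = @($mgmtTasks |
        ForEach-Object { ($_.TaskPath -split '\\')[4] } |
        Where-Object { $_ -match '^[0-9A-Fa-f-]{36}$' } |
        Sort-Object -Unique)

    # 4. Event log: ID 75 "Auto MDM Enroll: Succeeded", ID 76 "Auto MDM Enroll: Failed (...)".
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $latest = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($latest) {
        $state.LastEnrollmentEvent = '{0:u} Id={1}: {2}' -f $latest.TimeCreated, $latest.Id,
            (($latest.Message -split "`r?`n")[0])
        $state.EnrollmentSucceeded = ($latest.Id -eq 75)
    } else {
        $state.LastEnrollmentEvent = 'no Auto MDM Enroll events found'
        $state.EnrollmentSucceeded = $false
    }

    [pscustomobject]$state
}

$s = Get-AutoMdmEnrollmentState
$s | Format-List

# Triage in the order the post's requirements impose: policy, join state, task, event.
if (-not $s.PolicyApplied) {
    Write-Warning 'AutoEnrollMDM policy value not present: check the GPO link and scope (gpresult /r).'
} elseif (-not ($s.DomainJoined -and $s.AzureAdJoined)) {
    Write-Warning 'Device is not both AD joined and Azure AD registered: enrollment cannot start.'
} elseif ($s.EnrollmentTaskPending) {
    Write-Warning 'Enrollment task is still scheduled: enrollment has not completed (MFA prompt pending?).'
} elseif ($s.EnrollmentSucceeded) {
    Write-Output 'Auto MDM enrollment succeeded (Event ID 75).'
} else {
    Write-Warning "No success event yet. Last event: $($s.LastEnrollmentEvent)"
}
```

The triage order matches the dependency chain the post describes: without the policy no task is created, without the AD plus Azure AD join the task has no token to enroll with, and only once the task has disappeared does Event ID 75 (or a GUID-named task folder) confirm the enrollment. A device that keeps the pending task and logs Event ID 76 is the case the comments report; the script surfaces the first line of that event’s message so the error code is visible without opening the Event Viewer.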

Note: The Windows 10 device can also be located in Azure Active Directory. However, I think the information above provides more insight into what actually happens. Besides that, a screenshot of a Windows 10 device in Azure Active Directory is simply boring.

More information

For more information about automatically enrolling Windows 10 devices using GPO, please refer to the article Enroll a Windows 10 device automatically using Group Policy.

65 thoughts on “Auto-enroll Windows 10 devices using Group Policy”

  1. Hi,
    Can we auto-enroll Windows 10 devices without GPO? Apparently, with Windows 10 1709 & AD Connect, it’s possible. Do you know something about that?
    Thank you

    Reply
  2. Hi Peter!
    I did the autojoin now with my domain joined W10 1709 machine, but when I look at it in Intune, no user is associated to the machine. Is this by design? How do I then use Intune to give user apps and/or settings?

    Reply
  3. Hi Peter,

    We’re using this setup for our Win10 devices, but unfortunately we have some machines that were non-compliant and they weren’t fixed in time, so they have been removed from Intune.

    Machines are still available within AAD.

    Machines have been brought back to full compliance, how do we re-add those in Intune?

    Reply
  4. Hi Peter,

    I have been testing with already domain joined machines. What I experience is that when I join the domain it pulls into Azure InTune as EAS managed. What I want is for the machine/user to register as MDM managed.

    Any ideas?

    Mike

    Reply
  5. Hi Peter,

    I have ADFS 3.0 set up in my environment to auto join devices to Azure AD. So my local domain devices are joined as Hybrid Joined. This was set up so we could bypass conditional access. Devices were not auto joined to Intune.
    Now, I configured the GPO to auto join the devices to MDM also and it looks like it’s working fine.

    The issue I have is that after enrollment PIN does not work. We have Windows Hello configured in Intune, and that config is pushed to domain joined devices once they are enrolled. Users are prompted to set up PIN and fingerprint but they cannot use the fingerprint. They get an error message “Unable to contact your server”. We don’t have Win Hello on-prem configured.

    Have you seen this issue before or do you have any suggestion how to bypass it?
    Any suggestion on what the best practice is for adding domain joined devices to Intune will be greatly appreciated.

    Thanks,
    Egert

    Reply
    • Hi Eg,
      I would either (temporarily) disable the Windows Hello for Business enrollment, or directly configure the on-premises requirements for Windows Hello for Business for the on-premises devices.
      Regards, Peter

      Reply
  6. Hi,
    I use the auto-enrolment scenario for a domain joined computer. Intune is set up as standalone. My device is joined to Azure AD (connect type Hybrid Join) with success, the device is enrolled to Intune but without user assignment. When I open the Company Portal I see “This device hasn’t been set up for corporate use yet….”. When I try to assign I see the message that “device is already being managed by an organization”. In the Intune console I see this device and MDM is enabled. What can I do to assign the user to the device?

    Reply
  7. Thanks for an excellent blog post. I’ve got automatic mdm enrollment working. Is there a way to push company portal to the pc ?

    Reply
  8. Hi,

    And thanks for the excellent post. We got this working, however if the user has MFA enabled, there is no prompt to complete authentication. Any ideas?

    Regards,

    Henri

    Reply
  9. Hi Peter,

    Thanks. For some reason the notification is not coming up with our MFA enabled users. We do receive plenty of error messages to Event Viewer (Microsoft -> Windows -> AAD -> Operational ) : “Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access…”. The notification is just not coming up.

    Br,

    Henri

    Reply
  10. Hi Peter,

    That’s right. For some reason we do not receive the additional action notification, even though we can see from event viewer that there are authentication attempts.

    Br,

    Henri

    Reply
  11. Hi.

    Got a problem with auto enrollment. I get the following error: “Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b). ”
    Saw someone else in this thread getting the same error.

    This has happened to about 75% of our devices; the weird thing is that 25% have been enrolled to Intune with no problem (took a while, though). I can’t seem to find anything else in Event Viewer than the error message above.
    I’ve made sure the user got an Intune license, Intune is set as MDM authority, MAM set to None. The devices are being Hybrid joined with no problem as well..
    Any tips?

    Reply
  12. Hi Peter,

    Same thing as Stefan – error code 0x8018002b. I’ve successfully run through these same steps before on the same machine and same user. The first two times worked fine. This is the third time I’ve reset it for testing, and now suddenly I can’t auto-enroll it via GPO.

    I did not ever receive the MFA prompt in the first two – I’m fairly certain it used my Hello for Business credential for MFA.

    I’m at a loss for what to do, and MS Support has not yet responded.

    Reply
    • Hi Nathan,
      I’m sorry, but I’m also out of ideas… no weird errors in the Event Viewer? Also, if you have premium support, you might want to use that.
      When you solve it, I’m really curious!
      Regards, Peter

      Reply
      • Hey Peter,

        Talking to MS Support, it looks like some part of the device information hadn’t propagated into the cloud. The device successfully enrolled about 2 days after the task kicked in (and had been running every 5 minutes). I have no idea what caused this, and I am hesitant to recommend this as deployment until I can figure out the root cause.

        I had a very not-helpful call with support today about it, but the issue seems to be on the AzureAD registration side for the device. To be fair, it had recently Hybrid Azure AD joined, so maybe something on the backend was slow.

        As a side note, MFA is not required for enrollment at the moment, so that’s out of the question.

        Reply
  13. Hi Andris Brigers,

    I’ve been having issues with this feature also. As with all Intune features it’s hit and miss. It never works as expected. I’ve been trying to implement Intune for 2 years now and it’s always something that will go wrong out of the blue. And, the support is a joke. It will take months before it escalates to someone that knows anything about Intune.

    Back to your issue 🙂 . I had a few cases when I got that error message. In some cases that error came as soon as the GP was applied and in other cases it just appeared after a few weeks. The device is enrolled and all good when all of a sudden you open the Company Portal app and the device is not listed. It asks you to enroll again.

    The only solution I have found so far has been running dsregcmd.exe as the system account on the affected machine (I use psexec to open cmd as the system account).
    Once that was done everything magically worked as expected. Give it a try.

    Thanks,
    Egert

    Reply
  14. Hi Nathan and Peter.

    I am getting the exact same issue. EventID 76 “Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b). ”

    My devices are showing as Hybrid Joined in Azure AD and none when I look to see who they are managed.

    I can’t see that I am doing anything wrong.

    Reply
  15. Hi Peter,

    So I’m digging into Azure AD Join and Azure AD Registration for the first time and I feel that I am getting some mixed messages. My searches have led me here and I’m hoping you may be able to clarify some things for me. I see articles that state Azure AD Join allows SSO with cloud based apps while Azure AD Registration allows SSO with cloud and on-premises systems. Where I’m running into conflict is that I’ve read articles where they say Azure AD Join also provides the same benefits of Azure AD Registration in regards to on-premises systems. Is this true? We are going to be using Microsoft Intune as our MDM, and if we have to create a policy to force Azure AD Registration, I would prefer to do that through Intune and not GPO – is that possible?

    Appreciate any input you have or just pointing me somewhere else if needed.

    Reply
  16. Peter,

    Thank you for this information. We have been able to get single-user devices enrolled and have plans to enable this for our existing users, however, I am confused on how to enroll existing multi-user devices in a hybrid scenario without configuration manager. Is there a way to generate a bulk-enrollment package for a hybrid-join to push out to existing multi-user devices or do we need to somehow use a DEM for this situation?

    Reply
  17. Peter,

    Thanks for the response. I am not sure how to answer the question as I have no idea how multi-user auto-enrollment should even work for devices already in production. For now the Windows 10 devices that are multi-user (and have users logging in that don’t have the ability to enroll) get the same error in Event Viewer as a device that hasn’t had anyone (with the ability to enroll) log in (Auto MDM enroll: Failed – 0x8018002b). My assumption is that if Microsoft’s solution for enrolling multi-user devices is a Device Enrollment Manager, then there has to be a way to enroll these devices without manually logging into every one; am I assuming too much?

    Reply
  18. Has anyone seen the following Auto MDM Enroll error: “The system tried to delete the JOIN of a drive that is not joined”? I have a Windows 10 1709 device I am trying to hybrid Azure AD Join. I have configured Hybrid Azure AD Join on the AAD Connect and have also enabled the GPO for Auto MDM Enrollment.

    Reply
  19. Hi peter,

    When I update GP on those devices, I get the following error: “Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”

    Reply
  20. Hi Peter,

    Our environment is setup to meet all the requirements but the tasks failed in Task Scheduler with the following: Auto MDM Enroll: Failed (0x8018002B). Even logs > DeviceManagement shows the same error message.

    A bit more about our environment:

    – We are using OKTA for MFA and SSO

    – On-prem AD with Hybrid Connect configured with xxxx.onmicrosoft.com as SCP. I did notice an option to add xxxx.okta.com to the SCP configuration as well, but I’m not sure if this is required.

    – When a user click on Enroll only in Device Management it enrolls without any issues

    What do you think is the issue?

    Reply
  21. Hello,

    i get the error message, too:
    “Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.”

    The message is because the device is still registered in Intune but the (gpupdate) process tries to register the device again.

    It is expected behavior (Microsoft):
    https://support.microsoft.com/en-gb/help/4456826/windows-failed-to-apply-the-mdm-policy-settings-gpupdate

    I have removed the group policy but the warning message still remains.

    Does someone have a solution to get rid of this message when using gpupdate?

    Thanks
    Greetings
    Maik

    Reply
  22. Hi Peter, Our Scenario is :
    Auto Enrollment is not happening at All.
    Win 10 version 1803
    1. GPO for Auto Enrollment I am configuring on the Win 10 device Locally, just to check whether device will Auto Enroll or not. so the result coming as : No Task creation in Task Scheduler, Event id 76 coming with the statement : “Auto MDM Enroll: Device Credential (0x0), Failed (The background task activation is spurious.)”, and when I ran RSOP.msc there was no Auto Enroll policy showing, so for the policy is this normal that the policy will not show in rsop ?
    2. My question is : So when I am configuring the GPO locally on the system for the Auto Enroll, and nothing is happening, do we have to configure it from Domain Level and check ?
    3. My Intune Settings are ok, I have checked… The user through which we log in on the systems has been granted EMS + E3 licenses, device auto-enrollment is also enabled with MDM and None in MAM.
    4. Enrollment restriction is also not there for Windows devices.
    5. Manual Enrollment is happening fine, we have done it through Settings >> Accounts >> Access work or school…………
    This is something strange happening. Can you please put your light on it.

    Reply
  23. GPO enrollment to InTune fails because ADFS prompts each time. Seen when enrolling manually. When it fails to automatically enroll via gpo settings, event ID 76 says: Auto MDM Enroll: Device Credential (0x0), Failed (The system tried to delete the JOIN of a drive that is not joined.)
    Devices are in Azure AD already (joined) .
    How to bypass the ADFS prompt in the process?

    Reply
  24. Hi Peter,

    2 questions:

    Can MFA be enabled/enforced for a Hybrid Azure AD join?
    Does the user need to be local admin or is it possible without?

    Thanks in advance!

    Reply
      • Hi Peter,

        Oh sorry! I’m trying to achieve a hybrid Azure AD connection with our AD domain.
        I got it working, but only when the user is local admin.
        With MFA as well, I receive a popup that the work or school account isn’t correct; when clicking on it MFA is prompted and when accepting everything works.

        Do you know if it’s possible to achieve this without local admin rights?

        Reply
