Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.

The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.

Requirements:

  • AD-joined PC running Windows 10, version 1709 or later
  • The enterprise has configured a mobile device management (MDM) service
  • The enterprise AD must be registered with Azure Active Directory (Azure AD)
  • The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with error 0x80180026)
  • The minimum Windows Server version requirement is based on the Hybrid AAD join requirement.

The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.

When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.

In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. 

For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.

Verify auto-enrollment requirements and settings

To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service:

  1. Verify that the user who is going to enroll the device has a valid Intune license.
    Intune license verification

  2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune.
    Auto-enrollment activation verification

     Important

    For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.

    For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.



  3. Verify that the device OS version is Windows 10, version 1709 or later.

  4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is  hybrid Azure AD joined, run  dsregcmd /status from the command line.
    You can confirm that the device is properly hybrid-joined if both AzureAdJoined and DomainJoined are set to YES.
    Auto-enrollment device status result
    Additionally, verify that the SSO State section displays AzureAdPrt as YES.
    Auto-enrollment Azure AD prt verification
    This information can also be found on the Azure AD device list.
    Azure AD device list

  5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
    MDM discovery URL

  6. Some tenants might have both Microsoft Intune and Microsoft Intune Enrollment under Mobility. Make sure that your auto-enrollment settings are configured under Microsoft Intune instead of Microsoft Intune Enrollment.
    Mobility setting MDM intune

  7. Verify that the Enable Automatic MDM enrollment using default Azure AD credentials group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.

  8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).

  9. Verify that Azure AD allows the logon user to enroll devices. Azure AD device settings

  10. Verify that Microsoft Intune should allow enrollment of Windows devices. Enrollment of Windows devices

Configure the auto-enrollment Group Policy for a single PC

This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the Group Policy Management Console process.

Requirements:

  • AD-joined PC running Windows 10, version 1709 or later
  • Enterprise has MDM service already configured
  • Enterprise AD must be registered with Azure AD

  1. Run GPEdit.msc
    Click Start, then in the text box type gpedit.
    GPEdit desktop app search result

  2. Under Best match, click Edit group policy to launch it.

  3. In Local Computer Policy, click Administrative Templates > Windows Components > MDM.
    MDM policies

  4. Double-click Enable automatic MDM enrollment using default Azure AD credentials (previously called Auto MDM Enrollment with AAD Token in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select User Credential (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
    MDM autoenrollment policy

  5. Click Enable, then click OK.

     

    In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. Device Credential is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to User Credential.


    When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
    To see the scheduled task, launch the Task Scheduler app.
    If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
    Two-factor authentication notification

     


  6. To verify successful enrollment to MDM , click Start > Settings > Accounts > Access work or school, then select your domain account.

  7. Click Info to see the MDM enrollment information.
    Work School Settings
    If you do not see the Info button or the enrollment information, it is possible that the enrollment failed. Check the status in Task Scheduler app.

Task Scheduler app

  1. Click Start, then in the text box type task scheduler.
    Task Scheduler search result

  2. Under Best match, click Task Scheduler to launch it.

  3. In Task Scheduler Library, open Microsoft > Windows , then click EnterpriseMgmt.
    Auto-enrollment scheduled task
    To see the result of the task, move the scroll bar to the right to see the Last Run Result. Note that 0x80180026 is a failure message (MENROLL_E_DEVICE_MANAGEMENT_BLOCKED). You can see the logs in the History tab.
    If the device enrollment is blocked, your IT admin may have enabled the Disable MDM Enrollment policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.