Setting up Intune auto enrollment using Group Policy - brian-anderson01/Capstone GitHub Wiki

Prerequisites

  • First, the DC must be hybrid joined (joined to both the local AD domain and Azure AD), as must any computers you want to auto-enroll
  • SSO also needs to be enabled between the DC and Azure AD
  • To check that all of this is working, run `dsregcmd /status` in a Command Prompt. This command is extremely helpful in the early stages of implementation and troubleshooting
  • After running the command, three values must be set correctly, as shown in the screenshots below
  • `AzureAdJoined` and `DomainJoined` must both be `YES`
  • If both are `YES`, the computer is hybrid joined. Finally, you must ensure SSO is working: scroll down in the output and look for the following
  • If `AzureAdPrt` is `YES`, then SSO is enabled and working
  • Once you have confirmed that these three values are correct, you are ready for auto-enrollment
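The following PowerShell script is an added example (not part of the original wiki page) that automates the check above: it runs `dsregcmd /status`, parses the `Key : Value` lines, and reports whether the three values the prerequisites call out are all `YES`. The function names are hypothetical; it assumes a Windows 10 or later machine where `dsregcmd` is available.

```powershell
# Added example, not part of the original wiki. Parses dsregcmd /status and
# verifies the three prerequisite values: AzureAdJoined, DomainJoined, AzureAdPrt.

function Get-DsregStatus {
    # $Lines defaults to live dsregcmd output; pass captured lines to test offline
    param([string[]]$Lines = (& dsregcmd /status))
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints indented "Key : Value" lines; keep single-word keys only
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinReady {
    param([hashtable]$Status)
    $required = @('AzureAdJoined', 'DomainJoined', 'AzureAdPrt')
    $ready = $true
    foreach ($key in $required) {
        $value = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        if ($value -eq 'YES') {
            Write-Host ("[OK]   {0} = {1}" -f $key, $value)
        } else {
            # DomainJoined/AzureAdJoined = NO means not hybrid joined;
            # AzureAdPrt = NO means SSO (the PRT) is not working for this user
            Write-Host ("[FAIL] {0} = {1}" -f $key, $value)
            $ready = $false
        }
    }
    return $ready
}

$status = Get-DsregStatus
if (Test-HybridJoinReady -Status $status) {
    Write-Host "Device is hybrid joined with a PRT; ready for the auto-enrollment GPO."
} else {
    Write-Host "Fix the failing values (hybrid join / SSO) before enabling auto-enrollment."
    exit 1
}
```

Run it in the context of the user you plan to enroll with, since `AzureAdPrt` reflects the currently logged-on user's token, not the machine alone.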

Creating a new GPO to auto-enroll new computers

  • Open Group Policy Management on the DC
  • Create a new GPO or edit an existing one, and make sure it is linked
    • Edit the GPO and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM
    • Change the setting to Enabled, then apply and exit
    • Create a new security group for the PCs to scope the GPO, or apply it to all computers
  • The group policy portion is now complete
  • Run `gpupdate /force` and then `gpresult /r` to confirm the GPO is being applied
  • Next, log out of the current user on the PC and log back in with an account that has an Intune license
    • If you log in with an account that is not Intune licensed, the enrollment will not work
    • To license an account, log into the Office 365 admin portal, go to Active users, and add an Intune license to one of the on-premises synced users
    • Once you are logged in with that account, wait 5-10 minutes for the device to enroll (the enrollment retries every 5 minutes)
    • If the enrollment succeeds, the device should show up in Endpoint Manager, and Azure AD will also show the computer as MDM-managed
  • All future computers should now enroll as long as they are first logged into with a licensed account and have the three values set as shown in the prerequisites section.

Useful links for troubleshooting and setup

  • https://adminscriptbank.wordpress.com/2019/09/19/intune-enrolment-error-code-0x80180018/
  • https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-for-a-group-of-devices